Microsoft Malware Protection Center

Threat Research & Response Blog

  • Backup the best defense against (Cri)locked files

    Crilock – also known as CryptoLocker – is a notorious ransomware family that has been making the rounds since early September. Its primary payload is to target and encrypt your files, such as your pictures and Office documents. All of the file types that can be encrypted are listed in our Trojan:Win32/Crilock.A and Trojan:Win32/Crilock.B descriptions. Crilock affected about 34,000 machines between September and early November 2013. Once Crilock encrypts your file types, they are...
  • A close look at a targeted attack delivery

    For antimalware products, targeted attacks represent a very interesting class of malware. They are stealthy and only target specific organizations and industries - flying under the radar when it comes to identifying new malware files based on telemetry. The purpose of these attacks is most commonly to steal confidential and sensitive information by means of social engineering and unpatched, vulnerable software. We recently investigated a sample used in this kind of attack, Trojan:Win32/Retefe...
  • MSRT September 2014 - Zemot

    This month we added the Win32/Zemot family to the Malicious Software Removal Tool. The Zemot family of trojan downloaders is frequently used by malware with a number of different payloads. We started seeing activity from TrojanDownloader:Win32/Upatre.B in late 2013 and identified this threat as the main distributor of the click fraud malware PWS:Win32/Zbot.gen!AP and PWS:Win32/Zbot.CF. We renamed the downloader to Zemot in May 2014. Recently, other malware such as Win32/Rovnix, Win32/Viknok...
  • Sefnit’s Tor botnet C&C details

    We have talked about the impact that resulted from the Sefnit botnet Tor hazard as well as the clean-up effort that went into that threat. In this post we’d like to introduce some of the details regarding the Tor component’s configuration and its communication with the Tor service. Specifically, we’ll talk about how Trojan:Win32/Sefnit.AT communicates with the Tor network, what domains it tries to contact, and where it keeps its configuration data. After Sefnit installs the...
  • Febipos for Internet Explorer

    In a previous blog post we discussed Trojan:JS/Febipos.A, a malicious browser extension that targets the Facebook profiles of Google Chrome and Mozilla Firefox users. We recently came across a new Febipos sample that was specifically developed for Internet Explorer - we detect it as Trojan:Win32/Febipos.B!dll. This trojan is a browser helper object (BHO) that loads a JavaScript file into Internet Explorer. We detect the loaded JavaScript as Trojan:JS/Febipos.E. The plugin tries to look legitimate by calling...
  • Protection metrics – November results

    In our October results, we talked about a trio of families related to Win32/Sefnit. Our November results showed progress against Sefnit and the installers and downloaders of Sefnit (Win32/Rotbrow and Win32/Brantall). In comparison to September, active Sefnit infections have been reduced by 82 percent. As with prior months, our rate of incorrect detections also remained low and performance stayed consistent. (If you want a refresh on the definition of the metrics we use in our monthly results...
  • Coordinated malware eradication nears launch

    Good news: the coordinated malware eradication preparations are almost done. We have held several roundtable meetings at industry events around the world, and the last two are scheduled for June and July. We had insightful conversations with a diverse group of experts from across the antimalware industry. The ideas have converged into a shared vision of how we’ll work together to put pressure on the malware ecosystem. I am excited for the first coordinated eradication campaigns to launch!...
  • Turkey: Understanding high malware encounter rates in SIRv15

    In our most recent version of the Security Intelligence Report (SIRv15), we compared the encounter rates of malware categories for the top 10 countries with computers reporting the most detections in 2Q13. Amongst these countries, Turkey stood out with considerably high encounter rates in multiple categories. Encounter rate is the percentage of computers in a country that reported at least one detection of malware. Figure 1. Threat category prevalence worldwide and in the 10 locations with...
  • Mevade and Sefnit: Stealthy click fraud

    Recently Trojan:Win32/Mevade made news for being the first large botnet to use Tor to anonymize and hide its network traffic. Within a few weeks, starting mid-August, the number of directly connecting Tor users increased by almost 600 percent - from about 500,000 users per day to more than 3,000,000. Last week we concluded, after further review, that Mevade and Sefnit are the same family and our detections for Mevade have now been moved to join the Sefnit family. Win32/Sefnit is a well-known...
  • The MSRT in Action: Keeping systems safe

    In four days the January release of the Microsoft Malicious Software Removal Tool (MSRT) detected almost a million threats on PCs across the globe. In the video below, Dustin Childs and Joe Faulhaber explain what happened as the MSRT sprang into action.
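The Febipos for Internet Explorer item above describes a browser helper object (BHO) that injects JavaScript into the browser. As an added example (not code from the original post, and not specific to Febipos, whose CLSID and file names are not given on this page), the following PowerShell enumerates every BHO registered on a Windows host, resolves each CLSID to its in-process DLL, and reports the DLL's Authenticode status so that unsigned or unexpected entries can be triaged. The registry locations are the standard BHO and COM registration keys; the function name and output fields are this example's own.

```powershell
# Added example: list Internet Explorer BHOs with their backing DLL and signature status.
# BHOs are registered as CLSID subkeys under these two keys (the Wow6432Node key holds
# 32-bit registrations on 64-bit Windows).
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BrowserHelperObjects {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid = $sub.PSChildName

            # The COM server DLL is the default value of CLSID\{clsid}\InProcServer32;
            # 32-bit servers on 64-bit Windows live under Wow6432Node\CLSID.
            $serverKeys = @(
                "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32",
                "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$clsid\InProcServer32"
            )
            $dll = $null
            foreach ($serverKey in $serverKeys) {
                if (Test-Path $serverKey) {
                    $dll = (Get-ItemProperty -Path $serverKey).'(default)'
                    if ($dll) {
                        $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
                        break
                    }
                }
            }

            # Signature check: an unsigned DLL in a BHO slot is not proof of malware,
            # but it is the first thing to look at when triaging a host.
            $sigStatus = 'NoFile'
            $signer = $null
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                $sig = Get-AuthenticodeSignature -FilePath $dll
                $sigStatus = $sig.Status.ToString()
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }

            [PSCustomObject]@{
                CLSID     = $clsid
                DLL       = $dll
                Signature = $sigStatus
                Signer    = $signer
                SourceKey = $key
            }
        }
    }
}

# Unsigned ('NotSigned'), tampered ('HashMismatch') and missing-file entries sort first.
Get-BrowserHelperObjects | Sort-Object Signature | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so that Get-AuthenticodeSignature can read DLLs under Program Files; compare any entry with a Signature value other than Valid, or a DLL path outside the usual program directories, against the host's software inventory before acting on it.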