Microsoft Malware Protection Center

Threat Research & Response Blog

  • MSRT September 2014 - Zemot

    This month we added the Win32/Zemot family to the Malicious Software Removal Tool. The Zemot family of trojan downloaders is frequently used by malware with a number of different payloads. We started seeing activity from TrojanDownloader:Win32/Upatre.B in late 2013 and identified this threat as the main distributor of the click fraud malware PWS:Win32/Zbot.gen!AP and PWS:Win32/Zbot.CF. We renamed the downloader to Zemot in May 2014. Recently, other malware such as Win32/Rovnix, Win32/Viknok...
  • A close look at a targeted attack delivery

    For antimalware products, targeted attacks represent a very interesting class of malware. They are stealthy and only target specific organizations and industries - flying under the radar when it comes to identifying new malware files based on telemetry. The purpose of these attacks is most commonly to steal confidential and sensitive information by means of social engineering and unpatched, vulnerable software. We recently investigated a sample used in this kind of attack, Trojan:Win32/Retefe...
  • FireEye and Fox-IT tool can help recover Crilock-encrypted files

    Since file-encryption ransomware Crilock (also called CryptoLocker) has reared its head, the security industry has been hard at work finding ways to mitigate and neutralize these threats. We've also been hard at work finding ways to recover from the encryption and restore affected files - such as our recommendations on using version control and recovery options in SkyDrive and Windows. This week, researchers from FireEye and Fox-IT have released a tool that may be able to recover files encrypted...
  • Coordinated malware eradication

    Today, as an industry, we are very effective at disrupting malware families, but those disruptions rarely eradicate them. Instead, the malware families linger on, rearing up again and again to wreak havoc on our customers. To change the game, we need to change the way we work. It is counterproductive when you think about it. The antimalware ecosystem encompasses many strong groups: security vendors, service providers, CERTs, anti-fraud departments, and law enforcement. Each group uses their...
  • MSRT April 2014 – Ramdo

    This month we added Win32/Ramdo and Win32/Kilim to the Microsoft Malicious Software Removal Tool. In this blog, we will focus on Ramdo and some of what we have since found out about this relatively new trojan family. Ramdo, a click-fraud bot with built-in antisinkhole and antivirtualization code, was first found in the wild in December 2013. Telemetry: Compared to other big families, Win32/Ramdo’s impact is relatively small in terms of the number of infected machines. However, when one...
  • Febipos for Internet Explorer

    In a previous blog post we discussed Trojan:JS/Febipos.A, a malicious browser extension that targets the Facebook profiles of Google Chrome and Mozilla Firefox users. We recently came across a new Febipos sample that was specifically developed for Internet Explorer - we detect it as Trojan:Win32/Febipos.B!dll. This trojan is a browser helper object that loads a JavaScript file into Internet Explorer. We detect the loaded JavaScript as Trojan:JS/Febipos.E. The plugin tries to look legitimate by calling...
  • Be a real security pro - Keep your private keys private

    One of the many unusual characteristics of the Stuxnet malware that was discovered in 2010 was that its files were distributed with a valid digital signature, created using authentication credentials that belonged to two unrelated legitimate software companies. Normally the signature would verify that the program was issued by the company listed in the signing certificate, and that the contents of the program had not been tampered with since it was signed. By using other companies’ authentication...
  • Coordinated malware eradication nears launch

    Good news: the coordinated malware eradication preparations are almost done. We have held several roundtable meetings at industry events around the world, and the last two are scheduled for June and July. We had insightful conversations with a diverse group of experts from across the antimalware industry. The ideas have converged into a shared vision of how we’ll work together to put pressure on the malware ecosystem. I am excited for the first coordinated eradication campaigns to launch!...
  • USB firmware: An upcoming threat for home and enterprise users

    Every year, thousands of hackers and security researchers from around the world descend on Las Vegas to attend the annual Black Hat security conference. The conference boasts top notch security presentations from industry leaders – often centered on breaking computer security. Although many of the presentations are on breaking things, most of the attendees and presenters are in fact using the knowledge for good – to design more secure software, better secure their organization, or fix...
  • Mevade and Sefnit: Stealthy click fraud

    Recently Trojan:Win32/Mevade made news for being the first large botnet to use Tor to anonymize and hide its network traffic. Within a few weeks, starting mid-August, the number of directly connecting Tor users increased by almost 600 percent - from about 500,000 users per day to more than 3,000,000. Last week we concluded, after further review, that Mevade and Sefnit are the same family and our detections for Mevade have now been moved to join the Sefnit family. Win32/Sefnit is a well-known...