Microsoft Malware Protection Center

Threat Research & Response Blog


  • Novetta leads first coordinated malware eradication campaign

    Earlier this month, Novetta took their initial public action in the first Coordinated Malware Eradication (CME) campaign against Win32/Hikiti and its associated threats. Today, Novetta released a comprehensive report that describes in detail the threats and threat actors, known as Axiom, targeted in this campaign. Axiom is a well-resourced, disciplined, and sophisticated threat actor that analysts believe has been conducting espionage operations online since at least 2008. Since then, Axiom...
  • Staying in control of your browser: New detection changes

    This week we made some important changes to how we detect browser modifiers and adware. These changes are designed to better protect your browsing experience. We have already blogged about the changes to the behaviors we detect as adware. I will explain the changes to our browser modifier detections below. Our objective criteria have all the details about how and why we detect unwanted software. Unacceptable behaviors There are two new browser modifier behaviors that we detect: Bypassing...
  • Close means close: New adware detection criteria

    In April we introduced the rules that software developers should follow when creating advertisements to avoid being detected by Microsoft security products as adware. These rules are designed to keep our customers in control of their Internet browsing experience. Since then, we have had great success working with some companies through our developer contact process. At the same time we have started to see other advertising programs trying to bend and even circumvent our rules. These advertisements...
  • MSRT October 2014 – Hikiti

    The October release of the Malicious Software Removal Tool (MSRT) is directly related to a Coordinated Malware Eradication (CME) initiative led by Novetta with the help of many other security partners: F-Secure, ThreatConnect, ThreatTrack Security, Volexity, Symantec, Tenable, Cisco, and iSIGHT. Collaboration across private industry is crucial to addressing advanced persistent threats. The target in this campaign is an advanced persistent threat that served as the infrastructure of actors...
  • Microsoft cloud protection

    Microsoft is using cloud protection to help keep our customers safe. In fact, nearly any detection made by Microsoft security products could be the result of cloud protection. Software developers often ask us how this cloud protection works and how they can improve our cloud’s impression of their software. How our cloud protection works When our antimalware products encounter anything unusual, they can send a small packet of information about the event or file to our server. The server...
  • Download at your own risk: Bitcoin miners bundled with game repacks

    Recently we have seen an emerging trend among malware distributors: Bitcoin miners being integrated into installers of game repacks. This type of system hijacking is just one of many ways to profit from a victim by consuming their system's computing resources. Malware is easily bundled with game installers that are then uploaded and shared with unsuspecting users via torrent download sites. Once a machine is infected, a downloaded Bitcoin miner silently carries out mining...
  • MSRT September 2014 - Zemot

    This month we added the Win32/Zemot family to the Malicious Software Removal Tool. The Zemot family of trojan downloaders is frequently used by malware with a number of different payloads. We started seeing activity from TrojanDownloader:Win32/Upatre.B in late 2013 and identified this threat as the main distributor of the click fraud malware PWS:Win32/Zbot.gen!AP and PWS:Win32/Zbot.CF. We renamed the downloader to Zemot in May 2014. Recently, other malware such as Win32/Rovnix, Win32/Viknok...
  • USB firmware: An upcoming threat for home and enterprise users

    Every year, thousands of hackers and security researchers from around the world descend on Las Vegas to attend the annual Black Hat security conference. The conference boasts top-notch security presentations from industry leaders, often centered on breaking computer security. Although many of the presentations are on breaking things, most of the attendees and presenters are in fact using the knowledge for good: to design more secure software, better secure their organization, or fix...
  • The fall of rogue antivirus software brings new methods to light

    Rogue antivirus software has been a part of the malware ecosystem for many years now – Win32/SpySheriff and Win32/FakeRean date all the way back to 2007. These rogues, and the many that have followed them throughout the years, generally mislead and scare users into paying a fee for "cleaning" false detections that the software claims to have found on the machine. They often use dozens of different brandings and name combinations in an attempt to hide, cover their tracks, and avoid...
  • FireEye and Fox-IT tool can help recover Crilock-encrypted files

    Since file-encryption ransomware Crilock (also called CryptoLocker) has reared its head, the security industry has been hard at work finding ways to mitigate and neutralize these threats. We've also been hard at work finding ways to recover from the encryption and restore affected files, such as our recommendations on using version control and recovery options in SkyDrive and Windows. This week, researchers from FireEye and Fox-IT have released a tool that may be able to recover files encrypted...