Microsoft Malware Protection Center

Threat Research & Response Blog

  • MSRT February 2014 - Jenxcus

    We have been seeing a lot more VBScript malware in recent months, thanks in most part to VBS/Jenxcus. Jenxcus is a worm coded in VBScript that is capable of propagating via removable drives. Its payload opens a backdoor on an infected machine, allowing it to be controlled by a remote attacker. For the past few months we have seen the number of affected machines remain constantly high. For this reason we have included Jenxcus in the February release of the Microsoft Malicious Software Removal Tool...
  • A journey to CVE-2013-5330 exploit

    Recently, we've seen a few attacks in the wild targeting a patched Adobe Flash Player vulnerability (CVE-2013-5330). This vulnerability was addressed with a patch released by Adobe on November 12, 2013. On the Windows platform, Flash Player versions 11.9.900.117 and earlier are vulnerable. We had a chance to analyze how the attacks work and noted some interesting details from our investigation. The malicious file has been distributed as a .swf file using the obfuscator secureSWF, which has...
  • Coordinated malware eradication

    Today, as an industry, we are very effective at disrupting malware families, but those disruptions rarely eradicate them. Instead, the malware families linger on, rearing up again and again to wreak havoc on our customers. To change the game, we need to change the way we work. It is counterproductive when you think about it. The antimalware ecosystem encompasses many strong groups: security vendors, service providers, CERTs, anti-fraud departments, and law enforcement. Each group uses their...
  • Microsoft antimalware support for Windows XP

    Microsoft has announced the Windows XP end of support date of April 8, 2014. After this date, Windows XP will no longer be a supported operating system*. To help organizations complete their migrations, Microsoft will continue to provide updates to our antimalware signatures and engine for Windows XP users through July 14, 2015. This does not affect the end-of-support date of Windows XP, or the supportability of Windows XP for other Microsoft products, which deliver and apply those signatures...
  • Protection metrics – December results

    Happy New Year! December 2013 was an exciting month for monitoring our protection results and watching malware trends. The good news - our customer infection rate for December (0.06 percent) was lower than any other month in 2013 and one third the size of our peak in October. The Win32/Sefnit trio mentioned in the October and November 2013 results declined even more significantly than last month. Even better, Win32/Sirefef malware development appears to have stopped after the disruption effort led...
  • MSRT January 2014 – Bladabindi

    This month the Malicious Software Removal Tool (MSRT) includes a new malware family - MSIL/Bladabindi. An interesting part of this family is that the author made three versions of this RAT, written in VB.NET, VBS and AutoIt. The malware builder is also publicly available for download. Because of this, there are many variants in this family, and they spread in many different ways, such as Facebook messages and hacked websites. Once installed, malware in this family can be used to take control...
  • Tackling the Sefnit botnet Tor hazard

    Sefnit, a prevalent malware family known for using infected computers for click fraud and bitcoin mining, has left millions of machines potentially vulnerable to future attacks. We recently blogged about Sefnit performing click fraud and how we added detection on the upstream Sefnit installer. In this blog we explain how the Tor client service, added by Sefnit, is posing a risk to millions of machines, and how we are working to address the problem. Win32/Sefnit made headlines last August as it took...
  • Protection metrics – November results

    In our October results, we talked about a trio of families related to Win32/Sefnit. Our November results showed progress against Sefnit and the installers and downloaders of Sefnit (Win32/Rotbrow and Win32/Brantall). In comparison to September, active Sefnit infections have been reduced by 82 percent. As with prior months, our rate of incorrect detections also remained low and performance stayed consistent. (If you want a refresher on the definition of the metrics we use in our monthly results...
  • Turkey: Understanding high malware encounter rates in SIRv15

    In our most recent version of the Security Intelligence Report (SIRv15), we compared the encounter rates of malware categories for the top 10 countries with computers reporting the most detections in 2Q13. Amongst these countries, Turkey stood out with considerably high encounter rates in multiple categories. Encounter rate is the percentage of computers in a country that reported at least one detection of malware. Figure 1. Threat category prevalence worldwide and in the 10 locations with...
  • Be a real security pro - Keep your private keys private

    One of the many unusual characteristics of the Stuxnet malware that was discovered in 2010 was that its files were distributed with a valid digital signature, created using authentication credentials that belonged to two unrelated legitimate software companies. Normally the signature would verify that the program was issued by the company listed in the signing certificate, and that the contents of the program had not been tampered with since it was signed. By using other companies’ authentication...