Microsoft Malware Protection Center

Threat Research & Response Blog

  • Infection rates and end of support for Windows XP

    In the newly released Volume 15 of the Microsoft Security Intelligence Report (SIRv15), one of the key findings to surface relates to new insight on the Windows XP operating system as it inches toward end of support on April 8, 2014. In this post we want to highlight our Windows XP analysis and examine what the data says about the risks of being on unsupported software. In the SIR, we traditionally report on supported operating systems only. For this analysis we examined data from unsupported...
  • Microsoft antimalware support for Windows XP

    Microsoft has announced the Windows XP end of support date of April 8, 2014. After this date, Windows XP will no longer be a supported operating system*. To help organizations complete their migrations, Microsoft will continue to provide updates to our antimalware signatures and engine for Windows XP users through July 14, 2015. This does not affect the end-of-support date of Windows XP, or the supportability of Windows XP for other Microsoft products, which deliver and apply those signatures...
  • Backup the best defense against (Cri)locked files

    Crilock – also known as CryptoLocker – is one notorious ransomware that’s been making the rounds since early September. Its primary payload is to target and encrypt your files, such as your pictures and Office documents. All of the file types that can be encrypted are listed in our Trojan:Win32/Crilock.A and Trojan:Win32/Crilock.B descriptions. Crilock affected about 34,000 machines between September and early November 2013. Once Crilock encrypts your file types, they are...
  • The evolution of Rovnix: Private TCP/IP stacks

    We recently discovered a new breed of the bootkit Rovnix that introduces a private TCP/IP stack. It seems this is becoming a new trend for this type of malware. The implementation of the private stack is based on an open-source TCP/IP project and it can be accessed from both kernel and user modes. It works like this: At boot time, Rovnix hooks the following exported APIs in ndis.sys by patching the export table in memory: NdisMRegisterMiniportDriver() (for NDIS 6.0) NdisMRegisterMiniport...
  • Carberp-based trojan attacking SAP

    Recently there has been quite a bit of buzz about an information-stealing trojan that was found to be targeting the logon client for SAP. We detect this trojan as TrojanSpy:Win32/Gamker.A. SAP is a global company with headquarters in Germany and operations in 130 countries worldwide. SAP develops enterprise software applications for tracking and managing business operations, and is used by an estimated 86% of Forbes 500 companies. These business operations can range from applications such as...
  • Reversal of fortune: Sirefef’s registry illusion

    I have mentioned in a previous blog that the use of the right-to-left-override (U+202E) Unicode character is nothing new. That blog also went on to show the various file name tricks used by malware. But now we see something different: the use of this trick by variants of the Sirefef family of malware. The variants use the right-to-left-override character in the registry in order to hide their presence by mimicking a setting instantiated by a Google Chrome installation. When a user installs an...
  • MSRT September 2013 - Win32/Simda

    This month’s Microsoft Malicious Software Removal Tool (MSRT) release includes one new malware family – the high-volume banking trojan Win32/Simda. Simda is a multi-component malware family that includes trojan, backdoor, password-stealing, downloader and file-infector variants. It is very rare for a single malware family to possess all of these characteristics; Alureon and Sirefef are among the few families also in this category. Simda was first seen in mid-2009 with samples detected...
  • New infection rate data for unprotected computers

    In the previous Microsoft Security Intelligence Report, SIRv14, we introduced a new metric to measure the infection rate for computers protected with real-time antimalware software (protected computers) in comparison to computers that were not protected with up-to-date security software (unprotected computers). Using this new data, we wrote a feature story about the risks of running unprotected. Our customers told us that providing this data really helped measure the value of running real-time...
  • A fresh face for the Microsoft Malware Protection Center

    Today we launched our new Microsoft Malware Protection Center website. Throughout the redesign process we have been listening to your feedback. You asked for an easier way to find our security software and updates; you can now get to all of our product downloads straight from our homepage. While you’re on the homepage you’ll also see links to our help archive, blogs, and trending security topics from the Microsoft Community forums. One of our top priorities is to make it...
  • New Security Intelligence Report, new data, new perspectives

    Today, Microsoft released volume 15 of the Microsoft Security Intelligence Report (SIRv15). The report analyzes malware, exploits and more based on data from more than a billion systems worldwide and some of the Internet’s busiest online services. During the past year, as we were planning this volume of the Security Intelligence Report, and as we considered how to improve the breadth and accuracy of guidance given to our customers, we gave a lot of thought on how best to represent malware...