Microsoft Malware Protection Center

Threat Research & Response Blog

  • No paysafecard needed, your passwords will pay off

    The past year has been one of expansion for ransomware. Throughout 2012 an increasing number of blogs, tutorials and discussion forums were written to help people gain access to ransomware-locked computers without paying the ransom. The authors of Reveton ransomware are aware that the persistence of their malware on a system is not only narrowed by an antivirus product, but also by the computer user who tries to remove the threat. Not every infection is going to result in a paid ransom, so the Reveton...
  • Don't pay the rogue, scan with MSRT

    We added three new families to this month's Malicious Software Removal Tool (MSRT): Win32/FakeDef, Win32/Vicenor, and Win32/Kexqoud. In this blog, we will talk about the rogue antivirus family Win32/FakeDef. It's not a big player in the rogues' world, but it holds its own unique characteristics. We found this family in the wild in December 2012. Initially it was pushed to a victim's machine by Win32/Fareit variants. This means machines where Win32/FakeDef is found may also be...
  • Updated data shows prevalence of Java malware in 2012

    Recently we released the Microsoft Security Intelligence Report volume 14. The report initially presented data showing reduced Java malware detections in Q3 2012 and gaining prevalence in Q4 of 2012. During a later review of the backend data, we found that we were missing some detection counts from our initial calculations. We have revised the data, and Figure 1 shows the updated graph. [Figure 1: Machine count of detections for each exploit category] From Figure 1, what we can see...
  • Browser extension hijacks Facebook profiles

    We have received reports about a wave of malicious browser extensions trying to hijack Facebook profiles. This threat was first discovered in Brazil. We detect it as Trojan:JS/Febipos.A. The malware is a malicious browser extension specifically targeting Chrome and Mozilla Firefox. When installed, it attempts to update itself using the following URLs: Chrome browser: du-pont.info/updates/<removed>/BL-chromebrasil.crx Mozilla Firefox browser: du-pont.info/updates/<removed>...
  • CVE-2012-1876: Recent update to the Cool Exploit Kit landing page

    A recently debuted exploit kit (EK), called "Cool EK" and detected by us with the name Exploit:JS/Coolex, has been known to include various exploits targeting everything from Oracle JRE, Adobe Reader and Adobe Flash Player to Windows kernel-mode drivers. If you're unlucky enough to visit a webpage that hosts Cool EK, you might encounter all these exploits in the one place, turned against you in a barrage designed to compromise your computer. Recently there was an update to the kit's armaments to include...
  • Meet the new paid-archive malware families

    In a previous post, "Fake apps: Behind the effective social strategy of fraudulent paid-archives," we exposed the social engineering technique behind Win32/Pameseg, our detection for a family of "paid-archives." We described the use of "low-ball" techniques and explained how users are led to believe they are making an informed choice. However, the choice ultimately leads to the user being deceived into doing what the attacker wants: downloading and executing an installer. The scheme begins...
  • Windows 8 and Keygens

    As we first reported in the Microsoft Security Report Volume 13, Keygens have become the number one threat reported by users of Microsoft antimalware products. The research also indicates that 76 percent of users that downloaded Keygens or software cracks were also exposed to other, more dangerous malware. Keygens are typically not very dangerous on their own. However, malware authors are having great success using deceptive downloads that either pretend to be Keygens or contain them as well as...
  • New whitepaper: Evaluating Microsoft's protection performance and capabilities

    In order to evaluate the performance of their protection provider, customers need to rely on information that goes beyond what external certifications and comparative tests can provide. Today we're releasing a whitepaper, called "Evaluating Microsoft's protection performance and capabilities," that we believe will help customers with these evaluations. The whitepaper describes the measurements we use to track our effectiveness across quality, customer experience, and protection coverage...
  • The rise in the exploitation of old PDF vulnerabilities

    Exploitation of software vulnerabilities continues to be a common way to infect computers with malware. Leveraging exploits allows malware authors to infect, disrupt, or take control of a computer without the user's consent and typically without their knowledge. Exploits target vulnerabilities in operating systems, web browsers, applications, or software components that are installed on the computer. For details on exploit trends and insights on security vulnerabilities please refer to the...
  • Distribution vs. development: What's the story and why does it matter?

    In today's threat landscape, distributing malware and developing malware are two different worlds. Both require a different set of skills in order to work and in order to achieve their separate goals. For example, in my blog post "Get gamed and rue the day...", I described a bot-controlled worm in which the code fragment suggested that it belonged to an offensive development called "Andromeda". This story about the Gamarue worm is a good example of the differences between the...