Microsoft Malware Protection Center

Threat Research & Response Blog

  • Microsoft Malware Protection Center

    Key lessons learned from the latest test results

    AV-Test just published the results of their most recent antimalware vendor testing, and they didn't grant Microsoft Security Essentials and Microsoft Forefront Endpoint Protection their "AV-Test Certified" status. We conduct a rigorous review of the results whenever test results warrant it. We take the protection of our customers very seriously, and the investments we make to do these reviews are an example of that commitment. Our review showed that 0.0033 percent of our Microsoft Security Essentials...
  • Microsoft Malware Protection Center

    Making the most of fear and deception – rogue v ransomware (part 2)

    This is the second of a two-part post, and continues from "Making the most of fear and deception – rogue v ransomware (part 1)". Ransomware’s approach is aggressive. It uses fear to motivate an affected user to pay a fee (usually not with a credit card but using another payment system – Green Dot Moneypak, Ukash, and others). It generally uses only one deceptive message and is quite specific: you receive a message, supposedly from the police or some other law-enforcement agency...
  • Microsoft Malware Protection Center

    Making the most of fear and deception – rogue v ransomware (part 1)

    This is the first of a two-part post. Fear can be a great motivator for getting someone to act on the receipt of a message (think public health messages regarding smoking, or wearing sunscreen). Add some deception in there, and you have a powerful tool of illegitimate influence that can be used to get people to act in ways that are not in their best interest. Unsurprisingly, the same folks that bring you malware are the same folks that have no problem at all using illegitimate and deceptive fear...
  • Microsoft Malware Protection Center

    MSRT January 2013 - Ganelp

    To start the new year, we have added the Win32/Ganelp and Win32/Lefgroo families of worms to the January release of the Malicious Software Removal Tool. Win32/Ganelp spreads via removable drives, uploads stolen information and downloads arbitrary files from remote FTP servers. We have had detection signatures for this family for approximately 2 years and it continues to be prevalent, as seen in Figure 1. Figure 1: Ganelp monthly report volume January 2011 to December 2012. What we...
  • Microsoft Malware Protection Center

    Customer-focused prioritization

    Our guiding vision at the Microsoft Malware Protection Center (MMPC) is to keep every customer safe from malware. Both our research team and automated systems work around the clock in an effort to achieve this vision. The volume of threats that attackers are developing continues to increase. For example, last month we collected and analyzed 20 million new potential malware files. Six percent of these files were classified as malware. From that six percent, just over 100,000 files resulted in the...
  • Microsoft Malware Protection Center

    Fake apps: Behind the effective social strategy of fraudulent paid-archives

    In my previous blog "Fake apps and the lure of alternative sources," I discussed a fraudulent scheme that takes advantage of known, legitimate and free applications. Unlike rogues and ransomware which use threats and force to influence their victims, the social engineering techniques employed by a fake installer are less aggressive yet, interestingly, more deceptive. This technique is widely used in the Win32/Pameseg family – our detection for a family of "paid archives" that present as...
  • Microsoft Malware Protection Center

    Update signature definitions to resolve performance issues in definitions starting with 1.141.2400.0

    Some users of Microsoft antimalware products have reported a performance issue with signature definition versions starting with 1.141.2400.0 (12/21/2012 1920 UTC). The current definition files, since 1.141.2639.0 (12/27/2012 0625 UTC), resolve this issue. If you have a signature set in the affected range, please update to the current definition files. Shannon Sabens, MMPC
  • Microsoft Malware Protection Center

    Korean gaming malware - served 3 ways

    Recently, we’ve seen similar activities being performed by different malware that monitor online Korean applications. Mostly, the applications they monitor are card games, such as those in Figure 1. Figure 1: Examples of online Korean games that are being monitored. (Source: http://www.hangame.com) The following applications are monitored if found running on the system: LASPOKER.EXE highlow2.exe baduki.exe duelpoker.exe HOOLA3.exe poker7.exe FRN.exe ...
  • Microsoft Malware Protection Center

    MSRT December '12 - Phdet

    Phdet is the family which has been added to the December 2012 release of the Malicious Software Removal Tool. Phdet is a family of backdoor trojans that have the ability to perform distributed denial of service (DDoS) attacks. The bot can be found online, going by the formal name of "Black Energy". The DDoS bot has existed for a number of years, with initial detections added in 2007. An attacker can build and configure binaries to perform different actions, and can specify the frequency...
  • Microsoft Malware Protection Center

    The "hidden" backdoor - VirTool:WinNT/Exforel.A

    Recently we discovered an advanced backdoor sample - VirTool:WinNT/Exforel.A. Unlike traditional backdoor samples, this backdoor is implemented at the NDIS (Network Driver Interface Specification) level. VirTool:WinNT/Exforel.A implements a simple private TCP/IP stack and hooks NDIS_OPEN_BLOCK for the TCP/IP protocol, as shown in Figure 1. Figure 1: Hooked functions in NDIS_OPEN_BLOCK. This means that backdoor-related TCP traffic will be diverted to the private TCP/IP stack and delivered...