I guess you have read it in the meantime: there are a lot of reports out there that Finjan found a botnet affecting 1.9 million computers. This is really bad, obviously. The press has now started to cover this, and I think we are already losing a little bit of focus in the discussion. I tried to understand what was going on based on the publicly available information.

To me it seems like the botnet was leveraging known vulnerabilities in browsers to download malicious JavaScript. It then started to spread on the infected machines and downloaded a Trojan called Win32/Procesemes.A (the link leads you to our encyclopedia entry on this Trojan). We added detection for this Trojan in signature version 1.57.181.0 (so, quite a while ago), and with that to all our products, such as Windows Live OneCare, Microsoft Forefront Client Security and the Windows Live OneCare Safety Scanner.

What does this tell us? Well, isn't it the same story as always? There are three things that went wrong here:

  1. Machines were unpatched (and not only Internet Explorer)
  2. People are running as admins
  3. The AV signature was/is not up to date. We even remove the Trojan if you are already infected…

So, the botnet is huge and therefore dangerous, and infecting people's machines is definitely criminal activity. But there are ways to protect yourself…

As always, if you think that you are infected, report it to your local law enforcement. You may contact our support (free of charge for security incidents) at http://support.microsoft.com/security. And then follow the standard steps of the “Protect Your PC” guidance: enable a firewall, apply all software updates, and install anti-virus and anti-spyware software.
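As an added illustration (not part of the original post, and not Microsoft's own tooling): a short PowerShell self-check that covers the three points above and the “Protect Your PC” steps on a current Windows host. It assumes a modern Windows build with Windows Defender, the NetSecurity module and the Windows Update agent available, which are the present-day equivalents of the OneCare/Forefront products named in the post; the thresholds (signature older than two days) are my own choice.

```powershell
# Added example, not from the original post. Assumes Windows 10/11 or Server 2016+
# with the built-in Defender cmdlets, the NetSecurity module and the Windows Update
# COM agent. Run from an ordinary (non-elevated) PowerShell session so the admin
# check reflects how you normally work.

function Test-RunningAsAdmin {
    # Point 2: is the current token a member of the local Administrators role?
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-PendingUpdateCount {
    # Point 1: ask the local Windows Update agent for updates that are not yet installed.
    # This contacts the configured update source, so it needs network access.
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    return $result.Updates.Count
}

function Get-FirewallStatus {
    # "Enable a firewall": one entry per profile (Domain, Private, Public); all should be enabled.
    Get-NetFirewallProfile | Select-Object Name, Enabled
}

function Get-SignatureAge {
    # Point 3: how old are the antimalware signatures, and is real-time protection on?
    $status = Get-MpComputerStatus
    return [PSCustomObject]@{
        SignatureVersion = $status.AntivirusSignatureVersion
        AgeDays          = (New-TimeSpan -Start $status.AntivirusSignatureLastUpdated -End (Get-Date)).Days
        RealTimeEnabled  = $status.RealTimeProtectionEnabled
    }
}

# Report and warn on each of the three failure points.
$admin = Test-RunningAsAdmin
Write-Host ("Running as administrator : {0}" -f $admin)
if ($admin) { Write-Warning "Daily work should run under a standard user account (point 2)." }

$pending = Get-PendingUpdateCount
Write-Host ("Pending updates          : {0}" -f $pending)
if ($pending -gt 0) { Write-Warning "Install the outstanding updates (point 1)." }

Get-FirewallStatus | ForEach-Object {
    Write-Host ("Firewall profile {0,-8}: {1}" -f $_.Name, $_.Enabled)
    if (-not $_.Enabled) { Write-Warning "Enable the $($_.Name) firewall profile." }
}

$sig = Get-SignatureAge
Write-Host ("Signature version        : {0} ({1} days old, real-time protection: {2})" -f `
    $sig.SignatureVersion, $sig.AgeDays, $sig.RealTimeEnabled)
if ($sig.AgeDays -gt 2 -or -not $sig.RealTimeEnabled) {
    Write-Warning "Update signatures and/or enable real-time protection (point 3)."
}
```

Running this in the session you actually use for browsing and e-mail is the point: if the first line says True, the other three checks matter much less, because any drive-by download already runs with full rights.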

Roger