
By continuing to include new variants of the existing threat families, the MSRT has removed malware from more than 1.5 million machines three days after its release on 10 November.  This month we’ve also added Win32/FakeVimes and Win32/PrivacyCenter to the MSRT detection and have removed these new rogues from more than 110,000 machines. 

A lot of the top threat families are no strangers if you refer to our previous blog posts, or our recently published Security Intelligence Report.

  • Out of these prevalent threat families worldwide, 8 are password stealers collecting online game credentials, online banking passwords or other user identities of users’ online accounts.
  • 8 of them are fake security products or trojan downloaders for rogues.  The MSRT now covers the following most high profile rogues
  • 5 are trojan downloaders or droppers, a threat category which is often an infection vector to deliver drive-by malware to the victims’ computers.
  • Win32/Koobface is still in the top 25, though it has dropped out of the top 10. Online social network sites such as Facebook continue to boost their security hardening to protect their customers and we welcome their actions.
  • Win32/Zlob had dropped out of the list in recent months after being extremely prevalent for almost three years.  In our Oct 2008 blog and Jan 2009 blog we observed that the Zlob authors appeared to move somewhere else.

| Family | Computers Cleaned | Most Significant Category | Notes |
|---|---|---|---|
| Taterf | 239,870 | Worms | online game PWS |
| Alureon | 141,358 | Miscellaneous Trojans | data stealing trojans modifying DNS settings |
| Bancos | 138,803 | Password Stealers & Monitoring Tools | Brazil online banking PWS |
| Renos | 115,970 | Trojan Downloaders & Droppers | AV rogues downloaders |
| FakeXPA | 96,466 | Miscellaneous Trojans | AV rogues |
| Yektel | 90,982 | Trojan Downloaders & Droppers | AV rogues |
| FakeVimes | 78,749 | Miscellaneous Trojans | AV rogues |
| Cutwail | 78,161 | Trojan Downloaders & Droppers | Spambot |
| FakeSpypro | 57,534 | Miscellaneous Trojans | AV rogues |
| Frethog | 54,764 | Password Stealers & Monitoring Tools | online game PWS |
| Bredolab | 48,323 | Trojan Downloaders & Droppers | mass downloader |
| IRCbot | 40,259 | Backdoors | old spambot with traditional C&C |
| Vundo | 38,481 | Miscellaneous Trojans | adware downloaders |
| Koobface | 36,300 | Worms | web2.0 worm targets social networking sites |
| Brontok | 35,531 | Worms | mass-mailing e-mail worms |
| PrivacyCenter | 34,726 | Miscellaneous Trojans | AV rogues |
| Banker | 28,293 | Password Stealers & Monitoring Tools | Brazil online banking PWS |
| Banload | 25,166 | Password Stealers & Monitoring Tools | Brazil online banking PWS |
| Jeefo | 23,887 | Viruses | parasitic file-infector virus |
| Virut | 22,549 | Viruses | viruses evolved with backdoor behaviors |
| FakeRean | 20,603 | Miscellaneous Trojans | AV rogues |
| FakeScanti | 20,222 | Miscellaneous Trojans | AV rogues |
| Parite | 20,076 | Viruses | Prevalent viruses in Asia |
| Lolyda | 19,210 | Password Stealers & Monitoring Tools | online game PWS |
| RJump | 18,452 | Worms | Worm targeting removable devices |

As usual we encourage you to run Microsoft Security Essentials, which contains the full AV signature set from the MMPC, or another reputable AV product, to protect your internet activities.

Scott Wu -- MMPC

The migration of PC computing from 32-bit to 64-bit is in full swing at last, and if you’ve been confused as to what it all means, you’re not alone.  PCs built for years now have been capable of running both 32-bit and 64-bit operating systems, but for that you need a 64-bit version of Windows (and corresponding drivers for devices), and getting everything working on 64-bit used to be for brave and technical people only.

There are many advantages to using a 64-bit operating system – using twice as many bits can make computers faster and the maximum amount of memory that can be used goes way above the 4 gigabyte limit (that’s 2^32 bytes). And 64-bit Windows includes Patchguard, which makes tampering with the Windows kernel (the part of the OS that makes the underlying hardware usable by software) much, much more difficult.

Most PCs shipping with Windows 7 come with the 64-bit versions of Windows, and finally there’s nothing to be confused about; these PCs just work.

As reported in the Security Intelligence Report, 64-bit Windows has some of the lowest reported malware infection rates in the first half of 2009:

There are still many threats that can affect 64-bit Windows, unfortunately. One other feature of 64-bit Windows is WOW64 – which is an acronym for Windows On Windows 64. WOW64 emulates a 32-bit Windows environment to allow software to run on the 64-bit operating system, which is great for compatibility with applications that haven’t ported to 64-bit yet, but also allows malicious code to grab a foothold. Even though these threats may run, since they’re running in the 32-bit emulated Windows environment they can do less to your computer, and don’t see 64-bit processes at all. For the same reason, 64-bit Windows needs 64-bit antimalware software like Microsoft Security Essentials to protect the whole computer.

Computer viruses are very confused by 64-bit. Taking a look at 64-bit executable code detected by Microsoft antimalware technologies in the past month, the vast majority is innocent 64-bit files infected by 32-bit viruses. While a 32-bit virus can only see other 32-bit processes, it unfortunately can see the file system, and can tamper with files it finds there. The 32-bit code in a 64-bit binary will immediately crash when executed. So even 64-bit Windows needs protection from malware.

There are also two remote control software packages that have been ported to 64-bit, which are potentially unwanted if you don’t know they are on your computer, and a couple of hacking tools that have been written for 64-bit.

| Threat | Reports | Distinct Files |
|---|---|---|
| Virus:Win32/Virut | 193954 | 11307 |
| RemoteAccess:Win32/DameWareMiniRemoteControl | 24672 | 16 |
| Virus:Win32/Slugin | 12817 | 2474 |
| HackTool:Win32/Wpakill | 9700 | 19 |
| Virus:Win32/Gael | 5033 | 2206 |
| RemoteAccess:Win32/RemotelyAnywhere | 388 | 111 |
| Virus:Win32/Bacalid | 82 | 36 |
| HackTool:Win64/Welevate | 25 | 3 |

   Table 1: Detected 64-bit binaries

Note that though the Microsoft Antimalware Engine may use the Win32 prefix for threat names, the technologies used can still locate malicious 64-bit code with signatures for 32-bit threats.

Overall, 64-bit malware is still exceedingly rare in the wild, and the additional protections built into 64-bit Windows will make it harder for malware to make the 64-bit jump that’s easy for PC users with Windows 7.

For a complete discussion of the PC threat landscape, see the Security Intelligence Report.

--Joe Faulhaber

Just over a week ago the Microsoft Malware Protection Center released the seventh edition of our Security Intelligence Report covering the first half of 2009.  Like all of our previous reports we have distilled information and insight from the wide array of telemetry we have available to us. New to this edition, however, is the inclusion of third party data and insight.  Specifically, we have worked with Shadowserver to include data collected for the Conficker Working Group (CWG) as well as insights from various Computer Emergency Response Teams (CERTs) worldwide. Microsoft is thankful for the many strong partnerships we have around the world and is committed to the industry collaboration typified by CWG as well as the programs in the Microsoft Security Response Alliance (MSRA).  MSRA is an umbrella program which is made up of similarly themed security programs for different constituencies. Some MSRA programs include the Microsoft Virus Initiative (MVI) and the Virus Information Alliance which are in place to provide technical guidance, malware sample exchange and support to other Anti-virus ISVs as well as the Security Cooperation Program (SCP) and SCPcert which relate to information exchange and collaboration with governments and with CERT organizations (governmental or non-governmental) in regions across the globe. 

We would specifically like to call your attention to content provided by several of our CERT partners. As you have likely seen from either my previous blog entry on this Security Intelligence Report or from the report itself or even previous reports we have released we do a comparative analysis of infection rates between countries. We’ve asked several CERTs from some of the countries with the lowest rates of infection to discuss factors to which they attribute the lower rate and their thoughts on associated best practices. Some very interesting things can be found in there (starting on page 44) such as the correlation between higher broadband penetration and adoption of security updates, the correlation between prevalence of pirated software and infection rate and, most importantly, the importance of industry collaboration in reducing the impact of malware in a region.

Download the report here:  http://www.microsoft.com/downloads/details.aspx?FamilyID=037f3771-330e-4457-a52c-5b085dc0a4cd&displaylang=en

Jeff Williams
(we want to hear from you—SIRFB at microsoft.com)

This month we’ve added two more rogue families to the Malicious Software Removal Tool (MSRT) – Win32/FakeVimes and Win32/PrivacyCenter. Both have been around since early 2009, but have become more prevalent in the last few months.

Win32/FakeVimes has gone through a lot of different names, usually with two or three active at any given time. Currently it’s calling itself Windows System Defender and Windows Enterprise Suite. Its interface may look familiar even if you’ve never had the misfortune of being affected by the malware - it has copied elements of the Windows Defender and Windows Security Center UIs and its activate* button includes an imitation of the Genuine Microsoft Software logo.

In addition to the usual reports of non-existent malware, some variants of FakeVimes display imitation User Account Control (UAC) dialogs, with a recommended option of “protect”. Clicking “protect” just leads to another dialog asking you to activate*. Sometimes FakeVimes also claims to detect spambot behaviour. In this case, it uses the Microsoft Office logo in an attempt to make its warnings appear more credible.

Win32/PrivacyCenter hasn’t gone through anywhere near as many names as FakeVimes. It started off calling itself Privacy Center, changed to Privacy Components and now goes by Safety Center. PrivacyCenter looks quite primitive compared to most modern rogues. Sometimes it even reports its own files as malware.

Some variants of PrivacyCenter make themselves the default shell application, so when you reboot you might find that the trojan runs instead of Explorer.

Both Win32/FakeVimes and Win32/PrivacyCenter are distributed through fake online scanners, similar to those used by most other rogues.

-- Hamish O'Dea

* As with most rogues, “activate” means pay.

This year at the PacSec conference, I will present a Microsoft view of the threat landscape during the first six months of 2009. It will be based on telemetry data published in the latest Security Intelligence Report (SIR) published on Nov 2nd, 2009. You can find the agenda of the conference at http://pacsec.jp/agenda.html

From data gathered by a number of Microsoft security products (e.g. Forefront Client Security, Windows Defender, Microsoft Windows Malicious Software Removal Tool, etc.), we see attacks by malware continuing to target specific regions or groups of users. While Japan has a relatively lower infection rate than many countries, we notice that other Asian countries have a high relative infection rate which, in a number of cases, is due to high prevalence of Win32/Taterf (a worm used to steal passwords). 

As attackers continue to exploit the Internet infrastructure and application/service environment on a large scale, it is important to establish collaboration among ISPs, security solution providers, law enforcement and other service providers to combat malicious threats. In Japan, participants in Japan’s Cyber Clean Center (e.g. ISPs, security ISVs including Microsoft, government) have been working collaboratively against malicious and potentially unwanted malware. We would appreciate more such efforts and collaboration models, particularly in countries and regions where threats are most prevalent.

I hope to see people at the conference and invite them to learn more about the different threat mixes and trends in a number of countries, by downloading and reading the latest SIR.

Regards,
Tony Lee

...Greetings from the old Capital, Kyoto

Hello from the historical imperial city of Kyoto.  Yesterday, or today depending on where you are, I had the honor of giving the opening presentation at the twelfth annual AVAR conference.  The AVAR conference has grown in significance over the past decade to become one of the top security conferences in the world.

The International AVAR conference concentrates on the computer security situation in the Asia Pacific region.  So I will be highlighting data from volume 7 of the Security Intelligence Report that has been gathered from the region.

All in all, most of the Asia and Pacific regions are significantly below worldwide average.  But, two of the most highly infected regions are among the largest and increasing.  This tells us we still have work ahead of us.  Community based defenses are what's needed in our next step in the war against malware.  And organizations like AVAR are necessary to bring the community together.

Jimmy Kuo

A relatively new trojan has been making the rounds and causing some problems, particularly on Windows XP systems. Trojan:Win32/Daonol is malware which hooks various system calls in order to steal credential information and redirect some Web traffic. It also protects itself by keeping some security-related software from running.

Several recent versions of this malware are buggy and prevent computers from successfully shutting down or (more importantly) starting up. If you have (or someone you know has) a Windows XP system which won’t boot completely (i.e., shows the ‘Windows XP’ splash-screen with the progress bar, but then the screen turns black and the system never starts up completely), it’s likely a Daonol infection. Visit our write-up for Trojan:Win32/Daonol to find instructions on cleaning Daonol off your system if you think you are infected.

Another obvious symptom of infection is that regedit.exe and cmd.exe will not launch properly. To see if this is the case, navigate to Start->Run and enter regedit.exe. If nothing happens after a few seconds, most likely you are infected with Daonol. If you launch cmd.exe in the same way, you will see a command-prompt window but no text will appear in the window itself. Daonol allows the regedit and cmd processes to launch, but it forces them into a suspended state and doesn’t allow them to do anything.

Microsoft Security Essentials can detect and remove all known variants of Daonol, as well as keep you from being infected by it in the first place. If you aren’t using an anti-malware solution, do yourself a favor and head over there for a free copy of Microsoft Security Essentials.

Stay safe out there on the interwebs,
Aaron Putnam

Twice a year we put together a report detailing trends that we see which are threat related in the computer security environment.  Today we have released our seventh report which you can find at www.microsoft.com/sir. I’m very excited about this report. We, the MMPC, and our partners in the Microsoft Security Engineering Center, Bing, Windows Live and many others have collaborated to make this our most comprehensive report to date. 

The report includes insights drawn from data collected consensually from the more than 450 million people  running the Malicious Software Removal Tool each month, the hundreds of millions of mailboxes at Hotmail we protect, data gathered by Bing in scanning billions of web pages each year as well as the telemetry received from more than 100 million of our customers running Windows Live OneCare, Forefront Client Security, Windows Defender as well as spam, phishing and malware data relating to the billions of emails scanned by Forefront Online Protection for Exchange.

The data we have available gives us an unparalleled view of threat activity on the internet both worldwide as well as regionally in more than 212 countries and regions across all seven continents. 

In this edition we provide an in-depth review of malicious and potentially unwanted software, software exploits, security breaches, software vulnerabilities (both Microsoft and third party) around the world as well as providing detailed views of a number of countries. We review malware distribution sites by country, discuss phishing and spam trends and geographic distribution, details on vulnerability disclosure practices, differences in threat distribution between consumers and enterprise and we also provide guidance for IT professionals and business decision makers based on this information.

For the first time ever, we include Best Practices contributed by representatives from four of the countries (Austria, Finland, Germany, and Japan) that have managed to maintain the lowest malware infection counts in their countries.

It is our hope that you find this information valuable and that it helps you to make shrewd risk-management decisions.  We also welcome your feedback for future editions.  Please email us at SIRFB at microsoft.com with your thoughts.

--Jeff Williams Principal Group Program Manager, MMPC

As of October 21st, the MSRT has removed the newly added threat, Win32/FakeScanti from 56,700 infected machines. For this month, it was the 12th most prevalent threat family worldwide and 7th in the US. Overall the MSRT has cleaned 2,516,235 machines this month from all kinds of malware infections.

We all know the threat landscape is not homogenous across geographic regions.  Let’s take a look at US, China, and Brazil as a case study.

| US Family | US Threats | US Machines Cleaned | China Family | China Threats | China Machines Cleaned | Brazil Family | Brazil Threats | Brazil Machines Cleaned |
|---|---|---|---|---|---|---|---|---|
| Alureon | 147,387 | 117,351 | Lolyda | 77,781 | 72,863 | Taterf | 72,464 | 70,069 |
| Taterf | 121,988 | 116,217 | Frethog | 21,927 | 20,042 | Bancos | 67,577 | 59,414 |
| FakeXPA | 108,026 | 103,578 | Ceekat | 9,440 | 8,767 | Frethog | 33,455 | 32,009 |
| Renos | 69,147 | 55,461 | Conficker | 8,899 | 8,427 | Banker | 27,421 | 26,420 |
| FakeRean | 78,067 | 53,376 | Hupigon | 5,127 | 4,879 | Conficker | 19,664 | 18,398 |
| Yektel | 52,259 | 51,061 | Parite | 7,518 | 4,592 | Banload | 18,617 | 18,121 |
| FakeScanti | 70,120 | 50,260 | RJump | 3,875 | 2,552 | Cutwail | 8,452 | 5,269 |
| Frethog | 51,038 | 49,526 | Brontok | 980 | 969 | Alureon | 3,656 | 3,053 |
| Daurso | 32,205 | 32,150 | Taterf | 1,177 | 963 | Renos | 3,192 | 2,228 |
| Koobface | 43,640 | 27,793 | Corripio | 980 | 855 | IRCbot | 1,929 | 1,874 |
| FakeSpypro | 26,530 | 26,242 | Sdbot | 776 | 770 | Brontok | 1,768 | 1,739 |

 Note: Rogues in italics; Password Stealer (PWS) bolded

Some key takeaways:

  • In the US (as well as other English speaking countries) rogues are predominant.  Six of the top ten threat families in the US are rogues or rogue-related trojan downloaders. This poses a challenge for the end users to identify the legit AV products when there are so many rogue products popping up on the users’ machines. 
  • Six of the top ten threat families in China are password stealers, most of which are hunting for online gamers’ credentials.
  • Six of the top ten threat families in Brazil are also password stealers, though a lot of them (Bancos, Banker and Banload) tend to target online banking credentials in Brazil.

We close, as we always do, by urging you to take action and protect yourself. 

Scott Wu

As we’ve mentioned before, your average user is the most at risk of getting infected these days. So, with the release of Microsoft Security Essentials recently en masse, we’re really able to see some of the fruits of our labour over the last few years. We’re very pleased to see such a positive response to MSE, with many new home users giving it a try, which as you can imagine, makes us all happy little Vegemites*.

As you might expect, we see pretty different infection types from home-users versus the enterprise. Generally, infection vectors for the home user are web-based; either via malicious websites or by being enticed to download something that is, how you say ‘not so much with the good’.  The term ‘home user’ generalises – computer-based experience of these users covers a broad spectrum. The savvier of these computer users, one would expect, would have a better chance of avoiding infection. However this is not entirely true; as we’ve mentioned in previous posts, savvy computer users actually open themselves up to more risks while they’re exploring the deeper darker depths of what the Internet has to offer.

To wit, after MSE’s release, we’ve seen a spike in a particular variant of Win32/Bifrose – Backdoor:Win32/Bifrose.EO. Why, you ask? Well, it seems that the malware authors (or perhaps an unsuspecting pirate) are distributing a ‘cracked’ version of Windows that comes pre-infected for your convenience – labelled, fittingly, “Vista Black Edition”. Just to clarify, this means computer users are downloading an ISO of pirated Microsoft software (and saving to disk on a Genuine Windows system) and a free Microsoft anti-virus product is alerting them to a potential infection in their freshly stolen software. I’m not really sure if ‘irony’ really emphasises the situation enough. But hey, at least the Windows is free**, right?

What’s even more interesting (read: funny) is that despite this, it seems this isn’t enough to stop people from trying to utilize their ill-gotten gains. Underground forums are teeming with helpful hints on how to disinfect your newly acquired (though somewhat ‘not as advertised’) software. No doubt some of the instructions include using other pirated software products.

So you see kids, illegal software is seldom free of all cost. Chances are you’re paying for it in ways you didn’t consider.

Matt McCormack
MMPC Melbourne

*The team down in Australia at least
** Disclaimer: “Free” may be changed at any time to actually mean “cost you”, with one or more of the following words appended to the end: passwords, bandwidth, login information, bank account details, email accounts, credit rating, dignity, ...

Now that Microsoft Security Essentials is generally available to consumers in 19 countries, we've had a chance to go over the data, and there are some very interesting results. Just in the first week we saw well over 1.5 million downloads of Microsoft Security Essentials, but the price (free to Windows users) is hard to beat!

Computers reporting detections up to October 6: almost four million detections on 535,752 distinct machines. The detections are eight times the machine count because many computers are infected with multiple threats.

Microsoft Security Essentials is available in 8 languages and 19 markets at RTM, which covers a lot of the PC using world. The geographic distribution of detections so far still closely follows the Microsoft Security Essentials Beta countries, and is ramping up in other countries that use the 8 languages.

Looking at counts of computers reporting detections by threat categories, we see that the order is different in each of the top three countries.  Trojans are the top detected category in the US, China has lots of potentially unwanted software threats, and worms (particularly Conficker) are very active in Brazil.  There are also many exploits being encountered in China, which may mean these PCs do not have the latest security updates.

The top threat families for these countries have remarkably similar curves, but very different family mixes.

China top families include several exploits (ShellCode, IFrameRef), the US has the trojans Wimad and rogue trojan FakeXPA at the top, while Brazil has worms Conficker and Taterf.

For family details, see the MMPC threat encyclopedia at http://microsoft.com/security/portal

Looking at the operating systems breakdown, we're seeing lots of Windows 7 using Microsoft Security Essentials, but a pretty even balance between OS'es:

The Windows 7 numbers are spectacular for an operating system that hasn't yet released for global availability.  Even better, about 1/3rd of Windows 7 Microsoft Security Essentials machines are 64-bit, which is even more resistant to malware than 32-bit due to PatchGuard.

By looking at detections divided by active Microsoft Security Essentials machines over the whole population, we see far more detections per XP machine, with the fewest from Win7.  This follows our usual observed trend of seeing less malware on newer OSes and service packs. 

In one short week, Microsoft Security Essentials is making a big difference to those people using it on their computers. If you don't have updated antimalware on your computer we strongly recommend giving Microsoft Security Essentials a try.

--Joe Faulhaber

Anyone who’s seen a system infected by a rogue security program doesn’t need to be told how annoying they can be, as they attempt to scare, threaten, cajole, hector, harangue, pester, aggravate, intimidate, badger, harass and generally nag* the user into paying to register the fake software. And even among rogues, there are few that are quite as annoying as Win32/FakeScanti, which is this month’s addition to the Malicious Software Removal Tool (MSRT).

*I realize I’m being more than a little repetitive here.  But this still pales in comparison to how repetitive your average rogue can get.

We first saw a variant of Win32/FakeScanti back in early March of this year, when it went by the name of ASC Antivirus. There was then very little activity on the FakeScanti front until late July, when we noticed a file, which we detect as TrojanDownloader:Win32/FakeScanti, downloading a new version of the scanner going by the name of Windows Antivirus Pro. This version was proactively detected by the signatures added in March. Since then there has been a steady stream of new files, but only one name change, to Windows Police Pro. Apart from the name change, the user interface, and even the list of alleged “malware” detected by this rogue, has remained identical:

FakeScanti has your usual grab bag of popups, system tray balloons, and dialog boxes (and there are many examples of these in our Win32/FakeScanti description) all reporting malicious activity, and recommending that the reported threats be removed. Of course, if you want this to happen, then naturally you have to pay:

These popups tend to pile up on the screen at a rapid rate, and dismissing any one of these results in the confirmation dialog below, which also needs to be closed. Notice how the placement of the Purchase and Continue buttons is swapped compared to the dialog above.

Win32/FakeScanti also uses a number of other tricks common to many other rogues, such as the display of a fake version of the Windows Security Center, or blocking access to certain web sites:

It uses a number of other methods in an attempt to convince users that the system is infected. These include:

  • Periodically rebooting the system
  • Preventing other executables from running

It does this by associating the .exe extension with desot.exe, one of the files installed by Win32/FakeScanti. As a result, when an attempt is made to run one of these files, the filename is passed to desot.exe, which will decide whether it is allowed to run, and display a message box such as the one above if not.

  • Using Active Desktop to place text on the desktop background

  • Displaying error messages which resemble the “Dr Watson” Windows system error dialog

The “Fix it” button launches the fake scanner. The other buttons do not do anything.

As we've mentioned before, if you're concerned about the veracity or legitimacy of a particular antivirus scanner, it's a good idea to check if the product in question has received any industry-recognized certification. Virus Bulletin VB100 is a good place to start, but there are other industry-recognized testing and certification bodies that are good for this kind of verification. If you're looking for security software for your computer, you could also visit http://www.microsoft.com/windows/antivirus-partners for a list of security software providers.

If you believe you are infected, we encourage you to use the Windows Live OneCare safety scanner to check your PC for malware and to help remove them from your system.  In addition we encourage you to submit any suspicious files to the MMPC team for analysis. If you don’t already have active, up-to-date Anti-malware protection remember that our new security product - Microsoft Security Essentials – runs quietly in the background and never asks you for payment.

--David Wood
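
The .exe association change described in the Win32/FakeScanti post above, and the default-shell replacement described earlier for Win32/PrivacyCenter, both show up in well-known registry values. The following Python script is an added example, not part of the original posts and not a Microsoft tool: it audits a .reg-format registry export for those two changes. The sample exports, the paths inside them and the function names are constructed for illustration; only the file name desot.exe comes from the post.

```python
import re

# Well-known defaults on a clean Windows installation.
EXE_CLASS_DEFAULT = "exefile"
EXE_OPEN_COMMAND_DEFAULT = '"%1" %*'
SHELL_DEFAULT = "explorer.exe"
WINLOGON = r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample exports (.reg text). Paths are invented for illustration;
# only the file name desot.exe is taken from the FakeScanti post.
SAMPLE_CLEAN = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
'''

SAMPLE_INFECTED = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Program Files\\Example\\desot.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Example\\rogue.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''

# Matches  @="value"  or  "name"="value". Only plain string values are
# handled; hex(...) and dword: entries are skipped.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg escaping of backslashes and double quotes."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse string values from .reg text into {key: {value_name: data}}.

    Key and value names are lower-cased because the registry is
    case-insensitive; the default value of a key is stored under "".
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        match = VALUE_RE.match(line)
        if current is None or not match:
            continue
        raw_name = match.group(1)
        name = "" if raw_name == "@" else _unescape(raw_name[1:-1]).lower()
        current[name] = _unescape(match.group(2))
    return keys


def audit(text):
    """Return [(check, found_value), ...] for hijacked launch points.

    Keys absent from the export are not reported, since an export may
    cover only part of the registry.
    """
    reg = parse_reg(text)

    def get(key, name=""):
        return reg.get(key.lower(), {}).get(name.lower())

    findings = []
    # Per-user classes override the machine-wide ones, so check both.
    for root in ("HKEY_CLASSES_ROOT", r"HKEY_CURRENT_USER\Software\Classes"):
        cls = get(root + r"\.exe")
        if cls is not None and cls.lower() != EXE_CLASS_DEFAULT:
            findings.append(("exe-class", cls))
        handler = cls or EXE_CLASS_DEFAULT
        cmd = get(root + "\\" + handler + r"\shell\open\command")
        if cmd is not None and cmd.strip() != EXE_OPEN_COMMAND_DEFAULT:
            findings.append(("exe-open-command", cmd))
    # The Winlogon "Shell" value names the program started at logon.
    for root in ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"):
        shell = get(root + WINLOGON, "Shell")
        if shell is not None and shell.strip().lower() != SHELL_DEFAULT:
            findings.append(("winlogon-shell", shell))
    return findings


if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("infected", SAMPLE_INFECTED)):
        print(label, audit(sample))
```
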

Based on the interest we saw in the various presentations our team did at Virus Bulletin in Geneva a couple of weeks back we thought you might be interested in where else we will be presenting in the coming weeks.
 
October 13 Vinny Gullotto will be in a panel discussion in Washington D.C. at the Emerging Threats, Vulnerabilities, & Challenges in the Cybersecurity Ecosystem event put on by TechAmerica. You can find information on how to register for this event at http://www.techamerica.org/cybersecurity-ecosystem.
 
Also on October 13, Jeff Williams will present the keynote for Malware 2009 in Montreal, Canada. Information on Malware 2009 is available at http://www.malware2009.org/.
 
On November 4, Jimmy Kuo will present the keynote  for the Association of anti-Virus Asia Researchers International Conference (AVAR) in Kyoto, Japan. Information on AVAR 2009 can be found here: http://www.aavar.org/avar2009/
 
November 4-5 also is when you will find us at the PacSec conference in Tokyo, Japan where Tony Lee will be presenting on the threat landscape and where Jeff Williams may deliver a lightning talk if he has the chance. You can find information about PacSec at http://pacsec.jp/.
 
That’s all for now since we need time to pack. We hope to see many of you at one or more of these events. 
 
--Microsoft Malware Protection Center

Today marks the beginning of National CyberSecurity Awareness Month here in the United States.
 
I would like to take this opportunity to acknowledge all the security professionals around the world who work tirelessly to make cyberspace a safer place for all our online pastimes.  You know who you are.  It's nice to know we all work for the same team.
 
Jimmy Kuo
 
PS. I'm glad to see www.staysafeonline.info still going strong.

Back in our labs in Dublin, Melbourne, and Redmond from the 2009 Virus Bulletin conference! 

This year there were almost 400 attendees and 49 presentations covered by 60 speakers (7 of them from Microsoft). The MMPC had presenters from all three labs at the conference and we started and ended the technical stream. The topics this year included malware, spam, and this year's hot topic, cloud technology.  There were also interesting talks on social networks, URL shortening, browser plug-ins, Banker trojans, and testing the performance of in-the-cloud antivirus scanners.

It was exciting for our first-time speakers to meet others from the industry. It was also an opportunity to catch up with old friends and colleagues. The welcome drinks and gala dinner allowed us to mingle with them in a relaxed atmosphere. Microsoft also won second place in the IT Security Table Foosball Championship. Francis from the Dublin MMPC lab and Terry from the Antispam team played against foosball teams from other companies.

We also had the chance to see some sights in Geneva and the surrounding countryside and vineyards (which are directly adjacent to France). Luckily, the weather was perfect the whole time we were there and so the beautiful fountain in Lake Geneva, the Jet d’eau, was turned on every day. We also saw the flower clock and the old town with its gorgeous architecture.

Next year, the Virus Bulletin conference will be in Vancouver. We're certainly looking forward to it.

--Katrin

The Microsoft Malware Protection Center (MMPC) would like to introduce you to Microsoft’s new security program - Microsoft Security Essentials. The MMPC is very excited about this release, which should help us to protect more customers around the world at no cost.

Here’s a note from the Microsoft Security Essentials team:

Microsoft Security Essentials (formerly codenamed “Morro”) is the newest security product from Microsoft that helps protect consumers against viruses, spyware and other malicious software. The program, using the same technology as the Forefront product family, is designed to protect and take the guess work out of you wondering if you are protected or not.

If you’re green, you’re good. 

Red or yellow means there is something that needs to be done to keep your PC secure. A single click and the PC is back to the green protected state. 

Microsoft Security Essentials is also designed to address cost and other barriers that have prevented many of our customers from running up-to-date security protection on their PCs. Because there are no subscription fees, there is no registration required to collect billing or other personal information.

It also runs quietly in the background scheduling scans when the PC is most likely idle and interrupting the user only when there is an action required to keep their PC secure. It employs practices like active memory swapping and CPU throttling to limit the impact on your PC performance, even on older or less powerful PCs.

This isn’t a security suite product that provides rich PC tuning capabilities or backs up your data. But if what you’re looking for is “install and forget” malware protection and solid quality, Microsoft Security Essentials may be just what you’ve been waiting for. Plus, as a user of Microsoft Security Essentials you’ll get support from the MMPC.

We think you’re gonna like what you get with Microsoft Security Essentials. See for yourself and download it now!

Microsoft Security Essentials is available now in 8 languages and 19 markets around the world for genuine Windows PCs. 
Download at: 
http://www.microsoft.com/security_essentials.
