Microsoft Malware Protection Center

Threat Research & Response Blog

  • Microsoft Malware Protection Center

    The strange case of Gamarue propagation

    We have seen variants of Worm:Win32/Gamarue spread via removable drives in the past, but recent variants have adopted a more convoluted method of spreading involving several components. Let's take a look at one. For this variant of Worm:Win32/Gamarue, we start with an infected removable drive, for example a USB flash drive. Our infected example drive contains the following files: ~$wb.usbdrv, detected as Worm:Win32/Gamarue.N; desktop.ini, detected as Worm:Win32/Gamarue.O; thumbs.db...
  • Microsoft Malware Protection Center

    MSRT February 2013 – Sirefef

    The family added to the February release of the Malicious Software Removal Tool is Win32/Sirefef . Win32/Sirefef is a highly prevalent complex multi-component family which continues to evolve. The payload for current variants may include such actions as modifying browser search engine results, generating pay-per-click revenue and performing Bitcoin mining on an affected computer. The first detection for Sirefef was added in July 2009. Whilst the form of some malware families remains relatively...
  • Microsoft Malware Protection Center

    The curious case of the Exploit:Java/CVE… infection

    When I first started working in the antivirus industry, I found that learning how Java exploits work, even at a very high level, was difficult. Even now with a few seasons under my belt, understanding the process and consequences of the exploitation of a Java vulnerability still proves challenging. Based on the feedback we see from some of you, I’m not alone. There are a lot of technical papers and blogs to be found that tell you how a Java vulnerability is exploited. In this blog, I’d...
  • Microsoft Malware Protection Center

    Understanding the impact of piracy on cybersecurity

    Today Microsoft released a special edition of its Security Intelligence Report (SIR) titled "Linking Cybersecurity Policy and Performance." The report examines the relationship between quantitative indicators about a country or region -- such as computers per capita, broadband penetration and whether the country or region had adopted certain public policies to advance cybersecurity -- and the rate of malware infections as measured by computers cleaned per mille (CCM) by the Malicious Software...
  • Microsoft Malware Protection Center

    A technical analysis of a new Java vulnerability (CVE-2013-0422)

    Recently, a 0-day vulnerability (CVE-2013-0422) was disclosed. Oracle promptly reacted to this 0-day vulnerability, and last weekend a new patch was made available. Here's the advisory from Oracle. You can download the latest JRE here. As the vulnerability is specific to Java 7, if you're using JRE 7, you should apply the patch. From our analysis, we've seen that it is a package access check issue which allows an untrusted Java applet to access a restricted class in trusted code. Using a vulnerable...
  • Microsoft Malware Protection Center

    Key lessons learned from the latest test results

    AV-Test just published the results of their most recent antimalware vendor testing, and they didn't grant Microsoft Security Essentials and Microsoft Forefront Endpoint Protection their "AV-Test Certified" status. We conduct a rigorous review of the results whenever test results warrant it. We take the protection of our customers very seriously, and the investments we make to do these reviews are an example of that commitment. Our review showed that 0.0033 percent of our Microsoft Security Essentials...
  • Microsoft Malware Protection Center

    Making the most of fear and deception – rogue v ransomware (part 2)

    This is the second of a two-part post, and continues from " Making the most of fear and deception – rogue v ransomware (part 1) ". Ransomware’s approach is aggressive. It uses fear to motivate an affected user to pay a fee (usually not with a credit card but using another payment system – Green Dot Moneypak, Ukash, and others). It generally uses only one deceptive message and is quite specific: you receive a message, supposedly from the police or some other law-enforcement agency...
  • Microsoft Malware Protection Center

    Making the most of fear and deception – rogue v ransomware (part 1)

    This is the first of a two-part post. Fear can be a great motivator for getting someone to act on the receipt of a message (think public health messages regarding smoking, or wearing sunscreen). Add some deception in there, and you have a powerful tool of illegitimate influence that can be used to get people to act in ways that are not in their best interest. Unsurprisingly, the same folks that bring you malware are the same folks that have no problem at all using illegitimate and deceptive fear...
  • Microsoft Malware Protection Center

    MSRT January 2013 - Ganelp

    To start the new year, we have added the Win32/Ganelp and Win32/Lefgroo families of worms to the January release of the Malicious Software Removal Tool. Win32/Ganelp spreads via removable drives, uploads stolen information and downloads arbitrary files from remote FTP servers. We have had detection signatures for this family for approximately 2 years and it continues to be prevalent, as seen in Figure 1. (Figure 1: Ganelp monthly report volume, January 2011 to December 2012.) What we...
  • Microsoft Malware Protection Center

    Customer-focused prioritization

    Our guiding vision at the Microsoft Malware Protection Center (MMPC) is to keep every customer safe from malware. Both our research team and automated systems work around the clock in an effort to achieve this vision. The volume of threats that attackers are developing continues to increase. For example, last month we collected and analyzed 20 million new potential malware files. Six percent of these files were classified as malware. From that six percent, just over 100,000 files resulted in the...