Protection metrics – November results

In our October results, we talked about a trio of families related to Win32/Sefnit. Our November results showed progress against Sefnit and the installers and downloaders of Sefnit (Win32/Rotbrow and Win32/Brantall). In comparison to September, active Sefnit infections have been reduced by 82 percent. As with prior months, our rate of incorrect detections also remained low and…

1

Turkey: Understanding high malware encounter rates in SIRv15

In our most recent version of the Security Intelligence Report (SIRv15), we compared the encounter rates of malware categories for the top 10 countries with computers reporting the most detections in 2Q13. Amongst these countries, Turkey stood out with considerably high encounter rates in multiple categories. Encounter rate is the percentage of computers in a…

1

Be a real security pro – Keep your private keys private

One of the many unusual characteristics of the Stuxnet malware that was discovered in 2010 was that its files were distributed with a valid digital signature, created using authentication credentials that belonged to two unrelated legitimate software companies. Normally the signature would verify that the program was issued by the company listed in the signing…

6

Rotbrow: the Sefnit distributor

This month’s addition to the Microsoft Malicious Software Removal Tool is a family that is both old and new. Win32/Rotbrow existed as far back as 2011, but the first time we saw it used for malicious purposes was only in the past few months. In September, Geoff blogged about the dramatic resurgence of Win32/Sefnit (aka…

3

Our protection metrics – October results

​Last month we introduced our monthly protection metrics and talked about our September results. Today, we’d like to talk about our results from October. If you want a refresh on the definition of the metrics we use in our monthly results, see our prior post: Our protection metrics – September results. During October 2013, while…

3

Carberp-based trojan attacking SAP

Recently there has been quite a bit of buzz about an information-stealing trojan that was found to be targeting the logon client for SAP. We detect this trojan as TrojanSpy:Win32/Gamker.A. SAP is a global company with headquarters in Germany and operations in 130 countries worldwide. SAP develops enterprise software applications for tracking and managing business operations,…

7

Backup the best defense against (Cri)locked files

Crilock – also known as CryptoLocker – is one notorious ransomware that’s been making the rounds since early September. Its primary payload is to target and encrypt your files, such as your pictures and Office documents. All of the file types that can be encrypted are listed in our Trojan:Win32/Crilock.A and Trojan:Win32/Crilock.B descriptions. Crilock affected…

15

Febipos for Internet Explorer

In a previous blog post we discussed Trojan:JS/Febipos.A, a malicious browser extension that targets the Facebook profiles of Google Chrome and Mozilla Firefox users.  We recently came across a new Febipos sample that was specifically developed for Internet Explorer – we detect it as Trojan:Win32/Febipos.B!dll. This trojan is a browser helper object that loads a…

1

MSRT November 2013 – Napolar

​We first noticed the new family we named Win32/Napolar being distributed in the wild in early August this year. It quickly became a big problem on our customers’ machines. Napolar is one of two families targeted by the Malicious Software Removal Tool (MSRT) this month. The other is the bitcoin mining family Win32/Deminnix. As shown…

2

Upatre: Emerging Up(d)at(er) in the wild

The MMPC is constantly monitoring emerging threats that are impacting our customers the most. Recently, we started seeing Win32/Upatre being distributed in the wild. This chart shows how this threat has impacted customer machines in just about two months. Figure 1: Monthly telemetry data on Win32/Upatre downloader   As we see in this next chart,…

2