The Next Web Blog
The following are the titles of recent articles syndicated from The Next Web Blog
Add this feed to your friends list for news aggregation, or view this feed's syndication information. makes no claim to the content supplied through this journal account. Articles are retrieved via a public feed supplied by the site for this purpose.

Wednesday, October 9th, 2013
9:21 am
Our commitment to Microsoft antimalware

We are fully committed to protecting our consumer and business customers from malware. Our strong solutions provide the comprehensive defense needed against malicious code and attacks. Our support of antimalware partners helps in building a strong and diverse ecosystem to fight malware.

Over the past year, we’ve continued to make investments in our protection technologies:

  • We’ve created new methods to identify emerging threats earlier and defend against them faster. Although around 80 percent of the malware our customers encounter is known or proactively blocked threats, new threats emerge every day. We’ve developed early warning telemetry and faster signature delivery systems to respond to these threats.
  • We’ve focused our resources on activities that directly contribute to customer protection. We exist to serve and protect our customers, so our research and response efforts focus on real threats that affect customers. Today millions of customers have voluntarily opted to let their computers share telemetry data with us on encountered threats, helping us identify and prioritize new malware files. If you are interested in learning more about our approach, I encourage you to read my previous blog and check out this paper which details our outcomes. Our public monthly report shows our trends and the progress we’re seeing.
  • We share our telemetry and samples with the industry to collectively make all of us stronger against our true adversaries - the malware writers. Our commitment to collaboration and sharing programs for antivirus (AV) partners and AV testers is stronger than ever. Through these programs, we encourage the ecosystem to address real world threats that impact all customers.

The end result is that, over the past year, our investments have increased the protection quality we deliver to our customers. As of the middle of 2013, we’ve increased our protection quality – that means fewer incorrect detections and fewer misses – by a significant rate since we first started measuring these metrics in the last quarter of 2011.

We are proud of the protection capabilities we provide for well over 150 million computers worldwide with our real-time antimalware products. We believe in Microsoft antimalware products and strongly recommend them to our customers, to our friends, and to our families.

Dennis Batchelder
Partner Group Program Manager
Microsoft Malware Protection Center

Friday, October 11th, 2013
11:45 pm
Redirect hides browser extension

While analyzing a malicious Chrome browser extension we recently came across a Virtool that tries to redirect the Chrome Extension page.

We detect it as VirTool:JS/Redichrextor.A.

VirTool:JS/Redichrextor.A won’t let you view, change, remove or uninstall Chrome browser extensions. It does this by stopping you from viewing the Chrome Extension page.

It uses this technique so an affected user won’t be able to remove or uninstall the malicious extension without help from their antimalware software. This makes VirTool:JS/Redichrextor.A a useful piece of code for any malicious Chrome browser extension that wants to avoid manual detection or removal.

When an affected user does try to view the Chrome browser extension page they are redirected. We have seen it open a new tab, go to the Chrome web store, or go to:

  • Chrome://newtab

We have also seen similar behaviour used by the following known malicious Chrome browser extensions:

Once VirTool:JS/Redichrextor.A is detected and removed, you should be able to go to the Chrome extension page.

We recommend you then check and uninstall any suspicious browser extension that might be linked to VirTool:JS/Redichrextor.A or other malware. We also recommend keeping your security products up-to-date to avoid infection.

While this new trick makes it harder to remove the Virtool manually, it is still easily detected and removed by Microsoft security software.



Jonathan San Jose


Saturday, October 26th, 2013
1:08 am
Our protection metrics - September results

Earlier this year, we started publishing a new set of metrics on our portal – an evaluation of our protection performance and capabilities. These metrics show, month over month, how we do in three areas of protecting our customers: coverage, quality, and customer experience.

And, since we started to publish the results on this page, I've had many great conversations with customers and partners alike, discussing what the results mean for their organization and their protections. In this post, I want to cover some of the most common taxonomy questions I was asked during those conversations and also discuss the results for September 2013.

First, let's dive into what the terms we use really mean:

  1. Coverage – the infection metric

    This is how we measure threat misses and infections. If we block a threat, that means we've protected our customers as expected and that's a win. Misses and infections show up as a red dot and the bar chart in red.

    Misses are threats we had early warning detections on (non-blocking detection), but by the time we determined it to be a threat, the threat had either disappeared or changed into a different file on the computer.

    Infections are threats we detected and then had to remediate (instead of a block). We call these active because, according to our telemetry, they appeared to have some active running component when we detected them. On the positive side, our real-time protection detected and worked to remove the active threat. We continue to work on methods to determine the ways in which threats become active, for example, through vulnerability exploits, through another program that drops the malware, or through credential-based attacks so that we can further address these active threats and provide actionable information to customers about how to protect themselves.

    Here's why that's important. Many threats, like Conficker, show up as active because the threat uses passwords or exploits that were effective in compromising the system for a very brief moment in time. For example, 85% of Conficker infections on Windows 7 happen through credential-based attacks (read more about this Conficker case in SIRv12). When we detect a Conficker infection that was delivered this way (which happens immediately), we identify it as active because it was written by a system process compromised through a credential-based attack.

  2. Quality – Incorrect detections

    Incorrect detections happen when antimalware products incorrectly flag and misclassify a file as malware or unwanted software. The yellow dot and the other bar chart represent incorrect detections. In any given month, only an extremely small number of programs are incorrectly detected. In most months in 2013, for example, only 1 in a million customers experienced an incorrect detection – the percentage of customers with incorrect detections was below 0.0001%.

  3. Customer experience

    With this criterion, we measure the performance implications of antimalware on the day-to-day activities that a person might perform – such as opening an application, browsing the web, downloading files, and playing games and multimedia. Latency perceptible by a human tends to land within the 50 to 100 millisecond range. In most months, most activities stay under 100 milliseconds of latency. This is the second graphic on our results page and it shows the customer experience when running the latest version of Windows Defender on the latest version of Windows 8. September's measurement reflects Windows 8.1.

To sum it up, the two graphics on our results page highlight the findings for coverage, quality, and customer experience (in terms of system performance). The first graphic shows protection coverage and quality for Microsoft's real-time protection products that cover home, small business, and enterprise, which represent approximately 150 million endpoints. The second graphic shows the performance implications when running the latest version of Windows Defender on the latest version of Windows 8. There is a great whitepaper that provides additional insights at this link.

And finally, let's talk about the September 2013 results:

  1. Coverage and top infections – September 2013

    In September, 0.17% of our customers encountered a miss (0.03%) or an infection (0.14%). This infection number was uncharacteristically high because of the resurgence of an old threat we currently call Sefnit. 44% of the active detections for the month were related to this Sefnit family. That's a very large percentage – in normal months, no one family represents more than 6% of active infections. As we investigated the threat, we noticed that the distributors of Sefnit were using some sneaky techniques to infect computers, including installer programs that usually install legitimate software but occasionally install that legitimate software with bonus material (Sefnit). Sefnit distributors are also modifying the appearance of components, such as sometimes using an obfuscator and sometimes not.

  2. Incorrect detections – September 2013

    This month, only 0.00025% of customers were impacted by incorrect detections. This percentage was slightly above average. The driver for the slightly above average impact was an incorrect detection on a 2009 version of the Microsoft Malicious Software Removal Tool.

  3. Customer experience – September 2013

    We consistently provide great performance for our customers using Microsoft antimalware products. In September 2013, the results have been consistent with the 50 to 100 milliseconds range.

Our goal is to provide great antimalware solutions for our consumer and business customers. I hope this blog demonstrates how committed we are in raising the bar for ourselves and others in the industry for doing so. We're monitoring our results, performance, and progress closely, prioritizing for real threats that might affect our customers and applying lessons learned to make our products even better. Plus, we support antimalware partners in order to build a strong and diverse ecosystem to fight malware – the true adversary.

Holly Stewart, Senior Program Management Lead, MMPC

Tuesday, October 29th, 2013
10:00 am
New Security Intelligence Report, new data, new perspectives

Today, Microsoft released volume 15 of the Microsoft Security Intelligence Report (SIRv15). The report analyzes malware, exploits and more based on data from more than a billion systems worldwide and some of the Internet’s busiest online services.

During the past year, as we were planning this volume of the Security Intelligence Report, and as we considered how to improve the breadth and accuracy of guidance given to our customers, we gave a lot of thought on how best to represent malware prevalence beyond the data provided in past reports.

We needed to establish a metric that measures the impact of malware based on our real-time protection products.

We already report on infection rates using a metric called computers cleaned per mille (CCM), which represents the number of computers cleaned for every 1,000 executions of the Malicious Software Removal Tool (MSRT). This helps us describe how widespread an infection is.

To better understand the range of threats that affect computers today, it’s increasingly valuable to consider infection attempts, including attempts that never result in infection. This data, which can only be provided by real-time security products, is measured by our new metric – the encounter rate. The encounter rate is the percentage of computers running Microsoft real-time security products that come across, or encounter, malware. When viewed together, the infection rate and the encounter rate provide different lenses to look at the malware landscape, assembling a picture that can contribute to a more informed risk assessment.

For example, one key finding to surface from the analysis of platforms by encounter rate and infection rate during the past year was that computers running Windows XP encountered about as much malware as Windows 7. However, Windows XP computers experienced many more infections than other operating systems. In fact, Windows XP had an infection rate that was six times higher than Windows 8.

Figure 1: Infection and encounter rates for Windows operating systems

Later today we will publish another blog which will dive deeper into the analysis of Windows XP, in light of the upcoming end of support date – April 8, 2014. Tim Rains also talks more about these issues in his latest blog.

In our analysis of the landscape we also separate out malware from potentially unwanted software, based on severity. This distinction is important, since high/severe threats are serious enough that our products will remove these threats from computers automatically. Moderate/low threats, which we categorize as potentially unwanted software in this SIR, depend on user action to quarantine or remove.

We also show trends for countries with the highest and lowest encounter rates for malware and potentially unwanted software. Some countries appear on highest and lowest lists for potentially unwanted software and not for malware. This helps draw conclusions about the effect of potentially unwanted software on certain regions, as well as helping zero-in on the severe threats facing different locations.

As we look at threats regionally, we see one country that rose to significance in many parts of our analysis. Between the second half of 2012 and the first half of 2013, Turkey’s encounter rate increased by more than 13 percent. Exploits, miscellaneous trojans and worms were all encountered at higher levels in Turkey when compared with other regions globally. You can read further on our findings for Turkey and other countries in SIRv15.


Figure 2: Threat category prevalence worldwide and in the 10 locations with the most computers reporting detections in 2Q13. Totals for each location may exceed 100 percent because some computers reported threats from more than one category.

We also took a peek at the growing issue of ransomware - a type of malware designed to render a computer or its files unusable until the computer user pays a certain amount of money to the hacker. Often disguised as an official-looking warning from a well-known law enforcement agency, it accuses the computer user of committing a computer-related crime and demands that the user pay a fine via electronic money transfer to regain control of the computer.

We tracked the top ransomware families and found Win32/Reveton and Win32/Tobfy trending upward globally.

These are just a few of the many key findings contained in the latest report.  To download the Microsoft Security Intelligence Report Volume 15, visit

We hope you will read it, pass it on to others to read and use it as a resource to take action and help protect your computer and your organization’s systems from malicious software.

Vidya Sekhar

1:00 pm
Infection rates and end of support for Windows XP

In the newly released Volume 15 of the Microsoft Security Intelligence Report (SIRv15), one of the key findings to surface relates to new insight on the Windows XP operating system as it inches toward end of support on April 8, 2014.

In this post we want to highlight our Windows XP analysis and examine what the data says about the risks of being on unsupported software. In the SIR, we traditionally report on supported operating systems only. For this analysis we examined data from unsupported platforms, like Windows XP SP2, from a few different data points:

  • Malware encounters (newly introduced in SIRv15) in comparison to infections.
  • Infection rates for supported and unsupported operating systems.
  • Impact of antimalware protection on supported and unsupported operating systems.

Malware encounters and malware infections

Earlier today we published a blog post that discussed a new metric for analyzing malware prevalence which was introduced in the latest report. This new metric, called the encounter rate, measures the percentage of computers protected with Microsoft real-time antimalware products that come into contact with malware. It is important to note encounters do not equate to infections. Although some computers do report active malware, the vast majority of these encounters represent blocked infections reported by our antimalware products. Another recent blog explained our metrics in more detail.

You can think of the encounter rate as a way to measure what percentage of computers are exposed to malware. In comparison, the infection rate (CCM) measures how many computers out of 1,000 scanned by the Microsoft Malicious Software Removal Tool (MSRT) actually got infected. What’s really fascinating about these data points is when you compare the two.

The following chart shows the encounter rate in comparison to the infection rate by operating system and service pack. While Windows XP SP3 computers encountered almost as much malware as other platforms, computers running Windows XP as a whole experienced a much higher infection rate. For example, although Windows 8 computers may encounter a similar amount of malware as Windows XP, people who use Windows XP are six times more likely to get infected.

Figure 1: Malware infection and encounter rates for Windows operating systems during 2Q13

A few possible reasons for the higher infection rate on Windows XP are:

  • Antimalware protection may not be active or up to date (more on this hypothesis in the last section).
  • Older technology lacks the protective measures built into more recently introduced operating systems, and therefore is challenged to defend against some attacks.

Windows XP was built more than 12 years ago and was architected to include security technologies that were innovative at the time. For example, Windows XP SP2 was released in 2004 and introduced Data Execution Prevention. However, the threat landscape has changed quite a bit since then and technologies that were built a decade ago, like DEP, are now commonly bypassed. A paper released earlier this year from Trustworthy Computing: Software Vulnerability Exploitation Trends helps illustrate this point. The paper also provides a comparison of security mitigations built into Windows 8 and compares them against the mitigations built into Windows XP.

Newer operating systems are not vulnerable to many of the exploitation techniques that are still widely used and remain effective against older platforms. Newer operating systems include a number of security features and mitigations that older versions were simply not designed for at the time.

Infection rates on unsupported operating systems

Once support ends, if Windows XP SP3 follows a trend similar to prior Windows XP versions which are unsupported now, we can expect infection rates to rise.

For example, support for Windows XP SP2 ended on July 13, 2010 (support notification). The dashed blue line in the following chart represents its infection rate after that time.

Figure 2: Windows XP SP2 infection rate after end of support

In the first two years after Windows XP SP2 went out of support, the infection rate disparity between the supported (Windows XP SP3) and unsupported (Windows XP SP2) service packs grew. In fact, the infection rate of the unsupported version was, on average, 66 percent higher than the supported version (Windows XP SP3).

After support ends, Microsoft security updates are no longer provided to address newly found vulnerabilities, but that does not mean that new vulnerabilities won’t be discovered and exploited by attackers. For example, it will be possible for attackers to reverse-engineer new security updates for supported platforms to identify any vulnerabilities that may also exist in unsupported platforms. Tim Rains talked about the potential impact of doing so in his blog post this morning.

Impact of malware protection on supported and unsupported operating systems

One question I hear a lot when discussing unsupported versions of the OS is "So, won’t antivirus help protect my computer?" We absolutely encourage everyone to use real-time antimalware to help protect themselves against cybercriminal activity. In fact, the latest report shows that during the last quarter unprotected computers were 7.1 times more likely to be infected than protected computers.

That said, our data also tells us that running antimalware on out-of-support systems is not an equitable solution to protect against threats. The following chart compares the monthly infection rates for protected and unprotected computers on Windows XP SP2 and Windows XP SP3 in the last half of 2012 (this data for Windows XP SP3 was reported in the "Running unprotected" section of SIRv14).

The data shows that protected systems on Windows XP SP2 are twice as likely (2.2 times, to be exact) to be infected in comparison to protected Windows XP SP3 computers. Unprotected computers show a similar trend: you’re 2.5 times as likely to be infected on Windows XP SP2 in comparison to Windows XP SP3 when neither have up-to-date antimalware protection. 

Figure 3: Average infection rate for computers with and without antimalware protection

As past Microsoft Security Intelligence Reports have shown, running a well-protected solution means running up-to-date antimalware software, regularly applying security updates for all software installed and using a more modern operating system that has increased security technologies and mitigations. This advice remains consistent with the new data in SIRv15.

Of course this blog highlights just one of the many key findings in the latest report. I encourage you to download the report today to learn all about the latest trends in the threat landscape.

Holly Stewart

Wednesday, October 30th, 2013
4:11 am
New infection rate data for unprotected computers

In the previous Microsoft Security Intelligence Report, SIRv14, we introduced a new metric to measure the infection rate for computers protected with real-time antimalware software (protected computers) in comparison to computers that were not protected with up-to-date security software (unprotected computers). Using this new data, we wrote a feature story about the risks of running unprotected. Our customers told us that providing this data really helped measure the value of running real-time antimalware software. It clearly showed that security software can provide a significant contribution to a computer’s protection level.

With Windows 8, we’ve made further improvements to help keep customers protected.

For example, Windows Defender is automatically activated when the Windows 8 device is turned on for the first time, and will only deactivate if another antimalware program is running. If there is no other antimalware software installed, Windows Defender will be enabled. If another antivirus application is activated later, Windows Defender will automatically disable itself.  Windows Action Center monitors Windows Defender, and if it is turned off, Action Center will show a notification and provide an option to turn it back on. We’ve done all of this to help ensure that all Windows customers are protected.

What happens when another antimalware product is installed, but then stops receiving updates or the license expires? 

Like a computer without antimalware protection, this computer is also considered as being in an unprotected state.

At the MMPC, we closely monitor why people fall into an unprotected state.  Joe Blackbird and Bill Pfeifer presented on this topic at Virus Bulletin this year with The global impact of anti-malware protection state on infection rates. They found that more than half of the Windows 8 customers listed as unprotected are in that state because their antivirus has expired.

After assessing the telemetry on why customers were staying unprotected, a few updates were made in Windows 8.1 to help customers make a safe choice to stay protected. Now, after prompting a customer about their unprotected state and giving the choice to renew or see other options at the Windows Store, a final prompt helps the customer get back into a protected state even if they do not choose to renew. If you really don’t want to have protection enabled, you can still disable it – it’s your choice. The feature simply makes the safe choice really easy, and the less safe choice a bit more work.

During the past year I’ve talked to a lot of people who are just as passionate about keeping our customers protected as we are.  So, I’m happy to report that we now measure protected/unprotected data on a quarter-by-quarter basis as a standard part of the Microsoft Security Intelligence Report.

As shown in the following chart, our research reveals that every quarter, about 25 percent of computers are not completely protected. This includes computers that are both unprotected and intermittently protected. We count a computer as intermittently protected for the quarter if it reports being unprotected for one month. We’d like to move the number of computers in both categories closer to zero. 

We also found that computers that never had protection were 7.1 times more likely to be infected with malware than computers that always had protection.

Figure 1: Percentage of computers worldwide protected by real-time security software, 3Q12–2Q13

For more data and analysis on protected and unprotected computers, including how we calculate this data, see SIRv15.

Stay protected folks!

Holly Stewart
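The three MMPC posts above define the encounter rate, the infection rate (CCM, computers cleaned per 1,000 MSRT executions) and the protected/intermittent/unprotected split for a quarter. The following is an added example (not the MMPC's own code or data) that computes each of those metrics from a small constructed telemetry set; the machine records, the MSRT counts and the reading of "unprotected for one month" as "unprotected in at least one but not every month" are all assumptions made for the example.

```python
from collections import Counter

# Constructed sample telemetry (not real MMPC data): one record per machine for one quarter.
# "months" holds the protection state reported in each of the quarter's three months
# (True = real-time antimalware present and up to date), "encountered" whether the
# real-time product reported contact with malware (blocked or active), and "infected"
# whether the machine ended up with an active infection.
MACHINES = [
    {"id": 1, "os": "WinXP SP3", "months": [True, True, True],    "encountered": True,  "infected": False},
    {"id": 2, "os": "WinXP SP3", "months": [True, False, True],   "encountered": True,  "infected": True},
    {"id": 3, "os": "WinXP SP3", "months": [False, False, False], "encountered": False, "infected": True},
    {"id": 4, "os": "Win8",      "months": [True, True, True],    "encountered": False, "infected": False},
    {"id": 5, "os": "Win8",      "months": [True, True, True],    "encountered": True,  "infected": True},
    {"id": 6, "os": "Win8",      "months": [True, True, False],   "encountered": True,  "infected": False},
    {"id": 7, "os": "Win8",      "months": [False, False, False], "encountered": False, "infected": False},
]

# Constructed MSRT run counts per platform for the same quarter.
MSRT = {
    "WinXP SP3": {"executions": 20_000, "cleaned": 190},
    "Win8":      {"executions": 25_000, "cleaned": 30},
}

STATES = ("protected", "intermittent", "unprotected")


def ccm(cleaned, executions):
    """Computers cleaned per mille: machines cleaned per 1,000 MSRT executions."""
    if executions <= 0:
        raise ValueError("no MSRT executions reported")
    return 1000.0 * cleaned / executions


def ccm_ratio(msrt, os_a, os_b):
    """How many times higher the infection rate of os_a is compared with os_b."""
    return ccm(**msrt[os_a]) / ccm(**msrt[os_b])


def protection_state(months):
    """Protected every month -> 'protected'; never -> 'unprotected'; a mix -> 'intermittent'.
    (Assumed reading of the SIR's 'unprotected for one month' rule.)"""
    if all(months):
        return "protected"
    if not any(months):
        return "unprotected"
    return "intermittent"


def encounter_rate(machines):
    """Percent of machines that ran real-time protection at some point in the quarter
    (only those can report encounters) and came into contact with malware."""
    running = [m for m in machines if any(m["months"])]
    if not running:
        return 0.0
    return 100.0 * sum(m["encountered"] for m in running) / len(running)


def protection_summary(machines):
    """Percent of machines in each protection state for the quarter."""
    counts = Counter(protection_state(m["months"]) for m in machines)
    return {s: 100.0 * counts[s] / len(machines) for s in STATES}


def infection_rate_by_state(machines, state):
    """Percent of machines in the given protection state that were infected, or None."""
    group = [m for m in machines if protection_state(m["months"]) == state]
    if not group:
        return None
    return 100.0 * sum(m["infected"] for m in group) / len(group)


def relative_risk(machines, state_a, state_b):
    """Infection rate of state_a divided by that of state_b (None if undefined)."""
    a = infection_rate_by_state(machines, state_a)
    b = infection_rate_by_state(machines, state_b)
    if a is None or not b:
        return None
    return a / b


if __name__ == "__main__":
    for os_name, counts in MSRT.items():
        print(f"{os_name}: CCM {ccm(**counts):.1f}")
    print(f"XP SP3 infection rate is {ccm_ratio(MSRT, 'WinXP SP3', 'Win8'):.1f}x that of Win8")
    print(f"encounter rate: {encounter_rate(MACHINES):.1f}%")
    summary = protection_summary(MACHINES)
    print("protection states:", {s: round(v, 1) for s, v in summary.items()})
    print(f"not completely protected: {summary['intermittent'] + summary['unprotected']:.1f}%")
    print("never-protected vs always-protected infection risk: "
          f"{relative_risk(MACHINES, 'unprotected', 'protected'):.2f}x")
```

Because the two rates come from different populations (real-time product telemetry versus MSRT runs), the example keeps them as separate functions rather than deriving one from the other, which is the point the SIR posts make about reading them side by side.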


Friday, November 1st, 2013
12:28 am
Upatre: Emerging Up(d)at(er) in the wild

The MMPC is constantly monitoring emerging threats that are impacting our customers the most.

Recently, we started seeing Win32/Upatre being distributed in the wild. This chart shows how this threat has impacted customer machines in just about two months.

Figure 1: Monthly telemetry data on Win32/Upatre downloader


As we see in this next chart, the concentration of infections is in the United States with 96% of total infections, followed by the UK, Canada, and Australia. The high rate of infections in the US may be due to the spam distribution methods, such that infections are being reported via online email services.

Figure 2: Monthly telemetry data on Win32/Upatre by country


We have seen this malware distributed via spam campaigns with email attachments such as the following:

  • USPS_Label_<random number>.zip
  • USPS - Missed package 
  • Statement of 
  • <number>-<number>.zip
  • TAX_<variable names>.zip
  • Case_<random number>.zip
  • Remit_<variable names>.zip
  • ATO_TAX_<variable names>.zip

The <variable names> can be domains, company and individual names, or may be just random letters or words.
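The attachment names listed above can be turned into a triage rule on a mail gateway log. The following is an added example (not MMPC code) that matches the listed .zip naming patterns against constructed log lines; the log format, the sender addresses and the decision to read <random number> as digits and <variable names> as word characters, dots and dashes are assumptions made for the example.

```python
import re

# Constructed mail-gateway log lines (not real telemetry). Assumed format:
# <timestamp> from=<sender> attachment="<filename>"
LOG_LINES = [
    '2013-10-15T09:12:01Z from=billing@example.invalid attachment="USPS_Label_8823491.zip"',
    '2013-10-15T09:13:44Z from=hr@example.invalid attachment="Q3_report.pdf"',
    '2013-10-15T09:15:02Z from=notices@example.invalid attachment="ATO_TAX_contoso.zip"',
    '2013-10-15T09:16:30Z from=ap@example.invalid attachment="Remit_acme-corp.zip"',
    '2013-10-15T09:18:11Z from=noreply@example.invalid attachment="4471-20931.zip"',
    '2013-10-15T09:19:27Z from=legal@example.invalid attachment="Case_55213.zip"',
    '2013-10-15T09:20:05Z from=tax@example.invalid attachment="TAX_john.smith.zip"',
    '2013-10-15T09:21:40Z from=it@example.invalid attachment="Case_notes.docx"',
    '2013-10-15T09:22:15Z from=ops@example.invalid',
]

# Attachment-name patterns from the Upatre spam campaigns. <random number> is taken
# to mean digits only; <variable names> (domains, company or person names, random
# words) is approximated by a run of word characters, dots and dashes. The more
# specific ATO_TAX_ pattern is listed before TAX_ so it gets the precise label.
PATTERNS = [
    ("USPS_Label_<random number>.zip", re.compile(r"^USPS_Label_\d+\.zip$", re.IGNORECASE)),
    ("<number>-<number>.zip",          re.compile(r"^\d+-\d+\.zip$")),
    ("ATO_TAX_<variable names>.zip",   re.compile(r"^ATO_TAX_[\w.-]+\.zip$", re.IGNORECASE)),
    ("TAX_<variable names>.zip",       re.compile(r"^TAX_[\w.-]+\.zip$", re.IGNORECASE)),
    ("Case_<random number>.zip",       re.compile(r"^Case_\d+\.zip$", re.IGNORECASE)),
    ("Remit_<variable names>.zip",     re.compile(r"^Remit_[\w.-]+\.zip$", re.IGNORECASE)),
]

ATTACHMENT_RE = re.compile(r'attachment="([^"]+)"')


def classify_attachment(name):
    """Return the campaign pattern label the file name matches, or None."""
    for label, regex in PATTERNS:
        if regex.match(name):
            return label
    return None


def scan_log(lines):
    """Return (line number, file name, pattern label) for every matching attachment."""
    hits = []
    for number, line in enumerate(lines, start=1):
        found = ATTACHMENT_RE.search(line)
        if not found:
            continue  # line carries no attachment
        name = found.group(1)
        label = classify_attachment(name)
        if label:
            hits.append((number, name, label))
    return hits


if __name__ == "__main__":
    for number, name, label in scan_log(LOG_LINES):
        print(f"line {number}: {name!r} matches {label}")
```

The <variable names> patterns are deliberately broad, so they are better suited to routing a message for sandbox detonation or quarantine review than to an outright block.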

Furthermore, based upon the telemetry, Win32/Upatre is also distributed via exploit kits – such as those delivered via Java and PDF-related exploits.

Win32/Upatre’s end purpose is to download and install PWS:Win32/Zbot.gen!AM. The month after its first appearance, Win32/Upatre also started downloading the VBR bootkit TrojanDownloader:Win32/Rovnix.I.

In the past, PWS:Win32/Zbot.gen!AM was known to use URLs generated by a domain generation algorithm (DGA) to attempt to download updates. DGA URLs are harder to track than normal URLs, as the attacker usually registers them for only a very short time of their choosing. Because the attacker knows the algorithm, they can predict which domain the malware will attempt to connect to at any given date and time.

However, recently we have seen this variant of Zbot configured to download other malware. In particular, we have seen it downloading the "CryptoLock" ransomware that we detect as Trojan:Win32/Crilock.B. After a few days, it was modified to download a different malware, detected as Trojan:Win32/Necurs.A.

This diagram shows the infection chain:

Figure 3: Upatre and Zbot infection chain


It is worth noting that a recent variant of this downloader (TrojanDownloader:Win32/Upatre.B) shares common modules with its payload malware, Win32/Zbot. The way Upatre’s code has evolved over time has made it easier to embed more URL links. It has an export function named loaderConfigSource() that contains no code but rather data: the URLs from which to download malware.

Figure 4: loaderConfigSource export function

Figure 5: Pseudo code of the core downloading module


This may also impact the proper system remediation of Win32/Zbot (or other malware used as the payload in Win32/Upatre variants) because failure to properly detect and block Win32/Upatre may mean your system will get re-infected by Win32/Zbot.

The MMPC team is constantly monitoring emerging threats and ensuring that our protection covers them. As always, we recommend keeping your security products up-to-date.


Rodel Finones




Tuesday, November 12th, 2013
5:00 pm
MSRT November 2013 - Napolar

We first noticed the new family we named Win32/Napolar being distributed in the wild in early August this year. It quickly became a big problem on our customers’ machines.

Napolar is one of two families targeted by the Malicious Software Removal Tool (MSRT) this month. The other is the bitcoin mining family Win32/Deminnix.

As shown in the chart below, Napolar was hitting ~220K unique machines during the week of August 23rd.

Napolar is a trojan that can download and run files, utilize your machine’s resources to conduct a DDoS attack or serve as a SOCKS proxy, monitor network traffic, and steal credentials for FTP, POP3 and websites. There is also a plugin infrastructure designed in Napolar, but we haven’t seen much usage of it.

Figure 1: Napolar infected machines in August/September 2013

The major infection vector used by Napolar during the spike of the week of August 23rd was a spammed link sent in a Facebook message.

The group behind this distribution campaign chose to use public file-sharing services (such as 4shared and mediafire) to host their malware. They also used computers infected by another family, Win32/Dorpiex, to send the malicious links to the victims' Facebook friends.

The links redirect to a Napolar executable hosted on the file-sharing service. The files downloaded from those links have a name and icon that make them look like an image (see the example below) to lure people into opening them.

Although this is an old and well-known social engineering trick, sadly it still fools a decent number of victims.

Figure 2: An example of the downloaded file containing win32/Napolar

Napolar installs itself much like other bots, but it goes a step further and installs a user-mode rootkit: it hooks the native API Ntdll!NtQueryDirectoryFile to hide its file from directory listings, and Ntdll!NtResumeThread to inject itself into newly created processes.

The chart below shows a typical process tree for Napolar. In newer variants, the main module name “lsass.exe” and the plugins folder name “SlrPlugins” are replaced by random names. There is more information on this in our Napolar family description.

Napolar starts when a user logs on, because its file is placed in the %Startup% folder. The file is hidden by the user-mode rootkit, so it cannot be seen in Windows Explorer. To be stealthier still, the main payload is injected into and runs inside the explorer.exe process. The payload performs the main tasks: communicating with the C&C, downloading files and plugins, and so on. We have seen it download Win32/Dorpiex, which spreads the infection further, and Win32/Vicenor, which mines bitcoins.

Figure 3: A typical process found in Win32/Napolar

When running inside web browsers and other processes that have ws2_32.dll loaded, Napolar monitors network traffic and captures credentials by matching it against configured patterns. The default strings ‘USER’ and ‘PASS’ capture logins from unencrypted FTP and POP3 sessions, and the C&C can supply further patterns to capture credentials submitted to websites.

Besides hiding itself, Napolar also tries to block changes to the following registry key paths with its rootkit functionality:

  • Microsoft\Windows\CurrentVersion\Run
  • Microsoft\Windows NT\CurrentVersion\Windows\run
  • Microsoft\Windows NT\CurrentVersion\Windows\load
  • Microsoft\Windows\CurrentVersion\Policies\Explorer\run
  • Microsoft\Windows NT\CurrentVersion\Winlogon
  • Microsoft\Active Setup\Installed Components

According to one website that advertises and sells Napolar as “Solar Bot”, this “feature” is intended to block the installation of other bots, in other words to keep competing malware off the machine, a reminder of how crowded and competitive the black market already is.

A couple of anti-debugging tricks found in Napolar are also worth mentioning. They are not new, but they work against common debuggers:

  • A code section named “%*s%*s%s*”, a string of printf-style format specifiers that crashes OllyDbg when it displays the section name.
  • Self-debugging (running under a copy of itself acting as debugger), which prevents another debugger from attaching, since a process can have only one debugger at a time.
  • Hooking Ntdll!DbgUiRemoteBreakin to block a debugger from attaching to the running process.

More interestingly, Napolar is written like shellcode: it can relocate itself and resolves the APIs it needs dynamically. At first glance it is an x86 executable; however, so that it works on both x86 and x64 Windows, it embeds an x64 copy of itself (no PE structure, just code and data) inside the x86 executable. When it finds itself running under WOW64 (the 32-bit subsystem of 64-bit Windows), it decompresses the x64 code with the standard API RtlDecompressBuffer, using COMPRESSION_FORMAT_LZNT1.

To run 64-bit code from its x86 code, Napolar allocates a 7-byte buffer, writes into it a far call to the decompressed x64 code with the segment selector set to 0x33 (the 64-bit code segment under WOW64), and then calls into the buffer.

Figure 4: Napolar generates far call code into segment 0x33

The far call switches the current thread into 64-bit mode, where the x64 code injects itself into the 64-bit explorer.exe.
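
The two steps just described, unpacking the embedded x64 blob and building the far-call stub, as an added example written for this page (it is not Napolar's code). lznt1_decompress() is a pure-Python equivalent of RtlDecompressBuffer with COMPRESSION_FORMAT_LZNT1, for use on a blob carved out of the x86 file; build_far_call() encodes the 7-byte `call far 0x33:target` instruction (opcode 9A, 32-bit offset, 16-bit selector), and find_far_calls() scans a buffer for such stubs, which is the check a triage script would run over a suspicious sample. The compressed sample stream and the target address 0x402000 are constructed for the demonstration, and the scanner also matches the far jmp form (opcode EA), which the post does not mention.

```python
import struct

X64_CODE_SELECTOR = 0x33  # 64-bit code segment selector under WOW64


def lznt1_decompress(data: bytes) -> bytes:
    """Pure-Python RtlDecompressBuffer(COMPRESSION_FORMAT_LZNT1).

    The stream is a sequence of chunks, each with a 16-bit little-endian
    header: bits 0-11 = chunk size - 1, bit 15 = compressed flag.  Inside a
    compressed chunk each flag byte governs the next 8 tokens (bit clear =
    literal byte, bit set = 16-bit back-reference token).
    """
    out = bytearray()
    pos = 0
    while pos + 2 <= len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if header == 0:                      # end-of-stream marker
            break
        chunk_end = min(pos + (header & 0x0FFF) + 1, len(data))
        if not header & 0x8000:              # stored (uncompressed) chunk
            out += data[pos:chunk_end]
            pos = chunk_end
            continue
        chunk_start = len(out)               # back-references stay inside the chunk
        while pos < chunk_end:
            flags = data[pos]
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:   # literal byte
                    out.append(data[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", data, pos)[0]
                pos += 2
                # The offset/length bit split depends on how much of the chunk
                # is already written: 4/12 for the first 16 bytes, then 5/11...
                written = len(out) - chunk_start - 1
                length_mask, offset_shift = 0x0FFF, 12
                while written >= 0x10:
                    length_mask >>= 1
                    offset_shift -= 1
                    written >>= 1
                length = (token & length_mask) + 3
                offset = (token >> offset_shift) + 1
                if offset > len(out) - chunk_start:
                    raise ValueError("LZNT1 back-reference points outside chunk")
                for _ in range(length):      # byte-wise copy handles overlap
                    out.append(out[-offset])
    return bytes(out)


def build_far_call(target: int, selector: int = X64_CODE_SELECTOR) -> bytes:
    """Encode 'call far selector:target' as 9A <imm32> <imm16>: exactly 7 bytes."""
    if not 0 <= target <= 0xFFFFFFFF:
        raise ValueError("target must fit in 32 bits")
    return b"\x9a" + struct.pack("<IH", target, selector)


def find_far_calls(blob: bytes, selector: int = X64_CODE_SELECTOR):
    """Return (offset, opcode, target) for each far call (9A) or far jmp (EA)
    whose selector equals `selector`; a cheap heuristic for mode-switch stubs."""
    hits = []
    for i in range(len(blob) - 6):
        if blob[i] in (0x9A, 0xEA):
            target, sel = struct.unpack_from("<IH", blob, i + 1)
            if sel == selector:
                hits.append((i, blob[i], target))
    return hits


# Constructed sample stream: one compressed chunk encoding "ABCABCABCABC"
# (three literals, then a 9-byte back-reference of distance 3) followed by
# one stored chunk holding "hello!".
SAMPLE_STREAM = b"\x05\xb0\x08ABC\x06\x20" + b"\x05\x30hello!"

if __name__ == "__main__":
    print(lznt1_decompress(SAMPLE_STREAM))
    stub = build_far_call(0x00402000)        # 0x402000 is a made-up target
    print(stub.hex(), find_far_calls(b"\x90" + stub + b"\xc3"))
```

The scanner is deliberately loose: 0x9A and 0xEA are also valid bytes inside other instructions, so a hit is a lead for manual confirmation (is the target inside a decompressed, executable buffer?) rather than a verdict on its own.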

Napolar is a trojan that can do real damage, from deploying more malware to stealing your credentials. The social engineering trick it uses is simple but it works, so be careful when opening executables sent over social networks. Even if one is sent by a friend, do not open it if you have no idea what it is.

As always, the best protection from Napolar and similar threats is an up-to-date, real-time security solution.

Shawn Wang

Friday, November 15th, 2013
1:09 am
Febipos for Internet Explorer

In a previous blog post we discussed Trojan:JS/Febipos.A, a malicious browser extension that targets the Facebook profiles of Google Chrome and Mozilla Firefox users. We recently came across a new Febipos sample that was specifically developed for Internet Explorer - we detect it as Trojan:Win32/Febipos.B!dll.

This trojan is a browser helper object (BHO) that loads a JavaScript file into Internet Explorer. We detect the loaded JavaScript as Trojan:JS/Febipos.E. The plugin tries to look legitimate by calling itself “MicrosoftSecurityPlugin” in the Internet Explorer add-ons list.

Figure 1: The plugin tries to look legitimate in Internet Explorer add-ons

Spamming links on Facebook

Once installed and loaded, Trojan:Win32/Febipos.B!dll attempts to load a configuration file that it downloads from <removed>.php. With that configuration it can act on a logged-in Facebook account to:

  • Like a page
  • Share
  • Post
  • Join a group
  • Invite friends to a group
  • Chat with your friends
  • Comment on a post

We have seen it post the following messages in Portuguese on the wall of the logged-in Facebook account. It can also tag several of the affected user’s friends:

  • Encontrei um vídeo no Youtube ensinando a ganhar $$ na Internet pelo Google! Acho que vale a pena
    I found a video on Youtube teaching how to earn $$ on the Internet through Google! I think it’s worth it.
  • Nem eu acredito, mas é verdade.
    Even I don’t believe it, but it’s true.
  • Dificuldades para PERDER PESO? Com ULTRA SLIM você emagrece sem sofrer!
    Struggling to lose weight? With ULTRA SLIM you lose weight without suffering!
    Lose weight, gain in health and self-esteem. It’s only up to you.
  • Encontrei um vídeo no Youtube ensinando a ganhar $$ na Internet pelo Google!
    I found a video on Youtube teaching how to earn $$ on the Internet through Google!
  • Oportunidade: Google paga R$160 por hora para trabalhar em Casa!
    Opportunity: Google pays R$ 160 per hour to work from home!
  • Ganhe R$15.000 por mês trabalhando em Casa na Internet. Acesse o Link e saiba como!
    Earn R$15,000 per month working from home on the Internet. Click on the link and find out how!

One of the following URLs is also included in the message:


It may also use one of the following images:

Figure 2: An example of the images used by Trojan:Win32/Febipos.B!dll in Facebook spam

Here is an example of the Facebook post: 

Figure 3: An example Trojan:Win32/Febipos.B!dll Facebook post

When someone clicks on the link in the message, they are redirected to <removed>/v294v294e4p233r224w2t254/. This site then redirects again to one of the following URLs:



We have seen Trojan:Win32/Febipos.B!dll being dropped and loaded by Trojan:Win32/Febipos.B with the path and filename %appdata%\WService.dll. It is loaded and registered with regsvr32.exe, the legitimate Windows application used to register dynamic-link libraries and ActiveX controls in the registry.

The trojan creates the following registry entries to register itself as a browser helper object:

  • HKEY_CLASSES_ROOT\CLSID\{3543619C-D563-43f7-95EA-4DA7E1CC396A}
    (default) = "MicrosoftSecurityPlugin"
  • HKEY_CLASSES_ROOT\CLSID\{3543619C-D563-43f7-95EA-4DA7E1CC396A}\InProcServer32
    (default) = "%appdata%\WService.dll"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3543619C-D563-43f7-95EA-4DA7E1CC396A}
    (default) = "MicrosoftSecurityPlugin"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3543619C-D563-43f7-95EA-4DA7E1CC396A}\InProcServer32
    (default) = "%appdata%\WService.dll"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{3543619C-D563-43f7-95EA-4DA7E1CC396A}

It will also create the following registry entry to ensure it is only loaded in Internet Explorer and not in Windows Explorer:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{3543619C-D563-43f7-95EA-4DA7E1CC396A}
    NoExplorer = dword:00000001

The following registry values are also created to suppress some Internet Explorer notifications:

  • IgnoreFrameApprovalCheck = dword:00000001
    Suppresses the Internet Explorer notification telling the user that the add-on is ready to use
  • DisableAddonLoadTimePerformanceNotifications = dword:00000001
    Suppresses the Internet Explorer add-on performance notifications
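
The registration above is the kind of thing an incident responder checks from a Registry export rather than on the live box. The following added example (written for this page, not Febipos code) parses .reg text, joins each CLSID listed under the Browser Helper Objects key with its InProcServer32 path, and flags BHOs that load a DLL from a user-writable profile location or that set the NoExplorer, IgnoreFrameApprovalCheck or DisableAddonLoadTimePerformanceNotifications values. The .reg text is constructed from the values in this post; the post does not say under which key the last two values are written, so placing them under the BHO key is an assumption, and the second, clean add-on (CLSID {11111111-...}, C:\Program Files\Example\example.dll) is invented for contrast.

```python
import re

# Substring that identifies a BHO registration key (paths are compared lowercase).
BHO_KEY = "\\explorer\\browser helper objects\\"
CLSID_RE = re.compile(r"\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}", re.I)
# Locations an unprivileged user can write to; a BHO DLL has no business there.
USER_WRITABLE = re.compile(
    r"%(?:appdata|localappdata|temp|userprofile)%|\\users\\[^\\]+\\appdata\\", re.I)
# Values the post reports Febipos setting; assumed to live under the BHO key.
FLAG_VALUES = ("noexplorer", "ignoreframeapprovalcheck",
               "disableaddonloadtimeperformancenotifications")

# Constructed export: the Febipos entries from the post plus an invented clean BHO.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{3543619C-D563-43f7-95EA-4DA7E1CC396A}]
@="MicrosoftSecurityPlugin"

[HKEY_CLASSES_ROOT\CLSID\{3543619C-D563-43f7-95EA-4DA7E1CC396A}\InProcServer32]
@="%appdata%\\WService.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{3543619C-D563-43f7-95EA-4DA7E1CC396A}]
"NoExplorer"=dword:00000001
"IgnoreFrameApprovalCheck"=dword:00000001
"DisableAddonLoadTimePerformanceNotifications"=dword:00000001

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Example Toolbar"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32]
@="C:\\Program Files\\Example\\example.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
"""


def parse_reg(text: str) -> dict:
    """Return {key_path.lower(): {value_name.lower(): value}} from .reg text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"').lower()
            if value.startswith('"'):   # REG_SZ: drop quotes, undo .reg escaping
                value = value.strip('"').replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = value
    return keys


def audit_bhos(reg_text: str) -> list:
    """One finding per registered BHO: CLSID, resolved DLL path and reasons."""
    keys = parse_reg(reg_text)
    findings = []
    for path, values in keys.items():
        if BHO_KEY not in path:
            continue
        m = CLSID_RE.search(path)
        if not m:
            continue
        clsid = m.group(0).lower()
        dll = None
        # The CLSID registration may sit in HKCR or in HKLM\SOFTWARE\Classes.
        for root in ("hkey_classes_root", "hkey_local_machine\\software\\classes"):
            entry = keys.get(f"{root}\\clsid\\{clsid}\\inprocserver32", {})
            if "(default)" in entry:
                dll = entry["(default)"]
                break
        reasons = []
        if dll is None:
            reasons.append("no InProcServer32 path registered")
        elif USER_WRITABLE.search(dll):
            reasons.append("DLL loads from a user-writable profile path")
        for name in FLAG_VALUES:
            if values.get(name, "").lower().endswith("dword:00000001"):
                reasons.append(f"{name}=1")
        findings.append({"clsid": clsid, "dll": dll, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_bhos(SAMPLE_REG):
        print(f["clsid"], f["dll"], f["reasons"] or "clean")
```

On a real export the user-writable-path check is the strongest signal: a legitimate BHO is installed under Program Files by an installer running with admin rights, whereas a DLL under %appdata% was written by something running as the user.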

All of the above information was accurate at the time of our analysis; however, these websites can change at any time. In any case, we always recommend keeping your security products up-to-date with the latest definitions to help reduce your chance of infection.

Jonathan San Jose


5cbd9c1e870b09fdd4b67e7610acbea8dddee9bd - Trojan:Win32/Febipos.B
361546e95a79b96a15e15ab82b1849f68b7381b2 - Trojan:Win32/Febipos.B!dll
bad556fb373e14f7041b3361ca450b2156a5ecda - Trojan:JS/Febipos.E

Tuesday, November 19th, 2013
2:00 pm
Backup: the best defense against (Cri)locked files

Crilock, also known as CryptoLocker, is a notorious ransomware family that has been making the rounds since early September. Its primary payload targets and encrypts your files, such as pictures and Office documents. All of the file types it encrypts are listed in our Trojan:Win32/Crilock.A and Trojan:Win32/Crilock.B descriptions.

Crilock affected about 34,000 machines between September and early November 2013.

Once Crilock has encrypted your files, they are unusable. The malware shows a message that covers your desktop and demands a ransom to regain access to your files. The ransom can be paid through various online payment methods such as Bitcoin, CashU, MoneyPak, Paysafecard, and Ukash. Once you pay, the malware authors supposedly hand over the private key needed to decrypt your files. We don’t recommend doing this: there is no guarantee that paying will get your documents back, and you would be handing criminals some of your hard-earned money.

Figure 1: The message that Crilock might display on your desktop

Figure 2: Crilock asks you to upload your encrypted documents and recover them for a fee

The Crilock authors have even set up an online payment service on the Tor network where affected people can upload their encrypted files for recovery.

Crilock encrypts each file with its own AES-256 key and then encrypts that per-file AES key with a 2048-bit RSA public key. The per-file keys therefore cannot be recovered without the matching RSA private key, which only the attackers hold. This is the same technique used by the GpCode ransomware, which first appeared in 2006 and used RC4 for the file contents and 1024-bit RSA to encrypt the per-file key.

Crilock can be downloaded onto your computer by exploits or malware. For instance, we have seen Upatre download Zbot, which in turn downloads Crilock. Upatre has been heavily spammed in the past few months, and spam runs can be an effective way to distribute malware. This is discussed in detail in the blog post Upatre: Emerging Up(d)at(er) in the wild.

As shown in the chart below, Crilock has predominantly affected English-speaking countries, although it does have a comparatively small presence in non-English speaking locations as well. Every Crilock variant we’ve seen so far has a ransom message written only in English.

Figure 3: Crilock-affected countries from September 2013 to early November 2013

Can you recover your documents without paying?

In some cases, you can recover previous versions of encrypted files. However, the following conditions must be met:

  • System Restore must have been turned on before you were infected with Crilock, so that previous versions of your files were kept.
  • You must already have detected and removed Crilock, with no trace of it left on your PC; otherwise the restored files will simply be encrypted again.
  • Your files must be on the same PC you're using to recover them (that is, not on a network or removable drive).

SkyDrive in Windows 8.1 also keeps previous versions of Office documents. As with System Restore, you can look at the version history and recover a file from an earlier state.

Figure 4: Right-click on the file to see available version history

Figure 5: Restore file from older known working versions

You can find more information about restoring previous file versions below:

We’ve also added signatures based on Crilock behaviors to our antimalware products. This detection, Behavior:Win32/Crilock.A, can catch the malware before it encrypts any files.

Crilock is not the first malware to extort money by encrypting files and it certainly won’t be the last. However, you can help prevent Crilock and other malware from infecting your PC by:

  • Keeping your operating system and antivirus product up-to-date.
  • Being careful about which files you download (and where you download from).
  • Being cautious about which attachments and links you open.

Ransomware such as Crilock also underlines the importance of backing up your files regularly. You can back up files by enabling System Restore, by syncing them to another location, or simply by copying them to a separate drive; keep that drive disconnected when it is not in use, since a drive that stays attached is within the malware's reach.

Marianne Mallen and Karthik Selvaraj

Thursday, November 21st, 2013
4:48 am
Carberp-based trojan attacking SAP

Recently there has been quite a bit of buzz about an information-stealing trojan that was found to be targeting the logon client for SAP. We detect this trojan as TrojanSpy:Win32/Gamker.A.

SAP is a global company with headquarters in Germany and operations in 130 countries worldwide. SAP develops enterprise software applications for tracking and managing business operations, and is used by an estimated 86% of Forbes 500 companies. These business operations can range from applications such as tracking the manufacture of a product in a factory, managing human resources processes, or tracking and managing customer sales. Needless to say, the data contained in SAP systems is often sensitive and the security surrounding SAP systems is a recurring topic in the information security field.

A few weeks ago, another vendor reported a trojan in the wild that specifically includes functionality targeting SAP. It is believed to be the first criminal malware to target SAP.

In this blog we will present our analysis on how this trojan targets SAP and how it has code in common with Win32/Carberp.


Based on Carberp source

Carberp is an infamous banking trojan whose source code was leaked earlier this year, and Gamker clearly shares part of that code. Gamker matches the remote-control (hidden VNC) code contained in the Carberp source tree:

  • Carberp/source - absource /pro/all source/RemoteCtl/hvnc2/libs/hvnc/hvnc/

The following relative files match through the string constants that are encrypted within Gamker:

This usage of the virtual network computing (VNC) code indicates that Gamker has the capability to remotely control an infected machine. It is unclear if there is a larger connection between Gamker and Carberp since the remainder of Gamker’s code differs from Carberp's publicly leaked code.


SAP targeting

Gamker is a general banking and information-stealing trojan. Among its targets are online banking web-browser sessions, BitCoin wallets, public and private keys, cryptography tools, and finance-related software applications. In this section we go into detail on the threat this trojan poses to SAP.

The malware records keystrokes per application, writing the keylog in plaintext under "%APPDATA%\<lowercase letters>". An example of the recorded keylog is shown in Figure 1:

Figure 1: Example of recorded keylogs


In addition to this keylogging, the payload contains a hardcoded list of application names that are used as triggers to record additional information. This list includes the SAP Logon for Windows client, saplogon.exe, as seen in Figure 2:

Figure 2: Targeting of SAP saplogon.exe component


Table 1 - List of triggers used to record screenshots and command-line arguments (only the category assigned by the trojan author is listed)

  • Client for Remote Administration
  • Unknown Russian payment-related tool
  • Unknown, likely a tool used to perform HTTP POST operations
  • Unknown, likely a tool used to perform HTTP POST operations
  • Tool by Western Union Inc
  • Client for VPN remote access to computers
  • Tool used to manage TrueCrypt protected filesystems
  • Tool used to manage BestCrypt protected filesystems
  • SAP Logon for Windows
  • Application by Omikron related to electronic banking
  • Application by Omikron related to electronic banking
  • Application by Omikron Systemhaus GmbH related to electronic banking
  • Application by UniCredit Bank Australia
  • Maybe Deutsche Bundesbank Eurosystem
  • Maybe Deutsche Bundesbank Eurosystem
  • Profibanka by Komercní banka
  • Banking application, Komercní banka


When the keylogging component is loaded into a process whose executable name matches one of the entries in Table 1, it additionally records the command-line arguments passed to the application and begins capturing screenshots of the entire desktop: 10 screenshots about one second apart, which are then transmitted to the C&C server.

In addition to these listed triggers, there are also two other application lists used as screen and command-line argument-recording triggers included in Table 3 and Table 4 below, under the category names "IT" and "ETC" respectively.

An example of the recorded data after executing "saplogon.exe" with command-line arguments "-test" can be seen in Figure 3 below:

Figure 3: Recording of command-line arguments passed into saplogon.exe


Screenshots are captured every second into the "%APPDATA%\<lowercase letters>\scrs\" directory, as seen in Figure 4 below:

Figure 4: Screenshots captured after executing saplogon.exe
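
A detection angle on the capture behaviour described above, as an added example written for this page (it is neither Gamker code nor a Microsoft signature): ten screenshots roughly one second apart under %APPDATA%\<lowercase letters>\scrs\ is a burst of file creations that the injected process would not otherwise produce. The function below runs over file-creation events in a constructed, made-up log format (timestamp, pid, image, operation, path; the directory name qwfhrt stands in for the random lowercase letters) and alerts when one process writes at least min_files files into such a directory inside a short window. The threshold of five files in fifteen seconds is a starting guess to be tuned, and the lowercase-only directory pattern follows the naming the post reports.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "...\AppData\Roaming\<lowercase letters>\scrs\<file>", the layout the post
# reports; the random directory name is assumed to be lowercase letters only.
SCRS_PATH = re.compile(r"\\AppData\\Roaming\\[a-z]+\\scrs\\[^\\]+$")
# Made-up event format: "<iso timestamp> pid=<n> image=<exe> op=<op> path=<file>"
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>.+?) op=(?P<op>\w+) path=(?P<path>.+)$")


def parse_event(line: str):
    """Parse one constructed-format event line; None if it does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["pid"] = int(ev["pid"])
    return ev


def detect_screenshot_bursts(lines, min_files=5, window=timedelta(seconds=15)):
    """Alert when one process creates >= min_files files in one scrs directory
    within `window`.  Returns a list of alert dicts (empty if nothing fires)."""
    writes = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev and ev["op"] == "FileCreate" and SCRS_PATH.search(ev["path"]):
            directory = ev["path"].rsplit("\\", 1)[0]
            writes[(ev["pid"], ev["image"], directory)].append(ev["ts"])
    alerts = []
    for (pid, image, directory), stamps in writes.items():
        stamps.sort()
        start, best = 0, 0
        for end in range(len(stamps)):           # sliding time window
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_files:
            alerts.append({"pid": pid, "image": image, "directory": directory,
                           "count": best, "first": stamps[0], "last": stamps[-1]})
    return alerts


def _burst(pid, image, directory, start, n):
    """Constructed burst: n FileCreate events one second apart."""
    return [f"{(start + timedelta(seconds=i)).isoformat()} pid={pid} image={image} "
            f"op=FileCreate path={directory}\\{i + 1}.bmp" for i in range(n)]


T0 = datetime(2013, 11, 20, 9, 14, 2)
# Constructed sample log: the capture burst from an injected saplogon.exe,
# one unrelated Explorer write, and one lone file in another scrs directory.
SAMPLE_EVENTS = (
    _burst(1844, r"C:\Program Files\SAP\FrontEnd\SAPgui\saplogon.exe",
           r"C:\Users\alice\AppData\Roaming\qwfhrt\scrs", T0, 10)
    + [f"{T0.isoformat()} pid=2016 image=C:\\Windows\\explorer.exe op=FileCreate "
       f"path=C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\report.lnk",
       f"{(T0 + timedelta(minutes=3)).isoformat()} pid=3320 image=C:\\Windows\\notepad.exe "
       f"op=FileCreate path=C:\\Users\\alice\\AppData\\Roaming\\abc\\scrs\\notes.txt"]
)

if __name__ == "__main__":
    for alert in detect_screenshot_bursts(SAMPLE_EVENTS):
        print(f"pid {alert['pid']} ({alert['image']}) wrote {alert['count']} files "
              f"to {alert['directory']} between {alert['first']} and {alert['last']}")
```

Keying the counter on the process as well as the directory matters: the writer is the application the component was injected into (saplogon.exe here), so the alert names the process whose memory an analyst should pull, and the directory name is the per-infection random string.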


In summary, this is an attempted attack on SAP, not a harmless data-gathering exercise to find out whether SAP is installed. The attackers use the execution of the SAP component saplogon.exe as a trigger to record the command-line arguments passed to it and to send a series of 10 screenshots to the C&C server, in addition to the keylog. In many cases the information sent to the server will include critical data such as:

  1. Keylogs:
    • SAP password and sometimes the user name.
  2. Screenshots:
    • SAP user name, server name, some confidential data, and more.
  3. Command-line arguments:
    • Unlikely to contain sensitive information based on initial analysis of the ‘saplogon.exe’ binary.
  4. VNC:
    • A VNC session can be initiated by the attacker to grab any additional information necessary to compromise the SAP server, as well as attack the SAP server directly from the infected machine.

This trojan’s targeting of businesses, as opposed to individuals, is an alarming move and we will be monitoring this for further developments to protect and inform our customers.


Mitigating the risk

To reduce the risk of, and limit the damage from, an attack like this one on SAP, a number of security policies are recommended. Some general ones are:

  • Access control. Grant users the minimum access privilege level required to complete their job. This reduces the amount of data compromised in a successful attack.
  • Two-factor authentication. With a second factor, a keylogged SAP password alone is not enough to log on, which may stop this attack from succeeding; note that an attacker with VNC access to the workstation can still act through a session the user has already opened.
  • Security education. Schedule training courses for all employees. A security-smart employee may be able to avoid infection in the first place.
  • Antimalware solution. Run antimalware software on all workstations and monitor compliance. This may detect the trojan prior to infecting the workstation.
  • Network intrusion detection system. This may create alerts on the suspicious VNC connection, detect the data exfiltration, or may also detect the trojan C&C communication on the network.
  • Security management. Ensure that workstations run an up-to-date version of Windows with the latest security patches applied, and that all security-critical software such as Java, Adobe Flash, Adobe Reader, Microsoft Office and web browsers is up-to-date. Compliance needs to be monitored and enforced.

For further recommendations, guidelines, and information on additional SAP security products it is recommended to consult SAP and read through their security solutions.



Geoff McDonald





Table 2 – Reference checksums for analyzed samples

  • MD5: c9197f34d616b46074509b4827c85675 - injects the trojan into all processes.
  • MD5: efe6cd23659a05478e28e08a138df81e - Carberp-based password and information stealer.


Table 3 – Additional screen and command-line capture triggers under the category "IT"

  • IDProtect Monitor.exe


Table 4 – Additional screen and command-line capture triggers under the category "ETC"

Wednesday, November 27th, 2013
2:09 am
Our protection metrics – October results

Last month we introduced our monthly protection metrics and talked about our September results. Today, we’d like to talk about our results from October. If you want a refresh on the definition of the metrics we use in our monthly results, see our prior post: Our protection metrics – September results.

During October 2013, while our rate of incorrect detections remained low, and our performance metrics stayed fairly consistent, the infection rate of 0.18 percent was higher in comparison to the average daily infection rate of 0.1 percent in the first half of the year.

In September, we talked about a family called Win32/Sefnit that was the driver behind the increase in our infection rate. We mentioned that the distributors of Sefnit are using some sneaky techniques to infect computers. This includes programs that install legitimate software, and occasionally install legitimate software with bonus material (Sefnit). Many of these installer programs were previously determined to be clean. However, with this change in behavior (installing the Sefnit malware), they now meet our detection criteria.

Sefnit is a bot that can take instructions from remote servers to do practically anything. We’ve observed it using infected computers for click fraud, which makes money by pretending to be a person clicking on ads from your computer or by redirecting your search results. It may also abuse your computer’s resources through Bitcoin mining.

The two installer families related to Sefnit that were behind the high active infection rate in October are Win32/Rotbrow and Win32/Brantall. Rotbrow is a program that claims to protect you from browser add-ons. Brantall pretends to be an installer for other, legitimate programs, and may install those legitimate programs as well as malware. These previously legitimate programs were prevalent compared with most malware families, which is why most of our detections in October were on active infections.

The Malicious Software Removal Tool, which scans 600-700 million computers each month, has found and removed more than two million Sefnit infections on computers protected by current, real-time antimalware during the past two months. Until our antimalware partners target not only Sefnit, but also the Sefnit installers, people may struggle with reinfections.

Like us, many antimalware vendors have previously classified these programs as clean or potentially unwanted rather than high or severe malware. We’ve even had a tester ask us recently if our detection for one of these programs was an incorrect detection. Based on the installation of Sefnit, these programs absolutely meet our detection criteria, even if they had previously developed a reputation as a clean program.

We’ve identified related samples for our antimalware partners so that they can protect their customers against these threats if they have not already.

If you want to check your computer for Rotbrow or Brantall, you can install Microsoft Security Essentials, enable Windows Defender (on Windows 8), or use the Microsoft Safety Scanner if you already have current antimalware installed. They’re all provided to you for free to make good on our pledge to help keep you all safe. You can read more about our security software on the Microsoft Malware Protection Center website.

Our goal is to provide great antimalware solutions for our consumer and business customers. I hope this blog demonstrates how committed we are in raising the bar for ourselves and others in the industry for doing so. We're monitoring our results, performance, and progress closely, prioritizing for real threats that might affect our customers and applying lessons learned to make our products even better. Plus, we support our antimalware partners in order to build a strong ecosystem to fight malware – the true adversary. More next month!

Holly Stewart


Tuesday, December 10th, 2013
6:00 pm
Rotbrow: the Sefnit distributor

This month's addition to the Microsoft Malicious Software Removal Tool is a family that is both old and new. Win32/Rotbrow existed as far back as 2011, but the first time we saw it used for malicious purposes was only in the past few months.

In September, Geoff blogged about the dramatic resurgence of Win32/Sefnit (aka Mevade). At the time, we knew of several ways in which Sefnit was distributed, but we continued investigating how it was able to get on so many machines. When we concentrated on the most prevalent component, which Geoff labelled the "Updater and Installer Service" in his blog, we found one file in particular stood out. We knew that this file was bundled with an installer for a harmless program called FileScout, but where did the FileScout installer come from?

Our telemetry showed us a pattern. The FileScout/Sefnit installer was not being downloaded directly from the web; it was usually written by a process called "BitGuard.exe". We were quickly able to trace the individual file that was writing the installer on so many computers. It was the most prevalent sample of something that called itself "Browser Protector" (and sometimes "Browser Defender"). We had seen many versions of this before, but never any that exhibited behaviour that would warrant our detection. This sample was different – we knew it must have either carried the FileScout/Sefnit installer inside it, or it was downloading it from somewhere else.

It took only minutes to identify which possibility was correct. Inside the file we found a resource called RT_BIN, whose content was not immediately significant, but whose size was 251,299 bytes - exactly the same as the FileScout/Sefnit installer.

Apparently the resource was encrypted. We could see that "Browser Protector" contained the same RC4 decryption code we'd seen in Sefnit, and the decryption key was easy to locate inside the code (rather obviously it was "FilescoutEncryptionKey"), so we tried it out. Sure enough, the decrypted result matched the FileScout/Sefnit installer we expected. It was also easy to confirm that "Browser Protector" could write the decrypted file to the temporary folder with the file name setup_fsu_cid.exe, exactly as we had seen from our telemetry.
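
The resource check just described, re-created as an added example written for this page (it is not Rotbrow's or Sefnit's code). rc4() is textbook RC4; the post identifies the algorithm and the key "FilescoutEncryptionKey" but not the implementation, so if the malware's routine deviates from standard RC4 the helper would need the same tweak. try_decrypt_resource() applies the key and validates the output the way the analysis did: the resource size must match the known installer size, and the result must carry MZ and PE signatures. The encrypted "resource" below is a dummy PE header built and encrypted inside the example; the real 251,299-byte installer is not included.

```python
import struct

ROTBROW_KEY = b"FilescoutEncryptionKey"   # decryption key reported in the post


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap plausibility check on a decrypted candidate: a DOS 'MZ' header
    and a 'PE\\0\\0' signature at the offset stored in e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def try_decrypt_resource(resource: bytes, key: bytes, expected_size=None):
    """Return the decrypted PE if `resource` has the expected size and `key`
    yields a PE image, else None.  expected_size is the known payload size
    (251,299 bytes in the case the post describes)."""
    if expected_size is not None and len(resource) != expected_size:
        return None
    plain = rc4(key, resource)
    return plain if looks_like_pe(plain) else None


def make_dummy_pe() -> bytes:
    """Constructed stand-in for a PE file: MZ header whose e_lfanew points at
    a 'PE\\0\\0' signature followed by an x86 machine field and padding."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + b"\x4c\x01" + b"\0" * 100


# Constructed RT_BIN stand-in: the dummy PE encrypted under the reported key.
DUMMY_RESOURCE = rc4(ROTBROW_KEY, make_dummy_pe())

if __name__ == "__main__":
    hit = try_decrypt_resource(DUMMY_RESOURCE, ROTBROW_KEY,
                               expected_size=len(DUMMY_RESOURCE))
    print("decrypted a PE image" if hit else "no PE image found")
```

The size check is worth keeping even though it looks redundant: RC4 is a stream cipher, so the ciphertext and plaintext are the same length, and a resource that is exactly the size of a known payload is the clue that first tied RT_BIN to the installer.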

While we found that many variants of "Browser Protector" do not contain Sefnit, they are capable of updating to versions that do, so we added a generic detection under the name Win32/Rotbrow. To further stymie this avenue for Sefnit distribution, this month we add the Rotbrow family to MSRT.


Sefnit updater and installer service: 942860bedf408cc4c6a1831ef3744a3f9e68b375
FileScout installer: c5758309136cd1e7e804d2003dc5ca27ae743ac3
Rotbrow: efe10525395591ca4fb6ec083f6f22c9e0db2d9d

Sunday, December 15th, 2013
10:20 pm
Be a real security pro - Keep your private keys private

One of the many unusual characteristics of the Stuxnet malware that was discovered in 2010 was that its files were distributed with a valid digital signature, created using authentication credentials that belonged to two unrelated legitimate software companies. Normally the signature would verify that the program was issued by the company listed in the signing certificate, and that the contents of the program had not been tampered with since it was signed. By using other companies’ authentication credentials to sign their own files, malware distributors are able to make it appear that their files have come from a more trustworthy source.

Since then, malware signed with poorly secured or stolen credentials has been relatively rare. Most digitally-signed malware uses code-signing certificates that have been paid for and obtained directly from the certification authority (CA) that issued them. These CAs would be unaware the certificates were intended to be used for nefarious purposes. For example, recently the fake antivirus family Rogue:Win32/FakePav reappeared after being inactive for more than a year. Prior to the period of inactivity, FakePav’s executables were not digitally signed, but the new variants have been. After a few days using a single certificate, FakePav switched to a different certificate, issued in the same name as the previous one, but by a different CA.

However, in the past month or so, the use of stolen certificates has become more common. In particular, Rogue:Win32/Winwebsec, another rogue calling itself Antivirus Security Pro, has been distributed signed with credentials stolen from at least twelve different software developers.

Figure 1: Antivirus Security Pro user interface

A related family, TrojanSpy:Win32/Ursnif, has also been distributed with files signed using stolen credentials. We have observed Winwebsec downloading Ursnif, a trojan that monitors web traffic, and steals sensitive information, including passwords. Earlier variants of Ursnif were also capable of stealing certificates and private keys, but this functionality does not appear to be present in the latest versions. Instead, it appears to have been added to certain samples of PWS:Win32/Fareit.

Figure 2: Fareit steals certificates

PWS:Win32/Fareit is a Trojan that mostly steals passwords from a user's FTP client, but sometimes also downloads and installs other malware, such as Winwebsec and Win32/Sirefef.

Figure 3: Relationship and interactions between Fareit, Sirefef, Winwebsec, and Ursnif families

The stolen certificates were issued by a number of different CAs to software developers in various locations around the world. The table below shows details of some of the certificates used to sign Winwebsec samples. Note that the number of samples column lists only the digitally-signed Winwebsec samples that we have a copy of – there may be many other samples that we have not received. But, it gives an idea of the magnitude of the problem. Interestingly, one of these certificates was issued only three days before we started seeing malware samples signed with it, which suggests that the malware’s distributors are regularly stealing new certificates, rather than using certificates from an older stockpile.

Figure 4: Certificates used to sign Rogue:Win32/Winwebsec samples

For those of you who are software developers, Microsoft has a document that describes the best practices for code-signing.  Although that document was written in 2007 and contains a few references to operating system tools that have since changed, all of the recommendations of appropriate security procedures for obtaining and storing code-signing certificates and private keys, and for digitally signing your software, remain as relevant as ever.

Just as it is important to keep your house and car keys secure, securing your code-signing private keys is essential. Having a compromised certificate replaced is inconvenient and often expensive, and your company's reputation suffers if the certificate is used to sign malware. The document recommends keeping private keys on a hardware device such as a smart card, USB token, or hardware security module (HSM) that is itself kept physically secure. No system used to store code-signing credentials should ever be used for web browsing; such systems must run a regularly updated antivirus solution, and any file you sign should be scanned for infection beforehand.

If a system you use for signing has been infected with Win32/Fareit or other malware, and you suspect your private keys have been compromised, contact the CA that issued the credentials immediately so that the certificate can be revoked.

David Wood


Samples (SHA1):
d330699f28a295c42b7e3b4a127c79dfed3c34f1 (PWS:Win32/Fareit with certificate stealing capability)
006c4857c6004b0fcbb185660e6510e1feb0a7a3 (Digitally-signed Winwebsec)


Monday, December 23rd, 2013
6:09 pm
Turkey: Understanding high malware encounter rates in SIRv15

In our most recent version of the Security Intelligence Report (SIRv15), we compared the encounter rates of malware categories for the top 10 countries with computers reporting the most detections in 2Q13. Amongst these countries, Turkey stood out with considerably high encounter rates in multiple categories. Encounter rate is the percentage of computers in a country that reported at least one detection of malware.

Figure 1. Threat category prevalence worldwide and in the 10 locations with the most computers reporting detections in 2Q13. Totals for each location may exceed 100 percent because some computers reported threats from more than one category.

If you examine the table above carefully, Turkey's encounter rates for miscellaneous trojans, worms, exploits, and trojan downloaders and droppers are each at least 18 percent greater than those of the next highest country in the list. Our research here focuses on the factors that contribute to this higher rate.

Miscellaneous trojans are self-contained malware that do not self-replicate. Worms, by contrast, send copies of themselves through various communication mechanisms. Exploits are malware that take advantage of software vulnerabilities, and trojan downloaders and droppers are trojans that download or drop other malware onto computers they have already infected. High encounter rates across such a wide range of malware types in a single region suggest that Turkey may have been targeted by online criminals.

Targeted encounter rate

To investigate this hypothesis, we first need a definition of targeted. For this research, we define a family as targeted if at least 80 percent of the computers infected with it are located in a single country. The original definition of encounter rate can then be adapted: targeted encounter rate is the percentage of computers that reported at least one detection of a targeted malware family.
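These two definitions are easy to get subtly wrong: a computer with several detections must be counted once, and the 80 percent share is of distinct infected computers, not of detection events. Here is an added example, not part of the original post, that computes them over a constructed set of detection records. The records, the per-country counts of reporting computers and the family name FamilyX are made up for the example (Kilim and Preflayer are the Turkish-language families named below, Sefnit is used as a globally spread family); the threshold is the post's 80 percent.

```python
from collections import defaultdict

TARGETED_PCT = 80   # the post's threshold: at least 80 percent of a family's machines in one country

# Constructed detection records (machine_id, country, family). Counts are invented.
DETECTIONS = [
    ("m1", "TR", "Kilim"), ("m2", "TR", "Kilim"), ("m3", "TR", "Kilim"), ("m4", "TR", "Kilim"),
    ("m5", "DE", "Kilim"),
    ("m2", "TR", "Preflayer"), ("m6", "TR", "Preflayer"),
    ("m1", "TR", "Sefnit"), ("m7", "US", "Sefnit"), ("m8", "DE", "Sefnit"), ("m9", "BR", "Sefnit"),
    ("m10", "US", "FamilyX"), ("m11", "US", "FamilyX"), ("m12", "US", "FamilyX"),
    ("m13", "US", "FamilyX"), ("m5", "DE", "FamilyX"),
]
# Constructed number of reporting computers per country (the encounter-rate denominator).
REPORTING_MACHINES = {"TR": 8, "DE": 10, "US": 20, "BR": 5}


def machines_by_family(detections):
    """family -> {country -> set of distinct machine ids}; repeat detections collapse."""
    fam = defaultdict(lambda: defaultdict(set))
    for machine, country, family in detections:
        fam[family][country].add(machine)
    return fam


def targeted_families(detections, threshold_pct=TARGETED_PCT):
    """{family: country} for families whose largest single country holds >= threshold of machines."""
    result = {}
    for family, per_country in machines_by_family(detections).items():
        total = sum(len(ids) for ids in per_country.values())
        country, ids = max(per_country.items(), key=lambda kv: len(kv[1]))
        if 100 * len(ids) >= threshold_pct * total:    # integer compare: no float rounding
            result[family] = country
    return result


def encounter_rate(detections, population, families=None):
    """Percent of reporting computers per country with at least one detection, optionally
    restricted to `families`. A computer counts once however many detections it reported."""
    hit = defaultdict(set)
    for machine, country, family in detections:
        if families is None or family in families:
            hit[country].add(machine)
    return {c: round(100 * len(hit[c]) / n, 1) for c, n in population.items()}


def targeted_encounter_rate(detections, population, threshold_pct=TARGETED_PCT):
    """The post's targeted encounter rate: encounter rate counting only targeted families."""
    targeted = set(targeted_families(detections, threshold_pct))
    return encounter_rate(detections, population, families=targeted)


def inside_outside(detections, family, country):
    """Machine count inside and outside `country` for one family (the Figure 3 view)."""
    per_country = machines_by_family(detections).get(family, {})
    inside = len(per_country.get(country, ()))
    outside = sum(len(ids) for c, ids in per_country.items() if c != country)
    return inside, outside


if __name__ == "__main__":
    print(targeted_families(DETECTIONS))
    print(encounter_rate(DETECTIONS, REPORTING_MACHINES))
    print(targeted_encounter_rate(DETECTIONS, REPORTING_MACHINES))
```

Note that a family can only ever be targeted at one country under this definition, and that the same computer (m5 above) can raise the targeted encounter rate of a country a family is not targeting, which is why the rate for DE is non-zero even though no family is targeted at it.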

Figure 2. Targeted encounter rate in the 10 locations with the most computers reporting detections in 2Q13. Totals for each location may exceed 100 percent because some computers reported threats from more than one category.

Turkey has experienced extremely high targeted encounter rates in miscellaneous trojans, trojan downloaders and droppers, and worms, when compared to the other top regions/countries. Running an updated real-time antimalware solution is highly recommended for computers in any region seeing increases in these malware category types. For further information, see Running Unprotected, a deep dive into this topic in SIRv14.

Further investigation into the top targeted families in Turkey can give us more concrete evidence of targeting.

Figure 3. Machine count inside and outside Turkey for the top five targeted families in Turkey.

Top targeted families

Each of the top targeted families uses the Turkish language in some way. Kilim and Reksner both spread through social media outlets such as Facebook and Twitter: they gain access to user accounts and post false advertisements and malicious links in Turkish. Murkados hides its presence by setting the homepage of a Chrome browser, which it has modified, to the Turkish Google search page. Truado redirects user traffic between various Turkish websites. Preflayer uses a fake Adobe installer in Turkish to trick users into infecting their computers. All of these families use the Turkish language as the basis of their attack rather than singling out computers located in Turkey. Turkish words in the malware's code also hint that it may have been written by local attackers.

Language targeting is not uncommon; many families specifically target languages, as we have seen above and in the Security Intelligence Report. A quick look at the Turkish language shows that most people who read websites in Turkish live in Turkey. So, malware authors targeting Turkey might just be an unintentional consequence of trying to infect the population of Turkish computer users.

From this data, we can confidently conclude that Turkey was indeed targeted by malware authors through language targeting. Social engineering, used by all families discussed above, is a method that online criminals use to trick users into performing actions or divulging confidential information, to gain access to their computers or hide the presence of malicious behavior. Social engineering can occur in any language that is used on computers, commonly using email, web or telephone scams. Using a language that is less prevalent does not exclude you from the dangers of malware.

We recommend commonly known protective measures, no matter what language you use. If you suspect that confidential information has been stolen by a social engineering attack that a computer user may have responded to, take a few steps to protect data, such as:

  • Change passwords or PINs on all compromised accounts.
  • Place a fraud alert on your credit reports.
  • Do not follow links in fraudulent email messages, and be similarly wary of files on portable flash drives.
  • Review bank and credit card statements monthly for unexplained charges or inquiries.

IT professionals are recommended to follow best practices in security risk management, including:

  • Using Group Policy to enforce the configuration of Windows Update and the SmartScreen filter
  • Using Network Access Protection (NAP) and DirectAccess (DA) to enforce compliance policies for firewall, antimalware, and patch management on remote systems connecting to the corporate network
  • Implementing a strong security awareness program for the enterprise to prevent malware and potentially unwanted software.

You can learn about Microsoft's own best practices in Malware at Microsoft: Dealing with threats in the Microsoft environment.

For additional guidelines that we recommend consumers and enterprises follow to protect computers from social engineering attacks, see:

Kevin Yeo


Tuesday, December 24th, 2013
12:43 am
Protection metrics – November results

In our October results, we talked about a trio of families related to Win32/Sefnit. Our November results showed progress against Sefnit and the installers and downloaders of Sefnit (Win32/Rotbrow and Win32/Brantall). In comparison to September, active Sefnit infections have been reduced by 82 percent. As with prior months, our rate of incorrect detections also remained low and performance stayed consistent.

(If you want a refresh on the definition of the metrics we use in our monthly results, see our initial post: Our protection metrics – September results.)

For Rotbrow, (which, by the way, was also added to the MSRT in December), we saw half the number of active infections in November in comparison to the previous month. Active Brantall infections were reduced by about a fifth, month over month.

A relatively new family, Win32/Wysotot, which was added to our real-time protection products at the end of October and affected 0.002 percent of our customer base in November, had a moderate impact (much smaller than the Sefnit trio) but went into decline later in the month. Wysotot is typically installed through software bundlers that advertise free software or games. It redirects you to another website when you open certain browsers through a shortcut file. It can also download other software, run and kill processes on your computer, and send the status of your security software to a command and control (C&C) server.

The VBS/Jenxcus family had a similar impact, but, contrary to Wysotot, hasn't declined. This worm uses shortcut links to propagate, but also is often downloaded online or through torrents. It also has the capability to spread through removable drives, so if your computer's infected with Jenxcus, make sure you also scan any removable drives you've used recently with an antivirus product. More on Jenxcus next month.

Also, considering the recent action against the Sirefef family, we will have a few interesting trends to report next month. Stay tuned for that update in the new year.

In the meantime, make sure your antivirus solution is up to date. If you're running Windows 8, Windows Defender helps protect you against malware; if you're running Windows 7 and earlier, you can install Microsoft Security Essentials.

Holly Stewart

Monday, July 1st, 2013
1:04 am
Viewing Vobfus infections from above

Win32/Vobfus is a family of worms that spreads via removable drives and downloads other malware, and it has been causing people a lot of pain lately. Vobfus was first discovered in September 2009 and became prevalent through its use of the MS10-046 .LNK vulnerability (CVE-2010-2568). The .LNK vulnerability has also been used by Chymine, Sality, and Zbot, though Vobfus no longer uses it.

The name Vobfus comes from two characteristics: these worms are written in Visual Basic and are obfuscated. Vobfus is Visual Basic malware compiled either to p-code (pseudo code) or to native code (see this KB for information about p-code and native code). The obfuscation of the malicious payload started with simple string manipulation and has evolved into more complex string decoding. The following are some examples of the polymorphic string building used by different variants of Vobfus:

Figure 1 Vobfus code examples

Vobfus is downloaded by other malware; currently it's being downloaded by Win32/Beebone downloaders. Based on our observations, Beebone variants then download other variants of Vobfus, creating an infection cycle that means where you see one of these families, you'll often see the other. But more about this later.

Beebone is a family of Visual Basic compiled trojan downloaders that is known to download threats from the following families, listed in order of prevalence observed over the past month: 

Vobfus spreads via removable drives and network mapped drives. It copies itself to these drives with a random name, or not-so-random file name such as:

  • passwords.exe
  • porn.exe
  • secret.exe
  • sexy.exe
  • subst.exe
  • video.exe

The "autorun.inf" file accompanying the Vobfus worm file is detected as VirTool:INF/Vobfus.gen.  

Vobfus copies itself to the %userprofile% folder with a random name, or a not-so-random name, as previously listed. It also creates a runkey to ensure it runs every time Windows starts. Finally, Vobfus contacts a C&C server to obtain encrypted instructions on where to download Beebone; Beebone subsequently downloads Vobfus, and a number of other threats.
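As an added example (not from the original post), here is a small Python triage script for a removable drive suspected of carrying Vobfus. It parses an autorun.inf, reports every program the [autorun] section would launch, and flags both launch targets and root-level executables whose names match the lure names listed above. The autorun.inf content and the throwaway drive directory built by build_demo_drive are constructed for the example; they are not taken from a real sample, and the function names are the example's own.

```python
import ntpath
import os
import tempfile

# File names the post lists Vobfus using when it copies itself to a drive.
VOBFUS_LURE_NAMES = {"passwords.exe", "porn.exe", "secret.exe", "sexy.exe", "subst.exe", "video.exe"}

# Constructed autorun.inf in the style of an autorun worm; not copied from a real sample.
DEMO_AUTORUN_INF = """[autorun]
; constructed for this example
open=passwords.exe
shell\\open\\command=passwords.exe
shell\\explore\\command=passwords.exe
"""


def parse_autorun_inf(text):
    """Parse INI-style autorun.inf text into {section: {key: value}} with lower-cased names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(sections):
    """Keys in [autorun] that make Windows run a program: open=, shellexecute= and
    shell\\<verb>\\command= (the latter replaces Explorer's context-menu verbs)."""
    found = []
    for key, value in sections.get("autorun", {}).items():
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            found.append((key, value))
    return found


def _program(command):
    """First token of a command line, honouring a quoted program path."""
    command = command.strip()
    if command.startswith('"') and '"' in command[1:]:
        return command[1:command.index('"', 1)]
    return command.split()[0] if command else ""


def assess_autorun_inf(text):
    """Findings for one autorun.inf: every launch target is reported, lure names are called out."""
    findings = []
    for key, value in launch_targets(parse_autorun_inf(text)):
        exe = ntpath.basename(_program(value)).lower()
        if exe in VOBFUS_LURE_NAMES:
            findings.append(f"{key}={value}: runs '{exe}', a file name the post lists for Vobfus")
        else:
            findings.append(f"{key}={value}: autorun launches a program from the drive")
    return findings


def scan_drive_root(root):
    """Triage a drive root: its autorun.inf plus any executable carrying a Vobfus lure name."""
    findings = []
    inf = os.path.join(root, "autorun.inf")
    if os.path.isfile(inf):
        with open(inf, encoding="utf-8", errors="replace") as fh:
            findings += assess_autorun_inf(fh.read())
    for name in sorted(os.listdir(root)):
        if name.lower() in VOBFUS_LURE_NAMES:
            findings.append(f"{name}: executable with a Vobfus lure name in the drive root")
    return findings


def build_demo_drive():
    """Create a throwaway directory imitating an infected removable drive (constructed)."""
    root = tempfile.mkdtemp(prefix="vobfus_demo_")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(DEMO_AUTORUN_INF)
    with open(os.path.join(root, "passwords.exe"), "wb") as fh:
        fh.write(b"MZ placeholder, not a real binary")
    return root


if __name__ == "__main__":
    for line in scan_drive_root(build_demo_drive()):
        print(line)
```

Any launch target at all is worth a look on a removable drive, since a legitimate data drive has no reason to carry one; the lure-name match only raises the priority. Disabling AutoRun, as recommended below, stops the automatic launch but not a user double-clicking a file named passwords.exe.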

So, to recap: where Vobfus is detected, we often find Win32/Beebone too, because the two families download each other. This cyclical relationship is why Vobfus may seem so resilient to antivirus products: Vobfus and Beebone can constantly update each other with new variants. An updated antivirus product may detect the variant present on the system, but a newly downloaded variant may not be detected immediately. A typical self-updating malware family can be remediated once it is detected, because once removed from the system it can no longer download newer versions of itself. With Vobfus, even if it is detected and remediated, it may already have downloaded an undetected Beebone, which can in turn download an undetected variant of Vobfus. The following diagrams illustrate this more clearly.

Diagrams: Vobfus stage 1 to stage 4 (the Vobfus and Beebone download cycle)

In a network environment with lots of mapped network usage or data-sharing via removable drives, Vobfus can spread by copying itself and an autorun.inf file in the infected drive. In the wild, we have observed that Vobfus maintains a very successful removable-drive infection rate, thus supporting its spreading.

Furthermore, because of all the companion malware families that are downloaded by Beebone, the cumulative side-effects of all the malware families are present in infected machines. We recommend you refer to the encyclopedia entries for each of these families for more information on the effects these malware have on your machine, and for specific remediation advice.

You might consider the following guidelines to help prevent being infected with Vobfus and Beebone:

  • One infection vector is drive-by download, so use caution when clicking external links, and keep your browser and all other installed software up to date to help prevent software exploits
  • Vobfus is primarily downloaded by Beebone or spread via removable drives. A possible method of prevention is disabling autorun functionality; see this KB for more details on how to do this

And of course, as always, using an up-to-date complete antivirus solution such as Microsoft Security Essentials will help prevent many malware infections.

Hyun Choi

Tuesday, July 16th, 2013
11:44 pm
A fresh face for the Microsoft Malware Protection Center

Today we launched our new Microsoft Malware Protection Center website.

Throughout the redesign process we have been listening to your feedback. You asked for an easier way to find our security software and updates; you can now get to all of our product downloads straight from our homepage.

While you’re on the homepage you’ll also see links to our help archive, blogs, and trending security topics from the Microsoft Community forums.

One of our top priorities is to make it easier for you to solve any issues with malware and potentially unwanted software. To help, we created a box on each page of our new website that answers some of your most-asked questions.

We also added new content to address common problems, such as:  

To make it simpler to find the information you need about specific malware, we’ve given our malware encyclopedia a face-lift. You can still find detailed information about each threat under the “Technical information” tab. 

Please stop by the new site and have a look around. As always, we’re listening to your feedback and would love to know what you think. You can use the feedback form at the bottom of most pages to let us know.



Friday, July 26th, 2013
1:38 am
The evolution of Rovnix: Private TCP/IP stacks

We recently discovered a new breed of the bootkit Rovnix that introduces a private TCP/IP stack.  It seems this is becoming a new trend for this type of malware.

The implementation of the private stack is based on an open-source TCP/IP project and it can be accessed from both kernel and user modes.

It works like this:

  1. At boot time, Rovnix hooks the following exported APIs in ndis.sys by patching the export table in memory:
    • NdisMRegisterMiniportDriver()  (for NDIS 6.0)
    • NdisMRegisterMiniport()  (for NDIS 5.1)
  2. When the network adapter driver calls NdisMRegisterMiniportDriver()/NdisMRegisterMiniport() to register with NDIS, the hooked function registers Rovnix's own miniport handler functions.
  3. With its own miniport handlers in place, the malware can send and receive packets through its private TCP/IP stack (see Figure 1).
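The three steps above come down to rewriting one slot of the ndis.sys export table in memory. As an added illustration, not Rovnix's code and in Python rather than kernel-mode C, the following builds a constructed export directory for a module named ndis.sys with three exports at made-up RVAs, resolves an export by name the way the loader does, overwrites its AddressOfFunctions entry, and then finds the patch by diffing the in-memory table against a clean copy, which is the check a defender would run against the on-disk module. The export directory's RVA is passed in as a parameter (EXPORT_DIR_RVA is an assumption); in a real image it comes from the first data-directory entry of the optional header.

```python
import struct

EXPORT_DIR_RVA = 0x200   # assumed location of IMAGE_EXPORT_DIRECTORY inside the mapped image
# Constructed export table for "ndis.sys": the names the post mentions, RVAs made up.
NDIS_EXPORTS = [
    ("NdisMRegisterMiniportDriver", 0x1A2B0),
    ("NdisMRegisterMiniport", 0x1B100),
    ("NdisAllocateMemory", 0x10420),
]


def build_export_image(export_rva, module_name, exports):
    """Lay out IMAGE_EXPORT_DIRECTORY, the three export arrays and the name strings in a
    bytearray whose index equals the RVA, as a mapped module would have them (constructed)."""
    exports = sorted(exports)                      # name table is kept sorted for binary search
    n = len(exports)
    funcs_rva = export_rva + 40                    # AddressOfFunctions
    names_rva = funcs_rva + 4 * n                  # AddressOfNames
    ords_rva = names_rva + 4 * n                   # AddressOfNameOrdinals
    strings = bytearray(module_name.encode() + b"\0")
    name_rvas = []
    for name, _ in exports:
        name_rvas.append(ords_rva + 2 * n + len(strings))
        strings += name.encode() + b"\0"
    directory = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, ords_rva + 2 * n, 1, n, n,
                            funcs_rva, names_rva, ords_rva)
    image = bytearray(export_rva) + directory
    image += b"".join(struct.pack("<I", rva) for _, rva in exports)
    image += b"".join(struct.pack("<I", rva) for rva in name_rvas)
    image += b"".join(struct.pack("<H", i) for i in range(n))
    return image + strings


def _name_at(image, rva):
    return bytes(image[rva:image.index(b"\0", rva)]).decode()


def read_exports(image, export_rva):
    """Resolve every named export to its function RVA by walking the tables like the loader."""
    nnames, funcs_rva, names_rva, ords_rva = struct.unpack_from("<IIII", image, export_rva + 24)
    table = {}
    for i in range(nnames):
        name = _name_at(image, struct.unpack_from("<I", image, names_rva + 4 * i)[0])
        ordinal = struct.unpack_from("<H", image, ords_rva + 2 * i)[0]
        table[name] = struct.unpack_from("<I", image, funcs_rva + 4 * ordinal)[0]
    return table


def hook_export(image, export_rva, name, new_rva):
    """Redirect `name` by overwriting its AddressOfFunctions slot in the mapped image; this is
    the export-table patch the post describes. Returns the original RVA for chaining."""
    nnames, funcs_rva, names_rva, ords_rva = struct.unpack_from("<IIII", image, export_rva + 24)
    for i in range(nnames):
        if _name_at(image, struct.unpack_from("<I", image, names_rva + 4 * i)[0]) == name:
            ordinal = struct.unpack_from("<H", image, ords_rva + 2 * i)[0]
            slot = funcs_rva + 4 * ordinal
            original = struct.unpack_from("<I", image, slot)[0]
            struct.pack_into("<I", image, slot, new_rva)
            return original
    raise KeyError(name)


def find_hooked_exports(clean_image, live_image, export_rva):
    """Defender's check: exports whose in-memory RVA differs from the on-disk copy."""
    clean = read_exports(clean_image, export_rva)
    live = read_exports(live_image, export_rva)
    return sorted((n, clean[n], live.get(n)) for n in clean if live.get(n) != clean[n])


def demo():
    clean = build_export_image(EXPORT_DIR_RVA, "ndis.sys", NDIS_EXPORTS)
    live = bytearray(clean)                        # the copy a bootkit would patch
    original = hook_export(live, EXPORT_DIR_RVA, "NdisMRegisterMiniportDriver", 0xDEAD0)
    now = read_exports(live, EXPORT_DIR_RVA)["NdisMRegisterMiniportDriver"]
    return original, now, find_hooked_exports(clean, live, EXPORT_DIR_RVA)


if __name__ == "__main__":
    print(demo())
```

Any driver that resolves NdisMRegisterMiniportDriver after the patch gets the replacement address, which is all the hook needs. A real check should also flag any export whose RVA lies outside the module's mapped range, since a hook usually points into memory the malware owns rather than back into ndis.sys.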

Figure 1: The private TCP/IP stack

The stack is introduced for stealth:

  • It bypasses the rest of the NDIS library code, and with it any hooks that personal firewalls have placed there
  • The port used by the private TCP/IP stack is not visible through the normal mechanisms (for example, the "nbtstat" command)

In short, Rovnix has added a new level of stealth to its network communication.

Traditional methods of analysis, for example running network traffic monitoring software, may not be able to see the packets that are sent or received via a private TCP/IP stack.

However, the compromised machine will still contact the domain. If a network administrator notices traffic sent to this domain, then most likely there are infected machines.

With our latest signature update, we detect the Rovnix dropper as TrojanDropper:Win32/Rovnix.I. Windows Defender Offline (WDO) also detects the infected volume boot record as Trojan:DOS/Rovnix.F.

Sample: SHA1: a9fd55b88636f0a66748c205b0a3918aec6a1a20

Chun Feng

Tuesday, August 13th, 2013
6:19 am
The original AppCompat (solving a 20-year-old mystery for me)

DOS v5.0, released in 1991, introduced the concept of loading DOS "high", that is, into the high memory area: the special 64 KB region that sits just above the first megabyte of memory.

As a result of this change, programs now loaded to a much lower address in memory than they did before.  This change also exposed a previously unknown bug that exists in the code produced by certain versions of the Exepack utility, or Link* with the "/EXEPACK" option.  The bug caused memory corruption, which usually resulted in the process hanging during start-up.
There were a number of workarounds that involved forcing an allocation of 64kb (e.g. using loadfix) to ensure that the program loaded above the 64kb block - the usual "black box" solution.   By that point, there were so many ExePacked files that "please update your software" was not an option.
What made me think to solve it now?  It's my nature - I can't leave a mystery unsolved, no matter how long it takes me.
These days DOS viruses are extinct, but DOS games live on with the help of DOSBox.
I was working on a patch for DOSBox in my spare time.  The program worked in DOSBox if loadfix was run first, but it worked in all cases in real DOS.  Ah, the mystery deepens.
What's more interesting is that I saw the issue only by luck. I needed EMM386.EXE to be running and providing access to the Upper Memory Block area; I needed to load my debugger into the Upper Memory Block area; I needed to be debugging a program that was so large that it would not fit into the Upper Memory Block area along with the debugger; and, of course, I needed that program to be packed by ExePack.
It wasn’t likely, but it happened.
So, on the left is the code as it would be found on disk.  On the right is the code that I saw on that day, 20 years ago, in my debugger (and shortly thereafter, I found two other variations).

ExePack code

Wow, quite different.  What happened there?
Well, DOS went and rewrote that unpacking code for me, on-the-fly, as the file was loaded into memory.
That's right - DOS went and “hot-patched” my code to avoid a bug.  No warning, and no explanation - at the time, I didn't have an Internet connection, but it seems likely that even if I had, it would never have occurred to me to search for an answer.  Or if I did, the answer would not have been documented anywhere yet, anyway.  As you can see, Windows 95 was not the first platform to implement an application compatibility layer.
The mystery is finally solved.  As for DOSBox, you just have to use loadfix, but now you know why.
(*) Specifically, Link 3.x where x is 51 or larger, all 4.x, and 5.x where x is 15 or smaller.