
VirusTotal Participation

Hi, this is Ziv Mador again from the Microsoft Anti-Malware team. This week, the folks over at VirusTotal added the Microsoft anti-malware engine to their service. VirusTotal is a free service that enables users to submit suspicious files to be scanned by several anti-malware engines. If you choose, files that are not identified as malicious are sent to the vendors who supply the anti-malware engines to this service to be analyzed. As of April 27, the Microsoft anti-malware scanner is included in the set of scanning engines used by VirusTotal. This scanner is based on the same technology found in Windows Live OneCare, the Windows Malicious Software Removal Tool, and Microsoft Antigen, and includes our full antivirus set of signatures. We are glad to be participating in this community opportunity.

posted by blogmalware | 4 Comments

On the Road at Infosecurity Europe and EICAR

Eric Allred and I are in London for the Infosecurity Europe conference. We spent the last two days on the conference floor with the Microsoft UK team, talking to customers and partners about Windows Defender, Windows Live OneCare, Microsoft Client Protection, and the Windows Malicious Software Removal Tool. We've also been demoing Windows Vista to customers; it includes a number of new security features to help protect against malware, spyware, and potentially unwanted software, including Windows Defender, User Account Control, and Internet Explorer 7 with Protected Mode.
 
On Friday, we'll be flying to the European Institute for Computer Antivirus Research (EICAR) conference in Hamburg. Jeff Williams and two more of our colleagues, Tony Lee and Jigar Mody, will be joining us at this conference. Tony and Jigar will be presenting on Behavioral Classification on Monday, May 1. I've seen an early version of their presentation and it's some pretty interesting stuff. If you're planning to be at EICAR, please track us down and say hello ... and, naturally, come by Tony and Jigar's presentation on Monday.
 
Matt
posted by blogmalware | 0 Comments

Windows Defender Beta 2 Refresh

Today, we released a refresh of Windows Defender (Beta 2) which includes updates based on the customer feedback that we have received through this blog and the newsgroups. This update also addresses some issues that have been brought to our attention around signature updating, improves upon the usability of Windows Defender and also improves our SpyNet reporting capabilities.

First off, we have added a checkbox option to continually display the system tray icon. We heard your feedback loud and clear on this one, so those who want to see our icon with the little green check in their system tray as a sign of system health can now do so. We have also improved Windows Defender's ability to report more accurate data about potentially unwanted software through SpyNet so that we can help create better definition updates.

Finally, we've made some minor updates to the UI and we are on track to release our Japanese and German localized versions and expect to turn on the update notification for existing Beta 1 and Beta 2 customers soon - so keep an eye out!

I would also like to urge you to opt-into the "Advanced" participation level in SpyNet. In this mode, you will not only be alerted of changes to critical system settings by recognized and potentially unwanted applications but you will also be notified of changes by applications that have not yet been classified. By choosing "Advanced" you can help combat spyware by sending back full reports and potential samples to our analysts. To the extent any personal information is included in an "Advanced" member report, this information will not be used to identify you or contact you in accordance with our privacy policy. For example, under the "Basic" setting, the SpyNet report will strip off the path to an executable it found, in case it was in a folder that contained your user name; however, knowing where potentially unwanted applications install is useful information. Thank you for helping us fight spyware and potentially unwanted software!

With these upcoming changes to our reporting network and our core technology, we will improve our detection and removal capabilities even more in the upcoming months.

Thanks,

Adam

posted by blogmalware | 15 Comments

News on Alcan, Mywife.E

In Bill Gates' keynote at RSA in February, one of the subjects he spoke on was the ability for Microsoft to have a comprehensive view of the evolving threat landscape using the information and feedback from such tools as Hotmail, Watson, the Windows Malicious Software Removal Tool, and Windows Defender.

Each month, the Malicious Software Removal Tool runs on approximately 250 million computers, mainly via Windows Update and Automatic Updates. In February's release of the tool, we added the ability to detect and remove a worm called Win32/Alcan. We believed that Alcan would be moderately prevalent based on data from Windows Live Safety Center and Windows Live OneCare but we were genuinely surprised once we sifted through the data from the February release. During the course of that month, the tool detected Alcan (and, specifically, Alcan.B) on just over 250 thousand unique machines, easily the top detection for the month. Compare this to the Win32/Mywife.E worm (aka CME-24), which we removed from approximately 40 thousand computers in February.

Alcan.B does not exploit any software vulnerabilities. Instead, it spreads through popular peer-to-peer applications, and its prevalence is likely due to effective social engineering. Specifically, when the worm shares copies of itself over a P2P network, it contacts several websites to look up the names of recent, popular program cracks and uses those names for the copies. Thus, the worm's file name is always relatively up-to-date and attractive to those searching these networks for cracks. Also, when the worm is run, instead of displaying nothing or popping up 50 browser windows, it displays what appears to be a setup wizard window, as shown in our write-up. When the user clicks Next, an error message is displayed. Thus, the user is fooled into thinking that what he or she just ran was a buggy or incomplete program, not a worm.

Threats like this reinforce the idea that malware exploiting user weakness can be as dangerous as threats that exploit software vulnerabilities, and they reinforce the value of up-to-date antivirus products as well as general user vigilance.

Matt

posted by blogmalware | 4 Comments

Windows Defender Beta 2: Updated Version Available

An updated version of Windows Defender Beta 2 is now available from the Microsoft Download Center. This update resolves the two issues described in the blog post below relating to non-English versions of Windows and referenced in KB915087. If you are running a non-English version of Windows, we advise that you uninstall the previous installation and install the updated version. If you are running an English version of Windows, no action is required.

Also, a new definition update package is now available from Microsoft Update which should resolve the problem described in KB915105. Users with Automatic Updates enabled will be notified of the availability of the release in a manner consistent with their Automatic Updates settings.

posted by blogmalware | 4 Comments

Windows Defender Beta 2: Update

Hi all,

We’ve gotten some great feedback from places like this blog and our support newsgroups about the recently released Windows Defender Beta 2. We really appreciate the enthusiastic participation!

Some of this feedback has allowed us to identify a couple of problems with our setup on non-English versions of Windows: 

  • We have a problem installing on systems which don’t have a group named “Users”. On these systems, the group typically exists but it is in another language.
  • Sometimes the link to Windows Defender creates a new group called “Programs” at the top of the start menu.

Our international users are very important to us, and so we are currently testing an updated version that fixes these issues. That update will be available soon through the same links where you installed the original version. Until we make this version available, users may follow the steps in KB915087 to work around these issues and successfully install Windows Defender Beta 2.

Another problem that was appearing in the newsgroups:

  • Uninstalling and reinstalling can temporarily cause problems updating signatures.

This will automatically get fixed in the next update of our signatures, which is scheduled for Tuesday. Please see KB915105 for more information.

Finally, we have also received a few questions about the tray icon. A consistent point of feedback from Windows users is that there are just too many icons that appear in the system tray. With this in mind, we decided not to display a system tray icon for Windows Defender if no action is needed. This way, we can help the industry move towards a model where the items in the system tray are programs that need a user's attention instead of items that are simply running. As always, your comments on this are welcome.

Thanks again for all the support and please keep the feedback coming!

Adam

posted by blogmalware | 21 Comments

Announcing Windows Defender Beta 2

Hi, I'm Adam Overton, the group program manager for the anti-malware technology team. I'm very excited to be blogging today about the availability of Windows Defender Beta 2 which was announced by Bill Gates at his RSA conference keynote earlier this morning. You can download the new beta version from the Microsoft Download Center. Users who have Microsoft AntiSpyware Beta 1 already installed do not need to first uninstall this program; the installer will automatically upgrade you to Windows Defender Beta 2. There are a lot of exciting and fundamental changes which we have made with this release and I highly recommend that you check out the press release and fact sheet for more details. As previously announced, updates to Windows Defender will be available at no additional charge to Windows customers.

This is the culmination of many months of hard work by our team to provide the best antispyware solution to our customers. We recently topped 25 million active customers in December with Windows Antispyware Beta 1 and hope to grow our customer base even more with this release of Windows Defender Beta 2. If you have any comments on this release, please feel free to respond to this blog entry or post a message to our newsgroups. We look forward to your feedback as we work towards our final release.

Thanks,

Adam

posted by blogmalware | 11 Comments

Notes from the Anti-Spyware Coalition (ASC) Public Workshop, etc.

Hello, my name is Jeff Williams. While I'm new to the team, I'm not new to our efforts in this space, as I've worked with the team for almost two years in my previous role. I've just returned from a trip to Washington DC last week to attend the ASC Workshop as Microsoft's representative. Not only did I get to meet with industry and community colleagues, but I was also able to participate in the Congressional Internet Caucus Tech Fair. At the Tech Fair, we had the opportunity to demonstrate Windows Defender's integration into Windows Vista to members of Congress and their senior staff, as well as representatives from the media, industry and non-profit organizations. The booth was packed almost continuously and the demos were well received. Also at the show were some other ASC members, Earthlink (Aluria), Dell, PC Tools and Symantec, so we were in good company and the ASC was well represented.

The ASC Workshop on Thursday was a full house with a number of great sessions. It was encouraging to see so much support for the ASC, and attendance exceeded expectations. The session was opened by Chairman Deborah Platt Majoras of the FTC, who spoke about the importance of education, partnership and new technology in combating spyware, points with which I completely agree. Other sessions focused on the impact of spyware on business and individuals, potential solutions to spyware, cross-border challenges to fighting spyware, and industry self-regulation. The workshop was also a great place to meet with others who are fighting these same threats, and I'm looking forward to the next ASC Workshop in Ottawa in May.

Warm Regards,
Jeff
posted by blogmalware | 0 Comments

The Mywife.E Worm: Update # 2

As we pass noon on Monday here in Redmond, we are happy to see that the Mywife.E worm (aka CME-24) turned out to be more hype than reality. Our product support departments around the world (including our free virus support line, 1-866-PCSafety) are currently reporting low call volumes with respect to this issue, and the few calls they did receive tended to be inquiries based on word-of-mouth rather than infected users. This is consistent with what most of our anti-malware partners are reporting.
 
It is my hope that incidents like this don’t get too over-hyped in the future. As members of the security community, I believe we have the responsibility to provide our audience with accurate data that properly reflects the threat. What's interesting is that in this case, data from an unreliable source (a web counter essentially controlled by a malware author) was the primary data source to determine the level of threat to the world. I fear that too much hype in situations that end in false alarms ends up diluting the meaning of warnings for true worldwide threats. That's not to say that customers should not have been warned for this threat, but these notices should be based on fact and broadcast with the best interest of the audience in mind.

Thanks,
-Matt

------------------------------------------------------------
Matt Braverman
Program Manager
Anti-Malware Technology Team
Microsoft Corporation

Team Blog: http://blogs.technet.com/antimalware

posted by blogmalware | 2 Comments

The Mywife.E Worm: Update

Microsoft has posted an advisory for the Mywife.E worm that provides information on the threat and suggests possible mitigations. To help detect and remove the infection from a computer, we recommend using the Windows Live Safety Center Beta at http://safety.live.com.

posted by blogmalware | 0 Comments

The Mywife.E Worm

Here is an update from the Microsoft anti-malware team regarding the recent variant of the Mywife mass-mailing worm. The mails' subject and body may vary; however, they include an attachment that looks like a ZIP file but is actually a malicious executable. The naming for this worm is really all over the place (Nyxem, Blackmal, Grew, Kasper, and Tearec, among others), but most vendors have been referring to it in their write-ups by its CME ID of 24. Our analysis of the worm can be found here. As described in the write-up, the worm will corrupt common document format files, first on February 3rd 2006 and then on the third day of every month moving forward. As always, we strongly recommend running an up-to-date antivirus program on your computers and being wary of opening suspicious e-mail attachments, even if they were sent from a familiar mail address.

Microsoft releases a new version of the Windows Malicious Software Removal Tool every month on the second Tuesday of the month, together with the other security updates. The next version, targeted for release on February 14th, will detect and remove this worm. Also, the beta version of Windows OneCare Live protects against this threat. It can be obtained here: http://www.windowsonecare.com.

Finally, there has been significant discussion regarding the web-based counter that the worm uses, and attempts to map the values of the counter to infection statistics. Our investigation has revealed that the web counter incremented by the malicious software is being artificially manipulated by outside parties. It is therefore not a trustworthy indication of the infection rate or of the total number of infected computers. Instead, we use our industry partnerships as well as our own internal data to gauge the impact on customers. This information has revealed that the attack is limited at this time.

posted by blogmalware | 1 Comments

December Update for Windows Malicious Software Removal Tool Released

Yesterday we released this month's update of the Windows Malicious Software Removal Tool. This update includes three new malware families: F4IRootkit, Ryknos, and IRCBot. This tool now cleans over 50 of the most prevalent malware families.

This release, as in the past, is available as an interactive web-based cleaner, as a downloadable executable, as well as through Windows Update, Microsoft Update, and Windows Server Update Services.

With the inclusion of rootkit cleaning of the F4IRootkit in this release, we now have cleaning in all our tools: Windows AntiSpyware beta, Windows OneCare Live beta, Windows Live Safety Center beta, and now the Windows Malicious Software Removal Tool.

In addition to adding new malware families to the tool each month, we also make sure that families we already include are updated with signatures for new variants of that family. In particular, I'll call out that we've included cleaning of the Sober.Z email worm (also known by its Common Malware Enumeration (CME) ID, CME-681), as well as many other variants of Sober that have been released in the last month. As a note, we have had signatures for this variant of Sober in Windows Live Safety Center beta and in the Windows OneCare beta since November 22. If you haven't tried these two cool technologies, please give them a try!

Thanks for your interest,
-JasonG

------------------------------------------------------------
Jason Garms

Architect & Group PM
Anti-Malware Technology Team
Microsoft Corporation

Team Blog: http://blogs.technet.com/antimalware

posted by blogmalware | 1 Comments

Windows OneCare Live Beta Available!

On Tuesday, the Windows OneCare team announced the availability of the beta of Windows OneCare Live, a comprehensive PC health service for consumers which offers an integrated approach to help consumers more easily protect and care for their computers. The Windows OneCare team is a very important partner team of ours, and we are extremely excited about this release because it marks yet another technology debut for our team: our full antivirus engine and signature set! We have been working hard over the past two years to provide the antivirus technology for this product, and seeing it in beta now is really cool. Windows OneCare Live will offer regular virus scanning as well as continuous protection against the latest virus threats. Windows OneCare Live also includes a two-way firewall, a performance tune-up wizard, automated backup and more. We hope you'll give this beta a try and submit feedback to their team blog, which also has some more information on the beta.

Right now is an exciting time for our team. We have been heads-down for a long time working on some great technologies, and we are finally getting to share it all with you. In just the past month we have been able to share with you a number of milestones:

  • Delivered, for the first time, our full antivirus engine and signatures in the Windows OneCare Live beta
  • Debuted an online, on-demand virus scanner as part of Windows Live Safety Center beta, including an interface into our searchable malware encyclopedia
  • Announced more details of our plans around Windows Defender, and its availability in the December Community Technology Preview (CTP) for Windows Vista
  • Shipped an update to the current Windows AntiSpyware beta to extend the expiration date to July 31, 2006
  • Shared our plans to detect and remove the rootkit that has been shipped as part of Sony’s XCP software with our upcoming December release of the Malicious Software Removal Tool, as well as with the Windows Live Safety Center and the current beta of Windows AntiSpyware

We will keep trying to provide you with the latest information about what's going on here at Microsoft in the anti-malware space. Stay tuned!

Thanks for your interest,
-JasonG

------------------------------------------------------------
Jason Garms

Architect & Group PM
Anti-Malware Technology Team
Microsoft Corporation

Team Blog: http://blogs.technet.com/antimalware

posted by blogmalware | 1 Comments

Anti-Malware White Papers Posted

Hi, Matthew Braverman here again.

In early October, members of Microsoft's anti-malware team attended the 2005 Virus Bulletin Conference in Dublin, Ireland. This is one of the top three annual antivirus industry conferences, and was an excellent opportunity to mix and mingle with some of the leading members of the anti-malware industry and community. While members of our team have attended the annual Virus Bulletin conferences for the past few years, this year was especially exciting for us because we were presenting papers for the first time. We presented two papers: "Defeating Polymorphism: Beyond Emulation", presented by Adrian Stepan, a software developer on our team, and "Win32/Blaster: A Case Study From Microsoft's Perspective", presented by myself.

Both white papers can now be downloaded from the Microsoft Download Center, by clicking on their titles above. We hope that you find these papers interesting. If you have any thoughts or feedback, feel free to send them along or post comments to this blog.

Thanks,
Matt

posted by blogmalware | 2 Comments

Extending the expiration date for Windows AntiSpyware Beta 1

Hi, I'm Sterling Reasor, a program manager for the current Windows AntiSpyware beta and the forthcoming Windows Defender.

A few days ago we posted an update to the Windows AntiSpyware beta, and yesterday we turned on the auto-updater code to automatically update existing users to this updated beta. For the techies, this update is build 1.0.701. Before you get too excited, there is only one change in this beta update from the previous beta: it moves the expiration date to July 31, 2006. We're doing this because, as most current users know, the beta expires on December 31, 2005. We're releasing this update to ensure that users don't experience any lapse in protection by having the beta expire on them.

Also, for those of you wondering, yes, after you update your signatures, the Windows AntiSpyware beta will be able to detect and remove the rootkit that was installed by the Sony DRM software. I also want to thank those customers who are giving us feedback on Beta 1 through the community newsgroups. We hear your feedback and are incorporating it into the development of Windows Defender Beta 2, which we expect in a couple of months. Right now our biggest priority is getting Windows Vista out the door. As mentioned previously, you will also be able to see an early preview of Windows Defender Beta 2 in an upcoming Community Technology Preview (CTP) release of Windows Vista.

For those who are now saying, "but wait, Windows AntiSpyware didn't notify me that a new version is available!", don't worry: existing Windows AntiSpyware (Beta) customers will get that notification over the next few days. If you want to grab your copy right now, you can download the latest beta refresh manually.

Thanks,
Sterling

posted by blogmalware | 1 Comments