Details of feed "Anti-Malware Engineering Team":

To ease navigation and be more in synch with our security colleagues within Microsoft, we have moved to a new blog address: http://blogs.technet.com/mmpc

We hope you like the new look. Please remember to redirect any links to our new web address.

Today, Microsoft announced the acquisition of Komoku to add to Forefront and Windows Live OneCare's technological capabilities.  I would like to take this opportunity to review the year since my "Hello World" blog post and again provide insight on where we will be going.

A year ago, I noted our test results were "not stellar" :-). We were lacking VB100 certification, and independent test results placed us ten to fifteen points behind where we hoped to score.  I then promised that we were going to do our best to obtain the VB100 every time after. And while always concentrating on what was important—the malware most likely to affect our users—we brought our test scores on par with the rest of the industry. This year is going well, and we now have test results again to see how we delivered on those promises.

Virus Bulletin continues its bi-monthly VB100 Awards, and both Forefront and Windows Live OneCare have obtained VB100 Awards each time they were considered, five in total.  That is no simple task as many products, some sporting incredible streaks previously, managed to have that streak broken in that time.  We continue to maintain our certifications by ICSA Labs (www.icsalabs.com) and West Coast Labs (www.westcoastlabs.org).  Additionally, we now seek and obtain “Cleaning” certification.  That means malware removal is now also being certified.

In the area of test scores, we attained the level where we are competitive in our detection rates.  AV-Comparatives (www.av-comparatives.org), which had rated us a Fail with 82.4% last year, now rates our detection as Advanced at 93.9%.  At the same time, AV-Test (www.av-test.org) shows our detection rate to be 97.8%. This is above most of the other products listed, including those we consider our peers.  Last year, I had said, "You will see our results gradually and steadily increase until they are on par with the other majors in this arena.  And soon after, they will need to catch up to us!"  I think we are somewhere between those two sentences.

But, why the difference between the two scores?  Isn’t that a significant difference?

AV-Test used malware exclusively from the two months prior to its test.  AV-Comparatives, on the other hand, used malware stemming up to three years past.  The higher detection of more recent malware highlights our dedication to protect our users from malware that they will more likely encounter.  Malware older than a year, or even six months, that hasn't been seen in that time, is not likely to be encountered again.  Malware writers are more keen to create new malware that none of the security products detect than to reuse old malware that some already detect.  This issue of meaningful testing is an area that the newly forming Anti-Malware Testing Standards Organization (AMTSO) seeks to address.

So, are we “stellar” yet?  That would imply that we are satisfied with where we are.  So, the obvious answer is that we will never feel satisfied. 

AV-Test.org tests more than just malware detection.  There are criteria where we still need to improve.  Among them are rootkit detection, generic/proactive capabilities and response time. 

Response time is a component in how we support our users.  Now, with fully staffed Research Labs in Dublin (headed by Katrin Totcheva) and Melbourne (headed by Jakub Kaminski) and beefing up Redmond with the addition of Joe Hartmann, we are well suited to do our best to support our users.

And now back to the acquisition of Komoku.  The addition of Komoku, especially its talented core of researchers, will add to our proactive capabilities in detecting zero-day vulnerabilities and improve rootkit detection.  We are very excited and hope soon to conquer these next challenges.

-- Jimmy Kuo

For additional information visit: http://blogs.technet.com/forefront/archive/2008/03/20/microsoft-acquires-komoku.aspx

This week you may have heard or read about a new rootkit that has been reported in the wild that uses the Master Boot Record (MBR) as its Auto-Start Entry Point (ASEP).  The malware is being called VirTool:WinNT/Sinowal.A.  First we want to let you know that if you use any of the Microsoft antivirus technologies (Windows Live OneCare, Forefront Client Security, Forefront Security for Exchange or Windows Live OneCare Safety Scanner), you are already protected from this threat as of definition version 5364.0 and higher.  Next, we want to talk about the use of the MBR as an ASEP by which to kick off the malware loading process and some of the interesting consequences of using this technique.

There are several binaries in the wild which try to install this rootkit. All the known variants are detected by Microsoft antimalware products using two generic signatures: PWS:Win32/Sinowal.gen!C and PWS:Win32/Sinowal.gen!D. 

This malware attempts to modify the MBR so that it can control what gets read from the disk into memory and execute very early in the boot process.  After the modified MBR is executed, it reads additional malicious code into memory which modifies the NT kernel to force it to load a malicious driver that has been stored at the end of the physical disk (The driver will not be visible while the infected OS is running.).  Once the driver is loaded into the kernel, it behaves just like a standard kernel mode rootkit, providing covert and stealth network backdoor functionality by hooking low level APIs to attempt to avoid detection.

Here are some interesting things about this malware:

First, the installer for this rootkit needs to modify the MBR in order to ensure that the rootkit can persist across reboots.  It does this by using the CreateFile API attempting to open “\Device\Harddisk0\DR0” for write access.  Using the CreateFile API in this way (for direct / raw disk access) requires administrative privileges as mentioned in this KB article: http://support.microsoft.com/kb/q100027.  So if you are logged into Windows as a standard user or if you are using Windows Vista with UAC enabled, even if you accidentally run the malware installer or it runs via some exploit code, it will be running with insufficient privilege to modify the hard disks MBR; thus it will not be able to persist a system restart.

Next, the perceived strength of this new rootkit, its lack of a visible footprint in the registry and file system due to the use of the MBR as the ASEP, is also a big weakness!  If you suspect that you have a system that is infected with this rootkit, to prevent it from loading, all that is required is to write a known-good copy of a master boot record back to the disk to prevent the rootkit driver from being loaded on the next reboot!  Fortunately, we have made that a fairly painless process with the Windows Recovery Console and the ‘fixmbr’ command!

Here are some instructions for using the Windows Recovery Console:

Windows XP instructions: http://support.microsoft.com/kb/314058 (just type ‘fixmbr’ in the console)

Windows Vista instructions: http://support.microsoft.com/kb/927392 (just type ‘bootrec.exe /fixmbr’ at the console)

One of the Microsoft Malware Protection Center’s (MMPC) goals is to share the valuable data, insights and expertise we have with customers on a regular basis in an effort to help customers better understand the changes occurring in the threat landscape and improve their defenses accordingly.  We just released the third volume of our threat report, called the Security Intelligence Report (SIR). The SIR shares the conclusions drawn by our research team using data gathered from the Microsoft Malicious Software Removal Tool (MSRT), Windows Defender, Windows Live OneCare, Windows Live OneCare safety scanner, Exchange Hosted Services, and Forefront Client Security (FCS).  The net of this, is threat related data from several hundred million Windows based systems.

The MMPC partners with several groups within Microsoft to make the SIR a unique threat report.  The Microsoft Security Response Center (MSRC), the Trustworthy Computing (TwC) group and numerous product groups all contribute to the report.  In this volume of the SIR, the MSRC has written a couple of sections on software vulnerability disclosures and exploits.  Here’s an example of one observation by the MSRC:  The number of disclosed vulnerabilities across the software industry continues to climb, with more than 3,400 new vulnerabilities disclosed in 1H07. But according to the  data we’ve gathered this number actually represents a decrease from 2H06, the first period-to-period decline in total vulnerabilities since 2003.  Another trend identified by the MSRC is that while the number of vulnerabilities continues to increase, the ratio of exploit code available for those vulnerabilities is on a slight decline.

We have been listening to feedback from customers, partners and analysts regarding what they liked in past releases of the SIR and what they thought could be improved.  Based on that feedback we have made some big changes in this new volume of the SIR that I hope readers will like.  Please keep the feedback coming!  Some of the changes we made in the new SIR include:

·         The report includes a new section on Software Vulnerability Exploits, which is authored by the MSRC. 

·         The report now has a new look and feel which includes an executive summary as well as customer guidance (strategies, mitigations, and countermeasures) in each section of the report

·         A ten page “Key Findings Summary” is also available which provides an executive summary of the 92 page SIR.  This summary is available in the following languages: Chinese (Simplified), Chinese (Traditional), English, French, German, Italian, Japanese, Korean, Portuguese (Brazil), Russian, Spanish

·         From the data in the SIR we can see that the trends continue in a direction that indicates attackers are financially motivated and are adjusting their tactics along with constantly modifying the threats, both malicious and potentially unwanted (you can read more about what distinguishes each of these in the report)  they use to support this goal.  Some examples of findings in the new SIR:

·         Significant increases in categories, such as Trojan downloaders, potentially unwanted software (which includes rogue security software), and exploits, suggest that distribution of potentially unwanted software is less and less a matter of a normal affiliate model and more often malicious and/or criminal in method and intent.

·         The MSRT removed significantly more malware in 1H07 than in previous periods.  It removed malware from 1 out of every 217 computers in 1H07, compared to 1:409 in 2006 and 1:359 in 2H05.

·         We found 65% less Potentially Unwanted Software and 60% less malware on computers running Windows Vista than on computers running Windows XP SP2.

You can read more in the SIR: www.microsoft.com/sir

Thanks,

Vinny Gullotto

Hi again, WOW so a month now since the VB2007 Conference in Vienna, Austria.  Vienna was beautiful!

Where has the time gone, since then!?

I couldn’t let too much more time pass before saying a few words, as I’m finally off the road to be able to sit and gather some thoughts on it.

 We (The Microsoft Malware Protection Center, a.k.a The MMPC) were a platinum sponsor of this year’s conference and many folks from the team traveled far and wide to get there from our Ireland, Australia, and U.S. labs to attend and present at the event. 

I want to thank all who attended my Sponsor's Presentation at the conference.  During the presentation I gave an overview of Microsoft’s entry into the anti-virus market, how we have been working to continually improve our research and response capabilities, and also introduced some of the key industry hires we have made over the past year.  

As usual, it was great to see everyone; the best and brightest folks in the anti-malware industry who do this work; keep you protected and informed and talk about what’s been, what’s next and what needs to be done.  It also gave attendees the chance to meet and discuss important issues with some of our researchers, including Jimmy Kuo, Katrin Totcheva, and Jakub Kaminski, all who’ve been in attendance at VB for years. Folks also got to meet some of the team who attended for the first time, like Alex Carp, Kyle Larsen and Todd Gaiser.

We had some productive discussions with attendees regarding new threats to Internet users, anti-virus testing methodologies, how the MMPC is evolving, and where the best restaurants in Vienna are located. J  Much discussion went into how to transform the WildList to better represent the real threats of today.  Those conversations, as I’m sure you can imagine, were quite lively and just an opinion or two were shared.

 We look forward to the changes that are likely to develop from these discussions.  I really enjoyed the session on sample sharing that Dmitry Gryaznov and Joe (Feech) Telafici presented, as well as the discussions that followed – especially the interview Feech gave to the “BBC” J.  The explosive growth in malware presents some interesting engineering challenges, like in the area of storage that the anti-malware industry needs to address.

Onward we continue to go, both as a collective industry and as individual organizations, to drive these programs and change forward. I’m looking forward to see how some of these conversations play out; I clearly plan to have the MMPC at the forefront (hehe) of those conversations, as we have had many customers tell us they want and expect us to be there. They can count on it.

October and November are busy months for us…stay tuned!

Vinny Gullotto

Over the past few months, there has been talk about a wave of malware known commonly as “Storm”.  “Storm” has been noted to be responsible for Distributed Denial of Service (DDoS) attacks, mass phishing emails, spam, botnets, and all sorts of online malicious activity.

While the name “Storm” was adopted by press, security companies had already adopted a myriad of names for the set of malware that encompasses this attack.  Here at Microsoft, we refer to certain components as Win32/Nuwar and others as Win32/Tibs.  Other names such as Zhelatin and shorter names associated with brief attacks have also been used, such as e-card or nfltracker.  As I noted, there are many different components, each with its own specialized functionality, so over time, many names have been used.

In August, Microsoft’s Malware Protection Center (MMPC), the group of researchers responsible for each month’s additions to the Malicious Software Removal Tool (MSRT), decided to add this family to the September MSRT release based on its prevalence.  The MSRT updates are released monthly in conjunction with Microsoft’s security software updates, and are free to the public in an effort to remove prevalent malware from the Windows eco-system and improve everyone’s ability to enjoy the Internet.  With more than 350 million machines around the world that run this program, it requires great care and planning to release each new version.

After much work and testing, we made this month’s MSRT available for download September 11, and nowafter one week, we would like to share some of the statistics with you.  But before I do, the researcher in me requires that I give you the caveats.  First, MSRT is targeted against very specific known malware.  It is well known that the “Storm” attacks are engineered by criminals who update their malware frequently.  As a result, we are in an endless chase.  But that doesn’t mean we shouldn’t try to make things better.  Also, once we decide to take on a family in the MSRT, we continue the assault on that family moving forward, so we will keep at it.  Because of all the testing that has to be done, we have to freeze our signature additions weeks in advance to make sure we have ample time to do the testing required to release a product as error free as possible (since even a small percentage of errors will impact thousands or millions of people). 

Finally, to the numbers (numbers as of 2PM Tuesday, PDT).

The Renos family of malware has been removed from 668,362 distinct machines.  The Zlob family has been removed from 664,258 machines.  And the Nuwar family has been removed from 274,372 machines.  In total, malware has been removed by this month’s MSRT from 2,574,586 machines.

So, despite some public concern in the press and among researchers about the “Storm” worm, it ranks third among the families of malware whose signatures have been added to the MSRT. 

Another antimalware researcher who has been tracking these recent attacks has presented us with data that shows we knocked out approximately one-fifth of “Storm’s” Denial of Service (DoS) capability on September 11^th.  Unfortunately, that data does not show a continued decrease since the first day.  We know that immediately following the release of MSRT, the criminals behind the deployment of the “Storm” botnet immediately released a newer version to update their software.  To compare, one day from the release of MSRT, we cleaned approximately 91,000 machines that had been infected with any of the number of Nuwar components.  Thus, the 180,000+ additional machines that have been cleaned by MSRT since the first day are likely to be home user machines that were not notably incorporated into the daily operation of the “Storm” botnet.  Machines that will be cleaned by MSRT in the subsequent days will be of similar nature.

 

The effort by criminals who try to usurp machines on the Internet for their criminal enterprise continues.  The September release of the MSRT probably cleaned up approximately one hundred thousand machines from the active “Storm” botnet.  Such numbers might project that the strength of that botnet possibly stood at almost half a million machines with an additional few hundred thousand infected machines that the “Storm” botnet perhaps were not actively incorporating.

 

Unfortunately, “the virus you are most likely to be infected with is the one that you most recently cleaned” because people with a habit of doing something are likely to repeat whatever they did.  Despite so many machines having been cleaned recently by MSRT, the “Storm” botnet will slowly regain its strength.  This highlights the importance that MSRT is only effective if it is used in conjunction with a real-time antimalware program or package.

 

As I said before, once we set our sights on a particular malware family, we will continue in that fight.  So, we await the next release of MSRT when hopefully, we will take another bite out of crime.

 

--  Jimmy Kuo

Hey all, if you recall, back in April we released the PREVIEW version of our new portal affectionately known as the Microsoft Malware Protection Center Portal.  Since then we’ve received loads of feedback from customers and partners on what they like about the portal and the features they really want to see now and in the future. All of it great stuff!

The official Version 1 of the Microsoft Malware Protection Center Portal is now live!

You can check it out here:  http://www.microsoft.com/security/portal/

Some of the features you asked for and we included are:

·         Access to our malware encyclopedia. 

o        When you need to do some research on a particular threat or family you can search or browse our encyclopedia and get the details we’ve written about on it.

·         Download our antivirus and/or our antispyware signatures. 

o        We recommend updating daily, the products will do it for you, BUT if want you can do it yourself for the Forefront client or Windows Defender products  both the 32 bit and 64 bit systems.

·         Threat and Potentially Unwanted Software Telemetry. 

o        The portal provides information on the top threats and potentially unwanted software that we are observing and that’s being reported to us by YOU. Each top ten category  provides links to read up on those listed

·         Tools and Resources. 

o        We have a collection of links to tools and resources that we think can be useful and interesting to you including blogs and the Microsoft Security Intelligence Report.

·         Microsoft Security Intelligence Report. 

o        And of course no blog would be complete without me mentioning the SIR, we have a page dedicated to hosting the various reports we produce:  http://www.microsoft.com/security/portal/SIR.aspx 

And last but not least we have the Sample Submission feature! You got a file that you think is infected and want to know for sure?? Upload it to us, we’ll take a look and let you know.

This is just the start – literally a v1 release.  As always we want to hear what you think about the portal – the good, the bad, and the ugly (don’t be shy).  Please send us feedback and let us know which features you want to see in future releases.  mpcfb@microsoft.com

Take care, more soon!!

Vinny

Hi again, just recently returned from MS TechEd in Orlando, oh it was HOT!

It was great to get a chance to meet some customers and partners face to face and discuss what’s happening at a more granular level today in the enterprise.  The issues they face are of course at the heart of what we’re providing solutions for and allows us to reprioritize where needed to make sure we’re addressing things daily as that’s how fast we see things happening at the moment, as I know others do as well. Oh the day of the boot sector infector are long behind us and the pace at which we all must move now is at lightning speed, ya gotta love it!

Some of the important questions and issues we discussed included things like Rootkit technology, naming conventions and the overall breadth of the problem today around spyware and what next generation of threats would we see.

In addition, there were many concerns about the never ending Bot problem and of course how the Microsoft Malware Protection Center will continue to grow to support customers globally.

My commitment to them was to return in some way shape or form and update them on our progress in these areas through this blog and next year at TechED

The customers that attended the presentation seemed a bit overwhelmed by the data we put together in our last Security Intelligence Report.

When I returned back to Redmond, one of the first things I did was go to the TechNet recording studios and record a Security Intelligence Report webcast.  If you don’t have the time to read the full report (http://www.microsoft.com/downloads/details.aspx?FamilyId=AF816E28-533F-4970-9A49-E35DC3F26CFE&displaylang=en ) this webcast is an easy way to hear about all the findings in the report and come up to speed on the malware trends we have been observing.

Check it out! 

http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032340085&Culture=en-US

There is more to come…stay tuned.

Vinny Gullotto

As I mentioned in my last blog post, our researchers and engineers in the Microsoft Malware Protection Center have been focusing their efforts on protecting customers from current, in the wild threats, and established an undertaking to achieve the next VB100 award.  Today Virus Bulletin announced the results of their latest tests and Windows Live OneCare as well as Forefront Client Security have both been awarded their VB100 award. 

http://www.virusbtn.com/vb100/index

-- Jimmy Kuo