Archive

Archive for the ‘Microsoft Safety Scanner’ Category

Limited Periodic Scanning in Windows 10 to Provide Additional Malware Protection

May 26th, 2016 No comments

Every month, Microsoft’s Malicious Software Removal Tool (MSRT) scans more than 500 million Windows devices for malware and malicious software. This tool aids in the detection and removal of malware from 1 to 2 million machines each time, even on those devices running antivirus software. Meanwhile, many Windows customers continue to use the Microsoft Safety Scanner (MSS) to manually scan their PC for malware.

Windows 10 is the most secure operating system Microsoft has ever shipped, and we continue to make it better with regular security updates and new features. For example, we’re making malware detection and protection even easier and more seamless for our customers, whether they choose to use the built-in Windows Defender antivirus or a third-party antivirus solution. Starting with the Windows 10 Anniversary Update this summer—and available in this week’s Windows Insider build—Windows 10 will include a new security setting called Limited Periodic Scanning. Windows Insiders can enable this feature on unmanaged devices today.

When enabled, Windows 10 will use the Windows Defender scanning engine to periodically scan your PC for threats and remediate them.  These periodic scans will utilize Automatic Maintenance—to ensure the system chooses optimal times based on minimal impact to the user, PC performance, and energy efficiency—or customers can schedule these scans. Limited Periodic Scanning is intended to offer an additional line of defense to your existing antivirus program’s real-time protection.

 

Enabling Windows 10 Limited Periodic Scanning

If you are not using Windows Defender as your antivirus program on Windows 10, you can enable Limited Periodic Scanning under Settings.

  1. Navigate to Settings -> Update & Security -> Windows Defender.
  2. Turn Limited Periodic Scanning on.

Screenshot of the Limited Periodic Scanning option

If you are already using Windows Defender as your antivirus program on Windows 10, then you already have this feature enabled. Windows Defender periodically scans your PC, also known as Scheduled scans.

 

Notifying you of threats found on your PC

When Windows 10 Limited Periodic Scanning is turned ON, and even if you are NOT using Windows Defender for your real-time protection, the Windows Defender user interface and History tab will allow you to view any additional threats that have been detected.

Screenshot of Windows Defender periodic scanning settings Screenshot of the Windows Defender History settings

When a threat is found, Windows Defender will notify you with a Windows 10 notification. In most cases, Windows Defender will also automatically take action on the threat. Clicking on the notification will open Windows Defender where you can further review the threat that was found and the action that was automatically taken.

Screenshot of the Windows Defender scan notification

Clicking the notification will take you to the Windows Defender main user interface, where additional actions (if required) can be taken and applied.

At this time, Windows 10 Limited Periodic Scanning is intended for consumers. We are evaluating this feature for commercial customers, but Limited Periodic Scanning only applies to unmanaged devices for the Windows 10 Anniversary Update.

Windows 10 is our most secure operating system yet, and we will continue to improve Windows 10 with features like Limited Periodic Scanning. With Windows 10, you can rest assured you’ll always have the latest security protections. To learn more about the security features offered in Windows 10 visit: http://www.microsoft.com/security.

 

 

Deepak Manohar

Microsoft Malware Protection Center

Microsoft Malware Protection Center assists in disrupting Ramnit

February 25th, 2015 No comments

Recent disruption of the Ramnit malware family was successful due to a multinational collaboration, led by Europol’s European Cybercrime Center (EC3), in partnership with Financial Services and Information Sharing & Analysis Center (FS-ISAC), Symantec, AnubisNetworks, Microsoft’s Digital Crimes Unit (DCU), and the Microsoft Malware Protection Center (MMPC).

The MMPC has been closely monitoring Ramnit since its discovery in April 2010, as you can see by reading: Ramnit – The renewed bot in town and Little Red Ramnit: My, what big eyes you have, Grandma!

The Ramnit threat tampers with antivirus software and disables Windows Update to prevent computers from getting critical security updates through Windows Update and antivirus software. We recommend using Microsoft Safety Scanner to scan and clean the threat. Additional technical details about what Ramnit can do, and how to clean it up, can be found by visiting the Malware Protection Center and help-page respectively.

During the past six months, Microsoft detected approximately 500,000 instances of computers infected with Ramnit.

Infected machines in the last six months

 Figure 1: Ramnit infection trend from the past six months

 

Ramnit is a module-based malware which concentrates on stealing credential information from banking websites.

Ramnit is configured to hide itself, disable security defences, and establish a connection with the Ramnit command and control server (C&C).

Ramnit generates 300 domains through a Domain Generation Algorithm (DGA), which is a function of rand and a hard-coded seed in the threat. Then, it tries to communicate to each through a custom protocol using port 443. Ramnit expects a reply from the C&C server that is signed using a RSA 1024-bit key, and uses RC4 encryption for the communication.

C&C server that is signed using a RSA 1024-bit key, and uses RC4 encryption for the communication.

See the Python implementation of DGA below:

Python implementation of DGA

  Figure 2: Sample Python code

 

Ramnit's design is modular to accommodate dynamic modules from the C&C server that can add additional functionality to the threat. This allows different malware modules that are pushed from the C&C server to plug into the malware framework on the user's computer and allows it to operate diskless (off of RAM).

To accomplish this, when an infected computer first contacts a C&C server, it can download one or more malware modules which give it new capabilities. For example, one module is designed to steal sensitive files from the user's computer, while a different module is designed to steal user credentials when the user logs into the website of a targeted financial institution, etc.

We have observed that Ramnit uses the following modules:

  • Hook-Spy Module:

This core module does a sophisticated form of fraud referred to as a "web-injection" attack to capture the user's banking credentials. To achieve this goal, this module first downloads a configuration file which contains a list of websites to monitor. A majority of the websites we saw were banks. With this list, Ramnit continues to monitor websites on the list.

When Ramnit sees the user attempting to connect to one of the websites on the list, it silently captures the credential information and uploads it to the C&C server.

Configuration can also specify additional information to be collected from the user. User interface elements needed to collect this information are dynamically inserted into the web page that the user is visiting.

For the user, it appears as though the target website itself is requesting new information. For example, Figure 3 shows the effect of a Ramnit web-injection. The image on the left shows how the webpage would be presented to a user on an uninfected computer. The image on the right shows how the webpage would be presented to a user on a Ramnit-infected computer. 

The effect of Ramnit web-injection

Figure 3: What a web page looks like before and after a Ramnit infection

We observed two different control servers:

    • C&C1 – the server that is contacted through DGA that controls what modules are downloaded, to provide command and VNC interface to the bot controller.
    • C&C2 – exists in the configuration file that is designed to handle web-injection responsible for stealing extra credential information.

By having two disassociated C&C, the threat gains the following advantages from its architecture:

    1. Dynamic content injected into webpages can change more rapidly and be tailored to the victim according to the country where the victim is located in and the websites visited.
    2. This can also act as a camouflage to hide the C&C2 from researchers, as this server is not referenced in the malware binary, reverse engineering the binary wouldn't reveal it. Identifying this server requires decryption of the configuration file sent by C&C1. The encryption algorithm used is RC4 with a machine specific key that also protects and increases the difficulty in finding it.
    3. The website content might update frequently. Updates for the website require the retrieval of a new configuration file. With this new server, it gives Ramnit bot controller the ability to put a portion of the injection code in a remote server.
    4. It allows credential information to be stored and managed separately. Figure 4 shows how the Ramnit C&C servers are organized.

The way Ramnit C&C servers are organized

Figure 4: A high-level flow of how Ramnit C&C servers operate

  • Anti-AV Module

There is a significant Anti-AV function that is part of the Ramnit installer. When Ramnit is installed, it disables the following Windows components:

  • Windows Firewall
  • Windows Update
  • Windows Defender
  • Windows User Account Control

When the C&C connection was established, the C&C server sent a blacklist of more than 300 types of antivirus applications. See the detailed list in this blog: Ramnit – The renewed bot in town.

This dynamic module sent from the server was first observed in 2013 with the name "Antivirus Trusted Module v1.0.” See the technical details in this blog: Ramnit – The renewed bot in town

In recent months, this blacklist shrunk to Microsoft Anti-AV application core executables.

  • FTP Grabber

The FTP Grabber enables Ramnit to steal credentials from FTP applications. One of Ramnit's propagation techniques is to implant those files with either Ramnit itself or other malware so that a user who downloads one of those files will be infected with Ramnit. See Win32/Ramnit for the detailed list of FTP Applications targeted by Ramnit. .

  • Cookie Grabber

The Cookie Grabber enables Ramnit to steal browser cookie information or to forge cookies. A cookie is a piece of information sent by the web server during a web session. In the case of a banking session, the cookie might contain user credential identification information. Ramnit steals that cookie information for later use in defrauding the user.

It also shows the list of websites that the user visited so that the C&C server can send a tailored spy configuration module. See Win32/Ramnit for the detailed list of browsers targeted by Ramnit.

  • VNC Module

The VNC module enables the Ramnit botnet controller to directly access and control the user's computer through a virtual network computing (VNC) connection. In other words, this allows the herder to access and completely control the user's computer. Machines with a properly configured firewall, or sit behind network address translation (NAT) won't be affected.

  • Drive Scan Module

The Drive Scan module enables Ramnit to gather credential information in addition to the information gathered by the Hook-Spy module. By achieving this, this module scans the computer looking for interesting files that contain specific key words, typically associated with banking credentials. Figure 5 shows a list of keywords that this module looks for as it attempts to identify files to steal. If the Ramnit running on a user's computer can locate file names with these keywords in them, it will upload the file to the C&C server.

The Ramnit botnet controller then collects that file and reviews it for information to more effectively target the computer user.

The way Ramnit C&C servers are organized

 Figure 5: The list of keywords that Ramnit looks for

In summary, Ramnit has a hot pluggable modular framework design that gives it plenty of flexibility to extend new functionality on demand.

As always, we urge Windows users to be vigilant against malware:

  • Exercise caution when opening emails or social media messages from unknown users.
  • Be wary about downloading software from websites other than the program developers.
  • Run an antivirus software regularly.

If you're using Windows 8 or later versions, Windows Defender is built-in. If you're running an older operating system, you can install Microsoft Security Essentials.

As a reminder to organizations invested in security, MMPC has a Coordinated Malware Eradication Program. If your organization is interested in joining or initiating an eradication campaign or participate in the CME program, please see the CME program page. You can also reach out to us at cme-invite@microsoft.com for more information. 

 

Tanmay Ganacharya, Karthik Selvaraj, and Tim Liu

MMPC

 

Microsoft Malware Protection Center assists in disrupting Ramnit

February 25th, 2015 No comments

Recent disruption of the Ramnit malware family was successful due to a multinational collaboration, led by Europol’s European Cybercrime Center (EC3), in partnership with Financial Services and Information Sharing & Analysis Center (FS-ISAC), Symantec, AnubisNetworks, Microsoft’s Digital Crimes Unit (DCU), and the Microsoft Malware Protection Center (MMPC).

The MMPC has been closely monitoring Ramnit since its discovery in April 2010, as you can see by reading: Ramnit – The renewed bot in town and Little Red Ramnit: My, what big eyes you have, Grandma!

The Ramnit threat tampers with antivirus software and disables Windows Update to prevent computers from getting critical security updates through Windows Update and antivirus software. We recommend using Microsoft Safety Scanner to scan and clean the threat. Additional technical details about what Ramnit can do, and how to clean it up, can be found by visiting the Malware Protection Center and help-page respectively.

During the past six months, Microsoft detected approximately 500,000 instances of computers infected with Ramnit.

Infected machines in the last six months

 Figure 1: Ramnit infection trend from the past six months

 

Ramnit is a module-based malware which concentrates on stealing credential information from banking websites.

Ramnit is configured to hide itself, disable security defences, and establish a connection with the Ramnit command and control server (C&C).

Ramnit generates 300 domains through a Domain Generation Algorithm (DGA), which is a function of rand and a hard-coded seed in the threat. Then, it tries to communicate to each through a custom protocol using port 443. Ramnit expects a reply from the C&C server that is signed using a RSA 1024-bit key, and uses RC4 encryption for the communication.

C&C server that is signed using a RSA 1024-bit key, and uses RC4 encryption for the communication.

See the Python implementation of DGA below:

Python implementation of DGA

  Figure 2: Sample Python code

 

Ramnit's design is modular to accommodate dynamic modules from the C&C server that can add additional functionality to the threat. This allows different malware modules that are pushed from the C&C server to plug into the malware framework on the user's computer and allows it to operate diskless (off of RAM).

To accomplish this, when an infected computer first contacts a C&C server, it can download one or more malware modules which give it new capabilities. For example, one module is designed to steal sensitive files from the user's computer, while a different module is designed to steal user credentials when the user logs into the website of a targeted financial institution, etc.

We have observed that Ramnit uses the following modules:

  • Hook-Spy Module:

This core module does a sophisticated form of fraud referred to as a "web-injection" attack to capture the user's banking credentials. To achieve this goal, this module first downloads a configuration file which contains a list of websites to monitor. A majority of the websites we saw were banks. With this list, Ramnit continues to monitor websites on the list.

When Ramnit sees the user attempting to connect to one of the websites on the list, it silently captures the credential information and uploads it to the C&C server.

Configuration can also specify additional information to be collected from the user. User interface elements needed to collect this information are dynamically inserted into the web page that the user is visiting.

For the user, it appears as though the target website itself is requesting new information. For example, Figure 3 shows the effect of a Ramnit web-injection. The image on the left shows how the webpage would be presented to a user on an uninfected computer. The image on the right shows how the webpage would be presented to a user on a Ramnit-infected computer. 

The effect of Ramnit web-injection

Figure 3: What a web page looks like before and after a Ramnit infection

We observed two different control servers:

    • C&C1 – the server that is contacted through DGA that controls what modules are downloaded, to provide command and VNC interface to the bot controller.
    • C&C2 – exists in the configuration file that is designed to handle web-injection responsible for stealing extra credential information.

By having two disassociated C&C, the threat gains the following advantages from its architecture:

    1. Dynamic content injected into webpages can change more rapidly and be tailored to the victim according to the country where the victim is located in and the websites visited.
    2. This can also act as a camouflage to hide the C&C2 from researchers, as this server is not referenced in the malware binary, reverse engineering the binary wouldn't reveal it. Identifying this server requires decryption of the configuration file sent by C&C1. The encryption algorithm used is RC4 with a machine specific key that also protects and increases the difficulty in finding it.
    3. The website content might update frequently. Updates for the website require the retrieval of a new configuration file. With this new server, it gives Ramnit bot controller the ability to put a portion of the injection code in a remote server.
    4. It allows credential information to be stored and managed separately. Figure 4 shows how the Ramnit C&C servers are organized.

The way Ramnit C&C servers are organized

Figure 4: A high-level flow of how Ramnit C&C servers operate

  • Anti-AV Module

There is a significant Anti-AV function that is part of the Ramnit installer. When Ramnit is installed, it disables the following Windows components:

  • Windows Firewall
  • Windows Update
  • Windows Defender
  • Windows User Account Control

When the C&C connection was established, the C&C server sent a blacklist of more than 300 types of antivirus applications. See the detailed list in this blog: Ramnit – The renewed bot in town.

This dynamic module sent from the server was first observed in 2013 with the name "Antivirus Trusted Module v1.0.” See the technical details in this blog: Ramnit – The renewed bot in town

In recent months, this blacklist shrunk to Microsoft Anti-AV application core executables.

  • FTP Grabber

The FTP Grabber enables Ramnit to steal credentials from FTP applications. One of Ramnit's propagation techniques is to implant those files with either Ramnit itself or other malware so that a user who downloads one of those files will be infected with Ramnit. See Win32/Ramnit for the detailed list of FTP Applications targeted by Ramnit. .

  • Cookie Grabber

The Cookie Grabber enables Ramnit to steal browser cookie information or to forge cookies. A cookie is a piece of information sent by the web server during a web session. In the case of a banking session, the cookie might contain user credential identification information. Ramnit steals that cookie information for later use in defrauding the user.

It also shows the list of websites that the user visited so that the C&C server can send a tailored spy configuration module. See Win32/Ramnit for the detailed list of browsers targeted by Ramnit.

  • VNC Module

The VNC module enables the Ramnit botnet controller to directly access and control the user's computer through a virtual network computing (VNC) connection. In other words, this allows the herder to access and completely control the user's computer. Machines with a properly configured firewall, or sit behind network address translation (NAT) won't be affected.

  • Drive Scan Module

The Drive Scan module enables Ramnit to gather credential information in addition to the information gathered by the Hook-Spy module. By achieving this, this module scans the computer looking for interesting files that contain specific key words, typically associated with banking credentials. Figure 5 shows a list of keywords that this module looks for as it attempts to identify files to steal. If the Ramnit running on a user's computer can locate file names with these keywords in them, it will upload the file to the C&C server.

The Ramnit botnet controller then collects that file and reviews it for information to more effectively target the computer user.

The way Ramnit C&C servers are organized

 Figure 5: The list of keywords that Ramnit looks for

In summary, Ramnit has a hot pluggable modular framework design that gives it plenty of flexibility to extend new functionality on demand.

As always, we urge Windows users to be vigilant against malware:

  • Exercise caution when opening emails or social media messages from unknown users.
  • Be wary about downloading software from websites other than the program developers.
  • Run an antivirus software regularly.

If you're using Windows 8 or later versions, Windows Defender is built-in. If you're running an older operating system, you can install Microsoft Security Essentials.

As a reminder to organizations invested in security, MMPC has a Coordinated Malware Eradication Program. If your organization is interested in joining or initiating an eradication campaign or participate in the CME program, please see the CME program page. You can also reach out to us at cme-invite@microsoft.com for more information. 

 

Tanmay Ganacharya, Karthik Selvaraj, and Tim Liu

MMPC

 

New research shows rise in “deceptive downloads”

May 7th, 2014 No comments

According to the latest cybersecurity report from Microsoft, “deceptive downloads” were the top threat for 95 percent of the 110 countries surveyed.

What are deceptive downloads?

Deceptive downloads are legitimate downloadable programs (usually free) such as software, games, or music that cybercriminals bundle with malicious items.

For example, you might receive a file in email or through social networking, but when you try to open it you see a message that says you don’t have the right software to open it. You do a search online and come across a free software download that claims it can help you open the file. You download that software, but you unknowingly might also be downloading malicious software (also known as “malware”) with it. This malware might have the ability to access personal information on your computer or use your computer for cybercrime.

It could be months or even years before you notice your system has malware.

How can I avoid deceptive downloads?

What should I do if I think I’ve been a victim of a deceptive download?

Do a scan with your antivirus software. If your computer is running Windows 8 or Windows 8.1, you can use the built-in Windows Defender to check for and to help you get rid of a virus or other malware.

If your computer is running Windows 7 or Windows Vista, do the following:

What is the Security Intelligence Report?

The Microsoft Security Intelligence Report (SIR) covers research on computer security, including software vulnerabilities, exploits, and malicious and potentially unwanted software. Volume 16 of the report was released today. If you want to learn more about deceptive downloads and other key findings, please visit Microsoft.com/SIR.

3 ways to speed up your PC

October 15th, 2013 No comments

Here are three ways to speed up a sluggish computer.

1.       Scan your computer for viruses

If your computer is slow or restarts often, it could be infected with a virus or other malicious software.

If you have Windows 8, you can use the built-in Windows Defender to help you get rid of a virus or other malware. If you have Windows 7, Windows Vista, or Windows XP, scan your computer with the Microsoft Safety Scanner. Or get help at the Virus and Security Solution Center.

For more information, see How to avoid and remove computer viruses.

2.       Turn on automatic updating

One of the easiest things you can do to speed up your PC is to make sure that your operating system and software are kept up to date. Learn how to get security updates automatically.

Is your computer sluggish, or is it just your web browser? The newest version of Internet Explorer is Internet Explorer 10. It’s included with Windows 8, and you can download it for free for other versions of Windows. Learn more about security in Internet Explorer 10.

 

3.       Upgrade your operating system

If you’re still using Windows XP, you could speed up your PC by upgrading to Windows 8 or Windows 7.

Support for Windows XP ends on April 8, 2014. You can get solutions to your Windows XP security issues now, but not for too much longer. If you’re still using Windows XP, you’re missing out on all kinds of security, productivity, and performance enhancements available in Windows 7 and Windows 8.

Find out what end of support for Windows XP means to you.

If your computer is still slow, you can try limiting how many programs run at start up, deleting software and files you don’t need, or following these additional tips to speed up your PC.

Get free or paid support for your malware problem

September 24th, 2013 No comments

Is your computer running slowly? Are programs starting unexpectedly? Is the activity light on your broadband or external modem constantly lit? Does it sound like your computer’s hard disk is continually working?

If you answered “yes” to any of these questions, your computer might be infected with malware.

Scan your PC for viruses

If you suspect that your computer has a virus, you can download the Microsoft Safety Scanner. The Microsoft Safety Scanner is a free downloadable security tool that provides on-demand scanning and helps remove viruses, spyware, and other malicious software.

Download the Microsoft Safety Scanner

Get help from the Microsoft forums

If you’ve scanned your computer and you can’t get rid of the virus, you might be able to get free help from the Microsoft Community. Check out the Viruses and Malware forum.

Get help from a Microsoft Answer Tech for $99

If you want to pay for help, a Microsoft Answer Tech can help track down viruses, malware, and spyware.  

Chat with an Answer Tech now

Why does my AV software keep turning off?

July 25th, 2013 No comments

Bob writes:

My antivirus software keeps turning off and I can’t get it back on.

Here are the most common reasons you might encounter this problem:

Your computer is already infected with rogue security software

The warning that you’re antivirus software is turned off might be a fake alert, also known as “rogue security software.” This type of warning is designed to fool you into downloading malicious software or paying for antivirus software. Take our Real vs. Rogue quiz to see if you can identify the difference.”

You have more than one antivirus program

Your antivirus software could turn off if you try to install another antivirus program. Running more than one antivirus program at the same time can cause conflicts and errors that make your antivirus protection less effective or not effective at all.

You might have a virus

Some viruses can disable your antivirus software or disable updates to your antivirus software. Viruses can also prevent you from going online to update or reinstall your antivirus software.

For troubleshooting help, see What to do if your antivirus software stops working.

How to get rid of a computer virus

June 25th, 2013 No comments

Is your computer running more slowly than usual? Does it stop responding or freeze often? It might have a virus.

If you can connect to the Internet

These instructions are different depending on which operating system you’re using.

Check your operating system

Windows 8

If your computer is running Windows 8, you can use the built-in Windows Defender to get rid of the virus or other malware.

Windows 7, Windows Vista, Windows XP

If your computer is running Windows 7, Windows Vista, or Windows XP, do the following:

  • Run the Microsoft Safety Scanner. The scanner can be used with any kind of antivirus software (not just antivirus software from Microsoft).
  • Download Microsoft Security Essentials for free. (Note: Some viruses will prevent you from downloading Microsoft Security Essentials.)

If you can’t connect to the Internet

Windows Defender Offline works with Windows 8, Windows 7, Windows Vista, and Windows XP.

Use another computer to download Windows Defender Offline and create a CD, DVD, or USB flash drive.

Windows Defender (built in to Windows 8), Microsoft Security Essentials, and other antivirus software use the Internet to download the latest updates to fight new malware. Windows Defender Offline helps protect against advanced malware that can’t always be detected by antivirus software.

Learn how to use Windows Defender Offline

Learn more

Security researchers: Get paid to thwart cybercriminals. We want your help fighting potential viruses. Microsoft has announced three new bounty programs that offer cash payments in exchange for reporting certain vulnerabilities in and techniques for exploiting Internet Explorer, Windows, and other Microsoft programs. Visit Microsoft.com/BountyPrograms for details.

Clean up malware resulting from the Bamital botnet

February 8th, 2013 No comments

On February 6, Microsoft announced that its Digital Crimes Unit had worked with Symantec to successfully deactivate a major botnet called Bamital. Below is an overview of Bamital and how you can remove it from your computer.

Botnets are networks of compromised computers, controlled remotely by criminals who use them to  secretly spread malware, steal personal information, and commit fraud. Bamital was designed to hijack internet search results and take people to websites that were potentially dangerous.

To learn more about botnets, see How to better protect your PC with botnet protection and avoid malware.

A majority of computers affected by Bamital were running Windows XP and not using a firewall and antivirus software or having monthly security updates installed.

You might have malware on your computer if you see this page:

To help clean Bamital and other malware from your computer, you can install antivirus and antispyware programs that are available online from a provider that you trust.

Microsoft and Symantec each provide free malware removal tools:

For more information about how to remove malware, visit the Virus and Security Solution Center from Microsoft Support.

Read more at the Official Microsoft Blog.

Clean up malware resulting from the Bamital botnet

February 8th, 2013 No comments

On February 6, Microsoft announced that its Digital Crimes Unit had worked with Symantec to successfully deactivate a major botnet called Bamital. Below is an overview of Bamital and how you can remove it from your computer.

Botnets are networks of compromised computers, controlled remotely by criminals who use them to  secretly spread malware, steal personal information, and commit fraud. Bamital was designed to hijack internet search results and take people to websites that were potentially dangerous.

To learn more about botnets, see How to better protect your PC with botnet protection and avoid malware.

A majority of computers affected by Bamital were running Windows XP and not using a firewall and antivirus software or having monthly security updates installed.

You might have malware on your computer if you see this page:

To help clean Bamital and other malware from your computer, you can install antivirus and antispyware programs that are available online from a provider that you trust.

Microsoft and Symantec each provide free malware removal tools:

For more information about how to remove malware, visit the Virus and Security Solution Center from Microsoft Support.

Read more at the Official Microsoft Blog.

Take care with ransomware

December 4th, 2012 No comments

Have you ever received an email or seen a warning page on a website claiming that legal authorities had detected illegal activities on your computer?

This scam infects your computer with a type of malicious software called “ransomware.” The aim of ransomware is to prevent you from using your computer until you pay a fee (the “ransom”). If you see an email or a warning like this, do not follow the payment instructions.

Some ransomware will lock your computer so you can’t use the Internet to get help. But you might be able to fix the problem if you have another computer with a clean operating system and Internet access. You can use it to download Windows Defender Offline onto removable media and then run the recovery tool on your computer.

Learn more about ransomware

See examples of ransomware and learn how to get it off your computer

Protect your PC from the latest threats

May 29th, 2012 No comments

Since the Microsoft Security Intelligence Report was released last month, we’ve been discussing some of the findings here, including research on the Conficker worm and the prevalence of rogue security software called scareware.

Here are three Microsoft tools that can help you protect yourself from these threats and others:

  • Microsoft Security Essentials offers free real-time protection that combines an anti-virus and anti-spyware scanner with phishing and firewall protection.
  • The Microsoft Safety Scanner is a free downloadable security tool that provides on-demand scanning and helps remove malware and other malicious software. The Microsoft Safety Scanner is not a replacement for an up-to-date antivirus solution, because it does not offer real-time protection and cannot prevent a computer from becoming infected.
  • SmartScreen Filter, a feature in Internet Explorer 8 and 9, offers protection against phishing sites and sites that host malware. Microsoft maintains a database of phishing and malware sites reported by users of Internet Explorer and other Microsoft products and services. If you attempt to visit a site in the database with the filter enabled, Internet Explorer displays a warning and blocks navigation to the page.

For more information, see a list of free Microsoft products help protect your computer from malware.

How to spot fraudulent tech support phone calls

May 24th, 2012 No comments

Betty writes:

I just received a call from a guy who said that my Windows was infected. He wanted me to sit in front of my computer while he fixed it. He became angry when I told him no and I hung up.

Thanks for writing, Betty. This type of call is a popular scam and you did exactly the right thing. Cybercriminals often use publicly available phone directories to call you and offer tech support. Once they’ve gained your trust, they might ask for your user name and password or ask you to go to a website to install software that will let them access your computer to fix it. If you do this, your computer and your personal information is vulnerable.

Do not trust unsolicited calls. Do not provide any personal information.

  • Never provide your credit card or financial information to someone claiming to be from Microsoft tech support.
  • Do not purchase any software or services.
  • Never give control of your computer to a third party unless you can confirm that it is a legitimate representative of a computer support team with whom you are already a customer.

Get more information on how to avoid tech support phone scams.

If you think you’ve been a victim of a tech support scam

If you think that you might have downloaded malware from a phone tech support scam website or allowed a cybercriminal to access your computer, take these steps:

  • Change your computer’s password. Change your Hotmail or other email password if you’ve given it to the caller.
  • Scan your computer with the Microsoft Safety Scanner to find out if you have malware installed on your computer. (This program automatically expires 10 days after you download it so it won’t clog your hard drive.)
  • Install Microsoft Security Essentials. (Microsoft Security Essentials is a free program. If someone calls you to install this product and then charges you for it, this phone call is also a scam.)

FBI warns against hotel net connections

May 22nd, 2012 No comments

The Federal Bureau of Investigation (FBI) issued a warning earlier this month that travelers should be careful using Internet connections in hotels. Some travelers had inadvertently downloaded malicious software onto their computers when they accepted fake security updates.

Reportedly, hackers had compromised hotel networks (mainly outside of the United States) so that when travelers tried to log on they would see a pop-up window indicating they needed to update their computer in order to get Internet access. The updates were actually malicious software designed to gain control of your computer and steal your personal information.

We recommend that you turn on automatic updating and visit Microsoft Update before you travel to help ensure that your computer is up to date. You can also increase your safety by connecting to the Internet in hotels through a cable instead of using a wireless connection.

Microsoft battles Zeus ID theft botnet

April 3rd, 2012 No comments

Microsoft, in collaboration with the financial services industry, successfully executed a coordinated global action against the Zeus botnet. Zeus is a type of malware that can monitor your online activity and record your keystrokes to commit identity theft.

Learn more about the botnet takedown.

If you think that your computer might be infected with the Zeus botnet, we recommend you:

  • Run the Microsoft Safety Scanner
    The Microsoft Safety Scanner is a free service that helps you identify and remove both worms and viruses to improve PC performance.

For more information, see the Microsoft Virus and Security Solution Center

Latest privacy and online safety tweets

September 2nd, 2011 No comments

Microsoft Safety Scanner detects exploits du jour

May 25th, 2011 No comments

We recently updated the Microsoft Safety Scanner – a just-in-time, free cleanup tool.  The new version adds support for 64-bit Windows systems and also allows for the download of the tool to run in non-networked systems such as those behind an air-gap network, those within an ISPs walled garden, and those where the infection has impaired internet connectivity.  You can download the Microsoft Safety Scanner (MSS) at www.microsoft.com/security/scanner

Early results have been very positive with this tool and we are actively reviewing telemetry from our customers who use it in order to better understand aspects of threat impact from specific malware families. In addition, we urge our customers to install security updates provided by Microsoft for our operating systems and applications, as well as from other third-party applications and any security updates that may be provided by Internet service providers. Early telemetry gathered from the release of the Microsoft Safety Scanner echoes this continuous messaging.

During the first seven days of the MSS release, there were close to 420,000 downloads, or 60,000 downloads per day, of the product. It cleaned 20,097 infected computers in total, for users that suspected their computers were infected and downloaded MSS to scan their machines. Kudos to these users for having security awareness.

Among the detections, 7 of the top 10 threats are files containing exploits for Java vulnerabilities such as CVE-2008-5353, CVE-2010-0094, CVE-2010-0840 and CVE-2009-3867. (For more information related to these exploits, see the blog post “Have you checked the Java?” by our colleague Holly Stewart.)

Below is a table detailing Microsoft Safety Scanner detections in the first seven days since its release:

 

Threat

Threat Count

Machine Count

Note

CVE-2008-5353

                    7,739

                         2,272

Java Exploit

CVE-2010-0840

                    5,387

                         2,785

Java Exploit

CVE-2010-0094

                    4,744

                         1,579

Java Exploit

OpenConnection

                    3,929

                         2,396

Java Exploit

OpenCandy

                    3,408

                         3,238

Adware

CVE-2009-3867

                    2,759

                         1,445

Java Exploit

Wimad

                    1,658

                            637

Malicious Win Media File

Keygen

                    1,287

                         1,234

Key Generator Hacking Tool

Mesdeh

                    1,156

                            714

Java Exploit

OpenStream

                    1,125

                            759

Java Exploit

 

Of course many of these detections by MSS are the debris or aftermath after the exploit has already executed. By the time a user downloads and runs MSS to detect malware, the machine may have already been infected, if it was vulnerable to the exploit at the time.  For example, aside from additional malicious Java code detections, the following active threats were also reported on machines found to be infected by Exploit:Java/CVE-2008-5353 on April 15 2011:

 

Threat

Percentage of machines
where MSS also detected
Exploit:Java/CVE-2008-5353

Note

Alureon

7.3%

Rootkit Data Stealing Trojan

Zwangi

6.0%

Browser Modifier

Winwebsec

5.7%

Rogue

Hotbar

5.4%

Adware

ClickPotato

5.4%

Adware

FakeRean

5.3%

Rogue

Renos

4.6%

Rogue Downloader

FakeSpypro

4.3%

Rogue

Obfuscator

4.3%

Encrypted Threat

Hiloti

3.6%

Downloader

 

On average, MSS detected 3.5 threats on each of the infected computers.

 

Threat Count

Infected Machine Count

Threats Per Infected Machine

                      69,858

                                         20,097

3.5

 

This won’t surprise you if you have read our newly published Security Intelligence Report (SIR).  For example in the exploit section, the data shows Java exploits uptake in 2010:

Exploits detected by Microsoft desktop antimalware products in 2010, by targeted platform or technology

 

If you are one of these users, we encourage you to apply security updates from Microsoft (and from the ISVs where applicable). In addition, take care and protect your Internet activities.  Install antimalware security software such as Microsoft Security Essentials (or other AVs) to protect your computers proactively using real-time scanning technology.

We want to give a special thanks to Holly Stewart for her assistance in this post.

 

— Scott Wu & Joe Faulhaber, MMPC

Computer security tales of woe: What’s yours?

May 19th, 2011 No comments

I recently received two email messages from people who had been the victims of cybercrime. These people weren’t just readers of our blog—they work on our team. That means that they spend almost every day thinking about viruses, online fraud, security updates, and other issues of computer security.

And they still weren’t immune to the threat.

I got permission to share these stories in an effort to prove that cybercriminals are so tricky that they can even fool people who should know better.

The first tale comes from an employee who I’ll call “Christine.” Christine writes:

I was on a news site and got infected with a computer virus. I believe I got some pop-up about an Adobe Acrobat test, and I may have hit “OK” rather than closing the pop-up. Instantly, I started getting all of these dire warning threats that my security had been breached, my computer was infected, and I should download the latest update to “Win 7 Internet Security 2011.”

I’ve actually never had a virus before, but I knew that Microsoft would never abbreviate the word “Windows” to “Win,” and then I spotted a few telltale other signs—a couple misspellings in the messages, and the warnings were so alarmist that I knew they couldn’t be from Microsoft. So I wasn’t dumb enough to click on anything, but it did paralyze my computer for a while, flooding my PC with these messages and blocking my access to the Internet.

From another PC, I found information on this virus and recommendations on how to remove it. I tried to remove it manually and had trouble locating where it was in my files. Then I tried downloading a spyware scanner (which I had to put on a USB drive, and then transfer to my infected PC). After getting it on my PC (I had to rename the .exe file because the virus knew it was spyware removal software and wouldn’t let me run it) and finding the infection, I found out that I needed to buy it before it would fix anything!

Then I remembered Microsoft’s scanner and did the same thing, and it worked! It found the virus and removed it—I guess I had the “Win32/FakeRean” virus that we featured in the newsletter a few months back. It was a fast, easy download, and it found and fixed my system for free.

Now I’ve downloaded every security update I can find, and scanned my system about 5 different times.”

This sounds like rogue security software to us. For more information, see Watch out for fake virus alerts. If you think you might have the same problem, download the Microsoft Safety Scanner.

 

The second story comes from an employee who I’ll call “Megan.” Megan writes:

“Right before I left for vacation I got a message that my email account had been “compromised.” At first I thought that this was a scam, but when I checked my credit card statement, I realized that over $600 of merchandise had been charged to my account. That was because I used the same user name and password information for my email account as I did for other online accounts, including my bank account.  

I was using a strong password. It wasn’t a word from the dictionary and it had a mix of numbers and letters. The problem was that I used this same password since I opened the email account more than four years earlier. And like I said, I was using the same user name and password on many of my online accounts, including my bank account. I immediately changed the password on my email account, on my bank account, and on all other financial accounts. And this time I used different passwords.”

Have you had this problem? Learn how to create strong passwords or test your password’s strength.

Do you have a computer security tale of woe? Share it in our comment section below.

Presenting… the Microsoft Safety Scanner

May 12th, 2011 No comments

We have just released a new tool called Microsoft Safety Scanner to help you diagnose if your computer is infected and clean it if possible. It is available from www.microsoft.com/security/scanner. The old online safety scanner from safety.live.com also now points to www.microsoft.com/security/scanner

So what is Microsoft Safety Scanner? It is a standalone, easy-to-use scanner, packaged with the latest signatures, updated many times a day. While it is not a replacement for a full antimalware solution with real-time protection, it offers detection and cleaning using the same set of signatures and technology utilized by both Microsoft Security Essentials and Forefront Endpoint Protection.

If, like me, you have friends that don’t run up-to-date antivirus software, and as a result, they ask for your help cleaning up their computer, you may want to suggest this as a first step (before you give up your free time to assist them) so you can use that time instead to be social.

All you need is to download the 32-bit or 64-bit version via your favourite web browser and run Microsoft Safety Scanner *. It will detect and remove malware, and potentially unwanted software, for you. There is nothing to install, it’s as simple as that. And because it is just one executable, you can also easily copy it from one computer and run it on another. This is especially useful when your access to security websites is blocked by malware on the infected machine.

 

– Tony Kwan

 

* Note: Microsoft Safety Scanner expires 10 days after downloading. To re-run a scan with the latest antimalware definitions, please download and run Microsoft Safety Scanner again. If you are unsure if you are using the 32-bit or 64-bit version of Windows operating system, please visit this support link: http://go.microsoft.com/fwlink/?LinkId=212750&clcid=0x409