
Anti-Malware Engineering Team

This blog provides information about what's happening in the anti-malware technology team at Microsoft. We're the team that builds the core antivirus, antispyware, anti-rootkit, and related technology, which is then used across a number of Microsoft products and technologies.


We have moved! (June 19 2008)

To ease navigation and be more in sync with our security colleagues within Microsoft, we have moved to a new blog address: http://blogs.technet.com/mmpc

We hope you like the new look. Please remember to redirect any links to our new web address.

When SQL Injections Go Awry, Incident Case Study (May 30 2008)

It seems to be the "in-thing" these days - using an automated tool to perform SQL injections against vulnerable sites across multiple domains. Although the attack method isn't new, some sites are hit multiple times, as evidenced by corruption of the injected code when one attacker overwrites a record that was already injected by another. Below, you can see cached search results when searching for a specific known script injection:


[Image 1: Search results indicating embedded scripts - multiple attacks]


In the highlighted portion above, note the beginning of an original script tag injection being superimposed with another script tag injection. Below, you can see the effect of multiple attacks on another site, as evident in the page source:


Oderoor - all it's Kraked up to be? (May 21 2008)

Greetings from (sorta) sunny Melbourne, Australia! We’re the newest addition to Microsoft’s Security Research and Response global team. In arbitrary seating order we have: Jakub Kaminski, Scott Molenkamp, Hamish O’Dea, Heather Goudey, Raymond Roberts, David Wood, Chun Feng, Oleg Petrovsky, Hermineh Tchagatzbanian, Hil Gradascevic and Matt McCormack. In the same order we have: Skinny Latte w/ 1, Espresso, Skinny Latte w/1, Skinny Latte w/1, Latte w/1, Hot Chocolate, Latte, Cappuccino, Cappuccino and Latte. Try carrying all those coffees at once – it’s not easy.

After our inclusion of the Win32/Nuwar (alias Storm) family last September (http://blogs.technet.com/antimalware/archive/2007/09/20/storm-drain.aspx) and the dent we put in the Win32/Cutwail (alias Pandex) network in January this year, we thought we’d continue the anti-spam motif by targeting the Win32/Oderoor (ominously dubbed ‘Kraken’) network. Research shows botnets with cooler names are way scarier.

“Spam networks you say?” “Why spam networks?” – Oh, convenient question random person! Glad you asked! In our recently published Security Intelligence Report (http://www.microsoft.com/security/portal/sir.aspx *) it was found that around 96% of inbound messages to Exchange Hosted Services were blocked because they had spam on t

Microsoft acquires Komoku (March 20 2008)

Today, Microsoft announced the acquisition of Komoku to add to Forefront and Windows Live OneCare's technological capabilities.  I would like to take this opportunity to review the year since my "Hello World" blog post and again provide insight on where we will be going.


A year ago, I noted our test results were "not stellar" :-). We were lacking VB100 certification, and independent test results placed us ten to fifteen points behind where we hoped to score.  I then promised that we were going to do our best to obtain the VB100 every time after. And while always concentrating on what was important—the malware most likely to affect our users—we brought our test scores on par with the rest of the industry. This year is going well, and we now have test results again to see how we delivered on those promises.


Virus Bulletin continues its bi-monthly VB100 Awards, and both Forefront and Windows Live OneCare have obtained VB100 Awards each time they were considered, five in total.  That is no simple task as many products, some sporting incredible streaks previously, managed to have that streak broken in that time.  We continue to maintain our certifications by ICSA Labs (www.icsalabs.com) and West Coast Labs (www.westcoastlabs.org).  Additionally, we now seek and obtain “Cleaning” certification.  That means malware removal is now also being c

MBR rootkit: VirTool:WinNT/Sinowal.A report (January 10 2008)

This week you may have heard or read about a new rootkit that has been reported in the wild that uses the Master Boot Record (MBR) as its Auto-Start Entry Point (ASEP).  The malware is being called VirTool:WinNT/Sinowal.A.  First we want to let you know that if you use any of the Microsoft antivirus technologies (Windows Live OneCare, Forefront Client Security, Forefront Security for Exchange or Windows Live OneCare Safety Scanner), you are already protected from this threat as of definition version 5364.0 and higher.  Next, we want to talk about the use of the MBR as an ASEP by which to kick off the malware loading process and some of the interesting consequences of using this technique.


There are several binaries in the wild which try to install this rootkit. All the known variants are detected by Microsoft antimalware products using two generic signatures: PWS:Win32/Sinowal.gen!C and PWS:Win32/Sinowal.gen!D. 


This malware attempts to modify the MBR so that it can control what gets read from the disk in