Updated Microsoft Malicious Software Removal Tool (March, 2006)
Microsoft has updated the Malicious Software Removal Tool (MSRT). It runs once as part of Windows Update and can also be downloaded and run on demand; unlike most AV products it is not a resident, real-time defense. Updates for March, 2006, include:
Source: Malicious Software Removal Tool, updated March 14, 2006.
March 14, 2006 in Bagle, Blaster, defense, microsoft, sasser, tools, witty, Zotob
Updated Microsoft Malware Removal Tool (Jan, 2006)
It's Patch Tuesday, and that means that Microsoft has updated the Malicious Software Removal Tool. Detection this month focuses on some of the more prolific but "beneath the radar" malware:

The full list of families detected and removed by the tool is on the Microsoft website. The team responsible for the product is also blogging their work.

January 10, 2006 in Bagle, Blaster, detection, IM worms, microsoft, sasser, SQLSlammer, tools, Zotob
Win32/Blaster: A Case Study From Microsoft's Perspective
The Blaster worm is back, and bigger and badder than ever! No, not really, but there has been a lot of press about it lately, most of it centered on a paper from Microsoft that appeared at the Virus Bulletin 2005 conference (VB2005) recently.
On August 11, 2003, the world of mobile malicious code changed with the release of the Blaster worm. Using a vulnerability in the Microsoft Windows 2000 and Windows XP operating systems to infect a computer, the threat replicated to more computer systems than any other malicious software in history.
Since the release of Blaster almost two years ago, Microsoft has invested considerable resources in reducing the number of users infected with this threat, in addition to putting mechanisms in place to help prevent the class of vulnerability that Blaster exploited.
This white paper provides deeply quantitative details and statistics that Microsoft has observed regarding the initial and continued effects of the worm on the global computing infrastructure and Internet users worldwide.
This white paper was originally presented at the 2005 Virus Bulletin Conference in Dublin, Ireland, on October 7, 2005.
Source: Win32/Blaster: A Case Study From Microsoft's Perspective, Matthew Braverman.
The followup press has been pretty interesting, too. See the following:
- MSBlast infected more than 25 million, posted on SecurityFocus.
- Two Years Later, Blaster Worm Still Squirming, by Ryan Naraine.
Analysis and Comments
I think the most telling piece is Table 3 in the Microsoft paper, namely how the different kinds of malware identified and removed by Microsoft's tool are distributed across Windows XP versions. Remember that XP Gold is the original release of XP, and that XP SP2 introduced a number of security changes that stop worms like Blaster from spreading (most notably enabling the Windows Firewall by default, which blocks the inbound TCP/135 connections Blaster relies on). The most striking things about that table are twofold. First, XP SP2 has had a real impact on malware on Windows, which was one of the major goals of the project; you cannot ignore that fact. Second, not all kinds of malware are equally affected: Trojans and user-loaded (by hook or by crook) malware seem unaffected by XP SP2. Microsoft has a long way to go toward stopping such attacks.
And finally, in that eWeek piece by Ryan, I could have sworn I said "It's not surprising that MS is removing hundreds of copies a day". In all of our studies we have always been about 10-fold below what Microsoft has said Blaster's population was. But I can't say I'm that surprised by the number of "800 a day", given the numbers we measured.
Thanks to RL and RN for their heads up on the follow up articles to this paper.
December 6, 2005 in Blaster, editorial, microsoft, papers
Updated Windows Defender Tool (Nov, 2005)
It's "patch Tuesday", the day when Microsoft releases their monthly patches (in this case, one fixup for November, 2005), and they also release updates to their malware removal tool. It now has a new name, too, Windows Defender, signifying its larger purpose. The new families detected by this latest update to Windows Defender:
You can see the full list of families detected by the tool on the Microsoft website, Families Cleaned by the Malicious Software Removal Tool. Remember, keep your AV policies current, always make sure you have the latest tool for the newest malware, and check their sites for updates. You won't detect new threats with out-of-date tools.
Update: As noted in comments, the malicious software removal tool has not been renamed. I guess I'll still call it the MSRT in future posts.
November 8, 2005 in Bagle, Blaster, defense, malware, microsoft, SQLSlammer, tools, witty, Zotob
MS Malware Tool Updated (October, 2005)
Microsoft has updated the malware removal tool they write and maintain for October, 2005. The new malware families they detect are:

As always, this is just one tool in a Windows malware remediation toolkit. It does not run in real time, so it offers no ongoing protection; look to an AV solution for that. It only looks for the obvious signs of these malware families and may not catch all future variants. Make sure you get the latest version from Microsoft; the number of families it detects and cleans up is always growing.
October 11, 2005 in Bagle, Blaster, defense, mass mailers, microsoft, sasser, witty, Zotob
Updated MS Malware Removal Tool (Sept. 2005)
Microsoft has updated their Malware Removal Tool for September, 2005. The new families of malware detected are:
If you're building an incident response kit, this is a worthwhile tool to have on hand. It's not a substitute for a full AV tool, but it's a fast "first pass".
If you've come to this page via a web search, make sure you download the latest update of the tool. Microsoft updates it every month.
September 14, 2005 in Bagle, Blaster, detection, microsoft, sasser, tools, witty, Zotob
Flow-Level Traffic Analysis of the Blaster and Sobig Worm Outbreaks in an Internet Backbone
An interesting set of slides regarding the August, 2003, Blaster worm outbreak from the ETH (DDoSVax) team. Presented at DIMVA, 2005.
We present an extensive flow-level traffic analysis of the network worm Blaster.A and of the e-mail worm Sobig.F. Based on packet-level measurements with these worms in a testbed we defined flow-level filters. We then extracted the flows that carried malicious worm traffic from AS559 (SWITCH) border router backbone traffic that we had captured in the DDoSVax project. We discuss characteristics and anomalies detected during the outbreak phases, and present an in-depth analysis of partially and completely successful Blaster infections. Detailed flow-level traffic plots of the outbreaks are given. We found a short network test of a Blaster pre-release, significant changes of various traffic parameters, backscatter effects due to non-existent hosts, ineffectiveness of certain temporary port blocking countermeasures, and a surprisingly low frequency of successful worm code transmissions due to Blaster's multi-stage nature. Finally, we detected many TCP packet retransmissions due to Sobig.F's far too greedy spreading algorithm.
Source: Flow-Level Traffic Analysis of the Blaster and Sobig Worm Outbreaks in an Internet Backbone [PDF slides], Thomas Dübendorfer, Arno Wagner, Theus Hossmann, and Bernhard Plattner, Computer Engineering and Networks Laboratory (TIK), Swiss Federal Institute of Technology, ETH Zurich.
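The multi-stage classification the abstract describes, as an added example in Python that is not from the DDoSVax slides or their tooling: it applies a simple per-stage flow filter to unidirectional flow records and reports, per attacker/victim pair, how far a Blaster.A infection got (probe only, exploit sent, shell contacted, or worm code transferred). The stage ports are Blaster's documented behaviour: the RPC DCOM exploit over TCP/135, the attacker connecting to the shell the shellcode opens on TCP/4444, and the victim pulling msblast.exe back from the attacker over TFTP (UDP/69). The byte and packet thresholds and the sample flow records are assumptions constructed for illustration, not the paper's filters or data.

```python
"""Stage-level classification of Blaster.A infection attempts from flow records.

Added example (not from the DDoSVax slides or their tooling). Blaster.A infects
in three steps, each visible as a separate flow:
  stage 1  attacker -> victim   TCP/135   RPC DCOM exploit (MS03-026)
  stage 2  attacker -> victim   TCP/4444  connect to the shell the exploit spawned
  stage 3  victim   -> attacker UDP/69    TFTP read request for msblast.exe
A TCP/135 flow too small to carry the exploit is counted as a probe (stage 0).
The byte/packet thresholds are assumptions for illustration, not the paper's filters.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float       # flow start, seconds
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int
    packets: int
    bytes: int


STAGE_NAMES = {0: "probe", 1: "exploit_sent", 2: "shell_contacted", 3: "code_transferred"}

# Assumed thresholds: the DCOM exploit request is well over 1 KB, whereas a
# SYN-only flow to a dead or filtered host is a few tens of bytes per packet.
EXPLOIT_MIN_BYTES = 1000
SHELL_MIN_PACKETS = 3   # handshake plus at least one command packet


def stage_of(f):
    """Return (stage, attacker, victim) if the flow matches a stage filter, else None."""
    if f.proto == "tcp" and f.dport == 135:
        return (1 if f.bytes >= EXPLOIT_MIN_BYTES else 0), f.src, f.dst
    if f.proto == "tcp" and f.dport == 4444 and f.packets >= SHELL_MIN_PACKETS:
        return 2, f.src, f.dst
    if f.proto == "udp" and f.dport == 69:
        # The TFTP request is sent by the victim back to the attacker, so swap roles.
        return 3, f.dst, f.src
    return None


def classify(flows):
    """Map each (attacker, victim) pair to the highest stage reached in order.

    Stage n (n >= 2) only counts if stage n-1 was already seen for that pair
    earlier in time; a stray TFTP request with no preceding exploit is ignored.
    """
    seen = defaultdict(dict)   # (attacker, victim) -> {stage: first timestamp}
    for f in sorted(flows, key=lambda x: x.ts):
        hit = stage_of(f)
        if hit is None:
            continue
        stage, attacker, victim = hit
        key = (attacker, victim)
        if stage <= 1 or (stage - 1) in seen.get(key, {}):
            seen[key].setdefault(stage, f.ts)
    return {key: max(stages) for key, stages in seen.items()}


def summarize(flows):
    """Count attacker/victim pairs by the furthest stage they reached."""
    counts = dict.fromkeys(STAGE_NAMES.values(), 0)
    for stage in classify(flows).values():
        counts[STAGE_NAMES[stage]] += 1
    return counts


# Constructed sample flows (not real capture data).
SAMPLE_FLOWS = [
    Flow(0.0, "10.0.0.1", "192.0.2.10", "tcp", 1201, 135, 3, 144),     # SYN retries to a dead host
    Flow(1.0, "10.0.0.1", "192.0.2.20", "tcp", 1202, 135, 6, 1842),    # exploit delivered
    Flow(1.5, "10.0.0.1", "192.0.2.20", "tcp", 1203, 4444, 5, 312),    # shell commands sent
    Flow(2.0, "192.0.2.20", "10.0.0.1", "udp", 1031, 69, 1, 60),       # victim fetches msblast.exe
    Flow(3.0, "10.0.0.1", "192.0.2.30", "tcp", 1204, 135, 6, 1842),
    Flow(3.5, "10.0.0.1", "192.0.2.30", "tcp", 1205, 4444, 5, 312),    # TFTP blocked: never completes
    Flow(4.0, "10.0.0.1", "192.0.2.40", "tcp", 1206, 135, 6, 1842),    # exploit sent, no shell
    Flow(5.0, "192.0.2.50", "10.0.0.2", "udp", 1040, 69, 1, 60),       # TFTP with no prior stages
    Flow(6.0, "192.0.2.60", "10.0.0.1", "tcp", 1300, 80, 10, 2400),    # unrelated web traffic
]

if __name__ == "__main__":
    for pair, stage in sorted(classify(SAMPLE_FLOWS).items()):
        print(f"{pair[0]} -> {pair[1]}: {STAGE_NAMES[stage]}")
    print(summarize(SAMPLE_FLOWS))
```

Run as a script it lists each pair's furthest stage and the totals; on real data you would build the Flow records from a NetFlow or nfdump export instead of the constructed list. The ordering check in classify is what keeps backscatter and stray TFTP traffic from inflating the count of completed infections, and the gap between pairs that reach stage 2 and pairs that reach stage 3 is the "surprisingly low frequency of successful worm code transmissions" the abstract refers to: blocking UDP/69 stops the transfer without stopping the exploit.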
August 30, 2005 in Blaster, slides
Updated Microsoft Malware Removal Tool (August, 2005)
This past "patch Tuesday" Microsoft released an updated malware removal tool. This month adds:
You can view the tool's details online or run it against your Windows system from the Microsoft Malware Removal Tool homepage. As always, this tool is not a replacement for AV scanners; it is only a relatively fast-acting tool for some popular malware, and not all variants are caught.
August 15, 2005 in Bagle, Blaster, detection, microsoft, sasser, tools
The Blaster Worm: Then And Now
This past week several other researchers and I had our Blaster observations paper published in IEEE Security & Privacy magazine. It is based in large part on an earlier presentation at NANOG 29.

In August of 2003 the Blaster worm struck the Internet, infecting at least 100,000 Microsoft Windows systems and causing millions of dollars in damages. In spite of considerable cleanup efforts, an antiworm aimed at patching systems, and a widely downloaded clean-up tool from Microsoft, the worm is still very much alive. In this article we describe observations of the Blaster worm from its onset in 2003 to its continued persistence a year later.

Source: The Blaster Worm: Then And Now, Michael Bailey, Evan Cooke, Farnam Jahanian, David Watson, and Jose Nazario. This is a galley proof of the paper (the final copy is for subscribers only), so it will contain a few errors and some markup.
In short, the paper has three main points and contributions:
- Blaster provides an excellent model for a worm's life cycle: its genesis, its decay, and its persistence. We have data for all three phases of the worm's life cycle.
- Like any major worm outbreak, Blaster has not gone away. Over a year later we still see it active, and not from the same hosts. Its population has changed in this time, although the overall size is now constant.
- Neither the Welchia worm nor the Blaster removal tool from Microsoft appeared to make a significant difference in the worm's population.
August 10, 2005 in Blaster, papers
DDoSVax Worm Traffic Analysis
The Swiss research group hosted under the banner of 'DDoSVax' has been known for many years for doing good work. They have also used some of their measurement infrastructure to analyze worm traffic. Several worms are studied and presented on their website:
13.8.2003: Traffic Analysis for the W32.Blaster Worm
19.8.2003: Traffic Analysis for the Sobig.F Worm
26.1.2004: Traffic Analysis for the Novarg/MyDoom Worm
9.5.2004: Traffic Analysis for the Sasser Worm
August 3, 2005 in Blaster, mass mailers, sasser, tools