worm blog

Updated Microsoft Malicious Software Removal Tool (March, 2006)

Microsoft has updated their malware removal tool. This is a tool that runs at Windows Update time and can also be downloaded and run on-demand. It is not a continual defense, unlike most AV products. Updates for March, 2006, include:

• Win32/Atak
• W32/Torvil
• W32/Zlob

Source: Malicious Software Removal Tool, updated March 14, 2006.

March 14, 2006 in Bagle, Blaster, defense, microsoft, sasser, tools, witty, Zotob | Permalink | Comments (1)

Updated Microsoft Malware Removal Tool (Jan, 2006)

It's Patch Tuesday, and that means that Microsoft has updated their Malware Removal Tool. Detection this month focuses on some of the more prolific but "beneath the radar" malware:

• Parite
• Maslan
• Bofra

The full list of families detected and removed by the Windows Malware Removal Tool is listed on the website. The team responsible for the product are also blogging their work.

January 10, 2006 in Bagle, Blaster, detection, IM worms, microsoft, sasser, SQLSlammer, tools, Zotob | Permalink | Comments (4)

Updated Windows Malware Removal Tool (December, 2005)

The Microsoft Malware Removal Tool has been updated for December, 2005, with three new families:

• IRCBot
• Ryknos
• F4IRootkit

As always, this is only a "catch the most obvious signs" tool, and up-to-date antivirus will be useful for real-time detection and defense, and also for any variants that may not be known to the tool.

Users of Microsoft's automatic updates will have the tool automatically run and installed, but you can also download it and run it manually.

December 13, 2005 in defense, microsoft, tools | Permalink | Comments (0)

Win32/Blaster: A Case Study From Microsoft's Perspective

The Blaster worm is back, and bigger and badder than ever! No, not really, but lots of press about it lately. Most of it is centered around a paper from Microsoft that appeared a VBConf 2005 recently.

On August 11, 2003, the world of mobile malicious code changed with the release of the Blaster worm. Using a vulnerability in the Microsoft Windows 2000 and Windows XP operating systems to infect a computer, the threat replicated to more computer systems than any other malicious software in history.

Since the release of Blaster almost two years ago, Microsoft has invested considerable resources in reducing the number of users infected with this threat, in addition to putting mechanisms in place to help prevent the class of vulnerability that Blaster exploited.

This white paper provides deeply quantitative details and statistics that Microsoft has observed regarding the initial and continued effects of the worm on the global computing infrastructure and Internet users worldwide.

This white paper was originally presented at the 2005 Virus Bulletin Conference in Dublin, Ireland, on October 7, 2005.

Source: Win32/Blaster: A Case Study From Microsoft's Perspective, Matthew Braverman.

The followup press has been pretty interesting, too. See the following:

• MSBlast infected more than 25 million, posted on SecurityFocus.
• Two Years Later, Blaster Worm Still Squirming, by Ryan Naraine.

Analysis and Comments

I think the most telling piece is Table 3 in the Microsoft paper, namely how different kinds of malware identified and removed by Microsoft has been found in different Windows XP versions. Remember that XP Gold is the original version of XP, and that XP SP2 introduced a number of security fixes that prevent worms like Blaster from spreading. The most striking things about that table are twofold. First, XP SP2 has had a real impact on malware on Windows, which was one of the major goals of the project. You cannot ignore that fact. Secondly, not all kinds of malware are equally affected, namely Trojans and user-loaded (by hook or by crook) malware seems unaffected by XP SP2. Microsoft has a long way to go to stopping such attacks.

And finally, in that eWeek piece by Ryan, I had sworn I had said "It's not surprising that MS is removing hundreds of copies a day". In all of our studies we have always been about 10-fold below what Microsoft had said was Blaster's population. But, I can't say I'm that surprised by the number of "800 a day", given the numbers we measured.

Thanks to RL and RN for their heads up on the follow up articles to this paper.

December 6, 2005 in Blaster, editorial, microsoft, papers | Permalink | Comments (1)

Updated Windows Defender Tool (Nov, 2005)

It's "patch Tuesday", the day when Microsoft releases their monthly patches (in this case, one fixup for November, 2005), and they also release updates to their malware removal tool. It now has a new name, too, Windows Defender, signifying it's larger purpose. The new families detected by this latest update to Windows Defender:

• Bugbear
• Codbot
• Mabutu
• Opaserv
• Swen

You can see the full list of families detected by the tool on the Microsoft website Families Cleaned by the Malicious Software Removal Tool. Remember, keep your AV policies current, always make sure you have the latest tool for the newest malware, and check on their sites for updates. You wont detect new threats with out of date tools.

Update: As noted in comments, the malicious software removal tool has not been renamed. I guess I'll still call it the MSRT in future posts.

November 8, 2005 in Bagle, Blaster, defense, malware , microsoft, SQLSlammer, tools, witty, Zotob | Permalink | Comments (2)

MS Malware Tool Updated (October, 2005)

Microsoft has updated the malware removal tool they wrote and maintain for October, 2005. The new malware entities they detect are:

• Antinny
• Gibe
• Mywife
• Wukill

As always, this is just one tool in a Windows malware remediation toolkit. Also, it does not run in real-time, so it offers no ongoing protection. Instead, look at an AV solution for that. This only looks for the obvious signs of these malware families, but may not catch all future variants.

As always, make sure you get the latest version from Microsoft. The number of families they detect and clean up is always growing.

October 11, 2005 in Bagle, Blaster, defense, mass mailers, microsoft, sasser, witty, Zotob | Permalink | Comments (0)

Updated MS Malware Removal Tool (Sept. 2005)

Microsoft has updated their Malware Removal Tool for September, 2005. The new families of malware detected are:

• Zotob.A
• Zotob.B
• Zotob.C
• Zotob.D
• Zotob.E
• Bobax.O
• Esbot.A
• Rbot.MA
• Rbot.MB
• Rbot.MC

If you're building an incident response kit, this is a worthwhile tool to have on hand. It's not a substitute for a full AV tool, but it's a fast "first pass".

If you've come to this page via a web search, make sure you download the latest update of the tool. Microsoft updates it every month.

September 14, 2005 in Bagle, Blaster, detection, microsoft, sasser, tools, witty, Zotob | Permalink | Comments (0)

More Zotob Removal Tools

I posted a list of two Zotob removal tools the other day, but it seems that more are out. If you're building a USB keychain for malware removal and Zotob cleanup, these should be on it. They don't replace a full blown AV scanner, but they can help you in a crisis time. Many thanks to Donna's blog for the list.

• Panda QuickRemover by Panda Software
• W32.Zotob Removal Tool by Symantec
• Zotob.A disinfection tool by F-Secure
• ZOTOBGUI by Sophos
• Stinger by McAfee
• Malicious Software Removal Tool by Microsoft
• Sysclean by Trend Micro

August 22, 2005 in defense, detection, microsoft, tools, Zotob | Permalink | Comments (2)

Zotob Removal Tools

The Zotob worm has morphed into several variants in the past few days. They all have similar traits, affecting Windows 2000 mainly (and it appears that WinXP SP2 is immune) and using an IRC server as a C&C server. If you have to clean up this mess, there are a couple of tools now available for you to use.

Microsoft has updated their malware removal tool to remove several variants of the new Zotob worm. This is an emergency update to their frequently updated malware removal tool, so if you downloaded the one for August last week, you need to update.

In addition to that tool, Symantec has released a similar tool. The Symantec Zotob Removal Tool can be downloaded for free and claims to detect and delete several variants of the worm.

PS: Really, I promise I'm still on vacation!

August 18, 2005 in detection, microsoft, tools, Zotob | Permalink | Comments (0)

New Worms: Zotob

A new network worm is on the loose, this one affecting Microsoft Windows 2000 systems specifically. The vulnerability exploited by the worm, MS05-039: "Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege", was disclosed less than a week ago during Microsoft's August "Patch Tuesday". Exploit code was released later in the week.

At least two variants are now found in the wild, Zotob.A and Zotob.B. The B variant is only slightly different than the A strain, which scans for vulnerable hosts, transfers the worm executable to the victim, and uses an IRC server to control the growing botnet. Some links for more information:

• What You Should Know About Zotob. Published by Microsoft on August 14, 2005.
• Zotob.A writeup from Trend Micro.
• Zotob.B writeup from Trend Micro.
• Symantec's writeup for Zotob.A
• Zotob.B writeup from Symantec.
• Zotob.A description from F-Secure.
• MS Security Response Center Blog writup on Zotob

Read up and make sure that you're protected.

August 15, 2005 in malware , microsoft, new worms, Zotob | Permalink | Comments (2)