When the hammer falls - effects of successful widespread disinfection on malware development and direction

Matt McCormack, Microsoft

Download slides (PDF)

The arms race between the anti-virus industry and concerted malware developers continues to escalate. Microsoft's Malicious Software Removal Tool (MSRT) is executed on over half a billion computers every month, giving it a huge execution base and an unparalleled view of malware operations. In their first month of targeting by MSRT, the Win32/Cutwail and Win32/Nuwar families yielded an infection spread of almost half a million distinct machines between them. MSRT's monthly release provides a unique snapshot of the Windows ecosystem, and of the sledgehammer effect the tool has on the targeted families; an effect that can hardly be ignored by the malware's authors. With so much money at stake, it appears that the malware developers do not go down without a fight.

This paper couples analysis of the major malware families targeted by MSRT with the telemetry it gathers, in order to provide a perspective on how malware authors quickly respond to the massive impact on their networks after each release. Analyses of the techniques used to evade the MSRT are presented. The engineering evolution of each of these families with respect to MSRT releases is also examined.



VB2009

VB2009 will take place 23-25 September 2009 at the Crowne Plaza Geneva, Switzerland.