When the hammer falls - effects of successful widespread disinfection on malware development and direction
Matt McCormack, Microsoft
The arms race between the anti-virus industry and concerted malware
developers continues to escalate. Microsoft's Malicious Software Removal
Tool (MSRT) is executed on over half a billion computers every month, giving
it a huge execution base and an unparalleled view of malware operations. In
their first month of targeting by MSRT, the Win32/Cutwail and Win32/Nuwar
families yielded an infection spread of almost half a million distinct machines
between them. MSRT's monthly release provides a unique snapshot of the
Windows ecosystem, and of the sledgehammer effect the tool has on the
targeted families, an effect that can hardly be ignored by the malware's
authors. With so much money at stake, it appears that the malware
developers do not go down without a fight.
This paper couples analysis of the major malware families targeted by MSRT
with the telemetry it gathers, in order to provide a perspective on how
malware authors quickly respond to the massive impact on their networks
after each release. Analyses of the techniques used to evade the MSRT are
presented, and the engineering evolution of each of these families with
respect to MSRT releases is also explored.