OPM Says 5.6 million Fingerprints Stolen In Cyberattack

mschaffer writes: The Office of Personnel Management data breach that happened this summer just got a little worse. The OPM now says that 5.6 million people’s fingerprints were stolen as part of the hacks. The Washington Post reports: “That’s more than five times the 1.1 million government officials estimated when the cyberattacks were initially disclosed over the summer. However, OPM said Wednesday the total number of those believed to be caught up in the breaches, which included the theft of the Social Security numbers and addresses of more than 21 million former and current government employees, remains the same.” Read more of this story at Slashdot.


Facebook Releases Facebook Lite, Drastically Reduces App Overhead

Android: One of the biggest complaints about the Facebook app is that it can take up too many resources, particularly on older phones. Which is probably why Facebook released Facebook Lite, a super lightweight version of its app directed at developing markets. Read more…


Expired antimalware software is nearly as unsafe as having no protection at all

Analyzing data to find the root cause of infections has been a long-standing focus of the MMPC. One area we’ve been investigating is the correlation between endpoint protection and infection rates. Back in version 14 of the Security Intelligence Report (SIRv14), we first published data on infection rates for PCs protected with fully up-to-date antimalware software in comparison to those that either had no antimalware software or software that was not on or fully current. We discovered that PCs are 5.5 times more likely to be infected if they aren’t protected with a fully up-to-date antimalware product. This data drove the MMPC to a new tenet – get everyone protected – and led to some changes in Windows 8 to help ensure that as many people as possible are running real-time, up-to-date antimalware software.

Alas, we know that customers, even on Windows 8, are in an unprotected state, leaving their computers prone to infection. So, over the past six months we’ve been digging deeper in the data to learn more about unprotected PCs. We published our findings in version 17 of the Security Intelligence Report released today (SIRv17). Here’s what we found.

On Windows 8, it appears that the number one reason why people are unprotected is because their antimalware has gone into an expired state. Stated another way, more than one half of all unprotected Windows 8 PCs are in an unprotected state because they are running expired security software.

An expired state happens when a trial version of an antimalware product has reached the end of the trial. The product may continue to inform you that you need to pay for the software to continue receiving updates, but it stops downloading updates that protect your PC. This often happens when you buy a PC from an online or local store and that PC is preloaded with lots of software. People may believe that an antimalware product is still protecting them even if it hasn’t downloaded updates in a while. The data says otherwise.

When we compared the infection rates on PCs with expired antimalware, we found that infection rates were nearly the same as PCs with no protection. The following chart shows the infection rate of PCs with expired antimalware products and other unprotected states, in comparison to a protected PC.

A PC with expired antimalware protection was nearly four times more likely to be infected with malware in comparison to a fully protected PC.

So we have more work ahead of us. First, we’ve been working with security software vendors in our MVI program to help them understand their impact on people that are left in an expired state. Since March, we have been providing monthly reports that show their percentage of unprotected customers, their infection rates and other information to help them keep their customers safer. We also made some updates in Windows 8.1 to help close the time gap on how long a person will be left in an expired state.

Lastly, we hope that the data in SIRv17 will demonstrate that people running expired software should not be lulled into thinking that an outdated security product will provide adequate protection. We urge people to upgrade to the paid version of their antimalware product, or download a free antimalware product, such as Microsoft Security Essentials or Windows Defender (which comes pre-installed on Windows 8.1 and Windows 8).

Holly Stewart
MMPC


The Worst Bugs in OS X Yosemite and How to Fix Them

There’s a lot to like about OS X Yosemite, Apple’s brand-new, super-powerful operating system of the future, but a quick glance around the software’s official support forums shows that not all users are having a trouble-free experience. If you’re struggling with strange bugs and quirks in Yosemite then these are the fixes you can try. Read more…


FireEye and Fox-IT tool can help recover Crilock-encrypted files

Since file-encryption ransomware Crilock (also called CryptoLocker) has reared its head, the security industry has been hard at work finding ways to mitigate and neutralize these threats. We’ve also been hard at work finding ways to recover from the encryption and restore affected files – such as our recommendations on using version control and recovery options in SkyDrive and Windows.

This week, researchers from FireEye and Fox-IT have released a tool that may be able to recover files encrypted by Crilock – without having to pay the malware authors.

It’s important to note that the tool comes on the heels of a takedown of a Zeus/Gameover CnC server that was previously being used to authenticate and generate the encryption keys. This means the tool can only provide decryption keys for files that were encrypted by keys generated by that server. In other words, the tool comes with a caveat: it may not work in all instances. Ultimately, however, it’s still worth a try when you’ve tried everything else, and we want to share as many options and techniques to recover and protect your systems as possible.

The tool, created as a collaboration between FireEye and Fox-IT, is hosted at www.decryptcryptolocker.com (note that you’ll need to consent to their Terms of Use and Privacy Policy; Microsoft doesn’t own or operate the tool and we won’t be able to help you if it doesn’t work).

The user uploads an encrypted file (it probably makes sense to use something without sensitive information or data) to the recovery portal, which searches for a matching private key from the database. If there is a match, the user receives an email with the actual private key, which they can use in a stand-alone command-line tool to decrypt each encrypted file on their own.

Figure 1: Uploading a file to their online service

We tested it out with files that were encrypted in November 2013 and received positive results (via email) for each file that was encrypted:

Figure 2: Instructions from the DecryptCryptoLocker team

Once downloaded, the tool can be launched with a command prompt:

Decryptolocker.exe –key ” ”

The command line operation would look like this (you just need to copy and paste the key from the email and specify the file):

Figure 3: Decryption per file

After applying the decryption key, you’ll receive an acknowledgement and consent request, and the file will be decrypted.

Figure 4: File successfully decrypted

It’s important to note that this tool will not work in every case – it depends on when the file was encrypted (and, therefore, if the CnC server that Crilock used was part of the takedown).

You can read more about the tool at the FireEye blog, in the post “Your locker of information for CryptoLocker decryption”.

Acknowledgements

We would like to extend our thanks to colleagues at FireEye and Fox-IT for providing this kind of support for users whose files have been compromised by Crilock (CryptoLocker).

Marianne Mallen
MMPC

Disclaimer

The tool described in this blog is used at your risk. Read the instructions carefully on the tool’s website at https://www.decryptcryptolocker.com. In particular, note that you will be asked to consent to the site’s Terms of Use and the Privacy Policy. The site is not owned or operated by or affiliated with Microsoft.


Microsoft Digital Crimes Unit disrupts Jenxcus and Bladabindi malware families

Today, following an investigation to which the Microsoft Malware Protection Center (MMPC) contributed, the Microsoft Digital Crimes Unit initiated a disruption of the Jenxcus and Bladabindi malware families. These families are believed to have been created by individuals Naser Al Mutairi, aka njQ8, and Mohamed Benabdellah, aka Houdini. These actions are the first steps to stop the people that created, distributed, and assisted the propagation of these malware families. There are more details about the takedown itself in the latest blog from the Microsoft Digital Crimes Unit.

At the MMPC we have been monitoring both malware families for some time. We have observed the Bladabindi family since at least July 2012. Jenxcus came onto the scene as early as December 2012. During the past year, Microsoft detected more than 7,486,833 instances of computers operating Microsoft Windows with some version of Bladabindi or Jenxcus.

Figure 1: Heat map showing the global impact of Bladabindi and Jenxcus during the past year

Figure 2: Machine encounters per month for Jenxcus

Figure 3: Machine encounters per month for Bladabindi

These families can install backdoor trojans on your computer, which allow criminals to steal your information, such as your passwords, and use your computer to collect other sensitive information. For example, Bladabindi can take snapshots and record videos without your permission. It can also control your system remotely. These backdoor trojans can also upload new components or malware to your computer to add more malicious functionality. They often communicate with hosts that are typically behind a Dynamic DNS service such as NO-IP because this makes them more difficult to trace.

Figure 4: An example dashboard showing how an attacker controls infected machines

Figure 5: The possible commands available to the malware writer

These malware families spread primarily through social engineering techniques that try to trick unsuspecting victims into carrying out some action which results in their computer getting infected. For example, Bladabindi can be installed when you:

- Visit a hacked website.
- Click on a malicious link in a social media message.
- Receive and open an email “sent” by friends and family who have been infected with the malware.

Bladabindi also plants files with enticing names and icons on removable media and linked drives to lure new victims. There are more examples of these techniques in our blog MSRT January 2014 – Bladabindi.

Most Jenxcus infections occur through torrents and websites when the malware is bundled with other programs or videos. Jenxcus also tries to trick you into installing it by pretending to be a Flash update that you need to install before watching a video. After infecting a computer, Jenxcus leaves enticing shortcut files on removable media that look like songs or other personal files. When opened, these files run a copy of the malware.

Through our research we have observed that there is information available in public online forums and group discussions, including tutorials, which allow anyone to download a package and create their own versions of the malware. This makes Bladabindi and Jenxcus a bit different from the previous botnets we have seen. A traditional botnet usually has one command-and-control (CNC) server to control all infected machines. In the case of Bladabindi and Jenxcus there can be a syndicate of botnets and thousands of botnet herders.

Figure 6: The communication method of the CNC and the infected system

Microsoft added Bladabindi to the Malicious Software Removal Tool in January 2014. Jenxcus was added to the MSRT in February 2014. However, with aggressive infection and distribution methods, the malware authors and the distribution system behind them have continued to affect thousands of Microsoft customers every day.

Anyone concerned that their computer is infected with malware should follow the guidance available from the Microsoft Support Virus and Security Center. To help stay protected we also recommend that you install an up-to-date, real-time protection security product such as Microsoft Security Essentials.

Tanmay Ganacharya and Francis Tan Seng
MMPC


Capture Full 3D Models In Seconds With Just Your Phone

Just a few months ago, we got our first look at the 3D photo-app Seene. But now, instead of just turning photos into a parallax party trick, the app’s next update will let you make full-fledged, textured 3D models. And judging from the preview below, it looks positively awesome. Read more…


Build a DIY Ambient Weather Indicator with an Adafruit Neopixel Ring

Have an office without a window? Not sure whether to grab your jacket or umbrella on the way out? Sure, you could hit the Internet or pop open a weather app on your smartphone, but what fun would that be? Read more…


IRS Left Taxpayer Data Vulnerable and Lied About It

Bruce66423 writes with news that the IRS hasn’t made much progress improving its poor IT security. From the article: “The Treasury Inspector General for Tax Administration found that the IRS had only partially implemented 42 percent of the corrective plans it checked off as completed in recent years. … The review (PDF) showed that the IRS failed to properly track its progress toward completing many of the fixes auditors had recommended in recent years. The agency closed most of the cases without adequate documentation and did not always upload the necessary information into a database that helps ensure compliance.” Read more of this story at Slashdot.


Detecting Chemicals Through Bone

MTorrice writes “To understand the brain and its chemical complexities, researchers would like to peer inside the skull and measure neurotransmitter levels as the brain is at work. Unfortunately, research methods to measure levels of chemicals in the brain require drilling holes in the skull, and noninvasive imaging techniques, such as MRI, can’t detect specific molecules. Now, as a first step toward a new imaging tool, chemists report they can detect molecules hidden behind 3- to 8-mm-thick bone.” Read more of this story at Slashdot.
