
Past research

AVAR 2013 (16th Association of Antivirus Asia Researchers International Conference) - December 2013

Patrick Estavillo and Rodel Finones
Getting ahead of Zbot

Our research into Zbot's (Citadel) components has resulted in better gathering of new and undetected samples, detection, and remediation of Zbot-based infections. We’ve also found ways to disrupt its money flow by analyzing its configuration file, which led to the takedown of some of Zbot’s C&C servers and intercepted updated Zbot binary downloads. This paper discusses how we used a characteristic in Zbot’s installation method to identify unknown variants and newly compromised machines.

VB2013 (Virus Bulletin International Conference) - October 2013

Holly Stewart and Tom Cross (Lancope)
Can alerting the public about exploitation do more harm than good?

Much has been written on the ethics and timing of vulnerability disclosure, but what about exploitation? When a vulnerability is being exploited in the wild, should the general public be informed immediately? This paper will highlight multiple scenarios, showing empirical data from real-world case studies that identify when disclosure can be helpful and when it can do harm.

Justin Kim
In-memory ROP payload detection

Since the introduction of DEP (Data Execution Prevention) to block shellcode from execution, the use of ROP (Return-Oriented Programming) in exploits has increased over the past decade. ROP is an exploit technique that uses the mechanism of a calling convention to execute attacker-specified code locations that are linked as ROP chains. This paper will show how it is possible to detect these chains that are targeted towards various applications.
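As an added illustration of the detection idea the abstract describes (example code written for this page, not the paper's method or any Microsoft code): a ROP chain is a dense run of machine-word values that each point into executable module memory at a short instruction sequence ending in a return. Scanning a suspect buffer (a thread stack, a heap-sprayed block) for such runs is one way to flag a chain before it executes. Everything below is constructed: 32-bit x86 addresses, one fake module image at the hypothetical load address `CODE_BASE`, a gadget heuristic that only looks for a `ret` opcode (0xC3) within a few bytes of the target rather than disassembling, and a sample chain and a benign buffer to scan.

```c
/* Heuristic in-memory ROP chain detector (added example, not from the paper).
 * Assumes 32-bit x86, a single fake module mapped at CODE_BASE, and a
 * gadget heuristic based only on a nearby ret opcode.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define CODE_BASE       0x10000000u   /* hypothetical module load address */
#define GADGET_MAX_LEN  8             /* bytes to look ahead for a ret    */
#define WINDOW_WORDS    8             /* sliding window size, in words    */
#define WINDOW_THRESH   5             /* gadget pointers needed to flag   */

/* Constructed executable bytes of the fake module. Unlisted bytes are 0x00,
 * which is not a ret, so offsets 0x23..0x3F form a ret-free region that
 * stands in for ordinary function bodies. */
static const uint8_t kCode[0x40] = {
    [0x00] = 0x58, [0x01] = 0xC3,                   /* pop eax ; ret        */
    [0x02] = 0x59, [0x03] = 0xC3,                   /* pop ecx ; ret        */
    [0x10] = 0x94, [0x11] = 0xC3,                   /* xchg eax,esp ; ret   */
    [0x20] = 0x89, [0x21] = 0x01, [0x22] = 0xC3,    /* mov [ecx],eax ; ret  */
};

/* Constructed sample: a pivot-then-write chain with data words interleaved. */
static const uint32_t kRopChain[] = {
    CODE_BASE + 0x10,   /* xchg eax,esp ; ret  (stack pivot)            */
    CODE_BASE + 0x00,   /* pop eax ; ret                                 */
    0x00000040,         /* data popped into eax                          */
    CODE_BASE + 0x02,   /* pop ecx ; ret                                 */
    0x0012FF80,         /* data popped into ecx (a stack address)        */
    CODE_BASE + 0x20,   /* mov [ecx],eax ; ret                           */
    CODE_BASE + 0x00,
    0x41414141,
    CODE_BASE + 0x02,
    0x0012FF84,
    CODE_BASE + 0x20,
};

/* Constructed benign stack fragment: return addresses into function bodies
 * plus data. CODE_BASE+0x0C happens to sit within GADGET_MAX_LEN of a ret,
 * so it counts as one false-positive pointer, still well under threshold. */
static const uint32_t kBenign[] = {
    0x0012FF80, CODE_BASE + 0x30, 0x00000000, 0x00000003,
    CODE_BASE + 0x34, 0x0012FFC0, 0x00000000, CODE_BASE + 0x0C,
};

/* True if addr lands in the module and a ret opcode follows within
 * GADGET_MAX_LEN bytes, i.e. it looks like a short gadget. */
bool rop_is_gadget_ptr(uint32_t addr) {
    if (addr < CODE_BASE) return false;
    uint32_t off = addr - CODE_BASE;
    if (off >= sizeof kCode) return false;
    size_t end = (size_t)off + GADGET_MAX_LEN;
    if (end > sizeof kCode) end = sizeof kCode;
    for (size_t i = off; i < end; i++)
        if (kCode[i] == 0xC3) return true;
    return false;
}

/* Slide a WINDOW_WORDS-wide window over the buffer and return the byte
 * offset of the first window holding at least WINDOW_THRESH gadget
 * pointers, or -1 if none. Data words between gadgets are tolerated. */
long rop_scan(const uint32_t *words, size_t n) {
    size_t win = n < WINDOW_WORDS ? n : WINDOW_WORDS;
    if (win == 0) return -1;
    for (size_t start = 0; start + win <= n; start++) {
        unsigned hits = 0;
        for (size_t j = 0; j < win; j++)
            hits += rop_is_gadget_ptr(words[start + j]) ? 1u : 0u;
        if (hits >= WINDOW_THRESH) return (long)(start * sizeof(uint32_t));
    }
    return -1;
}

int main(void) {
    printf("chain : offset %ld\n",
           rop_scan(kRopChain, sizeof kRopChain / sizeof kRopChain[0]));
    printf("benign: offset %ld\n",
           rop_scan(kBenign, sizeof kBenign / sizeof kBenign[0]));
    return 0;
}
```

The sliding window with a hit threshold is what keeps legitimate return addresses (which also point into code, and occasionally sit near a `ret`) from triggering on their own; a production detector would additionally disassemble from each candidate address, use the real module map and 64-bit words, and try each pointer alignment when the buffer is not word-aligned.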

Joe Blackbird and Bill Pfeifer
The global impact of anti-malware protection state on infection rates

This paper analyses the malware infection rates of computers with various states of anti-malware protection. Specifically, it compares the infection rates of computers with no anti-malware protection, to those with anti-malware protection running with out-of-date signatures, to those with up-to-date anti-malware. The role of cloud-based protection is also evaluated.

Michael Johnson
Make it tight, protect with might, and try not to hurt anyone

Over the past year, in response to changing conditions in the wild, we've bolstered our approach to potentially unwanted software. The release of Defender in Windows 8 last year turned our research focus more closely towards consumers as the largest audience segment for our technology and protection. This led us to re-evaluate our approach, and further reflect on the values, expectations and experience of our users.

International CARO Workshop – May 2013

Chun Feng
Are you going to “Scarborough Fair”

Firewalls and Network Address Translation (NAT) have been widely deployed and are commonly used by organizations as a part of their network infrastructure. In November 2012, we discovered a new mysterious breed of malware which has been used to target a global organization. This malware, named Exforel, has been designed to penetrate the firewall / NAT under certain circumstances.