When the hammer falls - effects of successful widespread disinfection on malware development and direction

Matt McCormack Microsoft

  download slides (PDF)

The arms race between the anti-virus industry and concerted malware developers continues to escalate. Microsoft's Malicious Software Removal Tool (MSRT) is executed on over half a billion computers every month, giving it a huge execution base and an unparalleled view of malware operations. In their first month of targeting by MSRT, the Win32/Cutwail and Win32/Nuwar families yielded an infection spread of almost half a million distinct machines between them. MSRT's monthly release provides a unique snapshot of the Windows ecosystem, and of the sledgehammer effect the tool has on the targeted families; an effect that can hardly be ignored by the malware's authors. With so much money at stake, it appears that the Malware developers do not go down without a fight.

This paper couples analysis of the major malware families targeted by MSRT with the telemetry it gathers, in order to provide a perspective on how malware authors quickly respond to the massive impact on their networks after each release. Analyses of the techniques used to evade the MSRT are presented. A look at the engineering evolution of each of these families with respect to MSRT releases is also explored.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.