Matt McCormack Microsoft
download slides (PDF)
The arms race between the anti-virus industry and concerted malware developers continues to escalate. Microsoft's Malicious Software Removal Tool (MSRT) is executed on over half a billion computers every month, giving it a huge execution base and an unparalleled view of malware operations. In their first month of targeting by MSRT, the Win32/Cutwail and Win32/Nuwar families yielded an infection spread of almost half a million distinct machines between them. MSRT's monthly release provides a unique snapshot of the Windows ecosystem, and of the sledgehammer effect the tool has on the targeted families; an effect that can hardly be ignored by the malware's authors. With so much money at stake, it appears that the Malware developers do not go down without a fight.
This paper couples analysis of the major malware families targeted by MSRT with the telemetry it gathers, in order to provide a perspective on how malware authors quickly respond to the massive impact on their networks after each release. Analyses of the techniques used to evade the MSRT are presented. A look at the engineering evolution of each of these families with respect to MSRT releases is also explored.