Microsoft brings the fight to SpyEye

Since the last monthly update on Tuesday 11 October, Microsoft's Malicious Software Removal Tool (MSRT) has been removing the SpyEye online banking trojan, according to the announcement on the firm's Malware Protection Center blog. Along with ZeuS, SpyEye is considered one of the most widespread contaminants. The Microsoft tool is distributed for free via Windows Update and is used on some 600 million computers worldwide. In general, it automatically runs in the background when Windows Update finishes.

Microsoft relies on the element of surprise to detect SpyEye: the scan is based solely on signatures and can therefore only detect known mutations of the contaminant – in other words, those already in circulation when the tool was released. But if a scan is carried out soon after release, it can remove active SpyEye instances before virus creators have a chance to react.

Even minimal changes to the contaminant are sufficient to get past Microsoft's scanner. Because SpyEye can update itself independently, it will probably only be a matter of hours before a new version of the trojan appears; so if you wait a few days after the release of the updated MSRT before running Windows Update on an infected system, you will probably not benefit.

Detection of the free Poision Ivy remote administration tool is also new. This backdoor software has been in circulation for more than six years, and its basic version is easy to detect; however, it remains common. Just recently, the spy tool was used in the attack on security specialist RSA . It is unclear why Microsoft is only now using its tool to detect Poison Ivy.

See also:

• Another online banking trojan for Android, a report from The H.
• Virgin Media warns 1,500 customers of SpyEye infections, a report from The H.

(ehe)