Microsoft Succesfully Cleanses 1 Million Systems
Recently surfaced reports detailing Microsoft Corporations‘ (NasdaqGS: MSFT) Malicious Software Removal Tool (MSRT) successful clearing of at least 1,000,000 infected computer systems have been posted at the company’s Malware Protection Center Blog. The infections are of the Win32/FakeSecSen family of false anti-spyware software.
Distributed with the software giant’s latest Patch Tuesday Update (11/11/2008), the MSRT has, up to now, been a bit more low key, and rather unremarkable in it’s effectiveness…Read the full Microsoft statement on the effort after the break.
From the Microsoft Malware Protection Center Blog:
MSRT Review on Win32/FakeSecSen Rogues
Win32/FakeSecSen was added to MSRT November release as Hamish mentioned in his MMPC blog. We’ve since observed MSRT removing FakeSecSen from 994,061 distinct machines.
Breakdown of these removals by regions is shown as below.
|
Region/Country |
Distinct Machines Cleaned |
|
United States |
548,218 |
|
United Kingdom |
74,343 |
|
France |
47,581 |
|
Germany |
43,347 |
|
Netherlands |
28,724 |
|
Spain |
23,027 |
|
Italy |
18,453 |
|
Australia |
16,287 |
|
Canada |
16,180 |
|
Sweden |
15,412 |
|
Other |
162,489 |
There is no surprise about the prevalence of these rogues given our earlier telemetry analysis on other Microsoft AV products and tools. For comparison, the #1 family last month was Renos with 389,036 distinct machines cleaned in the first week and 655,535 machines for the whole month. And the most significant result for MSRT this year was the June release when we added eight game password stealer families, was Win32/Taterf with 1,246,792 machines cleaned by week 1 and 1,536,831 machines for the whole month.
One way to interpret this data is to look into the infection rate. In the recent release of volume 5 of the Microsoft Security Intelligence Report we introduced “Computer Cleaned per thousand MSRT executions” (CCM). During 1H08, the CCM for US for the full six months was 11.2. Within one week in November US CCM for all threats is 10.3 and US CCM for just FakeSecSen alone is 5.0. This reads: every one thousand machines in US scanned by MSRT during the last seven days, roughly five were infected with FakeSecSen rogues.
Normally each FakeSecSen installation contains one EXE, one or two DAT files, one Control Panel applet (CPL), one desktop shortcut and sometimes one uninstaller. It is interesting that only 20% of these removals contain executables of FakeSecSen. This indicates either the other 80% machines had at one point been infected by FakeSecSen and the threat was then manually and partially removed, or the machines were cleaned by other AV products/tools, or FakeSecSen had failed to install, etc. To put the number in perspective and adjust the FakeSecSen to count only the EXE, it is #2, behind Renos..
|
Threat Family |
Distinct Machines Cleaned |
|
Renos |
565,728 |
|
FakeSecSen (EXEs) |
198,812 |
|
Taterf |
177,660 |
|
Zlob |
175,559 |
|
Lolyda |
118,130 |
Now how did one’s machine get infected by FakeSecSen? From our research a few Win32/Renos variants such as TrojanDownloader:Win32/Renos.Y, TrojanDownloader:Win32/Renos.AY, TrojanDownloader:Win32/Renos.EK are responsible for downloading FakeSecSen. The table below shows the top ten threats infecting machines that were also infected by FakeSecSen. Five of them are Renos.
|
Rank |
Threat on FakeSec infected machine |
Distinct Machines Cleaned |
|
1 |
TrojanDownloader:Win32/Renos.AY |
5,437 |
|
2 |
TrojanDownloader:Win32/Renos.Y |
5,223 |
|
3 |
Trojan:Win32/Zlob.J |
4,922 |
|
4 |
TrojanDropper:Win32/Zlob |
3,076 |
|
5 |
TrojanDownloader:Win32/Renos |
2,619 |
|
6 |
Trojan:Win32/Zlob.AU |
2,040 |
|
7 |
TrojanDownloader:Win32/Zlob.AMV |
1,627 |
|
8 |
TrojanDownloader:Win32/Zlob.gen!CJ |
1,567 |
|
9 |
TrojanDownloader:Win32/Renos.AT |
1,399 |
|
10 |
TrojanDownloader:Win32/Zlob.gen!AX |
1,248 |
We suggest you get familiar with the behaviors of Win32/Renos especially the three variants mentioned above and be cautious out there with your web surfing and other internet usage.
The following table shows the top ten FakeSecSen EXEs. We provide this data for any other antimalware vendors and security research firms who wish to solidify their detection capability or malware analysis.
|
Rank |
FakeSecSen EXE |
Distinct Machines Cleaned |
|
1 |
0×594771CD995BA6A77DEB10BEAA27DFD30B4A6CF1 |
24,488 |
|
2 |
0xDCED8E211919CC57878B53C7E6D288A31DC1C6AB |
8,696 |
|
3 |
0xA73CEE93F3EF7B913CDE29EB84DCBF43B41C4920 |
6,595 |
|
4 |
0×83B3ED7F420D6B06A0F7FA0D429E3B8098205446 |
6,482 |
|
5 |
0×8CE338D88245B7C5DB92BFB9C2FD3852039477D5 |
6,392 |
|
6 |
0×6F6BB37E574FC70FCD90B5075A9100D254C83286 |
6,035 |
|
7 |
0xDB3C727A2F99E04FA8595161A6ADD6889DD29320 |
5,949 |
|
8 |
0xD98221F3893C15DBAE130CB38F3A02856091E733 |
5,236 |
|
9 |
0×3FC84BC022F53B1BED34FFB59681CE2DD42F6AE2 |
5,225 |
|
10 |
0×0D4C8ECA468532A72C4840ACE58257A307CA06EA |
4,821 |
MMPC is keeping an eye on this space and watching closely the activities of AV rogues and their evolution. We strive for ensuring the safe Internet experience of our customers and we trust our colleagues in other industry leading firms are doing the same.
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_b.png?x-id=153d6ca2-26b4-436f-a797-03e7c01009da)
