The February release of MSRT added a new threat family, Win32/Srizbi, as Vince discussed last week. As of February 16, MSRT has cleaned 38,697 machines from Srizbi infections, which is 14.1% of the total September 2007 removals of Win32/Nuwar or the “Storm” worm during the same timeframe.
So what tops the detection and removal list this month? Online game password stealers (PWS) Win32/Taterf and Win32/Frethog are the top two threat families, with 981,051 and 316,971 machines cleaned respectively a week after MSRT release. Taterf removals are already 171% higher than the full month's volume in January.
Below is the Top 10 threat families from MSRT February telemetry one week after release:
Distinct machines cleaned
In the last Security Intelligence Report (SIR), Microsoft observed online game PWS threats as a key area in the threat landscape.
The increasing popularity of massively multiplayer online role-playing games (MMORPGs) has created a new online economy in which players auction off hard-won virtual “gold” and in-game equipment for real-world cash. Though the games’ makers usually discourage such commerce and often penalize players who are known to engage in it, the possessions and attributes of a well-stocked character can fetch hundreds of U.S. dollars from game devotees. Perhaps inevitably, this has led to the development of a curious new class of threat—worms and trojans that steal players’ gaming passwords on behalf of thieves who can then auction the victim’s virtual loot themselves. –- Page 62, Microsoft Security Intelligence Report January through June 2008.
MMPC continues to monitor the activities of these PWS threats. Many of these threats have remained quite prevalent during the last eight months. The trending below shows that Taterf and Frethog remain very active since being added to MSRT detection list in June 2008. Taterf never dropped out of the top 5 and Frethog has consistently been in the top 5 except during last November and December.
What does this mean? In comparison to the families of rogue security software we focused on last November and December, these game PWS threats appear to be more resilient and have longer life cycles. (Win32/FakeSecSen rogue, the threat family included in MSRT November 2008, dropped out of the top 20 a month after the initial #1 ranking; Win32/FakeXPA rogue, the family included in MSRT December 2008, is now #9 after ranked #1 in December) Malware authors are busy updating Taterf and Frethog to make these threats highly polymorphic and to distribute variations of the same codebase to multiple criminal groups. This month we still saw 17,070 different Taterf and 26,420 different Frethog files.
Top 10 Win32/Taterf files detected by the MSRT February release:
Top 10 Taterf Sha1
Top 10 Win32/Frethog files detected by the MSRT February release:
Top 10 Frethog Sha1
The main shift in geographic distribution of these PWS is that China is no longer in the top 10 for instances of infected systems compared to what Matt McCormack disclosed in his June 2008 blog post or Jeff Williams in his August 2008 blog post, when China was the most prevalent region for these PWS threats. This may not mean the malware authors are retreating from China. With a projected online game market of “17.03 billion RMB (around 2.43 billion USD) in 2009” described in Chun Feng’s VB paper, “Playing with shadows - exposing the black market for online game password theft", the malware writers will definitely want a piece of the pie. Read on Chun's paper to get a peek of the malware underground economy. You do not want your IDs being auctioned there.
Win32/Taterf, week 1, February 2009:
distinct machines cleaned
Win32/Frethog, week 1, February 2009:
distinct machines cleaned
We identified at least the following games or game platforms that are targeted by Taterf and Frethog authors:
- Rainbow Island
- Cabal Online
- A Chinese Odyssey
- Hao Fang Battle Net
- Legend of Mir
- World Of Warcraft
If you play the above games we suggest you read Jeremy Croy’s blog post and be cautious in your online and gaming adventure, especially if you log in from an Internet café. At home, do yourself a favor and install a full AV product. At a minimum, if you suspect your computer has been infected, run a virus scan with Microsoft Windows Live safety scanner at http://safety.live.com.