This month the MMPC added a new threat family, Win32/FakeRean, to the MSRT. You can refer to Hamish’s blog post, “Win32/FakeRean and MSRT” for more details on this fake, or rogue, security software. As of August 24, the MSRT had cleaned FakeRean from 162,328 infected machines. The following table shows data gathered from the MSRT since its August release.
| Family | Threat Count | Machine Count |
|---|---|---|
Note that the “Threat Count” total is higher than the “Machine Count” total because a single infected machine may contain multiple components of a threat, each of which is counted separately.
Win32/Taterf still holds first place in the MSRT’s top detections. This is a family of worms that spread via mapped drives in order to steal login and account details for popular online games. Taterf is closely related to Win32/Frethog, another family added to the MSRT at the same time as Taterf and also found in the list above. We believe that the two are based on the same source code, given the similarities between them. Since they were first added, these two families have consistently ranked near the top, and this month is no exception. You can revisit a previous blog post about this threat for more in-depth details.
Another usual suspect is Win32/Renos. It was added to the MSRT in May 2007, before rogue security software was viewed as being as disruptive as it is today. Renos holds a high ranking because of its strong ties to rogues: it is a downloader that installs them. We think this addition was a good investment, as many of us have at least once encountered the dreaded “Your computer is infected!” message.
A few notes about the remaining threats from the list:
- Win32/Koobface is a prevalent worm that spreads by utilizing social networking sites. It’s a complex family with multiple components that act as proxies, report affected users’ online behavior, generate “pay per click” advertising revenue, steal data, and even break CAPTCHAs.
- Win32/Alureon is a family of data-stealing trojans. These trojans allow an attacker to intercept incoming and outgoing Internet traffic in order to gather confidential information such as user names, passwords, and credit card data. Win32/Alureon may also allow an attacker to transmit malicious data to the infected computer. The family also has rootkit components that provide stealth functionality, which is why it tends to survive on a machine until a tool that looks for it specifically is run.
- Win32/Bancos is a family of data-stealing trojans that capture users’ online banking credentials, such as account login names and passwords. These trojans send the captured information to the attacker by e-mail, by uploading it to an attacker’s FTP site, or by posting it to an attacker’s Web site.
The following table shows the breakdown by country/region. US, China, and Brazil report the highest numbers of infected machines during the same time frame as the previous table.
| Country/Region | Threat Count | Machine Count |
|---|---|---|
The US is at the top of this list because it is, by default, the top target for most of the malicious code in circulation. China and Brazil are a different story. China is a top target for online-game password stealers and the black market built around stolen game accounts, while Brazil is a prime target for another breed of password stealers: those targeting bank accounts. Given these locations, it should come as no surprise that the most prevalent threats are what they are: Taterf and Frethog for China, and Bancos for Brazil.
As you look at this table you will see that the number of unique machines infected is lower than the total number of disinfections performed by the MSRT. There are several reasons for this: infections by multiple malware families on the same machine (some malware downloads other malware), multiple variants of the same family found on the same machine, and re-infections of the same machine over time, each of which the MSRT counts as a separate disinfection. The MSRT is not a replacement for antivirus software with real-time protection from a known, trusted vendor. When choosing an AV vendor, be wary of rogue security software. You can find a list of anti-virus products for Windows here.
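To make the relationship between the two columns concrete, here is an added example (not MSRT code or telemetry from the post) that computes “Threat Count” and “Machine Count” per family and per country/region from a small set of constructed detection records. Each record stands for one component the tool removed; the machine identifiers, family mix and countries are made up for illustration. The script shows the three effects described above, a second family on the same machine, a second variant of the same family, and a re-infection cleaned on a later run, each adding to the threat count without adding a new machine.

```python
from collections import defaultdict

# Constructed sample telemetry (not real MSRT data): one record per component
# removed, as (machine_id, family, country). A machine appears several times
# when several components, variants or families were found on it, or when it
# was re-infected and cleaned again on a later run.
SAMPLE_DETECTIONS = [
    ("m-001", "Win32/Taterf", "CN"),
    ("m-001", "Win32/Frethog", "CN"),   # a second family on the same machine
    ("m-002", "Win32/Taterf", "CN"),
    ("m-002", "Win32/Taterf", "CN"),    # same machine re-infected and cleaned again
    ("m-003", "Win32/Renos", "US"),
    ("m-003", "Win32/FakeRean", "US"),  # rogue installed by a downloader
    ("m-004", "Win32/Koobface", "US"),
    ("m-005", "Win32/Bancos", "BR"),
    ("m-005", "Win32/Bancos", "BR"),    # a second variant of the same family
    ("m-006", "Win32/Alureon", "US"),
]


def summarize(detections, key_index):
    """Return {key: (threat_count, machine_count)} grouped by one column.

    threat_count is the number of detection records for the key;
    machine_count is the number of distinct machines behind those records.
    key_index selects the grouping column: 1 = family, 2 = country/region.
    """
    threats = defaultdict(int)
    machines = defaultdict(set)
    for machine_id, family, country in detections:
        key = (machine_id, family, country)[key_index]
        threats[key] += 1
        machines[key].add(machine_id)
    return {k: (threats[k], len(machines[k])) for k in threats}


def by_family(detections):
    return summarize(detections, 1)


def by_country(detections):
    return summarize(detections, 2)


def totals(detections):
    """Overall (disinfections, distinct machines): the gap the post describes."""
    return len(detections), len({machine for machine, _, _ in detections})


def ranked(summary):
    """Rows sorted the way the post's tables read: by machine count, then threat count."""
    return sorted(summary.items(), key=lambda kv: (kv[1][1], kv[1][0]), reverse=True)


if __name__ == "__main__":
    for family, counts in ranked(by_family(SAMPLE_DETECTIONS)):
        print(f"{family:16} threats={counts[0]} machines={counts[1]}")
    for region, counts in ranked(by_country(SAMPLE_DETECTIONS)):
        print(f"{region:16} threats={counts[0]} machines={counts[1]}")
    print("total disinfections, distinct machines:", totals(SAMPLE_DETECTIONS))
```

Counting distinct machines with a set is what keeps the second column honest; summing per-family machine counts would overcount m-001 and m-003, which carry two families each, so the overall machine total is taken from the raw records rather than from the per-family table.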
We hope this data has been helpful for our readers.
Marian Radu & Scott Wu – MMPC
Additional resources: Latest Microsoft Security Intelligence Report (SIR)