In May, we added Win32/Ramnit to the Microsoft Malicious Software Removal Tool (MSRT) detection capability, as my colleague Scott Molenkamp blogged. As of May 20th, MSRT had disinfected 52,549 computers of the Win32/Ramnit infection. Ramnit is one of the four parasitic viruses among the top 10 detected threat families.
Top 25 detections by MSRT, May 10 – May 20 (parasitic virus families shown)

| Family | Computers cleaned | Classification |
|---|---|---|
| Sality | 202,351 | Classic parasitic virus |
| Alureon | 58,884 | Evolved parasitic virus |
| Parite | 53,778 | Evolved parasitic virus |
| Ramnit | 52,549 | Evolved parasitic virus |
| Frethog | 33,100 | Evolved parasitic virus |
| Jeefo | 22,396 | Classic parasitic virus |
| Virut | 20,963 | Classic parasitic virus |
You may have noticed that Ramnit, like several of the other viruses mentioned in the above chart, is classified as an “evolved” virus – as described in Scott’s previous Ramnit post, one that combines earlier and later generations of malicious infection techniques.
Allow me to go ‘back to the book’ for the definition of a parasitic virus. A parasitic virus, or file infector, is a type of ‘old school’ malware that attaches itself to, modifies, or resides in a host file on the file system. Given how invasive this spreading technique is, one may wonder why malware authors are still in love with this old method, particularly when file infectors tend to leave the computer in an unstable state, slow and crashing often, and some even render the infected computer useless.
With today’s malware authors aiming to profit from their victims, one would expect them to be motivated to create stealthy threats with the least possible overhead on the machine, so as to keep the window of time open long enough to harvest data (or perform other payloads).
There are several possible explanations:
- Malware authors know that the anti-malware industry is targeting them; viruses can require more effort to detect and clean properly, forcing security companies to invest more resources in remediation of the threat.
- Current threats tend to have multiple components. For example, Ramnit’s authors wrote worm modules to help it propagate via USB and network drives using Autorun.
- While some file infector viruses such as Sality, Jeefo and Virut are traditional, many other file infectors are not. For example, Alureon and Cutwail only infect system files or system drivers (e.g. “atapi.sys” or “agp440.sys”). Once a system file is infected and hidden, the job of the file-infecting component is done, while the other malicious components continue to execute the payload.
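As an added illustration of the “attaches to a host file” definition above and of the classic infectors in the list (this is example code written for this page, not MSRT or MMPC detection logic): a classic appending infector grows the host by one section, makes that section writable and executable, and redirects the PE entry point into it. The script below parses just enough of the PE headers to check for that layout. The images it scans are constructed inline by `build_pe()`; the section name `.extra` is arbitrary and nothing here is modelled on a specific family’s on-disk format.

```python
# Heuristic check for appending file infectors. Added example for this page,
# not MMPC/MSRT code; the PE images scanned are constructed by build_pe() below.
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (AddressOfEntryPoint, sections) from a PE image.

    Each section is (name, VirtualAddress, VirtualSize, PointerToRawData,
    SizeOfRawData, Characteristics); only the fields the heuristics need.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections, off = [], opt + opt_size                    # section table follows
    for _ in range(nsections):
        (name, vsize, va, rsize, rptr, _reloc, _lines,
         _nreloc, _nlines, chars) = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append((name.rstrip(b"\0").decode("latin-1"), va, vsize, rptr, rsize, chars))
        off += 40
    return entry_rva, sections


def assess(data):
    """Return a list of infector-like traits; an empty list means nothing suspicious."""
    entry_rva, sections = parse_pe(data)
    findings = []
    if not sections:
        return ["no section table"]
    # Locate the section that contains the entry point.
    hit = next((i for i, s in enumerate(sections)
                if s[1] <= entry_rva < s[1] + max(s[2], s[4])), None)
    if hit is None:
        findings.append("entry point outside every section")
    else:
        name, _va, _vsize, _rptr, _rsize, chars = sections[hit]
        # Appending infectors add a section at the end and point the entry at it.
        if len(sections) > 1 and hit == len(sections) - 1:
            findings.append(f"entry point in last section '{name}'")
        # Self-modifying viral code usually needs its section writable and executable.
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"entry section '{name}' is writable and executable")
        if not chars & IMAGE_SCN_CNT_CODE:
            findings.append(f"entry section '{name}' is not flagged as code")
    # Raw data running past end of file points to a damaged or truncated host.
    _name, _va, _vsize, rptr, rsize, _chars = sections[-1]
    if rsize and rptr + rsize > len(data):
        findings.append("last section raw data extends past end of file")
    return findings


def build_pe(sections, entry_rva):
    """Build a minimal PE32 image (constructed test data, not a real program).

    sections: list of (name, VirtualAddress, Characteristics, body bytes).
    """
    hdr_size = (0x40 + 4 + 20 + 224 + 40 * len(sections) + 0x1FF) & ~0x1FF
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)            # AddressOfEntryPoint
    table, bodies, raw_ptr = b"", b"", hdr_size
    for name, va, chars, body in sections:
        rsize = (len(body) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(body), va, rsize, raw_ptr, 0, 0, 0, 0, chars)
        bodies += body.ljust(rsize, b"\0")
        raw_ptr += rsize
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return headers.ljust(hdr_size, b"\0") + bodies


TEXT = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed clean host: entry point in .text, data section read/write only.
CLEAN = build_pe([(".text", 0x1000, TEXT, b"\xC3" * 16),
                  (".data", 0x2000, DATA, b"\0" * 16)], entry_rva=0x1000)

# Constructed "infected" host: same file plus an appended RWX section holding
# the viral code, with the entry point redirected into it (name is arbitrary).
INFECTED = build_pe([(".text", 0x1000, TEXT, b"\xC3" * 16),
                     (".data", 0x2000, DATA, b"\0" * 16),
                     (".extra", 0x3000, TEXT | IMAGE_SCN_MEM_WRITE, b"\x90" * 32)],
                    entry_rva=0x3000)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, assess(image) or "no findings")
```

Treat the output as a triage signal, not a verdict: legitimate packers also place the entry point in a late, writable section, so an executable flagged this way deserves a second look rather than automatic quarantine. For the system drivers mentioned above (e.g. atapi.sys), comparing the on-disk file against a known-good hash is the more decisive check, since a driver that differs from its vendor copy should not differ at all.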
Parasitic viruses are not going away; they are still relevant and evolving. Our newly published Microsoft Security Intelligence Report shows the steady presence of viruses as a threat category.
Image 1 - Detections by Threat Category
For more information about SIR, refer to http://www.microsoft.com/sir.
Special thanks to Patrick Nolan for his assistance in this post.
-- Scott Wu, MMPC