In his 10/18 blog post, Oleg provided great insights into the distribution, installation and payload of Win32/Rustock, which was added to the MSRT 10/14 release. As of 10/29, MSRT has removed this rootkit from 99,418 distinct machines.
The breakdown of these removals by region is shown below.
Country/Region    Distinct machines cleaned
United States     41,305
France             6,295
Spain              5,987
Italy              5,033
United Kingdom     4,962
Russia             3,390
Germany            3,079
Netherlands        2,399
Korea              2,279
Japan              2,069
All Other         22,620
Incidence of the top 10 variants looks like this:
Variant                          Distinct machines cleaned
Backdoor:WinNT/Rustock.E         80,256
Backdoor:WinNT/Rustock.C         12,950
Backdoor:WinNT/Rustock.B          3,568
Backdoor:Win32/Rustock            1,963
Backdoor:WinNT/Rustock.D            643
Backdoor:WinNT/Rustock.A            142
Trojan:Win32/Rustock.D               67
Backdoor:Win32/Rustock.B!sys         66
TrojanDropper:Win32/Rustock.C        15
Trojan:Win32/Rustock.E               11
The following table shows the top 15 Rustock files detected by MSRT. We provide this data for other antimalware vendors and security research firms who wish to solidify their detection capabilities or malware analysis.
Rank   SHA1                                          Percentage
1      0x577C22C79DD72E5F2477283502B47FD8C7D50A0F    21.0%
2      0x395172D630DA0EB076B1DBB35665C0DBEF826274    11.4%
3      0xD4AEECDD0943C91D7E1C08B6F5F796202A6C4A36     5.7%
4      0x0526B429CC4762629F9B30F55F2A0ED02245950F     4.5%
5      0xC59F270478D8FE60CC5EA7B988BCFFF1E8C76B9B     4.0%
6      0x3EDAD0FFA64651922C2DA34AE50AA372FAB1F9C0     3.7%
7      0x0288F557E6AA1CC75DACAF5629576C7460718130     2.7%
8      0x894B4F2CB9A9BA0A308A0890AE2D2CE597D805A7     2.6%
9      0xB724DF204530EADBCDAA29F1EC41ED552D780747     2.4%
10     0xF6AAFF904FAA577447EF23C535100D32FD20AB7A     2.1%
11     0x7B8C0250DECE92DC6221648D73D09FCCCB102AEC     1.7%
12     0xEE9D3B39729AF6150C40E87604D193BC69079CE6
13     0x9791F6944DE42FE0FFB47E74D6CF720BDAAC8D3A     1.6%
14     0x0D85B7B2CF6DB2BD88155B35E503BD0AD86EC33A     1.5%
15     0x2F40A2CE1955C8E823DFC2EB38F8F9787F7CD524     1.4%
Other                                                 31.9%
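The hash list above is the kind of data a defender folds straight into a file-integrity or triage check. The following script is an added example, not code from the MMPC post or from MSRT: it carries the fifteen SHA1 values exactly as published above (rank 12's share is not given in the post, so it is recorded as unknown), normalizes the 0x-prefixed upper-case form so it compares equal to what sha1sum or hashlib produce, and reports any file under a directory whose digest is on the list. The function and variable names and the command-line usage are the example's own assumptions.

```python
# Added example (not from the MMPC post): match files on disk against the
# SHA1 list published in the top-15 Rustock table above.
import hashlib
import os
import sys
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# SHA1 values and shares copied from the post's table; rank 12's share was
# not given in the post, so it is stored as None.
RUSTOCK_SHA1_TABLE: Dict[str, Optional[str]] = {
    "0x577C22C79DD72E5F2477283502B47FD8C7D50A0F": "21.0%",
    "0x395172D630DA0EB076B1DBB35665C0DBEF826274": "11.4%",
    "0xD4AEECDD0943C91D7E1C08B6F5F796202A6C4A36": "5.7%",
    "0x0526B429CC4762629F9B30F55F2A0ED02245950F": "4.5%",
    "0xC59F270478D8FE60CC5EA7B988BCFFF1E8C76B9B": "4.0%",
    "0x3EDAD0FFA64651922C2DA34AE50AA372FAB1F9C0": "3.7%",
    "0x0288F557E6AA1CC75DACAF5629576C7460718130": "2.7%",
    "0x894B4F2CB9A9BA0A308A0890AE2D2CE597D805A7": "2.6%",
    "0xB724DF204530EADBCDAA29F1EC41ED552D780747": "2.4%",
    "0xF6AAFF904FAA577447EF23C535100D32FD20AB7A": "2.1%",
    "0x7B8C0250DECE92DC6221648D73D09FCCCB102AEC": "1.7%",
    "0xEE9D3B39729AF6150C40E87604D193BC69079CE6": None,
    "0x9791F6944DE42FE0FFB47E74D6CF720BDAAC8D3A": "1.6%",
    "0x0D85B7B2CF6DB2BD88155B35E503BD0AD86EC33A": "1.5%",
    "0x2F40A2CE1955C8E823DFC2EB38F8F9787F7CD524": "1.4%",
}

HEX_DIGITS = set("0123456789abcdef")


def normalize_sha1(value: str) -> str:
    """Drop an optional 0x prefix and lower-case, so the post's notation and
    hashlib.sha1().hexdigest() compare equal. Rejects anything that is not
    40 hex characters, which catches truncated or mis-pasted indicators."""
    v = value.strip()
    if v[:2].lower() == "0x":
        v = v[2:]
    v = v.lower()
    if len(v) != 40 or any(c not in HEX_DIGITS for c in v):
        raise ValueError(f"not a SHA1 hex digest: {value!r}")
    return v


# Lookup table keyed by the normalized digest (the form hashlib emits).
KNOWN_BAD: Dict[str, Optional[str]] = {
    normalize_sha1(k): v for k, v in RUSTOCK_SHA1_TABLE.items()
}


def sha1_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA1 in chunks so large files do not have to
    fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def walk_files(root: str) -> Iterator[str]:
    """Yield every regular file under root (symlinks are not followed)."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            yield os.path.join(dirpath, name)


def scan_paths(
    paths: Iterable[str], known_bad: Dict[str, Optional[str]] = KNOWN_BAD
) -> List[Tuple[str, str, Optional[str]]]:
    """Return (path, sha1, share) for each file whose SHA1 is in known_bad.
    Unreadable files are skipped rather than aborting the whole scan."""
    hits: List[Tuple[str, str, Optional[str]]] = []
    for p in paths:
        if not os.path.isfile(p):
            continue
        try:
            digest = sha1_of_file(p)
        except OSError:
            continue
        if digest in known_bad:
            hits.append((p, digest, known_bad[digest]))
    return hits


if __name__ == "__main__":
    # Usage (assumed CLI): python rustock_hashcheck.py <directory>
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest, share in scan_paths(walk_files(root)):
        print(f"MATCH {path} sha1={digest} share={share or 'n/a'}")
```

A hash match is a positive identification of one of the listed samples only; a file that does not match proves nothing, since repacked variants hash differently, which is exactly why the post asks for undetected samples to be submitted.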
While we detect and remove most of the Rustock variants in our collection, it is possible this crimeware has other masks. If you have samples that you think we don't detect, please send them to us through our portal.
-- Scott Wu (MMPC)