In his 10/18 blog post, Oleg provided great insights into the distribution, installation and payload of Win32/Rustock, which was added to the 10/14 MSRT release. As of 10/29, MSRT has removed this rootkit from 99,418 distinct machines.

The breakdown of these removals by country/region is shown below.

Country/Region     Distinct machines cleaned
United States                         41,305
France                                 6,295
Spain                                  5,987
Italy                                  5,033
United Kingdom                         4,962
Russia                                 3,390
Germany                                3,079
Netherlands                            2,399
Korea                                  2,279
Japan                                  2,069
All Other                             22,620

Incidence of the top 10 variants looks like this:

Variant                          Distinct machines cleaned
Backdoor:WinNT/Rustock.E                            80,256
Backdoor:WinNT/Rustock.C                            12,950
Backdoor:WinNT/Rustock.B                             3,568
Backdoor:Win32/Rustock                               1,963
Backdoor:WinNT/Rustock.D                               643
Backdoor:WinNT/Rustock.A                               142
Trojan:Win32/Rustock.D                                  67
Backdoor:Win32/Rustock.B!sys                            66
TrojanDropper:Win32/Rustock.C                           15
Trojan:Win32/Rustock.E                                  11

The following table shows the top 15 Rustock files detected by MSRT, identified by SHA1, with each file's share of Rustock file detections. We provide this data for other antimalware vendors and security research firms who wish to strengthen their detection capability or support their malware analysis.

Rank  SHA1                                        Percentage
   1  0x577C22C79DD72E5F2477283502B47FD8C7D50A0F       21.0%
   2  0x395172D630DA0EB076B1DBB35665C0DBEF826274       11.4%
   3  0xD4AEECDD0943C91D7E1C08B6F5F796202A6C4A36        5.7%
   4  0x0526B429CC4762629F9B30F55F2A0ED02245950F        4.5%
   5  0xC59F270478D8FE60CC5EA7B988BCFFF1E8C76B9B        4.0%
   6  0x3EDAD0FFA64651922C2DA34AE50AA372FAB1F9C0        3.7%
   7  0x0288F557E6AA1CC75DACAF5629576C7460718130        2.7%
   8  0x894B4F2CB9A9BA0A308A0890AE2D2CE597D805A7        2.6%
   9  0xB724DF204530EADBCDAA29F1EC41ED552D780747        2.4%
  10  0xF6AAFF904FAA577447EF23C535100D32FD20AB7A        2.1%
  11  0x7B8C0250DECE92DC6221648D73D09FCCCB102AEC        1.7%
  12  0xEE9D3B39729AF6150C40E87604D193BC69079CE6        1.7%
  13  0x9791F6944DE42FE0FFB47E74D6CF720BDAAC8D3A        1.6%
  14  0x0D85B7B2CF6DB2BD88155B35E503BD0AD86EC33A        1.5%
  15  0x2F40A2CE1955C8E823DFC2EB38F8F9787F7CD524        1.4%
      Other                                            31.9%
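As an added example of how a vendor or researcher might consume the hash list above (this script is not part of the original post and is not MSRT or MMPC code), the following Python sweeps a directory tree, hashes every regular file and reports any whose SHA1 appears in the list. The hashes are pasted verbatim in the 0x-prefixed uppercase form used in the table; the parser normalises them. The sample directory, file names and the planted "hit" in demo() are constructed for the example and are not malware.

```python
import hashlib
import os
import re
import tempfile

# The SHA1 column of the table above, pasted verbatim (0x-prefixed, uppercase hex).
RUSTOCK_SHA1_LIST = """
0x577C22C79DD72E5F2477283502B47FD8C7D50A0F
0x395172D630DA0EB076B1DBB35665C0DBEF826274
0xD4AEECDD0943C91D7E1C08B6F5F796202A6C4A36
0x0526B429CC4762629F9B30F55F2A0ED02245950F
0xC59F270478D8FE60CC5EA7B988BCFFF1E8C76B9B
0x3EDAD0FFA64651922C2DA34AE50AA372FAB1F9C0
0x0288F557E6AA1CC75DACAF5629576C7460718130
0x894B4F2CB9A9BA0A308A0890AE2D2CE597D805A7
0xB724DF204530EADBCDAA29F1EC41ED552D780747
0xF6AAFF904FAA577447EF23C535100D32FD20AB7A
0x7B8C0250DECE92DC6221648D73D09FCCCB102AEC
0xEE9D3B39729AF6150C40E87604D193BC69079CE6
0x9791F6944DE42FE0FFB47E74D6CF720BDAAC8D3A
0x0D85B7B2CF6DB2BD88155B35E503BD0AD86EC33A
0x2F40A2CE1955C8E823DFC2EB38F8F9787F7CD524
"""

_SHA1_RE = re.compile(r"^(?:0x)?([0-9a-fA-F]{40})$")


def parse_sha1_list(text):
    """Normalise one hash per line into a set of lowercase 40-hex-digit strings.

    Blank lines are ignored; anything else that is not a SHA-1 raises, so a
    mangled indicator is not silently dropped from the watch list.
    """
    indicators = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = _SHA1_RE.match(line)
        if not m:
            raise ValueError("line %d is not a SHA-1: %r" % (lineno, raw))
        indicators.add(m.group(1).lower())
    return indicators


def sha1_of_file(path, chunk_size=1 << 20):
    """SHA-1 of a file's contents, read in chunks so large files need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root, indicators):
    """Hash every regular file under root; return sorted [(path, sha1)] for files in indicators.

    Symlinks are not followed, and unreadable or vanished files are skipped
    rather than aborting the sweep.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue  # locked, permission denied, or removed mid-scan
            if digest in indicators:
                hits.append((path, digest))
    hits.sort()
    return hits


def demo():
    """Constructed end-to-end run in a fresh temp directory.

    Writes two harmless files and plants the SHA-1 of one of them into the
    indicator set (in the page's 0x-uppercase notation, to exercise the
    normalisation). Returns (root, hits, planted_sha1).
    """
    root = tempfile.mkdtemp(prefix="rustock_ioc_demo_")
    planted = os.path.join(root, "drivers", "sample.sys")  # constructed name, not a real sample
    os.makedirs(os.path.dirname(planted))
    with open(planted, "wb") as f:
        f.write(b"constructed stand-in for a listed file, not malware\n")
    with open(os.path.join(root, "readme.txt"), "wb") as f:
        f.write(b"unrelated clean file\n")
    planted_sha1 = sha1_of_file(planted)
    indicators = parse_sha1_list(RUSTOCK_SHA1_LIST + "0x" + planted_sha1.upper() + "\n")
    return root, scan_directory(root, indicators), planted_sha1


if __name__ == "__main__":
    _root, hits, _planted = demo()
    for path, digest in hits:
        print("MATCH %s %s" % (digest, path))
```

Two caveats apply when using this on a suspect machine. A hash sweep only finds the exact files listed; a repacked or otherwise modified dropper or driver produces a different SHA-1 and will not match, which is why the post asks for undetected samples. More importantly, a kernel-mode rootkit that is running can hide its own files from user-mode directory listings, so a sweep of a live infected system can come back clean; hash a disk image, or a volume mounted from a clean boot environment, rather than the running install.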

While we detect and remove most of the Rustock variants in our collection, it is possible this crimeware has other masks. If you have samples that you think we don't detect, please send them to us through our portal.

 -- Scott Wu (MMPC)