Win32/FakeSecSen was added to MSRT November release as Hamish mentioned in his MMPC blog.  We’ve since observed MSRT removing FakeSecSen from 994,061 distinct machines.

Breakdown of these removals by regions is shown as below.

There is no surprise about the prevalence of these rogues given our earlier telemetry analysis on other Microsoft AV products and tools. For comparison, the #1 family last month was Renos with 389,036 distinct machines cleaned in the first week and 655,535 machines for the whole month. And the most significant result for MSRT this year was the June release when we added eight game password stealer families, was Win32/Taterf with 1,246,792 machines cleaned by week 1 and 1,536,831 machines for the whole month.

One way to interpret this data is to look into the infection rate.  In the recent release of volume 5 of the Microsoft Security Intelligence Report we introduced “Computer Cleaned per thousand MSRT executions” (CCM).  During 1H08, the CCM for US for the full six months was 11.2. Within one week in November US CCM for all threats is 10.3 and US CCM for just FakeSecSen alone is 5.0. This reads: every one thousand machines in US scanned by MSRT during the last seven days, roughly five were infected with FakeSecSen rogues.   

Normally each FakeSecSen installation contains one EXE, one or two DAT files, one Control Panel applet (CPL), one desktop shortcut and sometimes one uninstaller. It is interesting that only 20% of these removals contain executables of FakeSecSen. This indicates either the other 80% machines had at one point been infected by FakeSecSen and the threat was then manually and partially removed, or the machines were cleaned by other AV products/tools, or FakeSecSen had failed to install, etc. To put the number in perspective and adjust the FakeSecSen to count only the EXE, it is #2, behind Renos..

Now how did one’s machine get infected by FakeSecSen? From our research a few Win32/Renos variants such as TrojanDownloader:Win32/Renos.Y, TrojanDownloader:Win32/Renos.AY, TrojanDownloader:Win32/Renos.EK are responsible for downloading FakeSecSen. The table below shows the top ten threats infecting machines that were also infected by FakeSecSen. Five of them are Renos.

We suggest you get familiar with the behaviors of Win32/Renos especially the three variants mentioned above and be cautious out there with your web surfing and other internet usage. 

The following table shows the top ten FakeSecSen EXEs.  We provide this data for any other antimalware vendors and security research firms who wish to solidify their detection capability or malware analysis.

MMPC is keeping an eye on this space and watching closely the activities of AV rogues and their evolution.  We strive for ensuring the safe Internet experience of our customers and we trust our colleagues in other industry leading firms are doing the same.

-- Scott Wu, Scott Molenkamp and Hamish O’Dea