Win32/FakeSecSen was added to MSRT November release as Hamish mentioned in his MMPC blog.  We’ve since observed MSRT removing FakeSecSen from 994,061 distinct machines.

Breakdown of these removals by regions is shown as below.

Region/Country

Distinct Machines Cleaned

United States

548,218

United Kingdom

74,343

France

47,581

Germany

43,347

Netherlands

28,724

Spain

23,027

Italy

18,453

Australia

16,287

Canada

16,180

Sweden

15,412

Other

162,489

There is no surprise about the prevalence of these rogues given our earlier telemetry analysis on other Microsoft AV products and tools. For comparison, the #1 family last month was Renos with 389,036 distinct machines cleaned in the first week and 655,535 machines for the whole month. And the most significant result for MSRT this year was the June release when we added eight game password stealer families, was Win32/Taterf with 1,246,792 machines cleaned by week 1 and 1,536,831 machines for the whole month.

One way to interpret this data is to look into the infection rate.  In the recent release of volume 5 of the Microsoft Security Intelligence Report we introduced “Computer Cleaned per thousand MSRT executions” (CCM).  During 1H08, the CCM for US for the full six months was 11.2. Within one week in November US CCM for all threats is 10.3 and US CCM for just FakeSecSen alone is 5.0. This reads: every one thousand machines in US scanned by MSRT during the last seven days, roughly five were infected with FakeSecSen rogues.   

Normally each FakeSecSen installation contains one EXE, one or two DAT files, one Control Panel applet (CPL), one desktop shortcut and sometimes one uninstaller. It is interesting that only 20% of these removals contain executables of FakeSecSen. This indicates either the other 80% machines had at one point been infected by FakeSecSen and the threat was then manually and partially removed, or the machines were cleaned by other AV products/tools, or FakeSecSen had failed to install, etc. To put the number in perspective and adjust the FakeSecSen to count only the EXE, it is #2, behind Renos..

Threat Family

Distinct Machines Cleaned

Renos

565,728

FakeSecSen (EXEs)

198,812

Taterf

177,660

Zlob

175,559

Lolyda

118,130

Now how did one’s machine get infected by FakeSecSen? From our research a few Win32/Renos variants such as TrojanDownloader:Win32/Renos.Y, TrojanDownloader:Win32/Renos.AY, TrojanDownloader:Win32/Renos.EK are responsible for downloading FakeSecSen. The table below shows the top ten threats infecting machines that were also infected by FakeSecSen. Five of them are Renos.

Rank

Threat on FakeSec infected machine

Distinct Machines Cleaned

1

TrojanDownloader:Win32/Renos.AY

5,437

2

TrojanDownloader:Win32/Renos.Y

5,223

3

Trojan:Win32/Zlob.J

4,922

4

TrojanDropper:Win32/Zlob

3,076

5

TrojanDownloader:Win32/Renos

2,619

6

Trojan:Win32/Zlob.AU

2,040

7

TrojanDownloader:Win32/Zlob.AMV

1,627

8

TrojanDownloader:Win32/Zlob.gen!CJ

1,567

9

TrojanDownloader:Win32/Renos.AT

1,399

10

TrojanDownloader:Win32/Zlob.gen!AX

1,248

We suggest you get familiar with the behaviors of Win32/Renos especially the three variants mentioned above and be cautious out there with your web surfing and other internet usage. 

The following table shows the top ten FakeSecSen EXEs.  We provide this data for any other antimalware vendors and security research firms who wish to solidify their detection capability or malware analysis.

Rank

FakeSecSen EXE

Distinct Machines Cleaned

1

0x594771CD995BA6A77DEB10BEAA27DFD30B4A6CF1

24,488

2

0xDCED8E211919CC57878B53C7E6D288A31DC1C6AB

8,696

3

0xA73CEE93F3EF7B913CDE29EB84DCBF43B41C4920

6,595

4

0x83B3ED7F420D6B06A0F7FA0D429E3B8098205446

6,482

5

0x8CE338D88245B7C5DB92BFB9C2FD3852039477D5

6,392

6

0x6F6BB37E574FC70FCD90B5075A9100D254C83286

6,035

7

0xDB3C727A2F99E04FA8595161A6ADD6889DD29320

5,949

8

0xD98221F3893C15DBAE130CB38F3A02856091E733

5,236

9

0x3FC84BC022F53B1BED34FFB59681CE2DD42F6AE2

5,225

10

0x0D4C8ECA468532A72C4840ACE58257A307CA06EA

4,821

MMPC is keeping an eye on this space and watching closely the activities of AV rogues and their evolution.  We strive for ensuring the safe Internet experience of our customers and we trust our colleagues in other industry leading firms are doing the same.

-- Scott Wu, Scott Molenkamp and Hamish O’Dea