As mentioned previously on this blog, we added two “rogue” families to MSRT this month: Win32/FakeXPA and Win32/Yektel. We’ve known for some time that rogues in general have been growing in prevalence, and with two months of MSRT data (last month we added a family of rogues called Win32/FakeSecSen) we’re seeing that confirmed. In analysing the data, however, we have also found some surprises. Here are the numbers:

Threat Family        Distinct machines cleaned
Win32/FakeXPA        394,247
Win32/Yektel         107,495

In raw numbers, Win32/FakeXPA appears less prevalent than Win32/FakeSecSen: a week after the release of the November MSRT, Win32/FakeSecSen had been removed from 994,061 distinct machines. But as with Win32/FakeSecSen, Win32/FakeXPA usually installs more than one component; a typical install consists of an executable (.EXE) and a Control Panel applet (.CPL) that launches the EXE. If we count only the machines on which the EXE component was removed, the story changes:

Threat Family        Machines with the EXE component removed (first week)
Win32/FakeSecSen     198,812
Win32/FakeXPA        218,015

By this measurement, Win32/FakeXPA was actually more prevalent than Win32/FakeSecSen. It also implies that “partial” installations (some component present, but no EXE) were far more common in the case of Win32/FakeSecSen: roughly 80% of the 994,061 machines cleaned in the first week had no Win32/FakeSecSen EXE to remove. This could be because Win32/FakeSecSen uses more components, some of which are more likely to be left behind if the threat was cleaned manually or by another security product. It could also be because Win32/FakeSecSen has been around longer than Win32/FakeXPA, with more opportunities to be found and partially removed.

While the proportion of partial Win32/FakeXPA installations is lower than last month’s rogue, it is still a significant number. Multi-component malware is not unusual, but rogue security products like Win32/FakeXPA and Win32/FakeSecSen differ from most of the other malware that MSRT removes in one respect: they make no attempt to hide that they are running, even if they do hide that they are malicious. They look and act like legitimate applications in most ways; in particular, they have full GUIs that imitate the look and feel of real security products. That visibility also makes them easier to disable than most malware. For example, to find the Win32/FakeXPA EXE one could simply follow the “Antivirus 2009” shortcut on the desktop. Manual removal, and with it the partial removal that leaves other components behind, is therefore more likely than with most malware.

Not surprisingly, there was a large overlap between Win32/FakeXPA and Win32/Yektel, with MSRT cleaning 61,439 machines that had both. With a total of 107,495 machines cleaned of Win32/Yektel, however, that leaves 46,056 machines on which Yektel was cleaned without Win32/FakeXPA, so there were many cases of Yektel running in isolation as well.
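The two measurements compared above (any component removed versus the EXE component removed) and the cross-family overlap, worked through on a handful of constructed cleaning records. This is an added example and not MSRT code or MSRT data; the record layout, the machine ids and every component name other than the EXE and CPL mentioned in the post are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample of MSRT-style cleaning records:
# (machine id, threat family, component removed). Made-up rows, not telemetry.
# Component names other than "exe" and "cpl" are assumptions.
RECORDS = [
    ("m01", "Win32/FakeXPA", "exe"),
    ("m01", "Win32/FakeXPA", "cpl"),
    ("m01", "Win32/Yektel", "dll"),
    ("m02", "Win32/FakeXPA", "cpl"),      # partial: CPL left behind, EXE already gone
    ("m03", "Win32/FakeXPA", "exe"),
    ("m03", "Win32/FakeXPA", "cpl"),
    ("m04", "Win32/Yektel", "dll"),       # Yektel with no FakeXPA on the machine
    ("m05", "Win32/FakeSecSen", "exe"),
    ("m05", "Win32/FakeSecSen", "cpl"),
    ("m05", "Win32/FakeSecSen", "dat"),
    ("m06", "Win32/FakeSecSen", "cpl"),   # partial
    ("m07", "Win32/FakeSecSen", "dat"),   # partial
    ("m08", "Win32/FakeXPA", "exe"),
    ("m08", "Win32/Yektel", "dll"),
]


def components_by_machine(records, family):
    """Map machine id -> set of components of `family` removed from that machine."""
    per_machine = defaultdict(set)
    for machine, fam, component in records:
        if fam == family:
            per_machine[machine].add(component)
    return per_machine


def distinct_machines(records, family):
    """The headline number: machines cleaned of any component of the family."""
    return len(components_by_machine(records, family))


def machines_with_component(records, family, component="exe"):
    """The stricter number: machines on which a given component was removed."""
    return sum(1 for comps in components_by_machine(records, family).values()
               if component in comps)


def partial_installs(records, family, core="exe"):
    """Machines cleaned of `family` on which the core component was absent.

    Returns (count, fraction of distinct machines); the fraction is the
    'partial installation' rate the post compares between the two rogues.
    """
    per_machine = components_by_machine(records, family)
    partial = [m for m, comps in per_machine.items() if core not in comps]
    total = len(per_machine)
    return len(partial), (len(partial) / total if total else 0.0)


def overlap(records, family_a, family_b):
    """Machines on which both families were cleaned."""
    a = set(components_by_machine(records, family_a))
    b = set(components_by_machine(records, family_b))
    return len(a & b)


def isolated(records, family, other):
    """Machines cleaned of `family` but not of `other` (e.g. Yektel without FakeXPA)."""
    a = set(components_by_machine(records, family))
    b = set(components_by_machine(records, other))
    return len(a - b)


def summarize(records, families=("Win32/FakeXPA", "Win32/FakeSecSen", "Win32/Yektel")):
    """Per-family table of the three counts the post discusses."""
    table = {}
    for fam in families:
        count, frac = partial_installs(records, fam)
        table[fam] = {
            "distinct": distinct_machines(records, fam),
            "exe_removed": machines_with_component(records, fam),
            "partial": count,
            "partial_rate": round(frac, 3),
        }
    return table


if __name__ == "__main__":
    for fam, row in summarize(RECORDS).items():
        print(f"{fam:18} {row}")
    print("both FakeXPA and Yektel:", overlap(RECORDS, "Win32/FakeXPA", "Win32/Yektel"))
    print("Yektel alone:", isolated(RECORDS, "Win32/Yektel", "Win32/FakeXPA"))
```

On the constructed rows the raw count ranks Win32/FakeXPA ahead of Win32/FakeSecSen, but the partial-install rate is what explains why the two rankings can disagree on real data: a family whose leftover components are cleaned more often inflates its "distinct machines" figure without a matching rise in EXE removals.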

Finally, we saw a dramatic decrease in Win32/FakeSecSen removals this month, down to 62,077 distinct machines. Those numbers, coupled with the fact that we have seen no new variants of the rogue for three weeks, suggest that the creators of Win32/FakeSecSen may have moved on to other ways of making money.
 
-- Hamish O'Dea