This month’s MSRT release includes signatures for Win32/Banload. This family of malware is known to download and execute variants of both Win32/Bancos and Win32/Banker, which are both families of password-stealing trojans. Typically, they attempt to capture online banking credentials and other sensitive information, gathering the data by various means such as key-logging.
 
If any of these three malware families sound familiar, it is probably because of how long each family has been in existence: their respective ages are measured in years. Additionally, both Win32/Bancos and Win32/Banker are longstanding MSRT families. Of particular note, the Microsoft Malware Protection Center (MMPC) receives more reports from MSRT for Win32/Bancos and Win32/Banker than from any other single source.
 
If we examine the threat counts for the top three countries for each of the Bancos and Banker families over the last 6 months, we observe that the majority of these reports originate from Brazil. This is expected, as Brazilian banks are the primary targets of these password stealers.

Win32/Bancos (6 month timeframe)

Country     Percentage   Threat Count
Brazil      81.17%       864,640
Portugal    5.5%         58,626
Spain       4.15%        44,226

Win32/Banker (6 month timeframe)

Country          Percentage   Threat Count
Brazil           82.47%       518,708
Portugal         4.45%        27,963
United States    3.11%        19,537

The data for Win32/Banload from the January 2009 MSRT shows the same geographical skew.

Win32/Banload (2 week timeframe)

Country     Percentage   Threat Count
Brazil      75.43%       63,099
Spain       8.46%        7,075
Portugal    4.56%        3,814

With the inclusion of Win32/Banload this month, MSRT is now able to detect and remove both the password-stealing and the downloading components. The total number of machines on which the January MSRT has detected each family, as of January 21, is:

January 2009 MSRT

Family           Machine Count
Win32/Banload    78,729
Win32/Banker     92,108
Win32/Bancos     133,024

The total number of unique machines detected with at least one of Banload, Banker or Bancos is 249,808. It should be noted that this is less than the sum of the machine counts listed above, because a machine affected by multiple families is counted once under each family. In fact, 39,933 unique machines reported a combination of threats from two families, and 7,060 machines reported threats from all three families.
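To make the overlap arithmetic concrete, here is an added Python example (not MMPC or MSRT code). It dedups constructed per-machine detection reports in a hypothetical "machine_id,family" format, counts machines per family and per overlap category, and checks the identity the paragraph above implies: unique machines = sum of per-family counts - machines with two families - 2 x machines with all three. Applied to the published figures, 78,729 + 92,108 + 133,024 = 303,861, and 303,861 - 39,933 - 2 x 7,060 = 249,808, matching the unique count stated above.

```python
"""Reconcile per-family MSRT machine counts against a unique-machine count.

Added example, not MMPC/MSRT code. The report lines below are constructed
sample data in a hypothetical "machine_id,family" format, not real telemetry.
"""
from collections import defaultdict

FAMILIES = ("Win32/Banload", "Win32/Banker", "Win32/Bancos")

# Constructed sample: one line per (machine, family) detection report.
# A machine can appear under more than one family, and the same family can be
# reported more than once by one machine (e.g. repeated scans).
SAMPLE_REPORTS = """\
m001,Win32/Bancos
m002,Win32/Banker
m002,Win32/Bancos
m003,Win32/Banload
m003,Win32/Banker
m003,Win32/Bancos
m004,Win32/Banload
m004,Win32/Banload
m005,Win32/Bancos
m006,Win32/Banker
m006,Win32/Banload
"""


def families_per_machine(report_text):
    """Map each machine id to the set of families it reported (repeats collapse)."""
    seen = defaultdict(set)
    for line in report_text.splitlines():
        line = line.strip()
        if not line:
            continue
        machine, family = line.split(",", 1)
        if family not in FAMILIES:
            continue  # ignore families outside the three being reconciled
        seen[machine].add(family)
    return dict(seen)


def summarize(per_machine):
    """Per-family machine counts plus the overlap breakdown and unique total."""
    family_counts = {f: 0 for f in FAMILIES}
    for fams in per_machine.values():
        for f in fams:
            family_counts[f] += 1  # one count per family per machine
    two = sum(1 for fams in per_machine.values() if len(fams) == 2)
    three = sum(1 for fams in per_machine.values() if len(fams) == 3)
    return {
        "family_counts": family_counts,
        "sum_of_family_counts": sum(family_counts.values()),
        "two_families": two,
        "all_three": three,
        "unique_machines": len(per_machine),
    }


def overlap_identity_holds(sum_of_family_counts, two_families, all_three, unique_machines):
    """A machine with two families is counted once too many in the per-family sum
    and a machine with all three is counted twice too many, so the unique count is
        unique = sum - two_families - 2 * all_three
    """
    return sum_of_family_counts - two_families - 2 * all_three == unique_machines


if __name__ == "__main__":
    summary = summarize(families_per_machine(SAMPLE_REPORTS))
    print(summary)
    print("identity holds on sample:",
          overlap_identity_holds(summary["sum_of_family_counts"],
                                 summary["two_families"],
                                 summary["all_three"],
                                 summary["unique_machines"]))
    # Published January 2009 figures from the post above.
    print("identity holds on published figures:",
          overlap_identity_holds(78729 + 92108 + 133024, 39933, 7060, 249808))
```

The same dedup is what you want before reporting "infected machines" from any per-signature detection feed: summing per-family hits overstates the footprint whenever one host carries several components of the same campaign, as the downloader/stealer pairing here does.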

-- Scott Molenkamp