The February release of MSRT added a new threat family, Win32/Srizbi, as Vince discussed last week. As of February 16, MSRT had cleaned Srizbi from 38,697 machines, which is 14.1% of the Win32/Nuwar ("Storm" worm) removals recorded over the equivalent period of the September 2007 release.
So what tops the detection and removal list this month? The online game password stealers (PWS) Win32/Taterf and Win32/Frethog are the top two threat families, with 981,051 and 316,971 machines cleaned respectively one week after the MSRT release. Taterf removals are already 171% higher than the full month's volume for January.
Below are the top 10 threat families from MSRT February telemetry one week after release:
Rank  Family    Distinct machines cleaned
   1  Taterf      981,051
   2  Frethog     316,971
   3  Renos       270,395
   4  Alureon     205,930
   5  Tibs        148,866
   6  Vundo       116,837
   7  Bancos      114,190
   8  FakeXPA     110,855
   9  Yektel      101,773
  10  Banker       81,873
In the last Security Intelligence Report (SIR), Microsoft identified online game PWS threats as a key area of the threat landscape:
"The increasing popularity of massively multiplayer online role-playing games (MMORPGs) has created a new online economy in which players auction off hard-won virtual 'gold' and in-game equipment for real-world cash. Though the games' makers usually discourage such commerce and often penalize players who are known to engage in it, the possessions and attributes of a well-stocked character can fetch hundreds of U.S. dollars from game devotees. Perhaps inevitably, this has led to the development of a curious new class of threat: worms and trojans that steal players' gaming passwords on behalf of thieves who can then auction the victim's virtual loot themselves." -- Page 62, Microsoft Security Intelligence Report, January through June 2008.
MMPC continues to monitor the activity of these PWS threats, and many of them have remained quite prevalent over the last eight months. Monthly MSRT rankings show that Taterf and Frethog have stayed very active since they were added to the MSRT detection list in June 2008: Taterf has never dropped out of the top 5, and Frethog has been in the top 5 every month except last November and December.
What does this mean? Compared with the rogue security software families we focused on last November and December, these game PWS threats are more resilient and have longer life cycles. Win32/FakeSecSen, the rogue added to MSRT in November 2008, dropped out of the top 20 a month after debuting at #1; Win32/FakeXPA, the rogue added in December 2008, debuted at #1 in December and is now #9. Malware authors are actively updating Taterf and Frethog to keep them highly polymorphic and are distributing variants of the same code base to multiple criminal groups. This month we still saw 17,070 distinct Taterf files and 26,420 distinct Frethog files.
Top 10 Win32/Taterf files detected by the MSRT February release:
Top 10 Taterf SHA-1                              Machines cleaned
0x4D5C36EBFF00262E08FF12DC6B9CC3F297B93A76       197,184
0x35072F85D8E5AD7D731BCE01295C2108FCD55C85       147,390
0xD7748D299E65AD47D1A48D8E2408612E35A143AC        66,505
0xB3299A705AF4A1E5F6C2FCE2316BB665A0F4E550        56,204
0x00B366551030D6D20D31C7254636CBCEABB53EAF        47,302
0x68DCEC00E799ED4351EFD4A1D74AE016DB72D2A6        47,193
0xFC22B927A8371FF5DA758BA8CF10DCEA30AA5279        43,344
0xD1EB3B53B60277E8CF87F5C7FB2EE526600683AB        38,490
0x814D454466BAB020ABCD71F5097E96732D45E559        33,235
0xBC7A31198F890C27D31AEA70A54A9CC37CB3F1CF        32,505
Top 10 Win32/Frethog files detected by the MSRT February release:
Top 10 Frethog SHA-1                             Machines cleaned
0x282CA82931E7D3C80074A7506DCF5B2041B02D38        62,649
0xFD747631398350020A1EE126B1E3C27668194809        40,798
0xF7C3DD41D5F385C569B2D0C2C3D94904189A2442        21,360
0x1E60883D943AFA395708F583AE33FCE6935867DA        16,142
0x297C4A4CBA246B70F12EBAADDC48B5D65A41A875        11,037
0xD18CF04FC57D0111AA436258AE7DCA9A00645FA0        11,017
0x1FA01DC607E5D2FA5893A610DAB49C2DDC96CDB5        10,014
0x131C8DC19A6C301BEBB4CF27F231064789A778A5         9,695
0xB5EF7032C2E81D6BD99DB6E7A30B43C6063F1EC0         8,055
0x6AF19AC78B47FE46AE71ECBD584D1CB6A9CDDE2E         6,392
The main shift in the geographic distribution of these PWS threats is that China no longer leads: it is absent from the Taterf top 20 and only tenth for Frethog, whereas in Matt McCormack's June 2008 blog post and Jeff Williams's August 2008 blog post China was the most prevalent region for these threats. This does not necessarily mean the malware authors are retreating from China. With a projected online game market of "17.03 billion RMB (around 2.43 billion USD) in 2009", as described in Chun Feng's VB paper "Playing with shadows - exposing the black market for online game password theft", the malware writers will certainly want a piece of the pie. Read Chun's paper for a glimpse of the malware underground economy. You do not want your IDs auctioned there.
Win32/Taterf, week 1, February 2009:
Rank  Country/Region    Distinct machines cleaned
   1  United States       127,833
   2  Taiwan              113,944
   3  Korea               112,784
   4  Turkey              112,464
   5  Spain                93,168
   6  Brazil               72,196
   7  Japan                53,536
   8  France               49,688
   9  Poland               47,558
  10  Mexico               47,512
  11  Russia               18,494
  12  Italy                16,588
  13  Hong Kong             9,849
  14  Saudi Arabia          9,757
  15  Colombia              7,953
  16  United Kingdom
  17  Thailand              5,626
  18  Chile                 5,329
  19  Portugal              4,579
  20  Peru                  4,375
      Other                58,248
Win32/Frethog, week 1, February 2009:
Rank  Country/Region (only China and Venezuela are named in this copy of the table)    Distinct machines cleaned
   1                       44,859
   2                       38,804
   3                       32,650
   4                       32,122
   5                       22,460
   6                       24,858
   7                       15,072
   8                       12,704
   9                       12,094
  10  China                 7,899
  11                        4,520
  12                        3,277
  13                        2,838
  14                        2,595
  15                        2,564
  16                        2,224
  17                        1,957
  18                        1,569
  19                        1,374
  20  Venezuela             1,315
      Other                18,808
We identified at least the following games or game platforms that are targeted by Taterf and Frethog authors:
If you play the above games, we suggest you read Jeremy Croy's blog post and be cautious in your online and gaming adventures, especially if you log in from an Internet café. At home, do yourself a favor and install a full AV product. At a minimum, if you suspect your computer is infected, run a virus scan with the Microsoft Windows Live safety scanner at http://safety.live.com.
--Scott Wu