The February release of MSRT added a new threat family, Win32/Srizbi, as Vince discussed last week. As of February 16, MSRT has cleaned 38,697 machines of Srizbi infections. For scale, that is 14.1% of the Win32/Nuwar (“Storm” worm) removals MSRT recorded over the same timeframe after the September 2007 release.

So what tops the detection and removal list this month? The online game password stealers (PWS) Win32/Taterf and Win32/Frethog are the top two threat families, with 981,051 and 316,971 machines cleaned respectively one week after the MSRT release. Taterf removals are already 171% higher than the full month's volume in January.

Below are the top 10 threat families from MSRT February telemetry one week after release:

Rank  Family    Distinct machines cleaned
1     Taterf      981,051
2     Frethog     316,971
3     Renos       270,395
4     Alureon     205,930
5     Tibs        148,866
6     Vundo       116,837
7     Bancos      114,190
8     FakeXPA     110,855
9     Yektel      101,773
10    Banker       81,873

In the last Security Intelligence Report (SIR), Microsoft identified online game PWS threats as a key area of the threat landscape:

The increasing popularity of massively multiplayer online role-playing games (MMORPGs) has created a new online economy in which players auction off hard-won virtual “gold” and in-game equipment for real-world cash. Though the games’ makers usually discourage such commerce and often penalize players who are known to engage in it, the possessions and attributes of a well-stocked character can fetch hundreds of U.S. dollars from game devotees. Perhaps inevitably, this has led to the development of a curious new class of threat: worms and trojans that steal players’ gaming passwords on behalf of thieves who can then auction the victim’s virtual loot themselves. -- Page 62, Microsoft Security Intelligence Report, January through June 2008.

MMPC continues to monitor the activity of these PWS threats. Many of them have remained quite prevalent over the last eight months. The trend chart below shows that Taterf and Frethog have stayed very active since they were added to the MSRT detection list in June 2008. Taterf has never dropped out of the top 5, and Frethog has consistently been in the top 5 except during last November and December.

[Chart: PWS Telemetry]

What does this mean? Compared with the rogue security software families we focused on last November and December, these game PWS threats appear to be more resilient and to have longer life cycles. (Win32/FakeSecSen, the rogue family added to MSRT in November 2008, dropped out of the top 20 a month after its initial #1 ranking; Win32/FakeXPA, the rogue family added in December 2008, is now #9 after ranking #1 in December.) Malware authors are busy updating Taterf and Frethog to make these threats highly polymorphic and to distribute variants of the same codebase to multiple criminal groups. This month we still saw 17,070 distinct Taterf files and 26,420 distinct Frethog files.

Top 10 Win32/Taterf files detected by the MSRT February release:

SHA-1                                        Machines cleaned
0x4D5C36EBFF00262E08FF12DC6B9CC3F297B93A76   197,184
0x35072F85D8E5AD7D731BCE01295C2108FCD55C85   147,390
0xD7748D299E65AD47D1A48D8E2408612E35A143AC    66,505
0xB3299A705AF4A1E5F6C2FCE2316BB665A0F4E550    56,204
0x00B366551030D6D20D31C7254636CBCEABB53EAF    47,302
0x68DCEC00E799ED4351EFD4A1D74AE016DB72D2A6    47,193
0xFC22B927A8371FF5DA758BA8CF10DCEA30AA5279    43,344
0xD1EB3B53B60277E8CF87F5C7FB2EE526600683AB    38,490
0x814D454466BAB020ABCD71F5097E96732D45E559    33,235
0xBC7A31198F890C27D31AEA70A54A9CC37CB3F1CF    32,505

Top 10 Win32/Frethog files detected by the MSRT February release:

SHA-1                                        Machines cleaned
0x282CA82931E7D3C80074A7506DCF5B2041B02D38    62,649
0xFD747631398350020A1EE126B1E3C27668194809    40,798
0xF7C3DD41D5F385C569B2D0C2C3D94904189A2442    21,360
0x1E60883D943AFA395708F583AE33FCE6935867DA    16,142
0x297C4A4CBA246B70F12EBAADDC48B5D65A41A875    11,037
0xD18CF04FC57D0111AA436258AE7DCA9A00645FA0    11,017
0x1FA01DC607E5D2FA5893A610DAB49C2DDC96CDB5    10,014
0x131C8DC19A6C301BEBB4CF27F231064789A778A5     9,695
0xB5EF7032C2E81D6BD99DB6E7A30B43C6063F1EC0     8,055
0x6AF19AC78B47FE46AE71ECBD584D1CB6A9CDDE2E     6,392
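The two hash tables above are ready-made indicators of compromise. As an added example (this is not MMPC code or part of the original post), the following Python script loads both lists, normalizes the digests, and sweeps a directory tree for files whose SHA-1 matches. The hash values are copied from the tables; the family labels, function names and the command-line directory argument are assumptions. Two details matter in practice: the 0x prefix the post prints on each digest is not part of a SHA-1 and must be stripped before comparison, and with 17,070 distinct Taterf and 26,420 distinct Frethog files in circulation a 20-hash list only catches the most widespread samples, so this is a retrospective check on the top files, not a substitute for a full AV scan.

```python
"""Hash-based IOC sweep for the top Win32/Taterf and Win32/Frethog files.

Added example, not MMPC code. The SHA-1 values are copied from the MSRT
February 2009 telemetry tables; everything else here is an assumption.
"""
import hashlib
import os
from typing import Dict, List, Tuple

# Copied from the Taterf table above. The 0x prefix is how the post prints
# the digests; it is not part of the hash and is stripped by normalize_sha1.
TATERF_SHA1 = [
    "0x4D5C36EBFF00262E08FF12DC6B9CC3F297B93A76",
    "0x35072F85D8E5AD7D731BCE01295C2108FCD55C85",
    "0xD7748D299E65AD47D1A48D8E2408612E35A143AC",
    "0xB3299A705AF4A1E5F6C2FCE2316BB665A0F4E550",
    "0x00B366551030D6D20D31C7254636CBCEABB53EAF",
    "0x68DCEC00E799ED4351EFD4A1D74AE016DB72D2A6",
    "0xFC22B927A8371FF5DA758BA8CF10DCEA30AA5279",
    "0xD1EB3B53B60277E8CF87F5C7FB2EE526600683AB",
    "0x814D454466BAB020ABCD71F5097E96732D45E559",
    "0xBC7A31198F890C27D31AEA70A54A9CC37CB3F1CF",
]

# Copied from the Frethog table above.
FRETHOG_SHA1 = [
    "0x282CA82931E7D3C80074A7506DCF5B2041B02D38",
    "0xFD747631398350020A1EE126B1E3C27668194809",
    "0xF7C3DD41D5F385C569B2D0C2C3D94904189A2442",
    "0x1E60883D943AFA395708F583AE33FCE6935867DA",
    "0x297C4A4CBA246B70F12EBAADDC48B5D65A41A875",
    "0xD18CF04FC57D0111AA436258AE7DCA9A00645FA0",
    "0x1FA01DC607E5D2FA5893A610DAB49C2DDC96CDB5",
    "0x131C8DC19A6C301BEBB4CF27F231064789A778A5",
    "0xB5EF7032C2E81D6BD99DB6E7A30B43C6063F1EC0",
    "0x6AF19AC78B47FE46AE71ECBD584D1CB6A9CDDE2E",
]


def normalize_sha1(value: str) -> str:
    """Return a canonical lowercase 40-hex-char digest; reject anything else.

    Rejecting malformed entries up front matters: a truncated or mistyped
    hash in an IOC list silently matches nothing and the sweep looks clean.
    """
    digest = value.strip().lower()
    if digest.startswith("0x"):
        digest = digest[2:]
    if len(digest) != 40 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"not a SHA-1 hex digest: {value!r}")
    return digest


def build_ioc_index(families: Dict[str, List[str]]) -> Dict[str, str]:
    """Map each normalized digest to the family name it was published under."""
    index: Dict[str, str] = {}
    for family, hashes in families.items():
        for h in hashes:
            index[normalize_sha1(h)] = family
    return index


def sha1_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in fixed-size chunks so large files never sit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root: str, index: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Walk root and return (path, sha1, family) for every file in the index.

    Files that cannot be read (locked, permission denied, vanished mid-walk)
    are skipped rather than aborting the whole sweep.
    """
    hits: List[Tuple[str, str, str]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue
            family = index.get(digest)
            if family is not None:
                hits.append((path, digest, family))
    return hits


if __name__ == "__main__":
    import sys

    # Assumed usage: python sweep.py <directory>; defaults to the current directory.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    ioc = build_ioc_index({"Win32/Taterf": TATERF_SHA1, "Win32/Frethog": FRETHOG_SHA1})
    for path, digest, family in scan_tree(root, ioc):
        print(f"{family}\t{digest}\t{path}")
```

Because the authors keep rebuilding these families, a miss from this script says only that none of the top 10 published samples is present; a hit is a strong signal and the machine should get a full scan and a password change for every game account used on it.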

The main shift in the geographic distribution of these PWS threats is that China has dropped from the top of the list (it is #36 for Taterf and #10 for Frethog this month), compared with what Matt McCormack reported in his June 2008 blog post and Jeff Williams in his August 2008 blog post, when China was the most prevalent region for these threats. This does not necessarily mean the malware authors are retreating from China. With a projected online game market of “17.03 billion RMB (around 2.43 billion USD) in 2009”, as described in Chun Feng’s Virus Bulletin paper “Playing with shadows - exposing the black market for online game password theft”, the malware writers will certainly want a piece of the pie. Read Chun's paper for a glimpse of the malware underground economy. You do not want your IDs auctioned there.

Win32/Taterf, week 1, February 2009:

Rank  Country/Region   Distinct machines cleaned
1     United States      127,833
2     Taiwan             113,944
3     Korea              112,784
4     Turkey             112,464
5     Spain               93,168
6     Brazil              72,196
7     Japan               53,536
8     France              49,688
9     Poland              47,558
10    Mexico              47,512
11    Russia              18,494
12    Italy               16,588
13    Hong Kong            9,849
14    Saudi Arabia         9,757
15    Colombia             7,953
16    United Kingdom       7,953
17    Thailand             5,626
18    Chile                5,329
19    Portugal             4,579
20    Peru                 4,375
      Other               58,248

Note: China is #36 on the Win32/Taterf list

Win32/Frethog, week 1, February 2009:

Rank  Country/Region   Distinct machines cleaned
1     United States       44,859
2     Taiwan              38,804
3     Turkey              32,650
4     Korea               32,122
5     Brazil              22,460
6     Spain               24,858
7     France              15,072
8     Poland              12,704
9     Mexico              12,094
10    China                7,899
11    Italy                4,520
12    Saudi Arabia         3,277
13    Hong Kong            2,838
14    United Kingdom       2,595
15    Russia               2,564
16    Colombia             2,224
17    Thailand             1,957
18    Chile                1,569
19    Japan                1,374
20    Venezuela            1,315
      Other               18,808

We identified at least the following games or game platforms targeted by the Taterf and Frethog authors:

  • Rainbow Island
  • Cabal Online
  • A Chinese Odyssey
  • Hao Fang Battle Net
  • Lineage
  • Gamania
  • MapleStory
  • Qqgame
  • Legend of Mir
  • World Of Warcraft

If you play any of the above games, we suggest you read Jeremy Croy’s blog post and be cautious in your online and gaming adventures, especially if you log in from an Internet café. At home, do yourself a favor and install a full AV product. At a minimum, if you suspect your computer has been infected, run a scan with the Microsoft Windows Live safety scanner at http://safety.live.com.

--Scott Wu