This month the MMPC added a new threat family, Win32/FakeRean, to the MSRT.  You can refer to Hamish’s blog post, “Win32/FakeRean and MSRT” for more details on this fake, or rogue, security software.  As of August 24, the MSRT had cleaned FakeRean from 162,328 infected machines.  The following table shows data gathered from the MSRT since its August release.

Family      Threat Count   Machine Count
Taterf           544,662         463,000
Renos            308,789         228,973
Alureon          249,101         211,441
FakeRean         219,359         162,328
Bancos           173,134         158,152
Koobface         274,769         134,139
Frethog          140,218         132,827
Cutwail          166,284         110,840
Rustock           98,673          90,788
Tibs              93,175          84,081

Note that the “Threat Count” total is higher than the “Machine Count” because an infected machine may contain multiple components of a threat.

Win32/Taterf noticeably still holds first place in the MSRT’s top detections.  This is a family of worms that spread via mapped drives in order to steal login and account details for popular online games.  Taterf is closely related to Win32/Frethog, another MSRT family added at the same time as Taterf, and also found in the above list. We believe that the two are based on the same source code due to the similarities between them. Since they were first added, these two families have been ranked near the top and this month is no exception.  You can revisit a previous blog post about this threat for more in-depth details.

Another usual suspect is Win32/Renos.  It was added to the MSRT in May 2007, before rogue software was viewed as being as disruptive as it is today. Renos holds a high ranking due to its strong ties with rogues. We think this addition was a good investment, as many of us have at least once encountered the dreaded “Your computer is infected!” message.

A few notes about the remaining threats from the list:

  • Win32/Koobface is a prevalent worm that spreads by utilizing social networking sites. It’s a complex family with multiple components that act as proxies, report affected users’ online behavior, generate “pay per click” advertising revenue, steal data, and even break captchas.
  • Win32/Alureon is a family of data-stealing trojans. These trojans allow an attacker to intercept incoming and outgoing Internet traffic to gather confidential information such as user names, passwords, and credit card data. Win32/Alureon may also allow an attacker to transmit malicious data to the infected computer. This family also has rootkit components that provide stealth functionality.
  • Win32/Bancos is a family of data-stealing trojans that captures users' online banking credentials such as account login names and passwords. These trojans send the captured information to the attacker by e-mail, or by uploading to an attacker's FTP site or posting to an attacker's Web site.

The following table shows the breakdown by country/region.  US, China, and Brazil report the highest numbers of infected machines during the same time frame as the previous table.

Country/Region   Threat Count   Machine Count
US                  8,750,628       2,183,166
China               1,085,140         383,378
Brazil                737,322         282,152
UK                  1,078,540         278,207
Korea                 601,646         262,539
France                412,115         156,566
Taiwan                236,047         140,283
Spain                 328,829         133,264
Canada                433,770         119,885
Mexico                447,841         117,845

The US is at the top of this list as it is by default the top target for most of the malicious code out there.  China and Brazil are actually a totally different story. While China is a top target for online games password stealers and the black market associated with it, Brazil is a prime goal for another breed of password stealers: those targeting bank accounts. Given these locations, it should come as no surprise that the top prevalent threats are what they are.

As you look at this table you will see that the number of unique machines infected is lower than the total number of disinfections by MSRT.  There are several reasons for this, including infections by multiple malware families on the same machine (some malware downloads other malware), multiple variants of the same family of malware found on the same machine, and re-infections of the same machine over time.  MSRT is not a replacement for antivirus software with real-time protection from a known, trusted vendor.  When choosing an AV vendor, be wary of rogue security software.  You can find a list of anti-virus products for Windows here.

We hope this data has been helpful for our readers.
Marian Radu & Scott Wu – MMPC

Additional resources:  Latest Microsoft Security Intelligence Report (SIR)