In the week since its release on December 8, MSRT has cleaned over 2.5 million machines of malware. The new family for December was Win32/Hamweq, an IRC controlled backdoor which spreads via removable drives. Hamweq was removed from 638,491 machines, making it the most prevalent family for the month, with around double the number of removals of Win32/Taterf, the next most prevalent family. Taterf, which is perennially one of the highest reported families by MSRT, also had more than twice the number of removals of the third most prevalent family.
Listed below are some of the families with high numbers of removals for this month.
Worm targeting removable drives, and IRC controlled backdoor
Worm targeting network/removable drives, and online game PWS
Network worm and malware downloader
Rogue antivirus downloader
Multiple component downloader and spammer
Data stealing malware that changes DNS settings
Online game password stealer related to Taterf
Password Stealer targeting predominantly Brazilian banks
Rogue antivirus component related to FakeXPA
Mass emailing worm
Multiple component worm targeting social networking sites
Downloader of numerous malware components
File infecting virus
IRC controlled backdoor
File infecting virus with IRC controlled backdoor
Multiple component malware family that downloads arbitrary files
Worm targeting removable drives
Downloader of bank password stealers
Rootkit enabled backdoor used to assist with sending of spam
Hamweq was prevalent across a wide range of locales worldwide – of the 199 locales where MSRT reported cleaning at least one system, 185 of them reported cleaning a Hamweq infection. Wherever a locale reported high numbers of machines cleaned of malware, reports of Hamweq were also generally high. The main exception to this was Chinese speaking countries, where reports were dominated by online game password stealing malware such as Taterf, Frethog, and Lolyda.
[Chart: machines cleaned by MSRT per locale, all malware versus Hamweq]
December’s MSRT release also saw a significant drop in the number of reports for Win32/FakeScanti, a rogue antivirus that was added to MSRT in October. At the corresponding period in October, FakeScanti was the 12th most prevalent family, with removals from 56,700 machines. Shortly afterwards, FakeScanti’s authors stopped making the modifications they had been using to evade antivirus detection, and as a result we have not needed to add a signature for FakeScanti since October 26. In November, FakeScanti was the 23rd most prevalent family with 20,222 removals, whilst by December it had dropped to 49th with 1595 removals.
While FakeScanti’s authors may have moved their focus to developing other malware, the rogue can still be downloaded, and we have since seen other malware that installs FakeScanti onto affected systems. Similarly, Win32/FakeSecSen, which was the very first rogue we added to MSRT in November 2008, can still be downloaded even though it has not been updated since later that month, and is still being cleaned in small numbers by MSRT over a year later. This month FakeSecSen was the 54th most prevalent family with 1031 removals.
The fact that these rogues’ distributors find it worthwhile to continue to host malware that would be detected by most antivirus products shows that unprotected systems are still a rich target for those who would use them for profit, or for other nefarious activities. As usual, we recommend protecting yourself by running Microsoft Security Essentials, or any other reputable antivirus solution.
David Wood, MMPC Melbourne