Following up on the blog post that our friends in the Microsoft Security Response Center posted a few weeks ago, we wanted to share the results from the April edition of MSRT. As part of our ongoing updates to families already in MSRT, we have added support for more variants of the Win32/Alureon rootkit/infector, including the ones responsible for the issues widely reported with Microsoft Security Bulletin MS10-015. Below is a summary of the Alureon cleaning using MSRT in April:

Variant                              Computers Cleaned
Virus:Win32/Alureon.A                           43,620
Virus:Win32/Alureon.B                            7,297
Virus:Win32/Alureon.F                           36,586
Virus:Win32/Alureon.G                          102,549
Alureon Trojans and Droppers                    72,917
Total                                          262,969

As we mentioned in our earlier blog post, the Alureon family has been around for years, but some variants (.A through .F) drew a lot of attention in February because they conflicted with Microsoft Security Bulletin MS10-015: the rootkit assumed fixed addresses inside ntoskrnl.exe, so once the update replaced the kernel those assumptions broke and infected machines failed to boot. Within a few days the rootkit authors released Win32/Alureon.G, which avoids the conflict, since the boot failures were attracting unwanted attention. Microsoft also re-released MS10-015 with heuristic checks in the installer that look for symptoms of the rootkit; on a machine that shows them the update is withheld and the user is warned of the problem instead of being left unbootable. The recently released Microsoft Security Bulletin MS10-021 behaves the same way.

The good news is that once the April MSRT runs and removes Alureon from the machine, these updates install successfully and the machine can be brought up to date.

The breakdown of Alureon cleanings by operating system in the chart shows that around two thirds of the total infections occurred on Windows XP. That fits with how the installer asks for privileges: a quick look at the manifest of a sample installer shows that the malware explicitly requests elevation to install:

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false">
        </requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>

On Windows XP, where the logged-on user is commonly an administrator and there is no User Account Control, that request is satisfied silently and the rootkit gets to the kernel without the user seeing anything. On Windows Vista and Windows 7 the same manifest triggers a UAC consent or credential prompt before the installer can run elevated, which gives the user a chance to stop it. This reiterates the value of security best practices such as keeping UAC enabled and running day to day as a standard user rather than an administrator.
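The manifest above is the kind of thing worth pulling out of an installer during triage before it is ever run. The following is an added example, not code from the original post or from Microsoft: it locates an embedded manifest in a PE image by string search (the manifest lives in the RT_MANIFEST resource as UTF-8 XML), parses it, and reports the requestedExecutionLevel. The sample bytes are constructed from the manifest quoted above and are not a real Alureon file; the function names are ours.

```python
import re
import xml.etree.ElementTree as ET

# A PE manifest is stored as UTF-8 XML in the RT_MANIFEST resource. For
# triage a plain byte search for the <assembly> element is enough and avoids
# walking the resource directory. UTF-16 manifests (rare) would be missed.
_MANIFEST_RE = re.compile(rb"<assembly\b.*?</assembly>", re.DOTALL)


def _local(tag):
    """Strip the XML namespace so asm.v2 and asm.v3 trustInfo both match."""
    return tag.rsplit("}", 1)[-1]


def requested_execution_level(pe_bytes):
    """Return {'level': str, 'uiAccess': bool} for the first manifest found in
    pe_bytes, or None when there is no manifest or no requestedExecutionLevel."""
    m = _MANIFEST_RE.search(pe_bytes)
    if not m:
        return None
    try:
        root = ET.fromstring(m.group(0))
    except ET.ParseError:
        return None
    for el in root.iter():
        if _local(el.tag) == "requestedExecutionLevel":
            return {
                # Windows treats a missing level as asInvoker.
                "level": el.get("level", "asInvoker"),
                "uiAccess": el.get("uiAccess", "false").lower() == "true",
            }
    return None


def elevation_verdict(pe_bytes):
    """One-line triage note describing what the manifest asks for."""
    info = requested_execution_level(pe_bytes)
    if info is None:
        return "no manifest / no requestedExecutionLevel: nothing requested via manifest"
    if info["level"] == "requireAdministrator":
        return "requireAdministrator: UAC prompt on Vista/7, silent admin install on XP"
    if info["level"] == "highestAvailable":
        return "highestAvailable: elevates only if the caller is an administrator"
    return "asInvoker: runs at the caller's existing privilege level"


# Constructed sample: the manifest quoted in the post, padded with filler bytes
# to stand in for the rest of a PE image. This is not a real malware sample.
SAMPLE_MANIFEST = b"""<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false">
        </requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>"""
SAMPLE_PE = b"MZ" + b"\x00" * 64 + SAMPLE_MANIFEST + b"\x00" * 16

if __name__ == "__main__":
    print(elevation_verdict(SAMPLE_PE))
```

Two caveats when using a check like this: the manifest is only one way to ask for elevation (a dropper can also relaunch itself through the runas verb, or simply rely on the user already being an administrator, as is typical on XP), and a requireAdministrator manifest is common in legitimate installers, so the result is a triage signal, not a verdict on its own.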

Looking at the geographical distribution, the majority of the infections occur in English-speaking countries. Since the rootkit installers frequently include quotations from Hollywood pop culture, the authors appear to be well acquainted with current US pop culture.

Apart from tackling the Alureon variants, the newly added threat family for this month, Win32/Magania, was cleaned from 43,394 machines. In total, the April MSRT has cleaned malware infections from 3,168,563 machines since its release on the 13th of this month. Below are the top five most prevalent threat families cleaned by MSRT in April.

Family                               Computers Cleaned
Frethog                                        831,289
Taterf                                         372,597
Alureon                                        262,969
Rimecud                                        250,603
Hamweq                                         225,104

Four of the top five, Frethog, Taterf, Rimecud and Hamweq, are worms that rely on propagation mechanisms which have traditionally led to outbreaks: shared and mapped network drives, removable devices and AutoRun, all attack surfaces we have been combating for years. We highly recommend reading the section "Protecting Against Malicious and Potentially Unwanted Software" in the latest edition of the Microsoft Security Intelligence Report, which provides good advice on preventing the spread of infections and on tackling malware in general, so that you and any users you support stay fully protected.
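The AutoRun abuse these worms share leaves a predictable artifact: an autorun.inf at the root of the removable or mapped drive that points the open, shellexecute or shell\...\command directives at the worm's executable, often dressed up with the built-in folder icon and an AutoPlay action string so the drive looks like a harmless folder. The following is an added example, not code from the original post or from Microsoft, that parses an autorun.inf and flags those directives; the sample file is constructed in the style of USB worms and is not a real capture, and the function names are ours.

```python
import re

# [autorun] directives that cause a file to execute when the drive is
# inserted or when the user double-clicks it in Explorer.
EXEC_KEYS = {"open", "shellexecute"}
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


def parse_autorun_inf(text):
    """Parse INI-style autorun.inf text into {section: {key: value}}.
    Section and key names are lower-cased; comment and junk lines are
    skipped, which also copes with the filler lines some worms add."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def autorun_findings(text):
    """Return a list of (directive, value, reason) tuples for the entries in
    [autorun] that execute code or disguise the drive."""
    findings = []
    autorun = parse_autorun_inf(text).get("autorun", {})
    for key, value in autorun.items():
        if key in EXEC_KEYS or SHELL_CMD_RE.match(key):
            findings.append((key, value, "executes a file on insert or open"))
        elif key == "shell":
            findings.append((key, value, "changes the default verb, usually to a shell\\...\\command entry"))
        elif key == "icon" and "shell32.dll" in value.lower():
            findings.append((key, value, "borrows a system icon so the drive looks like a folder"))
        elif key == "action" and "open folder" in value.lower():
            findings.append((key, value, "mimics the Windows AutoPlay text to invite a click"))
    return findings


def is_suspicious(text):
    """True when any directive would run a file from the drive."""
    return any(k in EXEC_KEYS or SHELL_CMD_RE.match(k) for k, _, _ in autorun_findings(text))


# Constructed sample in the style of the USB worms discussed above; not a
# real capture. The payload path and name are invented.
SAMPLE_AUTORUN = r"""[AutoRun]
; filler line of the kind worms insert to confuse naive parsers
open=RECYCLER\setup.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\Command=RECYCLER\setup.exe
shell\open\Default=1
shell\explore=Explore
shell\explore\Command=RECYCLER\setup.exe
"""

if __name__ == "__main__":
    for directive, value, reason in autorun_findings(SAMPLE_AUTORUN):
        print(f"{directive:22} {reason}: {value}")
```

Windows' own autorun.inf parser is more lenient than this one, so treat a clean result as "nothing obvious" rather than "safe"; the durable fix is the one the Security Intelligence Report recommends, disabling AutoRun for removable drives (the NoDriveTypeAutoRun policy) so the file is never honored in the first place.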

Joe Johnson & Vishal Kapoor