Threat Research & Response Blog
Last month we reported good cleaning results against the Win32/Alureon rootkit, and this month we have more good numbers to share with the May edition of MSRT. As we did last month, we continued to add detection for newer variants of Alureon:
Alureon Trojans and Droppers
As can be inferred from the numbers, compared to last month the new .H variant is the most prominent in terms of prevalence. There were several changes to the design of the rootkit to avoid detection and cleaning, showing that the rootkit is still under active development and distribution. One of the notable changes was to infect arbitrary system drivers instead of only the hooked miniport driver. As expected, this can have negative side effects on the machine depending on the driver chosen. For example, we’ve seen some machines have their keyboard disabled as a result of an infection. On other machines, Windows XP unexpectedly requests reactivation because the infection appears to be a significant hardware change.
Moreover, the trend percentages also show that some older variants of the rootkit “upgrade” to the latest version relatively quickly after a new release. However, the .A variant is still prevalent because of its use with a different malicious payload, called zooclicker. Overall, the number of computers cleaned increased by a whopping 37% compared to April due to a spurt in detections of the newest variant, and as a result Alureon climbed to the number 1 family spot in MSRT May.
Continuing the trend from last month, more than three-quarters of the infections occur on machines running Windows XP. This is likely due to the better security in later versions of the Microsoft Windows operating system. The dominance of XP SP3 can be attributed to the above combined with its high prevalence of use.
The geographical distribution is consistent with last month’s statistics and still reflects the malware’s prevalence bias toward English-speaking countries.
In addition, the new family for this month, Win32/Oficla, was cleaned from 74,690 machines. In total, MSRT May cleaned malware infections from 1,961,243 machines, and below are the most prevalent threat families cleaned with MSRT in May.
As always, we strongly urge users to run the latest version and updated signatures of an anti-malware product, such as our Microsoft Security Essentials, in order to stay protected.
- Vishal Kapoor and Joe Johnson