This month’s Malicious Software Removal Tool (MSRT) release added new detection and cleaning for several malware threats that incorporate the use of the CVE-2010-2568 vulnerability (which was fixed by the MS10-046 security bulletin released in August).  This includes the Win32/Stuxnet family and several variants of Win32/Vobfus and W32/Sality.

From a global perspective, the results for these .lnk-related families were interesting.  The following chart shows countries with the most saturated infections—that is, for every computer scanned, what percentage had an infection for each family.

Although these families had large numbers of cleanings in places like the US, India, France, Russia, Spain, and Brazil, these locations were not nearly as saturated with the malware (when you look at infections per capita) in comparison to the top regions shown in the chart above.  Some regions had smaller numbers of affected computers, but extraordinarily high saturation rates, such as Iran and Indonesia.

Iran and Indonesia have typically had very low CCM rates.  (CCM stands for Computers Cleaned per Mille – a count of how many computers were infected for each thousand scanned.)  This count is a measure of all malware families, not just a single family.  The Stuxnet infections that Iran and Indonesia have incurred over these past few months have been high enough to triple their CCMs.  To have a single family increase a country’s typically low malware saturation by a factor of three is very significant.

The tables below show the top five locations where the most computers were cleaned, by family, along with the percentage of computers cleaned relative to the total number scanned by MSRT in that location (between the start of Aug. 10 and midnight, Aug. 17, 2010).

Stuxnet

Geography        Cleanings    % of scanned
United States    31,740       0.03%
Indonesia        11,030       1.66%
Iran             4,818        1.83%
India            2,130        0.10%
Russia           714          0.01%

Vobfus

Geography        Cleanings    % of scanned
United States    54,065       0.1%
Mexico           20,243       0.4%
France           12,352       0.1%
Brazil           12,296       0.1%
Portugal         9,995        0.4%

Sality.AU

Geography        Cleanings    % of scanned
United States    9,058        0.01%
Turkey           5,575        0.15%
Brazil           4,810        0.04%
Russia           1,931        0.03%
Spain            1,077        0.01%
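As an added illustration (not code from the original MSRT post), the following Python takes the Stuxnet rows from the table above, backs out an estimate of how many computers MSRT scanned in each location, converts the published percentage into CCM (Computers Cleaned per Mille, as defined earlier in the post), and shows how the ranking by raw cleanings differs from the ranking by saturation. The scanned-count estimate is an assumption derived from the two-decimal percentages, not a figure from the post.

```python
# Added example (not from the original MSRT post): converts the per-family
# "cleanings" and "% of scanned" figures into CCM (Computers Cleaned per
# Mille) and shows why ranking by raw cleanings differs from ranking by
# saturation. Input rows are copied from the Stuxnet table in the post.

STUXNET_ROWS = [
    # (geography, cleanings, percent of scanned computers that were cleaned)
    ("United States", 31_740, 0.03),
    ("Indonesia", 11_030, 1.66),
    ("Iran", 4_818, 1.83),
    ("India", 2_130, 0.10),
    ("Russia", 714, 0.01),
]


def ccm(cleaned: int, scanned: int) -> float:
    """Computers Cleaned per Mille: cleaned computers per 1,000 scanned."""
    if scanned <= 0:
        raise ValueError("scanned must be positive")
    return 1000.0 * cleaned / scanned


def implied_scanned(cleaned: int, percent: float) -> int:
    """Estimated number of computers scanned, backed out from a cleaning
    count and the published percentage. The post gives percentages to two
    decimals only, so this is an assumption-based estimate, not a reported
    figure."""
    if percent <= 0:
        raise ValueError("percent must be positive")
    return round(cleaned * 100.0 / percent)


def saturation_report(rows):
    """Return (geography, cleanings, estimated scanned, CCM) per row."""
    report = []
    for geo, cleaned, pct in rows:
        scanned = implied_scanned(cleaned, pct)
        report.append((geo, cleaned, scanned, round(ccm(cleaned, scanned), 2)))
    return report


def rank_by_cleanings(rows):
    """Locations ordered by absolute cleaning count, highest first."""
    return [geo for geo, _, _ in sorted(rows, key=lambda r: r[1], reverse=True)]


def rank_by_saturation(rows):
    """Locations ordered by share of scanned computers cleaned, highest first."""
    return [geo for geo, _, _ in sorted(rows, key=lambda r: r[2], reverse=True)]


if __name__ == "__main__":
    for line in saturation_report(STUXNET_ROWS):
        print("%-14s cleaned=%7d scanned~%10d CCM=%.2f" % line)
    print("by cleanings: ", rank_by_cleanings(STUXNET_ROWS))
    print("by saturation:", rank_by_saturation(STUXNET_ROWS))
```

A percentage of scanned computers maps directly to CCM by multiplying by ten, which is why Iran's 1.83% corresponds to a CCM of about 18.3 even though its absolute count is a fraction of the US figure.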

In addition to these malware families, MSRT also cleaned any malicious shortcut (.lnk) files found on these systems in an attempt to stop the propagation vector, no matter which malware family may have incorporated it.

Top 10 families so far this month:

#     Family        Machine Count
1     Bubnix        265,964
2     Taterf        240,165
3     Alureon       184,921
4     Rimecud       165,125
5     Vobfus        149,911
6     Sality        130,992
7     Bancos        115,079
8     FakeSpypro    112,175
9     Frethog       111,029
10    Renos         105,751

15    Stuxnet       46,351
45    CplLnk        3,385


Within the first week of release, MSRT cleaned 12,283,167 files on 2,005,960 infected machines. Bubnix, the threat that was added to MSRT last month, is currently the most-cleaned threat and was third on the list of the top 25 families from last month’s MSRT release.  It has been disinfected from 471,243 machines.

Top 10 threats so far this month:

#     Threat Name                   Machine Count
1     Trojan:WinNT/Bubnix.gen!A     236,098
2     Worm:Win32/Taterf.B           166,355
3     Worm:Win32/Vobfus.gen!A       137,434
4     Trojan:WinNT/Sality           125,151
5     Virus:Win32/Alureon.H         113,707
6     Rogue:Win32/FakeSpypro        112,107
7     Worm:Win32/Hamweq.A           56,668
8     Worm:Win32/Conficker.B        55,188
9     Trojan:WinNT/Bubnix.J         54,414
10    PWS:Win32/Frethog.gen!H       52,805

14    Trojan:WinNT/Stuxnet.A        45,605
15    Trojan:WinNT/Stuxnet.B        45,046
30    Virus:Win32/Sality.AU         19,140
49    Worm:Win32/Vobfus.gen!B       9,683
61    Worm:Win32/Sality.AU          6,832
86    Worm:Win32/Vobfus.gen!C       4,264


Stuxnet, which led to the initial discovery of the CVE-2010-2568 vulnerability that allows shortcut files to automatically launch when a removable drive is accessed, has a disinfection count that is lower than other related families. At the moment, it has been disinfected from 46,351 machines (components like Trojan:WinNT/Stuxnet.A and Trojan:WinNT/Stuxnet.B are often found on the same computer). On the other hand, Win32/Vobfus, a family of obfuscated worms that has been around since 2009 but incorporated the vulnerability into several of its later variants, has a higher disinfection count compared to Stuxnet. Win32/Vobfus has been disinfected from 149,911 machines, mostly due to the Worm:Win32/Vobfus.gen!A variant. Sality is right behind Vobfus in terms of machine counts, coming in at 130,992 disinfected machines.

More reading about Stuxnet, Vobfus and related topics:

http://blogs.technet.com/b/mmpc/archive/2010/08/10/breaking-some-malicious-lnks-with-msrt.aspx
http://blogs.technet.com/b/mmpc/archive/2010/07/30/stuxnet-malicious-lnks-and-then-there-was-sality.aspx
http://blogs.technet.com/b/mmpc/archive/2010/07/23/protection-for-new-malware-families-using-lnk-vulnerability.aspx
http://blogs.technet.com/b/mmpc/archive/2010/07/16/the-stuxnet-sting.aspx

More about Bubnix:

http://blogs.technet.com/b/mmpc/archive/2010/07/14/bubnix-uses-interesting-obfuscation-scheme.aspx

Aside from the above-mentioned threats, MSRT disinfected the usual game-password stealers such as Taterf and Frethog, several rogue threats including FakeSpypro and FakeXPA, and other prevalent and familiar threats that we usually see.

- Francis Allan Tan Seng, Vincent Tiu, and Holly Stewart