Threat Research & Response Blog
This month’s Malicious Software Removal Tool (MSRT) release added new detection and cleaning for several malware threats that incorporate the use of the CVE-2010-2568 vulnerability (which was fixed by the MS10-046 security bulletin released in August). This includes the Win32/Stuxnet family and several variants of Win32/Vobfus and W32/Sality.
From a global perspective, the results for these .lnk-related families were interesting. The following chart shows the countries with the most saturated infections, that is, the percentage of all computers scanned in each country that were infected with each family.
Although these families had large numbers of cleanings in places like the US, India, France, Russia, Spain, and Brazil, these locations were not nearly as saturated with the malware (when you look at infections per capita) in comparison to the top regions shown in the chart above. Some regions had smaller numbers of affected computers, but extraordinarily high saturation rates, such as Iran and Indonesia.
Iran and Indonesia have typically had very low CCM rates. (CCM stands for Computers Cleaned per Mille – a count of how many computers were infected for each thousand scanned.) This count is a measure of all malware families, not just a single family. The Stuxnet infections that Iran and Indonesia have incurred over these past few months have been high enough to triple their CCMs. To have a single family increase a country’s typically low malware saturation by a factor of three is very significant.
The charts below show the top five locations where the most computers were cleaned by family, along with the percentage of computers cleaned in comparison to the total number scanned by MSRT in that location (between the start of Aug. 10 and midnight, Aug. 17, 2010).
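As an added illustration (not part of the original post, and not MSRT data), the following Python computes the three metrics the post contrasts, raw cleaning counts, per-family saturation, and CCM, over constructed per-location telemetry. The location names and counts are made up, and the CCM helper assumes each cleaned computer carried exactly one family so that family counts can be summed:

```python
# Constructed MSRT-style telemetry (hypothetical locations and counts):
# computers scanned per location and computers cleaned, per family.
TELEMETRY = {
    "Location A": {"scanned": 10_000_000,
                   "cleaned": {"Stuxnet": 8_000, "Vobfus": 30_000, "Sality": 25_000, "Other": 80_000}},
    "Location B": {"scanned": 200_000,
                   "cleaned": {"Stuxnet": 6_000, "Vobfus": 1_500, "Sality": 500, "Other": 1_000}},
    "Location C": {"scanned": 3_000_000,
                   "cleaned": {"Stuxnet": 1_000, "Vobfus": 20_000, "Sality": 15_000, "Other": 40_000}},
}


def raw_cleanings(family):
    """Locations ranked by the absolute number of computers cleaned of `family`."""
    rows = ((loc, d["cleaned"][family]) for loc, d in TELEMETRY.items())
    return sorted(rows, key=lambda row: -row[1])


def saturation(family):
    """Locations ranked by saturation: percent of scanned computers cleaned of `family`."""
    rows = ((loc, 100.0 * d["cleaned"][family] / d["scanned"]) for loc, d in TELEMETRY.items())
    return sorted(rows, key=lambda row: -row[1])


def ccm(location, exclude=()):
    """Computers Cleaned per Mille: computers cleaned of any family (except those in
    `exclude`) per 1,000 scanned. Assumes one family per cleaned computer (simplification)."""
    d = TELEMETRY[location]
    cleaned = sum(n for fam, n in d["cleaned"].items() if fam not in exclude)
    return 1000.0 * cleaned / d["scanned"]


def ccm_uplift(location, family):
    """How many times higher the location's CCM is with `family` than it would be without it."""
    return ccm(location) / ccm(location, exclude=(family,))


if __name__ == "__main__":
    fam = "Stuxnet"
    print("Raw cleanings:", raw_cleanings(fam))      # Location A leads on raw counts ...
    print("Saturation %:", saturation(fam))         # ... but Location B is far more saturated
    for loc in TELEMETRY:
        print(f"{loc}: CCM {ccm(loc):.1f}, without {fam} {ccm(loc, exclude=(fam,)):.1f}, "
              f"uplift x{ccm_uplift(loc, fam):.2f}")
```

With these constructed numbers Location A tops the raw-count ranking while Location B tops the saturation ranking, and a single family triples Location B's CCM, the same pattern the post describes for Iran and Indonesia.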
In addition to these malware families, MSRT also cleaned any malicious shortcut (.lnk) files found on these systems in an attempt to stop the propagation vector, no matter which malware family had incorporated it.
Top 10 families so far this month:
Within the first week of release, MSRT cleaned 12,283,167 files in 2,005,960 infected machines. Bubnix, the threat that was added last month to the MSRT, is currently the most-cleaned threat and is actually third on the list of the top 25 families from last month’s MSRT release. It has been disinfected from 471,243 machines.
Top 10 threats so far this month:
Stuxnet, which led to the initial discovery of the CVE-2010-2568 vulnerability that allows shortcut files to automatically launch when a removable drive is accessed, has a disinfection count that is lower than other related families. At the moment, it has been disinfected from 46,351 machines (components like Trojan:WinNT/Stuxnet.A and Trojan:WinNT/Stuxnet.B are often found on the same computer). On the other hand, Win32/Vobfus, a family of obfuscated worms that has been around since 2009 but incorporated the vulnerability into several of its later variants, has a higher disinfection count compared to Stuxnet. Win32/Vobfus has been disinfected from 149,911 machines, mostly due to the Worm:Win32/Vobfus.gen!A variant. Sality is right behind Vobfus in terms of machine counts, coming in at 130,992 disinfected machines.
More reading about Stuxnet, Vobfus and other related stuff:
More about Bubnix:
Aside from the above-mentioned threats, MSRT disinfected the usual game-password stealers such as Taterf and Frethog, several rogue threats including FakeSpypro and FakeXPA, and other prevalent and familiar threats that we usually see.
- Francis Allan Tan Seng, Vincent Tiu, and Holly Stewart