Threat Research & Response Blog
As those who follow our blog already know, we added Win32/Zbot to MSRT this month. This is a complex threat with techniques employed to make removal by AV challenging and which necessitated advances in the technology we use. The threat is aimed at theft of credentials (often financial) and, according to the FBI, part of a major theft ring which, as the result of cooperation between law enforcement in several countries, led to numerous arrests this month.
Since the release of MSRT on Tuesday we have removed Zbot 281,491 times from 274,873 computers and is the #1 family of malware removed (which is not uncommon the month a family is added). Of the 1,344,669 computers cleaned, this is about 1 in 5, a ratio that’s higher than we typically see even when accounting for the normal, first-month spike which results from adding a new family but not exceptionally so.
To put this in greater perspective the removals of Zbot are almost as many as the removals of the #2 and #3 malware families this month combined (Win32/Vundo and Win32/Bubnix respectively). Approximately 86 million computers have run this version of MSRT as we compile this data so we should expect this number to increase as the month continues.
For more information on Zbot and other botnets, please review our most recent Security Intelligence Report (covering the first half of 2010) which was released earlier in the week.