We recently updated the Microsoft Safety Scanner - a just-in-time, free cleanup tool. The new version adds support for 64-bit Windows systems and also allows the tool to be downloaded and run on non-networked systems, such as those behind an air-gapped network, those within an ISP's walled garden, and those where the infection has impaired Internet connectivity. You can download the Microsoft Safety Scanner (MSS) at www.microsoft.com/security/scanner.
Early results with this tool have been very positive, and we are actively reviewing telemetry from customers who use it to better understand the impact of specific malware families. In addition, we urge our customers to install the security updates Microsoft provides for our operating systems and applications, as well as updates for third-party applications and any security updates that may be provided by Internet service providers. Early telemetry gathered from the release of the Microsoft Safety Scanner echoes this continuous messaging.
During the first seven days of the MSS release, there were close to 420,000 downloads of the product, or 60,000 downloads per day. In total, it cleaned 20,097 infected computers for users who suspected their computers were infected and downloaded MSS to scan their machines. Kudos to these users for having security awareness.
Among the detections, 7 of the top 10 threats are files containing exploits for Java vulnerabilities such as CVE-2008-5353, CVE-2010-0094, CVE-2010-0840 and CVE-2009-3867. (For more information related to these exploits, see the blog post “Have you checked the Java?” by our colleague Holly Stewart.)
Below is a table detailing Microsoft Safety Scanner detections in the first seven days since its release:
| Threat | Threat Count | Machine Count | Note |
|---|---|---|---|
| CVE-2008-5353 | 7,739 | 2,272 | Java Exploit |
| CVE-2010-0840 | 5,387 | 2,785 | |
| CVE-2010-0094 | 4,744 | 1,579 | |
| OpenConnection | 3,929 | 2,396 | |
| OpenCandy | 3,408 | 3,238 | Adware |
| CVE-2009-3867 | 2,759 | 1,445 | |
| Wimad | 1,658 | 637 | Malicious Win Media File |
| Keygen | 1,287 | 1,234 | Key Generator Hacking Tool |
| Mesdeh | 1,156 | 714 | |
| OpenStream | 1,125 | 759 | |
Of course, many of these MSS detections are debris left behind after the exploit has already executed. By the time a user downloads and runs MSS to detect malware, the machine may already have been infected if it was vulnerable to the exploit at the time. For example, aside from additional malicious Java code detections, the following active threats were also reported on machines found to be infected by Exploit:Java/CVE-2008-5353 on April 15, 2011:
| Threat | Percentage of machines where MSS also detected Exploit:Java/CVE-2008-5353 | Note |
|---|---|---|
| Alureon | 7.3% | Rootkit Data Stealing Trojan |
| Zwangi | 6.0% | Browser Modifier |
| Winwebsec | 5.7% | Rogue |
| Hotbar | 5.4% | |
| ClickPotato | | |
| FakeRean | 5.3% | |
| Renos | 4.6% | Rogue Downloader |
| FakeSpypro | 4.3% | |
| Obfuscator | | Encrypted Threat |
| Hiloti | 3.6% | Downloader |
On average, MSS detected 3.5 threats on each of the infected computers.
| Threat Count | Infected Machine Count | Threats Per Infected Machine |
|---|---|---|
| 69,858 | 20,097 | 3.5 |
This won’t surprise you if you have read our newly published Security Intelligence Report (SIR). For example, in the exploit section, the data shows the uptake of Java exploits in 2010:
If you are one of these users, we encourage you to apply security updates from Microsoft (and from the ISVs where applicable). In addition, take care and protect your Internet activities. Install antimalware security software such as Microsoft Security Essentials (or other AVs) to protect your computers proactively using real-time scanning technology.
We want to give a special thanks to Holly Stewart for her assistance in this post.
-- Scott Wu & Joe Faulhaber, MMPC