The latest MSRT release included coverage for two more malware families, one being Win32/EyeStye, which we discussed earlier this month, and the other being Win32/Poison.

In tandem with our efforts to provide an antidote to the scourge of Win32/Poison infections via the MSRT, we've also today published a detailed MMPC Threat Report on the same family. This Microsoft Malware Protection Center (MMPC) Threat Report provides an overview of the Win32/Poison (Poison Ivy) family of malware, examines its background and functionality, and provides telemetry data and analysis. The report also discusses how Poison Ivy is detected and removed by Microsoft antimalware products and services.

Win32/Poison, which first appeared as early as 2005, is a remote administration tool used by malware authors to gain control of an affected computer. On an affected system, a remote attacker could perform any of the following activities:

  • Download and upload files remotely
  • Log keystrokes
  • Steal WiFi credentials (such as a WEP key)
  • Steal NT/NTLM hashes
  • Inject malicious code into processes
  • Capture video and audio
  • Redirect Internet proxies
  • Scan ports

Distribution vectors for this malware may include exploiting software vulnerabilities, phishing emails, and PUA (potentially unwanted application) bundles. Historically, Win32/Poison has been readily available, and was actively developed and supported up until early 2008, after which point development stopped:

Figure 1 - Win32/Poison development timeline

We are currently closely monitoring the impact of adding this family to the MSRT. As of October 25, the MSRT has removed Win32/Poison from a little over 16,000 computers.

The top five SHA1s/MD5s for Win32/Poison are also shown in the table below. These top 5 represent 8.6% of the detections found by the MSRT so far this month:

Table 1 - Top 5 SHA1s/MD5s for Win32/Poison

Win32/EyeStye by the numbers

As for the second family added in this MSRT release, Win32/EyeStye, we have had several people asking us about the impact of its inclusion in this month's MSRT.

We looked at 10 days' worth of data since the release and are happy to report that we have disinfected EyeStye from more than half a million unique machines during that time period (605,825 at the time of writing, to be exact). To give you an indication of how EyeStye disinfections stack up against other prevalent malware families addressed by the MSRT, we've provided the table below, which shows the top 10 families detected by the MSRT between October 11-21, 2011:

Table 2 - Top 10 Families in MSRT

We also noted that most of the computers found to be infected with EyeStye were located in western Europe, with the largest number of detections found in Germany, as illustrated in the graph below:

Figure 2 - Geographical distribution of EyeStye

The top five SHA1s/MD5s for Win32/EyeStye are also shown in the table below. These top 5 represent 5.6% of the detections found by the MSRT so far this month:

Table 3 - Top 5 SHA1s/MD5s for Win32/EyeStye

We in the MMPC continue to keep an eye on the threat landscape and update the MSRT to fight for the users!

Vincent Tiu & Jaime Wong