Wednesday, October 29, 2008 5:05 PM by mmpc
Win32/Rustock Hide and Seek – MSRT Telemetry
In his 10/18 blog post, Oleg provided great insights into the distribution, installation and payload of Win32/Rustock, which was added to the MSRT 10/14 release. As of 10/29, MSRT has removed this rootkit from 99,418 distinct machines.
The breakdown of these removals by region is shown below.
| Country/Region | Distinct machines cleaned |
|---|---|
| United States | 41,305 |
| France | 6,295 |
| Spain | 5,987 |
| Italy | 5,033 |
| United Kingdom | 4,962 |
| Russia | 3,390 |
| Germany | 3,079 |
| Netherlands | 2,399 |
| Korea | 2,279 |
| Japan | 2,069 |
| All Other | 22,620 |
The incidence of the top 10 variants looks like this:
| Variant | Distinct machines cleaned |
|---|---|
| Backdoor:WinNT/Rustock.E | 80,256 |
| Backdoor:WinNT/Rustock.C | 12,950 |
| Backdoor:WinNT/Rustock.B | 3,568 |
| Backdoor:Win32/Rustock | 1,963 |
| Backdoor:WinNT/Rustock.D | 643 |
| Backdoor:WinNT/Rustock.A | 142 |
| Trojan:Win32/Rustock.D | 67 |
| Backdoor:Win32/Rustock.B!sys | 66 |
| TrojanDropper:Win32/Rustock.C | 15 |
| Trojan:Win32/Rustock.E | 11 |
The following table shows the top 15 Rustock files detected by MSRT, ranked by SHA1 hash and share of detections. We provide this data for other antimalware vendors and security research firms who wish to strengthen their detection capability or malware analysis.
While we detect and remove most of the Rustock variants in our collection, it is possible this crimeware has other masks. If you have samples that you think we don't detect, please send them to us through our portal.
-- Scott Wu (MMPC)