MSRT Review on Win32/FakeSecSen Rogues
Wednesday, November 19, 2008 11:55 PM by mmpc
Win32/FakeSecSen was added to the MSRT November release, as Hamish mentioned in his MMPC blog. We have since observed MSRT removing FakeSecSen from 994,061 distinct machines.
The breakdown of these removals by region is shown below.
Region/Country      Distinct Machines Cleaned
United States       548,218
United Kingdom      74,343
France              47,581
Germany             43,347
Netherlands         28,724
Spain               23,027
Italy               18,453
Australia           16,287
Canada              16,180
Sweden              15,412
Other               162,489
There is no surprise about the prevalence of these rogues given our earlier telemetry analysis on other Microsoft AV products and tools. For comparison, the #1 family last month was Renos, with 389,036 distinct machines cleaned in the first week and 655,535 machines for the whole month. The most significant result for MSRT this year came from the June release, when we added eight game password stealer families: Win32/Taterf was cleaned from 1,246,792 machines by week 1 and from 1,536,831 machines for the whole month.
One way to interpret this data is to look at the infection rate. In the recent release of volume 5 of the Microsoft Security Intelligence Report we introduced "Computers Cleaned per thousand MSRT executions" (CCM). During 1H08, the CCM for the US over the full six months was 11.2. Within one week in November, the US CCM for all threats is 10.3, and the US CCM for FakeSecSen alone is 5.0. In other words: of every one thousand machines in the US scanned by MSRT during the last seven days, roughly five were infected with FakeSecSen rogues.
Normally each FakeSecSen installation contains one EXE, one or two DAT files, one Control Panel applet (CPL), one desktop shortcut and sometimes one uninstaller. It is interesting that only 20% of these removals contain FakeSecSen executables. This indicates that the other 80% of machines had at one point been infected by FakeSecSen and the threat was then manually and partially removed, or that the machines were cleaned by other AV products/tools, or that FakeSecSen had failed to install, etc. To put the number in perspective, if FakeSecSen is counted only by its EXE, it is #2, behind Renos.
Threat Family        Distinct Machines Cleaned
Renos                565,728
FakeSecSen (EXEs)    198,812
Taterf               177,660
Zlob                 175,559
Lolyda               118,130
Now, how did a machine get infected by FakeSecSen? From our research, a few Win32/Renos variants such as TrojanDownloader:Win32/Renos.Y, TrojanDownloader:Win32/Renos.AY and TrojanDownloader:Win32/Renos.EK are responsible for downloading FakeSecSen. The table below shows the top ten threats found on machines that were also infected by FakeSecSen. Five of them are Renos.
Rank  Threat on FakeSecSen-infected machine    Distinct Machines Cleaned
1     TrojanDownloader:Win32/Renos.AY          5,437
2     TrojanDownloader:Win32/Renos.Y           5,223
3     Trojan:Win32/Zlob.J                      4,922
4     TrojanDropper:Win32/Zlob                 3,076
5     TrojanDownloader:Win32/Renos             2,619
6     Trojan:Win32/Zlob.AU                     2,040
7     TrojanDownloader:Win32/Zlob.AMV          1,627
8     TrojanDownloader:Win32/Zlob.gen!CJ       1,567
9     TrojanDownloader:Win32/Renos.AT          1,399
10    TrojanDownloader:Win32/Zlob.gen!AX       1,248
We suggest you get familiar with the behaviors of Win32/Renos, especially the three variants mentioned above, and be cautious with your web surfing and other Internet usage.
The following table shows the top ten FakeSecSen EXEs. We provide this data for other antimalware vendors and security research firms who wish to solidify their detection capability or malware analysis.
Rank  FakeSecSen EXE                                  Distinct Machines Cleaned
1     0x594771CD995BA6A77DEB10BEAA27DFD30B4A6CF1      24,488
2     0xDCED8E211919CC57878B53C7E6D288A31DC1C6AB      8,696
3     0xA73CEE93F3EF7B913CDE29EB84DCBF43B41C4920      6,595
4     0x83B3ED7F420D6B06A0F7FA0D429E3B8098205446      6,482
5     0x8CE338D88245B7C5DB92BFB9C2FD3852039477D5      6,392
6     0x6F6BB37E574FC70FCD90B5075A9100D254C83286      6,035
7     0xDB3C727A2F99E04FA8595161A6ADD6889DD29320      5,949
8     0xD98221F3893C15DBAE130CB38F3A02856091E733      5,236
9     0x3FC84BC022F53B1BED34FFB59681CE2DD42F6AE2      5,225
10    0x0D4C8ECA468532A72C4840ACE58257A307CA06EA      4,821
MMPC is keeping an eye on this space and watching closely the activities of AV rogues and their evolution. We strive to ensure a safe Internet experience for our customers, and we trust our colleagues in other industry-leading firms are doing the same.
-- Scott Wu, Scott Molenkamp and Hamish O’Dea