Archive for the ‘SIR v10’ Category

May MSRT by the numbers

June 9th, 2011

In May, we added Win32/Ramnit to the detection capability of the Malicious Software Removal Tool (MSRT), as my colleague Scott Molenkamp blogged. As of May 20th, MSRT had disinfected 52,549 computers of the Win32/Ramnit infection. Ramnit is one of the four parasitic viruses among the top 10 detected threat families.

Top 25 detections by MSRT, May 10 – May 20

Family        Machine count   Note
Sality              202,351   Classic parasitic virus
Taterf               77,236   Worm
Rimecud              65,149   Worm
Vobfus               59,918   Worm
Alureon              58,884   Evolved parasitic virus
Parite               53,778   Evolved parasitic virus
Ramnit               52,549   Evolved parasitic virus
Brontok              50,392   Worm
Cycbot               50,209   Trojan
Conficker            49,173   Worm
Renocide             48,395   Worm
Bubnix               45,712   Trojan
FakeRean             40,695   Rogue
Zbot                 40,087   Trojan
Bancos               39,452   Trojan
Frethog              33,100   Evolved parasitic virus
Banker               31,675   Trojan
Jeefo                22,396   Classic parasitic virus
Renos                21,858   Trojan
Lethic               21,521   Trojan
Cutwail              21,222   Trojan
Virut                20,963   Classic parasitic virus
Hamweq               17,102   Worm
FakeVimes            14,899   Rogue
Hupigon              14,553   Trojan


You may have noticed that Ramnit, like several of the other viruses in the chart above, is classified as an "evolved" virus: as described in Scott's previous Ramnit post, one that combines earlier and later generations of malicious infection techniques.

Allow me to go 'back to the book' for the definition of a parasitic virus. A parasitic virus, or file infector, is a type of 'old school' malware that attaches itself to, modifies, or resides inside a host file on the file system. Given how invasive this spreading technique is, one may wonder why malware authors are still in love with this old method, particularly when file infectors tend to leave the computer unstable, slow and prone to crashing, and some even render the infected computer unusable.

With today's malware authors aiming to profit from their victims, one would expect them to be motivated to build stealthy threats with the least possible overhead on the machine, so as to keep the window of time open long enough to harvest data (or carry out other payloads).

There are several possible explanations:

  • Malware authors know that the anti-malware industry is targeting them; viruses can require more effort to detect and clean properly, which may force security companies to invest more resources in remediating the threat.
  • Current threats tend to have multiple components. For example, the Ramnit authors wrote worm modules to help it propagate via USB and network drives using Autorun.
  • While some file infector viruses such as Sality, Jeefo and Virut are traditional, many other file infectors are not. For example, Alureon and Cutwail will only infect system files or system drivers (e.g. "atapi.sys" or "agp440.sys"). If a system file is infected and becomes hidden, the job of the file-infecting component is done, while the other malicious components continue to execute the payload.
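
To make the definition of a file infector concrete, here is an added example (not code from the post or from MSRT) of the static triage a responder runs on a suspect executable: it parses the PE headers and reports where AddressOfEntryPoint lands, because an appending file infector typically grows the last section, marks it writable and executable and points the entry point into the appended body before eventually returning to the original code. The PE images it scans are constructed in the block itself; the section layouts, the ".reloc" name of the grown section and the finding codes are assumptions chosen for the illustration.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

CODE_FLAGS = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA_FLAGS = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE


def parse_pe(data):
    """Return (AddressOfEntryPoint, sections) from raw PE32/PE32+ bytes.

    Each section is (name, VirtualAddress, VirtualSize, SizeOfRawData, Characteristics).
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    optional = coff + 20                                  # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, optional + 16)[0]  # same offset in PE32 and PE32+
    table = optional + size_of_optional                   # IMAGE_SECTION_HEADER[]
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size = struct.unpack_from("<III", data, off + 8)
        flags = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, va, vsize, raw_size, flags))
    return entry_rva, sections


def triage_entry_point(data):
    """Return short finding codes describing where the entry point lands (empty = nothing odd)."""
    entry_rva, sections = parse_pe(data)
    for idx, (name, va, vsize, raw_size, flags) in enumerate(sections):
        if va <= entry_rva < va + max(vsize, raw_size):
            break
    else:
        return ["ep_outside_sections"]                    # entry in the headers or past the image
    findings = []
    if len(sections) > 1 and idx == len(sections) - 1:
        findings.append("ep_in_last_section")             # appended-code infection pattern
    if flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE:
        findings.append("ep_section_wx")                  # virus body that patches itself at run time
    if not flags & IMAGE_SCN_CNT_CODE:
        findings.append("ep_section_not_code")            # the linker never marked this section as code
    return findings


def build_pe(sections, entry_rva):
    """Assemble a minimal PE32 image as constructed test data (not a real executable).

    `sections` holds (name, VirtualAddress, VirtualSize, Characteristics); each section
    gets 0x200 bytes of zero-filled raw data.
    """
    e_lfanew, optional_size, headers_size, raw_align = 0x40, 0xE0, 0x400, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, optional_size, 0x0102)
    optional = bytearray(optional_size)
    struct.pack_into("<H", optional, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", optional, 16, entry_rva)       # AddressOfEntryPoint
    struct.pack_into("<I", optional, 28, 0x00400000)      # ImageBase
    table = b""
    for i, (name, va, vsize, flags) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, raw_align,
                             headers_size + i * raw_align, 0, 0, 0, 0, flags)
    image = (dos + b"PE\0\0" + coff + bytes(optional) + table).ljust(headers_size, b"\0")
    return image + b"\0" * (raw_align * len(sections))


# Constructed: a normally linked binary whose entry point sits in .text.
CLEAN_SAMPLE = build_pe([(".text", 0x1000, 0x1000, CODE_FLAGS),
                         (".data", 0x2000, 0x1000, DATA_FLAGS)], entry_rva=0x1010)

# Constructed: the same layout after an appending infector grew the last section,
# made it writable and executable and pointed the entry point into the appended body.
INFECTED_SAMPLE = build_pe([(".text", 0x1000, 0x1000, CODE_FLAGS),
                            (".data", 0x2000, 0x1000, DATA_FLAGS),
                            (".reloc", 0x3000, 0x1400, DATA_FLAGS | IMAGE_SCN_MEM_EXECUTE)],
                           entry_rva=0x4000)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("infected", INFECTED_SAMPLE)):
        print(label, triage_entry_point(sample) or ["no findings"])
```

The codes are triage signals, not verdicts: packers such as UPX also place the entry point outside .text, and a driver infection that overwrites existing code instead of appending a section can leave the section table looking normal, which is why checking a system driver's Authenticode signature or comparing it against a known-good copy is the better test for the system files mentioned above.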

Parasitic viruses are not going away; they are still relevant and evolving. Our newly published Microsoft Security Intelligence Report shows the steady presence of viruses as a threat category.

Image 1 – Detections by Threat Category


For more information about SIR, refer to

Special thanks to Patrick Nolan for his assistance in this post.


— Scott Wu, MMPC

MMPC Threat Report: Cracking open Qakbot

May 27th, 2011

Today we're releasing a Microsoft Malware Protection Center Threat Report on Qakbot as a follow-up to the recently released Microsoft SIRv10 and our special report on Battling Botnets in late 2010. This report focuses on one botnet in particular, Qakbot. Qakbot is a backdoor that includes user-mode rootkit functionality to hide itself, and it also steals sensitive user data from infected machines.

In addition to some of the interesting traits of Qakbot, such as the areas of the world where it is most prevalent and the types of computers it targets, we found one particular aspect quite interesting: where the Qakbot authors may have gotten some of their code.

We have long suspected that the Qakbot authors were taking code samples from the Internet and incorporating them into their malware as the family evolved. Recently, while reviewing some of the earliest samples of Qakbot, we found something interesting: NtIllusion debug strings.

Qakbot NTIllusion Strings

NtIllusion is a rootkit that was first disclosed in an article in the underground security zine Phrack in July 2004. It includes functionality to hide processes, files, registry entries, and evidence of TCP/IP communication. It hooks several network communication APIs in order to steal POP3 and FTP passwords. This code still appears in Qakbot today.
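
The API hooking described above is the part of this code a responder can look for in memory. Below is an added example (not from the report, from NtIllusion or from Qakbot) of how user-mode API hooks are detected in a 32-bit process: the first bytes of each export, as read from process memory, are compared with the prologue in the on-disk image and, when they differ, the trampoline is decoded to recover where execution is redirected; import table slots are likewise compared with the real export addresses. The process snapshot (module addresses, prologue bytes, import slots and hook targets) is constructed inline and every address in it is hypothetical.

```python
import struct

# Constructed 32-bit scenario with hypothetical addresses: three ws2_32.dll exports and the
# hot-patchable prologue (mov edi,edi; push ebp; mov ebp,esp) they carry in the on-disk image.
DISK_PROLOGUE = bytes.fromhex("8bff558bec")
EXPORTS = {"send": 0x71A14C27, "recv": 0x71A1676F, "WSASend": 0x71A168FA}
HOOK_TARGET_SEND = 0x00C31000       # hypothetical: inside a DLL the rootkit injected
HOOK_TARGET_WSASEND = 0x00C31230


def jmp_rel32(src, dst):
    """Encode E9 <rel32>, the 5-byte relative JMP an inline hook writes over a prologue."""
    return b"\xe9" + struct.pack("<i", dst - (src + 5))


# Constructed: what reading the first bytes of each export returns in the hooked process.
IN_MEMORY = {
    "send": jmp_rel32(EXPORTS["send"], HOOK_TARGET_SEND),
    "recv": DISK_PROLOGUE,                                                   # untouched
    "WSASend": b"\x68" + struct.pack("<I", HOOK_TARGET_WSASEND) + b"\xc3",   # push imm32; ret
}

# Constructed: the process's import slots for ws2_32, with one slot redirected.
IAT = {"send": HOOK_TARGET_SEND, "recv": EXPORTS["recv"], "WSASend": EXPORTS["WSASend"]}


def classify_patch(func_addr, mem, disk):
    """Compare an export's in-memory prologue with its on-disk bytes.

    Returns None when unchanged, otherwise (trampoline kind, resolved target or None).
    """
    if mem[:len(disk)] == disk:
        return None
    op = mem[0]
    if op == 0xE9 and len(mem) >= 5:                      # jmp rel32
        rel = struct.unpack_from("<i", mem, 1)[0]
        return ("jmp_rel32", (func_addr + 5 + rel) & 0xFFFFFFFF)
    if mem[:2] == b"\xff\x25" and len(mem) >= 6:          # jmp dword ptr [abs32]
        return ("jmp_indirect", struct.unpack_from("<I", mem, 2)[0])   # pointer slot, not target
    if op == 0x68 and len(mem) >= 6 and mem[5] == 0xC3:   # push imm32; ret
        return ("push_ret", struct.unpack_from("<I", mem, 1)[0])
    return ("patched_unknown", None)


def scan_inline_hooks(exports, in_memory, disk_prologue):
    """Report every export whose prologue no longer matches the on-disk image."""
    findings = []
    for name, addr in exports.items():
        hit = classify_patch(addr, in_memory[name], disk_prologue)
        if hit:
            findings.append((name, hit[0], hit[1]))
    return findings


def check_iat(iat, exports):
    """Report import slots that no longer point at the real export (IAT hooking)."""
    return [(name, ptr) for name, ptr in iat.items() if ptr != exports[name]]


if __name__ == "__main__":
    for name, kind, target in scan_inline_hooks(EXPORTS, IN_MEMORY, DISK_PROLOGUE):
        shown = "?" if target is None else f"{target:#010x}"
        print(f"ws2_32!{name}: inline hook ({kind}) -> {shown}")
    for name, ptr in check_iat(IAT, EXPORTS):
        print(f"IAT slot for ws2_32!{name} points at {ptr:#010x}, not at the export")
```

On a live system the in-memory bytes come from ReadProcessMemory or a memory image and the disk bytes from the DLL file mapped at the same base; this comparison is what memory-forensics tools report as API hooks. Two caveats: 64-bit hooks use different trampolines (an indirect jump through an 8-byte absolute address, or mov rax, imm64 followed by jmp rax), and anti-malware, EDR and application-compatibility layers legitimately patch the same prologues, so resolve the target to a module before calling it a rootkit.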

You can read about this and more on Qakbot in our Threat Report:


Dan Kurc

Categories: botnets, MMPC, Qakbot, SIR v10