We recently updated the Microsoft Safety Scanner – a just-in-time, free cleanup tool. The new version adds support for 64-bit Windows systems and also allows the tool to be downloaded and run on non-networked systems, such as those behind an air-gapped network, those within an ISP's walled garden, and those where the infection has impaired internet connectivity. You can download the Microsoft Safety Scanner (MSS) at www.microsoft.com/security/scanner.
Early results have been very positive with this tool and we are actively reviewing telemetry from our customers who use it in order to better understand aspects of threat impact from specific malware families. In addition, we urge our customers to install security updates provided by Microsoft for our operating systems and applications, as well as from other third-party applications and any security updates that may be provided by Internet service providers. Early telemetry gathered from the release of the Microsoft Safety Scanner echoes this continuous messaging.
During the first seven days of the MSS release, there were close to 420,000 downloads of the product, or 60,000 downloads per day. It cleaned 20,097 infected computers in total, for users who suspected their computers were infected and downloaded MSS to scan their machines. Kudos to these users for their security awareness.
Among the detections, 7 of the top 10 threats are files containing exploits for Java vulnerabilities such as CVE-2008-5353, CVE-2010-0094, CVE-2010-0840 and CVE-2009-3867. (For more information related to these exploits, see the blog post “Have you checked the Java?” by our colleague Holly Stewart.)
Below is a table detailing Microsoft Safety Scanner detections in the first seven days since its release:
| Threat | Threat Count | Machine Count | Note |
|---|---|---|---|
| CVE-2008-5353 | 7,739 | 2,272 | Java Exploit |
| CVE-2010-0840 | 5,387 | 2,785 | Java Exploit |
| CVE-2010-0094 | 4,744 | 1,579 | Java Exploit |
| OpenConnection | 3,929 | 2,396 | Java Exploit |
| OpenCandy | 3,408 | 3,238 | Adware |
| CVE-2009-3867 | 2,759 | 1,445 | Java Exploit |
| Wimad | 1,658 | 637 | Malicious Win Media File |
| Keygen | 1,287 | 1,234 | Key Generator Hacking Tool |
| Mesdeh | 1,156 | 714 | Java Exploit |
| OpenStream | 1,125 | 759 | Java Exploit |
Of course, many of these MSS detections are the debris or aftermath left after the exploit has already executed. By the time a user downloads and runs MSS to detect malware, the machine may already have been infected, if it was vulnerable to the exploit at the time. For example, aside from additional malicious Java code detections, the following active threats were also reported on machines found to be infected by Exploit:Java/CVE-2008-5353 on April 15, 2011:
| Threat | Percentage of machines | Note |
|---|---|---|
| Alureon | 7.3% | Rootkit Data Stealing Trojan |
| Zwangi | 6.0% | Browser Modifier |
| Winwebsec | 5.7% | Rogue |
| Hotbar | 5.4% | Adware |
| ClickPotato | 5.4% | Adware |
| FakeRean | 5.3% | Rogue |
| Renos | 4.6% | Rogue Downloader |
| FakeSpypro | 4.3% | Rogue |
| Obfuscator | 4.3% | Encrypted Threat |
| Hiloti | 3.6% | Downloader |
On average, MSS detected 3.5 threats on each of the infected computers.
| Threat Count | Infected Machine Count | Threats Per Infected Machine |
|---|---|---|
| 69,858 | 20,097 | 3.5 |
This won't surprise you if you have read our newly published Security Intelligence Report (SIR). For example, in the exploit section, the data shows the uptake of Java exploits during 2010:
If you are one of these users, we encourage you to apply security updates from Microsoft (and from the ISVs where applicable). In addition, take care to protect your Internet activities. Install antimalware security software such as Microsoft Security Essentials (or another AV product) to protect your computers proactively using real-time scanning technology.
We want to give a special thanks to Holly Stewart for her assistance in this post.
— Scott Wu & Joe Faulhaber, MMPC