Fight back: MS targets Storm malware
Microsoft quietly added detection of the "Storm" family of malware to the September build of its Malicious Software Removal Tool. The MSRT is released as part of the monthly security update cycle (although I do wish it was updated more often - it can be an extremely effective tool in the fight against malware, as you will see from this article).
Jimmy Kuo of the Anti-Malware Engineering Team has posted some very interesting statistics and snippets of background information about the effect that adding detection of "Storm" had on Windows PCs (and the Storm botnet) around the world which illustrates just how powerful the MSRT can be in the fight against malware.
Jimmy reports that:
"The Renos family of malware has been removed from 668,362 distinct machines. The Zlob family has been removed from 664,258 machines. And the Nuwar family has been removed from 274,372 machines. In total, malware has been removed by this month’s MSRT from 2,574,586 machines.
So, despite some public concern in the press and among researchers about the “Storm” worm, it ranks third among the families of malware whose signatures have been added to the MSRT."
Sadly, as has always been the case in this type of battle, the criminals behind Storm fought back quickly. Jimmy went on to say that:
"Another antimalware researcher who has been tracking these recent attacks has presented us with data that shows we knocked out approximately one-fifth of “Storm’s” Denial of Service (DoS) capability on September 11th. Unfortunately, that data does not show a continued decrease since the first day. We know that immediately following the release of MSRT, the criminals behind the deployment of the “Storm” botnet immediately released a newer version to update their software. To compare, one day from the release of MSRT, we cleaned approximately 91,000 machines that had been infected with any of the number of Nuwar components. Thus, the 180,000+ additional machines that have been cleaned by MSRT since the first day are likely to be home user machines that were not notably incorporated into the daily operation of the “Storm” botnet. Machines that will be cleaned by MSRT in the subsequent days will be of similar nature."
The Malicious Software Removal Tool is offered as a critical update via Microsoft Update, Windows Update, and Auto Update to any computer that is running Windows Vista, Windows XP, Windows 2000, and Windows Server 2003. Comprehensive information about the MSRT, and download links, can be found here:
An important note about the MSRT:
"**W32/HackDef typically hides other potentially unwanted software on the computer. If the cleaner tool reports that W32/HackDef was detected on the computer, we strongly recommend that you run a scan with up-to-date antivirus and antispyware programs (see http://www.microsoft.com/athome/security/spyware/default.mspx). If you want to view the software that W32/HackDef was hiding, first open the log file for the cleaner tool (%WINDIR%\debug\mrt.log). Next, in the Scanning Results section, find the line or lines that note the folder in which Win32/Hackdef was found. In that same folder, you should find the Win32/Hackdef configuration file that has the .ini file name extension. View this file to determine the software that Win32/HackDef was hiding on the computer."