Microsoft Adds ZeuS Detection To MSRT

As of October 12th 2010, the MSRT Team added detection for the ZeuS crimeware (also known as Zbot and WSNPoem) on Microsoft’s Malicious Software Removal Tool (MSRT):

For those who don’t know: MSRT is distributed to WinXP, WinVista and Win7 automatically using the Windows Update service. Of course this is really great news, but the thing which worries me a little bit is the fact that Microsoft waited years until they finally added detection for the ZeuS crimeware. ZeuS has been a big threat in cyberspace for years and has already managed to steal millions of dollars.

MSRT’s ZeuS detection rate

I thought it would be a good idea to test MSRT’s detection for ZeuS by running some quick tests. I’ve tested 20 ZeuS infection binaries (v2) by infecting a VM with the following test conditions:

OS: WinXP SP3
MSRT Version: KB890830 (2010-10-12)

Below are the results of my tests:

| Infection binary (MD5) | ZeuS Version | MSRT Result | Virustotal |
|---|---|---|---|
| a7d9996744d7129dc6af94d5827006e0 | 2.0.7.0 | missed | 4/43 (9.30%) |
| 4e6114b5cbfbd5eeb0cea380c3416b2a | 2.0.7.0 | detected | 32/43 (74.40%) |
| 20d1b5c8b868ecf314d5b7d50188f55f | - | detected | 38/41 (92.70%) |
| 70bda659bf0852c1ce96532df3b57021 | 1.2.10.1 | detected | 20/43 (46.50%) |
| a2ba908c3fe7f2bd99ad0c6e31c24995 | 2.0.7.0 | detected | 6/43 (14.00%) |
| e206407083a772a015a21f0398f0fbf0 | 2.0.7.0 | missed | 8/43 (18.60%) |
| ace6aec48663a0179af2e60cceb2ebb4 | 2.0.7.0 | missed | 10/43 (23.30%) |
| 92b58d067b13f47d14a4747af07b2d10 | 2.0.1.1 | detected | 6/41 (14.60%) |
| 6250a5c48f5aff26474e9eaff4d0520c | 2.0.7.0 | missed | 6/41 (14.60%) |
| d6c169be176e60a67780feb48327b2ab | 2.0.7.0 | detected | 12/43 (27.90%) |
| 21102185c207602505d45019f5d782b9 | 2.0.7.0 | missed | 10/43 (23.30%) |
| fc797f7b8a20ab4e6ce2df39ae41069f | - | missed | 20/42 (47.60%) |
| e8f83eefe8069c360c73bf7127426155 | 2.0.7.0 | detected | 33/43 (76.70%) |
| cf11173481abb10e92246be92d8304dc | 2.0.7.0 | detected | 17/42 (40.50%) |
| b64b598e6b5106d770f94c659bc994d5 | 2.0.7.0 | missed | 0/43 (0.00%) |
| 359316aa5901613a3ad4f9265a93c600 | 2.0.7.0 | detected | 13/42 (31.00%) |
| 2c9702bf84a7c9a094109ff2fe0a7910 | - | missed | 3/42 (7.10%) |
| b0fe715bce28f9c3e48520f23c7cf8fe | - | detected | 10/43 (23.30%) |
| d52d8bea0bd22be5382e05b9e787ff5d | 2.0.7.0 | missed | 3/43 (7.00%) |
| 78edc0048427103a3f785fe8ac453d30 | 2.0.7.0 | missed | 1/43 (2.30%) |
| Total | | Detected: 10, Missed: 10 | |

Microsoft’s Malicious Software Removal Tool was able to identify 10 out of 20 infected systems, which is a detection rate of 50%.

Conclusion

During the tests I noticed that in most cases you need to run a full scan with MSRT to detect a ZeuS infection. Please also note that these are some quick tests from my side and don’t necessarily represent the real detection rate of MSRT on ZeuS.

I’m really curious about the number of infections detected by MSRT worldwide. Hopefully Microsoft will publish some data in the next few days.

PS: You can also follow abuse.ch on Twitter: twitter.com/abuse_ch
