As of October 12th 2010, the MSRT Team has added detection for the ZeuS crimeware (also known as Zbot and WSNPoem) to Microsoft’s Malicious Software Removal Tool (MSRT).
For those who don’t know: MSRT is distributed to WinXP, WinVista and Win7 automatically via the Windows Update service. Of course this is really great news, but the thing that worries me a little bit is the fact that Microsoft waited years until they finally added detection for the ZeuS Crimeware. ZeuS has been a big threat in cyberspace for years and has already managed to steal millions of dollars.
MSRT’s ZeuS detection rate
I thought it would be a good idea to test MSRT’s detection for ZeuS by running some quick tests. I’ve tested 20 ZeuS infection binaries (v2) by infecting a VM with the following test conditions:
MSRT Version: Kb890830 (2010-10-12)
Below are the results of my tests:
| Infection binary (MD5) | ZeuS Version | MSRT Result | Virustotal |
|---|---|---|---|
| a7d9996744d7129dc6af94d5827006e0 | 2.0.7.0 | missed | 4/43 (9.30%) |
| 4e6114b5cbfbd5eeb0cea380c3416b2a | 2.0.7.0 | detected | 32/43 (74.40%) |
| 20d1b5c8b868ecf314d5b7d50188f55f | - | detected | 38/41 (92.70%) |
| 70bda659bf0852c1ce96532df3b57021 | 1.2.10.1 | detected | 20/43 (46.50%) |
| a2ba908c3fe7f2bd99ad0c6e31c24995 | 2.0.7.0 | detected | 6/43 (14.00%) |
| e206407083a772a015a21f0398f0fbf0 | 2.0.7.0 | missed | 8/43 (18.60%) |
| ace6aec48663a0179af2e60cceb2ebb4 | 2.0.7.0 | missed | 10/43 (23.30%) |
| 92b58d067b13f47d14a4747af07b2d10 | 2.0.1.1 | detected | 6/41 (14.60%) |
| 6250a5c48f5aff26474e9eaff4d0520c | 2.0.7.0 | missed | 6/41 (14.60%) |
| d6c169be176e60a67780feb48327b2ab | 2.0.7.0 | detected | 12/43 (27.90%) |
| 21102185c207602505d45019f5d782b9 | 2.0.7.0 | missed | 10/43 (23.30%) |
| fc797f7b8a20ab4e6ce2df39ae41069f | - | missed | 20/42 (47.60%) |
| e8f83eefe8069c360c73bf7127426155 | 2.0.7.0 | detected | 33/43 (76.70%) |
| cf11173481abb10e92246be92d8304dc | 2.0.7.0 | detected | 17/42 (40.50%) |
| b64b598e6b5106d770f94c659bc994d5 | 2.0.7.0 | missed | 0/43 (0.00%) |
| 359316aa5901613a3ad4f9265a93c600 | 2.0.7.0 | detected | 13/42 (31.00%) |
| 2c9702bf84a7c9a094109ff2fe0a7910 | - | missed | 3/42 (7.10%) |
| b0fe715bce28f9c3e48520f23c7cf8fe | - | detected | 10/43 (23.30%) |
| d52d8bea0bd22be5382e05b9e787ff5d | 2.0.7.0 | missed | 3/43 (7.00%) |
| 78edc0048427103a3f785fe8ac453d30 | 2.0.7.0 | missed | 1/43 (2.30%) |
| Total | | Detected: 10, Missed: 10 | |

Microsoft’s Malicious Software Removal Tool was able to identify 10 out of 20 infected systems, which is a detection rate of 50%.
Conclusion
During the tests I noticed that in most cases you need to run a full scan with MSRT to detect a ZeuS infection. Please also note that these are some quick tests from my side and don’t necessarily represent the real detection rate of MSRT on ZeuS.
I’m really curious about the number of infections detected by MSRT worldwide. Hopefully Microsoft will publish some data in the next few days.
PS: You can also follow abuse.ch on Twitter: twitter.com/abuse_ch