Microsoft Adds ZeuS Detection To MSRT

As of October 12th, 2010, the MSRT Team added detection for the ZeuS crimeware (also known as Zbot and WSNPoem) to Microsoft’s Malicious Software Removal Tool (MSRT).

For those who don’t know: MSRT is being distributed to WinXP, WinVista and Win7 automatically using Windows Update Service. Of course this is really great news, but the thing which worries me a little bit is the fact that Microsoft waited years until they finally added detection for the ZeuS crimeware. ZeuS has been a big threat in cyberspace for years and has already managed to steal millions of dollars.

MSRT’s ZeuS detection rate

I thought it would be a good idea to test MSRT’s detection for ZeuS by running some quick tests. I’ve tested 20 ZeuS infection binaries (v2) by infecting a VM with the following test conditions:

MSRT Version: Kb890830 (2010-10-12)

Below are the results of my tests:

| Infection binary (MD5) | ZeuS Version | MSRT Result | Virustotal |
|---|---|---|---|
| a7d9996744d7129dc6af94d5827006e0 | | missed | 4/43 (9.30%) |
| 4e6114b5cbfbd5eeb0cea380c3416b2a | | detected | 32/43 (74.40%) |
| 20d1b5c8b868ecf314d5b7d50188f55f | | detected | 38/41 (92.70%) |
| 70bda659bf0852c1ce96532df3b57021 | | detected | 20/43 (46.50%) |
| a2ba908c3fe7f2bd99ad0c6e31c24995 | | detected | 6/43 (14.00%) |
| e206407083a772a015a21f0398f0fbf0 | | missed | 8/43 (18.60%) |
| ace6aec48663a0179af2e60cceb2ebb4 | | missed | 10/43 (23.30%) |
| 92b58d067b13f47d14a4747af07b2d10 | | detected | 6/41 (14.60%) |
| 6250a5c48f5aff26474e9eaff4d0520c | | missed | 6/41 (14.60%) |
| d6c169be176e60a67780feb48327b2ab | | detected | 12/43 (27.90%) |
| 21102185c207602505d45019f5d782b9 | | missed | 10/43 (23.30%) |
| fc797f7b8a20ab4e6ce2df39ae41069f | | missed | 20/42 (47.60%) |
| e8f83eefe8069c360c73bf7127426155 | | detected | 33/43 (76.70%) |
| cf11173481abb10e92246be92d8304dc | | detected | 17/42 (40.50%) |
| b64b598e6b5106d770f94c659bc994d5 | | missed | 0/43 (0.00%) |
| 359316aa5901613a3ad4f9265a93c600 | | detected | 13/42 (31.00%) |
| 2c9702bf84a7c9a094109ff2fe0a7910 | | missed | 3/42 (7.10%) |
| b0fe715bce28f9c3e48520f23c7cf8fe | | detected | 10/43 (23.30%) |
| d52d8bea0bd22be5382e05b9e787ff5d | | missed | 3/43 (7.00%) |
| 78edc0048427103a3f785fe8ac453d30 | | missed | 1/43 (2.30%) |
| Total | | Detected: 10, Missed: 10 | |

Microsoft’s Malicious Software Removal Tool was able to identify 10 out of 20 infected systems, which is a detection rate of 50%.


During the tests I noticed that in most cases you need to run a full scan with MSRT to detect a ZeuS infection. Please also note that these are some quick tests from my side and don’t necessarily represent the real detection rate of MSRT on ZeuS.

I’m really curious about the number of infections detected by MSRT worldwide. Hopefully Microsoft will publish some data in the next few days.

PS: You can also follow abuse.ch on Twitter: twitter.com/abuse_ch