Understanding Malware: Trends & Sources

by CXOtoday Staff    Apr 21, 2010

Malware attacks are a growing concern amongst enterprises. They not only result in downtime but also pose the threat of data theft. In the first of this four-part series on malware attacks on enterprises, we bring you the current trends in malware attacks and their sources.

Global malware trends in enterprises
In 2010, because of the financial environment, the vast majority of malicious applications are oriented towards illicit financial gain. It is estimated that this year will bring an increased amount of malware, especially adware applications and rogue antivirus software. More complex malware, such as rootkit-based file infectors and worms relying on multiple infection vectors (e-mail, instant messaging and peer-to-peer protocols), is also expected.

For organizations, Microsoft’s Windows Server 2008 R2 Hyper-V and VMware’s vSphere virtualization technologies have opened new opportunities. Consolidating multiple servers onto a single machine with virtualization will help cut costs. During 2010, remote attackers are expected to look for vulnerabilities in software that would allow them to seize control over the hypervisor and, implicitly, over all the virtual machines deployed on the system.

Cloud computing services are also enjoying their heyday. Whether they are used for e-mail (such as Google’s Gmail service) or for data storage and backup, cloud technologies hold and process significant amounts of sensitive data. It is just a matter of time until attackers shift their focus to these infrastructures in order to seize control over, or limit access to, these cloud resources.

2010 will also see more attacks moving to smartphones, now that the devices are being used more like mobile computers. The latest version of the iPhone with 3G dramatically increased the iPhone user base in 2009. Many iPhone users are jail-breaking the operating system in order to install third-party applications. Jail-breaking involves activating the SSH service with a default password and root access. It is expected that this year will bring new e-threats focusing on the rapidly growing mobile platform, especially worms and password-stealing Trojans.

Major sources of malware

Malware comes both from outside and from inside the network. E-threats have become an industry which, just like any other business, revolves around profit. To obtain it, cybercriminals have diversified and strengthened their methods and tools. For instance, earlier signature-based antivirus solutions were overcome by malware that was modified frequently (even several times per day) to evade detection. We have seen a great many cases in which malware creators used automated tools to alter the code responsible for the virus’s signature. Bagle, Peed and Zbot are just a few examples in which the malware or one of its components (especially the downloader) underwent frequent alterations that allowed the Trojan or virus to dodge signature-based products.

As a countermeasure, security companies introduced heuristic and behaviour-based technologies that made malware writers’ job more difficult. This led to a drastic decrease in the time frame between the initial launch of the malware and the antimalware signature update (also known as the window of exposure). It is much easier, and saves a great deal of time and money, to prevent an infection rather than to disinfect afterwards.
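To make the two detection approaches concrete, here is an added example (written for this article, not code from BitDefender or any vendor) that contrasts a whole-file hash signature with a behaviour-based score. The sample bytes, the sandbox-style action traces and the heuristic weights are all constructed assumptions; the point is that a trivial rebuild of the sample defeats the hash lookup while the behaviour score is unchanged, and that publishing a new signature is what closes the window of exposure for that one variant.

```python
import hashlib

# Constructed stand-in for a downloader binary: placeholder bytes, not real malware.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"downloader-build-0421" + b"\x00" * 16

# Signature database: SHA-256 of every sample the vendor has already analysed.
SIGNATURE_DB = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

# Behavioural trace of that sample, as a sandbox might record it (constructed).
KNOWN_TRACE = [
    ("file_write", "E:\\autorun.inf"),
    ("registry_set", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
    ("process_inject", "explorer.exe"),
    ("network_connect", "198.51.100.7:80"),
]

# Trace of a benign installer for comparison (constructed).
BENIGN_TRACE = [
    ("file_write", "C:\\Program Files\\Vendor\\app.exe"),
    ("network_connect", "203.0.113.5:443"),
]

# Heuristic weights are illustrative assumptions, not a real engine's tuning.
HEURISTIC_WEIGHTS = {"file_write": 1, "registry_set": 2, "process_inject": 3, "network_connect": 1}
THRESHOLD = 5


def signature_match(sample: bytes) -> bool:
    """Classic signature check: exact hash lookup against known samples."""
    return hashlib.sha256(sample).hexdigest() in SIGNATURE_DB


def rebuild_variant(sample: bytes, build: int) -> bytes:
    """Model the automated re-packing the article describes: only the build
    tag changes, but any change at all invalidates a whole-file hash."""
    return sample.replace(b"build-0421", f"build-{build:04d}".encode())


def heuristic_score(trace) -> int:
    """Behaviour-based score: what the code does, not what its bytes are."""
    score = 0
    for action, target in trace:
        weight = HEURISTIC_WEIGHTS.get(action, 0)
        if action == "file_write" and target.lower().endswith("autorun.inf"):
            weight += 2  # dropping autorun.inf on a drive is a propagation step
        if action == "registry_set" and target.lower().endswith("\\run"):
            weight += 1  # persistence via the Run key
        score += weight
    return score


def classify(sample: bytes, trace) -> str:
    """Layered verdict: signatures first (cheap, no false positives), then heuristics."""
    if signature_match(sample):
        return "known-malware"
    if heuristic_score(trace) >= THRESHOLD:
        return "suspicious-behaviour"
    return "clean"


def publish_signature(sample: bytes) -> None:
    """Vendor update that closes the window of exposure for this exact variant."""
    SIGNATURE_DB.add(hashlib.sha256(sample).hexdigest())


if __name__ == "__main__":
    variant = rebuild_variant(KNOWN_SAMPLE, 422)
    print("original :", classify(KNOWN_SAMPLE, KNOWN_TRACE))
    print("variant  :", classify(variant, KNOWN_TRACE))
    print("benign   :", classify(b"MZ installer", BENIGN_TRACE))
    publish_signature(variant)
    print("variant after signature update:", classify(variant, KNOWN_TRACE))
```

The layering order matters in practice: the hash lookup is cheap and never fires on clean files, so it runs first, and the heuristic score only has to cover the variants the signature database has not caught up with yet.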

A good example of geographical distribution is provided by Conficker. Along with the already "traditional" Trojan.Clicker.CM infections, Conficker (a.k.a. Downadup or Kido) has been one of the most notorious e-threats for the past six months.


The high rate of infections also shows that the level of awareness among users is still low. This applies not only to (constantly) updating an OS with the latest fixes for security flaws, but also to the basic good sense of scanning removable media for malware (even when it comes from a trusted source). Last but not least, it shows that many users do not know that removal tools are available and could be used to disinfect their systems before it is too late.

During the last six months the most active countries in terms of malware propagation were China, France and the United States, followed by Australia, Romania and Spain.
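The removable-media scanning mentioned above, and the Trojan.AutorunINF.Gen and Trojan.Autorun.AET entries in the India table further down, both come down to one file: the autorun.inf that Windows of that era honoured on removable drives. As an added example (not code from the article or from BitDefender), here is a tolerant parser for that file plus a small set of heuristic checks a scanner can apply before the drive is opened. Both autorun.inf samples are constructed for this example; the "filler lines" heuristic assumes, as the text describes, that variants pad the file with junk to change its signature.

```python
from pathlib import Path

# Constructed autorun.inf samples written for this example, not files from the article.
BENIGN_AUTORUN = """[autorun]
icon=setup.ico
label=Vendor Driver CD
"""

SUSPICIOUS_AUTORUN = """[autorun]
;zxqvb
icon=%SystemRoot%\\system32\\shell32.dll,4
open=RECYCLER\\update.exe
shell\\open\\command=RECYCLER\\update.exe
shell\\explore\\command=RECYCLER\\update.exe
useautoplay=1
zxkq lmnp wvut
qwpe rtyu iopa
"""

LAUNCH_KEYS = ("open", "shellexecute")
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")


def parse_autorun(text):
    """Return (directives, junk_line_count) for the [autorun] section.

    Hand-rolled rather than configparser so that filler lines without '='
    are counted instead of raising a parse error."""
    directives = {}
    junk = 0
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank or comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if not in_section:
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            directives[key.strip().lower()] = value.strip()
        else:
            junk += 1                     # not a directive: padding/obfuscation
    return directives, junk


def assess_autorun(text):
    """Heuristic findings for one autorun.inf; an empty list means nothing notable."""
    directives, junk = parse_autorun(text)
    findings = []
    for key, value in directives.items():
        is_launch = key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
        if not is_launch:
            continue
        target = value.split()[0].strip('"').lower() if value else ""
        if target.endswith(EXEC_EXT):
            findings.append(f"launches program via {key}: {value}")
        if "recycler" in target or "$recycle.bin" in target:
            findings.append(f"{key} target hidden in a recycle-bin folder")
        if key.startswith("shell\\"):
            findings.append(f"{key} hijacks the drive's Explorer context-menu verb")
    if directives.get("useautoplay") == "1":
        findings.append("forces AutoPlay on media that would not normally autorun")
    if junk >= 2:
        findings.append(f"{junk} filler lines that look like signature evasion")
    return findings


def scan_drive(root: str):
    """Read <root>/autorun.inf if present and return its findings (no file: empty list)."""
    path = Path(root) / "autorun.inf"
    if not path.is_file():
        return []
    return assess_autorun(path.read_text(errors="replace"))


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_AUTORUN), ("suspicious", SUSPICIOUS_AUTORUN)):
        print(name, "->", assess_autorun(sample) or "no findings")
```

A scanner would run scan_drive against each newly mounted volume; on a machine where AutoRun is already disabled by policy the findings are still useful as an indicator that the drive has been on an infected host.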


Phishing attacks worldwide

As seen in the image above, phishers’ primary targets are PayPal, Visa and eBay, followed by HSBC, American Express and Abbey Bank. Ally Bank and Bank of America rank last, with a little over one percent of the total number of phishing messages each.

These messages mostly target English-speaking computer users who use the services of at least one of the institutions listed above.

The most common targets for malware
There is no such thing as ordinary vs. uncommon e-threats. Any piece of malware delivered via an unsolicited message or phishing Web site has the ability to disrupt an unprotected computer network and to subsequently lead to data and money losses.

E-criminals seek to take advantage of users’ and systems’ vulnerabilities, employing different types of complex behavioural and technological tactics and strategies. For businesses, unlike the average home user, e-threats are also responsible for a significant increase in:

Infrastructure costs - ISPs’ and other organizations’ network management, antimalware solution deployment and maintenance (at desktop, server and Internet level), help desk assistance, etc.
Productivity loss - Slower networks due to wasted bandwidth, reduced e-mail processing and storage capacity, time spent sorting and discarding unwanted messages, resource-consuming collateral damage such as the detection and removal of malware, etc.

The top 10 most widespread pieces of malware in India between May and October 2009 were:

Malware                     Percentage
Trojan.Wimad.Gen.1          9.07
Iframe.Malware.1C15745E     5.94
Trojan.AutorunINF.Gen       4.25
Trojan.JS.PYV               2.12
Trojan.Generic.1609040      2.10
Trojan.Skintrim.HTML.A      1.32
Trojan.Script.14303         1.13
Win32.Virtob.Gen.12         1.12
Trojan.Autorun.AET          1.04
Trojan.Generic.IS.574696    1.03
Other                      70.88

This article has been written with inputs from Catalin Cosoi, Senior Antimalware Researcher, BitDefender.