Malware Statistics – March 2010

Malicious programs detected on users’ computers

Top twenty malicious programs detected on users computers throughout the month of March.

Position Change in position Name Number of infected computers
1 0 Net-Worm.Win32.Kido.ir 332833
2 0 Virus.Win32.Sality.aa 211229
3 0 Net-Worm.Win32.Kido.ih 186685
4 0 Net-Worm.Win32.Kido.iq 181825
5 0 Worm.Win32.FlyStudio.cu 121027
6 0 Trojan-Downloader.Win32.VB.eql 68580
7 New Trojan.Win32.AutoRun.abj 66331
8 1 Virus.Win32.Virut.ce 61003
9 1 Packed.Win32.Krap.l 55823
10 -2 Worm.Win32.AutoIt.tc 55065
11 4 Worm.Win32.Mabezat.b 49521
12 -5 Exploit.JS.Aurora.a 43776
13 New Packed.Win32.Krap.as 40912
14 New Trojan.Win32.AutoRun.aay 40754
15 3 Trojan-Dropper.Win32.Flystud.yo 40190
16 -4 Virus.Win32.Induc.a 38683
17 -4 not-a-virus:AdWare.Win32.RK.aw 38547
18 New Trojan.Win32.AutoRun.abd 37037
19 -5 not-a-virus:AdWare.Win32.Boran.z 36996
20 0 not-a-virus:AdWare.Win32.FunWeb.q 34177
Source: Kaspersky Lab

Most “Malware” is now “Crimeware”

Computer viruses, Trojans, and worms have evolved a great deal since their inception in the 1970s.  Originally the province of pranksters and glory seekers, then anarchists trying to see how much damage they can cause, the new generation of malicious hackers is in it for the money.

The first widespread virus outbreak occurred in 1982 and was known as “Elk Cloner.”  At every 50th boot, it would display a humorous poem, but was otherwise harmless.  Since then there have been many viruses and variants that caused no intentional damage to hardware or software, but at various or random intervals would display jokes, political messages, or humorous (to the virus authors, at least) messages.  Such “harmless” malware can still be disruptive though, by clogging networks, slowing system performance, and consuming storage space.

It wasn’t long after that first widespread outbreak that virus technology attracted a more despicable breed of hacker, those who create malware with intentionally destructive capabilities.  A prime example is the Jerusalem virus launched in 1987.  It was designed to destroy all executable program files every Friday the 13th.  This virus spawned a large number of variants which activated on different dates and created numerous symptoms – some intended and others accidental – but the majority of them, like the original, deleted or destroyed executable programs.  The motivations behind these attacks are perplexing because the destruction of resources seems pointless.  The question, “Why don’t these programmers put their skills to more productive use?” seems to have inspired the current mindset among malware authors, although not in the direction we would have liked.

While the pranksters and anarchists may still be around, of much greater concern these days is the alarming prevalence of viruses, Trojans, and worms whose creators are financially motivated, with connections to illegal gangs and organized crime.  Thus, the coinage of the term “crimeware.”  Far from trying to make the most dramatic impact possible as was the case with original malware, crimeware attempts to conceal its presence completely, avoiding detection as long as possible.  Indeed, hundreds of thousand – even millions – of PCs and servers are infected at any given time, in most cases without the knowledge of their owners.  Crimeware employs a number of techniques to allow it to run in stealth mode.  Rootkits for example install themselves deeply within an operating system and redirect standard system calls so that their processes run invisibly.  This makes it difficult even for antivirus and other security programs to detect and remove them.

Crimeware, as the name implies, exists to help its authors perpetrate crimes, such as identity theft, fraud, financial scams, theft of intellectual property and industrial secrets, access to confidential information.  Keyloggers, often delivered via a virus or worm, work to capture users’ keystrokes and transmit them to criminals, who in turn analyze the data to discover passwords and security phrases.  Why risk getting shot while robbing a bank, when one can simply use a stolen password and electronically clean out someone’s bank account?

As bad as this kind of crimeware is, there is one more trend that is even more disturbing.  Using worms, viruses, and Trojans, crimeware authors have been deploying agents which give them remote control over infected machines.  The average size of networks of such infected machines (referred to as “botnets”) is about 20,000 computers, but some have reportedly numbered in the millions.  Botnets give their criminal perpetrators control over enormous computing power heretofore unavailable except to agencies with access to super-computers.  They harness this power to launch phishing and denial-of-service attacks, send out massive amounts of spam, crack passwords, and perpetrate other types of internet crime.  Botnet controllers have gone so far as to create complete business models, licensing segments of their botnets to members of organized crime and other criminal elements for targeted attacks on specific businesses, government agencies, or market segments.  Sometimes these “services” come complete with technical support!

As an indication of just how serious the impact of crimeware is these days, the FBI recently issued a press release where they state that crimeware in general and botnets in particular represent “a growing threat to national security, the national information infrastructure, and the economy.”

UNC data breach exposes 163,000 SSNs

Another recent large scale breach has been identified as University of North Carolina at Chapel Hill notified around 163,000 women that there is a potential compromise that may result in the leak of personal information as well as their social security numbers.  This potential leak is due to a hacker breaching a system containing this data.

Although the breached server at UNC School of Medicine contained information on 236,000 women, only 163,000 contained social security information.   Matt Mauro, chairman of the university’s Department of Radiology said the breach was originally discovered in July but the intrusion may have taken place as long as two years ago.  Mauro said “We think we found some viruses that date back to 2007”.

The server was taken offline since July when the breach was detected and the sites sending information to UNC have temporarily stopped.  Forensic teams required time to piece together the extent of the damage and potential leaked information and is the main reason given for the delayed annoucement.  They do not believe the information was downloaded or modified in anyway at this point.

Do you have Conficker?

One of the quickest and easiest ways to tell if you are infected with Conficker virus is to look below and see if any of the images from four of the 100+ security sites blocked by Conficker do not load.  I put four images for the following security websites: Kaspersky Lab, F-Secure, Secureworks, and Trend Micro below. If you have any problems loading these images or visiting the sites listed, you may be infected with the Conficker virus. If you are using a proxy server you will likely still be able to load the images and this is not a good test.

If you believe you are infected with Conficker (Kido/Downadup) check out Kaspersky’s KKiller tool to remove it.

Images are trademarks of their respective owners.

Malware Statistics July 2008

Throughout July the majority (76%) of all malware identified fell into the Trojan category. Of the 20,704 unique malware findings in July, 20,000 of them were found in the wild.

1 Trojan.Win32.DNSChanger.ech
2 Trojan-Downloader.WMA.Wimad.n
3 Trojan.Win32.Monderb.gen
4 Trojan.Win32.Monder.gen
5 not-a-virus:AdWare.Win32.HotBar.ck
6 Trojan.Win32.Monderc.gen
7 not-a-virus:AdWare.Win32.Shopper.v
8 not-a-virus:AdTool.Win32.MyWebSearch.bm
9 Trojan.Win32.Agent.abt
10 Worm.VBS.Autorun.r
11 Trojan.Win32.Agent.rzw
12 Trojan-Downloader.Win32.CWS.fc
13 not-a-virus:AdWare.Win32.Mostofate.cx
14 Trojan-Downloader.JS.Agent.bi
15 Trojan-Downloader.Win32.Agent.xvu
16 not-a-virus:AdWare.Win32.BHO.ca
17 Trojan.Win32.Agent.sav
18 Trojan-Downloader.Win32.Obitel.a
19 Trojan.Win32.Chifrax.a
20 Trojan.Win32.Agent.tfc

Source: Kaspersky Lab