Malware Statistics – March 2010

Malicious programs detected on users’ computers

Top twenty malicious programs detected on users computers throughout the month of March.

Position Change in position Name Number of infected computers
1 0 332833
2 0 Virus.Win32.Sality.aa 211229
3 0 Net-Worm.Win32.Kido.ih 186685
4 0 181825
5 0 121027
6 0 Trojan-Downloader.Win32.VB.eql 68580
7 New Trojan.Win32.AutoRun.abj 66331
8 1 Virus.Win32.Virut.ce 61003
9 1 Packed.Win32.Krap.l 55823
10 -2 55065
11 4 Worm.Win32.Mabezat.b 49521
12 -5 Exploit.JS.Aurora.a 43776
13 New 40912
14 New Trojan.Win32.AutoRun.aay 40754
15 3 Trojan-Dropper.Win32.Flystud.yo 40190
16 -4 Virus.Win32.Induc.a 38683
17 -4 38547
18 New Trojan.Win32.AutoRun.abd 37037
19 -5 not-a-virus:AdWare.Win32.Boran.z 36996
20 0 not-a-virus:AdWare.Win32.FunWeb.q 34177
Source: Kaspersky Lab

Most “Malware” is now “Crimeware”

Computer viruses, Trojans, and worms have evolved a great deal since their inception in the 1970s.  Originally the province of pranksters and glory seekers, then anarchists trying to see how much damage they can cause, the new generation of malicious hackers is in it for the money.

The first widespread virus outbreak occurred in 1982 and was known as “Elk Cloner.”  At every 50th boot, it would display a humorous poem, but was otherwise harmless.  Since then there have been many viruses and variants that caused no intentional damage to hardware or software, but at various or random intervals would display jokes, political messages, or humorous (to the virus authors, at least) messages.  Such “harmless” malware can still be disruptive though, by clogging networks, slowing system performance, and consuming storage space.

It wasn’t long after that first widespread outbreak that virus technology attracted a more despicable breed of hacker, those who create malware with intentionally destructive capabilities.  A prime example is the Jerusalem virus launched in 1987.  It was designed to destroy all executable program files every Friday the 13th.  This virus spawned a large number of variants which activated on different dates and created numerous symptoms – some intended and others accidental – but the majority of them, like the original, deleted or destroyed executable programs.  The motivations behind these attacks are perplexing because the destruction of resources seems pointless.  The question, “Why don’t these programmers put their skills to more productive use?” seems to have inspired the current mindset among malware authors, although not in the direction we would have liked.

While the pranksters and anarchists may still be around, of much greater concern these days is the alarming prevalence of viruses, Trojans, and worms whose creators are financially motivated, with connections to illegal gangs and organized crime.  Thus, the coinage of the term “crimeware.”  Far from trying to make the most dramatic impact possible as was the case with original malware, crimeware attempts to conceal its presence completely, avoiding detection as long as possible.  Indeed, hundreds of thousand – even millions – of PCs and servers are infected at any given time, in most cases without the knowledge of their owners.  Crimeware employs a number of techniques to allow it to run in stealth mode.  Rootkits for example install themselves deeply within an operating system and redirect standard system calls so that their processes run invisibly.  This makes it difficult even for antivirus and other security programs to detect and remove them.

Crimeware, as the name implies, exists to help its authors perpetrate crimes, such as identity theft, fraud, financial scams, theft of intellectual property and industrial secrets, access to confidential information.  Keyloggers, often delivered via a virus or worm, work to capture users’ keystrokes and transmit them to criminals, who in turn analyze the data to discover passwords and security phrases.  Why risk getting shot while robbing a bank, when one can simply use a stolen password and electronically clean out someone’s bank account?

As bad as this kind of crimeware is, there is one more trend that is even more disturbing.  Using worms, viruses, and Trojans, crimeware authors have been deploying agents which give them remote control over infected machines.  The average size of networks of such infected machines (referred to as “botnets”) is about 20,000 computers, but some have reportedly numbered in the millions.  Botnets give their criminal perpetrators control over enormous computing power heretofore unavailable except to agencies with access to super-computers.  They harness this power to launch phishing and denial-of-service attacks, send out massive amounts of spam, crack passwords, and perpetrate other types of internet crime.  Botnet controllers have gone so far as to create complete business models, licensing segments of their botnets to members of organized crime and other criminal elements for targeted attacks on specific businesses, government agencies, or market segments.  Sometimes these “services” come complete with technical support!

As an indication of just how serious the impact of crimeware is these days, the FBI recently issued a press release where they state that crimeware in general and botnets in particular represent “a growing threat to national security, the national information infrastructure, and the economy.”