Render Visions

Types of Malware

As I mentioned in the previous post, my laptop was recently infected by a trojan virus designed to steal confidential information. From what I learned, it was developed specifically to steal authentication data such as IDs and passwords for bank and credit card websites. This was very disturbing and motivated me to do a little research on the scope of the malware problem today. In addition to the financial cost, what really irks me about malware and the criminals/creeps that develop and distribute it, is the time it robs from people. Based on the numbers I have uncovered, on a worldwide basis the amount of time that gets taken from people dealing with unexpected computer problems due to malware must be phenomenal. The previous post provides a general gauge of the size of the problem. This article focuses on the different types of malware and their prevalence worldwide.

I spent a considerable amount of time researching malware statistics “by type” trying to obtain credible numbers as of 2009. I found out that these numbers are not easy to come by. For that reason, I decided to reference Microsoft’s Security Intelligence Report (SIR) 2009 because it is a comprehensive analysis of 2009 data but more importantly because, according to their SIR, Microsoft security products “gather data from more than 500 million computers worldwide and from some of the Internet’s busiest online services.” That’s a pretty credible data set for any analysis.

The following table provides a breakdown of malware types. The unique samples listed in column 2 were submitted to the Microsoft Malware Protection Center through Microsoft’s worldwide data collection network.

Malware Type                              Unique Samples (Jul-Dec '09)
Viruses                                   71,991,221
Miscellaneous Trojans                     26,881,574
Trojan Downloaders & Droppers              9,107,556
Misc. Potentially Unwanted Software        4,674,336
Adware                                     3,492,743
Exploits                                   3,341,427
Worms                                      3,006,966
Password Stealers & Monitoring Tools       2,217,902
Backdoors                                    812,256
Spyware                                      678,273
Total                                    126,204,254

(Source: Microsoft SIR)

In their report, Microsoft points out that “Malware authors attempt to evade detection by continually releasing new variants in an effort to outpace the release of new signatures by antivirus vendors. One way to determine which families and categories of malware are currently most active is to count unique samples.”

These “samples” provide characteristic byte patterns (signatures) that allow viruses to be distinguished from one another and they are the foundation for how all antivirus vendors develop their antivirus software solutions. It’s important to keep in mind, therefore, that the above table reflects only Microsoft data. While there are over 25 major antivirus software vendors, none has the worldwide reach of Microsoft based on its Internet Explorer browser and PC operating systems. My goal in including the data in the table above is to provide an understanding of the different types of malware in existence today and a sense of how active they are across the internet.
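To make the two ideas above concrete (matching byte-pattern signatures, and counting unique samples by hash so that every new variant counts once), here is a small Python model. It is an added example, not code from this post, from Microsoft or from any antivirus vendor; the signatures, family names and sample bytes are all constructed for the demo and the categories simply mirror the table.

```python
import hashlib
from collections import Counter

# Constructed demo signatures: (family, category, byte pattern). These are NOT real
# antivirus signatures; the category names mirror the SIR table above.
SIGNATURES = [
    ("Demo.Virus.A", "Viruses", b"DEMO-VIRUS-A"),
    ("Demo.Downloader.B", "Trojan Downloaders & Droppers", b"GET /payload.bin"),
    ("Demo.PWS.C", "Password Stealers & Monitoring Tools", b"keylog:"),
]

def classify(sample: bytes):
    """Return (family, category) for the first signature whose byte pattern occurs
    in the sample, or None if nothing matches (the sample is either clean or a
    variant the signature set does not yet cover)."""
    for family, category, pattern in SIGNATURES:
        if pattern in sample:
            return family, category
    return None

def scan_samples(samples):
    """Count unique samples per category the way the SIR table does: a sample is
    'unique' if its SHA-256 has not been seen before, so a repacked variant with a
    single changed byte counts as a new sample while an exact duplicate does not."""
    seen = set()
    by_category = Counter()
    unclassified = 0
    for blob in samples:
        digest = hashlib.sha256(blob).hexdigest()
        if digest in seen:
            continue                      # exact duplicate: not a new variant
        seen.add(digest)
        hit = classify(blob)
        if hit is None:
            unclassified += 1             # clean, or a variant that evades the patterns
        else:
            by_category[hit[1]] += 1
    return {"unique": len(seen), "by_category": dict(by_category), "unclassified": unclassified}

# Constructed sample set (plain bytes, nothing executable).
SAMPLES = [
    b"MZ\x90\x00DEMO-VIRUS-A" + b"\x00" * 8,   # virus, build 1
    b"MZ\x90\x00DEMO-VIRUS-A" + b"\x01" * 8,   # same family, repacked: new hash, still detected
    b"MZ\x90\x00DEMO-VIRUS-A" + b"\x00" * 8,   # exact duplicate of build 1: not counted again
    b"MZ GET /payload.bin HTTP/1.1",            # downloader
    b"MZ GET /payl0ad.bin HTTP/1.1",            # downloader variant the pattern no longer matches
    b"just a text file",                        # clean
]

if __name__ == "__main__":
    for category, n in sorted(scan_samples(SAMPLES)["by_category"].items()):
        print(f"{category:40} {n}")
```

The fifth sample shows why vendors must keep shipping new signatures: one changed byte in the matched region defeats the pattern even though the hash-based unique-sample count still records it as a new file.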

Malware Names and Definitions

The following are definitions for the malware types listed in the table above:

Virus – A computer virus propagates by inserting a copy of itself into and becoming part of another program. It spreads from one computer to another, leaving infections as it travels. (Source: Cisco Security Intelligence Operations)

Trojan – A trojan is another type of malware named after the wooden horse the Greeks used to infiltrate Troy. It is a harmful piece of software that looks legitimate. Users are typically tricked into loading and executing it on their systems. After it is activated, it can achieve any number of attacks on the host, from irritating the user (popping up windows or changing desktops) to damaging the host (deleting files, stealing data, or activating and spreading other malware, such as viruses). Trojans are also known to create back doors to give malicious users access to the system. Unlike viruses and worms, Trojans do not reproduce by infecting other files nor do they self-replicate. Trojans must spread through user interaction such as opening an e-mail attachment or downloading and running a file from the Internet. (Source: Cisco Security Intelligence Operations)

Adware is a type of advertising display software that delivers advertising content potentially in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions and therefore may also be categorized as tracking technologies. (Source: Lavasoft Security Center glossary)

Exploits – Malicious code that takes advantage of software vulnerabilities to infect a computer. (Source: Microsoft Security Intelligence Report 2009, glossary) Wikipedia goes further, stating that “exploits are commonly categorized and named by these criteria: a) the type of vulnerability they exploit; b) whether they need to be run on the same machine as the program that has the vulnerability (local) or can be run on one machine to attack a program running on another machine (remote); c) the result of running the exploit (EoP, DoS, spoofing, etc.).” (Source: Wikipedia)

Worms – Computer worms are similar to viruses in that they replicate functional copies of themselves and can cause the same type of damage. In contrast to viruses, which require the spreading of an infected host file, worms are standalone software and do not require a host program or human help to propagate. To spread, worms either exploit a vulnerability on the target system or use some kind of social engineering to trick users into executing them. A worm enters a computer through a vulnerability in the system and takes advantage of file-transport or information-transport features on the system, allowing it to travel unaided. (Source: Cisco Security Intelligence Operations)

Password Stealers & Monitoring Tools – A password stealer is specifically used to transmit personal information, such as user names and passwords. It often works in conjunction with a keylogger, which sends keystrokes or screen shots to an attacker. Monitoring tools monitor activity, usually by capturing keystrokes or screen images. They may also include network sniffing software. (Source: Microsoft Security Intelligence Report 2009, glossary)

Backdoors refer to a type of trojan that provides attackers with remote access to infected computers. Bots are a subcategory of backdoor trojans. (Source: Microsoft Security Intelligence Report 2009, glossary)

Spyware tracks your surfing behavior to create a marketing profile for you that is transmitted without your knowledge to the compilers and sold to advertising companies. If you see new toolbars in your Internet Explorer that you haven’t intentionally installed, if your browser crashes inexplicably, or if your home page has been “hijacked” (or changed without your knowledge), your computer is most probably infected with spyware. (Source: Spybot Search & Destroy)

Bot – The term bot is derived from the word “robot” and is an automated process that interacts with other network services. Bots often automate tasks and provide information or services that would otherwise be conducted by a human being. A typical use of bots is to gather information (such as web crawlers), or interact automatically with instant messaging (IM), Internet Relay Chat (IRC), or other web interfaces. They may also be used to interact dynamically with websites.

Bots can be used for either good or malicious intent. A malicious bot is self-propagating malware designed to infect a host and connect back to a central server or servers that act as a command and control (C&C) center for an entire network of compromised devices, or “botnet.” With a botnet, attackers can launch broad-based, “remote-control,” flood-type attacks against their target(s). In addition to the worm-like ability to self-propagate, bots can include the ability to log keystrokes, gather passwords, capture and analyze packets, gather financial information, launch DoS attacks, relay spam, and open back doors on the infected host. Bots have all the advantages of worms, but are generally much more versatile in their infection vector, and are often modified within hours of publication of a new exploit. They have been known to exploit back doors opened by worms and viruses, which allows them to access networks that have good perimeter control. Bots rarely announce their presence with high scan rates, which damage network infrastructure; instead they infect networks in a way that escapes immediate notice. (Source: Cisco Security Intelligence Operations)

The type of malware my laptop was recently infected with was a Trojan Downloader. Specifically, it was TrojanDownloader:Win32/BredOlab.AC. Once it was on my machine, it apparently spawned the virus TrojanSpy:Win32/URsnif.FJ. In my next post, I will provide details on some of the symptoms of this virus and how it was removed.

In closing, here are a few short videos from Microsoft that discuss ways criminals disseminate malware and how to protect yourself. To be clear, I’m not a Microsoft employee nor do I get paid to advertise for them. I recommend these instructional videos simply because I think they are informative and useful for busy small business owners. I also recommend Microsoft’s latest “free” antivirus solution, Microsoft Security Essentials (MSE), but… only in conjunction with other complementary anti-malware solutions. The reality is, no one solution is 100% effective. With millions of malware variants on the attack across the internet and more being developed every day, it would not be realistic to expect one product to handle everything. The trick is to use compatible products, which generally means configuring only one to work in real time (resident) and using the other(s) as a manual malware scanner. I will talk about this in a future post: “Anti-virus (Anti-malware) Solutions”. Until then, surf selectively and safely.

What is Rogue Software

How to Check for Rogue Software

How to Defend Against Rogue Software

2 comments to Types of Malware

  • Thank you for the information! Very useful. My computer was recently infected by malware. I have tried several applications to get rid of it, but no luck. 🙁 In the end I found an expert blog about viruses and the guys running this blog were able to help me with the problem. They removed the virus from my computer in 30 minutes!

  • Packy

    Kudos to you! Great stuff here. Very clear and real simple to understand. I’m very selective in my “real-time” AV tool and turn off the MS firewall; I think it slows down the machine performance. I rely on several manual scanners to troll for malware (automated schedule). And, most importantly, I rely on staying current with information (such as you’re providing) and being vigilant while surfing.