As I mentioned in the previous post, my laptop was recently infected by a trojan virus designed to steal confidential information. From what I learned, it was developed specifically to steal authentication data such as IDs and passwords for bank and credit card websites. This was very disturbing and motivated me to do a little research on the scope of the malware problem today. In addition to the financial cost, what really irks me about malware and the criminals/creeps that develop and distribute it is the time it robs from people. Based on the numbers I have uncovered, on a worldwide basis the amount of time that gets taken from people dealing with unexpected computer problems due to malware must be phenomenal. The previous post provides a general gauge of the size of the problem. This article focuses on the different types of malware and their prevalence worldwide.
I spent a considerable amount of time researching malware statistics “by type” trying to obtain credible numbers as of 2009. I found out that these numbers are not easy to come by. For that reason, I decided to reference Microsoft’s Security Intelligence Report (SIR) 2009 because it is a comprehensive analysis of 2009 data but more importantly because, according to their SIR, Microsoft security products “gather data from more than 500 million computers worldwide and from some of the Internet’s busiest online services.” That’s a pretty credible data set for any analysis.
The following table provides a breakdown of malware types. The unique samples listed in column 2 were submitted to the Microsoft Malware Protection Center through Microsoft’s worldwide data collection network.
|Malware Type|Unique Samples|
|---|---|
|Trojan Downloaders & Droppers|9,107,556|
|Misc. Potentially Unwanted Software|4,674,336|
|Password Stealers & Monitoring Tools|2,217,902|
(Source: Microsoft SIR)
In their report, Microsoft points out that “Malware authors attempt to evade detection by continually releasing new variants in an effort to outpace the release of new signatures by antivirus vendors. One way to determine which families and categories of malware are currently most active is to count unique samples.”
These “samples” provide characteristic byte patterns (signatures) that allow viruses to be distinguished from one another and they are the foundation for how all antivirus vendors develop their antivirus software solutions. It’s important to keep in mind, therefore, that the above table reflects only Microsoft data. While there are over 25 major antivirus software vendors, none has the worldwide reach of Microsoft based on its Internet Explorer browser and PC operating systems. My goal in including the data in the table above is to provide an understanding of the different types of malware in existence today and a sense of how active they are across the internet.
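To make the idea of "unique samples" and byte-pattern signatures concrete, here is an added example (not from Microsoft's report or any antivirus product). It deduplicates submitted files by hash, classifies each unique one by signature, and counts unique samples per family. The family names, byte patterns and submissions are all constructed for illustration.

```python
import hashlib
from collections import Counter
from typing import Optional

# Constructed signatures: hypothetical family names and byte patterns.
SIGNATURES = {
    "Family.A": bytes.fromhex("deadbeef0102"),
    "Family.B": b"EXAMPLE-MARKER-B",
}

def classify(sample: bytes) -> Optional[str]:
    """Return the first family whose byte pattern occurs in the sample."""
    for family, pattern in SIGNATURES.items():
        if pattern in sample:
            return family
    return None

def count_unique_samples(submissions) -> Counter:
    """Deduplicate submissions by SHA-256, then count unique samples per family.

    Two files that differ by a single byte hash differently, so every new
    variant is a new unique sample even when the same signature still matches.
    """
    seen = {}
    for blob in submissions:
        digest = hashlib.sha256(blob).hexdigest()
        seen.setdefault(digest, classify(blob))
    return Counter(family or "unclassified" for family in seen.values())

# Constructed submissions standing in for files sent to a collection network.
SUBMISSIONS = [
    b"\x00" * 8 + SIGNATURES["Family.A"] + b"build-1",
    b"\x00" * 8 + SIGNATURES["Family.A"] + b"build-1",  # exact duplicate
    b"\x00" * 8 + SIGNATURES["Family.A"] + b"build-2",  # variant, same pattern
    b"\x90" * 4 + SIGNATURES["Family.A"] + b"build-3",  # variant, same pattern
    b"hdr" + SIGNATURES["Family.B"] + b"v1",
    b"hdr" + b"EXAMPLE-MARKER-b" + b"v2",  # pattern differs: needs a new signature
]

if __name__ == "__main__":
    for family, n in count_unique_samples(SUBMISSIONS).most_common():
        print(f"{family}: {n} unique sample(s)")
```

Six submissions collapse to five unique samples. The last one is counted as unclassified until a signature covering it is released, which is the gap between new variants and new signatures that the report describes.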
Malware Names and Definitions
The following are definitions for the malware types listed in the table above:
Virus – A computer virus propagates by inserting a copy of itself into and becoming part of another program. It spreads from one computer to another, leaving infections as it travels. (Source: Cisco Security Intelligence Operations)
Trojan – A trojan is another type of malware named after the wooden horse the Greeks used to infiltrate Troy. It is a harmful piece of software that looks legitimate. Users are typically tricked into loading and executing it on their systems. After it is activated, it can achieve any number of attacks on the host, from irritating the user (popping up windows or changing desktops) to damaging the host (deleting files, stealing data, or activating and spreading other malware, such as viruses). Trojans are also known to create back doors to give malicious users access to the system. Unlike viruses and worms, Trojans do not reproduce by infecting other files nor do they self-replicate. Trojans must spread through user interaction such as opening an e-mail attachment or downloading and running a file from the Internet. (Source: Cisco Security Intelligence Operations)
Adware is a type of advertising display software that delivers advertising content potentially in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions and therefore may also be categorized as tracking technologies. (Source: Lavasoft Security Center glossary)
Exploits – Malicious code that takes advantage of software vulnerabilities to infect a computer (Source: Microsoft Security Intelligence Report 2009, glossary). Wikipedia goes further, stating that “exploits are commonly categorized and named by these criteria: a) The type of vulnerability they exploit. b) Whether they need to be run on the same machine as the program that has the vulnerability (local) or can be run on one machine to attack a program running on another machine (remote). c) The result of running the exploit (EoP, DoS, Spoofing, etc…).” (Source: Wikipedia)
Worms – Computer worms are similar to viruses in that they replicate functional copies of themselves and can cause the same type of damage. In contrast to viruses, which require the spreading of an infected host file, worms are standalone software and do not require a host program or human help to propagate. To spread, worms either exploit a vulnerability on the target system or use some kind of social engineering to trick users into executing them. A worm enters a computer through a vulnerability in the system and takes advantage of file-transport or information-transport features on the system, allowing it to travel unaided. (Source: Cisco Security Intelligence Operations)
Password Stealers & Monitoring Tools – A password stealer is specifically used to transmit personal information, such as user names and passwords. It often works in conjunction with a keylogger, which sends keystrokes or screen shots to an attacker. Monitoring tools monitor activity, usually by capturing keystrokes or screen images. It may also include network sniffing software. (Source: Microsoft Security Intelligence Report 2009, glossary)
Backdoors refer to a type of trojan that provides attackers with remote access to infected computers. Bots are a subcategory of backdoor trojans. (Source: Microsoft Security Intelligence Report 2009, glossary)
Spyware tracks your surfing behavior to create a marketing profile for you that is transmitted without your knowledge to the compilers and sold to advertising companies. If you see new toolbars in your Internet Explorer that you haven’t intentionally installed, if your browser crashes inexplicably, or if your home page has been “hijacked” (or changed without your knowledge), your computer is most probably infected with spyware. (Source: Spybot Search & Destroy)
Bot – The term bot is derived from the word “robot” and is an automated process that interacts with other network services. Bots often automate tasks and provide information or services that would otherwise be conducted by a human being. A typical use of bots is to gather information (such as web crawlers), or interact automatically with instant messaging (IM), Internet Relay Chat (IRC), or other web interfaces. They may also be used to interact dynamically with websites.
Bots can be used for either good or malicious intent. A malicious bot is self-propagating malware designed to infect a host and connect back to a central server or servers that act as a command and control (C&C) center for an entire network of compromised devices, or “botnet.” With a botnet, attackers can launch broad-based, “remote-control,” flood-type attacks against their target(s). In addition to the worm-like ability to self-propagate, bots can include the ability to log keystrokes, gather passwords, capture and analyze packets, gather financial information, launch DoS attacks, relay spam, and open back doors on the infected host. Bots have all the advantages of worms, but are generally much more versatile in their infection vector, and are often modified within hours of publication of a new exploit. They have been known to exploit back doors opened by worms and viruses, which allows them to access networks that have good perimeter control. Bots rarely announce their presence with high scan rates, which damage network infrastructure; instead they infect networks in a way that escapes immediate notice. (Source: Cisco Security Intelligence Operations)
The type of malware my laptop was recently infected with was a Trojan Downloader. Specifically, it was TrojanDownloader:Win32/BredOlab.AC. Once it was on my machine, it apparently spawned the virus TrojanSpy:Win32/URsnif.FJ. In my next post, I will provide details on some of the symptoms of this virus and how it was removed.
In closing, here are a few short videos from Microsoft that discuss ways criminals disseminate malware and how to protect yourself. To be clear, I’m not a Microsoft employee nor do I get paid to advertise for them. I recommend these instructional videos simply because I think they are informative and useful for busy small business owners. I also recommend Microsoft’s latest “free” antivirus solution, “Microsoft Security Essentials” (MSE), but… only in conjunction with other complementary anti-malware solutions. The reality is, no one solution is 100% effective. With millions of malware variants on the attack across the internet and more being developed every day, it would not be realistic to expect one product to handle everything. The trick is to use compatible products, which generally means configuring only one to work in real time (resident) and using the other(s) as a manual malware scanner. I will talk about this in a future post: “Anti-virus (Anti-malware) Solutions”. Until then, surf selectively and safely.