Malware du Jour

ESET, the anti-malware company for which I work, has just published its half-yearly report on global malware trends, based on data generated by automatic threat-tracking systems. Few people who read this blog will be interested in the marketing aspects of that document, but I thought you might find some of the conclusions interesting.

  • We’ve noticed (actually over far longer than six months) a huge number of detections of malware that uses the Windows AutoRun facility to self-install from removable media (USB flash drives, CDs and so on). It may seem slightly surprising that other vendors haven’t flagged this trend particularly, but it doesn’t mean they don’t detect the same things: it’s just that we have a heuristic that highlights that trend. In the same way, another vendor has a detection that highlights a high proportion of iFrame exploits. We’re very aware of the ever-increasing volume of web-hosted threats, but we don’t have an exact equivalent to that heuristic, so that particular trend isn’t so obvious from our (prevalence-based) figures.
  • Possibly Unwanted Applications (PUAs) and other adware and spyware detections occupy several places in our top ten. That’s not a complete novelty, but the impact of the Virtumonde Trojan in particular is dramatic. Virtumonde is a real pain: its authors work hard at hiding it from specific anti-malware products, and it can be grim trying to remove it from a system when it’s in memory. Leaving it there isn’t much of an option, either: it has a habit of pounding an infected system with so much advertising that it becomes unusable.
  • There’s been a dramatic decline in the use of email to distribute new malicious attachments: of course, it remains a prime vector for the dissemination of malicious URLs. What interested me was the sheer volume of antique mass mailers like Netsky.Q, but my guess is that these are mostly generated by unprotected home machines running obsolescent Windows versions.
  • Password stealing attacks on online gamers and haunters of metaverses like Second Life have been around for a while, too, but they’ve overtaken AutoRun exploits in the “top ten” over the past few months. And that’s not even taking into account other attacks like griefing and replicative “grey goo” style attacks.

David Harley
ESET Malware Intelligence Team

  • nonl33t

    David two questions –

    1. How do you define “possibly unwanted applications”?
    2. Who benefits from stealing on-line gamers’ passwords? Someone must be paying the cost for the malware distribution, no?

  • David Harley

    1. There’s a good (and vendor-neutral) entry at Virus Bulletin’s web site at My definition would (will) be slightly different, though: I’d make a distinction between PUAs and other forms of adware, spyware and other manifestations of badness. In general, a PUA will have some functionality that might just be considered useful by the PC user, or is installed as part of the installation process for another presumed desirable package (so the user might accept the activities of the PUA as a trade-off against the advantages of the package he intended to install). Characteristically, the package will include some indication of the less-desirable functionality, though it’s likely to be buried deep in the EULA (End User License Agreement) where the user is less likely to notice it. In my opinion, software crosses the somewhat hazy line between PUA and Trojan when it (1) doesn’t give any indication whatsoever of the undesirable functionality it includes (2) and/or is associated with unequivocally malicious or fraudulent activity (3) and/or pushes its own agenda (advertising, distribution of spam or malware, and so on) so that the PC owner is unable to use his system for his own legitimate purposes (think Virtumonde!).

    2. The cost of malware development and distribution is recouped through the auctioning of characters and avatars, points, the conversion of “virtual” money to real dollars, and so on. For instance, we know of WoW characters being sold routinely for $1000-1500, and sometimes for much more. Make no mistake. This has stopped being about adolescents bullying and exploiting each other for kicks: this is a profitable business.

  • nonl33t

    “a PUA will have some functionality that might just be considered useful by the PC user, or is installed as part of the installation process for another presumed desirable package [...] the package will include some indication of the less-desirable functionality”

    Isn’t this a bit broad? Many large and respectable vendors (Adobe, Macromedia, Apple, Real) stick some marketing utils inside free useful tools – I would be surprised if ESET would dare to mark or report those. Am I wrong?

  • David Harley

    Marketing isn’t in itself an illegitimate activity. The point of contention is where any useful functionality is overshadowed by undesirable activity. I don’t really think it’s possible to be much more specific in a short definition. You can recognize what most people would think of as unacceptable behaviour, but including every possible “undesirable activity” isn’t practical.

  • nonl33t

    Ok, thanks… I just wanted a quick peek into your mind on how you classify such malware. What you said makes a lot of sense.

  • David Harley

    Thanks. :) Not often I’m accused of making sense…