You may be aware that in addition to our semi-annual global threat trends reports, we also do a monthly report. Much of this report is trend analysis based on data from our ThreatSense.Net threat tracking system. ThreatSense.Net® is an advanced threat tracking system which reports detection statistics from tens of millions of client computers around the world. This (anonymised) statistical information is collected from those users of ESET security software who choose to enable the reporting service in the product, and it gives a more comprehensive view of the behavior and spread of malware in the real world. While it's sometimes difficult to extract solid trend data over a few weeks, we often find that even a month-to-month tracking snapshot can suggest some interesting fluctuations in the threatscape, especially when checked against the figures going back over several months. And so it turns out with the November figures, which I've been looking at this weekend.

ESET's "top ten" results don't look exactly like anyone else's. That's not about whose product is better at detection: it's simply about the very different approaches to detection algorithms that different products use. In our case, because we make heavy use of advanced heuristics, our results may look very different to, for instance, a product that's heavily reliant on signature detection. Perhaps I should define again what the mainstream approaches to detection are (this is a somewhat simplified model):

  • Signature detection (searchstrings):
  • Generic signature detection (sigs that detect multiple variants and subvariants, and may detect some unknown malware that's sufficiently similar to known malware)
  • Passive heuristics (static scanning of a file or object)
  • Advanced heuristics and other forms of behavior analysis (dynamic analysis based on allowing the file to execute, albeit in a "safe" environment or context so that it can't do harm (emulation, sandbox etc).

Products that are still heavily into malware-specific signature scanning will tend to use names that look something like W32/UnpleasantBot.AKA, where the suffix identifies a variant. (A malware-specific signature can be considerably more complex than that, depending on the type of malware, though.) The more a product's detection lies at the behavior analysis end of the spectrum, though, the more variation in naming there is. That's because the name is likelier to reflect the heuristic algorithm used, not the "true name" of the malware.

In fact, the idea that each malicious program should have its own unique identifier is unrealistic in the current glut-ridden threatscape, as Pierre-Marc Bureau and I discussed in our paper "The Name of the Dose" at this year's Virus Bulletin. This is particularly so for ESET because of the sophistication of our heuristics.

So after that long preamble, what trends have we actually noticed this time?

  • Malware that uses the Windows Autorun facility has regained the top spot again, after several months where it was replaced by gaming password stealers. However, both are still seen in very high volumes, and percentage counts can be misleading in a monthly top ten. Still, the contrast between this month's reversal and the spike in gaming Trojans back in September is dramatic.
  • The Win32/Patched.BU label, which is applied to legitimate system files modified by malware so that a malicious file will be loaded at the same time as the modified file, is a new entry at number 5. This is a common approach, and we're seeing significant volumes of other variants.
  • The very similar WMA/TrojanDownloader.GetCodec.Gen, which facilitates infection by Win32/GetCodec.A, and WMA/TrojanDownloader.Wimad.N, are strongly represented at numbers 7 and 8, though both have dropped a few places since last month.

David Harley