Global Threat Report – Half Year

Our mid-yearly Global Threat Report looks at malware threat trends over the past six months, based on data from our ThreatSense®.net threat tracking system. This report focuses on broad trends rather than individual malware variants: this reflects better the proactive detection which is the strength of our products, but is also more useful to most readers. Here’s a fairly brief summary of a rather bulky document.

  • Malicious software that tries to use the Windows Autorun facility to self-install from removable media (such as flash drives and CDs) continues to flourish. While we have an efficient heuristic detection for this, we strongly advise disabling the facility in Windows.
  • We’ve been seeing high volumes of malware intended to steal passwords for online gaming and virtual worlds like Second Life since 2007 and earlier, but are now seeing a dramatic upsurge. This isn’t just about teenage mischief any more: the theft of “virtual” treasure often translates into real profit for organized criminal gangs. While we’re pleased to see other security vendors taking more notice of the issue recently, users in general need to be aware of just how much malicious activity occurs in virtual worlds (phishing, “grey goo” viral malware, griefing attacks).
  • Potentially Unwanted Applications and other adware and spyware continue to constitute a large proportion of the programs we detect. While such programs are sometimes defended as being harmless and legitimate advertising material, they’re often presented in a deceptive manner, skating over the damaging effects on the usefulness of an affected system:
    • Extensive modifications are made to the host system, and may entail breaches of privacy, inability to access legitimate sites, and exposure to malicious sites and software.
    • Once installed, it’s made intentionally difficult to remove the application, especially when it’s still in memory.
    • The performance hit caused by the program’s payload can amount to a denial of service. Adware like the Virtumonde Trojan can serve so much advertising material that the system becomes effectively unusable for the legitimate purposes for which the owner acquired it.
  • The use of email as a direct channel for the transport of new malware is in dramatic decline, though email remains a major vector for the transmission of malicious URLs, so that social engineering is used to persuade the recipient to access a malicious web site. Malicious attachments are far less likely to be completely new threats: indeed, many of the top detections are elderly mass mailers like Netsky.Q, suggesting that the main sources of email-borne malware nowadays are unprotected machines, probably mostly home machines rather than corporate systems.

As a result of the way the threat scene changes at an ever-accelerating rate, most of our top-ranking detections are generic and/or heuristic, focusing on detecting and blocking malware before it has a chance to cause damage, rather than waiting for detailed laboratory analysis. Generic signatures and advanced heuristics identify new malware through code and behavior analysis, supplementing signature detection and greatly expanding the range of threats detected. It’s also possible when a product uses advanced multiple heuristic algorithms, for a single sample to be detectable potentially by more than one detection (generic, heuristic, or signature), and several factors may determine which detection is actually “flagged” when the scanner checks the sample.

The only detection in the global top ten over the period in question that identified a specific variant was an IRCBot variant. Bots remain a major malware issue, but tend to be somewhat under-represented in “top ten” lists based on prevalence, because of the wide range of bot families and the comparatively short lifespan of specific bot instantiations. Successful botnets are highly adaptive, continually changing and evolving in order to reduce the risk of detection by security software: they don’t tend to be propagated by long runs of the same malware.

David Harley
Malware Intelligence Team

Author David Harley, ESET

Follow us

Copyright © 2017 ESET, All Rights Reserved.