Top Ten 2008 Threats

The top ten (twenty, twenty-five…) season doesn’t seem to have finished yet: the latest to cross my radar was something like seven ways of surviving the recession, which I’m sure is of interest to all of us, but not really in scope for this blog.

So here’s a snippet from our 2008 Global Threat Report, which is about to come out, and from which I’ve previously included some tasters here.

Our in-the-cloud threat-tracking system ThreatSense.Net® gives us a way of tracking detections of known threats over months or years (you may have noticed that I referred to it in a previous blog about Conficker/Downadup), so we looked at the top twenty threat detections reported between January and December 2008.

(See table 1 below)

As you’ll have noticed, there are quite a few very similar detections there, such as INF/Autorun, INF/Autorun.gen, and Win32/Autorun.KS, or all the Online Games Password stealers, so we consolidated some of them into a single detection category, as we do for our monthly reports, and reduced the resulting detections to a top ten. (Sometimes, less is more.)

In fact, these detections could have been consolidated further – for instance, there’s an overlap between Pacex and gamer password stealers – but we think that the table above gives a pretty good impression of the underlying trends, which seems to us more useful than focusing on individual variants and sub-families.

The top ten trends are shown in table 2 below.

There’s much more information in the forthcoming report (I’ll link it here when it’s available), but here’s a brief summary of what this table tells us about trends over the past year.

  • Gaming password stealers have the largest volume and percentage share over the whole year, even if we don’t include Pacex.gen detections. Gamers are a very popular target.
  • Malware that uses the Windows Autorun facility as an infection vector (a very broad classification label) runs gaming trojans a close second. Autorun would be a good idea in a better world, but in the one we actually live in, it’s better for most people if it’s disabled.
  • While the general classification of adware covers many distinct programs, the continuing presence of Win32/Toolbar.MyWebSearch and the many variants of the Virtumonde Trojan in the top ten give some idea of the size of the problem.
  • The GetCodec downloader and associated threats continue to be a major presence. This testifies to the continued success of social engineering of the “click here and install this program so that you can view this highly desirable content” genus.
  • Data theft through PC compromise is one of the most consistent aims of the malware author, as the Win32/Agent group of Trojans indicates.
  • The continuing presence of advanced detections like INF/Autorun, Win32/Statik and Win32/Genetik in the top ten testifies to the continuing need for sophisticated heuristics to flag the presence of new malware that doesn’t resemble known malware closely enough to be identified using an existing family identifier.

Table 1: Top 20 Detections

| Malware Detection Name | Detections | % of total detections |
|---|---|---|
| Win32/PSW.OnLineGames.NMY | 22990746 | 6.69% |
| INF/Autorun.gen | 13827373 | 4.03% |
| INF/Autorun | 10593305 | 3.08% |
| Win32/Toolbar.MyWebSearch | 8921028 | 2.60% |
| Win32/Pacex.Gen | 8620971 | 2.51% |
| Win32/PSW.OnLineGames.NMP | 6713116 | 1.95% |
| WMA/TrojanDownloader.GetCodec.Gen | 5685400 | 1.66% |
| WMA/TrojanDownloader.Wimad.N | 5218889 | 1.52% |
| Win32/PSW.OnLineGames.NNU | 5096504 | 1.48% |
| Win32/Agent | 4859566 | 1.41% |
| Win32/Adware.Virtumonde | 4588952 | 1.34% |
| Win32/AutoRun.KS | 4087011 | 1.19% |
| Win32/Genetik | 3828021 | 1.11% |
| Win32/Qhost | 3717897 | 1.08% |
| Win32/Statik | 3244414 | 0.94% |
| Win32/TrojanDownloader.Murlo.NN | 3140400 | 0.91% |
| Win32/Agent.AJVG | 2900763 | 0.84% |
| Win32/HackAV.G | 2305628 | 0.67% |
| Win32/PSW.OnLineGames.ODJ | 2270310 | 0.66% |
| Win32/Patched.BU | 2254901 | 0.66% |

Table 2: Top Ten Trend Detections

| Malware Detection Name | Detections | % of total detections |
|---|---|---|
| Win32/PSW.OnLineGames | 37070676 | 10.78% |
| INF/Autorun | 28507689 | 8.30% |
| WMA/TrojanDownloader.GetCodec.Gen | 10904289 | 3.18% |
| Win32/Toolbar.MyWebSearch | 8921028 | 2.60% |
| Win32/Pacex.Gen | 8620971 | 2.51% |
| Win32/Agent | 7760329 | 2.25% |
| Win32/Adware.Virtumonde | 4588952 | 1.34% |
| Win32/Genetik | 3828021 | 1.11% |
| Win32/Qhost | 3717897 | 1.08% |
| Win32/Statik | 3244414 | 0.94% |

David Harley 
Director of Malware Intelligence

Author David Harley, ESET

  • Great post, thanks for sharing it with us.

    Hope to see more of those on this blog. Also would like to get info from here about the latest news in the industry.

  • Thank you! :)

    There will certainly be more of these. We’ll see what we can do about industry news. Some people get cold shivers if we mention other companies too much, but as researchers, we’re very aware that some of our competitors are also co-members of a community. I might come back to this theme tomorrow. ;-)

  • Hi. Good one! Mind if we re-use?

    Also….have you got this one on your radar?


  • Thanks, Urban!

    You’re very welcome to re-use. :)

    We’re well aware of Waledec. In fact, Pierre-Marc blogged on December (see about its resemblance to Storm. I’m up to my ears in other stuff today, but we’re probably overdue to revisit Waledec here, in view of the use of inauguration-related social engineering. I’ll try to get back to it soon.
