Looking back at malware in 2009

2009 was the year in which nobody who uses the Internet could afford not to educate themselves about the dangers that lurk in the inbox, in Google’s search results, on the social networks they use, and sometimes even on their favorite news site.

This year has definitely been marked by the increase in malware being delivered directly to your door (so to speak). So, let’s look at the major threats.

Conficker
Also known as Kido, Downadup or Downup, this worm was first detected a little more than a year ago and originated in China. It targets machines running Windows; variants A and E take advantage of the OS’ MS08-067 vulnerability in the network service to install themselves. It spreads by sending specially crafted Remote Procedure Calls (RPC) to other machines; vulnerable machines then download a copy of the worm and become infected as well. RPC is a protocol that permits code to be executed remotely on a networked computer, which in this case allows the worm’s creator to take control of the infected machines remotely.

The worm also propagates over LANs through USB memory devices and network shares (variants B and C). Increasing the threat, the worm constantly updates itself, downloading new versions onto infected machines from different and changing IPs, which makes it difficult to block.

At the same time, variant E is designed to download other malware (the Waledac spambot, SpyProtect 2009 scareware) onto an infected computer. It is feared that this could be an indication that the worm’s authors are preparing to carry out a large-scale attack in the near future using the infected machines. April 1st was widely feared to bring about an unknown, devastating change in the worm’s behavior, but it resulted only in Conficker starting to generate 50,000 new URLs from which, supposedly, the malware would be able to update itself to a new version, starting a massive series of infections.
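The 50,000 generated URLs described above produce a stream of failed lookups for random-looking names from each infected host, which is how a resolver log betrays the update mechanism. The following detector is an added example, not code from the article; the log lines, the entropy threshold and the per-client count are constructed assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver log lines (client IP, queried name, response code); not real data.
SAMPLE_LOG = """\
10.0.0.5 www.example-news.com NOERROR
10.0.0.5 windowsupdate.microsoft.com NOERROR
10.0.0.7 www.example-news.com NOERROR
10.0.0.7 qxewvkzpmd.biz NXDOMAIN
10.0.0.7 hjzakwqpvc.info NXDOMAIN
10.0.0.7 mzxuqvwkrt.org NXDOMAIN
10.0.0.7 pqwozvxkjh.net NXDOMAIN
10.0.0.7 zkxiqvwmpl.biz NXDOMAIN
10.0.0.9 www.example-news.com NOERROR
10.0.0.9 typo-of-real-site.com NXDOMAIN
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN)$")


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(name):
    """Crude heuristic for a generated label: long, hyphen-free, high entropy."""
    label = name.split(".")[0]
    return "-" not in label and len(label) >= 8 and shannon_entropy(label) > 3.0


def flag_dga_clients(log_text, min_failed=5):
    """Return {client: [names]} for clients whose distinct failed lookups of
    generated-looking names reach min_failed in the log window."""
    failed = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        client, name, rcode = m.groups()
        if rcode == "NXDOMAIN" and looks_generated(name):
            failed[client].add(name)
    return {c: sorted(n) for c, n in failed.items() if len(n) >= min_failed}


if __name__ == "__main__":
    for client, names in flag_dga_clients(SAMPLE_LOG).items():
        print(client, "->", len(names), "failed generated-looking lookups")
```

On a real resolver log the window and threshold need tuning, since a single typo (the 10.0.0.9 line) must not trigger an alert on its own.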

It is difficult to say how many computers are infected with one or more Conficker variants at the moment. PandaLabs revealed in January that almost six percent of the two million computers they scanned showed an infection.

Once the machine is infected, the worm is notoriously good at protecting itself from being discovered and removed. It turns off Windows Update services – thereby preventing the machine from obtaining the very patch that would have prevented the initial exploit, and denies Internet access to the websites of many different security vendors.

Of all the things we know so far about Conficker, we still don’t know for sure what the final goal of its authors is, although it has been suggested that money could be behind the whole scheme, because of the offer to buy (rogue) anti-virus software.

Zeus/Zbot
Also known as WSNPOEM, NTOS and PRG, this online banking Trojan is the most prevalent financial malware on the Internet today.

It infects consumer PCs, waits for the user to log onto one of a list of targeted banks and financial institutions, and then sniffs the traffic and intercepts keystrokes, stealing user credentials that are sent to a remote server in real time. It can also modify, in the user’s browser, the genuine web pages served by a bank’s web servers so that they ask for personal information such as payment card number and PIN, one-time passwords, etc. It is believed to be controlled by Russian cybercriminals.
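Because the injected fields exist only in the victim’s browser, a bank can compare what its server sent with what a client-side integrity script reports back. The comparison below is an added example, not code from the article or any bank; the markup, the reporting mechanism and the SENSITIVE keyword list are constructed assumptions.

```python
from html.parser import HTMLParser

# Keywords for data a genuine sign-in page never requests; the article names
# card number, PIN and one-time passwords as what the Trojan asks for (constructed list).
SENSITIVE = ("card", "pin", "otp", "onetime", "cvv")


class FormFields(HTMLParser):
    """Collect the name attributes of <input> elements in a page."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            name = dict(attrs).get("name")
            if name:
                self.fields.append(name.lower())


def input_names(html):
    parser = FormFields()
    parser.feed(html)
    return parser.fields


def find_injected_fields(served_html, rendered_html):
    """Inputs present in the rendered page but absent from what the server sent."""
    baseline = set(input_names(served_html))
    return [f for f in input_names(rendered_html) if f not in baseline]


def is_sensitive(field):
    return any(k in field for k in SENSITIVE)


# Constructed pages: what the server sent and what the client reported rendering.
SERVED = """<form action="/login" method="post">
<input type="text" name="username"><input type="password" name="password">
<input type="submit" name="login"></form>"""

RENDERED = """<form action="/login" method="post">
<input type="text" name="username"><input type="password" name="password">
<input type="text" name="cardNumber"><input type="password" name="atmPIN">
<input type="submit" name="login"></form>"""

if __name__ == "__main__":
    for f in find_injected_fields(SERVED, RENDERED):
        print(f"injected field: {f} (asks for sensitive data: {is_sensitive(f)})")
```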

A report by Trusteer revealed that it infects machines running up-to-date anti-virus programs up to 77 percent of the time. According to ScanSafe research, the number of data-stealing Trojans has increased 1,424 percent in the past year (and a whopping 4,955 percent since 2007!).

How does the Trojan propagate? Infected users are tricked into installing it. They usually receive an email with a link from which they can download something that is of interest to them (‘H1N1 Vaccine Profile Archive’, ‘MySpace Update Tool’, ‘Flash player upgrade’, etc).

At the end of September, Finjan published research uncovering new techniques (including banking Trojans) used by cybercriminals to rob online bank accounts.

Luckily, amidst all this bad news, there is one piece of good news: at the end of November a man and a woman, both aged 20, were arrested in Manchester on suspicion of disseminating the Zeus/Zbot Trojan.

Koobface
Since social networks experienced explosive growth in 2009, it is no wonder that they are targeted by criminals. Koobface (an anagram of Facebook) is a worm that targets Facebook, MySpace, Twitter, Friendster and other social networking sites. Its main goal is to gather personal and financial information (such as credit card numbers). It is propagated in the same way as the aforementioned Zeus/Zbot Trojan – users are tricked into downloading it.

It works in many ways. It can steal your logon credentials for Facebook. It logs in, steals your picture and friends’ e-mail addresses, creates a fake YouTube page with your Facebook photo and then sends an e-mail to your friends saying they’ve been tagged in a video on YouTube.

A new Koobface component that makes Internet Explorer create Facebook accounts appeared a month ago. It automates the whole process – the browser registers the account, confirms and activates the registration via Gmail, joins random Facebook groups, adds friends, posts messages to their walls…

The worm also appears designed to download additional malicious modules with other functionality over the Internet. It is highly probable that victim machines will be used not only for spreading links via these social networking sites, but that the botnet will also be used for other malicious purposes.

The rest of the “gang”

PandaLabs reports that approximately 35 million computers are newly infected with rogueware each month (approximately 3.50 percent of all computers), and cybercriminals are earning approximately $34 million per month through rogueware attacks.

Skype users have also been targeted by a new Trojan that can listen to and record calls you make.

At the end of 2009 there were four iPhone exploits in a span of a few weeks—representing the first major attacks on the iPhone platform and the first iPhone data-stealing malware with bot functionality. With a rapidly growing user base, business adoption and increasing use for conducting financial transactions with these devices, Websense is expecting attackers to begin more dedicated targeting of smartphones in 2010 (read more about the security trends coming in 2010).


The harsh reality is that criminals go where the money goes, and money went digital. Malware will continue to be part of our online experience, so we have to know how to spot it, prevent its installation, or remove it if it gets installed.
