Malware writers have preserved their focus on web-based attacks while actively looking for new methods to disseminate their products. BitDefender released the results of its malware and spam survey from July through December 2009, showing an increase in a wide range of threats, from the exploitation of international news events to higher levels of spam being disseminated through social networking platforms aiming to curb marketing costs in a down economy.
Malware threats in review
Over the last six months, malware writers have continued their efforts to infect computer users in order to receive direct financial gain and/or to seize control over their machines.Trojan.Clicker.CM holds as the number one e-threat for the second half of the year. It’s used to force advertisements inside the users’ browsers when visiting grey area websites (such as porn websites or services offering “warez” software). The alarming infection rate reveals that malware authors are driven by profit, while cyber-criminals are motivated by pay-per-click fraud.
Along with the already “traditional” Trojan.Clicker.CM infections, Win32.Worm.Downadup has been one of the most notorious e-threats of the past six months. Malware authors’ top choice of distributing their e-threats remains the web, but Autorun-based techniques have been rapidly gaining ground. By default, every removable storage device features an autorun.ini script that instructs the computer on which file to execute when the medium is plugged in. However, malware authors frequently tamper with the file to make it launch miscellaneous malicious applications. Although extremely useful for non-technical computer users, the feature has been completely discarded in Windows Vista SP2 and Windows 7 in order to prevent infections.
During the last six months the most active countries in terms of malware propagation were China, France and the United States, followed by Australia (up one place from the first half of 2009), Romania (also up one place) and Spain (down one place).
World’s Top 10 Malware from July-December 2009
01. Trojan.Clicker.CM 8.97%
02. Trojan.AutorunINF.Gen 8.41%
03. Trojan.Wimad.Gen.1 4.41%
04. Win32.Worm.Downadup.Gen 4.13%
05. Exploit.PDF-JS.Gen 3.39%
06. Win32.Sality.OG 2.60%
07. Trojan.Autorun.AET 1.97%
08. Worm.Autorun.VHG 1.59%
09. Trojan.JS.PYV 1.50%
10. Exploit.SWF.Gen 1.47%
Spam trends in second half of 2009
During the second half of 2009, the spam landscape has remained relatively unchanged, with the Canadian Pharmacy positioned as top worldwide spammer. This is an extremely lucrative field of spam, mostly because the products ordered via Canadian Pharmacy webshops never make it to the customer, who is often too ashamed to report these issues to the authorities. More than that, these online payments are extremely risky, since the spammer has access to the used credit card details and can draw any amount of money at will.
Spam messages account for 88.9 percent of the total amount of electronic messages sent worldwide. Text-based messages are the most frequently encountered form of spam, while image-based spam is extremely rare, with only 2.3 – 2.5 percent. The average size of a spam message is 3.5 Kb, although their size usually varies from 2 Kb to 9 Kb, depending on the approach.
In the second half of 2009, spammers have especially exploited international or national media events to lure their victims into opening the messages. One of the most important spam campaigns was launched after the controversial death of pop-star Michael Jackson. Back in July, BitDefender identified multiple spam waves allegedly offering more info on Michael Jackson’s unknown killer, but actually carrying sexual enhancement drug ads and malware.
The Top 10 list for the second half of 2009’s most advocated content through e-mail spam includes:
1 Medicine Spam
2 Phishing Links
3 Product Spam/Knockoff
4 Malware Attached
9 Pornography (non dating)
Web 2.0 threats
Spamming is also a common practice among Web 2.0 service users, such as social networking. While Twitter and Facebook have imposed strict policies on spamming, some other social network services have barely taken into account this possibility. For instance, the professional network LinkedIn has become the favorite playground for people and organizations offering miscellaneous services. Spammers attempt to join users’ professional networks and then bomb them with messages advertising their products or services.
During the past six months, BitDefender has identified multiple variations of LinkedIn spam – a warning sign showing that the precarious state of the global economy pushes more and more providers into abusively marketing their services via social networks.
While spam and phishing sum up almost 80 percent of the e-threats related to social networks, worms exploiting large platforms have rapidly escalated. During the last six months of 2009, numerous families of worms have been pestering the largest social networks such as Twitter, MySpace and Facebook.
Initially spotted on August 2008, the Koobface worm has been one of the most active and destructive e-threats affecting social networking platforms. The cyber-criminal team behind the worm has released multiple variants of it in order to extend their reach with multiple social networking services. The viral infections took most of the platforms by surprise and the damage inflicted to users was beyond imagination, disabling some of the commercially-available antivirus utilities and exporting sensitive data such as e-banking credentials and IM passwords to a remote location. The infection technique was simple yet efficient: the worm used compromised accounts to lure friends into clicking the infected links.