
Malware trends


 
08-08-2008

The anti-malware company I work for has just published its half-yearly report on threat trends, based on automated malware tracking systems. Already I hear the more cynical among you muttering "Aha! Product pitch!" and, of course, this kind of document does have a marketing purpose. However, at 50-odd pages, it's a bit more than a press release, and many of those pages actually consist of near-raw localized data (included for the benefit of our distributors). All that aside, there are some conclusions that may interest you. Well, they interested me - just as well, considering how long I spent on the analysis...
  • Email has declined dramatically as a direct channel for the transport of new malware (that is, as attachments) though it remains a prime carrier of malicious web links (web-hosted malware has pretty much taken the place of the malicious attachment, and continues to increase in prevalence). What did surprise me was the extent to which the "top ten" email-borne threats reflected the picture of a few years ago, when I was managing email antivirus systems: the list is largely dominated by prehistoric mass mailers like Netsky and Bagle. When you think about it, though, this makes sense. If email has fallen out of favour for the distribution of new malware (as indeed it has), then most of what is left is going to be distributed by systems that have never been patched or properly protected by constantly updated anti-malware software. I'd take an educated guess that these are mostly owned by home users with obsolescent operating systems and an expired licence for whatever came with the machine in the first place: I'd also guess that there's a significant overlap there with the population of zombie machines comprising the botnets that are responsible for so many of our security ills.
  • If you've tracked malware trends in any detail over the past few years, it won't surprise you that "Potentially Unwanted Applications" and other forms of adware and spyware constitute a significant proportion of our "top ten". PUAs with deceptive EULAs (End User Licensing Agreements) that underplay the extent to which they hijack the user's Internet experience are themselves a considerable nuisance. When you add in the iniquitous and ubiquitous Virtumonde Trojan, an example of adware that causes both users and anti-malware companies a great deal of grief, you're looking at software that impacts so heavily on a system as to make it effectively unusable.
  • Our top scorer for that period isn't a single malicious program (actually, nearly all our top scorers are either generic or heuristic detections: I might go into the similarities and differences another time), but a group of malware families that use the Windows AutoRun facility to self-install from removable media such as flash drives and CDs. You may wonder why this trend hasn't been flagged more prominently by other companies: it's not (necessarily!) because they don't detect these families, but because they may not have an exact equivalent to that heuristic, so they may be flagged under other names. In fact, a specific malicious program may "qualify" for detection by more than one heuristic, and which one it actually triggers is determined by a number of factors.
  • The most dramatic change in the threatscape that we've noticed, though, is the upsurge in malware designed to steal passwords for online gaming and metaverses like Second Life. While password attacks in these areas are by no means new, they've dominated our monthly reports in recent months. And that's apart from attacks like grey goo and griefing...
There's a little more detail at my work blog or the full report is here. For some alternative AV industry views of 2008, you might check out F-Secure, Sophos and MessageLabs, all of whom have issued half-yearly reports recently.

