To get a better understanding of infection trends over the last few months, the ESET research team has analyzed data compiled by our online scanner. This tool is available freely from ESET’s website at http://www.esetonlinescan.com and can be accessed by anyone to scan their system without having to install our product. Data from our online scanner is interesting because it comes from systems that are not necessarily running one of our products (or do not have any antivirus installed at all). During the last three months, more than half a million PCs were scanned using this tool, with very interesting results.
First, we discovered that when a computer is infected, an average of thirteen (13) malicious files are found on the system. A malware infection does not equal one malicious file being installed on the system – many files on an infected computer can be corrupted or infected by the same piece of malware. And, it’s not just infected with malware, it’s often infested. This number can be explained by the comeback of file infecting viruses, which were considered almost extinct a couple years ago. Modern malware families such as WMA/TrojanDownloader.GetCodec infect multimedia files, and playing any of these files will result in an infection of a system. For example, if you have 500 songs on your computer and you get infected by that threat, you will have more than 500 malicious files on your PC. Another example of current file infector is the Win32/Virut family which, in addition to infecting executable files, changes HTML files to insert an IFRAME to a malicious site. Anyone viewing the modified HTML file with a vulnerable browser then becomes infected.
The second interesting point we found while analyzing our online scanner logs is that there are, on average, three (3) malware families found on infected computers. This illustrates another trend we have been observing lately, which is “pay per install” malware distribution. Multiple malware families do not have any propagation mechanism built into their code. Instead, these pieces of malware are distributed and installed on computers by criminal gangs. One very good example of such malicious software are rogue antivirus programs. Rogue antivirus scams typically do not copy themselves to external drives, nor do they propagate through a network. Their operators simply pay other criminal gangs every time a copy of their rogue software is installed on a PC. Back in March, the Win32/Conficker worm installed a variant of the Win32/Waledac worm on systems it infected. In turn, Win32/Waledac downloaded and installed a rogue antivirus. This is a typical scenario and explains the numbers of families we are seeing. This second statistic is different from the number of malicious files because each of these malware families can also infect multiple files.
Through our ThreatSense.Net monitoring system, we also gather statistics on malicious activity witnessed by computers running ESET's antivirus software. On a daily basis, 3,3% of the computers detect and block at least one threat. If your company has 1,000 computers connected to the Internet, chances are that, during the next 24 hours, thirty-three (33) of them will either try to access a malicious file on the Internet, receive something suspicious by email or be attacked by a network worm.
To sum up, we are seeing more malware per infected computer and also more malicious files on each of them. Our virus lab receives over 100,000 new pieces of malware every day. There are more malware authors than ever and their technologies are getting better to rapidly create new variants of malicious code. To build awareness around the problem of cybercrime and malware, ESET is launching a month long campaign in San Francisco. An image being worth a thousand words, our readers are invited to visit the following website: http://www.esetsecures.com. You can find there interesting images that might help illustrating what happens to a PC once the door is open to malicious software.
Pierre-Marc Bureau
Senior Researcher