Threat Research Blog

World's Top Malware

The malware landscape has always been very dynamic. New threat types and malware families constantly replace the old ones. The prevalence of a particular malware family at any given time depends on multiple factors: the business model, the skill of the person(s) driving the malware, and sometimes the actions of the anti-malware industry. For example, thanks to the efforts of the research community, Storm 1.0 and Srizbi, which were once the world's largest botnets, are history now. Due to certain design limitations, the IRC botnets that dominated in 2004-2006 are no longer very popular. We have also seen a constant uptick in new banking trojans: the popularity of online banking has led cyber criminals to seek huge opportunities by operating info stealers. The Web 2.0 era is responsible for a new breed of malware spreading through social networking; Koobface is a perfect example. Growing public awareness of these threats, in turn, gave a boost to rogue "antivirus" software that preys on that fear.

The first principle of a successful defense is identifying the enemies and their strengths. Believing in the philosophy of "keep your friends close but your enemies closer" is a big step towards defeating your opposition. So let's do it. What are the latest trends? What are the world's most widespread malware families, and what do they do? I am going to answer a few of these questions today based on data collected by FireEye during the last quarter.

Determining the volume of a particular malware family is a complex task. Many anti-malware organizations have attempted this in the past. The problem I see in most of these estimates is that they are based only on the organization's own internal data. A "what we detect the most" technique tends to overlook your own detection deficiencies. Sometimes the estimation technique itself is defective: estimating a spam botnet's size from its spam volume, for example, can be misleading, because some botnets send spam far more aggressively than others, depending on how much business a particular bot herder has. Counting only unique malware samples is also tricky in the case of polymorphic malware (malware that changes its binary footprint quickly), since one infection can account for many distinct samples.

To address the problems mentioned above and give more accurate results, I am going to consider two different estimation techniques:

  1. Counting the number of unique hosts infected by a given malware family. This data was collected from FireEye's MAX Cloud Intelligence network.
  2. Cross-comparing the above estimate with data offered by other anti-malware organizations, malware feeds received from 3rd-party sources, and the way those sources name the same malware families.

This "top malware" list may also differ from a "top botnets" list. By definition, "a botnet is a collection of homogeneous malware installations under the control of a single group". Zbot/Zeus, for example, is a toolkit in the hands of hundreds of bad guys, and each one runs its own network of zombies. So, calling Zbot the world's largest botnet grossly oversimplifies the true extent of the problem.

However, in some cases, when a malware family is in the hands of a single group, a "top malware" can also be considered a "top botnet". Koobface is one such example: it is a malware family as well as a botnet.

Enough explanation, let's get back to the point.

Statistics based on FireEye's MAX Cloud Intelligence network

As of today, these are the world's top 20 malware families. This conclusion is based on the number of unique infected machines found inside our customer networks. According to this analysis, the top 20 families account for 48.74% of all infected hosts observed.

Note: The payload type listed here is the most dominant attribute of a particular malware family. "Single botnet" indicates whether the family is operated as one botnet by one group (YES) or is a toolkit used by many independent groups (NO).

Rank  Modern malware     % Infected hosts  Payload             Single botnet
  1   Butterfly/Palevo   7.50              DDoS, Info stealer  NO
  2   Hiloti             4.69              Downloader/PPI      YES
  3   Zbot/Zeus          3.62              Info stealer        NO
  4   FakeRean           3.47              Rogue AV(s)         YES
  5   Onlinegames        2.94              Info stealer        YES
  6   Rustock            2.66              Spam                YES
  7   Ldpinch            2.64              Info stealer        NO
  8   Renos              2.58              Rogue AV(s)         YES
  9   Zlob               2.54              Rogue software      YES
 10   Autoit             2.53              Downloader/PPI      YES
 11   Conficker          2.48              Worm                YES
 12   Opachki            1.95              Click fraud         YES
 13   Buzus              1.91              Info stealer        YES
 14   Koobface           1.17              Downloader          YES
 15   Alureon            1.16              Downloader          NO
 16   Bredolab           1.15              Downloader/PPI      NO
 17   Piptea             1.13              Downloader/PPI      YES
 18   Ertfor             0.91              Rogue AV(s)         YES
 19   Virut              0.91              Virus, Downloader   YES
 20   Storm 2.0          0.80              Spam                YES

[Chart: top 20 malware families by percentage of infected hosts]

The biggest surprise is that Zbot/Zeus, which was once the world's largest collection of botnets, has now moved down to the number 3 position. The Butterfly/Palevo toolkit proved to be a dark horse and is currently at the number 1 position. Note that Butterfly is the same toolkit from which the famous Mariposa botnet was created. We have also seen a huge uptick in the number of hosts infected by a relatively unknown trojan called Hiloti, which is currently at the number 2 position. The game-credential thief 'OnlineGames' (a.k.a. Frethog and Taterf) is at the number 5 position.

Koobface, which was in the top 5 for the last 2 quarters, has dropped to the number 14 position (I am still in the process of finding the reasons for this sudden drop). Rustock is at the sixth position, but is still in a much better position than rival spam botnets like Pushdo and Storm 2.0.

Statistics based on unique malware samples (MD5s)

Counting the number of unique malware samples is certainly not the best way to estimate the volume of a malware family; estimation based on unique infected hosts, as shown above, is a far superior approach. Still, this technique can give us a rough picture of the overall trends.

Here in the FireEye labs, we processed close to 700,000 samples during the last quarter for this study. After analyzing these samples, we found multiple instances of thousands of different malware families. This is no surprise: in order to evade conventional antivirus signatures, modern malware changes its binary footprint very quickly, so a single family shows up as many distinct MD5s.

I am quite satisfied to see that most of the top malware we found in our customer networks also have a high sample frequency. Although the ranking is a little different in each case, that is completely understandable given the different nature of the input data. According to this analysis, the top 20 families account for 26.43% of the total malware samples we processed during the last quarter.

Rank  Modern malware     % Unique samples (MD5)  Payload             Single botnet
  1   Virut              4.47                    Virus, Downloader   YES
  2   Ldpinch            4.10                    Info stealer        NO
  3   Renos              3.90                    Rogue AV(s)         YES
  4   Zbot/Zeus          2.37                    Info stealer        NO
  5   Onlinegames        2.22                    Info stealer        YES
  6   Buzus              1.91                    Info stealer        YES
  7   Zlob               1.89                    Rogue software      YES
  8   Alureon            1.05                    Downloader          NO
  9   Butterfly/Palevo   0.89                    DDoS, Info stealer  NO
 10   Autoit             0.65                    Downloader/PPI      YES
 11   Piptea             0.60                    Downloader/PPI      YES
 12   Conficker          0.55                    Worm                YES
 13   Bredolab           0.52                    Downloader/PPI      NO
 14   Hiloti             0.42                    Downloader/PPI      YES
 15   FakeRean           0.40                    Rogue AV(s)         YES
 16   Koobface           0.23                    Downloader          YES
 17   Pushdo             0.13                    Spam                YES
 18   Rustock            0.06                    Spam                YES
 19   Monkif             0.05                    Downloader          YES
 20   Storm 2.0          0.02                    Spam                YES

[Chart: top 20 malware families by percentage of unique samples (MD5)]

Virut, a famous virus and trojan, is at the number 1 position in terms of number of samples. A huge number of unique samples makes complete sense here: Virut is a file infector that tries to inject itself into every executable found on the victim machine. Each benign binary it touches becomes a unique instance of Virut itself, so a single infected host can carry thousands of unique copies of this malware.

Surprisingly, although Butterfly/Palevo is at the first position in terms of unique infected hosts, it is only at the number 9 position in terms of unique samples. Many infections backed by comparatively few distinct binaries means the operators are not repacking aggressively, and it is good evidence that the cyber criminals behind this toolkit have been very successful at flying under the radar: a vendor ranking families by sample count alone would badly underestimate it.
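To make the two estimators concrete, here is an added Python example (not code from the original post or from FireEye) that computes both shares, percentage of unique infected hosts and percentage of unique samples, from a single constructed detection log, after first collapsing vendor-specific names (Zeus/Zbot, Frethog/Taterf/OnlineGames, Butterfly/Palevo, Torpig/Sinowal, as discussed in the methodology section above) to one canonical family name. The hosts, the hashes (derived from a seed string, not real malware hashes) and the vendor label formats are all invented for the example; the point is to show that a file infector like Virut dominates the sample count while a toolkit bot like Palevo dominates the host count, and that duplicate alerts for the same host and sample must not be double-counted.

```python
import hashlib
from collections import defaultdict

# Vendor-specific tokens -> canonical family name. The groupings are the
# aliases named in the post; which vendor uses which label is assumed.
ALIASES = {
    "zeus": "Zbot/Zeus", "zbot": "Zbot/Zeus",
    "onlinegames": "Onlinegames", "frethog": "Onlinegames", "taterf": "Onlinegames",
    "butterfly": "Butterfly/Palevo", "palevo": "Butterfly/Palevo",
    "torpig": "Torpig/Sinowal", "sinowal": "Torpig/Sinowal",
    "virut": "Virut",
}


def canonical(label: str) -> str:
    """Map a vendor label such as 'Trojan-Spy.Win32.Zbot.gen' to a family name.

    The label is split on the usual vendor separators and the first token that
    is a known alias wins; unknown labels are returned unchanged so they can be
    reviewed rather than silently merged.
    """
    key = label.lower()
    for sep in "/\\.:-_":
        key = key.replace(sep, " ")
    for token in key.split():
        if token in ALIASES:
            return ALIASES[token]
    return label


def fake_md5(seed: str) -> str:
    # Deterministic stand-in for a sample hash (constructed, not a real sample).
    return hashlib.md5(seed.encode()).hexdigest()


def build_detections():
    """Constructed detection log: (host, sample md5, vendor label) rows."""
    rows = []
    # Virut: 3 hosts, each with 40 infected executables -> 120 unique samples.
    for h in range(3):
        for f in range(40):
            rows.append((f"host-v{h}", fake_md5(f"virut-{h}-{f}"), "Win32/Virut.BN"))
    # Palevo: 30 hosts sharing only 2 builds of the same toolkit bot.
    for h in range(30):
        rows.append((f"host-p{h}", fake_md5(f"palevo-{h % 2}"), "Backdoor.Win32.Palevo"))
    # Zeus: 10 hosts, one repacked build each, labelled differently by two vendors.
    for h in range(10):
        label = "Trojan-Spy.Win32.Zbot.gen" if h % 2 else "PWS:Win32/Zeus"
        rows.append((f"host-z{h}", fake_md5(f"zeus-{h}"), label))
    # OnlineGames reported under two different vendor names.
    for h in range(8):
        label = "Frethog" if h % 2 else "Win32/Taterf.B"
        rows.append((f"host-o{h}", fake_md5(f"og-{h}"), label))
    # A repeated alert for an already-seen host/sample pair: must not double count.
    rows.append(rows[0])
    return rows


def tally(rows):
    """Return {family: (% of unique infected hosts, % of unique samples)}."""
    hosts = defaultdict(set)
    samples = defaultdict(set)
    for host, md5, label in rows:
        fam = canonical(label)
        hosts[fam].add(host)      # a host counts once per family
        samples[fam].add(md5)     # a sample counts once per family
    total_hosts = len({h for h, _, _ in rows})
    total_samples = len({m for _, m, _ in rows})
    return {
        fam: (round(100 * len(hosts[fam]) / total_hosts, 2),
              round(100 * len(samples[fam]) / total_samples, 2))
        for fam in hosts
    }


def ranking(shares, by="hosts"):
    """Family names ordered by host share or by sample share, largest first."""
    idx = 0 if by == "hosts" else 1
    return [fam for fam, _ in sorted(shares.items(), key=lambda kv: kv[1][idx], reverse=True)]


if __name__ == "__main__":
    shares = tally(build_detections())
    for fam in ranking(shares, "hosts"):
        print(f"{fam:18} hosts {shares[fam][0]:6.2f}%  samples {shares[fam][1]:6.2f}%")
```

Run as written, Butterfly/Palevo tops the host ranking while Virut tops the sample ranking, the same inversion the two tables above show; a "what we detect the most" metric based on sample counts would place the toolkit bot near the bottom.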

Here's a side-by-side comparison:

Rank  Modern malware     % Infected hosts  % Unique samples (MD5)  Payload                 Single botnet
  1   Butterfly/Palevo   7.50              0.89                    DDoS, Info stealer      NO
  2   Hiloti             4.69              0.42                    Downloader/PPI          YES
  3   Zbot/Zeus          3.62              2.37                    Info stealer            NO
  4   FakeRean           3.47              0.40                    Rogue AV(s)             YES
  5   Onlinegames        2.94              2.22                    Info stealer            YES
  6   Rustock            2.66              0.06                    Spam                    YES
  7   Ldpinch            2.64              4.10                    Info stealer            NO
  8   Renos              2.58              3.90                    Rogue AV(s)             YES
  9   Zlob               2.54              1.89                    Rogue software          YES
 10   Autoit             2.53              0.65                    Downloader/PPI          YES
 11   Conficker          2.48              0.55                    Worm                    YES
 12   Opachki            1.95              0.0035                  Click fraud             YES
 13   Buzus              1.91              1.91                    Info stealer            YES
 14   Koobface           1.17              0.23                    Downloader              YES
 15   Alureon            1.16              1.05                    Downloader              NO
 16   Bredolab           1.15              0.52                    Downloader/PPI          NO
 17   Piptea             1.13              0.60                    Downloader/PPI          YES
 18   Ertfor             0.91              0.02                    Rogue AV(s)             YES
 19   Virut              0.91              4.47                    Virus, Downloader/PPI   YES
 20   Storm 2.0          0.80              0.02                    Spam                    YES

[Chart: top 20 malware families, infected hosts and unique samples side by side]

One can see that both results complement each other. In slightly different order, the Butterfly toolkit, Zbot, Onlinegames, LdPinch, Zlob, Renos, etc. are in the top 10 of both lists.

Based on the malware payload types, one can also try to find the common intentions behind running most of these malware families. This also sheds some light on the direction of the current underground economy.

Beyond any doubt, information stealers, generic malware droppers and rogue antivirus programs are amongst the top threats. The majority of these generic downloaders are part of a pay-per-install (PPI) network. The owners of these downloaders generally have very good expertise in spreading their malware using different infection vectors like drive-by downloads and social engineering. The sole purpose of these families is to spread themselves as aggressively as possible and then offer pay-per-install services (normally a few cents per installation) to other cyber criminals who might not be very good at spreading their own malware.

Spam is at the number 5 position among payload types, as only two spam botnets made their way into the top 20, i.e. Rustock and Storm 2.0. The click fraud and pay-per-DDoS businesses are on the rise as well. There are dedicated DDoS botnets (like those created from the BlackEnergy and Palevo toolkits) which offer DDoS services to others; for the right price, these botnets will DDoS any Internet resource. Although the worm era is almost over, Conficker is still kicking, using its self-propagation mechanisms.

 

Trends

If any of you are wondering about some famous malware families missing from the above lists, here are some interesting statistics.

Rank  Modern malware   % Infected hosts  Payload type        Single botnet
  1   Torpig/Sinowal   0.58              Info stealer        YES
  2   Pushdo           0.35              Spam                YES
  3   Monkif           0.29              Downloader          YES
  4   Clampi           0.17              Info stealer        YES
  5   RBot             0.13              Info stealer, DDoS  NO

The underground malware economy is no different from any other. It's the same world, full of greed, rivalry, deceit and monopolies. Survival of the fittest holds true here as well: those who don't change with the times can't survive the opposition and eventually perish.

Atif Mushtaq @ FireEye Malware Intelligence Lab

Questions/Comments : research SHIFT-2 fireeye DOT COM