The malware landscape has always been very dynamic. New threat types and malware families constantly replace the old ones. The prevalence of a particular malware family at any given time depends upon multiple factors like the business model, the efficiency of the person(s) driving the malware, and sometimes actions by the anti-malware industry. For example, thanks to the efforts of the research community, Storm 1.0 and Srizbi, which were once the world's largest botnets, are history now. Due to certain design limitations, IRC botnets, which were dominant back in 2004-2006, are no longer very popular. We have also seen a constant uptick in new banking trojans. The popularity of online banking has led cyber criminals to seek huge opportunities by operating info stealers. The Web 2.0 era is responsible for giving birth to a new breed of malware spreading through social networking; a perfect example is Koobface. Security awareness in the public at large led to fears about these malware threats, which in turn gave a boost to rogue "antivirus" software.
The first principle of a successful defense is identifying the enemies and their strengths. Believing in the philosophy of "keeping your friends close but your enemies closer" is a big step towards defeating your opposition. So let's do it. What are the latest trends? What are the world's most widespread malware families, and what do they do? I am going to answer a few of these questions today based on data collected by FireEye during the last quarter.
Determining the volume of a particular malware family is a complex task. Many anti-malware organizations have attempted this in the past. The problem I see in most of these estimates is that they are based only on the organization's own internal data. A "what we detect the most" approach can overlook your own detection gaps. Sometimes the estimation technique itself is flawed: estimating a spam botnet's size from its spam volume, for instance, can be misleading, because some botnets send spam far more aggressively than others, depending upon the amount of business a particular bot herder has. Counting only unique malware samples is also very tricky in the case of polymorphic malware (malware that changes its binary footprint quickly).
In order to address the above-mentioned problems and give accurate results, I am going to combine two different estimation techniques:
- Counting the unique number of hosts infected by a given malware family. This data was collected from FireEye's MAX Cloud Intelligence network.
- Cross-comparison of the above estimate with data offered by other anti-malware organizations, malware feeds received from third-party sources, and the way they name these malware families.
This "top malware" list may also differ from a "top botnets" list. By definition, "a botnet is a collection of homogeneous malware installations under the control of a single group". For example, Zbot/Zeus is a toolkit in the hands of hundreds of bad guys, and each one has its own network of zombies. So, saying that Zbot is the world's largest botnet grossly oversimplifies the true extent of the problem.
However, in some cases, when a malware family is in the hands of a single group, a "top malware" can also be considered a "top botnet". Koobface is one such example: it is a malware family as well as a botnet.
Enough explanation, let's get back to the point.
Statistics based on FireEye's MAX Cloud Intelligence network
As of today, these are the world's top 20 malware families. This conclusion is based on the number of unique infected machines found inside our customer networks. According to this analysis, the top 20 malware families represent 48.74% of the total malware population.
Note: Payload type here is determined by the most dominant attribute of a particular malware family.
| Rank | Modern Malware | % Infected hosts | Payload | Single Botnet |
|---|---|---|---|---|
| 1 | Butterfly/Palevo | 7.5 | DDoS, Info stealer | NO |
| 2 | Hiloti | 4.69 | Downloader/PPI | YES |
| 3 | Zbot/Zeus | 3.62 | Info stealer | NO |
| 4 | FakeRean | 3.47 | Rogue AV(s) | YES |
| 5 | Onlinegames | 2.94 | Info stealer | YES |
| 6 | Rustock | 2.66 | Spam | YES |
| 7 | Ldpinch | 2.64 | Info stealer | NO |
| 8 | Renos | 2.58 | Rogue AV(s) | YES |
| 9 | Zlob | 2.54 | Rogue software | YES |
| 10 | Autoit | 2.53 | Downloader/PPI | YES |
| 11 | Conficker | 2.48 | Worm | YES |
| 12 | Opachki | 1.95 | Click Fraud | YES |
| 13 | Buzus | 1.91 | Info stealer | YES |
| 14 | Koobface | 1.17 | Downloader | YES |
| 15 | Alureon | 1.16 | Downloader | NO |
| 16 | Bredolab | 1.15 | Downloader/PPI | NO |
| 17 | Piptea | 1.13 | Downloader/PPI | YES |
| 18 | Ertfor | 0.91 | Rogue AV(s) | YES |
| 19 | Virut | 0.91 | Virus, Downloader | YES |
| 20 | Storm 2.0 | 0.80 | Spam | YES |
The biggest surprise is that Zbot/Zeus, which was once the world's largest collection of botnets, has now moved to the number 3 position. The Butterfly/Palevo toolkit proved to be a dark horse and is currently at the number 1 position. Note here that Butterfly is the same toolkit from which the famous Mariposa botnet was created. We have also seen a huge uptick in the number of hosts infected by a relatively unknown trojan called Hiloti, which is currently at the number 2 position. The games thief 'OnlineGames' (a.k.a. Frethog and Taterf) is at the number 5 position.
Koobface, which was in the top 5 for the last two quarters, has dropped to the number 14 position (I am still trying to find the reasons for this sudden drop). Rustock is at the sixth position, but is still much better placed than rival spam botnets like Pushdo and Storm 2.0.
Statistics based on unique malware samples (MD5s).
Counting the unique number of malware samples is certainly not the best way to estimate the volume of a malware family. Estimation based on unique infected hosts, as shown above, is a far superior approach. Still, this technique can give us a rough picture of the overall trends.
Here in the FireEye labs, we processed close to 700,000 samples during the last quarter for this study. After analyzing these samples, we found multiple instances of thousands of different malware families. This is no surprise: in order to evade conventional antivirus signatures, modern malware changes its binary footprint very quickly.
I am quite satisfied to see that most of the top malware families we found in our customer networks also have a high sample frequency. Although the ranking of these families differs a little in each case, that is completely understandable given the different nature of the input data. According to this analysis, the top 20 malware families represent 26.43% of the total malware samples we processed during the last quarter.
| Rank | Modern Malware | % Unique samples (MD5) | Payload | Single Botnet |
|---|---|---|---|---|
| 1 | Virut | 4.47 | Virus, Downloader | YES |
| 2 | Ldpinch | 4.1 | Info stealer | NO |
| 3 | Renos | 3.9 | Rogue AV(s) | YES |
| 4 | Zbot/Zeus | 2.37 | Info stealer | NO |
| 5 | Onlinegames | 2.22 | Info stealer | YES |
| 6 | Buzus | 1.91 | Info stealer | YES |
| 7 | Zlob | 1.89 | Rogue software | YES |
| 8 | Alureon | 1.05 | Downloader | NO |
| 9 | Butterfly/Palevo | 0.89 | DDoS, Info stealer | NO |
| 10 | Autoit | 0.65 | Downloader/PPI | YES |
| 11 | Piptea | 0.60 | Downloader/PPI | YES |
| 12 | Conficker | 0.55 | Worm | YES |
| 13 | Bredolab | 0.52 | Downloader/PPI | NO |
| 14 | Hiloti | 0.42 | Downloader/PPI | YES |
| 15 | FakeRean | 0.40 | Rogue AV(s) | YES |
| 16 | Koobface | 0.23 | Downloader | YES |
| 17 | Pushdo | 0.13 | Spam | YES |
| 18 | Rustock | 0.06 | Spam | YES |
| 19 | Monkif | 0.05 | Downloader | YES |
| 20 | Storm 2.0 | 0.02 | Spam | YES |
Virut, a well-known virus and trojan, is at the number 1 position in terms of number of samples. A huge number of unique malware samples makes complete sense here: Virut is a file infector which tries to inject itself into every executable found on the victim machine. This turns each benign binary into a unique instance of Virut itself, so infected hosts might have thousands of unique copies of this malware.
Surprisingly, although Butterfly/Palevo is at the first position when it comes to the unique number of infected hosts, it is at the number 9 position when it comes to the unique number of samples. This is good evidence that the cyber criminals behind it have been very successful at flying under the radar.
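To make the difference between the two estimation techniques concrete, here is an added example (my own illustration, not FireEye's MAX Cloud tooling or any code from the original post). It takes a handful of constructed detection records (host id, sample MD5, vendor-style detection name), normalises the vendor names into canonical families using the aliases the post itself mentions (Zbot/Zeus, OnlineGames a.k.a. Frethog/Taterf, Butterfly/Palevo), and then ranks the families both by unique infected hosts and by unique samples. The telemetry, the host ids and the alias table are all assumptions constructed for the example; the point it demonstrates is the one made above: a file infector such as Virut floats to the top of a sample count while sitting near the bottom of a host count, and a single widely deployed toolkit build does the reverse.

```python
"""Family prevalence by unique infected hosts versus by unique samples.

Added example, not FireEye code. All telemetry below is constructed.
"""
import hashlib
import re
from collections import defaultdict

# Vendor/feed labels -> canonical family. The aliases are the ones the post names;
# the table itself is an assumption of this example.
ALIASES = {
    "zbot": "Zbot/Zeus", "zeus": "Zbot/Zeus",
    "onlinegames": "Onlinegames", "frethog": "Onlinegames", "taterf": "Onlinegames",
    "butterfly": "Butterfly/Palevo", "palevo": "Butterfly/Palevo",
    "virut": "Virut",
}


def canonical(label):
    """Map a vendor-style detection name to a canonical family name.

    Vendor names carry platform/type decoration ("Trojan-Spy.Win32.Zbot.gen",
    "W32/Virut.n"), so we tokenise on non-alphanumerics and return the first
    token that is a known alias. Unknown labels are returned unchanged so they
    are still counted, just not merged with anything.
    """
    for tok in re.split(r"[^a-z0-9]+", label.lower()):
        if tok in ALIASES:
            return ALIASES[tok]
    return label


def md5_of(content):
    """Constructed sample identifier: the MD5 of a descriptive string."""
    return hashlib.md5(content.encode()).hexdigest()


def constructed_detections():
    """Constructed telemetry: (host_id, sample_md5, vendor_label) triples."""
    rows = []
    # A file infector: two hosts, each carrying five distinct infected binaries.
    for host in ("h01", "h02"):
        for i in range(5):
            rows.append((host, md5_of(f"virut-{host}-{i}"), "W32/Virut.n"))
    # One toolkit build spread widely: six hosts, the same binary everywhere.
    for host in ("h03", "h04", "h05", "h06", "h07", "h08"):
        rows.append((host, md5_of("palevo-build-1"), "Worm:Win32/Palevo.gen"))
    # Three Zeus/Zbot hosts, each with its own repacked sample, named three ways.
    rows.append(("h09", md5_of("zbot-a"), "Trojan-Spy.Win32.Zbot.gen"))
    rows.append(("h10", md5_of("zbot-b"), "PWS:Win32/Zbot"))
    rows.append(("h11", md5_of("zbot-c"), "Zeus"))
    # OnlineGames seen under its two other aliases.
    rows.append(("h12", md5_of("og-a"), "PWS:Win32/Frethog.C"))
    rows.append(("h13", md5_of("og-b"), "Worm:Win32/Taterf.B"))
    return rows


def prevalence(detections):
    """Per-family counts and percentage shares by unique hosts and unique MD5s."""
    hosts = defaultdict(set)
    samples = defaultdict(set)
    for host, md5, label in detections:
        fam = canonical(label)
        hosts[fam].add(host)
        samples[fam].add(md5)
    total_hosts = len({h for h, _, _ in detections})
    total_samples = len({m for _, m, _ in detections})
    return {
        fam: {
            "hosts": len(hosts[fam]),
            "samples": len(samples[fam]),
            "host_pct": round(100 * len(hosts[fam]) / total_hosts, 2),
            "sample_pct": round(100 * len(samples[fam]) / total_samples, 2),
        }
        for fam in hosts
    }


def ranking(stats, metric):
    """Families ordered by the chosen metric, largest share first (name breaks ties)."""
    return [fam for fam, _ in sorted(stats.items(), key=lambda kv: (-kv[1][metric], kv[0]))]


if __name__ == "__main__":
    stats = prevalence(constructed_detections())
    for metric in ("host_pct", "sample_pct"):
        print(f"Ranked by {metric}:")
        for fam in ranking(stats, metric):
            s = stats[fam]
            print(f"  {fam:18} hosts={s['hosts']:2} ({s['host_pct']:5.2f}%)"
                  f"  samples={s['samples']:2} ({s['sample_pct']:5.2f}%)")
```

Run as a script it prints the two rankings side by side. With this input the Palevo build tops the host ranking and comes last by samples, while Virut comes last by hosts and first by samples; the samples-to-hosts ratio per family is the quickest tell for a polymorphic or file-infecting family, and the alias step is what keeps Frethog and Taterf detections from being counted as three unrelated families.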
Here's a side-by-side comparison:
| Rank | Modern Malware | % Infected hosts | % Unique samples (MD5) | Payload | Single Botnet |
|---|---|---|---|---|---|
| 1 | Butterfly/Palevo | 7.5 | 0.89 | DDoS, Info stealer | NO |
| 2 | Hiloti | 4.69 | 0.42 | Downloader/PPI | YES |
| 3 | Zbot | 3.62 | 2.37 | Info stealer | NO |
| 4 | FakeRean | 3.47 | 0.40 | Rogue AV(s) | YES |
| 5 | Onlinegames | 2.94 | 2.22 | Info stealer | YES |
| 6 | Rustock | 2.66 | 0.06 | Spam | YES |
| 7 | Ldpinch | 2.64 | 4.1 | Info stealer | NO |
| 8 | Renos | 2.58 | 3.9 | Rogue AV(s) | YES |
| 9 | Zlob | 2.54 | 1.89 | Rogue software | YES |
| 10 | Autoit | 2.53 | 0.65 | Downloader/PPI | YES |
| 11 | Conficker | 2.48 | 0.55 | Worm | YES |
| 12 | Opachki | 1.95 | 0.0035 | Click Fraud | YES |
| 13 | Buzus | 1.91 | 1.91 | Info stealer | YES |
| 14 | Koobface | 1.17 | 0.23 | Downloader | YES |
| 15 | Alureon | 1.16 | 1.05 | Downloader | NO |
| 16 | Bredolab | 1.15 | 0.52 | Downloader/PPI | NO |
| 17 | Piptea | 1.13 | 0.60 | Downloader/PPI | YES |
| 18 | Ertfor | 0.91 | 0.02 | Rogue AV(s) | YES |
| 19 | Virut | 0.91 | 4.47 | Virus, Downloader/PPI | YES |
| 20 | Storm 2.0 | 0.80 | 0.02 | Spam | YES |
Onlinegames, LdPinch, Zlob, Renos etc. are in the top 10 of both lists.
Based on the malware payload types, one can also try to find the common intentions behind running most of these malware families. This can also shed some light on the direction of the current underground economy.
Beyond any doubt, information stealers, generic malware droppers and rogue antivirus programs are amongst the top threats. The majority of these generic downloaders are part of a pay-per-install network. The owners of these downloaders generally have very good expertise in spreading their malware using different infection vectors like drive-by downloads and social engineering. The sole purpose of these malware families is to spread themselves as aggressively as possible and offer pay-per-install services (normally a few cents per installation) to other cyber criminals who might not be very good at spreading their own malware.
Spam is at the number 5 position, as only two spam botnets made their way into the top 20, i.e. Rustock and Storm 2.0. The click fraud and pay-per-DDoS businesses are on the rise as well. There are dedicated DDoS botnets (like those built from the BlackEnergy and Palevo toolkits) which offer DDoS services to others. For money, these botnets will DDoS any Internet resource. Although the worm era is almost over, Conficker is still kicking thanks to its self-propagation mechanisms.
| Rank | Modern Malware | % Infected hosts | Payload Type | Single Botnet |
|---|---|---|---|---|
| 1 | Torpig/Sinowal | 0.58 | Info stealer | YES |
| 2 | Pushdo | 0.35 | Spam | YES |
| 3 | Monkif | 0.29 | Downloader | YES |
| 4 | Clampi | 0.17 | Info stealer | YES |
| 5 | RBot | 0.13 | Info stealer, DDoS | NO |
The underground malware economy is no different from any other. It's the same world, full of greed, rivalry, deceit and monopolies. Survival of the fittest also holds true here: those who don't change with the times can't survive the competition and perish eventually.
Atif Mushtaq @ FireEye Malware Intelligence
Questions/Comments : research SHIFT-2 fireeye DOT COM