Evolution of Malware

Malware and Potentially Unwanted Software Trends

The state of malware today

At the end of 2001, approximately 60,000 forms of malware or threats were known to exist. This number was a significant increase from 1996 (about 10,000) and 1991 (about 1,000).

Approximate growth of malware since 1991

Over the last decade, the proliferation of malware has become an online crime story. Today, estimates of the number of known computer threats such as viruses, worms, trojans, exploits, backdoors, password stealers, spyware, and other variations of potentially unwanted software range into the millions.

Ever since criminal malware developers began using client and server polymorphism (the ability for malware to dynamically create different forms of itself to thwart antimalware programs), it has become increasingly difficult to answer the question “How many threat variants are there?” Polymorphism means that there can be as many threat variants as infected computers can produce; that is, the number is only limited by malware’s ability to generate new variations of itself.

Counting threat variants has become less meaningful than detecting and eliminating their sources. In 2011, more than 49,000 different unique threat families were reported to the MMPC by customers. Many of these reported families were duplicates or polymorphic versions of key threat families; detecting and eliminating key threat families from infected computers is an ongoing activity.

In 2011 Microsoft added more than 22,000 signatures to detect key threat families. As criminal malware developers create more threats, the size of typical antimalware signature files increases; today antimalware signature files range to more than 100 MB in size. In 2002, typical antimalware signature files were less than 1 MB in size.

The number of files submitted to antimalware organizations has also increased. The following figure shows how the number of files suspected of containing malware or potentially unwanted software that were submitted to the MMPC has increased since 2005, an increase of more than 200 percent. (Suspected malware files can be submitted through the MMPC Submit a sample page.)

Percentage increase in the number of files submitted to the MMPC since 2005
Malware and Potentially Unwanted Software Trends

Malware continues to evolve, and fluctuations in detections of different forms of malware sometimes indicate how successful the software industry's persistent antimalware efforts have been, at a given point in time, against the efforts of malware developers.

How threats have evolved over time

When viewed from a multi-year perspective, some malware and potentially unwanted software families tend to peak, or become quite prevalent, for short periods of time as antimalware vendors focus their efforts on detecting and removing these threats. These peak periods are followed by periods of decline as attackers change their tactics and move on. The following figure illustrates this phenomenon. (For Figures 14 through 18, the vertical axis represents the percentage of all computers that were infected with malware.)

Malware and potentially unwanted software families that have peaked and declined since 2006

Win32/Rbot was an early botnet family that gained notoriety in 2004 and 2005 after a number of high-profile outbreak incidents that affected media and government networks, among others. Rbot is a “kit” family: Rbot variants are built from an open source botnet creation kit called RxBot, which is widely available among malware operators, and many different groups have produced their own variants with different functionality. The MSRT was updated to detect Rbot in April 2005, and detections decreased sharply through 2006, falling below 2 percent of computers with detections by 2H08.

The trojan family Win32/Zlob was found on almost one of every four computers that were infected with malware in 1H08, a level of prevalence that no other family has equaled before or since. Zlob was typically distributed on webpages, posing as a media codec that visitors would have to install to watch video content downloaded or streamed from the Internet. After it is installed on a target computer, Zlob displays persistent pop-up advertisements for rogue security software. A Zlob variant detected at the end of 2008 included an encoded message, apparently written by the Zlob author and intended for MMPC researchers, indicating that the author would be ceasing development and distribution of the trojan:

For Windows Defender's Team:
I saw your post in the blog (10-Oct-2008) about my previous message.
Just want to say 'Hello' from Russia.
You are really good guys. It was a surprise for me that Microsoft can respond on threats so fast.
I can't sign here now (he-he, sorry), how it was some years ago for more seriously vulnerability for all Windows ;)
Happy New Year, guys, and good luck!
P.S. BTW, we are closing soon. Not because of your work. :-))
So, you will not see some of my great ;) ideas in that family of software.
Try to search in exploits/shellcodes and rootkits.
Also, it is funny (probably for you), but Microsoft offered me a job to help improve some of Vista's protection. It's not interesting for me, just a life's irony.

Indeed, detections of Zlob decreased significantly in 2H08, and by 2010 Zlob was no longer among the top 50 most-detected families worldwide.

Win32/Conficker is a worm family discovered in November 2008 that initially spread by exploiting a vulnerability addressed by security update MS08-067, which was released the previous month. Conficker detections peaked in 1H09 and declined to a much lower level thereafter, following coordinated efforts by the Conficker Working Group to contain the spread of the worm and clean infected computers. It has been detected on between 3 percent and 6 percent of infected computers in each 6-month period since then.

JS/Pornpop is adware that consists of specially crafted JavaScript-enabled objects that attempt to display pop-under advertisements. First detected in August 2010, it was the second most commonly detected family in 2H10 and 1H11, and is likely to be the most commonly detected family in 2H11.

Win32/Autorun is a generic detection for worms that attempt to spread between mounted computer volumes by misusing the AutoRun feature in Windows. Detections of Win32/Autorun increased gradually for several periods before peaking in 2H10 as the most commonly detected family during that period.

Microsoft introduced a change to the way that the AutoRun feature works in Windows 7 and Windows Server 2008 R2 in an effort to help protect users from AutoRun threats. In these versions of Windows, the AutoRun task is disabled for all volumes except optical drives such as CD-ROM and DVD-ROM drives, which have historically not been used to transmit AutoRun malware. Subsequently, Microsoft published a set of updates that back-ported this change to Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. These updates have been published as Important updates through the Windows Update and Microsoft Update services since February 2011, which may have helped contribute to the decline in Win32/Autorun detections observed throughout 2011.
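As an added example (not part of the SIR text or Microsoft's own tooling), the following PowerShell snippet reads the NoDriveTypeAutoRun policy value and reports which drive types still have AutoRun enabled, so an administrator can confirm that a machine matches the behaviour described above (AutoRun off for everything except optical drives). It assumes the documented bit layout of that value, where bit n of the mask disables AutoRun for drive type n as reported by GetDriveType; it only inspects the explicit policy value, not the built-in shell default.

```powershell
# Added example, not from the SIR. Reads the NoDriveTypeAutoRun policy value
# and lists the drive types for which AutoRun is still enabled.
# Bit n of the mask disables AutoRun for drive type n as reported by
# GetDriveType: 0 unknown, 1 no root dir, 2 removable, 3 fixed,
# 4 network, 5 CD-ROM, 6 RAM disk, 7 reserved.
$DriveTypeNames = @{
    0 = 'Unknown'; 1 = 'NoRootDirectory'; 2 = 'Removable'; 3 = 'Fixed'
    4 = 'Network'; 5 = 'CDROM';           6 = 'RAMDisk';   7 = 'Reserved'
}

function Get-NoDriveTypeAutoRun {
    # Machine policy (HKLM) is consulted before the per-user policy (HKCU).
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $item = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Key = $key; Mask = [int]$item.NoDriveTypeAutoRun }
        }
    }
    return $null
}

function Get-AutoRunEnabledDriveTypes {
    param([int]$Mask)
    # Returns the names of drive types whose bit is NOT set (AutoRun allowed).
    $enabled = @()
    foreach ($type in 0..7) {
        if (($Mask -band (1 -shl $type)) -eq 0) { $enabled += $DriveTypeNames[$type] }
    }
    return $enabled
}

$policy = Get-NoDriveTypeAutoRun
if ($null -eq $policy) {
    Write-Output 'NoDriveTypeAutoRun is not set; the OS default applies (no explicit policy to verify).'
} else {
    Write-Output ('NoDriveTypeAutoRun = 0x{0:X2} from {1}' -f $policy.Mask, $policy.Key)
    $enabled = Get-AutoRunEnabledDriveTypes -Mask $policy.Mask
    # Optical drives are the only type the SIR describes as still using AutoRun.
    $unexpected = $enabled | Where-Object { $_ -ne 'CDROM' }
    if ($unexpected) {
        Write-Warning ('AutoRun still enabled for: {0}. A value of 0xFF disables it for every drive type.' -f ($unexpected -join ', '))
    } else {
        Write-Output 'AutoRun is disabled for all non-optical drive types.'
    }
}
```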

Other malware and potentially unwanted software families aren’t as prevalent as the peak families, but exist for longer periods of time. The following figure illustrates the prevalence of some of these more persistent malware families.

Malware families that have remained active at lower levels since 2007

Win32/Renos, assigned to the Trojan Downloaders & Droppers category in previous volumes of the SIR, was one of the four most commonly detected malware families in each six-month period from 1H07 to 2H10, taking the top slot in 2H08 and 1H10, and only dropped out of the top 25 in 2H11. Renos is a trojan downloader that installs rogue security software on infected computers.

Win32/Taterf, assigned to the Worms category in previous volumes of the SIR, was among the five most commonly detected malware families in each period from 2H08 to 2H10, and was the most commonly detected family in 2H09. Taterf is a worm that spreads via mapped drives to steal logon and account details for popular online games. The increasing popularity of massively multiplayer online role-playing games has created a market (usually discouraged by the makers of the games themselves) in virtual “gold” and in-game equipment, which players trade for real-world cash. This in turn has led to a class of threats like Taterf, which steal players’ gaming passwords on behalf of thieves who can then auction the victims’ virtual loot themselves. Taterf is a modified version of a similar threat, Win32/Frethog, which itself has been persistently prevalent over the same period of time.

Win32/Alureon, assigned to the Miscellaneous Trojans category in previous volumes of the SIR, is a family of data-stealing trojans with rootkit characteristics. It was first discovered in early 2007 and has been in or near the top 25 families in each half-year period since then. Alureon variants allow an attacker to intercept incoming and outgoing Internet traffic and gather confidential information such as user names, passwords, and credit card data.

Different threats at different times

Another point that becomes apparent when malware and potentially unwanted software is viewed from a multi-year perspective is that different categories of malware—that is, different types of threats—have been prevalent at different times. The following figure illustrates the relative prevalence of three different categories of malware.

Worms, Backdoors, and Miscellaneous Potentially Unwanted Software categories since 2006

In 2006 and 2007, the malware landscape was dominated by the Worms, Miscellaneous Potentially Unwanted Software, and Backdoors categories. (The term “Miscellaneous Potentially Unwanted Software” refers to programs with potentially unwanted behavior that may affect a user’s privacy, security, or computing experience.) By this time, large-scale outbreaks of worms such as Win32/Msblast and Win32/Sasser, which spread by exploiting vulnerabilities in network services, were mostly in the past. The most likely reason for their decline was the high-profile nature of these outbreaks, which caused antimalware vendors to increase their detection, cleaning, and blocking efforts and ultimately spurred widespread adoption of the security updates that addressed the affected vulnerabilities. Most of the prevalent worms in 2006 were mass-mailers, such as Win32/Wukill and Win32/Bagle, which spread by emailing copies of themselves to addresses discovered on infected computers.

Prevalent backdoors included a pair of related botnet families, Win32/Rbot and Win32/Sdbot. Variants in these families are built from botnet construction kits that are traded in the underground market for malware, and are used to control infected computers over Internet Relay Chat (IRC). Rbot and Sdbot have largely been supplanted by newer botnet families, but remain in active use nonetheless, probably because of the relative ease with which prospective botnet operators can obtain the construction kits.

Prevalent trojan families in 2006 and 2007 included Win32/WinFixer, an early rogue security software family, and the browser toolbar Win32/Starware. Unlike most modern rogue families, which typically pose as antimalware scanners, WinFixer masquerades as a utility that supposedly identifies “privacy violations” in the computer’s registry and file system and offers to “remove” them for a fee. Win32/Starware is a browser toolbar that monitors searches at popular search engines, conducting its own search in tandem and displaying the results in an inline frame within the browser window.

Worms, Trojan Downloaders and Droppers, and Password Stealers and Monitoring Tools categories since 2006

The Trojan Downloaders and Droppers category, which affected less than 9 percent of computers with detections in 1H06, rose rapidly to become one of the most significant threat categories in 2007 and 2008, primarily because of increased detections of Win32/Zlob and Win32/Renos.

After decreasing significantly from its 1H06 peak, the Worms category began to increase again in 2009 after the discovery of Win32/Conficker and reached a second peak in 2Q10 with increased detections of Win32/Taterf and Win32/Rimecud. Rimecud is a family of worms with multiple components that spreads via removable drives and instant messaging. It also contains backdoor functionality that allows unauthorized access to an affected computer.

Malware families in the Password Stealers and Monitoring Tools category, which were responsible for a negligible percentage of detections in 1H06, increased slowly but steadily through 2008 and 2009 before peaking in 2Q10. Game password stealers such as Win32/Frethog were responsible for much of this increase.

Adware, Miscellaneous Potentially Unwanted Software, and Miscellaneous Trojans categories since 2006

The Adware, Miscellaneous Potentially Unwanted Software, and Miscellaneous Trojans categories were the most commonly detected categories in 2010 and 2011. Adware detections increased significantly in 1H11, including the adware families Win32/OpenCandy and JS/Pornpop. OpenCandy is an adware program that may be bundled with certain third-party software installation programs. Some versions of the OpenCandy program send user-specific information without obtaining adequate user consent, and these versions are detected by Microsoft antimalware products. Pornpop is a detection for specially crafted JavaScript-enabled objects that attempt to display pop-under advertisements in users’ web browsers. Initially, JS/Pornpop appeared exclusively on websites that contained adult content; however, it has since been observed to appear on websites that may contain no adult content whatsoever.

The Miscellaneous Potentially Unwanted Software category, which was the most commonly detected category in 2006, declined in prevalence in 2007 and 2008, then increased again to become the second most prevalent category in 2Q11. Significant families in this category in 2Q11 were Win32/Keygen, a generic detection for tools that generate product keys for illegally obtained versions of various software products, and Win32/Zwangi, a program that runs as a service in the background and modifies web browser settings to visit a specific website.

The Miscellaneous Trojans category has consistently affected about a third of computers that were infected with malware in each period since 2H08. A number of rogue security software families fall into this category, such as Win32/FakeSpyPro, the most commonly detected rogue security software family in 2010. Other prevalent families in this category include Win32/Alureon, the data-stealing trojan, and Win32/Hiloti, which interferes with an affected user's browsing habits and downloads and executes arbitrary files.