Deceptive Downloads: Software, Music, and Movies

Malware Statistics

Computers reporting detections of the six indicator families mentioned (Keygen, Wimad, Pameseg, Wpakill, Gendows, and Patch) have a higher malware detection rate than those that don’t. Figure 1 lists the families that were most commonly detected alongside the indicator families in 1H12.

Figure 1. Threat families most commonly detected on computers displaying evidence of unsecure file distribution in 1H12, by absolute number of computers and by percentage of all computers displaying such evidence

| Family | Most significant category | 1Q12 | 1Q12 % | 2Q12 | 2Q12 % |
|---|---|---|---|---|---|
| Win32/Autorun | Worms | 849,108 | 10.5% | 937,747 | 11.3% |
| JS/Pornpop | Adware | 637,966 | 7.9% | 661,711 | 8.0% |
| Win32/Obfuscator | Misc. Unwanted Software | 515,575 | 6.4% | 606,081 | 7.3% |
| Blacole | Exploits | 561,561 | 7.0% | 512,867 | 6.2% |
| Win32/Dorkbot | Worms | 492,106 | 6.1% | 522,617 | 6.3% |

  • Win32/Autorun is a generic detection for worms that spread between mounted volumes using the Autorun feature of Windows. Recent changes to the feature in Windows XP and Windows Vista have made this technique less effective, but attackers continue to distribute malware that attempts to target it.
  • JS/Pornpop is a detection for specially crafted JavaScript-enabled objects that attempt to display pop-under advertisements in users’ web browsers. Initially, Pornpop appeared exclusively on websites that contained adult content; however, it has since been observed to appear on websites that may contain no adult content whatsoever.
  • Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques.
  • Blacole is a multiplatform family of exploits that target vulnerabilities in popular products and components and are delivered through malicious or compromised webpages. (See page 20 for more information about Blacole.)
  • Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.

See “Malware and unwanted software” beginning on page 33 for more information about threat detection patterns around the world.
