Malware Samples Top 100 Million

November 13, 2012

Malware remains a huge problem — the number of malware samples in the McAfee Labs database topped 100 million in the third quarter of 2012 alone, and these numbers will continue to increase. The behavior and ultimate intention of a piece of malware varies widely, depending on who created the threat. The motivations for creating malware vary according to the class of attacker:

  • Cybercriminals’ motivations are straightforward — making money from malware and related attacks without being detected.
  • Hacktivist or state-sponsored attackers are concerned with sabotage and espionage, making these attacks very different from those seeking financial gain. These campaigns range from simple to complex, with some designed for sabotage and espionage (e.g., Stuxnet and Duqu) — while others aim to spread chaos and destruction (e.g., Shamoon).

Rootkits, or stealth malware, are one of the most destructive types of malware — and continues to be a troubling threat. These kits are designed to evade detection and thus “live” on a system for prolonged periods.

McAfee Labs researchers saw these trends in the third quarter.

  • The total number of AutoRun, fake AV, and password-stealing Trojans continues to grow.
  • After a tremendous growth spurt, ZeroAccess is slowly declining. However, it is shifting from kernel-mode toward user-mode techniques.
  • Koutodoor has shown fluctuations in activity — both rising and falling in 2012.
  • The common rootkit TDSS appears to be declining.
  • Koobface, malware that targets Facebook users, is declining.
  • Mac malware, which compromises Apple devices, shows strong, continued growth. This surprises many people because it gets less attention than PC and mobile malware — but the number of incidents reported continues to increase.
  • Signed malware is a very advanced technique usually reserved for targeted attacks. Although it continues to be a small percentage of total malware reported, it increased slightly in the third quarter.
  • One type of rookit targets a computer’s master boot record (MBR) — an area that performs key startup operations. Compromising the MBR offers an attacker a wide variety of control, persistence, and deep penetration. Recently these attacks, including mebroot, Tidserv, Cidox, and Shamoon, have increased in frequency. McAfee Labs researchers expect this threat will continue to grow.