FireEye Malware Intelligence Lab

Threat research, analysis, and mitigation

World's Top Malware

The malware landscape has always been very dynamic. New threat types and malware are constantly replacing the old ones. The prevalence of a particular malware family at any given time depends on multiple factors, like the business model, the efficiency of the person(s) driving this malware and, sometimes, actions by the anti-malware industry. For example, due to the efforts of the research community, Storm 1.0 and Srizbi, which were once the world's largest botnets, are history now. Due to certain design limitations, IRC botnets, which were dominant back in 2004-2006, are no longer very popular. We have also seen a constant uptick in new banking trojans. The popularity of online banking has led cyber criminals to seek huge opportunities by operating info stealers. The Web 2.0 era is responsible for giving birth to a new breed of malware spreading through social networking. A perfect example is Koobface. Security awareness in the public at large led to fears about these malware threats, which gave a boost to rogue "antivirus" software.

The first principle of a successful defense is identifying the enemies and their strengths. Believing in the philosophy of "keeping your friends close but your enemies closer" is a big step towards defeating your opposition. So let's do it. What are the latest trends? What are the world's most widespread malware, and what do they do? I am going to answer a few of these questions today based on data collected by FireEye during the last quarter.

Determining the volume of a particular malware family is a complex task. Many anti-malware organizations have attempted this in the past. The problem I see in most of these estimates is that they are based only on the organization's own internal data. Using a "what we detect the most" technique sometimes overlooks your own deficiencies. Sometimes the estimation technique itself could be defective; for example, estimating a spam botnet's size from its spam volume could be misleading. Some botnets are more aggressive in sending spam than others, depending upon the amount of business a particular bot herder might have. Counting only the unique malware samples could be very tricky in the case of polymorphic malware (malware that changes its binary footprint quickly).

In order to solve the above-mentioned problems and give accurate results, I am going to consider two different estimation techniques.

  1. Counting the unique number of hosts infected by a given malware. This data was collected from FireEye's MAX Cloud Intelligence network.
  2. Cross comparison of the above estimate with data offered by other anti-malware organizations, malware feeds received from third-party sources and the way they name these malware.

This "top malware" list may also differ from a "top botnets" list. By definition, "a botnet is a collection of homogeneous malware installations under the control of a single group". For example, Zbot/Zeus is a toolkit in the hands of hundreds of bad guys, each of whom has their own network of zombies. So, saying that Zbot is the world's largest botnet grossly oversimplifies the true extent of the problem. However, in some cases, when a malware family is in the hands of a single group, a "top malware" can also be considered a "top botnet". Koobface is one such example: it is a malware family as well as a botnet.

Enough explanation, let's get back to the point.

Statistics based on FireEye's MAX Cloud Intelligence network

As of today, these are the world's top 20 malware families. This conclusion is based on the number of unique infected machines found inside our customer networks. According to this analysis, the top 20 malware represent 48.74% of the total malware population.

Note: Payload type here is determined by the most dominant attribute of a particular malware family.

 #  Modern Malware     % Infected hosts  Payload              Single Botnet
 1  Butterfly/Palevo   7.5               DDoS, Info stealer   NO
 2  Hiloti             4.69              Downloader/PPI       YES
 3  Zbot/Zeus          3.62              Info stealer         NO
 4  FakeRean           3.47              Rogue AV(s)          YES
 5  Onlinegames        2.94              Info stealer         YES
 6  Rustock            2.66              Spam                 YES
 7  Ldpinch            2.64              Info stealer         NO
 8  Renos              2.58              Rogue AV(s)          YES
 9  Zlob               2.54              Rogue software       YES
10  Autoit             2.53              Downloader/PPI       YES
11  Conficker          2.48              Worm                 YES
12  Opachki            1.95              Click Fraud          YES
13  Buzus              1.91              Info stealer         YES
14  Koobface           1.17              Downloader           YES
15  Alureon            1.16              Downloader           NO
16  Bredolab           1.15              Downloader/PPI       NO
17  Piptea             1.13              Downloader/PPI       YES
18  Ertfor             0.91              Rogue AV(s)          YES
19  Virut              0.91              Virus, Downloader    YES
20  Storm 2.0          0.80              Spam                 YES

The biggest surprise is that Zbot/Zeus, which was once the world's largest collection of botnets, has now moved to the number 3 position. The Butterfly/Palevo toolkit proved to be a dark horse and is currently at the number 1 position. Note here that Butterfly is the same toolkit from which the famous Mariposa botnet was created. We have also seen a huge uptick in the number of hosts infected by a relatively unknown trojan called Hiloti, which is currently at the number 2 position. The games thief 'OnlineGames' (a.k.a. Frethog and Taterf) is at the number 5 position.

Koobface, which was in the top 5 list for the last two quarters, is back at the number 14 position (I am still investigating the reasons for this sudden drop). Rustock is at the sixth position but is still in a much better position compared to rival spam botnets like Pushdo and Storm 2.0.

Statistics based on unique malware samples (MD5s)

Certainly, counting the unique number of malware samples is not the best way to estimate the volume of a malware family. Estimation based on unique infected hosts, as shown above, is a far superior approach. But this technique can still give us a rough picture of the overall trends.

Here in the FireEye labs, we processed close to 700,000 samples during the last quarter for this study. After analyzing these samples, we found multiple instances of thousands of different malware families. This is not a surprise: in order to evade conventional antivirus signatures, modern malware changes its binary footprint very quickly.

I am quite satisfied to see that most of the top malware we found on our customer networks also have a high sample frequency. Although the ranking of these malware is a little different in each case, this is completely understandable due to the different nature of the input data. According to this analysis, the top 20 malware represent 26.43% of the total malware samples we processed during the last quarter.

 #  Modern Malware     % Unique samples (MD5)  Payload              Single Botnet
 1  Virut              4.47                    Virus, Downloader    YES
 2  Ldpinch            4.1                     Info stealer         NO
 3  Renos              3.9                     Rogue AV(s)          YES
 4  Zbot/Zeus          2.37                    Info stealer         NO
 5  Onlinegames        2.22                    Info stealer         YES
 6  Buzus              1.91                    Info stealer         YES
 7  Zlob               1.89                    Rogue software       YES
 8  Alureon            1.05                    Downloader           NO
 9  Butterfly/Palevo   0.89                    DDoS, Info stealer   NO
10  Autoit             0.65                    Downloader/PPI       YES
11  Piptea             0.60                    Downloader/PPI       YES
12  Conficker          0.55                    Worm                 YES
13  Bredolab           0.52                    Downloader/PPI       NO
14  Hiloti             0.42                    Downloader/PPI       YES
15  FakeRean           0.40                    Rogue AV(s)          YES
16  Koobface           0.23                    Downloader           YES
17  Pushdo             0.13                    Spam                 YES
18  Rustock            0.06                    Spam                 YES
19  Monkif             0.05                    Downloader           YES
20  Storm 2.0          0.02                    Spam                 YES

Virut, a famous virus and trojan, is at the number 1 position in terms of number of samples. A huge number of unique malware samples makes complete sense here. Virut is a file infector which tries to inject itself into each executable found on the victim machine. This converts each benign binary into a unique instance of Virut itself, so infected hosts might have thousands of unique copies of this malware.

Surprisingly, although Butterfly/Palevo is at the first position when it comes to the unique number of infected hosts, it is at the number 9 position when it comes to unique number of samples. This is good evidence that the cyber criminals behind this have been very successfully flying under the radar.
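To make the two estimation techniques listed earlier concrete, and to show why a file infector like Virut dominates a sample count while barely moving a host count (and a toolkit like Butterfly/Palevo does the opposite), here is a small Python script over constructed sighting records. It is an added example, not the post's code or FireEye data; the families V, P and Z, the host ids and the hash strings are all made up.

```python
from collections import defaultdict

# Constructed sighting records, not real telemetry: (host_id, family, md5).
# Family V stands in for a file infector: every infected host carries many
# distinct hashes. Family P stands in for a toolkit whose binaries hardly
# change from host to host. Family Z sits in between; host h3 carries both P and Z.
SIGHTINGS = [
    ("h1", "V", "v-aa"), ("h1", "V", "v-ab"), ("h1", "V", "v-ac"), ("h1", "V", "v-ad"),
    ("h2", "V", "v-ba"), ("h2", "V", "v-bb"), ("h2", "V", "v-bc"), ("h2", "V", "v-bd"),
    ("h3", "P", "p-01"), ("h4", "P", "p-01"), ("h5", "P", "p-01"),
    ("h6", "P", "p-02"), ("h7", "P", "p-02"), ("h8", "P", "p-02"),
    ("h3", "Z", "z-01"), ("h9", "Z", "z-02"), ("h9", "Z", "z-03"), ("h10", "Z", "z-04"),
]


def family_shares(sightings):
    """Return {family: (host_share_pct, sample_share_pct, samples_per_host)}.

    host_share counts a host once per family however many hashes it carries
    (technique 1 in the post); sample_share counts distinct MD5s (the weaker
    technique). A host infected by two families counts towards both, so host
    shares can add up to more than 100%.
    """
    hosts = defaultdict(set)
    md5s = defaultdict(set)
    for host, family, md5 in sightings:
        hosts[family].add(host)
        md5s[family].add(md5)
    total_hosts = len({h for h, _, _ in sightings})
    total_md5s = len({m for _, _, m in sightings})
    shares = {}
    for fam in hosts:
        h, m = len(hosts[fam]), len(md5s[fam])
        shares[fam] = (round(100 * h / total_hosts, 2),
                       round(100 * m / total_md5s, 2),
                       round(m / h, 2))
    return shares


def ranking(shares, by):
    """Family names ordered by host share (by=0) or sample share (by=1)."""
    return [fam for fam, _ in sorted(shares.items(), key=lambda kv: kv[1][by], reverse=True)]


if __name__ == "__main__":
    s = family_shares(SIGHTINGS)
    for fam in ranking(s, 0):
        print(fam, "hosts=%.2f%% samples=%.2f%% md5s/host=%.2f" % s[fam])
    print("by hosts:", ranking(s, 0), " by samples:", ranking(s, 1))
```

The host ranking puts the widely spread but rarely repacked family first, while the sample ranking puts the file infector first; the samples-per-host column is the quickest way to spot which families are inflating a hash-based count.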

Here's a side-by-side comparison:

 #  Modern Malware     % Infected hosts  % Unique samples (MD5)  Payload                Single Botnet
 1  Butterfly/Palevo   7.5               0.89                    DDoS, Info stealer     NO
 2  Hiloti             4.69              0.42                    Downloader/PPI         YES
 3  Zbot               3.62              2.37                    Info stealer           NO
 4  FakeRean           3.47              0.40                    Rogue AV(s)            YES
 5  Onlinegames        2.94              2.22                    Info stealer           YES
 6  Rustock            2.66              0.06                    Spam                   YES
 7  Ldpinch            2.64              4.1                     Info stealer           NO
 8  Renos              2.58              3.9                     Rogue AV(s)            YES
 9  Zlob               2.54              1.89                    Rogue software         YES
10  Autoit             2.53              0.65                    Downloader/PPI         YES
11  Conficker          2.48              0.55                    Worm                   YES
12  Opachki            1.95              0.0035                  Click Fraud            YES
13  Buzus              1.91              1.91                    Info stealer           YES
14  Koobface           1.17              0.23                    Downloader             YES
15  Alureon            1.16              1.05                    Downloader             NO
16  Bredolab           1.15              0.52                    Downloader/PPI         NO
17  Piptea             1.13              0.60                    Downloader/PPI         YES
18  Ertfor             0.91              0.02                    Rogue AV(s)            YES
19  Virut              0.91              4.47                    Virus, Downloader/PPI  YES
20  Storm 2.0          0.80              0.02                    Spam                   YES

One can see that both results complement each other. In a slightly different order, the Butterfly toolkit, Zbot, Onlinegames, LdPinch, Zlob, Renos, etc. are in the top 10 list.

Based on the malware payload types, one can also try to find the common intentions behind running most of these malware families. This can also shed some light on the direction of the current underground economy.

Beyond any doubt, information stealers, generic malware droppers and rogue antiviruses are amongst the top threats. The majority of these generic downloaders are part of a pay-per-install network. The owners of these downloaders generally have very good expertise in spreading their malware using different infection vectors like drive-by downloads and social engineering. The sole purpose of these malware families is to spread themselves as aggressively as possible and offer pay-per-install services (normally a few cents per installation) to other cyber criminals who might not be very good at spreading their own malware.

Spam is at the number 5 position, as only two spam botnets made their way into the top 20, i.e. Rustock and Storm 2.0. The click fraud and pay-per-DDoS businesses are on the rise as well. There are dedicated DDoS botnets (like those created out of the BlackEnergy and Palevo toolkits) which offer DDoS services to others. For the sake of money, these botnets can DDoS any Internet resource. Although the worm era is almost over, Conficker is still kicking using its self-propagation mechanisms.

Trends

If any of you are wondering about some famous malware missing from the above lists, here are some interesting statistics.

 #  Modern Malware     % Infected hosts  Payload Type         Single Botnet
 1  Torpig/Sinowal     0.58              Info stealer         YES
 2  Pushdo             0.35              Spam                 YES
 3  Monkif             0.29              Downloader           YES
 4  Clampi             0.17              Info stealer         YES
 5  RBot               0.13              Info stealer, DDoS   NO

The underground malware economy is no different from any other. It's the same world full of greed, rivalry, deceit and monopolies. Survival of the fittest also holds true here. Those who don't change with the times can't survive the opposition and perish eventually.

Atif Mushtaq @ FireEye Malware Intelligence Lab

Detailed Questions/Comments: research SHIFT-2 fireeye DOT COM

Recent Comments

  • It seems the malware arena didn't change too much from the user perspective.

    To me it looks like the same bad guys just with different suits.
    Online gaming keyloggers and trojans have been around since Windows XP came out and it has not changed, you proved it.

    To people in the security business it might look different, but the users who are hurt by these malware still experience the same things: spam, password stealing, etc., and the manual removal techniques are mostly still the same since 2006 or probably even before.

    Great reading, great article.

    Unite member on World's Top Malware
  • Well Andrew,

    We are aware that Mega-D was able to survive partially from the initial shutdown. It's back in action but not strong enough to be in the top 20 list.

    Atif Mushtaq on World's Top Malware
  • Great article! What about Mega-D, which FireEye shut down a few months ago? Is it back or dead forever?

    andrew on World's Top Malware