FortiGuard Center

2006 Malware Threats and Trends
  • Overall: 2006 continued 2005’s progressive, almost complete monetization of malware

  • Business vs. Innovation: Cyber criminals have focused more intently on the business side of cyber criminality than mere technical virtuosity

    • Off-the-shelf malware kits are now available for only $100-$400

    • Stolen online bank accounts are sold in specialized chatrooms

  • Surprise of the Year = Stration: 2006 criminals made a brief exception to the business vs. innovation trend with the Stration mass-mailer that has been wreaking havoc since September

    • A spike in October showed Stration’s variants dragging mass-mailing activity to 44 percent of global malware – an unprecedented score this year

    • However, even with Stration’s rise, mass-mailers in general decreased by 57 percent in 2006 as compared to 2005

  • Firsts: While 2005 saw the first IM worms, the first Symbian MMS worms, and the resurgence of rootkits, 2006 merely witnessed the first crossover virus:

    • A piece of code deemed MSIL/Overcross.A was able to jump from Microsoft Windows PocketPC systems to desktop Windows systems

    • This one, however, remained a “proof of concept” of sorts, while 2005’s innovations settled as some of the fastest growing threats this year

  • Mac and Unix? MacOS threats were on the rise in 2006, and Unix threats, although still very low in volume, increased by 1000 percent from 2005 to 2006

  • What about IM Worms? IM worms activity increased by 105 percent

  • And MMS Worms? Symbian worms propagating via MMS messages reached a significant prevalence, with peaks showing that nearly 75 percent of MMS messages contained some variation of the worm. This was only 5 percent in 2005.

  • Bank Trojans: This year, banks tried to stay a step ahead of the hackers by leveraging virtual keyboards to thwart any keylogging attempts. However, banker Trojans quickly caught up with these new measures and can now record mouse moves and clicks, capturing the passwords. When banks started using random layouts of virtual keyboards as a countermeasure, banker Trojans took screenshots of the virtual keyboards in addition to the mouse moves. No need to be “uber-leet” to do this, either – these kits are also available for sale for a very low cost.

  • Browser Exploits: Numerous browser exploits were unveiled in 2006, targeting both Internet Explorer and Firefox, and exploits embedded into web pages progressed by 17 percent from 2005 to 2006.

  • Social Engineering: Various specialists have predicted the death of “plain phishing through social engineering techniques” in favor of banking Trojans. This is currently not happening. In 2006, while Trojan activity decreased by 32 percent, phishing increased by 60 percent as compared to 2005.

    • 2006 has seen a change in the core target of the phishing scam, as these social engineering phishing attacks are more aggressively targeting MSN Messenger, Yahoo! Messenger, MySpace, and other social networking sites. The motivation behind these phishes, which don’t yield immediate profits, is multifold:

      • Capturing active email addresses will ensure spammers and bank phishers a “read rate” of nearly 100 percent

      • They allow for more targeted, and more malicious, social engineering attacks

      • Ultimately, any social engineering activity, whether immediately involving money or not, will likely pave the way for future identity theft operations (via phish, Trojans, etc.). This has already happened with online poker sites, Massive Multiplayer Online Role Playing Games (MMORPG), and social networking sites

Source: Guillaume Lovet and Bryan Lu, Fortinet Threat Research Team