Compromised Computers Host an Average of 3 Malware Families

By Brian Prince  |  Posted 2009-09-03

Why take one when you can have a baker's dozen?

Unfortunately, we are talking about infected files and not doughnuts. According to security company ESET, the average compromised machine is home to 13 infected files as well as malicious programs from three different malware families.

ESET based its findings on scans of more than a half-million PCs using the free online scanner on the company's Website. In their own way, the results may demonstrate the way attackers are working together to tag-team vulnerable users.

According to ESET, the presence of multiple malware families is the result of the "pay per install" phenomenon, in which cyber-criminals are pushing out malware to computers under their control.

"Multiple malware families do not have any propagation mechanism built into their code," blogged ESET Senior Researcher Pierre-Marc Bureau Sept. 3. "Instead, these pieces of malware are distributed and installed on computers by criminal gangs."

Some good examples of this are campaigns to push out rogue anti-virus programs, he continued.

"Rogue anti-virus scams typically do not copy themselves to external drives, nor do they propagate through a network," Bureau wrote. "Their operators simply pay other criminal gangs every time a copy of their rogue software is installed on a PC."

Those familiar with the Conficker worm will remember that earlier in 2009 Conficker infections were linked to the installation of the Waledac worm. Waledac in turn installed a bogus anti-virus program.

In a conversation with me in April, RSA security pro Uri Rivner said attackers are increasingly buying subscriptions to fraud services to install data-stealing malware on machines they control. Subscriptions can cost $300 a month, potentially a drop in the bucket when compared with the profits that can be reaped from the theft of data such as banking credentials.

ESET's findings also show that there isn't always a one-to-one relationship between malware and infected files. Many files on an infected computer can be corrupted by the same piece of malware, Bureau wrote.

"This number can be explained by the comeback of file-infecting viruses, which were considered almost extinct a couple years ago," he blogged. "Modern malware families such as WMA/TrojanDownloader.GetCodec infect multimedia files, and playing any of these files will result in an infection of a system. For example, if you have 500 songs on your computer and you get infected by that threat, you will have more than 500 malicious files on your PC. ...

"To sum up, we are seeing more malware per infected computer and also more malicious files on each of them. Our virus lab receives over 100,000 new pieces of malware every day. There are more malware authors than ever and their technologies are getting better to rapidly create new variants of malicious code."
