
G Data Malware Report
Half-year report January-June 2010
Ralf Benzmüller & Sabrina Berkenkopf
G Data Security Labs
MalwareReport_1_2010

Content
At a Glance
Malware: Facts and Figures
  Malware cornucopia
  Malware Categories
  Malware Families
  Platforms: .Net increasing
Conclusion and Trends 2010
  Outlook
Events and Trends in the first Half of 2010
  January 2010
  February 2010
  March 2010
  April 2010
  May 2010
  June 2010

Copyright © 2010 G Data Software AG

At a Glance
• In the first half of 2010, there were 1,017,208 new malware programs, once again a new record.
• In comparison with the previous half-year, the number increased by 10%, and was a full 50% more than the same period last year.
• In 2010 as a whole, we expect more than 2 million new computer malware programs to be picked up.
• With a 51% increase, spyware is the malware category showing the biggest increase in volume. This is especially true for keyloggers and banking Trojans.
• The volume of new adware has fallen by 40%.
• The two most productive malware families, Genome and Hupigon, resulted in more variants than the entire total of malicious programs in 2007.
• Malicious programs aimed at Windows are the most predominant, representing 99.4% of all occurrences. The proportion of .NET malware, however, climbed by a factor of 3.4 and now represents 0.9%. Even malware authors are taking advantage of the benefits of .NET.
• Malicious code written for Unix derivatives and Java also increased considerably.
Trends
• Data theft is and remains a core function of malware.
• Adware is being superseded by virus protection imitations (fake AV) and blackmailers.
• More and more online services and functions are being misused for malicious purposes.

Events
• Social networks make it into the events lists with plenty of innovations but also a few data leaks. Far in the lead are Twitter and the market leader, Facebook.
• The Mariposa botnet has been put out of action. Spanish police have arrested the three operators.
• The Waledac Botnet, one of the ten largest in the USA, has also been hit hard by investigators and 277 .com domains have been removed from the net.
• The German Emissions Trading Authority is the victim of a phishing attack in which the criminals steal and trade permits worth around three million euros.
• PDF files increasingly become the focus of malware authors and consequently reports of weak points in PDF readers abound.

Malware: Facts and Figures

Malware cornucopia

[Diagram 1: Number of new malware programs per year since 2005 and in first half of 2010]

The 1,017,208 new malicious computer programs [1] detected in the first half of 2010 represented a new record, exceeding the previous half year by around 10%. In comparison with the same period last year, the number was up by more than 50%. In the first half of 2010 alone, more new malicious programs have surfaced than in the whole of 2008. By the end of the year, the number of new malicious programs is likely to break through the two million level.

[Diagram 2: Number of new malware programs per month for 2009 and 2010]

[1] The figures in this report are based on the identification of malware using virus signatures. They are based on similarities in the code in the harmful files.
Many malicious codes are similar and are gathered together in categories, in which small deviations are referred to as variants. Fundamentally different files form the foundation for their own families. The count is based on new signature variants created in the first half of 2010.

Malware categories

The proportion of spyware has grown by about 3.4% in comparison with the second half of 2009 - a bigger increase in share than for any other category. Consequently, the considerable downturn recorded in the last G Data malware report has come to an end, even though the share achieved in the same period last year was not reached. In absolute figures this corresponds to an increase of 51%. Particularly high growth rates were recorded in the keylogger [2] and banking trojan [3] spyware categories. In contrast, the increasing use of rootkits has continued unabated. Their number again grew over the last half by a factor of 2.6. On the other hand, worms - the meteoric risers of the last G Data malware report - could not sustain that rate of increase, but did however maintain the same level.

The share of Trojan horses exceeded the high level of the previous half year. In this group, the level of ransomware (blackmailers and some fake AVs) increased by a factor of 10 in comparison with the same period last year!

The share of new backdoors has fallen by around 2.9% and in so doing is continuing the downwards trend from the first half of 2009. The number of tools also decreased by a factor of about a third, their share falling to 1.0%. The most marked fall was in the quantity of adware. In contrast with the previous year (H1 2009 to H1 2010), numbers have fallen by around 40%, with the share falling from 5.3% to 2.1%.

| Category | # 2010 H1 | Share 2010 H1 | # 2009 H2 | Share 2009 H2 | Diff. 2010 H1 / 2009 H2 | # 2009 H1 | Share 2009 H1 | Diff. 2010 H1 / 2009 H1 |
|---|---|---|---|---|---|---|---|---|
| Trojan horses | 433,367 | 42.6 % | 393,421 | 42.6 % | +10 % | 221,610 | 33.6 % | +96 % |
| Downloaders/droppers | 206,298 | 20.3 % | 187,958 | 20.3 % | +10 % | 147,942 | 22.1 % | +39 % |
| Spyware | 130,175 | 12.8 % | 86,410 | 9.4 % | +51 % | 97,011 | 14.6 % | +34 % |
| Backdoors | 122,469 | 12.0 % | 137,484 | 14.9 % | -11 % | 104,224 | 15.7 % | +18 % |
| Worms | 53,609 | 5.3 % | 51,965 | 5.6 % | +3 % | 26,542 | 4.0 % | +102 % |
| Rootkits | 31,160 | 3.1 % | 11,720 | 1.3 % | +166 % | 12,229 | 1.9 % | +155 % |
| Adware | 21,035 | 2.1 % | 30,572 | 3.3 % | -31 % | 34,813 | 5.3 % | -40 % |
| Tools | 9,849 | 1.0 % | 14,516 | 1.6 % | -32 % | 11,413 | 1.6 % | -14 % |
| Exploits | 2,495 | 0.2 % | 3,412 | 0.4 % | -27 % | 2,279 | 0.3 % | +9 % |
| Miscellaneous | 6,751 | 0.7 % | 5,543 | 0.5 % | +22 % | 4,593 | 0.7 % | +47 % |
| Total | 1,017,208 | 100.0 % | 924,053 | 100.0 % | +10 % | 663,952 | 100.0 % | +53 % |

Table 1: Number and share of new malware categories in 2009 and 2010 and their change

[2] 2.5 times compared to the second half of 2009
[3] 2.2 times compared to the first half of 2009

Malware families

Malicious programs can be grouped into families according to their functions and properties. For some of these families, new variants are constantly being produced. While the share of new malicious programs grew constantly in the past, the number of different families reduced. This trend came to an end in the last half year. In the first half of 2010 there were 2,262 active malware families. This is approximately 3% higher than the value for the last half year and approximately one seventh greater than the first half of 2009.

| Rank | # 2010 H1 | Virus family | # 2009 H2 | Virus family | # 2009 H1 | Virus family |
|---|---|---|---|---|---|---|
| 1 | 116,469 | Genome | 67,249 | Genome | 34,829 | Monder |
| 2 | 32,830 | Hupigon | 38,854 | PcClient | 26,879 | Hupigon |
| 3 | 30,055 | Buzus | 37,026 | Hupigon | 18,576 | Genome |
| 4 | 25,071 | Refroso | 35,115 | Scar | 16,719 | Buzus |
| 5 | 24,961 | Scar | 24,164 | Buzus | 16,675 | OnlineGames |
| 6 | 21,675 | Lipler | 20,581 | Lipler | 13,889 | Fraudload |
| 7 | 19,385 | OnlineGames | 19,848 | Magania | 13,104 | Bifrose |
| 8 | 17,542 | Palevo | | | | |