Trojans on the up

Posted by Gunter Ollmann on July 07, 2008 at 11:25 AM EDT.

I see that Panda Labs released their quarterly threat report (for Q2 2008) today.

While I think it’s important for security professionals to read these types of reports when they come out, it’s also very important to compare those findings with what other vendors are saying and what you’re actually observing on your own networks (or the networks and environments of the customers you work with) – and not to take any figures as gospel.

The Panda Labs report points out that Trojans are increasingly common, and now constitute 63.17 percent of new malware variants. This isn’t unexpected, and tallies with what other vendors have been observing throughout the year once you bundle malware classes such as backdoors in with them.

I am a little curious about why they chose to bundle bots and worms together, though. Granted, they may appear to be related at first glance, but they operate quite differently and have different criminal associations.

Infected or Not?

A third of the way through the report, Panda Labs introduces us to their new monthly monitoring system, “infected or not?”, which conducts free online scans of the visitor’s computer.

I like the way they differentiate between the malware that gets discovered as part of these opt-in scans, and may adopt the same terminology in the future…

  1. Latent Malware – malware present on the computer but not taking any action, awaiting execution either by the user (victim) or remotely by the attacker.
  2. Active Malware – malware that is running and in the process of doing the malicious damage it was constructed to do.

Panda points out that by June approximately 22 percent of observed malware was “active” (with an average of 17 percent since the beginning of the year). That surprises me a little, and it is something I’m planning to take a closer look at in the future, because I’d have expected that number to be a bit higher. Perhaps my expectation of a higher number comes from the fact that I would class any malware waiting for remote commands as “active” rather than “latent”.

More surprising to me is their country breakdown of hosts infected with active malware. Perhaps I’m missing something in their analysis write-up, but I’m a little confused by the numbers presented, because all of the listed countries appear to have over 30 percent “active” malware infections – which doesn’t average out to the 22 percent they initially mentioned.

Hopefully someone can explain it to me, including why Russia tops out at 47.67 percent “active” malware infection, because it doesn’t make much sense to me at the moment.

Having said that, I’d take these findings with a grain of salt if I were actually planning to base any business decisions on them. The fact that the data appears to have come from an opt-in scanning service means that it isn’t likely to be representative of most networks – i.e. from past experience, the people using the service probably already suspect that something’s not quite right with their computer and are already infected. If everything is going OK with your computer and you’re confident that you’ve got your anti-virus bases covered, you’re less likely to want to try out the free scanning service (whether you’re a Panda customer or not).

As for the rest of the report, no surprises there, although I wish they’d be a little more consistent in their malware naming conventions. I know it can be hard when so many researchers contribute content to a report, but the mixing of ‘botnet’, ‘zombie’ and ‘worm’ classifications is likely to confuse most people and detracts from the excellent work that has gone into the report.

Copyright 2001-2008 © Gunter Ollmann