Symantec Global Internet Security Threat Report
Prevalence of malicious code types
Analyzing the prevalence of malicious code types provides insight into the general diversity of the threat landscape. Combined with the data from other metrics, this helps Symantec more accurately determine emerging trends in malicious code. During this reporting period, the overall volume of the top 50 potential malicious code infections doubled from 2008 to 2009; therefore, decreases in percentages do not likely indicate a year-over-year decline in potential infections. As in previous reporting periods, trojans composed the highest percentage of the volume of the top 50 potential malicious code infections (figure 11), although the percentage dropped from 68 percent in 2008 to 56 percent in 2009.[138]
[Figure 11. Prevalence of malicious code types by potential infections (y-axis: percentage of top 50 by potential infections). Source: Symantec]
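The two caveats in the paragraph above (a type's share can fall while its absolute count rises when the overall volume doubles, and per-type shares can sum to more than 100 percent when one sample's components are classified under several types) are easy to misread in a chart. The following is an added example, not Symantec's code or data: it computes the metric from a constructed list of samples (names, counts and type labels are all hypothetical) so that both effects are visible side by side.

```python
from collections import defaultdict

# Constructed sample data (not Symantec's figures): each tuple is one sample in a
# hypothetical "top N" list, its potential-infection count for the year, and the
# malicious code types its components are classified as. A sample whose
# components fall into different types contributes its full count to each type,
# which is why the per-type percentages can add up to more than 100 percent.
SAMPLES_2008 = [
    ("downloader_a", 400, ("trojan",)),
    ("downloader_b", 280, ("trojan", "back door")),
    ("mass_mailer_c", 200, ("worm",)),
    ("file_infector_d", 120, ("virus",)),
]
SAMPLES_2009 = [
    ("downloader_a", 600, ("trojan",)),
    ("downloader_b", 520, ("trojan", "back door")),
    ("mass_mailer_c", 500, ("worm",)),
    ("file_infector_e", 380, ("virus", "worm")),  # infects files and also spreads
]


def potential_infections_by_type(samples):
    """Absolute potential infections per type; multi-type samples count once per type."""
    totals = defaultdict(int)
    for _name, count, types in samples:
        for t in types:
            totals[t] += count
    return dict(totals)


def prevalence_by_type(samples):
    """Each type's share of the year's total potential infections, in percent."""
    total = sum(count for _name, count, _types in samples)
    return {t: round(100.0 * n / total, 1)
            for t, n in potential_infections_by_type(samples).items()}


def year_over_year(prev, curr):
    """Pair each type's change in share with its change in absolute count, so a
    falling share is not misread as a falling number of potential infections."""
    share_prev, share_curr = prevalence_by_type(prev), prevalence_by_type(curr)
    abs_prev, abs_curr = potential_infections_by_type(prev), potential_infections_by_type(curr)
    rows = {}
    for t in sorted(set(share_prev) | set(share_curr)):
        rows[t] = {
            "share_change_pct_points": round(share_curr.get(t, 0.0) - share_prev.get(t, 0.0), 1),
            "absolute_change": abs_curr.get(t, 0) - abs_prev.get(t, 0),
        }
    return rows


if __name__ == "__main__":
    for year, samples in (("2008", SAMPLES_2008), ("2009", SAMPLES_2009)):
        shares = prevalence_by_type(samples)
        print(year, shares, "cumulative:", round(sum(shares.values()), 1))
    for t, row in year_over_year(SAMPLES_2008, SAMPLES_2009).items():
        print(t, row)
```

With this constructed data the trojan share drops from 68 to 56 percent while the absolute trojan count rises, and the 2009 shares sum to 145 percent because two samples carry two type labels each; when reading the report's figures, compare the absolute column before concluding that a category is in decline.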
The previous two volumes of the Symantec Global Internet Security Threat Report discussed the possibility that attackers are gravitating toward the extensive use of a smaller number of more successful trojans.[139] The Bredolab trojan is a good example of this: its flexibility, style of downloading new threats, obfuscation, and polymorphism mechanisms together enable it to be easily customized for specific targets. Its success corroborates the hypothesis of attackers using smaller numbers of more successful trojans more often.
The proportionate decline in trojan activity observed in 2009 is also likely due to the rise in worm and virus activity. For example, the top malicious code sample causing potential infections in 2009 was the Sality.AE[140] virus. The main goal of Sality.AE is to download and install additional malicious software on a victim's computer. The virus also prevents access to various security-related domains, stops security-related services, and deletes security-related files. The virus also infects .exe and .scr files on a victim's local drive as well as on any writable network resource. It also spreads by copying itself to attached removable drives.
[138] Because malicious code samples may be comprised of multiple components that are each classified as different types, cumulative percentages discussed in this metric may exceed 100 percent.
[139] http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiv_04-2009.en-us.pdf and http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiii_04-2008.en-us.pdf
[140] http://www.symantec.com/security_response/writeup.jsp?docid=2008-042106-1847-99