Data collected on the geographical distribution of malware “Phone Home” locations in the first half of 2009 shows that  the USA hosts 35% of malware worldwide, followed by China (14%) and Brazil (8%). Additionally, cyber criminals use TCP port 80 most often for downloading and HTTP to transfer and send infections so they can avoid suspicion as these are both very common protocols.

Trojan malware rose the most in popularity in samples collected between January – June this year, and the penetration of viruses increased slightly. PUPs, Backdoors, and Worms declined just a little. Here’s how each category contributed to malware as a whole.

• Trojan – Trojans represent 55% of all Malware on the internet. Here’s how they work: Trojans perform a variety of malicious functions such as spying, stealing information, logging key strokes and downloading additional Malware.
• Backdoor (21%): Backdoors provide functionality for a remote attacker to log on and/or execute arbitrary commands on the affected system.
• Pup, a Potentially Unwanted Program (8%): PUPs are programs which the user may consent on being installed but may affect the security posture of the system or may be used for malicious purposes. Examples are Adware, Dialers and Hacktools/“hacker tools” (which includes sniffers, port scanners, malware constructor kits, etc.)
• Worm (6%): Worms self-propagate via e-mail, network shares, removable drives, file sharing or instant messaging applications.
• Virus (4%): Viruses propagate by infecting host files

The Trojan Malware category continues to occupy the largest share of new malware samples. In the first half of this year, the distribution of Trojans increased 9%. Experts speculate that the rise in Trojan popularity my be attributed to the proliferation of publicly available (and easily accessible) toolkits designed to control, spy on, and steal information from infected computers.

These toolkits are very easy to use. By completing a few text boxes, cyber criminals can have a backdoor or infostealer ready for deployment within seconds. Because they require little technical investment researchers expect the upward trend in popularity to continue.

Within the Trojan malware category, Infostealers (including password stealers, keystroke loggers, and spyware) represent 27% of all new samples.

While Infostealers are the most popular type of Trojan, their trend in popularity remained fairly flat throughout the first half of 2009. FraudTools on the other hand rose sharply and a brand new functionality called an Injector was introduced.

Definitions and trends courtesy of IBM X-Force Team‘s 2009 Mid-Year Trend & Risk Report.

Websites that made the list represent the “worst of the worst” based on the number of threats detected by Norton Safe Web. Without downloading or clicking on anything in particular, you risk exposing your computer to infection and revealing your personal and financial information into the hands of cyber criminals. Simply visiting one of these websites could infect your computer, so we don’t recommend you actually visit any of the websites that made the list.

So what makes these websites so dirty? Malware, security risks like phishing, and browser exploits top the list. In fact, the average number of threats found on the top dirtiest sites is… (ready for this?) 18,000, and 40 of the top 100 dirtiest websites have more than 20,000 unique threats each lurking in the shadows waiting to exploit unknowing visitors.

Symantec found the dirty websites by crawling the web using web forensic techniques like file scanning, IDS (intrusion detection systems), behavioral detection, and install/uninstall analysis to find security risks. In addition, Symantec has more than 20 million active contributors in the Norton Community Watch program. You can see dirty site submissions in real time by visiting http://safeweb.norton.com/safety.

While Norton can help you detect which websites are bad, FireHost can help keep your website off the bad list. We help keep hacker activity at bay by providing application level firewall protection, proactive vulnerability monitoring, and much more as a standard part of every secure web hosting package.

It takes “as little as $300 to infect several Windows clients and take complete control of them in a test environment,” Mills reports. By using real samples of malicious code, she was able to infect PCs with a Sub Seven Trojan and gain remote access to the machines. Once inside the computers, she was exposed to some of the malicious tricks hackers can play on unsuspecting malware victims.

• Invert the users screen so images and text appear upside down
• Change background colors
• Direct the PCs browser to any URL
• Control webcams, chat sessions, and printers

After mastering the Sub Seven Trojan’s “mildly malicious” features and functions, Ms. Mills was ready for the big leagues. With a few simple keystrokes, she created a botnet to control multiple zombies and do things like shut down websites with a DOS attack, send spam, scan ports, and install malicious files and keystroke loggers on multiple PCs.

McAfee’s Avert Labs participated in the event and reported to participants that there are 400,000+ new zombies deployed and 4,000+ new pieces of malware discovered daily that result in over 1.5MM malicious website attacks every month.

Ms. Mills wrapped up the McAfee Malware Experience by saying, “The numbers aren’t all that surprising to me now that I’ve seen first hand how easy the malware is to create and use. All in all, I’d say it was a very sobering experience.”

Start protecting your online presence today by partnering with a Secure Web Hosting provider. Contact a FireHost sales engineer today.

According to the article on eWeek.com, malware on each of the infected machines (running Windows XP) was installed and activated through a Borland Delhi RAD (Rapd Application Development) executable dropper file by the name of isadmin.exe. The dropper binary contains a Data Resource (RCDATA) named PACKAGEINFO that contains the actual malware. The dropper file is executed when the hacker inserts a fake ATM card with the malware trigger code into the machine. Once activated, the trigger code produces the malware file Isass.exe inside the C:\\WINDOWS directory of the compromised system.

The eWeek.com article reports that this particular ATM hacker vulnerability can be easily modified to target multiple ATM vendors and is making it’s way to other countries, including the US.