Adware is still a big profit generator for malware operators

(07/08/2008)

Despite the dominance of malware targeting online gamers and the persistence of INF/Autorun, the continuing presence of Virtumonde and Toolbar.MyWebSearch in ESET's monthly report of top ten threat detections suggests that adware is still a big profit generator for malware operators.

However, even though programs like this have dubious credentials, anti-malware companies are reluctant to flag "potentially unwanted applications" as out-and-out malware and detection is often an option, rather than a scanner default.

This is because some adware and spyware can be considered legitimate, especially if it mentions the behaviour that makes it potentially unwanted in the EULA, demonstrating that it pays to read the small print.

Both Virtumonde and Toolbar.MyWebSearch are classified by ESET as potentially unwanted applications. They create a profit for malware operators by delivering adverts direct to the user's desktop or directing web searches through MyWebSearch.com. But is it appropriate that "legitimate" applications should deliberately try and hide themselves from anti-malware scanners, which is one aspect that Virtumonde's distributors pay particular attention to.

"Virtumonde has become a particularly difficult problem for vendors and users alike, far more than our classification as adware or potentially unwanted application might suggest," comments David Harley, Director of Malware Intelligence, ESET. "It is consistently represented in our top ten scores, despite the fact that its distributors keep changing Virtumonde's characteristics and delivery mechanism to hide it from us, which suggests that we're pretty successful at detecting it. But if it does manage to install itself, it can be very difficult to automate removal completely, often requiring manual intervention."

Once installed, some variants of Virtumonde are very difficult to disinfect safely with the malware in memory. Some vendors have published a "generic" removal process, but ESET does not believe that this is always appropriate, because it assumes a fairly static infection and removal procedure, whereas the Virtumonde gang goes to some lengths to make the process both variable and difficult. ESET says that this is when it becomes essential to have an interactive support process.

"Not surprisingly, the bad guys concentrate a lot of R&D effort on hiding from the most commercially successful anti-virus products and all of the major anti-malware scanners have difficulty detecting or removing at least some specimens of Virtumonde, unless their settings are so paranoid as to be almost unusable. We've just made some alterations to our detection method that should put us ahead for a while, but fighting Virtumonde has become a war of attrition, not a boxing match. The arena changes, the advantage swings from the bad guys to the good guys, but there is no final knockout," concludes Harley.

Top 10 Threats for July 2008:

1 Win32/PSW.OnlineGames - 12.72%
2 INF/Autorun - 4.68%
3 Win32/Adware.Virtumonde - 4.41%
4 Win32/Pacex.Gen - 2.88%
5 Win32/Toolbar.MyWebSearch - 2.31%
6 JS/TrojanDownloader.Wimad.N - 1.90%
7 JS/Exploit.RealPlay.LF - 1.56%
8 Win32/TrojanDownloader.Murlo.NN - 1.35%
9 Win32/Qhost - 1.31%
10 WIN32/AutoRun.KS - 1.19%

Related topics:  Hacking and intrusion prevention   Internet and Web security   Virus, Worm, Email security, spyware and malware 

Print version | Email to a friend | Related articles

Data breaches: Trends, costs and best practices gives you all the latest information on securing personal and corporate data, key recommendations for immediate action to improve data security, and how to respond to data breaches.

Other Security news and resources