Attackers are spreading Trojan horses using downloaders and droppers more than ever before, according to a new security threat report from Microsoft, which shows the number of infections skyrocketing.
The Microsoft Security Intelligence Report, released today, discloses trends researchers observed from July 2007 to Dec. 2007.
The report revealed that the number of Trojan downloaders and droppers detected and removed rose dramatically, increasing 300% over the same period a year ago. More than 200,000 variants were discovered and infected nearly 19 million computer users, Microsoft said.
"Downloaders have become the delivery mechanism of choice for malware authors who rely on rapidly developing variations of a downloader in attempts to defeat anti-malware software," said Vinny Gullotto, general manager of Microsoft's Malware Protection Center, the author of the report.
Gullotto wrote that a vast majority of the Trojan downloaders distribute malware from Win32/Zlob, a Trojan family that tweaks Internet Explorer in an effort to force users to download malicious software; and Win32/Renos, which forces unwanted software onto users.
Newer Trojan families are also being dished up by the downloaders. These include Win32/ConHook, which terminates some security services and connects to the Internet without the user's knowledge, and Win32/RJump, a worm spread through USB sticks and other removable devices.
The constant release of new specimens helps spammers and phishers stay ahead of the antivirus vendors, said Ed Skoudis, a SANS instructor and a founder and senior security consultant with Intelguardians, a Washington, DC-based information security consulting firm.
"Downloaders and droppers are the staging ground for the loading of more malware," Skoudis said. "These tools represent the software distribution infrastructure for the bad guys' empire. They are seeking to reinforce the robustness of this infrastructure to help perpetuate their control of victim machines."
Botnets have been growing to massive sizes in recent years, and downloaders and droppers not only leverage them but help build out the infrastructure. The Storm, Nugache and Kraken botnets have all been growing in size and scope. Kraken has taken the biggest jump, gaining more than 100,000 new machines in the last month alone.
Another reason for the increase in downloaders and droppers is that Trojans are far easier to monetize than worms or other attack vectors, said Mike Rothman, president and principal analyst at Security Incite, an industry analyst firm in Atlanta.
"Once the Trojan is there, it can be turned on and off as needed," Rothman said.
The best protection for enterprises is to build a defense in layers, Rothman said. End users should be given training to understand what not to click on and adequate defenses should be deployed on the perimeter gateway as well as on the desktop, he said.
"But ultimately enterprises need to plan for the fact that a portion of their devices will be compromised," Rothman said. "No defenses are foolproof and if they don't plan for compromise, they will be hurting when it happens, without a plan to contain the damage."
Threats have moved from email to the Web because it is the path of least resistance, said Doug Camplejohn, CEO of Web gateway security vendor Mi5. Once installed, a Trojan remains almost silent on a victim's machine until the malware writer issues a command, either to begin a spam campaign or to conduct a denial-of-service attack.
"What we've seen over the last year or two is a very deep increasing sophistication on the part of malware writers," Camplejohn said. "They're very adept at moving across protocols."
The Microsoft report also showed that more phishers are using social networks rather than email to trick users into giving up their information. The technique uses a person's own contacts to make a particular message appear legitimate. Microsoft said the attacks remain primarily written for English speakers, who account for about 75% to 80% of the active phishing pages tracked by the Microsoft Phishing Filter.