
Trojan downloaders, droppers skyrocket, Microsoft says

The spread of Trojan horses via downloaders and droppers is multiplying rapidly, infecting nearly 19 million computer users in the second half of 2007.

Attackers are spreading Trojan horses using downloaders and droppers more than ever before, according to a new security threat report from Microsoft, which shows the number of infections skyrocketing.


The Microsoft Security Intelligence Report, released today, covers trends researchers observed from July through December 2007.

The report revealed that the number of Trojan downloaders and droppers detected and removed rose dramatically, increasing 300% over the same period a year ago. More than 200,000 variants were discovered and infected nearly 19 million computer users, Microsoft said.

"Downloaders have become the delivery mechanism of choice for malware authors who rely on rapidly developing variations of a downloader in attempts to defeat anti-malware software," said Vinny Gullotto, general manager of Microsoft's Malware Protection Center, the author of the report.

Gullotto wrote that the vast majority of the Trojan downloaders distribute malware from two families: Win32/Zlob, a Trojan family that modifies Internet Explorer in an effort to force users to download malicious software, and Win32/Renos, which pushes unwanted software onto users' machines.


Newer Trojan families are also being dished up by the downloaders. They include Win32/ConHook, which terminates some security services and connects to the Internet without the user's knowledge, and Win32/RJump, a worm that spreads through USB sticks and other removable devices.

The constant release of new specimens helps spammers and phishers stay ahead of the antivirus vendors, said Ed Skoudis, a SANS instructor and a founder and senior security consultant with Intelguardians, a Washington, D.C.-based information security consulting firm.

"Downloaders and droppers are the staging ground for the loading of more malware," Skoudis said. "These tools represent the software distribution infrastructure for the bad guys' empire. They are seeking to reinforce the robustness of this infrastructure to help perpetuate their control of victim machines."

Botnets have grown to massive sizes in recent years, and downloaders and droppers not only leverage them but help build them out. The Storm, Nugache and Kraken botnets have all been growing in size and scope. Kraken has taken the biggest jump, gaining more than 100,000 new machines in the last month alone.

Another reason for the increase in downloaders and droppers is that Trojans are far easier to monetize than worms or other attack vectors, said Mike Rothman, president and principal analyst at Security Incite, an industry analyst firm in Atlanta.

"Once the Trojan is there, it can be turned on and off as needed," Rothman said.


The best protection for enterprises is to build defenses in layers, Rothman said. End users should be trained to recognize what not to click on, and adequate defenses should be deployed at the perimeter gateway as well as on the desktop, he said.

"But ultimately enterprises need to plan for the fact that a portion of their devices will be compromised," Rothman said. "No defenses are foolproof and if they don't plan for compromise, they will be hurting when it happens, without a plan to contain the damage."

Threats have moved from email to the Web because it is the path of least resistance, said Doug Camplejohn, CEO of Web gateway security vendor Mi5. Once a machine is infected, the Trojan remains almost silent until the malware writer issues a command, either to begin a spam campaign or to conduct a denial-of-service attack.

"What we've seen over the last year or two is a very deep increasing sophistication on the part of malware writers," Camplejohn said. "They're very adept at moving across protocols."

The Microsoft report also showed that more phishers are using social networks rather than email to trick users into giving up their information. The technique involves using a person's contacts to make a particular message appear to be legitimate. Microsoft said the attacks remain primarily written for English speakers, which account for about 75% to 80% of active phishing pages tracked by the Microsoft Phishing Filter.
