Blog: More infections = a lot more malware

04 Sep 2009

This tool is available freely from ESET’s website at and can be accessed by anyone to scan their system without having to install a product. Data from our online scanner is interesting because it comes from systems that are not necessarily running one of our products (or do not have any antivirus installed at all). During the last three months, more than half a million PCs were scanned using this tool, with very interesting results.

First, we discovered that when a computer is infected, an average of 13 malicious files are found on the system. A malware infection does not equal one malicious file being installed on the system: many files on an infected computer can be corrupted or infected by the same piece of malware. The computer is not just infected with malware; it is often infested. This number can be explained by the comeback of file-infecting viruses, which were considered almost extinct a couple of years ago. Modern malware families such as WMA/TrojanDownloader.GetCodec infect multimedia files, and playing any of these files will result in an infection of the system. For example, if you have 500 songs on your computer and you get infected by that threat, you will have more than 500 malicious files on your PC. Another example of a current file infector is the Win32/Virut family which, in addition to infecting executable files, changes HTML files to insert an IFRAME pointing to a malicious site. Anyone viewing the modified HTML file with a vulnerable browser then becomes infected.
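A defender's check for the HTML modification described above, as an added example that is not from the original post or from ESET: it flags iframes that are hidden from the user and load from a host outside a trusted list. The hidden-frame heuristic, the function names and the sample page are assumptions made for illustration, not a signature for Win32/Virut.

```python
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# Constructed sample: two legitimate frames plus one hidden off-site frame.
SAMPLE_PAGE = (
    '<html><body><iframe src="/widgets/news.html" width="300"></iframe>'
    '<iframe src="https://maps.partner.example/embed" width="600"></iframe>'
    '</body></html>\n'
    '<iframe src="http://malicious.example/rc/" width=1 height=1></iframe>'
)
# Assumed heuristic, not a Win32/Virut signature: an injected frame is
# invisible to the user and loads from a host the site does not trust.
HIDDEN_STYLES = ("display:none", "visibility:hidden")

def _is_hidden(attrs):
    style = (attrs.get("style") or "").replace(" ", "").lower()
    dims = [(attrs.get(d) or "").lower().replace("px", "").strip()
            for d in ("width", "height")]
    tiny = any(v.isdecimal() and int(v) <= 1 for v in dims)
    return tiny or any(s in style for s in HIDDEN_STYLES)

class _IframeFinder(HTMLParser):
    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted = {h.lower() for h in trusted_hosts}
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        attrs = dict(attrs)
        # Relative src values have no hostname and are treated as same-site.
        host = (urlparse(attrs.get("src") or "").hostname or "").lower()
        if host and host not in self.trusted and _is_hidden(attrs):
            self.hits.append(attrs["src"])

def find_suspicious_iframes(html_text, trusted_hosts=()):
    """Return the src of every hidden iframe that points at an untrusted host."""
    finder = _IframeFinder(trusted_hosts)
    finder.feed(html_text)
    return finder.hits

def scan_tree(root, trusted_hosts=()):
    """Map each .htm/.html file under root to its suspicious iframe URLs."""
    found = {str(p): find_suspicious_iframes(p.read_text(errors="replace"), trusted_hosts)
             for p in Path(root).rglob("*.htm*")}
    return {path: hits for path, hits in found.items() if hits}
```

A hit is a lead for review rather than a verdict: some legitimate tracking or authentication frames are also hidden, which is what the trusted-host list is for.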

The second interesting point we found while analyzing our online scanner logs is that there are, on average, three malware families found on infected computers. This illustrates another trend we have been observing lately, which is “pay per install” malware distribution. Multiple malware families do not have any propagation mechanism built into their code. Instead, these pieces of malware are distributed and installed on computers by criminal gangs. One very good example of such malicious software is rogue antivirus programs. Rogue antivirus scams typically do not copy themselves to external drives, nor do they propagate through a network. Their operators simply pay other criminal gangs every time a copy of their rogue software is installed on a PC. Back in March, the Win32/Conficker worm installed a variant of the Win32/Waledac worm on systems it infected. In turn, Win32/Waledac downloaded and installed a rogue antivirus. This is a typical scenario and explains the number of families we are seeing. This second statistic is different from the number of malicious files because each of these malware families can also infect multiple files.

Through our ThreatSense.Net monitoring system, we also gather statistics on malicious activity witnessed by computers running ESET’s antivirus software. On a daily basis, 3.3% of the computers detect and block at least one threat. If your company has 1,000 computers connected to the Internet, chances are that, during the next 24 hours, 33 of them will either try to access a malicious file on the Internet, receive something suspicious by email or be attacked by a network worm.

To sum up, we are seeing more malware per infected computer and also more malicious files on each of them. Our virus lab receives over 100,000 new pieces of malware every day. There are more malware authors than ever, and their tools for rapidly creating new variants of malicious code are getting better. To build awareness around the problem of cybercrime and malware, ESET is launching a month-long campaign in San Francisco.

Pierre-Marc Bureau

Senior Researcher

ESET Global