G Data: Is the malware industry in crisis?

The number of new malware programs fell by about 30 percent in June

07/03/2009 | Bochum 

since the beginning of summer, the malware community appears to have been scaling back its activities; this is the outcome of the monthly evaluation by G Data Security Labs. The June analysis shows a clear retreat in new computer malware programs. While in May it was well over 120,000, the number of new appearances in the past month was just over 83,000 new malware models. In comparison with May, this corresponds to a reduction of more than 30 percent. This considerable reduction is, according to the estimates of G Data security expert Ralf Benzmüller, not solely due to the forthcoming holiday season. The global recession appears to have also hit the eCrime economy.



In spite of this pleasing development, it is not possible to expect a relaxation on the malware front. According to Ralf Benzmüller, manager of G Data Security Labs, it is more a question of a temporary drop.

"This phenomenon emerges every year as something new. At the start of the holiday season, the number of malware programs falls. One reason for this is the worldwide onset of the travel season, which, based on experience, causes a drop in the number of active Internet users. However, this does not explain a collapse of more than 30 percent," says Ralf Benzmüller. According to expert opinion, it seems much more likely that the global economic crisis has also hit the eCrime industry. "The black economy operates according to demanding economic criteria: supply and demand define business. The global economic crisis has not left the eCrime economy untouched. “Following on from dumping prices for the sending of spam, the downturn has now reached the writers of malware code. Order books for this particular branch of the industry seem currently to be falling back. Therefore we expect a stagnation in new malware figures for the current month. However there will definitely still be individual peaks. The latest global events and catastrophes constantly provide the online criminals with new ways of targeting their victims."


Top 5 malware categories:
Still unchallenged in the top spot of the malware top-5, with a share of 28.8 percent are Trojan horses.


Top five virus families:
Based on similarities in program code, G Data divides malware into families. The figures show the most prolific malware families.



Top 5 Malware categories
Malware samples are categorized according to their propagation mechanism and malicious function. The numbers show how many new Malware types have appeared in the according categories.

1. Trojan Horse:  28.8% (previous month 31.2%)
The name Trojan Horse refers to the historical prototype and describes a program which pretends to the user to contain a certain desired function. Instead of or in addition to that, Trojan Horses contain a hidden program part, which executes unwanted and/or malicious actions on the system without the user noticing this.
Trojan horses have no propagation routine of their own (as opposed to Viruses or Worms). They are sent by e-Mail or lurking within websites or P2P networks.

2. Downloader : 23.4 (previous month 25,6%)
A downloader is a piece of malicious software which –as the name implicates- downloads additional files from the Internet. Beforehand, they are often trying to lower the system’s security settings.

3. Backdoor: 19.9% (previous month 13.8%)
Backdoors open a rear side door into the infected system. That way, the system can be remote controlled by an attacker.In most cases, additional software can be installed and the system is integrated into a bot net along with other Zombie PCs. These Zombies are then used for sending spam, stealing data or executing
distributed denial of service attacks.

4. Spyware:  15.9 (previous month 13.6%)
The "Spyware" category contains malicious software whose purpose is to steal personal information from the victim’s system. This includes any kind of personal data, including passwords, banking information, or even login credentials for online games.

5. Worm:  4.0 (New entry to Top 5)
As opposed to a virus, a worm does not append itself to executable files. It propagates by transferring onto other machines through networks or system-to-system connections. There are different sub-types of worms which can be classified by their propagation mechanism, such as mail-, network-, or P2P-worms.


Top Five Virus families:
According to program code similarities, Malware is categorized into families. The numbers show the most productive virus families:

1. Buzus 5.2%
Trojan Horses of the Buzus family browse their victims’ infected systems for personal data such as credit card or online banking login information or E-Mail or FTP credentials.
In addition, they try to modify security settings of the affected system in order to make it even more vulnerable.

2. Bifrose 5.1 %
The Bifrose Backdoor provides attackers with access to infected systems and connects to an IRC server through which it receives commands from the attacker.

3. Huipgon 4.3%
Using the Hupigon Backdoor, an attacker can record keystrokes, access the file system or take screenshots using the infected system’s webcam.

4. Magania 3.5%
Trojan horses of the Magania family, which is originating from China, are specialized in stealing online gaming account credentials of the Taiwan-based game maker Gamania. Usually, Magania Trojans are spread through e-mails which contain a multi-packed, nested RAR-archive. On execution of the malicious software, a picture is displayed as decoy while in the background additional files are placed on the system. In addition, Magania hooks into Internet explorer using a DLL, which enables the Trojan horse to intercept WWW traffic.

5. Poison 2.5%
The Poison Backdoor enables unauthorized remote access to the victim’s system, which can then be used e.g. for Distributed Denial of Service attacks (DDoS).


Counting is based on Malware with equal code characteristics, equivalent to creation of signatures. Using this methodology, G Data does not count and categorize each and every individual malicious file. Instead, the Malware types are counted,  through which many different single files can be detected as the same Malware.


Thorsten Urbanski