Malware distributors are increasingly using ‘passing off’ techniques to get their programs on to the PCs of UK-based users, new statistics from security vendor Webroot suggest.
The idea of passing off, packaging malicious functions with what appear to be legitimate programs, is nothing new. But Webroot’s latest analysis of UK-based spyware, Trojans and system monitors, shows that users are now being hit with a range of sometimes self-inflicted woes as a matter of course.
The top three adware programs for October were the Comet Cursor, a browser plug-in that masquerades as a mouse pointer utility, but which also tracks IP addresses and cookies; CoolWebSearch, a Google browser redirection pest that claims to be a way to improve searching; Starware Toolbar, a pop-up blocker that displays its own ads. All would likely have been installed by users who did not understand what they were signing up for.
In the category of ‘system monitors’, the picture is much the same, with many of the top programs mentioned, 007 Spy, Nok-Nok, and Win-Spy Monitor, being programs that claim to have a legitimate purpose, that of monitoring keystrokes on a PC for the purposes of surveillance. These programs don’t necessarily pass themselves off in an inaccurate way, but are open to abuse if installed on a PC without the owner’s knowledge.
Even the Trojans noted by Webroot, with Zlob and Trojan.Gen at the head of the list, will likely have found a home by packaging themselves with another apparently useful download.
The figures for October 2007 come from the company’s Phileas bot, an automatic malware tracking system that spiders for web threats in real time, and which can relate these to specific geographical areas. The figures measure threats directed against users, rather than specific reports.
“The technology behind spyware has become so far advanced, and is moving so quickly, that manual detection methods utilised by many security companies and freeware providers can’t keep up with it,” said Webroot’s CEO, Peter Watkins.
That said, the company’s October statistics suggest that most of the malware that affects UK users is remarkably old, in some cases years old. The Comet Cursor and Starware have been in circulation since September 2006, while the CoolWebSearch dates back to February 2004, circumstantial evidence that users are sometimes installing malware themselves in a way that circumvents security software.