Trojans, viruses, worms: How does malware get on PCs and Macs?

Summary: What's the best way to deal with malicious software on PCs and Macs? You can't answer that question until you know how malware gets installed in the first place. Here's a reality check.


Where does malware come from?

On Windows machines, some malware arrives through drive-by downloads: you visit a website, and a script on the page triggers an exploit (a buffer overflow in the browser or in one of its plug-ins, for example) that lets the malware install without any prompt.

If you keep your system fully patched, you are almost certainly not that victim. Those attacks typically succeed only against PCs whose owners haven’t installed the latest security updates; most such exploits, in fact, target vulnerabilities that were patched years earlier. A true zero-day can hit a fully patched machine, but zero-days are rare in mass-market exploit kits, which keep recycling old bugs because old bugs still work. A 2009 Kaspersky report concluded, “With very few exceptions, the exploits in circulation target software vulnerabilities that are known – and for which patches are available.”

The number of drive-by installations is small. So how does the majority of malware get on a PC or Mac? Most attacks today succeed by convincing the victim to do the actual work.

A 2010 study by Bruce Hughes of AVG Technologies says, “Social engineering trumps a zero-day every time.” It concludes that “users are four times more likely to come into contact with social engineering tactics as opposed to a site serving up an exploit.”

How do those big numbers translate into the actual families of malware that end up on users’ machines? You can get a pretty good idea by looking at data from Microsoft’s most recent Security Intelligence Report. The report contains two top 10 lists, representing the threats faced by the consumer and enterprise populations, respectively. Together, the families on those two lists account for between 54% and 56% of all malware detected on Windows PCs by any Microsoft security product in 2010.

Let’s go through the list (note that because of overlap between the consumer and enterprise lists there are fewer than 20 entries here).

The biggest infection of 2010, by far, was Conficker. This is a worm that spreads via file shares, mostly on corporate networks. At its peak, it represented 22% of all infections detected on domain-joined computers.

Conficker’s primary means of propagation is a vulnerability in the Windows Server service, reachable over the network through SMB. That vulnerability was fixed in October 2008 by Security Bulletin MS08-067, which patched Windows 2000, XP, Vista, Server 2003, and Server 2008; Windows 7, which shipped in 2009, included the fix. Later Conficker variants also spread by guessing weak passwords on administrative shares and by copying themselves, together with an Autorun.inf, to removable drives, so a patched machine can still be hit if its users reuse weak passwords or plug in an infected USB stick. Even so, there’s no excuse for that patch not being installed nearly two years later, in 2010.

The lists contain multiple families classed as Trojans, which typically rely on social engineering to spread:

  • Frethog and Taterf steal passwords for online games (Taterf also spreads on its own, by copying itself to mapped and removable drives). Both show up in the consumer and enterprise populations, and they were originally identified in May and June 2008, respectively.
  • Alureon (also known as TDSS or TDL) is a data-stealing Trojan with a rootkit component that hides it on disk; it is found mostly in the enterprise space. It dates all the way back to March 2007.
  • Renos is a family of fake security software that’s classified as a Trojan Downloader & Dropper, much like Mac Defender. It dates back to April 2007. FakeSpypro, a more recent rogue security program of the same kind, was originally identified in May 2010.

RealVNC, a legitimate remote-control (remote desktop) program, also made the list, under the category Potentially Unwanted Software. There is nothing wrong with the program itself, but if an intruder installs it, it hands them a remote desktop on the machine. It was detected on more than 5% of domain-joined PCs.

In the consumer populations, four browser-based families of threats—not malicious, just annoying—made the Top 10 list. All are typically installed by means of social engineering.

  • Adware:JS/Pornpop.A, added to the encyclopedia in August 2010, isn’t a piece of software at all. It’s a snippet of script from a web page that is activated within an iFrame in any browser. Microsoft’s security software usually picks up on this one when it scans the browser’s cache.
  • Zwangi is a browser hijacker, first spotted in October 2009.
  • Hotbar, which has been around as long as I can remember, is an annoying adware program.
  • ClickPotato is a relatively new family of “multi-component adware” that displays pop-ups and ads. It often tags along with Hotbar.

The latter three programs are typically installed along with smileys and other bits of fluffy software aimed at noobs and rubes.

Finally, there is a group of worms and backdoors that combine social engineering with the AutoRun feature of USB drives and mapped file shares:

  • Autorun is a generic detection for worms that copy themselves to removable and mapped drives and then write an Autorun.inf file pointing at the copied executable. Such a worm is usually accompanied by other malware.
  • Rimecud is a backdoor that spreads by way of removable drives and instant-messaging programs.
  • Hamweq is an IRC-based backdoor program that spreads via flash drives.

The AutoRun feature doesn’t install the malware by itself. Instead, the worm’s Autorun.inf adds an entry to the AutoPlay dialog that Windows shows when the drive is inserted or opened, typically labeled and given an icon so that it looks like the built-in “Open folder to view files” option; the user who picks it is actually running the installer. (On Windows XP, the same file could also rebind the drive’s double-click action in Explorer to the executable.)

Windows 7 changed the behavior that made this trick possible: Autorun.inf is no longer honored on non-optical media, so a USB stick or network share cannot add its own entry to AutoPlay. The same change was made for Windows XP and Windows Vista by means of Optional updates published in February 2009 (KB967940) and August 2009 (KB971029). As of February 2011, they are delivered as Important updates through Windows Update, so any XP or Vista machine that takes its updates has them. On a machine that doesn’t, check that the NoDriveTypeAutoRun policy value has the removable-drive bit (0x04) set, or set it to 0xFF to disable AutoRun for every drive type.
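To make the AutoRun mechanism concrete, here is a small triage script. It is an added example for this page, not code from the article, from Microsoft or from any of the malware families named above. It parses an Autorun.inf, flags the keys a worm relies on (open=, shellexecute=, shell\...\command=, a custom action= entry, a borrowed system icon, a target tucked into RECYCLER) and reports whether a given NoDriveTypeAutoRun value would let Windows act on the file for a given drive type. The two Autorun.inf samples are constructed for illustration; the registry bit values are the ones Microsoft documents in KB967715.

```python
"""Triage of an Autorun.inf pulled off a USB stick or a mapped share.

Added example for this article, not code from the article, from Microsoft or
from any malware family it names. Both Autorun.inf samples are constructed.
"""
import configparser
import ntpath

# A set bit in the NoDriveTypeAutoRun policy value disables AutoRun for that
# drive type (registry path: HKLM\Software\Microsoft\Windows\CurrentVersion
# \Policies\Explorer, values documented in Microsoft KB967715).
NO_DRIVE_TYPE_AUTORUN_BITS = {
    "unknown": 0x01, "removable": 0x04, "fixed": 0x08, "network": 0x10,
    "cdrom": 0x20, "ramdisk": 0x40, "reserved": 0x80,
}
XP_VISTA_DEFAULT = 0x91   # unknown + network + reserved: USB and CD still honored
DISABLE_ALL = 0xFF

# Extensions a worm's open= / shellexecute= / shell\...\command= line points at.
EXEC_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".vbe",
             ".js", ".jse", ".wsf", ".lnk"}
# Directories AutoRun worms habitually hide their payload in.
HIDEOUTS = ("recycler", "$recycle.bin", "system volume information")


def parse_autorun_inf(text):
    """Return the [autorun] section as a dict with lower-cased keys.

    Autorun.inf uses INI syntax: keys are case-insensitive and may repeat, and
    values may contain %SystemRoot%, so interpolation is switched off."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True,
                                   strict=False, delimiters=("=",),
                                   comment_prefixes=(";",))
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k.lower(): (v or "").strip() for k, v in cp.items(section)}
    return {}


def _program(value):
    """First token of a command line, honouring a quoted path."""
    value = value.strip()
    if value.startswith('"') and value.count('"') >= 2:
        return value[1:value.index('"', 1)]
    return value.split()[0] if value.split() else ""


def triage_autorun_inf(text):
    """List the traits an AutoRun worm's Autorun.inf typically shows."""
    keys = parse_autorun_inf(text)
    findings = []
    launchers = {k: v for k, v in keys.items()
                 if k in ("open", "shellexecute")
                 or (k.startswith("shell\\") and k.endswith("\\command"))}
    for key, value in launchers.items():
        prog = _program(value)
        if ntpath.splitext(prog)[1].lower() in EXEC_EXTS:
            findings.append(f"{key}= launches {prog}")
        if (any(h in prog.lower() for h in HIDEOUTS)
                or ntpath.basename(prog).startswith(".")):
            findings.append(f"{key}= target hidden in {ntpath.dirname(prog)}")
    if keys.get("action"):                      # custom AutoPlay entry text
        note = "custom AutoPlay entry: " + repr(keys["action"])
        if "folder" in keys["action"].lower():
            note += " (mimics the built-in 'Open folder to view files')"
        findings.append(note)
    if "shell32.dll" in keys.get("icon", "").lower():
        findings.append("icon borrowed from shell32.dll (folder-icon spoof?)")
    return findings


def autorun_honored(no_drive_type_autorun, drive_type, autorun_update_applied):
    """Would Windows offer the Autorun.inf action for this drive type?

    autorun_update_applied: Windows 7, or XP/Vista with KB971029, which stop
    honoring Autorun.inf on anything but optical media."""
    if drive_type not in NO_DRIVE_TYPE_AUTORUN_BITS:
        raise ValueError(f"unknown drive type {drive_type!r}")
    if autorun_update_applied and drive_type != "cdrom":
        return False
    return not (no_drive_type_autorun & NO_DRIVE_TYPE_AUTORUN_BITS[drive_type])


# Constructed samples: a benign installer CD and a USB stick carrying a worm.
INSTALLER_CD = """[autorun]
open=setup.exe
icon=setup.exe,0
label=Product Installer
"""
WORM_USB = """[autorun]
; constructed to match the pattern the article describes, not a real sample
open=RECYCLER\\update.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
shell\\open\\command=RECYCLER\\update.exe
shell\\explore\\command=RECYCLER\\update.exe
"""

if __name__ == "__main__":
    for name, inf in (("installer CD", INSTALLER_CD), ("USB stick", WORM_USB)):
        print(name, triage_autorun_inf(inf))
    for patched in (False, True):
        print("KB971029 applied:", patched, "-> USB AutoRun honored:",
              autorun_honored(XP_VISTA_DEFAULT, "removable", patched))
```

On a suspect drive, feed the contents of its Autorun.inf to triage_autorun_inf(); an installer CD produces a single, expected "open= launches setup.exe" finding, while the worm pattern produces the executable-in-RECYCLER, spoofed-folder-entry and borrowed-icon findings together. The autorun_honored() check shows why the 2009 updates mattered: with the stock XP/Vista value of 0x91 the removable bit is clear, so AutoRun on a USB stick is allowed until KB971029 is applied.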

So add it all up. Among the top 10 threats in the consumer and enterprise populations, one exploited a vulnerability that had been patched more than a year earlier, and the rest consisted of Trojans, worms, and adware that relied on social engineering, or on a user picking a spoofed AutoPlay entry, to land on a victim’s PC.

Talkback

271 comments
  • RE: Trojans, viruses, worms: How does malware get on PCs and Macs?

    My father-in-law still doesn't get it when I explain about "viruses" for Windows. He's just damn lucky he doesn't have an Intel Mac ;)
    Imrhien
    • Still there is no non-laboratory scenario of getting a virus on a Mac, and

      @Imrhien: ... the trojans Edward talks about only work when the user intentionally and voluntarily installs them (even if the installer autostarts, it can not do anything on its own). But, before that, the user has to believe that he/she got "a virus", which is practically not a real-life scenario. So there are no serious chances for these trojans to be installed on Macintoshes since the "phishing" trick is not really believable.

      And, even if the user is clueless or reads for years all of these articles about how Macintosh is the same as PCs and believes that he/she got "a virus", and installs this "Mac Defender" which promises to cure the computer, then still he/she has to be clueless twice, since the following trick is when "Mac Defender" tells that it lied and it will not cure the computer until the user pays for the full version. And even then the user has to be clueless thrice to pay money for an application he/she has neither ever heard about, nor checked out.

      Seriously, it is three levels of cluelessness -- no wonder the cases of the problem are so microscopic in the scale of Macintosh's fifty-five million installed base.
      DDERSSS
      • RE: Trojans, viruses, worms: How does malware get on PCs and Macs?

        @DeRSSS The trouble with both Macs and PCs is that they rely on people. People are inherently the weak link in any security system. If you believe that it can never happen to you because 1) you are smart, and/or 2) you bought a Mac: good luck!
        bobfastner
      • Yeah, and Ed tells us the same thing ...

        @DeRSSS ... when he states ...

        "The overwhelming majority of malware is installed by the victim, who is fooled by social engineering."

        Whether it is Windows malware or Macintosh malware, it cannot get in if you don't let it!
        M Wagner
      • RE: Trojans, viruses, worms: How does malware get on PCs and Macs?

        @DeRSSS
        Well then, with that reasoning, it is probably a LOT easier to get a virus on a Mac since most of the userbase buys them because they ARE in fact clueless when it comes to computers. That is why they buy them, isn't it? So they have to learn less about how it all actually works and they can be further entrenched into the Apple Eco(distortion field) system?
        JimmyFal
      • RE: Trojans, viruses, worms: How does malware get on PCs and Macs?

        @DeRSSS

        Your points are all valid. Imrhien and others don't realize this has nothing to do with someone not having a PC or having a PC. It's about ignorance in the user and nothing more. I work on both PC and Mac at work and user beware is the appropriate response.
        spikedstrider
      • RE: Trojans, viruses, worms: How does malware get on PCs and Macs?

        @DeRSSS
        If a Mac user REALLY believes that Macs are totally immune to every and any kind of malicious software, then that becomes like a self-fulfilling prophecy. Indeed, the Mac of such a user will never get infected, because a user who has such faith in the Mac will never click on any "your computer is infected" message, because by definition, Macs can't get infected by anything.
        arminw
      • RE: Trojans, viruses, worms: How does malware get on PCs and Macs?

        @DeRSSS

        It sounds as if you do not directly support end users, whether they are friends and family or in a business environment.

        If you did, you would be well aware that users are clueless. As Ed points out in his post, security breaches that are the direct result of vulnerabilities in the OS have been on the decline for years - the most dangerous and abundant threat is any type of malware that relies on social engineering. It is because of clueless users that they are so wide spread.

        And most importantly of all, Mac users are not by default more educated, tech savvy, or immune to social engineering. It is exactly the "I'm immune because I use a MAC, therefore I can stick my head in the sand" mentality that the creators of Mac Defender were targeting, and many of you fell for it!
        smtp4me@...
      • @JimmyFal

        You do realize that most Mac buyers have bought or used Windows computers in the past, right? So tell me how a user is more clueless buying a Mac than he was when he owned a Windows machine?
        fr_gough
      • RE: Trojans, viruses, worms: How does malware get on PCs and Macs?

        @DeRSSS

        If all it takes is clueless users, it is amazing to me that infections aren't more common.
        DLClark
      • RE: Trojans, viruses, worms: How does malware get on PCs and Macs?

        @DeRSSS You fail to realize that many Windows and Mac trojans are obtained on a hijacked website that is trusted by the user. It doesn't matter if the executable is called "fluffy puppies.exe" or "i will kill you and your family with a rusty spoon.zip.exe.7z"; if that pops up on your favorite news website like usatoday or your local news website, then many people will allow it. And who said that all Mac trojans/viruses/malware tell you that they are anti-malware? I fixed my aunt's computer after she downloaded and installed something that said it was an addon for iMovie. It wasn't.
        Feds Against Guns
      • RE: Trojans, viruses, worms: How does malware get on PCs and Macs?

        @fr_gough
        """You do realize that most Mac buyers have bought or used Windows computers in the past, right? So tell me how a user is more clueless buying a Mac than he was when he owned a Windows machine? """

        Because they just paid twice as much money for a computer that still gets viruses. And most people go from the 10-year-old XP to a brand new Mac, and are still complaining about a 10-year-old OS, 10 years after it was created. I fix PCs for a living. The virus calls on Windows 7 are few and far between. And REALLY easy to get rid of when it does happen. I can talk any user through it over the phone in about 10 minutes.

        Windows 7 is pretty darn easy to use as well. Every bit as easy as a Mac. I'll give you a pass on the Pads and the Pods, because they don't look or act like anything Mac OS.

        So now the argument isn't about Windows getting infected. It's about price. And anyone that pays double or more to check their email, is by definition, clueless.
        JF
        JimmyFal
      • even if installer autostarts, it can not do anything on its own

        @DeRSSS
        That is not my experience. I clicked on the 3rd result of a Google search, on a link that looked legit, and I could do nothing to stop the trojan from installing itself 12 times on my laptop! And apparently Mac users now have the same problem. Now, my Linux machine is a different story....
        danindenver
      • Oh Special Eddie... Wrong again... As usual...

        "If you install security updates regularly, your risk of being affected by a drive-by download is virtually zero."

        Wrong again brainiac... Updates are 99.5% reactive, it is extremely rare that they are ever proactive... Those updates come weeks, sometimes months after threats have been spreading in the wild... The known threats are easy... It's the unknown threats that are more dangerous, they can quietly do damage until they are discovered.

        So rephrase that lame statement you made to the following:

        If you install security updates regularly, your risk of being affected by a KNOWN drive-by download is virtually zero.

        The only way you are going to get proactive protection is with white listing or freezing the PC... And you might as well be completely honest, only a Windows PC is vulnerable to drive-by downloads, they are indigenous to Windows.
        i8thecat3
      • spin

        @DeRSSS
        of course ed is lying - as always. he even contradicts himself in one sentence: "The Mac Defender gang already proved they can sidestep the requirement to enter an Administrator password. They already convinced tens of thousands of victims to install a small program..."

        how is that "small program" installed on a mac without entering an administrator password, ed? right, not possible. absolutely not possible.

        it is a trojan, a simple trojan. as there have been trojans on the mac for ages. nothing about this mac defender thing is new, or more serious no matter how hard ed tries to spin it. a user has to download it by hand from the internet and type in his administrator password to install it.

        please ed, i know you get desperate, your mothership in redmond is sinking. but stop the laughable spin. just jump ship, become a google enthusiast or samsung or whatever and stop the ms defending lunacy please.
        bannedfromzdnetagainandagain
      • RE: Trojans, viruses, worms: How does malware get on PCs and Macs?

        @DeRSSS How delish. Ed says the kneejerk reaction from Apple fanboys is "Macs don't get viruses, and even if they did, only morons would get them," and here you are. Virus, worm, trojan -- who cares. Macs get malware.
        Vesicant
    • RE: Trojans, viruses, worms: How does malware get on PCs and Macs?

      The difference between PC and Mac is how each company deals with the problem. In the case of Microsoft, they initially ignored the problem, letting third-party anti-virus companies deal with it. What happened was that the user experience suffered: full hard drive scans, slowdowns, interruptions and so on. That caused great damage to the brand and the user experience.

      I think that Apple will deal with the problem differently, providing virus protection seamlessly like they do all their software. Apple also has the option to allow installs only from the App Store or at least set that option as default.

      My prediction is that viruses will be a much smaller problem for Mac users than people like Ed try to convince you...
      prof123
      • RE: Trojans, viruses, worms: How does malware get on PCs and Macs?

        @prof123
        "Apple also has the option to allow installs only from the App Store or at least set that option as default."

        Oh yeah, that'll work great.

        Apple really shouldn't allow people to run MS Office or Adobe PhotoShop. Or any actual big brand software.

        Yup, great idea!
        CarlitosLx
      • RE: Trojans, viruses, worms: How does malware get on PCs and Macs?

        @prof123
        It's great being forced to only be able to buy software from the app store. Or not, I happen to like buying my software anywhere I want. It's that kind of thinking that will drive away consumers in the future. Apple has made many great strides so why ruin it with a communist tactic?
        kenpofighta@...