Background
Worms and viruses use various means to spread from one computer to another. These means are collectively referred to as propagation mechanisms. Propagation mechanisms can include a number of different vectors, such as instant messaging (IM), Simple Mail Transfer Protocol (SMTP), Common Internet File System (CIFS), peer-to-peer file transfers (P2P), and remotely exploitable vulnerabilities.4 Some malicious code may even use other malicious code as a propagation vector by locating a computer that has been compromised through a backdoor server and using it to upload and install itself.
Methodology
This metric assesses the prominence of propagation mechanisms used by malicious code. To determine this, Symantec analyzes the malicious code samples that propagate and ranks associated propagation mechanisms according to the related volumes of potential infections observed during the reporting period.5
Commentary
As malicious code continues to become more sophisticated, many threats employ multiple mechanisms.
- Executable file sharing activity increases: In 2011, 76 percent of malicious code propagated as executables, an increase from 74 percent in 2010. This propagation mechanism is typically employed by viruses and some worms to infect files on removable media. For example, variants of Ramnit and Sality use this mechanism, and both families of malware were significant contributing factors in this metric, as they were ranked as the two most common potential infections blocked in 2011.
- Remotely exploitable vulnerabilities increase: The percentage of malicious code that propagated through remotely exploitable vulnerabilities was 28 percent in 2011, 4 percentage points higher than in 2010. Examples of attacks employing this mechanism include Downadup, which, although it seems to be in decline, is still a major contributing factor to the threat landscape and ranked fourth in 2011.
- File transfer using CIFS is in decline: It is worth noting that despite an increase between 2009 and 2010, the percentage of malicious code that propagated through CIFS file transfer fell by four percentage points between 2010 and 2011. Fewer attacks exploited CIFS as an infection vector in 2011.
- File transfer via email attachments continues to decline: It is worth noting the continued decline in the percentage of malicious code that propagated through email attachments for the fifth year running. Between 2010 and 2011, the proportion of malware using this mechanism fell by four percentage points. While this propagation mechanism is still effective, Symantec anticipates that this downward trend will continue into the near future. This is in part owing to a shift toward attacks that use malicious URLs contained in emails rather than attachments. In 2011, 39.1% of email attacks used malicious URLs, compared with 23.7% in 2010.
4 CIFS is a file sharing protocol that allows files and other resources on a computer to be shared with other computers across the Internet. One or more directories on a computer can be shared to allow other computers to access the files within.
5 Because malicious code samples often use more than one mechanism to propagate, cumulative percentages may exceed 100 percent.