> Enterprise > Security Response > Internet Security Threat Report > View the Report > Malicious Code Trends

Malicious Code Trends

Malicious Code Trends | Top Malicious Code Families | Analysis of Malicious Code Activity by Geography, Industry Sector and Company Size | Propagation Mechanisms | Industrial Espionage: Targeted Attacks and Advanced Persistent Threats (APTs) | TRIAGE Analysis of Targeted Attacks

Top Malicious Code Families


Symantec analyzes new and existing malicious code families to determine which threats types and attack vectors are being employed in the most prevalent threats. This information also allows system administrators and users to gain familiarity with threats that attackers may favor in their exploits. Insight into emerging threat development trends can help them to bolster security measures and mitigate future attacks.
The endpoint is often the last line of defense and analysis; however, the endpoint can often be the first-line of defense against attacks that spread using USB storage devices and insecure network connections. The threats found here can shed light on the wider nature of threats confronting businesses, especially from blended attacks and threats facing mobile workers. Attacks reaching the endpoint are likely to have already circumvented other layers of protection that may already be deployed, such as gateway or cloud-based filtering.


A malicious code family is initially compromised up of a distinct malicious code sample. As variants to the sample are released, the family can grow to include multiple variants. Symantec determines the most prevalent malicious code families by collating and analyzing anonymous telemetry data gathered for the reporting period. Over the course of 2011, such products reported 1.8 billion such malicious code detections, compared with 1.5 billion in 2010. This figure includes malicious code detections identified in Symantec endpoint technology, including Norton as well as the security services for email and Web.
Malicious code is classified into families based on variants in the signatures assigned by Symantec when the code is identified. Variants appear when attackers modify or improve existing malicious code to add or change functionality. These changes alter existing code enough that antivirus sensors may not detect the threat as an existing signature. The total number of variants identified in 2011 was 403.8 million, compared with 286 million in 2010.
Overall, the top-ten list of malicious code families accounted for 47.2% of all potential infections blocked in 2011.


Figure B.1. Overall Top Malicious Code Families, 2011. Source: Symantec
Figure B.2: Relative volume of reports of top 10 malicious code families in 2011, by percentage. Source: Symantec
Figure B.3: Relative proportion of top 10 malicious code blocked in email traffic by in 2011, by percentage and ratio. Source:
Figure B.4: Relative proportion of top 10 malicious file types blocked in email traffic by in 2011. Source:
Figure B.5: Trend of malicious code blocked in email traffic by in 2011. Source:
Figure B.6: Relative proportion of top 10 malicious code blocked in Web traffic by in 2011, by percentage and ratio. Source:
Figure B.7: Relative proportion of top 10 malicious file types blocked in Web traffic by in 2011. Source:


  • Ramnit overtakes Sality to become the most prevalent malicious code family in 2011. Ranked sixth in 2010, the top malicious code family by volume of potential infections in 2011 was Ramnit.
  • Samples of the Ramnit family of malware were responsible for significantly more potential infections than the second ranked malicious code family in 2011, Sality. This is primarily the result of activity by W32.Ramnit!html, which accounts for 51% of all Ramnit malware blocked in 2011.
  • W32.Ramnit!html is a generic detection for .html files infected by W32.Ramnit.
  • First discovered in 2010, W32.Ramnit!html has been a prominent feature of the threat landscape since then, often switching places with Sality throughout the year as the two families jockey for first position.
  • Ramnit spreads by encrypting and then appending itself to DLL, EXE and HTML files. It can also spread by copying itself to the recycle bin on removable drives and creating an AUTORUN.INF file so that the malware is potentially automatically executed on other computers. This can occur when an infected USB device is attached to a computer. The reliable simplicity of spreading via USB devices and other media makes malicious code families such as Ramnit, Sality (as well as SillyFDC and others) effective vehicles for installing additional malicious code on computers.
  • The Sality family of malware, ranked second, remains attractive to attackers because it uses polymorphic code that can hamper detection. Sality is also capable of disabling security services on affected computers. These two factors may lead to a higher rate of successful installations for attackers. Sality propagates by infecting executable files and copying itself to removable drives such as USB devices. Similar to Ramnit, Sality also relies on AUTORUN.INF functionality to potentially execute when those drives are accessed.
  • Downadup is losing momentum: Downadup (a.k.a. Conficker) was ranked in fourth position in 2011, compared with 2010 when it was ranked second-most malicious code family by volume of potential infections in 2010. Downadup propagates by exploiting vulnerabilities in order to copy itself to network shares. Downadup was estimated still to be on more than 3 million PCs worldwide at the end of 20111 , compared with approximately 5 million at the end of 2010.
  • Overall in 2011, 1 in 238.8 emails was identified as malicious, compared with 1 in 284.3 in 2010; 39.1% of email-borne malware comprised hyperlinks that referenced malicious code, in contrast with malware that was contained in an attachment to the email. This figure was 23.7% in 2010, an indication that cyber criminals are attempting to circumvent security countermeasures by changing the vector of attacks from purely email to the Web.
  • In 2011, 17.9% of malicious code detected in 2011 was identified and blocked using generic detection technology. Many new viruses and Trojans are based on earlier versions, where code has been copied or altered to create a new strain, or variant. Often these variants are created using toolkits and hundreds of thousands of variants can be created from the same piece of malware. This has become a popular tactic to evade signature-based detection, as each variant would traditionally need its own signature to be correctly identified and blocked. By deploying techniques, such as heuristic analysis and generic detection, it’s possible to correctly identify and block several variants of the same malware families, as well as identify new forms of malicious code that seek to exploit certain vulnerabilities that can be identified generically.
  • Trojan.Bredolab was the most frequently blocked malware in email traffic by in 2011. This was owing to a rise in the number of strains of aggressively polymorphic malware, where variants of the Bredolab Trojan were contained in the payload of the email attachment.
  • Trojan.Bredolab is an example of highly polymorphic malware; malicious code that is continually changed (by structure or content) to hide its presence from security countermeasures and in 2011, stopped Trojan.Bredolab in substantial volumes using Skeptic™ technology.
  • Trojan.Bredolab frequently acts as a downloader or installer for many secondary threats, including Trojan.Fakeavalert, Backdoor.Rustock, Trojan.Srizbi, and W32.Waledac

    The email would often use social engineering to encourage the recipient into opening it. Many such variants were also deployed by URL hyperlinks contained in some variations of the attacks using embedded links or attachments of the HTML file type.

  • Attached HTML files were the most frequently blocked malicious email attachment in 2011.
  • Web-based ZIP file format archives were the most frequently blocked malicious file type in 2011.
  • Trojan.JS.Iframe.AOX was the most frequently blocked malicious activity in Web traffic filtered by in 2011. Detection for a malicious IFRAME is triggered in HTML files that contain hidden IFRAME elements with JavaScript code that attempts to perform malicious actions on the computer; for example, when visiting a malicious Web page, the code attempts to quietly direct the user to a malicious URL while the current page is loading.
  • Stuxnet in 2011: Despite being developed for a very specific type of target, the number of reports of potential Stuxnet infections observed by Symantec in 2011 placed the worm at rank 18 among malicious code families, compared with 29 in 2010. The Stuxnet worm generated a significant amount of attention in 2010 because it was the first malicious code designed specifically to attack Programmable Logic Controller (PLC) industry control systems.2 Notably, Stuxnet was the first malicious code family that may directly affect the physical world and proves the feasibility for malicious code to cause potentially dramatic physical destruction.
  • Duqu, the precursor to a new Stuxnet? In October 2011, Symantec received reports of a new threat (W32.Duqu3 ) that was created from the same code base as Stuxnet. Whilst the code base was near identical, and the methods around the attacks are similar, the purpose of the new threat appears to be completely different from Stuxnet. Where Stuxnet was primarily designed to sabotage industrial machinery, Duqu appears to be designed for information theft, particularly information related to industrial systems and other secrets. This activity could be carried out with a goal to use the stolen information to plan and mount future attacks of a similar nature to those made by Stuxnet.