Password-stealing malware on the rise

 

Gallery

Posted on 3 Nov 2009 at 11:05

The number of password-stealing programs found on the internet are increasing at an enormous rate, far outstripping the growth of computer viruses. Microsoft reports an 8.3 per cent rise in detected viruses but claims that password stealing and monitoring programs have increased by 450.6 per cent.

In its Microsoft Security Intelligence Report the company compares the number of threats that it has detected in the second half of 2008 with figures from the first half of 2009. Although it found that computer viruses continue to dominate the threat landscape (it records over 68 million viruses in 2009), the growth of password stealers is notable. There were just 1.2 million unique samples found last year, compared to seven million this year. No other threat type in its records comes close to this level of growth.

Other increasing (but lesser) trends were observed in adware, spyware, Trojans and exploits.

Password stealing software is designed to record a victim's passwords and will usually transmit them to a criminal, who will either use or sell these details for financial gain. If the passwords are for web hosting accounts then the criminal can log in, infect the site and thus attack visitors to that site.

Microsoft notes that such malware is usually either packages or downloaded by other threats, such as Trojans. For example, a rogue anti-virus program (e.g. Win32/InternetAntivirus) that infects systems through social engineering techniques may then download further software, including a password stealer. From the report:

"Like most rogue security software, Win32/InternetAntivirus is heavily dependent on social engineering to spread. Misleading victims into paying for worthless software is the usual method by which attackers make money with rogue security software, and InternetAntivirus is no different, displaying warnings about a number of nonexistent threats on the user??s computer and offering to remove them for a price. In addition to typical rogue security software behavior, however, InternetAntivirus also downloads a password stealer, Win32/Chadem, when installed. Chadem monitors network traffic on the affected computer and attempts to steal user names and passwords for File Transfer Protocol (FTP) sites. The attacker uses the captured credentials to compromise servers and use them to host malware. Chadem was found on 27.5 percent of the computers that were infected with InternetAntivirus, more than any other family."

Author: Simon Edwards