Summary: This week I’m watching a gang of malware distributors preying on Windows users. How are traditional antivirus programs doing against this particular threat? The case study shows why signatures and scans offer imperfect protection.
The most consistent thing about the malware business is that it’s constantly changing. The field is dominated by gangs that use hit-and-run tactics. A new report by Blue Coat Systems, a security company that specializes in cloud-based services, provides some interesting (and rare) details about how the malware business ebbs and flows.
Between February and May 2011, for example, Blue Coat had 395 unique malware networks under observation. On any given day, their data show, “the number of unique malware networks … ranged from just under 100 … to fewer than 25 in operation.” The report specifically noted “a drop-off in mid-May as networks relocated and consolidated.”
Back in May, I observed the Mac Defender gang carefully. Lately, I’ve been watching a new round of attacks from a different network. Their product is a Trojan, aimed at Windows users. It arrives via e-mail, as a Zip-format attachment called RefundForm, and appears to come from a hotel. The subject line indicates it’s about a “wrong transaction,” and the message body claims the hotel overcharged the recipient’s credit card and that the recipient needs to fill out the attached claim form to get the money back.
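The lure described above has a recognizable shape: a refund pretext in the subject and body, a Zip attachment, and an executable inside it. As an added example (not code from the post or from Blue Coat), here is a small Python checker that parses a message, looks for those three indicators, and flags the combination. The lure phrases, file-extension list and the sample e-mail (built in `build_sample_message`) are constructed for this example and are not taken from a real capture.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Phrases matching the refund pretext described in the post (assumed list, not from the page).
LURE_PHRASES = ("wrong transaction", "overcharged", "claim form", "refund")
# Extensions that should not arrive inside an unsolicited Zip (assumed list).
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def build_sample_message() -> bytes:
    """Construct a sample e-mail in the shape of the lure (constructed test data, not a real sample)."""
    fake_exe = b"MZ" + b"\x00" * 62  # stand-in bytes; only the file name matters here
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("RefundForm.exe", fake_exe)
    msg = EmailMessage()
    msg["From"] = "reservations@hotel.example"
    msg["To"] = "guest@example.net"
    msg["Subject"] = "Wrong transaction"
    msg.set_content(
        "Our hotel overcharged your credit card. Please fill out the attached "
        "claim form to receive your refund."
    )
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="RefundForm.zip")
    return msg.as_bytes()


def assess_message(raw: bytes) -> dict:
    """Return the indicators found in a raw RFC 822 message and an overall verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").lower()
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part else ""
    text = subject + " " + body

    findings = {
        "lure_phrases": [p for p in LURE_PHRASES if p in text],
        "zip_attachments": [],
        "executables_in_zip": [],
        "notes": [],
    }
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        # Check the magic bytes too, since the extension can be renamed.
        if name.lower().endswith(".zip") or data.startswith(b"PK\x03\x04"):
            findings["zip_attachments"].append(name)
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for member in zf.namelist():
                        if member.lower().endswith(EXECUTABLE_EXTS):
                            findings["executables_in_zip"].append(member)
            except zipfile.BadZipFile:
                findings["notes"].append(f"{name}: not a readable zip archive")

    # An executable inside a Zip is enough on its own; otherwise require the
    # Zip plus at least two lure phrases so ordinary refund mail is not flagged.
    findings["suspicious"] = bool(findings["executables_in_zip"]) or (
        bool(findings["zip_attachments"]) and len(findings["lure_phrases"]) >= 2
    )
    return findings


if __name__ == "__main__":
    print(assess_message(build_sample_message()))
```

The check is deliberately content-based rather than signature-based: it does not need to know which Trojan is inside the archive, which is the point the post makes about why scanners that wait for a signature lag behind a gang that changes its payload daily.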