
New Malware Prevalence April 2008

May 8th, 2008 Pedro Bustamante

Even though we receive thousands of new malware samples in the lab every day, only a fraction of them make it in-the-wild, actively infecting users. Those are the samples that interest us most, as they are the ones we need to concentrate on. In the vast majority of cases we catch them with generic signatures, heuristics or TruPrevent behavioral analysis and blocking, fed by a variety of sensors: our own products installed on users' PCs, online scanners, and correlation by our Collective Intelligence.

During the month of April we saw a total of 6,809 unique samples actively circulating and infecting users. Of all the malware seen in-the-wild, approximately 10% of the samples are completely new, not seen in previous months. Of this new malware, 81% are non-replicating Trojans; the rest is self-replicating viral/worm code.

Below is an overview of the prevalence statistics and family details, broken down by type (non-replicating and self-replicating) and by use of a runtime packer or obfuscator.


New Non-Replicating Trojans

Let's look first at the new Trojans sighted this month. As usual, adware/spyware leads the list with the largest number of variants being distributed. The return on investment is clearly greatest with this type of malware, as there are plenty of "marketing companies" out there offering pay-per-install affiliate programs for their malware.

An interesting trend we have been seeing lately is the increase in banking Trojan activity. These are mostly distributed via web exploitation kits and Trj/Downloader Trojans, and are best represented this month by the Banker and Sinowal families.

The following table details the new non-replicating Trojans found in-the-wild with an indication of their prevalence, from * (seen on at least two unique computers) to ***** (massive distribution).

Prevalence	Name
****	Adware_Netproject
***	Spyware_Virtumonde
***	Adware_VideoAccessCodec
***	Adware_Netproject
***	Adware_NaviPromo
**	Trj_Nabload.DEX
**	Trj_Mitglieder.TJ
**	Trj_Lineage.IGA
**	Trj_Lineage.IDJ
**	Trj_Lineage.IDE
**	Trj_Lineage.HZI
**	Trj_Downloader.TIN
**	Trj_Downloader.THP
**	Trj_Downloader.TCC
**	Trj_dmRandom.TW
**	Trj_Banker.KWQ
**	Trj_Banker.KWP
**	Trj_Banker.KWO
**	Trj_Banker.KWH
**	Malicious Packer
**	Adware_WinReanimator
**	Adware_VirusHeat
**	Adware_VideoPlugin
**	Adware_VideoAccessCodec
**	Adware_VapSup
**	Adware_UltimateDefender
**	Adware_Suurch
*	W32_Lineage.ICJ.worm
*	Trj_Zlob.IF
*	Trj_SysW.G
*	Trj_Spammer.AHH
*	Trj_Spammer.AHD
*	Trj_Spamine.G
*	Trj_Sinowal.VKF
*	Trj_Sinowal.VKE
*	Trj_Sinowal.VKB
*	Trj_Sinowal.VJZ
*	Trj_QQPass.BGT
*	Trj_QQPass.BGN
*	Trj_QQPass.BGM
*	Trj_QQPass.BGL
*	Trj_Nabload.DEU
*	Trj_Nabload.DET
*	Trj_Multidropper.RMN
*	Trj_Mitglieder.TI
*	Trj_Lineage.IFH
*	Trj_Lineage.IFG
*	Trj_Lineage.IFF
*	Trj_Lineage.IFE
*	Trj_Lineage.IFC
*	Trj_Lineage.IFB
*	Trj_Lineage.IEY
*	Trj_Lineage.IEW
*	Trj_Lineage.IEU
*	Trj_Lineage.IEM
*	Trj_Lineage.IDV
*	Trj_Lineage.IDE
*	Trj_Lineage.ICA
*	Trj_Lineage.IAN
*	Trj_Lineage.IAL
*	Trj_Lineage.HTK
*	Trj_Lineage.HNA
*	Trj_Hosts.V
*	Trj_Hosts.U
*	Trj_Gamania.GS
*	Trj_FireByPass.BP
*	Trj_Exchanger.D
*	Trj_Downloader.TME
*	Trj_Downloader.TLU
*	Trj_Downloader.TLL
*	Trj_Downloader.TJR
*	Trj_Downloader.TJF
*	Trj_Downloader.TJE
*	Trj_Downloader.TJA
*	Trj_Downloader.TIL
*	Trj_Downloader.TIK
*	Trj_Downloader.THZ
*	Trj_Downloader.THI
*	Trj_Downloader.TEG
*	Trj_Downloader.TDA
*	Trj_Downloader.TCQ
*	Trj_Downloader.TAU
*	Trj_dmRandom.UB
*	Trj_Dadobra.AOR
*	Trj_Busky.DE
*	Trj_BHO.AT
*	Trj_Banker.KXI
*	Trj_Banker.KWX
*	Trj_Banker.KWV
*	Trj_Banker.KWR
*	Trj_Banker.KTU
*	Trj_Banbra.FQI
*	Trj_Banbra.FQB
*	Trj_Banbra.FON
*	Trj_Autorun.TS
*	Trj_Autorun.JN
*	Trj_Agent.IPR
*	Trj_Agent.IPI
*	Trj_Agent.IOH
*	Trj_Agent.IOD
*	Trj_Agent.IOB
*	Spyware_Virtumonde
*	Generic Malware
*	Bck_Sdbot.LUN
*	Bck_SDBot.LUF
*	Bck_SDBot.LTW
*	Bck_Sdbot.LTR
*	Bck_PoisonIvy.U
*	Bck_Oderoor.Q
*	Bck_Oderoor.P
*	Bck_LanMan.CN
*	Bck_IRCBot.BYY
*	Bck_IRCBot.BYO
*	Bck_IRCBot.BYI
*	Bck_IRCBot.BYH
*	Bck_IRCBot.BXW
*	Bck_IRCBot.BXU
*	Bck_IrcBot.BXT
*	Bck_IRCBot.BXL
*	Bck_Hupigon.LAB
*	Bck_Agent.IPD
*	Bck_Agent.IOG
*	Application_VirusHeat
*	Application_SpyShredder
*	Application_PCCleaner
*	Adware_Zenosearch
*	Adware_XXXHoliday
*	Adware_WinSecureDisc
*	Adware_WinReanimator
*	Adware_WinIFixer
*	Adware_WebHancer
*	Adware_VirusIsolator
*	Adware_VirusHeat
*	Adware_VideoPorn
*	Adware_VideoKeyCodec
*	Adware_VapSup
*	Adware_TopSpyware
*	Adware_SpywareSoftStop
*	Adware_SpyAway
*	Adware_SecuritySystem
*	Adware_SecurityError
*	Adware_SearchVideo
*	Adware_PCCleaner
*	Adware_MalwareAlarm
*	Adware_Lop
*	Adware_ChristmasPorn
*	Adware_BaiduBar
*	Adware_AntiSpywareReview
*	Adware_Alexa


New Self-Replicating Virus & Worms

Even though some security experts maintain that 'viruses are a thing of the past', the fact is that almost 20% of the new malware we see every month is self-replicating viruses and worms. The figure is not as high as it was years ago, but it goes to show that viruses are definitely not dead.

As in previous months, worms spreading through instant messaging, such as W32/MSN.worm and W32/MSNWorm, lead the list; they propagate by exploiting vulnerabilities and by sending links to copies of themselves to all of the victim's IM contacts.

The prevalence, especially in corporate networks, of the particularly nasty W32/Virutas is probably due to its effectiveness as a cavity, polymorphic, entry-point-obscuring, memory-resident file infector.

The remainder of the list is mostly made up of spam-sending bots and game password stealers targeting World of Warcraft and Lineage.

As above, the following table details the new self-replicating viruses and worms found in-the-wild with an indication of their prevalence (* for low and ***** for massive distribution).

Prevalence	Name
***	W32_MSN.J.worm
***	W32_Lineage.HXI.worm
**	W32_Nuwar.SS.worm
**	W32_MSNWorm.EJ.worm
**	W32_Lineage.IFX.worm
**	W32_Lineage.IEN
**	W32_Lineage.ICM.worm
**	W32_Lineage.IBW.worm
**	W32_Lineage.HZE.worm
**	W32_Bagle.SR.worm
*	W32_Wow.SI.worm
*	W32_Virutas.AB
*	W32_VBS.H.worm
*	W32_VanBot.AE.worm
*	W32_UsbStorm.K.worm
*	W32_Thanks.B.worm
*	W32_SundMan.A.worm
*	W32_Spamta.AGD.worm
*	W32_Sohanat.EX.worm
*	W32_Sohanat.AS.worm
*	W32_Socks.C.worm
*	W32_Socks.B.worm
*	W32_SDBot.LUI.worm
*	W32_Sdbot.LUB.worm
*	W32_SdBot.LTV.worm
*	W32_Sdbot.LTT.worm
*	W32_Sality.AA
*	W32_QQRob.OS
*	W32_Oscarbot.TK.worm
*	W32_Nuwar.TC.worm
*	W32_Nuwar.SV.worm
*	W32_Nuwar.SR.worm
*	W32_MSNworm.EK.worm
*	W32_MSNworm.EI.worm
*	W32_Mabezat.C
*	W32_Lineage.IFI.worm
*	W32_Lineage.IEZ.worm
*	W32_Lineage.IEN.worm
*	W32_Lineage.IEG.worm
*	W32_Lineage.IDS
*	W32_Lineage.IDR.worm
*	W32_Lineage.IDI.worm
*	W32_Lineage.ICT.worm
*	W32_Lineage.ICO.worm
*	W32_Lineage.ICL.worm
*	W32_Lineage.ICJ.worm
*	W32_Lineage.ICB
*	W32_Lineage.IBZ.worm
*	W32_Lineage.IBX.worm
*	W32_IRCBot.BYQ.worm
*	W32_IRCBot.BYL.worm
*	W32_IRCBot.BYC.worm
*	W32_IRCBot.BYB.worm
*	W32_IRCBot.BYA.worm
*	W32_Gaobot.QGN.worm
*	W32_DengDun.A.worm
*	W32_Brontok.JL.worm
*	W32_Bagle.SN.worm
*	W32_Autorun.TU.worm
*	W32_Autorun.TK.worm
*	W32_Agent.INI.worm
*	W32_Agent.ILD.worm
*	VBS_Sasan.A.worm


By Runtime Packers & Obfuscators

I have blogged on previous occasions about the use of packers and obfuscators, especially in money-driven Trojans, to avoid detection by AV signatures and emulator-driven heuristics.

One of the key trends to watch is the rapidly increasing use of 'private', purpose-made packers and of multi-layered packing. Also especially worrying is the ever-increasing use of "virtualization obfuscators" such as EXECryptor and Themida. Our colleague Boris Lau from Sophos gave a very good talk last week at the CARO Workshop about promising strategies for dealing with these.

Packer / obfuscator	Count
UPX	581
Upack	302
'Private'	150
FSG	101
PECompact	94
AS-Pack	88
EXECryptor	62
Themida	53
Multi-layer	38
Nspack	38
ASProtect	37
nPack	22
Adware_Lop	17
RLPack	16
PKLite32	14
tElock	14
UPolyX	13
Wsnpoem	11
Armadillo	8
MEW 11 SE	7
Thinstall	7
Expressor	6
Cexe	4
PolyCryptA	4
PUSH/RET	4
PE Crypt	3
Virtumonde	3
YodaProtect	3
DalKrypt	2
Molebox	2
PESpin	2
Petite	2
CryptFF.b	1
NiceProtect	1
DragonArmor	1
EPProt	1
Exe32pack	1
Kkrunchy	1
MaskPE	1
Morphine	1
NTKrnl	1
PCShrink	1
PEncrypt	1
PEP	1
RCryptor	1
RPCrypt	1
SDProtect	1
SimplePack	1
UltraProtect	1
WWPack32	1
yzpack	1
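The static checks an analyst runs to tell a packed sample from a plain one, as an added example that is not code from the original post or from Panda's tooling. It builds two minimal PE32 images in memory (constructed test data, not real binaries), parses the section table, and flags the usual signs of a runtime packer: well-known default section names (UPX0/UPX1, .aspack, .nsp0 and so on; the name-to-packer mapping is an assumed, partial list, and most packers can rename their sections), a section with no raw data but a large virtual size that the stub decompresses into, and an entry point sitting in near-random (high-entropy) data. The 7.0 bits/byte threshold is a rule of thumb, not a figure from the post.

```python
"""Packer triage for PE files: section names, entropy and entry-point location.

Added example (not from the original post). Builds minimal PE32 images in
memory so it runs offline; the packer section-name table is an assumed,
partial list of well-known defaults.
"""
import math
import random
import struct
from collections import Counter

FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000

# Default section names left behind by common packers (assumed, partial list).
PACKER_SECTION_NAMES = {
    "UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX",
    ".aspack": "ASPack", ".adata": "ASPack",
    ".nsp0": "NsPack", ".nsp1": "NsPack", ".nsp2": "NsPack",
    ".petite": "Petite", ".Themida": "Themida", "PEC2": "PECompact",
    ".yP": "Yoda's Crypter", ".WWP32": "WWPack32",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniform random; plain x86 code is typically 5-6.5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _align(value, boundary):
    return (value + boundary - 1) // boundary * boundary


def build_pe(sections, entry_section=0):
    """Constructed PE32 image; sections is a list of (name, raw_bytes, virtual_size).

    A section with empty raw_bytes but a large virtual_size models the
    'unpack into here' section a packer stub fills at run time (UPX0).
    """
    e_lfanew, opt_size = 0x40, 224
    hdr_end = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr, va = _align(hdr_end, FILE_ALIGN), SECT_ALIGN
    sect_hdrs, blobs, entry_rva = b"", b"", 0
    for i, (name, raw, vsize) in enumerate(sections):
        raw_size = _align(len(raw), FILE_ALIGN) if raw else 0
        if i == entry_section:
            entry_rva = va
        sect_hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, raw_size,
                                 raw_ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        blobs += raw.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += _align(max(vsize, raw_size, 1), SECT_ALIGN)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)  # e_lfanew lives at 0x3C
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(opt_size, b"\0")
    return (dos + coff + opt + sect_hdrs).ljust(_align(hdr_end, FILE_ALIGN), b"\0") + blobs


def parse_sections(blob):
    """Return (entry_point_rva, [section dicts]) from a PE32/PE32+ image."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", blob, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", blob, e_lfanew + 20)[0]
    entry = struct.unpack_from("<I", blob, e_lfanew + 24 + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsect):
        name, vsize, va, rsize, rptr = struct.unpack_from(
            "<8sIIII", blob, e_lfanew + 24 + opt_size + 40 * i)
        data = blob[rptr:rptr + rsize] if rsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": va,
                         "raw_size": rsize, "entropy": shannon_entropy(data)})
    return entry, sections


def triage(blob, entropy_threshold=7.0):
    """Flag signs of a runtime packer; the entropy threshold is a rule of thumb."""
    entry, sections = parse_sections(blob)
    packers = sorted({PACKER_SECTION_NAMES[s["name"]] for s in sections
                      if s["name"] in PACKER_SECTION_NAMES})
    findings = []
    for s in sections:
        span = max(s["virtual_size"], s["raw_size"])
        holds_entry = s["virtual_address"] <= entry < s["virtual_address"] + span
        if s["raw_size"] == 0 and s["virtual_size"] >= SECT_ALIGN:
            findings.append(f"{s['name']}: no raw data but {s['virtual_size']:#x} bytes virtual (unpack target)")
        if s["raw_size"] and s["entropy"] >= entropy_threshold:
            findings.append(f"{s['name']}: entropy {s['entropy']:.2f} bits/byte"
                            + (" and holds the entry point" if holds_entry else ""))
    return {"packers": packers, "findings": findings,
            "likely_packed": bool(packers or findings)}


def _pseudo_random(n, seed=1):
    """Deterministic stand-in for compressed/encrypted data (constructed)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed samples: an unpacked-looking binary and a UPX-style layout.
PLAIN_PE = build_pe([(".text", (b"\x55\x8b\xec\x90\xc3" * 410)[:2048], 2048),
                     (".data", b"A" * 512, 512)])
UPX_LIKE_PE = build_pe([("UPX0", b"", 0x8000),
                        ("UPX1", _pseudo_random(4096), 4096),
                        (".rsrc", b"\0" * 256, 256)], entry_section=1)

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN_PE), ("upx-like", UPX_LIKE_PE)):
        print(label, triage(blob))
```

To run it against a real sample, read the file into `blob` and call `triage(blob)`. The 'private' packers and virtualization obfuscators in the table above usually match no known section name, which is exactly why the entropy and entry-point checks are there; conversely a high-entropy `.rsrc` full of images is a false positive, so treat the result as a triage hint, not a verdict.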
  1. Pedro Bustamante
    May 10th, 2008 at 00:08 | #1

    The most active threats stats seem to be wrong on your site.
    Please fix this problem.

  2. Pedro Bustamante
    May 10th, 2008 at 00:14 | #2

    There's a duplicate entry: Adware_Netproject.

  3. Pedro Bustamante
    May 10th, 2008 at 20:01 | #3

    Is anywhere more than a short summary available of the speech of Boris Lau? The summary sounds quite interesting.

  4. Pedro Bustamante
    May 10th, 2008 at 20:42 | #4

    Never mind, I found the download section to be filled with a bunch of very interesting papers and presentations, yay! Thank you very much for the link!

  5. Pedro Bustamante
  6. MSBasic
    May 11th, 2008 at 23:20 | #6

    As usual, so much malware

  7. Pedro Bustamante
    May 12th, 2008 at 08:19 | #7

    Jon, the entries for Adware_Netproject belong to different variants of the same family, with different prevalence. Regarding the threats stats, which page are you referring to exactly?

  8. Pedro Bustamante
    May 12th, 2008 at 09:06 | #8

    Here is the URL where the active threats stats are wrong:
    http://www.pandasecurity.com/homeusers/security-info/default.aspx?lst=ac&sitepanda=particulares

    Fix the stats and the first-appeared dates.

  9. Pedro Bustamante
    May 12th, 2008 at 10:15 | #9

    You’re right Jon. This incident is being fixed currently. Will be fixed as soon as possible.

  10. Pedro Bustamante
    May 12th, 2008 at 19:49 | #10

    It has been a long time already; how long can it take to reset the stats?

    I know it will take longer to fix the dates.

    Thanks for checking.

  11. Pedro Bustamante
    May 14th, 2008 at 09:38 | #11

    Fixed already. Please check again.

  12. Pedro Bustamante
    May 14th, 2008 at 17:13 | #12

    Thanks for fixing it. It seems fixed, I hope.

  13. Pedro Bustamante
    May 25th, 2008 at 19:55 | #13

    The stats are currently still wrong, and under the threat descriptions the stats don't match.

    http://www.pandasecurity.com/homeusers/security-info/default.aspx?lst=ac&sitepanda=particulares

    Sorry to bother you, but the stats need to be fixed.
    I always look at the stats every day.

    thank you
    love jon

  14. Pedro Bustamante
    May 27th, 2008 at 15:21 | #14

    It shows OK for us here. Try clearing your browser cache and visit the site again.

  15. Pedro Bustamante
    May 31st, 2008 at 20:10 | #15

    It still doesn't make sense: PerfectKeyLog.AJ is at the top of the list at 1.65%, but under the statistics on this page it is only at 0.08%.

    http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?lst=est&idvirus=143401&sitepanda=particulares

    This cannot be normal

    They should both match

    I hope you can fix this problem
    sorry to bother you

    thanks
