Anonymized statistics from free requests to the Kaspersky Threat Intelligence Portal have revealed that almost three quarters (72%) of the analyzed malicious files fell into three categories: Trojans, Backdoors, and Droppers. The statistics also show that the types of malware that researchers most frequently investigate do not coincide with the most widespread ones.
Malicious activity detection is only the starting point for attack investigation. To develop response and remediation measures, security analysts need to identify the target of attack, the origin of a malicious object, its popularity, etc. The Kaspersky Threat Intelligence Portal helps analysts to reveal the background of an attack more quickly. Kaspersky experts examined free requests to the Kaspersky Threat Intelligence Portal to reveal which threats malicious objects processed by the portal are most often associated with.
In most cases, submitted hashes or suspicious uploaded files turned out to be Trojans (25% of requests), Backdoors (24%)– malware that gives an attacker remote control over a computer – and Trojan-Droppers (23%) that install other malicious objects. Statistics from Kaspersky Security Network, the infrastructure dedicated to processing cybersecurity-related data streams from millions of voluntary participants around the world, also show that Trojans are usually the most widespread type of malware. However, Backdoors and Trojan-Droppers are not as common – they only make up 7% and 3% of all malicious files blocked by the Kaspersky endpoint products.
This difference can be explained by the fact that researchers are often interested in the final target of the attack, while endpoint protection products are seeking to prevent it at an early stage. For example, they don’t allow an end user to open a malicious email or follow a malicious link, preventing backdoors from reaching the user’s computer. On top of that though, security researchers need to identify all the components inside the dropper.
Also, the popularity of these categories can be explained by the interest in particular threats and the researchers’ need to analyze them in more detail. For example, many users actively searched for information about Emotet, as several news articles appeared about this malware at the beginning of the year. A number of requests were related to Backdoors on the Linux and Android operating systems. Such malware families are of interest for security researchers, but their levels are relatively low in comparison to threats targeting Microsoft Windows.
“We have noticed that the number of free requests to the Kaspersky Threat Intelligence Portal to check viruses, or pieces of code that insert themselves in over other programs, is extremely low – less than one percent, but it is traditionally among the most widespread threats detected by endpoint solutions. This threat self-replicates and implements its code into other files, which may lead to the appearance of a large number of malicious files on an infected system. As we can see, viruses are rarely of interest to researchers, most likely because they lack novelty compared to other threats,” commented Denis Parinov, Acting Head of Threats Monitoring and Heuristic Detection.