Top 10 spyware ranking for 2006
PandaLabs has published its list of the spyware most frequently detected by Panda ActiveScan in 2006. The top ranking spyware is Gator. This adware offers free use of an application if users agree to view a series of pop-up messages downloaded by Gator. Some versions of this spyware replace banners on web pages visited with those created by the malicious code itself.
Second and third place in the Top Ten are occupied by Wupd and Ncase respectively. Both offer free use of an application in exchange for displaying advertising messages. They also monitor users’ Internet movements and gather data about habits and preferences. This information is then used to personalize the advertising displayed. Additionally, Ncase changes the Internet Explorer home page, as well as the default search options.
The adware CWS is in fourth place. This can be installed without users’ consent or without them being fully aware of the functionality of the tool. Emediacodec, in fifth place in the Top Ten, has similar characteristics. It uses a series of techniques in order to prevent it being detected by antivirus companies. It can even terminate its own execution if it detects that it is being executed in a virtual machine environment, such as VMware.
In sixth place in the table is Lop, a type of adware with many variants. In most cases, this malicious code installs a toolbar with search features in Internet Explorer. It also displays numerous advertising pop-ups. Winantivirus, in seventh place, is categorized as a PUP (Potentially Unwanted Program). It is downloaded onto computers by other malicious code, such as Downloader.LHW, and exploits application vulnerabilities in order to spread. Winantivirus is also capable of damaging users’ systems.
CWS.Searchmeup is in eighth place in the list. This malicious program changes the Internet Explorer home page and the default search options. The web page that it sets as the home page uses several exploits to download malware onto computers. Next in the ranking is Winfixer2005, a PUP that searches the computer for supposed “errors” and then demands that users buy the program in order to repair them. Finally, in tenth place comes New.net, a spy program that adds a toolbar to Internet Explorer and collects information about the user, including Internet pages visited, etc.
Position  Spyware
1         Adware/Gator
2         Adware/WUpd
3         Adware/nCase
4         Adware/CWS
5         adware/emediacodec
6         Adware/Lop
7         Application/Winantivirus2006
8         Adware/CWS.Searchmeup
9         Application/Winfixer2005
10        Spyware/New.net
The information gathered by PandaLabs about spyware in 2006 highlights the prevalence of adware, which accounts for seven of the Top Ten. This type of malware has grown continuously throughout the year and is expected to continue doing so in 2007. Similarly, in 2006 there has been an increase in rootkits and other malware that use similar techniques. A rootkit is a tool used to hide the processes of malicious code, making them harder to detect.
Another significant aspect of the last year has been the appearance of a new category of malware. Rogue antispyware claims to detect spyware or to repair errors. This increasingly prevalent malware detects flaws or malicious code on computers but then demands that users pay for a registered version of the program if they want to delete these threats. WinAntivirus2006, in seventh place in the Top Ten, is a good example of this new category. Some of them, such as SpySheriff, 23rd in the ranking, not only detect real errors or attacks but also claim to have detected malware which actually does not exist. Winfixer2005, in ninth place, is another example of malicious code that promises to repair non-existent errors.
False codecs are variants of this type of malware. EmediaCodec, in fifth place in the Top Ten, is a good example of this type of malicious code. The way this malware operates is quite simple. While the user is browsing the Internet, they are offered certain videos, normally pornographic. In order to see them, they have to install a false codec which downloads adware. Normally these are not real codecs, but passwords that register in the system and have to be installed in order to see the videos.