High levels of Trojan and rogue malware circulating during December are continuing, with data revealing a surge in activity, boosted by themed activity around the Christmas and New Year holiday period.

Users were targeted with a variety of infected email, web links and other delivery mechanisms promising festive information, discount offers, Christmas e-cards and free software. The month also saw the big movie release of the season, Disney’s TRON Legacy, targeted by a wide array of SEO poisoned links, unwanted installs and other malware fakery, while a spate of fake iTunes emails caught several people off-guard, resulting in users running afoul of a malicious script that took advantage of a known Java exploit.

Researchers also uncovered an Amazon receipt generator scam aimed at fooling retailers during the busy holiday shopping season into honouring fraudulent receipts.

December once again saw significant activity from Trojan threats, which continue to dominate the overall malware landscape. Seven of the top 10 malware detections were Trojans, with those seven accounting for almost 35% of all malware detections for the month. In addition to a range of Trojans, Worms also created major problems during December. Most significant was Worm.Win32.Downad.Gen (v), appearing at number seven in December’s top 10, a detection for the Downadup worm, otherwise known as Conficker and Kido.

Taking advantage of a vulnerability in a Windows Server service that allows remote code execution when file sharing is enabled, the Worm spreads across networks as well as removable drives, taking advantage of weak administrator passwords along the way. It commonly turns off some system services and anti-malcode protection, exposing infected systems to additional infection from other malware.

Following on from the increased themed threat traffic we saw in November around Thanksgiving, Black Friday and Cyber Monday, criminals once again attempted to take advantage of Christmas and the holiday season with themed attacks designed to drive users towards infected sites and to trick them into opening infected email and executables. Themed attacks, along with themed SEO poisoning and fake application installs, are firmly established as a successful means for malware creators to distribute malcode and create disruption for organizations and families alike.

December is a challenging month for computing security, with many businesses shut for a prolonged period and consumers at home for the holidays. Casual computer use rises and vigilance can drop, creating opportunities for malware infection that would otherwise not happen the rest of the year. The top 10 serves as a stark reminder that IT security should not be taken for granted at any time.

The problem of fake software was highlighted by FraudTool.Win32.FakeVimes!delf (v), number nine on this month’s top 10. This is a heuristic detection for files associated with the FakeVimes family of rogue security products, illustrating the continued growth of fake and compromised security applications as a means to circulate and covertly install malware onto PCs.

Top 10 detections for December


  1. Trojan.Win32.Generic!BT/Trojan/21.93
    2. Trojan-Spy.Win32.Zbot.gen/Trojan/3.79
    3. Trojan.Win32.Generic.pak!cobra/Trojan/3.14
    4. Trojan.Win32.Generic!SB.0/Trojan/2.78
    5. Exploit.PDF-JS.Gen (v)/PDF Exploit/1.79
    6. INF.Autorun (v)/Trojan/1.63
    7. Worm.Win32.Downad.Gen (v)/Worm/1.27
    8. Trojan.ASF.Wimad (v)/Trojan/0.77
    9. FraudTool.Win32.FakeVimes!delf (v)/Fake App/0.73
    10. Trojan.Win32.Meredrop/Trojan/0.72