A Look Back At The Worst Infections Of 2009

It’s not clear whether the past year will go down in history as a particularly bad year for malware, but one thing is certain: It was bad enough, at times, that fighting infections and cleaning PCs took priority over virtually all other work.

Neither home users nor businesses were immune from wave after wave of increasingly nasty malware tricks, though there were a few bright spots: A fix issued by Microsoft mid-year meant that worms are far less likely to be able to spread using portable storage like thumbdrives or digital photo frames; A corresponding dropoff in overall worm detections has borne out the effectiveness of that update.

And the social engineering tricks employed by malware gangs are, at least for the moment, repetitive enough that they’ve become fairly easy to identify. What follows is my company’s list of the five most egregious examples of malicious software that, even if some of them didn’t initially appear in 2009, progressed to serious threats throughout the past year.


Also ringing in the new year with 2009, the Koobface worm has now become the most serious threat facing users of social networks. Initially targeting users of Facebook, the worm — actually a complex, well-coordinated combination of malicious applications, each of which is designed to carry out specific tasks — continues to circulate within more than a dozen social networks.

Koobface also brought to the fore the utility of social engineering (through PT Barnum-esque trickery) as a means for malware to propagate itself, not just infect an initial victim’s PC. Koobface almost represents its own branch on the family tree of malware, a malicious organism that can be used to distribute any number of undesirable files to an infected computer. The success of Koobface, and its continued development and improvement throughout 2009, shows no sign of abating into next year.


With Koobface highlighting the effectiveness of social engineering, others have joined the bandwagon. The second half of 2009 showed how trickery could lead to infections even with keyloggers as mature as Zbot, which has been seen in the wild in various forms since 2006.

However, 2009 saw Zbot infections on the rise, as one or more malware gangs crafted coordinated spam campaigns that fooled recipients into believing that the messages’ legitimate origin were banks, or government organizations (both in the US and elsewhere), trade groups, or financial institutions, or even Microsoft itself.

The A-list organizations spoofed by these campaigns read like a Fortune 100 who’s who list: Visa International, the IRS (and its UK counterpart the HMRC), DHL, FedEx, Chase, Bank of America, the US Postal Service, and the Federal Deposit Insurance Corporation, just to name a few. These spam messages, leading to fairly sophisticated fake Web pages, were put together with one goal in mind: To convince potential victims to download and execute the Trojan horse installer themselves. These campaigns show no sign of letup, and it’s not hard to foresee more of the same continuing into 2010.


Virtually ignoring home users, Conficker spread like wildfire through business, government, and military networks, infecting an estimated 9 to 15 million networked Windows systems by the beginning of 2009.

The worm’s effects, though indirect, were significant: Infected critical systems grounded French fighter jets, fubared hospitals, and forced corporations worldwide to spend months cleaning infected networks. But the worst problems were never realized, possibly due to the massive global attention drawn to the worm. Thanks to significant updates by Microsoft to Windows, the worm is essentially unable to propagate on up-to-date PCs.


One of the nastiest downloaders of recent memory, a Trojan we call Stinkbreath (others call it Bredolab) became more prominent in 2009, along with a simultaneous rise in the number of rogue antivirus infections (the rogue installers downloaded, natch, by this threat).

Initially, the infection spreads when a spam message — almost always about some sort of product shipment or online order confirmation — containing a Trojan file attachment is opened, read, and the attachment executed.

The downloader outwardly appears to be a distribution method-for-hire, as we observed the Trojan being used to distribute initially only rogue AVs, but later found it was used to push adware, ad clickers (a type of Trojan which commits fraud against advertising networks), rootkits, other downloaders, and remote backdoors, including Zbot, into the PCs of victims. While not as flashy or prominent as other downloaders, Stinkbreath has proven resilient and will probably continue to be seen into the coming year.


Along with Stinkbreath, Trojan-Backdoor-TDSS is one of the most pervasive downloaders in the wild. It also appears to be used as a gun-for-hire method of distribution for a wide array of malicious programs.

Its bundled rootkit (which, in early versions, prepended “TDSS” to the file names of various malicious payloads) is among the most challenging to remove, and remains a thorn in the side of victims. Its use appears to have fallen off in recent months, but not due to any apparent reason. As it remains an enigmatic, difficult spy to remove, I’m not willing to write it off just yet. I don’t think it’s unreasonable to predict that the world may see a resurgence of TDSS infections next year, though I sincerely hope we don’t.

Andrew Brandt researches malware for Webroot Software, and contributes to the Webroot Threat Blog. As a member of the Threat Research team, he and his colleagues help identify malicious software trends and improve the Webroot Antivirus with Antispyware product. Andrew joined the team in 2006. Prior to coming to Webroot, he worked for PC World magazine as a Senior Associate Editor, covering computer security and privacy issues for nearly a decade. In that role, he also wrote the Privacy Watch column. He lives in Boulder, Colorado.