Malware Trends: October - December 2024
Endpoint Malware
Malware identified as targeting endpoint devices decreased by more than 50% over the July - September 2024 reporting period.
WordPress blog sites used for malware accounted for 11,000 (87%) of the malicious documents reported this period. These often add malicious redirects or spam links to illegal pharma sites, or link to a drive-by malware executable.
We collected over 40,000 reports of malicious scripts during this period and nearly 16,000 reports of malicious executables. We believe that these numbers are very low, since nearly 145,000 of the reports we receive identify URLs or domain names reported for malware but do not provide metadata that we use to classify malware.
For other important measurements, visit Malware Activity: Key Statistics October 1, 2024 - December 31, 2024.
Attackware and Traffic Injectors
An increase of ~32,000 IPv4 addresses reported for exhibiting characteristics of attackware and traffic injectors pushed the total number of addresses reported to just over 1 million.
235,000 of the ~1 million IPv4 addresses reported as Malicious IP traffic sources were traffic injectors. This malware is used to probe web sites that use PHP or HTTP and to inject inappropriate or malicious content into them. Some of it submits malicious or spam-like comments to web forums.
Attackers continue to scan for opportunities to disrupt or break into targeted systems or services. For the period, approximately 57,000 IPv4 addresses were reported for hosting attackware.
Attackware | 56,684 |
---|---|
SSH | 27,179 |
Postfix | 11,732 |
Vulnerability Scanner | 5,111 |
Apache | 4,459 |
Brute-force | 4,122 |
IMAP | 4,081 |

Traffic Injector | 235,403 |
---|---|
PHP Forum Spammer | 113,005 |
HTTP Spammer | 40,592 |
Web bot | 10,155 |
Web Form Spammer | 351 |
IoT Malware
We saw a small increase in IPv4 addresses reported for hosting IoT malware. Mozi continued to be the dominant IoT malware at 63%, while Mirai grew to 35%.
The majority of ~139,000 IPv4 addresses associated with IoT Malware were again geolocated in China (~51,000) and India (~36,000).
Hosting Networks
ASNs in China and India again have the most IPv4 addresses reported for hosting malware. The complete top 20 can be found at Malware Activity in Hosting Networks (ASNs) October 1, 2024 - December 31, 2024.