Three botnets responsible for half of all computer infections

McAfee's fourth-quarter 2009 threats report said that Cutwail, Bagle-CB, and Grum were responsible for 50% of all botnet infections. Botnets operating in Brazil, Russia, India, and Vietnam were jointly responsible for a quarter of all infections, the report also found.

"We noticed last quarter, especially during the holidays, that the Grum, Lethic, and Cutwail botnets are on the rise, meaning that those are the fastest-growing botnets," the report said. "Even a relatively modest growth rate for a botnet the size of Cutwail still represents a whole lot of new bots."

McAfee also called 2009 a "transformative and evolutionary year" for computer threats. The volume of threats continued to increase last year, although it should be noted that the increasing popularity of polymorphic downloads is contributing to this trend. Many malware variants now create unique versions of themselves for individual users to avoid signature-based recognition.

Koobface, the social networking malware that has infected thousands of Facebook accounts, grew significantly in the fourth quarter of last year. In November, roughly 6000 unique Koobface samples were discovered. That number rose to roughly 27 000 in December.

"We have counted 41 582 new unique variations in this quarter," the report said of the Koobface phenomenon. "And the increase in URLs that distribute Koobface shows no sign of stopping." Almost half of those URLs were located in the US, with Germany, Denmark, and Italy next in line. Copycats are now making use of Koobface's distribution tactics.

However, while North America continues to host the most malicious online content in general, China tops the charts as a source of SQL injection attacks. Of these attacks, 54.4% originated from behind the Golden Shield, whereas a quarter of SQL injection attacks came from the US.

It should be noted that it's difficult to match the source of SQL injection attacks with intent. It may be no coincidence that China rose to the top of the bot-producing countries in the fourth quarter, producing 12% of infected zombie computers. The US slid down to second place, producing 9.5% of the world's zombie machines, compared to 13.1% in the previous quarter. Zombie clients can be used to create SQL injection attacks on websites, and malware has been adapted in the past to turn zombie computers into automated SQL injection hacking machines.

In addition to a spike in the number of unique Koobface samples, December was also a banner month for the registration of new malicious URLs. During the week of December 20, the number of suspicious domains registered spiked dramatically, reaching around 17 000, from around 2500 a few days before.
