Monthly Threat Report: July 2014


The Top Ten Threats

1. Win32/Bundpil

Previous Ranking: 1
Percentage Detected: 2.3%

Win32/Bundpil.A is a worm that spreads via removable media. The worm contains a URL and tries to download several files from that address over HTTP; the downloaded files are then executed. The worm may delete files or folders matching the following patterns:
*.exe
*.vbs
*.pif
*.cmd
*Backup.

2. JS/Kryptik.I

Previous Ranking: 2
Percentage Detected: 1.82%

JS/Kryptik is a generic detection of malicious obfuscated JavaScript code embedded in HTML pages; it usually redirects the browser to a malicious URL or implements a specific exploit.

3. Win32/RiskWare.NetFilter

Previous Ranking: n/a
Percentage Detected: 1.73%

Win32/RiskWare.NetFilter is an application that includes malicious code designed to force infected computers to engage in unwanted behaviour. It allows an attacker to connect remotely to the infected system and control it in order to steal sensitive information or install other malware.

4. LNK/Agent.AK

Previous Ranking: 3
Percentage Detected: 1.55%

LNK/Agent.AK is a link that concatenates commands to run the real or legitimate application/folder and additionally runs the threat in the background. It could become the new version of the autorun.inf threat. This vulnerability became known when Stuxnet was discovered, as it was one of the four vulnerabilities that threat exploited.

5. Win32/Sality

Previous Ranking: 4
Percentage Detected: 1.38%

Sality is a polymorphic file infector. When run, it starts a service and creates or deletes registry keys related to security activities on the system, and ensures that its malicious process starts on each reboot of the operating system.
It modifies EXE and SCR files and disables services and processes related to security solutions.
More information relating to a specific signature: http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_a

6. HTML/ScrInject

Previous Ranking: 8
Percentage Detected: 1.37%

Generic detection of HTML web pages containing obfuscated script or iframe tags that automatically redirect to the malware download.

7. Win32/Adware.MultiPlug

Previous Ranking: n/a
Percentage Detected: 1.28%

Win32/Adware.Multiplug is a Potentially Unwanted Application that, once present on the user's system, may cause applications to display advertising pop-up windows during internet browsing.

8. INF/Autorun

Previous Ranking: 5
Percentage Detected: 1.24%

This detection label is used to describe a variety of malware using the file autorun.inf as a way of compromising a PC. This file contains information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by a Windows PC user. ESET security software heuristically identifies malware that installs or modifies autorun.inf files as INF/Autorun unless it is identified as a member of a specific malware family.

Removable devices are useful and very popular: of course, malware authors are well aware of this, as INF/Autorun’s frequent return to the number one spot clearly indicates. Here’s why it’s a problem.

The default Autorun setting in Windows will automatically run a program listed in the autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices: while this isn’t always the program’s primary distribution mechanism, malware authors are always ready to build in a little extra “value” by including an additional infection technique.

While use of this mechanism makes such malware easy to spot for a scanner that applies this heuristic, it is better to disable the Autorun function by default than to rely on antivirus to detect it in every case.

9. Win32/Conficker

Previous Ranking: 6
Percentage Detected: 1.15%

The Win32/Conficker threat is a network worm originally propagated by exploiting a recent vulnerability in the Windows operating system. This vulnerability is present in the RPC sub-system and can be remotely exploited by an attacker without valid user credentials. Depending on the variant, it may also spread via unsecured shared folders and by removable media, making use of the Autorun facility enabled at present by default in Windows (though not in Windows 7).

Win32/Conficker loads a DLL through the svchost process. This threat contacts web servers with pre-computed domain names to download additional malicious components. Fuller descriptions of Conficker variants are available at http://www.eset.eu/buxus/generate_page.php?page_id=279&lng=en.

While ESET has effective detection for Conficker, it’s important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since the third quarter of 2008, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available at http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx. While later variants dropped the code for infecting via Autorun, it can’t hurt to disable it: this will reduce the impact of the many threats we detect as INF/Autorun. The Research team in San Diego has blogged extensively on Conficker issues: http://www.eset.com/threat-center/blog/?cat=145.

It’s important to note that it’s possible to avoid most Conficker infection risks generically, by practicing “safe hex”: keep up-to-date with system patches, disable Autorun, and don’t use unsecured shared folders.

10. Win32/TrojanDownloader.Zurgop

Previous Ranking: n/a
Percentage Detected: 1.14%

Win32/TrojanDownloader.Zurgop is a family of malicious code that, once it infects a vulnerable system, downloads other malware from the Internet. Variants of this family use different techniques to avoid detection, such as run-time compression with packers like PEncrypt or PECompact.

Monthly Threat Report: June 2014


The Top Ten Threats of June 2014

1. Win32/Bundpil

Previous Ranking: 1
Percentage Detected: 2.59%

Win32/Bundpil.A is a worm that spreads via removable media. The worm contains a URL and tries to download several files from that address over HTTP; the downloaded files are then executed. The worm may delete files or folders matching the following patterns:
*.exe
*.vbs
*.pif
*.cmd
*Backup.

2. JS/Kryptik.I

Previous Ranking: n/a
Percentage Detected: 2.35%

JS/Kryptik is a generic detection of malicious obfuscated JavaScript code embedded in HTML pages; it usually redirects the browser to a malicious URL or implements a specific exploit.

3. LNK/Agent.AK

Previous Ranking: 2
Percentage Detected: 1.91%

LNK/Agent.AK is a link that concatenates commands to run the real or legitimate application/folder and additionally runs the threat in the background. It could become the new version of the autorun.inf threat. This vulnerability became known when Stuxnet was discovered, as it was one of the four vulnerabilities that threat exploited.

4. Win32/Sality

Previous Ranking: 3
Percentage Detected: 1.49%

Sality is a polymorphic file infector. When run, it starts a service and creates or deletes registry keys related to security activities on the system, and ensures that its malicious process starts on each reboot of the operating system.
It modifies EXE and SCR files and disables services and processes related to security solutions.
More information relating to a specific signature: http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

5. INF/Autorun

Previous Ranking: 5
Percentage Detected: 1.38%

This detection label is used to describe a variety of malware using the file autorun.inf as a way of compromising a PC. This file contains information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by a Windows PC user. ESET security software heuristically identifies malware that installs or modifies autorun.inf files as INF/Autorun unless it is identified as a member of a specific malware family.

Removable devices are useful and very popular: of course, malware authors are well aware of this, as INF/Autorun’s frequent return to the number one spot clearly indicates. Here’s why it’s a problem.

The default Autorun setting in Windows will automatically run a program listed in the autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices: while this isn’t always the program’s primary distribution mechanism, malware authors are always ready to build in a little extra “value” by including an additional infection technique.

While use of this mechanism makes such malware easy to spot for a scanner that applies this heuristic, it is better to disable the Autorun function by default than to rely on antivirus to detect it in every case.

6. Win32/Conficker

Previous Ranking: 7
Percentage Detected: 1.2%

The Win32/Conficker threat is a network worm originally propagated by exploiting a recent vulnerability in the Windows operating system. This vulnerability is present in the RPC sub-system and can be remotely exploited by an attacker without valid user credentials. Depending on the variant, it may also spread via unsecured shared folders and by removable media, making use of the Autorun facility enabled at present by default in Windows (though not in Windows 7).

Win32/Conficker loads a DLL through the svchost process. This threat contacts web servers with pre-computed domain names to download additional malicious components. Fuller descriptions of Conficker variants are available at http://www.eset.eu/buxus/generate_page.php?page_id=279&lng=en.

While ESET has effective detection for Conficker, it’s important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since the third quarter of 2008, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available at http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx. While later variants dropped the code for infecting via Autorun, it can’t hurt to disable it: this will reduce the impact of the many threats we detect as INF/Autorun. The Research team in San Diego has blogged extensively on Conficker issues: http://www.eset.com/threat-center/blog/?cat=145.

It’s important to note that it’s possible to avoid most Conficker infection risks generically, by practicing “safe hex”: keep up-to-date with system patches, disable Autorun, and don’t use unsecured shared folders.

7. Win32/Ramnit

Previous Ranking: 7
Percentage Detected: 1.16%

Win32/Ramnit is a file infector that executes on every system start. It infects DLL and EXE files and also searches for HTM and HTML files in order to write malicious instructions into them. It exploits a vulnerability on the system (CVE-2010-2568) that allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send gathered information, download files from a remote computer and/or the Internet, run executable files, or shut down/restart the computer.

8. HTML/ScrInject

Previous Ranking: 4
Percentage Detected: 1.06%

Generic detection of HTML web pages containing obfuscated script or iframe tags that automatically redirect to the malware download.

9. HTML/Iframe

Previous Ranking: n/a
Percentage Detected: 1.04%

Type of infiltration: Virus
HTML/Iframe.B is a generic detection of malicious IFRAME tags embedded in HTML pages, which redirect the browser to a specific URL location hosting malicious software.

10. Win32/Dorkbot

Previous Ranking: 10
Percentage Detected: 0.96%

Win32/Dorkbot.A is a worm that spreads via removable media. The worm contains a backdoor and can be controlled remotely. The file is run-time compressed using UPX. The worm collects login user names and passwords when the user browses certain web sites, then attempts to send the gathered information to a remote machine.

Monthly Threat Report: May 2014


1. Win32/Bundpil

Previous Ranking: 1

Percentage Detected: 2.99%

Win32/Bundpil.A is a worm that spreads via removable media. The worm contains a URL and tries to download several files from that address over HTTP; the downloaded files are then executed. The worm may delete files or folders matching the following patterns:
*.exe
*.vbs
*.pif
*.cmd
*Backup.

2. LNK/Agent.AK

Previous Ranking: 2

Percentage Detected: 1.87%

LNK/Agent.AK is a link that concatenates commands to run the real or legitimate application/folder and additionally runs the threat in the background. It could become the new version of the autorun.inf threat. This vulnerability became known when Stuxnet was discovered, as it was one of the four vulnerabilities that threat exploited.

3. Win32/Sality

Previous Ranking: 3

Percentage Detected: 1.56%

Sality is a polymorphic file infector. When run, it starts a service and creates or deletes registry keys related to security activities on the system, and ensures that its malicious process starts on each reboot of the operating system.
It modifies EXE and SCR files and disables services and processes related to security solutions.
More information relating to a specific signature: http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

4. HTML/ScrInject

Previous Ranking: 4

Percentage Detected: 1.49%

Generic detection of HTML web pages containing obfuscated script or iframe tags that automatically redirect to the malware download.

5. INF/Autorun

Previous Ranking: 5

Percentage Detected: 1.47%

This detection label is used to describe a variety of malware using the file autorun.inf as a way of compromising a PC. This file contains information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by a Windows PC user. ESET security software heuristically identifies malware that installs or modifies autorun.inf files as INF/Autorun unless it is identified as a member of a specific malware family.

Removable devices are useful and very popular: of course, malware authors are well aware of this, as INF/Autorun’s frequent return to the number one spot clearly indicates. Here’s why it’s a problem.

The default Autorun setting in Windows will automatically run a program listed in the autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices: while this isn’t always the program’s primary distribution mechanism, malware authors are always ready to build in a little extra “value” by including an additional infection technique.

While use of this mechanism makes such malware easy to spot for a scanner that applies this heuristic, it is better to disable the Autorun function by default than to rely on antivirus to detect it in every case.

6. Win32/Qhost

Previous Ranking: 6

Percentage Detected: 1.37%

This threat copies itself to the %system32% folder of Windows before starting. It then communicates over DNS with its command and control server. Win32/Qhost can spread through e-mail and gives control of an infected computer to an attacker.

7. Win32/Conficker

Previous Ranking: 7
Percentage Detected: 1.22%

The Win32/Conficker threat is a network worm originally propagated by exploiting a recent vulnerability in the Windows operating system. This vulnerability is present in the RPC sub-system and can be remotely exploited by an attacker without valid user credentials. Depending on the variant, it may also spread via unsecured shared folders and by removable media, making use of the Autorun facility enabled at present by default in Windows (though not in Windows 7).

Win32/Conficker loads a DLL through the svchost process. This threat contacts web servers with pre-computed domain names to download additional malicious components. Fuller descriptions of Conficker variants are available at http://www.eset.eu/buxus/generate_page.php?page_id=279&lng=en.

While ESET has effective detection for Conficker, it’s important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since the third quarter of 2008, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available at http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx. While later variants dropped the code for infecting via Autorun, it can’t hurt to disable it: this will reduce the impact of the many threats we detect as INF/Autorun. The Research team in San Diego has blogged extensively on Conficker issues: http://www.eset.com/threat-center/blog/?cat=145.

It’s important to note that it’s possible to avoid most Conficker infection risks generically, by practicing “safe hex”: keep up-to-date with system patches, disable Autorun, and don’t use unsecured shared folders.

8. Win32/Ramnit

Previous Ranking: 8

Percentage Detected: 1.19%

Win32/Ramnit is a file infector that executes on every system start. It infects DLL and EXE files and also searches for HTM and HTML files in order to write malicious instructions into them. It exploits a vulnerability on the system (CVE-2010-2568) that allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send gathered information, download files from a remote computer and/or the Internet, run executable files, or shut down/restart the computer.

9. Win32/TrojanDownloader.Waski

Previous Ranking: 9

Percentage Detected: 1.12%

Win32/TrojanDownloader.Waski is a trojan which tries to download other malware from the Internet. It contains a list of two URLs and tries to download a file from those addresses over HTTP. The file is stored at %temp%\miy.exe and is then executed.

10. Win32/Dorkbot

Previous Ranking: 10

Percentage Detected: 1.01%

Win32/Dorkbot.A is a worm that spreads via removable media. The worm contains a backdoor and can be controlled remotely. The file is run-time compressed using UPX. The worm collects login user names and passwords when the user browses certain web sites, then attempts to send the gathered information to a remote machine.

Monthly Threat Report: April 2014


1. Win32/Bundpil

Previous Ranking: 1

Percentage Detected: 2.83%

Win32/Bundpil.A is a worm that spreads via removable media. The worm contains a URL and tries to download several files from that address over HTTP; the downloaded files are then executed. The worm may delete files or folders matching the following patterns:
*.exe
*.vbs
*.pif
*.cmd
*Backup.

2. LNK/Agent.AK

Previous Ranking: 2

Percentage Detected: 1.96%

LNK/Agent.AK is a link that concatenates commands to run the real or legitimate application/folder and additionally runs the threat in the background. It could become the new version of the autorun.inf threat. This vulnerability became known when Stuxnet was discovered, as it was one of the four vulnerabilities that threat exploited.

3. Win32/Sality

Previous Ranking: 3
Percentage Detected: 1.66%

Sality is a polymorphic file infector. When run, it starts a service and creates or deletes registry keys related to security activities on the system, and ensures that its malicious process starts on each reboot of the operating system.
It modifies EXE and SCR files and disables services and processes related to security solutions.
More information relating to a specific signature: http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

4. HTML/ScrInject

Previous Ranking: 6
Percentage Detected: 1.66%

Generic detection of HTML web pages containing obfuscated script or iframe tags that automatically redirect to the malware download.

5. INF/Autorun

Previous Ranking: 4
Percentage Detected: 1.58%

This detection label is used to describe a variety of malware using the file autorun.inf as a way of compromising a PC. This file contains information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by a Windows PC user. ESET security software heuristically identifies malware that installs or modifies autorun.inf files as INF/Autorun unless it is identified as a member of a specific malware family.

Removable devices are useful and very popular: of course, malware authors are well aware of this, as INF/Autorun’s frequent return to the number one spot clearly indicates. Here’s why it’s a problem.

The default Autorun setting in Windows will automatically run a program listed in the autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices: while this isn’t always the program’s primary distribution mechanism, malware authors are always ready to build in a little extra “value” by including an additional infection technique.

While use of this mechanism makes such malware easy to spot for a scanner that applies this heuristic, it is better to disable the Autorun function by default than to rely on antivirus to detect it in every case.

6. Win32/Qhost

Previous Ranking: 5
Percentage Detected: 1.54%

This threat copies itself to the %system32% folder of Windows before starting. It then communicates over DNS with its command and control server. Win32/Qhost can spread through e-mail and gives control of an infected computer to an attacker.

7. Win32/Conficker

Previous Ranking: 7
Percentage Detected: 1.31%

The Win32/Conficker threat is a network worm originally propagated by exploiting a recent vulnerability in the Windows operating system. This vulnerability is present in the RPC sub-system and can be remotely exploited by an attacker without valid user credentials. Depending on the variant, it may also spread via unsecured shared folders and by removable media, making use of the Autorun facility enabled at present by default in Windows (though not in Windows 7).

Win32/Conficker loads a DLL through the svchost process. This threat contacts web servers with pre-computed domain names to download additional malicious components. Fuller descriptions of Conficker variants are available at http://www.eset.eu/buxus/generate_page.php?page_id=279&lng=en.

While ESET has effective detection for Conficker, it’s important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since the third quarter of 2008, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available at http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx. While later variants dropped the code for infecting via Autorun, it can’t hurt to disable it: this will reduce the impact of the many threats we detect as INF/Autorun. The Research team in San Diego has blogged extensively on Conficker issues: http://www.eset.com/threat-center/blog/?cat=145.

It’s important to note that it’s possible to avoid most Conficker infection risks generically, by practicing “safe hex”: keep up-to-date with system patches, disable Autorun, and don’t use unsecured shared folders.

8. JS/Kryptik.I

Previous Ranking: n/a
Percentage Detected: 1.28%

JS/Kryptik is a generic detection of malicious obfuscated JavaScript code embedded in HTML pages; it usually redirects the browser to a malicious URL or implements a specific exploit.

9. Win32/Ramnit

Previous Ranking: 8
Percentage Detected: 1.26%

Win32/Ramnit is a file infector that executes on every system start. It infects DLL and EXE files and also searches for HTM and HTML files in order to write malicious instructions into them. It exploits a vulnerability on the system (CVE-2010-2568) that allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send gathered information, download files from a remote computer and/or the Internet, run executable files, or shut down/restart the computer.

10. Win32/TrojanDownloader.Waski

Previous Ranking: n/a
Percentage Detected: 1.07%

Win32/TrojanDownloader.Waski is a trojan which tries to download other malware from the Internet. It contains a list of two URLs and tries to download a file from those addresses over HTTP. The file is stored at %temp%\miy.exe and is then executed.

Monthly Threat Report: March 2014


The Top Ten Threats

1. Win32/Bundpil

Previous Ranking: 1
Percentage Detected: 2.88%

Win32/Bundpil.A is a worm that spreads via removable media. The worm contains a URL and tries to download several files from that address over HTTP; the downloaded files are then executed. The worm may delete files or folders matching the following patterns:
*.exe
*.vbs
*.pif
*.cmd
*Backup.

2. LNK/Agent.AK

Previous Ranking: 2
Percentage Detected: 1.87%

LNK/Agent.AK is a link that concatenates commands to run the real or legitimate application/folder and additionally runs the threat in the background. It could become the new version of the autorun.inf threat. This vulnerability became known when Stuxnet was discovered, as it was one of the four vulnerabilities that threat exploited.

3. Win32/Sality

Previous Ranking: 3
Percentage Detected: 1.66%

Sality is a polymorphic file infector. When run, it starts a service and creates or deletes registry keys related to security activities on the system, and ensures that its malicious process starts on each reboot of the operating system.
It modifies EXE and SCR files and disables services and processes related to security solutions.
More information relating to a specific signature: http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

4. INF/Autorun

Previous Ranking: 4
Percentage Detected: 1.57%

This detection label is used to describe a variety of malware using the file autorun.inf as a way of compromising a PC. This file contains information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by a Windows PC user. ESET security software heuristically identifies malware that installs or modifies autorun.inf files as INF/Autorun unless it is identified as a member of a specific malware family.

Removable devices are useful and very popular: of course, malware authors are well aware of this, as INF/Autorun’s frequent return to the number one spot clearly indicates. Here’s why it’s a problem.

The default Autorun setting in Windows will automatically run a program listed in the autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices: while this isn’t always the program’s primary distribution mechanism, malware authors are always ready to build in a little extra “value” by including an additional infection technique.

While use of this mechanism makes such malware easy to spot for a scanner that applies this heuristic, it is better to disable the Autorun function by default than to rely on antivirus to detect it in every case.

5. Win32/Qhost

Previous Ranking: 5
Percentage Detected: 1.51%

This threat copies itself to the %system32% folder of Windows before starting. It then communicates over DNS with its command and control server. Win32/Qhost can spread through e-mail and gives control of an infected computer to an attacker.

6. HTML/ScrInject

Previous Ranking: 6
Percentage Detected: 1.36%

Generic detection of HTML web pages containing obfuscated script or iframe tags that automatically redirect to the malware download.

7. Win32/Conficker

Previous Ranking: 8
Percentage Detected: 1.28%

The Win32/Conficker threat is a network worm originally propagated by exploiting a recent vulnerability in the Windows operating system. This vulnerability is present in the RPC sub-system and can be remotely exploited by an attacker without valid user credentials. Depending on the variant, it may also spread via unsecured shared folders and by removable media, making use of the Autorun facility enabled at present by default in Windows (though not in Windows 7).

Win32/Conficker loads a DLL through the svchost process. This threat contacts web servers with pre-computed domain names to download additional malicious components. Fuller descriptions of Conficker variants are available at http://www.eset.eu/buxus/generate_page.php?page_id=279&lng=en.

While ESET has effective detection for Conficker, it’s important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since the third quarter of 2008, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available at http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx. While later variants dropped the code for infecting via Autorun, it can’t hurt to disable it: this will reduce the impact of the many threats we detect as INF/Autorun. The Research team in San Diego has blogged extensively on Conficker issues: http://www.eset.com/threat-center/blog/?cat=145.

It’s important to note that it’s possible to avoid most Conficker infection risks generically, by practicing “safe hex”: keep up-to-date with system patches, disable Autorun, and don’t use unsecured shared folders.

8. Win32/Ramnit

Previous Ranking: 7
Percentage Detected: 1.27%

Win32/Ramnit is a file-infecting virus that executes on every system start. It infects DLL and EXE files and also searches for HTM and HTML files in order to write malicious instructions into them. It exploits a vulnerability on the system (CVE-2010-2568) that allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send gathered information, download files from a remote computer and/or the Internet, run executable files, or shut down/restart the computer.

9. Win32/Dorkbot

Previous Ranking: 9
Percentage Detected: 1.07%

Win32/Dorkbot.A is a worm that spreads via removable media. The worm contains a backdoor and can be controlled remotely. The file is run-time compressed using UPX. The worm collects login user names and passwords when the user browses certain web sites, then attempts to send the gathered information to a remote machine.

10. JS/FBook

Previous Ranking: n/a
Percentage Detected: 0.95%

JS/FBook is a trojan used for delivery of unsolicited advertisements. The trojan does not create any copies of itself, and the program code is usually embedded in HTML pages.

Monthly Threat Report: February 2014


The Top Ten Threats

1. Win32/Bundpil

Previous Ranking: 1
Percentage Detected: 2.9%

Win32/Bundpil.A is a worm that spreads via removable media. The worm contains a URL and tries to download several files from that address over HTTP; the downloaded files are then executed. The worm may delete files or folders matching the following patterns:
*.exe
*.vbs
*.pif
*.cmd
*Backup.

2. LNK/Agent.AK

Previous Ranking: 5
Percentage Detected: 1.86%

LNK/Agent.AK is a link that concatenates commands to run the real or legitimate application/folder and additionally runs the threat in the background. It could become the new version of the autorun.inf threat. This vulnerability became known when Stuxnet was discovered, as it was one of the four vulnerabilities that threat exploited.

3. Win32/Sality

Previous Ranking: 2
Percentage Detected: 1.67%

Sality is a polymorphic file infector. When run, it starts a service and creates or deletes registry keys related to security activities on the system, and ensures that its malicious process starts on each reboot of the operating system.
It modifies EXE and SCR files and disables services and processes related to security solutions.
More information relating to a specific signature: http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

4. INF/Autorun

Previous Ranking: 4
Percentage Detected: 1.57%

This detection label is used to describe a variety of malware using the file autorun.inf as a way of compromising a PC. This file contains information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by a Windows PC user. ESET security software heuristically identifies malware that installs or modifies autorun.inf files as INF/Autorun unless it is identified as a member of a specific malware family.

Removable devices are useful and very popular: of course, malware authors are well aware of this, as INF/Autorun’s frequent return to the number one spot clearly indicates. Here’s why it’s a problem.

The default Autorun setting in Windows will automatically run a program listed in the autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices: while this isn’t always the program’s primary distribution mechanism, malware authors are always ready to build in a little extra “value” by including an additional infection technique.

Malware that uses this mechanism is easy for a scanner with this heuristic to spot, but it’s better to disable Autorun by default than to rely on antivirus detecting it in every case.
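The two checks a practitioner wants here are what an autorun.inf found on a suspect drive would actually launch, and whether the machine's policy would let it. The following is an added Python example, not ESET's code or anything from this report: it parses the [autorun] section for the keys that cause execution (open=, shellexecute=, and the shell\<verb>\command= entries that hijack the Open/Explore context-menu items), and decodes the NoDriveTypeAutoRun policy bitmask from HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, where 0xFF disables Autorun for every drive type. The two sample autorun.inf files are constructed for illustration and are not real samples.

```python
"""Parse an autorun.inf for execution directives and decode the Windows
NoDriveTypeAutoRun policy that decides whether it would be honoured."""
from __future__ import annotations

import configparser
import re

# Bits of the NoDriveTypeAutoRun REG_DWORD under
# HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
# (the same value under HKCU applies per user). A set bit disables
# Autorun for that drive type.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "cdrom",
    0x40: "ramdisk",
    0x80: "reserved",
}
WINDOWS_DEFAULT_MASK = 0x91   # unknown, network and reserved only
HARDENED_MASK = 0xFF          # Autorun disabled for every drive type

# Keys that make Windows execute something. The shell\<verb>\command form is
# how USB worms hijack the Open/Explore context-menu entries so that even a
# cautious double-click on the drive runs the payload.
EXEC_KEYS = {"open", "shellexecute"}
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")


def autorun_disabled_for(mask: int) -> set[str]:
    """Drive types on which the given policy mask disables Autorun."""
    return {name for bit, name in DRIVE_TYPE_BITS.items() if mask & bit}


def find_exec_directives(text: str) -> list[tuple[str, str]]:
    """Return (key, value) pairs from [autorun] that would run a program.

    Raises ValueError for input configparser cannot read at all. Windows is
    lenient about malformed files, so strict=False tolerates duplicate keys.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        raise ValueError(f"unparseable autorun.inf: {exc}") from exc
    if not cp.has_section("autorun"):
        return []
    return [(key, (value or "").strip())
            for key, value in cp.items("autorun")   # keys are lower-cased
            if key in EXEC_KEYS or SHELL_CMD_RE.match(key)]


def assess(text: str, mask: int) -> dict:
    """Combine both checks: what the file would run, and whether the policy
    still leaves Autorun handling enabled for removable and optical media."""
    directives = find_exec_directives(text)
    active = set(DRIVE_TYPE_BITS.values()) - autorun_disabled_for(mask)
    return {
        "directives": directives,
        "autorun_active_for": active,
        "exposed_on_removable": bool(directives) and "removable" in active,
        "exposed_on_cdrom": bool(directives) and "cdrom" in active,
    }


# Constructed sample in the style of a USB worm's autorun.inf (not a real one).
WORM_AUTORUN_INF = r"""
[autorun]
open=RECYCLER\S-1-5-21-1482476501\setup.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open\Command=RECYCLER\S-1-5-21-1482476501\setup.exe
shell\explore\Command=RECYCLER\S-1-5-21-1482476501\setup.exe
"""

# Constructed benign sample: a branded drive that only sets an icon and label.
BENIGN_AUTORUN_INF = r"""
[autorun]
icon=drive.ico
label=Backup Drive
"""

if __name__ == "__main__":
    for mask in (WINDOWS_DEFAULT_MASK, HARDENED_MASK):
        print(f"mask=0x{mask:02X}: {assess(WORM_AUTORUN_INF, mask)}")
```

Since Microsoft's 2011 AutoPlay update (and on Windows 7 out of the box) autorun.inf is ignored on non-optical removable media, so the removable-drive case mostly concerns unpatched older systems; a value of 0xFF still matters for CD/DVD images and network drives, and is the setting to verify during a build review.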

5. Win32/Qhost

Previous Ranking: 9
Percentage Detected: 1.55%

This threat copies itself to the %system32% folder of Windows before starting. It then communicates over DNS with its command and control server. Win32/Qhost can spread through e-mail and gives control of an infected computer to an attacker.

6. HTML/ScrInject

Previous Ranking: 3
Percentage Detected: 1.54%

Generic detection of HTML web pages containing obfuscated script or iframe tags that automatically redirect to a malware download.
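HTML/ScrInject, like HTML/Iframe later in these reports, is a heuristic detection, so it is worth seeing what such a heuristic looks like in practice. The following is an added Python example, not ESET's detection logic: it scans a page for iframes that are sized 0 or 1 pixels or hidden by style, for scripts that feed long runs of %XX, \xXX or \uXXXX escapes to eval(), unescape(), String.fromCharCode() or document.write(), and for scripts that write an iframe directly. The sample page, and the 198.51.100.7 address in it (documentation range), are constructed and are not indicators from the report.

```python
"""Scan HTML for the hidden iframes and obfuscated scripts that generic
detections like HTML/Iframe and HTML/ScrInject are built around."""
from __future__ import annotations

import re
from html.parser import HTMLParser

# Calls that almost every obfuscated injector ends with.
DECODER_CALL_RE = re.compile(
    r"\b(eval|unescape|String\.fromCharCode|document\.write)\s*\(")
# Eight or more consecutive escapes (%XX, \xXX, \uXXXX) is a payload, not code.
ESCAPE_RUN_RE = re.compile(
    r"(?:%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}){8,}")
# Styles used to keep an iframe invisible or off-screen.
HIDDEN_STYLE_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}",
    re.IGNORECASE)


def _is_tiny(value) -> bool:
    """True for width/height attributes of 0 or 1 (bare numbers or px)."""
    if value is None:
        return False
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    try:
        return int(v) <= 1
    except ValueError:
        return False


class _Scanner(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.findings: list[tuple[str, str]] = []
        self._script = None  # list buffer while inside <script>, else None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # last duplicate attribute wins, as in browsers
        if tag == "iframe":
            hidden = (_is_tiny(a.get("width")) or _is_tiny(a.get("height"))
                      or bool(HIDDEN_STYLE_RE.search(a.get("style") or "")))
            if hidden:
                self.findings.append(("hidden_iframe", a.get("src") or ""))
        elif tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            self._check_script("".join(self._script))
            self._script = None

    def _check_script(self, body: str) -> None:
        calls = sorted(set(DECODER_CALL_RE.findall(body)))
        if calls and ESCAPE_RUN_RE.search(body):
            self.findings.append(("obfuscated_script", ",".join(calls)))
        elif "document.write" in calls and "<iframe" in body.lower():
            self.findings.append(("script_writes_iframe", body.strip()[:60]))


def scan_html(html: str) -> list[tuple[str, str]]:
    """Return (indicator, detail) pairs; an empty list means nothing flagged."""
    scanner = _Scanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one ordinary ad iframe, one 1x1 hidden iframe to a
# redirector, and a percent-escaped payload handed to eval().
SAMPLE_HTML = """<html><head><title>Company News</title>
<script src="/js/site.js"></script></head>
<body><h1>Welcome</h1><p>Nothing to see here.</p>
<iframe src="http://ads.example/banner" width="300" height="250"></iframe>
<iframe src="http://198.51.100.7/in.cgi?3" width="1" height="1"
        style="visibility:hidden"></iframe>
<script>var s=unescape("%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70");eval(s);</script>
</body></html>"""

# Constructed sample of the document.write() style of injection.
WRITER_HTML = ('<script>document.write("<iframe src=\'http://198.51.100.7/x\' '
               'width=0 height=0></iframe>");</script>')

if __name__ == "__main__":
    for name, page in (("sample", SAMPLE_HTML), ("writer", WRITER_HTML)):
        print(name, scan_html(page))
```

The thresholds (1 pixel, eight escapes) are deliberately simple; a production scanner would also decode the escaped string and re-scan the result, since a redirect that is still hidden after one unescape() is the norm rather than the exception.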

7. Win32/Ramnit

Previous Ranking: 6
Percentage Detected: 1.27%

Win32/Ramnit is a file-infecting virus that executes on every system start. It infects DLL and EXE files and also searches for HTM and HTML files, writing malicious instructions into them. It exploits a vulnerability on the system (CVE-2010-2568) that allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send gathered information, download files from a remote computer and/or the Internet, run executable files, or shut down/restart the computer.

8. Win32/Conficker

Previous Ranking: 7
Percentage Detected: 1.26%

The Win32/Conficker threat is a network worm originally propagated by exploiting a vulnerability in the Windows operating system. This vulnerability is present in the RPC sub-system and can be remotely exploited by an attacker without valid user credentials. Depending on the variant, it may also spread via unsecured shared folders and by removable media, making use of the Autorun facility enabled by default in older versions of Windows (though not in Windows 7).

Win32/Conficker loads a DLL through the svchost process. This threat contacts web servers with pre-computed domain names to download additional malicious components. Fuller descriptions of Conficker variants are available at http://www.eset.eu/buxus/generate_page.php?page_id=279&lng=en.

While ESET has effective detection for Conficker, it’s important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since October 2008, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available at http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx. While later variants dropped the code for infecting via Autorun, it can’t hurt to disable it: this will reduce the impact of the many threats we detect as INF/Autorun. The Research team in San Diego has blogged extensively on Conficker issues: http://www.eset.com/threat-center/blog/?cat=145.

It’s important to note that it’s possible to avoid most Conficker infection risks generically, by practicing “safe hex”: keep up-to-date with system patches, disable Autorun, and don’t use unsecured shared folders.

9. Win32/Dorkbot

Previous Ranking: 10
Percentage Detected: 1.1%

Win32/Dorkbot.A is a worm that spreads via removable media and contains a backdoor through which it can be controlled remotely. The file is run-time compressed with UPX. The worm collects login user names and passwords when the user browses certain web sites and then attempts to send the gathered information to a remote machine.

10. Win32/TrojanDownloader.Waski

Previous Ranking: n/a
Percentage Detected: 1.02%

Win32/TrojanDownloader.Waski is a trojan which tries to download other malware from the Internet. It contains a list of two URLs and tries to download a file from those addresses over HTTP. The file is stored in the location %temp%\miy.exe and is then executed.

Phishing Scam Update

by David Harley, ESET North America
by Urban Schrott, ESET Ireland

It may seem at the moment that I don’t write about anything apart from phishing scams and tech support scams. That’s not actually the case, but scammers don’t seem to take holidays, and a couple of things have come along that I couldn’t resist mentioning.

The first has the subject “RBS – Working to protect you and your card.” It appears to come from CreditCardOnlineServices(at)cards.rbs.co.uk.

RBS Credit Card Account Holder:

Your RBS Credit Card is designed to help keep you safe
Receive alerts when we spot a suspicious transaction
Sometimes we spot what looks like a fraudulent transaction on your credit card – so to make sure, we’ll call you and check. Better still, why not join our free fraud text alert service?
It’s just another way we’re working to keep your card and your money safe.
To sign-up for this service, simply visit our
fraud text alert website.

Why is this interesting? Well, there are a couple of things here that indicate a scam.

  • The giveaway absence of personalization – if you’re one of a financial institution’s customers, there’s no excuse for not addressing you by name and proving that they know something about you that a scammer wouldn’t.
  • We’ve neutralized the link to the so-called text alert website, but it led to a site that had nothing to do with RBS or even the UK – it appeared to have a Swedish domain name – and actually contained other pages masquerading as other banks.

Apart from that – and the fact that I don’t have an RBS card! – there isn’t much here to indicate to the average user that it’s a scam. The English isn’t ‘foreign’ and does a good job of capturing the tone of a chatty advertising mailshot.

And here’s another one from ‘Lloyds’. Bizarrely, though at first sight the sender appears to be Lloyds Personal Banking, the actual mail address is toilet@ebay.com. It pays to check the mailbox address as well as the display name (Lloyds Personal Banking in this case), even though there’s no guarantee that the address used is a genuine address.

Resolving An Issue With Your Account
Dear Valued Customer
We need your help resolving an issue with your account. To give us to to work together on this, we’ve temporarily limited what you can do with your account until the issue is resolved.
How you can help
It’s usually pretty easy to take care of things like this. Most of the time, we just need a little more information about your account or latest transactions.
To help us with this and to find out what you can and can’t do with your account until the issue is resolved.click on the ink below to resolve issue

Log in here to resolve issue.

Sincerely,
Lloyds Bank

 

This one also lacks personalization and also links to a URL with no connection to Lloyds or the UK. The proofreader was a bit slack, too – “click on the ink below…” – and the English is a little more – well, unEnglish… Still, it’s noticeable that the scammer was aiming for the same chattier, more idiomatic style, and there’s some novelty to that.
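The three tells described above, a generic salutation, a link that leads somewhere unrelated to the bank, and a display name that does not match the mailbox address, can be checked mechanically. The following is an added Python example, not code from this report or from ESET: it parses a raw message with the standard library's email package and reports each indicator it finds. The brand-to-domain allowlist, the two sample messages (modelled on the 'Lloyds' mail quoted above, with the link pointing at a reserved .example name) and the simplified registrable-domain rule are all constructed for illustration; production code should use the Public Suffix List.

```python
"""Check a raw e-mail for the phishing tells discussed above: impersonal
salutation, display name that does not match the sender address, and links
that lead away from the brand being impersonated."""
from __future__ import annotations

import email
import email.policy
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# ASSUMPTION (constructed allowlist): registrable domains each brand really
# sends from and links to. Build this from the bank's published domains.
BRAND_DOMAINS = {
    "lloyds": {"lloydsbank.com", "lloydsbank.co.uk"},
    "rbs": {"rbs.co.uk", "rbs.com"},
}

# "Dear Valued Customer", "Dear Apple Customer", "... Account Holder:"
GENERIC_SALUTATION_RE = re.compile(
    r"\b(?:dear|hello|hi)\s+(?:valued\s+)?"
    r"(?:customer|client|member|user|account\s+holder|\w+\s+customer)\b"
    r"|\baccount\s+holder\s*:",
    re.IGNORECASE,
)

# Simplified registrable-domain rule: two labels, or three when the second
# label is a common registry such as co.uk. Use the Public Suffix List for real.
SECOND_LEVEL = {"co", "ac", "gov", "org", "net", "com"}


def registrable_domain(host: str) -> str:
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class _LinksAndText(HTMLParser):
    """Collect hrefs and the visible text of an HTML (or plain-text) body."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.hrefs: list[str] = []
        self.text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)

    def handle_data(self, data):
        self.text.append(data)


def analyse_message(raw: str, brand: str) -> list[tuple[str, str]]:
    """Return (indicator, detail) pairs; an empty list means nothing flagged."""
    allowed = BRAND_DOMAINS[brand]
    msg = email.message_from_string(raw, policy=email.policy.default)
    findings: list[tuple[str, str]] = []

    # 1. The mailbox address behind the friendly display name.
    display_name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = registrable_domain(addr.rpartition("@")[2]) if "@" in addr else ""
    if sender_domain not in allowed:
        findings.append(("sender_domain_mismatch",
                         f"{display_name!r} sends from {sender_domain or '<no address>'}"))

    # 2. Where the links really go.
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = _LinksAndText()
    parser.feed(body.get_content() if body is not None else "")
    for href in parser.hrefs:
        host = urlparse(href).hostname
        if host and registrable_domain(host) not in allowed:
            findings.append(("link_domain_mismatch", registrable_domain(host)))

    # 3. No personalisation.
    match = GENERIC_SALUTATION_RE.search(" ".join(parser.text))
    if match:
        findings.append(("generic_salutation", match.group(0).strip()))
    return findings


# Constructed sample modelled on the 'Lloyds' mail quoted above (not the
# original message; the link target is a reserved .example name).
PHISH_MAIL = """\
From: Lloyds Personal Banking <toilet@ebay.com>
To: someone@example.net
Subject: Resolving An Issue With Your Account
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Valued Customer</p>
<p>We need your help resolving an issue with your account.</p>
<p><a href="http://lloyds-verify.example/login">Log in here to resolve issue.</a></p>
</body></html>
"""

# Constructed control: a personalised alert from an allowlisted domain.
LEGIT_MAIL = """\
From: Lloyds Bank <alerts@lloydsbank.co.uk>
To: someone@example.net
Subject: Your statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Ms Example</p>
<p>Your statement for the account ending 1234 is ready.</p>
<p><a href="https://www.lloydsbank.co.uk/">Sign in</a></p></body></html>
"""

if __name__ == "__main__":
    print("phish:", analyse_message(PHISH_MAIL, "lloyds"))
    print("legit:", analyse_message(LEGIT_MAIL, "lloyds"))
```

None of these checks is conclusive on its own (a bank's marketing mailer can be impersonal, and a real sender can link to a third-party campaign host), which is why the output is a list of indicators rather than a verdict.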

Meanwhile, my colleague Urban Schrott has been writing for ESET Ireland about scams that have crossed his radar. While there’s no disputing the lengths to which Apple goes to defend its customers from security threats, it’s not possible for an operating system provider or security vendor to provide absolute protection for the user of any platform or security software from his own lack of caution. As Urban points out, if users are overconfident of the absolute security of their computing environment, “…that confidence can work against them when it comes to social engineering, particularly phishing, as they tend to trust “official” looking websites more [than they should] and cybercriminals know and abuse this to the maximum.”

As an example, he describes how a very realistic looking phishing email is being received by Irish users, using the usual Apple visual clues and leading to a faked iTunes Connect login site at an address that several security vendors have noted is associated with malware distribution, and which harvests users’ iTunes login details. He notes that it “still lets you in if you enter any made-up nonsense though.”

The prospective victim (addressed generically, of course, as ‘Dear Apple Customer’) is told that “in order to get back into your apple account, you’ll need to confirm your account. It’s easy: Click the link below to open a secure browser window. Confirm that you’re the owner of the account and then follow the instructions. .“

[Image: the fake Apple/iTunes Connect phishing email]

While the mail looks fairly realistic (with an Apple logo and so on) there are one or two details that you might have spotted: the failure to capitalize Apple; a couple of proofing errors (the unfortunate space between ‘account’ and the following period character, and two period characters separated by a space character at the end of the paragraph); and the capitalized Click after a colon, which is common US usage, but not common in the UK or Ireland.

The fake iTunes Connect login is even more US-centric. Once “logged in”, the page asks you to “confirm” many of your personal details, including your credit card number and security code, your password and sort code, but also your Social Security number. Are there that many Americans in Ireland, I wonder?

Monthly Threat Report: October 2013


The Top Ten Threats

1. Win32/Bundpil

Previous Ranking: 1
Percentage Detected: 3.9%

Win32/Bundpil.A is a worm that spreads via removable media. The worm contains a URL and tries to download several files from that address over HTTP; the downloaded files are then executed. The worm may delete files and folders matching the following patterns:
*.exe
*.vbs
*.pif
*.cmd
*Backup.

2. INF/Autorun

Previous Ranking: 2
Percentage Detected: 2.1%

This detection label is used to describe a variety of malware using the file autorun.inf as a way of compromising a PC. This file contains information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by a Windows PC user. ESET security software heuristically identifies malware that installs or modifies autorun.inf files as INF/Autorun unless it is identified as a member of a specific malware family.

Removable devices are useful and very popular: of course, malware authors are well aware of this, as INF/Autorun’s frequent return to the number one spot clearly indicates. Here’s why it’s a problem.

The default Autorun setting in Windows will automatically run a program listed in the autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices: while this isn’t always the program’s primary distribution mechanism, malware authors are always ready to build in a little extra “value” by including an additional infection technique.

Malware that uses this mechanism is easy for a scanner with this heuristic to spot, but it’s better to disable Autorun by default than to rely on antivirus detecting it in every case.

3. Win32/Sality

Previous Ranking: 3
Percentage Detected: 2.05%

Sality is a polymorphic file infector. When run, it starts a service and creates/deletes registry keys related to security activity on the system, ensuring the malicious process starts on every reboot of the operating system.
It modifies EXE and SCR files and disables services and processes related to security solutions.
More information relating to a specific signature:
http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

4. HTML/Iframe

Previous Ranking: 4
Percentage Detected: 1.9%

Type of infiltration: Virus
HTML/Iframe.B is generic detection of malicious IFRAME tags embedded in HTML pages, which redirect the browser to a specific URL location with malicious software.

5. HTML/ScrInject

Previous Ranking: 5
Percentage Detected: 1.78%

Generic detection of HTML web pages containing obfuscated script or iframe tags that automatically redirect to a malware download.

6. Win32/Dorkbot

Previous Ranking: 6
Percentage Detected: 1.62%

Win32/Dorkbot.A is a worm that spreads via removable media and contains a backdoor through which it can be controlled remotely. The file is run-time compressed with UPX.
The worm collects login user names and passwords when the user browses certain web sites and then attempts to send the gathered information to a remote machine.

7. Win32/Conficker

Previous Ranking: 7
Percentage Detected: 1.61%

The Win32/Conficker threat is a network worm originally propagated by exploiting a vulnerability in the Windows operating system. This vulnerability is present in the RPC sub-system and can be remotely exploited by an attacker without valid user credentials. Depending on the variant, it may also spread via unsecured shared folders and by removable media, making use of the Autorun facility enabled by default in older versions of Windows (though not in Windows 7).

Win32/Conficker loads a DLL through the svchost process. This threat contacts web servers with pre-computed domain names to download additional malicious components. Fuller descriptions of Conficker variants are available at http://www.eset.eu/buxus/generate_page.php?page_id=279&lng=en.

While ESET has effective detection for Conficker, it’s important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since October 2008, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available at http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx. While later variants dropped the code for infecting via Autorun, it can’t hurt to disable it: this will reduce the impact of the many threats we detect as INF/Autorun. The Research team in San Diego has blogged extensively on Conficker issues: http://www.eset.com/threat-center/blog/?cat=145.

It’s important to note that it’s possible to avoid most Conficker infection risks generically, by practicing “safe hex”: keep up-to-date with system patches, disable Autorun, and don’t use unsecured shared folders.

8. Win32/Ramnit

Previous Ranking: 8
Percentage Detected: 1.45%

Win32/Ramnit is a file-infecting virus that executes on every system start. It infects DLL and EXE files and also searches for HTM and HTML files, writing malicious instructions into them. It exploits a vulnerability on the system (CVE-2010-2568) that allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send gathered information, download files from a remote computer and/or the Internet, run executable files, or shut down/restart the computer.

9. Win32/TrojanDownloader.Small.AAB

Previous Ranking: n/a
Percentage Detected: 1.34%

Win32/TrojanDownloader.Small.AAB is a trojan which tries to download other malware from the Internet. When executed, it copies itself to the location %temp%\hcbnaf.exe. The trojan contains a URL and tries to download a file from that address.

10. Win32/Qhost

Previous Ranking: 9
Percentage Detected: 1.09%

This threat copies itself to the %system32% folder of Windows before starting. It then communicates over DNS with its command and control server. Win32/Qhost can spread through e-mail and gives control of an infected computer to an attacker.

Monthly Threat Report: September 2013

The Top Ten Threats

1. Win32/Bundpil

Previous Ranking: 2
Percentage Detected: 3.69%

Win32/Bundpil.A is a worm that spreads via removable media. The worm contains a URL and tries to download several files from that address over HTTP; the downloaded files are then executed. The worm may delete files and folders matching the following patterns:
*.exe
*.vbs
*.pif
*.cmd
*Backup.

2. INF/Autorun

Previous Ranking: 5
Percentage Detected: 2.08%

This detection label is used to describe a variety of malware using the file autorun.inf as a way of compromising a PC. This file contains information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by a Windows PC user. ESET security software heuristically identifies malware that installs or modifies autorun.inf files as INF/Autorun unless it is identified as a member of a specific malware family.

Removable devices are useful and very popular: of course, malware authors are well aware of this, as INF/Autorun’s frequent return to the number one spot clearly indicates. Here’s why it’s a problem.

The default Autorun setting in Windows will automatically run a program listed in the autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices: while this isn’t always the program’s primary distribution mechanism, malware authors are always ready to build in a little extra “value” by including an additional infection technique.

Malware that uses this mechanism is easy for a scanner with this heuristic to spot, but it’s better to disable Autorun by default than to rely on antivirus detecting it in every case.

3. Win32/Sality

Previous Ranking: 4
Percentage Detected: 2.05%

Sality is a polymorphic file infector. When run, it starts a service and creates/deletes registry keys related to security activity on the system, ensuring the malicious process starts on every reboot of the operating system.
It modifies EXE and SCR files and disables services and processes related to security solutions.
More information relating to a specific signature:
http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

4. HTML/Iframe

Previous Ranking: 1
Percentage Detected: 1.78%

Type of infiltration: Virus
HTML/Iframe.B is generic detection of malicious IFRAME tags embedded in HTML pages, which redirect the browser to a specific URL location with malicious software.

5. HTML/ScrInject

Previous Ranking: 3
Percentage Detected: 1.73%

Generic detection of HTML web pages containing obfuscated script or iframe tags that automatically redirect to a malware download.

6. Win32/Dorkbot

Previous Ranking: 7
Percentage Detected: 1.59%

Win32/Dorkbot.A is a worm that spreads via removable media and contains a backdoor through which it can be controlled remotely. The file is run-time compressed with UPX.
The worm collects login user names and passwords when the user browses certain web sites and then attempts to send the gathered information to a remote machine.

7. Win32/Conficker

Previous Ranking: 6
Percentage Detected: 1.58%

The Win32/Conficker threat is a network worm originally propagated by exploiting a vulnerability in the Windows operating system. This vulnerability is present in the RPC sub-system and can be remotely exploited by an attacker without valid user credentials. Depending on the variant, it may also spread via unsecured shared folders and by removable media, making use of the Autorun facility enabled by default in older versions of Windows (though not in Windows 7).

Win32/Conficker loads a DLL through the svchost process. This threat contacts web servers with pre-computed domain names to download additional malicious components. Fuller descriptions of Conficker variants are available at http://www.eset.eu/buxus/generate_page.php?page_id=279&lng=en.

While ESET has effective detection for Conficker, it’s important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since October 2008, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available at http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx. While later variants dropped the code for infecting via Autorun, it can’t hurt to disable it: this will reduce the impact of the many threats we detect as INF/Autorun. The Research team in San Diego has blogged extensively on Conficker issues: http://www.eset.com/threat-center/blog/?cat=145.

It’s important to note that it’s possible to avoid most Conficker infection risks generically, by practicing “safe hex”: keep up-to-date with system patches, disable Autorun, and don’t use unsecured shared folders.

8. Win32/Ramnit

Previous Ranking: 8
Percentage Detected: 1.43%

Win32/Ramnit is a file-infecting virus that executes on every system start. It infects DLL and EXE files and also searches for HTM and HTML files, writing malicious instructions into them. It exploits a vulnerability on the system (CVE-2010-2568) that allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send gathered information, download files from a remote computer and/or the Internet, run executable files, or shut down/restart the computer.

9. Win32/Qhost

Previous Ranking: 9
Percentage Detected: 1.23%

This threat copies itself to the %system32% folder of Windows before starting. It then communicates over DNS with its command and control server. Win32/Qhost can spread through e-mail and gives control of an infected computer to an attacker.

10. Win32/Virut

Previous Ranking: 10
Percentage Detected: 0.98%

Win32/Virut is a polymorphic file infector. It infects files with EXE and SCR extensions by appending itself to the last section of the file. Additionally, it searches for HTM, PHP and ASP files and adds a malicious iframe to them. The virus connects to an IRC network and can be controlled remotely.

 

TLDs, Phishing, Business Security and Education

David Harley CITP FBCS CISSP ESET Senior Research Fellow

Recently we were asked about the security implications of the new wave of professional Top Level Domains (TLDs), notably .bank. This isn’t an issue I’ve really given much thought to: I only work seven days a week. But it seems to me that the central issue with gTLDs (generic TLDs) like .bank as opposed to specific brand TLDs like .barclays is how much trust you can place in the bona fides of a domain.

Some thought has been put into reducing the risk of trademark infringement and avoiding cybersquatting in terms of brand TLDs, and that has an indirect benefit to the user because it makes phishing somewhat less likely. However, once the domain is approved and launched, how safe it is depends on the good intent and security-awareness of the domain holder.

Very heavy use has been made in recent years of subdomains under TLDs such as .co.cc and .tk to host malicious URLs, as well as TLDs whose core business is to provide subdomains (or sub-subdomains) under their own *.com domain. There’s potential here for an expansion of such malicious activity, and I for one am not going to rush to click on any links in any email I receive from {mybank}.bank, let alone such gifts to typosquatting as .comm.

There’s recently been a revitalized discussion on Twitter about the much-heralded death of anti-virus. I’ve been hearing this since about 1994, so it must be going to happen soon. Well, Larry Bridwell and I will be discussing the demise of the industry that pays my bills at the AVAR conference in December, so I won’t devote a lot of space to that issue now, but one of the interesting facets of that Twitter thread came out of a blog by Blaze in which he suggests that there is a blame attribution model where various stakeholders – AV vendors, other security vendors, Microsoft, and other application vendors – attribute some blame to one or more of the other players, but all blame the end user.

I agree, that’s kind of close to a ‘blame the victim’ culture like the one that old-school virus writers and new age cybercriminals are both apt to subscribe to. Kurt Wismer points out though that “at the end of the day, no one is expecting the attackers to collectively vanish, so improving things is going to require changes on the part of other players as well, including the users.” Improving user awareness across the board – particularly for home users – is a bigger job than I can do justice to in a short article, but how about in the business world? As it happens, that’s something else we were asked about recently…

Every kind of business generates and stores data that is potentially of interest to cyber criminals, and even the smallest business should assess how valuable or sensitive its data really is, performing a formal security audit if appropriate. Businesses of any size are also subject to national data protection laws and need to be aware of these and of the penalties for non-compliance.

As part of their risk analysis, businesses (irrespective of their size) need to consider the impact of a security breach on the business, thinking about who or what would be affected and whether the business could continue to trade if a breach was successful. Once it has a clear view of the risks it can then decide how to communicate network security policies to its staff.

The first step is to make sure staff are aware of the risks from cyber-criminals. Although cybercrooks are sometimes very cunning and sophisticated, their impact can be drastically reduced by some simple preventative measures and education. Good user education is a filter, not a flood: you can’t educate effectively by hitting people with ‘everything they need to know about security’ in one massive hit: it’s an ongoing process that focuses on essentials, on teaching the user to extrapolate from one example scenario to others, and reinforcement of core messages over the whole period where the staff member works for the company.

It’s essential to create a culture of security awareness where all staff, regardless of level and role, take it for granted that they are part of the solution.

For cyber security efforts to be as successful as they should be, everyone needs to know and understand what the organisation’s cyber security policies are, how to comply with them through proper use of controls, why compliance is important, and the possible consequences of failure to comply (to the company and to the individual).

The goal should be the creation of a “security-aware workforce”: not a workforce comprised entirely of security gurus, but one where employees are empowered to report risky practices to management. Staff training sessions should make employees aware of such things as email safety, password usage, safe mobile use and the importance of data protection, and an Acceptable Use Policy (AUP) for all staff, including approved web and social media usage. Policies, controls and security education should also take into account data-sharing relationships with partners, vendors and clients. An authoritarian approach to security enforcement with draconian penalties won’t suit every environment, but employers should spell out that a breach of security can be very bad news for business and threaten its continued operation. If there are specific disciplinary consequences, they need to be clearly documented so that staff are in no doubt as to their existence.

Education is not a one-time, one-shot process. People forget what they don’t use, and have to be reminded and even re-trained. People are better at complying with policies when they understand the rationale behind them. Even assuming that they intend to comply, they’re likelier to remember to comply if they understand why they should do X and shouldn’t do Y.

Since education is an on-going process, HR can play an important role in ensuring that everyone receives suitable and consistent training in the form most appropriate to their role. IT and HR need to liaise to ensure that people have appropriate training and system privilege levels as they enter the organisation and change roles, and to ensure that they don’t retain inappropriate access once they leave.

Monthly Threat Report: August 2013


The Top Ten Threats

1. HTML/Iframe

Previous Ranking: 5
Percentage Detected: 4.26%

Type of infiltration: Virus
HTML/Iframe.B is generic detection of malicious IFRAME tags embedded in HTML pages, which redirect the browser to a specific URL location with malicious software.

2. Win32/Bundpil

Previous Ranking: 1
Percentage Detected: 3.45%

Win32/Bundpil.A is a worm that spreads via removable media. The worm contains a URL and tries to download several files from that address over HTTP; the downloaded files are then executed. The worm may delete files and folders matching the following patterns:
*.exe
*.vbs
*.pif
*.cmd
*Backup.

3. HTML/ScrInject

Previous Ranking: 2
Percentage Detected: 2.59%

Generic detection of HTML web pages containing obfuscated script or iframe tags that automatically redirect to a malware download.

4. Win32/Sality

Previous Ranking: 4
Percentage Detected: 2.08%

Sality is a polymorphic file infector. When run, it starts a service and creates/deletes registry keys related to security activity on the system, ensuring the malicious process starts on every reboot of the operating system.
It modifies EXE and SCR files and disables services and processes related to security solutions.
More information relating to a specific signature:
http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

5. INF/Autorun

Previous Ranking: 3
Percentage Detected: 2.06%

This detection label is used to describe a variety of malware using the file autorun.inf as a way of compromising a PC. This file contains information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by a Windows PC user. ESET security software heuristically identifies malware that installs or modifies autorun.inf files as INF/Autorun unless it is identified as a member of a specific malware family.

Removable devices are useful and very popular: of course, malware authors are well aware of this, as INF/Autorun’s frequent return to the number one spot clearly indicates. Here’s why it’s a problem.

The default Autorun setting in Windows will automatically run a program listed in the autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices: while this isn’t always the program’s primary distribution mechanism, malware authors are always ready to build in a little extra “value” by including an additional infection technique.

Malware that uses this mechanism is easy for a scanner with this heuristic to spot, but it’s better to disable Autorun by default than to rely on antivirus detecting it in every case.

6. Win32/Conficker

Previous Ranking: 7
Percentage Detected: 1.62%

The Win32/Conficker threat is a network worm originally propagated by exploiting a vulnerability in the Windows operating system. This vulnerability is present in the RPC sub-system and can be remotely exploited by an attacker without valid user credentials. Depending on the variant, it may also spread via unsecured shared folders and by removable media, making use of the Autorun facility enabled by default in older versions of Windows (though not in Windows 7).

Win32/Conficker loads a DLL through the svchost process. This threat contacts web servers with pre-computed domain names to download additional malicious components. Fuller descriptions of Conficker variants are available at http://www.eset.eu/buxus/generate_page.php?page_id=279&lng=en.

While ESET has effective detection for Conficker, it’s important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since October 2008, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available at http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx. While later variants dropped the code for infecting via Autorun, it can’t hurt to disable it: this will reduce the impact of the many threats we detect as INF/Autorun. The Research team in San Diego has blogged extensively on Conficker issues: http://www.eset.com/threat-center/blog/?cat=145.

It’s important to note that it’s possible to avoid most Conficker infection risks generically, by practicing “safe hex”: keep up-to-date with system patches, disable Autorun, and don’t use unsecured shared folders.

7. Win32/Dorkbot

Previous Ranking: 7
Percentage Detected: 1.52%

Win32/Dorkbot.A is a worm that spreads via removable media. The worm contains a backdoor and can be controlled remotely. The file is run-time compressed using UPX.
The worm collects login user names and passwords when the user browses certain web sites, then attempts to send the gathered information to a remote machine.

8. Win32/Ramnit

Previous Ranking: 9
Percentage Detected: 1.35%

Win32/Ramnit is a file infector: a virus that executes on every system start. It infects DLL and EXE files and also searches for HTM and HTML files to write malicious instructions into them. It exploits a vulnerability on the system (CVE-2010-2568) that allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send gathered information, download files from a remote computer and/or the Internet, run executable files, or shut down/restart the computer.

9. Win32/Qhost

Previous Ranking: 10
Percentage Detected: 1.15%

This threat copies itself to the %system32% folder of Windows before starting. It then communicates over DNS with its command and control server. Win32/Qhost can spread through e-mail and gives control of an infected computer to an attacker.

10. Win32/Virut

Previous Ranking: n/a
Percentage Detected: 0.95%

Win32/Virut is a polymorphic file infector. It affects files with EXE and SCR extensions by adding the threat itself to the last section of the file’s code. Additionally, it searches for HTM, PHP and ASP files and adds a malicious iframe to them. The virus connects to the IRC network and can be controlled remotely.


PC Support Scams: still keeping us amused

David Harley CITP FBCS CISSP ESET Senior Research Fellow

A version of this article previously appeared on the Chainmailcheck hoax/scam blog.

It’s been a while since I picked up the phone and found myself talking to a support scammer. That may be in part because I’m less likely to pick up a call that is flagged as ‘International’, ‘Withheld’ or ‘Unknown number’. But when I do pick up a suspiciously anonymous call, it’s usually a different kind of scam, PPI reclaim voice spam (mostly automated), and so on.

I haven’t missed it a bit. So when someone with a hard-to-parse Asiatic accent came on the line and started a familiar spiel, it was never likely that I was going to play along for any length of time. Life is too short.

The spiel, by the way, opens something like this, in my experience. Your mileage may vary.

“Am I speaking [or 'Can I speak to'] to Mr Jones?”

In this case, as in most of the support scams I get, the fact that I wasn’t the person the scammer was expecting made no difference at all, though he did apologize profusely for getting my name wrong. Sometimes, though, the scammer will go to some length to tell you who you are and where you live, no doubt so that you will believe them when they tell you that they know that your PC is having problems (or causing them for someone else). However, if they manage to get your details right, that only really means that they’ve managed to check them in a directory.

Actually, the name they usually use when they call me isn’t Jones, and I sometimes get calls that appear to be legitimate asking for the same person, so I guess there is a wrong entry on a directory or customer lead list somewhere. My rule of thumb is that if the caller apologizes for bothering me and rings off, it’s probably a legitimate call that neither of us have any interest in. Though if the intended call was a sales call, that might raise a question as to whether they’d checked that the number was registered with the UK’s Telephone Preference Service, a “do not call” list. Still, if they thought they were dealing with a customer, it’s a grey area, at worst.

On this latest occasion, though, the scammer didn’t go into the ‘you are leaking viruses onto the entire Internet’ spiel: instead, having ascertained that I actually had a computer, he started to tell me about computer errors and how they were worse than viruses because anti-virus software doesn’t detect them. As he didn’t seem deterred by my bursting into laughter, I told him that I’m a security researcher specializing in exposing support scams. As he didn’t seem to know what a support scam is, I started to explain it to him, but he rang off. So I don’t know exactly where he was going: no doubt he was going to ‘prove’ to me – perhaps with Event Viewer or ASSOC – that my system was at risk. But while I’m always interested in the latest scammer ploys, sometimes you just don’t want to waste a Friday evening scammer baiting. Still, it seems that this is not an unusual approach: this, for instance, was a recent comment to one of my earlier blogs:

“…Said they were getting errors from my machine and my harddrive was corrupted. He prompted me to look at the event viewer, where I scrolled down and came to the first error which I tried to relate to him but he said that is all he needs and the error proves that my machine is infected. I have a good virus program and a good malware program I told him, but he said that the malware was undetectable.”

Other recent comments showed that some people are still getting a certain amount of amusement out of yanking the chains of these wretched people. One of them interrupted their spiel by coming over all Anonymous:

We are Anonymous
We are one we are Many
We do not forgive
We do not forget
Expect US….

It amused me, too. I can’t guarantee that this will work in all cases, though.

Another told us:

“I did a quick search on Google for CLSID and found many examples of what a CLSID should look like. I quoted one of them to her and she freaked out because obviously I’m infected. So, I pretended to freak out too. I started screaming for my husband and quoting scripture. Having a blast by now. I kept yelling ‘save me Jesus!’ over and over. Then I begged her to please, please help me. What in the world am I to do? Poor helpless me!”

And finished off by telling the scammer in no uncertain terms what to expect if their paths crossed. Scary.

If you’re not familiar with this class of cold-call scam, here’s a paper a quartet of us (Martijn Grooten of Virus Bulletin, Steve Burn of Malwarebytes, my former colleague Craig Johnston and myself) presented at Virus Bulletin last year. It’s pretty comprehensive: My PC has 32,539 errors: how telephone support scams really work.

Other papers and blogs written or part-written by ESET researchers:

Education as Data Defense

Stephen Cobb, CISSP
Senior Security Researcher, ESET North America

One possible consequence of an information security failure is the compromise of personal information known as a data breach. Each year, the Ponemon Institute tracks the total cost of data breaches based on a broad sample of companies, then calculates the average cost per capita (or person exposed). The latest figure: $136 per record. That’s a global average, up from $130 in the previous year’s study (based on incidents at 277 companies in 9 countries, the May 2013 report was sponsored by Symantec).

Clearly, digital information systems that handle confidential personal data are crucial to much of what we do today, either as consumers or business people, and failure to protect those systems can have costly consequences. (Bear in mind that the Ponemon research found organizations in Germany and the U.S. experienced significantly higher costs, $199 and $188 respectively). Nevertheless, many people still seem to think we can keep these systems secure, always available, and always accurate, without providing the people who use them with relevant security training. That’s like thinking we can have a safe and reliable transportation system without well-trained mechanics and properly licensed vehicle operators.

Last year, ESET conducted two surveys in America to better understand this phenomenon of cybersecurity under-education. We asked employed Americans if they had ever received computer security training of any kind from their employer. Only 32% said they had. In a second study, we asked a different group of Americans if they had ever taken any classes or training related to protecting their computer and/or personal information. For 68% of respondents, the answer was never. In other words, we can assume that less than a third of the workforce has any cyber security training at all.

This is a serious problem and Verizon’s 2013 Data Breach Investigation Report speaks to this problem: The difficulty level of unauthorized intrusions into systems was rated as “low” in 78% of cases. Of course, the reality of a workforce under-educated in the realm of data defense is not news to criminals and other bad actors intent on abusing information technology for their own ends. They already know that employees are often the weakest link in an organization’s information security.

As long as high tech security measures can be beaten by low tech attacks that exploit human weaknesses—such as inadequate knowledge and understanding—our data and systems will remain at risk of serious compromise. If your organization needs to be persuaded to spend money on security awareness and training try sharing this calculation: 7,500 customer records exposed at a cost of $136 per record = more than $1 million.

When you consider that equation, spending money on information security training and awareness makes a lot of sense, on the organizational level and within society as a whole. After all, data breaches are not a rare occurrence these days. One reason for this is the underground market in stolen data that is now thriving. Yet some organizations still don’t realize that the personally identifiable information stored in their systems, be it customer records or employee records or data managed for a third party, is a target for cyber criminals.

Right now, the burden for security training falls mainly on companies, with some help from organizations like Securing Our eCity and Ciber Seguridad. However, in the future your organization could be spared some of these costs if your country was committed to teaching cybersecurity hygiene to everyone, from an early age. We have not yet seen that kind of commitment in America, but that does not mean it is not possible. For example, in Estonia they have made cybersecurity training part of elementary-level school curriculum and they are working on expanding the program into preschool. Clearly, the time to invest in computer security training for employees is now, both at work and in our schools.

Monthly Threat Report: July 2013

Top_10_ELG_julio_13_eng

The Top Ten Threats

1. Win32/Bundpil

Previous Ranking: 1
Percentage Detected: 3.78%

Win32/Bundpil.A is a worm that spreads via removable media. The worm contains an URL address, and it tries to download several files from the address. The files are then executed and the HTTP protocol is used.  The worm may delete the following folders:
*.exe
*.vbs
*.pif
*.cmd
*Backup.

2. HTML/ScrInject

Previous Ranking: 2
Percentage Detected: 2.30%

Generic detection of HTML web pages containing obfuscated script or iframe tags that automatically redirect to the malware download.

3. INF/Autorun

Previous Ranking: 3
Percentage Detected: 2.23%

This detection label is used to describe a variety of malware using the file autorun.inf as a way of compromising a PC. This file contains information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by a Windows PC user. ESET security software heuristically identifies malware that installs or modifies autorun.inf files as INF/Autorun unless it is identified as a member of a specific malware family.

Removable devices are useful and very popular: of course, malware authors are well aware of this, as INF/Autorun’s frequent return to the number one spot clearly indicates. Here’s why it’s a problem.

The default Autorun setting in Windows will automatically run a program listed in the autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices: while this isn’t always the program’s primary distribution mechanism, malware authors are always ready to build in a little extra “value” by including an additional infection technique.

While malware that uses this mechanism is easy for a scanner with this heuristic to spot, it’s better to disable the Autorun function by default than to rely on antivirus to detect it in every case.
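The INF/Autorun heuristic described here (and in the earlier Autorun paragraph of the July 2014 list) can be illustrated with a small triage script. This is an added example, not ESET’s detector: the extension list, the constructed sample files and the `triage_autorun` name are assumptions of the example.

```python
"""Heuristic triage of autorun.inf files, modelled on the INF/Autorun heuristic
the report describes. Added example; not ESET's own detection logic."""
import re
from dataclasses import dataclass, field

# Extensions the report lists for Bundpil's payloads, plus common launchers.
# Assumption of this example, not a list taken from ESET.
EXEC_EXTENSIONS = (".exe", ".vbs", ".pif", ".cmd", ".bat", ".com", ".scr")

# [autorun] keys that make Windows run a program on insertion or double-click.
# icon= and label= only change how the drive is displayed and are ignored.
LAUNCH_KEYS = {"open", "shellexecute"}


@dataclass
class AutorunVerdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def parse_autorun(text: str) -> dict:
    """Return {key: value} for the [autorun] section, keys lower-cased.
    Comments, blank lines and other sections are skipped."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            in_autorun = header.group(1).strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_target(value: str) -> str:
    """Program named by an open=/command= value, with arguments stripped."""
    value = value.strip()
    if value.startswith('"'):                   # quoted path, may contain spaces
        end = value.find('"', 1)
        return value[1:end].lower() if end > 0 else value[1:].lower()
    return value.split()[0].lower() if value else ""


def triage_autorun(text: str) -> AutorunVerdict:
    """Flag an autorun.inf that would execute a program automatically."""
    reasons = []
    for key, value in parse_autorun(text).items():
        # shell\<verb>\command= rebinds Explorer's context-menu verbs (open,
        # explore, ...) so that even a cautious double-click runs the payload.
        is_verb_cmd = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or is_verb_cmd:
            target = launch_target(value)
            if target.endswith(EXEC_EXTENSIONS):
                reasons.append(f"{key}= runs {target}")
    return AutorunVerdict(bool(reasons), reasons)


# Constructed samples, not real files from any malware family.
BENIGN_CD = """[autorun]
icon=setup.ico
label=Product Disc
"""

WORM_STICK = """; constructed sample
[AutoRun]
open=files\\update.exe
shell\\open\\command="files\\update.exe" /silent
shell\\explore\\command=files\\update.exe
shell=open
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

if __name__ == "__main__":
    for name, sample in (("benign CD", BENIGN_CD), ("USB stick", WORM_STICK)):
        verdict = triage_autorun(sample)
        print(name, "->", "SUSPICIOUS" if verdict.suspicious else "clean", verdict.reasons)
```

A real scanner would also look at the files the entries point to; this script only answers the question the heuristic asks, namely whether the INF would launch code at all.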

4. Win32/Sality

Previous Ranking: 5
Percentage Detected: 2.18%

Sality is a polymorphic file infector. When run, it starts a service and creates/deletes registry keys related to security activities in the system, so as to ensure that the malicious process starts on each reboot of the operating system.
It modifies EXE and SCR files and disables services and processes related to security solutions.
More information relating to a specific signature:
http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah


5. HTML/Iframe

Previous Ranking: 6
Percentage Detected: 2.04%

Type of infiltration: Virus
HTML/Iframe.B is generic detection of malicious IFRAME tags embedded in HTML pages, which redirect the browser to a specific URL location with malicious software.
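The two web-page injection patterns in this report, the obfuscated scripts HTML/ScrInject covers and the hidden iframes HTML/Iframe.B detects (and that Virut and Ramnit plant in htm files), can be checked statically. This is an added example and not ESET’s detection code; the thresholds, the `scan_html` and `site_host` names and the constructed pages on the reserved `example.invalid` domain are assumptions.

```python
"""Static heuristics for hidden off-site IFRAME tags and obfuscated inline
script. Added example; not ESET's HTML/Iframe or HTML/ScrInject detection."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Decode-and-run calls: harmless alone, suspicious when most of the script
# body is escape sequences that only make sense after decoding.
SUSPECT_CALLS = re.compile(r"\b(?:eval|unescape|String\.fromCharCode|document\.write)\s*\(")
ESCAPES = re.compile(r"%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")


class _Collector(HTMLParser):
    """Gather iframe attributes and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []          # one attribute dict per <iframe>
        self.scripts = []          # one string per inline <script>
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def _tiny(dimension: str) -> bool:
    m = re.match(r"\s*(\d+)", dimension)
    return m is not None and int(m.group(1)) <= 1


def iframe_is_hidden(attrs: dict) -> bool:
    """A frame the visitor cannot see: zero/one-pixel box or CSS-hidden."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return _tiny(attrs.get("width", "")) and _tiny(attrs.get("height", ""))


def script_is_obfuscated(body: str, escape_ratio: float = 0.2) -> bool:
    """Decoder call present and at least escape_ratio of the body is escapes."""
    if not SUSPECT_CALLS.search(body):
        return False
    escaped = sum(len(e) for e in ESCAPES.findall(body))
    return escaped / max(len(body), 1) >= escape_ratio


def scan_html(html: str, site_host: str) -> dict:
    """site_host is the page's own host, so same-origin frames are not flagged."""
    c = _Collector()
    c.feed(html)
    c.close()
    hidden = []
    for attrs in c.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).netloc.lower()
        if iframe_is_hidden(attrs) and host and host != site_host.lower():
            hidden.append(src)
    return {"hidden_iframes": hidden,
            "obfuscated_scripts": sum(script_is_obfuscated(s) for s in c.scripts)}


# Constructed pages; example.invalid is a reserved, non-resolving domain.
BENIGN_PAGE = """<html><body><h1 id="h">News</h1>
<iframe src="http://video.example.invalid/embed/1" width="560" height="315"></iframe>
<script>document.getElementById('h').textContent = 'hello';</script>
</body></html>"""

# Same page after an injection: a 0x0 frame plus a script that decodes another.
INJECTED_PAGE = BENIGN_PAGE.replace("</body>", """
<iframe src="http://example.invalid/x" width=0 height=0></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fexample.invalid%2Fy%22%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E'))</script>
</body>""")
```

Expect false positives from 1x1 tracking frames on advertising-heavy pages; the value of the check is on your own site’s files, where any hidden off-site frame is a sign of tampering.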

6. Win32/Dorkbot

Previous Ranking: 7
Percentage Detected: 1.75%

Win32/Dorkbot.A is a worm that spreads via removable media. The worm contains a backdoor and can be controlled remotely. The file is run-time compressed using UPX.
The worm collects login user names and passwords when the user browses certain web sites, then attempts to send the gathered information to a remote machine.

7. Win32/Conficker

Previous Ranking: 8
Percentage Detected: 1.71%

The Win32/Conficker threat is a network worm originally propagated by exploiting a recent vulnerability in the Windows operating system. This vulnerability is present in the RPC sub-system and can be remotely exploited by an attacker without valid user credentials. Depending on the variant, it may also spread via unsecured shared folders and by removable media, making use of the Autorun facility enabled at present by default in Windows (though not in Windows 7).

Win32/Conficker loads a DLL through the svchost process. This threat contacts web servers with pre-computed domain names to download additional malicious components. Fuller descriptions of Conficker variants are available at http://www.eset.eu/buxus/generate_page.php?page_id=279&lng=en.

While ESET has effective detection for Conficker, it’s important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since the third quarter of 2008, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available at http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx. While later variants dropped the code for infecting via Autorun, it can’t hurt to disable it: this will reduce the impact of the many threats we detect as INF/Autorun. The Research team in San Diego has blogged extensively on Conficker issues: http://www.eset.com/threat-center/blog/?cat=145

It’s important to note that it’s possible to avoid most Conficker infection risks generically, by practicing “safe hex”: keep up-to-date with system patches, disable Autorun, and don’t use unsecured shared folders.

8. JS/Chromex.FBook

Previous Ranking: n/a
Percentage Detected: 1.55%

JS/Chromex.FBook is a trojan that posts messages to user profiles on Facebook. Depending on the variant of the family, the threat could be a malicious Google Chrome or Mozilla Firefox extension/plugin.

9. Win32/Ramnit

Previous Ranking: 9
Percentage Detected: 1.41%

Win32/Ramnit is a file infector: a virus that executes on every system start. It infects DLL and EXE files and also searches for HTM and HTML files to write malicious instructions into them. It exploits a vulnerability on the system (CVE-2010-2568) that allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send gathered information, download files from a remote computer and/or the Internet, run executable files, or shut down/restart the computer.

10. Win32/Qhost

Previous Ranking: 10
Percentage Detected: 1.26%

This threat copies itself to the %system32% folder of Windows before starting. It then communicates over DNS with its command and control server. Win32/Qhost can spread through e-mail and gives control of an infected computer to an attacker.

Keyboards and Keywords

David Harley, ESET Senior Research Fellow

A version of this article also appeared on the Anti-Phishing Working Group blog.

The Wikipedia entry for ‘error message’ includes a number of infamous (and confusing) error messages, though it doesn’t include my all-time favourite:

Keyboard not found! Press any key to continue

And no, that’s not an urban legend. While I’m not sure that was the exact wording, I did see more or less that same error message two or three times back in the days when user support was part of my job.

The reason that I was scouring the web for links related to ‘error messages’ and ‘security alerts’ is this: I happened across an article on the American Psychological Association web site that told me that Gary Brase (a psychologist) and Eugene Vasserman (a computer security researcher), of Kansas State University, have been given a $150,000 grant for research into developing more effective online alerts. I don’t know how many security companies have explored this approach – though I don’t believe for a moment that no security company has ever involved psychologists, focus groups, and ergonomists (amongst others with interest and expertise in aspects of human-computer interaction) in the development of a product and its user interface – but I’m sure we’ve all seen enough in the way of confusing software-generated alerts to agree that some software could do with a little more attention to the HCI dimension. There is a special place in my heart for the sort of alert that we often see along the lines of ‘EICAR test virus not-a-virus detected’.

In fact, while I may be biased – my own academic background was originally in social sciences, computer science being a later add-on – I don’t think that computer security that’s focused entirely on bits and bytes is ever going to solve the world’s problems with cybercrime, cyber-espionage, and all the other cyber-issues du jour. Certainly the kind of security alert that leaves the user wondering “What the heck does that mean? What does the darn thing want me to do?” is failing some kind of usability test.

The APA article includes a couple of examples cited by Brase:

“Do you want to trust this signed applet?” or “This application’s digital signature has an error; do you want to run the application?”

Frankly, I’ve seen far more confusing examples guaranteed to have the end user running to the nearest wall to bang his head against it. Such as any message that includes an error code or a hex string, or something like ‘unknown error scanning file [filename]’, or even a blank message box, but these examples do finger an essential problem with security alerts that I’m not sure $150k is going to be enough to fix.

The problem with Brase’s examples isn’t the wording, it’s conceptual. If the algorithm behind the program isn’t able to make a reliable determination of the risk, why should we expect the everyday user to be able to? Actually, he might: maybe he knows that a site is (normally) OK, even if he can’t be sure that it hasn’t been compromised in some way. Software has the disadvantage that it can only deduce intent from the programmatic characteristics of a program, or from automated textual analysis. And while filtering has progressed immeasurably from the days when phrases like ‘magna cum laude’ or the name Scunthorpe triggered porn detection algorithms all over the globe, there are still many contexts where an informed human being can make a better decision than an email or web filter. But ‘informed’ people aren’t the main target for research like this: rather, Brase states that “Good security alerts should be tailored for all types of users, no matter what their intent,” which suggests a wide range of skill/knowledge levels, as well as a wide range of target sites. There’s an important point there: I’m in agreement with being in touch with the intent of the user as well as that of the malefactor. In fact, Jeff Debrosse and I wrote a paper a few years ago in which we suggested that security companies could increase their effectiveness by incorporating analysis of the user’s behaviour into the software as well as analysis of programmatic behaviour – Malice Through the Looking Glass: Behaviour Analysis for the Next Decade – though I’m not holding my breath waiting for that approach to catch on. It is one way, potentially, of addressing another of Brase’s points: i.e. that ‘user education has not kept pace with the increasing complexity of Internet transactions.’ That, at least, is perfectly true. I’m all for making computers people-literate (the very apposite title of a book by Elaine Weiss).

The logical flaw here, though, is this: improving the presentation of security alerts won’t make security software (or other software with some security functionality, such as a browser using technology like Google’s Safe Browsing, for example) any more capable of discriminating between human motivation than it already is. That’s not such a negative comment as it sounds: programmatic filters don’t in themselves ‘detect’ malicious intent, but they do reflect the programmer’s understanding of some behaviour – programmatic or semantic – characteristic of malicious intent. But malicious behaviour is not a constant, not static. The average security program is a long way from achieving the same discrimination in analysing textual content that a moderately psychologically-aware human being is capable of.

The Google technology is actually a pretty good illustration of the limitations of technology for countering attacks that are primarily social engineering. Google tells us that Safe Browsing currently flags an impressive 10,000 sites per day as malicious, data that it now draws on for its Transparency Report. Yet phishing is considered to be a more effective attack than ever, many years after it first came to prominence as a major threat, though email is no longer its primary entry point, whereas web browsers and web-hosted services such as social media account for a high proportion of phish delivery.

This is by no means a criticism of Safe Browsing, which is a very useful layer of protection for web users (not just Chrome users – the technology is used by Firefox and Safari too), and I applaud their efforts. After all, anti-malware technology isn’t capable of detecting 100% of malicious programs and URLs either: if it were, this would be a very different world. For a start, we wouldn’t need to pop up any alerts asking users to answer questions they don’t understand: we’d simply tell them that the site or application they were trying to access would not be allowed to run, as the app believed it to be malicious.

But here in the real world, we need to bear in mind that there are plenty of malicious sites and other vectors out there – our lab processes several hundred thousand threats per day, and they don’t all come from those 10,000 web sites. So while Google’s Transparency Report statistics may prove interesting and useful – and no doubt have some PR value – end users should continue to be vigilant and take care in selecting which sites they visit, rather than assuming that they can click where they like because they have protection.

It’s not all bad news, though. I’ve just seen what may be the most inept 419 scam email of all time.

  • The sender is one Gen Peter Blay
  • The subject line reads “1”
  • The body text: well, technically, there is no body text. However, there is a signature: “your retrieve donation”

It’s hard to believe that there is anyone naïve enough to fall for that. Not least because it’s unclear from that what the scam actually is (presumably some form of advance fee fraud, though), let alone what the scammer needs the victim to do in order to execute the scam.

In other contexts, I’d probably write this off as an example of a spammer/scammer test run. In this case, though, I’m in some doubt as to whether he’ll work out how to do a 419 spam run before he expires from starvation. But perhaps I’m doing him an injustice. In that case, Gen Pete, just send the million dollars to me care of the ESET North America office.
