Monthly Threat Report: July 2012

Analysis of ESET Live Grid, a sophisticated malware reporting and tracking system, shows that the highest number of detections this month, with almost 5.46% of the total, was scored by the INF/Autorun class of threat.

Phishing Phrenzy

David Harley, ESET Senior Research Fellow

The Anti-Phishing Working Group (APWG) has recently made available its “Phishing Activity Trends Report” for the first quarter of 2012. It makes interesting reading, at any rate if you’re a collector of statistics, and most researchers are to an extent. What does it tell us about the contemporary phishing scene, or at least that part of it that APWG and its members are able to monitor? Well, for the detail, you really need the 11-page report, but here are some highlights.

  • In February, the number of unique phishing sites recorded by APWG reached an all-time high of 56,859. Well, I don’t suppose you thought that criminal activity is decreasing.
  • On the other hand, the average number of infected PCs (that means compromised by some form of malware, not just – or even primarily – viruses, of course) has declined by three points since 2011. It’s still a scary 35.51 percent, though.

You might find the breakdown of that malware by type interesting, though. The average over the three-month period looks like this:

  • Data-stealing malware and generic trojans associated with remote access to and control of compromised machines through backdoors: 35.67 percent.
  • Crimeware (malware specifically intended to attack the customers of financial institutions): 1.52 percent.
  • Other malware (all the other stuff we try to detect): 62.81 percent.

By the way, those aren’t necessarily the exact definitions ESET would use, but they’re close enough to give the general idea. What they don’t give, though, is a feel for the proportion of targeted attacks that business faces. Proofpoint polled roughly 330 attendees at the Microsoft TechEd conference in June, and concluded that 51 percent believed that their organization had definitely been targeted by spear-phishing attacks aimed at its employees. That’s a tiny survey population compared to the big numbers in the APWG report. Nevertheless, it’s based on the opinions of business users you’d expect to be knowledgeable about IT security within their companies. And that figure probably tells us spear-phishing is long past being something that only big security companies and political activists need to worry about.

ACAD/Medre.A used for scareware

Righard Zwienenberg, Senior Research Fellow, wrote a post about a free standalone cleaner for remediation of ACAD/Medre.A malware. The title of the post was “Scareware on the Piggy-Back of ACAD/Medre.A”.

ACAD/Medre.A had an impact in a single geographical region, and the threat has effectively been neutralized. Meanwhile, ESET researchers found a puzzling website that claims to help with removing this threat. The website describes ACAD/Medre.A’s symptoms as if it were ordinary malware. The described symptoms are the following:

  • Google and Yahoo searches are redirected.
  • Desktop background image and browser homepage settings are changed.
  • Low system performance.
  • Corruption of the Windows registry to deploy pop-up ads.

None of these symptoms are real in the case of ACAD/Medre.A.

The website also gives some false advice for manual removal:

  • Stop the ACAD/Medre.A process using Windows Task Manager.
  • Uninstall the ACAD/Medre.A program from Control Panel.
  • Remove all ACAD/Medre.A registry files.
  • Search for ACAD/Medre.A files on the computer and delete them.

It is worth saying that there is no ACAD/Medre.A process and no ACAD/Medre.A program to uninstall. Nor are there any real ACAD/Medre.A registry files.

Finally, a separate piece of software is offered with the promise of performing all these tasks automatically, although the real intention behind all this false information is to offer a service.

To read Righard’s account, please visit Scareware on the Piggy-Back of ACAD/Medre.A.

An updated version of an old scam

.ASIA domain name scams are still going strong. This topic was covered by our Distinguished Researcher, Aryeh Goretsky, in his post “.ASIA Domain Name Scams Still Going Strong”. Aryeh received a message in his mailbox that claimed to be from the Asian Domain Registration Service and warned him that the “ESET brand” was in danger of being registered by a third-party company. This was an updated version of an old scam that has been circulating on the web since 2004.

The scam mechanics are based on:

  • Abusing the trust of the recipient.
  • Social engineering.
  • Convincing people to register domains with names that are not needed and aren’t used by anyone else.

Some techniques are suggested to counter social engineering-based scams such as the fake Asian domain registration scam:

  • If it is possible that the message was legitimate, open a new instance of your web browser, visit a search engine and type the name of the domain name registrar along with the keywords spam, hoax or scam.
  • Messages often undergo small modifications to make them harder for anti-spam tools to detect. For this reason, it is important to flag the messages as spam to help classify them better in the future.
  • Review the email addresses published on your website. Those no longer needed could be obfuscated or replaced by a contact form.
  • It is recommended not to reply to messages sent by scammers.

You can read the whole story at .ASIA Domain Name Scams Still Going Strong.

Passwords exposed: unfortunately Yahoo! is not alone

Our colleague Stephen Cobb wrote a post entitled “Password Party Weekend? Millions exposed now include Phandroid, Nvidia, me”, in which he explains that he found one of his own email addresses in the list of Yahoo! logins exposed over a period of 45 days. Although the initial reports focused on the Yahoo! breach, other websites were also affected, such as:

  • LinkedIn
  • Nvidia
  • Phandroid

For more detailed information please visit Password Party Weekend? Millions exposed now include Phandroid, Nvidia, me.

Some highlights from the Cybercrime Corner

ESET Senior Research Fellow David Harley wrote the article “Low-Hanging Fruit in Walled Gardens” for SC Magazine’s Cybercrime Corner, focusing on the DNSChanger problem. The article covers important issues such as the problem with the assumption that some entity can accurately identify a unique infected system in every case. Some important topics treated in the article are:

  • Inappropriate disconnection of systems because of false positives.
  • The Internet ceasing to be mappable in terms of one IP address to one individual machine.

To learn more on this subject, please read the complete article Low-hanging fruit in walled gardens.

Another article by David Harley is “Rovnix Revealed”, which focuses on Win32/Rovnix, malware that uses an innovative bootkit technique to take control of an infected PC ahead of security software, targeting the Volume Boot Record rather than the more usually targeted Master Boot Record.

Some special features of this malware are:

  • Utilization of techniques for bypassing the security measures built into 64-bit Windows.
  • The same mechanism serves to evade antivirus scanning: it modifies disk areas that constitute important parts of the Windows startup process.

To learn more about this malware you can read the complete article: Rovnix Revealed.

The Top Ten Threats

1. INF/Autorun

Previous Ranking: 1
Percentage Detected: 5.46%

This detection label is used to describe a variety of malware using the file autorun.inf as a way of compromising a PC. This file contains information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by a Windows PC user. ESET security software heuristically identifies malware that installs or modifies autorun.inf files as INF/Autorun unless it is identified as a member of a specific malware family.

Removable devices are useful and very popular: of course, malware authors are well aware of this, as INF/Autorun’s frequent return to the number one spot clearly indicates. Here’s why it’s a problem.

The default Autorun setting in Windows will automatically run a program listed in the autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices: while this isn’t always the program’s primary distribution mechanism, malware authors are always ready to build in a little extra “value” by including an additional infection technique.

While using this mechanism makes the malware easy to spot for a scanner that uses this heuristic, it’s better, as Randy Abrams has suggested in our blog, to disable the Autorun function by default rather than to rely on antivirus to detect it in every case. You may find Randy’s blog useful, too.
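To make the heuristic described above concrete, here is an added example that is not ESET’s code and not part of the original report: a small parser for autorun.inf that lists which entries cause something to be launched when the media is accessed, and flags the traits that separate a worm-dropped file from a vendor driver CD. The two sample files are constructed for illustration; the RECYCLER path, the invented SID-like folder name and the “Open folder to view files” action text are patterns of the kind Autorun worms have used, not indicators taken from this report.

```python
import re

# Constructed sample autorun.inf files for illustration (not from the report).
# A driver CD that only sets an icon and a volume label: nothing is launched.
BENIGN_AUTORUN = r"""[autorun]
icon=setup.exe,0
label=Vendor Driver CD
"""

# An autorun.inf of the kind Autorun worms drop: every launch key points at an
# executable tucked into a RECYCLER folder, and the action text mimics Explorer's
# own "Open folder to view files" prompt. Folder and file names are invented.
SUSPICIOUS_AUTORUN = r"""[AutoRun]
open=RECYCLER\S-1-5-21-1482476501\update.exe
shell\open\Command=RECYCLER\S-1-5-21-1482476501\update.exe
shell\explore\command=RECYCLER\S-1-5-21-1482476501\update.exe
shellexecute=RECYCLER\S-1-5-21-1482476501\update.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
"""

# Keys whose value Windows runs when Autorun/AutoPlay honours the file.
LAUNCH_KEYS = ("open", "shellexecute")
# Folders hidden from the default Explorer view, so a payload placed there
# escapes a casual look at the drive's contents.
HIDDEN_DIR_RE = re.compile(
    r"(^|\\)(recycler|\$recycle\.bin|system volume information)(\\|$)", re.I)


def parse_autorun(text):
    """Parse autorun.inf into {section: {key: value}} with lower-cased names.

    Hand-rolled rather than configparser so that duplicate keys, odd casing
    and '%' characters (which configparser's interpolation chokes on) are
    tolerated, as they are by the real Autorun handler.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def triage_autorun(text):
    """Return human-readable findings; an empty list means nothing notable."""
    findings = []
    autorun = parse_autorun(text).get("autorun")
    if autorun is None:
        return findings
    for key, value in autorun.items():
        # open=, shellexecute= and shell\<verb>\command= all launch their value.
        launches = key in LAUNCH_KEYS or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if not launches:
            continue
        findings.append(f"{key} launches '{value}'")
        if HIDDEN_DIR_RE.search(value):
            findings.append(f"{key} points into a normally hidden folder")
    # Action text that imitates Explorer's own prompt is a social-engineering
    # tell: the user thinks they are opening the folder, not running a program.
    if "open folder" in autorun.get("action", "").lower():
        findings.append("action= mimics the Explorer 'Open folder' prompt")
    return findings


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_AUTORUN), ("suspicious", SUSPICIOUS_AUTORUN)):
        print(name, triage_autorun(sample) or ["nothing launched"])
```

The benign file produces no findings because icon= and label= never run anything; the suspicious one is flagged four times for launching a binary from a hidden folder plus once for the misleading action text. The same parser can be pointed at the root of a mounted drive to list what would have run had Autorun been left enabled.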

2. HTML/ScrInject.B

Previous Ranking: 3
Percentage Detected: 3.37%

Generic detection of HTML web pages containing obfuscated script or iframe tags that automatically redirect to the malware download.

3. Win32/Conficker

Previous Ranking: 2
Percentage Detected: 3.29%

The Win32/Conficker threat is a network worm originally propagated by exploiting a recent vulnerability in the Windows operating system. This vulnerability is present in the RPC sub-system and can be remotely exploited by an attacker without valid user credentials. Depending on the variant, it may also spread via unsecured shared folders and by removable media, making use of the Autorun facility enabled at present by default in Windows (though not in Windows 7).

Win32/Conficker loads a DLL through the svchost process. This threat contacts web servers with pre-computed domain names to download additional malicious components. Fuller descriptions of Conficker variants are available at

While ESET has effective detection for Conficker, it’s important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since the third quarter of 2008, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is also available. While later variants dropped the code for infecting via Autorun, it can’t hurt to disable it: this will reduce the impact of the many threats we detect as INF/Autorun. The Research team in San Diego has blogged extensively on Conficker issues:

It’s important to note that it’s possible to avoid most Conficker infection risks generically, by practicing “safe hex”: keep up-to-date with system patches, disable Autorun, and don’t use unsecured shared folders. In view of all the publicity Conficker has received and its extensive use of a vulnerability that’s been remediable for so many months, we’d expect Conficker infections to be in decline by now if people were taking these commonsense precautions. While the current ranking looks like a drop in Conficker prevalence, this figure is affected by the changes in naming and statistical measurement mentioned earlier: there’s no indication of a significant drop in Conficker infections covering all variants.

4. Win32/Sirefef

Previous Ranking: 6
Percentage Detected: 2.78%

Win32/Sirefef.A is a trojan that redirects results of online search engines to web sites that contain adware.

5. Win32/Dorkbot

Previous Ranking: 9
Percentage Detected: 1.65%

Win32/Dorkbot.A is a worm that spreads via removable media. The worm contains a backdoor and can be controlled remotely. The file is run-time compressed using UPX.
The worm collects login user names and passwords when the user browses certain web sites, then attempts to send the gathered information to a remote machine.

6. Win32/Sality

Previous Ranking: 8
Percentage Detected: 1.33%

Sality is a polymorphic file infector. When run, it starts a service and creates or deletes registry keys related to security activities on the system, and ensures that the malicious process starts on each reboot of the operating system.
It modifies EXE and SCR files and disables services and processes related to security solutions.
More information relating to a specific signature:

7. JS/TrojanDownloader.Iframe.NKE

Previous Ranking: 7
Percentage Detected: 1.26%

This is a trojan that redirects the browser to a specific URL location hosting malicious software. The program code of the malware is usually embedded in HTML pages.

8. Win32/Ramnit

Previous Ranking: 10
Percentage Detected: 1.17%

This is a file infector: a virus that executes on every system start. It infects DLL and EXE files and also searches HTM and HTML files to write malicious instructions into them. It exploits a vulnerability on the system (CVE-2010-2568) that allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send gathered information, download files from a remote computer and/or the Internet, run executable files, or shut down/restart the computer.

9. JS/Iframe

Previous Ranking: 5
Percentage Detected: 0.98%

JS/Iframe.AS is a trojan that redirects the browser to a specific URL location with malicious software. The program code of the malware is usually embedded in HTML pages.
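The three script-injection entries in this list (HTML/ScrInject.B, JS/TrojanDownloader.Iframe.NKE and JS/Iframe) all come down to the same two tricks: an iframe the visitor cannot see, or a script obfuscated so that the iframe is only assembled at run time. The following added example, which is not ESET’s detection logic and not part of the original report, shows a page-scanning heuristic for both: it flags iframes that are zero-sized or styled invisible, flags scripts that lean on eval() or long String.fromCharCode() lists, and decodes one level of unescape() so that an iframe hidden behind document.write() is caught too. The sample page and its bad.example hostnames are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Constructed sample page (not taken from the report): one ordinary ad iframe,
# one zero-size iframe, a script that assembles another hidden iframe through
# unescape()+document.write(), and a script that hides its text behind
# eval(String.fromCharCode(...)). The bad.example hostnames are placeholders.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="http://ads.example.net/banner" width="300" height="250"></iframe>
<iframe src="http://bad.example/in.php" width="0" height="0" style="visibility:hidden"></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//bad.example/x%22%20width%3D0%20height%3D0%3E%3C/iframe%3E'));</script>
<script>eval(String.fromCharCode(104,116,116,112,58,47,47,98,97,100,46,101,120,97,109,112,108,101));</script>
</body></html>"""

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I | re.S)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""", re.S)
UNESCAPE_RE = re.compile(r"""unescape\(\s*(['"])(.*?)\1\s*\)""", re.S)
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(\s*\d+(\s*,\s*\d+){7,}")
EVAL_RE = re.compile(r"\beval\s*\(")


def parse_attrs(attr_text):
    """Turn an iframe's attribute string into a {name: value} dict."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        name = m.group(1).lower()
        # Exactly one of the three value groups matched (double, single, bare).
        attrs[name] = next(v for v in m.groups()[1:] if v is not None)
    return attrs


def _dimension(value):
    """Parse '0', '0px' or '1%' to an int; None if there is no leading number."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def iframe_findings(html):
    """Flag iframes that a visitor would never see on the rendered page."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(1))
        width, height = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
        style = attrs.get("style", "").replace(" ", "").lower()
        tiny = (width is not None and width <= 2) or (height is not None and height <= 2)
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden:
            findings.append(f"hidden iframe -> {attrs.get('src', '')}")
    return findings


def script_findings(html):
    """Flag obfuscation idioms and decode one level of unescape() to re-scan."""
    findings = []
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1)
        # Decoded first so that findings follow the order scripts appear.
        for u in UNESCAPE_RE.finditer(body):
            decoded = unquote(u.group(2))
            findings.extend(f"decoded {f}" for f in iframe_findings(decoded))
        if EVAL_RE.search(body):
            findings.append("script uses eval()")
        if FROMCHARCODE_RE.search(body):
            findings.append("script builds text from long fromCharCode() list")
    return findings


def scan_html(html):
    """Combined verdict list for a page; empty means nothing suspicious seen."""
    return iframe_findings(html) + script_findings(html)


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE):
        print(finding)
```

A regular banner iframe with real dimensions passes untouched, while the zero-size one, the iframe reconstructed from the unescape() literal and both obfuscation idioms in the last script are each reported. Only one decoding level is attempted on purpose: deeper layers of packing are exactly the point at which an emulator, rather than a regex, is the right tool.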

10. Win32/Spy.Ursnif

Previous Ranking:
Percentage Detected: 0.85%

This is a spyware application that steals information from an infected computer and sends it to a remote location, creating a hidden user account in order to allow communication over Remote Desktop connections.

While there may be a number of clues to the presence of Win32/Spy.Ursnif.A on a system if you’re well-acquainted with esoteric Windows registry settings, its presence will probably not be noticed by the average user, who will not be able to see that the new account has been created.

In any case it’s likely that the detail of settings used by the malware will change over its lifetime. Apart from making sure that security software (including a firewall and, of course, anti-virus software) is installed, active and kept up-to-date, users’ best defense is, as ever, to be cautious and proactive in patching, and in avoiding unexpected file downloads/transfers and attachments.
