Monthly Threat Report: August 2014

Top_10_ELG_ago_14_1200x627eng-01

The Top Ten Threats

 

1. Win32/Bundpil

Previous Ranking: 1

Percentage Detected: 2.18%

Win32/Bundpil.A is a worm that spreads via removable media. The worm contains an URL address, and it tries to download several files from the address. The files are then executed and the HTTP protocol is used.  The worm may delete the following folders:
*.exe
*.vbs
*.pif
*.cmd
*Backup.

 

2. JS/Kryptik.I

Previous Ranking: 2

Percentage Detected: 1.83%

JS/Kryptik is a generic detection of malicious obfuscated JavaScript code embedded in HTML pages; it usually redirects the browser to a malicious URL or implements a specific exploit.

 

3. Win32/Adware.MultiPlug

Previous Ranking: 7

Percentage Detected: 1.53%

Win32/Adware.Multiplug is a Possible Unwanted Application that once it’s present into the users system might cause applications to displays advertising popup windows during internet browsing.

4. Win32/RiskWare.NetFilter

Previous Ranking: 3

Percentage Detected: 1.46%

Win32/RiskWare.NetFilter is an application that includes malicious code designed to force infeted computers to engage in unwanted behaviour. It allows an attacker to remotely connect to the infected system and control it in order to steal sensitive information or install other malware.

 

5. LNK/Agent.AK

Previous Ranking: 4

Percentage Detected: 1.4%

LNK/Agent.AK is a link that concatenates commands to run the real or legitimate application/folder and, additionaly runs the threat in the background. It could become the new version of the autorun.inf threat. This vulnerability was known as Stuxnet was discovered, as it was one of four that threat vulnerabilities executed.

 

6. Win32/Sality

Previous Ranking: 5

Percentage Detected: 1.38%

Sality is a polymorphic file infector. When run starts a service and create/delete registry keys related with security activities in the system and to ensure the start of malicious process each reboot of operating system.
It modifies EXE and SCR files and disables services and process related to security solutions.
More information relating to a specific signature: http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

7. INF/Autorun

Previous Ranking: 8

Percentage Detected: 1.2%

INF/Autorun is generic detection of the AUTORUN.INF configuration file created by malware. The AUTORUN.INF file contains the path to the malware executable. This file is usually dropped into the root folder of available drives in an attempt to autorun a malware executable when the infected drive is mounted. The AUTORUN.INF file(s) may have the System (S) and Hidden (H) attributes present in attempt to hide the file in Windows Explorer

 

8. HTML/ScrInject

Previous Ranking: 6

Percentage Detected: 1.13%

Generic detection of HTML web pages containing script obfuscated or iframe tags that that automatically redirect to the malware download.

 

9. Win32/Ramnit

Previous Ranking: n/a

Percentage Detected: 1.1%

It is a File infector that executes on every system start. It infects dll and exe files and also searches htm and html files to write malicious instruction in them. It exploits vulnerability on the system (CVE-2010-2568) that allows it to execute arbitrary code. It can be controlled remotley to capture screenshots, send gathered information, download files from a remote computer and/or the Internet, run executable files or shut down/restart the computer.

 

10. Win32/Conficker

Previous Ranking: 9

Percentage Detected: 1.08%

Win32/Conficker is a worm that spreads by exploiting a vulnerability in Server Service. The file is run-time compressed using UPX. When executed, the worm copies itself into the %system% folder using the name %variable%.dll.

The worm starts a HTTP server on a random port and it connects to remote machines to port TCP 445 in attempt to exploit the Server Service vulnerability. If successful, the remote computer attempts to connect to the infected computer and download a copy of the worm.

The worm will attempt to download several files from the Internet, and then they are executed. The worm contains a list of (1) URLs. Windows Firewall is disabled. This vulnerability is described in Microsoft Security Bulletin MS08-067.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s