Monthly Threat Report: June 2015


The Top Ten Threats

1. Win32/Bundpil
Previous Ranking: 2
Percentage Detected: 3.36%

Win32/Bundpil.A is a worm that spreads via removable media. The worm contains a URL from which it tries to download several files. The files are then executed, and HTTP is used to communicate with the C&C server and receive new commands. The worm may delete files with the following extensions:
*.exe
*.vbs
*.pif
*.cmd
*Backup

2. Win32/Adware.MultiPlug
Previous Ranking: 1
Percentage Detected: 2.71%

Win32/Adware.MultiPlug is a Potentially Unwanted Application (PUA) that, once it gains a foothold on the user's system, may cause applications to display pop-up advertising windows during internet browsing.

3. LNK/Agent.BO
Previous Ranking: N/A
Percentage Detected: 2.24%

LNK/Agent.BO is a shortcut (.lnk) file that concatenates commands to execute legitimate code while running the threat code in the background. It is similar in its effect to the older autorun.inf type of threat.

4. JS/Kryptik.I
Previous Ranking: 3
Percentage Detected: 1.86%

JS/Kryptik is a generic detection of malicious obfuscated JavaScript code embedded in HTML pages; it usually redirects the browser to a malicious URL or implements a specific exploit.

5. LNK/Agent.AV
Previous Ranking: 4
Percentage Detected: 1.52%

LNK/Agent.AV is another shortcut (.lnk) file that concatenates commands to execute legitimate code while running the threat code in the background. It is similar in its effect to the older autorun.inf type of threat.

6. Win32/AdWare.ConvertAd
Previous Ranking: 5
Percentage Detected: 1.48%

Win32/Adware.ConvertAd is adware used to deliver unsolicited advertisements. It is usually a component of other malware.

7. Win32/Sality
Previous Ranking: 6
Percentage Detected: 1.37%

Sality is a polymorphic file infector. When it is executed, it creates or deletes registry keys related to the security applications on the system and adds entries that ensure the malicious process restarts each time the operating system is rebooted. It modifies EXE and SCR files and disables services and processes implemented by and associated with security solutions.

More information relating to a specific signature: http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

8. Win32/Ramnit
Previous Ranking: 7
Percentage Detected: 1.26%

This is a file infector that executes every time the system starts. It infects .dll (dynamic link library) and .exe executable files and also searches for .htm and .html files so as to insert malicious instructions into them. It exploits a vulnerability (CVE-2010-2568) found on the system that allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send information it has gathered, download files from a remote computer and/or the Internet, run executable files, or shut down/restart the computer.

9. INF/Autorun
Previous Ranking: 8
Percentage Detected: 1.22%

INF/Autorun is a generic detection of multiple malicious versions of the autorun.inf configuration file created by malware. The malicious AUTORUN.INF file contains the path to the malware executable. This file is usually dropped into the root folder of all available drives in an attempt to auto-execute the malware when the infected drive is mounted. The AUTORUN.INF file(s) may have the System (S) and Hidden (H) attributes set in an attempt to hide the file from Windows Explorer.
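As an added defender-side example (not part of the report and not ESET's code), the Python below parses the autorun.inf format INF/Autorun abuses: it extracts every command the [autorun] section would launch and, when run on Windows, records the Hidden/System attributes mentioned above. The sample file and the RECYCLER\update.exe path in it are constructed for illustration, not real indicators.

```python
import os
import stat

# [autorun] keys that run a program when the drive is mounted or opened.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return {key: command} for each launch entry in the [autorun] section.

    Covers open=, shellexecute= and shell\\<verb>\\command=; keys are compared
    case-insensitively, as Windows does for INI files.
    """
    launches, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        key = key.lower()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            launches[key] = value
    return launches


def triage_autorun_file(path):
    """Parse one autorun.inf on disk and record its Hidden/System attributes."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        launches = parse_autorun(fh.read())
    # st_file_attributes exists only on Windows; treat it as 0 elsewhere.
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return {"path": path, "launches": launches,
            "hidden": bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN),
            "system": bool(attrs & stat.FILE_ATTRIBUTE_SYSTEM)}


def scan_roots(roots):
    """Triage the autorun.inf in each drive root given, e.g. E:\\ or F:\\."""
    paths = (os.path.join(r, "autorun.inf") for r in roots)
    return [triage_autorun_file(p) for p in paths if os.path.isfile(p)]


# Constructed sample in the style INF/Autorun detects (not a real indicator).
SAMPLE_AUTORUN = """[autorun]
open=RECYCLER\\update.exe
shell\\open\\command=RECYCLER\\update.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""
```

Any drive root where scan_roots reports a launch entry pointing outside the expected product installer, especially with the hidden or system flag set, is worth quarantining before the drive is opened in Explorer.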

10. LNK/Agent.BM
Previous Ranking: N/A
Percentage Detected: 1.22%

LNK/Agent.BM is another shortcut (.lnk) file that concatenates commands to execute legitimate code while running the threat code in the background. It is similar in its effect to the older autorun.inf type of threat.
