Monthly Threat Report: January 2016


1. Win32/Bundpil
Previous Ranking: 1
Percentage Detected: 4.17%

Win32/Bundpil is a worm that spreads via removable media. The worm contains a URL from which it tries to download several files. The files are then executed, and HTTP is used for communication with the command and control (C&C) server to receive new commands. The worm may delete files with the following file extensions:
*.exe
*.vbs
*.pif
*.cmd
*Backup

2. LNK/Agent.BZ
Previous Ranking: 3
Percentage Detected: 4.01%

LNK/Agent.BZ is a link that concatenates commands to execute legitimate code while running the threat code in the background. It is similar in its effect to the older autorun.inf type of threat.

3. Win32/Bayrob
Previous Ranking: N/A
Percentage Detected: 3.02%

Win32/Bayrob.D is a trojan that changes the results returned by online search engines, usually those related to eBay, UPS and AutoCheck, and acquires data and commands from a remote computer or the Internet. When executed, the trojan copies itself to the following location: %windir%\system32\WindowsUpdate.exe (163840 B). This copy is then executed.

4. LNK/Agent.AV
Previous Ranking: 5
Percentage Detected: 1.92%

LNK/Agent.AV is another link that concatenates commands to execute legitimate code while running the threat code in the background. It is similar in its effect to the older autorun.inf type of threat.

5. JS/TrojanDownloader.Iframe
Previous Ranking: 7
Percentage Detected: 1.71%

JS/TrojanDownloader.Iframe is a trojan that redirects the browser to a specific URL location serving malicious software. The malicious code is usually embedded in HTML pages.

6. HTML/iFrame
Previous Ranking: N/A
Percentage Detected: 1.54%

HTML/IFrame is a generic detection of malicious IFRAME tags embedded in HTML pages, which redirect the browser to a specific URL location serving malicious software.

7. HTML/ScrInject
Previous Ranking: 4
Percentage Detected: 1.50%

HTML/ScrInject is a generic detection of HTML web pages containing obfuscated scripts or iframe tags that automatically redirect to the malware download.
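Detections such as HTML/IFrame and HTML/ScrInject are generic and heuristic. As an added example (not ESET's code), the Python below applies two such heuristics to a constructed page: an off-site IFRAME that is tiny or hidden, and a script that calls eval/unescape over a long escaped literal. The thresholds, the host handling and the sample page are assumptions made for illustration.

```python
# Added example, not from the report: heuristic scanner for redirecting
# IFRAMEs and obfuscated scripts. Thresholds below are assumptions.
from html.parser import HTMLParser
import re

class IframeScriptScanner(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host   # host the page itself was served from
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            src = a.get("src", "")
            # assumes absolute http(s) URLs; anything else is treated as same-site
            m = re.match(r"^https?://([^/]+)", src)
            host = m.group(1) if m else self.page_host
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
            # classic drive-by pattern: off-site frame the user is not meant to see
            if host != self.page_host and (tiny or hidden):
                self.findings.append(("iframe", src))
        elif tag == "script":
            self._in_script = True

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._script_buf)
            self._in_script, self._script_buf = False, []
            # obfuscation marker: eval/unescape applied to a run of >=20 escapes
            if re.search(r"\b(eval|unescape)\s*\(", body) and \
               re.search(r"(%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}){20,}", body):
                self.findings.append(("script", "eval/unescape over long escaped literal"))

def scan_html(html, page_host):
    s = IframeScriptScanner(page_host)
    s.feed(html)
    s.close()
    return s.findings

SAMPLE_PAGE = (  # constructed sample, not a real capture
    '<html><body><p>Hello</p>'
    '<iframe src="http://bad.example/x.html" width="1" height="1"></iframe>'
    '<iframe src="http://example.com/widget" width="300" height="200"></iframe>'
    '<script>eval(unescape("' + "%61%62" * 12 + '"));</script>'
    '</body></html>'
)
```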

8. Win32/Sality
Previous Ranking: 8
Percentage Detected: 1.46%

Sality is a polymorphic file infector. When it is executed, it creates or deletes registry keys related to security applications on the system and ensures that the malicious process restarts each time the operating system is rebooted.
It modifies EXE and SCR files and disables services and processes implemented by and associated with security solutions.

More information relating to a specific signature: http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

9. LNK/Agent.BS
Previous Ranking: 6
Percentage Detected: 1.39%

LNK/Agent.BS is another link that concatenates commands to execute legitimate code while running the threat code in the background. It is similar in its effect to the older autorun.inf type of threat.

10. Win32/Ramnit
Previous Ranking: 9
Percentage Detected: 1.36%

This is a file infector that executes every time the system starts. It infects .dll (dynamic-link library) and .exe (executable) files and searches for .htm and .html files into which it can insert malicious instructions. It exploits a vulnerability (CVE-2010-2568) found on the system that allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send information it has gathered, download files from a remote computer and/or the Internet, and run executable files or shut down/restart the computer.
