Win32/Obfuscated was the top threat during August, according to ESET, whose global infection reporting system, ThreatSense.Net, collects detection statistics from users worldwide. Obfuscated threats accounted for 7.58% of all detections, the largest single entry in the top 10.
Obscured by codes…
During the month of August, close to 7.58% of all detections were for obfuscated threats. The label Win32/Obfuscated identifies malicious software that uses various code-obfuscation methods to hide its malicious functionality from ESET’s NOD32 and other scanners. It is a generic name that ESET applies to a variety of Windows threats using obfuscation techniques such as runtime packing, polymorphism and junk code injection; often these threats are variants of the same family, differing only slightly from one another.
Secret Agents…
Second in the ranking for August we find Win32/Agent, which reached 3.40% of detections last month. Once again, the label “Agent” is given to a wide range of Trojan threats that act as ‘agents’ on the compromised machine: they may connect back to a central command server to receive instructions, or open a backdoor on the victim's system through which an attacker can control the machine. These detections are based on the generic detection algorithms in ESET’s NOD32, which can identify a wide variety of new threats without a signature update.
Animania…
In third place we find Win32/TrojanDownloader.Ani.gen. This threat exploits a recently discovered vulnerability in the way Windows processes animated cursor (.ani) files. Attackers use the flaw to run malicious code on the system, which then downloads additional malicious files to the victim’s machine. Again, this is a generic detection covering any attempt to exploit this vulnerability, regardless of the payload it carries.
The Fourth Protocol…
Win32/Agent.ARK was number 4 in August with around 2.33% of detections. This malware connects to a command and control server that appears to be located in Singapore. Its purpose is to keep control of an infected system for future use: it can execute commands on the infected host and download additional software. Very often such botnet software is able to update itself with new components that add functionality and help it evade detection by signature-based anti-virus software.
Taking the Fifth…
The fifth place in the August ranking was once again held by Win32/Adware.Virtumonde. This is a potentially unwanted application used to deliver advertisements to the user’s PC. Detection of such objects is optional in ESET’s NOD32, but many users do not realize they have installed these ad-serving programs and do not want them on their systems.
Six of the worst…
Below Virtumonde we find Win32/Adware.Ezula, a piece of malware that carries the icon of a normal installer but, when a user double-clicks the file, displays no dialog at all. The installation of this unwanted software is completely silent and gives the user no information about what is being installed on the system; how much consent or information the user is given is an important factor in deciding whether something is malware. Once installed on a victim's system, the software downloads and executes additional components from a website currently located in the Philippines. Furthermore, it keeps track of search keywords, which are then sent to a predefined list of websites. Finally, it sporadically displays ads while the user browses the Internet, often targeted according to the victim’s browsing habits.
Unlucky Seven…
In seventh place we find INF/Autorun, which once again identifies a generic variety of malware threats that use the file autorun.inf to load. The file autorun.inf tells Windows which program to run automatically when removable media (USB keys, CDs, etc.) are inserted into a computer. Malware that installs via, or modifies, autorun.inf files is detected as INF/Autorun by ESET NOD32; malware spreading on USB sticks is therefore often detected under this name.
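As an added illustration (not part of the ESET report, and not ESET's detection code), the Python below applies the same idea as the INF/Autorun detection to the file format described above: it parses an autorun.inf and reports every directive that would cause a program to run when the media is inserted or double-clicked. The autorun.inf syntax and the meaning of the open, shellexecute, shell and shell\verb\command keys are standard Windows behaviour; the executable-extension list, the list of mimicked AutoPlay prompt strings and both sample files are constructed for this example and are assumptions, not data from the report.

```python
import re

# [autorun] keys that start a program. "open" and "shellexecute" run on media
# insertion (AutoRun); "shell\<verb>\command" binds a program to an Explorer
# context-menu verb, and "shell=<verb>" makes that verb the double-click default.
LAUNCH_KEYS = ("open", "shellexecute")
# Extensions treated as runnable payloads (heuristic list, an assumption of this example).
EXECUTABLE_EXT = re.compile(r"\.(exe|com|scr|pif|bat|cmd|vbs|vbe|js|jse|wsf|hta)\b",
                            re.IGNORECASE)
# Prompt texts that imitate Explorer's own AutoPlay entries, so the user picks the
# hostile action without noticing (heuristic list, an assumption of this example).
MIMICKED_PROMPTS = ("open folder to view files",)


def parse_autorun(text):
    """Parse autorun.inf (INI syntax) into {section: {key: value}}.

    Section and key names are lower-cased because Windows matches them
    case-insensitively; blank lines, ';' comments and a leading BOM are skipped;
    a repeated key keeps the last value, which is what the shell does."""
    sections = {}
    current = None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray text outside any section, or a malformed entry
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(autorun):
    """Yield (key, command) for every [autorun] entry that launches a program."""
    for key, value in autorun.items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            yield key, value


def assess(text):
    """Return a list of reasons the autorun.inf looks like a malware loader.

    An empty list means nothing launch-related was found. A genuine installer
    CD with 'open=setup.exe' is flagged too: like INF/Autorun itself this is a
    generic check on the loader mechanism, not a verdict on the launched file."""
    autorun = parse_autorun(text).get("autorun", {})
    reasons = []
    for key, cmd in launch_targets(autorun):
        if EXECUTABLE_EXT.search(cmd):
            reasons.append(f"{key}={cmd} launches a program")
    default_verb = autorun.get("shell", "").lower()
    if default_verb and f"shell\\{default_verb}\\command" in autorun:
        reasons.append(f"shell={default_verb} redirects the default double-click action")
    if autorun.get("action", "").lower() in MIMICKED_PROMPTS:
        reasons.append(f"action={autorun['action']!r} imitates Explorer's own AutoPlay prompt")
    return reasons


# Constructed samples (not taken from the report): a plain CD label file and a
# USB-worm style loader that hides its payload under a RECYCLER folder.
BENIGN_INF = """[autorun]
icon=setup.exe,0
label=Product CD
"""

WORM_INF = """\ufeff[AutoRun]
; junk padding lines are common in hostile files
Open=RECYCLER\\update.exe
ShellExecute=RECYCLER\\update.exe
shell\\open\\command=RECYCLER\\update.exe
shell\\explore\\command=RECYCLER\\update.exe
shell=Open
action=Open folder to view files
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

if __name__ == "__main__":
    for name, inf in (("benign", BENIGN_INF), ("worm", WORM_INF)):
        reasons = assess(inf)
        print(f"{name}: {'SUSPICIOUS' if reasons else 'clean'}")
        for reason in reasons:
            print("  -", reason)
```

Running the script prints the benign sample as clean and lists six reasons for the worm-style sample: four launch directives pointing at an executable, the shell= override of the default action, and the forged "Open folder to view files" prompt. The icon= line is deliberately ignored, since it names a resource to display rather than a program to run.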
Final Remains…
In the last three positions of the August TOP 10 we find two Trojans (Win32/Rjump.A – last month’s number two - and Win32/Agent.AB), and a mass mailing worm (Win32/Pacex.gen). The three threats garner between 1.32% and 1.67% of all detections each.
Worldwide Coverage with ESET’s ThreatSense.Net
Most of the malware spreading today has differing features and capabilities, and often there are several variants of each type. Because of this, in addition to updating your anti-virus solution frequently, it is important to have proactive detection features, such as those in ESET’s NOD32, in order to be protected against the new and unknown threats that appear daily.
ThreatSense.Net, which reports detection statistics from millions of client computers around the world, is believed to be the most comprehensive malware reporting system in existence.
From an original idea realized in VIRUS RADAR® (http://www.virusradar.com), the reporting system has evolved into what is now ThreatSense.Net, vastly improving the statistical data gathered. Rather than being e-mail based only, as VIRUS RADAR was, ThreatSense.Net includes data about all types of threats seen attacking user systems. The anonymous statistical information is collected from NOD32 users who enable the reporting service in the product, and it gives a more comprehensive view of the behavior and spread of malware in the real world. Data is currently collected from more than 10 million systems, and the system has tracked more than 10,000 different threats and malware families.