Israeli cybersecurity firm Check Point has released its list of September’s most wanted malware. A notable feature of this report is that, for the first time, a ransomware family has taken a spot in the top three. Ransomware is known to be very menacing, but it has never occupied a top spot because of the relatively low number of infections compared to the other Trojans. Locky, which has a new variant in circulation, represents the ransomware family at number 3 among September’s most wanted malware. In August there was a spike in the number of Locky infections across the globe, which landed it at number 3 in the list.
Here is the list compiled by Check Point:
Conficker has once again topped the list of 10 most wanted malware. First detected in November 2008, it is a computer worm that targets the Microsoft Windows operating system. It is also known by several other names such as Downup, Downadup and Kido. It works by exploiting flaws in Windows software and performing dictionary attacks on administrator passwords to propagate while forming a botnet. Countering it remains difficult even now because of its combined use of many advanced techniques. It surpassed the infamous Welchia infection of 2003 and has emerged as the largest known computer worm infection ever, affecting millions of computers, including government, business and home computers, in over 190 countries. Among the key features of this malware is its ability to disable Windows system security, thereby allowing remote operations and data theft. The infected machines are then controlled as a botnet, which receives instructions from a command and control server upon contact.
Sality, first discovered in 2003, is not an individual piece of malware but a classification for a family of malware that infects files on Microsoft Windows. Over the years it has advanced to become a dynamic and enduring malware family, which is what makes it quite deadly. Once infected by Sality, systems tend to communicate over a peer-to-peer (P2P) network for various purposes such as relaying spam, proxying communications, exfiltrating sensitive data, and compromising web servers. In the last five years, a few variants under this classification have started using rootkit functions. Because of its continued advancement and increasing complexity and sophistication, Sality is considered one of the most formidable forms of malware to deal with.
The Locky ransomware constitutes 97% of all the malicious emails sent in Quarter 3, 2016. It is one of the most prevalent spam-borne malware families in the wild today. Locky e-mails usually come with an attached zip archive which, once extracted, may contain a document or a JavaScript file. The Locky ransomware we discovered included a JavaScript file that potentially downloads and runs an executable. The executable is the focal point of analysis and the latest version of the ransomware.
Cutwail was first found in 2007 and affects systems running Microsoft Windows. It is essentially a botnet that is involved in sending spam e-mails as well as DDoS attacks. It is not a self-installing bot but is installed on infected machines by a Trojan component called Pushdo. After installation, the bot connects directly to the remote server and receives instructions about the emails it should send. Once the task is completed, the bots connect again to the spammer and report the statistics of their operation.
Zeus, also known as Zbot, is a Trojan that infects different versions of Microsoft Windows. It is mostly used to steal banking information through various malicious techniques such as man-in-the-browser attacks, keystroke logging and form grabbing. In addition, it has been used to install the infamous CryptoLocker ransomware. It was first identified in 2007 when it was used to steal information from the United States Department of Transportation. Mainly spread through drive-by downloads and phishing schemes, it has gained notoriety for compromising over 75,000 FTP accounts of organisations such as Bank of America, NASA, Monster.com, ABC, Oracle and Amazon.
Chanitor, also known as Hancitor, is a malware family that uses multiple attack vectors to succeed. The attackers behind Chanitor use many methods, including uncommon API abuse and PowerShell techniques. The Chanitor email campaigns contain malicious attachments that deliver Chanitor onto the target’s computer. Once the attachment is opened by the target, the malware is downloaded and executed. It then drops a payload that in turn downloads the Pony DLL and Vawtrak malware, which steal data from the victim’s computer and relay it back to a command and control (C&C) server.
Tiny Banker Trojan, also called Tinba, is a malware program that targets financial institution websites. Tinba is a modified form of an older class of malware known as banker Trojans, yet it is much smaller in size and more powerful. It works by establishing man-in-the-browser attacks and network sniffing. Since its discovery, it has been found to have infected more than two dozen major banking institutions in the United States, including TD Bank, Chase, HSBC, Wells Fargo, PNC and Bank of America. It is designed to steal users’ sensitive data, such as account login information and banking codes.
Cryptowall is another ransomware on the list that is mostly distributed through spam emails, though malicious ads, infected websites and other malware are also used to distribute it. A typical email contains a malicious attachment carrying the ransomware and a message that attempts to socially engineer the user into downloading the file. The subject of the email mostly uses pretexts such as invoices, undelivered packages and fax reports. Once the user opens the attachment, the ransomware is executed and all files are encrypted. Another striking feature of Cryptowall is the use of the Rig and Nuclear exploit kits to spread it.
First released in 2012, Blackhole is an exploit kit designed to deliver a malicious payload to a victim’s computer. According to various reports, the majority of infections due to the Blackhole exploit kit were carried out in a series of high-volume spam runs. An interesting feature of the Blackhole exploit kit is the tracking mechanism it contains. This feature allows the people operating the kit to keep themselves updated about the victims who arrive on the kit’s landing page. The information tracked provides a detailed breakdown of the victim’s country, operating system, browser and the software on the victim’s computer that was exploited.
Nivodort is a malicious file that arrives as a .zip attachment in spam emails. Once downloaded by the user, it installs itself and then downloads other malware. Apart from downloading other malware, Nivodort can also steal the victim’s sensitive data, including online banking credentials and the login credentials of email and social media accounts.
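Locky, Cryptowall and Nivodort all arrive the same way: a zip attachment whose contents (a script or a macro-capable document) go on to fetch the real payload. The following is an added example, not code from Check Point or from this article, of a mail-gateway style check that opens a zip attachment in memory and flags members matching that delivery pattern; the extension lists and the sample archive are constructed for illustration.

```python
import io
import zipfile

# Member types that match the delivery pattern described above: a script or a
# macro-capable document that downloads the executable, or the executable itself.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}
DOCUMENT_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".rtf"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".dll"}
# Harmless-looking inner extensions used to disguise a script ("invoice.pdf.js").
DECOY_EXTENSIONS = {".pdf", ".txt", ".jpg", ".doc"}


def classify_member(name):
    """Return the reasons a zip member looks like a lure, or [] if none apply."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:          # directory entry or file without an extension
        return []
    ext = "." + parts[-1]
    reasons = []
    if ext in SCRIPT_EXTENSIONS:
        reasons.append("script file " + ext)
    elif ext in EXECUTABLE_EXTENSIONS:
        reasons.append("executable " + ext)
    elif ext in DOCUMENT_EXTENSIONS:
        reasons.append("macro-capable document " + ext)
    active = ext in SCRIPT_EXTENSIONS or ext in EXECUTABLE_EXTENSIONS
    if active and len(parts) > 2 and ("." + parts[-2]) in DECOY_EXTENSIONS:
        reasons.append("double extension")
    return reasons


def scan_zip_attachment(data):
    """Inspect raw zip bytes; return {member_name: [reasons]} for suspicious members."""
    findings = {}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                reasons = classify_member(info.filename)
                if reasons:
                    findings[info.filename] = reasons
    except zipfile.BadZipFile:
        findings["<archive>"] = ["not a valid zip archive"]
    return findings


def build_sample(members):
    """Constructed test attachment: a zip built in memory from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample({"invoice_4411.pdf.js": "// placeholder (constructed)"})
    print(scan_zip_attachment(lure))
```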