ESET Threat Blog

We’ve just finished working on our monthly Threat Report. There aren’t many surprises in the top ten threats for June.

Conficker has taken over the "top spot", relegating INF/Autorun to second place. It’s difficult to say for sure what the significance is, given the relatively small percentage point involved: minor fluctuations in proportions from month to month can be ascribed to factors other than overall upward or downward trends. ThreatSense.Net® doesn’t distinguish between sources: it simply reports when it detects a Conficker infection attempt over any vector (network shares, USB etc).

As we’ve pointed out previously, the real story with Conficker is less the actual malware than the number of people who still aren’t taking elementary precautions such as timely patching and disabling Autorun, properly securing network shares and so on. I would guess that right now, the continuing prominence of Conficker in the ratings is due to lots of machines, mainly home machines or botnetted business machines, that are never patched or properly protected by AV, often because the owner doesn’t bother with all that, or maybe sometimes because of a longstanding infection that’s blocking patches and updates and has never been noticed.

 Rather more notable, perhaps is the entry of Win32/TrojanDownloader.Bredolab.AA into the top ten at number 10. I feel like a DJ when I make a statement like that… (but where will I get one at this time of the afternoon?)

This is an example of a class of application that is intended to act as an intermediary to the infective process. This particular detection label is applied to a range of variants that commonly inject themselves into running processes and attempt to disable some security processes, while creating a registry key that ensures that the program is run at every system startup. It communicates with its command and control (C&C) server over HTTP. This malware has been associated with other malware activity such as Gumblar and Win32/Wigon.

The question, what does this mean to you?

We’re seeing a great deal of this activity in combination with Flash (SWF) and Acrobat (PDF) exploits, so it’s more important than ever to keep up with Adobe updates and patches as well as Microsoft’s. (Nowadays it pays to keep an eye on new patches for any applications and utilities you use!) Having been somewhat negative about Adobe’s updating processes in the past, I really hope that Adobe’s new patching mechanisms, bringing them into line with Microsoft’s, will help to reduce the impact of these exploits in the longer term.

When a Trojan downloader is installed and active on a system, its main (or only) job is to download malware from a remote site, but it may make changes to the system such as those described above in order to increase its chances of doing so successfully. Other vendors describe different variant suffixes (.G, .HW etc.) as referring to this detection: however, because of the varying detection algorithms used by different vendors, it’s unlikely that there will be an exact match in all cases. Because of ESET’s heavy use of generic signatures and advanced heuristics, our detection label actually picks up many close variants and sub-variants.

As we’re halfway through the year, we’ve also provided a look back at the past few months, and hope you’ll find it useful or at least interesting.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence