Threat Analysis Series: Top Malware Review (Part II)

By OPSWAT

Back in April, we released a list of common threats that were detected by Metascan® Online and later updated that page by adding statistics on how our Metascan packages compare in their detection of those threats. In order to demonstrate how these statistics can be used to analyze threats, we developed a malware analysis series. For our first post in this series, we took a look at the top malware of the week and analyzed their specific characteristics. This post continues that series by looking at which threats have stayed the same and what new threats have been introduced.
The data comes from the most searched-for threats from our database of hashes over the last seven days. This list is updated daily, and each of the threats is rescanned to determine whether the number of engines detecting them has changed. Many of the hash searches are performed as part of endpoint risk assessment, so many of the top threats are Windows and Mac system files or process files. Potentially Unwanted Programs (PUPs) and Potentially Unwanted Applications (PUAs) are also included in the top threats; while they may not be considered malware, they can still have security implications by acting as an entry point for malware to your system. Additional details for this data are posted on the bottom of the stats page if you want to learn more.
We decided to provide a simpler breakdown of our top 10 threats. The data is summarized using the collection of sources listed at the end of this post.

| SHA256 | Threat Name | Type | Severity | Detection (out of 43 Engines) | Action Performed |
|---|---|---|---|---|---|
| A84E4FAFFBFC886AE15E49CF4F38B21BC8F2354EF573B78FA0090E596B64981C | Blacole | Trojan | Severe | 23 | Trojan that exploits a vulnerability in the Java Runtime Environment. Intended to steal information on the computer (passwords, email, online accounts) |
| 4BE24A10114ABCBB48060354BC4A989F40E6AF67FD4663B3836CB4F557FF2703 | Madang | Virus | Severe | 14 | Windows virus that infects .exe and .scr files |
| 94DB695CBEA4F6FA0A6E6748F965DD08BB37AFDBB3A13A3B1545437AA0AA233E (new) | Generic Trojan Spy* | PUP | Severe | 3 | Trojan that lets hackers remotely access your computer system. |
| 89E27DB4337FD500095AFA78A60FA9C794D44B99E270E0620606F617D1EB6378 | DomaIQ | PUP | Medium | 31 | Windows PUP (Adware) that installs software, displays popups, etc. |
| 809BBFA3FB67C79F1901B159B754DD955C5DEFE28D5879F91972D269D706D55C (new) | MyWebSearch* | Adware | Low | 10 | Adware that is bundled with "free" software. Changes browser and search settings on the computer. |
| B7B2229140124DA77DB2A76CBD936CBD0AD9F96B159298B5037FC6C9A90841CF | InstallRex | PUP | Medium | 27 | PUP that contains adware and installs toolbars |
| E5AC415C65B8ED457F978325818402345DA3031BA04778D222C634FC5FBE652E | Vobfus | Trojan | Severe | 37 | Trojan that infects files downloaded from the internet. This can also be considered worm-like behavior |
| E5AC415C65B8ED457F978325818402345DA3031BA04778D222C634FC5FBE652E | Gamarue* | Worm | Severe | 38 | Worm that typically arrives in spam email. Can steal personal information and send it remotely. |
| 87B1F4E69E239FB15B5F4EE42C8417C1FAC87A69DAE43E48DF807EB7D432E88D | Expiro | Virus | Severe | 32 | Virus that infects files. It can allow a hacker to access the PC and steal stored user names and passwords |
| 9329CE85946F4767BD79876C68E54FDAD031AD7ADD64DADE71F8E9E49EF11424 | Blacole | Trojan | Severe | 21 | Trojan that attempts to infect the PC with other Trojans and viruses |

* new threat on list since our last analysis
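The post describes the workflow behind this table: a file's SHA256 is searched against the hash database, the detection count out of 43 engines is reported, and the hash is rescanned daily to see whether that count has moved. The following is an added example written for this article, not OPSWAT's code or the Metascan Online API; it loads the rows above into a local index, performs an endpoint-style hash lookup, flags the one hash the table lists under two names rather than silently overwriting it, and diffs two detection snapshots the way a daily rescan would. The sample file bytes and the snapshot values are constructed.

```python
import hashlib

ENGINES = 43  # the table reports detections out of 43 engines
# Rows transcribed from the table above: (SHA256, threat name, type, severity, engines detecting).
THREATS = [
    ("A84E4FAFFBFC886AE15E49CF4F38B21BC8F2354EF573B78FA0090E596B64981C", "Blacole", "Trojan", "Severe", 23),
    ("4BE24A10114ABCBB48060354BC4A989F40E6AF67FD4663B3836CB4F557FF2703", "Madang", "Virus", "Severe", 14),
    ("94DB695CBEA4F6FA0A6E6748F965DD08BB37AFDBB3A13A3B1545437AA0AA233E", "Generic Trojan Spy", "PUP", "Severe", 3),
    ("89E27DB4337FD500095AFA78A60FA9C794D44B99E270E0620606F617D1EB6378", "DomaIQ", "PUP", "Medium", 31),
    ("809BBFA3FB67C79F1901B159B754DD955C5DEFE28D5879F91972D269D706D55C", "MyWebSearch", "Adware", "Low", 10),
    ("B7B2229140124DA77DB2A76CBD936CBD0AD9F96B159298B5037FC6C9A90841CF", "InstallRex", "PUP", "Medium", 27),
    ("E5AC415C65B8ED457F978325818402345DA3031BA04778D222C634FC5FBE652E", "Vobfus", "Trojan", "Severe", 37),
    ("E5AC415C65B8ED457F978325818402345DA3031BA04778D222C634FC5FBE652E", "Gamarue", "Worm", "Severe", 38),
    ("87B1F4E69E239FB15B5F4EE42C8417C1FAC87A69DAE43E48DF807EB7D432E88D", "Expiro", "Virus", "Severe", 32),
    ("9329CE85946F4767BD79876C68E54FDAD031AD7ADD64DADE71F8E9E49EF11424", "Blacole", "Trojan", "Severe", 21),
]

def build_index(rows):
    """Index rows by SHA256; a hash listed under several names keeps every entry so the conflict stays visible."""
    index = {}
    for sha, name, kind, severity, hits in rows:
        index.setdefault(sha.upper(), []).append(
            {"name": name, "type": kind, "severity": severity, "detections": hits})
    return index

def verdict(sha, index):
    """Look one SHA256 up; when entries conflict, the highest detection count decides severity and ratio."""
    matches = index.get(sha.upper(), [])
    if not matches:
        return {"sha256": sha.upper(), "known": False}
    best = max(matches, key=lambda m: m["detections"])
    return {"sha256": sha.upper(), "known": True, "names": sorted(m["name"] for m in matches),
            "severity": best["severity"], "ratio": round(best["detections"] / ENGINES, 3),
            "conflict": len(matches) > 1}

def assess(data: bytes, index):
    """Endpoint-style check: hash the file bytes, then look the hash up in the local index."""
    return verdict(hashlib.sha256(data).hexdigest(), index)

def detection_changes(previous, current):
    """The daily rescan the post describes: compare two {sha256: detections} snapshots and
    report only hashes whose engine count moved (positive = more engines now detect it)."""
    return {sha: current[sha] - previous[sha]
            for sha in previous if sha in current and current[sha] != previous[sha]}

if __name__ == "__main__":
    idx = build_index(THREATS)
    print(assess(b"constructed sample file, not in the table", idx))
    print(detection_changes({THREATS[1][0]: 14}, {THREATS[1][0]: 16}))  # constructed: Madang gains 2 engines
```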

Some Important Takeaways:

  • A majority of the threats we saw last time are still in the top 10. Only a few new threats have bubbled up to this list.
  • The malware types are much more diverse than we have seen in the past. Now, an adware application and a worm have made the list. This demonstrates the variety in the types of threats that are present.
  • The majority of threats are on Windows and Mac platforms. This is expected, as many of the hash searches on Metascan Online are performed as part of endpoint risk assessment. In addition, mobile malware rarely shows up here.
  • The majority of top threats are considered Severe. The majority of these hashes come from files that still exist on users' systems today, which shows how widespread these particular threats are.
  • Although not shown in this chart, all 10 threats were uploaded to Metascan Online over a year ago. Even after so much time has passed, these threats are still infecting files today.

Taking a Look at New Threats:

Let's take a look at some of the newcomers that made the list this time:

  • MyWebSearch Adware — this is software that a person "allows" when installing so-called "free" software on their computer. It provides features that are generally already built into many web browsers. Although it doesn't have any directly malicious attributes, it will slow down the users' computers.
  • Gamarue Worm — this malware infects a computer and is then able to spread to other computers. The Gamarue worm was part of a click fraud attack, spread predominantly on online home improvement forums.

Recurring Threats from Last Time:

Because a majority of the threats from last time have stayed in this list, we selected a few and looked at how impactful and influential they are today.

  • In April of this year, a botnet called Beebone used Vobfus to help with its distribution. Beebone is a command-and-control botnet, sending instructions to the infected systems. About 12,000 computers were infected, and the intent was to spread more malware. Fortunately, Europol, along with other agencies such as the U.S. FBI and Dutch authorities, shut down the infected domains, limiting the spread of the malware.
  • At the end of 2014, DomaIQ made its way into the news. It was found bundled in the installer for a video player.
  • To this day, Blacole continues to be a major inspiration to the malware community. It has inspired the development of Angler, another exploit kit. Angler is much more powerful and prevalent than Blacole. In early July of this year, the Angler exploit kit was found to exploit the recent Flash bug that was revealed during the Hacking Team breach.

You can subscribe to our blog to get future updates on this series as well as other posts. Check out the statistics page from time to time to see the latest malware, new statistics updates and more!

References:

1. Microsoft resource on Blacole Trojan
2. McAfee resource on Blacole Trojan
3. Malware Tips resource on Blacole Trojan
4. Microsoft resource on Madang Virus
5. ESET resource on Madang Virus
6. AVG ThreatLabs resource on Generic Trojan Spy
7. Microsoft resource on Generic Trojan Spy
8. Microsoft resource on MyWebSearch Adware
9. Malware Tips resource on MyWebSearch Adware
10. Avira resource on DomaIQ PUP
11. Malware Tips resource on MyWebSearch Adware
12. Sophos resource on InstallRex PUP
13. Malware Tips resource on InstallRex
14. Microsoft resource on Vobfus Trojan
15. Lavasoft resource on Vobfus Trojan
16. Microsoft resource on Vobfus Trojan
17. Trend Micro resource on Gamarue Worm
18. Microsoft resource on Gamarue Worm
19. Sophos resource on Expiro Virus
20. Microsoft resource on Expiro Virus
21. Microsoft resource on Blacole Trojan
22. F-Secure resource on Blacole Trojan
23. Infosecurity Magazine resource on Gamarue Worm
24. Wikia resource on MyWebSearch Adware
25. Crazy Engineers resource on SSL Vulnerabilities
26. The Register resource on Adobe Flash Vulnerability
27. Softpedia resource on PUPs
