Top 10 Internet Threats |Top 10 E-Threats

Conficker gains a position, while Trojan.Clicker.CM tops the list for the second month in a row by bypassing popup blockers

After more than eight months since it first entered the BitDefender Top 10 e-Threats, Win32.Worm.Downadup ranks first with 43 percent of the total amount of infected machines. Also known as Conficker or Kido, the worm restricts access to the websites associated with IT security vendors. More than that, the latest variant of the worm installs rogue security software on the compromised machines.

The second place is taken by Win32.Induc.A, a less-usual piece of malware infecting applications built with Borland (now Embarcadero) Delphi versions 4 through 7. The virus does not infect binary file, but rather modifies the SYSCONST.PAS file, injects its malicious code and then compiles the file back. All the applications built with the compromised compiler would be infected with the virus. Win32.Induc.A has no malicious payload, but its abrupt escalation in the list shows that only few Delphi developers are aware of the widespread infection.

Ranking third in the list, Win32.Sality.OG is a polymorphic file infector that appends its encrypted code to executable files (.exe and .scr binaries). In order to hide its presence on the infected machine, it deploys a rootkit and attempts to kill antivirus applications installed locally.

Worm.Autorun.VHG is an Internet/network worm that exploits the Windows MS08-067 vulnerability in order to execute itself remotely using a specially crafted RPC (remote procedure call) package (an approach also used byWin32.Worm.Downadup). The increasing presence of the worm in BitDefender’s top 10 e-threats reveals that users are still ignoring Microsoft’s security advisories and avoid deploying security patches.

Ranking fifth in the BitDefender monthly top, Win32.Virtob.Gen is a file infector written in assembly language. The piece of malware hides its presence by injecting hooks into other Windows processes, but avoids compromising system files. It also opens a backdoor that can be exploited by a remote attacker to seize control over the infected machine. This is a high-risk infection.

Packer.Malware.NSAnti.1 is a generic class uniting different families of malware packed/protected with the NSAnti protection scheme. The NSAnti packing technology allows files to be executed on-the-fly rather than being decompressed on the hard drive, which minimizes the probability of an antivirus scanner to intercept them. NSAnti is also making heavy use of polymorphism (the capacity to modify its code to deter signature-based detection) and is extremely resilient to emulation by crashing the virtual machine it runs into.

Win32.Worm.AutoIT.AC is an executable file that comes with a folder icon in order to trick users into clicking it. The worm drops a keylogger and starts collecting sensitive details the user may type in, such as e-banking accounts, e-mail and website passwords, etc. Win32.Worm.AutoIT.AC also creates a file named setup.ini in %System% , which allows it to spread using removable drives.

Win32.Sality.2.OE is one of the files dropped by Win32.Sality.OG explained above.

GEN:TDSS.Patched.1 is a generic routine that deals with Trojan.TDss.ATinfections. This e-threat drops other malicious files and injects them into in spoolsv.exe under the name dll.dll. Once infected, the computer’s DNS settings are changed in order to redirect legitimate traffic to specific phishing websites.

Win32.Worm.Downadup.Gen ranks last in the BitDefender monthly e-threats top. It is a worm that relies on the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (MS08-67) in order to spread on other computers in the local network. The worm is able to send itself from a computer on the network that had already been infected, to infect flash drives or a mapped network-attached storage device or to launch brute-force attacks against clean computers on the local network.