Analysis of ESET's ThreatSense.Net®, a sophisticated malware reporting and tracking system, shows that the highest number of detections this month, with almost 9.90%, was the Win32/Conficker class of threat.
More detail on the most prevalent threats is given in this white paper, including their previous position (if any) in the "Top Ten" and their percentage values relative to all the threats detected by ThreatSense.Net®.
The leaner, faster, superior computer protection
EEEESSSSEEEETTTT GGGGlllloooobbbbaaaallll TTTThhhhrrrreeeeaaaatttt TTTTrrrreeeennnnddddssss January 2010
FFFFiiiigggguuuurrrreeee 1111:::: TTTThhhheeee TTTToooopppp TTTTeeeennnn TTTThhhhrrrreeeeaaaattttssss ffffoooorrrr JJJJaaaannnnuuuuaaaarrrryyyy 2222000011110000 aaaatttt aaaa GGGGllllaaaannnncccceeee
Analysis of ESET's ThreatSense.NetŪ, a sophisticated malware reporting and tracking system, shows that the highest number of detections this month, with almost 9.90%, was the Win32/Conficker class of threat. More detail on the most prevalent threats is given below, including their previous position (if any) in the "Top Ten" and their percentage values relative to all the threats detected by ThreatSense.NetŪ.
1111.... WWWWiiiinnnn33332222////CCCCoooonnnnffffiiiicccckkkkeeeerrrr Previous Ranking: 1 Percentage Detected: 9.90% The Win32/Conficker threat is a network worm originally propagated by exploiting a recent vulnerability in the Windows operating system. This vulnerability is present in the RPC sub-system and can be remotely exploited by an attacker without valid user credentials. Depending on the variant, it may also spread via unsecured shared folders and by removable media, making use of the Autorun facility enabled at present by default in Windows (though not in Windows 7). Win32/Conficker loads a DLL through the svchost process. This threat contacts web servers with pre-computed domain names to download additional malicious components. Fuller descriptions of Conficker variants are available at http://www.eset.eu/buxus/generate_page.php?page_id=279&lng=en. What does this mean for the End User? While ESET has effective detection for Conficker, it's important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since Autumn 2008, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available at http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx. Whilst following variants dropped the code for infecting via Autorun, it can't hurt to disable it. This will reduce the impact of the many threats we detect as INF/Autorun. The Research team in San Diego has blogged extensively on Conficker issues: http://www.eset.com/threat-center/blog/?cat=145 It's important to note that it is possible to avoid most Conficker infection risks generically, by practicing "safe hex": keep up-to-date with system patches, disable Autorun and don't use
ESET UK, 242 Charminster Road, Bournemouth, Dorset, BH8 9RP Tel: 0845 838 0832, Fax: 0845 838 0834, Email: marketing@eset.co.uk, www.eset.co.uk The leaner, faster, superior computer protection
unsecured shared folders. In view of all the publicity Conficker has received and its extensive use of a vulnerability that's been remediable for so many months, we'd expect Conficker infections to be in decline by now if people were taking these commonsense precautions.
2222.... IIIINNNNFFFF////AAAAuuuuttttoooorrrruuuunnnn Previous Ranking: 2 Percentage Detected: 7.37% This detection label is used to describe a variety of malware using the file autorun.inf as a way of compromising a PC. This file contains information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by a Windows PC user. ESET security software heuristically identifies malware that installs or modifies autorun.inf files as INF/Autorun unless it is identified as a member of a specific malware family. What does this mean for the End User? Removable devices are useful and very popular and malware authors are well aware of this, as INF/Autorun's frequent return to the number one spot clearly indicates. Here's why it's a problem: The default Autorun setting in Windows will automatically run a program listed in the autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices. While this isn't always the program's primary distribution mechanism, malware authors are always ready to build in a little extra "value" by including an additional infection technique. While using this mechanism can make it easy to spot, as Randy Abrams has suggested in our blog (http://www.eset.com/threat-center/blog... [download for more]
