Malware reports

Malware Miscellany, february 2007

I was considering our collection the other day, and the analysis we’ve recently been publishing on this site. And I thought that some slightly different statistics might be interesting to help round out the picture. So I did a little digging, and here’s my first malware miscellany – a collection of facts in a range of semi-random categories.

1. Greediest Trojan Targeting Banks – this month, it’s Trojan- Spy.Win32.Banker.zd, which targets the clients of 33 banks. And just as we keep saying, the number of Trojans which target more than one bank is growing all the time.

2. Greediest Trojan Targeting E-payment Systems – The winner in this category is Trojan-Spy.Win32.Banker.z. This Trojan targets three plastic card systems, but also steals finance-related data from the customers of many banks. Apparently, its author prefers a comprehensive approach to making money.

3. Greediest Trojan Targeting Plastic Cards – The top malicious program in this category is Backdoor.Win32.Neodurk.13, which searches for access data for three plastic card systems, in addition to providing cybercriminals with remote control of victim computers, which is its main function.

4. Stealthiest Program – This category’s winner is a modification of Backdoor.Win32.Rbot.gen, which is packed by eight different compression utilities in the hope that this will prevent antivirus programs from detecting the malicious code.

5. Smallest Malicious Program – This category of malware was won by Trojan.BAT.DeltreeY.af, which is just 19 bytes in size. This is a primitive Trojan, which (as its name suggests) deletes folders on infected computers. Its targets include the Windows system directory; of course, if this gets deleted, you may end up with some serious problems.

6. Biggest Malicious Program – February’s “giant” is Trojan-Spy.Win32.Bancos.rv. It is 13 MB in size, and is a bit of an oddity – you might expect extensive functionality, which this Trojan doesn’t actually have.

7. Most Malicious Program – The winner from this category uses numerous methods to effectively combat antivirus protection installed on computers. February’s leader is Backdoor.Win32.Aebot.e, which uses a variety of methods to disable protection, including terminating processes in memory, stopping services and blocking updates. The malicious program terminates protection utilities by the dozen, including all kinds of firewalls, system monitoring utilities, antivirus products, etc.

8. Most Common Malicious Program in Email Traffic – In February 2007, the winner was Email-Worm.Win32.NetSky.t. Although this is a relatively old email worm, it still accounts for about 15% of all email traffic.

9. Most Common Trojan Family – We talk a lot about how the number of Trojans is on the increase. And Backdoor.Win32.Hupigon is a great example – in a single month we detected 368 modifications of this family.

10. Most common virus worm family – In February, the Warezov family was the most widespread among all virus and worm families. Samples of 118 different modifications were found in February alone.

I’ll be back with another malware miscellany fairly soon. If there’s any particular category that you’re interested in seeing included, do let me know.

Malware Miscellany, february 2007

Your email address will not be published. Required fields are marked *

 

Reports

Ferocious Kitten: 6 years of covert surveillance in Iran

Ferocious Kitten is an APT group that has been targeting Persian-speaking individuals in Iran. Some of the TTPs used by this threat actor are reminiscent of other groups, such as Domestic Kitten and Rampant Kitten. In this report we aim to provide more details on these findings.

Andariel evolves to target South Korea with ransomware

In April 2021, we observed a suspicious Word document with a Korean file name and decoy. It revealed a novel infection scheme and an unfamiliar payload. After a deep analysis, we came to a conclusion: the Andariel group was behind these attacks.

Operation TunnelSnake

A newly discovered rootkit that we dub ‘Moriya’ is used by an unknown actor to deploy passive backdoors on public facing servers, facilitating the creation of a covert C&C communication channel through which they can be silently controlled. The victims are located in Africa, South and South-East Asia.

Subscribe to our weekly e-mails

The hottest research right in your inbox