April Threats - Big "C" Ran Wild, Trojans Multiplied

By Matthew Hines  |  Posted 2009-05-07 Print this article Print

It's no surprise that the virus that-shall-not-be-named topped the charts in terms of the most commonly observed attacks during April 2009, but a list of other threats, mainly Trojans, blanketed the Web and infected users' machines as the world's most famous malware celeb stole the spotlight.

It seems like it's been hard to write nearly anything malware-related without mentioning yes, Conficker, for some time now, but as loathsome as the mere mention of the media darling has become, it was the most ubiquitous attack detected by researchers, including those working at security software vendor ESET, last month. The C-worm aka Win32/Conficker snuck its way onto almost 9 percent of the endpoints scanned by ESET in April, despite the fact that Microsoft has had a patch available for the involved Windows vulnerability for months.

However, sneaking up behind the C-bomb were INF/Autorun attacks, which the company found on just over 8.5 percent of the machines it tracked. Like versions of le C, that threat utilizes Microsoft's Windows Autorun feature (newly remodeled) to embed itself as soon as someone connects a device to their PC that carries the virus.

More and more it seems we're hearing of dirty USB sticks finding their way into people's hands. At RSA, even some of the white hats were tossing the things around to see who was stupid enough to plug them in. I've got a couple here that were handed to me by people whom I know, and I'm still slightly afraid to use them. So much for the era of free USBs...

As many people have noted for years, and ESET researcher Randy Abrams points out in his blog, it's really just smart to turn off Autorun for security's sake. But, of course, as we all know, most end users have no idea what Autorun is let alone that they can shut it down. To its credit, Microsoft has allowed that it will disable the feature by default going forward, even if it claims that Autorun is not dangerous.

Well, of course it's not dangerous... it's just unnecessary!

In third place for April, the Trojan/rootkit W32/PSW.OnLineGames set of attacks, aimed at online gamers, continued to thrive as well, making it onto 7 percent of the endpoints tested. Like losing your entire social life to WoW isn't bad enough.

A broad, generic malware family, Win32/Agent, took home fourth place, far behind on only 3.5 percent of machines. The Win32/TrojanDownloader attacks stood in fifth, found in only 1 percent of the involved systems.

Despite its popularity, even ESET's researchers recognized that the attack-from-C became too big of a deal in terms of exposure to do anyone any good, in particular since it allowed other major campaigns to flow more freely by not garnering as much attention from market watchers. The 1.9 million endpoint "superbotnet" discovered by Finjan probably deserves some increased scrutiny, for instance, ESET's experts maintain.

Also lost in the fray is the fact that there are gaping zero days in ubiquitous programs from leading vendors such as Adobe that attackers are flocking to in droves, Abrams said in a recent blog post regarding the report's findings.

"Personally, Conficker is far less worrying to me than whatever is out there trying to exploit the vulnerabilities in Adobe Acrobat. Adobe has recommended disabling JavaScript in their products. If they had shipped Acrobat in a proper configuration, with JavaScript disabled, there would be far less impact from their recurring vulnerabilities," he said. "Give Adobe time. One day they'll catch up to where Microsoft was with security back in 2003."

Ouch! Now that is taking the gloves off.

But as much as Adobe might hate to hear it... at least we can be glad all the news isn't about...

Not going to say it.

Go figure.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.

del.icio.us | digg.com

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel