Friday 3rd September 2010

Posts Tagged ‘Conficker’

Top Tracked Viruses

Thursday, July 8th, 2010

McAfee maintain a list of the current top tracked viruses and their characteristics.

The current list of prime suspects is most illuminating. Most are trojans, but two are worms:

  • Exploit-ObscuredHtml
  • Exploit-MS06-006
  • Generic!atr
  • HTML/FakeAV
  • Exploit-PDF.b.gen
  • Generic PWS.ak
  • W32/Conficker.worm!inf
  • W32/Rimecud
  • Generic FakeAlert!cr
  • Bredolab.gen.d.

As to which are trojans and which are worms, the clue is in the name of one, but it’s not so obvious for the other. The infamous W32/Conficker.worm!inf is one and the other is W32/Rimecud.

But let’s have a look at one of the trojans first: Exploit-ObscuredHtml. To remind ourselves, a trojan is so called because it takes its lesson from ancient Greek mythology. Trojans are spread inadvertently by people who think that they are downloading, or passing to someone else, a file which is of some use. In reality, it’s an illegal gateway into someone’s computer. And because, unlike viruses, they don’t replicate, they rely on manual distribution methods such as email, malicious or hacked web pages, Internet Relay Chat (IRC), or peer-to-peer networks.

Now Exploit-ObscuredHtml is an exploit by sub-type, and it exists as code in an email message, web page, or HTML document.

Interestingly, certain non-ASCII characters are ignored by Microsoft Internet Explorer, allowing an attacker to obfuscate malicious code and still have it rendered by Internet Explorer. The detection for this particular trojan covers HTML documents that have been crafted with the intention of evading antivirus detection, so other documents that mix HTML with non-ASCII characters could also trigger it.
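The normalise-then-scan idea behind that detection, as an added example (not McAfee’s logic or the author’s code): because the post does not list which characters IE skipped, the script assumes every byte outside printable ASCII, TAB, CR and LF is candidate noise, strips it, and only reports a document when stripping uncovers a script or markup token that the raw bytes did not contain.

```python
"""Normalise-then-scan check for HTML padded with characters a browser ignores.

Added example for this post, not McAfee's detection logic. The noise set and
the marker list are heuristics assumed here, not published indicators.
"""

# Bytes assumed to be noise: control bytes (except TAB, LF, CR), DEL, and high bytes.
NOISE = frozenset(b for b in range(256) if not (32 <= b < 127 or b in (9, 10, 13)))

# Tokens whose count rising after normalisation suggests deliberate splitting.
MARKERS = (b"<script", b"<iframe", b"<object", b"javascript:", b"eval(", b"unescape(")


def normalise(raw: bytes) -> bytes:
    """Drop every noise byte, approximating a renderer that silently skips them."""
    return bytes(b for b in raw if b not in NOISE)


def uncovered_markers(raw: bytes) -> dict:
    """Markers that occur more often once noise is removed than in the raw bytes.

    Legitimate UTF-8 text also contains high bytes, so a document is only
    reported when stripping *creates* a marker, not merely because it has
    non-ASCII content somewhere in its text.
    """
    raw_l, norm_l = raw.lower(), normalise(raw).lower()
    return {m.decode(): norm_l.count(m) - raw_l.count(m)
            for m in MARKERS if norm_l.count(m) > raw_l.count(m)}


def is_obscured(raw: bytes) -> bool:
    """True when normalisation reveals at least one hidden marker."""
    return bool(uncovered_markers(raw))


# Constructed samples, not taken from any real detection.
UTF8_PAGE = "<html><body><p>Zürich café</p></body></html>".encode("utf-8")
PLAIN_SCRIPT = b"<html><body><script>alert(1)</script></body></html>"
SPLIT_SCRIPT = (b"<html><body><sc\x00ri\x80pt>ev\xffal(unes\x01cape('%61'))"
                b"</script></body></html>")

if __name__ == "__main__":
    for name, doc in (("utf8", UTF8_PAGE), ("plain", PLAIN_SCRIPT), ("split", SPLIT_SCRIPT)):
        print(name, is_obscured(doc), uncovered_markers(doc))
```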

Now let’s take a brief look at W32/Conficker.worm!inf. Conficker caused virtual panic in the media earlier in 2009 and was dubbed the mother of all viruses. Actually it has been around for some years, although this version was particularly virulent.
The sub-type is a worm, and it is a file which is usually dropped onto the root of all removable drives and mapped drives in an attempt to autorun an executable when the drive is accessed.

IT people can spot an infection when they see the presence of autorun.inf files on the root of all removable drives or mapped network drives containing specific information.
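A triage helper for autorun.inf files found on drive roots, as an added example (not the author’s or McAfee’s code): it parses the public [autorun] section format, flags keys that launch a program (open=, shellexecute=, shell\verb\command=), and counts bytes that are not plain text, since a legitimate autorun.inf is ASCII. Both rules are heuristics assumed here, not published indicators.

```python
"""Heuristic triage of autorun.inf files found on removable-drive roots.

Added example for this post. The launch-key and junk-byte rules are
heuristics assumed here, not indicators published for any specific worm.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Keys in the [autorun] section that make Windows launch something.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)
    launches: list = field(default_factory=list)


def parse_autorun(raw: bytes) -> tuple[dict, int]:
    """Return ({key: value} from the [autorun] section, count of junk bytes).

    Junk bytes are anything outside printable ASCII, TAB, CR and LF; a
    legitimate autorun.inf is plain text, so they are dropped before parsing
    and their number is reported.
    """
    is_text = lambda b: 32 <= b < 127 or b in (9, 10, 13)
    junk = sum(1 for b in raw if not is_text(b))
    text = bytes(b for b in raw if is_text(b)).decode("ascii")
    keys, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            k, v = line.split("=", 1)
            keys[k.strip().lower()] = v.strip()
    return keys, junk


def triage(raw: bytes) -> Verdict:
    """Flag an autorun.inf that launches code or buries its text in junk bytes."""
    keys, junk = parse_autorun(raw)
    v = Verdict(suspicious=False)
    for k, val in keys.items():
        if k in LAUNCH_KEYS or SHELL_CMD_RE.match(k):
            v.launches.append(f"{k}={val}")
    if v.launches:
        v.suspicious = True
        v.reasons.append("autorun launches a program: " + "; ".join(v.launches))
    if junk:
        v.suspicious = True
        v.reasons.append(f"{junk} non-text bytes interleaved with the directives")
    return v


# Constructed samples, not captured from any real infection.
BENIGN = b"[autorun]\r\nicon=setup.exe,0\r\nlabel=Holiday photos\r\n"
LAUNCHER = (b"[autorun]\r\nopen=hidden\\update.exe\r\n"
            b"shell\\open\\command=hidden\\update.exe\r\n")
PADDED = b"[aut\x00\x80orun]\r\n\xff\xfeopen=x.exe\r\n"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("launcher", LAUNCHER), ("padded", PADDED)):
        print(name, triage(sample))
```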

Guest Article by Neil Camp


BitDefender’s Top Malware for May

Thursday, June 17th, 2010

Top malware in May according to computer security company BitDefender is an Autorun trojan.

May’s top malware goes by the name of Trojan.AutorunInf.Gen and represents just over 13% of all global malware. It’s designed to use external hard drives, memory cards and flash drives to spread malware. And although Microsoft may have discarded its Windows Autorun feature from its latest operating systems and from Vista SP2, earlier versions are still vulnerable.

Next on the top malware list for May is the infamous Kido, or Conficker, which goes by the tag of Win32.Worm.Downadup. This nasty virus accounts for around 6% of global infections and attacks a Windows vulnerability. It spreads via local network computers and stops users from accessing Windows updates and security companies’ web pages. The latest versions of Windows have removed the vulnerability, but people using older operating systems should ensure that they have updated their operating systems and anti-virus applications.

In third place and close behind Conficker on the top malware list is another Trojan which accounts for some 5% of all infections. Its official name is Trojan.FakeAV.KUE and it’s based on JavaScript code. It creates anti-virus scams, and the malware gets hosted either on sites that unknowingly carry the virus or on malicious sites. Once people download this type of malware, it triggers various fake alerts offering rogue antivirus software.

Coming fourth in the May top malware list is Win32.Sality.OG. It’s the only file infector virus in the top ten, and it appends its encrypted code to executable files (.exe and .scr binaries). It does this by deploying a rootkit which kills any antivirus applications on the computer. This means that it remains undetected and is free to carry out its malicious tasks.

In the fifth place is a new one to the top malware charts. It’s a Trojan and is responsible for a tad over 2% of infections. Called the Trojan.Swizzor.2, it acts as a pathfinder for a number of other pieces of malicious software.

BitDefender’s top malware chart for May includes:

  1. Trojan.AutorunINF.Gen 13.24%
  2. Win32.Worm.Downadup.Gen 5.84%
  3. Trojan.FakeAV.KUE 5.11%
  4. Win32.Sality.OG 2.68%
  5. Gen:Variant.Swizzor.2 2.12%
  6. Trojan.Autorun.AET 2.02%
  7. Gen:Heur.Krypt.24 2.01%
  8. Worm.Autorun.VHG 1.97%
  9. Gen:Variant.Rimecud.2 1.91%
  10. Exploit.PDF-JS.Gen 1.76%

One thing is for sure: try to avoid any of the top malware for May.

Guest Article by Neil Camp


BitDefender’s March e-Threat Report

Tuesday, April 13th, 2010

The latest threat report from BitDefender shows that top of the nasty parade for March was a USB Trojan.

Known by the tag Trojan.Autoruninf.Gen, it accounted, says BitDefender, for 13% of total global malware in March. Trojan.Autoruninf.Gen is a generic mechanism designed to spread via removable drives. It exploits an established vulnerability when people swap files using physical devices such as memory sticks.

Number two in March was that old favourite Conficker, or Kido as it’s otherwise known. Although, at 6% of total global malware in March, it posed less than half the threat of Trojan.Autoruninf.Gen, it is still hanging around and being a nuisance. Its trick is to exploit a Microsoft Windows vulnerability; to get rid of it, users have to update their operating system and ensure that their anti-virus software is up to date.

In third is another old favourite, one which gets hold of Adobe PDF Reader’s JavaScript engine and uses it to piggyback malicious code into a computer. It’s known as Exploit.PDF-JS.Gen and it’s a nasty piece of work which abuses a very commonly used application.

But talking of nasties, in fourth is one that takes the biscuit. It’s a file infector known as Win32.Sality.OG. What makes this family of infectors so bad is that it’s protected by polymorphic code, which makes it extremely difficult to first detect and then remove. What’s more, the rootkit part of the virus does its best to disable antivirus applications on the computer it’s attacking. One to be avoided at all costs.

In at number five is Trojan.JS.Downloader.BIO. Inserted into legitimate webpages via SQL injection, this is actually JavaScript. It only targets those websites built with ASP. Another characteristic of Trojan.JS.Downloader.BIO is that it forms cookies from bits of information about a victim’s browsing habits, which are then sent to a website based in China.

That’s the top five, but here’s the complete BitDefender run for March:

  1. Trojan.AutorunINF.Gen 13.40%
  2. Win32.Worm.Downadup.Gen 6.19%
  3. Exploit.PDF-JS.Gen 5.30%
  4. Win32.Sality.OG 2.58%
  5. Trojan.JS.Downloader.BIO 2.13%
  6. Trojan.Autorun.AET 1.95%
  7. Gen:Heur.Krypt.21 1.921%
  8. Worm.Autorun.VHG 1.78%
  9. Exploit.PDF-Payload.Gen 1.67%
  10. Trojan.Wimad.Gen.1 1.42%

Guest Article by Neil Camp


Trojans March On

Friday, October 9th, 2009

Trojans dominated the top ten e-threats for September according to a top security software company.

BitDefender, creator of one of the industry’s fastest and most effective lines of internationally certified security software, produce a table of malware that represents the biggest threat on a month to month basis.

And in the number one spot for September is Trojan.Clicker.CM. The reason for this, ponder BitDefender, may be Trojan.Clicker’s popularity as a weapon of choice amongst purveyors of "warez." This is a term used by malware developers to describe compromised software.

In second place is Trojan.AutorunINF.Gen and this is a generic detection for Trojans that use Autorun. Number three spot in this line-up of nasties goes to the Trojan.Wimad.Gen.1.

The infamous Conficker is never far away from any malware list and in this particular chart it occupies the fourth slot. BitDefender labels Conficker, in all its various guises, as Win32.Worm.Downadup.Gen.

At number five, and gaining popularity again, is an exploit which uses a vulnerability in the way some versions of the Adobe PDF reader parse embedded JavaScript. Exploit.PDF-JS.Gen is one to be careful of.

Trojan.Exploit.JS.Y slots into the number six position. It’s a malicious piece of JavaScript, usually found on compromised or malicious websites.

In the number seven spot, down from number five, and a long-time star of BitDefender’s Top 10 E-Threat list is Win32.Sality.OG. It’s an encrypted, polymorphic file infector and appears set for a very long cybercrime "career".

In the eighth and ninth slots are two threats which use the Autorun security loophole found in older versions of Windows. BitDefender point out that the less widespread of the two threats is actually a downloader component used to spread the ever-present Conficker, or Kido worm (aka Downadup).

Bringing up the rear in tenth is Trojan.Skintrim.HTML.A, a type of HTML page usually found associated with adware programs such as Navipromo.

BitDefender’s September 2009 Top 10 E-Threat list is made up of:

  1. Trojan.Clicker.CM 10.98%
  2. Trojan.AutorunINF.Gen 9.58%
  3. Trojan.Wimad.Gen.1 5.52%
  4. Win32.Worm.Downadup.Gen 4.68%
  5. Exploit.PDF-JS.Gen 4.09%
  6. Trojan.Exploit.JS.Y 3.44%
  7. Win32.Sality.OG 2.75%
  8. Trojan.Autorun.AET 2.27%
  9. Worm.Autorun.VHG 1.78%
  10. Trojan.Skintrim.HTML.A 1.49%
  11. Others 53.41%

Guest Article by Neil Camp


McAfee Says Spam, Botnets at an All Time High

Tuesday, August 18th, 2009

The second quarter threat report from McAfee has some bad news for all computer users out there. The main finding is that Spam volumes have increased by 141% since March, 2009, continuing the longest streak of increasing spam volumes ever. But that’s not all, as there has been a dramatic expansion of botnets and auto-run malware.

The report highlighted the fact that 14 million computers have been enslaved by cybercriminal botnets, a 16% increase over last quarter.

Auto-run is becoming an increasing problem and over a test period of 30 days, it was discovered to have infected over 27 million files. Auto-Run malware, which exploits Windows Auto-Run capabilities, does not require any user clicks to activate. It is most often spread through portable USB and storage devices. Depressingly, the rate of detection surpasses the infamous Conficker worm by 400%, making it the number one piece of malware detected around the world.

Mike Gallagher, Senior Vice President and Chief Technology Officer of McAfee Avert Labs, said:
“The jump in bot and spam activity we saw in the last three months is alarming, and the threat from Auto-Run malware continues to grow. The expansion of these infections is a grave reminder of the potential harm that can be caused by unprotected computers in homes and businesses.”

McAfee also provides some background showing a generally worsening computer security situation.

It is noted that fourteen million additional computers have been turned into botnets this quarter. This equates to more than 150,000 computers infected every day, or 20% of the personal computers bought daily.

It also said that South Korea accounted for the largest boost in bot activity. The country saw a 45% increase in new infected computers over the last quarter. And such botnets were used to execute the recent DDoS cyber attacks against the White House, the New York Stock Exchange and South Korean government Web sites.

But although South Korea has its problems, it accounts for less than four percent of the world’s new bots. It’s the U.S. which tops the list with 15% of the new zombie computers.

And it’s this bot expansion that is behind the increasing volume of spam, which is now 92% of all email. Spam volumes have now exceeded the highest volume on record by 20%, increasing at a steady rate of roughly 33% each month. This equates to spam volumes growing by over 117 billion emails every day.

What’s most disturbing, is that as the number of bots continues to grow, malware writers have begun to offer malicious software as a service to those who control botnets. By exchanging, or selling resources, cybercriminals distribute new malware to wider audiences instantaneously. And the creation of and management of malware is becoming even easier, thanks to programmes like Zeus.

Programs like Zeus – an easy-to-use Trojan creation tool – continue to make the creation and management of malware even easier.

And cyber criminals are increasingly turning their attention to the popular social networking sites, including Twitter, Facebook and MySpace.

Guest Article by Neil Camp


McAfee Security Threat Report

Wednesday, May 13th, 2009

McAfee’s latest security threat report (covering January to March, 2009) reveals that since January, over 12 million new IP addresses have been hijacked by cybercriminals, a 50% increase since 2008.

IP addresses are hijacked and their computers used as zombies within worldwide botnets. A zombie will then be used to send out spam email, infecting other machines which will in turn send out even more email, and so the process goes on, creating billions of spam emails which clog up the system.

The U.S. is home to the greatest percentage of botnet infected computers, accounting for nearly 20% of all zombie machines.

Cybercriminals are rushing to create new botnets after the shakedown of a major spam hosting ISP, McColo Corp, in November 2008 which cut spam levels by some 60%.

And the cybercriminals are quickly recovering the ground that they had lost, with spam volumes now about 70% of what they were before McColo was stopped.

Jeff Green, senior vice president of McAfee Avert Labs, said: “The massive expansion of these botnets provides cybercriminals with the infrastructure they need to flood the web with malware. Essentially, this is cybercrime enablement.”

The report came up with a number of other findings, including that the Koobface virus has made a resurgence. More than 800 new variants of the virus have been discovered in March 2009 alone.

Also, malware writers are increasingly using servers which host legitimate content to launch malicious and illegal content.

URL redirects are being used more often by cybercriminals, and web 2.0 sites are being used to hide their location.

Ironically, given the recent media fuss about Conficker, the report concludes that this worm, and all its variants, only accounted for some 10% of detections reported during the first quarter. But whether this means it was over-hyped, or hasn’t yet had the effect feared, remains to be seen.

Guest Article by Neil Camp


Be Afraid, Be Very Afraid

Tuesday, April 28th, 2009

Conficker is coming alive.

The virus that threatened to cause chaos on April Fool’s Day and was eventually labelled by some as a prank, is having the last laugh as it becomes activated across a number of personal computers.

Conficker, also spelt Conflicker, and also known as Downadup, or Kido, is a particularly insidious form of worm which sits covertly on a computer and turns it into a zombie, part of a botnet. The zombie sits and awaits instructions, mostly opening the way for a piece of malware with a specific task. This might be a virus called Waledac, which sends out millions of spam emails from the computer’s mail box.

Accompanying the spam emails are false anti-spyware programmes which eventually render the receiving computer open to attack. The receiving computer is then recruited into the botnet, in turn sending out more spam email. The receiving computer is also sitting there with its defences down, waiting for the virus to send the personal and financial details of its user back to the originator of the worm.

Computer security experts are worried because the worm appears very sophisticated and operates in a stealth mode, sitting on machines until activated. It’s feared that the Conficker has infiltrated thousands of computers, awaiting instructions. Experts also fear that there is a twist that no-one is aware of yet, as the Conficker has yet to show its true colours.

The Conficker and its botnets are thought to be controlled by cyber crime syndicates based in China, Eastern Europe, Latin America and Southeast Asia.

The worm is designed to exploit operating system weaknesses, with Windows being particularly vulnerable. It can bypass many corporate firewalls as people swap files from an infected computer to a clean one using a USB memory stick.

Computer users worldwide are being warned to be on their guard against the Conficker.

Guest Article by Neil Camp


April Fool, or Better Prepared?

Sunday, April 19th, 2009

The Conficker worm (or is it Conflicker, no-one seems quite sure), did not wreak the havoc expected of it on the first day of April and many are now saying that the whole thing was an elaborate hoax, or, at the very least, a media scare story.

But, for others, the panic was justified. The Conficker worm does exist and has already affected many millions of computers. And if anything, at least the scare provoked many people into getting protection for their computers.

And for those that think it was all overplayed, let’s just remind ourselves what Conficker is capable of. It’s a very insidious piece of malware which can effectively sit on your computer and, when activated, will allow other pieces of software to be loaded which will then take control of your computer. It starts by deactivating your security programme and preventing it from getting crucial updates.

It will then install programmes which do a number of nefarious things. It might track your bank balance, or once you pay online for something, it might send off your credit card details to a person who will then start using it themselves. And once on your computer, it will await instructions from its creator, who will update it via thousands of random web addresses. And for a lot of people, they won’t even realise that they have a problem, as the worm will sit there, biding its time before it can inflict maximum damage.

Let’s not kid ourselves, the Conficker is a true technological parasite.

Yet incredibly, recent reports show that in the U.S. for example, nearly 20% of business computers remain unprotected against viruses.

Microsoft have quickly offered updates and patches to help close the hole that the Conficker was exploiting, but what worries many is that the worm loves networked computers and once in, can quickly work its way to thousands of machines which are linked together. The major concern is that the Conficker could be sitting in the networks of many large corporations, waiting for a key moment to strike. Imagine if a major utility was seriously struck by such a worm, the results could be catastrophic.

So, let’s not be complacent. Conficker is not a media creation. Conficker is a clever, parasitic worm which is out to rob you. So, if you panicked after all the media stories, then good, because if you ignore it, you might see the results as someone clears out your bank account, or enjoys a spending spree on your credit card.

Always run a reputable anti-virus programme. Never surf, email, or network without protection. It’s that simple.

But don’t let the scare-mongers fool you into buying a free or cheap anti-virus programme from a company you do not know. This, for many industry experts, was the true intention behind the Conficker scare stories: get people worried, then offer them bogus anti-virus software which does the same as Conficker. Don’t be fooled by that one. Use companies you know and pay a decent whack for your security.

Don’t let the Conficker make a fool out of you.

Guest Article by Neil Camp


Anything for the Weekend Sir?

Thursday, April 9th, 2009

Cyber criminals are currently exploiting people’s fears about being infected by viruses.

And the media’s frenzied reporting about Conficker hasn’t helped either, with people panicking about being hit by the April Fool’s Day bug.

Microsoft have warned that the hackers’ latest ruse is to hide their malware in bogus computer software programmes and then get people to download them. So whilst they think they are fully protected, the fake anti-virus is happily loading malware onto their computer.

In the latest security intelligence report prepared by Microsoft, the General Manager of their Trustworthy Computing Group, George Stathakopoulos, said: “Rogue security software is the number one threat worldwide…If you think about the Conficker case, how many people went looking for a security solution and downloaded rogue malware? That means when users downloaded the software they probably gave away credit card numbers and got infected. That’s a double hit.”

This kind of scam security software is known as “scareware”. Worried users download a version, it spots a virus (which actually isn’t there), asks for a fee to clean the non-existent virus, collects the money and then pretends to guard the computer against future attacks, whilst in reality it’s collecting all the computer user’s personal information.

Microsoft reckon that nearly six million computers have been infected with this type of virus and that there has been a near 70% rise in their use over a six month period.

And Microsoft believes there will be a massive rise in the use of scareware over the next few months, especially given the media’s coverage of the Conficker virus, which makes computer users unsure of their levels of protection and open to bogus offers.

Microsoft has a $250,000 reward out there for information about who is behind the Conficker virus.

Guest Article by Neil Camp


Don’t Want To Be An April Fool

Monday, March 30th, 2009

Don’t like being made a fool of, so now I’m in a panic about my computer being infected with the latest wretched computer virus, the Conflicker.

It’s meant to hit on April Fool’s day and it is a particularly nasty little *****! The Conficker – odd name that, maybe some geek’s sense of humour – is anything but fun. It penetrates your computer, shuts down your security software and prevents updates reaching you. It then sits there, waiting for orders from the mother ship, and once activated, will allow its creator to download onto your computer a piece of malware that will happily syphon off your personal details, bank details and anything else it feels like using. In other words, it’s a right little so and so.

So, I’m sitting here in a panic, with anti-virus software running in the background like a demon, wondering how I can beat back the Barbarians from my gates.

Right, calm down, have just read that all is not lost. First, they point out that although around 12 million computers are infected, this particular Conficker variant is really an update, and is looking for previous versions already sitting on computers. So, if you’re currently clean, then you should be okay. If not, then oh dear, but I’m just going to run a quick test myself.

Okay, deep breath, I have to first check that I’m connected to the internet. Right, yes, I can get the Google page, thank goodness for that, good old Google. Next, find the Microsoft site, or the site supplying my anti-virus software. Right, let’s go to Microsoft, after all, the Conficker is designed to penetrate Windows-based operating systems, so let’s start at the top. Right, onto the Microsoft website and yes, if I can run the Windows Update successfully, I’m not infected with Conficker.

Yes, it works, thank the Gods; I’m clean.

For those that can’t successfully run the Windows Update, or indeed, can’t update their security programme from the company’s website, then you may have the Conficker burrowed somewhere deep inside your computer.

If so, you’ve got problems. Contact your anti-virus software company, maybe by email, and ask what to do. Look on the Microsoft site and follow their instructions. If that doesn’t work, you could back-up your data, reinstall Windows and then go straight onto the Windows site and download the latest security patches.

And finally, pray that Conficker doesn’t come knocking again.

Guest Article by Neil Camp

