The current list of prime suspects is most illuminating. Most are trojans, but two are worms:

• Exploit-ObscuredHtml
• Exploit-MS06-006
• Generic!atr
• HTML/FakeAV
• Exploit-PDF.b.gen
• Generic PWS.ak
• W32/Conficker.worm!inf
• W32/Rimecud
• Generic FakeAlert!cr
• Bredolab.gen.d.

As to which are trojans and which are viruses, the clue is in the title of one, but it’s not so easy in the other. The infamous W32/Conficker.worm!inf is one and the other is W32/Rimecud.

But lets have a look at one of the trojans first. Exploit-ObscuredHtml. To remind ourselves, this is a trojan and it’s so-called because its takes it lesson from ancient Greece mythology. They are spread inadvertently by people who think that they are downloading, or swapping to someone else, a file which is of some use. In reality, it’s an illegal gateway to someone’s computer. And because unlike viruses they don’t replicate, they rely on manual distribution methods such as email, malicious, or hacked web pages, Internet Relay Chat (IRC), or peer-to-peer networks.

Now Exploit-ObscuredHtml is an exploit by sub-type and it exists as code in an email message, web page, or HTML document.

Interestingly, certain non-ascii characters are ignored by Microsoft Internet Explorer, allowing an attacker to obfuscate malicious code. And still have it rendered by Internet Explorer. But the detection of this particular trojan covers HTML documents that have been crafted with the intention of evading antivirus detection. And there are other documents that mix HTML with non-ascii characters which could also trigger this detection.

Now lets take a brief look at the W32/Conficker.worm!inf. The Conficker caused virtual panic in the media earlier in 2009 and its was dubbed the mother of all viruses. Actually it has been around for some years, although this version was particular virulent.
The sub-type is a worm and it is a file which is usually dropped onto the root of all removable drivers and mapped drives in an attempt to autorun an executable when the drive is accessed.

IT people can spot infection when they see the prescence of autorun.inf files on the root of all removable drives or mapped network drives containing specific information.

Guest Article by Neil Camp

May’s top malware goes by the name of Trojan.AutorunInf.Gen and represents just over 13% of all global malware. It’s designed to use external hard drives, memory cards and flash drives to spread malware. And although Microsoft may have discarded its Windows Autorun feature from its latest operating systems and from Vista SP2, early versions are still vulnerable.

Next on the top malware list for May is the infamous Kido, or Conficker, which goes by the tag of Win32.Worm.Downadup. This nasty virus takes a bow for around 6% of global infections and attacks a Windows vulnerability. It spreads via local network computers and stops users trying to access Windows updates and security companies web pages. Latest versions of Windows has removed the vulnerability, but people using older operating systems should ensure that they have updated their operating systems and anti-virus applications.

In third place and close behind the Conficker on the top malware list is another Trojan which accounts for some 5% of all infections. It’s official name is Trojan.FakeAV.KUE and it’s based on JavaScript code. It creates anti-virus scams and the malware gets hosted either on sites that unknowingly carry the virus, or malicious sites. Once people download this type of malware, it triggers various fake alerts offering rogue antivirus software.

Coming fourth is the May top malware list is Win32.Sality.OG. It’s the only file infector virus in the top ten and it’s a device which appends its encrypted code to executable files (.exe and .scr binaries). It does this by deploying a rootkit which kills any antivirus applications on the computer. This means that it remains undetected and unable to carry out its malicious tasks.

In the fifth place is a new one to the top malware charts. It’s a Trojan and is responsible for a tad over 2% of infections. Called the Trojan.Swizzor.2, it acts as a pathfinder for a number of other pieces of malicious software.

BitDefender’s top malware chart for May includes:

1. Trojan.AutorunINF.Gen 13,24%
2. Win32.Worm.Downadup.Gen 5,84%
3. Trojan.FakeAV.KUE 5,11%
4. Win32.Sality.OG 2,68%
5. Gen:Variant.Swizzor.2 2,12%
6. Trojan.Autorun.AET 2,02%
7. Gen:Heur.Krypt.24 2,01%
8. Worm.Autorun.VHG 1,97%
9. Gen:Variant.Rimecud.2 1,91%
10. Exploit.PDF-JS.Gen 1,76%

One things is for sure, try to avoid any of the top malware for May.

Guest Article by Neil Camp

Known by the tag Trojan.Autoruninf.Gen, it accounted, says BitDefender, for 13% of total global malware in March. Trojan.Autoruninf.Gen is a mechanism of a generic nature which is designed to spread via removable drives. It exploits an established vulnerability when people swap files using physical devices such as memory sticks.

Number two in March was that old favourite the Conficker, or Kido as its otherwise known. Although at 6% of total global malware in March less than half the threat posed by Trojan.Autoruninf.Gen, it is still being a nuisance and hanging around. Its trick is to exploit a Microsoft Windows vulnerability and to get rid of it, users have to update their operating system and ensure that their anti virus software is up to date.

In third is another old favourite, one which gets hold of Adobe’s PDF Reader’s JavaScript engine and uses it to piggy back malicious code into a computer. It’s known as Exploit.PDF-JS.Gen and it’s a nasty piece of work which uses a very commonly used application.

But talking of nasties, in fourth is one that takes the biscuit. It’s a file infector known as Win32.Sality.OG. What’s makes this family of infectors so bad, is that it’s protected by a polymorphic code, which makes it extremely difficult to firstly detect and then remove. What’s more, the rootkit part of the virus does its best to disable antivirus applications on the computer its attacking. One to be avoided at all costs.

In at number five this is the Trojan.JS.Downloader.BIO. Inserted into legimate webpages via SQL injection methods and tactics, this is actually JavaScript. It only targets those websites built with ASP. Another characteristic of Trojan.JS.Downloader.BIO. is that is forms cookies from bits of information about a victim’s browsing habits which are then sent to a website based in China.

That’s the top five, but here’s the complete BitDefender run for March:

1. Trojan.AutorunINF.Gen 13,40
2. Win32.Worm.Downadup.Gen 6,19
3. Exploit.PDF-JS.Gen 5,30
4. Win32.Sality.OG 2,58
5. Trojan.JS.Downloader.BIO 2,13
6. Trojan.Autorun.AET 1,95
7. Gen:Heur.Krypt.21 1,921
8. Worm.Autorun.VHG 1,78
9. Exploit.PDF-Payload.Gen 1,67
10. Trojan.Wimad.Gen.1 1,42.

Guest Article by Neil Camp

BitDefender, creator of one of the industry’s fastest and most effective lines of internationally certified security software, produce a table of malware that represents the biggest threat on a month to month basis.

And in number one spot for September is the Trojan.Clicker.CM. The reason for this, ponder BitDefender, may be due to Tojan.Clicker’s popularity as a weapon of choice amongst purveyors of "warez." This a term used by malware developers to describe compromised software.

In second place is Trojan.AutorunINF.Gen and this is a generic detection for Trojans that use Autorun. Number three spot in this line-up of nasties goes to the Trojan.Wimad.Gen.1.

The infamous Conficker is never far away from any malware list and in this particular chart it occupies the fourth slot. BitDefender labels Conficker, in all its various guises, as Win32.Worm.Downadup.Gen.

At number five is an exploit which uses a vulnerability in the way some versions of the Adobe PDF reader parse embedded JavaScript is gaining popularity again. Exploit.PDF-JS.Gen is one to be careful of.

Trojan.Exploit.JS.Y slots into the number six position. It’s a malicious piece of JavaScript, usually found on compromised or malicious websites.

In the number seven spot, down from number five, and a long-time star of the BitDefender’s Top 10 E-Threat is Win32.Sality.OG. It’s an encrypted, polymorphic file infector and appears set for a very long cybercrime "career".

In the eight and nine slots are two threats which use the Autorun security loophole found in older versions of Windows. BitDefender point out that the lower-spreading of the two threats is actually a downloader component used to spread the ever-present Conficker, or Kido worm (aka Downadup).

Bringing up the rear in tenth is Trojan.Skintrim.HTML.A, a type of HTML page usually found associated with adware programs such as Navipromo.

BitDefender’s September 2009 Top 10 E-Threat list is made up of:

1. Trojan.Clicker.CM 10.98%
2. Trojan.AutorunINF.Gen 9.58%
3. Trojan.Wimad.Gen.1 5.52%
4. Win32.Worm.Downadup.Gen 4.68%
5. Exploit.PDF-JS.Gen 4.09%
6. Trojan.Exploit.JS.Y 3.44%
7. Win32.Sality.OG 2.75%
8. Trojan.Autorun.AET 2.27%
9. Worm.Autorun.VHG 1.78%
10. Trojan.Skintrim.HTML.A 1.49%
11. Others 53.41%

Guest Article by Neil Camp

The report highlighted the fact that 14 million computers have been enslaved by cybercriminal botnets, a 16% increase over last quarter.

Auto-run is becoming an increasing problem and over a test period of 30 days, it was discovered to have infected over 27 million files. Auto-Run malware, which exploits Windows Auto-Run capabilities, does not require any user clicks to activate. It is most often spread through portable USB and storage devices. Depressingly, the rate of detection surpasses the infamous Conficker worm by 400%, making it the number one piece of malware detected around the world.

Mike Gallagher, Senior Vice President and Chief Technology Officer of McAfee Avert Labs, said:
“The jump in bot and spam activity we saw in the last three months is alarming, and the threat from Auto-Run malware continues to grow. The expansion of these infections is a grave reminder of the potential harm that can be caused by unprotected computers in homes and businesses.”

McAfee also provides some background showing the a generally worsening computer security situation.

It is noted that fourteen million additional computers have been turned into botnets this quarter. This equates to more than 150,000 computers infected every day, or 20% of the personal computers bought daily.

It also said that South Korea accounted for the largest boost in bot activity. The country saw a 45% increase in new infected computers over the last quarter. And such botnets were used to execute the recent DDoS cyber attacks against the White House, the New York Stock Exchange and South Korean government Web sites.

But although South Korea has its problems, it only accounts for less than four percent of the world’s new bots. And its the U.S. which tops the list with 15% of the new zombie computers.

And its this bot expansion that is behind the increasing volume of spam, which is now 92% of all email. Spam volumes have now exceeded the highest volume on record by 20%, increasing at a steady rate of roughly 33% each month. This equates to spam volumes growing by over 117 billion emails every day.

What’s most disturbing, is that as the number of bots continues to grow, malware writers have begun to offer malicious software as a service to those who control botnets. By exchanging, or selling resources, cybercriminals distribute new malware to wider audiences instantaneously. And the creation of and management of malware is becoming even easier, thanks to programmes like Zeus.

Programs like Zeus – an easy-to-use Trojan creation tool – continue to make the creation and management of malware even easier.

And cyber criminals are increasingly turning their attention to the popular social networking sites, including Twitter, Facebook and MySpace.

Guest Article by Neil Camp