ESET NOD32, Top 10 Computer Threats in June 2010


It is probably no longer a surprise that Conficker still holds first place, given how old its versions are. INF/AutoRun continues to “prosper” despite the fact that it is easy to change the default setting that makes this attack possible.

1. Win32/Conficker

Win32/Conficker is a network worm that initially propagated by exploiting a recent vulnerability in the Windows operating system. The vulnerability lies in the RPC subsystem and can be triggered remotely by an attacker without valid authentication credentials.

Depending on the version, it can also spread through unsecured shared folders and removable storage devices, using the Autorun functionality that is enabled by default in Windows (though not in Windows 7).

Win32/Conficker loads a DLL with the help of the svchost process. The threat contacts web servers at pre-established domain names to download additional malware.

It is important to remember that most Conficker infections can be avoided by keeping the computer up to date with the latest patches, disabling Autorun, and not using unsecured shared folders. Given the publicity and the ease of fixing the vulnerability, a decrease in infections was expected as users took these steps. Still, the Conficker Working Group estimates that around 6 million computers remain infected.

2. INF/Autorun

This name covers a variety of malware that uses the autorun.inf file to compromise a computer. The file lists programs to run automatically when a removable storage device (such as a USB drive) is detected.

Removable storage devices are very useful and very popular, and malware developers are of course aware of this.

This is where the problem lies. The default Autorun settings allow the programs listed in autorun.inf to run automatically when a removable device is detected, and many malware families copy themselves to such devices. Although this may not be a program's main distribution mechanism, malware developers keep working to improve it.

Although malware that uses this mechanism is easily detected by antivirus solutions, it is best to disable Autorun.
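As an added example (not from the ESET report or this post), a small Python inspector for autorun.inf that lists the directives capable of launching a program when a removable drive is inserted or opened; the sample file is constructed for illustration and is not a real malware file.

```python
import re
from typing import Dict, List, Tuple

# Directives in the [autorun] section that make Windows launch a program: open=,
# shellexecute=, and any shell\<verb>\command= entry (e.g. shell\open\command=).
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_COMMAND = re.compile(r"shell\\[^\\]+\\command")

# Constructed sample modelled on the typical autorun.inf layout seen with
# INF/Autorun detections; the action= text mimics Explorer's normal prompt.
SAMPLE_AUTORUN = r"""
stray-text-outside-any-section
[autorun]
; comment lines and stray text outside a section are ignored
open=RECYCLER\setup.exe
shellexecute=RECYCLER\setup.exe
shell\open\command=RECYCLER\setup.exe
action=Open folder to view files
icon=%SystemRoot%\system32\shell32.dll,4
"""

def parse_autorun_inf(text: str) -> Dict[str, Dict[str, str]]:
    """Tolerant INI-style parser: keeps going past junk lines that some
    malware pads autorun.inf with to trip up stricter parsers."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # text outside a section or without '=' cannot be a directive
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections

def launch_targets(text: str) -> List[Tuple[str, str]]:
    """Return (directive, program) for every entry that would execute something."""
    autorun = parse_autorun_inf(text).get("autorun", {})
    return [(k, v) for k, v in autorun.items()
            if k in LAUNCH_KEYS or SHELL_COMMAND.fullmatch(k)]

if __name__ == "__main__":
    for directive, program in launch_targets(SAMPLE_AUTORUN):
        print(f"{directive} -> {program}")
```

A file on a removable drive whose only entries are icon= or label= is harmless; anything returned by launch_targets is what disabling Autorun prevents from running.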

3. Win32/PSW.OnLineGames

Used mainly for phishing attacks against gamers, this family of Trojans has keylogging and rootkit capabilities and collects information about online games and login credentials. The stolen data is usually sent back to the attacker's PC.

These Trojans come in many variants, and gamers should be on alert. While there have always been people who “stole” a gamer's login credentials just for fun, selling virtual currency, treasures, avatars and so on is a major source of illegal income for hackers. Players of MMORPGs such as Lineage and World of Warcraft in particular should be aware of the threats they may encounter.

4. Win32/Agent

To achieve its purpose, the malware copies itself to a temporary location and adds keys to the Registry.

This label covers such a wide range of threats that it is impossible to prescribe a single method for avoiding infection. In general, use a good anti-malware solution, apply all available patches, disable Autorun, and think carefully before clicking on anything.

5. JS/TrojanDownloader.Pegel.BR

This is a script injected into web pages. It redirects users to other infected websites by injecting IFRAME tags. Once a user is redirected to such a site, the user's computer downloads and runs malware.

Malicious scripts and iframes are a major cause of infection, which is why it is a good idea to disable scripts by default wherever possible, not only in browsers but also in PDF readers. For example, NoScript is an open-source extension for Firefox that allows JavaScript and other potential vectors to be disabled and selectively re-enabled.

6. INF/Conficker

INF/Conficker is related to the INF/Autorun detection. It applies to a version of the autorun.inf file used to spread some versions of the Conficker worm.

This is another reason to disable the Autorun option.

7. Win32/Sality

Sality is a polymorphic file infector. When executed, it starts a service, creates or deletes registry keys related to the system's security functions, and ensures that the threat starts automatically after each reboot.

It modifies EXE and SCR files and disables services and processes related to security solutions.

This is a classic example of malware that uses a wide range of techniques (file infection, autorun infection, polymorphism, disabling antivirus solutions) to maximize its chances of infection and survival. It is worth verifying that your antivirus solution is still operational. The fact that Sality has been spreading for years shows that these strategies work.

8. Win32/Qhost

This type of threat copies itself to the %system32% folder before Windows boots. Win32/Qhost can spread through email, and the attacker gains control of the infected computer. This group of Trojans modifies the hosts file and redirects Internet traffic to specific domain names.

This is an example of a Trojan that modifies the DNS configuration of the infected computer to change how domain names are resolved, so that the machine can no longer reach an antivirus vendor's website to download updates.
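As an added example (not from the ESET report or this post), a Python check for the kind of hosts-file tampering described above: it flags any entry for a vendor or update domain, and reports whether the domain was blackholed (loopback or 0.0.0.0) or redirected elsewhere. The watch-list and the sample hosts file are constructed assumptions.

```python
import ipaddress
from typing import List, Tuple

# Constructed watch-list (assumption, not from ESET): domains whose mere presence
# in the hosts file is suspicious, since update sites never need a static mapping.
WATCHED_SUFFIXES = ("eset.com", "windowsupdate.com", "microsoft.com")

# Constructed sample hosts file, not taken from a real infection. It shows both
# behaviours: blackholing vendor sites and redirecting one to a chosen address.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.eset.com         # blackholed: updates fail silently
0.0.0.0         download.windowsupdate.com
192.0.2.10      www.microsoft.com       # redirected (192.0.2.0/24 is a documentation range)
"""

def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (ip, [hostnames]) for each active line; '#' begins a comment."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2:
            entries.append((parts[0], [h.lower() for h in parts[1:]]))
    return entries

def is_blackhole(ip: str) -> bool:
    """Loopback or unspecified (0.0.0.0 / ::) addresses make a host unreachable."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified

def is_watched(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)

def suspicious_entries(text: str) -> List[Tuple[str, str, str]]:
    """(ip, hostname, 'blackholed'|'redirected') for every watched domain found."""
    hits = []
    for ip, hosts in parse_hosts(text):
        for host in hosts:
            if is_watched(host):
                hits.append((ip, host, "blackholed" if is_blackhole(ip) else "redirected"))
    return hits

if __name__ == "__main__":
    for ip, host, why in suspicious_entries(SAMPLE_HOSTS):
        print(f"{why:10} {host} -> {ip}")
```

On a real machine the file to read is %SystemRoot%\System32\drivers\etc\hosts; a clean system has no entries there for any security vendor or update domain.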

9. Win32/Spy.Ursnif.A

This threat runs a spyware component that steals information from the infected PC and sends it to a remote location; it also creates a hidden user account that allows connections via Remote Desktop.

Although there are many clues that can reveal the presence of this malware on a computer, it will go unnoticed by a regular user.

The specific settings it uses will most likely change over time. Users need to be careful when downloading files from the Internet.

10. HTML/ScrInject.B

This is a generic detection for HTML web pages containing scripts or iframes that automatically redirect the user to a malicious website.

Malicious scripts and iframes are a major cause of infection, which is why it is recommended to disable scripts wherever possible.
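As an added example (not from the ESET report or this post) covering both the Pegel and ScrInject entries, a Python scanner that walks a page's HTML and flags iframes styled or sized to be invisible, plus any iframe or script loaded from a host other than the page's own. The sample page and the page host are constructed; the domains are reserved example names.

```python
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed sample page: a legitimate site into which an invisible iframe and a
# third-party script have been injected (fictitious, reserved example domains).
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<script src="/js/site.js"></script>
<iframe src="http://bad.example/land.php" width="1" height="1"
        style="visibility: hidden"></iframe>
<script src="http://cdn.example.net/x.js"></script>
</body></html>
"""

class InjectFinder(HTMLParser):
    """Collect (finding, src) for iframes made invisible and for iframes/scripts
    that pull content from a host other than the page's own."""

    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            tiny = any(a.get(d, "").strip() in ("0", "1") for d in ("width", "height"))
            hidden = "display:none" in style or "visibility:hidden" in style
            if tiny or hidden:
                self.findings.append(("hidden-iframe", src))
        host = (urlparse(src).hostname or "").lower()
        if host and host != self.page_host:
            self.findings.append((f"external-{tag}", src))

def find_injections(html: str, page_host: str) -> List[Tuple[str, str]]:
    """Run the finder over a page and return its findings in document order."""
    finder = InjectFinder(page_host)
    finder.feed(html)
    finder.close()
    return finder.findings

if __name__ == "__main__":
    for kind, src in find_injections(SAMPLE_HTML, "www.example.com"):
        print(f"{kind}: {src}")
```

External scripts are not malicious by themselves (ad networks and CDNs are common), so treat that finding as something to review against the site's known third parties, while a hidden iframe on a page that should not have one is a strong signal.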
