Each year, the United Nations observes the International Day of Families on May 15. It’s a day that focuses on the role families play in cultivating education and lifelong learning. By emphasizing the importance of caregivers, the International Day of Families encourages parents to teach their children about sustainable development, human rights, gender equality, and other values that form the basis of a culturally diverse, globalized citizenry.
We at The State of Security celebrate the International Day of Families. But given our interest in all things information security, we do so in a special way. We are firm believers in the idea that families cultivate education. Just look at how malware has given so many security firms their raison d’être and ignited countless research efforts. Malware is the source of continuing education in the security industry.
As such, we would be remiss to not recognize how some of the most prominent malware families continue to plague users and thereby spur on information security as a field of study. Here are 10 high-profile malware families* that are particularly worthy of recognition. These families are arranged alphabetically and are not ranked.
Conficker is a family of worms that’s capable of infecting PCs by exploiting vulnerabilities in a Windows system file. Upon successful installation, the malware disables services and security products. It also communicates with its command and control (C&C) server to download additional files and run malicious code if file-sharing is enabled on the infected machine.
At one time acknowledged as “the largest and most destructive ransomware threat on the Internet,” CryptoWall is a trojan that typically arrives on a computer via spam emails, exploit kits, compromised websites, or other malware. It then encrypts a user’s files before displaying a ransom note with payment instructions for how the victim can recover their data. The ransomware has evolved through many different versions and is still in development.
HackerDefender is a rootkit that affects machines running Windows NT 4.0, Windows 2000, and Windows XP. It tricks users into installing it by masquerading as legitimate software applications. Once downloaded, the malware installs backdoors onto the infected system and registers as a hidden system service to maintain persistent access to the machine.
An Android-based threat, Hiddad uses social engineering techniques to trick users into installing fake software applications. The malware leverages successful installation to undermine the security and privacy of a victim by stealing personal and/or financial information, sending SMS text messages to premium services, creating backdoors, and locking the device for payment.
Check Point researchers first detected HummingBad in February 2016. It’s “an extremely sophisticated and well-developed malware” that attempts to compromise Android users via a rootkit and chain-attack technique. For the first half of 2016, the threat dominated the mobile threat landscape. Another Android-based threat known as Triada eventually supplanted HummingBad as the most prevalent mobile malware family in January 2017.
The main risk of Necurs is the malware family’s ability to download other malware onto a computer. Oftentimes downloaded at the same time as fake security software, this threat can also create backdoors on a machine, thereby granting hackers remote access to an infected computer. Necurs also disables security software, steals information, strives to achieve persistence, and uses several techniques to avoid detection.
Nivdort is a trojan that typically arrives on a user’s computer as a .zip attachment. The threat is capable of stealing victims’ credentials including passwords, banking information, and login details for social network sites. In some cases, the malware also attempts to install other malware onto an infected machine.
For more than a decade, Sality has been preying upon Windows users. It spreads by infecting executable files on local, removable, and remote shared drives. It also tries to infect the executable files that run when Windows starts. Upon successful infection, the file infector disables security software, enlists the affected machine in a peer-to-peer (P2P) botnet, and receives URLs for additional files to download.
A type of Android-based malware, Triada is delivered as a payload by other malware that has already gained root privileges on a device, and it leverages that access to install apps and display aggressive advertising. The threat is modular in design and is capable of infecting Android’s Zygote, the process that controls when apps start and stop on a device. In addition, it collects information about an affected phone and conceals itself in the device’s RAM, which makes detection difficult.
ZeuS tends to arrive on users’ machines via spam campaigns or drive-by downloads. It’s designed primarily to steal confidential information including usernames/passwords and banking credentials. However, attackers can also use the threat to execute additional files, shut down the computer, and delete system files.
Detecting Unknowns as Prevention
Given the persistence of the families discussed above, malware analysis in today’s world should involve monitoring for unknowns. It’s not an easy task by any stretch of the imagination. But via file integrity monitoring (FIM) of what matters in their IT environments, organizations can anticipate where attackers might deploy their malware as well as what those programs might change or affect.
To learn more about how FIM can assist with malware detection and response, click here.
*Hat tip to Check Point and its monthly “Most Wanted Malware” lists.