GFI Software’s ThreatNet™ statistics for December reveal that criminals took full advantage of the Christmas and New Year holiday period by launching themed malware attacks on the public
GFI Software, a leading IT solutions provider for small and medium-sized enterprises, today revealed that Trojan and rogue malware continued to circulate at high levels during December, with the data showing a surge in activity driven by themed campaigns around the Christmas and New Year holiday period. The top 10 data is compiled from monthly scans performed by GFI's award-winning anti-malware solution, VIPRE® Antivirus, and its antispyware tool, CounterSpy®, as a service of GFI Labs™.
Users were targeted with a variety of infected email, web links and other delivery mechanisms promising festive information, discount offers, Christmas e-cards and free software. The month also saw the big movie release of the season, Disney’s TRON Legacy, targeted by a wide array of SEO-poisoned links, unwanted installs and other malware fakery, while a spate of fake iTunes emails caught several people off-guard, luring users into running a malicious script that exploited a known Java vulnerability. GFI researchers also uncovered an Amazon receipt generator scam aimed at fooling retailers into honoring fraudulent receipts during the busy holiday shopping season.
December once again saw significant activity from Trojan threats, which continue to dominate the overall malware landscape. Seven of the top 10 malware detections were Trojans, and those seven together accounted for almost 35% of all malware detections for the month. In addition to a range of Trojans, worms also created major problems during December. Most significant was Worm.Win32.Downad.Gen (v), appearing at number seven in December's top 10, a detection for the Downadup worm, otherwise known as Conficker and Kido.
Conficker exploits a vulnerability in the Windows Server service (the one patched by MS08-067) that allows remote code execution when file sharing is enabled. The worm spreads across networks as well as via removable drives, guessing weak administrator passwords to reach network shares along the way. It commonly disables system services and anti-malware protection, leaving infected systems exposed to further infection by other malware.
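Conficker's removable-drive spread depends on an autorun.inf that Windows acts on when the drive is inserted, and INF.Autorun (v) in the table below is, as its name indicates, a detection for such files. The Python below is an added example of how a heuristic of that kind can be written; it is not GFI's detection logic and not code from this release. It relies on the fact that Windows' autorun.inf parser is lenient (section and key names are case-insensitive and lines it cannot parse are silently ignored), which removable-media worms exploit by burying the real launch directive among junk lines. The three autorun.inf samples are constructed, and the RECYCLER path and payload name in the obfuscated sample are placeholders, not real indicators.

```python
"""Heuristic triage of autorun.inf files (added example, not GFI's detection code)."""
import re
from dataclasses import dataclass, field

# Keys whose value Windows runs when the volume is inserted or double-clicked.
EXEC_KEYS = {"open", "shellexecute"}
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")   # e.g. shell\open\command
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".dll")
LOLBINS = {"rundll32", "regsvr32", "cmd", "wscript", "cscript"}
JUNK_THRESHOLD = 10  # unparseable lines before we call the file obfuscated (assumed cut-off)


@dataclass
class Verdict:
    suspicious: bool = False
    reasons: list = field(default_factory=list)
    directives: dict = field(default_factory=dict)
    junk_lines: int = 0


def parse_autorun(data: bytes):
    """Return ({key: value} from the [autorun] section, number of ignored junk lines).

    Mirrors Windows' leniency: section and key names are case-insensitive, and
    any line that is neither a section header nor a sane key=value pair is
    skipped rather than treated as an error. We count those skipped lines.
    """
    text = data.decode("latin-1")        # never fails; junk bytes become junk chars
    directives, junk, in_autorun = {}, 0, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            in_autorun = header.group(1).strip().lower() == "autorun"
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if not sep or not re.fullmatch(r"[a-z0-9_\\]+", key):
            junk += 1                     # Windows ignores it; we ignore it but count it
            continue
        if in_autorun:
            directives[key] = value.strip()
    return directives, junk


def launches_executable(value: str) -> bool:
    """True if the directive's command token is an executable or a LOLBin such as rundll32."""
    tokens = value.replace('"', "").split()
    if not tokens:
        return False
    target = tokens[0].lower()
    return target.endswith(EXEC_EXT) or target in LOLBINS


def triage(data: bytes) -> Verdict:
    """Flag an autorun.inf that launches code, and note junk padding around the directive."""
    directives, junk = parse_autorun(data)
    v = Verdict(directives=directives, junk_lines=junk)
    for key, value in directives.items():
        if (key in EXEC_KEYS or SHELL_CMD_RE.match(key)) and launches_executable(value):
            v.suspicious = True
            v.reasons.append(f"{key}= runs {value!r}")
    if v.suspicious and junk >= JUNK_THRESHOLD:
        v.reasons.append(f"{junk} unparseable lines around the directives (obfuscation)")
    return v


# Constructed samples (not real malware files): a benign vendor USB stick, a plain
# dropper, and one that hides the same kind of directive among junk lines.
BENIGN = b"[autorun]\r\nicon=setup.exe,0\r\nlabel=Vendor Tools\r\n"
DROPPER = (b"[autorun]\r\nopen=setup.exe\r\nshell\\open\\command=setup.exe\r\n"
           b"action=Open folder to view files\r\n")
JUNK = b"".join(b"\x01\x7f%d\xff" % i + b"\r\n" for i in range(40))
OBFUSCATED = (b"[garbage]\r\n" + JUNK
              + b"[AutoRun]\r\nOpEn=RUNDLL32.EXE .\\RECYCLER\\payload.dll,entry\r\n" + JUNK)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("dropper", DROPPER), ("obfuscated", OBFUSCATED)):
        v = triage(sample)
        print(f"{name:10s} suspicious={v.suspicious} junk={v.junk_lines} {v.reasons}")
```

The benign sample shows why the key matters and not just the value: `icon=setup.exe,0` names an executable but only supplies an icon, so it is not flagged, whereas `open=` and `shell\...\command=` are. The junk count is only reported alongside an execution directive, so a merely odd-looking file is not flagged on padding alone.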
“Following on from the increased themed threat traffic we saw in November around Thanksgiving, Black Friday and Cyber Monday, criminals once again attempted to take advantage of Christmas and the holiday season with themed attacks designed to drive users towards infected sites and to trick them into opening infected email and executables. Themed attacks, along with themed SEO poisoning and fake application installs, are firmly established as a successful means for malware creators to distribute malcode and create disruption for organizations and families alike,” said Tom Kelchner, communications and research analyst for GFI Software.
“December is a challenging month for computing security, with many businesses shut for a prolonged period and consumers at home for the holidays. Casual computer use rises and vigilance can drop, creating opportunities for malware infection that would otherwise not happen the rest of the year. The top 10 serves as a stark reminder that IT security should not be taken for granted at any time,” Kelchner added.
The problem of fake software was highlighted by FraudTool.Win32.FakeVimes!delf (v), number nine on this month’s top 10. This is a heuristic detection for files associated with the FakeVimes family of rogue security products, illustrating the continued growth of fake and compromised security applications as a means to circulate and covertly install malware onto PCs.
ThreatNet is GFI Labs’ monitoring system that retrieves real-time data from VIPRE installations. Statistics come from tens of thousands of machines running VIPRE.
Top 10 detections for December

| Rank | Detection | Type | Percent of detections |
| --- | --- | --- | --- |
| 1 | Trojan.Win32.Generic!BT | Trojan | 21.93 |
| 2 | Trojan-Spy.Win32.Zbot.gen | Trojan | 3.79 |
| 3 | Trojan.Win32.Generic.pak!cobra | Trojan | 3.14 |
| 4 | Trojan.Win32.Generic!SB.0 | Trojan | 2.78 |
| 5 | Exploit.PDF-JS.Gen (v) | PDF Exploit | 1.79 |
| 6 | INF.Autorun (v) | Trojan | 1.63 |
| 7 | Worm.Win32.Downad.Gen (v) | Worm | 1.27 |
| 8 | Trojan.ASF.Wimad (v) | Trojan | 0.77 |
| 9 | FraudTool.Win32.FakeVimes!delf (v) | Fake App | 0.73 |
| 10 | Trojan.Win32.Meredrop | Trojan | 0.72 |
About GFI Labs
GFI Labs, formerly known as SunbeltLabs, specialises in the discovery and analysis of dangerous vulnerabilities (i.e., security holes, bugs, misused features or combinations of operations) that could be exploited for Internet and email attacks. The research team actively researches new malware outbreaks, creating and testing new threat definitions on a constant basis.
About GFI
GFI Software provides web and mail security, archiving, backup and fax, networking and security software and hosted IT solutions for small and medium-sized businesses (SMBs) via an extensive global partner community. GFI products are available either as on-premise solutions, in the cloud or as a hybrid of both delivery models. With award-winning technology, a competitive pricing strategy, and a strong focus on the unique requirements of SMBs, GFI satisfies the IT needs of organizations on a global scale. The company has offices in the United States (North Carolina, California and Florida), UK (London and Dundee), Austria, Australia, Malta, Hong Kong, Philippines and Romania, which together support hundreds of thousands of installations worldwide. GFI is a channel-focused company with thousands of partners throughout the world and is also a Microsoft Gold Certified Partner.