
Exploit kits, Slammer worm top April’s most wanted malware list, Check Point

Enterprises are increasingly being hit with exploit kits, especially Rig EK, and the Slammer worm has resurfaced, according to Check Point's latest monthly Global Threat Impact Index.

After a lull, Slammer has wormed its way back into Check Point's list of the top three malware families, affecting four percent of businesses. The worm, which exploits a buffer overflow bug in Microsoft's SQL Server and Desktop Engine database line, spread rapidly and caused numerous denial-of-service conditions. It is the second time the worm, which first appeared in 2003, has entered the malware top 10 in recent months, and it is evidence of how old bugs, for which patches have long been available, can still wreak havoc on unpatched systems, the Check Point Research Team remarked.

A similar trend is visible on the exploit kit front, with older variants resurfacing for the second month in a row. Exploit kits also reappeared in March; these kits probe a visitor's device for exploitable flaws through which malicious code can be injected.

The Check Point team urged vigilance in staying on top of a wide range of threats and attack vectors, "even those that appear to have fallen out of general usage."

The company's top 10 global malware families illustrate this spectrum. The most common malware in April were Rig EK and HackerDefender, affecting 5 percent and 4.5 percent of enterprises across the globe respectively, while Slammer came in third impacting 4 percent of organizations.

"The old adage 'an ounce of prevention is worth a pound of cure' holds true for IT," Nicolas McKerrall, threat prevention researcher at Check Point Software, told SC Media on Thursday. "By keeping your systems updated you prevent minor events from turning into major incidents."

Everyone is focusing on the patching aspect, but really patching can be difficult to achieve uniformly inside an organization, McKerrall said. "Enterprises can take a multi-layered approach to security to safeguard against these attacks." 

This includes using intrusion prevention to block known exploits on the edge of their network, McKerrall said, as well as implementing segmentation between hosts, zones or subnets to prevent threats from spreading laterally in the organization, and implementing advanced threat prevention technology to scan files coming in from outside the enterprise.

"This resurgence of worms and the speed with which they've been proliferating just goes to show how many vulnerable and unpatched systems are sitting out there directly connected to the internet," McKerrall told SC. "We need organizations to start wrapping these vulnerable systems in security when patching just isn't feasible. Segmenting these systems and introducing security controls at the network layer will help keep these systems safe even if they're not easily patched."
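As an added example (not code from the article or from Check Point), the following Python sketches the kind of network-layer check McKerrall describes, applied to the Slammer traffic discussed above. The facts it relies on come from public analyses of the worm rather than from the article: Slammer is a single UDP datagram sent to port 1434, the SQL Server Resolution Service whose buffer overflow was fixed in MS02-039 (CVE-2002-0649); its payload is 376 bytes, starts with the SSRP request type byte 0x04 and is followed by a long run of 0x01 bytes that overruns the buffer. The 64-byte filler threshold, the 16-character instance-name bound used as a heuristic, and all sample datagrams are assumptions constructed for this example.

```python
"""Heuristic detector for Slammer-style traffic to UDP/1434.

Added example; not from the article or Check Point. Constants marked
'public' are documented facts about Slammer/SSRP; the rest are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SSRP_PORT = 1434                 # public: SQL Server Resolution Service port
SSRP_OPEN_CONNECTION = 0x04      # public: SSRP request type Slammer's packet starts with
SLAMMER_PAYLOAD_LEN = 376        # public: size of the worm's UDP payload
FILLER_BYTE = 0x01               # public: byte the worm repeats to overrun the buffer
FILLER_RUN_MIN = 64              # assumption: run length considered suspicious
INSTANCE_NAME_MAX = 16           # assumption: bound on a legitimate instance name


@dataclass
class Datagram:
    src: str
    dst: str
    dport: int
    payload: bytes


def leading_filler_run(payload: bytes) -> int:
    """Count the run of 0x01 bytes immediately following the type byte."""
    n = 0
    for b in payload[1:]:
        if b != FILLER_BYTE:
            break
        n += 1
    return n


def classify(dg: Datagram) -> Optional[str]:
    """Return a reason if the datagram looks like Slammer, otherwise None.

    Normal SSRP traffic is tiny: a 0x02/0x03 discovery ping, or a 0x04
    request carrying a short NUL-terminated instance name.
    """
    if dg.dport != SSRP_PORT or not dg.payload:
        return None
    if dg.payload[0] != SSRP_OPEN_CONNECTION:
        return None  # discovery pings and other types are left alone here
    if len(dg.payload) == SLAMMER_PAYLOAD_LEN:
        return "payload length matches Slammer (376 bytes)"
    if leading_filler_run(dg.payload) >= FILLER_RUN_MIN:
        return "long 0x01 filler run after type byte"
    if len(dg.payload) - 1 > INSTANCE_NAME_MAX + 1:  # +1 for terminating NUL
        return "instance-name field oversized"
    return None


def scan(datagrams: List[Datagram]) -> List[Tuple[Datagram, str]]:
    """Run classify() over a batch and return the datagrams worth blocking."""
    hits = []
    for dg in datagrams:
        reason = classify(dg)
        if reason:
            hits.append((dg, reason))
    return hits


# Constructed sample traffic. The worm-like payload keeps only the shape of
# the real packet (type byte, 97 filler bytes, total 376 bytes); the region
# where the worm carries its code is zero-filled here.
SLAMMER_LIKE = Datagram("203.0.113.7", "10.0.2.15", SSRP_PORT,
                        b"\x04" + b"\x01" * 97 + bytes(376 - 98))
SAMPLE_TRAFFIC = [
    Datagram("10.0.2.20", "10.0.2.255", SSRP_PORT, b"\x02"),            # discovery ping
    Datagram("10.0.2.20", "10.0.2.15", SSRP_PORT, b"\x04MSSQLSERVER\x00"),  # normal request
    Datagram("10.0.2.20", "10.0.2.15", 80, b"\x04" + b"\x01" * 200),    # not SSRP
    SLAMMER_LIKE,
]

if __name__ == "__main__":
    for dg, reason in scan(SAMPLE_TRAFFIC):
        print(f"BLOCK {dg.src} -> {dg.dst}:{dg.dport}: {reason}")
```

In practice this logic lives in the IPS or firewall at the segment boundary, and the complementary control is simply not permitting UDP/1434 between zones that have no reason to discover each other's SQL instances.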

April 2017's Top 10 'Most Wanted' Malware

Rig EK – Exploit kit first seen in 2014. Rig delivers exploits for Flash, Java, Silverlight and Internet Explorer. The infection chain starts with a redirection to a landing page whose JavaScript checks for vulnerable plug-ins and then delivers the matching exploit.

HackerDefender – User-mode rootkit for Windows that can hide files, processes and registry keys. It also implements a backdoor and port redirector that operates through TCP ports already opened by existing services, so the backdoor never appears as a listening port of its own and is hard to spot with conventional port- and process-listing tools.

Slammer – Memory-resident worm targeting Microsoft SQL Server 2000. By propagating rapidly, the worm can cause a denial-of-service condition on affected targets.

Conficker – Worm that allows remote operations and malware download. Infected machines join a botnet and contact its command-and-control server to receive instructions.

Cryptowall – Ransomware that started as a Cryptolocker doppelgänger but eventually surpassed it. After the takedown of Cryptolocker, Cryptowall became one of the most prominent ransomware families to date. It is known for its use of AES encryption and for conducting its C&C communications over the Tor anonymity network, and is widely distributed via exploit kits, malvertising and phishing campaigns.

Zeus – Banking Trojan that uses man-in-the-browser keystroke logging and form grabbing in order to steal banking information.

↑  Nivdort – Multipurpose bot, also known as Bayrob, used to collect passwords, modify system settings and download additional malware. It is usually spread via spam emails with the recipient's address encoded in the binary, which makes each file unique.

↑  Sality – Virus that lets its operator perform remote operations on infected systems and download additional malware to them. Its main goal is to persist on a system and provide the means for remote control and for installing further malware.

↑  Necurs – Botnet used to spread malware via spam emails, mainly ransomware and banking Trojans.

Gamarue – Used to download and install new versions of malicious programs, including Trojans and adware, on victim computers.

Mobile malware also continues to escalate. The two families at the top of the list are the same as in March, while Lotoor returned to the list in the number three slot.

Top 3 'Most Wanted' mobile malware

Hiddad – Android malware that repackages legitimate apps and releases them to a third-party store. Its main function is displaying ads, but it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.

Hummingbad – Android malware that establishes a persistent rootkit on the device, installs fraudulent applications and, with slight modifications, could enable additional malicious activity such as installing a keylogger, stealing credentials and bypassing encrypted email containers used by enterprises.

Lotoor – Hack tool that exploits vulnerabilities in the Android operating system to gain root privileges on compromised mobile devices.

"Cybercriminals will always choose to adapt the tools they already have at their disposal if possible, rather than developing brand new ones, simply because it's faster and more cost-effective," the report stated.
