International Journal of Pure and Applied Mathematics Volume 116 No. 22 2017, 479-489 ISSN: 1311-8080 (printed version); ISSN: 1314-3395 (on-line version) url: http://www.ijpam.eu Special Issue ijpam.eu

Study on Emerging Trends in Variants

1 Yellepeddi Vijayalakshmi, 2 Neethu Natarajan, 3 P. Manimegalai and 4 Suvanam Sasidhar Babu

1 Department of Computer Science and Engineering, Karpagam University, Coimbatore, India.
2 Department of Computer Science and Engineering, SNGCE, Kadayiruppu, Ernakulam (Dt.), India.
3 Department of Computer Science and Engineering, Karpagam University, Coimbatore, India.
4 Department of Computer Science and Engineering, SNGCE, Kadayiruppu, Ernakulam (Dt.), India.

Abstract

This survey is based on the new trends in malware and its classification. Security researchers discovered that an average of four to five new malware variants emerged every second over the past years. This is a big problem for computer security. To defeat those variants we must know more about their families and their features. This survey will help to raise awareness about malware and its causes.

Index Terms: Malware, , backdoor, ransomware, spyware, scareware, cookie, Windows malware.


1. Introduction

The ever-increasing volume of new malware variants produced every day is a challenging problem in the security field. Security researchers have added more than 115 million malware samples to their databases so far this year, with Windows viruses making a comeback. Researchers discovered an average of four to five new malware variants every second over the past year and recorded a surprising comeback of self-reproducing Windows-based viruses, according to a new study [2]. The number of new malware variants that emerged in February 2017 was three times higher compared to January, nearly reaching the record-high levels registered in October 2016, Symantec reports [3,4,5]. 27% of all malware variants in history were created in the year 2015. The predominant platform for malware is still Windows, which accounts for 99.1% of malware specimens. Trailing behind are scripts, Java applets, macros and other operating systems like OSX, Android, and Unix/Linux [7,8].

The remainder of this paper is organized as follows. Section II gives an overview of malware. Section III describes the top 10 Windows malwares in 2016 and 2017. Section IV covers the top ransomware families detected in 2017. A brief summary of the predictions in the security field is given in Section V. We conclude this paper in Section VI.

2. Malware

Malware, short for malicious software, includes computer viruses, worms, Trojan horses, spyware, adware, scareware, and other malicious programs. It can take the form of executable code, scripts, active content, and other software [9,10]. Malware is defined by its malicious intent, acting against the requirements of the computer user, and so does not include software that causes unintentional harm due to some deficiency. Programs supplied officially by companies can be considered malware if they secretly act against the interests of the computer user. An example is the Sony rootkit, a Trojan horse embedded into CDs sold by Sony, which silently installed and concealed itself on purchasers' computers with the intention of preventing illicit copying; it also reported on users' listening habits, and unintentionally created vulnerabilities that were exploited by unrelated malware [9].

A computer virus is a type of malicious software program ("malware") that, when executed, replicates itself by modifying other computer programs and inserting its own code [10]. Infected targets can also include data files or the "boot" sector of the hard drive. When this replication succeeds, the affected areas are then said to be "infected" with a computer virus.


A Trojan horse is a malicious computer program which misrepresents itself to appear useful, routine, or interesting in order to persuade a victim to install it. The term is derived from the Ancient Greek story of the Trojan horse used to invade the city of Troy by stealth.

Rootkits: once a malicious program is installed on a system, it is essential that it stays concealed to avoid detection. Software packages known as rootkits allow this concealment by modifying the host's operating system so that the malware is hidden from the user. Rootkits can prevent a malicious process from being visible in the system's list of processes, or keep its files from being read.

A backdoor is a method of bypassing normal authentication procedures, usually over a connection to a network such as the Internet. Once a system has been compromised, one or more backdoors may be installed in order to allow access in the future, invisibly to the user [14].

Ransomware is a type of malicious software from cryptovirology that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion, in which it encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them [10][11][12][13]. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem, and difficult-to-trace digital currencies such as Ukash and Bitcoin are used for the ransoms, making tracing and prosecuting the perpetrators difficult. Ransomware attacks are typically carried out using a Trojan that is disguised as a legitimate file that the user is tricked into downloading or opening when it arrives as an email attachment. However, one high-profile example, the "WannaCry worm", traveled automatically between computers without user interaction.
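The cryptoviral extortion described above rewrites the victim's files, and on the host that shows up as a burst of renames to unfamiliar file names and extensions within a very short time (the same pattern Section 3 later attributes to Cerber, which renames files and appends a random extension). The following Python script is an added example, not code from the paper: it runs a simple rename-burst detector over a constructed file-activity log in a hypothetical "<timestamp> <pid> <event> <path>" format and flags any process that renames many files to unrecognised extensions within a 30-second window. The log lines, process ids, extension allowlist and thresholds are all constructed for the illustration.

```python
"""Rename-burst detector for ransomware-style file activity.

Added example (not from the paper). Processes a constructed file-activity
log and flags any process that renames many files to unrecognised
extensions within a short window, the behaviour the text attributes to
file-encrypting ransomware.
"""
import ntpath
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log in a hypothetical "<timestamp> <pid> <event> <path>" format.
# RENAME events carry "<old path> -> <new path>".
SAMPLE_LOG = """\
2017-05-12T09:00:01 1204 WRITE C:\\Users\\alice\\Documents\\report.docx
2017-05-12T09:15:22 1204 RENAME C:\\Users\\alice\\Documents\\draft.docx -> C:\\Users\\alice\\Documents\\report_v2.docx
2017-05-12T10:02:00 3311 RENAME C:\\Users\\alice\\Documents\\report.docx -> C:\\Users\\alice\\Documents\\8f2a1c0e.b4d7
2017-05-12T10:02:00 3311 RENAME C:\\Users\\alice\\Documents\\budget.xlsx -> C:\\Users\\alice\\Documents\\c91d5e77.b4d7
2017-05-12T10:02:01 3311 RENAME C:\\Users\\alice\\Pictures\\holiday.jpg -> C:\\Users\\alice\\Pictures\\0a6b3f42.b4d7
2017-05-12T10:02:01 3311 RENAME C:\\Users\\alice\\Pictures\\family.png -> C:\\Users\\alice\\Pictures\\e5d0c2a9.b4d7
2017-05-12T10:02:02 3311 RENAME C:\\Users\\alice\\Desktop\\notes.txt -> C:\\Users\\alice\\Desktop\\71bc9d03.b4d7
2017-05-12T11:30:00 1204 RENAME C:\\Users\\alice\\Downloads\\setup.tmp -> C:\\Users\\alice\\Downloads\\setup.exe
"""

# Extensions a user is expected to create; anything else counts as unfamiliar.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".jpg",
                    ".png", ".exe", ".tmp", ".zip"}
WINDOW = timedelta(seconds=30)   # how far back renames are counted
THRESHOLD = 5                    # distinct files renamed before alerting


def parse_line(line):
    """Split one log line into (time, pid, event, src_path, dst_path)."""
    ts, pid, event, rest = line.split(" ", 3)
    when = datetime.fromisoformat(ts)
    if event == "RENAME":
        src, dst = rest.split(" -> ", 1)
    else:
        src, dst = rest, None
    return when, int(pid), event, src, dst


def detect_rename_bursts(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return one (pid, distinct_files, extension) alert per process whose
    renames to unfamiliar extensions reached `threshold` within `window`."""
    recent = defaultdict(deque)   # pid -> deque of (time, new_path)
    alerts = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        when, pid, event, _src, dst = parse_line(raw)
        if event != "RENAME":
            continue
        ext = ntpath.splitext(dst)[1].lower()   # ntpath: Windows-style paths
        if ext in KNOWN_EXTENSIONS:
            continue
        q = recent[pid]
        q.append((when, dst))
        while q and when - q[0][0] > window:    # drop renames outside the window
            q.popleft()
        distinct = {path for _, path in q}
        if len(distinct) >= threshold and pid not in alerts:
            alerts[pid] = (pid, len(distinct), ext)
    return list(alerts.values())


if __name__ == "__main__":
    for pid, count, ext in detect_rename_bursts(SAMPLE_LOG):
        print(f"ALERT pid={pid}: {count} files renamed to '{ext}' within {WINDOW}")
```

On the constructed log, process 3311 renames five different files to the same unfamiliar extension within two seconds and is reported, while process 1204's ordinary renames are ignored. In a real deployment the events would come from a file-system audit source and the allowlist and threshold would be tuned per environment; the point is that the behaviour the paper describes is itself a detectable signal, independent of which family produces it.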

Spyware is software that aims to gather information about a person or organization without their knowledge, that may send such information to another entity without the consumer's consent, or that asserts control over a device without the consumer's knowledge [10]. Spyware is mostly classified into four types: adware, system monitors, tracking cookies, and Trojans [11]; examples of other notorious types include digital rights management capabilities that "phone home", key loggers, rootkits, and web beacons. Spyware is mostly used for the purposes of tracking and storing Internet users' movements on the Web and serving up pop-up ads to Internet users. Whenever spyware is used for malicious purposes, its presence is typically hidden from the user and can be difficult to detect. Some spyware, such as key loggers, may be installed intentionally by the owner of a shared, corporate, or public computer in order to monitor users. Spyware can collect almost any type of data, including personal information like internet surfing habits, user logins, and bank or credit account information. Spyware can also interfere with a user's control of a computer by installing additional software or redirecting web browsers. Some spyware can change computer settings, which can result in slow Internet connection speeds, unauthorized changes in browser settings, or changes to software settings.

A cookie is just a bit of text in a file on your computer, containing a small amount of information that identifies you to a particular website, together with whatever information that site wanted to retain about you from your visit. Cookies are a legitimate tool used by many websites to track visitor information. As an example, I might go to an online computer store and place an item in the basket, but decide not to buy it right away because I want to compare prices. The store can choose to put the information about what products I put into my basket in a cookie stored on my computer. This is an example of a good use of cookies to help the user experience. The only websites that are supposed to be able to retrieve the information stored in a cookie are the websites that wrote the information in that particular cookie. This should ensure your privacy by stopping anyone other than the site you are visiting from being able to read any cookies left by that site.

3. Windows Malware

a) Top 10 Windows malwares in 2017

The top 10 malware listed below were responsible for approximately 56% of all new malware infections reported by the MS-ISAC in April 2017. This was an increase of almost eight percentage points from March 2017 and continues an upward trend since it bottomed out at 43% in January 2017 [15].

Figure 3.1: Top 10 Malware (MS-ISAC report)

The above figure shows the malware infection statistics for April 2017. They are compiled from open source observations and reports on each malware type. The MS-ISAC observed a continued increase in spam and malware droppers, while malvertising continued to decline [15].

Kovter is a Trojan which has been observed acting as click fraud malware or a ransomware downloader. Recently it has been disseminated via spam email attachments containing malicious Office macros. Kovter is fileless malware that evades detection by hiding in registry keys. Reports indicate that Kovter has received updated instructions from command and control infrastructure to serve as a remote access backdoor.

ZeuS/Zbot is a banking Trojan which uses keystroke logging to compromise victim credentials when a user visits a banking website. Since the release of the ZeuS source code in 2011, many malware variants have adopted parts of its code, meaning that events classified as ZeuS may actually be other malware using parts of the ZeuS code. The widespread use of ZeuS has led to multiple vectors being used for distribution.

Tinba, also known as Tiny Banker, is a banking Trojan known for its small file size. Tinba uses web injection to collect victim information from login pages and web forms, and is primarily disseminated via exploit kits.

Fleercivet is a click fraud Trojan that injects code into Internet Explorer, Firefox, and Opera in order to generate revenue from advertisements. Fleercivet is dropped by malware downloaders and drive-by downloads.

Virut is a polymorphic virus that mostly infects executable files and has worm-like behavior. Virut spreads by copying itself to hard drives and opening up a back door on the compromised device. Virut is disseminated via malvertising.

DNSChanger is malware that was very prolific in the late 2000s and early 2010s, before being dismantled by a Federal Bureau of Investigation (FBI) takedown. Researchers identified a new variant in December 2017, which reportedly acts as an exploit kit targeting routers. Once a router is infected, the malware modifies its DNS records to point to a malicious server. DNSChanger is disseminated via malvertising and uses steganography to obfuscate its initial actions.

Dridex is a banking malware variant that uses malicious macros with either malicious embedded links or attachments. Dridex is disseminated via spam campaigns.

Ponmocup is a downloader associated with one of the largest and longest running botnets, active since 2006. Ponmocup is usually disseminated through an infected webpage as a malvertisement.

Cerber is an evasive ransomware that is capable of encrypting files in offline mode and is known for fully renaming files and appending a random extension to them. There are five versions of Cerber currently being disseminated via spam campaigns. Trend Micro has reported Cerber evolving specifically to evade detection by machine learning algorithms. Currently v1 is the only version of Cerber that has a decryption tool.

PCRat/Ghost is downloader malware disseminated via phishing emails containing a malicious attachment with a macro, and is known to obfuscate itself using PowerShell commands [15].

b) Top 10 Windows malwares in 2016

The below figure shows the top 10 Windows malware detected by Quick Heal in 2016 [8].


Figure 3.2: Top 10 Malwares in 2016 (Quick Heal report)

W32.Sality.U is a polymorphic file infector. After execution, it starts searching for and infecting all the executable files present on local drives, removable drives, and remote shared drives. It injects its code into all running system processes, then spreads further by infecting the executable files on local, removable, and remote shared drives. It tries to terminate security applications and deletes all files related to any security software installed on the system, and steals confidential information from the infected system.

Trojan.Starter.YY4 is a Trojan that works by connecting to a remote server and installing other malware on the computer that it infects. In other words, it is used as an entry point by other malware. This malware is linked to various banking Trojans and worms designed to spread over networks.

W32.Virut.G is a family of viruses associated with various botnets. It injects its code within running system processes and starts infecting the executable files present on local drives and removable drives. It also lets other malware enter the infected system.

Trojan.NSIS.Miner.SD is a Trojan that comes with freeware and shareware programs. Once installed on the infected computer, it redirects the user to malicious websites.

PUA.Mindsparki.Gen is a Potentially Unwanted Application (PUA) that comes with third-party bundled installer applications and software downloaders.

Worm.Conficker.Gen is a worm that can automatically spread from one system to another in a network, without any human interaction.

Worm.AutoRun.A10 is a worm designed to steal personal and confidential information from the infected system.

TrojanDropper.Dexel.A5 is a Trojan that can break the infected system's security.

Worm.Strictor.S5 is a worm that spreads through spam emails that contain malicious links or malicious attachments. It modifies the infected system's registry settings for auto start. It also drops other malware such as adware and spyware on the infected system.

PUA.Clientconn.Gen is a PUA that protects its search engine settings for browsers like default-search.net, search.ask.com, and Trovi search.


4. Top Ransomware Families in 2017

There are two important families of ransomware attacks: WannaCry and Petya.

The WannaCry ransomware attack was a May 2017 worldwide cyber-attack by the WannaCry ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency. The attack began on Friday, 12 May 2017, and within a day was reported to have infected more than 230,000 computers in over 150 countries. Shortly after the attack began, Marcus Hutchins, a 22-year-old web security researcher from North Devon in England then known as MalwareTech, discovered an effective kill switch by registering a domain name he found in the code of the ransomware. This greatly slowed the spread of the infection, effectively halting the initial outbreak on Monday, 15 May 2017, but new versions have since been detected that lack the kill switch. Researchers have also found ways to recover data from infected machines under some circumstances.

WannaCry propagates using EternalBlue, an exploit of Windows' Server Message Block (SMB) protocol. Much of the attention and comment around the event was occasioned by the fact that the U.S. National Security Agency (NSA) had already discovered the vulnerability, but used it to create an exploit for its own offensive work rather than report it to Microsoft. Microsoft eventually discovered the vulnerability, and on Tuesday, March 14, 2017, they issued security bulletin MS17-010, which detailed the flaw and announced that patches had been released for all Windows versions that were supported at that time, these being Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012, and Windows Server 2016, in addition to Windows Vista (which had recently ended support).

However, many Windows users had not installed the patches when, two months later on May 12, 2017, WannaCry used the EternalBlue vulnerability to spread itself. The next day, Microsoft released emergency security patches for Windows 7 and Windows 8.

Those still running older, unsupported versions of Microsoft Windows, such as Windows XP and Windows Server 2003, were initially at particular risk, but Microsoft released an emergency security patch for these platforms as well. Almost all victims of the cyber attack were running Windows 7, prompting a security researcher to argue that its effects on Windows XP users were "insignificant" in comparison [16].

Petya is a family of encrypting ransomware that was first discovered in 2016. The malware targets Microsoft Windows-based systems, infecting the master boot record to execute a payload that encrypts a hard drive's file system table and prevents Windows from booting. It subsequently demands that the user make a payment in Bitcoin in order to regain access to the system. Variants of Petya were first seen in March 2016, which propagated via infected e-mail attachments. In June 2017, a new variant of Petya was used for a global cyberattack, primarily targeting Ukraine. The new variant propagates via the EternalBlue exploit, which is generally believed to have been developed by the U.S. National Security Agency (NSA), and was used earlier in the year by the WannaCry ransomware. Kaspersky Lab referred to this new version as NotPetya to disambiguate it from the 2016 variants, due to these differences in operation. In addition, although it purports to be ransomware, this variant was modified so that it is unable to actually revert its own changes [17].

On 27 June 2017, a major global cyberattack began (Ukrainian companies were among the first to state they were being attacked), utilizing a new variant of Petya. On that day, Kaspersky Lab reported infections in France, Germany, Italy, Poland, the United Kingdom, and the United States, but said that the majority of infections targeted Russia and Ukraine, where more than 80 companies were initially attacked, including the National Bank of Ukraine. ESET estimated on 28 June 2017 that 80% of all infections were in Ukraine, with Germany second hardest hit with about 9%. Russian president Vladimir Putin's press secretary, Dmitry Peskov, stated that the attack had caused no serious damage in Russia. Experts believed this was a politically motivated attack against Ukraine, since it occurred on the eve of the Ukrainian holiday Constitution Day.

Kaspersky dubbed this variant "NotPetya", as it has major differences in its operation in comparison to earlier variants. McAfee engineer Christiaan Beek stated that this variant was designed to spread quickly, and that it had been targeting "complete energy companies, the power grid, bus stations, gas stations, the airport, and banks".

5. 2017 Predictions

a) Payment System and Banking Malware

Today banking transactions over mobile devices are under malware threat. Malware families attack different banking apps and merchant sites in different countries. Banking malware threats increase day by day and are going to be a major concern for security experts, and even more for users of mobile internet banking, in the near future.

b) Internet of Things (IoT) Security
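The recommendation made in this subsection, to place Internet-reachable IoT devices in their own network segment, restrict their network access and monitor the segment for anomalous traffic, can be reduced to a flow-log check. The following Python script is an added example, not code from the paper: the segment addresses, the per-device allowlist, the management host, the flow-log format and the sample flows are all hypothetical and constructed for the illustration.

```python
"""IoT segment flow monitor.

Added example (not from the paper). Models the advice to put Internet-reachable
IoT devices in their own segment, restrict what they may talk to, and watch the
segment for anomalous traffic. Input is a constructed flow log in a hypothetical
"<timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <bytes>" format.
All addresses, device roles and allowlists are hypothetical.
"""
import ipaddress

IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")    # hypothetical IoT VLAN
CORP_SEGMENT = ipaddress.ip_network("10.10.0.0/16")   # hypothetical corporate LAN

# Destinations (ip, port) each IoT device is expected to contact; a device that
# is not listed here is not supposed to be on the segment at all.
ALLOWED_EGRESS = {
    "10.20.0.11": {("203.0.113.10", 443), ("203.0.113.11", 8883)},  # camera -> vendor cloud
    "10.20.0.12": {("203.0.113.20", 443)},                          # thermostat -> vendor cloud
}
SEGMENT_WIDE = {("10.20.0.1", 53), ("10.20.0.1", 123)}   # local DNS/NTP for every device
ALLOWED_INBOUND = {"10.10.9.5"}                           # only host allowed to reach devices

# Constructed flow records, one per line.
SAMPLE_FLOWS = """\
2017-06-01T08:00:00 10.20.0.11:51000 -> 203.0.113.10:443 TCP 1820
2017-06-01T08:00:01 10.20.0.11:51001 -> 10.20.0.1:53 UDP 90
2017-06-01T08:00:05 10.20.0.12:40012 -> 203.0.113.20:443 TCP 640
2017-06-01T08:00:30 10.10.9.5:50222 -> 10.20.0.12:443 TCP 900
2017-06-01T08:01:10 10.20.0.11:51002 -> 10.10.5.25:445 TCP 3200
2017-06-01T08:02:00 198.51.100.7:33001 -> 10.20.0.11:23 TCP 120
2017-06-01T08:02:30 10.20.0.12:40013 -> 192.0.2.77:6667 TCP 410
2017-06-01T08:03:00 10.20.0.13:44444 -> 203.0.113.10:443 TCP 500
"""


def parse_flow(line):
    """Split one flow record into its fields, with ports and bytes as ints."""
    ts, src, _arrow, dst, proto, nbytes = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return ts, src_ip, int(src_port), dst_ip, int(dst_port), proto, int(nbytes)


def classify_flow(src_ip, dst_ip, dst_port):
    """Return the name of the violated rule, or None if the flow is expected."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src in IOT_SEGMENT:
        if src_ip not in ALLOWED_EGRESS:
            return "unknown-device"          # something unregistered joined the segment
        if (dst_ip, dst_port) in SEGMENT_WIDE or (dst_ip, dst_port) in ALLOWED_EGRESS[src_ip]:
            return None
        if dst in CORP_SEGMENT:
            return "lateral-to-corp"         # IoT device reaching into the corporate LAN
        return "unexpected-egress"           # device contacting a destination it never should
    if dst in IOT_SEGMENT:
        # Anything from outside reaching a device directly (e.g. telnet) means the
        # device is exposed, which is exactly what segmentation should prevent.
        return None if src_ip in ALLOWED_INBOUND else "inbound-to-iot"
    return None                              # flow does not touch the IoT segment


def monitor(flow_text):
    """Run every flow through classify_flow and collect the violations."""
    alerts = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        ts, src_ip, _sp, dst_ip, dst_port, _proto, _nbytes = parse_flow(line)
        rule = classify_flow(src_ip, dst_ip, dst_port)
        if rule is not None:
            alerts.append((ts, rule, src_ip, dst_ip, dst_port))
    return alerts


if __name__ == "__main__":
    for ts, rule, src_ip, dst_ip, dst_port in monitor(SAMPLE_FLOWS):
        print(f"{ts} {rule:18} {src_ip} -> {dst_ip}:{dst_port}")
```

On the constructed flows the monitor reports four violations: a camera opening SMB to a corporate host, an Internet address reaching a device's telnet port, a thermostat contacting an unexpected external host, and an unregistered device appearing on the segment. The allowlist is deliberately strict (exact destination and port per device) because IoT devices have a small, stable set of legitimate peers, which is what makes segment monitoring effective.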

The main problem is that, because the idea of networking appliances and other objects is relatively new, security has not always been considered in product design. IoT products are often sold with old and unpatched embedded operating systems and software. Furthermore, purchasers often fail to change the default passwords on smart devices, or if they do change them, fail to select sufficiently strong passwords. To improve security, an IoT device that needs to be directly accessible over the Internet should be segmented into its own network and have its network access restricted. The network segment should then be monitored to identify potentially anomalous traffic, and action should be taken if there is a problem.

c) Ransomware

It is possible that, with the major ransomware players taking the main stage at the end of the year, we are unlikely to see many, if any, new advanced ransomware families enter the market with the sophistication and mass penetration of Cerber and Locky. Many of them will be quickly developed just to take advantage of ransomware's popularity amongst cybercriminals. This is a continuation of a trend started in 2016. Nearly 60 percent of the ransomware variants detected in the last six months of 2016 were less than one year old, further driving home the fact that most ransomware in existence today is developed by newcomers to the ransomware industry. We may see more variants that modify the infected computer's Master Boot Record (MBR), which is a key part of a system's ability to boot into its operating system. Once modified, the system will boot into a lock screen set up by the malware, demanding payment not only to decrypt files but also to restore access to the main operating system. The addition of this functionality reduces the options for a victim to two: either pay the ransom or have the system wiped completely.

6. Conclusion

Malware variants are produced day by day in the security field. According to this study we found that an average of four to five different types of malware emerge and pose a big threat to computer security. Cyber criminals target every user who is connected to the internet and propagate different malwares, for example ransomware that encrypts all the user's data and demands a ransom. We must take effective steps to protect our systems.
References

[1] https://www.csoonline.com/article/3027598/cyber-attacksespionage/27-of-all-malware-variants-in-history-were-created-in-2015.html
[2] http://www.silicon.co.uk/workspace/five-malware-variants-second-201602?inf_by=59b0df3a681db8dc788b4aaa
[3] http://www.securityweek.com/new-malware-variants-near-record-highs-symantec
[4] https://www.gdatasoftware.com/blog/2017/04/29666-malware-trends-2017
[5] https://blog.barkly.com/cyber-security-statistics-2017
[6] https://securelist.com/it-threat-evolution-q1-2017-statistics/78475/
[7] https://www.av-test.org/en/statistics/malware/
[8] http://dlupdate.quickheal.com/documents/others/Quick_Heal_Annual_Threat_Report_2017.pdf
[9] https://en.wikipedia.org/wiki/Malware
[10] "Defining Malware: FAQ". technet.microsoft.com
[11] Nash T., An undirected attack against critical infrastructure. Technical Report, US-CERT Control Systems Security Center (2005).
[12] Russinovich M., Sony, rootkits and digital rights management gone too far, Mark's Blog (2005).
[13] Protect Your Computer from Malware. OnGuardOnline.gov.
[14] Vincentas, Malware in SpyWareLoop.com, Spyware Loop (2013).
[15] https://www.cisecurity.org/top-10-malware-of-april-2017/
[16] https://en.wikipedia.org/wiki/WannaCry_ransomware_attack
[17] https://www.theguardian.com/technology/2017/jun/27/petya-ransomware-cyber-attack-who-what-why-how
