DOCSLIB.ORG

Quick Heal Threat Report Q2 2018

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Quick Heal Threat Report Q2 2018 QUICK HEAL QUARTERLY THREAT REPORT | Q2 2018 www.quickheal.com QUICK HEAL QUARTERLYANNUAL THREAT THREAT REPORT REPORT | |Q2 2018 2018 Contributors • Quick Heal Security Labs • Quick Heal Marketing Team QUICK HEAL QUARTERLYANNUAL THREAT THREAT REPORT REPORT | |Q2 2018 2018 Table of contents Introduction 01 About Quick Heal 02 About Quick Heal Security Labs 02 Windows 1. Quick Heal Detection on Windows | Q2 2018 04 2. Windows Malware Detection in Q2 2018 05 3. Top 10 Windows Malware 06 4. Category-wise Windows Malware Detection 10 5. Top 10 Potentially Unwanted Applications (PUA) and Adware 11 6. Top 10 Windows Exploits 12 7. Trends in Windows Security Threats 14 Android 1. Quick Heal Detection on Android | Q2 2018 18 2. Top 10 Android Malware of Q2 2018 19 3. Android Security Vulnerabilities Discovered in Q2 2018 23 4. Trends in Android Security Threats 24 Conclusion 25 QUICK HEAL QUARTERLYANNUAL THREAT THREAT REPORT REPORT | |Q2 2018 2018 Introduction In the second quarter of 2018, Quick Heal Security Labs detected over 180 million Windows malware. May clocked the highest detection - on a daily basis, Quick Heal detected around 2,004,728 malware, 16,165 ransomware, 141,079 exploits, and 40,488 PUA & adware. The Trojan horse family retained its position as the most dominant malware in the entire quarter. It grew 4.03% compared with its detection in Q1 2018. The top malware of the year is a destructive Trojan called Trojan.Starter.YY4. Quick Heal Security Labs noticed a spike in EternalBlue exploit (used in the biggest ransomware attack in 2017 – WannaCry). Other important trends include the increase of MBR (Master Boot Record) infecting ransomware and cryptocurrency mining. The most worrying trend, however, is cryptojacking – experts are calling it the new ransomware. Quick Heal Security Labs recorded over 631,000 detection (malware + PUA + adware) on the Android OS in Q2 2018. The PUA (Potentially Unwanted Application) family comprised 46.2% of the total detection of the year. The main trends observed in the Android threat landscape include the rise in cryptocurrency mining malware and banking Trojans that are targeting popular banking and social media apps. 1 QUICK HEAL QUARTERLYANNUAL THREAT THREAT REPORT REPORT | |Q2 2018 2018 About Quick Heal Quick Heal Technologies Ltd. (Formerly Known as Quick Heal Technologies Pvt. Ltd.) is one of the leading IT security solutions company. Each Quick Heal product is designed to simplify IT security management for home users, small businesses, Government establishments, and corporate houses. About Quick Heal Security Labs A leading source of threat research, threat intelligence and cybersecurity, Quick Heal Security Labs analyses data fetched from millions of Quick Heal products across the globe to deliver timely and improved protection to its users. www.quickheal.com Follow us on: 2 WINDOWS 3 QUICK HEAL QUARTERLYANNUAL THREAT THREAT REPORT REPORT | |Q2 2018 2018 Malware Per Day: 2,004,728 Per Hour: 83,530 Per Minute: 1,392 Ransomware Per Day: 16,165 Per Hour: 674 Quick Heal Per Minute: 11 Detection on Exploit Per Day: 141,079 Per Hour: 5,878 Windows Per Minute: 98 Q2 2018 PUA and Adware Per Day: 40,488 Per Hour: 1,687 Per Minute: 28 Cryptojacking Malware Per Day: 13,427 Per Hour: 559 Per Minute: 9 Source: Quick Heal Security Labs 4 QUICK HEAL QUARTERLYANNUAL THREAT THREAT REPORT REPORT | |Q2 2018 2018 Windows Malware Detection in Q2 2018 The below graph represents the statistics of the total count of malware detected by Quick Heal during the period of April to June in 2018. Windows malware detection count in Q2 2018 80M 74M 70M 60M 55M 51M 50M 40M 30M 20M 10M K Apr May June Fig 1 Observations • Quick Heal detected over 180 million Windows malware in Q2 2018. • May clocked the highest detection of Windows malware. 5 QUICK HEAL QUARTERLYANNUAL THREAT THREAT REPORT REPORT | |Q2 2018 2018 Top 10 Windows Malware Fig 2 represents the top 10 Windows malware of Q2 2018. These malware have made it to this list based upon their rate of detection from April to June. Top 10 Windows malware of Q2 2018 6% Trojan.Starter.YY4 6% 14% LNK.Exploit.Gen 6% W32.Sality.U LNK.Browser.Modifier 7% 14% LNK.Cmd.Exploit.F W32.Ramnit.A 7% W32.Pioneer.CZ1 13% W32.Virut.G 13% W32.Brontok.Q 13% Trojan.Suloc.YY4 Fig 2 6 QUICK HEAL QUARTERLYANNUAL THREAT THREAT REPORT REPORT | |Q2 2018 2018 1. Trojan.Starter.YY4 Threat Level: High Category: Trojan Method of Propagation: Email attachments and malicious websites Behavior: • Creates a process to run the dropped executable file. • Modifies computer registry settings which may cause the infected system to crash. • Downloads other malware like keyloggers and file infectors. • Slows down the booting and shutting down process of the infected computer. • Allows hackers to steal confidential data like credit card details and personal information from the infected system. 2. LNK.Exploit.Gen Threat Level: High Category: Trojan Method of Propagation: Bundled software and freeware Behavior: • It is a destructive Trojan virus that could hide in spam email attachments, malicious websites and suspicious pop-ups. • This kind of virus can be installed on Windows systems by using illegal browser extensions. • It changes some of the system files without the user knowing about it. Next time the user launches the Windows system, this virus will run in the system background and spy on their activities. In order to redirect the user to dubious websites, the virus modifies system hosts file and hijacks the IP address. 3. W32.Sality.U Threat Level: Medium Category: Polymorphic file infector Method of Propagation: Removable or network drives Behavior: • Injects its code into all running system processes. It then spreads further by infecting the executable files on local, removable, and remote shared drives. • Tries to terminate security applications and deletes all files related to any security software installed on the system. • Steals confidential information from the infected system. 7 QUICK HEAL QUARTERLYANNUAL THREAT THREAT REPORT REPORT | |Q2 2018 2018 4. LNK.Browser.Modier Threat Level: High Category: Trojan Method of Propagation: Bundled software and freeware Behavior: • Injects malicious codes into the browser which redirects the user to malicious links. • Makes changes to the browser’s default settings without user knowledge. • Generates ads to cause the browser to malfunction. • Steals the user’s information while browsing like banking credentials for further misuse. 5. LNK.Cmd.Exploit.F Threat Level: High Category: Trojan Method of Propagation: Email attachments and malicious websites Behavior: • Uses cmd.exe with ""/c"" command line option to execute other malicious files. • Executes simultaneously a malicious .vbs file with name "help.vbs" along with a malicious exe file. • The malicious vbs file uses Stratum mining protocol for Monero mining. 6. W32.Ramnit.A Threat Level: Medium Category: Virus Method of Propagation: USB Drives, other malware, Exploit Kits, Spoofing the URL, and Bundled applications Behavior: • This malware has several components embedded within it. After installer is dropped or downloaded, it drops its various components in memory or disk. Each component has specified task. This will also speed up the process of infection. • It infects all running processes. • It also infects HTML files by appending script in it while in the case of PE file infection it appends itself in the file. • It modifies registry entries to ensure its automatic execution at every system start up. 7. W32.Pioneer.CZ1 Threat Level: Medium Category: File Infector Method of Propagation: Removable or network drives Behavior: • The malware injects its code to files present on disk and shared network. 8 QUICK HEAL QUARTERLYANNUAL THREAT THREAT REPORT REPORT | |Q2 2018 2018 • It decrypt malicious dll present in the file & drops it. • This dll performs malicious activities and collects system information & sends it to a CNC server. 8. W32.Virut.G Threat Level: Medium Category: File infector Method of Propagation: Bundled software and freeware Behavior: • Creates a botnet that is used for Distributed Denial of Service (DDoS) attacks, spam frauds, data theft, and pay-per-install activities. • Opens a backdoor entry that allows a remote attacker to perform malicious operations on the infected computer. • The backdoor functionality allows additional files to be downloaded and executed on the infected system. 9. W32.Brontok.Q Threat Level: Medium Category: Worm Method of Propagation: Spreads through emails or infected USB & network drives Behavior: • This worm spreads through emails or infected USB drives. • It stores several copies of itself on different places on the hard disk, including system directories. • It gains persistence by modifying registry keys and creating an entry in the Startup directory. • It modifies several system configuration parameters to disable the registry editor and command prompt. • It also modifies the safe boot shell to prevent the user from cleaning the machine. 10. Trojan.Suloc.YY4 Threat Level: Medium Category: Trojan Method of Propagation: Bundled software and malicious websites Behavior: • Copies itself on the targeted drive, and startup drive. • Modifies registry entries to execute itself automatically and hides file extensions. • Nested process continuously queries the information of dropped files and copies itself in download folder. 9 QUICK HEAL QUARTERLYANNUAL THREAT THREAT REPORT REPORT | |Q2 2018 2018 Category-wise Windows Malware Detection Fig 3 represents the various categories of Windows
Load more

Recommended publications
  • Botection: Bot Detection by Building Markov Chain Models of Bots Network Behavior Bushra A
    BOTection: Bot Detection by Building Markov Chain Models of Bots Network Behavior Bushra A. Alahmadi Enrico Mariconti Riccardo Spolaor University of Oxford, UK University College London, UK University of Oxford, UK [email protected] [email protected] [email protected] Gianluca Stringhini Ivan Martinovic Boston University, USA University of Oxford, UK [email protected] [email protected] ABSTRACT through DDoS (e.g. DDoS on Estonia [22]), email spam (e.g. Geodo), Botnets continue to be a threat to organizations, thus various ma- ClickFraud (e.g. ClickBot), and spreading malware (e.g. Zeus). 10,263 chine learning-based botnet detectors have been proposed. How- malware botnet controllers (C&C) were blocked by Spamhaus Mal- ever, the capability of such systems in detecting new or unseen ware Labs in 2018 alone, an 8% increase from the number of botnet 1 botnets is crucial to ensure its robustness against the rapid evo- C&Cs seen in 2017. Cybercriminals are actively monetizing bot- lution of botnets. Moreover, it prolongs the effectiveness of the nets to launch attacks, which are evolving significantly and require system in detecting bots, avoiding frequent and time-consuming more effective detection mechanisms capable of detecting those classifier re-training. We present BOTection, a privacy-preserving which are new or unseen. bot detection system that models the bot network flow behavior Botnets rely heavily on network communications to infect new as a Markov Chain. The Markov Chains state transitions capture victims (propagation), to communicate with the C&C server, or the bots’ network behavior using high-level flow features as states, to perform their operational task (e.g.
    [Show full text]
  • 2015 Threat Report Provides a Comprehensive Overview of the Cyber Threat Landscape Facing Both Companies and Individuals
    THREAT REPORT 2015 AT A GLANCE 2015 HIGHLIGHTS A few of the major events in 2015 concerning security issues. 08 07/15: Hacking Team 07/15: Bugs prompt 02/15: Europol joint breached, data Ford, Range Rover, 08/15: Google patches op takes down Ramnit released online Prius, Chrysler recalls Android Stagefright botnet flaw 09/15: XcodeGhost 07/15: Android 07/15: FBI Darkode tainted apps prompts Stagefright flaw 08/15: Amazon, ENFORCEMENT bazaar shutdown ATTACKS AppStore cleanup VULNERABILITY reported SECURITYPRODUCT Chrome drop Flash ads TOP MALWARE BREACHING THE MEET THE DUKES FAMILIES WALLED GARDEN The Dukes are a well- 12 18 resourced, highly 20 Njw0rm was the most In late 2015, the Apple App prominent new malware family in 2015. Store saw a string of incidents where dedicated and organized developers had used compromised tools cyberespionage group believed to be to unwittingly create apps with malicious working for the Russian Federation since behavior. The apps were able to bypass at least 2008 to collect intelligence in Njw0rm Apple’s review procedures to gain entry support of foreign and security policy decision-making. Angler into the store, and from there into an ordinary user’s iOS device. Gamarue THE CHAIN OF THE CHAIN OF Dorkbot COMPROMISE COMPROMISE: 23 The Stages 28 The Chain of Compromise Nuclear is a user-centric model that illustrates Kilim how cyber attacks combine different Ippedo techniques and resources to compromise Dridex devices and networks. It is defined by 4 main phases: Inception, Intrusion, WormLink Infection, and Invasion. INCEPTION Redirectors wreak havoc on US, Europe (p.28) INTRUSION AnglerEK dominates Flash (p.29) INFECTION The rise of rypto-ransomware (p.31) THREATS BY REGION Europe was particularly affected by the Angler exploit kit.
    [Show full text]
  • Power-Law Properties in Indonesia Internet Traffic. Why Do We Care About It
    by Bisyron Wahyudi Muhammad Salahuddien Amount of malicious traffic circulating on the Internet is increasing significantly. Increasing complexity and rapid change in hosts and networks technology suggests that there will be new vulnerabilities. Attackers have interest in identifying networks and hosts to expose vulnerabilities : . Network scans . Worms . Trojans . Botnet Complicated methods of attacks make difficult to identify the real attacks : It is not simple as filtering out the traffic from some sources Security is implemented like an “add on” module for the Internet. Understanding nature behavior of malicious sources and targeted ports is important to minimize the damage by build strong specific security rules and counter measures Help the cyber security policy-making process, and to raise public awareness Questions : . Do malicious sources generate the attacks uniformly ? . Is there any pattern specific i.e. recurrence event ? . Is there any correlation between the number of some attacks over specific time ? Many systems and phenomena (events) are distributed according to a “power law” When one quantity (say y) depends on another (say x) raised to some power, we say that y is described by a power law A power law applies to a system when: . large is rare and . small is common Collection of System logs from Networked Intrusion Detection System (IDS) The NIDS contains 11 sensors installed in different core networks in Indonesian ISP (NAP) Period : January, 2012 - September, 2012 . Available fields : ▪ Event Message, Timestamp, Dest. IP, Source IP, Attacks Classification, Priority, Protocol, Dest. Port/ICMP code, Source Port/ICMP type, Sensors ID Two quantities x and y are related by a power law if y is proportional to x(-c) for a constant c y = .x(-c) If x and y are related by a power law, then the graph of log(y) versus log(x) is a straight line log(y) = -c.log(x) + log() The slope of the log-log plot is the power exponent c Destination Port Distribution .
    [Show full text]
  • Transition Analysis of Cyber Attacks Based on Long-Term Observation—
    2-3 nicterReport —TransitionAnalysisofCyberAttacksBasedon Long-termObservation— NAKAZATO Junji and OHTAKA Kazuhiro In this report, we provide a statistical data concerning cyber attacks and malwares based on a long-term network monitoring on the nicter. Especially, we show a continuous observation report of Conficker, which is a pandemic malware since November 2008. In addition, we report a transition analysis of the scale of botnet activities. Keywords Incident analysis, Darknet, Network monitoring, Malware analysis 1 Introduction leverages the traffic as detected by the four black hole sensors placed on different network We have been monitoring the IP address environments as shown by Fig. 1. space that is reachable and unused on the ● Sensor I : Structure where live nets and Internet (i.e. darknets) on a large-scale to darknets coexist in a class B understand the overall impact inflicted by network infectious activities including malware. This ● Sensor II : Structure where only darknets report analyzes the darknet traffic that has exist in a class B network been monitored and accumulated over six ● Sensor III : Structure where a /24 subnet years by an incident analysis center named in a class B network is a dark- *1 the nicter[1][2] to provide changing trends of net cyber attacks and fluctuation of attacker host ● Sensor IV : Structure where live nets and activities as obtained by long-term monitor- darknets coexist in a class B ing. In particular, we focus on Conficker, a network worm that has triggered large-scale infections The traffic obtained by these four sensors since November 2008, and report its impact on is analyzed by different analysis engines[3][4] the Internet and its current activities.
    [Show full text]
  • Symantec Intelligence Report: June 2011
    Symantec Intelligence Symantec Intelligence Report: June 2011 Three-quarters of spam send from botnets in June, and three months on, Rustock botnet remains dormant as Cutwail becomes most active; Pharmaceutical spam in decline as new Wiki- pharmacy brand emerges Welcome to the June edition of the Symantec Intelligence report, which for the first time combines the best research and analysis from the Symantec.cloud MessageLabs Intelligence Report and the Symantec State of Spam & Phishing Report. The new integrated report, the Symantec Intelligence Report, provides the latest analysis of cyber security threats, trends and insights from the Symantec Intelligence team concerning malware, spam, and other potentially harmful business risks. The data used to compile the analysis for this combined report includes data from May and June 2011. Report highlights Spam – 72.9% in June (a decrease of 2.9 percentage points since May 2011): page 11 Phishing – One in 330.6 emails identified as phishing (a decrease of 0.05 percentage points since May 2011): page 14 Malware – One in 300.7 emails in June contained malware (a decrease of 0.12 percentage points since May 2011): page 15 Malicious Web sites – 5,415 Web sites blocked per day (an increase of 70.8% since May 2011): page 17 35.1% of all malicious domains blocked were new in June (a decrease of 1.7 percentage points since May 2011): page 17 20.3% of all Web-based malware blocked was new in June (a decrease of 4.3 percentage points since May 2011): page 17 Review of Spam-sending botnets in June 2011: page 3 Clicking to Watch Videos Leads to Pharmacy Spam: page 6 Wiki for Everything, Even for Spam: page 7 Phishers Return for Tax Returns: page 8 Fake Donations Continue to Haunt Japan: page 9 Spam Subject Line Analysis: page 12 Best Practices for Enterprises and Users: page 19 Introduction from the editor Since the shutdown of the Rustock botnet in March1, spam volumes have never quite recovered as the volume of spam in global circulation each day continues to fluctuate, as shown in figure 1, below.
    [Show full text]
  • An Adaptive Multi-Layer Botnet Detection Technique Using Machine Learning Classifiers
    applied sciences Article An Adaptive Multi-Layer Botnet Detection Technique Using Machine Learning Classifiers Riaz Ullah Khan 1,* , Xiaosong Zhang 1, Rajesh Kumar 1 , Abubakar Sharif 1, Noorbakhsh Amiri Golilarz 1 and Mamoun Alazab 2 1 Center of Cyber Security, School of Computer Science & Engineering, University of Electronic Science and Technology of China, Chengdu 611731, China; [email protected] (X.Z.); [email protected] (R.K.); [email protected] (A.S.); [email protected] (N.A.G.) 2 College of Engineering, IT and Environment, Charles Darwin University, Casuarina 0810, Australia; [email protected] * Correspondence: [email protected]; Tel.: +86-155-2076-3595 Received: 19 March 2019; Accepted: 24 April 2019; Published: 11 June 2019 Abstract: In recent years, the botnets have been the most common threats to network security since it exploits multiple malicious codes like a worm, Trojans, Rootkit, etc. The botnets have been used to carry phishing links, to perform attacks and provide malicious services on the internet. It is challenging to identify Peer-to-peer (P2P) botnets as compared to Internet Relay Chat (IRC), Hypertext Transfer Protocol (HTTP) and other types of botnets because P2P traffic has typical features of the centralization and distribution. To resolve the issues of P2P botnet identification, we propose an effective multi-layer traffic classification method by applying machine learning classifiers on features of network traffic. Our work presents a framework based on decision trees which effectively detects P2P botnets. A decision tree algorithm is applied for feature selection to extract the most relevant features and ignore the irrelevant features.
    [Show full text]
  • Fortinet Threat Landscape Report Q3 2017
    THREAT LANDSCAPE REPORT Q3 2017 TABLE OF CONTENTS TABLE OF CONTENTS Introduction . 4 Highlights and Key Findings . 5 Sources and Measures . .6 Infrastructure Trends . 8 Threat Landscape Trends . 11 Exploit Trends . 12 Malware Trends . 17 Botnet Trends . 20 Exploratory Analysis . 23 Conclusion and Recommendations . 25 3 INTRODUCTION INTRODUCTION Q3 2017 BY THE NUMBERS: Exploits nn5,973 unique exploit detections nn153 exploits per firm on average nn79% of firms saw severe attacks nn35% reported Apache.Struts exploits Malware nn14,904 unique variants The third quarter of the year should be filled with family vacations and the back-to-school hubbub. Q3 2017 felt like that for a nn2,646 different families couple of months, but then the security industry went into a nn25% reported mobile malware hubbub of a very different sort. Credit bureau Equifax reported nn22% detected ransomware a massive data breach that exposed the personal information of Botnets approximately 145 million consumers. nn245 unique botnets detected That number in itself isn’t unprecedented, but the public nn518 daily botnet comms per firm and congressional outcry that followed may well be. In a congressional hearing on the matter, one U.S. senator called nn1.9 active botnets per firm the incident “staggering,” adding “this whole industry should be nn3% of firms saw ≥10 botnets completely transformed.” The impetus, likelihood, and extent of such a transformation is yet unclear, but what is clear is that Equifax fell victim to the same basic problems we point out Far from attempting to blame and shame Equifax (or anyone quarter after quarter in this report.
    [Show full text]
  • Download Hong Kong Security Watch Report
    Hong Kong Security Watch Report 2019 Q1 1 Foreword Better Security Decision with Situational Awareness Nowadays, a lot of \invisible" compromised systems (computers and other devices) are controlled by attackers with the owner being unaware. The data on these systems may be mined and exposed every day, and the systems may be utilized in different kinds of abuse and criminal activities. The Hong Kong Security Watch Report aims to provide the public a better \visibility" of the situation of the compromised systems in Hong Kong so that they can make better decision in protecting their information security. The data in this report is about the activities of compromised systems in Hong Kong which suffer from, or par- ticipate in various forms of cyber attacks, including web defacement, phishing, malware hosting, botnet command and control centres (C&C) or bots. Computers in Hong Kong are defined as those whose network geolocation is Hong Kong, or the top level domain of their host name is \.hk". Capitalizing on the Power of Global Intelligence This report is the fruit of the collaboration of HKCERT and global security researchers. Many security researchers have the capability to detect attacks targeting their own or their customers' networks. Some of them provide the information of IP addresses of attack source or web links of malicious activities to other information security organizations with an aim to collaboratively improve the overall security of the cyberspace. They have good practice in sanitizing personal identifiable data before sharing information. HKCERT collects and aggregates such valuable data about Hong Kong from multiple information sources for analysis with Information Feed Analysis System (IFAS), a system developed by HKCERT.
    [Show full text]
  • CONTENTS in THIS ISSUE Fighting Malware and Spam
    OCTOBER 2010 Fighting malware and spam CONTENTS IN THIS ISSUE 2 COMMENT SPAM COLLECTING Changing times Claudiu Musat and George Petre explain why spam feeds matter in the anti-spam fi eld and discuss the 3 NEWS importance of effective spam-gathering methods. Overall fall in fraud, but online banking page 21 losses rise National Cybersecurity Awareness Month NEW KIDS ON THE BLOCK Dip in Canadian Pharmacy spam New anti-malware companies and products seem to spring up with increasing frequency, many 3 VIRUS PREVALENCE TABLE reworking existing detection engines into new forms, as well as several that are working on their MALWARE ANALYSES own detection technology. John Hawes takes a 4 It’s just spam, it can’t hurt, right? quick look at a few of the up-and-coming products which he expects to see taking part in the VB100 13 Rooting about in TDSS comparatives in the near future. page 25 16 TECHNICAL FEATURE Anti-unpacker tricks – part thirteen VB100 CERTIFICATION ON WINDOWS SERVER 2003 21 FEATURE This month the VB test team put On the relevance of spam feeds 38 products through their paces on Windows Server 2003. John Oct 2010 25 REVIEW FEATURE Hawes has the details of the VB100 Things to come winners and those who failed to make the grade. 29 COMPARATIVE REVIEW page 29 Windows Server 2003 59 END NOTES & NEWS ISSN 1749-7027 COMMENT ‘Ten years ago the While mostly very tongue-in-cheek, a substantial amount of what he wrote was accurate. idea of malware He predicted that by 2010 the PC would no longer be the writing becoming most prevalent computing platform in the world, having a profi t-making been overtaken in number by pervasive computing devices – in other words, PDAs and web phones.
    [Show full text]
  • CONTENTS in THIS ISSUE Fighting Malware and Spam
    APRIL 2009 Fighting malware and spam CONTENTS IN THIS ISSUE 2 COMMENT ROGUE TRADERS Flooding the cloud Rogue anti-malware applications have been around for several years, 3 NEWS conning and causing Ghostly goings on confusion among users as well as posing problems for anti-malware Internet fraud complaints rise vendors. Gabor Szappanos takes a look at a piece of anti-virus scamware. page 9 3 VIRUS PREVALENCE TABLE APPLE CATCHER Mario Ballano Barcena and Alfredo Pesoli take 4 TECHNICAL FEATURE a detailed look at what appears to be the fi rst real attempt to create a Mac botnet. Anti-unpacker tricks – part fi ve page 12 VB100 ON WINDOWS XP MALWARE ANALYSES VB’s anti-malware testing team put 9 Your PC is infected a bumper crop of products through their paces on Windows XP. Find out 12 The new iBotnet which products excelled and which have some more work to do. page 15 15 COMPARATIVE REVIEW Windows XP SP3 36 END NOTES & NEWS This month: anti-spam news and events; and John Levine looks at message authentication using Domain Keys Identifi ed Mail (DKIM). ISSN 1749-7027 COMMENT ‘An even better mutated variations of malware in large volume. While this strategy won’t work against all technologies solution is to be (for example it is ineffective against HIPS, advanced proactive in the heuristics, generic detection etc.), it is well worth the cloud.’ effort for its ability to evade signature detection. I was interested to fi nd out whether these explanations Luis Corrons could be verifi ed by our detection data – for example Panda Security to see for how long each threat was active.
    [Show full text]
  • Botnet Detection Using On-Line Clustering with Pursuit Reinforcement Competitive Learning (PRCL)
    View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by EMITTER - International Journal of Engineering Technology EMITTER International Journal of Engineering Technology Vol. 6, No. 1, June 2018 ISSN: 2443-1168 Botnet Detection Using On-line Clustering with Pursuit Reinforcement Competitive Learning (PRCL) Yesta Medya Mahardhika, Amang Sudarsono, Aliridho Barakbah Postgradaute Applied Engineering of Technology Division of Information and Computer Engineering, Department of Information and Computer Engineering, Electronic Engineering Polytechnic Institute of Surabaya EEPIS Campus, Jalan Raya ITS, Sukolilo 60111, Indonesia Email: [email protected], {amang, ridho}@pens.ac.id Abstract Botnet is a malicious software that often occurs at this time, and can perform malicious activities, such as DDoS, spamming, phishing, keylogging, clickfraud, steal personal information and important data. Botnets can replicate themselves without user consent. Several systems of botnet detection has been done by using classification methods. Classification methods have high precision, but it needs more effort to determine appropiate classification model. In this paper, we propose reinforced approach to detect botnet with On- line Clustering using Reinforcement Learning. Reinforcement Learning involving interaction with the environment and became new paradigm in machine learning. The reinforcement learning will be implemented with some rule detection, because botnet ISCX dataset is categorized as unbalanced dataset which have high range of each number of class. Therefore we implemented Reinforcement Learning to Detect Botnet using Pursuit Reinforcement Competitive Learning (PRCL) with additional rule detection which has reward and punisment rules to achieve the solution. Based on the experimental result, PRCL can detect botnet in real time with high accuracy (100% for Neris, 99.9% for Rbot, 78% for SMTP_Spam, 80.9% for Nsis, 80.7% for Virut, and 96.0% for Zeus) and fast processing time up to 176 ms.
    [Show full text]
  • The Real Face of KOOBFACE: the Largest Web 2.0 Botnet Explained
    The Real Face of KOOBFACE: The Largest Web 2.0 Botnet Explained A technical paper discussing the KOOBFACE botnet Written by Jonell Baltazar, Joey Costoya, and Ryan Flores Trend Micro Threat Research THE REAL FACE OF KOOBFACE: THE LARGEST WEB 2.0 BOTNET EXPLAINED TABLE OF CONTENTS Table of Contents .................................................................................................................. i Introduction...........................................................................................................................The WALEDAC Botnet 1 Overview................................................................................................................................3 KOOBFACE DOWNLOADER................................................................................................ 5 SOCIAL NETWORK PROPAGATION COMPONENTS ................................................................... 6 WEB SERVER COMPONENT .................................................................................................. 7 ADS PUSHER AND ROGUE ANTIVIRUS INSTALLER................................................................... 8 CAPTCHA BREAKERS........................................................................................................ 8 DATA STEALERS.................................................................................................................. 9 WEB SEARCH HIJACKERS .................................................................................................. 11 ROGUE DNS CHANGERS...................................................................................................
    [Show full text]