Top 10 Most Wanted Malware

Today Check Point published its Threat Index for May, revealing the number of active global malware families increased by 15 percent. Last month Check Point detected 2,300 unique and active malware families attacking business networks. It was the second month running Check Point observed an increase in the number of unique malware families, having previously reported a 50 percent increase from March to April. The continued rise in the number of active malware variants highlights the wide range of threats and scale of challenges security teams face in preventing an attack on their business critical information.

In May, Conficker was the most prominent family accounting for 14 percent of recognized attacks; while second and third placed Tinba and Sality were responsible for 9 percent each. The top ten families were responsible for 60 percent of all recognized attacks.


May 2016 World Cyber Threat Map

The map displays the risk index globally. Green = Low Risk   Beige = Medium Risk   Red = High Risk   White = Insufficient Data


May’s Top 10 “Most Wanted” Malware

  1. ↔ Conficker – Worm that allows remote operations, malware downloads, and credential theft by disabling Microsoft Windows systems security services. Infected machines are controlled by a botnet, which contacts its Command & Control server to receive instructions.
  1. ↑ Tinba – Also referred to as Tiny Banker or Zusy, Tinba is a banking trojan that steals the victim’s credentials using web injections. It becomes activated when users try to login to their banking website.
  1. Sality – Virus that infects Microsoft Windows systems to allow remote operations and downloads of additional malware. Due to its complexity and ability to adapt, Sality is widely considered to be one of the most formidable malware to date.
  1. ↑ JBossjmx – Worm that targets systems having a vulnerable version of JBoss Application Server installed. This Worm exploits the JMX Console vulnerability identified by CVE-2010-0738. The malware creates a malicious JSP page on vulnerable systems that executes arbitrary commands. Moreover, another Backdoor is created that accepts commands from a remote IRC server.
  1. ↑ Hummingbad – Android malware that establishes a persistent rootkit on the device, installs fraudulent applications, and enables additional malicious activity such as installing a keylogger, stealing credentials and bypassing encrypted email containers used by enterprises.
  1. ↓ Zeroaccess – Worm that targets Windows platforms allowing remote operations and malware download. Utilizes a peer-to-peer (P2P) protocol to download or update additional malware components from remote peers.
  1. ↑ Zeus – Trojan that targets Windows platforms and often used to steal banking information by man-in-the-browser keystroke logging and form grabbing.
  1. ↓ Angler EK – Exploit kit known for its early adoption of zero day vulnerabilities. Its landing page contains heavily obfuscated JavaScript and checks the plug-in version (of Flash as well as other programs) in order to use the relevant exploit. It also tries to check if the machine is a virtual machine in order to evade researchers.
  1. ↓ Virut – Botnet that is known to be used for cybercrime activities such as DDoS attacks, spam, fraud, data theft, and pay-per-install activities. It spreads through executable file infection (through infected USB sticks and other media), and more recently, through compromised HTML files (thus infecting vulnerable browsers visiting compromised websites)
  1. ↓ Cutwail – Botnet mostly involved in sending spam emails, as well as some DDoS attacks. Once installed, the bots connect directly to the command and control server, and receive instructions about the emails they should send. After they are done with their task, the bots report back to the spammer exact statistics regarding their operation.


About the Check Point Threat Index

Check Point’s Threat Index is based on threat intelligence drawn from its ThreatCloud World Cyber Threat Map, which tracks how and where cyberattacks are taking place worldwide in real time. The Threat Map is powered by Check Point’s ThreatCloudTM intelligence, the largest collaborative network to fight cybercrime, which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, over 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.