Top 10 Most Wanted Malware

Check Point Software Technologies today published its latest Threat Index, revealing the number of active malware families increased by nearly two-thirds in the first half of 2016, led by the number of threats to business networks and mobile devices.

During June, Check Point detected 2,420 unique and active malware families attacking business networks, a 61 percent increase compared with January 2016 and a 21 percent increase since April. The continued rise in the number of active malware variants once again highlights the wide range of threats organizations’ networks face, and the scale of the challenges security teams must overcome to prevent an attack on their business-critical information.

Conficker remained the most commonly used malware in June, while the HummingBad mobile malware returned to the overall top-three threats across all platforms globally. In a detailed research report, Check Point revealed 85 million devices globally are infected by HummingBad, generating an estimated $300,000 per month in fraudulent ad revenue for the criminals behind it – highlighting how hackers are increasingly targeting mobile devices.

In June, Conficker accounted for 14 percent of recognized attacks for the second month running; while second-placed Sality accounted for 10 percent and third-placed HummingBad for 6 percent of all attacks. The top 10 families were responsible for 50 percent of all recognized attacks.

June 2016 World Cyber Threat Map

The map displays the risk index globally. Green = Low Risk, Beige = Medium Risk, Red = High Risk, White = Insufficient Data.


June’s Top 10 “Most Wanted” Malware

  1. ↔ Conficker – Worm that allows remote operations, malware downloads and credential theft by disabling Microsoft Windows system security services. Infected machines are controlled by a botnet, which contacts its Command & Control server to receive instructions.
  2. ↑ Sality – Virus that infects Microsoft Windows systems to allow remote operations and downloads of additional malware. Due to its complexity and ability to adapt, Sality is widely considered to be one of the most formidable malware families to date.
  3. ↑ HummingBad – Android malware that establishes a persistent rootkit on the device, installs fraudulent applications and enables additional malicious activity such as installing a key-logger, stealing credentials and bypassing encrypted email containers used by enterprises. To date the malware has infected 85 million mobile devices.
  4. ↑ Zeus – Trojan that targets Windows platforms and is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing.
  5. ↑ Cutwail – Botnet mostly involved in sending spam e-mails, as well as some DDoS attacks. Once installed, the bots connect directly to the command and control server and receive instructions about the emails they should send. After they are done with their task, the bots report back to the spammer exact statistics regarding their operation.
  6. ↔ ZeroAccess – Worm that targets Windows platforms, allowing remote operations and malware download. Utilizes a peer-to-peer (P2P) protocol to download or update additional malware components from remote peers.
  7. ↓ JBossjmx – Worm that targets systems with a vulnerable version of JBoss Application Server installed. This worm exploits the JMX Console vulnerability identified by CVE-2010-0738. The malware creates a malicious JSP page on vulnerable systems that executes arbitrary commands. Moreover, another backdoor is created that accepts commands from a remote IRC server.
  8. ↑ Dorkbot – IRC-based worm designed to allow remote code execution by its operator, as well as to download additional malware to the infected system, with the primary motivation being to steal sensitive information and launch denial-of-service attacks. It installs a user-mode rootkit to prevent viewing or tampering with its files and modifies the registry to ensure that it executes each time the system starts. It will send messages to all of the infected user’s contacts, or hijack an existing thread, to include a link to a copy of the worm.
  9. ↓ Tinba – Banking Trojan which steals the victim’s credentials using web-injects, activated as the user tries to log in to their bank website.
  10. ↑ Cryptodef – Ransomware that is considered the predecessor of the infamous Cryptowall ransomware. It encrypts non-binary user files such as text, documents, images, videos and more. It then displays a text file with instructions on how to decrypt the files and demands payment for using the decryption service. It is usually dropped by other malware already installed on the machine, or downloaded directly when browsing a malicious or compromised website.


About the Check Point Threat Index

Check Point’s Threat Index is based on threat intelligence drawn from its ThreatCloud World Cyber Threat Map, which tracks how and where cyberattacks are taking place worldwide in real time. The Threat Map is powered by Check Point’s ThreatCloud™ intelligence, the largest collaborative network to fight cybercrime, which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, over 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.