July’s Top 10 Most Wanted Malware

Check Point Software Technologies today revealed the number of active malware families decreased by 5 percent in July, as the company disclosed the most prevalent malware families attacking organizations’ networks in the month.

During July, Check Point detected 2,300 unique and active malware families attacking business networks, a 5 percent increase compared to June, with Conficker remaining the most commonly used malware.  Despite the overall decrease in active malware the prevalence of mobile malware increased, accounting for 9 percent of active malware – up by 50 percent from June.  For the fourth consecutive month HummingBad remained the most commonly used malware to attack mobile devices.

It was the first time in four months Check Point detected a drop in the number of unique malware families, but the total number seen still matches the second all-time highest number recorded in a calendar month this year.  The continually high-levels of active malware variants once again highlights the wide range of threats that organizations’ networks face and the scale of the challenges that security teams have in preventing an attack on their business critical information.

In July, Conficker was the most prominent family accounting for 13 percent of recognized attacks; second placed JBossjmx accounted for 12 percent; and third placed Sality was responsible for 8 percent. The top ten families were responsible for 60 percent of all recognized attacks.


July 2016 World Cyber Threat Map – click image to view the live interactive map
The map displays the risk index globally. Green = Low Risk   Beige = Medium Risk   Red = High Risk   White = Insufficient Data


July’s Top 10 “Most Wanted’ Malware

  1. Conficker – Worm that allows remote operations and malware download. The infected machine is controlled by a botnet, which contacts its Command & Control server to receive instructions.
  2. ↑ JBossjmx – Worm that targets systems having a vulnerable version of JBoss Application Server installed. This Worm exploits the JMX Console vulnerability identified by CVE-2010-0738. The malware creates a malicious JSP page on vulnerable systems that executes arbitrary commands. Moreover, another Backdoor is created that accepts commands from a remote IRC server.
  3. ↓ Sality – Virus that allows remote operations and downloads of additional malware to infected systems by its operator. Its main goal is to persist in a system and provide means for remote control and installing further malware.
  4. ↓ Hummingbad – Android malware that establishes a persistent rootkit on the device, installs fraudulent applications, and with slight modifications could enable additional malicious activity such as installing a key-logger, stealing credentials and bypassing encrypted email containers used by enterprises.
  5. ↔ Cutwail – Botnet mostly involved in sending spam e-mails, as well as some DDOS attacks. Once installed, the bots connect directly to the command and control server, and receive instructions about the emails they should send. After they are done with their task, the bots report back to the spammer exact statistics regarding their operation.
  6. ↓ Zeus – Trojan that targets Windows platforms and often used to steal banking information by man-in-the-browser keystroke logging and form grabbing.
  7. ↓ Zeroaccess – Worm that targets Windows platforms allowing remote operations and malware download. Utilizes a peer-to-peer (P2P) protocol to download or update additional malware components from remote peers.
  8. ↑ Locky – Ransomware which started its distribution in February 2016, and spreads mainly via spam emails containing a downloader disguised as an Word or Zip attachment, which then downloads and installs the malware that encrypts the user files.
  9. ↑ RookieUA – Info Stealer designed to extract user account information such as logins and passwords and send them to a remote server.
  10. ↓ Tinba – Banking Trojan which steals the victim’s credentials using web-injects, activated as the users try to login to their bank website.


About the Check Point Threat Index

Check Point’s threat index is based on threat intelligence drawn from its ThreatCloud World Cyber Threat Map, which tracks how and where cyberattacks are taking place worldwide in real time.  The Threat Map is powered by Check Point’s ThreatCloudTM intelligence, the largest collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors.  The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, over 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.