Conficker, Tinba and Sality make up the Top 3

Jun 22, 2016 13:25 GMT

There's no way to pull aggregated data from all security vendors and get an overall look at the infosec industry with regard to malware infections.

Fortunately, once in a while, a security firm provides us with a glimpse into their data, revealing statistics about the number and type of current threats, and any noticeable spikes or dips in malware distribution.

According to security vendor Check Point, in the month of May 2016, the total number of active malware families grew by 15 percent. This is the second month in a row in which the company has detected visible growth, after it recorded a 50 percent increase in malware numbers from March to April.

Infections weren't that diverse, though: even if the company reported seeing 2,300 different malware families, Check Point says the top ten most popular malware variants accounted for 60 percent of all detected events. Below are the most prevalent malware families for May 2016, according to Check Point.

1. Conficker

Conficker is a worm that targets Windows computers, and it appeared in the fall of 2008. Although it targeted Windows XP in the beginning, the worm has since evolved.

Current Conficker versions specialize in spreading from system to system, acting as an "infection" tool, but they can also download other malware when instructed by their C&C server, steal credentials, and disable security software.

2. Tinba

Tinba, also known as Tiny Banker or Zusy, is one of the world's smallest banking trojans, and in the past, it had an appetite for infecting users in Asian countries.

The trojan uses Web injects to compromise browsers and shows fake Web pages on top of authentic banking portals.

3. Sality

A virus that appeared in the early 2000s (in 2003, more precisely), Sality can infect computers via several different methods and is believed to have originated in Russia.

Sality is a polymorphic piece of malware, one that constantly evolves, is hard to detect, and works by infecting executable files and then downloading more complex malware. Just like Conficker, Sality is controlled via a huge botnet.

4. JBossjmx

A worm that infects Web servers running older versions of the JBoss Application Server.

The worm infects the JBoss servers via a vulnerability in the JMX Console (CVE-2010-0738). JBossjmx is then used to run malicious code or to add backdoors to infected systems.

5. Hummingbad

Hummingbad is a new malware variant targeting Android devices that appeared this past February.

The malware is one of the most annoying and hardest-to-remove threats in the Android ecosystem, and crooks use it to push ads or install unwanted apps on infected devices.

6. Zeroaccess

Another worm and malware dropper that targets Windows PCs. Zeroaccess has been a part of multiple malware distribution campaigns and was mainly used to download more dangerous malware on infected systems after the worm spread to as many targets as possible in the local network.

Zeroaccess is controlled through a peer-to-peer (P2P) botnet. P2P botnets are extremely hard to take down because they let crooks easily pull out and then reinsert new C&C servers at any time.

7. Zeus

Famous banking trojan that had its source code leaked a few years back. Zeus is also the base for most of today's banking trojans that target desktop users.

Unlike Dridex or other Web Inject-based trojans, Zeus uses man-in-the-browser keystroke logging and form grabbing to steal customer data.

8. Angler EK

A Web-hosted exploit kit that has been around for years. The exploit kit is now believed to be dead after multiple security firms have reported seeing absolutely no activity after June 7.

It's ranked 8th in Check Point's statistics because the data is from May, when Angler was at the base of many malvertising campaigns.

9. Virut

Virut is a botnet of infected computers that appeared in 2006; it was shut down in 2013 but came back to life this past winter. The botnet was assembled using the Waledac malware.

Check Point says Virut bots have been the source of many DDoS attacks, spam email, ad fraud, and pay-per-install campaigns.

10. Cutwail

Another botnet that, like Virut, is used for DDoS attacks and sending spam email; it was built with the Pushdo trojan.

Unlike the Zeroaccess botnet, this one uses a simple star architecture, with the C&C server in the middle, and it is astonishing that authorities have not been able to shut it down by now, since it has been active for more than nine years.
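The contrast drawn here and in the Zeroaccess entry above, as an added example that is not from the article or from Check Point: a small Python model of a star botnet (one central C&C) beside a peer-to-peer mesh, scoring how much of each an operator could still reach after defenders seize a single node. Node names, bot counts and the ring-with-chords mesh layout are assumptions.

```python
# Added example, not code from the article: toy graph model of the star vs
# P2P botnet topologies the text describes. Node names, sizes and the
# ring-with-chords P2P layout are constructed assumptions.
from collections import deque

def star_botnet(n_bots):
    """Star topology: every bot talks only to the single C&C server 'c2'."""
    graph = {"c2": set()}
    for i in range(n_bots):
        graph[f"bot{i}"] = {"c2"}
        graph["c2"].add(f"bot{i}")
    return graph

def p2p_botnet(n_bots, degree=3):
    """P2P topology: each bot links to a few peers; any peer can relay commands."""
    graph = {f"bot{i}": set() for i in range(n_bots)}
    for i in range(n_bots):
        for k in range(1, degree + 1):
            j = (i + k) % n_bots
            graph[f"bot{i}"].add(f"bot{j}")
            graph[f"bot{j}"].add(f"bot{i}")
    return graph

def takedown(graph, node):
    """Model a seizure: return a copy of the graph with `node` removed."""
    return {v: {w for w in nbrs if w != node} for v, nbrs in graph.items() if v != node}

def reachable_from(graph, start):
    """Breadth-first search: nodes that can still receive a command injected at `start`."""
    seen, queue = {start}, deque([start])
    while queue:
        v = queue.popleft()
        for w in graph[v]:
            if w not in seen:
                seen.add(w)
                queue.append(w)
    return seen

def controllable_fraction(graph, entry, total_bots):
    """Share of the original bots still reachable from `entry` after a takedown."""
    if entry not in graph:
        return 0.0
    return sum(v.startswith("bot") for v in reachable_from(graph, entry)) / total_bots

if __name__ == "__main__":
    n = 100
    # Seizing the central C&C isolates every bot; seizing one peer barely dents the mesh.
    print(controllable_fraction(takedown(star_botnet(n), "c2"), "bot1", n))   # 0.01
    print(controllable_fraction(takedown(p2p_botnet(n), "bot0"), "bot1", n))  # 0.99
```

The numbers make the article's point concrete: one seizure of the hub leaves a star botnet with nothing an operator can reach, while the mesh loses only the seized peer.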