Big increase in active malware families

Check Point Software Technologies has published its Threat Index for May 2016, which reports that the number of active malware families observed worldwide rose by 15% over the month.

The May Threat Index presents a mixed view of Africa, with several countries making quite strong moves up and down the index (the higher a country's ranking, the greater its exposure to cyber-attack). There are four African countries in the top 10 of the index, including Malawi, which currently sits third (up one position from the previous month). The others are Djibouti, Namibia and Angola. Just outside the top ten, at eleventh, sits Botswana. There are 112 countries on the overall index.

Nigeria, West Africa's technology and economic hub, is currently ranked 19th, a significant improvement on April's 11th position. In a reversal of fortunes of sorts, East African powerhouse Kenya moved a massive 46 positions up the index to sit at 37th.

Globally, Check Point detected 2 300 unique and active malware families attacking business networks in May. It was the second consecutive month in which Check Point observed an increase in the number of unique malware families, having previously reported a 50% increase from March to April.

The continued rise in the number of active malware families highlights the wide range of threats and the scale of the challenge security teams face in preventing attacks on their business-critical information. Most notably:

* Banking malware Tinba became the fourth most prevalent form of infection last month in Kenya, and ninth in Nigeria. This Trojan allows attackers to steal victims' credentials using web-injects (content injected into the banking site's pages inside the browser), activated as users try to log in to their banking website. Tinba ranked second on the overall international threat list. The top malware in Nigeria in May was also a financial threat: Gamarue is a modular bot that hides in trusted processes and can be used to harvest financial information.

* Attacks against mobile devices also remained a high priority, as Android malware HummingBad persisted in the overall top 10 of malware attacks across all platforms during the period. In both Kenya and Nigeria, HummingBad ranks as the fifth most common malware. Despite only being discovered by Check Point researchers in February, it has rapidly become widespread, indicating that attackers view Android mobile devices as weak spots in enterprise security and as potentially high-reward targets.

Rick Rogers, area manager for East and West Africa at Check Point Software Technologies, believes that both of these threats are significant in the African context as Android phone sales and banking inclusion continue to climb.

“As bring your own device (BYOD) continues to be a trend and smartphone penetration on the continent grows, companies are at an increased risk from HummingBad in particular, and other malware. Combined with the growth in malware family numbers overall, this represents a significant business risk.

“Enterprises of all sizes must educate themselves on the security threats they face and invest in solid measures to protect their networks and corporate data,” Rogers says.

In May, Sality, Virut and Conficker were the top malware families in Kenya, while Gamarue, Sality and Dorkbot featured in Nigeria’s top three. Internationally, Conficker was the most prominent malware family, accounting for 14% of recognised attacks. The top ten families were responsible for 60% of all recognised attacks around the world.

Sality is a file-infecting virus that gives its operator remote control of infected systems and the ability to download additional malware onto them. Its main goal is to persist on a system and provide a means of remote control and of installing further malware.

Virut is one of the top malware and botnet distributors on the Internet, and is used for DDoS attacks, spam distribution, data theft and fraud. Spread through infected executables, Virut alters the local hosts file and opens a backdoor to remote attackers via an IRC channel.
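Hosts-file tampering of the kind attributed to Virut above is cheap to check for. The following is an added example, not part of the Check Point report or any vendor tool: it parses hosts-file text and flags two things, well-known update or security-vendor domains pinned to any address at all (the usual way malware blocks updates), and any other non-standard name mapped to a non-loopback address (a redirect candidate). The `SUSPICIOUS_SUFFIXES` list, the baseline name set and the sample hosts file are constructed for the example and should be adapted to your own environment.

```python
"""Hosts-file tamper check (added example; sample data is constructed)."""
import ipaddress
from collections import namedtuple

# Names that legitimately appear in a stock hosts file (assumed baseline).
BASELINE_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
    "ip6-allnodes", "ip6-allrouters", "ip6-allhosts",
}

# Domain suffixes whose mere presence in a hosts file is suspicious.
# Constructed list: add your own update and AV vendor domains.
SUSPICIOUS_SUFFIXES = ("windowsupdate.com", "update.microsoft.com", "example-av.com")

Finding = namedtuple("Finding", "lineno ip name reason")


def parse_hosts(text):
    """Return (lineno, ip, [names]) for every non-comment, non-empty line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                              # malformed line, ignore
        entries.append((lineno, parts[0], parts[1:]))
    return entries


def _is_pinned_security_domain(name):
    """True if name equals or is a subdomain of a suspicious suffix."""
    return any(name == s or name.endswith("." + s) for s in SUSPICIOUS_SUFFIXES)


def find_suspicious(text):
    """Scan hosts-file text and return a list of Finding tuples, in file order."""
    findings = []
    for lineno, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(Finding(lineno, ip, " ".join(names), "unparseable address"))
            continue
        for name in names:
            lname = name.lower()
            if _is_pinned_security_domain(lname):
                # Pinned to loopback -> update/AV blocking; pinned elsewhere -> redirect.
                findings.append(Finding(lineno, ip, name,
                                        "security/update domain pinned in hosts file"))
            elif not addr.is_loopback and lname not in BASELINE_NAMES:
                findings.append(Finding(lineno, ip, name,
                                        "name mapped to non-loopback address (review)"))
    return findings


# Constructed sample: two tampered lines plus one legitimate internal override.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
10.0.0.5        intranet.corp.example   # legitimate internal override
127.0.0.1       www.windowsupdate.com   # blocks update checks
192.0.2.44      www.example-av.com      # redirects AV vendor to attacker host
"""


def scan_file(path):
    """Convenience wrapper for a real hosts file (e.g. /etc/hosts)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_suspicious(fh.read())


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_HOSTS):
        print(f"line {f.lineno}: {f.ip:<15} {f.name:<28} {f.reason}")
```

Run it against `/etc/hosts` (or `C:\Windows\System32\drivers\etc\hosts`) with `scan_file`; the "review" findings are expected on machines with legitimate internal overrides, so compare them against a known baseline rather than alerting on every one, while a pinned update or AV domain is worth an alert on its own.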

Machines infected by Conficker become part of a botnet under its operators' control. It also disables security services, leaving computers even more vulnerable to other infections.

Gamarue is a modular bot: its loader downloads additional modules and injects them into trusted processes to hide. Infected machines can be harvested for financial credentials.

Dorkbot is an IRC-based worm designed to allow remote code execution by its operator and to download additional malware to the infected system; its primary purpose is to steal sensitive information and launch denial-of-service attacks.