One amazing capability that we get from both our FireAMP (Advanced Malware Protection) enterprise product as well as its consumer counterpart, Immunet, is the ability to get insight into how malware arrives on a given system; i.e., how it was “dropped.”
I decided to take a cross section of this data, and segment it geographically, so we could identify trends related to how malware arrives across different endpoints.
I’ll start by talking about data from the United States, and in subsequent blog entries, will touch upon other countries.
The most common malware dropper in the United States is winlogon.exe, which is a common target for malware. That is, malware essentially injects itself into this application.
In terms of web browsers, Internet Explorer was the most popular malware dropper (in order of number of malware instances seen from that browser) followed by Google Chrome, and then Firefox. The version of Internet Explorer associated with the most malware downloads is 9.0.8112.16421.
In these cases, users were likely socially engineered into getting infected (i.e., they followed a malicious link and downloaded/executed a threat) rather than the attacker exploiting a web browser vulnerability.
The fourth most popular dropper is Dropbox.exe (version 1.0.0.1), suggesting that large numbers of people have malware in their Dropbox folders. In many of these cases the files appear to be assorted key generators and similar cracking tools. This example is interesting because file-syncing applications of this kind have become popular only in the last year or two; because they can be used to share software applications, it should come as no surprise that they are peppered with malware.
Finally, the seventh most popular dropper is MaxSync.exe (version 5.0), which is associated with Maxtor hard drives – suggesting that people have been infected and that the infection has reached their backup drive as well, so that whenever they sync, the malware finds its way back onto the system. While backing up data is generally a good practice, there may still be some risks involved!
In terms of actual threats, the three most popular are W32.ET.mywebsearch, W32.Agent, and W32.Clam.Adware.ShopAtHome-3. These threats are largely those that affect search and advertisements – further suggesting that consumerism needs to breed caution.
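As an added illustration of the kind of aggregation described in this post (example code written for this page, not the FireAMP/Immunet tooling or the author's own analysis), the script below ranks droppers, their most common versions, dropper classes and threat names per country over constructed telemetry lines; the pipe-separated record format and the dropper-class grouping are assumptions.

```python
from collections import Counter

# Constructed sample telemetry lines (not real FireAMP/Immunet output).
# Format assumed for this example: country|dropper process|version|threat
SAMPLE_LOG = """\
US|winlogon.exe|6.1.7601.17514|W32.Agent
US|winlogon.exe|6.1.7601.17514|W32.ET.mywebsearch
US|iexplore.exe|9.0.8112.16421|W32.ET.mywebsearch
US|iexplore.exe|8.0.6001.18702|W32.Clam.Adware.ShopAtHome-3
US|chrome.exe|21.0.1180.89|W32.Agent
US|Dropbox.exe|1.0.0.1|W32.Agent
US|Dropbox.exe|1.0.0.1|W32.Agent
US|MaxSync.exe|5.0|W32.Agent
DE|firefox.exe|15.0|W32.Agent
DE|iexplore.exe|9.0.8112.16421|W32.ET.mywebsearch
"""

# Hypothetical grouping of droppers into the classes the post discusses.
DROPPER_CLASS = {
    "winlogon.exe": "system process (injection target)",
    "iexplore.exe": "browser", "chrome.exe": "browser", "firefox.exe": "browser",
    "Dropbox.exe": "file-sync client", "MaxSync.exe": "backup-sync client",
}

def parse_log(text):
    """Parse pipe-separated lines into (country, dropper, version, threat) tuples."""
    records = []
    for line in text.splitlines():
        fields = line.strip().split("|")
        if len(fields) == 4:          # skip blank or malformed lines
            records.append(tuple(fields))
    return records

def rank_droppers(records, country):
    """[(dropper, instances), ...] for one country, most frequent first."""
    return Counter(r[1] for r in records if r[0] == country).most_common()

def top_version(records, country, dropper):
    """Version of `dropper` tied to the most malware instances in `country`."""
    versions = Counter(r[2] for r in records if r[0] == country and r[1] == dropper)
    return versions.most_common(1)[0][0] if versions else None

def dropper_classes(records, country):
    """Malware instances per dropper class for one country."""
    return dict(Counter(DROPPER_CLASS.get(r[1], "other")
                        for r in records if r[0] == country))

def top_threats(records, country, n=3):
    """The n most frequent threat names for one country."""
    return Counter(r[3] for r in records if r[0] == country).most_common(n)

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for country in sorted({r[0] for r in recs}):
        print(country, rank_droppers(recs, country), dropper_classes(recs, country))
```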
Thanks for the info and sharing