Kelihos Becomes King of the Malware Mountain
February 14, 2017
Seid Yassin (557 articles)

The beginning of 2017 has brought a series of changes on the malware charts, as the Kelihos botnet managed to climb to the top position, while the Conficker worm dropped to fourth on the list.

An eight-year-old threat, Conficker managed to remain one of the most active malware families out there last year, although it didn’t make it to the headlines as often as other threats. In 2015, however, the malware returned to focus briefly, after security researchers found that it had infected police body cameras.

Check Point’s latest threat report shows that Conficker is now the fourth most active malware out there, with Kelihos, HackerDefender, and CryptoWall occupying the first three positions. Conficker was the top threat in the security firm’s Top 10 “Most Wanted” malware list for quite some time.

The current leader, Kelihos, is yet another long-standing threat, one that managed to withstand several takedown attempts. In August last year, Kelihos infections registered a spike and the botnet tripled in size overnight, a clear sign that the actors behind it were considering ramping up activity. The botnet uses peer-to-peer communications, with each individual node acting as a command and control center.

Although the botnet was focused mainly on spamming stock pump-and-dump schemes or pharmaceutical scams, it was seen dropping malware as well, including ransomware such as MarsJoke, Wildfire, and Troldesh, as well as Trojans, including Panda Zeus, Nymaim and Kronos. Most recently, security researchers observed that Kelihos was also capable of infecting removable USB drives to spread to new hosts.

The second top malware family is the HackerDefender user-mode rootkit for Windows, which can be used to hide files, processes and registry keys, as well as to implement a backdoor and port redirector. The third Most Wanted malware in January was CryptoWall, a piece of file-encrypting ransomware that uses AES encryption and the Tor anonymity network.

Nemucod (JavaScript or VBScript downloader), RookieUA (info stealer), Nivdort (multipurpose bot also known as Bayrob), Zeus (banking Trojan), Ramnit (banking Trojan), and Necurs (spam botnet mainly associated with the distribution of Locky) round out the Top 10 Most Wanted malware list.

The mobile threat landscape registered changes as well last month, as the Triada modular backdoor for Android secured the first position on the Top 3 Most Wanted mobile threats. Detailed in March last year, Triada was considered the most advanced mobile malware to date.

HummingBad, an Android Trojan capable of establishing a persistent rootkit on a device and installing additional applications, dropped to the second position. Dubbed HummingWhale, a new variant of this malware was discovered a couple of weeks ago, after it managed to infect 20 apps in Google Play and supposedly infect millions of devices.

Hiddad, a piece of Android malware that repackages legitimate apps and then releases them to a third-party store, is currently the third “most wanted” mobile threat. The malware, security researchers note, was designed to display ads but can also be used to gain access to key security details built into the OS, thus enabling the attacker to obtain sensitive user data.

“The wide range of threats seen during January utilizes all available tactics in the infection chain to try and gain a foothold on enterprise networks. To counter this, organizations need advanced threat prevention measures on networks, endpoints and mobile devices to stop malware at the pre-infection stage, to ensure that they are adequately secured against the latest threats,” Check Point concludes.

Source | securityweek