Top Malware Threats of 2013

Every day, security researchers discover and reverse increasingly sophisticated malware. Over 2013, new malware families appeared that aim to steal user information or control remote systems. Some of them use old techniques with slight updates that make the attack more effective against the security measures in place.

Gapz

This malware is another bootkit. Bootkits are widely used to gain full access to the victim machine, which allows the attacker to hook operating system activity without being observed by security software.

Win32/Gapz implements several functions and is able to effectively hide its presence on the infected system. The malware exploits Windows vulnerabilities to escalate user privileges, including CVE-2011-3402, CVE-2010-4398 (Driver Improper Interaction with Windows Kernel Vulnerability) and COM elevation (UAC whitelist).

Gapz also allows capturing pictures from the user's webcam and displaying them with a payment request in the upper right corner on the infected host. It locks the computer and demands payment for a code to unlock the victim's PC.

Screenshot of a system infected with Gapz

Rootkit.Avatar

Avatar was first discovered in February 2013. The malware is able to bypass antivirus software as it is loaded into memory without being saved to the hard drive. The Avatar C&C server is configured to use Yahoo Groups services to get information and updates to the bot in case it loses connection with the bot network. This makes the malware resilient and prevents it from losing the compromised servers on the internet. The malicious code searches Yahoo Groups messages using special parameters such as «hxxp://finance.groups.yahoo.com/group/I62TUUWM/».


Caphaw

The Win32/Caphaw banking malware was used by cybercriminals to attack major European banks; the attack lasted for more than a year. Win32/Caphaw differs from similar threats in that it is one of the few Trojans that can automatically steal money from the victim's bank account during a normal online banking session without the victim's knowledge.

Win32/Caphaw is able to test the environment in which it is going to be executed. This test allows it to detect and avoid honeypots and environments designed for reversing the malware. It also injects its code into all running processes and has a multithreaded architecture for task execution.

Hesperbot

This malware is similar to Zeus and SpyEye; it aims to grab users' sensitive login information by logging keystrokes and taking screenshots of the victim's computer. Hundreds of victims were found in European countries including Turkey, Portugal, the Czech Republic and the UK.

The malware's main functionality is:

  • Intercepting network traffic
  • Keylogging
  • Creating desktop screenshots
  • Video capture
  • Creating remote proxy connections
  • Hidden VNC server.

Some components of the malware can be installed on mobile devices running Symbian, BlackBerry or Android.

Atrax

This crimeware is a backdoor that uses Tor. It is one of the most dangerous malware families at the moment. When Atrax infects a system, the attacker obtains the following information:

  • Infected machine IP address
  • Hostname
  • Operating system version
  • The CPU type

The attacker can also execute the following commands:

  • dlexec – download and execute a file
  • dlrunmem – download a file and inject it into the browser
  • dltorexec – download the Tor executable and execute it
  • dltorrunmem – download the Tor executable and inject it into the browser
  • update – update itself
  • install – download a file, encrypt it with AES and save it to %APPDATA%
  • installexec – download a file, encrypt it with AES, save it to %APPDATA% and execute it afterwards
  • kill – terminate all of its own threads

Atrax has many plugins that add functionality to the botnet. There are also plugins that use the victim's computer to launch DDoS attacks from the distributed network: UDP/TCP flood, HTTP Slowloris (a slow DoS attack on Apache) and HTTP RUDY. It also supports IPv6 and IPv4.
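Because Atrax's install commands drop AES-encrypted files into %APPDATA%, one defender-side triage heuristic is to look for unusually high-entropy files in that directory. The following script is an added example written for this article, not code from the original post or from any vendor analysis; it walks a directory, computes per-file Shannon entropy, and flags files that look encrypted or packed. The threshold, minimum size and the sample files in `demo()` are constructed assumptions.

```python
import math
import os
import random
import tempfile
from collections import Counter

HIGH_ENTROPY = 7.5   # bits per byte; uniformly random/encrypted data approaches 8.0
MIN_SIZE = 1024      # ignore tiny files, whose entropy estimate is noisy
MAX_READ = 1 << 20   # only the first 1 MiB is sampled from each file


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_high_entropy_files(root: str, threshold: float = HIGH_ENTROPY,
                            min_size: int = MIN_SIZE) -> list:
    """Return sorted (path, entropy) pairs for files under root at or above threshold."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    data = f.read(MAX_READ)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the scan
            if len(data) < min_size:
                continue
            entropy = shannon_entropy(data)
            if entropy >= threshold:
                hits.append((path, round(entropy, 3)))
    return sorted(hits)


def demo() -> list:
    """Constructed sample directory: one random-looking blob and one plain text file."""
    root = tempfile.mkdtemp(prefix="appdata_demo_")
    rng = random.Random(1234)  # deterministic stand-in for an encrypted payload
    with open(os.path.join(root, "blob.dat"), "wb") as f:
        f.write(bytes(rng.getrandbits(8) for _ in range(64 * 1024)))
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("just some ordinary configuration text\n" * 200)
    return [os.path.basename(p) for p, _ in find_high_entropy_files(root)]


if __name__ == "__main__":
    for path, entropy in find_high_entropy_files(os.environ.get("APPDATA", tempfile.gettempdir())):
        print(f"{entropy:.3f}  {path}")
```

High entropy also flags legitimate compressed or encrypted content (archives, images, browser caches), so treat a hit as a lead for further inspection rather than a verdict.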

2013 has been full of new malware that updates its techniques to bypass and avoid antivirus products, so it is important to keep your security software updated with the latest definitions to stay protected against new threats.
