Symantec Enterprise Security - page 52 / 97
Symantec Global Internet Security Threat Report

In 2008, the Brisv[141] Trojan was the most widely reported new malicious code family. Its prevalence rose in 2009 to the point that it was the second-ranked sample causing potential infection. Brisv scans computers for a range of multimedia files.[142] The Trojan then modifies a data marker in the files with a malicious URL. The marker is a part of the Windows Media® Audio (WMA) format. Although other applications appear to be unaffected, when the files are opened using Windows Media Player the marker is automatically processed, causing the application to open a Web browser window and access the malicious URL. Accessing the malicious URL may expose the user to additional threats.

The effectiveness of Brisv is heightened by the possibility that unknowing victims may share the compromised multimedia files with others, through P2P networks, email, etc. As a result, the compromised files can potentially affect users whose computers were never exposed to the Trojan itself. Moreover, when Brisv scans for multimedia files, it converts all MP2 and MP3 files it encounters into the WMA format prior to injecting the malicious code, while preserving the original file extensions of the (now) converted files. The reason for converting files into the WMA format is so that Windows Media Player will process the injected marker data properly. This is an example of increased sophistication in malicious code development.
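As an added defensive illustration, not part of the report, the following heuristic checks a media file for the two traits described above: an ASF/WMA container sitting behind an .mp2/.mp3 extension, and a URL embedded as a UTF-16LE string inside the ASF header. The ASF Header Object GUID and the GUID-plus-size object layout come from the ASF specification; the sample files, the `build_constructed_asf` helper and the URL are constructed placeholders, not real Brisv artifacts.

```python
import re
from pathlib import PurePath

# ASF/WMA container magic: the ASF Header Object GUID in on-disk (little-endian) byte order.
ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")
# Extensions the report lists as Brisv targets (footnote 142).
MEDIA_EXTENSIONS = {".asf", ".mp2", ".mp3", ".wma", ".wmv"}
MPEG_AUDIO_EXTENSIONS = {".mp2", ".mp3"}
# ASF header strings are UTF-16LE, so an injected URL appears as "h\0t\0t\0p\0:\0/\0/\0...".
UTF16_URL_RE = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")


def looks_like_asf(data: bytes) -> bool:
    return data.startswith(ASF_HEADER_GUID)


def asf_header_region(data: bytes) -> bytes:
    # Every ASF object is GUID (16 bytes) + QWORD size; the first object is the Header Object.
    size = int.from_bytes(data[16:24], "little")
    return data[:size] if 24 <= size <= len(data) else data


def embedded_urls(data: bytes) -> list[str]:
    return [m.group(0).decode("utf-16-le") for m in UTF16_URL_RE.finditer(asf_header_region(data))]


def assess_media_file(name: str, data: bytes) -> list[str]:
    """Return heuristic findings for one media file; an empty list means nothing suspicious."""
    findings = []
    ext = PurePath(name).suffix.lower()
    if ext not in MEDIA_EXTENSIONS or not looks_like_asf(data):
        return findings
    if ext in MPEG_AUDIO_EXTENSIONS:
        findings.append("container/extension mismatch: ASF data behind an MPEG-audio extension")
    for url in embedded_urls(data):
        findings.append(f"URL embedded in ASF header: {url}")
    return findings


def build_constructed_asf(url: str) -> bytes:
    # Constructed stand-in for a converted file: a minimal ASF Header Object carrying a UTF-16LE URL.
    body = b"\x00" * 8 + url.encode("utf-16-le") + b"\x00\x00"
    return ASF_HEADER_GUID + (24 + len(body)).to_bytes(8, "little") + body + b"\x00" * 4


# Constructed samples (not real Brisv artifacts); the URL is a placeholder.
SUSPICIOUS_MP3 = build_constructed_asf("http://lure.example.invalid/redirect")
CLEAN_MP3 = b"ID3\x04\x00\x00\x00\x00\x00\x0a" + b"\xff\xfb\x90\x00" + b"\x00" * 32

if __name__ == "__main__":
    for name, blob in [("song.mp3", SUSPICIOUS_MP3), ("song.mp3", CLEAN_MP3), ("clip.wma", SUSPICIOUS_MP3)]:
        print(name, assess_media_file(name, blob) or ["ok"])
```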

The second highest percentage of the top 50 potential malicious code infections for 2009 belonged to worms, which increased to 43 percent from 29 percent in 2008. Six of the top 10 threats in 2009 had worm components, compared with only four in 2008. The Downadup worm is likely responsible for a significant amount of the increase in worm activity. Nonetheless, although Downadup maintained a high profile in 2009, SillyFDC[143] and Sality.AE were both more prolific.

Viruses made up the third highest percentage of the top 50 potential malicious code infections in 2009, increasing to 32 percent from 19 percent previously. In total, five of the top 10 malicious code samples in 2009 were classified as viruses. Along with Sality.AE, the others were Brisv, Mabezat,[144] Gammima,[145] and Almanahe.[146] In 2008, only three of the top 10 samples were classified as viruses.

Back doors continued to decline in 2009, dropping from 15 percent in 2008 to 13 percent in 2009. In 2008, there were two threats with back door components in the top 10. In 2009, Downadup was the only sample in the top 10 with a back door component.

Staged downloaders—multiple infections by type

Staged downloaders are threats that download and install other malicious code onto a compromised computer. These threats allow attackers to alter the downloadable component to any type of threat to suit their changing objectives over time. For example, attackers can install a Trojan that relays spam rather than one that steals confidential information. As the attackers’ objectives change, they can change any later components that will be downloaded to perform the requisite tasks.

Of the top 50 potential malicious code infections, 75 percent downloaded additional threats, down from 79 percent in 2008. In 2009, the Brisv Trojan was the most prevalent downloader component (Table 12). As noted previously, the Brisv Trojan was also the second-ranked overall malicious code threat in 2009, moving up from 10th overall in 2008, when it was the top-ranked new malicious code family detected.

141 http://www.symantec.com/security_response/writeup.jsp?docid=2008-071823-1655-99
142 Primarily .asf, .mp2, .mp3, .wma, and .wmv
143 http://www.symantec.com/security_response/writeup.jsp?docid=2009-081106-1401-99
144 http://www.symantec.com/security_response/writeup.jsp?docid=2007-111202-0601-99
145 http://www.symantec.com/security_response/writeup.jsp?docid=2007-032206-2043-99
146 http://www.symantec.com/security_response/writeup.jsp?docid=2007-041317-4330-99
