By Sanjay Katkar, CTO, Quick Heal Technologies
Recently, I wrote about the continuing threat Windows users face. Despite the major advances Microsoft has made in terms of increased security safeguards available in the latest release, Windows 10, there are millions of PCs still running older versions of the popular operating system which are highly vulnerable and susceptible to external threats. Of the many flavors of Windows still widely used, Windows 7 remains the most popular version of the operating system and where cyber criminals continue to focus much of their efforts.
Given the vast number of Windows users, numbering in the billions, it should come as no surprise that, according to our research, the Windows platform alone was hit by more than 340 million samples during the first quarter of 2016, with January being the most active month of attacks with nearly 117 million samples detected. These numbers far surpassed malware detection from the same period in 2015, which should raise red flags for companies that rely on Windows to do the heavy lifting and keep their businesses running smoothly and efficiently.
It’s not just Windows that business owners should be extra vigilant about securing: together, the Microsoft Office suite and Java make up 92 percent of the most popular exploit targets. Our research found the following to be the two most damaging malware threats facing Windows users.
- Worm.AutoRun.A10 — Generally delivered through spam emails and bundled software, this worm steals personal and confidential information from infected systems, such as credit/debit card details, banking information, email passwords, account passwords, private photos, and more. Once it has invaded a system, it also downloads additional malicious programs without user consent, searches for vulnerabilities in installed programs on infected systems, and can cause system crashes. The worm also uses system resources in a manner that degrades system performance.
- Trojan.NSIS.Miner.SD — This Trojan comes bundled with freeware and shareware programs. After installation of this Trojan, users get redirected to other malicious websites. “SD” enters a system through hacked websites or unverified links. The Trojan then downloads and installs free software on the system from malicious websites. These tasks are performed in the system background without the user’s consent. The Trojan automatically starts when the system is booted up and also modifies important system files and Windows registry settings. The Trojan makes excessive use of system resources, which further degrades system performance. It also opens a backdoor for other infections to enter the vulnerable system.
Although not as likely to wreak havoc as the previous two threats, companies should be equally aware of and protect against the following exploits with the same diligence.
- PUA.Mindsparki.Gen — This Potentially Unwanted Application (PUA) comes from third-party bundled installer applications and software downloaders. It changes the browser’s homepage and default search engine to “ask.com” or “yahoo.com.” It also installs a toolbar powered by “ask.com” in the system and recommends software that is mentioned on the toolbar to the user as well. On occasion, this behavior is actually disclosed in the EULA (End User License Agreement) displayed during the installation of these applications. If a user does not read the EULA carefully or check what is listed under the custom installation options, the unwanted bundled applications may end up installed on the system.
- PUA.Clientconn.Gen — This PUA alters the default search engine settings for web browsers to services such as default-search.net, search.ask.com, and Trovi search. It promotes specific adware publishers whose programs arrive on the system through bundled software. These adware programs can change the default browser configuration settings, add entries for the aforementioned search engines, and display an excessive number of ads while the user is browsing the web.
- W32.Sality.U — A polymorphic file infector, W32.Sality.U starts by enumerating and infecting all the executable files present on local drives, removable drives and remote shared drives. It then injects its code into all running system processes, so that any executable those processes touch on local, removable or remote shared drives is infected in turn. It also tries to terminate security applications and deletes all files related to security software installed on the system. The malware additionally has the ability to steal sensitive information from infected systems.
- LNK.Exploit.Gen — This is an “exploit,” that is, a piece of software or a sequence of commands that takes advantage of a bug or vulnerability in the system to cause unintended or unanticipated behavior on a computer. It enables an attacker to gain unauthorized remote access to an infected computer. An attacker can use such a backdoor to spy on the targeted user, manage files, install more software or threats, shut down or reboot the computer, or even attack other connected machines within the network. LNK.Exploit.Gen targets Windows vulnerabilities that allow malicious shortcuts to run themselves when the folder containing the shortcut is merely viewed in Windows Explorer. It can easily compromise a system by installing rogue software or redirecting users to unsafe websites and suspicious advertisements, which slows down the infected system.
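Several of the threats above leave the same kinds of traces on a machine: the PUAs rewrite the browser's start page and search provider to the domains named in the list, the Trojan registers itself to start at boot, and AutoRun-style worms rely on an autorun.inf on removable media. The read-only audit below is an added example written for this article, not Quick Heal's own tooling; it checks the standard Internet Explorer start-page and SearchScopes registry locations, the HKLM/HKCU Run keys and removable drives for those indicators. The hijack-domain list is taken from the text, and the "autostart entry outside Program Files or Windows is suspicious" rule is a heuristic assumption of this example, so treat its output as leads to review rather than verdicts.

```powershell
# Added example, not from the original article: read-only audit for the
# indicators described in the threat list. Assumptions: standard IE and
# Run-key registry paths; hijack domains as named in the article; the
# "outside trusted folders" rule for Run entries is a heuristic.

$HijackDomains = @('default-search.net', 'search.ask.com', 'trovi', 'ask.com')

function Test-HijackValue {
    param([string]$Value)
    if ([string]::IsNullOrEmpty($Value)) { return $false }
    foreach ($d in $HijackDomains) {
        if ($Value -like "*$d*") { return $true }
    }
    return $false
}

# 1. Browser start/search page and search providers (Internet Explorer locations)
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
foreach ($name in 'Start Page', 'Default_Page_URL', 'Search Page') {
    $v = (Get-ItemProperty -Path $ieMain -Name $name -ErrorAction SilentlyContinue).$name
    if (Test-HijackValue $v) {
        [pscustomobject]@{ Check = 'IE Main'; Name = $name; Value = $v }
    }
}
$scopes = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
Get-ChildItem -Path $scopes -ErrorAction SilentlyContinue | ForEach-Object {
    $url = (Get-ItemProperty -Path $_.PSPath -Name 'URL' -ErrorAction SilentlyContinue).URL
    if (Test-HijackValue $url) {
        [pscustomobject]@{ Check = 'IE SearchScope'; Name = $_.PSChildName; Value = $url }
    }
}

# 2. Autostart (Run key) entries whose command points outside trusted folders
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$trusted = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) | Where-Object { $_ }
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSChildName, ...)
        $cmd = [string]$p.Value
        $inTrusted = $false
        foreach ($t in $trusted) { if ($cmd -like "*$t*") { $inTrusted = $true } }
        if (-not $inTrusted) {
            [pscustomobject]@{ Check = 'Run key'; Name = "$k\$($p.Name)"; Value = $cmd }
        }
    }
}

# 3. autorun.inf on removable drives (DriveType 2 = removable), used by AutoRun worms to spread
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    $inf = Join-Path $_.DeviceID 'autorun.inf'
    if (Test-Path $inf) {
        [pscustomobject]@{ Check = 'autorun.inf'; Name = $_.DeviceID; Value = $inf }
    }
}
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable; no output means none of the checks matched. Each finding is emitted as an object, so the script can be piped to Export-Csv or into a monitoring agent for the continual monitoring the article calls for. Other browsers keep their settings in their own profile files rather than these registry keys, so extend the first check accordingly if Internet Explorer is not the browser in use.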
If 2015 was any indication, 2016 is shaping up to be a year of unpredictable attacks and the continuation of the disruptive ransomware trend. While Windows seems to be a popular target for cyber criminals, ransomware is a platform-agnostic threat that we all need to be wary of. Protecting against these threats must be proactive and ongoing. Not only must systems be monitored continually, but malicious software should be removed from each individual machine right away.
It goes without saying, but all applications, programs and operating systems, Windows especially, should be updated to avoid security vulnerabilities. From a user perspective, employees should be on guard and stay away from phishing pages, malicious emails, and more. All of these approaches and safeguards combined will go a long way in preventing a devastating attack.
Sanjay Katkar is the Co-Founder and Chief Technical Officer of Quick Heal Technologies, a leading global provider of IT security solutions. He holds bachelor’s and master’s degrees in computer science from University of Pune, India. Katkar, who has been associated with Quick Heal since its incorporation, has spearheaded the development of the company’s enterprise software, technology and services. Quick Heal’s Seqrite data security product line is specifically targeted at small to midsize enterprises and is sold in North America exclusively through channel partners.