One Article Review

Source AlienVault Blog
Identifier 459640
Publication date 2018-01-23 14:00:00 (viewed: 2018-01-23 14:00:00)
Title OTX Trends Part 2: Malware
Text By Javvad Malik and Christopher Doman

This is the second of a three-part series on trends identified by AlienVault. Part 1 focused on the exploits tracked by OTX. This post covers malware, and Part 3 will discuss trends we're seeing in threat actors.

Which malware should I be most concerned about?

Most security incidents that a security team responds to involve malware. We looked at three sources of malware telemetry to help prioritise popular malware families:

- the malware families AlienVault customers detect the most;
- the malware domains observed most frequently by Cisco's Umbrella DNS; and
- the malware families with the highest number of individual samples.

Which malware families do our customers detect the most?

The following table describes the malware that we detected most frequently on our customers' networks:

This table represents malware detected by AlienVault as it communicated across a network in 2017. The data is biased towards families for which we have named network detections. That means the table is a good representation of malware that is actively running on networks, though it is important to also review other statistics on malware that has been blocked from running.

The #1 ranked malware, njRat, is particularly popular in the Middle East. It is a fairly simple .NET backdoor, and YouTube is full of videos showing how amateur users can deploy it. We often see it packed with a seemingly endless supply of custom packers to evade anti-virus. Whilst the vast bulk of njRat users are low-level criminals, it is also frequently used in targeted political attacks in the Middle East.

A YouTube guide for using njRat

The #2 ranked malware, NetWire, is primarily used by low-end criminals to steal banking details. Again, it is a freely available tool that has also been abused by targeted attackers.

The top malware we saw for Linux was China ELF DDoS. We saw little malware for Mac, though the adware MacKeeper was popular.
Which malware domains are observed the most frequently?

We matched known malicious domains from AlienVault OTX against Umbrella DNS's record of the most visited domains by their customers. From that we produced this table of the "most popular malicious domains":

The column
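The matching step described above, as an added illustration that is not AlienVault's or OTX's own code: a small Python script that joins an indicator list (standing in for an OTX domain export) against per-domain DNS query counts (standing in for a resolver's "most visited" list) and ranks the indicators by how often they were queried. Both inputs are constructed sample data using reserved `.test` names. It goes slightly beyond the text in that a query for a subdomain of an indicator counts toward that indicator, while a query for the parent of an indicator does not, which is the usual defender choice to avoid over-blocking.

```python
"""Rank known-malicious domains by how often they appear in DNS telemetry.

Added example, not AlienVault/OTX code. The indicator list and the DNS
query counts below are constructed sample data (reserved .test names).
"""
from collections import defaultdict

# Constructed indicator list (stand-in for an OTX pulse export).
MALICIOUS_DOMAINS = [
    "c2.bad-rat.test",
    "update.evil-dns.test.",     # trailing dot, as some tools export it
    "Dropper.Worm-Spread.TEST",  # mixed case, as seen in some feeds
]

# Constructed DNS telemetry: (queried name, query count), stand-in for a
# resolver's "most visited domains" record.
DNS_QUERY_COUNTS = [
    ("www.shop.test", 120000),
    ("c2.bad-rat.test", 4310),
    ("a1.c2.bad-rat.test", 905),      # subdomain of an indicator: counts
    ("update.evil-dns.test", 77),
    ("evil-dns.test", 3),             # parent of an indicator: not a match
    ("dropper.worm-spread.test", 15000),
]


def normalize(name: str) -> str:
    """Lower-case and strip whitespace and the trailing dot so that
    comparisons between feed and telemetry are exact."""
    return name.strip().lower().rstrip(".")


def matches_indicator(queried: str, indicator: str) -> bool:
    """True when the queried name equals the indicator or is a subdomain
    of it. The parent of an indicator is deliberately not a match."""
    q, i = normalize(queried), normalize(indicator)
    return q == i or q.endswith("." + i)


def rank_malicious_domains(indicators, query_counts):
    """Sum query counts per indicator and return (domain, count) pairs,
    most queried first. Indicators never seen are omitted."""
    totals = defaultdict(int)
    for queried, count in query_counts:
        for ind in indicators:
            if matches_indicator(queried, ind):
                totals[normalize(ind)] += count
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    ranked = rank_malicious_domains(MALICIOUS_DOMAINS, DNS_QUERY_COUNTS)
    for rank, (domain, count) in enumerate(ranked, 1):
        print(f"{rank:>2}  {count:>8}  {domain}")
```

On the constructed data this ranks dropper.worm-spread.test first (15000 queries), then c2.bad-rat.test (4310 + 905 from its subdomain), then update.evil-dns.test (77); the query for evil-dns.test is ignored. Two caveats carry over from the article: the result is biased toward whatever the indicator feed already names, and raw query volume says nothing about how many distinct machines were infected, so such a table should be read alongside the detection and sample-count statistics rather than on its own.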
Sent Yes
Tags
Stories APT33 Wannacry APT 33
Notes


The article does not appear to have been picked up again after its publication.


The article does not appear to be a repeat of an earlier one.