ThreatSense.Net® Report for July

Our July ThreatSense.Net® report has been released today, and will eventually be available from the Threat Center page here. Most of the top ten entries are old friends: well, familiar names might be a better way of putting it. One of the disadvantages of having a scanner that makes heavy use of advanced heuristics is that many of the most common detections don’t really map to single malware families the way that they do for companies that are more signature-oriented.

There are advantages, though, as we’ve discussed before, apart from the obvious (and important) advantage of proactive detection: it gives us more time to concentrate on processing detections rather than fussing with crossmatching samples to malware families, and it gives us a better picture of major threat trends, which we consider to be more useful. Unfortunately, some sectors of the media are still hung up on the minutiae of malware naming, which I don’t consider so important at a time when some sources are talking about collections of (much) more than 20 million individual samples. Hopefully they’ll catch up with the rest of us eventually…

Pierre-Marc and I presented a paper on the naming problem at Virus Bulletin last year, and I’ve developed the theme further in another conference paper that will be available on the white papers page in September.

As it happens, there aren’t a lot of surprises: the first few positions remain unchanged from June. However, Win32/TrojanDownloader.Bredolab.AA, despite a strong local showing in some countries, has dropped out of the worldwide top ten, while W32/FlyStudio is in at Number 5. FlyStudio is kind of interesting: it’s not exactly a malware family, but a development platform (a scripting language, to be more precise) much used in China. Unsurprisingly, the FlyStudio malware we’re seeing also seems to be targeting computer users in China, but is also being reported elsewhere, including North America. This may mean that it’s being deployed by another malware family.

Elsewhere in the top ten section, we’ve updated some of the descriptions. Over the lifetime of a threat family, there are often substantial changes in the way the malware works, or in our understanding of it as more variants appear and more information becomes available. And, as usual, we’ve included some notes on other issues that have been addressed recently by the labs and/or the Research team, including:

  • Adobe and Microsoft patching issues
  • Twitter and Facebook problems
  • A little about AMTSO
  • Some white papers that are about to appear
  • Waledac and the Dewey Effect
  • ESET in Europe’s initiative on safe wi-fi.

Director of Malware Intelligence


Author David Harley, ESET

  • just to clear something up – the number of samples is orthogonal to the malware naming problem because you don’t name samples. you name families, you give variants within those families IDs, and you make darn sure that every sample of a particular variant is detected.

    at least that was the tradition before. i think it’s still true that you don’t name samples, but different families can be used in the same malware campaign and those also get names if i’m not mistaken.

  • A detection label is -not- the same as a malware/malware family name, and the broader the heuristic, the more malware families it’s likely to correspond to. More often than not, it tells you more about the detection algorithm than the relationship between samples or families. But that -is- directly related to the glut issue. It’s bad enough trying to keep ahead of the curve on detection without spending too much time on making sure it has the right family name.

    I don’t think the term variant means much any more. It certainly doesn’t mean that every sample that’s identified by a single variant name -or- detection label is identical, even once it’s unpacked so that you’re comparing base code.

  • ah, so it was unclear enough that i didn’t even realize what kind of naming you were originally talking about and thus clearing things up had to fall to you.

    what a scanner identifies a sample as does have diagnostic value when it comes to recovery but we hope to avoid reaching that point.

Copyright © 2017 ESET, All Rights Reserved.