Top Malicious Code Samples
Background
This metric assesses the top malicious code samples in EMEA in 2011. Symantec analyses new and existing malicious code samples to determine which threat types and attack vectors are being employed in the most prevalent threats. This information also allows administrators and users to gain familiarity with the threats that attackers may favor in their exploits. Insight into emerging threat development trends can help bolster security measures and mitigate future attacks.
Methodology
To determine the top malicious code samples, Symantec ranks each malicious code sample based on the volume of unique sources of potential infections observed during the reporting period.
Figure E.9: Top malicious code samples in EMEA, 2011:
- The Sality.AE virus continues to dominate in EMEA: The top malicious code sample by volume of potential infections in EMEA for 2011 was Sality.AE. Reported activity by this virus was the primary contributor to the Sality family being the second highest ranked malicious code family globally, by prevalence in 2011.
- Discovered in 2008, Sality.AE has been a prominent part of the threat landscape since then, and Sality was the top malicious code family identified by Symantec globally in both 2009 and 2010.
- Sality may be particularly attractive to attackers because it uses polymorphic code that can hamper detection. Sality is also capable of disabling security services on affected computers. These two factors may lead to a higher rate of successful installations for attackers.
- Sality propagates by infecting executable files and copying itself to removable drives such as USB devices. The virus then relies on Microsoft Windows AutoRun functionality to execute when those drives are accessed. This can occur when an infected USB device is attached to a computer.
- The reliable simplicity of spreading via USB devices and other media makes malicious code families such as Sality.AE (as well as SillyFDC and others) effective vehicles for installing additional malicious code on computers.
- Ramnit became the second most prevalent malicious code family in EMEA in 2011, up from third position in EMEA in 2010. Globally, Ramnit ranked in first position as the most prevalent malicious code family in 2011.
- This is primarily the result of activity by W32.Ramnit!html, which accounts for 51% of all Ramnit malware identified globally in 2011. W32.Ramnit!html is a generic detection for .html files infected by W32.Ramnit.
- First discovered in 2010, W32.Ramnit has been a prominent feature of the threat landscape since then, often switching places with Sality throughout the year as the two families jockey for first position.
- Ramnit spreads by encrypting and then appending itself to DLL, EXE and HTML files. It can also spread by copying itself to the recycle bin on removable drives and creating an AUTORUN.INF file so that the malware is potentially executed automatically on other computers, for example when an infected USB device is attached to a computer. The reliable simplicity of spreading via USB devices and other media makes malicious code families such as Ramnit and Sality (as well as SillyFDC and others) effective vehicles for installing additional malicious code on computers.
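The AUTORUN.INF technique described above is easy to check for from the defender's side. The following is an added example, not Symantec's or the report's code: a small parser that reads an autorun.inf from a removable drive and flags any directive that would launch a file, with recycle-bin targets (the pattern the report attributes to Ramnit) rated highest. The sample file content, SID and file name are constructed.

```python
"""Flag autorun.inf directives that launch a file from a removable drive.

Added example, not the report's code: the report describes Ramnit copying itself
to a removable drive's recycle bin and writing an AUTORUN.INF so the copy runs
when the drive is opened. This parser flags directives of that shape."""
# [autorun] directives that launch a file; shell\<verb>\command= does too
EXEC_KEYS = {"open", "shellexecute"}
# Folder names Windows has used for the per-volume recycle bin
RECYCLE_DIRS = {"recycler", "$recycle.bin", "recycled"}

def parse_autorun(text):
    """Return (key, target, in_recycle_bin) for each executing directive."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        key = key.lower()
        if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            if value.startswith('"'):  # quoted program path, then arguments
                target = value[1:].split('"', 1)[0]
            else:  # first token is the program, the rest are arguments
                target = value.split()[0] if value else ""
            parts = target.replace("/", "\\").lower().split("\\")
            findings.append((key, target, any(p in RECYCLE_DIRS for p in parts)))
    return findings

def autorun_risk(text):
    """'high': runs a file from the recycle bin; 'medium': runs any file; else 'none'."""
    findings = parse_autorun(text)
    if any(in_bin for _, _, in_bin in findings):
        return "high"
    return "medium" if findings else "none"

# Constructed sample in the shape the report describes (SID and file name made up)
SAMPLE_AUTORUN = """[autorun]
open=RECYCLER\\S-1-5-21-0000000000-0000000000-0000000000-1000\\sample.exe
action=Open folder to view files
"""

if __name__ == "__main__":
    print("risk:", autorun_risk(SAMPLE_AUTORUN))
```

A benign autorun.inf that only sets `icon=` or `label=` yields "none", so the check can run over every removable drive without flooding alerts.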