The list below is the top malware that HitmanPro found and removed from computers that were protected by up-to-date antivirus programs. It differs from the lists published by other security companies because it covers only malware that succeeded in hiding from or bypassing up-to-date virus protection programs. We are able to compile this list because HitmanPro also records whether an up-to-date antivirus program, registered in the Windows Security Center, was present on the computer.

Prevalence Top 25

Rank  Malware       Prevalence
   1  FakeAV            11.97%
   2  MyWebSearch        7.41%
   3  Alureon            7.02%
   4  ZeroAccess         5.16%
   5  Sasfis             5.11%
   6  Hotbar             4.03%
   7  Pihar              3.51%
   8  Zbot               3.26%
   9  Gamevance          3.21%
  10  Delf               2.64%
  11  Buzy               2.64%
  12  Virut              2.51%
  13  Softomate          1.99%
  14  Vundo              1.82%
  15  Popuper            1.52%
  16  Hacktool           1.46%
  17  Small              1.14%
  18  Zwangi             0.95%
  19  Mebroot            0.93%
  20  Sality             0.89%
  21  Zango              0.80%
  22  Bamital            0.80%
  23  Cycbot             0.79%
  24  Rebhip             0.79%
  25  Hupigon            0.76%

Infected MBR Prevalence Top 5

Rank  Bootkit             Prevalence
   1  Pihar                   63.11%
   2  TDL4 (Alureon)          27.99%
   3  Sst                      5.09%
   4  Mebroot (Sinowal)        3.08%
   5  Beast                    0.33%

A bootkit is a variant of a kernel-mode rootkit that modifies the master boot record (MBR). Bootkits successfully subvert 64-bit kernel-mode driver signing in Windows 7.

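Because the bootkits in the table above all live in the MBR, one defender-side check is to compare that sector against a baseline taken from a known-clean machine. The script below is an added example, not HitmanPro's code: it parses a 512-byte MBR, hashes the bootstrap-code region, validates the partition table and boot signature, and reports deviations. The sector bytes and baseline hash are constructed for the demonstration.

```python
import hashlib
import struct

# Classic 512-byte MBR layout: 446 bytes of bootstrap code, four 16-byte
# partition entries, then the 0x55 0xAA boot signature.
BOOT_CODE_LEN = 446
PART_TABLE_OFF = 446
BOOT_SIG_OFF = 510


def parse_mbr(sector: bytes) -> dict:
    """Split a raw sector into a bootstrap-code hash, partition entries and signature check."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        parts.append({"bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts,
            "signature_ok": sector[BOOT_SIG_OFF:] == b"\x55\xAA"}


def check_mbr(sector: bytes, baseline_boot_hash: str) -> list:
    """Return findings that deviate from the baseline; an empty list means the MBR matches."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_boot_hash:
        findings.append("bootstrap code differs from baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable, expected 1")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: one bootable NTFS (type 0x07) partition at LBA 2048."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)  # pad bytes become zeros
    return code + entry + b"\x00" * 48 + b"\x55\xAA"


# Constructed stand-ins for the demonstration, not real boot code.
CLEAN_MBR = build_sample_mbr(b"\xFA\x33\xC0\x8E\xD0")
BASELINE_HASH = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
MODIFIED_MBR = build_sample_mbr(b"\xEB\xFE")  # same partition table, altered bootstrap bytes
```

On a real system, read the first 512 bytes of the raw disk or a disk image opened in binary mode and pass them to check_mbr; since a bootkit already running in the kernel can return a clean-looking sector to user-mode reads, take both the baseline and the check from offline boot media where possible.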
In January 2012 the number 4 malware that we found on up-to-date protected computers is the ZeroAccess rootkit, also known as Max++ and Sirefef.

The ZeroAccess rootkit made its first appearance in 2009. How is it possible that so many computers are still affected by ZeroAccess and none of the security vendors show this in their Top X detected malware lists?

The virus protection on your computer simply lacks the technology to reveal, identify and remove the rootkit. That may sound like a bold statement, but know that the cybercriminals behind ZeroAccess know how antivirus programs work and designed ZeroAccess specifically to protect itself against antivirus programs. So the mere fact that HitmanPro detects the ZeroAccess rootkit on this large percentage of protected computers is a clear indication that it’s very successful at it.

The ZeroAccess dropper is known to be spread as a silent drive-by download through the Blackhole Exploit Toolkit and the Bleeding Life Toolkit, which exploit certain software vulnerabilities. It is also often disguised as a crack or key generator for a wide range of applications, from Microsoft Office to games or porn downloaders.

Once the user downloads and executes the infected crack or patch in an attempt to pirate a commercial application, the dropper silently suspends the part of Windows File Protection (WFP) that handles the repair of protected Windows operating system files. The dropper then randomly chooses a system driver, overwrites it with its own kernel-mode driver and loads it. Once active, a self-defense routine kills antivirus programs that try to access ZeroAccess’s code.

ZeroAccess’s main objective is to make money by redirecting your Google Search results to partners of ZeroAccess’s creators. It also blocks access to legitimate antivirus vendor sites and downloads additional malware such as Trojans or rogue/fake antivirus programs that deceive or mislead users into paying for fake or simulated removal of malware.

Over time a few malware researchers from different security vendors have written technical briefs on the ZeroAccess rootkit. After reading these briefs you’d expect their antivirus products to be able to find and remove this threat from your computer, but they are not (which explains its high position in our Top 25). Instead, this handful of security vendors provides a dedicated tool, separate from their regular antivirus program, designed specifically to handle only the ZeroAccess rootkit.

But when do you go and look for this tool when your antivirus program is unaware of the threat and does not inform you?

For more information on the ZeroAccess rootkit, please read our blog article on this malware: http://hitmanpro.wordpress.com/2011/07/15/zeroaccess-rootkit-strikes-back/

