Common Malwares in Bhutan

More than 1,400 different malware families were identified globally by Check Point during a survey carried out in  February 2016 and  39 per cent of malware attacks globally was found to be  caused by the Conficker, Sality, and Dorkbot.

The Bhutan Computer Incidence Response Team(BtCIRT) also found out that Conficker and Dorkbot are the most common Malwares affecting Systems in Bhutan.

1. Conficker

Conficker is a computer worm that can infect your computer and spreads to other computers across a network , through file sharing or removable drives. This infection allows an attacker to access users’ personal information such as banking information, credit card numbers, usernames & passwords by using a Keylogger.

Also Known as Downup, Downadup and Kido

2.  Dorkbot

This family of worms can Compromise Computers privacy and Security and  steal your usernames and passwords by spying on what you do online. They usually block websites that are related to security updates and launch a limited denial of service (DoS) attack.

They are distributed and spread through social networking sites,compromised websites with browser exploits,  instant messaging spam bots, drive-by-download, and autorun exploits on removable devices like USB-sticks.

Different Vendors have different names for this malware:

• AntiVir – BDS/Backdoor.Gen,
• Avast – Win32:Ruskill-EG [Trj],    
• AVG – Worm/Generic2.ASJP, 
• BitDefender – Worm.Dorkbot.A, 
• Emsisoft – Worm.Dorkbot.A (B),   
• ESET-NOD32 – Win32/Dorkbot.B,
• Kaspersky – Worm.Win32.Ngrbot.byu,  
•  McAfee – W32/IRCbot.gen.ax,
• Microsoft – Worm:Win32/Dorkbot.A, 
•  Norman – Dorkbot.U,
• Panda – W32/Lolbot.R.worm, 
• Symantec – W32.IRCBot.NG

Impact:

1. Modification of system settings;
2. Terminates\disables critical Windows services such as Windows Security Service, Windows Auto Update, Windows Defender and others and blocks Security related sites;
3. Checks for internet connectivity and redirects to malicious websites or downloads arbitrary malicious files;
4. Sluggish response due to increase in network traffic.
5. Infected system may be used to send spam, participate in DDoS attacks, or obtain users’ credentials, including credit card details.
6. It may redirect the browser to unwanted websites that contain more viruses or spywares or degrade the system performance and randomly crash down the system.

Mitigation:

1. Maintain a good antivirus product and periodically update and run full scan. While you can run any of the anti virus vendors software, Microsoft recommends using Microsoft essential for windows 7 and vista and Windows Defender for windows 8 and 10. Also to use Microsoft Safety Scanner and Microsoft Windows Malicious Software Removal Tool.
2. Turn on your firewall
3. Disable AutoRun.
4. Use strong passwords and change them after cleaning infection
5. Ensure that shared folders are secured.
6. Use anti-virus : Use windows Defender for Windows 8 and 10. Microsoft security Essential for Windows 7 and Windows Vista. Also run Microsoft Safety Scanner and Microsoft Windows Malicious Software Removal Tool. Most of the other antivirus also have capability to remove this malware.
7. Scan Removable Drives
8. Use Anti-Malware tools like  Malwarebytes Anti-Malware, HitmanPro and Emsisoft Anti-Malware.
9. Keep your operating system and application software up-to-date
10. Adwares on brousers like searching.com  can also download malwares if your browser behaves wierdly like changing default search engine run Adware Removal Tools

 

Recovery:

1. To clean your computer, Restart  in safe mode and run one full scan with at least two different up-to-date Virus and Malware removal tools. Most AntiVirus vendors(Symantec, SOPHOS, McAfee, Microsoft, Avast and many more) have developed removal tools and/or provided instructions for Malware Removal.
2. Now start your computer in normal mode, uninstall the infected antivirus and install new one , update and run full scan once more.
3. Once you clean your computer if you still cannot read files run command prompt and  type in “attrib -h -r -s /s /d drive letter:\*.*”, for example, “attrib -h -r -s /s /d F:\*.*”.
4. If above method fails EaseUS also provides a recovery tool please check https://www.easeus.com/file-recovery/virus-file-recovery.html
5. Always keep BACKUP from now on

Top desktop threads according to Microsoft and impact of most can be minimised following above safety practices and tools:

• Exploit:HTML/Axpergle.O
• Exploit:Win32/CplLnk.A
• Exploit:HTML/NeutrinoEK.G
• Exploit:HTML/Meadgive.K
• Exploit:JS/Axpergle.BQ
• Exploit:JS/Axpergle.BM
• Exploit:HTML/IframeRef.gen
• Exploit:Win32/CplLnk.B
• Exploit:Java/Anogre.E
• Exploit:Win32/ShellCode.gen!V

 

Reference

https://electronicsnews.com.au/mobile-malware-increasingly-threatening-android-devices
https://www.sans.org/security-resources/malwarefaq/conficker-worm.php
https://www.microsoft.com/en-us/security/pc-security/conficker.aspxhttps://www.microsoft.com/security/portal/threat/Encyclopedia/entry.aspx?Name=Win32%2FDorkbothttps://www.us-cert.gov/ncas/alerts/TA15-337A
https://cert.gov.ng/ngcert-2015-0081
https://www.microsoft.com/security/scanner/en-us/default.aspx