This taxonomy definition refers to so-called "malware", i.e. unwanted software that gets installed on a PC without the user's consent, knowledge or full understanding.
Problem description
There is a multitude of different types of malware. The Wikipedia article on malware as well as Techtarget have good articles on the types, purposes and effects of the different kinds of malware. Our taxonomy definition of "malware" encompasses any type of infection on a PC, server or device that is connected to the Internet.
In order to help remediation efforts, CERT.at will always add a more specific hint (fields "malware.name" and "taxonomy.identification") on what type of malware the report is about. Disclaimer: this is the family name as known to CERT.at from the incoming report. We do not inspect individual PCs or devices to verify whether the claimed infection is real.
The following table lists the 20 most common types of malware in our CERT.at reports (as of Nov 2017).
Count | Malware family name
93630 | sprotect
93145 | adware
74780 | zeus
72570 | genieo
64856 | crossrider
59932 | pirrit
58330 | botnet
52406 | nivdort
43014 | conficker_b
24307 | conficker
18852 | necurs
15619 | ramnit
15564 | mobidash
12255 | virut
8023 | androidbauts
6293 | sality
5792 | zeroaccess
5259 | 4shared
5181 | pushdo
4694 | multiplug
The Count column denotes the number of occurrences in our database for the interval Jan 2017 to end of Oct 2017. Please also note that there is no common schema for malware family names, so the names are listed as we received them from the respective feeds. As a consequence, some entries (e.g. "adware", "botnet") are generic categories rather than individual families, and the same family may appear under more than one name (e.g. "conficker" and "conficker_b").
Checks
There is no gold standard for checking whether a machine is infected, since each type of malware may use different techniques. However, there are a couple of general principles which we can recommend:
- Boot the PC from a known-good read-only medium (such as a CD-ROM, DVD, ...) which contains a set of antivirus (AV) tools, so that any malware on the installed system is not running while you inspect it.
- Run these tools to scan the suspected PC.
- Look out for other tell-tale signs of infection: suspicious network traffic (e.g. connections matching the indicators in the report), binaries whose hashes do not match the known-good versions, unexpected autostart entries, etc.
- In some cases, re-installation from a known-good software release may be the only remaining option.
- In some (as of the time of this writing) rather rare cases, hardware implants (or rogue BIOS / firmware updates) might exist. These are nearly undetectable for non-specialists and survive a re-installation of the operating system.
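As an added illustration of the "hashes of binaries" check above (example code, not part of CERT.at's page or tooling), the following Python script records a manifest of SHA-256 hashes while a system is known to be clean and later compares the same directory tree against it, reporting binaries that were replaced, added or removed. The file names and contents in the demo are constructed stand-ins, and the mount path in the comments is an assumption; in practice you would run it from the known-good boot medium against the mounted suspect filesystem.

```python
"""Baseline-and-compare hash check for binaries on a suspect machine.

Added example, not CERT.at code.  Assumption: a manifest of known-good
SHA-256 hashes was recorded while the machine was clean (or taken from
the vendor's package database).  Run it from a known-good boot medium
against the mounted suspect filesystem, so the suspect OS (and any
rootkit in it) is not running while the files are read.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read files in 1 MiB pieces so large binaries fit in memory


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Hash every regular file below root, keyed by path relative to root."""
    manifest: dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        # Skip symlinks: their targets are hashed where they really live.
        if p.is_file() and not p.is_symlink():
            manifest[str(p.relative_to(root))] = sha256_file(p)
    return manifest


def compare(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current tree under root against a known-good manifest.

    modified: present in both but the hash changed (replaced binary)
    unknown:  present now but not in the manifest (dropped file)
    missing:  in the manifest but gone (deleted file)
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k, v in manifest.items()
                           if k in current and current[k] != v),
        "unknown": sorted(k for k in current if k not in manifest),
        "missing": sorted(k for k in manifest if k not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a clean tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "bin"
        root.mkdir()
        (root / "ls").write_bytes(b"\x7fELF clean ls")  # constructed stand-ins
        (root / "ps").write_bytes(b"\x7fELF clean ps")  # for real binaries
        manifest = build_manifest(root)                 # taken while clean
        # Later, an infection replaces ps (to hide its process) and drops a file.
        (root / "ps").write_bytes(b"\x7fELF trojaned ps")
        (root / ".svchost").write_bytes(b"\x7fELF dropper")
        return compare(root, manifest)


if __name__ == "__main__":
    # Real use (assumed mount point): on the clean system save
    # json.dump(build_manifest(Path("/usr/bin")), f); later, from the rescue
    # medium, run compare(Path("/mnt/suspect/usr/bin"), json.load(f)).
    print(json.dumps(demo(), indent=2))
```

The demo reports "ps" as modified and ".svchost" as unknown. Note that a manifest only tells you what changed since it was taken; it does not prove the baseline itself was clean, which is why a manifest from the vendor's package database is preferable to one recorded on the machine after the fact.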
Note well
CERT.at will only report a suspected malware infection based on the reports which we receive. We do not check these reports thoroughly; rather, we pass these reports of indicators of compromise (IoCs) as-is to our constituency as quickly as possible, so that you can inspect the IoCs directly. Hence we can give no guarantees for the correctness of the IoCs. We welcome feedback in any case, however.
Solution
Restore the PC or device to a known-clean state; re-installation from a known-good software release is the most reliable way to achieve this. Since credential-stealing families such as zeus are among the most common in our reports, also change any passwords that were used on the machine while it was infected.