Malware by country: Location matters with beverages and malware

The main beverage served in a restaurant varies dramatically by location. In Casablanca, Morocco they are drinking strong mint tea. In Pilsen, Czech Republic, they have Pilsner beer. And in the USA, you will likely encounter cola beverage. But, you can probably find the exact same beverages on the menu at these three different locations – just like malware.

“What you get really depends on specific malware campaigns, local web security standards, and even individual behavior,” said Alexander Vukcevic, Director of Avira Protection Labs. “While there are trends and averages, there are no guarantees that you won’t encounter the same malware  – just distributed via a different cybercriminal group. You really have to be prepared for everything.”

Since malware is like going out to a restaurant at times, you might have many of the same questions: Why is my waiter so slow (cryptominers), why the meal was horrible – when it was perfect a week ago(HTML infections), and whether it is really important to change the oil in the car before heading out for a night on the town (CVE-2015-2426)? Most importantly, you would like to know how to have a great time out on the web regardless of your location.

The Malware Bar

Problem	Name	Activity	Defense
Why is my waiter so slow?	PUA/CryptoMiner.Gen (Germany)	Uses your device’s computing power to mine cryptocurrency.	Pay attention to PUA warnings from your security solution.
This place was great last time!	HTML/Infected.WebPage.Gen2 (USA)	Hidden in a trusted website, it injects a variety of malware into your device	Have a security solution which scans websites for infections
Why are there so many weird ads?	PUA/OpenCandy (UK)	Serves you an annoying stream of advertisements	Download apps carefully. Look out for PUAwarnings.
Lookin’ hot with bad intentions	TR/Dropper.Gen (Italy)	Often used in phishing attempts to bring in other malware.	Be careful opening suspect emails and their attachments.
Did you check the oil before dinner?	EXP/CVE-2015-2426 (France)	Take over unpatched devices through Windows vulnerability.	Keep your device updated. Make it easy, use a Software Updater.

Why is this taking so long?

PUA/CryptoMiner.Gen

Cryptomining has been booming all around the globe, fueled by the explosive growth in the market value of cryptocurrencies. It’s also a leading malware in Germany.

Creating cryptocurrency involves a process called “mining” where a computer’s computing power is used to solve complex mathematical equations. This depends on two expensive resources: electrical energy and hardware. Innovative hackers have realized that by surreptitiously incorporating cryptomining software into apps, they can do it all for free – and it’s easier to monetize their cryptocurrency gains than with traditional malware.

Users usually get infected by a CryptoMiner program while downloading and executing software from the internet or by visiting websites that secretly run cryptomining software in the background without their consent. As a Potentially Unwanted App, CryptoMiner does not directly harm the device, but will make it extremely slow at performing everyday tasks, and waste your limited time.

Lookin‘ gross in the corners

HTML/Infected.WebPage.Gen2 (USA)

HTML infections are like the façade of a swanky bar – might look great up front, but there are some dirty things hidden back there. Unlike a restaurant, you really can’t dive into your favorite website and check out if their WordPress is up to date and patched or if their host’s servers are clean.

Infected webpages are a major source of infections just for that reason. People trust that the infected pages are clean as they have been there many times before. So they try to bypass their security solution’s warnings – and they can then have some malware injected into their device.

The fight for a clean and secure website is a never ending cat-and-mouse struggle: Hackers endlessly search for vulnerable pages where they can inject their malicious code — .and system administrators on the hunt for vulnerabilities and signs of an attack. Perhaps it is just the size of the USA – or the greater number of businesses and individuals running their own web sites, but these infections are much more prevalent there then elsewhere.

Forget the show, just watch the ads

PUA/OpenCandy

PUA/OpenCandy is a traditional – and evolving – bit of PUA. It’s a PUA as that stands for Potentially Unwanted App – It’s quite sure you don’t want it, but security software can’t block it completely as it is not directly malicious. It will often try to sneak onto a device unannounced or hide under a false description in a in a bundle of other downloaded software. InstallCore was once known for taking over browsers’ search bars and slowing the device down to a crawl. In its latest incarnation, it distributes advertisements – lots of them.

The best defense is to be careful while downloading apps, particularly from off-market sources, and be careful read what you are agreeing to. A good security solution will warn you if you are downloading PUA or about to install them.

Well dressed with bad intentions

TR/Dropper.Gen Italy.

TR/Dropper.Gen is one of the best dressed malwares out there, often coming in the guise of an email from FedEx, PayPal, or the latest phishing campaign. As a dropper, it is designed to drop and execute a wide range of malicious code on your device. The malicious code can either be contained inside the dropper or downloaded on demand from the web whenever the dropper is executed. By downloading the bad stuff on demand, hackers are able to easily update or modify the malicious code to suit their needs. TR/Dropper.Gen code has been known to download and install other malware, record keystrokes, capture user names and passwords, hijack browsers, and give hackers remote access to your device.

Honey, did you change the oil?

EXP/CVE-2015-2426

The name CVE-2015-2426 looks as innocuous as the filing system for a library book – but this exploit packs quite a punch. The CVE stands for Common Vulnerabilities and Exposures – a standardized way of cataloguing computer vulnerabilities and the date – 2015 – shows that this has been around for four years. More popularly known as the “OpenType Font Driver Vulnerability,” this allows hackers with a specially crafted OpenType font to remotely execute code and take over a device. Unless the computer is up to date and patched, this exploit remains a possible attack vector across a wide range of Windows OS variants. That’s why it’s critical to keep your device updated and fully patched.