The headline figures are surprising. Worldwide, INF/Autorun malware and Conficker take first and third position respectively. “Somehow INF/Autorun is still top of the pops, in spite of Microsoft's neutering of the Autorun vector,” ESET senior research fellow David Harley told Infosecurity. “And even though the Conficker botnet is essentially dormant, there are enough residual infections for our telemetry to keep picking up their presence.”
While the eye might be drawn to the headlines, ESET’s researchers tend to look lower down. “The most interesting statistics aren't necessarily the big numbers (unless there's a sudden explosion of something),” said Harley. “Because the infected population is so large and our detections are usually very generic, they tend to change fairly slowly. Often the interesting stories are related to comparatively low and often localized infected populations.” He singled out “Dorifel/Quervar in the Netherlands”, indicating that a new analysis may be published by ESET later today, and “Stuxnet and its siblings in Iran and the Middle East.”
Neither of these outbreaks is sufficiently widespread to figure highly in global league tables, but both are of particular interest and concern to the researchers. Dorkbot may be an exception to these general principles. It figures high on the global tables (coming in fifth) but is both local to South America and of great interest. Called Ngrbot by its author, Dorkbot has rapidly become the weapon of choice for Latin American cybercriminals, spreading via removable media and social networks. ESET has detected numerous small botnets being used to steal home banking credentials, and will be presenting a paper on the subject at next month’s VB2012 conference in Dallas.