Our next foray into malware droppers takes us to Brazil. The most common malware dropper there is explorer.exe (aggregating all versions). As we noted in earlier posts in this series, when you see explorer.exe as a dropper, it means users are actually double-clicking on a malicious file and getting infected that way - i.e., there is a clear-cut social engineering mechanism at play. Even when you account for version numbers, explorer.exe remains on top, with version 6.0.2900.5512 being the one that most commonly drops malware.
The next most common dropper in Brazil is called "Ev~NeN^e.eXe." This is a common malware name, and in this particular case it represents the W32.Sality virus, which is the threat we see most commonly in non-English speaking countries.
In terms of web browsers, their ordering as droppers is the exact opposite of what you typically see. In particular, Firefox is the most popular dropper among the browsers, followed by Chrome, and then Internet Explorer. When accounting for version numbers among browsers, Firefox version 3.6.23.0 drops the most malware. In contrast, at a global level, we typically see Internet Explorer, followed by Chrome, followed by Firefox. From what we can gather, none of these instances appears to be the result of an actual browser exploit. Rather, users seem to be unwittingly downloading and executing malicious files from the web.
The third most common dropper in Brazil is reader_sl.exe, which is associated with Adobe Reader - suggesting that many Brazilians are getting infected via PDF exploits and other PDF-related threat vectors (or even getting tricked into running non-authentic versions of Adobe Reader). Infections via PDF are a growing concern in general, since users often perceive a false sense of safety when it comes to opening documents. At the same time, however, PDF is a highly expressive language and the underlying reader is a complex piece of software. Users, therefore, have to continue to be cautious when downloading any content from the Internet - regardless of what risks they perceive that content as having.
On a related note, rounding out the top 5 droppers in Brazil is uTorrent.exe (version 2.2.1.25302), which represents a common BitTorrent application. The presence of this dropper suggests people are getting infected by downloading malicious torrents (perhaps under the guise of pirated software, movies and music). Infections via pirated content are quite common. Users often take unnecessary risks thinking they will get a free copy of a game, movie or song. In far too many of these cases they get an extra helping of malware on the side.