News

Nclose Achieves Websense Platinum Partner Status

Websense partners only reach Platinum status once they are able to implement and support the Websense suite of products to the high standards customers expect in today's fast-moving environment. Nclose has reached and exceeded these standards. This achievement firmly establishes Nclose as a premium IT security solutions provider in South Africa.

Monthly Malware Statistics: November 2009 (made possible by Kaspersky Labs)

Malicious programs detected on users’ computers

The first Top Twenty lists malicious programs, adware and potentially unwanted programs that were detected and neutralized when accessed for the first time, i.e. by the on-access scanner.

Position  Change  Name                                  Number of infected computers
1         0       Net-Worm.Win32.Kido.ir                330305
2         New     Net-Worm.Win32.Kido.iq                174351
3         -1      Net-Worm.Win32.Kido.ih                145332
4         0       Virus.Win32.Sality.aa                 128737
5         0       Worm.Win32.FlyStudio.cu               93848
6         -3      not-a-virus:AdWare.Win32.Boran.z      84825
7         -1      Trojan-Downloader.Win32.VB.eql        63287
8         9       Trojan-Downloader.WMA.GetCodec.s      48426
9         1       Virus.Win32.Virut.ce                  47812
10        -3      Virus.Win32.Induc.a                   46252
11        -2      Worm.Win32.AutoRun.awkp               36453
12        -4      Packed.Win32.Black.d                  36422
13        -2      Packed.Win32.Black.a                  35094
14        -1      Trojan-Dropper.Win32.Flystud.yo       34638
15        -3      Worm.Win32.AutoRun.dui                32493
16        -1      Packed.Win32.Klone.bj                 31963
17        1       Worm.Win32.Mabezat.b                  29804
18        New     Packed.Win32.Krap.ag                  26041
19        New     Trojan-GameThief.Win32.Magania.ckqi   25529
20        New     Trojan.Win32.Genome.bjgu              24730

Overall, there was little change to the first rating, although there are a few points worth highlighting.

First of all, there is the new entry of Kido.iq that came straight in at 2nd place. This malicious program has very similar functionality to the leader, Kido.ir, which entered the ratings back in September.

Secondly, GetCodec.s rose 9 places overall, with the number of computers on which GetCodec was detected more than doubling in November. To recap, GetCodec.s spreads together with P2P-Worm.Win32.Nugg, just like GetCodec.r, which we wrote about last December. It looks as though cybercriminals are making another attempt to spread P2P-Worm.Win32.Nugg via the Gnutella file-sharing network (in this case using the popular LimeWire application). This worm downloads other malicious programs, which pose an additional threat to users' computers.

Another newcomer of note is Packed.Win32.Krap.ag. Like other members of the Packed family, the Krap.ag detection identifies a particular packer used to pack malicious programs. In this case, the malicious programs concealed by this standard, but modified, packer are fake antivirus programs such as those we wrote about recently. In other words, 18th place in the rankings is effectively occupied by a rogue antivirus solution.

After returning to the ratings the Magania family of gaming Trojans has held on to 19th place, albeit with the new version Magania.ckqi replacing last month’s entry Magania.cbrt.

Malicious programs on the Internet

The second Top Twenty presents data generated by the web antivirus component, and reflects the online threat landscape. This ranking includes malicious programs detected on web pages and malware downloaded to victim machines from web pages.

Position  Change  Name                                  Number of attempted downloads
1         0       Trojan-Downloader.JS.Gumblar.x        1714509
2         1       Trojan-Downloader.HTML.IFrame.sz      189881
3         New     Trojan-Clicker.JS.Iframe.be           170319
4         0       not-a-virus:AdWare.Win32.Boran.z      136748
5         0       Trojan.JS.Redirector.l                130271
6         New     Trojan.JS.Ramif.a                     115163
7         1       Trojan.JS.Agent.aat                   55291
8         -2      Trojan-Clicker.HTML.Agent.aq          47873
9         New     Trojan.HTML.Fraud.r                   47473
10        -8      Trojan-Downloader.JS.Gumblar.w        41977
11        New     Trojan.JS.Iframe.dy                   35152
12        -5      Trojan-Downloader.JS.Zapchast.m       31161
13        New     Trojan-Downloader.JS.IstBar.cy        30806
14        New     Trojan-Clicker.JS.Iframe.u            30553
15        Return  Trojan-Downloader.JS.Psyme.gh         30078
16        New     Trojan-Downloader.HTML.FraudLoad.b    29466
17        New     Trojan-Clicker.HTML.IFrame.ajn        29455
18        New     Trojan.JS.PrygSkok.a                  27804
19        New     Packed.Win32.Krap.ag                  26770
20        -5      Trojan-Downloader.JS.LuckySploit.q    26175

Gumblar continues to dominate this rating, with a huge gap separating it from the program in 2nd place. The number of unique attempts to download this malicious program nearly quadrupled in November.

The latest Gumblar attack, which we described last month, continued unabated in November. Unlike the attack six months earlier this time all the components – the downloader, the exploits and the main executable file – were replaced or modified with alarming regularity.

Rogue antivirus programs also made it into the second rating. One method of spreading these programs is by downloading them to users’ machines from websites that are created using the same template and which are part of cybercriminal affiliate, or partner, programs. The web pages most commonly used to download fake antivirus solutions in November are detected by us as Trojan.HTML.Fraud.r and Trojan-Downloader.HTML.FraudLoad.b. Packed.Win32.Krap.ag, mentioned above, was also downloaded from these pages and this explains why it makes an appearance in the second Top 20 as well.

The other new entries (script downloaders which vary in sophistication and the degree of obfuscation used) follow recent trends.

November trends

The overall picture remained unchanged in November. At the moment, the most common strategy for spreading malware is to use a malicious script + exploit + executable file. More often than not, this is how malware designed to steal confidential data or extort money from users is spread. Such malware includes programs such as Trojan-PSW.Win32.Kates (the Gumblar attacks are primarily designed to download this malware); Trojan-Spy.Win32.Zbot, an extremely widespread Trojan that actively spreads using script downloaders and varied spam mass mailings; and numerous fake antivirus programs.

Another marked trend of recent months that continued in November was the use of websites created using standardized templates to spread rogue antivirus solutions.

Cybercriminals are also aggressively using packers (usually polymorphic) in the hope that this will help the packed malicious programs avoid detection, so they won't have to make significant modifications to the malicious programs themselves.

This month malware was also distributed via P2P networks using multimedia downloader programs, a method that the cybercriminals made use of last December.

Countries where most attempts to infect via the web originated.


Nclose begins its engagement with Websense Data Security

Identify, Protect, and Monitor for Data Loss Prevention
From a tarnished brand reputation and loss of customer confidence to penalties and fines from regulators, the adverse impacts of a data breach are clear. What isn't so clear is how to keep tabs on confidential data without it getting in the way of business.
Nclose now has a suite of solutions that can limit the loss of an organisation's intellectual property, with limited impact on the end user until a policy is triggered.
For a Websense Data Security datasheet click here, or for a DLP executive overview please click here.

Threat Webscape, July 2009

The latest video installment of the Websense Security Labs series "This Month in the Threat Webscape" is now available for viewing. The video presents a recap of the most pressing Web, email and data security threats from last month. The July 2009 report covers Zero Day threats, the Koobface worm, Twitter attacks, SEO poisoning and more.

http://www.youtube.com/watch?v=0RvGhgeg5mU&feature=player_embedded

Read a more detailed analysis of these topics in the Websense Security Labs blog at http://securitylabs.websense.com/content/blogs.aspx


Monthly Malware Statistics for July 2009 courtesy of Kaspersky Labs

This malware rating is compiled from data generated by the Kaspersky Security Network (KSN).

The first Top Twenty lists malicious programs, adware and potentially unwanted programs that were detected and neutralized when accessed for the first time, i.e. by using the on-access scanner. Using on-access statistics makes it possible to analyze the most recent, most dangerous and most widespread malicious programs that were blocked when launched on users' computers or when downloaded from the Internet.

Position  Change  Name                                  Number of infected computers
1         0       Net-Worm.Win32.Kido.ih                51126
2         0       Virus.Win32.Sality.aa                 24984
3         1       Trojan-Downloader.Win32.VB.eql        9472
4         2       Trojan.Win32.Autoit.ci                8250
5         0       Worm.Win32.AutoRun.dui                6514
6         1       Virus.Win32.Virut.ce                  5667
7         3       Virus.Win32.Sality.z                  5525
8         1       Net-Worm.Win32.Kido.jq                5496
9         -1      Worm.Win32.Mabezat.b                  4675
10        4       Net-Worm.Win32.Kido.ix                4055
11        -8      Trojan-Dropper.Win32.Flystud.ko       3764
12        5       Packed.Win32.Klone.bj                 3677
13        -1      Virus.Win32.Alman.b                   3571
14        1       Worm.Win32.AutoIt.i                   3524
15        -2      Packed.Win32.Black.a                  3472
16        -5      Trojan-Downloader.JS.LuckySploit.q    3335
17        1       Email-Worm.Win32.Brontok.q            3007
18        2       not-a-virus:AdWare.Win32.Shopper.v    2841
19        0       Worm.Win32.AutoRun.rxx                2798
20        New     IM-Worm.Win32.Sohanad.gen             2719

There were no significant changes to the first Top Twenty in July: Kido and Sality remain the runaway leaders.

However, the overall number of computers infected by the most common malicious programs has fallen slightly. This may have something to do with users spending less time in front of their PCs in midsummer, resulting in fewer machines becoming infected with malware.

Position  Change  Name                                  Number of infected web pages
1         0       Trojan-Downloader.JS.Gumblar.a        8538
2         2       Trojan-Clicker.HTML.IFrame.kr         7805
3         2       Trojan-Downloader.HTML.IFrame.sz      5213
4         -1      Trojan-Downloader.JS.LuckySploit.q    4719
5         New     Trojan-Downloader.HTML.FraudLoad.a    4626
6         0       Trojan-Downloader.JS.Major.c          3778
7         New     Trojan-GameThief.Win32.Magania.biht   2911
8         New     Trojan-Downloader.JS.ShellCode.i      2652
9         -1      Trojan-Clicker.HTML.IFrame.mq         2576
10        New     Exploit.JS.DirektShow.o               2476
11        -2      Trojan.JS.Agent.aat                   2402
12        New     Exploit.JS.DirektShow.j               2367
13        New     Exploit.HTML.CodeBaseExec             2266
14        0       Exploit.JS.Pdfka.gu                   2194
15        New     Trojan-Downloader.VBS.Psyme.ga        2007
16        New     Exploit.JS.DirektShow.a               1988
17        -10     Trojan-Downloader.Win32.Agent.cdam    1947
18        -5      Trojan-Downloader.JS.Agent.czm        1815
19        -17     Trojan-Downloader.JS.Iframe.ayt       1810
20        New     Trojan-Downloader.JS.Iframe.bew       1766

Everything is a lot more interesting in the second Top Twenty, which presents data generated by the web antivirus component and reflects the online threat landscape. This ranking includes malicious programs detected on web pages and malware which attempted to load from web pages. In other words, the second ranking answers two questions: “What malware most often infects web pages?” and “Which malicious programs are most often downloaded - with or without the user's knowledge - from malicious or infected pages?”

Looking at the rating, we can see three script exploits named DirektShow. We wrote about the Internet Explorer vulnerability this script exploits in early July (http://www.viruslist.com/en/weblog?weblogid=208187760). As Internet Explorer is the browser of choice for the majority of users, it's no surprise that this vulnerability was immediately heavily exploited by cybercriminals.

Recently there has been a tendency for cybercriminals to split malicious scripts into several parts – in the case of DirektShow, the main page with the exploit for the msvidctl vulnerability contains a link to another script that downloads shell code with its own malicious payload. Trojan-Downloader.JS.ShellCode.i, in eighth place in our rating, is the shell code most commonly used to exploit this vulnerability. This approach is straightforward and is particularly beneficial for the cybercriminal – the shell code script can be replaced at any time but the link to the main page remains the same. This set-up makes it more difficult to analyze and create detection for such malware, and where automated systems are used, it may be impossible.

In order to make spreading malware (specifically ransomware in the form of rogue antivirus applications) easier, the same web templates are used over and over again. Trojan-Downloader.HTML.FraudLoad.a, a new entry in July, is an example of this approach; this detection actually covers one of the stock templates. Such malware is becoming increasingly popular in the world of cybercrime. As a result, a huge number of websites are appearing which claim that the user's computer is infected and then download programs which are not only annoying but also often pose a real threat. In twentieth place in July's rating, Trojan-Downloader.JS.Iframe.bew is one such script used to download malicious programs from such sites.

The second Top Twenty provides an overview of the current online threats as well as the underlying trends. Firstly, cybercriminals are focusing on finding new vulnerabilities in the most popular software with the aim of exploiting them to achieve their goal: infecting computers with one or, more often than not, several malicious programs. Secondly, cybercriminals attempt to hide their activity so that it either passes unnoticed or seems to result in minimal damage to the infected machine.

All this makes surfing the Internet without a fully-patched operating system or an up-to-date antivirus solution tantamount to swimming in shark-infested waters – and this applies to even the most experienced users.

Countries where most attempts to infect computers via the web were recorded:

03 Aug 2009

Copyright © 2010 Nclose cc.