The first Top Twenty lists malicious programs, adware and potentially unwanted programs that were detected and neutralized when accessed for the first time, i.e. by the on-access scanner.

Position	Change in position	Name	Number of infected computers
1	0	Net-Worm.Win32.Kido.ir	274729
2	1	Virus.Win32.Sality.aa	179218
3	1	Net-Worm.Win32.Kido.ih	163467
4	-2	Net-Worm.Win32.Kido.iq	121130
5	0	Worm.Win32.FlyStudio.cu	85345
6	3	Trojan-Downloader.Win32.VB.eql	56998
7	New	Exploit.JS.Aurora.a	49090
8	9	Worm.Win32.AutoIt.tc	48418
9	1	Virus.Win32.Virut.ce	47842
10	4	Packed.Win32.Krap.l	47375
11	-3	Trojan-Downloader.WMA.GetCodec.s	43295
12	0	Virus.Win32.Induc.a	40257
13	New	not-a-virus:AdWare.Win32.RK.aw	39608
14	-3	not-a-virus:AdWare.Win32.Boran.z	39404
15	1	Worm.Win32.Mabezat.b	38905
16	New	Trojan.JS.Agent.bau	34842
17	3	Packed.Win32.Black.a	32439
18	1	Trojan-Dropper.Win32.Flystud.yo	32268
19	Return	Worm.Win32.AutoRun.dui	32077
20	New	not-a-virus:AdWare.Win32.FunWeb.q	30942

There was no change to the top 5 malicious programs this month and judging by the number of infections, the Kido epidemic has eased off slightly.

Exploit.JS.Aurora.a, which, as its name suggests, is a program designed to take advantage of vulnerabilities in a variety of software products. This exploit was widely used in February and consequently entered in the ratings in seventh place. Further details are given in the section “Malicious programs on the Internet”.

Other newcomers in February included two adware programs.
FunWeb.q in 20th place is a perfect example of an adware program. It’s a toolbar for popular browsers and provides users with easy access to resources on some websites (usually those with multimedia content). It also modifies the pages visited so that these pages display adverts.

The case of not-a-virus: AdWare.Win32.RK.aw (in thirteenth place) is rather more complex. This RelevantKnowledge application spreads and is installed along with other software products. The company’s privacy policy and ULA states that the program tracks virtually all user activity, particularly Internet activity, automatically collecting personal information and saving it to the company’s servers. It also says that all the data collected is used exclusively to “help shape the future of the Internet” and that the data is well secured. Whether this is true or not is up to the individual to decide.

Malicious programs on the Internet

The second Top Twenty presents data generated by the web antivirus component, and reflects the online threat landscape. This ranking includes malicious programs detected on web pages and malware downloaded to victim machines from web pages.

Position	Change in position	Name	Number of attempted downloads
1	Return	Trojan-Downloader.JS.Gumblar.x	453985
2	-1	Trojan.JS.Redirector.l	346637
3	New	Trojan-Downloader.JS.Pegel.b	198348
4	3	not-a-virus:AdWare.Win32.Boran.z	80185
5	-2	Trojan-Downloader.JS.Zapchast.m	80121
6	New	Trojan-Clicker.JS.Iframe.ea	77067
7	New	Trojan.JS.Popupper.ap	77015
8	3	Trojan.JS.Popupper.t	64506
9	New	Exploit.JS.Aurora.a	54102
10	New	Trojan.JS.Agent.aui	53415
11	New	Trojan-Downloader.JS.Pegel.l	51019
12	New	Trojan-Downloader.Java.Agent.an	47765
13	New	Trojan-Clicker.JS.Agent.ma	45525
14	New	Trojan-Downloader.Java.Agent.ab	42830
15	New	Trojan-Downloader.JS.Pegel.f	41526
16	Return	Packed.Win32.Krap.ai	38567
17	New	Trojan-Downloader.Win32.Lipler.axkd	38466
18	New	Exploit.JS.Agent.awd	35024
19	New	Trojan-Downloader.JS.Pegel.k	34665
20	New	Packed.Win32.Krap.an	33538

The state of affairs regarding malware on the Internet in February was quite remarkable, which is reflected in our second rating.

First of all, there was a dramatic surge in Gumblar.x, which has once again regained top spot after virtually disappearing completely in January. Last month, we suggested there might be another Gumblar attack and it didn’t take long to materialize. However, this time the black hats haven’t changed their approach in any significant way; they’ve simply been gathering new data that can be used to access websites prior to infecting them en masse. We’ll be keeping track of any further developments.

Secondly, the Pegel epidemic that started in January grew almost six-fold – there are four representatives of this family among the new entries, one of which made it straight to third place. This is a downloader program and in some ways it’s not unlike Gumblar, in that it also infects perfectly legitimate websites. A user that visits an infected site is redirected by the malicious script to a cybercriminal resource. To ensure users don’t suspect anything, the names of popular websites are used in the addresses of malicious pages, for example:

These links lead to pages containing another script which uses a number of different methods to download the main executable file. The methods used are mostly traditional – exploiting vulnerabilities in major software products such as Internet Explorer (CVE-2006-0003) and Adobe Reader (CVE-2007-5659, CVE-2009-0927 as well as downloading via a special Java applet. The main executable file is the now familiar Backdoor.Win32.Bredolab, packed using various malicious packers (several of which are detected as Packed.Win32.Krap.ar and Packed.Win32.Krap.ao). We have already written in some detail about this malware but it’s worth mentioning again that in addition to its main payload – remote management of infected machines – it can also download other malicious files.

And now back to Exploit.JS.Aurora.a, which was mentioned above. At number nine in the second rating, Aurora.a is the exploit targeting the CVE-2010-0249 vulnerability. It was identified after a massive targeted attack on several versions of Internet Explorer in January.

The attack, which received wide coverage in the IT media, targeted major organizations (including Google and Adobe) and was named Aurora after part of the file path name used in one of the main executable files. The attack was designed to gain access to personal data and corporate intellectual property such as project source code. The attack was carried out using emails with links to malicious sites; these sites contained exploits which resulted in the main executable file being stealthily downloaded to victim machines.

Remarkably, the programmers at Microsoft had been aware of this loophole for a number of months, but it was only patched a month after it began being exploited. It’s worth pointing out that in that time the source code of the exploit became publicly available and only the laziest cybercriminals failed to use it in their attacks: our collection already has more than a hundred malware variants that exploit this vulnerability.

The facts speak for themselves. Vulnerabilities in popular software continue to pose the main threat to users and their data. The fact that cybercriminals are still attempting to exploit vulnerabilities which were detected several years ago is evidence that these vulnerabilities still pose a security threat. Unfortunately, even updating software from major vendors on a regular basis does not guarantee security, as vendors may not always release patches promptly. It’s therefore important to exercise caution – particularly when surfing the Internet – and of course an up-to-date antivirus solution is a must!

Related Posts

No related posts.

The first Top Twenty lists malicious programs, adware and potentially unwanted programs that were detected and neutralized when accessed for the first time, i.e. by the on-access scanner.

Position	Change in position	Name	Number of infected computers
1	0	Net-Worm.Win32.Kido.ir	276021
2	0	Net-Worm.Win32.Kido.iq	197376
3	1	Virus.Win32.Sality.aa	169101
4	-1	Net-Worm.Win32.Kido.ih	164421
5	0	Worm.Win32.FlyStudio.cu	109898
6	21	Trojan-Downloader.JS.Zapchast.m	65476
7	21	Trojan-Downloader.JS.Small.oj	64767
8	1	Trojan-Downloader.WMA.GetCodec.s	63266
9	-1	Trojan-Downloader.Win32.VB.eql	61852
10	2	Virus.Win32.Virut.ce	51944
11	-4	not-a-virus:AdWare.Win32.Boran.z	51868
12	1	Virus.Win32.Induc.a	44432
13	New	Trojan.Win32.AutoRun.sj	39530
14	New	Packed.Win32.Krap.l	38944
15	New	Trojan.Win32.AutoRun.sl	38742
16	1	Worm.Win32.Mabezat.b	37365
17	New	Worm.Win32.AutoIt.tc	36162
18	New	Trojan.Win32.AutoRun.ws	36149
19	-5	Trojan-Dropper.Win32.Flystud.yo	35883
20	-4	Packed.Win32.Black.a	35462

For the third month in a row the top five programs have led the rest of the rating by some distance.

January, however, did see seven new entries, which is unusual for the first Top Twenty. The two script downloaders that entered right behind the leading pack have already made an appearance in our second rating for web-borne malware, but this is the first time they have made it into this rating.

Among the newcomers are three modifications of Trojan.Win32.Autorun that help spread the notorious P2P-Worm.Win32.Palevo and Trojan-GameThief.Win32.Magania via removable devices.

AutoIt, which we have already discussed on a number of occasions, is gaining in popularity with two new malicious programs – Packed.Win32.Krap.l and Worm.Win32.AutoIt.tc – created using this script language.

Malicious programs on the Internet

The second Top Twenty presents data generated by the web antivirus component, and reflects the online threat landscape. This ranking includes malicious programs detected on web pages and malware downloaded to victim machines from web pages.

Position	Change in position	Name	Number of attempted downloads
1	1	Trojan.JS.Redirector.l	615521
2	3	Trojan-Clicker.JS.Iframe.db	299222
3	Return	Trojan-Downloader.JS.Zapchast.m	208056
4	New	Trojan.JS.Iframe.hw	166755
5	-1	Trojan-Downloader.HTML.IFrame.sz	138843
6	21	Trojan-Downloader.JS.Agent.ewo	116110
7	-1	not-a-virus:AdWare.Win32.Boran.z	99567
8	New	Trojan-Downloader.JS.Agent.exc	82147
9	Return	Trojan-Downloader.JS.Small.oj	77659
10	New	Exploit.Win32.Pidief.cvl	75687
11	New	Trojan.JS.Popupper.t	73028
12	2	Trojan-Downloader.JS.Shadraem.a	43592
13	New	Trojan-Clicker.JS.Iframe.dh	39441
14	New	Packed.JS.Agent.bp	39420
15	New	Trojan.JS.Fraud.s	38088
16	-9	Trojan.JS.Iframe.ez	36156
17	New	Trojan-Downloader.JS.Pegel.c	35977
18	New	Trojan.JS.Iframe.ef	34700
19	-2	Trojan-Downloader.JS.Twetti.a	32544
20	-9	Packed.Win32.Krap.ag	31148

The second rating remains a kaleidoscope of the latest cybercriminal creations.

New entries include Trojan.JS.Iframe.hw (4th place), Trojan-Downloader.JS.Agent.ewo (6th), and Trojan-Downloader.JS.Pegel.c (17th) – all of them similar script downloaders that redirect users to other malicious scripts which in turn exploit vulnerabilities in popular software products.

Trojan.JS.Fraud.s in 15th place detects web pages which are cloned from a template and used to spread rogue antivirus applications.

All the other new entries are various script downloaders that infect users’ computers with malicious programs.

It’s worth pointing out that the second Gumblar epidemic fizzled out fairly quickly. We’ll have to wait and see if there is to be a third.

Overall, there has been no major change to recent trends. Malware is actively spreading via removable media with the help of script downloaders, and for the most part exploiting vulnerabilities in popular software products.

Countries where most attempts to infect via the web originated:

Related Posts

No related posts.

The first Top Twenty lists malicious programs, adware and potentially unwanted programs that were detected and neutralized when accessed for the first time, i.e. by the on-access scanner.

Position	Change in position	Name	Number of infected computers
1	0	Net-Worm.Win32.Kido.ir	330305
2	New	Net-Worm.Win32.Kido.iq	174351
3	-1	Net-Worm.Win32.Kido.ih	145332
4	0	Virus.Win32.Sality.aa	128737
5	0	Worm.Win32.FlyStudio.cu	93848
6	-3	not-a-virus:AdWare.Win32.Boran.z	84825
7	-1	Trojan-Downloader.Win32.VB.eql	63287
8	9	Trojan-Downloader.WMA.GetCodec.s	48426
9	1	Virus.Win32.Virut.ce	47812
10	-3	Virus.Win32.Induc.a	46252
11	-2	Worm.Win32.AutoRun.awkp	36453
12	-4	Packed.Win32.Black.d	36422
13	-2	Packed.Win32.Black.a	35094
14	-1	Trojan-Dropper.Win32.Flystud.yo	34638
15	-3	Worm.Win32.AutoRun.dui	32493
16	-1	Packed.Win32.Klone.bj	31963
17	1	Worm.Win32.Mabezat.b	29804
18	New	Packed.Win32.Krap.ag	26041
19	New	Trojan-GameThief.Win32.Magania.ckqi	25529
20	New	Trojan.Win32.Genome.bjgu	24730

Overall, there was little change to the first rating, although there are a few points worth highlighting.

First of all, there is the new entry of Kido.iq that came straight in at 2nd place. This malicious program has very similar functionality to the leader, Kido.ir, which entered the ratings back in September.

Secondly, GetCodec.s rose 9 places overall, with the number of computers on which GetCodec was detected more than doubling in November. To recap, GetCodec.s spreads together with P2P-Worm.Win32.Nugg, just like GetCodec.r which we wrote about last December. It looks as though cybercriminals are making another attempt to spread P2P-Worm.Win32.Nugg via the Gnutella file sharing network Gnutella (and in this case, using the popular LimeWire application). This worm downloads other malicious programs, which act as an additional threat to users’ computers.

Another newcomer of note is Packed.Win32.Krap.ag. Just as other representatives of the Packed family do, Krap.ag detects a special packing program used to pack malicious programs. In this particular case, the malicious programs, which are concealed by a standard, but modified, packing program, are fake antivirus programs such as those we wrote about recently. In other words, 18th place in the rankings is effectively occupied by a rogue antivirus solution.

After returning to the ratings the Magania family of gaming Trojans has held on to 19th place, albeit with the new version Magania.ckqi replacing last month’s entry Magania.cbrt.

Malicious programs on the Internet

The second Top Twenty presents data generated by the web antivirus component, and reflects the online threat landscape. This ranking includes malicious programs detected on web pages and malware downloaded to victim machines from web pages.

Position	Change in position	Name	Number of attempted downloads
1	0	Trojan-Downloader.JS.Gumblar.x	1714509
2	1	Trojan-Downloader.HTML.IFrame.sz	189881
3	New	Trojan-Clicker.JS.Iframe.be	170319
4	0	not-a-virus:AdWare.Win32.Boran.z	136748
5	0	Trojan.JS.Redirector.l	130271
6	New	Trojan.JS.Ramif.a	115163
7	1	Trojan.JS.Agent.aat	55291
8	-2	Trojan-Clicker.HTML.Agent.aq	47873
9	New	Trojan.HTML.Fraud.r	47473
10	-8	Trojan-Downloader.JS.Gumblar.w	41977
11	New	Trojan.JS.Iframe.dy	35152
12	-5	Trojan-Downloader.JS.Zapchast.m	31161
13	New	Trojan-Downloader.JS.IstBar.cy	30806
14	New	Trojan-Clicker.JS.Iframe.u	30553
15	Return	Trojan-Downloader.JS.Psyme.gh	30078
16	New	Trojan-Downloader.HTML.FraudLoad.b	29466
17	New	Trojan-Clicker.HTML.IFrame.ajn	29455
18	New	Trojan.JS.PrygSkok.a	27804
19	New	Packed.Win32.Krap.ag	26770
20	-5	Trojan-Downloader.JS.LuckySploit.q	26175

Gumblar continues to dominate this rating with a huge gap separating it from the program in 2nd place. The number of unique attempts to download this malicious program increased nearly four times in November.

The latest Gumblar attack, which we described last month, continued unabated in November. Unlike the attack six months earlier this time all the components – the downloader, the exploits and the main executable file – were replaced or modified with alarming regularity.

Rogue antivirus programs also made it into the second rating. One method of spreading these programs is by downloading them to users’ machines from websites that are created using the same template and which are part of cybercriminal affiliate, or partner, programs. The web pages most commonly used to download fake antivirus solutions in November are detected by us as Trojan.HTML.Fraud.r and Trojan-Downloader.HTML.FraudLoad.b. Packed.Win32.Krap.ag, mentioned above, was also downloaded from these pages and this explains why it makes an appearance in the second Top 20 as well.

The other new entries (script downloaders which vary in sophistication and the degree of obfuscation used) follow recent trends.

November trends

The overall picture remained unchanged in November. At the moment, the most common strategy for spreading malware is to use a malicious script + exploit + executable file. More often than not, this is how malware designed to steal confidential data or extort money from users is spread. Such malware includes programs such as Trojan-PSW.Win32.Kates (the Gumblar attacks are primarily designed to download this malware); Trojan-Spy.Win32.Zbot, an extremely widespread Trojan that actively spreads using script downloaders and varied spam mass mailings; and numerous fake antivirus programs.

Another marked trend of recent months that continued in November was the use of websites created using standardized templates to spread rogue antivirus solutions.

Cybercriminals are also aggressively using packers (usually polymorphic) in the hope that this will help the packed malicious programs avoid detection, so they won’t have to make significant modifications to the malicious programs themselves.

This month malware was also distributed via P2P networks using multimedia downloader programs, a method that the cybercriminals made use of last December.

Countries where most attempts to infect via the web originated.

Related Posts

No related posts.

The first Top Twenty lists malicious programs, adware and potentially unwanted programs that were detected and neutralized when accessed for the first time, i.e. by the on-access scanner.

Position	Change in position	Name	Number of infected computers
1	0	Net-Worm.Win32.Kido.ir	265622
2	0	Net-Worm.Win32.Kido.iq	211101
3	0	Net-Worm.Win32.Kido.ih	145364
4	0	Virus.Win32.Sality.aa	143166
5	0	Worm.Win32.FlyStudio.cu	101743
6	New	not-a-virus:AdWare.Win32.GamezTar.a	63898
7	-1	not-a-virus:AdWare.Win32.Boran.z	61156
8	-1	Trojan-Downloader.Win32.VB.eql	61022
9	-1	Trojan-Downloader.WMA.GetCodec.s	56364
10	New	Trojan.Win32.Swizzor.c	54811
11	New	Trojan-GameThief.Win32.Magania.cpct	42676
12	-3	Virus.Win32.Virut.ce	45127
13	-3	Virus.Win32.Induc.a	37132
14	0	Trojan-Dropper.Win32.Flystud.yo	33614
15	3	Packed.Win32.Krap.ag	31544
16	-3	Packed.Win32.Black.a	31340
17	0	Worm.Win32.Mabezat.b	31020
18	-2	Packed.Win32.Klone.bj	28814
19	-7	Packed.Win32.Black.d	28560
20	-5	Worm.Win32.AutoRun.dui	28551

Traditionally, the first Top Twenty is relatively stable and December was no exception.
The appearance of three newcomers in sixth, tenth and eleventh places pushed a few other programs down the rankings. The exception was Packed.Win32.Krap.ag, which first entered the rankings last month, and which rose three places this month. Krap.ag, like other representatives of the Packed family, detects a packing program used to pack malicious programs – in this case, rogue antivirus programs. The figures for this malicious program increased slightly, which suggests that cybercriminals are continuing to actively use these programs to turn a profit.

GamezTar.a, which entered in sixth place, is a noteworthy December newcomer. This program is presented as being a toolbar for popular browsers which provides quick access to online games. Of course, it also displays irritating adverts. Additionally, it installs a number of applications that run independently of the toolbar and interfere in online activity, whether it’s searching or displaying content. The EULA (www.gameztar.com/terms.do) does cover all these functions, but the user’s attention is usually focused on the large flashing “click here, get free games” button rather than the almost invisible “terms of service” at the bottom of the screen. It’s highly recommended to read the EULA (if it exists) before downloading any software.

Tenth place is taken by Trojan.Win32.Swizzor.c, a relative of Swizzor.b, which made an appearance in the rankings in August , and Swizzor.a, which dates back to May. The people behind this deftly obfuscated code are not resting on their laurels and regularly create new variants. The actual function of this Trojan is very simple – it downloads other malicious files from the Internet.

Malicious programs on the Internet

The second Top Twenty presents data generated by the web antivirus component, and reflects the online threat landscape. This ranking includes malicious programs detected on web pages and malware downloaded to victim machines from web pages.

Position	Change in position	Name	Number of attempted downloads
1	0	Trojan-Downloader.JS.Gumblar.x	445881
2	3	Trojan.JS.Redirector.l	178902
3	New	not-a-virus:AdWare.Win32.GamezTar.a	165678
4	-2	Trojan-Downloader.HTML.IFrame.sz	134215
5	New	Trojan-Clicker.JS.Iframe.db	128093
6	-2	not-a-virus:AdWare.Win32.Boran.z	109256
7	New	Trojan.JS.Iframe.ez	91737
8	New	Trojan.JS.Zapchast.bn	64756
9	New	Packed.JS.Agent.bn	60361
10	New	Packed.Win32.Krap.ai	43042
11	8	Packed.Win32.Krap.ag	41731
12	New	Exploit.JS.Pdfka.asd	36044
13	New	Trojan.JS.Agent.axe	35309
14	New	Trojan-Downloader.JS.Shadraem.a	35187
15	Return	Trojan.JS.Popupper.f	33745
16	New	not-a-virus:AdWare.Win32.GamezTar.b	33266
17	New	Trojan-Downloader.JS.Twetti.a	30368
18	New	Trojan-Downloader.Win32.Lipler.iml	28634
19	New	Trojan-Downloader.JS.Kazmet.d	28374
20	New	Trojan.JS.Agent.axc	26198

The second Top Twenty has changed far more than the first, with only a quarter of the programs which featured last month remaining in the rankings. One malicious program re-entered the Top Twenty; however, the rest of the table underwent significant changes.

Gumblar.x remains the leader, but the sites infected with this malware are gradually being cleaned up by webmasters – the number of unique download attempts in December was around a quarter of those seen in November.

Krap.ag, which also figures in the first Top Twenty, moved up 8 places in this ranking. Attempted downloads of this program were up 50% on last month. Just above Krap.ag is Krap.ai, which also detects a dedicated packing program used to pack rogue antivirus programs.

GamezTar.a also makes an appearance in the second Top Twenty. This is unsurprising given the program’s connection to online games. Moreover, another modification of this malicious program – GamezTar.b – entered the rankings in sixteenth place.

In fifth place is Trojan-Clicker.JS.Iframe.db, a typical iframe-downloader with simple obfuscation.

Trojan.JS.Iframe.ez, Trojan.JS.Zapchast.bn, Packed.JS.Agent.bn, Trojan.JS.Agent.axe, Trojan-Downloader.JS.Shadraem.a, and Trojan-Downloader.JS.Kazmet.d are all scripts designed to exploit vulnerabilities in Adobe and Microsoft products in order to download executable files. These programs vary in terms of sophistication and the complexity of obfuscation employed.

Trojan-Downloader.JS.Twetti.a, in 17th place, is a very interesting example of cybercrime creativity. Lots of legitimate sites have been infected with this malware and it’s worth taking a closer look at how it works. Once decrypted, there is no trace of a link to the main executable file and no exploits or links to them! Analysis shows that the script uses an API (application programming interface) popular with both cybercriminals and Twitter.

The Trojan works in the following way: it creates a request to the API which results in data on so-called “trends” – i.e. the topics most discussed on Twitter. The data returned is then used to create an apparently random domain name, which the cybercriminals have registered in advance having used a similar method, and a redirect to this domain is created. The main part of the malware (whether it’s a PDF exploit or an executable file) will be placed on the domain. In other words, the malicious link and the redirect are created on the fly via an intermediary, which in this case happens to be Twitter.

It should be noted that both Packed.JS.Agent.bn and Trojan-Downloader.JS.Twetti.a use a specially crafted PDF file to infect users’ computers. This file is detected as Exploit.JS.Pdfka.asd and it also made it into the second Top Twenty, entering in twelfth place. We can therefore assume that at least three of December’s malicious programs were the handiwork of a single cybercriminal gang. Also a cause for concern is that fact that programs from the TDSS, Sinowal and Zbot families – some of the most dangerous threats currently in existence – were detected among the executable files downloaded to victim machines during drive-by attacks.

Overall, the trends remain the same. Attacks are becoming more sophisticated and more difficult to analyze. Their aim, in the vast majority of cases, is to make money in some way. Virtual threats are no longer purely virtual; they can cause real damage, and this is why is it vital to ensure that your computer and data are protected.

Related Posts

No related posts.