The emergence of Email-Worm.Win32.Hlux was arguably the main event in January. This new mail worm spreads via emails containing malicious links that prompt users to install a fake Flash Player, purportedly to view an e-card. The link leads to a dialog window that asks if the user agrees to download a file. Regardless of the response, the worm attempts to penetrate the system. In addition to propagating via email, Hlux also has bot functionality and adds infected computers to a botnet before connecting to its command center and executing its commands, which are primarily directed at sending pharmaceutical spam.

Cybercriminals often exploit the popularity of an online service or product. In January, a web page was detected that offered users the chance to install an updated version of Microsoft Internet Explorer and to activate it by sending an SMS to a premium-rate number. These fraudulent web pages are detected as Hoax.HTML.Fraud.e, and appear in 17th place in the Top 20 most malicious programs on the Internet. The popularity of Kaspersky Lab products has not escaped the notice of cybercriminals either. January’s Top 20 most popular programs detected on users’ computers included two potentially unwanted programs (PUPs) belonging to the Kiser family – in 9th and 11th places – that allow some Kaspersky Lab products to be used without being activated.

In the first half of the month, the experts at Kaspersky Lab also detected a Trojan dropper masquerading as a key generator for the company’s products. The old adage “There’s no such thing as a free lunch” is particularly fitting here as the dropper goes on to install and launch two malicious programs. One of them steals program registration data and passwords for online games. The second is a backdoor that also has keylogger functionality.

The company’s experts also witnessed the mass distribution of malicious short links on Twitter. After a number of redirects, the attention-grabbing links led users to a page promoting a rogue AV program.

Adware is still spreading fast. AdWare.Win32.WhiteSmoke.a at 12th place in the online malware rating adds the shortcut “Improve your PC” to a computer’s desktop without seeking the user’s permission first. If it is clicked, a program is downloaded that demands payment to rectify errors it supposedly detects on the system.

“Cyber fraud requires the participation of users. To prevent users falling victim to the various scams out there, it’s very important that they know about them,” the author of the report warns.

More detailed information about the IT threats detected by Kaspersky Lab on the Internet and on users’ computers in January 2011 is available at http://www.securelist.com

Related Posts

No related posts.

August saw a dramatic growth in malware targeting the CVE-2010-2568 vulnerability. It was first used by Worm.Win32.Stuxnet, a network worm which gained notoriety back in late July, and then again by Virus.Win32.Sality.ag, the Trojan-Dropper program that installs the latest variant of the Sality virus. Quite predictably, the cybercriminals homed in on this new security breach in the most popular version of Windows. However, on 2 August Microsoft released MS10-046, which patched the vulnerability. This update was labeled ‘Critical’, meaning that it should be installed on every susceptible computer as soon as possible.

The CVE-2010-2568 vulnerability occurs in Windows LNK and PIF shortcuts and the worms can spread via infected USB devices. Vulnerable computers become infected when users access USB-connected devices either automatically via the autorun function, or manually through Windows Explorer or another similar file management utility. A specifically created shortcut makes the Windows Shell download an external DLL, which then executes any code using the privileges of the user who has launched Explorer.

Three programs associated with CVE-2010-2568 appear in the ranking of malware most frequently blocked on users’ computers. Two of the exploits, known as Exploit.Win32.CVE-2010-2568.d (in 9th place) and Exploit.Win32.CVE-2010-2568.b (in 12th place) directly target the vulnerability, while Trojan-Dropper.Win32.Sality.r (in 17th place) uses this vulnerability for propagation purposes. It generates vulnerable LNK shortcuts with names designed to attract attention and spreads these across local area networks. The malware is launched when a user opens a folder containing one of these shortcuts.

Both of the exploits targeting CVE-2010-2568 that appear in the ranking are frequently found in Russia, India and Brazil; as is Trojan-Dropper.Win32.Sality.r. Curiously, India is also the primary source of the Stuxnet worm.

A full version of the August malware ranking from Kaspersky Lab is available at: www.securelist.com/en.

Related Posts

No related posts.

Kaspersky Lab announces the publication of its Monthly Malware Statistics for September 2010. The onset of autumn brought with it advances in the Sality virus and an increase in the number of adware programs on the web.

According to Kaspersky Lab statistics, a new variant of the notorious polymorphic Sality virus, dubbed ‘bh’, was found to be particularly widespread on users’ computers. A newcomer to the ranking, Sality.bh claimed eleventh position and spread with the help of Trojan-Dropper.Win32.Sality.cx which uses vulnerability in Windows LNK files. This is the first detected zero-day vulnerability to be used by the now infamous Stuxnet worm. This same vulnerability was exploited by Trojan-Dropper.Win32.Sality.r back in August. The geographical distribution of the droppers in question mirrors that of the Stuxnet worm, both of them appearing most prolifically in India, followed by Vietnam and then Russia.

“Cybercriminals are usually very quick to release exploits when new vulnerabilities are discovered. The fact that huge numbers of users fail to update their software on a regular basis only encourages them. The extensive media coverage afforded to Stuxnet has only served as an advertisement for the vulnerabilities used by various cybercriminal groups,” commented Vyacheslav Zakorzhevsky, Senior Virus Analyst and author of the review.

An advertising theme is also evident in the second ranking of web threats – for the first time the number of adware programs was equal to the number of exploits, which remain popular with cybercriminals. A total of seven AdWare.Win32 programs made it into this month’s Top Twenty ranking. These types of adware are more annoying than harmful. Their main aim is to attract the attention of users with advertising banners that are integrated into conventional software. Although they are generally harmless, such programs do slow down the operating speed of a computer.

Something of a curiosity in September’s web-borne threat ranking is the newcomer Exploit.SWF.Agent.du which is a Flash file. Until now, it’s been relatively rare to see vulnerabilities in Flash technology being exploited.

The full version of the September malware ranking from Kaspersky Lab is available at: www.securelist.com/en.

Related Posts

No related posts.

August saw a dramatic growth in malware targeting the Windows CVE-2010-2568 vulnerability according to Kaspersky Lab, who has just announced the publication of its Monthly Malware Statistics for August 2010.

The vulnerability was first targeted by Worm.Win32.Stuxnet, a network worm which gained notoriety back in late July, and then again by Virus.Win32.Sality.ag, the Trojan-Dropper program that installs the latest variant of the Sality virus. However, Microsoft subsequently patched the vulnerability on 2 August with a ‘critical’ update for all users.

The CVE-2010-2568 vulnerability occurs in Windows LNK and PIF shortcuts and the worms can spread via infected USB devices. Vulnerable computers become infected when users access USB-connected devices. A specifically created shortcut makes the Windows Shell download an external DLL, which then executes any code using the privileges of the user who has launched Explorer.

Three programs associated with the vulnerability appear in Kaspersky Lab’s ranking of malware most frequently blocked on users’ computers. Two of the exploits, known as Exploit.Win32.CVE-2010-2568.d (in 9th place) and Exploit.Win32.CVE-2010-2568.b (in 12th place) directly target the vulnerability, while Trojan-Dropper.Win32.Sality.r (in 17th place) uses this vulnerability for propagation purposes. It generates vulnerable LNK shortcuts with names designed to attract attention and spreads these across local area networks. The malware is launched when a user opens a folder containing one of these shortcuts.

A full version of the August malware ranking from Kaspersky Lab is available at: www.securelist.com.

If you’d like to speak with David Emm, senior regional researcher at Kaspersky Lab UK, about the threats posed by malware and how those targeted can protect themselves, please contact the team at Berkeley PR on 0118 988 2992 or kasperskylab@berkeleypr.co.uk.

Related Posts

No related posts.

August saw a dramatic growth in malware targeting the CVE-2010-2568 vulnerability. It was first used by Worm.Win32.Stuxnet, a network worm which gained notoriety back in late July, and then again by Virus.Win32.Sality.ag, the Trojan-Dropper program that installs the latest variant of the Sality virus. Quite predictably, the cybercriminals homed in on this new security breach in the most popular version of Windows. However, on 2 August Microsoft released MS10-046, which patched the vulnerability. This update was labeled ‘Critical’, meaning that it should be installed on every susceptible computer as soon as possible.

The CVE-2010-2568 vulnerability occurs in Windows LNK and PIF shortcuts and the worms can spread via infected USB devices. Vulnerable computers become infected when users access USB-connected devices either automatically via the autorun function, or manually through Windows Explorer or another similar file management utility. A specifically created shortcut makes the Windows Shell download an external DLL, which then executes any code using the privileges of the user who has launched Explorer.

Three programs associated with CVE-2010-2568 appear in the ranking of malware most frequently blocked on users’ computers. Two of the exploits, known as Exploit.Win32.CVE-2010-2568.d (in 9th place) and Exploit.Win32.CVE-2010-2568.b (in 12th place) directly target the vulnerability, while Trojan-Dropper.Win32.Sality.r (in 17th place) uses this vulnerability for propagation purposes. It generates vulnerable LNK shortcuts with names designed to attract attention and spreads these across local area networks. The malware is launched when a user opens a folder containing one of these shortcuts.

Both of the exploits targeting CVE-2010-2568 that appear in the ranking are frequently found in Russia, India and Brazil; as is Trojan-Dropper.Win32.Sality.r. Curiously, India is also the primary source of the Stuxnet worm.

A full version of the August malware ranking from Kaspersky Lab is available at: www.securelist.com/en.

Related Posts

No related posts.

The first Top Twenty lists malicious programs, adware and potentially unwanted programs that were detected and neutralized when accessed for the first time, i.e. by the on-access scanner.

Position	Change in position	Name	Number of infected computers
1	0	Net-Worm.Win32.Kido.ir	332833
2	0	Virus.Win32.Sality.aa	211229
3	0	Net-Worm.Win32.Kido.ih	186685
4	0	Net-Worm.Win32.Kido.iq	181825
5	0	Worm.Win32.FlyStudio.cu	121027
6	0	Trojan-Downloader.Win32.VB.eql	68580
7	New	Trojan.Win32.AutoRun.abj	66331
8	1	Virus.Win32.Virut.ce	61003
9	1	Packed.Win32.Krap.l	55823
10	-2	Worm.Win32.AutoIt.tc	55065
11	4	Worm.Win32.Mabezat.b	49521
12	-5	Exploit.JS.Aurora.a	43776
13	New	Packed.Win32.Krap.as	40912
14	New	Trojan.Win32.AutoRun.aay	40754
15	3	Trojan-Dropper.Win32.Flystud.yo	40190
16	-4	Virus.Win32.Induc.a	38683
17	-4	not-a-virus:AdWare.Win32.RK.aw	38547
18	New	Trojan.Win32.AutoRun.abd	37037
19	-5	not-a-virus:AdWare.Win32.Boran.z	36996
20	0	not-a-virus:AdWare.Win32.FunWeb.q	34177

There was no major change in the first Top Twenty leader board in March.

Three variants to the Autorun Trojan are worthy of mention. As was the case a couple of months back, they are autorun.inf files that use removable devices to spread the notorious P2P-Worm, Win32.Palevo and Trojan-GameThief.Win32.Magania.

This month’s rating once again has an entry displaying ‘packed’ characteristics, and this time it’s called Packed.Win32.Krap.as and conceals a rogue antivirus program. Currently this is in thirteenth place. In recent months the cybercriminals have demonstrated a penchant for specially designed packers of executable files. New methods of packing and concealing the true function of popular malware are being developed all the time, which explains why new variants of families such as Krap appear in our Top Twenty virtually every month.

Malicious programs on the Internet

The second Top Twenty presents data generated by the web antivirus component, and reflects the online threat landscape. This ranking includes malicious programs detected on web pages and malware downloaded to victim machines from web pages.

Position	Change in position	Name	Number of attempted downloads
1	0	Trojan-Downloader.JS.Gumblar.x	178965
2	New	Exploit.JS.CVE-2010-0806.i	148721
3	-1	Trojan.JS.Redirector.l	126277
4	2	Trojan-Clicker.JS.Iframe.ea	102226
5	4	Exploit.JS.Aurora.a	88196
6	4	Trojan.JS.Agent.aui	80654
7	-3	not-a-virus:AdWare.Win32.Boran.z	75911
8	New	Trojan.HTML.Fraud.aj	68809
9	New	Packed.Win32.Krap.as	64329
10	New	Exploit.JS.CVE-2010-0806.b	50763
11	New	Trojan.JS.FakeUpdate.ab	49412
12	New	Trojan.HTML.Fraud.aq	48927
13	3	Packed.Win32.Krap.ai	47601
14	Return	Trojan-Downloader.JS.Twetti.a	46858
15	New	Exploit.JS.Pdfka.bub	45762
16	New	Trojan-Downloader.JS.Iframe.byo	44848
17	New	Trojan.JS.FakeUpdate.aa	42352
18	Return	not-a-virus:AdWare.Win32.Shopper.l	41888
19	New	Trojan-Clicker.HTML.IFrame.fh	38266
20	New	Packed.Win32.Krap.ao	36123

As usual, when it comes to rating malicious programs on the Internet, there was plenty to discuss.

Let’s start with the latest Internet Explorer vulnerability CVE-2010-0806. A rather detailed description of the problem led to the exploit for it becoming extremely widespread. Now only the laziest of cybercriminals haven’t hopped on the bandwagon and two variants are already in our second Top Twenty – Exploit.JS.CVE-2010-0806.i (in second place) and Exploit.JS.CVE-2010-0806.b (in tenth place).

The latest Gumblar epidemic is still in full swing. As well as the older version of this script Trojan-Downloader, which shows up as Gumblar.x and occupies first place, a new updated version has appeared which is detected as HEUR:Trojan-Downloader.Script.Generic.

The Aurora.a exploit, which we wrote about last month, is still being used extensively by cybercriminals and has risen from ninth to fifth place in our rating.

The rather curious Twetti.a downloader, which we wrote about back in December, reared its none-too-pleasant head again in March, coming in at fourteenth place after a two-month hiatus. As was the case with Gumblar, it appears the black hats took some time-out and then started using this piece of malware to infect large numbers of websites again.

It’s also no coincidence that Exploit.JS.Pdfka.bub finds itself in fifteenth place – this malicious PDF file is a component in drive-by attacks that use Twetti.a to get a foot in the door.

Our second rating also includes four new entries – Trojan.HTML.Fraud.aj, Trojan.JS.FakeUpdate.ab, Trojan.HTML.Fraud.aq and Trojan.JS.FakeUpdate.aa – that distribute fake antivirus solutions and ransomware.

Countries launching the most web-borne infections:

The overall picture remains pretty much unchanged: attacks on users are predominantly Internet-borne and make use of the vulnerabilities that regularly appear in some of the most popular software products. Fortunately, these vulnerabilities are quickly patched by the vendors, but still, too many users fail to install these patches in time. Malware is also increasingly taking advantage of user gullibility and naivety. The most common malware of this kind used by the cybercriminals in March included rogue antivirus solutions and ransomware.

Related Posts

No related posts.