Malware reports

Monthly Malware Statistics: October 2009

Table of Contents

Kaspersky Lab presents its monthly malware statistics for October. From this month onwards, the data used is gathered from all products which use the Kaspersky Security Network (KSN), i.e. products from both the 2009 and 2010 lines. As a result, the Top Twenties have changed somewhat, and the figures in both ratings this month are significantly higher, due to an increased numbers of users participating in KSN.

The first Top Twenty lists malicious programs, adware and potentially unwanted programs that were detected and neutralized when accessed for the first time, i.e. by the on-access scanner.

Position Change in position Name Number of infected computers
1   3 Net-Worm.Win32.Kido.ir   344745  
2   -1 Net-Worm.Win32.Kido.ih   126645  
3   0 not-a-virus:AdWare.Win32.Boran.z   114776  
4   -2 Virus.Win32.Sality.aa   87839  
5   6 Worm.Win32.FlyStudio.cu   70163  
6   -1 Trojan-Downloader.Win32.VB.eql   52012  
7   0 Virus.Win32.Induc.a   49251  
8   New Packed.Win32.Black.d   39666  
9   New Worm.Win32.AutoRun.awkp   35039  
10   -3 Virus.Win32.Virut.ce   33354  
11   Return Packed.Win32.Black.a   31530  
12   -1 Worm.Win32.AutoRun.dui   25370  
13   4 Trojan-Dropper.Win32.Flystud.yo   24038  
14   New Trojan-Dropper.Win32.Agent.bcyx   22471  
15   Return Packed.Win32.Klone.bj   21919  
16   Return Trojan.Win32.Swizzor.b   19496  
17   New Trojan-Downloader.WMA.GetCodec.s   18571  
18   -4 Worm.Win32.Mabezat.b   19708  
19   New Trojan-GameThief.Win32.Magania.cbrt   17610  
20   New Trojan-Dropper.Win32.Agent.ayqa   16909  

Net-Worm.Win32.Kido.ir, which made its first appearance last month, has replaced the traditional leader, Kido.ih. This demonstrates once again that infected removable media are a major source of infection.

Still on the subject of removable media, Autorun.dui, which appears regularly in the ratings, has been joined by a very similar program, Autorun.awkp, which entered in 9th place. These malicious programs, as the name suggests, automatically run malware on removable devices.

Packed.Win32.Black.a, Packed.Win32.Klone.bj and Trojan.Win32.Swizzor.b returned to the first Top Twenty this month. Moreover, Black.a has been joined by a new version – Black.d. To recap, the Packed.Win32.Black family includes programs that have been packed with unlicensed versions of legitimate utilities used to protect executable files. In this particular case the packer is ASProtect, a utility often used by cybercriminals.

Another new addition is the multimedia Trojan downloader program GetCodec.s. This Trojan is related to GetCodec.r which we wrote about in December of last year (https://securelist.com/monthly-malware-statistics-december-2008/36237/), and spreads with the help of P2P-Worm.Win32.Nugg, just as the previous variant did.

There has been a renewed surge of activity from the once notorious Magania family. In July, Trojan-GameThief.Win32.Magania.biht was among the top 20 most common malicious programs on the Internet. In October, a new version – Magania.cbrt – as well as Trojan-Dropper.Win32.Agent.ayqa, which is linked to Magania, were among the 20 malicious programs most often detected on users’ computers.

To summarize the first rating: malicious programs that spread via removable devices were again prevalent this month, and there was noticeable gaming Trojan activity (although this is has not yet reached significant levels).

The second Top Twenty presents data generated by the web antivirus component, and reflects the online threat landscape. This ranking includes malicious programs detected on web pages and malware downloaded to victim machines from web pages.

As usual the second rating has undergone some major changes since last month.

Position Change in position Name Number of attempted downloads
1   New Trojan-Downloader.JS.Gumblar.x   459779  
2   New Trojan-Downloader.JS.Gumblar.w   281057  
3   0 Trojan-Downloader.HTML.IFrame.sz   192063  
4   -3 not-a-virus:AdWare.Win32.Boran.z   171278  
5   -3 Trojan.JS.Redirector.l   157494  
6   -1 Trojan-Clicker.HTML.Agent.aq   118361  
7   New Trojan-Downloader.JS.Zapchast.m   112710  
8   Return Trojan.JS.Agent.aat   107132  
9   New Trojan-Downloader.JS.Small.oj   60425  
10   New Exploit.JS.Agent.apw   50939  
11   -7 Exploit.JS.Pdfka.ti   46303  
12   New Trojan.JS.Popupper.f   39204  
13   -1 Trojan-Downloader.JS.IstBar.bh   34944  
14   New Trojan.JS.Zapchast.an   30546  
15   -6 Trojan-Downloader.JS.LuckySploit.q   29105  
16   New Trojan-Downloader.JS.Agent.env   27405  
17   New Trojan-Dropper.Win32.Agent.ayqa   26994  
18   Return Trojan-Clicker.HTML.IFrame.mq   26057  
19   New Trojan-GameThief.Win32.Magania.bwsr   26032  
20   New Exploit.JS.Agent.anr   25517  

The top two positions have been claimed by new variants of Gumblar, a script Trojan-Downloader program. This program caused quite a stir at the end of May and went straight to the top of the ranking in June.

The new Gumblar variants use more sophisticated technologies than their predecessors to infect websites. Previously, legitimate web pages had code injected into them which would run a script located on a cybercriminal site without the user’s knowledge. Now, however, compromised sites contain links to malicious scripts placed on other legitimate, compromised sites: this makes analysis more difficult and neutralizing the malicious network more complex. The script itself is designed to exploit several vulnerabilities in Adobe Acrobat/Reader (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-5659, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2992, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0927), Adobe Flash Player (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0071), Microsoft Office (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2496) in order to download the main malicious program – Trojan-PSW.Win32.Kates.j. Some variants of the script contain the Trojan within their body; when the script is executed, it tries to download Kates.j to the victim machine and ensure it will be run automatically. The infections are designed to steal confidential data, including access details for websites which can then be used to infect additional sites.

The attack using Gumblar was carefully planned; however, a little careful work resulted in all the pieces of the puzzle falling into place and detection for all the malware involved being added to antivirus databases.

The technique of splitting a malicious script into several parts to hinder detection and analysis is becoming increasing popular. Around a quarter of the programs in this month’s Top Twenty have been designed in this way: Trojan-Downloader.JS.Zapchast.n, Trojan-Downloader.JS.Small.oj, Exploit.JS.Agent.apw, Trojan.JS.Zapchast.an, and Trojan-Downloader.JS.Agent.env.

Also making it into our second Top Twenty were Trojan-Dropper.Win32.Agent.ayqa (mentioned above) and yet another program designed to steal passwords to online games, Trojan-GameThief.Win32.Magania.bwsr.

In conclusion, this month has been characterized by the mass infection of legitimate websites with the Trojan-Downloader program Gumblar. The splitting of malicious scripts is also a marked trend.

Finally, below is a list of countries where the most attempts to infect via the web originated:

Monthly Malware Statistics: October 2009

Your email address will not be published. Required fields are marked *

 

Reports

How to catch a wild triangle

How Kaspersky researchers obtained all stages of the Operation Triangulation campaign targeting iPhones and iPads, including zero-day exploits, validators, TriangleDB implant and additional modules.

Subscribe to our weekly e-mails

The hottest research right in your inbox