Monthly Malware Statistics: August 2010

Contents

In August, there was a significant increase in exploits of the CVE-2010-2568 vulnerability. Worm.Win32.Stuxnet, which notoriously surfaced in late July, targets this vulnerability, as does the Trojan-Dropper program which installs the latest variant of the Sality virus - Virus.Win32.Sality.ag. Unsurprisingly, black hats lost no time in taking advantage of this latest vulnerability in the most commonly used version of Windows. However, on 2 August Microsoft released MS10-046 which provides a patch for the vulnerability. This update was rated 'Critical', meaning it should be installed as soon as possible on all computers running the vulnerable operating system.

Malicious programs detected on users' computers

The first Top Twenty ranking shown below lists malware, adware and potentially unwanted programs that were detected and neutralized by the on-access scanner when they were accessed for the first time.

 

Position Change in position Name Number of infected computers
1 0 Net-Worm.Win32.Kido.ir 280087
2 0 Virus.Win32.Sality.aa 172770
3 0 Net-Worm.Win32.Kido.ih 153825
4 0 Net-Worm.Win32.Kido.iq 107156
5 1 Trojan.JS.Agent.bhr 106796
6 -1 Exploit.JS.Agent.bab 90465
7 0 Worm.Win32.FlyStudio.cu 75394
8 0 Virus.Win32.Virut.ce 68010
9 new Exploit.Win32.CVE-2010-2568.d 52193
10 -1 Trojan-Downloader.Win32.VB.eql 48440
11 new P2P-Worm.Win32.Palevo.arxz 42145
12 new Exploit.Win32.CVE-2010-2568.b 40385
13 -3 Worm.Win32.Mabezat.b 38252
14 new Worm.Win32.VBNA.b 37461
15 new AdWare.WinLNK.Agent.a 37240
16 new Virus.Win32.Sality.ag 36144
17 new Trojan-Dropper.Win32.Sality.r 32352
18 new Trojan.Win32.Autoit.ci 31391
19 -8 Trojan-Dropper.Win32.Flystud.yo 29475
20 new Packed.Win32.Krap.ao 29309

 

As in July, the top half of the ranking remains virtually unchanged, with the exception of a few small changes.

Kido (aka Conficker) remains in first, third and fourth place, while the file infectors Virus.Win32.Virut.ce (eighth place) and Virus.Win32.Sality.aa (second place) have also held on to their positions. Trojan.JS.Agent.bhr (fifth place) and Exploit.JS.Agent.bab (sixth place) have also maintained their positions, merely swapping places.

The July rankings mentioned a new vulnerability in Windows LNK shortcuts, which was later dubbed CVE-2010-2568. As expected, cybercriminals started actively exploiting this vulnerability: the August rankings include three pieces of malware which are linked to CVE-2010-2568 in one way or another. Two of these - Exploit.Win32.CVE-2010-2568.d (ninth place) and Exploit.Win32.CVE-2010-2568.b (twelfth place) - directly exploit the vulnerability while the third, Trojan-Dropper.Win32.Sality.r (seventeenth place), uses it to propagate. It generates vulnerable LNK shortcuts with names designed to attract attention and spreads these across local networks. The malware is launched when a user opens a folder containing one of these shortcuts. The main function of Trojan-Dropper.Win32.Sality.r is to install the latest modification of Virus.Win32.Sality.ag (sixteenth place).

Trojan-Dropper.Win32.Sality.r code showing shortcut names created by the malware
Trojan-Dropper.Win32.Sality.r code showing shortcut names created by the malware

Curiously, both the exploits for CVE-2010-2568 which are included in the ranking are often found in Russia, India and Brazil. While India is the primary source of the Stuxnet worm (the first malicious program to target this vulnerability), it is not entirely clear what role Russia plays.

The geographical distribution of Trojan-Dropper.Win32.Sality.r matches that of the exploits.

Geographical distribution of Exploit.Win32.CVE-2010-2568.d
Geographical distribution of Exploit.Win32.CVE-2010-2568.d

Another newcomer to the ranking is a piece of adware - this time, AdWare.WinLNK.Agent.a (fifteenth place). This is a shortcut which, when launched, takes the user to a URL specified in an advertising link. The shortcut is installed by various adware programs.

Trojan.Win32.Autoit.ci, a new representative of the malware family which uses the AutoIt scripting language appeared on the ranking in August in eighteenth place. Other newcomers included a new modification of the Palevo P2P worm P2P-Worm.Win32.Palevo.arxz (eleventh place). Both malware families have been covered in previous reports, and they have wide-ranging payloads, including autorun functions, the ability to download and launch other malicious programs, and to spread over local networks.

The ranking also features two malicious packers: Packed.Win32.Krap.ao (twentieth place) makes its first appearance, whereas Worm.Win32.VBNA.b (fourteenth place) featured in the June rankings. Both programs are used to protect malware from being detected by security software, and can be used to pack virtually any malicious programs, from rogue antivirus software to complex backdoors, such as Backdoor.Win32.Blakken.

Malicious programs on the Internet

The second Top Twenty list below shows data generated by the web antivirus component and reflects the online threat landscape. This table includes malware and potentially unwanted programs which are detected on web pages or downloaded to victim machines from web pages.

 

Position Change in position Name Number of attempted downloads
1 new Trojan-Downloader.Java.Agent.ft 135755
2 -1 Exploit.JS.Agent.bab 127561
3 9 Exploit.HTML.CVE-2010-1885.a 85502
4 2 Trojan.JS.Agent.bhr 67061
5 4 AdWare.Win32.FunWeb.ds 60129
6 new Exploit.HTML.CVE-2010-1885.c 57988
7 new AdWare.Win32.FunWeb.di 50928
8 -4 AdWare.Win32.FunWeb.q 50504
9 new Exploit.HTML.HCP.b 46874
10 -6 Exploit.Java.CVE-2010-0886.a 45844
11 -5 Trojan-Downloader.VBS.Agent.zs 37578
12 8 Trojan.JS.Redirector.cq 37479
13 new Trojan-Clicker.JS.Iframe.fq 35181
14 5 AdWare.Win32.FunWeb.ci 33073
15 new Exploit.Java.CVE-2010-0094.a 30062
16 new Exploit.JS.Pdfka.cop 29588
17 new Exploit.HTML.CVE-2010-1885.d 28396
18 new Exploit.JS.CVE-2010-0806.b 26990
19 new AdWare.Win32.FunWeb.fb 26350
20 new Exploit.HTML.CVE-2010-1885.b 25820

 

Compared to recent months, there are relatively few (ten in all) newcomers to the August rankings. All of these are new modifications of exploits which target already known vulnerabilities. Overall, this month's rankings include twelve exploits which target six different vulnerabilities.

This month, cybercriminals focused their efforts on exploiting CVE-2010-1885. Five exploits listed in the ranking target this vulnerability: Exploit.HTML.CVE-2010-1885.a (third place), Exploit.HTML.CVE-2010-1885.c (sixth place), Exploit.HTML.HCP.b (ninth place), Exploit.HTML.CVE-2010-1885.d (seventeenth place) and Exploit.HTML.CVE-2010-1885.b (twentieth place). In contrast, the July rankings only listed one such exploit. CVE-2010-1885 is associated with a error in Windows Help and Support Center which makes it possible to run malicious code on systems running Windows XP and Windows 2003. It seems likely that the popularity of these two operating system versions led to the increasing number of exploits.

CVE-2010-0806 has been almost as widely exploited as CVE-20100-1885; the ranking include three different exploits which target this vulnerability. Two of them are scripts which have been covered in previous reports: namely Exploit.JS.Agent.bab (second place) and Trojan.JS.Agent.bhr (fourth place). The latest addition is Exploit.JS.CVE-2010-0806.b (eighteenth place).

Three more exploits in of the rankings target vulnerabilities in software using a Java engine. First place is taken by Trojan-Downloader.Java.Agent.ft which exploits CVE-2009-3867 - this vulnerability is quite old and was covered in the May report. Exploit.Java.CVE-2010-0886.a (tenth place), which exploits CVE-2010-0886 has stayed in the rankings since last month. Interestingly, CVE-2010-0094 was detected back in early April 2010, and the first exploit emerged this August. Exploit.Java.CVE-2010-0094.a (fifteenth place) successively calls a number of functions which ultimately lead to the execution of malicious code.

Fragment of Exploit.Java.CVE-2010-0094.a which exploits the vulnerability
Fragment of Exploit.Java.CVE-2010-0094.a which exploits the vulnerability

In August, this exploit was only used by cybercriminals in developed countries - the USA, Germany, and the UK. This may be related to the fact that programs using Java are popular in these countries.

top20_aug2010_pic02
Geographical distribution of Exploit.Java.CVE-2010-0094.a

Exploit.JS.Pdfka.cop in sixteenth place is another exploit, this time a fairly standard one; it relies on using the peculiarities of PDF documents to execute malicious code.

Trojan-Clicker.JS.Iframe.fq (thirteenth place) is a new addition, and falls into the category of malicious scripts which redirect victim browsers to a malicious link using the HTML tag "". Two more malicious scripts are Trojan-Downloader.VBS.Agent.zs (eleventh place) and Trojan.JS.Redirector.cq (twelfth place); both were discussed in last month's review.

Adware is as popular as ever. AdWare.Win32.FunWeb has superseded Shopper.l and Boran.z which were its competitors in July. Five representatives of the FunWeb family were present in the August rating. Three of those modifications ("ds", "ci", "q", occupying fifth, fourteenth, and eighth places respectively) were in the July rankings, while "fb" and "di" (nineteenth and seventh places) made it to the rankings for the first time in August.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *