Malware reports

Monthly Malware Statistics, April 2011

The following statistics were compiled in April using data from computers running Kaspersky Lab products:

  • 221,305,841 network attacks blocked;
  • 73,211,764 attempted web-borne infections prevented;
  • 189,999,451 malicious programs detected and neutralized on users’ computers;
  • 86,630,158 heuristic verdicts registered.

DDoS attack on LiveJournal

The DDoS attack that targeted LiveJournal.com at the end of March continued into early April and was big news in Russia. The fact that we had been monitoring one of the botnets responsible for the attack meant we discovered quite a few details about the incident.

Initially, every computer in the botnet received commands to attack one or two links per day. On 4 April, however, the bots received a list of 36 links that included http://livejournal.com and http://livejournal.ru. The other links in the list led to popular pages in the Russian-language blogosphere. The pages in question were unavailable at various times on 30 March, 4 and 6 April. The attacks stopped after 6 April.

The botnet we monitored was based on the popular Optima bot which appeared for sale at the end of 2010. Several indicators suggest that the zombie network behind the DDoS attacks brought together tens of thousands of machines infected with Optima. Apart from DDoS attacks, the bot’s functionality includes downloading other executable files to infected computers and stealing passwords for a number of popular programs.

PDF exploits

Once again we have recorded a rise in the use of exploits that target vulnerabilities in Adobe products. One of these exploits – Exploit.JS.Pdfka.dmg – appeared in ninth position in the Top 20 malicious programs detected on the Internet. The number of users subjected to attacks by variations of Exploit.JS.Pdfka ran into the hundreds of thousands in April. The diagram below illustrates where the attacks were most prominent.

In April the Exploit.JS.Pdfka family was most prominent in Russia (1st place),
the USA (2nd) and Germany (3rd)

For the umpteenth time cybercriminals have used the tactic of placing a malicious script on a legitimate site that has been compromised. If someone using vulnerable software visits the compromised website, the script exploits the vulnerability almost instantly, downloading one or more malicious programs to the victim’s computer. In other words, this is a classic drive-by download attack.

In April, Adobe closed the latest series of vulnerabilities in its Adobe Reader and Adobe Acrobat products. The vulnerabilities were rated as ‘Critical’. We strongly recommend that all users update these applications if they have them installed on their computers. You can find patches for various versions of the products here: www.adobe.com/support/security/bulletins/apsb11-08.html.

Vulnerability MS11-020

April also saw Microsoft release 17 bulletins closing vulnerabilities in various Windows products. Among the 63 vulnerabilities addressed by Microsoft there is a patch for the critical MS11-020 loophole. The vulnerability was discovered in SMB Server. It allowed remote code execution if an attacker created a specially crafted SMB packet and sent the packet to a susceptible system. The vulnerability poses a serious risk – the discovery of similar vulnerabilities in the past has led to the appearance of worms such as Kido. Therefore, we strongly recommend that all users update their systems as quickly as possible.

SMS Trojans

SMS Trojans continued to spread rapidly in April, primarily in Russia. One of the ways SMS Trojans spread is via SMS spam and we received regular reports of this happening throughout the month.

There were similarities between several of the SMS spam mailings:

  • the messages were sent at approximately the same time (around 1 AM GMT)
  • the vast majority of the messages read as follows: “There’s an MMS for the subscriber <recipient’s telephone number>. See: http://******.do.am/имя_файла.jar
  • the malicious links used the file names YaZ.jar or 606.jar

Example of an SMS spam message

At the time the first SMS spam messages appeared, the files that the links led to were already detected by Kaspersky Lab as Trojan-SMS.J2ME.Smmer.f.

Another interesting detail is that the malicious sites that the links lead to appear to have been created using a free online website builder. The owner of the builder also offers hosting services which the criminals have used to host their malicious sites at the .do.am second level domain.

Coreflood botnet shut down

The anti-botnet campaign continues. Following the closure of the Rustock botnet, which we wrote about in last month’s report, the command centers of the huge Coreflood botnet were closed down. The majority of the 2 million zombie machines were located in the USA.

The closure was initiated by the US Department of Justice which received permission to seize control of the botnet. Commands were then sent to all the bots in the network to cease functioning.

This is not the first time that the authorities have intervened to neutralize a botnet. Rustock, for example, was shut down in a joint operation by Microsoft and US law enforcement agencies, while the Bredolab botnet was closed, and the alleged owners arrested, by Dutch police.

Let’s hope that this is not the last time we see state authorities intervening to help shut down botnets.

PlayStation Network hacked

At the end of April, Sony reported that their PlayStation Network (PSN) had been compromised. The corporation confirmed that all kinds of user data, including names, email and postal addresses, dates of birth, logins and passwords, had become available to an unknown attacker. Sony could not rule out that credit card data had not been taken, though there was no evidence to suggest it had.

Sony announced it was investigating the incident in cooperation with an unnamed company.

There are around 75 million accounts registered with PSN, making the incident the biggest ever personal data leak. At the time of writing there was still no information about when PSN would be back up and running.

If you are a PSN member we highly recommend keeping an eye on your credit card info for signs of fraud. We further recommend that any passwords used on the PSN network that may have been reused elsewhere get changed immediately. Additionally be alert for any email purporting to be from Sony or its affiliates requesting any personal information.

P.S. On 2 May, Sony issued a statement saying that as a result of the hacker attack the criminals had gained access to the personal data (names, addresses, emails, gender, birth dates, telephone numbers, logins and hashed passwords) not only of PSN gamers but also users of Sony Online Entertainment. The company also said that the hackers accessed an outdated database from 2007 which contained 12,700 credit and debit card numbers and expiration dates.

TOP 20 malicious programs on the Internet

Current rank Change in position Verdict Number of attacks*
1   2 AdWare.Win32.HotBar.dh   855838  
2   4 Trojan.JS.Popupper.aw   622035  
3   New AdWare.Win32.Zwangi.fip   356671  
4   New AdWare.Win32.Agent.uxx   300287  
5   New AdWare.Win32.Gaba.eng   254277  
6   New AdWare.Win32.FunWeb.jp   200347  
7   New AdWare.Win32.FunWeb.kd   170909  
8   New AdWare.Win32.Zwangi.fmz   161067  
9   New Exploit.JS.Pdfka.dmg   140543  
10   New Trojan.JS.Redirector.oy   138316  
11   New Trojan-Ransom.Win32.Digitala.bpk   133301  
12   0 Trojan.JS.Agent.uo   109770  
13   0 Trojan-Downloader.JS.Iframe.cdh   104438  
14   New AdWare.Win32.Gaba.enc   96553  
15   -11 Trojan.HTML.Iframe.dl   95299  
16   -14 Hoax.Win32.ArchSMS.pxm   94255  
17   New Trojan-Downloader.Win32.Zlob.aces   88092  
18   New Trojan-Ransom.JS.SMSer.hi   83885  
19   New Trojan.JS.Iframe.ku   77796  
20   New AdWare.Win32.FunWeb.jt   65895  

* Total number of unique incidents detected by web antivirus on users’ computers

TOP 20 malicious programs detected on users’ computers

Current rank Change in position Verdict Number of unique users*
1   0 Net-Worm.Win32.Kido.ir   428587  
2   1 Net-Worm.Win32.Kido.ih   176792  
3   -1 Virus.Win32.Sality.aa   176171  
4   Returned Virus.Win32.Virut.ce   130140  
5   0 Virus.Win32.Sality.bh   121389  
6   3 Trojan.Win32.Starter.yy   113815  
7   -3 Hoax.Win32.ArchSMS.pxm   86908  
8   -2 HackTool.Win32.Kiser.zv   80900  
9   5 Trojan-Downloader.Win32.Geral.cnh   79573  
10   2 HackTool.Win32.Kiser.il   78526  
11   -4 Hoax.Win32.Screensaver.b   73664  
12   -1 Worm.Win32.FlyStudio.cu   71405  
13   -5 AdWare.Win32.HotBar.dh   68923  
14   -1 Trojan.JS.Agent.bhr   67435  
15   New AdWare.Win32.FunWeb.kd   62858  
16   New Virus.Win32.Sality.ag   55573  
17   1 Trojan-Downloader.Win32.VB.eql   53055  
18   1 Worm.Win32.Mabezat.b   52385  
19   -2 Trojan.Win32.AutoRun.azq   47865  
20   New Virus.Win32.Nimnul.a   47765  

* Number of unique computers where objects were detected

Monthly Malware Statistics, April 2011

Your email address will not be published. Required fields are marked *

 

Reports

How to catch a wild triangle

How Kaspersky researchers obtained all stages of the Operation Triangulation campaign targeting iPhones and iPads, including zero-day exploits, validators, TriangleDB implant and additional modules.

Subscribe to our weekly e-mails

The hottest research right in your inbox