The following statistics were compiled in May using data from computers running Kaspersky Lab products:
- 242,663,383 network attacks blocked;
- 71,334,947 attempted web-borne infections prevented;
- 213,713,174 malicious programs detected and neutralized on users’ computers;
- 84,287,491 heuristic verdicts registered.
Rogue antivirus for Mac OS X
In 2010, we saw an overall decrease in the number of rogue antivirus incidents: after peaking in February and March (about 200,000 incidents per month), the rate at which they spread fell about fourfold by the end of 2010. This may seem strange, since spreading fake antivirus solutions is a virtual goldmine for cybercriminals. It is true that the number of rogue antivirus offerings has gone down, but those blackhats who continued to be involved in this activity focused on specific countries (the US, France, Germany, Spain) instead of distributing rogue antivirus software globally.
Geographical distribution of one rogue antivirus family (May 2011)
In May, the number of incidents involving attempts to infect computers with rogue antivirus software via the web was 109,218. However, the decrease in the amount of rogueware does not mean that this type of malware has ceased being developed. In May, Mac users were attacked by different fake antivirus programs, including Best Mac Antivirus and MAC Defender. The first attacks were detected on 02 May, when the web was full of headlines about Osama bin Laden’s death. Some of the Google search queries related to this event resulted in the following appearing in the browser window:
Although the fake scanner was in the Windows style, after pressing the Remove all button the user was prompted to download an MPKG installation file for Mac OS X (MAC Defender in this case). Those users who launched the installation package were prompted to enter the root password to proceed with the installation.
After the installation of MAC Defender was completed, the rogue antivirus program displayed its main window:
It is definitely worth noting the number of ‘signatures’ in the ‘antivirus database’ of MAC Defender: 184,230! I’d like to put this figure into context: there are currently hundreds of known malicious programs for Mac, but certainly not tens of thousands.
Upon ‘detecting’ several non-existent malicious programs on the computer, MAC Defender asks a pretty penny for ‘removing’ them: US$59 – 80, depending on ‘subscription’ type. After paying for using the fake software, the victim will receive a key for registering it. After entering the key the fake antivirus program will imitate the removal of non-existent threats, after which it will display a window with the message that the system is now clean and protected:
Cybercriminals turn their attention to Mac OS X every once in a while, creating and distributing various malware for that operating system. Notably, in most cases such attacks are exact replicas of attacks on Windows users.
Malware for Win64
The continuing growth in the number of 64-bit operating system installations has naturally caused more malware to be created for this platform. Virus writers continue to port existing malware to x64. Versions of the popular TDSS rootkit for Win64 were detected back in 2010. In May 2011, Brazilian cybercriminals, as well as the developers of the popular Trojan ZeroAccess, ‘caught up’.
Brazilian bankers
Over the past few years, Brazilian cybercriminals have mostly specialized in banking Trojans. In May, the first ‘banker’ rootkit for 64-bit operating systems appeared. We detect it as Rootkit.Win64.Banker.
The cybercriminals were after logins and passwords to online banking systems. In the course of an attack, attempts were made to redirect users to phishing pages imitating the web pages of several banks. This was achieved by modifying the HOSTS file using a rootkit that infected the system in a drive-by attack.
The cybercriminals hacked a Brazilian website and inserted a malicious Java applet that included, in addition to an exploit, two .SYS files having the same functionality – for Win32 and for Win64. The attackers used a fake certificate and the standard bcdedit.exe utility to launch drivers which did not have proper digital signatures. The bcdedit.exe utility was executed with parameters (“DISABLE_INTEGRITY_CHECKS”, “TESTSIGNING ON” and “type= kernel start= boot error= normal”) that ensured that the .SYS files were copied to the standard driver folder and registered as standard drivers during the next reboot.
After launching, the malicious drivers modified the HOSTS file, adding redirections to phishing websites (users were redirected when attempting to visit online banking pages).
ZeroAccess Trojan
Until recently, only a 32-bit version of the ZeroAccess Trojan was known. Now we have to deal with a 64-bit version, as well. An attack starts with a ZeroAccess downloader being installed on a computer via a drive-by download. After determining whether the system is 32-bit or 64-bit, the downloader downloads the appropriate version of the backdoor.
If a 64-bit operating system is installed on the computer, the Win64 version of the installer will be downloaded.
Code used to determine whether the system is 32-bit or 64-bit
Unlike its 32-bit ‘sibling’, the 64-bit version of the backdoor does not include a rootkit. It is set to autorun using the following registry key: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSession ManagerSubSystems. The malicious program is located in the system32 folder and is named consrv.dll.
An additional payload (e.g., substitution of search results, clicker) installed by the malware on the infected machine is also designed for the x64 platform.
Necurs
There was another incident that was both noteworthy and somewhat strange.
The Trojan downloader Trojan-Downloader.Win32.Necurs.a, which is distributed using the BlackHole exploit pack, includes two rootkit drivers (one for x32, the other for x64) which have the same functionality. The malicious program is installed using the same mechanism as that described above in the Brazilian bankers section. After installing in the operating system, the rootkit prevents drivers installed by anti-rootkit and antivirus programs from launching.
Here is the curious part: the Necurs Trojan downloader attempts to download rogue antivirus programs for Win32 to the computer, but one of the links leads to… Hoax.OSX.Defma.f – a rogue antivirus program for Mac OSX, which is described above. Even more curiously, the malware attempts to run it under Windows!
The emergence of completely new malware for x64 is due to the fact that more and more users prefer 64-bit operating systems. Clearly, the amount of malicious code for x64 will continue growing.
Sony – new hacks
The consequences of the Sony Playstation Network and Sony Online Entertainment sites being hacked in late April and early May, which resulted in the personal data of tens of millions of users being leaked, was not the only problem faced by the corporation in the past two months.
After it was announced on 17 May that the PSN had come back online, users were asked to change their account passwords. To change the password, a user had to enter and email address and birth date. In other words, they had to enter the data stolen during the hack. Cybercriminals who had access to the data could use it in place of the rightful account owners. Sony said that they realized there could potentially be problems, but no new incidents were reported in the course of recovering user accounts.
Sony’s Thai website was compromised on 20 May. As a result, a phishing page targeting Italian credit card users was substituted for the content of hdworld.sony.co.th.
However, this was not the end of the company’s nightmares. SonyMusic.gr was compromised on 22 May. As a result, information about registered users (user handle, real name and email address) became publicly available.
Two days later, on 24 May, several vulnerabilities were found on sony.co.jp. However, this time the database that was stolen did not include users’ personal data.
In our forecast for 2011, we said that many attacks would target any information that could be stolen. Unfortunately, the series of Sony hacks provides further confirmation that this forecast was correct. Today, the security of personal data is more relevant than ever before. Services like the PSN or iTunes try to collect as much personal data as possible. Unfortunate, laws regulating the use of such data are not always entirely clear and there is little users can do except stop using such services.
Clearly, the attacks on Sony were well-planned and thoroughly prepared. More such attacks on services similar to the PSN cannot be ruled out. This means that both the users of such services and the companies offering them should be on their guard.
Top 20 malicious programs on the Internet
Current rank | Change in position | Verdict | Number of attacks |
1 | 0 | AdWare.Win32.HotBar.dh | 783931 |
2 | 0 | Trojan.JS.Popupper.aw | 739998 |
3 | 4 | AdWare.Win32.FunWeb.kd | 472777 |
4 | New | Trojan-Downloader.JS.IstBar.cx | 364197 |
5 | 1 | AdWare.Win32.FunWeb.jp | 243612 |
6 | New | Trojan-Downloader.JS.Agent.fxq | 233868 |
7 | New | Exploit.HTML.CVE-2010-4452.h | 182151 |
8 | New | Trojan.JS.Agent.bun | 180370 |
9 | New | Trojan-Downloader.JS.Iframe.cew | 172075 |
10 | New | Exploit.JS.CVE-2010-1885.k | 150738 |
11 | 4 | Trojan.HTML.Iframe.dl | 135098 |
12 | New | Trojan-Downloader.HTML.JScript.l | 127424 |
13 | New | Trojan-Downloader.SWF.Agent.ec | 123600 |
14 | New | Exploit.Java.CVE-2010-4452.a | 118110 |
15 | -3 | Trojan.JS.Agent.uo | 112662 |
16 | New | Trojan-Downloader.JS.Agent.fww | 81024 |
17 | -4 | Trojan-Downloader.JS.Iframe.cdh | 80158 |
18 | New | Trojan-Downloader.JS.Agent.fyk | 73666 |
19 | New | Hoax.Win32.Screensaver.b | 72975 |
20 | New | Hoax.Win32.ArchSMS.huey | 71125 |
Top 20 malicious programs detected on users’ computers
Current rank | Change in position | Verdict | Number of unique users |
1 | 0 | Net-Worm.Win32.Kido.ir | 465397 |
2 | 1 | Virus.Win32.Sality.aa | 200381 |
3 | -1 | Net-Worm.Win32.Kido.ih | 183936 |
4 | New | AdWare.Win32.FunWeb.kd | 179700 |
5 | 1 | Trojan.Win32.Starter.yy | 158218 |
6 | -1 | Virus.Win32.Sality.bh | 147599 |
7 | 2 | Trojan-Downloader.Win32.Geral.cnh | 93831 |
8 | 8 | Virus.Win32.Sality.ag | 84662 |
9 | 1 | HackTool.Win32.Kiser.il | 83925 |
10 | New | Trojan-Downloader.Win32.FlyStudio.kx | 70375 |
11 | New | Exploit.Win32.CVE-2010-2568.d | 67924 |
12 | 8 | Virus.Win32.Nimnul.a | 67094 |
13 | -5 | HackTool.Win32.Kiser.zv | 64813 |
14 | -2 | Worm.Win32.FlyStudio.cu | 64593 |
15 | -8 | Hoax.Win32.ArchSMS.pxm | 64074 |
16 | 2 | Worm.Win32.Mabezat.b | 62011 |
17 | -6 | Hoax.Win32.Screensaver.b | 60218 |
18 | -4 | Trojan.JS.Agent.bhr | 59722 |
19 | -2 | Trojan-Downloader.Win32.VB.eql | 58577 |
20 | New | Trojan.Win32.AutoRun.bhs | 55422 |
Monthly Malware Statistics, May 2011