Malware reports

Information Security Threats in the Second Quarter of 2010

Table of Contents

The Quarter in Review

  • Over 540 million infection attempts were detected.
  • The majority of attacks targeted China (17.09%), Russia (11.36%), India (9.30%), the USA (5.96%) and Vietnam (5.44%)
  • 27% of all malicious programs detected on the Internet were malicious scripts injected into a range of sites by cybercriminals.
  • A total of 157,626,761 attacks were counteracted. These attacks stemmed from a range of Internet resources located in various countries.
  • The percentage of exploits in the total number of malicious programs increased by 0.7%, with 8,540,223 exploits being detected.
  • Exploits targeting vulnerabilities in Adobe programs continued to dominate, although the share decreased by 17% compared to Q1.
  • 33,765,504 unpatched vulnerabilities were identified on users’ computers.
  • 203,997,565 malicious programs were blocked and neutralized on users’ computers.



The majority of the biggest malware incidents that took place in the second quarter of 2010 were linked in some way to botnets. New bots were created and existing bots further developed, such as TDSS, an article on which has been published by our virus analysts, and Zbot (ZeuS), which we discuss below.


The evolution of the ZeuS (Zbot) Trojan, which is used to build botnets, is worth describing. A new modification of the malicious program was detected in late April. It included file virus functionality, which meant it could infect executable files. The malware writers decided to use relatively unsophisticated code and a similarly simple infection routine. Instead of the Trojan itself, a 512-byte-long fragment of code was added to .exe files, after which the infected file’s entry point was changed so that the appended code would be executed prior to the original code.

The injected code is designed to download the new versions of the Trojan to the infected computer if the main ZeuS component has been removed. The malware writers used computers in the US to test the new version of the Trojan. ZeuS primarily targets online banking accounts and as online banking is more evolved in the US than anywhere else, computers located in the US users are tasty morsels for cybercriminals. The ZeuS version that the injected piece of code loaded was detected by Kaspersky Lab products as Trojan-Spy.Win32.Zbot.gen and had been created specifically to steal accounts from customers of Bank of America, a major US bank.

Another notable innovation is that ZeuS is distributed using pdf files. An independent researcher has discovered that executable files embedded in pdf documents can be executed without having to exploit any vulnerabilities. The file is executed using the Launch function described in the pdf format specification. Just a few days after this information was published on March 29, people started to get emails with a specially crafted pdf document, which used the file launching method described above to infect computers with the ZeuS Trojan. In order for the computer to become part of a botnet, all the user needed to do was open the attachment.

TwitterNET Builder

In our previous quarterly reports we wrote about cybercriminals’ first attempts to control botnets via social networks. Those were only proof-of-concept efforts and we expected further developments. We did not have to wait long. A bot building utility called TwitterNET Builder appeared on the Web in May. The program builds a botnet using a Twitter account as a command and control center.

Since no programming skills are required to use the builder, it’s an ideal toy for script kiddies, who are able build a bot with only a couple of mouse clicks. Kaspersky Lab classifies this ‘toy’ as Backdoor.Win32.Twitbot. The resulting bot has the following features: it can be used to downloads and run files, conduct DDoS attacks and open websites specified by the bot’s owners. To receive commands, the bot searches for the relevant Twitter account, which is used by the bot master to publish commands in text form.

Fortunately, this bot never became widespread, because security researchers were tracking such tricks. A botnet with such primitive control system (the commands were sent unencrypted via a social network) is easy to detect and disconnect from the command and control center by closing the cybercriminal’s account. To the credit of the network’s security service, there were no such command centers on Twitter by the end of June.

Attacks via social networks

Social networks have become a popular means of exchanging information. Cybercriminals take advantage of this by increasingly using them for fraudulent attacks, to send spam and distribute malware. Below we focus on the most notable incidents that took place on social networks in the second quarter.

Malware distribution

Recently, we’ve seen links to social networks being actively distributed in spam messages. Eventually, social networks may, to a great extent, replace email in spreading malware.

One example is Brazil, where, until recently, banking Trojans were primarily spread by email. Brazilian cybercriminals must have realized that social networks are much more suitable for this purpose: since the start of Q2, social networks have seen significant amounts of spam targeting Brazilian bank customers.

Statistics confirm that social network spam is effective: in just one attack on Twitter, over 2,000 people followed the link sent by spammers within the space of an hour.

A notable iPhone-related story took place on Twitter. On May 19, the social network’s administration officially announced a new application, Twitter for iPhone. Cybercriminals decided to ride the wave of interest caused by the announcement. Less than an hour after the news was published, Twitter was flooded with messages that included the words “twitter iPhone application” and links leading to malware: Worm.Win32.VBNA.b.

This particular piece of malware is notable for several reasons. One is that this worm has relatively good self-protection: it uses anti-emulation tricks to disable some Windows system programs and spreads via USB devices. Another is that its principal function is to steal information required to conduct financial operations. The piece of news that was used to spread the worm wasn’t chosen at random: most smartphone owners have bank accounts and cards which are a prime target for cybercriminals. Therefore, it’s not surprising that about a third of all VBNA.b attacks (27-33%) targeted US computers, which are of greatest interest for cybercriminals.


Click fraud has always been a lucrative proposition for cybercriminals and it has became even more profitable with the advent of social networks, since the major social networks have as many users as the world’s largest countries.

A new type of attack appeared on Facebook in May in response to the introduction of the new Like feature. As can be easily guessed, the feature is associated with a list of the things that the owner of an account liked on the Internet. Thousands of users fell victim to an attack that was dubbed “likejacking” (by analogy with clickjacking.)

An enticing link was placed on Facebook, e.g., “WORLD CUP 2010 in HD” or “101 Hottest Women in the World”. The link led to a specially created page, where a Javascript script placed an invisible Like button at the cursor’s location. The button kept following the cursor, and it was pressed regardless of where the user clicked. As a result, a copy of the link was added to the user’s Wall and information that the user liked the link appeared on his or her friends’ feeds. The attack had a snowball effect: the link was followed by friends, then friends of friends and so forth.

Naturally, the aim of this was to make money. Once the link was added to the Wall, the user was redirected to a page which contained an imitation player which supposedly showed World Cup games or pictures of girls. The page also hosted a small piece of JavaScript code. The script provided the cybercriminals who had set up the fraudulent scheme with a small sum every time a user was redirected to the page. Since thousands of people fell victim to the scheme, the cybercriminals must have made a tidy profit.

Luckily, so far we have not seen any cases of links to malware being distributed in this way.

Vulnerability disclosure

Two unexpected events involving vulnerabilities and Google took place in Q2. In both cases, a Google employee disclosed full information about vulnerabilities. Since at the time of disclosure there were no patches for the vulnerabilities, this predictably led to mass exploitation by black hats.

A zero-day vulnerability in Java Web Start (CVE-2010-0886) was disclosed on April 9. Oracle worked hard to develop a patch, which was released on April 16. However, cybercriminals beat them to it: a couple of days after the vulnerability disclosure, an exploit was widely available and even added to an exploit pack. Exploits are clearly mass-produced by cybercriminals these days: the domain that was subsequently used to conduct attacks was registered one day before information on that particular vulnerability was published.

In the second instance, the same Google employee disclosed a vulnerability in the Windows Help and Support Center (CVE-2010-1885). The situation repeated itself and working exploits became available on the Internet very soon after the information had been disclosed.

A researcher disclosing information about vulnerabilities is probably impelled to do so by an acute sense of justice. He believes that by making that information public, he is doing a good deed. But is this really the case?

On the one hand, when a vulnerability is disclosed, software vendors try to release a patch as quickly as possible. On the other hand, all cybercriminals receive a brand new weapon that is nearly 100% effective. In addition, while fixing today’s software that is made up of millions of lines of code takes much longer than a day, cybercriminals can take advantage of the vulnerability virtually at once. Isn’t this too high a price to pay for fixing bugs?

Our research demonstrates that such attempts to do good lead in quite the opposite direction. According to our data, exploits that target the CVE-2010-0886 vulnerability became widespread very soon. In their heyday, they boasted a 17% share of all vulnerabilities! The situation with the exploit that targets the HSC vulnerability (CVE-2010-1885) is similar. It is rapidly gaining ground and has risen as high as thirteenth in the quarterly exploit ranking, in spite of the fact that it only appeared in the last month of the quarter. It can only be hoped that this will be a good lesson to all researchers.

Non-Windows platforms

On May 31, Google announced that it was abandoning Windows and migrating to Linux and Mac OS. Security issues were among the reasons for this decision cited by Google representatives. However, Linux and Mac OS are, in fact no better protected than Windows.

The second quarter saw malware for alternative platforms gaining new ground. A new backdoor for Mac OS X, Backdoor.OSX.Reshe.a, appeared on April 20. Once on the victim machine, the malware protects itself by disguising as iPhoto, a popular application, and configures itself to start at system startup. The backdoor offers an attacker full control of the infected computer, with the ability to send spam, search for and steal files, download and execute programs, take screenshots and much, much more. It is written in RealBasic and can run on Apple computers based on both PowerPC and Intel processors. So far, mass use of this malware has not been detected, but it nevertheless remains a weapon in the hands of cybercriminals.

On June 3, several days after Google’s announcement that it was migrating to alternative operating systems, Kaspersky Lab detected a new Trojan Spy for Mac OS X. The malware was disguised as an advertising system and was distributed in a bundle with legitimate software. In addition to stealing information from the computer, the malware has backdoor functionality, enabling attackers to send commands to the computer.

Many Mac OS users have a false sense of security. They are convinced that there are simply no threats that target their operating system. At the same time, Apple Computers admits that malware for Macs does exist. In the latest update for OS X 10.6.4, Apple quietly added a new signature to its antivirus scanner to protect computers against Backdoor.OSX.Reshe.a, which we described above. However, these quiet updates provided by the vendor only support users’ false sense of security instead of dispelling it.

It should be noted that there are no operating systems that are completely safe. Today, Mac OS X is no more secure than, say, Windows 7 because, Mac OS X also requires anti-malware protection. Given the incidents described above, it is quite conceivable that targeted attacks on Macs are not far away.

Most commonly targeted countries

In the past three months, over 540 million attacks were blocked in 228 countries. Last quarter, even Norfolk Island with a population of 2,141 appeared on Kaspersky Lab’s antivirus radar. During the quarter, the average number of infection attempts increased globally by 4.5% per month.

As the table below shows, the likelihood of a computer becoming infected depends on its location.

Distribution of attacks by country Q2 2010 and Q1 2010

Information Security Threats in the Second Quarter of 2010

Your email address will not be published. Required fields are marked *



The leap of a Cycldek-related threat actor

The investigation described in this article started with one such file which caught our attention due to the various improvements it brought to this well-known infection vector.

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Subscribe to our weekly e-mails

The hottest research right in your inbox