Kaspersky Security Bulletin

Kaspersky Security Bulletin 2009. Statistics, 2009

  1. Kaspersky Security Bulletin 2009. Malware Evolution 2009
  2. Kaspersky Security Bulletin 2009. Statistics, 2009
  3. Kaspersky Security Bulletin: Spam Evolution 2009

The statistics used in this report are generated by the Kaspersky Security Network (KSN), a major innovation implemented in Kaspersky Lab personal products. The system is currently being adapted for implementation in Kaspersky Lab’s corporate product offerings.

KSN enables our analysts to detect, in real time, new malicious programs for which signature or heuristic detection does not yet exist. KSN is also able to identify sources which are spreading malware on the Internet, and to prevent users from accessing these sources.

KSN increases the speed of reaction to new threats (at the moment we are able to prevent new malicious programs being launched on computers using KSN mere tenths of a second after the program has been identified as malicious) without it being necessary to update antivirus databases in the normal way.

Malicious programs on the Internet (attacks via the Web)

The problem of Gumblar has been covered in some detail in another section of this report. In fact, the Gumblar epidemic is merely the tip of the iceberg in terms of web infections; infecting via the Web has, over the past few years, become the main method used to infect victim machines.

Cybercriminals have quickly adapted to take advantage of these new opportunities, and have succeeded in creating fully functional, self-populating botnets using compromised web sites. They have also been quick to exploit the possibilities offered by social networks, and the high level of trust between members of social networks. The likelihood that a member of a social network will launch a file or click on a link sent to him/her by a “friend” is approximately 10 times greater than if the file or the link arrives via email. Cybercriminals actively exploit this trust in order to spread malware and spam.

In the past, we’ve written several times about drive-by downloads, a technique used to stealthily infect victim machines while the user is browsing the Internet. In 2009, the number of such attacks approximately tripled – and it should be stressed that the total number of attacks is in the tens of millions.

KSN has been used to quantify the number of attacks and analyse attempts to infect machines running KSN.

In 2009, 73,619,767 attacks on KSN users were identified, in contrast to 23,680,646 in 2008. In addition to attempts made to download malicious or potentially unwanted programs to victim machines, the total number of incidents also includes 14,899,238 attempts to access phishing and malicious sites which were blocked by our antivirus product.

Top twenty malicious programs on the Internet in 2009

The twenty malicious programs most commonly used in Internet attacks are listed below. Each program has been identified more than 170,000 times and, overall, the programs listed below were involved in more than 37% (27,443,757) of all identified incidents.

Name Number of attacks % of total
1 HEUR:Trojan.Script.Iframer 9858304 13.39
2 Trojan-Downloader.JS.Gumblar.x 2940448 3.99
3 not-a-virus:AdWare.Win32.Boran.z 2875110 3.91
4 HEUR:Exploit.Script.Generic 2571443 3.49
5 HEUR:Trojan-Downloader.Script.Generic 1512262 2.05
6 HEUR:Trojan.Win32.Generic 1396496 1.9
7 Worm.VBS.Autorun.hf 1131293 1.54
8 Trojan-Downloader.HTML.IFrame.sz 935231 1.27
9 HEUR:Exploit.Script.Generic 752690 1.02
10 Trojan.JS.Redirector.l 705627 0.96
11 Packed.JS.Agent.bd 546184 0.74
12 Trojan-Clicker.HTML.Agent.aq 379872 0.52
13 HEUR:Trojan-Downloader.Win32.Generic 322166 0.44
14 Trojan.JS.Agent.aat 271448 0.37
15 Trojan-Downloader.Win32.Small.aacq 265172 0.36
16 Trojan-Clicker.HTML.IFrame.ani 224657 0.31
17 Trojan-Clicker.JS.Iframe.be 216738 0.3
18 Trojan-Downloader.JS.Zapchast.m 193130 0.27
19 Trojan.JS.Iframe.ez 175401 0.24
20 not-a-virus:AdWare.Win32.GamezTar.a 170085 0.23
Total: 27443757 37.3

The leader by a significant amount is a heuristic detection used to identify malicious links injected by hackers and malware into the code of compromised sites. These links cause the browser to stealthily contact other sites, which generally contain exploit bundles designed to target browser or application vulnerabilities.

Second place is taken by Gumblar; this is no surprise given the scale of the Gumblar epidemic. Kaspersky Lab products detected that our clients’ machines attempted to contact Gumblar botnet servers almost 3,000,000 times, which gives an idea of the size of the problem.

Adware is in third place, in the form of Boran.z. Adware, together with spam and pornographic content, became one of the major drivers of cybercrime a long time ago.

Almost all the other entries are linked in one way or another to various modifications of vulnerability exploits.

Top twenty countries hosting malware in 2009

The 73,619,767 attacks conducted via the Internet in 2009 were launched from resources in 174 countries around the world. More than 97% of these attacks originated in the twenty countries listed below.

Country Percentage of all attacks
1 China (mainland) 52.7%
2 USA 19.02%
3 Netherlands 5.86%
4 Germany 5.07%
5 Russia 2.58%
6 Great Britain 2.54%
7 Canada 2.22%
8 Ukraine 2.17%
9 Latvia 1.53%
10 France 0.6%
11 Spain 0.49%
12 North Korea 0.48%
13 Brazil 0.44%
14 Cyprus 0.34%
15 Sweden 0.32%
16 Taiwan 0.27%
17 Norway 0.23%
18 Israel 0.21%
19 Luxemburg 0.16%
20 Estonia 0.16%
Total: 97.38%

The top five countries are exactly the same as in 2008.

Although China remains the leader, the number of attacks conducted from Chinese resources fell from 79% of all attacks to slightly under 53%. The US remains in second place, but the number of infected servers on US territory rose significantly, with attacks increasing from 6.8% of all attacks to 19%. Russia, Germany and the Netherlands trail behind the two leaders, with percentages for these countries increasing only slightly.

China’s leading position (both in terms of the creation of new malware, and in terms of the number of infected websites) has attracted the attention of governmental bodies and law enforcement agencies. In order to improve the situation, regulatory agencies have already taken a number of steps designed to prevent the appearance of malicious resources. Registering a .cn domain name must now be done in writing, and registration will only be carried out once the person wishing to register the site provides – in person – ID and a commercial license. Several Chinese domain registrars have already been closed for failing to abide by these regulations.

These restrictions were introduced at the end of 2009, and there was an almost immediate reduction in the number of spam links leading to Chinese domains. It is to be hoped that this trend will continue in 2010 and that there will be a similarly noticeable effect on other methods which are used to infect victim machines and scam users.

Top twenty countries subject to attack in 2009

More than 86% of the 73,619,767 attacks targeted the machines of users in the twenty countries listed below:

Country Percentage of all attacks
1 China 46.75%
2 USA 6.64%
3 Russia 5.83%
4 India 4.54%
5 Germany 2.53%
6 Great Britain 2.25%
7 Saudi Arabia 1.81%
8 Brazil 1.78%
9 Italy 1.74%
10 Vietnam 1.64%
11 Mexico 1.58%
12 France 1.49%
13 Egypt 1.37%
14 Turkey 1.23%
15 Spain 1.2%
16 Ukraine 0.91%
17 Canada 0.81%
18 Malaysia 0.8%
19 Thailand 0.76%
20 Kazakhstan 0.71%
Total: 86.37%

This ranking has changed significantly since last year. China remains the leader in terms of numbers of potential victims, but the number of attacks dropped by 7%. Other countries which were near the top of the table last year, such as Egypt, Turkey, and Vietnam, now seem to be of less interest to cybercriminals. However, the number of attacks on users based in the US, Germany, Great Britain and Russia rose significantly.

It seems likely that these changes are yet another consequence of the global economic crisis. There is now less money on the Internet, and the initial surge of interest in online banking services, which was seen in a number of countries in online banking services, has now slowed. Cybercriminals are focussing their efforts on the “richest” markets, i.e. those which offer the most potential profit.

Chinese cybercriminals have also played a role, as they are conducting fewer attacks on their fellow citizens. We have written elsewhere about the decline in the number of gaming Trojans, and it may be that this has influenced attacks conducted via the Web.

Network attacks

A firewall is an essential part of any modern security solution. Firewalls block a wide range of attacks conducted on the potential victim machine from the outside – attacks which are not conducted via the browser – and also combat attempts to steal confidential data.

Kaspersky Internet Security includes a firewall with an Intrusion Detection System (IDS) that analyses incoming packets. Incoming packets can often be exploits which can either infect an unpatched system or give a cybercriminal full access to the system by exploiting vulnerabilities in operating system network services.

In 2009, the IDS in Kaspersky Internet Security 2010 deflected 219,899,678 network attacks. The corresponding figure for 2008 was slightly more than 30 million.

Name Number of attacks %
1 DoS.Generic.SYNFlood 156550484 71.192
2 Intrusion.Win.NETAPI.buffer-overflow.exploit 32605798 14.828
3 Intrusion.Win.MSSQL.worm.Helkern 23263431 10.579
4 Intrusion.Win.DCOM.exploit 3245943 1.476
5 Scan.Generic.UDP 1799685 0.818
6 Intrusion.Win.LSASS.exploit 812775 0.37
7 Intrusion.Generic.TCP.Flags.Bad.Combine.attack 604621 0.275
8 Intrusion.Win.LSASS.ASN1-kill-bill.exploit 555107 0.252
9 DoS.Generic.ICMPFlood 131925 0.06
10 Scan.Generic.TCP 101737 0.046
11 Intrusion.Win.HTTPD.GET.buffer-overflow.exploit 86511 0.039
12 Intrusion.Win.MediaPlayer.ASX.buffer-overflow.exploit 24375 0.011
13 Intrusion.Win.SMB.CVE-2009-3103.exploit 19378 0.009
14 Intrusion.Win.WINS.heap-overflow.exploit 15200 0.007
15 Intrusion.Generic.OmniWeb.Alert.format-string.exploit 14291 0.006
16 Intrusion.Win.Messenger.exploit 10296 0.005
17 DoS.Win.IGMP.Host-Membership-Query.exploit 8976 0.004
18 Intrusion.Win.PnP.exploit 8783 0.004
19 Intrusion.Win.EasyAddressWebServer.format-string.exploit 6561 0.003
20 DoS.Generic.Land 3505 0.002
Total: 99.986

Just as last year, Dos.Generic.SYNFlood is in first place; this widespread and simple attack will, if successful, cause the computer under attack to cease working. Attacks of this type can be successfully combated by the majority of today’s security solutions.

NETAPI.buffer-overflow.exploit, in second place, is an interesting threat which poses a serious risk; it targets the MS08-067 vulnerability. This is the vulnerability exploited by the notorious Kido (Conficker) worm. It was identified at the end of 2008, and took fourth place in last year’s rankings. Kido is undoubtedly responsible for the majority of the 32 million attacks designed to exploit MS08-067 which were detected and blocked in 2009.

In spite of the fact that Helkern (Slammer) has been in existence for seven years now, it continues to make its presence felt, and caused 23 million infection attempts. The RPC-DCOM (MS03-026) exploit, in fourth place in the rankings, is similarly long-lived; this was the vulnerability used by the Lovesan worm to cause a global epidemic in August 2003.

Local infections

The figures which indicate the number of local infections on victim machines are extremely important. These statistics provide data on the number of threats which penetrated victim machines via vectors other than the Web, email, or network ports.

Kaspersky Lab products successfully detected 107,370,258 virus incidents involving 703,700 malicious and potentially unwanted programs on computers which are part of KSN. The 100 most common of these programs caused 28,579,901 incidents, or 27% of all incidents.

The twenty most common threats are shown below:

Object Number of individual
computers on which
object was detected
1 HEUR:Trojan.Win32.Generic 3050753
2 Net-Worm.Win32.Kido.ih 2924062
3 Virus.Win32.Sality.aa 1407976
4 Net-Worm.Win32.Kido.ir 1176726
5 UDS:DangerousObject.Multi.Generic 620716
6 Packed.Win32.Black.d 527718
7 Net-Worm.Win32.Kido.iq 518120
8 HEUR:Worm.Win32.Generic 516467
9 Virus.Win32.Virut.ce 488852
10 not-a-virus:AdWare.Win32.Boran.z 466106
11 Virus.Win32.Induc.a 455798
12 HEUR:Trojan-Downloader.Win32.Generic 436229
13 HEUR:Trojan.Win32.StartPage 412245
14 MultiPacked.Multi.Generic 377741
15 Trojan-Downloader.Win32.VB.eql 362685
16 Worm.Win32.FlyStudio.cu 361056
17 Trojan-Dropper.Win32.Flystud.yo 356950
18 Packed.Win32.Black.a 333705
19 Packed.Win32.Klone.bj 320665
20 Trojan.Win32.Chifrax.a 296947

Heuristic methods were used to identify more than 3 million infection attempts which were subsequently blocked. The majority of these heuristic detections have a place in the rankings: HEUR:Trojan.Win32.Generic, HEUR:Worm.Win32.Generic, HEUR:Trojan-Downloader.Win32.Generic and HEUR:Trojan.Win32.StartPage

As has already been mentioned, the biggest epidemic of the year was caused by Kido (Conficker), a worm which infected millions of computers around the world. Three modifications of this worm feature in the rankings: Kido.ir, Kido.ih, and Kido.iq. Taken together, these three pieces of malware would trump the leader (HEUR:Trojan.Win32.Generic) by more than one and a half million infected machines.

Sality.aa follows Kido – this virus also caused a global epidemic last year, and headed the rankings in our annual report. It should be stressed, however, that Sality didn’t retain this position for long, being squeezed down the table by network worms.

In addition to Sality, the table features another two viruses – the first is a classic file virus, and the second is a creation which does not fit neatly into our current malware classification.

The first is Virus.Win32.Virut.ce, which in addition to its main payload (infecting executable files) also infects web servers and spreads via P2P networks. The epidemic caused by Virut was among the notable malware incidents of 2009.

The second is Virus.Win32.Induc.a, which is very non-standard: it exploits the two stage mechanism used to create executable files implemented in Delphi. What happens is that application source code is initially compiled into an intermediary .dcu module, and then into a Windows executable. At the moment, this virus has no malicious payload apart from its infection routine, but it does demonstrate this new potential infection vector. It should be noted that it took so long to identify Induc (infected files started appearing at the end of 2008, but the virus itself was only detected in August 2009) because it has no actual malicious payload apart from being able to self-propagate.

Thanks to the Urgent Detection System (UDS) which is part of the Kaspersky Security Network, more than 600,000 computers were protected in real time – new malicious files are quickly detected as UDS:DangersouObject.Multi.Generic.

The large number of malicious programs created using FlyStudio (a scripting language) should also be noted. There are three such programs in the rankings: Worm.Win32.FlyStudio.cu, Trojan-Dropper.Win32.Flystud.yo, and Packed.Win32.Klone.bj. Taking into account that FlyStudio is mostly used by Chinese cybercriminals, the fact that these programs are among the twenty most common malicious programs confirms our earlier statement that China is one of the leading creators of malware.

One more clearly marked trend in the virus-writing world this year was malware being packed and obfuscated using specially created packing programs. This is done to hinder detection and analysis of already known malware. Several such packers are included in the rankings: Packed.Win32.Black.a, Packed.Win32.Black.d, and Packed.Win32.Klone.bj.

Vulnerabilities

Software and operating system vulnerabilities are one of the most dangerous security issues, providing cybercriminals with opportunities to evade protection mechanisms and attack victim machines. Kido, the biggest epidemic of 2009, came to pass due to a critical vulnerability in the Windows operating system.

However, just as was the case a year ago, the browser remains the most common attack vector. Although the browser itself may not be vulnerable, a machine can still be infected if browser-related plug-ins and applications contain vulnerabilities.

In 2009, the system for analysing vulnerabilities identified 404 different vulnerabilities, and a total of 461,828, 538 vulnerable files and applications were detected on users’ computers.

We analysed the 20 most common vulnerabilities, which made up 90% (415,608,137) of all vulnerable files and applications identified on computers running our antivirus solution.

ID Vulnerability Number of
vulnerable
files and
applications
% of all
vulnerable
files and
applications
Rating Impact Release Date
1 33632 Apple QuickTime Multiple Vulnerabilities 165658505 35,87 Highly Critical System Access 22.01.2009
2 35091 Apple QuickTime Multiple Vulnerabilities 68645338 14.86 Highly Critical System Access 22.05.2009
3 31821 Apple QuickTime Multiple Vulnerabilities 58141113 12,59 Highly Critical System Access 10.09.2008
4 29293 Apple QuickTime Multiple Vulnerabilities 38368954 8,31 Highly Critical System Access 10.06.2008
5 23655 Microsoft XML Core Services Multiple Vulnerabilities 8906277 1,93 Highly Critical Cross Site Scripting, DoS, System access 09.01.2007
6 34012 Adobe Flash Player Multiple Vulnerabilities 7728963 1,67 Highly Critical Security Bypass, Exposure of sensitive information, Privilege escalation, System access 25.02.2009
7 34451 Sun Java JDK / JRE Multiple Vulnerabilities 6783414 1,47 Highly Critical Security Bypass, DoS, System access 26.03.2009
8 29320 Microsoft Outlook “mailto:” URI Handling Vulnerability 6336962 1,37 Highly Critical System Access 11.03.2008
9 35364 Microsoft Excel Multiple Vulnerabilities 6290278 1,36 Highly Critical System Access 09.06.2009
10 35377 Microsoft Office Word Two Vulnerabilities 6088207 1,32 Highly Critical System Access 09.06.2009
11 34572 Microsoft PowerPoint OutlineTextRefAtom Parsing Vulnerability 5704617 1,24 Extremely Critical System Access 03.04.2009
12 31744 Microsoft Office OneNote URI Handling Vulnerability 5652570 1,22 Highly Critical System Access 09.09.2008
13 32270 Adobe Flash Player Multiple Security Issues and Vulnerabilities 5078221 1,1 Moderately critical Security Bypass, Cross Site Scripting, Manipulation of data, Exposure of sensitive information 16.10.2008
14 35948 Adobe Flash Player Multiple Vulnerabilities 5073297 1,1 Highly Critical Security Bypass, Exposure of sensitive information, System access 23.07.2009
15 30285 Microsoft Office Word Multiple Vulnerabilities 4984582 1,08 Highly Critical System Access 09.12.2008
16 31453 Microsoft Office PowerPoint Multiple Vulnerabilities 4203122 0,91 Highly Critical System Access 12.08.2008
17 30150 Microsoft Publisher Object Handler Validation Vulnerability 3965019 0,86 Highly Critical System Access 13.05.2008
18 32991 Sun Java JDK / JRE Multiple Vulnerabilities 2980650 0,65 Highly Critical Security Bypass, Exposure of system information, Exposure of sensitive information, DoS, System access 04.12.2008
19 31593 Microsoft Excel Multiple Vulnerabilities 2604816 0,56 Highly Critical System Access 09.12.2008
20 26027 Adobe Flash Player Multiple Vulnerabilities 2413232 0,52 Highly Critical Exposure of sensitive information, System access 11.07.2007
Total 415608137 89,99

Of the five most common vulnerabilities, the first two were identified in 2009, those in third and fourth place in 2008, and the Microsoft XML Core Services Multiple Vulnerabilities, which occupy fifth place, were identified back in 2007.

In terms of vulnerable files and applications detected on users’ machines, the most common in 2009 were vulnerabilities in Apple’s QuickTime 7.x, which was responsible for more than 70% of all vulnerabilities. This is reminiscent of 2008, when QuickTime made up more than 80% of all vulnerabilities, and led the rankings with this figure.

The graph presents data on which company’s products contained the most vulnerabilities out of those listed in the table above.

In 2008, this graph was made up of 7 companies, but this number has now been reduced to four. Just as last year, Microsoft continues to lead with 10 vulnerabilities. This is not surprising, as we are looking specifically at the Windows platform. Nine out of the 10 vulnerabilities were found in applications which form part of Microsoft Office, such as Word, Excel, Outlook, PowerPoint, etc.

Apple’s four vulnerabilities were all found in QuickTime.

This data can be used to conclude that the situation remains the same as last year: the most vulnerable applications on modern Windows systems are still Microsoft Office and QuickTime.

However, Adobe is not far behind in the vulnerability stakes. All four vulnerabilities which were identified related to a single product: Adobe Flash Player. Two of these vulnerabilities were identified in 2009. Sadly, the situation has not improved since 2008, but actually worsened.

The list of the most dangerous applications for 2009 is as follows:

  1. QuickTime
  2. Microsoft Office
  3. Adobe Flash Player

The graph below shows data on the most common vulnerabilities grouped by type:

 

The twenty most common vulnerabilities all belong to the “remote” category, i.e. they can be exploited by cybercriminals even if they do not have direct local access to the victim machine.

Exploiting any of these vulnerabilities can have a range of effects on the victim machine. The most dangerous of these is “system access”, as this effectively gives a cybercriminal full access to the system. 19 out of the 20 vulnerabilities potentially provide “system access” and five can result in the loss of sensitive data.

Find everything about JavaScript and jQuery in the cheat sheets, read the JavaScript blog or use the free online tools.

Kaspersky Security Bulletin 2009. Statistics, 2009

Your email address will not be published. Required fields are marked *

 

Reports

BlindEagle flying high in Latin America

Kaspersky shares insights into the activity and TTPs of the BlindEagle APT, which targets organizations and individuals in Colombia, Ecuador, Chile, Panama and other Latin American countries.

APT trends report Q2 2024

The report features the most significant developments relating to APT groups in Q2 2024, including the new backdoor in Linux utility XZ, a new RAT called SalmonQT, and hacktivist activity.

Subscribe to our weekly e-mails

The hottest research right in your inbox