Malware reports

Malware Miscellany, September 2009

Table of Contents

After a lengthy interlude, we’re renewing our monthly malware almanac by popular demand. We’ve made quite a few changes to it, hopefully for the better – we’ll let you be the judge of that.

Категория Наименование
Top
3 countries for malicious URLs

Canada takes first
place, hosting more than 21% of the world’s malicious URLs. The US is
second with 16%, followed by China with 15%.

 

Top
3 countries hosting sites which spread malware

China claims first
place, hosting 26% of all malicious sites globally.
The US comes second with 18%, and Russia is third with 12%.

 

Malicious
site which affects the biggest number of Internet users

www.langlangdor.com
accounted for 1.62% of all online infections globally. This is a porn
site located in China. Porn always attracts a lot of visitors, and it’s
no secret that it’s often used by cybercriminals to spread malicious or
suspicious content. There’ve been attempts (which were blocked) to
spread a wide variety of Trojans from this site – most of them are
Trojan-Downloader.Win32.Agent and Trojan.Win32.StartPage variants.

 

Site
spreading the biggest number of unique malicious programs

 1142 unique
malicious programs were spread from www.gddsz.store.qq.com. The
programs vary widely, and cover virtually all the different types of
malware behavior in Kaspersky Lab’s classification.

 

Biggest
malicious program

In September, this
category was led by Trojan.Win32.Chifrax.d at 388 MB. There are
numerous modifications of this Trojan, all larger than 300 MB.
Trojan.Win32.Chifrax.d is the name used to detect CAB archives which
have been specially modified by virus writers in order to evade
antivirus solutions.

 

Smallest
malicious program

Trojan.BAT.Shutdown.ab
is a mere 30 bytes. It’s part of another Trojan that uses it to shut
down the victim computer without asking the user’s consent.

 

Most
widespread vulnerability on users’ computers

In late July, Adobe
Flash Players 9 and 10 were found to have multiple vulnerabilities that
can be exploited by cybercriminals to gain access to a system, run
arbitrary code, gain access to confidential data or bypass security
systems. More information about the vulnerabilities and how to fix
them, can be found at: https://threats.kaspersky.com/en/


 

Most
common exploit

Exploit.JS.DirektShow:
in combination with Exploit.Win32.DirektShow, this malware family
exploits a critical vulnerability in Internet Explorer 6.0 and 7.0 and
has recently become extremely widespread on the Internet.

 

Most
widespread malware on the Internet

In just a month, Packed.Win32.TDSS.z tried to penetrate
computers in 108 countries around the world.
 

Worst
joke (hoax programs that scare or annoy users but don’t have a clearly
malicious payload)
Hoax.JS.Agent.c
displays an obscene video clip and bombards victims with offensive
messages which can’t be stopped. 

Malware Miscellany, September 2009

Your email address will not be published. Required fields are marked *

 

Reports

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

What did DeathStalker hide between two ferns?

While tracking DeathStalker’s Powersing-based activities in May 2020, we detected a previously unknown implant that leveraged DNS over HTTPS as a C2 channel, as well as parts of its delivery chain. We named this new malware “PowerPepper”.

Subscribe to our weekly e-mails

The hottest research right in your inbox