
Malware Miscellany, September 2009


After a lengthy interlude, we’re renewing our monthly malware almanac by popular demand. We’ve made quite a few changes to it, hopefully for the better – we’ll let you be the judge of that.

Top 3 countries for malicious URLs

Canada takes first place, hosting more than 21% of the world’s malicious URLs. The US is second with 16%, followed by China with 15%.

Top 3 countries hosting sites which spread malware

China claims first place, hosting 26% of all malicious sites globally. The US comes second with 18%, and Russia is third with 12%.

Malicious site which affects the biggest number of Internet users

www.langlangdor.com accounted for 1.62% of all online infections globally. This is a porn site located in China. Porn always attracts a lot of visitors, and it’s no secret that it’s often used by cybercriminals to spread malicious or suspicious content. There have been attempts (which were blocked) to spread a wide variety of Trojans from this site – most of them are Trojan-Downloader.Win32.Agent and Trojan.Win32.StartPage variants.

Site spreading the biggest number of unique malicious programs

1142 unique malicious programs were spread from www.gddsz.store.qq.com. The programs vary widely, and cover virtually all the different types of malware behavior in Kaspersky Lab’s classification.

Biggest malicious program

In September, this category was led by Trojan.Win32.Chifrax.d at 388 MB. There are numerous modifications of this Trojan, all larger than 300 MB. Trojan.Win32.Chifrax.d is the name used to detect CAB archives which have been specially modified by virus writers in order to evade antivirus solutions.
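The Chifrax entry above describes CAB archives that were modified to evade antivirus scanning, but gives no detail of the modification. As an added example, which is not code from the original page or from Kaspersky Lab, the Python below parses the Microsoft Cabinet CFHEADER and reports structural inconsistencies a defender can check for before handing an archive to a scanner: a declared cabinet size that disagrees with the actual data length, an unexpected format version, a CFFILE offset past the end of the data, no declared folders or files, or an archive above a configurable size threshold. The sample cabinets are constructed inline and contain no payload; the individual checks are assumptions about what a tampered archive might look like, not Kaspersky’s detection logic for Chifrax.

```python
import struct

# CFHEADER of the Microsoft Cabinet format: the first 36 bytes of every .cab.
# Fields: signature, reserved1, cbCabinet, reserved2, coffFiles, reserved3,
#         versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")
CFFOLDER_SIZE = 8  # coffCabStart (4), cCFData (2), typeCompress (2)


def inspect_cab(data: bytes, max_plausible_size: int = 300 * 1024 * 1024) -> dict:
    """Return header fields plus a list of structural findings (empty when the
    header is self-consistent). The checks are heuristics, not a malware verdict."""
    findings = []
    if len(data) < CFHEADER.size:
        return {"valid": False, "findings": ["truncated: shorter than CFHEADER"]}
    (sig, _r1, cb_cabinet, _r2, coff_files, _r3,
     v_minor, v_major, c_folders, c_files,
     _flags, _set_id, _i_cab) = CFHEADER.unpack_from(data, 0)
    if sig != b"MSCF":
        findings.append("bad signature")
    if cb_cabinet != len(data):
        # A header that mis-states its own size is the kind of inconsistency
        # a parser-based scanner can trip over or skip.
        findings.append(f"declared size {cb_cabinet} != actual size {len(data)}")
    if (v_major, v_minor) != (1, 3):
        findings.append(f"unexpected format version {v_major}.{v_minor}")
    if c_folders == 0 or c_files == 0:
        findings.append("no folders or files declared")
    if coff_files >= len(data):
        findings.append("CFFILE offset beyond end of data")
    if len(data) > max_plausible_size:
        findings.append(f"archive exceeds {max_plausible_size} bytes")
    return {
        "valid": not findings,
        "findings": findings,
        "declared_size": cb_cabinet,
        "folders": c_folders,
        "files": c_files,
    }


def make_sample_cab(total_len, declared_len=None) -> bytes:
    """Constructed sample (not real malware): a minimal header, one CFFOLDER
    entry, then zero padding. declared_len lets a caller mis-state cbCabinet."""
    if declared_len is None:
        declared_len = total_len
    header = CFHEADER.pack(b"MSCF", 0, declared_len, 0,
                           CFHEADER.size + CFFOLDER_SIZE, 0,
                           3, 1, 1, 1, 0, 0, 0)
    folder = struct.pack("<IHH", CFHEADER.size + CFFOLDER_SIZE, 0, 0)
    body = header + folder
    return body + b"\0" * (total_len - len(body))


# Constructed samples: a self-consistent 64-byte cabinet, and one whose header
# still claims 64 bytes while the data actually carries an extra kilobyte.
GOOD_CAB = make_sample_cab(64)
PADDED_CAB = make_sample_cab(64) + b"\0" * 1024


if __name__ == "__main__":
    for name, blob in (("good", GOOD_CAB), ("padded", PADDED_CAB)):
        print(name, inspect_cab(blob))
```

In a mail or web gateway this kind of check is cheap enough to run on every cabinet before the full scanner sees it, and a size ceiling (the page reports Chifrax variants all above 300 MB) is a reasonable trigger for routing an archive to slower, deeper analysis rather than skipping it.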
Smallest malicious program

Trojan.BAT.Shutdown.ab is a mere 30 bytes. It’s part of another Trojan that uses it to shut down the victim’s computer without asking for the user’s consent.

Most widespread vulnerability on users’ computers

In late July, Adobe Flash Player versions 9 and 10 were found to have multiple vulnerabilities that can be exploited by cybercriminals to gain access to a system, run arbitrary code, gain access to confidential data or bypass security systems. More information about the vulnerabilities and how to fix them can be found at: https://threats.kaspersky.com/en/

Most common exploit

Exploit.JS.DirektShow: in combination with Exploit.Win32.DirektShow, this malware family exploits a critical vulnerability in Internet Explorer 6.0 and 7.0 and has recently become extremely widespread on the Internet.

Most widespread malware on the Internet

In just a month, Packed.Win32.TDSS.z tried to penetrate computers in 108 countries around the world.

Worst joke (hoax programs that scare or annoy users but don’t have a clearly malicious payload)

Hoax.JS.Agent.c displays an obscene video clip and bombards victims with offensive messages which can’t be stopped.
