Malicious programs detected on users’ computers
The first Top Twenty lists malicious programs, adware and potentially unwanted programs that were detected and neutralized when accessed for the first time, i.e. by the on-access scanner.
Position | Change in position | Name | Number of infected computers |
1 | 0 | Net-Worm.Win32.Kido.ir | 330025 |
2 | 0 | Virus.Win32.Sality.aa | 208219 |
3 | 0 | Net-Worm.Win32.Kido.ih | 183527 |
4 | 0 | Net-Worm.Win32.Kido.iq | 172517 |
5 | 0 | Worm.Win32.FlyStudio.cu | 125714 |
6 | 2 | Virus.Win32.Virut.ce | 70307 |
7 | New | Exploit.JS.CVE-2010-0806.i | 68172 |
8 | -2 | Trojan-Downloader.Win32.VB.eql | 64753 |
9 | 2 | Worm.Win32.Mabezat.b | 51863 |
10 | 5 | Trojan-Dropper.Win32.Flystud.yo | 50847 |
11 | -1 | Worm.Win32.AutoIt.tc | 49622 |
12 | New | Exploit.JS.CVE-2010-0806.e | 45070 |
13 | -4 | Packed.Win32.Krap.l | 44942 |
14 | New | Trojan.JS.Agent.bhr | 36795 |
15 | 2 | not-a-virus:AdWare.Win32.RK.aw | 36408 |
16 | Return | Trojan.Win32.Autoit.ci | 35877 |
17 | -1 | Virus.Win32.Induc.a | 31846 |
18 | New | Trojan.JS.Zapchast.dj | 30167 |
19 | Return | Packed.Win32.Black.a | 29910 |
20 | Return | Worm.Win32.AutoRun.dui | 28343 |
The list of the twenty most frequently occurring malicious programs detected on users’ computers traditionally remains fairly stable, so it comes as no surprise that Kido and Sality continue to occupy the top two places.
April saw four new entries. Two of them (7th and 12th places) are variants of the CVE-2010-0806 exploit which we mentioned last month, while the other two (14th and 18th places) are Trojans that turned out to be directly connected to the CVE-2010-0806 exploit. The exploit itself is usually encrypted or obfuscated and broken up into several parts. When an infected page is opened in the browser, the component parts of the exploit download in a particular order. The part of the code to be downloaded last is the part that unpacks and launches the exploit. The two new Trojans in this ratings list are components of one of the CVE-2010-0806 exploit variants.
To recap, the exploit is for a vulnerability that was detected in Internet Explorer back in March. Since then, it has been actively used by cybercriminals who spotted a description of it that went into rather too much detail. In March the number of unique downloads of the CVE-2010-0806 exploit had already reached the 200,000 mark. In April two variants of the exploit were neutralized on more than 110,000 computers. We’ll discuss the rapid rise of the CVE-2010-0806 exploit in more detail below.
It’s also worth mentioning Virut.ce’s slow but steady rise towards the top five. Over the past three months it has climbed from 10th place to 6th and in April alone was neutralized on more than 70,000 computers.
Malicious programs on the Internet
The second Top Twenty presents data generated by the web antivirus component, and reflects the online threat landscape. This ranking includes malicious programs detected on web pages and malware downloaded to victim machines from web pages.
Position | Change in position | Name | Number of attempted downloads |
1 | 1 | Exploit.JS.CVE-2010-0806.i | 201152 |
2 | New | Exploit.JS.Pdfka.cab | 117529 |
3 | 7 | Exploit.JS.CVE-2010-0806.b | 110665 |
4 | New | not-a-virus:AdWare.Win32.FunWeb.q | 99628 |
5 | New | Trojan-Downloader.JS.Twetti.c | 89596 |
6 | New | Trojan-Downloader.JS.Iframe.bup | 85973 |
7 | New | Trojan.JS.Agent.bhl | 76648 |
8 | Return | Trojan-Clicker.JS.Agent.ma | 76415 |
9 | New | Trojan-Clicker.JS.Iframe.ev | 74324 |
10 | New | Exploit.JS.Pdfka.byp | 69606 |
11 | -8 | Trojan.JS.Redirector.l | 68361 |
12 | New | Trojan-Dropper.Win32.VB.amlh | 60318 |
13 | New | Exploit.JS.Pdfka.byq | 60184 |
14 | -10 | Trojan-Clicker.JS.Iframe.ea | 57922 |
15 | -8 | not-a-virus:AdWare.Win32.Boran.z | 56660 |
16 | New | Exploit.JS.CVE-2010-0806.e | 53989 |
17 | -11 | Trojan.JS.Agent.aui | 52703 |
18 | 0 | not-a-virus:AdWare.Win32.Shopper.l | 50252 |
19 | New | Packed.Win32.Krap.gy | 46489 |
20 | New | Trojan.HTML.Fraud.am | 42592 |
In contrast to our first Top Twenty, this rating is far more volatile.
The leader for the last two months running, Gumblar.x, is nowhere to be seen in the April Top Twenty after its activity fell off sharply. Like previous Gumblar epidemics, this one exploded onto the scene, peaked in February when over 450,000 websites were infected by Gumblar, and, two months later, disappeared just as quickly as it came. This should act as a warning sign, because this is typical of Gumblar.x’s behavior and is reminiscent of events back in February. It remains to be seen when the next epidemic will strike, or if there will even be one, but we’ll be keeping an eye on developments.
The rapid spread of the CVE-2010-0806 exploit this month means it claimed top spot in our second rating. The exploit usually downloads small downloader programs, such as members of the Trojan-Downloader.Win32.Small, Trojan-Dropper.Win32.Agent, Trojan.Win32.Inject, and Trojan.Win32.Sasfis families, to victims’ computers. These Trojans then download other malicious programs to the infected machines, usually various modifications of Trojan-GameThief.Win32.Magania, Trojan-GameThief.Win32.WOW and Backdoor.Win32.Torr. It looks as if the main aim for cybercriminals using the CVE-2010-0806 exploit during April was the theft of confidential data from users with accounts for popular online games. The total number of attempted downloads of the three exploit variants in 1st, 3rd and 16th places exceeded 350,000.
Among the newcomers in April were three exploits (2nd, 10th, and 13th places) that target vulnerabilities in Adobe Reader and Acrobat. The vulnerabilities that these three PDF exploits use are relatively old and were detected back in 2009. The exploits themselves are PDF documents containing JavaScript scripts. These scripts fetch various Trojan-Downloaders from the Internet and install them; the downloaders in turn download and run many other malicious programs. The malware downloaded to computers infected by Pdfka.cab (2nd place) included variants of the PSWTool.Win32.MailPassView family. The programs from this group are used to steal logins and passwords for email accounts.
Packed.Win32.Krap.gy in 19th place, like most of the representatives from that family of packers, conceals rogue antivirus programs. One of the sources behind the spread of these fake security programs is an HTML page detected by Kaspersky Lab as Trojan.HTML.Fraud.am (20th place).
The number of attempted downloads of Twetti.c (5th place) totaled 90,000. The functionality of this Trojan is no different from its less obfuscated predecessor Twetti.a, which we mentioned in December.
Looking at April’s ratings, one of the main trends of recent months is clearly visible: cybercriminals are making active use of exploits whose source code is widely available. In the vast majority of cases, the target of such attacks is confidential data. The cybercriminals try to gain access to accounts for email and online gaming services, along with various websites. These types of attempts numbered hundreds of thousands in April. The stolen data may well be sold and/or used for spreading malicious programs.
Monthly Malware Statistics: April 2010