Malware reports

Monthly Malware Statistics: April 2010

Malicious programs detected on users’ computers

The first Top Twenty lists malicious programs, adware and potentially unwanted programs that were detected and neutralized when accessed for the first time, i.e. by the on-access scanner.

Position Change in position Name Number of infected computers
1   0 Net-Worm.Win32.Kido.ir   330025  
2   0 Virus.Win32.Sality.aa   208219  
3   0 Net-Worm.Win32.Kido.ih   183527  
4   0 Net-Worm.Win32.Kido.iq   172517  
5   0 Worm.Win32.FlyStudio.cu   125714  
6   2 Virus.Win32.Virut.ce   70307  
7   New Exploit.JS.CVE-2010-0806.i   68172  
8   -2 Trojan-Downloader.Win32.VB.eql   64753  
9   2 Worm.Win32.Mabezat.b   51863  
10   5 Trojan-Dropper.Win32.Flystud.yo   50847  
11   -1 Worm.Win32.AutoIt.tc   49622  
12   New Exploit.JS.CVE-2010-0806.e   45070  
13   -4 Packed.Win32.Krap.l   44942  
14   New Trojan.JS.Agent.bhr   36795  
15   2 not-a-virus:AdWare.Win32.RK.aw   36408  
16   Return Trojan.Win32.Autoit.ci   35877  
17   -1 Virus.Win32.Induc.a   31846  
18   New Trojan.JS.Zapchast.dj   30167  
19   Return Packed.Win32.Black.a   29910  
20   Return Worm.Win32.AutoRun.dui   28343  

The list of the twenty most frequently occurring malicious programs detected on users’ computers traditionally remains fairly stable, so it comes as no surprise that Kido and Sality continue to occupy the top two places.

April saw four new entries. Two of them (7th and 12th places) are variants of the CVE-2010-0806 exploit which we mentioned last month, while the other two (14th and 18th places) are Trojans that turned out to be directly connected to the CVE-2010-0806 exploit. The exploit itself is usually encrypted or obfuscated and broken up into several parts. When an infected page is opened in the browser, the component parts of the exploit download in a particular order. The part of the code to be downloaded last is the part that unpacks and launches the exploit. The two new Trojans in this ratings list are components of one of the CVE-2010-0806 exploit variants.

To recap, the exploit is for a vulnerability that was detected in Internet Explorer back in March. Since then, it has been actively used by cybercriminals who spotted a description of it that went into rather too much detail. In March the number of unique downloads of the CVE-2010-0806 exploit had already reached the 200,000 mark. In April two variants of the exploit were neutralized on more than 110,000 computers. We’ll discuss the rapid rise of the CVE-2010-0806 exploit in more detail below.

It’s also worth mentioning Virut.ce’s slow but steady rise towards the top five. Over the past three months it has climbed from 10th place to 6th and in April alone was neutralized on more than 70,000 computers.

Malicious programs on the Internet

The second Top Twenty presents data generated by the web antivirus component, and reflects the online threat landscape. This ranking includes malicious programs detected on web pages and malware downloaded to victim machines from web pages.

Position Change in position Name Number of attempted downloads
1   1 Exploit.JS.CVE-2010-0806.i   201152  
2   New Exploit.JS.Pdfka.cab   117529  
3   7 Exploit.JS.CVE-2010-0806.b   110665  
4   New not-a-virus:AdWare.Win32.FunWeb.q   99628  
5   New Trojan-Downloader.JS.Twetti.с   89596  
6   New Trojan-Downloader.JS.Iframe.bup   85973  
7   New Trojan.JS.Agent.bhl   76648  
8   Return Trojan-Clicker.JS.Agent.ma   76415  
9   New Trojan-Clicker.JS.Iframe.ev   74324  
10   New Exploit.JS.Pdfka.byp   69606  
11   -8 Trojan.JS.Redirector.l   68361  
12   New Trojan-Dropper.Win32.VB.amlh   60318  
13   New Exploit.JS.Pdfka.byq   60184  
14   -10 Trojan-Clicker.JS.Iframe.ea   57922  
15   -8 not-a-virus:AdWare.Win32.Boran.z   56660  
16   New Exploit.JS.CVE-2010-0806.e   53989  
17   -11 Trojan.JS.Agent.aui   52703  
18   0 not-a-virus:AdWare.Win32.Shopper.l   50252  
19   New Packed.Win32.Krap.gy   46489  
20   New Trojan.HTML.Fraud.am   42592  

In contrast to our first Top Twenty, this rating is far more volatile.
The leader for the last two months running, Gumblar.x, is nowhere to be seen in the April Top Twenty after its activity fell off sharply. Like previous Gumblar epidemics, this one exploded onto the scene, peaked in February when over 450,000 websites were infected by Gumblar, and disappeared just as quickly as it came two months later. This should act as a warning sign, because this is typical of Gumblar.x’s behavior and is reminiscent of events back in February. It remains to be seen when the next epidemic will strike, or if there will even be one, but we’ll be keeping an eye on developments.

The rapid spread of the CVE-2010-0806 exploit this month means it claimed top spot in our second rating. The exploit usually imports small downloader programs such as members of the Trojan-Downloader.Win32.Small, Trojan-Dropper.Win32.Agent, Trojan.Win32.Inject, and Trojan.Win32.Sasfis families to victims’ computers. These Trojans then download other malicious programs to the infected machines – usually various modifications of Trojan-GameTheif.Win32.Magania, Trojan-GameTheif.Win32.WOW and Backdoor.Win32.Torr. It looks as if the main aim for cybercriminals using the CVE-2010-0806 exploit during April was the theft of confidential data from users with accounts for popular online games. The total amount of attempted downloads of the three exploit variants in 1st, 3rd and 16th places exceeded 350,000 in all.

Among the newcomers in April were three exploits (2nd, 10th, and 13th places) that target vulnerabilities in Adobe Reader and Acrobat. The vulnerabilities that these three PDF exploits use are relatively old and were detected back in 2009. The exploits themselves are PDF documents containing scenarios in JavaScript. These scripts then seek out various Trojan-Downloaders on the Internet which they install and then these in turn download and run lots of other malicious programs. The malware downloaded to computers infected by Pdfka.cab (2nd place) included variants of the PSWTool.Win32.MailPassView family. The programs from this group are used to steal logins and passwords for email accounts.

Packed.Win32.Krap.gy in 19th place, like most of the representatives from that family of packers, conceals rogue antivirus programs. One of the sources behind the spread of these fake security programs is an HTML page detected by Kaspersky Lab as Trojan.HTML.Fraud.am (20th place).

The number of attempted downloads of Twetti.c (5th place) totaled 90,000. The functionality of this Trojan is no different from its less obfuscated predecessor Twetti.a, which we mentioned in December.

Looking at April’s ratings, one of the main trends of recent months is clearly visible: cybercriminals are making active use of exploits whose source codes are widely available. In the vast majority of cases, the target of such attacks is confidential data. The cybercriminals try to gain access to email and online gaming services’ accounts along with various websites. These types of attempts numbered hundreds of thousands in April. The stolen data may well be sold and/or used for spreading malicious programs.

Countries launching the most web-borne infections:

Monthly Malware Statistics: April 2010

Your email address will not be published. Required fields are marked *

 

Reports

How to catch a wild triangle

How Kaspersky researchers obtained all stages of the Operation Triangulation campaign targeting iPhones and iPads, including zero-day exploits, validators, TriangleDB implant and additional modules.

Subscribe to our weekly e-mails

The hottest research right in your inbox