Monthly Malware Statistics: August 2009

Kaspersky Lab presents its monthly malware statistics for August.

Two malware ratings have been compiled from data generated by the Kaspersky Security Network (KSN) in August 2009.

The first Top Twenty lists the malicious programs, adware and potentially unwanted programs that were detected and neutralized the first time they were accessed, i.e. by the on-access scanner.

Position  Change  Name                                  Number of infected computers
1         0       Net-Worm.Win32.Kido.ih                48281
2         0       Virus.Win32.Sality.aa                 23156
3         New     not-a-virus:AdWare.Win32.Boran.z      16872
4         -1      Trojan-Downloader.Win32.VB.eql        8030
5         -1      Trojan.Win32.Autoit.ci                7846
6         0       Virus.Win32.Virut.ce                  6248
7         -2      Worm.Win32.AutoRun.dui                5516
8         0       Net-Worm.Win32.Kido.jq                5446
9         -2      Virus.Win32.Sality.z                  5157
10        New     Virus.Win32.Induc.a                   4476
11        -2      Worm.Win32.Mabezat.b                  3982
12        -2      Net-Worm.Win32.Kido.ix                3579
13        -1      Packed.Win32.Klone.bj                 3579
14        New     Trojan.Win32.Swizzor.b                3327
15        New     Packed.Win32.Katusha.b                3139
16        -2      Worm.Win32.AutoIt.i                   3076
17        +1      not-a-virus:AdWare.Win32.Shopper.v    2947
18        New     Trojan-Dropper.Win32.Flystud.yo       2745
19        -2      Email-Worm.Win32.Brontok.q            2706
20        New     P2P-Worm.Win32.Palevo.jaj             2664

Net-Worm.Win32.Kido.ih and Virus.Win32.Sality.aa, our two long-standing leaders, are still at the top of the rating.

There are six newcomers to this month’s Top Twenty and some of them deserve a special mention.

By far the most interesting is Virus.Win32.Induc.a, which we have written about several times in recent weeks (see our earlier news item and weblog post). To recap: Induc exploits the fact that Delphi builds executables in two stages. Application source code is first compiled into intermediate DCU modules, and those modules are then linked into a Windows executable. Induc infects the precompiled modules that belong to the Delphi installation itself, so any product built on an infected machine came out of the compiler already infected, regardless of what the developer's own source contained. Because a great many products had been built this way, it is no surprise that Induc went straight in at tenth place.
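The defensive lesson of Induc is that a compiler's own library of intermediate modules is a build input and deserves the same integrity pinning as source. The following is an added example, not code from Kaspersky or from the Induc sample: it records SHA-256 hashes of every module in a toolchain library directory, then verifies the directory before a build and reports modules that were modified, removed or added. The directory layout, the unit file names and the tampering scenario are constructed for the demonstration; the page does not say which unit Induc targets.

```python
"""Pin and verify the hashes of a compiler's precompiled unit library.

Added example (not the page's or Kaspersky's code). Treats the library
directory of a toolchain, such as Delphi's folder of .dcu modules, as a
build input: record a manifest from a known-clean installation, commit
or sign it, and check the directory against it before every build.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(lib_dir: Path, suffixes=(".dcu",)) -> dict:
    """Map each intermediate module (relative path) under lib_dir to its hash."""
    return {
        str(p.relative_to(lib_dir)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(lib_dir.rglob("*"))
        if p.is_file() and p.suffix.lower() in suffixes
    }


def verify_manifest(lib_dir: Path, manifest: dict) -> dict:
    """Compare the live directory with a pinned manifest.

    Returns the three conditions a build gate should refuse on:
    a known module whose bytes changed, a known module that vanished,
    and a module nobody pinned (a compile-time infector may drop one).
    """
    current = build_manifest(lib_dir)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: pin a clean library, then simulate an infector.

    File names are illustrative only; they are not a claim about which
    unit the real Induc virus modifies.
    """
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "lib"
        lib.mkdir()
        (lib / "SysConst.dcu").write_bytes(b"clean sysconst unit")
        (lib / "SysUtils.dcu").write_bytes(b"clean sysutils unit")
        manifest = build_manifest(lib)

        # Simulated compile-time infector: rewrite one unit, drop another.
        (lib / "SysConst.dcu").write_bytes(b"clean sysconst unit" + b"\x90" * 16)
        (lib / "Extra.dcu").write_bytes(b"dropped unit")
        return verify_manifest(lib, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is only as trustworthy as the installation it was taken from, so generate it from freshly installed media rather than from a developer workstation that has been in use, and store it outside the build machine (in version control or signed) so that the same infector cannot rewrite both the modules and the record of their hashes.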

Another newcomer, not-a-virus:AdWare.Win32.Boran.z, entered even higher, coming straight in at third place. This program is a component of the Baidu Toolbar for Internet Explorer, which is popular in China. It uses a range of rootkit techniques to stop users from removing the toolbar by the usual means.

Trojan.Win32.Swizzor.b and Packed.Win32.Katusha.b took 14th and 15th place respectively. Both replace earlier versions of the same programs that have figured in previous ratings, and both use considerably more sophisticated and novel obfuscation than their predecessors.

Palevo.jaj took last place in the Top Twenty, succeeding its relative P2P-Worm.Win32.Palevo.ddm, which first appeared in May. This version spreads via file-sharing networks, infects removable media, can also propagate over instant messaging, and carries a backdoor that gives an attacker control of infected machines. It is a considerable threat.

The appearance of Virus.Win32.Induc was the highlight of the month, as it uses a genuinely novel approach to infecting users' computers. Otherwise there were no significant changes to the first Top Twenty in August, unlike the second.

Our second Top Twenty presents data generated by the web antivirus component and reflects the online threat landscape. It covers both malicious programs detected on web pages and malware downloaded from web pages to victim machines.

Position  Change  Name                                   Number of infected web pages
1         New     not-a-virus:AdWare.Win32.Boran.z       16760
2         +1      Trojan-Downloader.HTML.IFrame.sz       5228
3         New     Trojan.JS.Redirector.l                 4693
4         -3      Trojan-Downloader.JS.Gumblar.a         4608
5         New     Trojan-Clicker.HTML.Agent.w            4564
6         New     Exploit.JS.DirektShow.k                4475
7         0       Trojan-GameThief.Win32.Magania.biht    4416
8         -4      Trojan-Downloader.JS.LuckySploit.q     3416
9         -7      Trojan-Clicker.HTML.IFrame.kr          3323
10        -4      Trojan-Downloader.JS.Major.c           2688
11        New     Exploit.JS.Sheat.c                     2684
12        New     Trojan-Downloader.JS.FraudLoad.d       2553
13        -4      Trojan-Clicker.HTML.IFrame.mq          2367
14        -3      Trojan.JS.Agent.aat                    2246
15        -3      Exploit.JS.DirektShow.j                2128
16        New     Trojan-Downloader.JS.IstBar.bh         1973
17        New     Trojan-Downloader.JS.Iframe.bmu        1933
18        New     Exploit.JS.DirektShow.l                1838
19        New     Exploit.JS.DirektShow.q                1753
20        New     Trojan-Downloader.Win32.Agent.ckwd     1504

More than half the entries in August’s second Top Twenty are new examples of cybercriminals’ creativity.

AdWare.Win32.Boran.z, which has already been described, took first place in this rating.

A month ago we wrote about a vulnerability in Internet Explorer. The scripts that exploit it are detected by Kaspersky Lab products as Exploit.JS.DirektShow. July's Top Twenty included three modifications of this exploit (.a, .j and .o); this month there are four (.j, .k, .l and .q), which shows that exploiting this vulnerability remains a very popular approach. Cybercriminals are evidently counting on many users not having installed the security patch, and so keep attacking systems through this hole.

Another vulnerability, this time in Microsoft Office, was also actively exploited in August. One modification of an exploit for it, Exploit.JS.Sheat.c, took 11th place.

Fake, or rogue, antivirus applications are distributed from a number of web pages, and one of the scripts that does this took 12th place in the rating. Kaspersky Anti-Virus detects it as Trojan-Downloader.JS.FraudLoad.d. A visitor to a page carrying this script is told that their computer is infected with a large number of malicious programs and that these can be removed; if the user agrees, a rogue antivirus application (classified as FraudTool) is downloaded to their machine.

Trojan.JS.Redirector.l works by redirecting users' search requests to specific servers in order to inflate those servers' hit counts. Trojan-Downloader.JS.Iframe.bmu is a typical example of malware that bundles a range of exploits, in this case exploits for Adobe products.
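The web rating above is built from three recurring page types: hidden-iframe downloaders and clickers, obfuscated script loaders that unpack an ActiveX-driven exploit such as the DirektShow family, and search redirectors. The following is an added example, not Kaspersky's web antivirus logic, of a first-pass static triage that a web proxy or crawler could apply to fetched HTML before handing suspicious pages to a full script emulator. The rule names, the sample pages and the classid in the exploit sample are all constructed placeholders, not real malicious identifiers or URLs.

```python
"""Heuristic triage of fetched HTML for the page types behind the web rating.

Added example (not the page's or Kaspersky's code). Five regular
expressions capture the traits the report describes; verdict() maps
rule hits onto the rough categories of the rating. Sample pages below
are constructed and the classid in them is a dummy value.
"""
import re
from typing import List

RULES = {
    # <iframe> that is zero-sized or hidden: the usual drive-by dropper/clicker.
    "hidden_iframe": re.compile(
        r"<iframe[^>]*?(?:width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b|"
        r"display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>",
        re.I | re.S,
    ),
    # Runtime decoding of script text, typical of packed loaders.
    "script_obfuscation": re.compile(
        r"(?:eval|unescape|String\.fromCharCode)\s*\(", re.I
    ),
    # Long run of %uXXXX escapes: shellcode/heap-spray payload material.
    "long_hex_blob": re.compile(r"(?:%u[0-9a-f]{4}){20,}", re.I),
    # Instantiation of an ActiveX control, as browser exploits do.
    "activex_instantiation": re.compile(
        r"(?:<object[^>]*classid\s*=\s*[\"']?clsid:|new\s+ActiveXObject\s*\()",
        re.I,
    ),
    # Script- or meta-driven navigation away from the page.
    "redirector": re.compile(
        r"(?:location\.(?:href|replace)\s*[=(]|meta[^>]*http-equiv\s*=\s*[\"']?refresh)",
        re.I,
    ),
}


def triage(html: str) -> List[str]:
    """Return the sorted names of every rule that fires on the page."""
    return sorted(name for name, rx in RULES.items() if rx.search(html))


def verdict(html: str) -> str:
    """Map rule hits onto the coarse categories used in the rating."""
    hits = set(triage(html))
    if "activex_instantiation" in hits and ({"long_hex_blob", "script_obfuscation"} & hits):
        return "exploit"
    if "hidden_iframe" in hits:
        return "iframe-downloader/clicker"
    if "redirector" in hits:
        return "redirector"
    if {"script_obfuscation", "long_hex_blob"} & hits:
        return "obfuscated-loader"
    return "clean"


# Constructed sample pages (placeholder hosts; dummy classid).
IFRAME_CLICKER = (
    '<html><body>news<iframe src="http://example.invalid/ad" '
    'width="0" height="0"></iframe></body></html>'
)
EXPLOIT_PAGE = (
    '<object classid="clsid:00000000-0000-0000-0000-000000000000" id="x"></object>'
    '<script>var sc=unescape("' + "%u9090" * 24 + '");eval(sc);</script>'
)
REDIRECT = (
    '<script>if(document.referrer.indexOf("search")>-1)'
    '{location.href="http://example.invalid/r";}</script>'
)
CLEAN = (
    '<html><body><p>Hello</p><iframe src="https://example.invalid/embed" '
    'width="300" height="200"></iframe></body></html>'
)

if __name__ == "__main__":
    for label, page in [("clicker", IFRAME_CLICKER), ("exploit", EXPLOIT_PAGE),
                        ("redirect", REDIRECT), ("clean", CLEAN)]:
        print(f"{label:9} {verdict(page):26} {triage(page)}")
```

Regular expressions over raw HTML are only a triage layer: a loader that assembles its code from split strings or fetches it from a second script defeats every rule here, which is why a production web scanner emulates the script and inspects what it does rather than how it reads. The value of a cheap pass like this is in prioritising which of thousands of fetched pages get that expensive treatment.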

The trends seen in July are continuing: cybercriminals are still actively exploiting vulnerabilities in popular software, and rogue antivirus applications and simple iframe clickers are still spreading fast. This is unlikely to change next month, since these approaches are tried and tested and have proved successful.

Countries where most attempts to infect computers via the web were recorded:
