Monthly Malware Statistics: December 2008

Two Top Twenties have been compiled from data provided by the Kaspersky Security Network (KSN) throughout December 2008.

The first Top Twenty is based on data collected by version 2009 antivirus products. The ranking is made up of the malicious programs, adware and potentially unwanted programs most frequently detected on users’ computers.

Position	Change in position	Name
1	0	Virus.Win32.Sality.aa
2	0	Packed.Win32.Krap.b
3	2	Trojan-Downloader.Win32.VB.eql
4	0	Worm.Win32.AutoRun.dui
5	New	Trojan.HTML.Agent.ai
6	-3	Trojan-Downloader.WMA.GetCodec.c
7	10	Virus.Win32.Alman.b
8	12	Trojan.Win32.AutoIt.ci
9	-2	Packed.Win32.Black.a
10	New	Worm.Win32.AutoIt.ar
11	3	Worm.Win32.Mabezat.b
12	3	Worm.Win32.AutoRun.eee
13	New	Trojan-Downloader.JS.Agent.czm
14	Return	Trojan.Win32.Obfuscated.gen
15	1	Email-Worm.Win32.Brontok.q
16	-3	Virus.Win32.VB.bu
17	-6	Trojan.Win32.Agent.abt
18	-8	Trojan-Downloader.JS.IstBar.cx
19	-1	Worm.VBS.Autorun.r
20	New	Trojan-Downloader.WMA.GetCodec.r

November’s leaders, Virus.Win32.Sality.aa and Packed.Win32.Krap.b, remained firmly at the top of the rankings. Overall, the composition of the ranking has not changed significantly. Nevertheless, there are some points worth noting.

Last month’s newcomers, the worms Mabezat.b and AutoRun.eee, both moved up three places in December. This reflects the effectiveness with which they spread via portable devices, in addition to using the classic method of spreading via shared network resources. Mabezat.b is also able to infect files. The virus Sality.aa used a similar approach and this propelled it to the top of the rankings. Now Mabezat.b is using the same tricks.

Virus.Win32.Alman.b made an interesting leap of 10 places this month. Part of Alman’s payload is to steal passwords to a variety of online games. Given that gamer activity peaks during the winter months, this rapid ascent is easily explained. It will be interesting to see what happens to this malicious program’s position in the following months.

Two more newcomers, Trojan.HTML.Agent.ai and Trojan-Downloader.JS.Agent.czm, are run-of-the-mill script downloaders and have no particularly interesting features.

A high percentage of malicious programs recently have been written using the AutoIt script language. This is because the language is easy to master, making it simple to create new programs. The sharp rise up the table by Trojan.Win32.AutoIt.ci and the appearance of Worm.Win32.AutoIt.ar among December’s newcomers confirm this development. Like Mabezat.b and AutoRun.eee, Autolt.ar spreads via portable devices.

The presence of two malicious programs representing a family of non-standard malware in the Top Twenty – Trojan-Downloader.WMA.GetCodec – is also of interest. One of them appeared in the Top Twenty for the first time last month, coming straight in at third place, although it did lose ground in December. The other, Trojan-Downloader.WMA.GetCodec.r, is an interesting program. Playing an infected multimedia file results in an executable file being downloaded – this file is P2p-Worm.Win32.Nugg.w, traditionally presented as a codec. When executed, it downloads several archive files containing executable and multimedia files from the Internet. These executables are different variants of P2P-Worm.Win32.Nugg, while the multimedia files are infected by different variants of Trojan-Downloader.WMA.Getcodec. The worm replaces the names of these files with ‘keygen RELOADED.zip’, ‘(hot remix).mp3’ and other names that are likely to interest users and makes them available on the popular peer-to-peer network Gnutella. Unsuspecting users then download these files, ensuring the malicious code continues to spread. This leads us to conclude that even ordinary multimedia files can no longer be trusted, and users who are encouraged to ‘download a codec’ should be on their guard.

All the malware, adware and potentially unwanted programs from this ranking can be broken down into the main categories of threat detected by Kaspersky Lab. The percentages have not changed significantly compared to November. Self-replicating malicious programs are holding their own at 45%, confirming fears that such programs are becoming more common. The percentage shares of self-replicating and Trojan programs have balanced out, accurately reflecting the current malware landscape.

A total of 38190 different malicious and potentially unwanted programs were detected on users’ computers in December. This means that the number of ITW threats has decreased somewhat: in December we detected 7500 fewer than in November (45690).

The second table provides data about the malicious programs most commonly detected in infected objects detected on users’ computers. The majority of the programs listed below have file-infection capability.

Position	Change in position	Name
1	1	Virus.Win32.Sality.aa
2	-1	Worm.Win32.Mabezat.b
3	1	Virus.Win32.Xorer.du
4	New	Trojan-Downloader.HTML.Agent.ml
5	-2	Net-Worm.Win32.Nimda
6	1	Virus.Win32.Alman.b
7	-2	Virus.Win32.Parite.b
8	-2	Virus.Win32.Virut.n
9	-1	Virus.Win32.Sality.z
10	1	Virus.Win32.Virut.q
11	1	Virus.Win32.Parite.a
12	-2	Email-Worm.Win32.Runouce.b
13	1	Worm.Win32.Otwycal.g
14	2	P2P-Worm.Win32.Bacteraloh.h
15	3	Trojan.Win32.Obfuscated.gen
16	New	Worm.Win32.Fujack.cf
17	0	Worm.VBS.Headtail.a
18	-3	Virus.Win32.Hidrag.a
19	-6	Worm.Win32.Fujack.k
20	-11	Virus.Win32.Small.l

The second ranking remains stable, with few changes compared to the November Top Twenty.

One newcomer is Agent.ml, a Trojan downloader. It includes a small amount of code – a malicious iframe block that is added at the end of web pages. When the main page is loaded, the one specified in the iframe is loaded as well. In this case, the page contains malicious JavaScript.

Another début in our Top Twenty is the worm Fujack.cf, a later variant of Fujack.bd, which appeared in October in 19th place and which disappeared from the rankings in November.