Malware reports

Monthly Malware Statistics: December 2009

Malicious programs detected on users’ computers

The first Top Twenty lists malicious programs, adware and potentially unwanted programs that were detected and neutralized when accessed for the first time, i.e. by the on-access scanner.

 

Position Change in position Name Number of infected computers
1 0 Net-Worm.Win32.Kido.ir 265622
2 0 Net-Worm.Win32.Kido.iq 211101
3 0 Net-Worm.Win32.Kido.ih 145364
4 0 Virus.Win32.Sality.aa 143166
5 0 Worm.Win32.FlyStudio.cu 101743
6 New not-a-virus:AdWare.Win32.GamezTar.a 63898
7 -1 not-a-virus:AdWare.Win32.Boran.z 61156
8 -1 Trojan-Downloader.Win32.VB.eql 61022
9 -1 Trojan-Downloader.WMA.GetCodec.s 56364
10 New Trojan.Win32.Swizzor.c 54811
11 New Trojan-GameThief.Win32.Magania.cpct 42676
12 -3 Virus.Win32.Virut.ce 45127
13 -3 Virus.Win32.Induc.a 37132
14 0 Trojan-Dropper.Win32.Flystud.yo 33614
15 3 Packed.Win32.Krap.ag 31544
16 -3 Packed.Win32.Black.a 31340
17 0 Worm.Win32.Mabezat.b 31020
18 -2 Packed.Win32.Klone.bj 28814
19 -7 Packed.Win32.Black.d 28560
20 -5 Worm.Win32.AutoRun.dui 28551

 

Traditionally, the first Top Twenty is relatively stable and December was no exception.
The appearance of three newcomers in sixth, tenth and eleventh places pushed a few other programs down the rankings. The exception was Packed.Win32.Krap.ag, which first entered the rankings last month, and which rose three places this month. Krap.ag, like other representatives of the Packed family, detects a packing program used to pack malicious programs – in this case, rogue antivirus programs. The figures for this malicious program increased slightly, which suggests that cybercriminals are continuing to actively use these programs to turn a profit.

GamezTar.a, which entered in sixth place, is a noteworthy December newcomer. This program is presented as being a toolbar for popular browsers which provides quick access to online games. Of course, it also displays irritating adverts. Additionally, it installs a number of applications that run independently of the toolbar and interfere in online activity, whether it’s searching or displaying content. The EULA (www.gameztar.com/terms.do) does cover all these functions, but the user’s attention is usually focused on the large flashing “click here, get free games” button rather than the almost invisible “terms of service” at the bottom of the screen. It’s highly recommended to read the EULA (if it exists) before downloading any software.

Tenth place is taken by Trojan.Win32.Swizzor.c, a relative of Swizzor.b, which made an appearance in the rankings in August , and Swizzor.a, which dates back to May. The people behind this deftly obfuscated code are not resting on their laurels and regularly create new variants. The actual function of this Trojan is very simple – it downloads other malicious files from the Internet.

Malicious programs on the Internet

The second Top Twenty presents data generated by the web antivirus component, and reflects the online threat landscape. This ranking includes malicious programs detected on web pages and malware downloaded to victim machines from web pages.

 

Position Change in position Name Number of attempted downloads
1 0 Trojan-Downloader.JS.Gumblar.x 445881
2 3 Trojan.JS.Redirector.l 178902
3 New not-a-virus:AdWare.Win32.GamezTar.a 165678
4 -2 Trojan-Downloader.HTML.IFrame.sz 134215
5 New Trojan-Clicker.JS.Iframe.db 128093
6 -2 not-a-virus:AdWare.Win32.Boran.z 109256
7 New Trojan.JS.Iframe.ez 91737
8 New Trojan.JS.Zapchast.bn 64756
9 New Packed.JS.Agent.bn 60361
10 New Packed.Win32.Krap.ai 43042
11 8 Packed.Win32.Krap.ag 41731
12 New Exploit.JS.Pdfka.asd 36044
13 New Trojan.JS.Agent.axe 35309
14 New Trojan-Downloader.JS.Shadraem.a 35187
15 Return Trojan.JS.Popupper.f 33745
16 New not-a-virus:AdWare.Win32.GamezTar.b 33266
17 New Trojan-Downloader.JS.Twetti.a 30368
18 New Trojan-Downloader.Win32.Lipler.iml 28634
19 New Trojan-Downloader.JS.Kazmet.d 28374
20 New Trojan.JS.Agent.axc 26198

 

The second Top Twenty has changed far more than the first, with only a quarter of the programs which featured last month remaining in the rankings. One malicious program re-entered the Top Twenty; however, the rest of the table underwent significant changes.

Gumblar.x remains the leader, but the sites infected with this malware are gradually being cleaned up by webmasters – the number of unique download attempts in December was around a quarter of those seen in November.

Krap.ag, which also figures in the first Top Twenty, moved up 8 places in this ranking. Attempted downloads of this program were up 50% on last month. Just above Krap.ag is Krap.ai, which also detects a dedicated packing program used to pack rogue antivirus programs.

GamezTar.a also makes an appearance in the second Top Twenty. This is unsurprising given the program’s connection to online games. Moreover, another modification of this malicious program – GamezTar.b – entered the rankings in sixteenth place.

In fifth place is Trojan-Clicker.JS.Iframe.db, a typical iframe-downloader with simple obfuscation.

Trojan.JS.Iframe.ez, Trojan.JS.Zapchast.bn, Packed.JS.Agent.bn, Trojan.JS.Agent.axe, Trojan-Downloader.JS.Shadraem.a, and Trojan-Downloader.JS.Kazmet.d are all scripts designed to exploit vulnerabilities in Adobe and Microsoft products in order to download executable files. These programs vary in terms of sophistication and the complexity of obfuscation employed.

Trojan-Downloader.JS.Twetti.a, in 17th place, is a very interesting example of cybercrime creativity. Lots of legitimate sites have been infected with this malware and it’s worth taking a closer look at how it works. Once decrypted, there is no trace of a link to the main executable file and no exploits or links to them! Analysis shows that the script uses an API (application programming interface) popular with both cybercriminals and Twitter.

The Trojan works in the following way: it creates a request to the API which results in data on so-called “trends” – i.e. the topics most discussed on Twitter. The data returned is then used to create an apparently random domain name, which the cybercriminals have registered in advance having used a similar method, and a redirect to this domain is created. The main part of the malware (whether it’s a PDF exploit or an executable file) will be placed on the domain. In other words, the malicious link and the redirect are created on the fly via an intermediary, which in this case happens to be Twitter.

It should be noted that both Packed.JS.Agent.bn and Trojan-Downloader.JS.Twetti.a use a specially crafted PDF file to infect users’ computers. This file is detected as Exploit.JS.Pdfka.asd and it also made it into the second Top Twenty, entering in twelfth place. We can therefore assume that at least three of December’s malicious programs were the handiwork of a single cybercriminal gang. Also a cause for concern is that fact that programs from the TDSS, Sinowal and Zbot families – some of the most dangerous threats currently in existence – were detected among the executable files downloaded to victim machines during drive-by attacks.

Overall, the trends remain the same. Attacks are becoming more sophisticated and more difficult to analyze. Their aim, in the vast majority of cases, is to make money in some way. Virtual threats are no longer purely virtual; they can cause real damage, and this is why is it vital to ensure that your computer and data are protected.

Monthly Malware Statistics: December 2009

Your email address will not be published. Required fields are marked *

 

Reports

How to catch a wild triangle

How Kaspersky researchers obtained all stages of the Operation Triangulation campaign targeting iPhones and iPads, including zero-day exploits, validators, TriangleDB implant and additional modules.

Subscribe to our weekly e-mails

The hottest research right in your inbox