Malicious programs detected on users’ computers
The first Top Twenty lists malicious programs, adware and potentially unwanted programs that were detected and neutralized when accessed for the first time, i.e. by the on-access scanner.
| Position | Change in position | Name | Number of infected computers |
|---|---|---|---|
There was no change to the top 5 malicious programs this month and judging by the number of infections, the Kido epidemic has eased off slightly.
Exploit.JS.Aurora.a, as its name suggests, is a program designed to take advantage of vulnerabilities in a variety of software products. This exploit was widely used in February and consequently entered the ratings in seventh place. Further details are given in the section “Malicious programs on the Internet”.
Other newcomers in February included two adware programs.
FunWeb.q in 20th place is a perfect example of an adware program. It’s a toolbar for popular browsers and provides users with easy access to resources on some websites (usually those with multimedia content). It also modifies the pages visited so that these pages display adverts.
Malicious programs on the Internet
The second Top Twenty presents data generated by the web antivirus component, and reflects the online threat landscape. This ranking includes malicious programs detected on web pages and malware downloaded to victim machines from web pages.
| Position | Change in position | Name | Number of attempted downloads |
|---|---|---|---|
The state of affairs regarding malware on the Internet in February was quite remarkable, which is reflected in our second rating.
First of all, there was a dramatic surge in Gumblar.x, which has once again regained top spot after virtually disappearing completely in January. Last month, we suggested there might be another Gumblar attack and it didn’t take long to materialize. However, this time the black hats haven’t changed their approach in any significant way; they’ve simply been gathering new data that can be used to access websites prior to infecting them en masse. We’ll be keeping track of any further developments.
Secondly, the Pegel epidemic that started in January grew almost six-fold – there are four representatives of this family among the new entries, one of which made it straight to third place. This is a downloader program and in some ways it’s not unlike Gumblar, in that it also infects perfectly legitimate websites. A user that visits an infected site is redirected by the malicious script to a cybercriminal resource. To ensure users don’t suspect anything, the names of popular websites are used in the addresses of malicious pages, for example:
These links lead to pages containing another script which uses a number of different methods to download the main executable file. The methods used are mostly traditional: exploiting vulnerabilities in major software products such as Internet Explorer (CVE-2006-0003) and Adobe Reader (CVE-2007-5659, CVE-2009-0927), as well as downloading via a special Java applet. The main executable file is the now familiar Backdoor.Win32.Bredolab, packed using various malicious packers (several of which are detected as Packed.Win32.Krap.ar and Packed.Win32.Krap.ao). We have already written in some detail about this malware, but it’s worth mentioning again that in addition to its main payload – remote management of infected machines – it can also download other malicious files.
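The Pegel redirects described above borrow the names of popular websites in the addresses of the malicious pages. The following added example (not code from the original report) shows one way a defender can flag such lookalike addresses in web proxy logs: a URL is suspicious when a well-known brand name appears in its hostname or path but the registrable domain is not one of the brand’s own. The brand list, the simplified registrable-domain logic and the proxy log lines are all constructed for this illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list: brand keyword -> domains that genuinely belong to it.
POPULAR_SITES = {
    "google": {"google.com", "google.co.uk"},
    "youtube": {"youtube.com"},
    "microsoft": {"microsoft.com"},
    "adobe": {"adobe.com"},
}

# Simplified stand-in for a public-suffix lookup (assumption: good enough for the demo).
SECOND_LEVEL_SUFFIXES = {"co", "com", "org", "net", "ac", "gov"}

def registrable_domain(host: str) -> str:
    """Return the registrable part of a hostname, e.g. 'evil.example.com' -> 'example.com',
    keeping three labels for suffixes such as 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL_SUFFIXES and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def lookalike_brand(url: str):
    """Return the brand name a URL borrows without belonging to that brand, else None."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    if any(registrable_domain(host) in legit for legit in POPULAR_SITES.values()):
        return None  # genuinely one of the brand's own domains
    haystack = (host + parts.path).lower()
    for brand in POPULAR_SITES:
        if brand in haystack:
            return brand
    return None

# Constructed proxy log lines: epoch timestamp, client IP, method, URL.
PROXY_LOG = """\
1266000000.123 10.0.0.5 GET http://www.google.com/search?q=test
1266000001.456 10.0.0.7 GET http://google.example-cdn.test/update/index.php
1266000002.789 10.0.0.9 GET http://198.51.100.23/youtube/player.php
1266000003.012 10.0.0.5 GET http://www.adobe.com/products/reader.html
"""

def scan_proxy_log(text: str):
    """Return (client, url, borrowed_brand) for each log line that looks like a lookalike."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines
        _ts, client, _method, url = fields[:4]
        brand = lookalike_brand(url)
        if brand:
            hits.append((client, url, brand))
    return hits
```

Lookalike hits here are hunting leads for closer inspection of the fetched script, not proof of infection, since marketing and CDN hostnames can legitimately contain brand names.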
And now back to Exploit.JS.Aurora.a, which was mentioned above. At number nine in the second rating, Aurora.a is the exploit targeting the CVE-2010-0249 vulnerability. It was identified after a massive targeted attack on several versions of Internet Explorer in January.
The attack, which received wide coverage in the IT media, targeted major organizations (including Google and Adobe) and was named Aurora after part of the file path name used in one of the main executable files. The attack was designed to gain access to personal data and corporate intellectual property such as project source code. The attack was carried out using emails with links to malicious sites; these sites contained exploits which resulted in the main executable file being stealthily downloaded to victim machines.
Remarkably, the programmers at Microsoft had been aware of this loophole for a number of months, but it was only patched a month after it began being exploited. It’s worth pointing out that in that time the source code of the exploit became publicly available and only the laziest cybercriminals failed to use it in their attacks: our collection already has more than a hundred malware variants that exploit this vulnerability.
The facts speak for themselves. Vulnerabilities in popular software continue to pose the main threat to users and their data. The fact that cybercriminals are still attempting to exploit vulnerabilities which were detected several years ago is evidence that these vulnerabilities still pose a security threat. Unfortunately, even updating software from major vendors on a regular basis does not guarantee security, as vendors may not always release patches promptly. It’s therefore important to exercise caution – particularly when surfing the Internet – and of course an up-to-date antivirus solution is a must!