Malware reports

Monthly Malware Statistics for August 2008

Table of Contents

In its second month of compiling data, the new Kaspersky Security Network (KSN) technology revealed some significant changes amongst the most widespread malicious programs.

The first table is based on statistics provided by our 2009 antivirus products. This table shows the malicious programs detected on users’ computers.

Position Change in position Name
1 0 Trojan.Win32.DNSChanger.ech
2 New Trojan.Win32.Pakes.kab
3 New Trojan-Downloader.Win32.Agent.xqz
4 New Trojan-Downloader.Win32.Agent.yaw
5 New Trojan-Downloader.Win32.Agent.xws
6 New Trojan-Downloader.Win32.Small.zie
7 New Trojan-Downloader.Win32.Agent.xna
8 New Trojan-Downloader.JS.Agent.chk
9 New Trojan.Win32.Agent.tfc
10 6 not-a-virus:AdWare.Win32.BHO.ca
11 New not-a-virus:AdWare.Win32.Agent.cp
12 -3 Trojan.Win32.Agent.abt
13 New Trojan-Dropper.Win32.Agent.tbd
14 New not-a-virus:AdWare.Win32.BHO.sc
15 New not-a-virus:AdWare.Win32.BHO.vp
16 New Trojan-GameThief.Win32.OnLineGames.sjbb
17 New Trojan-Clicker.Win32.Agent.bkd
18 1 Trojan.Win32.Chifrax.a
19 New Trojan.RAR.Qfavorites.a
20 New Trojan-GameThief.Win32.OnLineGames.sgpq

 

Despite the changes, last month’s leader – Trojan DNSChanger.ech – remains at the top of this ranking. Overall, it is more than three times more widespread than the program which comes in second place. This indicates that there is quite a large-scale epidemic caused by DNSChanger which is affecting Western European countries in particular.

There were a total of 16 new entries to the rankings this month, all of which were added to our antivirus databases in August 2008. Prominent among the newcomers is a group of six Trojan-Downloaders that have occupied 3rd to 8th place. By preventing these Trojan-Downloaders from fulfilling their primary task of downloading the main body of a malicious program, our antivirus products have also blocked mass downloads of other malicious programs to users’ computers.

A number of Adware programs in the form of BHO (Browser Helper Object) also stand out. The large number of these programs is due to the fact that Internet Explorer – the browser such programs are designed to function on – is extremely popular.

Last month’s statistics contained four classes of malicious and potentially unwanted programs (TrojWare, AdWare, VirWare and other MalWare). In August only TrojWare and AdWare remained.

 

A total of 28940 different malicious and potentially unwanted programs were detected on users’ computers in August. That is an increase of more than 8000 on July’s figures and points to a significant increase in the number of in-the-wild threats.

The second table provides data about the most common malicious programs among all infected objects detected. The majority of the programs listed below have file-infection capabilities. The figures given are interesting as they indicate the spread of threats which need to be disinfected, rather than simply dealt with by deleting infected objects.

Position Change in position Name
1 3 Net-Worm.Win32.Nimda
2 8 Virus.Win32.Xorer.du
3 3 Virus.Win32.Parite.b
4 5 Virus.Win32.Virut.n
5 9 Virus.Win32.Parite.a
6 2 Virus.Win32.Alman.b
7 New Trojan.Win32.DNSChanger.ech
8 New Email-Worm.Win32.Runouce.b
9 4 Worm.Win32.Fujack.k
10 9 Worm.VBS.Headtail.a
11 4 Trojan-Downloader.WMA.GetCodec.d
12 New Virus.Win32.Downloader.ax
13 New Trojan-Clicker.HTML.IFrame.js
14 -13 Virus.Win32.Virut.q
15 New Virus.Win32.Small.l
16 -12 Virus.Win32.Hidrag.a
17 -5 Worm.Win32.Otwycal.g
18 New Virus.Win32.Virut.b
19 -14 Virus.Win32.Neshta.a
20 New Virus.Win32.Tenga.a

The changes in this list are less dramatic – only 7 new entries. However, there was some significant movement, with last month’s leader – Virut.q – falling 13 places and Fujack.ap dropping out of the rankings altogether after a second place finish last month.

The surprise leader turned out to be a worm that dates back to 2001. You could have been forgiven for thinking that such a worm would have disappeared from the Internet long ago, but the facts suggest otherwise: Nimda is still active and it’s likely that it’s still present in files that were infected during the epidemics of 2001-2002.

The appearance of Trojan.Win32.DNSChanger.ech in the second table also deserves a mention. This shows that it is constantly modifying itself and can exist in various guises on different computers.

Monthly Malware Statistics for August 2008

Your email address will not be published. Required fields are marked *

 

Reports

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox