Monthly Malware Statistics: July 2009

This malware rating is compiled from data generated by the Kaspersky Security Network (KSN).

The first Top Twenty lists malicious programs, adware and potentially unwanted programs that were detected and neutralized when accessed for the first time, i.e. by using the on-access scanner. Using on-access statistics makes it possible to analyze the most recent, most dangerous and most widespread malicious programs that were blocked when launched on users’ computers or when downloaded from the Internet.

| Position | Change in position | Name | Number of infected computers |
|---|---|---|---|
| 1 | 0 | Net-Worm.Win32.Kido.ih | 51126 |
| 2 | 0 | Virus.Win32.Sality.aa | 24984 |
| 3 | 1 | Trojan-Downloader.Win32.VB.eql | 9472 |
| 4 | 2 | Trojan.Win32.Autoit.ci | 8250 |
| 5 | 0 | Worm.Win32.AutoRun.dui | 6514 |
| 6 | 1 | Virus.Win32.Virut.ce | 5667 |
| 7 | 3 | Virus.Win32.Sality.z | 5525 |
| 8 | 1 | Net-Worm.Win32.Kido.jq | 5496 |
| 9 | -1 | Worm.Win32.Mabezat.b | 4675 |
| 10 | 4 | Net-Worm.Win32.Kido.ix | 4055 |
| 11 | -8 | Trojan-Dropper.Win32.Flystud.ko | 3764 |
| 12 | 5 | Packed.Win32.Klone.bj | 3677 |
| 13 | -1 | Virus.Win32.Alman.b | 3571 |
| 14 | 1 | Worm.Win32.AutoIt.i | 3524 |
| 15 | -2 | Packed.Win32.Black.a | 3472 |
| 16 | -5 | Trojan-Downloader.JS.LuckySploit.q | 3335 |
| 17 | 1 | Email-Worm.Win32.Brontok.q | 3007 |
| 18 | 2 | not-a-virus:AdWare.Win32.Shopper.v | 2841 |
| 19 | 0 | Worm.Win32.AutoRun.rxx | 2798 |
| 20 | New | IM-Worm.Win32.Sohanad.gen | 2719 |

There were no significant changes to the first Top Twenty in July: Kido and Sality remain the runaway leaders.

However, the overall number of computers infected by the most common malicious programs has fallen slightly. This may have something to do with users spending less time in front of their PCs in midsummer, resulting in fewer machines becoming infected with malware.

| Position | Change in position | Name | Number of infected web pages |
|---|---|---|---|
| 1 | 0 | Trojan-Downloader.JS.Gumblar.a | 8538 |
| 2 | 2 | Trojan-Clicker.HTML.IFrame.kr | 7805 |
| 3 | 2 | Trojan-Downloader.HTML.IFrame.sz | 5213 |
| 4 | -1 | Trojan-Downloader.JS.LuckySploit.q | 4719 |
| 5 | New | Trojan-Downloader.HTML.FraudLoad.a | 4626 |
| 6 | 0 | Trojan-Downloader.JS.Major.c | 3778 |
| 7 | New | Trojan-GameThief.Win32.Magania.biht | 2911 |
| 8 | New | Trojan-Downloader.JS.ShellCode.i | 2652 |
| 9 | -1 | Trojan-Clicker.HTML.IFrame.mq | 2576 |
| 10 | New | Exploit.JS.DirektShow.o | 2476 |
| 11 | -2 | Trojan.JS.Agent.aat | 2402 |
| 12 | New | Exploit.JS.DirektShow.j | 2367 |
| 13 | New | Exploit.HTML.CodeBaseExec | 2266 |
| 14 | 0 | Exploit.JS.Pdfka.gu | 2194 |
| 15 | New | Trojan-Downloader.VBS.Psyme.ga | 2007 |
| 16 | New | Exploit.JS.DirektShow.a | 1988 |
| 17 | -10 | Trojan-Downloader.Win32.Agent.cdam | 1947 |
| 18 | -5 | Trojan-Downloader.JS.Agent.czm | 1815 |
| 19 | -17 | Trojan-Downloader.JS.Iframe.ayt | 1810 |
| 20 | New | Trojan-Downloader.JS.Iframe.bew | 1766 |

Everything is a lot more interesting in the second Top Twenty, which presents data generated by the web antivirus component and reflects the online threat landscape. This ranking includes malicious programs detected on web pages and malware which attempted to load from web pages. In other words, the second ranking answers two questions: “What malware most often infects web pages?” and “Which malicious programs are most often downloaded – with or without the user’s knowledge – from malicious or infected pages?”

Looking at the rating, we can see three script exploits named DirektShow. We wrote about the Internet Explorer vulnerability this script exploits in early July (The msvidctl Internet Explorer 0day). As Internet Explorer is the browser of choice for the majority of users, it’s no surprise that this vulnerability was immediately heavily exploited by cybercriminals.

Recently there has been a tendency for cybercriminals to split malicious scripts into several parts – in the case of DirektShow, the main page with the exploit for the msvidctl vulnerability contains a link to another script that downloads shell code with its own malicious payload. Trojan-Downloader.JS.ShellCode.i, in eighth place in our rating, is the shell code most commonly used to exploit this vulnerability. This approach is straightforward and is particularly beneficial for the cybercriminal – the shell code script can be replaced at any time but the link to the main page remains the same. This set-up makes it more difficult to analyze and create detection for such malware, and where automated systems are used, it may be impossible.
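The split layout described above has a practical consequence for defenders: scanning the landing page on its own never sees the payload, because the shellcode lives in a second script fetched from elsewhere. The following Python example, added here and not part of the original report or of Kaspersky's products, assesses a page together with the script bodies it references (supplied by the caller, for instance from a proxy capture). The pages, hostnames, CLSID and script contents are constructed placeholders, not real exploit material; the indicators used are an ActiveX `object` tag, a script loaded from a different host, and a long run of `%uXXXX` escapes passed to `unescape()`.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed samples (not real malware): a landing page that instantiates an
# ActiveX object and pulls a second script from another host, and that second
# script, which carries a long run of %u-escaped bytes passed to unescape().
PAGE_URL = "http://site.example.invalid/index.html"
MAIN_PAGE = """<html><body>
<object classid="clsid:00000000-0000-0000-0000-000000000000" id="o"></object>
<script src="http://stage2.example.invalid/s.js"></script>
</body></html>"""
SECOND_STAGE = {
    "http://stage2.example.invalid/s.js":
        'var p = unescape("' + "%u4141" * 32 + '"); var a = []; '
        'for (var i = 0; i < 100; i++) { a[i] = p + p; }'
}
BENIGN_PAGE = """<html><body>
<script src="/static/app.js"></script>
<p>hello</p></body></html>"""
BENIGN_SCRIPTS = {"/static/app.js": "document.title = 'hi';"}

ESCAPE_RUN = re.compile(r'(?:%u[0-9a-fA-F]{4}){8,}')  # 8+ consecutive %uXXXX units


class PageCollector(HTMLParser):
    """Collects external script sources, inline script bodies and ActiveX
    classids from an HTML document."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self.classids = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.external.append(a["src"])
            else:
                self._in_script = True
        elif tag == "object" and a.get("classid"):
            self.classids.append(a["classid"].lower())

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def script_findings(body: str, origin: str) -> list:
    """Indicators in one script body: unescape() plus a long %u-escape run is
    the pattern shellcode carried as a string would show."""
    out = []
    runs = ESCAPE_RUN.findall(body)
    if runs:
        out.append(f"escape-run:{origin}:{max(len(r) // 6 for r in runs)}")
    if "unescape(" in body:
        out.append(f"unescape:{origin}")
    return out


def assess_page(page_url: str, html: str, scripts: dict) -> dict:
    """Assess a page together with the script bodies it references. `scripts`
    maps each src (as written in the page) to its captured body; a script whose
    body was not captured is reported as unresolved rather than ignored."""
    page_host = urlparse(page_url).hostname
    c = PageCollector()
    c.feed(html)
    findings = [f"activex:{clsid}" for clsid in c.classids]
    for src in c.external:
        host = urlparse(src).hostname
        if host and host != page_host:
            findings.append(f"cross-host-script:{host}")
        if src in scripts:
            findings += script_findings(scripts[src], src)
        else:
            findings.append(f"unresolved-script:{src}")
    for i, body in enumerate(c.inline):
        findings += script_findings(body, f"inline#{i}")
    has_payload = any(f.startswith("escape-run:") for f in findings)
    has_stage = any(f.startswith("cross-host-script:") for f in findings)
    if has_payload and (has_stage or c.classids):
        verdict = "suspicious"
    elif has_payload or has_stage:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    print(assess_page(PAGE_URL, MAIN_PAGE, SECOND_STAGE))
    print(assess_page(PAGE_URL, BENIGN_PAGE, BENIGN_SCRIPTS))
```

The point of the `unresolved-script` finding is the one the report makes: when the second-stage body cannot be retrieved (it has been swapped out, or the host serves it only once), the landing page still shows the cross-host load and should be queued for review instead of being cleared.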

In order to make spreading malware (specifically ransomware in the form of rogue antivirus applications) easier, the same web templates are used over and over again. Trojan-Downloader.HTML.FraudLoad.a – a new entry in July – is an example of this approach: the detection actually covers one of the stock templates. Such malware is becoming increasingly popular in the world of cybercrime. As a result, a huge number of websites are appearing which claim that the user’s computer is infected and then download programs which are not only annoying but also often pose a real threat. In twentieth place in July’s rating – Trojan-Downloader.JS.Iframe.bew – is one such script used to download malicious programs from such sites.
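Detecting a stock template rather than any one site built from it works because the rebranded copies share their page structure while the text, images and hostnames change. The Python example below, added here and not taken from the original report or from Kaspersky's detection logic, reduces a page to its tag skeleton (tag names and attribute names only), hashes that skeleton for exact template matches, and computes a tag-3-gram Jaccard similarity for templates that were edited slightly. The two fake-scanner pages and the blog page are constructed samples with placeholder hostnames.

```python
import hashlib
from html.parser import HTMLParser

# Constructed sample pages (not captured content): two fake-scanner pages that
# differ in wording, branding and hosts but share one layout, plus an unrelated
# blog page. Hostnames are placeholders.
TEMPLATE_A = """<html><head><title>Security Scan</title></head><body>
<div class="hdr"><img src="http://a.example.invalid/logo.gif"></div>
<div class="scan"><p>Scanning system files...</p>
<table><tr><td>file1.dll</td><td>Threat found</td></tr></table></div>
<div class="dl"><a href="http://a.example.invalid/setup.exe">Remove all threats</a></div>
</body></html>"""
TEMPLATE_B = """<html><head><title>PC Protector</title></head><body>
<div class="top"><img src="http://b.example.invalid/brand.png"></div>
<div class="results"><p>Checking registry</p>
<table><tr><td>kernel32.dll</td><td>Infected</td></tr></table></div>
<div class="get"><a href="http://b.example.invalid/install.exe">Clean now</a></div>
</body></html>"""
BLOG_PAGE = """<html><head><title>Blog</title></head><body>
<h1>Post</h1><p>text</p><ul><li>a</li><li>b</li></ul>
<form action="/c"><input name="q"></form></body></html>"""


class SkeletonExtractor(HTMLParser):
    """Reduces a page to its tag skeleton: tag names plus sorted attribute
    names, in document order. Text, attribute values and script bodies are
    dropped, so rebranding a template does not change the skeleton."""
    def __init__(self):
        super().__init__()
        self.tokens = []

    def handle_starttag(self, tag, attrs):
        names = ",".join(sorted(name for name, _ in attrs))
        self.tokens.append(f"<{tag}[{names}]>")

    def handle_endtag(self, tag):
        self.tokens.append(f"</{tag}>")


def skeleton(html: str) -> list:
    ex = SkeletonExtractor()
    ex.feed(html)
    ex.close()
    return ex.tokens


def skeleton_hash(html: str) -> str:
    """Exact fingerprint of the layout; equal hashes mean the same template."""
    return hashlib.sha256("\n".join(skeleton(html)).encode()).hexdigest()


def _shingles(tokens: list, n: int = 3) -> set:
    return {tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)}


def skeleton_similarity(html_a: str, html_b: str) -> float:
    """Jaccard similarity of tag 3-grams, for templates that were edited a
    little rather than copied verbatim."""
    a, b = _shingles(skeleton(html_a)), _shingles(skeleton(html_b))
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster_by_template(pages: dict) -> dict:
    """Group page names by exact template hash."""
    groups = {}
    for name, html in pages.items():
        groups.setdefault(skeleton_hash(html), []).append(name)
    return groups


if __name__ == "__main__":
    pages = {"a": TEMPLATE_A, "b": TEMPLATE_B, "blog": BLOG_PAGE}
    for h, names in cluster_by_template(pages).items():
        print(h[:16], names)
    print(skeleton_similarity(TEMPLATE_A, BLOG_PAGE))
```

In practice the exact hash is what a signature for a stock template amounts to, and the similarity score is what catches the copies that someone has lightly reworked; a threshold around 0.8 on the 3-gram score is a reasonable starting point to tune against a corpus.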

The second Top Twenty provides an overview of the current online threats as well as the underlying trends. Firstly, cybercriminals are focusing on finding new vulnerabilities in the most popular software with the aim of exploiting them to achieve their goal – infecting computers with one or, more often than not, several malicious programs. Secondly, cybercriminals attempt to hide their activity so that it either passes unnoticed or seems to result in minimal damage to the infected machine.

All this makes surfing the Internet without a fully-patched operating system or an up-to-date antivirus solution tantamount to swimming in shark-infested waters – and this applies to even the most experienced users.

Countries where most attempts to infect computers via the web were recorded:
