The first Top Twenty list below shows malware, adware and potentially unwanted programs that were detected and neutralized by the on-access scanner when they were accessed for the first time.
Position | Change in position | Name | Number of infected computers |
1 | 0 | Net-Worm.Win32.Kido.ir | 261718 |
2 | 0 | Virus.Win32.Sality.aa | 174504 |
3 | 0 | Net-Worm.Win32.Kido.ih | 158735 |
4 | 0 | Net-Worm.Win32.Kido.iq | 119114 |
5 | 0 | Exploit.JS.Agent.bab | 108936 |
6 | 0 | Trojan.JS.Agent.bhr | 104420 |
7 | 0 | Worm.Win32.FlyStudio.cu | 80196 |
8 | 0 | Virus.Win32.Virut.ce | 59988 |
9 | -1 | Trojan-Downloader.Win32.VB.eql | 47798 |
10 | -1 | Worm.Win32.Mabezat.b | 40859 |
11 | 1 | Trojan-Dropper.Win32.Flystud.yo | 31707 |
12 | new | Worm.Win32.Autoit.xl | 31215 |
13 | new | P2P-Worm.Win32.Palevo.aomy | 30775 |
14 | -3 | P2P-Worm.Win32.Palevo.fuc | 26027 |
15 | new | Exploit.JS.CVE-2010-0806.aa | 25928 |
16 | new | P2P-Worm.Win32.Palevo.aoom | 25300 |
17 | new | Hoax.Win32.ArchSMS.ih | 24578 |
18 | 2 | Trojan.Win32.AutoRun.ke | 24185 |
19 | new | Packed.Win32.Katusha.n | 23030 |
20 | -5 | Trojan-Downloader.Win32.Geral.cnh | 22947 |
The first half of this list remained unchanged from last month, with viruses such as Sality and Virut and the infamous Kido worm all maintaining their positions. The second half, however, threw up a few surprises with six new entries. Let’s look at each of them in turn.
Worm.Win32.Autoit.xl, in twelfth place, is a malicious AutoIt with a varied payload: it can disable Windows Firewall, apply software restriction policies, or download and install other malware. Interestingly, Brazil was responsible for almost a quarter of all infections detected, while approximately another 50% were in Russia and Ukraine.
P2P-Worm.Win32.Palevo.aomy, in thirteenth place, and P2P-Worm.Win32.Palevo.aoom in sixteenth are two new representatives of the P2P-Worm Palevo family already familiar from previous Top Twenty ratings.
Exploit.JS.CVE-2010-0806.aa, a new modification of an exploit for the CVE-2010-0806 vulnerability identified back in March, has entered the Top Twenty in fifteenth place. Cybercriminals are currently making active use of script obfuscation and anti-emulation techniques, which has led to the appearance of new variants of the exploit. Two other entries in this list – Exploit.JS.Agent.bab (fifth place) and Trojan.JS.Agent.bhr (sixth place) – also make use of the same vulnerability. These three programs also made it into the second set of rankings, which examines malware detected on the Internet.
Hoax.Win32.ArchSMS.ih in seventeenth place is yet another newcomer to our rating. It is used as part of a completely new type of scam. The program mainly spreads under the guise of a legitimate piece of freeware. When the application is opened, a window appears stating that the program is archived and that in order to get the password to unpack it, anywhere from one to three SMS messages need to be sent. Each message can cost anything up to 500 roubles (around $16), and in return the user receives either a malicious program, a link to a torrent site or even an error message or an empty archive file. The vast majority of computers where this program has been detected are located in Russian-speaking countries; users in Russia were the most affected, followed by those in Ukraine, Kazakhstan, Belarus, Azerbaijan and Moldova.
The malicious packer Packed.Win32.Katusha.n in nineteenth place is a program used to protect various malicious programs from antivirus software. This detection also covers rogue antivirus solutions which are packed using Katusha.
Malicious programs on the Internet
The second Top Twenty list below shows data generated by the web antivirus component and reflects the online threat landscape. This table includes malware and potentially unwanted programs which are detected on web pages or to victim machines from web pages.
Position | Change in position | Name | Number of attempted downloads |
1 | 1 | Exploit.JS.Agent.bab | 169086 |
2 | new | Trojan-Downloader.JS.Pegel.bp | 123446 |
3 | 1 | Exploit.Java.CVE-2010-0886.a | 65794 |
4 | 3 | AdWare.Win32.FunWeb.q | 58848 |
5 | new | Trojan-Downloader.VBS.Agent.zs | 58591 |
6 | -1 | Trojan.JS.Agent.bhr | 57978 |
7 | return | Exploit.Java.Agent.f | 53677 |
8 | new | Trojan-Downloader.Java.Agent.fl | 53468 |
9 | 2 | AdWare.Win32.FunWeb.ds | 45362 |
10 | new | Trojan.JS.Agent.bhl | 45139 |
11 | 3 | AdWare.Win32.Shopper.l | 37790 |
12 | new | Exploit.HTML.CVE-2010-1885.a | 36485 |
13 | new | AdWare.Win32.Boran.z | 28852 |
14 | new | Exploit.Win32.IMG-TIF.b | 28238 |
15 | new | Exploit.JS.Pdfka.bys | 28084 |
16 | new | Trojan.JS.Agent.bmh | 27706 |
17 | new | Exploit.JS.CVE-2010-0806.aa | 26896 |
18 | new | Exploit.JS.Pdfka.cny | 26231 |
19 | new | AdWare.Win32.FunWeb.ci | 26014 |
20 | new | Trojan.JS.Redirector.cq | 26001 |
As the table above shows, July saw twelve new entries in this list.
The notorious Pegel, which has remained active over the last three months, claimed second place in July with the .bp modification of the script downloader.
Half of the programs in this list are exploits, eight of which target known vulnerabilities.
Just like last month, Exploit.JS.Agent.bab, which targets the CVE-2010-0806 vulnerability, heads this rating. The same vulnerability is also used by the new entry Exploit.JS.CVE-2010-0806.aa in seventeenth place and Trojan.JS.Agent.bhr in sixth place. Thus, it appears that, contrary to expectations, there has been an upsurge in the targeting of CVE-2010-0806 rather than a decline.
The Java platform presence was bolstered in July by the return to this rating of Exploit.Java.Agent.f in seventh place and a new entry, Trojan-Downloader.Java.Agent.jl in eighth place. These two programs target the CVE-2010-3867 vulnerability and are downloaded by Trojan.JS.Agent.bmh script, which takes sixteenth place.
The new entry Exploit.HTML.CVE-2010-1885.a in third place is a script that exploits the CVE-2010-1885 vulnerability. We blogged about this vulnerability, before it became widely targeted. The file containing the malicious code is an HTML page which includes an iframe with a specially crafted address.
Fragment of Exploit.HTML.CVE-2010-1885.a
When this file is launched, another script (which Kaspersky Lab detects as Trojan-Downloader.JS.Psyme.aoy), is downloaded. This script in turn downloads and launches malware from the Trojan-GameThief.Win32.Magania family that steals passwords to online games. The intermediary script uses an interesting method to mask the malicious link – it is written back to front (see the screenshot below).
Fragment of the Trojan-Downloader.JS.Psyme.aoy script used by Exploit.HTML.CVE-2010-1885.a
We wrote about Exploit.Win32.IMG-TIF.b, which targets the CVE-2010-0188 vulnerability, back in March, but it has only started to actively spread very recently. It’s interesting to note that the virus writers made virtually no use of this vulnerability for two or three months after it was officially acknowledged.
Exploit.JS.Pdfka.bys, in fifteenth place, and Exploit.JS.Pdfka.cny in eighteenth are both scripts that exploit various vulnerabilities in Adobe products.
Five of the Top Twenty are adware programs: three variants of AdWare.Win32.FunWeb (in fourth, ninth and nineteenth places), AdWare.Win32.Shopper.l (eleventh place) and AdWare.Win32.Boran.z (thirteenth place). Boran.z is a new entry that was first detected in October 2009. It is a BHO module that comes together with a driver designed to protect it.
Trojan.JS.Agent.bhl is another program that displays irritating adverts, and yet another new entry. This script opens pop-up windows and uses a range of technologies to bypass pop-up blockers. The screenshot below shows displaying comments and the code the module uses to bypass Norton Internet Security.
The rest of the programs in this list are all designed to spread other malicious programs.
Conclusion
The figures for July once again reflect the trend for exploiting vulnerabilities in order to spread malware. Programs making use of vulnerabilities have even made it into the list of malicious programs detected on users’ computers.
The script downloader Pegel and the vulnerabilities it targets (CVE-2010-0806, CVE-2010-3867 etc.) are still very widespread despite the efforts of the antivirus industry, and Adobe and Microsoft who have been quick to release patches. A large number of programs that exploited the recently publicized vulnerabilities CVE-2010-0188 and CVE-2010-1885 were detected in July.It’s also worth mentioning the rapid spread of Stuxnet, a rootkit driver that uses genuine digital signatures. The worm is still making use of a vulnerability in LNK files (Microsoft Windows shortcut) that has yet to be addressed. The vulnerability allows a random dll to be run without user interaction if a shortcut icon for the program is displayed.
The one piece of good news is that Gumblar has stopped spreading. But for how long?
Monthly Malware Statistics July 2010