Malware reports

Monthly Malware Statistics: May 2010

Malicious programs detected on users’ computers

The first Top Twenty list immediately below shows malware, adware and potentially unwanted programs that were detected and neutralized by the on-access scanner when they were accessed for the first time.

Position Change in position Name Number of infected computers
1   0 Net-Worm.Win32.Kido.ir   339585  
2   0 Virus.Win32.Sality.aa   210257  
3   0 Net-Worm.Win32.Kido.ih 201746  
4   0 Net-Worm.Win32.Kido.iq   169017  
5   9 Trojan.JS.Agent.bhr   161414  
6   -1 Worm.Win32.FlyStudio.cu   127835  
7   -1 Virus.Win32.Virut.ce   70189  
8   0 Trojan-Downloader.Win32.VB.eql   66486  
9   0 Worm.Win32.Mabezat.b   54866  
10   0 Trojan-Dropper.Win32.Flystud.yo   50490  
11   0 Worm.Win32.AutoIt.tc   47044  
12   1 Packed.Win32.Krap.l   44056  
13   New Trojan.JS.Iframe.lq   38658  
14   New Trojan.Win32.Agent2.cqzi   35423  
15   1 Trojan.Win32.Autoit.ci   34670  
16   New Trojan-GameThief.Win32.Magania.dbtv   31066  
17   New Trojan-Downloader.Win32.Geral.cnh   30225  
18   New Trojan.JS.Zapchast.dv   29592  
19   -2 Virus.Win32.Induc.a   28522  
20   -8 Exploit.JS.CVE-2010-0806.e   27606  

During May there were five new entries to the list.

Variants of the CVE-2010-0806 exploit left the Top 20 list as swiftly as they had joined it a month ago. However, malware writers are nowhere near through with exploiting the CVE-2010-0806 vulnerability. In May, Trojan.JS.Agent.bhr, a component of one of the CVE-2010-0806 exploit versions, moved up nine places to take up 5th position. The newcomer, Trojan.JS.Iframe.lq (13th place) is nothing but an intermediate link of a drive-by attack: it is used to redirect the user to Exploit.JS.CVE-2010-0806.i. Another piece of malware with a direct relationship to the CVE-2010-0806 vulnerability is Trojan.JS.Zapchast.dv. This Trojan is part of Exploit.JS.CVE-2010-0806.e which is currently in 20th place.

Trojan-GameThief.Win32.Magania.dbtv in 16th place lends support to the assumption that we made around a month ago concerning the purpose of the above exploits. Malware writers mainly use them to steal online gaming identities. This particular credential thief has impacted players of CabalOnline, Metin2, Mu Online and various games developed by Nexon.net.

The general scheme of infection is as follows:

  1. The user first visits a website contaminated by Trojan.JS.Iframe.lq, Trojan.JS.Zapchast.dv or either of the two versions of the CVE-2010-0806 exploit.
  2. The exploit then downloads Trojan-Downloader.Win32.Geral.cnh. This is a Trojan downloader that packs a pretty massive payload. Its malicious arsenal includes: two rootkits to help it hide from any security software; the Worm.Win32.Autorun component to ensure that the Trojan can propagate via detachable memory devices, and a download algorithm to allow the cybercriminals to use to-download lists.
  3. The Geral component downloads various versions of Trojan-PSW.Win32.QQPass, Trojan-GameTheif.Win32.OnlineGames/WOW/Magania, including Trojan-GameThief.Win32.Magania.dbtv, to the victim computer.

Malicious programs on the Internet

The second Top Twenty list below shows data generated by the web antivirus component and reflects the online threat landscape. This table includes malware detected on web pages and malware downloaded to victim machines from web pages.

Position Change in position Name Number of attempted downloads
1   New Trojan-Clicker.JS.Iframe.bb   397667  
2   New Exploit.Java.CVE-2010-0886.a   244126  
3   New Trojan.JS.Redirector.cq   194285  
4   New Exploit.Java.Agent.f   108869  
5   New Trojan.JS.Agent.bhr   107202  
6   New Exploit.Java.CVE-2009-3867.d   85120  
7   -2 not-a-virus:AdWare.Win32.FunWeb.q   82309  
8   -6 Exploit.JS.CVE-2010-0806.i   79192  
9   -5 Exploit.JS.CVE-2010-0806.b   76093  
10   New Trojan.JS.Zapchast.dv   73442  
11   -2 Trojan-Clicker.JS.Agent.ma   68033  
12   New Trojan.JS.Iframe.lq   59109  
13   New Trojan-Downloader.JS.Agent.fig   56820  
14   5 not-a-virus:AdWare.Win32.Shopper.l   50497  
15   2 Exploit.JS.CVE-2010-0806.e   50442  
16   -4 Trojan.JS.Redirector.l   50043  
17   New Trojan.JS.Redirector.cj   47179  
18   -2 not-a-virus:AdWare.Win32.Boran.z   43514  
19   -6 Trojan-Dropper.Win32.VB.amlh   43366  
20   New Exploit.JS.Pdfka.chw   42362  

All of the malicious programs listed above have seen changes to their positions.

First place is occupied by Trojan-Clicker.JS.Iframe.bb, which infected almost 400,000 websites during May alone. This Trojan aims to increase website hit counts by making the victim computers visit them without the users’ knowledge or consent.

The new Trojan.JS.Redirector.cq (in 3rd place) redirects visitors to websites distributing rogue antivirus programs.

Seven malicious programs in the Top 20 are exploits. It is remarkable that three newcomers, namely Exploit.Java.CVE-2010-0886.a, Exploit.Java.Agent.f, and Exploit.Java.CVE-2009-3867.d are exploits for the Java platform.

One of them is Exploit.Java.CVE-2010-0886.a which ended up in 2nd place. This malicious program consists of two parts: a downloader written in JavaScript and a Java applet. The downloader uses the launch function from the Java Development Toolkit. This function uses as a parameter a string composed of several parameter keys and the URL where the malicious Java applet is located. The JavaScript code surreptitiously initiates execution of a Java program on the victim computer which in most cases is a Trojan downloader. The downloader in its turn downloads a malicious executable file and launches it on the victim computer. Interestingly, CVE-2010-0886.a gained much of its popularity because it used the Pegel downloader for one of its attacks. A description of Pegel is given in our February statistics overview.

The second newcomer, Exploit.Java.CVE-2009-3867.d is in 6th place. This exploit uses the stack overflow technique by calling the function getSoundBank. This function is used to download media content and expects to get the URL of a soundbank object as its parameter. This vulnerability enables the cybercriminals to use a shell code with which they can then run any code they want to on the victim computer.

The above exploits are typically associated with redirectors and legitimate, but infected, websites. The list of such ‘companion’ malware in May includes Trojan.JS.Agent.bhr (in 5th place), Trojan.JS.Zapchast.dv (in 10th place), Trojan.JS.Iframe.lq (in 12th place) and Trojan-Downloader.JS.Agent.fig (in 13th place).

Countries launching the most web-borne infections:

Conclusion

In recent months cybercriminals have actively used exploits in order to steal users’ confidential data. Changes have been affecting malware propagation techniques and methods that prevent the analysis and detection of malware.

Eleven of May’s Top 20 malicious programs from the Internet are different exploits and their related Trojans. These malicious programs occupy five consecutive Top 20 places starting from 2nd place and then appear on the list in groups of two or three variants.

It is also worth noting that users of Sun software are strongly advised to check for software updates on a regular basis. This advice is given as there is a lot of malware around exploiting the vulnerabilities in the Java platform.

Monthly Malware Statistics: May 2010

Your email address will not be published. Required fields are marked *

 

Reports

BlindEagle flying high in Latin America

Kaspersky shares insights into the activity and TTPs of the BlindEagle APT, which targets organizations and individuals in Colombia, Ecuador, Chile, Panama and other Latin American countries.

APT trends report Q2 2024

The report features the most significant developments relating to APT groups in Q2 2024, including the new backdoor in Linux utility XZ, a new RAT called SalmonQT, and hacktivist activity.

Subscribe to our weekly e-mails

The hottest research right in your inbox