Authors
Malicious programs detected on users’ computers
The first Top Twenty list immediately below shows malware, adware and potentially unwanted programs that were detected and neutralized by the on-access scanner when they were accessed for the first time.
| Position | Change in position | Name | Number of infected computers |
| 1 |  0 |
Net-Worm.Win32.Kido.ir | 339585 |
| 2 |  0 |
Virus.Win32.Sality.aa | 210257 |
| 3 |  0 |
Net-Worm.Win32.Kido.ih | 201746 |
| 4 |  0 |
Net-Worm.Win32.Kido.iq | 169017 |
| 5 |  9 |
Trojan.JS.Agent.bhr | 161414 |
| 6 |  -1 |
Worm.Win32.FlyStudio.cu | 127835 |
| 7 |  -1 |
Virus.Win32.Virut.ce | 70189 |
| 8 |  0 |
Trojan-Downloader.Win32.VB.eql | 66486 |
| 9 |  0 |
Worm.Win32.Mabezat.b | 54866 |
| 10 |  0 |
Trojan-Dropper.Win32.Flystud.yo | 50490 |
| 11 |  0 |
Worm.Win32.AutoIt.tc | 47044 |
| 12 |  1 |
Packed.Win32.Krap.l | 44056 |
| 13 |  New |
Trojan.JS.Iframe.lq | 38658 |
| 14 |  New |
Trojan.Win32.Agent2.cqzi | 35423 |
| 15 |  1 |
Trojan.Win32.Autoit.ci | 34670 |
| 16 |  New |
Trojan-GameThief.Win32.Magania.dbtv | 31066 |
| 17 |  New |
Trojan-Downloader.Win32.Geral.cnh | 30225 |
| 18 |  New |
Trojan.JS.Zapchast.dv | 29592 |
| 19 |  -2 |
Virus.Win32.Induc.a | 28522 |
| 20 |  -8 |
Exploit.JS.CVE-2010-0806.e | 27606 |
During May there were five new entries to the list.
Variants of the CVE-2010-0806 exploit left the Top 20 list as swiftly as they had joined it a month ago. However, malware writers are nowhere near through with exploiting the CVE-2010-0806 vulnerability. In May, Trojan.JS.Agent.bhr, a component of one of the CVE-2010-0806 exploit versions, moved up nine places to take up 5th position. The newcomer, Trojan.JS.Iframe.lq (13th place) is nothing but an intermediate link of a drive-by attack: it is used to redirect the user to Exploit.JS.CVE-2010-0806.i. Another piece of malware with a direct relationship to the CVE-2010-0806 vulnerability is Trojan.JS.Zapchast.dv. This Trojan is part of Exploit.JS.CVE-2010-0806.e which is currently in 20th place.
Trojan-GameThief.Win32.Magania.dbtv in 16th place lends support to the assumption that we made around a month ago concerning the purpose of the above exploits. Malware writers mainly use them to steal online gaming identities. This particular credential thief has impacted players of CabalOnline, Metin2, Mu Online and various games developed by Nexon.net.
The general scheme of infection is as follows:
- The user first visits a website contaminated by Trojan.JS.Iframe.lq, Trojan.JS.Zapchast.dv or either of the two versions of the CVE-2010-0806 exploit.
- The exploit then downloads Trojan-Downloader.Win32.Geral.cnh. This is a Trojan downloader that packs a pretty massive payload. Its malicious arsenal includes: two rootkits to help it hide from any security software; the Worm.Win32.Autorun component to ensure that the Trojan can propagate via detachable memory devices, and a download algorithm to allow the cybercriminals to use to-download lists.
- The Geral component downloads various versions of Trojan-PSW.Win32.QQPass, Trojan-GameTheif.Win32.OnlineGames/WOW/Magania, including Trojan-GameThief.Win32.Magania.dbtv, to the victim computer.
Malicious programs on the Internet
The second Top Twenty list below shows data generated by the web antivirus component and reflects the online threat landscape. This table includes malware detected on web pages and malware downloaded to victim machines from web pages.
| Position | Change in position | Name | Number of attempted downloads |
| 1 |  New |
Trojan-Clicker.JS.Iframe.bb | 397667 |
| 2 |  New |
Exploit.Java.CVE-2010-0886.a | 244126 |
| 3 |  New |
Trojan.JS.Redirector.cq | 194285 |
| 4 |  New |
Exploit.Java.Agent.f | 108869 |
| 5 |  New |
Trojan.JS.Agent.bhr | 107202 |
| 6 |  New |
Exploit.Java.CVE-2009-3867.d | 85120 |
| 7 |  -2 |
not-a-virus:AdWare.Win32.FunWeb.q | 82309 |
| 8 |  -6 |
Exploit.JS.CVE-2010-0806.i | 79192 |
| 9 |  -5 |
Exploit.JS.CVE-2010-0806.b | 76093 |
| 10 |  New |
Trojan.JS.Zapchast.dv | 73442 |
| 11 |  -2 |
Trojan-Clicker.JS.Agent.ma | 68033 |
| 12 |  New |
Trojan.JS.Iframe.lq | 59109 |
| 13 |  New |
Trojan-Downloader.JS.Agent.fig | 56820 |
| 14 |  5 |
not-a-virus:AdWare.Win32.Shopper.l | 50497 |
| 15 |  2 |
Exploit.JS.CVE-2010-0806.e | 50442 |
| 16 |  -4 |
Trojan.JS.Redirector.l | 50043 |
| 17 |  New |
Trojan.JS.Redirector.cj | 47179 |
| 18 |  -2 |
not-a-virus:AdWare.Win32.Boran.z | 43514 |
| 19 |  -6 |
Trojan-Dropper.Win32.VB.amlh | 43366 |
| 20 |  New |
Exploit.JS.Pdfka.chw | 42362 |
All of the malicious programs listed above have seen changes to their positions.
First place is occupied by Trojan-Clicker.JS.Iframe.bb, which infected almost 400,000 websites during May alone. This Trojan aims to increase website hit counts by making the victim computers visit them without the users’ knowledge or consent.
The new Trojan.JS.Redirector.cq (in 3rd place) redirects visitors to websites distributing rogue antivirus programs.
Seven malicious programs in the Top 20 are exploits. It is remarkable that three newcomers, namely Exploit.Java.CVE-2010-0886.a, Exploit.Java.Agent.f, and Exploit.Java.CVE-2009-3867.d are exploits for the Java platform.
One of them is Exploit.Java.CVE-2010-0886.a which ended up in 2nd place. This malicious program consists of two parts: a downloader written in JavaScript and a Java applet. The downloader uses the launch function from the Java Development Toolkit. This function uses as a parameter a string composed of several parameter keys and the URL where the malicious Java applet is located. The JavaScript code surreptitiously initiates execution of a Java program on the victim computer which in most cases is a Trojan downloader. The downloader in its turn downloads a malicious executable file and launches it on the victim computer. Interestingly, CVE-2010-0886.a gained much of its popularity because it used the Pegel downloader for one of its attacks. A description of Pegel is given in our February statistics overview.
The second newcomer, Exploit.Java.CVE-2009-3867.d is in 6th place. This exploit uses the stack overflow technique by calling the function getSoundBank. This function is used to download media content and expects to get the URL of a soundbank object as its parameter. This vulnerability enables the cybercriminals to use a shell code with which they can then run any code they want to on the victim computer.
The above exploits are typically associated with redirectors and legitimate, but infected, websites. The list of such ‘companion’ malware in May includes Trojan.JS.Agent.bhr (in 5th place), Trojan.JS.Zapchast.dv (in 10th place), Trojan.JS.Iframe.lq (in 12th place) and Trojan-Downloader.JS.Agent.fig (in 13th place).
Countries launching the most web-borne infections:
Conclusion
In recent months cybercriminals have actively used exploits in order to steal users’ confidential data. Changes have been affecting malware propagation techniques and methods that prevent the analysis and detection of malware.
Eleven of May’s Top 20 malicious programs from the Internet are different exploits and their related Trojans. These malicious programs occupy five consecutive Top 20 places starting from 2nd place and then appear on the list in groups of two or three variants.
It is also worth noting that users of Sun software are strongly advised to check for software updates on a regular basis. This advice is given as there is a lot of malware around exploiting the vulnerabilities in the Java platform.
Authors
From the same authors
In the same category
Monthly Malware Statistics: May 2010