Online threats: Steering clear of drive-by downloads
By far the biggest threat to users this month was drive-by downloads. This type of attack can result in users’ computers being infected even when visiting legitimate sites.
Here’s a quick reminder of how drive-by downloads infect computers. First, a user visits either a legitimate site that has been compromised or a site belonging to cybercriminals, on which a redirect script is located. A good example of such a script is Downloader.JS.Pegel, one of the most prevalent redirects of recent times. The redirect leads to a script downloader, which in turn is used to launch exploits. As a rule, the exploits are downloaded to users’ computers, where they abuse vulnerable programs to launch malicious executable files, most of which are backdoors.
The Top 20 malicious programs detected on the Internet in November included a total of nine exploits, three redirects and one script downloader that were used for carrying out drive-by downloads.
Redirects and script downloaders
The drive-by download process begins with redirects, several of which feature among the leading malicious programs detected on the Internet. November found Trojan.HTML.IFrame.dl in 5th place, Trojan.JS.IFrame.pg at 10th place and Trojan.JS.Redirector.lc appearing in 20th position. They were closely followed by Trojan.JS.Redirector.np at 25th in the table and Trojan-Downloader.JS.Iframe.bzn at 29th.
Users in the USA, Russia, France and the UK were most at risk of infection by Trojan-Downloader.JS.Agent.frs.
Java-based downloaders and exploits
The last two months have seen an explosion in the number of malicious programs that make up the Trojan-Downloader.Java.OpenConnection family. These programs play the same role as exploits do in a drive-by attack, but instead of using vulnerabilities to download malware to victims’ computers, they simply call the openConnection() method of Java’s URL class to fetch it.
In November, Trojan-Downloader.Java.OpenConnection.bu topped the ranking of malicious programs detected on the Internet, with two more programs that also use the OpenConnection method appearing in 21st and 26th places respectively.
The distribution of downloaders written in Java mirrored that of Trojan-Downloader.JS.Agent.frs, suggesting that Java downloaders and script downloaders are being used together by cybercriminals to carry out drive-by download attacks.
In addition to Java downloaders, Java-based exploits are appearing in increasing numbers as well, a good example being exploits for the relatively old CVE-2009-3867 vulnerability in the getSoundBank function. Not to be left out, the abovementioned Trojan-Downloader.JS.Agent.frs also makes use of Java exploits.
What makes Java so appealing to the cybercriminals is that it is a multiplatform programming language, meaning that malware written in Java can be used on all operating systems where Java virtual machines are installed.
This is most probably linked to Adobe’s efforts to patch holes in its products. In November, the company released Adobe Reader X with a built-in sandbox feature that should allow exploits to be counteracted more effectively.
TOP 20 Malicious Programs on the Internet
| Position | Change in position | Name | Number of users |
We’ve already written about them, but there appears to be no let-up in the popularity of fake archives. The method behind this scam is highly effective – when users look for something via a search engine, a page is automatically generated with a banner offering the desired information.
The user is then asked to send one or more SMSs to a premium-rate number in order to access the contents of an archive. The end result is that, instead of receiving the information they wanted, users normally find that the archive is either empty, “corrupt” or contains a torrent file, etc.
The screenshot below shows an example of a fraudulent offer to download archived information:
Fake archives are detected by Kaspersky Lab products as variants of the Hoax.Win32.ArchSMS family. ArchSMS is primarily blocked on computers in the CIS.
Malware detected on users’ computers
For the cybercriminals, threats that spread via local networks and removable media are far too good to be ignored.
That is why it should be no surprise that Virus.Win32.Sality.aa made it to 3rd place in this month’s table, with Virus.Win32.Virut.ce in 6th place and Virus.Win32.Sality.bh in 8th position – these three are among the most common threats detected on users’ computers during November. What makes these threats all the more dangerous is the fact that they can also infect executable files.
Malware targeting vulnerabilities that have already been patched also pops up in this month’s Top 20 rating, with Kido (otherwise known as Conficker) occupying the top two slots. Exploits that target the CVE-2010-2568 vulnerability in shortcuts are still doing the rounds too, coming in at 13th and 14th places respectively. These two are renowned for spreading Stuxnet and other potent malware, which once again highlights how important it is for users to install patches and updates for their operating systems and software as soon as they become available.