Monthly Malware Statistics: September 2009

Contents

    The numbers both Top Twenty ratings are based on have decreased. This is due to a staggered launch of the new KAV/KIS products in different countries and many users migrating to Kaspersky Lab’s 2010 products. Data from the 2010 product line has not been used in compiling September’s ratings, but will be used in the future.

     

    Position Change in position Name Number of infected computers
    1 top20_noch 0 Net-Worm.Win32.Kido.ih 41033
    2 top20_noch 0 Virus.Win32.Sality.aa 18027
    3 top20_noch 0 not-a-virus:AdWare.Win32.Boran.z 12470
    4 top20_new New Net-Worm.Win32.Kido.ir 11384
    5 top20_down -1 Trojan-Downloader.Win32.VB.eql 6433
    6 top20_down -1 Trojan.Win32.Autoit.ci 6168
    7 top20_up 3 Virus.Win32.Induc.a 5947
    8 top20_down -2 Virus.Win32.Virut.ce 5433
    9 top20_new New P2P-Worm.Win32.Palevo.jdb 5169
    10 top20_down -2 Net-Worm.Win32.Kido.jq 4288
    11 top20_new New Worm.Win32.FlyStudio.cu 4104
    12 top20_down -5 Worm.Win32.AutoRun.dui 4071
    13 top20_down -4 Virus.Win32.Sality.z 4056
    14 top20_up 6 P2P-Worm.Win32.Palevo.jaj 3564
    15 top20_down -4 Worm.Win32.Mabezat.b 2911
    16 top20_new New Exploit.JS.Pdfka.ti 2823
    17 top20_new New Trojan-Downloader.WMA.Wimad.y 2544
    18 top20_noch 0 Trojan-Dropper.Win32.Flystud.yo 2513
    19 top20_new New P2P-Worm.Win32.Palevo.jcn 2480
    20 top20_new New Trojan.Win32.Refroso.bpk 2387

     

    Kido (Conficker) remains active. Kido.ih, the leader of this Top Twenty for the last six months, has been joined by another variant, Kido.ir, which is a newcomer to the rankings. This detection covers all the autorun.inf files which the worm creates in order to spread via removable media.

    The Palevo worm is spreading relatively quickly, with two new variants – Palevo.jdb and Palevo.jcn – making it into September’s rating. Meanwhile, Palevo.jaj, a new entry last month, has moved up 6 places, the biggest jump in the rating in September. The increase in the number of these two pieces of malware is mainly due to the fact that they can spread via removable devices, indicating that this propagation method remains extremely effective.

    FlyStudio.cu, a worm of Chinese origin confirms this, as it also spreads via removable devices. This malware also has the backdoor function so common in today’s malware.

    New entries in this month’s rating include a new variant of the Wimad multimedia downloader Wimad – Trojan-Downloader.WMA.Wimad.y – which has previously made an appearance in the ratings. This variant doesn’t differ fundamentally from previous variants: when it’s launched, it tries to download and execute a malicious file, in this case not-a-virus:AdWare.Win32.PlayMP3z.a.

    Another new entry, Exploit.JS.Pdfka.ti, is examined in more detail below, as it also entered the second Top Twenty.

    The most striking feature of the first Top Twenty is the amount of self-propagating malware, which continues to make its presence felt.

     

    Position Change in position Name Number of attempted downloads
    1 top20_noch 0 not-a-virus:AdWare.Win32.Boran.z 17624
    2 top20_up 1 Trojan.JS.Redirector.l 16831
    3 top20_down -1 Trojan-Downloader.HTML.IFrame.sz 6586
    4 top20_new New Exploit.JS.Pdfka.ti 3834
    5 top20_new New Trojan-Clicker.HTML.Agent.aq 3424
    6 top20_up 4 Trojan-Downloader.JS.Major.c 2970
    7 top20_down -3 Trojan-Downloader.JS.Gumblar.a 2583
    8 top20_new New Exploit.JS.ActiveX.as 2434
    9 top20_down -1 Trojan-Downloader.JS.LuckySploit.q 2224
    10 top20_down -3 Trojan-GameThief.Win32.Magania.biht 1627
    11 top20_new New Exploit.JS.Agent.ams 1502
    12 top20_up 4 Trojan-Downloader.JS.IstBar.bh 1476
    13 top20_new New Trojan-Downloader.JS.Psyme.gh 1419
    14 top20_new New Exploit.JS.Pdfka.vn 1396
    15 top20_ret Return Exploit.JS.DirektShow.a 1388
    16 top20_down -10 Exploit.JS.DirektShow.k 1286
    17 top20_ret Return not-a-virus:AdWare.Win32.Shopper.l 1268
    18 top20_ret Return not-a-virus:AdWare.Win32.Shopper.v 1247
    19 top20_new New Trojan-Clicker.JS.Agent.jb 1205
    20 top20_new New Exploit.JS.Sheat.f 1193

     

    Once again, there has been a lot of movement in the second Top Twenty since last month.

    This ranking includes two variants of Exploit.JS.Pdfka. This is the name given to JavaScript files which are detected in PDF documents and used to exploit a range of vulnerabilities in Adobe products. In this case, the malware exploits vulnerabilities in Adobe Reader. Pdfka.ti exploits a vulnerability in the Collab.collectEmailInfo function that has been around for two years now. Pdfka.vn exploits a slightly newer vulnerability in the getIcon function of the same Collab object.

    Cyber criminals have been making a concerted effort to exploit all vulnerabilities in Adobe products – a number of which have been detected in recent years – regardless of product version. This increases the possibility of malware being downloaded to unpatched computers. Because of this threat, commonly used software from major vendors (in this case, Adobe) should be updated as soon as security patches are released.

    Exploit.JS.DirektShow and Exploit.JS.Sheat are two malware families which figured in previous ratings; they remain active, with DirektShow.a making a comeback and Sheat.f making its first appearance.

    The other new entries in the second Top Twenty are either run-of-the-mill iframe-clickers or part of a malicious script (July’s Malware Statistics contains details on how malicious scripts are often split into several parts.)

    Overall, the trends of the last few months were maintained in September. Web malware bundles designed to exploit the myriad vulnerabilities found in major products are still increasing in number, giving cyber criminals plenty of opportunities for malicious activity. Simple iframe-clickers placed on legitimate, but infected sites, help spread these bundles. And cyber criminals are able to access these legitimate sites and place malware on them because they have previously used other malware designed to steal confidential data such as passwords. These steps all make up a cyclical process of compromise and infection which can be endlessly repeated.

    Image at the very end of the post

    Related Posts

    Leave a Reply

    Your email address will not be published. Required fields are marked *