Malware reports

Online Scanner Top Twenty for October 2007

| Position | Change in position | Name | Percentage (%) |
|---|---|---|---|
| 1 | New | Packed.Win32.NSAnti.r | 2.27 |
| 2 | -1 | Trojan.Win32.Dialer.qn | 2.12 |
| 3 | No change | Email-Worm.Win32.Brontok.q | 1.99 |
| 4 | +5 | not-a-virus:AdWare.Win32.BHO.cc | 1.44 |
| 5 | +1 | Email-Worm.Win32.Rays | 1.33 |
| 6 | Return | Backdoor.IRC.Zapchast | 1.31 |
| 7 | -3 | Trojan-Downloader.Win32.Small.ddp | 1.27 |
| 8 | No change | Virus.VBS.Small.a | 1.13 |
| 9 | -4 | not-a-virus:Monitor.Win32.Perflogger.ca | 1.08 |
| 10 | +2 | IM-Worm.Win32.Sohanad.t | 1.03 |
| 11 | -4 | not-a-virus:PSWTool.Win32.RAS.a | 1.03 |
| 12 | New | Trojan-Downloader.VBS.Psyme.ga | 0.82 |
| 13 | +2 | IM-Worm.Win32.Sohanad.as | 0.82 |
| 14 | No change | Trojan.Win32.Obfuscated.en | 0.80 |
| 15 | +2 | Worm.Win32.AutoIt.c | 0.78 |
| 16 | New | Trojan.Win32.VB.atg | 0.71 |
| 17 | -6 | not-a-virus:Monitor.Win32.Perflogger.ad | 0.67 |
| 18 | -5 | Trojan-Spy.Win32.Perfloger.ab | 0.65 |
| 19 | New | Trojan-Downloader.Win32.AutoIt.q | 0.64 |
| 20 | New | not-a-virus:Porn-Dialer.Win32.AdultBrowser | 0.61 |
| | | Other malicious programs | 77.50 |


Our online virus scanner’s October rankings are a bit unusual. What makes them stand out from previous months is a stability that we have not seen before. Three malicious programs managed to retain the same positions as they had last month. Most of the other malicious programs showed insignificant changes and what’s more, only five malicious programs are new to the rankings: this is an unprecedentedly low figure for our most volatile statistics.

Yet again, the leader has changed. October’s top position was taken by Packed.Win32.NSAnti.r, a whole family of different Trojans packed using the “hacker” protector NSAnti. The first variants appeared as long ago as last October, and since then we have detected over 8,000 modifications! It seems that this family has now reached a peak.

The Rays and Brontok worms have taken residence in the top quarter of the ranking, marking a triumphant comeback from beyond the Top Twenty. They spent July and August in the outer darkness beyond the bottom of the rankings. It’s likely that users will continue to experience problems with these worms, which for the most part spread via removable media (flash memory cards), for a long time to come.

The adware program BHO.cc, which was first detected in early July and which is distributed together with the BitAccelerator program, has gone up five positions. Interestingly, Google finds over 2,700,000 links for this name. If this program is so popular, fourth place, which it currently occupies, is clearly not the limit.

The script virus VBS.Small.a is September’s leader in terms of growth. Although it remains in 8th place, it uses the same method as Rays and Brontok to spread, so it is likely to remain in our rankings and may even go up a few places.

The Sohanad IM worms are becoming increasingly widespread: the .t and .as variants have gone up two positions each, with Sohanad.t reaching 10th place.

The number of programs in the not-a-virus class is slightly smaller than last month. Five such programs made it into the Online Top Twenty in October, down from seven in September.

There are no other significant changes in the rankings. Even the return of Backdoor.IRC.Zapchast to sixth place can’t be regarded as significant: the program has been present in our statistics for so long that a single disappearance followed by a subsequent comeback can only be viewed as a one-off event rather than a stable trend.

As before, Trojan spies are represented by one program, a modified variant of the legitimate keylogging program Perflogger.

New: Packed.Win32.NSAnti.r, Trojan-Downloader.VBS.Psyme.ga, Trojan.Win32.VB.atg, Trojan-Downloader.Win32.AutoIt.q, not-a-virus:Porn-Dialer.Win32.AdultBrowser.

Moved up: not-a-virus:AdWare.Win32.BHO.cc, Email-Worm.Win32.Rays, IM-Worm.Win32.Sohanad.t, IM-Worm.Win32.Sohanad.as, Worm.Win32.AutoIt.c.

Moved down: Trojan.Win32.Dialer.qn, Trojan-Downloader.Win32.Small.ddp, not-a-virus:Monitor.Win32.Perflogger.ca, not-a-virus:PSWTool.Win32.RAS.a, not-a-virus:Monitor.Win32.Perflogger.ad, Trojan-Spy.Win32.Perfloger.ab.

No change: Email-Worm.Win32.Brontok.q, Virus.VBS.Small.a, Trojan.Win32.Obfuscated.en.
