Windows malware

A host of events took place in the world of IT threats during the first quarter of 2011.

The following statistics were compiled in April using data from computers running Kaspersky Lab products: 221 mln network attacks blocked,190 mln malicious programs detected, 86 mln heuristic verdicts registered.

The Artro botnet has been around since early 2008. However, a full description of its functionality is still not available, so to rectify this, we decided to publish the results of a study we undertook.

We recently discovered a new bootkit, i.e. a malicious program which infects the hard drive’s boot sector. Kaspersky Lab detects it as Rookit.Win32.Fisp.a.

We found a new malicious application that disguises itself as a Kaspersky Trial Resetter (an application that can be used to reset a software evaluation period that has expired).

A trojan called Bohu that was spreading earlier this year caught people’s attention. Amongst other things, Bohu also prevents access to a Kaspersky server – which can be turned into an online infection check.

This is Kaspersky Lab’s annual threat analysis report covering the major issues faced by corporate and individual users alike as a result of malware, potentially harmful programs, crimeware, spam, phishing and other different types of hacker activity.

A new variant of the rootkit, TDL-4, which can infect both 32-bit and 64-bit operating systems, appeared sometime between July and August, 2010.

Programs for cracking commercial software are, sadly, not unpopular. They have also caught the attention of malware writers, who prepared a couple of surprises for those who don’t mind a free ride every now and then.

The tactics used by the cybercriminals remained the same. Surfing the web is still a dangerous pastime, while social engineering is routinely used to entice users into opening malicious links or downloading malicious or fraudulent programs.

In early December, Kaspersky Lab experts detected samples of the malicious program TDL4 (a new modification of TDSS) which uses a 0-day vulnerability for privilege escalation under Windows 7/2008 x86/x64 (CVE: 2010-3888).

GpCode.ax is not the only piece of ransomware today. We’ve just discovered a malware which overwrites the master boot record (MBR) and demands a ransom to retrieve a password and restore the original MBR.

You may have noticed that we lowered our internet threat level to low risk. We have taken another look at Email-Worm.Win32.VBMania and its prevalence and came to the conclusion the increased threat level was not warranted.

We’ve identified a worm called VBMania. This might not sound like anything much, but in contrast to most worms today, it spreads via email. Real old school.

The TDSS rootkit first appeared in 2008. Since then, it has become far more widespread than the notorious rootkit Rustock. The rootkit’s malicious payload and the difficulties it presents for analysis are effectively similar to those of the bootkit.