Virus Top 20 for October 2007

If this month’s Top Twenty had been prepared using data from the first 26 days of October, two important malware related events would have been missing.

We’re talking about two mass mailings that took place right at the end of the month. They turned out to be among the biggest mass mailings we’ve seen in the last few months, especially on the Russian Internet.

The first pushed Fraud.ay, a phishing attack, into second place in the rankings. This was caused by unidentified cybercriminals who were once again trying to get access to Yandex.Money user accounts. To this end, they created dozens of fake websites and organized a spam mailing “requesting” that users follow the link provided in the message and enter their account information. It’s interesting that the cybercriminals were so laid back that they didn’t even bother to check the links they included in the phishing message. They made an error in the website address which prevented the site from being opened from within Microsoft Outlook and Outlook Express, both standard email clients. The only email client that ignored the error and opened the web page was The Bat! This was the client used to create the message, and the cybercriminals hadn’t bothered to check if it worked with other mail clients.

Furthermore, the phishing sites were located on resources that had previously been used for similar attacks and which were denylisted by the Anti-Phishing Working Group. As a result, anti-phishing filters built into Internet Explorer 7 and Firefox blocked these sites.

As a result, the whole affair turned out to be a storm in a teacup. The attack was on a large scale, but ineffective for all that.

The second attack, which started on Friday, October 26, was more interesting. Email traffic was flooded with messages that included a PDF file. This file contained a known and recently discovered exploit for a vulnerability in Adobe products. When the PDF file was opened, this resulted in malicious code being executed and a Trojan downloader being installed. The attack is in sixth place in our rankings: Exploit.Win32.PDF-URI.k

The third newcomer is a classic file virus, Virut.a. It was first detected in May 2006, but now it has made it to the Virus Top Twenty. How? The method is common enough among today’s viruses: it infects the files of email worms. This case demonstrates how malicious code can act in the same way as a sucker fish, an approach which is not new in the world of malware. Virut uses this method to spread across the globe by piggybacking on other worms.

All other positions in the Virus Top Twenty are occupied by the old worms that we know so well: NetSky, Mydoom, Bagle, Feebs, Nyxem and Scano. Even the re-entry of Lovegate.w is not unexpected, since this worm remains relatively active in countries near its region of origin, South-East Asia.

The only newcomer to September’s Top Twenty, the Paylap.bg phishing attack, has sunk to last place.

Other malicious programs made up just over 8% of all malicious code in mail traffic, indicating that there is still a relatively large number of other worm and Trojan families in circulation.

Summary:

• New: Trojan-Spy.HTML.Fraud.ay, Exploit.Win32.PDF-URI.k, Virus.Win32.Virut.a
• Went up: Worm.Win32.Feebs.gen, Email-Worm.Win32.NetSky.t, Net-Worm.Win32.Mytob.t, Net-Worm.Win32.Mytob.u
• Went down: Email-Worm.Win32.NetSky.aa, Email-Worm.Win32.Mydoom.l, Email-Worm.Win32.Bagle.gt, Email-Worm.Win32.Nyxem.e, Net-Worm.Win32.Mytob.c, Email-Worm.Win32.NetSky.b, Net-Worm.Win32.Mytob.dam, Exploit.Win32.IMG-WMF.y, Trojan-Spy.HTML.Paylap.bg
• Re-entry: Email-Worm.Win32.LovGate.w