Virus Top 20 for October 2007

Position  Change   Name                            Proactive detection flag / note                     Percentage
1         =        Email-Worm.Win32.NetSky.q       Trojan.generic                                      20.11
2         New      Trojan-Spy.HTML.Fraud.ay        (phishing email)                                    10.83
3         -1       Email-Worm.Win32.NetSky.aa      Trojan.generic                                      9.07
4         +3       Worm.Win32.Feebs.gen            Hidden Data Sending                                 5.97
5         -2       Email-Worm.Win32.Mydoom.l       Trojan.generic                                      5.85
6         New      Exploit.Win32.PDF-URI.k         (PDF exploit)                                       5.17
7         +1       Email-Worm.Win32.NetSky.t       Trojan.generic                                      4.94
8         -4       Email-Worm.Win32.Bagle.gt       Trojan.generic                                      4.31
9         -4       Email-Worm.Win32.Nyxem.e        Trojan.generic                                      4.16
10        -4       Net-Worm.Win32.Mytob.c          Trojan.generic                                      4.12
11        =        Email-Worm.Win32.NetSky.x       Trojan.generic                                      2.72
12        =        Email-Worm.Win32.Scano.gen      Trojan.generic                                      2.61
13        +1       Net-Worm.Win32.Mytob.t          Worm.P2P.generic                                    2.37
14        New      Virus.Win32.Virut.a             (file infector, not operational if KAV installed)   1.87
15        +3       Net-Worm.Win32.Mytob.u          Worm.P2P.generic                                    1.75
16        -6       Email-Worm.Win32.NetSky.b       Trojan.generic                                      1.40
17        Return   Email-Worm.Win32.LovGate.w      Trojan.generic                                      1.28
18        -3       Net-Worm.Win32.Mytob.dam        (damaged files)                                     1.28
19        -6       Exploit.Win32.IMG-WMF.y         (WMF exploit)                                       1.07
20        -11      Trojan-Spy.HTML.Paylap.bg       (phishing email)                                    1.07
          Other malicious programs                                                                    8.05

"=" in the Change column means the position is unchanged from September; "Return" means the entry was absent from September's ranking. Percentages are the share of all malicious code detected in mail traffic during October 2007.
If this month's Top Twenty had been prepared using data from only the first 26 days of October, two important malware-related events would have been missed entirely.

We’re talking about two mass mailings that took place right at the end of the month. They turned out to be among the biggest mass mailings we’ve seen in the last few months, especially on the Russian Internet.

The first pushed Fraud.ay, a phishing attack, into second place in the rankings. It was the work of unidentified cybercriminals who were once again trying to get access to Yandex.Money user accounts. To this end, they created dozens of fake websites and organized a spam mailing "requesting" that users follow the link provided in the message and enter their account details. Tellingly, the cybercriminals were careless enough not to test the links they included in the phishing message. They made an error in the website address which prevented the site from being opened from within Microsoft Outlook and Outlook Express, the two standard email clients. The only email client that ignored the error and opened the web page was The Bat!, which was the client used to compose the message; the cybercriminals never checked whether the link worked anywhere else.

Furthermore, the phishing sites were hosted on resources that had previously been used for similar attacks and that had already been denylisted by the Anti-Phishing Working Group (APWG). As a result, the anti-phishing filters built into Internet Explorer 7 and Firefox blocked these sites out of the box.

As a result, the whole affair turned out to be a storm in a teacup. The attack was on a large scale, but ineffective for all that.

The second attack, which began on Friday, October 26, was more interesting. Mail traffic was flooded with messages carrying a PDF attachment. The file contained a known, recently discovered exploit for a vulnerability in Adobe products: simply opening the PDF caused malicious code to execute and a Trojan downloader to be installed. Because the exploit fires on open, user caution is of little help here; the effective controls are patching the reader and filtering suspicious PDF attachments at the mail gateway. The attack sits in sixth place in our rankings as Exploit.Win32.PDF-URI.k.
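The two mass mailings described above (the Fraud.ay phishing links and the PDF-URI.k attachments) are the kind of thing a mail-gateway triage script should catch before a user ever sees them. The following is an added example written for this page, not Kaspersky's detection logic and not a signature for either family. The denylist, the sample messages and the PDF bytes are all constructed for illustration; the PDF check is a generic heuristic that flags action dictionaries (/URI, /Launch, /JavaScript, /OpenAction) in an emailed document, and the real exploit's URI is deliberately not reproduced.

```python
"""Mail-gateway triage for phishing HTML links and PDF attachments with actions.

Added example; not the page's or Kaspersky's code. All inputs are constructed.
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical local denylist standing in for an APWG-style feed (assumption).
DENYLISTED_HOSTS = {"yandex-money-login.example", "money-yandex.example"}

# PDF action keys that an emailed document rarely has a legitimate reason to carry.
PDF_ACTION_RE = re.compile(rb"/(URI|Launch|JavaScript|JS|OpenAction)\b")
PDF_URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_html_links(html: str) -> list:
    """Flag links to denylisted hosts and links whose visible URL names a different host."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if host in DENYLISTED_HOSTS:
            findings.append(f"denylisted host: {host}")
        shown = text.lower()
        if shown.startswith("www."):
            shown = "http://" + shown
        if shown.startswith(("http://", "https://")):
            shown_host = urlparse(shown).hostname or ""
            if host and shown_host != host:
                findings.append(f"link text shows {shown_host} but points at {host}")
    return findings


def check_pdf(data: bytes) -> list:
    """Flag action dictionaries and non-web URIs inside a PDF attachment."""
    if not data.startswith(b"%PDF-"):
        return ["attachment claims to be PDF but lacks %PDF- header"]
    findings = []
    actions = sorted({m.group(1).decode() for m in PDF_ACTION_RE.finditer(data)})
    if actions:
        findings.append("PDF actions present: " + ", ".join(actions))
    for m in PDF_URI_RE.finditer(data):
        uri = m.group(1).decode("latin-1")
        if not uri.lower().startswith(("http://", "https://")):
            findings.append(f"non-web URI in PDF: {uri}")
    return findings


def triage_message(raw: bytes) -> list:
    """Walk a raw RFC 822 message and return all findings from its parts."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        ctype = part.get_content_type()
        fname = (part.get_filename() or "").lower()
        if ctype == "text/html":
            findings += check_html_links(part.get_content())
        elif ctype == "application/pdf" or fname.endswith(".pdf"):
            findings += check_pdf(part.get_payload(decode=True) or b"")
    return findings


# Constructed samples: a phishing mail and a mail with a PDF carrying a /URI action.
# The PDF is a minimal placeholder object, not a real exploit document.
CONSTRUCTED_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Action /S /URI "
                   b"/URI (mailto:someone@example.test) >> endobj\n%%EOF\n")


def _build_samples():
    phish = EmailMessage()
    phish["Subject"] = "Confirm your account"
    phish.set_content("Please view this message in an HTML-capable client.")
    phish.add_alternative('<p>Sign in at <a href="http://yandex-money-login.example/auth">'
                          'https://money.yandex.ru</a></p>', subtype="html")
    pdfmail = EmailMessage()
    pdfmail["Subject"] = "Invoice"
    pdfmail.set_content("See attached.")
    pdfmail.add_attachment(CONSTRUCTED_PDF, maintype="application",
                           subtype="pdf", filename="invoice.pdf")
    return phish.as_bytes(), pdfmail.as_bytes()


PHISH_RAW, PDF_RAW = _build_samples()

if __name__ == "__main__":
    for name, raw in (("phish", PHISH_RAW), ("pdf", PDF_RAW)):
        print(name, triage_message(raw))
```

The link check deliberately compares only visible text that itself looks like a URL, so brand names in anchor text do not trigger false mismatches; the PDF check reports any action dictionary at all, since the presence of /URI or /Launch in an unsolicited attachment is the useful signal, whatever the specific vulnerability being exploited.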

The third newcomer is a classic file virus, Virut.a. It was first detected in May 2006, but has only now made it into the Virus Top Twenty. How? By a method common enough among today's viruses: it infects the executable files of email worms, so every copy of an infected worm that gets mailed out carries Virut along with it. This is the malware equivalent of a remora riding a shark, and the approach is not new; Virut uses it to spread across the globe by piggybacking on other worms.

All other positions in the Virus Top Twenty are occupied by the old worms we know so well: NetSky, Mydoom, Bagle, Feebs, Nyxem and Scano. Even the re-entry of LovGate.w is not unexpected, since this worm remains relatively active in countries near its region of origin, South-East Asia.

The only newcomer to September’s Top Twenty, the Paylap.bg phishing attack, has sunk to last place.

Other malicious programs made up just over 8% of all malicious code in mail traffic, indicating that there is still a relatively large number of other worm and Trojan families in circulation.

Summary:

  • New: Trojan-Spy.HTML.Fraud.ay, Exploit.Win32.PDF-URI.k, Virus.Win32.Virut.a
  • Went up: Worm.Win32.Feebs.gen, Email-Worm.Win32.NetSky.t, Net-Worm.Win32.Mytob.t, Net-Worm.Win32.Mytob.u
  • Went down: Email-Worm.Win32.NetSky.aa, Email-Worm.Win32.Mydoom.l, Email-Worm.Win32.Bagle.gt, Email-Worm.Win32.Nyxem.e, Net-Worm.Win32.Mytob.c, Email-Worm.Win32.NetSky.b, Net-Worm.Win32.Mytob.dam, Exploit.Win32.IMG-WMF.y, Trojan-Spy.HTML.Paylap.bg
  • Re-entry: Email-Worm.Win32.LovGate.w
