Monthly Malware Statistics: October 2009

05 Nov 2009
Virus News

Kaspersky Lab presents its monthly malware statistics for October. From this month onwards, the data used is gathered from all products which use the Kaspersky Security Network (KSN), i.e. products from both the 2009 and 2010 lines. As a result, the Top Twenties have changed somewhat, and the figures in both ratings this month are significantly higher, due to an increased numbers of users participating in KSN.

The first Top Twenty lists malicious programs, adware and potentially unwanted programs that were detected and neutralized when accessed for the first time, i.e. by the on-access scanner.


PositionChange in positionNameNumber of infected computers
1   3Net-Worm.Win32.Kido.ir  344745  
2   -1Net-Worm.Win32.Kido.ih  126645  
3   0not-a-virus:AdWare.Win32.Boran.z  114776  
4   -2Virus.Win32.Sality.aa  87839  
5   6Worm.Win32.FlyStudio.cu  70163  
6   -1Trojan-Downloader.Win32.VB.eql  52012  
7   0Virus.Win32.Induc.a  49251  
8   NewPacked.Win32.Black.d  39666  
9   NewWorm.Win32.AutoRun.awkp  35039  
10   -3Virus.Win32.Virut.ce  33354  
11   ReturnPacked.Win32.Black.a  31530  
12   -1Worm.Win32.AutoRun.dui  25370  
13   4Trojan-Dropper.Win32.Flystud.yo  24038  
14   NewTrojan-Dropper.Win32.Agent.bcyx  22471  
15   ReturnPacked.Win32.Klone.bj  21919  
16   ReturnTrojan.Win32.Swizzor.b  19496  
17   NewTrojan-Downloader.WMA.GetCodec.s  18571  
18   -4Worm.Win32.Mabezat.b  19708  
19   NewTrojan-GameThief.Win32.Magania.cbrt  17610  
20   NewTrojan-Dropper.Win32.Agent.ayqa  16909  

Net-Worm.Win32.Kido.ir, which made its first appearance last month, has replaced the traditional leader, Kido.ih. This demonstrates once again that infected removable media are a major source of infection.

Still on the subject of removable media, Autorun.dui, which appears regularly in the ratings, has been joined by a very similar program, Autorun.awkp, which entered in 9th place. These malicious programs, as the name suggests, automatically run malware on removable devices.

Packed.Win32.Black.a, Packed.Win32.Klone.bj and Trojan.Win32.Swizzor.b returned to the first Top Twenty this month. Moreover, Black.a has been joined by a new version – Black.d. To recap, the Packed.Win32.Black family includes programs that have been packed with unlicensed versions of legitimate utilities used to protect executable files. In this particular case the packer is ASProtect, a utility often used by cybercriminals.

Another new addition is the multimedia Trojan downloader program GetCodec.s. This Trojan is related to GetCodec.r which we wrote about in December of last year (www.viruslist.com/en), and spreads with the help of P2P-Worm.Win32.Nugg, just as the previous variant did.

There has been a renewed surge of activity from the once notorious Magania family. In July, Trojan-GameThief.Win32.Magania.biht was among the top 20 most common malicious programs on the Internet. In October, a new version – Magania.cbrt – as well as Trojan-Dropper.Win32.Agent.ayqa, which is linked to Magania, were among the 20 malicious programs most often detected on users’ computers.

To summarize the first rating: malicious programs that spread via removable devices were again prevalent this month, and there was noticeable gaming Trojan activity (although this is has not yet reached significant levels).

The second Top Twenty presents data generated by the web antivirus component, and reflects the online threat landscape. This ranking includes malicious programs detected on web pages and malware downloaded to victim machines from web pages.

As usual the second rating has undergone some major changes since last month.


PositionChange in positionNameNumber of attempted downloads
1   NewTrojan-Downloader.JS.Gumblar.x  459779  
2   NewTrojan-Downloader.JS.Gumblar.w  281057  
3   0Trojan-Downloader.HTML.IFrame.sz  192063  
4   -3not-a-virus:AdWare.Win32.Boran.z  171278  
5   -3Trojan.JS.Redirector.l  157494  
6   -1Trojan-Clicker.HTML.Agent.aq  118361  
7   NewTrojan-Downloader.JS.Zapchast.m  112710  
8   ReturnTrojan.JS.Agent.aat  107132  
9   NewTrojan-Downloader.JS.Small.oj  60425  
10   NewExploit.JS.Agent.apw  50939  
11   -7Exploit.JS.Pdfka.ti  46303  
12   NewTrojan.JS.Popupper.f  39204  
13   -1Trojan-Downloader.JS.IstBar.bh  34944  
14   NewTrojan.JS.Zapchast.an  30546  
15   -6Trojan-Downloader.JS.LuckySploit.q  29105  
16   NewTrojan-Downloader.JS.Agent.env  27405  
17   NewTrojan-Dropper.Win32.Agent.ayqa  26994  
18   ReturnTrojan-Clicker.HTML.IFrame.mq  26057  
19   NewTrojan-GameThief.Win32.Magania.bwsr  26032  
20   NewExploit.JS.Agent.anr  25517  

The top two positions have been claimed by new variants of Gumblar, a script Trojan-Downloader program. This program caused quite a stir at the end of May and went straight to the top of the ranking in June.

The new Gumblar variants use more sophisticated technologies than their predecessors to infect websites. Previously, legitimate web pages had code injected into them which would run a script located on a cybercriminal site without the user's knowledge. Now, however, compromised sites contain links to malicious scripts placed on other legitimate, compromised sites: this makes analysis more difficult and neutralizing the malicious network more complex. The script itself is designed to exploit several vulnerabilities in Adobe Acrobat/Reader (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-5659, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2992, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0927), Adobe Flash Player (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0071), Microsoft Office (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2496) in order to download the main malicious program – Trojan-PSW.Win32.Kates.j. Some variants of the script contain the Trojan within their body; when the script is executed, it tries to download Kates.j to the victim machine and ensure it will be run automatically. The infections are designed to steal confidential data, including access details for websites which can then be used to infect additional sites.

The attack using Gumblar was carefully planned; however, a little careful work resulted in all the pieces of the puzzle falling into place and detection for all the malware involved being added to antivirus databases.

The technique of splitting a malicious script into several parts to hinder detection and analysis is becoming increasing popular. Around a quarter of the programs in this month's Top Twenty have been designed in this way: Trojan-Downloader.JS.Zapchast.n, Trojan-Downloader.JS.Small.oj, Exploit.JS.Agent.apw, Trojan.JS.Zapchast.an, and Trojan-Downloader.JS.Agent.env.

Also making it into our second Top Twenty were Trojan-Dropper.Win32.Agent.ayqa (mentioned above) and yet another program designed to steal passwords to online games, Trojan-GameThief.Win32.Magania.bwsr.

In conclusion, this month has been characterized by the mass infection of legitimate websites with the Trojan-Downloader program Gumblar. The splitting of malicious scripts is also a marked trend.

Finally, below is a list of countries where the most attempts to infect via the web originated: