Exploits – the cybercriminals' top tool during May 2010

07 Jun 2010
Virus News

Kaspersky Lab has released its monthly malware statistics detailing which malicious programs were detected and blocked by the company’s security software solutions during May 2010.

Exploits – dedicated programs designed to attack computers via vulnerabilities in legitimate software – and their Trojan counterparts dominated not only the Top Twenty rating for malware detected on computers protected by Kaspersky Lab solutions, but also the Internet-borne malware rating.

In recent months both these rankings have shown a marked increase in the use of exploits by cybercriminals. Their goal remains the same – the theft of confidential user data – but the propagation techniques and methods that prevent the analysis and detection of malware have varied.

One entry of note in the end-user Top Twenty malware list is a Trojan that steals account logins and passwords for popular online games. Players of CabalOnline, Metin2, Mu Online and various games developed by Nexon.net have all been affected by Trojan-GameThief.Win32.Magania.dbtv.

Eleven of May’s Internet malware Top Twenty are exploits of one sort or another and their accompanying Trojan sidekicks. These malicious programs occupy five consecutive Top Twenty places starting from second place and then appear on the list in groups of two or three. Three of the newcomers are exploits for Java and users of this platform are strongly advised to check for software updates on a regular basis.

First place on the Internet malware Top Twenty goes to Trojan-Clicker.JS.Iframe.bb. This particular piece of malware is designed to increase website hit counts by making the victim computers visit them without the users’ knowledge or consent. In May alone this Trojan infected almost 400,000 websites.

Malicious programs detected on computers protected by Kaspersky Lab

The first Top Twenty list immediately below shows malware, adware and potentially unwanted programs that were detected and neutralised by Kaspersky Lab’s on-access scanner when they were accessed for the first time.

PositionChange in positionNameNumber of infected computers
1  0Net-Worm.Win32.Kido.ir  339585  
2  0Virus.Win32.Sality.aa  210257  
3  0Net-Worm.Win32.Kido.ih  201746  
4  0Net-Worm.Win32.Kido.iq  169017  
5  9Trojan.JS.Agent.bhr  161414  
6  -1Worm.Win32.FlyStudio.cu  127835  
7  -1Virus.Win32.Virut.ce  70189  
8  0Trojan-Downloader.Win32.VB.eql  66486  
9  0Worm.Win32.Mabezat.b  54866  
10  0Trojan-Dropper.Win32.Flystud.yo  50490  
11  0Worm.Win32.AutoIt.tc  47044  
12  1Packed.Win32.Krap.l  44056  
13  NewTrojan.JS.Iframe.lq  38658  
14  NewTrojan.Win32.Agent2.cqzi  35423  
15  1Trojan.Win32.Autoit.ci  34670  
16  NewTrojan-GameThief.Win32.Magania.dbtv  31066  
17  NewTrojan-Downloader.Win32.Geral.cnh  30225  
18  NewTrojan.JS.Zapchast.dv  29592  
19  -2Virus.Win32.Induc.a  28522  
20  -8Exploit.JS.CVE-2010-0806.e  27606  

Malicious programs on the Internet

The second Top Twenty list below shows data generated by the web antivirus component and reflects the online threat landscape. This table includes malware detected on web pages and malware downloaded to victim machines from web pages.

PositionChange in positionNameNumber of attempted downloads
1  NewTrojan-Clicker.JS.Iframe.bb  397667  
2  NewExploit.Java.CVE-2010-0886.a  244126  
3  NewTrojan.JS.Redirector.cq  194285  
4  NewExploit.Java.Agent.f  108869  
5  NewTrojan.JS.Agent.bhr  107202  
6  NewExploit.Java.CVE-2009-3867.d  85120  
7  -2not-a-virus:AdWare.Win32.FunWeb.q  82309  
8  -6Exploit.JS.CVE-2010-0806.i  79192  
9  -5Exploit.JS.CVE-2010-0806.b  76093  
10  NewTrojan.JS.Zapchast.dv  73442  
11  -2Trojan-Clicker.JS.Agent.ma  68033  
12  NewTrojan.JS.Iframe.lq  59109  
13  NewTrojan-Downloader.JS.Agent.fig  56820  
14  5not-a-virus:AdWare.Win32.Shopper.l  50497  
15  2Exploit.JS.CVE-2010-0806.e  50442  
16  -4Trojan.JS.Redirector.l  50043  
17  NewTrojan.JS.Redirector.cj  47179  
18  -2not-a-virus:AdWare.Win32.Boran.z  43514  
19  -6Trojan-Dropper.Win32.VB.amlh  43366  
20  NewExploit.JS.Pdfka.chw  42362  

The full version of Kaspersky Lab’s Monthly Malware Statistics for May can be found at www.securelist.com/en.