The Kaspersky Lab Monthly Malware Statistics: December 2009

11 Jan 2010
Virus News

Malicious programs detected on users' computers

The first Top Twenty lists malicious programs, adware and potentially unwanted programs that were detected and neutralised when accessed for the first time, i.e. by the on-access scanner.


PositionChange in positionNameNumber of infected computers
1  0Net-Worm.Win32.Kido.ir  265622  
2  0Net-Worm.Win32.Kido.iq  211101  
3  0Net-Worm.Win32.Kido.ih  145364  
4  0Virus.Win32.Sality.aa  143166  
5  0Worm.Win32.FlyStudio.cu  101743  
6  Newnot-a-virus:AdWare.Win32.GamezTar.a  63898  
7  -1not-a-virus:AdWare.Win32.Boran.z  61156  
8  -1Trojan-Downloader.Win32.VB.eql  61022  
9  -1Trojan-Downloader.WMA.GetCodec.s  56364  
10  NewTrojan.Win32.Swizzor.c  54811  
11  NewTrojan-GameThief.Win32.Magania.cpct  42676  
12  -3Virus.Win32.Virut.ce  45127  
13  -3Virus.Win32.Induc.a  37132  
14  0Trojan-Dropper.Win32.Flystud.yo  33614  
15  3Packed.Win32.Krap.ag  31544  
16  -3Packed.Win32.Black.a  31340  
17  0Worm.Win32.Mabezat.b  31020  
18  -2Packed.Win32.Klone.bj  28814  
19  -7Packed.Win32.Black.d  28560  
20  -5Worm.Win32.AutoRun.dui  28551  


Traditionally, the first Top Twenty is relatively stable and December was no exception. The appearance of three newcomers in sixth, tenth and eleventh places pushed a few other programs down the rankings. The exception was Packed.Win32.Krap.ag, which first entered the rankings last month, and which rose three places this month. Krap.ag, like other representatives of the Packed family, is detection for a packing program used to pack malicious programs – in this case, rogue antivirus programs. The figures for this malicious program increased slightly, which suggests that cybercriminals are continuing to actively use these programs to turn a profit.

GamezTar.a, which entered in sixth place, is a noteworthy December newcomer. This program is presented as being a toolbar for popular browsers which provides quick access to online games. Of course, it also displays irritating adverts. Additionally, it installs a number of applications that run independently of the toolbar and interfere in online activity, whether it’s searching or displaying content. The EULA (www.gameztar.com/terms.do) does cover all these functions, but the user's attention is usually focused on the large flashing “click here, get free games” button rather than the almost invisible “terms of service” at the bottom of the screen. It's highly recommended to read the EULA (if it exists) before downloading any software.

Tenth place is taken by Trojan.Win32.Swizzor.c, a relative of Swizzor.b, which made an appearance in the rankings in August , and Swizzor.a, which dates back to May. The people behind this deftly obfuscated code are not resting on their laurels and regularly create new variants. The actual function of this Trojan is very simple – it downloads other malicious files from the Internet.

Malicious programs on the Internet

The second Top Twenty presents data generated by the web antivirus component, and reflects the online threat landscape. This ranking includes malicious programs detected on web pages and malware downloaded to victim machines from web pages.


PositionChange in positionNameNumber of attempted downloads
1  0Trojan-Downloader.JS.Gumblar.x  445881  
2  3Trojan.JS.Redirector.l  178902  
3  Newnot-a-virus:AdWare.Win32.GamezTar.a  165678  
4  -2Trojan-Downloader.HTML.IFrame.sz  134215  
5  NewTrojan-Clicker.JS.Iframe.db  128093  
6  -2not-a-virus:AdWare.Win32.Boran.z  109256  
7  NewTrojan.JS.Iframe.ez  91737  
8  NewTrojan.JS.Zapchast.bn  64756  
9  NewPacked.JS.Agent.bn  60361  
10  NewPacked.Win32.Krap.ai  43042  
11  8Packed.Win32.Krap.ag  41731  
12  NewExploit.JS.Pdfka.asd  36044  
13  NewTrojan.JS.Agent.axe  35309  
14  NewTrojan-Downloader.JS.Shadraem.a  35187  
15  ReturnTrojan.JS.Popupper.f  33745  
16  Newnot-a-virus:AdWare.Win32.GamezTar.b  33266  
17  NewTrojan-Downloader.JS.Twetti.a  30368  
18  NewTrojan-Downloader.Win32.Lipler.iml  28634  
19  NewTrojan-Downloader.JS.Kazmet.d  28374  
20  NewTrojan.JS.Agent.axc  26198  

The second Top Twenty has changed far more than the first, with only a quarter of the programs which featured last month remaining in the rankings. One malicious program re-entered the Top Twenty; however, the rest of the table underwent significant changes.

Gumblar.x remains the leader, but the sites infected with this malware are gradually being cleaned up by webmasters – the number of unique download attempts in December was around a quarter of those seen in November.

Krap.ag, which also figures in the first Top Twenty, moved up 8 places in this ranking. Attempted downloads of this program were up 50% on last month. Just above Krap.ag is Krap.ai, which also detects a dedicated packing program used to pack rogue antivirus programs.

GamezTar.a also makes an appearance in the second Top Twenty. This is unsurprising given the program's connection to online games. Moreover, another modification of this malicious program – GamezTar.b – entered the rankings in sixteenth place.

In fifth place is Trojan-Clicker.JS.Iframe.db, a typical iframe-downloader with simple obfuscation.

Trojan.JS.Iframe.ez, Trojan.JS.Zapchast.bn, Packed.JS.Agent.bn, Trojan.JS.Agent.axe, Trojan-Downloader.JS.Shadraem.a, and Trojan-Downloader.JS.Kazmet.d are all scripts designed to exploit vulnerabilities in Adobe and Microsoft products in order to download executable files. These programs vary in terms of sophistication and the complexity of obfuscation employed.

Trojan-Downloader.JS.Twetti.a, in 17th place, is a very interesting example of cybercrime creativity. Lots of legitimate sites have been infected with this malware and it's worth taking a closer look at how it works. Once decrypted, there is no trace of a link to the main executable file and no exploits or links to them! Analysis shows that the script uses an API (application programming interface) popular with both cybercriminals and Twitter.

The Trojan works in the following way: it creates a request to the API which results in data on so-called "trends" – i.e. the topics most discussed on Twitter. The data returned is then used to create an apparently random domain name, which the cybercriminals have registered in advance having used a similar method, and a redirect to this domain is created. The main part of the malware (whether it's a PDF exploit or an executable file) will be placed on the domain. In other words, the malicious link and the redirect are created on the fly via an intermediary, which in this case happens to be Twitter.

It should be noted that both Packed.JS.Agent.bn and Trojan-Downloader.JS.Twetti.a use a specially crafted PDF file to infect users' computers. This file is detected as Exploit.JS.Pdfka.asd and it also made it into the second Top Twenty, entering in twelfth place. We can therefore assume that at least three of December’s malicious programs were the handiwork of a single cybercriminal gang. Also a cause for concern is that fact that programs from the TDSS, Sinowal and Zbot families - some of the most dangerous threats currently in existence - were detected among the executable files downloaded to victim machines during drive-by attacks.

Overall, the trends remain the same. Attacks are becoming more sophisticated and more difficult to analyze. Their aim, in the vast majority of cases, is to make money in some way. Virtual threats are no longer purely virtual; they can cause real damage, and this is why is it vital to ensure that your computer and data are protected.

To find out more about computer threats visit: http://www.kaspersky.co.uk/threats

To read the latest security news please visit: http://threatpost.com