Kaspersky Lab, a leading developer of Internet threat management solutions that protect against all forms of malicious software including viruses, spyware, hackers and spam, has released two malware ratings compiled from data generated by the Kaspersky Security Network (KSN) in August 2009.
The first Top Twenty list malicious programs, adware and potentially unwanted programs that were detected and neutralised when accessed for the first time, i.e. by using the on-access scanner.
Net-Worm.Win32.Kido.ih and Virus.Win32.Sality.aa, our two long-standing leaders, are still at the top of the rating. There are six newcomers to this month’s Top Twenty and some of them deserve a special mention.
By far the most interesting is Virus.Win32.Induc.a, which Kaspersky Lab has written about a number of times in recent weeks (news and weblog). To recap: in order to replicate, Virus.Win32.Induc.a makes use of the fact that Delphi has a two stage method for creating executable files - the application source code is first compiled into intermediate DCU modules which are then assembled into Windows executable files. Software products compiled on machines which had infected versions of Delphi were consequently infected with the virus when they were compiled; as there were a lot of these products, it's no surprise that Induc went straight into tenth place.
Another newcomer, not-a-virus:AdWare.Win32.Boran.z, entered the ratings even higher, coming straight in at third place. This program is a component of the Baidu Toolbar for Internet Explorer, which is popular in China. It uses a range of rootkit technologies to prevent users from removing the toolbar using standard methods.
Trojan.Win32.Swizzor.b and Packed.Win32.Katusha.b claimed 14th and 15th positions respectively. These two replace earlier versions of the same programs which previously figured in our ratings. In comparison to the previous versions, both these programs use very sophisticated and innovative obfuscation methods.
Palevo.jaj took last place in the Top Twenty, taking over from its relative P2P-Worm.Win32.Palevo.ddm that emerged back in May. As this version of Palevo spreads via file exchange networks, infects removable media, can also be spread by IM, and includes a backdoor which gives an attacker the ability to control infected computers, this malware poses quite a threat.
Overall, the appearance of Virus.Win32.Induc was the highlight of the month, as this malware does use a truly innovative approach to infecting users’ computers.
Overall, there were no significant changes to the first Top Twenty in August, unlike our second Top Twenty.
The second Top Twenty presents data generated by the web antivirus component, and reflects the online threat landscape. This ranking includes malicious programs detected on web pages and malware is downloaded to victim machines from web pages.
|Position||Change in position||Name||Number of infected web pages|
|1 ||New||not-a-virus:AdWare.Win32.Boran.z ||16760 |
|2 ||1||Trojan-Downloader.HTML.IFrame.sz ||5228 |
|3 ||New||Trojan.JS.Redirector.l ||4693 |
|4 ||-3||Trojan-Downloader.JS.Gumblar.a ||4608 |
|5 ||New||Trojan-Clicker.HTML.Agent.w ||4564 |
|6 ||New||Exploit.JS.DirektShow.k ||4475 |
|7 ||0||Trojan-GameThief.Win32.Magania.biht ||4416 |
|8 ||-4||Trojan-Downloader.JS.LuckySploit.q ||3416 |
|9 ||-7||Trojan-Clicker.HTML.IFrame.kr ||3323 |
|10 ||-4||Trojan-Downloader.JS.Major.c ||2688 |
|11 ||New||Exploit.JS.Sheat.c ||2684 |
|12 ||New||Trojan-Downloader.JS.FraudLoad.d ||2553 |
|13 ||-4||Trojan-Clicker.HTML.IFrame.mq ||2367 |
|14 ||-3||Trojan.JS.Agent.aat ||2246 |
|15 ||-3||Exploit.JS.DirektShow.j ||2128 |
|16 ||New||Trojan-Downloader.JS.IstBar.bh ||1973 |
|17 ||New||Trojan-Downloader.JS.Iframe.bmu ||1933 |
|18 ||New||Exploit.JS.DirektShow.l ||1838 |
|19 ||New||Exploit.JS.DirektShow.q ||1753 |
|20 ||New||Trojan-Downloader.Win32.Agent.ckwd ||1504 |
More than half the entries in August’s second Top Twenty are new examples of cybercriminals' creativity. AdWare.Win32.Boran.z, which has already been described, took first place in this rating. A month ago Kaspersky Lab wrote about a vulnerability in Internet Explorer. The script that exploits this vulnerability is detected by Kaspersky Lab products as Exploit.JS.DirektShow. The July Top Twenty included three modifications of this exploit: .a, .j and .o. This month, there are four versions in the rankings, showing that exploiting this vulnerability is apparently still a very popular approach. It seems that cybercriminals assume that lots of users won't have installed the security patch, and so they keep trying to attack systems via this loophole.
Another vulnerability, this time in Microsoft Office, was also actively exploited by cybercriminals in August. One modification of an exploit for this vulnerability – Exploit.JS.Sheat - took 11th place in the rating.
Fake, or rogue antivirus applications are spread from a number of web pages and one of the scripts that facilitates this took 12th place in the rating. Kaspersky Anti-Virus detects it as Trojan-Downloader.JS.FraudLoad.d. If a user visits a website infected with this script, they are notified that their computer is infected with lots of malicious programs and that these programs can be removed. If the user agrees to this, a rogue antivirus (classified as FraudTool) is then downloaded to their computer.
The Trojan Redirector.l works by redirecting user search requests to specific servers in order to increase the hit rate for these servers. The Trojan-Downloader program Iframe.bmu is a typical example of malware which contains a range of different exploits, in this case exploits for Adobe products.
The trends seen in July are continuing, with cybercriminals still actively exploiting vulnerabilities in popular software products. Rogue antivirus applications and basic iframe-clickers are also spreading fast. It's unlikely that this situation will change next month, as cybercriminals have tried and tested these approaches and found them to be successful.
Countries where most attempts to infect computers via the web were recorded: