Kaspersky Lab presents its monthly malware statistics for October 2009

05 Nov 2009
Virus News

Kaspersky Lab, a leading developer of Internet threat management solutions that protect against all forms of malicious software including viruses, spyware, hackers and spam, presents its monthly malware statistics for October 2009.

From this month onwards, the data used is gathered from all products that use the Kaspersky Security Network (KSN), i.e. products from both the 2009 and 2010 lines. As a result, the Top Twenties have changed somewhat and the figures in both ratings this month are significantly higher, due to an increased numbers of users participating in KSN.

The first Top Twenty lists malicious programs, adware and potentially unwanted programs that were detected and neutralised when accessed for the first time, i.e. by the on-access scanner.

PositionChange in positionNameNumber of infected computers
1  3Net-Worm.Win32.Kido.ir  344745  
2  -1Net-Worm.Win32.Kido.ih  126645  
3  0not-a-virus:AdWare.Win32.Boran.z  114776  
4  -2Virus.Win32.Sality.aa  87839  
5  6Worm.Win32.FlyStudio.cu  70163  
6  -1Trojan-Downloader.Win32.VB.eql  52012  
7  0Virus.Win32.Induc.a  49251  
8  NewPacked.Win32.Black.d  39666  
9  NewWorm.Win32.AutoRun.awkp  35039  
10  -3Virus.Win32.Virut.ce  33354  
11  ReturnPacked.Win32.Black.a  31530  
12  -1Worm.Win32.AutoRun.dui  25370  
13  4Trojan-Dropper.Win32.Flystud.yo  24038  
14  NewTrojan-Dropper.Win32.Agent.bcyx  22471  
15  ReturnPacked.Win32.Klone.bj  21919  
16  ReturnTrojan.Win32.Swizzor.b  19496  
17  NewTrojan-Downloader.WMA.GetCodec.s  18571  
18  -4Worm.Win32.Mabezat.b  19708  
19  NewTrojan-GameThief.Win32.Magania.cbrt  17610  
20  NewTrojan-Dropper.Win32.Agent.ayqa  16909  

Net-Worm.Win32.Kido.ir, which made its first appearance last month, has replaced the traditional leader, Kido.ih. This demonstrates once again that infected removable media are a major source of infection.

Still on the subject of removable media, Autorun.dui, which appears regularly in the ratings, has been joined by a very similar program, Autorun.awkp that entered in 9th place. These malicious programs, as the name suggests, automatically run malware on removable devices.

Packed.Win32.Black.a, Packed.Win32.Klone.bj and Trojan.Win32.Swizzor.b returned to the first Top Twenty this month. Moreover, Black.a has been joined by a new version – Black.d. To recap, the Packed.Win32.Black family includes programs that have been packed with unlicensed versions of legitimate utilities used to protect executable files. In this particular case the packer is ASProtect, a utility often used by cybercriminals.

Another new addition is the multimedia Trojan downloader program GetCodec.s. This Trojan is related to GetCodec.r that Kaspersky Lab wrote about in December 2008 (www.viruslist.com/en), and spreads with the help of P2P-Worm.Win32.Nugg, just as the previous variant did.

There has been a renewed surge of activity from the once notorious Magania family. In July, Trojan-GameThief.Win32.Magania.biht was among the top 20 most common malicious programs on the Internet. In October, a new version – Magania.cbrt – as well as Trojan-Dropper.Win32.Agent.ayqa, which is linked to Magania, were among the 20 malicious programs most often detected on users’ computers.

To summarise the first rating: malicious programs that spread via removable devices were again prevalent this month, and there was noticeable gaming Trojan activity (although this is has not yet reached significant levels).

The second Top Twenty presents data generated by the web antivirus component, and reflects the online threat landscape. This ranking includes malicious programs detected on web pages and malware downloaded to victim machines from web pages. As usual the second rating has undergone some major changes since last month.

PositionChange in positionNameNumber of attempted downloads
1  NewTrojan-Downloader.JS.Gumblar.x  459779  
2  NewTrojan-Downloader.JS.Gumblar.w  281057  
3  0Trojan-Downloader.HTML.IFrame.sz  192063  
4  -3not-a-virus:AdWare.Win32.Boran.z  171278  
5  -3Trojan.JS.Redirector.l  157494  
6  -1Trojan-Clicker.HTML.Agent.aq  118361  
7  NewTrojan-Downloader.JS.Zapchast.m  112710  
8  ReturnTrojan.JS.Agent.aat  107132  
9  NewTrojan-Downloader.JS.Small.oj  60425  
10  NewExploit.JS.Agent.apw  50939  
11  -7Exploit.JS.Pdfka.ti  46303  
12  NewTrojan.JS.Popupper.f  39204  
13  -1Trojan-Downloader.JS.IstBar.bh  34944  
14  NewTrojan.JS.Zapchast.an  30546  
15  -6Trojan-Downloader.JS.LuckySploit.q  29105  
16  NewTrojan-Downloader.JS.Agent.env  27405  
17  NewTrojan-Dropper.Win32.Agent.ayqa  26994  
18  ReturnTrojan-Clicker.HTML.IFrame.mq  26057  
19  NewTrojan-GameThief.Win32.Magania.bwsr  26032  
20  NewExploit.JS.Agent.anr  25517  

The top two positions have been claimed by new variants of Gumblar, a script Trojan-Downloader program. This program caused quite a stir at the end of May and went straight to the top of the ranking in June.

The new Gumblar variants use more sophisticated technologies than their predecessors to infect websites. Previously, legitimate web pages had code injected into them, which would run a script located on a cybercriminal site without the user's knowledge. Now, however, compromised sites contain links to malicious scripts placed on other legitimate, compromised sites: this makes analysis more difficult and neutralising the malicious network more complex. The script itself is designed to exploit several vulnerabilities in Adobe Acrobat/Reader (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-5659, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2992, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0927), Adobe Flash Player (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0071), Microsoft Office (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2496) in order to download the main malicious program – Trojan-PSW.Win32.Kates.j. Some variants of the script contain the Trojan within their body; when the script is executed, it tries to download Kates.j to the victim machine and ensure it will be run automatically. The infections are designed to steal confidential data, including access details for websites that can then be used to infect additional sites.

The attack using Gumblar was carefully planned; however, a little careful work resulted in all the pieces of the puzzle falling into place and detection for all the malware involved being added to antivirus databases.

The technique of splitting a malicious script into several parts to hinder detection and analysis is becoming increasing popular. Around a quarter of the programs in this month's Top Twenty have been designed in this way: Trojan-Downloader.JS.Zapchast.n, Trojan-Downloader.JS.Small.oj, Exploit.JS.Agent.apw, Trojan.JS.Zapchast.an, and Trojan-Downloader.JS.Agent.env.

Also making it into the second Top Twenty were Trojan-Dropper.Win32.Agent.ayqa (mentioned above) and yet another program designed to steal passwords to online games, Trojan-GameThief.Win32.Magania.bwsr.

In conclusion, this month has been characterised by the mass infection of legitimate websites with the Trojan-Downloader program Gumblar. The splitting of malicious scripts is also a marked trend.

Finally, below is a list of countries where the most attempts to infect via the web originated:


To find out more about computer threats visit: www.kaspersky.co.uk/threats

To read the latest security news please visit: http://threatpost.com.