Monthly Malware Statistics: December 2009

04 Jan 2010
Virus News

Malicious programs detected on users’ computers

The first Top Twenty lists malicious programs, adware and potentially unwanted programs that were detected and neutralized when accessed for the first time, i.e. by the on-access scanner.


Position Change in position Name Number of infected computers
1   0 Net-Worm.Win32.Kido.ir   265622  
2   0 Net-Worm.Win32.Kido.iq   211101  
3   0 Net-Worm.Win32.Kido.ih   145364  
4   0 Virus.Win32.Sality.aa   143166  
5   0 Worm.Win32.FlyStudio.cu   101743  
6   New not-a-virus:AdWare.Win32.GamezTar.a   63898  
7   -1 not-a-virus:AdWare.Win32.Boran.z   61156  
8   -1 Trojan-Downloader.Win32.VB.eql   61022  
9   -1 Trojan-Downloader.WMA.GetCodec.s   56364  
10   New Trojan.Win32.Swizzor.c   54811  
11   New Trojan-GameThief.Win32.Magania.cpct   42676  
12   -3 Virus.Win32.Virut.ce   45127  
13   -3 Virus.Win32.Induc.a   37132  
14   0 Trojan-Dropper.Win32.Flystud.yo   33614  
15   3 Packed.Win32.Krap.ag   31544  
16   -3 Packed.Win32.Black.a   31340  
17   0 Worm.Win32.Mabezat.b   31020  
18   -2 Packed.Win32.Klone.bj   28814  
19   -7 Packed.Win32.Black.d   28560  
20   -5 Worm.Win32.AutoRun.dui   28551  


Traditionally, the first Top Twenty is relatively stable and December was no exception. The appearance of three newcomers in sixth, tenth and eleventh places pushed a few other programs down the rankings. The exception was Packed.Win32.Krap.ag, which first entered the rankings last month, and which rose three places this month. Krap.ag, like other representatives of the Packed family, detects a packing program used to pack malicious programs – in this case, rogue antivirus programs. The figures for this malicious program increased slightly, which suggests that cybercriminals are continuing to actively use these programs to turn a profit.

GamezTar.a, which entered in sixth place, is a noteworthy December newcomer. This program is presented as being a toolbar for popular browsers which provides quick access to online games. Of course, it also displays irritating adverts. Additionally, it installs a number of applications that run independently of the toolbar and interfere in online activity, whether it’s searching or displaying content. The EULA (www.gameztar.com/terms.do) does cover all these functions, but the user's attention is usually focused on the large flashing “click here, get free games” button rather than the almost invisible “terms of service” at the bottom of the screen. It's highly recommended to read the EULA (if it exists) before downloading any software.

Tenth place is taken by Trojan.Win32.Swizzor.c, a relative of Swizzor.b, which made an appearance in the rankings in August , and Swizzor.a, which dates back to May. The people behind this deftly obfuscated code are not resting on their laurels and regularly create new variants. The actual function of this Trojan is very simple – it downloads other malicious files from the Internet.

Malicious programs on the Internet

The second Top Twenty presents data generated by the web antivirus component, and reflects the online threat landscape. This ranking includes malicious programs detected on web pages and malware downloaded to victim machines from web pages.


Position Change in position Name Number of attempted downloads
1   0 Trojan-Downloader.JS.Gumblar.x   445881  
2   3 Trojan.JS.Redirector.l   178902  
3   New not-a-virus:AdWare.Win32.GamezTar.a   165678  
4   -2 Trojan-Downloader.HTML.IFrame.sz   134215  
5   New Trojan-Clicker.JS.Iframe.db   128093  
6   -2 not-a-virus:AdWare.Win32.Boran.z   109256  
7   New Trojan.JS.Iframe.ez   91737  
8   New Trojan.JS.Zapchast.bn   64756  
9   New Packed.JS.Agent.bn   60361  
10   New Packed.Win32.Krap.ai   43042  
11   8 Packed.Win32.Krap.ag   41731  
12   New Exploit.JS.Pdfka.asd   36044  
13   New Trojan.JS.Agent.axe   35309  
14   New Trojan-Downloader.JS.Shadraem.a   35187  
15   Return Trojan.JS.Popupper.f   33745  
16   New not-a-virus:AdWare.Win32.GamezTar.b   33266  
17   New Trojan-Downloader.JS.Twetti.a   30368  
18   New Trojan-Downloader.Win32.Lipler.iml   28634  
19   New Trojan-Downloader.JS.Kazmet.d   28374  
20   New Trojan.JS.Agent.axc   26198  

The second Top Twenty has changed far more than the first, with only a quarter of the programs which featured last month remaining in the rankings. One malicious program re-entered the Top Twenty; however, the rest of the table underwent significant changes.

Gumblar.x remains the leader, but the sites infected with this malware are gradually being cleaned up by webmasters – the number of unique download attempts in December was around a quarter of those seen in November.

Krap.ag, which also figures in the first Top Twenty, moved up 8 places in this ranking. Attempted downloads of this program were up 50% on last month. Just above Krap.ag is Krap.ai, which also detects a dedicated packing program used to pack rogue antivirus programs.

GamezTar.a also makes an appearance in the second Top Twenty. This is unsurprising given the program's connection to online games. Moreover, another modification of this malicious program – GamezTar.b – entered the rankings in sixteenth place.

In fifth place is Trojan-Clicker.JS.Iframe.db, a typical iframe-downloader with simple obfuscation.

Trojan.JS.Iframe.ez, Trojan.JS.Zapchast.bn, Packed.JS.Agent.bn, Trojan.JS.Agent.axe, Trojan-Downloader.JS.Shadraem.a, and Trojan-Downloader.JS.Kazmet.d are all scripts designed to exploit vulnerabilities in Adobe and Microsoft products in order to download executable files. These programs vary in terms of sophistication and the complexity of obfuscation employed.

Trojan-Downloader.JS.Twetti.a, in 17th place, is a very interesting example of cybercrime creativity. Lots of legitimate sites have been infected with this malware and it's worth taking a closer look at how it works. Once decrypted, there is no trace of a link to the main executable file and no exploits or links to them! Analysis shows that the script uses an API (application programming interface) popular with both cybercriminals and Twitter.

The Trojan works in the following way: it creates a request to the API which results in data on so-called "trends" – i.e. the topics most discussed on Twitter. The data returned is then used to create an apparently random domain name, which the cybercriminals have registered in advance having used a similar method, and a redirect to this domain is created. The main part of the malware (whether it's a PDF exploit or an executable file) will be placed on the domain. In other words, the malicious link and the redirect are created on the fly via an intermediary, which in this case happens to be Twitter.

It should be noted that both Packed.JS.Agent.bn and Trojan-Downloader.JS.Twetti.a use a specially crafted PDF file to infect users' computers. This file is detected as Exploit.JS.Pdfka.asd and it also made it into the second Top Twenty, entering in twelfth place. We can therefore assume that at least three of December’s malicious programs were the handiwork of a single cybercriminal gang. Also a cause for concern is that fact that programs from the TDSS, Sinowal and Zbot families - some of the most dangerous threats currently in existence - were detected among the executable files downloaded to victim machines during drive-by attacks.

Overall, the trends remain the same. Attacks are becoming more sophisticated and more difficult to analyze. Their aim, in the vast majority of cases, is to make money in some way. Virtual threats are no longer purely virtual; they can cause real damage, and this is why is it vital to ensure that your computer and data are protected.