Malware in December: Beware Truncated Twitter Links

03 Jan 2011
Virus News

Kaspersky Lab presents its review of malware activity on users’ computers and on the Internet for December.

In the past month the company’s analysts once again recorded a high level of malicious activity. Kaspersky Lab products blocked over 209 million network attacks in December 2010, prevented over 67 million attempts to infect computers via the web, detected and neutralized over 196 million malicious programs and registered almost 71 million heuristic verdicts.

Social engineering and the exploitation of vulnerabilities in legitimate software remained the main methods employed by cybercriminals, though it appears they never cease to hone their skills in other areas. They certainly didn’t pass up the opportunity of jumping on the ‘shortened URL’ bandwagon. Users are increasingly using Internet addresses that have been shortened with the help of special URL shortening services, and they don’t always know that malicious links may be lurking among them. In December the top trends on Twitter’s main page included a number of entries with links that had been shortened using popular services such as bit.ly and alturl.com. After several redirects these links eventually led to infected websites.

In another development, the authors of fake antivirus programs have been busy perfecting their tactics, so much so that two of their creations made it into December’s Top 20 malicious programs detected on the Internet – in 18th and 20th places. Genuine antivirus programs are now so effective at detecting their fake counterparts when they attempt to download to users’ computers that the cybercriminals have moved their wares to the Internet instead. In the latter scenario these rogue programs don’t need to be downloaded to a computer; users just need to be lured to a fake antivirus website, which is a lot easier than bypassing real antivirus protection.

Representatives of the Trojan-Downloader.Java.OpenConnection family remain extremely active. Instead of using vulnerabilities in a Java virtual machine, these Trojans employ the openConnection method of the URL class – standard functionality of the Java programming language. Two representatives of Trojan-Downloader.Java.OpenConnection were among the Top 20 malicious programs detected on the Internet in December, in 2nd and 7th places. At the height of their activity the number of computers on which these programs were detected in a 24-hour period exceeded 40,000.

Topping the list of web-based threats, well ahead of its nearest rival, was the adware program AdWare.Win32.HotBar.dh. As a rule, this program is installed along with legitimate applications and then annoys the user by displaying intrusive advertising.

For the first time ever a malicious PDF file that makes use of Adobe XML Forms has made it into the Top 20 online threats. When a user opens the file Exploit.Win32.Pidief.ddl, a script exploit is launched that downloads and runs another malicious program from the Internet. Exploit.Win32.Pidief.ddl occupied 11th place in December’s rating of threats emanating from the Internet.

December also offered virus analysts the chance to monitor cybercriminal activity as it adapted to a new Russian Internet domain. November 2010 saw the beginning of domain name registration in the .рф (Cyrillic abbreviation for the Russian Federation) zone of the Internet. Online scammers turned out to be most active in the new domain, registering sites that were used to spread malicious programs and make enticing offers of a fraudulent nature. Three types of malware were detected most frequently: fake archives resembling music, film and other media content; dummy programs masquerading as useful services for the Odnoklassniki social networking site; and script Trojans that redirected users to malicious web pages.

More detailed information about the IT threats detected by Kaspersky Lab in December 2010 is available at www.securelist.com/en.