Shortened URLs Direct Users to Infected Websites

03 Feb 2011
Virus News

December 2010 saw a high level of malicious malware activity, with cybercriminals turning to shortened URLs as a means to direct users to infected websites, according to Kaspersky Lab following the publication of its Monthly Malware Statistics for December 2010.

Kaspersky Lab blocked over 209 million network attacks in December 2010 alone, prevented over 67 million attempts to infect computers via the web, detected and neutralised over 196 million malicious programs and registered almost 71 million heuristic detections. A contributor to this was cybercriminals taking advantage of URLs shortened by popular services such as In December, the top trends on Twitter's main page included a number of entries with links that had been shortened and which, after several redirects, eventually led to infected websites.

The report also revealed two fake antivirus programs made it into December's Top 20 malicious programs detected on the Internet – in 18th and 20th places. Genuine antivirus programs are now so effective at detecting their fake counterparts when they attempt to download to users' computers that the cybercriminals have moved their wares to the Internet instead. In the latter scenario, these rogue programs don't need to be downloaded to a computer; users just need to be lured to a fake antivirus website, which is a lot easier than bypassing real antivirus protection.

Representatives of the Trojan-Downloader.Java.OpenConnection family remain extremely active. Instead of using vulnerabilities in a Java virtual machine, these Trojans employ the OpenConnection method of a URL class – standard functionality of the Java programming language. Two representatives of Trojan-Downloader.Java.OpenConnection were among the Top 20 malicious programs detected on the Internet in December in 2nd and 7th places. At the height of their activity the number of computers on which these programs were detected in a 24-hour period exceeded 40,000.

Topping the list of web-based threats, well ahead of its nearest rival, was the adware program AdWare.Win32.HotBar.dh. As a rule, this program is installed along with legitimate applications and then annoys the user by displaying intrusive advertising.

For the first time ever a malicious PDF file that makes use of Adobe XML Forms has made it into the Top 20 online threats. When a victim opens the file Exploit.Win32.Pidief.ddl, a script exploit is launched that downloads and runs another malicious program from the Internet. Exploit.Win32.Pidief.ddl occupied 11th place in December's rating of threats emanating from the Internet. December also offered virus analysts the chance to monitor cybercriminal activity as it adapted to a new Russian Internet domain. November 2010 saw the beginning of domain name registration in the .рф (Cyrillic abbreviation for the Russian Federation) zone of the Internet. Online scammers turned out to be most active in the new domain, registering sites that were used to spread malicious programs and make enticing offers of a fraudulent nature. Three types of malware were detected most of all: fake archives resembling music, film and other media content; dummy programs masquerading as useful services for the Odnoklassniki social networking site; and script Trojans that redirected users to malicious web pages.

More detailed information about the IT threats detected by Kaspersky Lab in December 2010 is available at