The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

Monthly Malware Statistics: August 2010

In August, there was a significant increase in exploits of the CVE-2010-2568 vulnerability. Worm.Win32.Stuxnet, which notoriously surfaced in late July, targets this vulnerability, as does the Trojan-Dropper program which installs the latest variant of the Sality virus – Virus.Win32.Sality.ag. Unsurprisingly, black hats lost no time in taking advantage of this latest vulnerability in the most commonly used version of Windows. However, on 2 August Microsoft released MS10-046 which provides a patch for the vulnerability. This update was rated ‘Critical’, meaning it should be installed as soon as possible on all computers running the vulnerable operating system.

Malicious programs detected on users’ computers

The first Top Twenty ranking shown below lists malware, adware and potentially unwanted programs that were detected and neutralized by the on-access scanner when they were accessed for the first time.

Position Change in position Name Number of infected computers
1   0 Net-Worm.Win32.Kido.ir   280087  
2   0 Virus.Win32.Sality.aa   172770  
3   0 Net-Worm.Win32.Kido.ih   153825  
4   0 Net-Worm.Win32.Kido.iq   107156  
5   1 Trojan.JS.Agent.bhr   106796  
6   -1 Exploit.JS.Agent.bab   90465  
7   0 Worm.Win32.FlyStudio.cu   75394  
8   0 Virus.Win32.Virut.ce   68010  
9   new Exploit.Win32.CVE-2010-2568.d   52193  
10   -1 Trojan-Downloader.Win32.VB.eql   48440  
11   new P2P-Worm.Win32.Palevo.arxz   42145  
12   new Exploit.Win32.CVE-2010-2568.b   40385  
13   -3 Worm.Win32.Mabezat.b   38252  
14   new Worm.Win32.VBNA.b   37461  
15   new AdWare.WinLNK.Agent.a   37240  
16   new Virus.Win32.Sality.ag   36144  
17   new Trojan-Dropper.Win32.Sality.r   32352  
18   new Trojan.Win32.Autoit.ci   31391  
19   -8 Trojan-Dropper.Win32.Flystud.yo   29475  
20   new Packed.Win32.Krap.ao   29309  

As in July, the top half of the ranking remains virtually unchanged, with the exception of a few small changes.

Kido (aka Conficker) remains in first, third and fourth place, while the file infectors Virus.Win32.Virut.ce (eighth place) and Virus.Win32.Sality.aa (second place) have also held on to their positions. Trojan.JS.Agent.bhr (fifth place) and Exploit.JS.Agent.bab (sixth place) have also maintained their positions, merely swapping places.

The July rankings mentioned a new vulnerability in Windows LNK shortcuts, which was later dubbed CVE-2010-2568. As expected, cybercriminals started actively exploiting this vulnerability: the August rankings include three pieces of malware which are linked to CVE-2010-2568 in one way or another. Two of these – Exploit.Win32.CVE-2010-2568.d (ninth place) and Exploit.Win32.CVE-2010-2568.b (twelfth place) – directly exploit the vulnerability while the third, Trojan-Dropper.Win32.Sality.r (seventeenth place), uses it to propagate. It generates vulnerable LNK shortcuts with names designed to attract attention and spreads these across local networks. The malware is launched when a user opens a folder containing one of these shortcuts. The main function of Trojan-Dropper.Win32.Sality.r is to install the latest modification of Virus.Win32.Sality.ag (sixteenth place).

Trojan-Dropper.Win32.Sality.r code showing shortcut names created by the malware

Curiously, both the exploits for CVE-2010-2568 which are included in the ranking are often found in Russia, India and Brazil. While India is the primary source of the Stuxnet worm (the first malicious program to target this vulnerability), it is not entirely clear what role Russia plays.

The geographical distribution of Trojan-Dropper.Win32.Sality.r matches that of the exploits.

Geographical distribution of Exploit.Win32.CVE-2010-2568.d

Another newcomer to the ranking is a piece of adware – this time, AdWare.WinLNK.Agent.a (fifteenth place). This is a shortcut which, when launched, takes the user to a URL specified in an advertising link. The shortcut is installed by various adware programs.

Trojan.Win32.Autoit.ci, a new representative of the malware family which uses the AutoIt scripting language appeared on the ranking in August in eighteenth place. Other newcomers included a new modification of the Palevo P2P worm P2P-Worm.Win32.Palevo.arxz (eleventh place). Both malware families have been covered in previous reports, and they have wide-ranging payloads, including autorun functions, the ability to download and launch other malicious programs, and to spread over local networks.

The ranking also features two malicious packers: Packed.Win32.Krap.ao (twentieth place) makes its first appearance, whereas Worm.Win32.VBNA.b (fourteenth place) featured in the June rankings. Both programs are used to protect malware from being detected by security software, and can be used to pack virtually any malicious programs, from rogue antivirus software to complex backdoors, such as Backdoor.Win32.Blakken.

Malicious programs on the Internet

The second Top Twenty list below shows data generated by the web antivirus component and reflects the online threat landscape. This table includes malware and potentially unwanted programs which are detected on web pages or downloaded to victim machines from web pages.

Position Change in position Name Number of attempted downloads
1   new Trojan-Downloader.Java.Agent.ft   135755  
2   -1 Exploit.JS.Agent.bab   127561  
3   9 Exploit.HTML.CVE-2010-1885.a   85502  
4   2 Trojan.JS.Agent.bhr   67061  
5   4 AdWare.Win32.FunWeb.ds   60129  
6   new Exploit.HTML.CVE-2010-1885.c   57988  
7   new AdWare.Win32.FunWeb.di   50928  
8   -4 AdWare.Win32.FunWeb.q   50504  
9   new Exploit.HTML.HCP.b   46874  
10   -6 Exploit.Java.CVE-2010-0886.a   45844  
11   -5 Trojan-Downloader.VBS.Agent.zs   37578  
12   8 Trojan.JS.Redirector.cq   37479  
13   new Trojan-Clicker.JS.Iframe.fq   35181  
14   5 AdWare.Win32.FunWeb.ci   33073  
15   new Exploit.Java.CVE-2010-0094.a   30062  
16   new Exploit.JS.Pdfka.cop   29588  
17   new Exploit.HTML.CVE-2010-1885.d   28396  
18   new Exploit.JS.CVE-2010-0806.b   26990  
19   new AdWare.Win32.FunWeb.fb   26350  
20   new Exploit.HTML.CVE-2010-1885.b   25820  

Compared to recent months, there are relatively few (ten in all) newcomers to the August rankings. All of these are new modifications of exploits which target already known vulnerabilities. Overall, this month’s rankings include twelve exploits which target six different vulnerabilities.

This month, cybercriminals focused their efforts on exploiting CVE-2010-1885. Five exploits listed in the ranking target this vulnerability: Exploit.HTML.CVE-2010-1885.a (third place), Exploit.HTML.CVE-2010-1885.c (sixth place), Exploit.HTML.HCP.b (ninth place), Exploit.HTML.CVE-2010-1885.d (seventeenth place) and Exploit.HTML.CVE-2010-1885.b (twentieth place). In contrast, the July rankings only listed one such exploit. CVE-2010-1885 is associated with a error in Windows Help and Support Center which makes it possible to run malicious code on systems running Windows XP and Windows 2003. It seems likely that the popularity of these two operating system versions led to the increasing number of exploits.

CVE-2010-0806 has been almost as widely exploited as CVE-20100-1885; the ranking include three different exploits which target this vulnerability. Two of them are scripts which have been covered in previous reports: namely Exploit.JS.Agent.bab (second place) and Trojan.JS.Agent.bhr (fourth place). The latest addition is Exploit.JS.CVE-2010-0806.b (eighteenth place).

Three more exploits in of the rankings target vulnerabilities in software using a Java engine. First place is taken by Trojan-Downloader.Java.Agent.ft which exploits CVE-2009-3867 – this vulnerability is quite old and was covered in the May report. Exploit.Java.CVE-2010-0886.a (tenth place), which exploits CVE-2010-0886 has stayed in the rankings since last month. Interestingly, CVE-2010-0094 was detected back in early April 2010, and the first exploit emerged this August. Exploit.Java.CVE-2010-0094.a (fifteenth place) successively calls a number of functions which ultimately lead to the execution of malicious code.

Fragment of Exploit.Java.CVE-2010-0094.a which exploits the vulnerability

In August, this exploit was only used by cybercriminals in developed countries – the USA, Germany, and the UK. This may be related to the fact that programs using Java are popular in these countries.

Geographical distribution of Exploit.Java.CVE-2010-0094.a

Exploit.JS.Pdfka.cop in sixteenth place is another exploit, this time a fairly standard one; it relies on using the peculiarities of PDF documents to execute malicious code.

Trojan-Clicker.JS.Iframe.fq (thirteenth place) is a new addition, and falls into the category of malicious scripts which redirect victim browsers to a malicious link using the HTML tag “<iframe>”. Two more malicious scripts are Trojan-Downloader.VBS.Agent.zs (eleventh place) and Trojan.JS.Redirector.cq (twelfth place); both were discussed in last month’s review.

Adware is as popular as ever. AdWare.Win32.FunWeb has superseded Shopper.l and Boran.z which were its competitors in July. Five representatives of the FunWeb family were present in the August rating. Three of those modifications (“ds”, “ci”, “q”, occupying fifth, fourteenth, and eighth places respectively) were in the July rankings, while “fb” and “di” (nineteenth and seventh places) made it to the rankings for the first time in August.


If you would like to comment on this article you must first

Bookmark and Share


Vyacheslav Zakorzhevsky