The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

Monthly Malware Statistics, March 2011

March in figures

The following statistics were compiled in March using data from computers running Kaspersky Lab products:

  • 241,151,171 network attacks blocked;
  • 85,853,567 attempted web-borne infections prevented;
  • 219,843,736 malicious programs detected and neutralized on users’ computers;
  • 96,702,092 heuristic verdicts registered.

One man's misfortune is another man's gain

We have already written on a number of occasions that criminals are not averse to exploiting tragedies, and the Japanese earthquake and tsunami, plus the death of Elizabeth Taylor, did nothing to buck this trend.

Thousands of people in Japan have lost loved ones and have been left homeless, while the world looks on in trepidation as events unfold at the Fukushima nuclear plant. But that hasn’t stopped scammers and malware writers from spreading malicious links to their own versions of the “latest news”, creating malicious websites with content connected in some way to the disaster in Japan and sending out ‘Nigerian’ letters making emotional requests for money to be transferred to the message sender in order to help those who have suffered.

One spam message contained a link that claimed to lead to the latest news from Japan. Clicking on the link triggered a drive-by download attack that made use of exploit packs. If the attack was successful, Trojan-Downloader.Win32.CodecPack was downloaded to the user’s computer. Each variant of this family is inextricably linked to three command centers with which it communicates and receives lists of malicious files that are downloaded and run on infected computers. On one website that we detected, visitors were asked to download a video clip showing events from Japan. However, instead of a video, users ended up downloading a backdoor.

It seems the most switched-on cybercriminals use Twitter – malicious links exploiting Elizabeth Taylor’s death appeared on the social network within a day of the news being announced.


Exploits remain one of the favorite tools in the cybercriminals’ arsenals, so the appeals from IT security companies to regularly update computer software are as relevant as ever.

Java exploits

The number of Java exploits is considerable – they make up approximately 14% of all known exploits. Three of them made it into this month’s Top 20 malicious programs detected on the Internet. Two of them – Exploit.Java.CVE-2010-0840.d in 15th place and Exploit.Java.CVE-2010-0840.c in 19th – are new exploits for the CVE-2010-0840 vulnerability in Java. Active use of this loophole was recorded for the first time in February.

According to Kaspersky Security Network (KSN) statistics, malware writers are actively modifying the exploits they use in drive-by attacks in order to avoid detection. This is demonstrated in the graph below which shows detections for the Exploit.Java.CVE-2010-0840 family.

Detection of the Exploit.Java.CVE-2010-0840 family

The peaks in the graph correspond to periods when exploits of this family were detected in drive-by attacks, while the troughs show when newer variants of the exploit replaced older versions.

Exploits and vulnerabilities in Adobe Flash Player

Malware writers are surprisingly quick to react to announcements of new vulnerabilities. A good example of this is a vulnerability in Adobe Flash Player that was announced on 14 March. The vulnerability in question was in authplay.dll and because it offered cybercriminals an opportunity to gain control of a user’s computer it was rated as critical.

On 15 March, Kaspersky Lab had already detected an exploit for the vulnerability – an Excel file that contained a malicious SWF file and which is detected as Trojan-Dropper.SWF.CVE-2011-0609.a.

On 25 March, we detected one more variant of the exploit – an HTML page that contained shellcode in JavaScript and which loaded a malicious Flash file. The malicious SWF file exploited a security breach which allowed the shellcode to gain control. The malicious HTML and SWF files are detected as Exploit.JS.CVE-2011-0609 and Exploit.SWF.CVE-2011-0609 respectively.

A fragment of the Exploit.JS.CVE-2011-0609.d code

This story has a happy ending though – the vulnerability was quickly fixed. Adobe announced the problem had been resolved on 22 March. Of course, the happy ending will only apply to those users who updated the software on their computers in time.

Malicious HTML pages: avoiding detection

We make regular announcements about the detection of HTML pages that cybercriminals use as part of their scams or to spread malware. The malevolent people behind such pages are constantly coming up with new ways to hide their creations from antivirus programs.

Use of <textarea> tags

In our February report we wrote that cybercriminals were using Cascading Style Sheets (CSS) to protect scripts from being detected. Now, instead of CSS, they are using <textarea> tags on their malicious HTML pages.

The <textarea> tag is used to display an input field.

An input field implemented using a <textarea> tag

Cybercriminals use the tag as a container to store data that will later be used by the main script.

In March, Trojan-Downloader.JS.Agent.fun, a web page that used a combination of a malicious script and a <textarea> tag containing data for the script, appeared at 9th position in the Top 20 rating of malicious programs on the Internet. The script that uses the data in the <textarea> tag runs other exploits via a number of different methods.

Encrypted pages

In earlier reports covering December and January we discussed Rogue AVs. Now the web pages that imitate the scanning of a computer and try to pressurize users into buying an ‘antivirus’ solution are encrypted and use polymorphic JavaScript, making it more difficult for genuine antivirus programs to detect them.

Fragment of an encrypted page for a Rogue AV program

We detect such polymorphic scripts as Trojan.JS.Fraud.bl, currently at 18th place in the rating of malicious programs on the Internet, and Trojan.JS.Agent.btv which is in 8th place.


One of the main news stories in March was the closure of the Rustock botnet. The network created by Rustock amounted to several hundred thousand infected computers and was used to send out spam. Its closure was orchestrated by Microsoft and the US authorities. On 17 March, Microsoft announced that all the botnet’s command servers had been shut down. A redirect to microsoftinternetsafety.net was installed on all the servers shut down by Microsoft.

According to Kaspersky Lab, the last copies of Rustock were downloaded to users’ computers from the botnet command center on 16 March and the last command to send spam was given on 17 March. Since then, no more commands have been recorded. Moreover, not one downloader capable of installing Rustock on users’ computers has been detected since 16 March.

Does this signal the end for one of the most infamous spam botnets? Or have the botnet owners gone to ground to wait until things have calmed down so they can restore their network? Only time will tell.

Malware for Android

Malicious programs for Android are no longer so exotic. In March, cybercriminals managed to spread malware disguised as legitimate applications on Android Market.

We detected infected versions of legitimate apps on Android Market in early March. They contained the root exploits ‘rage against the cage’ and ‘exploid’ that allow a malicious program to obtain root access on Android smartphones, giving full administrator-level access to the device’s operating system.

As well as the root exploit in the malicious APK archive there were two other malicious components. After gaining root rights, one of them sent an XML file containing IMEI, IMSI and other device information to a remote server using the POST method and awaited further commands. The other component had Trojan-downloader functionality, though we have yet to receive any downloaded files.

TOP 20 malicious programs on the Internet

Current rank Delta Verdict
1   4 AdWare.Win32.FunWeb.gq  
2   New Hoax.Win32.ArchSMS.pxm  
3   3 AdWare.Win32.HotBar.dh  
4   8 Trojan.HTML.Iframe.dl  
5   New Hoax.HTML.OdKlas.a  
6   New Trojan.JS.Popupper.aw  
7   1 Exploit.JS.Pdfka.ddt  
8   -8 Trojan.JS.Agent.btv  
9   -9 Trojan-Downloader.JS.Agent.fun  
10 -10 Trojan-Downloader.Java.OpenStream.bi
11   -7 Exploit.HTML.CVE-2010-1885.ad  
12   New Trojan.JS.Agent.uo  
13   New Trojan-Downloader.JS.Iframe.cdh  
14   New Packed.Win32.Katusha.o  
15   New Exploit.Java.CVE-2010-0840.d  
16   1 Trojan.JS.Agent.bhr  
17   New Trojan-Clicker.JS.Agent.om  
18   New Trojan.JS.Fraud.bl  
19   New Exploit.Java.CVE-2010-0840.c  
20   New Trojan-Clicker.HTML.Iframe.aky  

TOP 20 malicious programs detected on users’ computers

Current rank Delta Verdict
1   0 Net-Worm.Win32.Kido.ir  
2   0 Virus.Win32.Sality.aa  
3   1 Net-Worm.Win32.Kido.ih  
4   New Hoax.Win32.ArchSMS.pxm  
5   0 Virus.Win32.Sality.bh  
6   -3 HackTool.Win32.Kiser.zv  
7   -1 Hoax.Win32.Screensaver.b  
8   -1 AdWare.Win32.HotBar.dh  
9   8 Trojan.Win32.Starter.yy  
10   1 Packed.Win32.Katusha.o  
11   1 Worm.Win32.FlyStudio.cu  
12   -2 HackTool.Win32.Kiser.il  
13   -4 Trojan.JS.Agent.bhr  
14   2 Trojan-Downloader.Win32.Geral.cnh  
15   New Porn-Tool.Win32.StripDance.d  
16   New Exploit.JS.Agent.bbk  
17   New Trojan.Win32.AutoRun.azq  
18   -5 Trojan-Downloader.Win32.VB.eql  
19   -5 Worm.Win32.Mabezat.b  
20   -5 Packed.Win32.Klone.bq  


pradeep sahoo

2011 Apr 05, 22:43

Missing useful information

I would like to inform you that No of infected computers/No of distinct users column is missing in both the above table that is TOP 20 malicious programs on the Internet and TOP 20 malicious programs detected on users’ computers.

If you would like to comment on this article you must first

Bookmark and Share


Vyacheslav Zakorzhevsky