The following statistics were compiled in March using data from computers running Kaspersky Lab products:
We have already written on a number of occasions that criminals are not averse to exploiting tragedies, and the Japanese earthquake and tsunami, plus the death of Elizabeth Taylor, did nothing to buck this trend.
Thousands of people in Japan have lost loved ones and have been left homeless, while the world looks on in trepidation as events unfold at the Fukushima nuclear plant. But that hasn’t stopped scammers and malware writers from spreading malicious links to their own versions of the “latest news”, creating malicious websites with content connected in some way to the disaster in Japan and sending out ‘Nigerian’ letters making emotional requests for money to be transferred to the message sender in order to help those who have suffered.
One spam message contained a link that claimed to lead to the latest news from Japan. Clicking on the link triggered a drive-by download attack that made use of exploit packs. If the attack was successful, Trojan-Downloader.Win32.CodecPack was downloaded to the user’s computer. Each variant of this family is inextricably linked to three command centers with which it communicates and receives lists of malicious files that are downloaded and run on infected computers. On one website that we detected, visitors were asked to download a video clip showing events from Japan. However, instead of a video, users ended up downloading a backdoor.
It seems the most switched-on cybercriminals use Twitter – malicious links exploiting Elizabeth Taylor’s death appeared on the social network within a day of the news being announced.
Exploits remain one of the favorite tools in the cybercriminals’ arsenals, so the appeals from IT security companies to regularly update computer software are as relevant as ever.
The number of Java exploits is considerable – they make up approximately 14% of all known exploits. Three of them made it into this month’s Top 20 malicious programs detected on the Internet. Two of them – Exploit.Java.CVE-2010-0840.d in 15th place and Exploit.Java.CVE-2010-0840.c in 19th – are new exploits for the CVE-2010-0840 vulnerability in Java. Active use of this loophole was recorded for the first time in February.
According to Kaspersky Security Network (KSN) statistics, malware writers are actively modifying the exploits they use in drive-by attacks in order to avoid detection. This is demonstrated in the graph below which shows detections for the Exploit.Java.CVE-2010-0840 family.
The peaks in the graph correspond to periods when exploits of this family were detected in drive-by attacks, while the troughs show when newer variants of the exploit replaced older versions.
Malware writers are surprisingly quick to react to announcements of new vulnerabilities. A good example of this is a vulnerability in Adobe Flash Player that was announced on 14 March. The vulnerability in question was in authplay.dll and because it offered cybercriminals an opportunity to gain control of a user’s computer it was rated as critical.
On 15 March, Kaspersky Lab had already detected an exploit for the vulnerability – an Excel file that contained a malicious SWF file and which is detected as Trojan-Dropper.SWF.CVE-2011-0609.a.
This story has a happy ending though – the vulnerability was quickly fixed. Adobe announced the problem had been resolved on 22 March. Of course, the happy ending will only apply to those users who updated the software on their computers in time.
We make regular announcements about the detection of HTML pages that cybercriminals use as part of their scams or to spread malware. The malevolent people behind such pages are constantly coming up with new ways to hide their creations from antivirus programs.
In our February report we wrote that cybercriminals were using Cascading Style Sheets (CSS) to protect scripts from being detected. Now, instead of CSS, they are using <textarea> tags on their malicious HTML pages.
The <textarea> tag is normally used to display a multi-line text input field on a web page.
An input field implemented using a <textarea> tag
Cybercriminals use the tag as a container to store data that will later be used by the main script.
In March, Trojan-Downloader.JS.Agent.fun, a web page that used a combination of a malicious script and a <textarea> tag containing data for the script, appeared at 9th position in the Top 20 rating of malicious programs on the Internet. The script that uses the data in the <textarea> tag runs other exploits via a number of different methods.
We detect such polymorphic scripts as Trojan.JS.Fraud.bl, currently at 18th place in the rating of malicious programs on the Internet, and Trojan.JS.Agent.btv which is in 8th place.
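As a defender's illustration of the technique just described, here is an added example (not code from Kaspersky Lab or from the malicious pages it describes): a small Python scanner that flags a <textarea> whose content is read by a script on the same page and that is also either hidden or filled with a long, whitespace-free blob. The HTML samples inside it are constructed, and the thresholds are assumptions.

```python
# Added example (not Kaspersky's code): flags HTML pages that park an opaque payload
# inside a <textarea> for a script on the same page to read later.
import re
from html.parser import HTMLParser

MIN_BLOB_LEN, MAX_SPACE_RATIO = 200, 0.02  # assumed: form text is short or has whitespace

class _Collector(HTMLParser):
    """Collects every <textarea> (id/name, hidden flag, content) and every <script> body."""
    def __init__(self):
        super().__init__()
        self.textareas, self.scripts, self._cur = [], [], None
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "textarea":
            hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
            self._cur = {"id": a.get("id") or a.get("name"), "hidden": hidden, "text": ""}
            self.textareas.append(self._cur)
        elif tag == "script":
            self._cur = {"text": ""}
            self.scripts.append(self._cur)
    def handle_endtag(self, tag):
        if tag in ("textarea", "script"):
            self._cur = None
    def handle_data(self, data):
        if self._cur is not None:
            self._cur["text"] += data

def scan_html(html):
    """Return one finding per suspicious textarea: its id, content length and the reasons."""
    c = _Collector()
    c.feed(html)
    js = "\n".join(s["text"] for s in c.scripts)
    findings = []
    for ta in c.textareas:
        body, reasons = ta["text"].strip(), []
        if ta["id"] and re.search(r"getElement(s)?By(Id|Name)\s*\(\s*['\"]" + re.escape(ta["id"]) + r"['\"]", js):
            reasons.append("read-by-script")
        if len(body) >= MIN_BLOB_LEN and sum(ch.isspace() for ch in body) / len(body) < MAX_SPACE_RATIO:
            reasons.append("opaque-blob")
        if ta["hidden"]:
            reasons.append("hidden")
        # a field that a script merely validates is a normal form; flag only when a second signal joins it
        if "read-by-script" in reasons and len(reasons) >= 2:
            findings.append({"id": ta["id"], "length": len(body), "reasons": reasons})
    return findings

# Constructed samples (not real pages): an ordinary comment form, and a page of the kind described above.
BENIGN = ('<form><textarea id="comment" rows="4">Great article, thanks for the analysis.</textarea>'
          '<script>function ok(){return document.getElementById("comment").value.length>0;}</script></form>')
MALICIOUS = ('<textarea id="d" style="display: none">' + "%75%6e" * 120 + '</textarea>'
             '<script>var p=document.getElementById("d").value;run(p);</script>')
```

Running `scan_html(MALICIOUS)` yields a single finding for textarea "d" with all three reasons, while `scan_html(BENIGN)` returns an empty list because the comment field is only validated by its script.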
One of the main news stories in March was the closure of the Rustock botnet. The network created by Rustock amounted to several hundred thousand infected computers and was used to send out spam. Its closure was orchestrated by Microsoft and the US authorities. On 17 March, Microsoft announced that all the botnet’s command servers had been shut down. A redirect to microsoftinternetsafety.net was installed on all the servers shut down by Microsoft.
According to Kaspersky Lab, the last copies of Rustock were downloaded to users’ computers from the botnet command center on 16 March and the last command to send spam was given on 17 March. Since then, no more commands have been recorded. Moreover, not one downloader capable of installing Rustock on users’ computers has been detected since 16 March.
Does this signal the end for one of the most infamous spam botnets? Or have the botnet owners gone to ground to wait until things have calmed down so they can restore their network? Only time will tell.
Malicious programs for Android are no longer so exotic. In March, cybercriminals managed to spread malware disguised as legitimate applications on Android Market.
We detected infected versions of legitimate apps on Android Market in early March. They contained the root exploits ‘rage against the cage’ and ‘exploid’ that allow a malicious program to obtain root access on Android smartphones, giving full administrator-level access to the device’s operating system.
As well as the root exploit in the malicious APK archive there were two other malicious components. After gaining root rights, one of them sent an XML file containing IMEI, IMSI and other device information to a remote server using the POST method and awaited further commands. The other component had Trojan-downloader functionality, though we have yet to receive any downloaded files.
2011 Apr 05, 22:43