It’s that time of the month again – when a young man’s mind turns to browsing virus collections.
Even after two miscellanies it is possible to draw some preliminary conclusions: malware that is used to make money is growing visibly and malware writers follow trends, with the popular malware showing up in the ratings consistently.
Analysis
Blog
After its silent demise in the previous Congress, a revamped computer-crimes bill has once again made its way onto the docket of this year's 110th Congress. H.R. 1525, an amendment to Part I of Title 18 of the U.S. Code (Chapter 47, section 1030), was approved by the House Energy and Commerce subcommittee. H.R. 1525 is an evolution of the original Internet Spyware Protection Act (I-SPY) of 2005. In its own words, the new bill is "to discourage spyware, and for other purposes".
One of the other purposes of the bill is to ensure that major security breaches do not go unreported. In certain cases, reporting a computer intrusion to authorities is not just an option, it is mandatory. Because attackers are increasingly going after data stored at large data warehouses (DSW Shoes, TJ Maxx, ChoicePoint, etc.), and then using the stolen information to commit fraud and ID theft-related crimes, this is important protection for consumers.
The bill also protects the company (or person) being attacked. When there is a computer intrusion that results in the potential disclosure of confidential information, details of the attack may not have to be reported to the public. The bill proposes that companies work with law enforcement agencies to investigate the incident before releasing details to the public. This offers the company time to harden its computer security and put into place monitors and procedures for affected clients. Both are preemptive actions that could save the company additional millions in costly lawsuits.
But while the new legislation serves an important purpose, it won't bring an end to computer crime. We regularly see attackers target low-hanging fruit, and the relatively easy money to be made from mass-spammed phishing e-mails fits that model. The anonymity that attackers believe the Internet affords them is also empowering: legislation in one country doesn't necessarily affect somebody operating from another. We can therefore expect computer fraud and intrusion crimes to continue for the foreseeable future.
http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=110_cong_bills&docid=f:h1525ih.txt.pdf
Yesterday, all of Russia was saying farewell to Boris Yeltsin, Russia's first president. All? Not the spammers: they were too busy flooding email traffic with messages whose subject lines read "Boris Yeltsin lives".
Inside, the emails had the following text:
The text was naturally followed by a link to read more. Thankfully, in this case the links did not lead to malware.
Spammers are well known for using hot topics as social engineering tools to get naïve users to respond to spam. Deaths or purported deaths of well known figures are a popular topic.
The links in the Yeltsin spam led to a community board where people can ask doctors questions. Many upset victims left angry posts, but the moderators have not responded to date. The point of the spam run? The target site is a community effort, so unless one of the advertisers on the site paid for the traffic, there doesn't seem to have been any real point.
In any case, the spammers have once again demonstrated their lack of respect for basic human values.
A range of cases shows that compromised computers can be found in almost any field of business. We have seen phishing pages hosted on school and university sites as well as on banking and government websites. This week we came across a rather rare case: a PayPal phishing scam planted on a machine apparently belonging to a provider of IT security solutions.
This is one of the many examples that show that even if a network is maintained by qualified specialists, you can't let your guard down for a minute.
Of course we notified the company the minute we discovered the glitch and 8 hours later the phish had been removed.
Incidentally, the phishing setup contained "Trojan-Spy.HTML.Paylap.hp" as well as "Trojan-Spy.HTML.Paylap.hn", both of which are detected by Kaspersky products since January 2006.
We've just confirmed multiple reports that asus.com, the website of a very well-known hardware manufacturer, has been compromised. An iframe has been added to the page which leads to the recent ANI exploit.
The URLs in the exploit variants which we've detected are currently down.
We're trying to get in touch with ASUS. This latest case shows that you can get infected when visiting legitimate sites, so you should always install patches as soon as you can.
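The asus.com case is the classic drive-by pattern: a legitimate page with an injected, usually invisible, iframe that pulls the exploit from a third-party host. As an added example (not code from the original post or from Kaspersky), the following Python walks a page's HTML and flags iframes that are hidden by size or CSS, or that point off-site. The page markup, the site host `www.example-vendor.com` and the exploit host `198.51.100.23` are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


def _is_tiny(value):
    """True for width/height attributes of 0 or 1 (px) - a frame nobody is meant to see."""
    if value is None:
        return False
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1


class IframeFinder(HTMLParser):
    """Collect iframes that look injected rather than part of the site's own layout."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.suspicious = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}  # HTMLParser already lowercases names
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()  # '' for relative/empty src
        reasons = []
        # 1. src on a host that is neither the site nor one of its subdomains
        if host and host != self.site_host and not host.endswith("." + self.site_host):
            reasons.append(f"off-site src {host}")
        # 2. zero/one-pixel frame
        if _is_tiny(a.get("width")) or _is_tiny(a.get("height")):
            reasons.append("zero/one-pixel frame")
        # 3. hidden via inline CSS
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if reasons:
            self.suspicious.append((src, reasons))


def find_injected_iframes(html, site_host):
    """Return [(src, reasons)] for every iframe on the page that trips a heuristic."""
    finder = IframeFinder(site_host)
    finder.feed(html)
    return finder.suspicious


# Constructed sample page: one legitimate same-site frame, one injected exploit frame.
SAMPLE_PAGE = """<html><body>
<h1>Support</h1>
<iframe src="/support/chat.html" width="400" height="300"></iframe>
<p>Contact us.</p>
<iframe src="http://198.51.100.23/cnt/ani.htm" width="0" height="0"
        style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_injected_iframes(SAMPLE_PAGE, "www.example-vendor.com"):
        print(src, "->", ", ".join(reasons))
```

The off-site check is the noisiest of the three (legitimate embeds also point elsewhere), so in practice combine it with the size and CSS checks or with an allow-list of known embed hosts before raising an alert.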
Do you think that installing Linux on an iPod is a waste of time? If you work in an anti-virus company it's not – you’re preparing the device to play with the first known virus for iPod.

It’s a typical proof of concept sample, showing that here’s another device that can be infected. It took us time to run the sample because the virus has bugs and sometimes crashes the system with Linux debug messages.
Overall, I don't think iViruses will cause serious problems in the future. The iPod world is very different from the PC and smartphone world. Users aren’t constantly installing new software and downloading a wide range of files, so that cuts down on the possible infection vectors. And what’s there to steal from an iPod? Multimedia files, and that's about all.
So – it was an interesting little puzzle, this proof of concept, but nothing more.
This year we've started to see a vastly increased number of attacks directed at online banking systems. For instance, last month Roel blogged about Banker.cmb, which targeted ABN-AMRO customers, an operation which received a lot of attention.
It's clear that criminals around the world have figured out that the weakest link in any security system is the user.
Earlier today we intercepted a phishing attack against BRD, the Romanian branch of Groupe Societe Generale. This was the third phishing attempt against BRD in the past few days. What really caught my eye was the method the criminals are using this time. They sent out an email claiming that the website www.brd-net.ro had been used in previous phishing attacks and that BRD customers should now use a new, "secure" website.

What's surprising is that www.brd-net.ro actually is the website which BRD uses for e-banking in Romania. This is in contrast to other banks which simply use a page on their main website.
I think it's very bad practice for a bank to use different domains for their main website and the website used for e-banking operations. It just causes confusion and makes it easier for lowlifes to trick customers into giving away their data.
Microsoft has just released an out-of-cycle security patch to address a vulnerability in Windows' handling of animated cursor [ANI] files that allows hackers to inject malicious code into vulnerable systems. The release is rated 'Critical' and has been brought forward from the scheduled 'Patch Tuesday' update on 10 April because Microsoft believes there's an increased risk of attack to its customers.
Those of you running Kaspersky Lab products will be pleased to know that we have been detecting exploits for this vulnerability since 30 March. So far we've seen 10 distinct modifications of the exploit, represented by more than 60 samples.
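The post describes the bug only as a flaw in Windows' handling of animated cursor files. The chunk-level detail used below, that the in-the-wild exploits carried a second `anih` chunk whose declared length exceeded the 36-byte ANIHEADER structure it was copied into (the first `anih` having been validated since the earlier MS05-002 fix), comes from the public descriptions of MS07-017, not from this page. As an added example, not Kaspersky's detection logic, the following Python walks the RIFF chunks of an ANI file and flags any `anih` chunk of the wrong size, any duplicate `anih`, and any chunk whose declared length overruns the file. The benign and malformed sample files are constructed inline.

```python
import struct

ANIHEADER_SIZE = 36  # sizeof(ANIHEADER): nine DWORD fields


def _walk(data, start, end, depth=0):
    """Yield (fourcc, payload_offset, declared_size, depth) for each RIFF chunk in
    data[start:end]. LIST chunks are descended into after their 4-byte list type."""
    off = start
    while off + 8 <= end:
        fourcc = data[off:off + 4]
        (size,) = struct.unpack_from("<I", data, off + 4)
        payload = off + 8
        yield fourcc, payload, size, depth
        if fourcc == b"LIST" and payload + size <= end:
            yield from _walk(data, payload + 4, payload + size, depth + 1)
        off = payload + size + (size & 1)  # chunks are WORD aligned


def check_ani(data):
    """Return a list of findings for an ANI file; an empty list means every chunk looked sane."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON container"]
    (riff_size,) = struct.unpack_from("<I", data, 4)
    end = min(len(data), 8 + riff_size)
    findings = []
    anih_seen = 0
    for fourcc, payload, size, _depth in _walk(data, 12, end):
        name = fourcc.decode("ascii", "replace")
        if payload + size > end:
            findings.append(f"{name} chunk at 0x{payload - 8:x} declares {size} bytes "
                            f"but only {end - payload} remain")
        if fourcc == b"anih":
            anih_seen += 1
            if size != ANIHEADER_SIZE:
                findings.append(f"anih chunk #{anih_seen} at 0x{payload - 8:x} declares "
                                f"{size} bytes, expected {ANIHEADER_SIZE}")
            elif anih_seen > 1:
                findings.append(f"duplicate anih chunk #{anih_seen} at 0x{payload - 8:x}")
    if anih_seen == 0:
        findings.append("no anih chunk")
    return findings


# --- constructed samples ---------------------------------------------------
def _chunk(fourcc, payload):
    pad = b"\x00" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def _riff(chunks):
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


# cbSize, cFrames, cSteps, cx, cy, cBitCount, cPlanes, JifRate, flags
GOOD_HEADER = struct.pack("<9I", 36, 1, 1, 0, 0, 0, 0, 10, 1)

BENIGN_ANI = _riff([
    _chunk(b"anih", GOOD_HEADER),
    _chunk(b"LIST", b"fram" + _chunk(b"icon", b"\x00" * 22)),
])

# valid first anih to pass the older check, then an oversized second one
MALFORMED_ANI = _riff([
    _chunk(b"anih", GOOD_HEADER),
    _chunk(b"anih", b"A" * 256),
])

# a chunk whose declared length points far past the end of the file
TRUNCATED_ANI = _riff([
    _chunk(b"anih", GOOD_HEADER),
    b"anih" + struct.pack("<I", 0xFFFFFFF0) + b"A" * 16,
])

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_ANI), ("malformed", MALFORMED_ANI),
                        ("truncated", TRUNCATED_ANI)):
        print(label, "->", check_ani(blob) or "clean")
```

A size check like this is a structural heuristic, not a signature: it catches the malformation the known exploits relied on but says nothing about what the overflow payload does, and a cursor that is merely corrupt will trip it too.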