Malware Statistics for April 2010

Monthly Malware Statistics: April 2010

Malicious programs detected on users’ computers

The first Top Twenty lists malicious programs, adware and potentially unwanted programs that were detected and neutralized when accessed for the first time, i.e. by the on-access scanner.

Position | Change in position | Name | Number of infected computers
1 | 0 | | 330025
2 | 0 | Virus.Win32.Sality.aa | 208219
3 | 0 | Net-Worm.Win32.Kido.ih | 183527
4 | 0 | | 172517
5 | 0 | | 125714
6 | +2 | Virus.Win32.Virut.ce | 70307
7 | New | Exploit.JS.CVE-2010-0806.i | 68172
8 | -2 | Trojan-Downloader.Win32.VB.eql | 64753
9 | +2 | Worm.Win32.Mabezat.b | 51863
10 | +5 | Trojan-Dropper.Win32.Flystud.yo | 50847
11 | -1 | | 49622
12 | New | Exploit.JS.CVE-2010-0806.e | 45070
13 | -4 | Packed.Win32.Krap.l | 44942
14 | New | Trojan.JS.Agent.bhr | 36795
15 | +2 | | 36408
16 | Return | | 35877
17 | -1 | Virus.Win32.Induc.a | 31846
18 | New | | 30167
19 | Return | Packed.Win32.Black.a | 29910
20 | Return | Worm.Win32.AutoRun.dui | 28343
Source: Kaspersky Lab

Malware Statistics – March 2010

Malicious programs detected on users’ computers

Top twenty malicious programs detected on users' computers throughout the month of March.

Position | Change in position | Name | Number of infected computers
1 | 0 | | 332833
2 | 0 | Virus.Win32.Sality.aa | 211229
3 | 0 | Net-Worm.Win32.Kido.ih | 186685
4 | 0 | | 181825
5 | 0 | | 121027
6 | 0 | Trojan-Downloader.Win32.VB.eql | 68580
7 | New | Trojan.Win32.AutoRun.abj | 66331
8 | +1 | Virus.Win32.Virut.ce | 61003
9 | +1 | Packed.Win32.Krap.l | 55823
10 | -2 | | 55065
11 | +4 | Worm.Win32.Mabezat.b | 49521
12 | -5 | Exploit.JS.Aurora.a | 43776
13 | New | | 40912
14 | New | Trojan.Win32.AutoRun.aay | 40754
15 | +3 | Trojan-Dropper.Win32.Flystud.yo | 40190
16 | -4 | Virus.Win32.Induc.a | 38683
17 | -4 | | 38547
18 | New | Trojan.Win32.AutoRun.abd | 37037
19 | -5 | not-a-virus:AdWare.Win32.Boran.z | 36996
20 | 0 | not-a-virus:AdWare.Win32.FunWeb.q | 34177
Source: Kaspersky Lab

Most “Malware” is now “Crimeware”

Computer viruses, Trojans, and worms have evolved a great deal since their inception in the 1970s.  Malware was originally the province of pranksters and glory seekers, then of vandals trying to see how much damage they could cause; the current generation of malicious hackers is in it for the money.

The first widespread virus outbreak occurred in 1982 and was known as "Elk Cloner."  On every 50th boot it displayed a short poem, but was otherwise harmless.  Since then there have been many viruses and variants that caused no intentional damage to hardware or software, but at fixed or random intervals would display jokes, political messages, or humorous (to the virus authors, at least) messages.  Such "harmless" malware can still be disruptive, though, by clogging networks, slowing system performance, and consuming storage space.

It wasn't long after that first widespread outbreak that virus technology attracted a more despicable breed of hacker: those who create malware with intentionally destructive capabilities.  A prime example is the Jerusalem virus, discovered in 1987.  On any Friday the 13th it deleted every program that was run on the infected machine.  This virus spawned a large number of variants which activated on different dates and produced numerous symptoms, some intended and others accidental, but the majority of them, like the original, deleted or corrupted executable programs.  The motivations behind these attacks are perplexing because the destruction of resources seems pointless.  The question, "Why don't these programmers put their skills to more productive use?" seems to have inspired the current mindset among malware authors, although not in the direction we would have liked.

While the pranksters and vandals may still be around, of much greater concern these days is the prevalence of viruses, Trojans, and worms whose creators are financially motivated, often with connections to criminal gangs and organized crime; hence the term "crimeware."  Far from trying to make the most dramatic impact possible, as the original malware did, crimeware tries to conceal its presence completely and avoid detection for as long as possible.  Hundreds of thousands, even millions, of PCs and servers are infected at any given time, in most cases without the knowledge of their owners.  Crimeware employs a number of techniques to stay hidden.  Rootkits, for example, install themselves deep within the operating system and hook standard system calls and APIs so that their processes, files, and registry keys are omitted from whatever the system reports.  This makes it difficult even for antivirus and other security programs to detect and remove them, which is why dedicated rootkit scanners compare the view the operating system presents with a lower-level view (raw disk or kernel structures) and flag anything that appears in one but not the other.

Crimeware, as the name implies, exists to help its authors commit crimes: identity theft, fraud, financial scams, theft of intellectual property and industrial secrets, and unauthorized access to confidential information.  Keyloggers, often delivered by a virus or worm, capture users' keystrokes and transmit them to criminals, who analyze the data to recover passwords and security phrases.  Why risk getting shot while robbing a bank when one can simply use a stolen password to clean out someone's bank account electronically?

As bad as this kind of crimeware is, there is one more trend that is even more disturbing.  Using worms, viruses, and Trojans, crimeware authors deploy agents that give them remote control over infected machines.  Networks of such machines are referred to as "botnets"; the average botnet is about 20,000 computers, but some have reportedly numbered in the millions.  Botnets give their operators computing power heretofore available only to agencies with access to super-computers.  They harness this power to launch phishing and denial-of-service attacks, send out massive amounts of spam, crack passwords, and perpetrate other types of internet crime.  Botnet controllers have gone so far as to create complete business models, renting segments of their botnets to organized crime and other criminal elements for targeted attacks on specific businesses, government agencies, or market segments.  Sometimes these "services" come complete with technical support!

As an indication of just how serious the impact of crimeware is these days, the FBI recently issued a press release where they state that crimeware in general and botnets in particular represent “a growing threat to national security, the national information infrastructure, and the economy.”

Twitter says no to Koobface

With Koobface spreading across social networking sites, Twitter has taken action by suspending accounts it knows to be compromised by the Koobface malware.  Koobface uses the victim's logged-in social-network session to post messages in the victim's name, enticing friends to click on a link.  The link leads to a malicious website that attempts to infect the visitor in turn.  Koobface attacks Facebook and MySpace users with the same technique, and earlier variants targeted Bebo, Friendster, LiveJournal, and Hi5, according to CERT.
Earlier, Koobface used trending topics such as Michael Jackson to lure users into clicking links to malicious sites, advertising the link as a Michael Jackson video.  Koobface is updated regularly to bypass security software and avoid detection.  It can also harvest data from infected users' machines and is considered a dangerous threat.

March Malware Statistics

This month's top 20 list comes from the Kaspersky Security Network. The ranking is made up of the malicious programs, adware and potentially unwanted programs most frequently detected on users' computers. As expected, Conficker (also known as Kido or Downadup) topped the list.

Position | Change in position | Name
1 | +1 | Net-Worm.Win32.Kido.ih
2 | -1 | Virus.Win32.Sality.aa
3 | +2 |
4 | +4 | Trojan-Downloader.Win32.VB.eql
5 | +2 | Packed.Win32.Krap.g
6 | 0 | Worm.Win32.AutoRun.dui
7 | -4 | Packed.Win32.Krap.b
8 | -4 | Packed.Win32.Black.a
9 | New | Trojan-Dropper.Win32.Flystud.ko
10 | +5 | Virus.Win32.Sality.z
11 | +1 | Worm.Win32.Mabezat.b
12 | -2 | Virus.Win32.Alman.b
13 | +1 |
14 | New | Trojan.JS.Agent.ty
15 | +2 | Email-Worm.Win32.Brontok.q
16 | +3 | Worm.Win32.Autoit.i
17 | Return | Virus.Win32.VB.bu
18 | New | Packed.Win32.Katusha.a
19 | New | Trojan.Win32.RaMag.a
20 | New | Trojan.Win32.Autoit.xp

Source: Kaspersky Lab

Spam is Back in Full Force

Symantec's Monthly State of Spam report for March recorded an increase in bounced messages caused by spammers forging legitimate email addresses as the sender (the envelope sender and the "From" header) of their own spam.

This is the classic backscatter problem: spammers take advantage of mail transfer agents that accept a message and only afterwards generate a non-delivery report containing the list of failed recipient addresses, an explanation of the failure, and a copy of the original message. Because the sender address was forged, that report goes to someone who had nothing to do with the spam, and it carries the spammer's content with it. Anti-spam filters are reluctant to block non-delivery reports, since legitimate bounces matter to users, so most of this traffic reaches the inbox.

Corporate networks feel the greatest burden of the increased attacks: wasted bandwidth and more unwanted messages in users' inboxes translate into lost productivity. Administrators are encouraged to configure their mail transfer agents to reject mail for unknown recipients during the SMTP transaction, so that no bounce is generated at all; to omit the body of the original message from any bounces they do send; and to tag or sign outgoing mail (for example with DKIM, or with a bounce-address tag on the envelope sender) so that bounces for mail the site never sent can be recognised and discarded.
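The last of those measures, tagging the envelope sender of outgoing mail so that bounces for mail you never sent can be told apart from real ones, is what the BATV ("prvs=") scheme does. The following is an added example written for this page; it is not code from the Symantec report or from any mail server. It implements a BATV-style tag in Python: outgoing MAIL FROM addresses are rewritten to carry a key id, a day of year and a short HMAC, and a null-sender message (a bounce) arriving at an address is accepted only if that address carries a valid, unexpired tag. The tag layout, the SHA-256 HMAC, the seven-day validity window, the secret keys and the sample addresses are all assumptions of this example, not the values the BATV draft or any product uses.

```python
import hashlib
import hmac
import re
from datetime import date, timedelta
from typing import Dict, Optional

# Constructed example keys. Assumption: a real deployment uses a site secret that
# is rotated, with the single key-id digit in the tag selecting which key to verify with.
SECRET_KEYS: Dict[int, bytes] = {0: b"constructed-example-key-0", 1: b"constructed-example-key-1"}
ACTIVE_KEY_ID = 1
MAX_AGE_DAYS = 7  # a tagged sender stays valid for bounces this long (assumed window)

# Tag layout assumed here: prvs=<key-id><day-of-year:3 digits><mac:6 hex>=<original address>
_PRVS_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=([^@]+)@(.+)$", re.IGNORECASE)


def _mac(key_id: int, day: int, address: str) -> str:
    """Six hex chars of an HMAC over key id, day of year and the lower-cased address."""
    msg = f"{key_id}{day:03d}{address.lower()}".encode()
    return hmac.new(SECRET_KEYS[key_id], msg, hashlib.sha256).hexdigest()[:6]


def sign_sender(address: str, when: Optional[date] = None) -> str:
    """Rewrite the envelope sender (SMTP MAIL FROM) of an outgoing message."""
    day = (when or date.today()).timetuple().tm_yday  # 1..366
    tag = f"{ACTIVE_KEY_ID}{day:03d}{_mac(ACTIVE_KEY_ID, day, address)}"
    return f"prvs={tag}={address}"


def verify_sender(address: str, when: Optional[date] = None) -> bool:
    """True only if `address` carries a tag this site issued within MAX_AGE_DAYS."""
    m = _PRVS_RE.match(address)
    if not m:
        return False  # untagged: this site never used it as an envelope sender
    key_id, day, sig = int(m[1]), int(m[2]), m[3].lower()
    original = f"{m[4]}@{m[5]}"
    if key_id not in SECRET_KEYS or not 1 <= day <= 366:
        return False
    today = (when or date.today()).timetuple().tm_yday
    # Modular difference so a tag from late December still verifies in early January;
    # a day in the "future" (forged or very old tag) wraps to a large value and is rejected.
    if (today - day) % 366 > MAX_AGE_DAYS:
        return False
    return hmac.compare_digest(_mac(key_id, day, original), sig)


def classify_bounce(rcpt_to: str, when: Optional[date] = None) -> str:
    """Policy for a message with a null envelope sender (MAIL FROM:<>), i.e. a bounce,
    addressed to rcpt_to. Only bounces to addresses we tagged concern mail we actually sent."""
    return "accept" if verify_sender(rcpt_to, when) else "reject-backscatter"


def demo() -> Dict[str, object]:
    """Walk through the cases on a fixed date (constructed data) and return the outcomes."""
    sent_on = date(2010, 3, 15)
    tagged = sign_sender("alice@example.com", when=sent_on)
    return {
        "tagged": tagged,
        "bounce_same_day": classify_bounce(tagged, when=sent_on),
        "bounce_after_7_days": classify_bounce(tagged, when=sent_on + timedelta(days=7)),
        "bounce_after_8_days": classify_bounce(tagged, when=sent_on + timedelta(days=8)),
        "bounce_before_tag_day": classify_bounce(tagged, when=sent_on - timedelta(days=1)),
        # A spammer forged alice@example.com as sender; the NDR arrives at her plain address.
        "backscatter_untagged": classify_bounce("alice@example.com", when=sent_on),
        # A valid tag copied onto a different local part: the MAC no longer matches.
        "tampered": classify_bounce(tagged.replace("alice", "mallory"), when=sent_on),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The check belongs at the edge MTA, applied only to messages with an empty envelope sender, so that ordinary mail to the plain address is unaffected; mailing lists and forwarders that rewrite the envelope sender need to be whitelisted, since their bounces will arrive untagged.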