Malware Statistics – March 2010

Malicious programs detected on users’ computers

The top twenty malicious programs detected on users' computers throughout the month of March.

Position  Change  Name                                 Infected computers
1         0                                            332833
2         0       Virus.Win32.Sality.aa                211229
3         0       Net-Worm.Win32.Kido.ih               186685
4         0                                            181825
5         0                                            121027
6         0       Trojan-Downloader.Win32.VB.eql       68580
7         New     Trojan.Win32.AutoRun.abj             66331
8         1       Virus.Win32.Virut.ce                 61003
9         1       Packed.Win32.Krap.l                  55823
10        -2                                           55065
11        4       Worm.Win32.Mabezat.b                 49521
12        -5      Exploit.JS.Aurora.a                  43776
13        New                                          40912
14        New     Trojan.Win32.AutoRun.aay             40754
15        3       Trojan-Dropper.Win32.Flystud.yo      40190
16        -4      Virus.Win32.Induc.a                  38683
17        -4                                           38547
18        New     Trojan.Win32.AutoRun.abd             37037
19        -5      not-a-virus:AdWare.Win32.Boran.z     36996
20        0       not-a-virus:AdWare.Win32.FunWeb.q    34177
Source: Kaspersky Lab

UNC data breach exposes 163,000 SSNs

In another recent large-scale breach, the University of North Carolina at Chapel Hill has notified around 163,000 women of a potential compromise that may have exposed their personal information, including their Social Security numbers. The potential leak stems from a hacker breaching a system that held this data.

Although the breached server at the UNC School of Medicine held records on 236,000 women, only 163,000 of those records contained Social Security numbers. Matt Mauro, chairman of the university's Department of Radiology, said the breach was originally discovered in July but that the intrusion may have taken place as long as two years ago. Mauro said, "We think we found some viruses that date back to 2007".

The server has been offline since the breach was detected in July, and the sites that send information to UNC have temporarily stopped doing so. Forensic teams needed time to piece together the extent of the damage and what information may have leaked, which is the main reason given for the delayed announcement. At this point they do not believe the information was downloaded or modified in any way.

Keylogging: Malware or Legitimate Tool?

Long considered malware and a threat to privacy and security, keylogging software has been found in Microsoft Internet Explorer 8 and Google Chrome. However, these keyloggers were not placed there by hackers: the companies put them there on purpose.

Google and Microsoft added keyloggers to their browsers in an attempt to improve searches for their users. Keylogging lets the browser work out common or most likely searches from the user's past usage. Keyloggers also store user log-ins and passwords for the user's convenience, track activity to help determine the cause of errors, and are used by employers to track employee productivity. While all of this is very useful for the companies doing the tracking, it makes anti-malware protection more complicated, because malware filters like Kaspersky's can no longer simply delete every keylogger they find, as they have done up until this point.

Cyber criminals use keylogging to capture and record every keystroke you make in order to steal personal information such as user IDs, passwords and anything else they can use to steal your identity. However, some companies are now using keylogging for more legitimate purposes.

In order to determine the best course of action regarding keyloggers, Kaspersky Lab, an industry leader in anti-malware protection, is seeking legal counsel. While the company does not want to accuse legitimate companies of wrongdoing, it still wants to provide the best and most comprehensive anti-malware protection on the market. If it were up to Eugene Kaspersky, the company's CEO, users would refuse to tolerate these privacy-invading programs in their browsers and would ask the companies to remove them. "That would save us a lot of work, and we already have plenty to do," he told Computer Weekly. Google is already reacting to the public's aversion to keylogging by promising to keep the information anonymous, but Microsoft has made no such announcement as yet.

What it all comes down to is this: is the convenience provided by keylogging worth compromising the security of your computer?

Poisoning Google with Malware

A new threat is filling Google search results with links to malicious sites. CERT warns that this threat is spreading quickly, especially over the last few days. According to CERT, thousands of legitimate sites are now infected with this threat, which has been named the Gumblar attack.

The attack steals FTP account credentials from the victim's machine in order to spread further. It also takes control of the victim's browser, which is how it replaces Google search results. ScanSafe reports that of the 3,000 known infected sites, 800 were infected within the last week.

As of right now, the Gumblar attack is considered relatively small in scale. With access to victims' FTP account information and strong obfuscation, its growth is expected to continue. Typically the number of sites infected with a known threat declines over time; this isn't the case with the Gumblar attack.

The Gumblar attack uses known flaws in Adobe software products (which typically are not patched quickly) to install the malicious software.

Crimeware kits for sale

Independent research reports from several different internet security firms are warning about the increased level of technology, sophistication, and organization that criminals are employing in their endeavors to steal, defraud, extort, and otherwise scam individuals and corporate entities out of their money. Today's hacker wannabe doesn't even have to be particularly skilled technically. He just has to be willing and able to cough up the money for a good crimeware kit, which can cost upwards of $3000.00 depending on the capabilities desired.

According to Symantec, 3 phishing kits were responsible for over 40 percent of the phishing attacks it observed during a recent 6-month interval. These kits come complete with sample phishing web sites and email messages, and their availability on the black market can be linked to the 53 percent increase in the number of phishing attacks observed during the same period.

Other crimeware kits such as MPack combine multiple attack types, exploiting both web server and client vulnerabilities. Additionally, kits are available that allow criminals to customize Trojans in order to target specific sectors or agencies. Finjan reports that these crimeware Trojan kits create a new binary file with each use, making signature-based detection extremely difficult. These kits are also capable of generating Command and Control modules for remote control of the distributed Trojans, in effect creating botnets.

These kits show all the traits of professionally developed software suites, utilizing the latest web 2.0 programming technologies. This has resulted in skyrocketing infections within the most popular web 2.0 sites, including social networks and P2P file-sharing sites. In fact, according to Websense, 60 percent of the most popular sites on the internet either hosted crimeware, or linked to malicious websites which hosted crimeware, during the first 6 months of 2008. Various MySpace hacks, for example, allowed criminals to view private profiles and capture logon details, enabling the hackers to use the hacked accounts to send spam or host malware.

One of the newest kits available to hackers was discovered by Panda Security in June. It converts traditional Trojans into worms. This means that once a machine is infected with the Trojan, other computers sharing the same network could be infected without the users opening an infected email attachment or visiting a malicious site. Such hybrids spread much more quickly than the original Trojans from which they’re created.

Crimeware kits are distributed to potential buyers, who use private chat facilities to negotiate and consummate the transactions. Sites which host torrent trackers also index many hacking toolkits. Of course, the illegal gangs and cybercriminals have their own distribution and management channels. These organizations seem very much like a cross between modern high-tech business enterprises and mafia-style organized crime. The top managerial tier does not engage directly in hacking activities, but directs middle management layers which control the distribution of crimeware and crimeware kits to lower tiers. These lower tiers are the actual hackers collecting the stolen data, identities, credit card numbers, etc. They also control the botnets which are used to launch attacks, send spam, and expand their networks.

The growing sophistication of crimeware (and the ease with which it can now be developed and deployed), the increased use of blended attacks involving multiple attack vectors, and the continual refinement of the criminal organizations behind cybercrime are all symptoms of the trend away from malware created for glory or anarchistic destruction and toward crimeware geared for stealth and profit.

Sophisticated kits generate custom trojans for stealing data and conscripting into C & C networks (botnets). — Finjan Web Security Trends Report Q2 2008.

March Malware Statistics

This month's top 20 list comes from the Kaspersky Security Network. The ranking is made up of the malicious programs, adware and potentially unwanted programs most frequently detected on users' computers. As suspected, Conficker (also known as Kido or Downadup) topped the list.

Position  Change  Name
1         1       Net-Worm.Win32.Kido.ih
2         -1      Virus.Win32.Sality.aa
3         2
4         4       Trojan-Downloader.Win32.VB.eql
5         2       Packed.Win32.Krap.g
6         0       Worm.Win32.AutoRun.dui
7         -4      Packed.Win32.Krap.b
8         -4      Packed.Win32.Black.a
9         New     Trojan-Dropper.Win32.Flystud.ko
10        5       Virus.Win32.Sality.z
11        1       Worm.Win32.Mabezat.b
12        -2      Virus.Win32.Alman.b
13        1
14        New     Trojan.JS.Agent.ty
15        2       Email-Worm.Win32.Brontok.q
16        3       Worm.Win32.Autoit.i
17        Return  Virus.Win32.VB.bu
18        New     Packed.Win32.Katusha.a
19        New     Trojan.Win32.RaMag.a
20        New     Trojan.Win32.Autoit.xp

Source: Kaspersky Lab