Lavasoft Security Bulletin: August 2013

Top20 Blocked Malware

Position Ad-Aware detection % of all threats Change in ranking
1 Win32.Trojan.Agent 30.04% +0.13%
2 Trojan.Win32.Generic!BT 25.85% +1.35%
3 Email-Worm.Win32.Brontok.a 3.79% new
4 Trojan.Win32.Generic.pak!cobra 2.90% +0.79%
5 Virus.Win32.Sality.at 1.27% -1.38%
6 Malware.JS.Generic 1.22% -0.77%
7 HackTool.Win32.Keygen 1.14% +0.04%
8 Virus.Win32.Ramnit.b 1.00% -0.06%
9 Trojan.Win32.Gframe 0.66% new
10 Virus.Win32.Neshta.a 0.58% -0.62%
11 Worm.Win32.Pykspa 0.50% new
12 Heur.HTML.MalIFrame 0.38% +0.06%
13 Virus.Win32.Sality.ah 0.38% -0.49%
14 Trojan.Win32.Jpgiframe 0.36% +0.02%
15 Trojan.Win32.Generic!SB.0 0.28% -0.15%
16 Trojan.Win32.Clicker!BT 0.27% new
17 Trojan.Win32.Sirefef.bb 0.27% new
18 INF.Autorun 0.24% -2.72%
19 Trojan-Clicker.HTML.Iframe 0.24% new
20 Trojan.Win32.Startpage.or 0.22% new

The Top 20 malicious programs blocked on PCs

August sees new detections in the Top 20 while Email-Worm.Win32.Brontok.a and Worm.Win32.Pykspa make a return to the prevalence list having last been seen in June 2013 and April 2013, Trojan.Win32.Gframe, detecting malicious IFrames embedded in GIF files, makes an appearance at position nine.

Trojan.Win32.Gframe (MD5: ffd89e57a371bec38a249354be8fff0e)

New Incomings to the Lab

Let’s review and consider information on the number of unique files with the same detection name.

Position Ad-Aware detection % of all threats Change in ranking
1 Trojan.Win32.Generic!BT 35.47% -0.75%
2 Trojan.Win32.Generic.pak!cobra 4.76% +0.18%
3 Virus.Win32.Expiro.bc 4.07% +0.89%
4 Trojan-Downloader.Win32.LoadMoney.u 4.06% new
5 Virus.Win32.Virut.ce 2.90% +2.13%
6 Worm.Win32.Gamarue.aa 1.26% +0.88%
7 Trojan.Win32.Desini.a  1.00% new
8 Malware.JS.Generic 0.99% +0.68%
9 Trojan-Dropper.Win32.Gepys.a  0.85% +0.04%
10 Trojan.Win32.Generic!SB.0 0.81% -0.25%
11 Win32.Malware!Drop 0.77% +0.29%
12 Trojan.Win32.Runner.a  0.71% new
13 Trojan.Win32.Dwnldr.y 0.66% +0.38%
14 FraudTool.Win32.FakeRean 0.65% +0.26%
15 Trojan.Win32.PSW.gz 0.61% -0.37%
16 Trojan.JS.Obfuscator.aa 0.55% -0.04%
17 Trojan.Win32.Reveton.a 0.51% new
18 Trojan.Win32.Vobfus.paa 0.45% +0.03%
19 TrojanPWS.Win32.OnLineGames.ahj 0.43% +0.13%
20 Worm.Win32.Mabezat.b 0.37% +0.10%

New malicious programs entered the Top 20

Fake antiviruses holding machines to ransom until a fee is paid to unlock their computers continue to blight users. In August, our systems detected the following fake antiviruses:

Fake AV (MD5: 54828dd3e11fc1b5401745bdb5ae4251) is detected by Ad-Aware as Trojan.Win32.Reveton.a

Fake AV (MD5: 8ca5e580c60e66d4c87f9aa408946fc3) is detected by Ad-Aware as Trojan.Win32.Generic!BT

Fake AV (MD5: f83ca10a393ec4759202c077d63c3a20) is detected by Ad-Aware as FraudTool.Win32.FakeAV.hdd

Another prevalent class of malware is ransomware. This month we discovered a new take on the ransom tactic, called “PRISM locker”. It tricks users by showing popups, supposedly from the “NSA”, claiming they have been caught downloading and distributing illegal content, forcing the victim to pay a fine of $300 to unlock the computer.

PRISM locker (MD5: e1988e7512bb18dc0e3ed946ca466d0f) is detected by Ad-Aware as Trojan.Win32.Generic

Once launched the Trojan adds a reference to the registry Run key ensuring the infected computer will be locked with the next system start up:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"

You can find more details about that malware here.

New Features of Kelihos

Recently we published a report on Kelihos Update, where we presented new app targets and installation features in the backdoor. The paper also revealed that the botnet was still in operation and all six job servers were up and running.

Thanks to VirusTotal we can see several cached requests to the Kelihos job server:

The most remarkable change was in the installation procedure. Previous versions added “SonyAgent” values in a system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SonyAgent"=""
[HKCU\Software\Sony]
"SonyID"="DCmkXuRtjruvB1iHVBkEJlW2S+BimFp/lF4WuQjFyUZiEEBn51H4u+8OsvFwcsEfxA=="
"SonyID1"=dword:00000050
"SonyID2"=hex:00,00,00,00,00,00,00,00
"SonyID3"= (data_in_hex)

This time it uses randomization for registry entries and filenames, which complicates recognizing the infection for an ordinary user. The backdoor tries to mimic names of system files and services:

Kelihos uses random names from the list when spreading via removable drives by creating its copies and lnk files:

X:\{password, screensaver, click, installer, hentai, run, porn, game}.exe
X:\Shortcut to %file name from the list%.lnk

The additional dummy user-agents are used to avoid blocking http connections. The number of fake agents increased from 28 to 47 since March.
There are new incomings among targeted applications where the backdoor looks for user credentials as well:

Cyberduck, FreshFTP, FTPShell, Global Downloader, Notepad++, TFTPInfo, MyFTP, Sherrod, NovaFTP, CoolNovo

We scanned again fast-flux network for “ditojtap.ru” and harvested 4543 IP addresses that help to deliver updates to zombie computers.

It looks pretty similar to the map built for 6244 proxy-bots in March:

Both maps reveal that Ukraine is the most affected country with 47% of infected computers in the botnet’s fast-flux network.
The VirusTotal cached some of the DNS requests:

The main finding is that the botnet is still in operation despite all attempts to take it down. You can find a description of the latest downloaded sample in our Malware Encyclopedia.

Top20 Potentially Unwanted Programs

Below are the Top20 Potentially Unwanted Programs blocked by Ad-Aware on user’s PCs. These are advertising software, browser toolbars, search engines and other programs which change browser start pages and other system settings.

Position Ad-Aware detection % of all threats Change in ranking
1 MyWebSearch 4.54% -21.70%
2 Adware.Linkury 1.52% -13.43%
3 Win32.PUP.Bandoo 1.33% -6.51%
4 Win32.Toolbar.Iminent 1.06% -7.37%
5 Iminent 0.49% -7.94%
6 Bprotector 0.42% -2.76%
7 SweetIM 0.40% -4.16%
8 InstallCore 0.37% -1.89%
9 Yontoo 0.25% -1.92%
10 Win32.Adware.ShopAtHome 0.22% -1.07%
11 Wajam 0.19% -1.08%
12 CoolMirage Ltd 0.18% -0.87%
13 ExpressFiles Installer 0.17% new
14 DownloadMR 0.16% -1.06%
15 AirInstaller 0.16% new
16 Artua Vladislav 0.15% -1.20%
17 Babylon 0.15% -1.55%
18 DomaIQ 0.14% -0.86%
19 InstallBrain 0.13% -1.21%
20 Win32.Toolbar.Mediabar 0.13% -0.65%

Top20 PUPs detected on user’s PC

Operating Systems

Infections by OS

Geographic Location

Infections by country of origin

We will keep investigating the epidemiological situation in the world and informing our readers about new malicious code samples in the next Lavasoft Security Bulletin.

  • Back to articles


  • Share this post:    Twitter Facebook