Lavasoft Security Bulletin: January 2013

Top20 Malware in 2012

Position Ad-Aware detection % of all threats
1 Trojan.Win32.Generic!BT 42.51%
2 Win32.Trojan.Agent 23.95%
3 Malware.JS.Generic 6.01%
4 Trojan.Win32.Generic.pak!cobra 4.32%
5 Virus.Win32.Sality.at 4.11%
6 Trojan.Win32.Sirefef.bb 1.58%
7 Email-Worm.Win32.Brontok.a 1.37%
8 Trojan.Win32.Ircbot!cobra 1.05%
9 Win32.Backdoor.Inject 1.05%
10 Heur.HTML.MalIFrame 0.95%
11 FraudTool.Win32.AVSoft 0.84%
12 Virus.VBS.Ramnit.a 0.84%
13 Trojan.FakeAlert 0.84%
14 Trojan.Win32.Jpgiframe 0.63%
15 Trojan.Win32.Generic!SB.0 0.63%
16 Win32.Malware!Drop 0.53%
17 HackTool.Win32.Keygen 0.42%
18 Virus.Win32.Sality.bh 0.42%
19 Virus.Win32.Ramnit.b 0.32%
20 Trojan-Downloader.Win32.Agent 0.32%

The Top 20 malicious programs blocked on PCs

The top positions have remained unchanged this year. Generic detections covering a wide range of malicious programs for the Win32 platform dominate, followed by Trojans written in JavaScript, Trojans that use various packers for their executable files, and the Sality virus. Of significance is a modification of the multifunctional Trojan.Win32.Sirefef.bb, at position six, which uses advanced stealth techniques to hide its presence; some examples were described in a Lavasoft whitepaper published last year. In addition, new generic detections have entered the Top 20.

Trojan.Win32.Ircbot!cobra is a Trojan that grants attackers unauthorized access to the infected system via IRC. Once infected, the PC becomes part of a botnet: it connects to the IRC command and control server and waits for commands from the attacker. The following is an example of the IRC bot.

Win32.Backdoor.Inject injects malicious code into running processes. Through the injected code, attackers can take full control of an infected system and implement any functionality they wish. In most cases, such programs join infected computers into centralized botnets, allowing attackers to control them simultaneously in whatever way they choose, for example to launch DDoS attacks.

Trojan.FakeAlert displays fake messages informing the user that their security software is corrupted, in an attempt to trick the user into installing additional software to "secure" the operating system. As a rule, attackers use such Trojans to promote fake antivirus software.

FraudTool.Win32.AVSoft imitates antivirus solutions. Attackers hold the machine to ransom until the user pays a fee for the fake antivirus software or for technical support to remove the malicious software.

Win32.Malware!Drop & Trojan-Downloader.Win32.Agent. A peculiarity of these families is that they are designed to install other malware on infected systems. Once activated, Win32.Malware!Drop extracts the other malicious programs from its own body, and Trojan-Downloader.Win32.Agent then proceeds to download additional files from the Internet.

New Incomings to the Lab

Here we look at the number of unique files sharing the same detection name.

Position Ad-Aware detection % of all threats
1 Trojan.Win32.Generic!BT 30.15%
2 Trojan.Win32.Generic.pak!cobra 2.47%
3 Trojan.Win32.Medfos.m 1.61%
4 Trojan.Win32.Winwebsec.fd 1.40%
5 Virus.Win32.Virut.ce 1.21%
6 Trojan.JS.IFrame.i 0.54%
7 Trojan.Win32.Vobfus.paa 0.54%
8 Worm.Win32.Mabezat.b 0.51%
9 FraudTool.Win32.FakeRean 0.30%
10 Trojan-PWS.Win32.Zbot.aql 0.30%
11 Win32.Malware!Drop 0.29%
12 Malware.JS.Generic 0.22%
13 Worm.Win32.Esfury.ta 0.20%
14 Trojan.Win32.Reveton.a 0.19%
15 Backdoor.Win32.IRCBot.pbr 0.16%
16 Trojan.Win32.Generic!SB.0 0.16%
17 Trojan.Win32.Dwnldr.y 0.15%
18 Trojan.HTML.Framer.do 0.15%
19 Trojan.JS.Obfuscator.aa 0.11%
20 Trojan-Downloader.Win32.Agent 0.11%

New malicious programs entered the Top 20

January sees a growth in fake antivirus software, as revealed by our automated malware analysis systems. In most cases, attackers do not spend time on GUI modifications and change only the fake product’s name. The fake antivirus is priced in line with legitimate antivirus software.

Fake AV (MD5: 02afe016759a326101679e3a1bf7b291) is detected by Ad-Aware as Trojan.Win32.Generic!BT

Fake AV (MD5: 3c7aa7a2962d226bc17515231dda4f42) is detected by Ad-Aware as Trojan.Win32.Winwebsec

Fake AV (MD5: 31d5818bdc2c0c2ed96d546f44cff62e) is detected by Ad-Aware as FraudTool.Win32.FakeRean

Fake AV (MD5: 333f57cc749ba9d961b0c98205dfe65a) is detected by Ad-Aware as FraudTool.Win32.FakeRean

Fake AV (MD5: b938be095aa28d390c84d80a4d577288) is detected by Ad-Aware as Trojan.Win32.Generic!BT

Fake AV (MD5: ec71e0f2226014b37ae339c0176f4cfe) is detected by Ad-Aware as Trojan.Win32.Fakerean

"Red October" Cyber Espionage Campaign

In mid-January 2013, Kaspersky Lab published research describing a series of attacks, named "Red October", against the computer networks of diplomatic, governmental and scientific research organizations in various countries. According to the report, this significant cyber-espionage campaign started in 2007 and targeted mostly Eastern European, former Soviet Union and Central Asian countries in order to harvest confidential data from international agencies. According to the connection statistics registered by a sinkhole server, the majority of infected computers were located in Switzerland, Kazakhstan and Greece.

The attack is launched via email attachments containing one of the following exploits: CVE-2009-3129 (MS Excel), CVE-2010-3333 (MS Word) and CVE-2012-0158 (MS Word). The last exploit has already been analyzed, and a detailed description is available in our Malware Encyclopedia. In an unusual twist, the documents carrying the exploits appear to have been originally stolen from victim computers.

Kaspersky Lab experts believe the attack originated from a Russian-speaking country, based on code analysis of the “Red October” modules, in which they found slang typical of Russian developers.

An Analysis of Malicious URLs

We analyzed host-based information for URLs used to download malware onto user computers or to check in with botnet Command & Control servers.

The diagrams below show the geographical location of servers related to malware:

We can see that the majority of attackers’ servers are hosted in the United States (20%), Ukraine (15%) and the Russian Federation (8%). We also noticed that 2% of URLs came from Antarctica. This could be an error in the GeoIP data, or research labs located in Antarctica could be infected with malware and their scientific computers used to spread it, although this is doubtful because of the low Internet connection speeds there.

Top20 Potentially Unwanted Programs

Below are the Top20 Potentially Unwanted Programs blocked by Ad-Aware on users’ PCs. They consist mostly of advertising software, browser toolbars and other programs that change browser start pages and other system settings.

Position Ad-Aware detection % of all threats
1 MyWebSearch 36.86%
2 Win32.Toolbar.Iminent 12.88%
3 SweetIM 11.54%
4 Win32.PUP.Bandoo 10.70%
5 Babylon 5.21%
6 Win32.Adware.ShopAtHome 2.39%
7 Win32.Toolbar.Mediabar 1.94%
8 Yontoo 1.49%
9 Win32.PUP.Predictad 1.38%
10 Wajam 1.18%
11 Click run software 1.14%
12 GamePlayLabs 1.00%
13 Bprotector 0.90%
14 Win32.Toolbar.SearchQU 0.89%
15 RelevantKnowledge 0.83%
16 Artua Vladislav 0.56%
17 Win32.Adware.Altnet.GEN 0.40%
18 Via Advertising 0.39%
19 GameVance 0.34%
20 Win32.Adware.Offerbox 0.33%

Top20 PUPs detected on users’ PCs

Operating Systems

Infections by OS

Geographic Location

Infections by country of origin

We will keep investigating the epidemiological situation in the world and informing our readers about new malicious code samples in the next Lavasoft Security Bulletin.
