Lavasoft Security Bulletin: January 2014

Top20 Blocked Malware

Position Ad-Aware detection % of all threats
1 Win32.Trojan.Agent 80.10%
2 Trojan.Win32.Generic!BT 8.10%
3 Malware.JS.Generic 3.34%
4 Heur.HTML.FakeLiker 0.96%
5 Virus.VBS.Ramnit.a 0.66%
6 Email-Worm.Win32.Brontok.a 0.62%
7 Trojan.Win32.Generic.pak!cobra 0.47%
8 Trojan-Downloader.Win32.Agent.ckhe 0.29%
9 Trojan.Win32.Generic!SB.0 0.26%
10 Worm.LNK.Jenxcus.aha 0.26%
11 Virus.Win32.Sality.at 0.23%
12 HackTool.Win32.Keygen 0.23%
13 Trojan.Win32.Zbot.aba 0.19%
14 FraudTool.Win32.InternetProtection.ek!a 0.19%
15 Trojan.Win32.Jpgiframe 0.19%
16 Virus.Win32.Sality.ah 0.15%
17 Worm.Win32.Autorun.ftc 0.15%
18 Trojan.Win32.Ramnit.c 0.14%
19 Backdoor.Win32.Bifrose.fsi 0.10%
20 Win32.Backdoor.Inject/C 0.09%

The Top 20 malicious programs blocked on PCs

Malware Prevalence Table - January 2014

The table below ranks the most prevalent families seen in January.

Position Ad-Aware detection % of all threats
1 Trojan.Win32.Generic!BT 35.97%
2 Trojan-Downloader.Win32.LoadMoney.u 12.95%
3 Virus.Win32.Virut.ce 7.41%
4 Virus.Win32.Expiro.gen 5.29%
5 Trojan.Win32.Ircbot!cobra  3.67%
6 Trojan.Win32.Generic.pak!cobra 1.48%
7 Trojan.HTML.Ransomware.b  0.87%
8 Trojan.Win32.Generic!SB.0 0.76%
9 Trojan.Win32.Loadmoney.aa 0.57%
10 Trojan.Win32.DelfInject.m 0.30%
11 Trojan.Win32.Zbot.aba 0.29%
12 Win32.Malware!Drop 0.27%
13 Malware.JS.Generic 0.25%
14 Trojan.Win32.DotNet.c 0.25%
15 Trojan.Win32.ZAccess.ma  0.24%
16 Trojan-Downloader.Win32.Wauchos.la 0.23%
17 Trojan.Win32.Autorun.dm 0.23%
18 Trojan.MSIL.Bladabindi.agxy  0.19%
19 Trojan-Spy.Win32.Usteal.da  0.19%
20 FraudTool.Win32.FakeRean 0.06%

New malicious programs entering the Top 20

A new Fake-AV interface named ‘Windows Diagnosis’ was discovered in the wild in January. It falsely claims that the user’s computer has security problems which can supposedly be fixed with the help of paid technical support. It is detected by Ad-Aware as Adware.Generic.647515.

Fake AV (MD5: 342d20129481c90298dcb722c1f68c6c) is detected by Ad-Aware as Adware.Generic.647515

Bots Review

Table: Bots under analysis (January 2014, Lavasoft MAS).


Bot name Dec 2013 Jan 2014 Change
Zbot 499 259 -38.8%
Cycbot 30 17 -2.1%
Kelihos 224 193 -5.0%
NrgBot/Dorkbot 195 145 -8.1%
Blazebot 0 1 0.2%
Shiz 7 5 -0.3%
Total 1580 1045



Bot distribution in January:

Kelihos

Kelihos download URLs can be recognized easily using the following URL mask:

http://[IP Address]/mod[id]/[file name].exe

For example:

hxxp://123.240.9.110/mod2/tayran1.exe
hxxp://126.117.193.122/mod1/tayran1.exe
hxxp://89.47.95.27/mod1/yanicha.exe

This month we saw the following file names in URLs that download Kelihos updates:

ssk0001.exe, ramps01.exe, tayran1.exe, keybex1.exe, gnomrea.exe
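The mask above is simple enough to turn into a proxy-log check. The following Python is an added example, not code from the bulletin or from Lavasoft: it compiles the mask into a regular expression, rejects hosts that are not valid dotted-quad addresses, flags whether the file name is one of those listed above, and runs over a handful of constructed Squid-style access-log lines (the log lines and the 10.0.0.x / 198.51.100.4 / 203.0.113.9 addresses are made up for the example; only the two Kelihos URLs quoted earlier are taken from the bulletin).

```python
import ipaddress
import re

# URL mask the bulletin gives for Kelihos update downloads:
#   http://[IP Address]/mod[id]/[file name].exe
# The defanged "hxxp" form is accepted too so published indicator
# lists can be fed in as-is.
KELIHOS_URL_RE = re.compile(
    r"^(?:http|hxxp)://"
    r"(?P<ip>(?:\d{1,3}\.){3}\d{1,3})"   # dotted-quad host, never a DNS name
    r"/mod(?P<mod>\d+)"                   # /mod<id> directory, id is required
    r"/(?P<file>[A-Za-z0-9_\-]+\.exe)$",  # bare <name>.exe, no query string
    re.IGNORECASE,
)

# File names from the bulletin's Kelihos examples and file-name list.
KNOWN_NAMES = {
    "ssk0001.exe", "ramps01.exe", "tayran1.exe",
    "keybex1.exe", "gnomrea.exe", "yanicha.exe",
}


def match_kelihos(url):
    """Return the parsed fields if url fits the Kelihos mask, else None."""
    m = KELIHOS_URL_RE.match(url.strip())
    if not m:
        return None
    ip = m.group("ip")
    try:
        ipaddress.IPv4Address(ip)   # rejects octets > 255, e.g. 999.1.1.1
    except ValueError:
        return None
    name = m.group("file").lower()
    return {
        "ip": ip,
        "mod": int(m.group("mod")),
        "file": name,
        "known_name": name in KNOWN_NAMES,
    }


# Constructed Squid-style access-log lines (sample data, not real traffic):
# timestamp elapsed client code/status bytes method URL rfc931 hierarchy type
SAMPLE_LOG = """\
1390000001.123 245 10.0.0.5 TCP_MISS/200 581182 GET http://123.240.9.110/mod2/tayran1.exe - DIRECT/123.240.9.110 application/octet-stream
1390000002.456 12 10.0.0.7 TCP_MISS/200 4532 GET http://www.example.com/mod2/index.html - DIRECT/93.184.216.34 text/html
1390000003.789 301 10.0.0.9 TCP_MISS/200 300111 GET http://89.47.95.27/mod1/yanicha.exe - DIRECT/89.47.95.27 application/octet-stream
1390000004.000 9 10.0.0.5 TCP_MISS/200 1024 GET http://10.1.1.1/mod/keybex1.exe - DIRECT/10.1.1.1 application/octet-stream
1390000005.000 88 10.0.0.8 TCP_MISS/200 2048 GET http://files.example.net/mod1/ssk0001.exe - DIRECT/203.0.113.9 application/octet-stream
1390000006.000 77 10.0.0.3 TCP_MISS/200 70000 GET http://198.51.100.4/mod3/newname.exe - DIRECT/198.51.100.4 application/octet-stream
"""


def scan_log(text):
    """Return one hit per log line whose requested URL fits the Kelihos mask."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue                    # malformed or truncated line
        info = match_kelihos(fields[6])
        if info is None:
            continue
        info["client"] = fields[2]      # internal host that fetched the file
        hits.append(info)
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        flag = "known file" if h["known_name"] else "NEW file name"
        print(f"{h['client']} -> {h['ip']} mod{h['mod']} {h['file']} ({flag})")
```

Of the six sample lines only three match: the `/mod/` path without a digit, the DNS host name and the HTML request are all rejected, and the third hit carries a file name not yet on the list, which is exactly the case worth escalating. Note that the mask only covers the update download; it says nothing about the spam or C&C traffic of the bot.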

You can find the latest description on Kelihos here.

Cycbot. You can find the latest description on Cycbot here.
Shiz. The activity of the backdoor continues to decline. The latest example is here.
Zbot. You can find the latest description on Zbot here.
NrgBot/Dorkbot. The latest description shows that it is capable of running on 64-bit Windows 7, where it starts a 32-bit mspaint.exe process and injects its code into that Paint process.

Rbot.
In January, Lavasoft’s Malware Analysis System continued to detect Rbot activity. At the time of writing, the latest version of Rbot still connected to the C&C server "videos.p0rn-lover.us", which issues commands to the IRC bots.
The commands sent to the IRC bots in January 2014 are:

In addition we discovered a new IRC channel ##USA:

The following files were downloaded from URLs posted in the channels:

ftp://{censored}:{censored}@178.33.232.15:8989/sys.exe

The file is 581182 bytes in size (MD5: 87bdba077896af4cd51a2bfc3d0c080a).

hxxp://www.dropbox.com/s/riiuyej7lza32i3/ms.exe?dl=1

The file is 493122 bytes in size (MD5: 3dd4700eaeecf9d09f2816850d1be03a).

During the month we detected eight successful downloads from Dropbox by Rbot and other malware. Popular file-sharing services are still being used for malware distribution despite the security controls implemented by the affected service providers.

Source: grahamcluley.com

SpyEye.
One of the SpyEye actors, Aleksandr Panin, pleaded guilty in Atlanta, US, on 28 January 2014.

The SpyEye trojan, described in the Malware Encyclopedia here and here, was the second most prevalent banking trojan after Zbot (the Zeus backdoor).

Source: bbc.co.uk

In 2011 SpyEye attacked Android devices and became capable of bypassing the two-factor authentication (TFA) of online banking services.
During the investigation the FBI managed to locate the SpyEye C&C server, which “contained the full suite of features designed to steal confidential financial information, make fraudulent online banking transactions, install keystroke loggers, and initiate distributed denial of service (or DDoS) attacks from computers infected with malware”. Panin was caught while selling new versions of SpyEye on hacker forums. The price of the trojan varied from $1500 to $8500.
It was not the first case in which SpyEye developers were arrested. In summer 2012 three cyber criminals were arrested in connection with the SpyEye botnet.

In spring 2013 Hamza Bendelladj of Algeria was also arrested in Thailand and sent to the US to stand trial for running the SpyEye botnet that stole money from victims’ bank accounts.

Top20 Potentially Unwanted Programs

Below are the Top20 Potentially Unwanted Programs blocked by Ad-Aware on users’ PCs. These are advertising software, browser toolbars, search engines and other programs which change browser start pages and other system settings.

Position Ad-Aware detection % of all threats
1 Conduit 25.37%
2 MyWebSearch 16.02%
3 Adware.JS.Conduit 13.45%
4 Win32.PUP.Bandoo 7.84%
5 Adware.Linkury 5.01%
6 Adware.DealPly 2.32%
7 Adware.Agent 2.29%
8 Win32.Toolbar.Iminent 2.21%
9 Crossrider 2.02%
10 InstallCore 1.58%
11 SweetIM 1.31%
12 Iminent 1.10%
13 Amonetize 0.98%
14 Opencandy 0.90%
15 Win32.Adware.Agent 0.88%
16 CoolMirage Ltd 0.85%
17 DomaIQ 0.84%
18 Besttoolbars 0.73%
19 Babylon 0.67%
20 Yontoo 0.61%

Top20 PUPs detected on users’ PCs

Operating Systems

Infections by OS

Geographic Location

Infections by country of origin

We will keep monitoring the malware situation worldwide and informing our readers about new malicious code samples in the next Lavasoft Security Bulletin.
