News archive about antivirus software, virus threats, trojans
April 2007
31 percent of all threats were Trojan Horses -- Posted by Igor_Donchenko on Friday, April 27 2007
Trojans were responsible for more infections than any other malware during the first quarter of 2007. They accounted for 31 percent of all threats detected by ActiveScan, the free online solution from Panda Software.
"In 2006, spyware was the most widely-distributed malware. However, during the final months of last year, Trojans increased significantly. This trend has been confirmed in the first three months of this year and Trojans are now the most damaging malware," explains Luis Corrons, Technical Director of PandaLabs.
Adware, responsible for 28 percent of infections, was the second most active category of malware in the first quarter.
"It is no surprise that Trojans and adware are the most widely-distributed categories, as they are both easy to profit from, which is now the main aim of malware creators. Both are designed to compile information about users, which cyber-crooks can rapidly convert into cash," claims Corrons.
Other, less significant categories during the first quarter were worms (8%), dialers (5%) and spyware (3%).
Despite the dominance of Trojans, the most active specific example of malware was the Sdbot.ftp worm. This is a script created by several members of the Sdbot family to download themselves onto computers. After this came Puce.E, a worm that uses P2P networks to spread.
| Technical name of the virus | % frequency |
|---|---|
| W32/Sdbot.ftp.worm | 1.95 |
| W32/Puce.E.worm | 1.3 |
| Trj/Torpig.A | 1.23 |
| W32/Brontok.H.worm | 1.21 |
| Trj/Abwiz.A | 1.14 |
| W32/Bagle.HX.worm | 1.13 |
| Bck/PcClient.DU | 1.01 |
| W32/Netsky.P.worm | 0.95 |
| Trj/QQPass.JZ | 0.94 |
| Trj/KillAV.FG | 0.74 |
Third on the list was Torpig.A, a Trojan that steals confidential user data, such as passwords stored on specific Windows services.
In fourth was the Brontok.H worm, followed by Abwiz.A, a Trojan designed to steal passwords stored on the system. Bagle.HX, a representative of the dangerous Bagle family, was in sixth position. This variant has rootkit features to hide its processes and it disables some functions of security solutions. The aim in both cases is to make it more difficult to detect.
PcClient.DU came seventh. This backdoor Trojan opens a port in the targeted computer so that a remote attacker can control it.
In eighth place was Netsky.P, a Trojan that exploits several vulnerabilities in Internet Explorer to spread. QQPass.JZ, a Trojan that steals confidential data, was in ninth place.
Last on the list was KillAV.FG, a Trojan that ends several processes on the compromised computer, security tool processes among them.
Source: http://www.pandasoftware.com
Top 10 viruses reported to Sophos in March 2007 -- Posted by Igor_Donchenko on Thursday, April 12 2007
| Malware | Percentage |
|---|---|
| Netsky | 32.7% |
| Mytob | 30.4% |
| Sality | 7.8% |
| MyDoom | 5.2% |
| Bagle | 4.1% |
| Zafi | 3.4% |
| Stratio | 2.6% |
| Nyxem | 2.6% |
| Clagger | 2.4% |
| DwnLdr | 2.0% |
Source: http://www.sophos.com
Spyware, the most active malware in March (Panda Software report) -- Posted by Igor_Donchenko on Wednesday, April 11 2007
Spyware accounted for 31 percent of all infections recorded by ActiveScan, Panda Software's online scanner, in March. These spy programs compile information about users' Internet activity for various purposes, such as displaying personalized adverts.
"Spyware accounts for so many infections largely due to the way it spreads. Lately we have witnessed a notable increase in the number of exploits that use web pages to install adware. Users do not even have to agree to the terms and conditions for installation of the malicious code, as before. Also, since users have not installed these codes knowingly, it is more difficult to detect them, and they remain on computers for longer," indicates Luis Corrons, technical director of PandaLabs.
Trojans were the second most frequent malware type in March (25 percent of all infections). Spyware and Trojans are the most widespread malware because they are the types most widely used for financial gain, cyber-crooks' main objective.
Six percent of infections in March were caused by worms, and 5 percent by dialers. Backdoor Trojans and bots were the culprits in 4 percent of cases.
As in previous months, a large number of infections fall into the 'Other' category. "This is just another example of how inaccurate it is to call all malicious code viruses, as malware is nowadays more diverse than ever. This category includes viruses as such, but also jokes, hacking tools, cookies," explains Corrons.
As for the most active malware, there has been a large number of new additions to the list. Lozyt.A has risen rapidly in the list. This malware appeared only a month ago but is already the second most virulent code.
Lozyt.A is a Trojan that ends processes belonging to several security tools. In this way, it exposes the target system to new threats. Then, it connects to the server and downloads the ErrorSafe adware.
The malware that caused most infections in March was Sdbot.ftp, the generic detection of the script created by the members of the Sdbot family of worms to perform downloads. This malicious code has been at the top of the most active malware list for over a year.
Brontok.H occupies third place. This is a worm that spreads by copying itself to the affected system. In fourth place comes the Clicker.ZJ Trojan, which allows attackers to enter infected computers. This is one of the new codes on this month's list.
Puce.E has dropped from third place to fifth in March. This is a worm that uses P2P networks to spread. Bagle.HX, in sixth place, is a member of the Bagle family of worms that tries to evade detection by using rootkit features to end processes belonging to several security solutions.
| Malware | Percentage |
|---|---|
| W32/Sdbot.ftp.worm | 1.72 |
| Trj/Lozyt.A | 1.36 |
| W32/Brontok.H.worm | 1.33 |
| Trj/Clicker.ZJ | 1.26 |
| W32/Puce.E.worm | 1.24 |
| W32/Bagle.HX.worm | 1.16 |
| Application/SpyDawn | 1.01 |
| Bck/PcClient.DU | 0.96 |
| Trj/KillAV.FG | 0.93 |
| Trj/Downloader.NBT | 0.91 |
SpyDawn, a PUP (Potentially Unwanted Program), is in seventh place. This is another newcomer to the list. SpyDawn is a fake anti-spyware program that installs on the system without the user's knowledge.
PcClient.DU is eighth. This is a backdoor Trojan that opens a port in the target computer so that a remote attacker can control it.
The last two places are occupied by codes that make their debut in the list. KillAV.FG is a Trojan that prevents several security solutions from operating correctly and connects to a server to allow the infected computer to be controlled remotely.
The Downloader.NBT Trojan reduces the computer security level by changing the Internet Explorer security settings.
Source: http://www.pandasoftware.com
Online Scanner Top Twenty for March 2007 from Kaspersky Labs -- Posted by Igor_Donchenko on Tuesday, April 3 2007
| Position | Change in position | Name | Percentage |
|---|---|---|---|
| 1. | New | Backdoor.Win32.Padodor.gen | 11.29 |
| 2. | +2 | not-a-virus:Monitor.Win32.Perflogger.163 | 1.23 |
| 3. | +2 | Email-Worm.Win32.Brontok.q | 1.01 |
| 4. | +4 | not-a-virus:PSWTool.Win32.RAS.a | 0.86 |
| 5. | +4 | Trojan-Downloader.Win32.Small.ddp | 0.72 |
| 6. | -3 | Email-Worm.Win32.Rays | 0.72 |
| 7. | New | Worm.Win32.AutoIt.d | 0.66 |
| 8. | New | Trojan-Dropper.Win32.Agent.bdy | 0.61 |
| 9. | +4 | not-a-virus:Monitor.Win32.Perflogger.ad | 0.61 |
| 10. | New | not-a-virus:AdWare.Win32.Virtumonde.bq | 0.51 |
| 11. | -9 | Trojan.Win32.Agent.qt | 0.50 |
| 12. | New | Trojan-Spy.VBS.Marang.a | 0.50 |
| 13. | New | Trojan.Win32.Obfuscated.ev | 0.50 |
| 14. | New | Email-Worm.Win32.Warezov.jx | 0.46 |
| 15. | New | Email-Worm.Win32.Zhelatin.bq | 0.45 |
| 16. | New | Email-Worm.Win32.Warezov.mi | 0.44 |
| 17. | -5 | not-a-virus:AdWare.Win32.Virtumonde.ha | 0.43 |
| 18. | -2 | Trojan-Spy.Win32.Bancos.zm | 0.39 |
| 19. | Return | Virus.Win32.Hidrag.a | 0.38 |
| 20. | New | not-a-virus:AdWare.Win32.Dm.y | 0.38 |
| | | Other malicious programs | 77.35 |
Online Scanner Top Twenty continues to surprise with its rotation of malicious programs. A few months ago Trojan-Dialers were being spread very actively. In February, Warezov worms took their place. Rays, Brontok, and Mydoom, three older worms, also managed to gain places near the top of the rankings. This month there was another big shake-up.
In March, Backdoor.Win32.Padodor.gen ended up in first place. This was completely unexpected, as Padodor is a historical relic. This family of malicious programs first appeared in 2004 and used the MS04-011 vulnerability in order to spread. Padodor has received a fair amount of media attention over the past few years, being tagged as one of the most dangerous and widespread backdoors in the course of 2004 and 2005. The Russian mass media also noted the fact that the backdoor was created by a notorious Russian virus writing group called Hang Up Team.
And now Padodor is back again. We think that this may be connected to the activity shown by Zhelatin worms in February and March. Files which are part of Padodor have been detected on machines infected by Zhelatin, and a figure of 11% shows the scale of the problem.
The top half of our March rankings provides a fairly accurate picture of the threats targeting users these days. It includes nearly all types of malicious program, including four from the category 'not-a-virus'. This is the first time programs from this category have gained so many places in our rankings. It is worrying that three of the four programs have keylogging functionality: even though they are legitimate software, they can be used for criminal ends. Even more worrying, many antivirus programs are unable to detect such applications.
The March Online Scanner Top Twenty includes two variants of Virtumonde, an adware program, indicating that it is continuing to spread for the fourth month in a row. It has been joined in the ratings by Dm, another adware program.
Among the other new programs which have appeared in this month's rankings are a number of worms: two new Warezov variants, one Zhelatin variant, and the very mysterious Worm.Win32.Autoit.d. This worm is only able to propagate via local network resources with write access, a characteristic very similar to Rays and Brontok. Both these worms have managed to stay in our rankings for a long time; it remains to be seen whether Autoit will be able to do the same.
Source: http://www.viruslist.com
Therat.B, dangerous password stealer -- Posted by Igor_Donchenko on Monday, April 2 2007
PandaLabs has reported on the new Trojan Therat.B. This malicious code is designed to steal all types of passwords. It also has an extremely dangerous function: the capacity to steal the passwords stored by the AutoComplete feature of the user's Internet browser. After the user enters just one or two characters of a username or password, this feature automatically completes them in the login forms of the Internet services the user most commonly accesses.
To do this, it accesses an entry in the Windows Registry where this information is logged. Although it is encrypted, applications are available that are designed to decrypt it.
Furthermore, Therat.B has a keylogger function. This means that it logs the keystrokes entered by the user through the keyboard, which could contain interesting information for the cyber-criminal: user names, passwords, bank account numbers or credit card numbers, PINs, etc.
"This is yet another example of how cyber-criminals combine several functions in one malicious code to exploit each infection they cause to the full. In this case, the keylogger function has been combined with theft of information stored in certain parts of the computer. By doing this, they ensure that they get at least some confidential data from each successful attack," explains Luis Corrons, Technical Director of PandaLabs.
Once installed on the computer, the Trojan creates several files in the Windows system directory. These files include SOCKETIME.EXE, which is a copy of the Trojan, and 32THERAT.LOG, in which it stores the stolen information. This information is then sent to the cyber-criminal at a predetermined email address.
Therat.B also modifies an entry in the Windows Registry in order to ensure it is run whenever the computer is restarted.
This Trojan cannot spread by its own means and therefore needs a malicious user to distribute it. It could consequently be found in all types of email messages, files downloaded from the Internet or P2P networks, etc.
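The two dropped files named above (SOCKETIME.EXE and 32THERAT.LOG in the Windows system directory) and the restart entry give a defender something concrete to check for. The following script is an added example, not code from the PandaLabs post; the file names come from the post, while the Run keys it inspects are an assumption, since the post does not name the registry entry the Trojan modifies.

```powershell
# Added example: hunt for the Therat.B artifacts described in the PandaLabs post.
# File names are from the post; the Run-key locations are an assumption.
$systemDir = [Environment]::GetFolderPath('System')   # e.g. C:\Windows\System32
$fileNames = @('SOCKETIME.EXE', '32THERAT.LOG')

$findings = @()
foreach ($name in $fileNames) {
    $path = Join-Path $systemDir $name
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        $findings += [pscustomobject]@{
            Kind   = 'File'
            Where  = $path
            Detail = "size=$($item.Length) modified=$($item.LastWriteTime)"
        }
    }
}

# Assumed persistence location: the usual per-machine and per-user Run keys.
# Flag any value whose data references the dropped executable name.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
        if ("$($p.Value)" -match 'socketime') {
            $findings += [pscustomobject]@{
                Kind   = 'RunKey'
                Where  = "$key\$($p.Name)"
                Detail = $p.Value
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Therat.B artifacts found under the checked names and keys.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit on 32THERAT.LOG matters more than one on the executable: the post says that file holds the captured keystrokes and passwords, so its presence means credentials used on the machine should be treated as exposed.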
Source: http://www.pandasoftware.com