Lavasoft Security Bulletin: August 2012

Top20 Blocked Malware 

Position Ad-Aware detection % of all threats  
1 Win32.Trojan.Agent 35.37% +4.82%
2 Trojan.Win32.Generic!BT 19.01% -4.36%
3 Virus.Win32.Sality.ah 2.53% +0.77%
4 Trojan.Win32.Generic.pak!cobra 2.53% -0.13%
5 Virus.Win32.Sality.at 2.12% +0.93%
6 Virus.Win32.Ramnit.a 2.11% +0.59%
7 Malware.JS.Generic 2.06% -0.04%
8 Virus.Win32.Virut.ce 1.54% new
9 Email-Worm.Win32.Brontok.a 1.42% -1.24%
10 Win32.Backdoor.Zaccess 1.39% +0.79%
11 Virus.Win32.Ramnit.b 1.30% -0.13%
12 Virus.Win32.Tenga.a 1.29% new
13 Win32.Trojan.Llac 1.15% new
14 Trojan.Win32.Generic!SB.0 1.10% -0,12%
15 Trojan.Win32.Ramnit.c 1.01% new
16 Heur.HTML.MalIFrame 0.98% -0.54%
17 Trojan.Win32.Jpgiframe 0.83% -0.4
18 Virus.Win32.Virut.a 0.66% new
19 HackTool.Win32.Keygen 0.57% -0.1%
20 Trojan-Clicker.HTML.Iframe 0.46% -0.16

The Top 20 malicious programs blocked on PCs

August sees changes in the Top positions for generic detections and viruses. Several malicious programs from the June Top 20 and two new families, Virus.Win32.Tenga.a and Trojan.Win32.Llac, entered the Top 20 in August:

Virus.Win32.Tenga.a is a typical file infector virus which affects PE-EXE files. It has functionality to download other malicious programs on the infected PC. In addition, it has network worm capabilities that exploits a DCOM RPC vulnerability (MS03-06).

Win32.Trojan.Llac is a multi-component Trojan which contains a backdoor and Trojan downloader behavior. It allows an attacker to gain remote access to the infected system and install additional modules for spam and DDoS attacks.

 New Incomings to the Lab

Let’s review and consider information on the number of unique files with the same detection name.

Position Ad-Aware detection % of all threats  
1 Trojan.Win32.Generic!BT 74.57% +11.48%
2 Trojan.Win32.Generic.pak!cobra 3.95% +0.37
3 Malware.JS.Generic 4.00% +2.75%
4 Trojan.Win32.Generic!SB.0 2.76% -0.37%
5 not-a-virus:AdWare.Win32.iBryte.x 2.75% -0.2%
6 Worm.Win32.Esfury.ta 2.30% new
7 Worm.Win32.Mabezat.b 1.87% +0.57%
8 Virus.Win32.Virut.ce 1.79% -0.33%
9 Trojan.Win32.Winwebsec.fd 1.31% -0.25
10 Trojan.Win32.Ransomer.afh 1.01% new
11 Trojan-Clicker.HTML.RemoteScript 0.57% new
12 Trojan.Win32.PWS.gz 0.46% -0.54
13 Trojan.JS.Obfuscator.aa 0.51% new
14 Backdoor.Win32.PcClient 0.40% new
15 TrojanDropper.Win32.Saldrop.a 0.35% +0.07
16 Trojan.Win32.Vobfus.paa 0.34% 0.05
17 Trojan-Clicker.HTML.Iframe 0.31% +0.07
18 Trojan.Win32.Autorun.dm 0.27% new
19 Trojan-Downloader.Win32.Small 0.26% new
20 Trojan.Win32.OnlineGames 0.24% new

New malicious programs entered the Top 20

August sees an increase in Trojan activity stealing game account information: Trojan.Win32.PWS.gz and Trojan.Win32.OnlineGames.

Online games have become massively popular globally and continue to attract huge numbers of players. Users of the following games should be aware that attackers focus on hijacking information from users of the following games: Dungeon & Fighter, MapleStory, Linage, - FIFA Online 2, Heroes of Might and Magic, Shock-Tera, OTP, WOW, Diablo III, Dragon Knights Online, and etc.:

Examples of games popular among attackers

Attackers actively use rootkit techniques to counteract antivirus scanners and disable User Account Control, (UAC) to counteract unauthorized PC use. All this allows the attacker to profit from selling stolen game characters and attributes.

World of Warcraft character prices

Trojan-Extortioners entered the Top 20 this month. Trojan.Win32.Ransomer is a malicious family attackers used to make a financial profit by restoring user PC performance. The Trojan can slow down the computer performance and block an access to the file system or Internet. The attackers also play on user’s fear: they threaten them with disclosure of personal data or informing the police about unauthorized and forbidden content such as pirated mp3 files contained on the user’s computer. However, paying the ransom does not guarantee that the user’s PC will be unblocked or the user can get an access to his/her own files. Below are examples of ransom program analysis by our automatic system:

Example1. Trojan.Win32.Ransomer

Example 2. Trojan.Win32.Ransomer

Example 3. Trojan.Win32.Ransomer

The Middle East Cyberwar: Gauss – a New Evidence

At the beginning of August, Kaspersky Lab announced that a new link had appeared in the Stuxnet/Duqu/Flame chain.

“In our opinion, all of this clearly indicates that the new platform which we discovered and which we called 'Gauss,' is another example of a cyber-espionage toolkit based on the Flame platform.”- Kaspersky Global Research & Analysis Team says.

According to the published information, Gauss started its activity in the Middle East in September 2011. It is interesting that the most affected state was Lebanon with more than 1600 infections, while in Iran only one infection was detected.

The Gauss platform was named after the main malware module. Each module has its own name associated with the famous mathematicians: Gauss, Lagrange, Godel, Tailor, Kurt.

The spy toolkit is designed to steal information about network connections, processes, folders, BIOS, CMOS RAM, removable drives, and send it to the C&C server. Gauss can inject specially designed modules into Internet browsers to steal user passwords, cookies and browsing history.

It also uses the previously discussed CVE-2010-2568 exploit, to infect and hide malicious files on USB drives.

The Trojan has unusual functionality: it installs the "Palida Narrow" font with, as yet, unknown purpose. Based on this peculiarity, CrySyS Lab suggested a simple online method to detect Gauss. The test checks if the "Palida Narrow" font is installed on user’s computer.

Gauss malware test

Ad-Aware antivirus currently detects Gauss toolkit.

Russian Intelligence Service Wants to Monitor and Control Social Networks

Like the US government participates in developing cyberweapons to disrupt Middle Eastern infrastructure, Russia has decided to invest around 1 million U.S. dollars to create automated monitoring systems and to potentially influence users of social networks.

According to the leading Russian news agencies (Interfax, Kommersant, RBC), the Foreign Intelligence Service held secret tenders in January 2012 for creating a software system that consists of three modules: “Disput” that is responsible for investigating the processes of information distribution in social networks, “Monitor-3” that is responsible for investigating control methods on the Internet and “Storm-12” that is responsible for the promotion of specially prepared information within social networks. According to the plan, the system is to be completed by 2013 and tested on Eastern European countries.

BlackHole Exploit Pack

At the beginning of summer 2012, information about Black Hole exploit kit update appeared on a hack forum. A new exploit pack uses 2 new exploits (CVE-2012-1723, CVE-2012-1889). July saw an increasing use of the exploit pack which attracted the attention of antivirus vendors. Our antivirus lab rapidly located a resource with a functioning exploit pack and started analyzing it. The pack is located on a web-resource which dynamically generates a new domain name at least once per day. It was possible to get access to the exploit pack modules via the IP address.

The following message appears while loading a malicious web page:

Methods of obfuscating Java scripts on the web-page have not been changed significantly compared to previous versions. To define plugins installed on a browser, the latest version of "Plugin Detect" is used.

Also the Flash exploit, CVE-2011-2110, has been noticed to appear in the kit.

Top20 Potentially Unwanted Programs

Below is Top20 Potentially Unwanted Programs blocked by Ad-Aware on user’s PCs. These are advertising software, browser toolbars, search engines and other programs which change browser start pages and other system settings.

Position Ad-Aware detection % of all threats  
1 MyWebSearch 34.18% +2.69%
2 Win32.Toolbar.Iminent 15.44% -1.28%
3 SweetIM 11.27% -1.48%
4 Win32.PUP.Bandoo 9.77% -0.73%
5 Win32.Toolbar.SearchQU 3.52% -0.06%
6 Win32.Toolbar.Mediabar 2.08% +0.02%
7 InstallBrain 1.74% new
8 Artua Vladislav 1.69% -0.09%
9 Win32.PUP.Predictad 1.50% -0.3%
10 Win32.Adware.ShopAtHome 1.42% +0.1%
11 Click run software 1.41% -0.18%
12 GamePlayLabs 1.37% -0.46%
13 Yontoo 1.22% -0.11%
14 GameVance 1.11% +0.15%
15 RelevantKnowledge 1,02% +0.11%
16 Via Advertising 0.92% -0.13%
17 Win32.Adware.Offerbox 0.55% -0.17%
18 Bprotector 0.61% new
19 Zango 0.24% +0.01%
20 Adware.Eorezo.a 0,13% -0,22%

Top20 PUPs detected on user’s PC

See below examples of PUPs collected by our laboratory:

Example 1. PUPs Win32.Adware.ShopAtHome

Once the toolbar is installed, it looks as follows:

Installed ShopAtHome Toolbar

Example 2. PUPs Win32.Toolbar.Mediabar

The main application window is as follows:

The application installs "Funmoods" toolbar components for Internet Explorer:

These components are Internet Explorer Browser Helper Objects (BHO) that Internet Explorer loads each time it starts:

Operating Systems

Infections by OS

Geographic Location

Infections by country of origin

We will keep investigating the epidemiological situation in the world and informing our readers about new malicious code samples in the next Lavasoft Security Bulletin.

  • Back to articles


  • Share this post:    Twitter Facebook