Lavasoft Security Bulletin: October 2012

Top20 Blocked Malware

Position  Ad-Aware detection                % of all threats  Change in ranking
1         Win32.Trojan.Agent                41.85%            +9.93%
2         Trojan.Win32.Generic!BT           20.55%            +1.76%
3         Virus.Win32.Sality.ah             3.00%             +0.14%
4         Trojan.Win32.Generic.pak!cobra    2.23%             +0.36%
5         Malware.JS.Generic                2.19%             +0.2%
6         Trojan.Win32.Ramnit.c             1.59%             +0.41%
7         Win32.Backdoor.Zaccess            1.39%             -1.41%
8         Virus.Win32.Sality.at             1.34%             -2.52%
9         Email-Worm.Win32.Brontok.a        1.20%             -0.49%
10        Heur.HTML.MalIFrame               0.95%             -0.36%
11        Trojan.Win32.Delf.abt             0.88%             new
12        HackTool.Win32.Keygen             0.80%             +0.17%
13        Trojan-Clicker.HTML.Iframe        0.64%             +0.33%
14        Trojan.Win32.Generic!SB.0         0.63%             -0.22%
15        Worm.LNK.Autorun.bqj              0.60%             new
16        Trojan-Clicker.HTML.RemoteScript  0.57%             new
17        Trojan.Win32.Jpgiframe            0.55%             -0.37%
18        Virus.Win32.Ramnit.b              0.55%             -0.37%
19        Virus.Win32.Virut.ce              0.50%             -0.13%
20        Virus.VBS.Ramnit.a                0.47%             -2.42%

The Top 20 malicious programs blocked on PCs

October sees changes in the top positions for generic detections and viruses. Trojan.Win32.Generic.pak!cobra moved from position 9 to position 4. Trojan.Win32.Generic.pak!cobra uses executable compression (packing) to avoid detection by antivirus scanners on the system; packed malware takes more time and effort to investigate.
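Packing is usually spotted during triage by measuring the byte entropy of an executable or of its sections: compressed or encrypted code looks close to random, while ordinary code and data do not. The Python below is an added example, not code from the bulletin or from Ad-Aware; the 7.0 bits-per-byte cut-off and the two sample buffers are constructed assumptions, and a real triage script would apply the measure per PE section rather than to one whole blob.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Assumption: a common triage cut-off; plain code/data usually sits well below it.
PACKED_THRESHOLD = 7.0


def looks_packed(data: bytes, threshold: float = PACKED_THRESHOLD) -> bool:
    """True when the buffer is dense enough to suggest compression or encryption."""
    return shannon_entropy(data) >= threshold


def pseudo_random_bytes(n: int, seed: bytes = b"bulletin") -> bytes:
    """Deterministic high-entropy bytes (constructed stand-in for a packed section)."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed samples: a repetitive, low-entropy buffer and a random-looking one.
PLAIN_SECTION = b"This is plain x86 code-ish text " * 128
PACKED_SECTION = pseudo_random_bytes(4096)


def triage_samples() -> dict:
    """Entropy and packed/not-packed verdict for each constructed sample."""
    return {
        name: (round(shannon_entropy(blob), 2), looks_packed(blob))
        for name, blob in (("plain", PLAIN_SECTION), ("packed", PACKED_SECTION))
    }


if __name__ == "__main__":
    for name, (entropy, packed) in triage_samples().items():
        print(f"{name:7s} entropy={entropy:.2f} packed={packed}")
```

High entropy on its own only says "compressed or encrypted"; installers and media-heavy resources trigger it too, so the value is a reason to look closer, not a verdict.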

Trojan.Win32.Delf.abt takes position 11. The Trojan includes downloader functionality that lets it fetch other malicious programs, or an updated version of itself, onto the infected system. A distinctive feature of the Trojan is that it is written in Delphi. It also steals confidential data, such as account information for the online game Lineage.

Worm.LNK.Autorun.bqj entered the Top 20 ranking at position 15. It was mentioned in the Lavasoft Security Bulletin in June. Despite the fact that Microsoft released updates on August 2, 2012 which closed the vulnerability, attackers continue exploiting the vulnerability in LNK files to run their malicious programs in the background on the infected system.

Trojan-Clicker.HTML.RemoteScript, a new generic detection, entered the Top 20 ranking at position 16. Like Malware.JS.Generic, Heur.HTML.MalIFrame and Trojan-Clicker.HTML.Iframe, this type of malicious program spreads through infected HTML pages into which attackers embed, as a rule, malicious JavaScript and Visual Basic Script. Users are redirected to these pages while surfing the Internet (for example, after visiting legitimate sites that have been compromised). Attackers also send spam messages and use social engineering techniques, such as sending infected messages from the hacked accounts of friends within the victim’s social networks. By exploiting browser vulnerabilities, the Trojan may install other malicious programs on the target computer. As a rule, the attacker’s aim is to build large botnets to carry out illegal activity from the PC.
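To show what a generic detection such as Trojan-Clicker.HTML.Iframe or Trojan-Clicker.HTML.RemoteScript is looking for, here is an added Python example (not the bulletin's or Lavasoft's code) that scans a page for iframes the visitor cannot see and for script includes loaded from a host other than the page's own. The sample page, the hostnames and the hiding heuristics (1x1 or zero-size frames, display:none, visibility:hidden) are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class InjectionScanner(HTMLParser):
    """Flags two tell-tale signs of an injected HTML page: iframes the user
    cannot see and <script src> includes that load from another host."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []  # list of (kind, url)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe" and self._is_hidden(a):
            self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "script" and a.get("src") and self._is_remote(a["src"]):
            self.findings.append(("remote-script", a["src"]))

    @staticmethod
    def _is_hidden(a):
        def tiny(value):
            # a width or height of 0 or 1 (optionally "px") renders nothing visible
            return value.strip().lower().rstrip("px") in ("0", "1")

        style = a.get("style", "").replace(" ", "").lower()
        return (tiny(a.get("width", "")) or tiny(a.get("height", ""))
                or "display:none" in style or "visibility:hidden" in style)

    def _is_remote(self, src):
        host = urlparse(src).hostname  # None for relative URLs such as /js/site.js
        return host is not None and host.lower() != self.page_host


def scan_html(html, page_host):
    """Return the (kind, url) findings for one page body served from page_host."""
    scanner = InjectionScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one legitimate ad frame, one injected 1x1 hidden frame
# and one injected script include pulled from a foreign host.
SAMPLE_PAGE = """<html><body>
<h1>Legitimate page</h1>
<script src="/js/site.js"></script>
<iframe src="http://ads.example/frame.html" width="300" height="250"></iframe>
<iframe src="http://malicious.example/load.php" width="1" height="1" style="display:none"></iframe>
<script src="//malicious.example/r.js"></script>
</body></html>"""

if __name__ == "__main__":
    for kind, url in scan_html(SAMPLE_PAGE, "www.example.com"):
        print(f"{kind}: {url}")
```

Protocol-relative URLs (`//host/...`) are treated as remote because urlparse resolves their host; a production scanner would also allow-list known CDNs and inspect inline `<script>` bodies, which this example leaves alone.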

New Incomings to the Lab

Let’s now look at the number of unique files sharing the same detection name.

Position  Ad-Aware detection                  % of all threats  Change in ranking
1         Trojan.Win32.Generic!BT             66.85%            +5.45%
2         Trojan.Win32.Generic.pak!cobra      6.72%             +1.37%
3         Malware.JS.Generic                  6.71%             -1.52%
4         Virus.Win32.Virut.ce                5.03%             +0.76%
5         Trojan.Win32.Winwebsec.fd           2.43%             +2.15%
6         Trojan.Win32.Generic!SB.0           2.12%             +0.91%
7         Trojan-Downloader.Win32.Harnig      1.29%             new
8         Virus.Win32.Xpaj.A                  1.38%             new
9         Trojan.Win32.Medfos.r               1.15%             -0.81%
10        Virus.Win32.PatchLoad.d             0.93%             +0.32%
11        Trojan.Win32.Ransomer.afh           0.77%             +0.05%
12        Backdoor.Win32.PcClient             0.64%             +0.42%
13        Trojan-Clicker.HTML.RemoteScript    0.60%             +0.11%
14        Trojan-Downloader.Win32.Beebone.br  0.58%             new
15        Trojan.Win32.VB.qms                 0.57%             new
16        Worm.Win32.Esfury.ta                0.56%             -0.19%
17        Trojan.Win32.Vobfus.paa             0.46%             +0.17%
18        Trojan-Clicker.HTML.Iframe          0.40%             +0.05%
19        Trojan-PWS.Win32.OnLineGames        0.44%             +0.14%
20        Trojan.JS.Obfuscator.aa             0.39%             +0.01%

New malicious programs entered the Top 20

Apart from Virus.Win32.Xpaj.A, which first entered the Top 20 in May, several new malicious programs appear this month.

Trojan-Downloader.Win32.Harnig is a malicious family used by attackers to spread other malicious programs. Downloaded files are saved under randomly generated names in the root folder of the C: drive and are then launched. The Trojan modifies the "%System%\drivers\etc\hosts" file, which maps domain names to IP addresses before DNS is consulted. Attackers can thereby block access to any Internet resource (depending on the variant’s functionality) by redirecting requests to the local host. In addition, some modifications can terminate system processes specified by the attacker.
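Hosts-file tampering of the kind described above is easy to audit from the defender's side. The Python below is an added example, not code from the bulletin or from Lavasoft: it parses a hosts file and reports names sinkholed to the local host (127.0.0.1, ::1 or 0.0.0.0) as well as watched domains redirected to some other address. The sample file, the watched-domain list and the 203.0.113.10 address (from the documentation range) are constructed assumptions.

```python
import ipaddress

# Names that legitimately map to loopback in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}

# Assumption: a constructed watch list of domains this host must reach correctly.
WATCHED_DOMAINS = ("example-av.com", "lavasoft.com")


def parse_hosts(text):
    """Return (line_no, ip, hostname) for every mapping; comments and junk are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:                    # first token is not an address
            continue
        for name in parts[1:]:                # one line may carry several names
            entries.append((line_no, ip, name.lower()))
    return entries


def watched(name):
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def audit_hosts(text):
    """Return (line_no, name, ip, reason) for each suspicious mapping."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        if ip.is_loopback or ip.is_unspecified:
            findings.append((line_no, name, str(ip), "sinkholed to the local host"))
        elif watched(name):
            findings.append((line_no, name, str(ip), "watched domain redirected elsewhere"))
    return findings


# Constructed sample: the two stock localhost lines plus three tampered entries.
SAMPLE_HOSTS = """\
# constructed sample hosts file, not a real dump
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.update.example-av.com      # blocks signature updates
0.0.0.0         downloads.example-av.com
203.0.113.10    www.lavasoft.com               # hijacks to an attacker-chosen address
"""

if __name__ == "__main__":
    for line_no, name, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}: {reason}")
```

Developers and ad-blocking lists also add loopback entries on purpose, so the "sinkholed" finding is best compared against a known-good baseline of the file rather than treated as an alert on its own.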

Trojan-Downloader.Win32.Beebone.br is a Trojan downloader written in Visual Basic. A distinctive feature of the malware is the ability to download other malicious programs from the server to the user’s PC:

Figure: fragment of a full memory dump of the Trojan-Downloader.Win32.Beebone.br process

It also reads the location of Internet Explorer’s cookie storage from the registry, steals the cookie files and sends them to the attacker’s server. With the stolen cookies, the attacker can gain access, within an interactive session, to the sites the user has visited.

Trojan.Win32.VB.qms is a multifunctional malicious program that gives an attacker remote access to the infected PC, steals the user’s confidential data, performs DDoS attacks and uses the infected PC as a proxy server. A distinctive feature of the Trojan is its self-protection mechanism, which can prevent its removal from the infected PC: when the user attempts to end the Trojan’s process with Task Manager, a BSOD (blue screen of death) is triggered.

Let’s consider the functionality of the Kelihos backdoor botnet. Backdoor.Win32.Kelihos is a multifunctional spam bot that sends spam messages to email addresses found on the infected PC.

Figure: example of an email message sent by Backdoor.Win32.Kelihos

Attackers use the LNK file vulnerability (CVE-2010-2568) to spread the spam bot’s executable via removable media. Besides stealing confidential data from the FTP, SFTP and WebDAV clients installed on the infected PC, the malicious program steals Bitcoin wallets. In addition, it can function as a proxy server and perform DDoS attacks against Internet resources specified by the attacker.
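Both Worm.LNK.Autorun.bqj earlier in this bulletin and Kelihos spread over removable media through shortcut files, so a useful defender-side check is a sweep of a removable drive's root for autorun.inf and for .lnk files whose target string refers to a DLL or control panel item. The Python below is an added example, not code from the bulletin or from Lavasoft; the fake_lnk() helper and the demo directory are constructed stand-ins (a valid ShellLink header followed by a UTF-16LE target string), and the DLL/CPL string check is a triage heuristic, not a full parser of the LinkTargetIDList that a real CVE-2010-2568 sample carries.

```python
import os
import struct
import tempfile

LNK_HEADER_SIZE = 0x4C
# ShellLink CLSID {00021401-0000-0000-C000-000000000046} as stored on disk
LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")
# Extensions a shortcut on a USB stick has little business pointing at
SUSPICIOUS_EXTS = (".dll", ".cpl")


def is_lnk(data: bytes) -> bool:
    """True when the blob starts with a well-formed ShellLink header."""
    return (len(data) >= LNK_HEADER_SIZE
            and struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE
            and data[4:20] == LNK_CLSID)


def lnk_suspicion_reasons(data: bytes) -> list:
    """Heuristic: look for .dll/.cpl in the body as UTF-16LE or ASCII text."""
    if not is_lnk(data):
        return []
    body = data[LNK_HEADER_SIZE:].lower()
    reasons = []
    for ext in SUSPICIOUS_EXTS:
        if ext.encode("utf-16-le") in body or ext.encode("ascii") in body:
            reasons.append(f"target references {ext}")
    return reasons


def scan_media_root(root: str) -> list:
    """Return (filename, [reasons]) for autorun.inf and suspicious shortcuts in root."""
    findings = []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            continue
        low = name.lower()
        if low == "autorun.inf":
            findings.append((name, ["autorun.inf present on removable media"]))
        elif low.endswith(".lnk"):
            with open(path, "rb") as f:
                reasons = lnk_suspicion_reasons(f.read())
            if reasons:
                findings.append((name, reasons))
    return findings


def fake_lnk(target: str) -> bytes:
    """Constructed stand-in: a valid ShellLink header followed by a target string."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    return header + target.encode("utf-16-le")


def demo() -> list:
    """Build a constructed removable-media root in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "Photos.lnk"), "wb") as f:      # benign shortcut
            f.write(fake_lnk("\\\\?\\C:\\Users\\Public\\Photos"))
        with open(os.path.join(root, "Shortcut.lnk"), "wb") as f:    # points at a DLL
            f.write(fake_lnk("\\\\?\\E:\\loader.dll"))
        with open(os.path.join(root, "autorun.inf"), "wb") as f:
            f.write(b"[autorun]\r\nopen=setup.exe\r\n")
        return scan_media_root(root)


if __name__ == "__main__":
    for name, reasons in demo():
        print(f"{name}: {'; '.join(reasons)}")
```

Legitimate shortcuts to Control Panel items reference .cpl files too, so hits are a reason to pull the file for analysis rather than a verdict; a full check would decode the LinkTargetIDList and look for the Control Panel folder item that the patched vulnerability abused.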

The Middle East Cyberwar: MiniFlame News

New information from Kaspersky Lab recently emerged describing an earlier version of the Flame Trojan, "miniFlame". Last month we discussed the methods different Flame versions used to connect to the sinkhole server.

Kaspersky Lab identified four types of Flame clients: SP, SPE, FL (Flame) and IP. This month we obtained information about a new client type, SPE or "miniFlame".

Figure: types of clients connected to the server

The miniFlame (SPE) malware is an earlier version of Flame and contains similar espionage functionality. It collects information about the computer and network configuration, takes screenshots on receiving a special command from the C&C server, infects available USB drives, executes processes and sends the gathered data to the attacker’s server. A special command handles C&C server migration. Interestingly, miniFlame can work independently or in conjunction with the Gauss and Flame malware. This is further evidence that miniFlame shares its origins with the other government Trojans of the Middle East cyberwar. The SPE modification was launched on October 1, 2010.

Visual Basic Is Becoming Popular

According to the latest statistics, we saw an increase in VB malware last month. Two new verdicts, Trojan.Win32.VB.qms (Trojan.Win32.Diacam) and Trojan-Downloader.Win32.Beebone.br, entered the "Top20 New Incomings", and the rating of Trojan.Win32.Vobfus.paa rose as well.

Let us consider how the VB malware numbers have changed over the last two months, using samples collected by the Lab.

Figure: VB samples detected by Lavasoft, Sep-Oct 2012

According to our internal detection engines, the share of VB malware rose from 3% in September to 7% in October 2012.

If we consider the most widespread VB families according to the detection rates of AV companies, we notice the following statistics:

Figure: VB samples detected by other antivirus products, Sep-Oct 2012

According to Avast’s detections on our collection, the share of samples flagged as written in VB increased from 6% in September to 8% in October 2012.

You can read more about the possible reasons for this growth in the whitepaper "Visual Basic Platform is Becoming Increasingly Popular among Malware Writers".

Top20 Potentially Unwanted Programs

Below are the Top20 Potentially Unwanted Programs blocked by Ad-Aware on users’ PCs. These are advertising software, browser toolbars, search engines and other programs that change browser start pages and other system settings.

Position  Ad-Aware detection        % of all threats  Change in ranking
1         MyWebSearch               30.39%            -2.39%
2         Win32.Toolbar.Iminent     15.75%            +0.32%
3         SweetIM                   11.87%            -2.06%
4         Win32.PUP.Bandoo          10.35%            +1.85%
5         Win32.Toolbar.SearchQU    3.05%             -0.12%
6         Win32.Toolbar.Mediabar    2.22%             +0.3%
7         Win32.PUP.Predictad       2.17%             +0.76%
8         Win32.Adware.ShopAtHome   2.05%             +1%
9         RelevantKnowledge         1.67%             +0.54%
10        Win32.Adware.Agent        1.44%             new
11        GamePlayLabs              1.15%             +0.51%
12        Yontoo                    1.11%             -0.08%
13        Click run software        1.03%             -0.3%
14        Win32.Adware.Offerbox     0.98%             +0.48%
15        Artua Vladislav           0.96%             -0.7%
16        GameVance                 0.95%             +0.18%
17        Via Advertising           0.85%             -0.03%
18        Adware.Eorezo.a           0.83%             +0.69%
19        Zango                     0.79%             +0.59%
20        InstallBrain              0.73%             new

Figure: Top20 PUPs detected on users’ PCs

Below are examples of PUPs collected by our laboratory:

Figure: Example 1, PUP Artua Vladislav

Figure: Example 2, PUP Artua Vladislav

Figure: Example 3, PUP Click run software

Operating Systems

Figure: infections by OS

Geographic Location

Figure: infections by country of origin

We will continue to monitor the global malware situation and to inform our readers about new malicious code samples in the next Lavasoft Security Bulletin.
