
Kido stays on top

By Staff Writer, ITWeb
Johannesburg, 07 Jul 2009

Kaspersky Lab's June Top 20 malware reports confirm that Kido remains the number one threat, and two additional modifications of the worm, Kido.jq and Kido.ix, also appeared.

“This Kido family's popularity is due to its ability to be spread in varied ways, including via removable media which are then connected to unprotected computers,” says Kaspersky.

The first Top 20 lists malicious programs, adware and potentially unwanted programs that were detected and neutralised when accessed for the first time. The second Top 20 presents data generated by the Web anti-virus component and reflects the online threat landscape, including malicious programs detected on Web pages and malware which attempted to load from Web pages.

The June listings include a new feature, showing the countries that rank highest in terms of attempts to infect computers over the Internet. These are China, Russia, the US, India and Brazil, in that order.

Kaspersky adds that although the malware ratings are compiled as usual from data generated by the Kaspersky Network, slightly different methods have been used to select and analyse the data.

The company used on-access statistics to analyse the most recent, dangerous and widespread malware blocked when launched on users' computers or downloaded over the Internet. The company says that although it analysed the threats slightly differently, this had no influence on the leaders in the ranking. However, the new method did result in two worms from the AutoRun family, AutoRun.dui and AutoRun.rxx, joining the ranking.

An adware program called Shopper.v came last in the rankings, and is one of the most common programs of its type. It installs various toolbars to the browser and mail client and uses them to display advertising banners. “Removing the toolbars can be difficult,” says Kaspersky.

Download danger

In the second ranking, a Trojan-downloader program called Gumblar.a, an example of malware used in drive-by downloads, took first place.

“Gumblar.a is a small encrypted script which, when executed, redirects the user to a malicious Web site. A series of vulnerabilities is then exploited to download a malicious executable file from the Web site and install it on the user's computer. Once installed, the file affects the user's Web traffic by modifying Google search results. It also searches the computer for passwords to FTP servers in order to infect them.”

The security giant says this results in a botnet of infected servers created by cyber crooks that may be used to download malware to users' computers. According to Kaspersky, Gumblar has infected a massive number of computers and is still spreading to unprotected ones.
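The drive-by chain the article attributes to Gumblar.a (a script on a visited page redirects the browser to another host, which then serves a script and pushes an executable) is a sequence a defender can look for in Web proxy logs. The following Python is an added example, not from ITWeb or Kaspersky; the log format, the hosts, the 30-second window and the content-type sets are all assumptions constructed for illustration, not indicators from the report.

```python
"""
Added example (not from the ITWeb article or Kaspersky): flag the drive-by
download chain the article describes for Gumblar.a in Web proxy logs.

Chain modelled, per the article: a user visits an ordinary page, a script on
it redirects the browser to a different host, and within a short window the
browser fetches a script and then an executable from that new host.

Log format is a constructed, simplified proxy line (an assumption):
    <epoch seconds> <client ip> <method> <url> <content-type>
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample log lines; hosts are placeholders, not real indicators.
SAMPLE_LOG = """\
1246950000 10.0.0.5 GET http://news.example/index.html text/html
1246950001 10.0.0.5 GET http://cdn.example/style.css text/css
1246950002 10.0.0.5 GET http://redirect-placeholder.test/gate.php text/html
1246950003 10.0.0.5 GET http://redirect-placeholder.test/x.js application/javascript
1246950005 10.0.0.5 GET http://redirect-placeholder.test/load.exe application/octet-stream
1246950100 10.0.0.9 GET http://news.example/index.html text/html
1246950101 10.0.0.9 GET http://cdn.example/app.js application/javascript
1246950900 10.0.0.5 GET http://files.example/setup.exe application/octet-stream
"""

# Assumed content types; extend with what your proxy actually records.
EXECUTABLE_TYPES = {"application/octet-stream", "application/x-msdownload"}
SCRIPT_TYPES = {"application/javascript", "text/javascript"}
WINDOW_SECONDS = 30  # assumed window; tune to the environment


def parse_log(text):
    """Parse lines into (ts, client, host, content_type) tuples, skipping malformed ones."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, _method, url, ctype = parts
        events.append((int(ts), client, urlparse(url).hostname, ctype))
    return events


def find_driveby_chains(events, window=WINDOW_SECONDS):
    """
    Return one finding per executable download that, within `window` seconds,
    was preceded (for the same client) by an HTML page from some other host
    and by a script from the host serving the executable. That pairing is the
    redirect-then-drop pattern described in the article; a plain executable
    download with no such preamble is not reported.
    """
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev[1]].append(ev)

    findings = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e[0])
        for i, (ts_exe, _, host_exe, ctype_exe) in enumerate(evs):
            if ctype_exe not in EXECUTABLE_TYPES:
                continue
            recent = [e for e in evs[:i] if ts_exe - e[0] <= window]
            saw_script = any(e[2] == host_exe and e[3] in SCRIPT_TYPES for e in recent)
            origin_hosts = {e[2] for e in recent if e[3] == "text/html" and e[2] != host_exe}
            if saw_script and origin_hosts:
                findings.append({
                    "client": client,
                    "origin_hosts": sorted(origin_hosts),
                    "download_host": host_exe,
                    "ts": ts_exe,
                })
    return findings


if __name__ == "__main__":
    for finding in find_driveby_chains(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed sample, only client 10.0.0.5's first executable is reported: it follows an HTML page from news.example and a script from the host that served the executable, all inside the window. The later setup.exe fetch from files.example has no such preamble and is left alone, which is the point of requiring the whole chain rather than alerting on every executable download.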

“Another notable example of drive-by download malware is a Trojan-downloader program, LuckySploit.q, which is in third place in the second ranking and is also present in the first Top 20.”

Kaspersky describes this as a skillfully obfuscated script, which first harvests browser configuration data from the user's computer, then encrypts the data using an RSA public key and sends it to a malicious Web site.

“Following this, the data is decrypted on the server using the private RSA key and a selection of scripts, and returned to the user. The script then takes advantage of vulnerabilities on the victim's machine and downloads malware onto it.”

Vendor vulnerabilities

The company adds that several malicious programs exploit vulnerabilities found in major vendors' products. Kaspersky says exploits such as Trojan-Clicker.SWF.Small.b, Exploit.JS.Pdfka.gu, Exploit.JS.Pdfka.lr and Exploit.SWF.Agent.az appearing in the ranking clearly illustrate the popularity and the vulnerability of Adobe Flash Player and Adobe Reader.

“Vulnerabilities in Microsoft products are also actively exploited: Trojan-Downloader.JS.Major.c attempts to exploit several vulnerabilities in different Windows and Microsoft Office components simultaneously,” says the security company.

Another trend cited by the company is cyber criminals using a range of sophisticated drive-by downloads to install malware on victim machines, showing that they are becoming increasingly Web-oriented. Kaspersky says this highlights the importance of regularly updating operating systems and application software, and keeping anti-virus up to date.
