The Kido worm continues to dominate Kaspersky's Top 20 for November, but there are several new entrants to the threat landscape, adds the security company.
First is the entry of a modification of the notorious Kido worm, Kido.iq, coming straight in at second place.
“This malicious program has very similar functionality to the leader, Kido.ir, which entered the ratings back in September,” says Kaspersky Lab.
Another notable entry in the first Top 20, which lists malicious programs, adware and potentially unwanted programs that were detected and neutralised when accessed for the first time, is GetCodec.s. It rose nine places overall, with the number of computers on which GetCodec was detected more than doubling in November.
According to Kaspersky, GetCodec.s spreads together with P2P-Worm.Win32.Nugg, just like GetCodec.r. “It looks as though cyber criminals are making another attempt to spread P2P-Worm.Win32.Nugg via the Gnutella file sharing network (and in this case, using the popular LimeWire application). This worm downloads other malicious programs, which act as an additional threat to users' computers.”
Another newcomer, Packed.Win32.Krap.ag, is the detection name for a special packing program used to pack malicious programs. In this instance, the malicious programs, which are concealed by a standard, but modified, packing program, are fake anti-virus programs.
“After returning to the ratings the Magania family of gaming Trojans came in at number 19 again, although with a new version Magania.ckqi replacing last month's entry Magania.cbrt.”
Tracking rogue anti-virus
Gumblar continues to dominate the second Top 20, which Kaspersky says presents data generated by the Web anti-virus component, and reflects the online threat landscape including malicious programs detected on Web pages and malware downloaded to victim machines from Web pages.
“There is a huge gap separating Gumblar from the program in second place. The number of unique attempts to download this malicious program increased nearly four times in November,” adds the company.
Interestingly, rogue anti-virus programs have also appeared in the second rating. Kaspersky says these programs can be spread by downloading them to users' machines from Web sites that are created using the same template and which are part of cyber criminal affiliate, or partner, programs.
“The Web pages most commonly used to download fake anti-virus solutions in November are detected by us as Trojan.HTML.Fraud.r and Trojan-Downloader.HTML.FraudLoad.b. Packed.Win32.Krap.ag, mentioned above, was also downloaded from these pages.”
Overall picture
“As in other months, the most common way malware is spread is through a malicious script + exploit + executable file, which is mostly how malware designed to steal confidential data or extort money from users is spread,” explains Kaspersky.
“Such malware includes programs such as Trojan-PSW.Win32.Kates and Trojan-Spy.Win32.Zbot, an extremely widespread Trojan that actively spreads using script downloaders and varied spam mass mailings; and numerous fake anti-virus programs.”
According to Kaspersky, another significant trend is the use of Web sites created using standardised templates to spread rogue anti-virus solutions.
“Cyber criminals are also aggressively using packers in the hope that this will help the packed malicious programs avoid detection, so they won't have to make significant modifications to the malicious programs themselves,” concludes Kaspersky.

