Six newcomers have made their way onto the Kaspersky Top 20 lists for August. One in particular, Virus.Win32.Induc, was the highlight of the month, as this malware uses a distinctive approach to infect users' computers.
This is according to Kaspersky Lab, which says that, in order to replicate, this virus uses Delphi's two-stage method for creating executable files. The application source code is first compiled into intermediate DCU modules, which are then assembled into Windows executable files.
Software products compiled on machines that had infected versions of Delphi were consequently infected with the virus when they were compiled, and there were a lot of these products.
Another newcomer, AdWare.Win32.Boran.z, entered the first top 20 at number three. This list covers malicious programs, adware and potentially unwanted programs that were detected and neutralised when accessed for the first time.
“This program is a component of the Baidu Toolbar for Internet Explorer, which is popular in China. It uses a range of rootkit technologies to prevent users from removing the toolbar using standard methods,” says Kaspersky.
According to the company, Trojan.Win32.Swizzor.b and Packed.Win32.Katusha.b came in at 14 and 15 respectively, replacing earlier versions of the same programs, but featuring more sophisticated and innovative obfuscation methods.
In last place was Palevo.jaj, which spreads via file exchange networks and IM, infects removable media, and includes a backdoor which gives an attacker the ability to control infected computers.
The malicious Net-Worm.Win32.Kido.ih and Virus.Win32.Sality.aa remain at the top of the first ratings.
Criminals get creative
Discussing the second top 20, Kaspersky says over half the entries in August are new examples of cyber criminals' creativity. The second top 20 presents data generated by the Web anti-virus component, and reflects the online threat landscape, including malicious programs detected on Web pages and malware downloaded to victim machines from Web pages.
AdWare.Win32.Boran.z took first place in this rating. “A month ago we wrote about a vulnerability in Internet Explorer. The script that exploits this vulnerability is detected by Kaspersky Lab products as Exploit.JS.DirektShow,” says Kaspersky.
“This month, there are four versions in the rankings, up one from last month, showing that exploiting this vulnerability is apparently still a very popular approach. It seems that cyber criminals assume lots of users won't have installed the security patch, and so they keep trying to attack systems via this loophole.”
Fake, or rogue, anti-virus applications were spread from a number of Web pages during August, says the security giant. One of the scripts that facilitates this, Trojan-Downloader.JS.FraudLoad.d, took 12th place in the rankings. Anyone who visits a Web site infected with this script is notified that their computer is infected with lots of malicious programs and that these programs can be removed. If the user agrees to this, a rogue anti-virus (classified as FraudTool) is then downloaded onto their computer.
“Trends seen in July are continuing, with cyber criminals still actively exploiting vulnerabilities in popular software products. Rogue anti-virus applications and basic iframe-clickers are also spreading fast. It's unlikely that this situation will change next month, as cyber criminals have tried and tested these approaches and found them to be successful,” explains Kaspersky.
China was the country where most attempts to infect computers via the Web were recorded, with 39.4% of the total. This was followed by the US, with 8.7%; India, with 7.2%; and Russia, with 6.9%.