Lavasoft Security Bulletin: August 2012
Top 20 Blocked Malware
| Position | Ad-Aware detection | % of all threats | Change |
|---|---|---|---|
| 1 | Win32.Trojan.Agent | 35.37% | +4.82% |
| 2 | Trojan.Win32.Generic!BT | 19.01% | -4.36% |
| 3 | Virus.Win32.Sality.ah | 2.53% | +0.77% |
| 4 | Trojan.Win32.Generic.pak!cobra | 2.53% | -0.13% |
| 5 | Virus.Win32.Sality.at | 2.12% | +0.93% |
| 6 | Virus.Win32.Ramnit.a | 2.11% | +0.59% |
| 7 | Malware.JS.Generic | 2.06% | -0.04% |
| 8 | Virus.Win32.Virut.ce | 1.54% | new |
| 9 | Email-Worm.Win32.Brontok.a | 1.42% | -1.24% |
| 10 | Win32.Backdoor.Zaccess | 1.39% | +0.79% |
| 11 | Virus.Win32.Ramnit.b | 1.30% | -0.13% |
| 12 | Virus.Win32.Tenga.a | 1.29% | new |
| 13 | Win32.Trojan.Llac | 1.15% | new |
| 14 | Trojan.Win32.Generic!SB.0 | 1.10% | -0.12% |
| 15 | Trojan.Win32.Ramnit.c | 1.01% | new |
| 16 | Heur.HTML.MalIFrame | 0.98% | -0.54% |
| 17 | Trojan.Win32.Jpgiframe | 0.83% | -0.4% |
| 18 | Virus.Win32.Virut.a | 0.66% | new |
| 19 | HackTool.Win32.Keygen | 0.57% | -0.1% |
| 20 | Trojan-Clicker.HTML.Iframe | 0.46% | -0.16% |
The Top 20 malicious programs blocked on PCs
August sees changes in the top positions for generic detections and viruses. Several malicious programs from the June Top 20 and two new families, Virus.Win32.Tenga.a and Win32.Trojan.Llac, entered the Top 20 in August:
Virus.Win32.Tenga.a is a typical file-infector virus that affects PE-EXE files. It can download other malicious programs onto the infected PC. In addition, it has network-worm capabilities that exploit a DCOM RPC vulnerability (MS03-06).
Win32.Trojan.Llac is a multi-component Trojan that combines backdoor and Trojan-downloader behaviour. It allows an attacker to gain remote access to the infected system and to install additional modules for spam and DDoS attacks.
New Incomings to the Lab
The following table ranks detections by the number of unique files received by the lab under the same detection name.
| Position | Ad-Aware detection | % of all threats | Change |
|---|---|---|---|
| 1 | Trojan.Win32.Generic!BT | 74.57% | +11.48% |
| 2 | Trojan.Win32.Generic.pak!cobra | 3.95% | +0.37% |
| 3 | Malware.JS.Generic | 4.00% | +2.75% |
| 4 | Trojan.Win32.Generic!SB.0 | 2.76% | -0.37% |
| 5 | not-a-virus:AdWare.Win32.iBryte.x | 2.75% | -0.2% |
| 6 | Worm.Win32.Esfury.ta | 2.30% | new |
| 7 | Worm.Win32.Mabezat.b | 1.87% | +0.57% |
| 8 | Virus.Win32.Virut.ce | 1.79% | -0.33% |
| 9 | Trojan.Win32.Winwebsec.fd | 1.31% | -0.25% |
| 10 | Trojan.Win32.Ransomer.afh | 1.01% | new |
| 11 | Trojan-Clicker.HTML.RemoteScript | 0.57% | new |
| 12 | Trojan.Win32.PWS.gz | 0.46% | -0.54% |
| 13 | Trojan.JS.Obfuscator.aa | 0.51% | new |
| 14 | Backdoor.Win32.PcClient | 0.40% | new |
| 15 | TrojanDropper.Win32.Saldrop.a | 0.35% | +0.07% |
| 16 | Trojan.Win32.Vobfus.paa | 0.34% | 0.05% |
| 17 | Trojan-Clicker.HTML.Iframe | 0.31% | +0.07% |
| 18 | Trojan.Win32.Autorun.dm | 0.27% | new |
| 19 | Trojan-Downloader.Win32.Small | 0.26% | new |
| 20 | Trojan.Win32.OnlineGames | 0.24% | new |
New malicious programs entered the Top 20
August sees an increase in Trojan activity stealing game account information: Trojan.Win32.PWS.gz and Trojan.Win32.OnlineGames.
Online games have become massively popular worldwide and continue to attract huge numbers of players. Players of the following games should be aware that attackers focus on stealing their account information: Dungeon & Fighter, MapleStory, Lineage, FIFA Online 2, Heroes of Might and Magic, Shock-Tera, OTP, WOW, Diablo III, Dragon Knights Online, etc.:
Examples of games popular among attackers
Attackers actively use rootkit techniques to evade antivirus scanners, and they disable User Account Control (UAC), the mechanism meant to prevent unauthorized changes to the PC. All this allows the attacker to profit by selling stolen game characters and items.
World of Warcraft character prices
Trojan-Extortioners entered the Top 20 this month. Trojan.Win32.Ransomer is a malicious family that attackers use to make a financial profit by charging victims to restore normal PC operation. The Trojan can slow the computer down and block access to the file system or the Internet. The attackers also play on users' fear: they threaten to disclose personal data or to report the user to the police for unauthorized or forbidden content, such as pirated MP3 files, found on the computer. However, paying the ransom does not guarantee that the PC will be unblocked or that the user will regain access to his or her files. Below are examples of ransomware analysis by our automatic system:
Example 1. Trojan.Win32.Ransomer
Example 2. Trojan.Win32.Ransomer
Example 3. Trojan.Win32.Ransomer
The Middle East Cyberwar: Gauss – New Evidence
At the beginning of August, Kaspersky Lab announced that a new link had appeared in the Stuxnet/Duqu/Flame chain.
“In our opinion, all of this clearly indicates that the new platform which we discovered and which we called 'Gauss,' is another example of a cyber-espionage toolkit based on the Flame platform,” says the Kaspersky Global Research & Analysis Team.
According to the published information, Gauss became active in the Middle East in September 2011. Interestingly, the most affected country was Lebanon, with more than 1600 infections, while only one infection was detected in Iran.
The Gauss platform is named after its main malware module. Each module is named after a famous mathematician: Gauss, Lagrange, Godel, Tailor, Kurt.
The spy toolkit is designed to steal information about network connections, processes, folders, BIOS, CMOS RAM and removable drives, and to send it to the C&C server. Gauss can inject specially designed modules into Internet browsers to steal user passwords, cookies and browsing history.
It also uses the previously discussed CVE-2010-2568 exploit to infect USB drives and hide malicious files on them.
The Trojan has an unusual feature: it installs the "Palida Narrow" font for a purpose that is as yet unknown. Based on this peculiarity, CrySyS Lab suggested a simple online method to detect Gauss: the test checks whether the "Palida Narrow" font is installed on the user's computer.
Gauss malware test
Ad-Aware antivirus currently detects the Gauss toolkit.
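The CrySyS Lab test above works from inside a web page; the following added example (not from the bulletin or from CrySyS Lab) performs the same check locally on a Windows host, looking for the font by name in the registry key where Windows registers fonts and in the GDI+ installed-font list. It assumes the font is registered under the family name "Palida Narrow"; a hit is an indicator to triage, not proof of a Gauss infection.

```powershell
# Added example: offline check for the "Palida Narrow" font that Gauss installs.
# Assumption: the font is registered under its family name (the value names in the
# Fonts key look like "Arial (TrueType)", with the font file name as value data).
param([string]$FontName = 'Palida Narrow')

function Test-InstalledFont {
    param([Parameter(Mandatory)][string]$Name)

    $hits = @()

    # 1. Registry: machine-wide registrations, plus per-user ones on newer Windows.
    $fontKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts',
        'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts'
    )
    foreach ($key in $fontKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like "$Name*") {
                $hits += [pscustomobject]@{ Source = $key; Entry = $p.Name; Detail = $p.Value }
            }
        }
    }

    # 2. GDI+: the font list that applications (and a browser's CSS fallback) actually see.
    Add-Type -AssemblyName System.Drawing
    $families = (New-Object System.Drawing.Text.InstalledFontCollection).Families
    foreach ($f in $families) {
        if ($f.Name -eq $Name) {
            $hits += [pscustomobject]@{ Source = 'GDI+ InstalledFontCollection'; Entry = $f.Name; Detail = '' }
        }
    }
    return $hits
}

$found = Test-InstalledFont -Name $FontName
if ($found) {
    Write-Output "Font '$FontName' is present. Treat this as an indicator to triage, not proof of infection:"
    $found | Format-Table -AutoSize
} else {
    Write-Output "Font '$FontName' not found."
}
```

Checking both the registry and GDI+ catches a font file that was registered but later removed from disk, and one that is loaded without a registry entry.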
Russian Intelligence Service Wants to Monitor and Control Social Networks
While the US government participates in developing cyberweapons to disrupt Middle Eastern infrastructure, Russia has decided to invest around 1 million US dollars in creating automated systems to monitor, and potentially influence, users of social networks.
According to the leading Russian news agencies (Interfax, Kommersant, RBC), the Foreign Intelligence Service held secret tenders in January 2012 for a software system consisting of three modules: “Disput”, responsible for investigating how information spreads in social networks; “Monitor-3”, responsible for investigating methods of control on the Internet; and “Storm-12”, responsible for promoting specially prepared information within social networks. According to the plan, the system is to be completed by 2013 and tested on Eastern European countries.
BlackHole Exploit Pack
At the beginning of summer 2012, information about a BlackHole exploit kit update appeared on a hacking forum. The new exploit pack uses two new exploits (CVE-2012-1723, CVE-2012-1889). July saw increasing use of the exploit pack, which attracted the attention of antivirus vendors. Our antivirus lab quickly located a resource hosting a functioning exploit pack and started analyzing it. The pack is hosted on a web resource that dynamically generates a new domain name at least once per day; it was possible to access the exploit pack modules via the IP address.
The following message appears while loading a malicious web page:
The methods used to obfuscate the JavaScript on the web page have not changed significantly compared to previous versions. To determine which plugins are installed in the browser, the latest version of "Plugin Detect" is used.
The Flash exploit CVE-2011-2110 has also been observed in the kit.
Top 20 Potentially Unwanted Programs
Below is the Top 20 of Potentially Unwanted Programs blocked by Ad-Aware on users' PCs. These are advertising software, browser toolbars, search engines and other programs that change browser start pages and other system settings.
| Position | Ad-Aware detection | % of all threats | Change |
|---|---|---|---|
| 1 | MyWebSearch | 34.18% | +2.69% |
| 2 | Win32.Toolbar.Iminent | 15.44% | -1.28% |
| 3 | SweetIM | 11.27% | -1.48% |
| 4 | Win32.PUP.Bandoo | 9.77% | -0.73% |
| 5 | Win32.Toolbar.SearchQU | 3.52% | -0.06% |
| 6 | Win32.Toolbar.Mediabar | 2.08% | +0.02% |
| 7 | InstallBrain | 1.74% | new |
| 8 | Artua Vladislav | 1.69% | -0.09% |
| 9 | Win32.PUP.Predictad | 1.50% | -0.3% |
| 10 | Win32.Adware.ShopAtHome | 1.42% | +0.1% |
| 11 | Click run software | 1.41% | -0.18% |
| 12 | GamePlayLabs | 1.37% | -0.46% |
| 13 | Yontoo | 1.22% | -0.11% |
| 14 | GameVance | 1.11% | +0.15% |
| 15 | RelevantKnowledge | 1.02% | +0.11% |
| 16 | Via Advertising | 0.92% | -0.13% |
| 17 | Win32.Adware.Offerbox | 0.55% | -0.17% |
| 18 | Bprotector | 0.61% | new |
| 19 | Zango | 0.24% | +0.01% |
| 20 | Adware.Eorezo.a | 0.13% | -0.22% |
Top 20 PUPs detected on users' PCs
Below are examples of PUPs collected by our laboratory:
Example 1. PUP Win32.Adware.ShopAtHome
Once the toolbar is installed, it looks as follows:
Installed ShopAtHome Toolbar
Example 2. PUP Win32.Toolbar.Mediabar
The main application window is as follows:
The application installs "Funmoods" toolbar components for Internet Explorer:
These components are Internet Explorer Browser Helper Objects (BHOs), which Internet Explorer loads each time it starts:
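Because BHOs are loaded on every Internet Explorer start, enumerating them is a quick way to spot toolbar components such as the ones above. The following added example (not from the bulletin or from Lavasoft) lists the registered BHOs and resolves each CLSID to its implementing DLL and Authenticode status; the registry paths are the standard IE/COM locations.

```powershell
# Added example: list Internet Explorer Browser Helper Objects and tie each to a DLL on disk.
function Get-BrowserHelperObject {
    # IE only honours machine-wide BHO registrations; Wow6432Node holds 32-bit ones on x64.
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid = $sub.PSChildName   # e.g. {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}

            # The COM class registration holds the display name and the in-process server DLL.
            $clsidKey = @("Registry::HKEY_CLASSES_ROOT\CLSID\$clsid",
                          "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$clsid") |
                        Where-Object { Test-Path $_ } | Select-Object -First 1
            $name = $null; $dll = $null
            if ($clsidKey) {
                $name = (Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue).'(default)'
                $dll  = (Get-ItemProperty -Path "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            }
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }

            # An unsigned or missing DLL, or one outside Program Files, deserves a closer look.
            $sig = 'NoInprocServer32'
            if ($dll) {
                $sig = if (Test-Path $dll) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'FileMissing' }
            }

            [pscustomobject]@{
                CLSID = $clsid; Name = $name; Dll = $dll; Signature = $sig
                # NoExplorer=1 means the BHO is loaded only by IE, not by Windows Explorer.
                IEOnly = ((Get-ItemProperty -Path $sub.PSPath).NoExplorer -eq 1)
            }
        }
    }
}

Get-BrowserHelperObject | Format-Table -AutoSize
```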
Operating Systems
Infections by OS
Geographic Location
Infections by country of origin
We will continue to monitor the global malware situation and to inform our readers about new malicious code samples in the next Lavasoft Security Bulletin.