Top20 Blocked Malware

The Top 20 malicious programs blocked on PCs

February sees modifications of the Sality and Ramnit viruses and a decrease in the detection rate of generic Trojan.Win32.Generic!BT malware. The decrease can be attributed to the fact that more specific signatures for previously generically categorized malware have been created (http://www.lavasoft.com/mylavasoft/securitycenter/blog). An overview of the malicious programs that did not enter the Top 20 is available here.

New Incomings to the Lab

Let’s review and consider information on the number of unique files with the same detection name.

New malicious programs entered the Top 20

Several new and returning families, including Virus.Win32.PatchLoad.d are found amongst the most prevalent malware seen this month.
Virus.Win32.Expiro.bc is in third position. It infects PE-EXE executable files on all accessible USB removable logical drives and can disable WFP to infect files protected by the operating system.
The virus steals user data from the infected computer, for example, information about installed certificates and passwords saved by Internet Explorer, MSN Explorer and Outlook Express which are stored in Windows Protected Storage.
In eighteenth position is a fake antivirus, Trojan.Win32.FakeAV.gbd. Its main display looks as follows:

Fake AV (MD5: fdfcbd3f888a02e3b6499f7bf2506dfa) is detected by Ad-Aware as Trojan.Win32.FakeAV.gbd

Below are more examples of fake antiviruses detected by the Malware Lab in February. Be cautious if you discover a program detecting non-existent threats on your PC which then demands you purchase a full version of the fake application to remove those threats. Instead of paying the fee, scan files detected by the fake antivirus with the help of online multi scanner VirusTotal or use our Ad-Aware Free Antivirus+

Fake AV (MD5: 1fe584f2b162f70fd9f84db2f86c5512) is detected by Ad-Aware as Trojan.Win32.Fakeav.isa

Fake AV (MD5: 4ca5f1aefc7b50b999e55682e4a50b14) is detected by Ad-Aware as Trojan.Win32.Generic.pak!cobra

Fake AV (MD5: 9961487c0a45cb242cb1b3545d91a05a) is detected by Ad-Aware as Trojan.Win32.Generic.pak!cobra

Suspicious URL Attributes

To protect our customers against malicious URLs, we investigated different detection techniques and technologies that help identify “bad” URLs. These techniques include blacklisting (using antivirus engines and IDS for downloaded content analysis) and heuristic methods (lexical and host-based analysis). As a part of that, we investigated detecting a URL based on its attributes that can be obtained from public Internet services: WhoIs, GeoIP, DNS.
To build our URL heuristic engine we used the following information about URL:
• geographic location (GeoIP);
• registrar name (WhoIs);
• creation and expiration dates (WhoIs);
• content type.
We were able to detect 83% of known malicious URLs in our database based on publicly available attributes.

More information is available in the series of articles “Detecting Malicious URLs”:
Part 1
Part 2. “Where”
Part 3. “Suspicious Registrars”
Part 4. “Lifelines”

Kelihos Botnet Update

Last month we discovered an increase in Kelihos botnet activity despite attempts by Microsoft and Kaspersky Lab to shut it down in September 2011 and March 2012.
We disassembled both parts of Kelihos: the backdoor, which provides a remote control under victim’s computer, and the loader, which is used to download the latest version of the backdoor. The results have been published in Lavasoft's Malware Encyclopedia.

We made the following conclusions:

1. Despite shutdown announcements, the botnet continues to operate successfully. We counted more than 8000 active bots over a six day period.

2. Kelihos’ P2P architecture and fast-flux domains make the botnet incredibly resilient to the counteractive measures undertaken by the security industry. The fast-flux network is shown on a map:

3. The peers can play different roles in the botnet, operating as a spam-bot, fast-flux proxy-bot or C&C proxy-bot. The connections to C&C proxy-bots are projected to a map:

The spam-bots use a classic simplified metamorphism when sending emails, although the emails are frequently blocked by public SMTP servers.

4. The majority of bots are located in Ukraine. All associated domains were registered with the help of the Russian registrar “REGGI-REG-RIPN”, which has been already mentioned in the article devoted to suspicious registrars.

5. The advanced protection mechanism of backdoor’s data complicates the analysis of its functionality and communication protocol. Therefore, newly created backdoor samples have a low detection rate by the majority of AV scanners due to the compression and encrypting techniques being applied.

Top20 Potentially Unwanted Programs

Below are the Top20 Potentially Unwanted Programs blocked by Ad-Aware on user’s PCs. These are advertising software, browser toolbars, search engines and other programs which change browser start pages and other system settings.

Top20 PUPs detected on user’s PC

Infections by OS

Geographic Location

Infections by country of origin

We will keep investigating the epidemiological situation in the world and informing our readers about new malicious code samples in the next Lavasoft Security Bulletin.