Lavasoft Security Bulletin: March-April 2012
The Lavasoft Security Bulletin presents statistics compiled from the suspicious files that users send to the Lavasoft Laboratory via Ad-Aware. To put these threats in context, descriptions of the most frequently detected malware families are given below.
| Position | Ad-Aware detection | % of all threats |
|---|---|---|
| 1 | Trojan.Win32.Generic!BT | 32,37% |
| 2 | Win32.Trojan.Agent | 8,51% |
| 3 | Virus.Win32.Sality.ah | 4,69% |
| 4 | Virus.Win32.Sality.at | 4,12% |
| 5 | Trojan.Win32.Generic.pak!cobra | 3,94% |
| 6 | Malware.JS.Generic | 2,21% |
| 7 | Virus.Win32.Ramnit.b | 1,80% |
| 8 | Trojan.Win32.Jpgiframe | 1,70% |
| 9 | Exploit.PDF.CVE-2011-2437 | 1,48% |
| 10 | Trojan.Win32.AutoIT.gen | 1,23% |
| 11 | Virus.Win32.Ramnit.a | 1,21% |
| 12 | Trojan.Win32.Ramnit.c | 1,10% |
| 13 | Trojan.Win32.Ircbot!cobra | 1,05% |
| 14 | Virus.Win32.Neshta.a | 0,95% |
| 15 | Trojan.JS.PornPopUp.a | 0,85% |
| 16 | INF.Autorun | 0,77% |
| 17 | Email-Worm.Win32.Brontok.a | 0,76% |
| 18 | Win32.Sality.ek | 0,76% |
| 19 | Virus.Win32.Ramnit.a!dam | 0,75% |
| 20 | Virus.Win32.Virut.ce | 0,68% |
The Top 20 malicious programs blocked on PCs
Top20 Blocked Malware
At the top of the list is Trojan.Win32.Generic!BT, a generic signature that detects malicious programs which are typical representatives of the Trojan family. This category accounted for approximately one third of all cases during March-April 2012. Generic signatures allow a one-to-many detection ratio, which keeps the detection database small. However, there are disadvantages: the generic nature of the detection rules makes it difficult to describe these threats accurately. In fifth place, Trojan.Win32.Generic.pak!cobra resembles the malware described above; the main difference is that it is packed.
In second position is Win32.Trojan.Agent, a less extensive group that covers common Trojans.
In third and fourth positions are viruses from the Sality family. The family first appeared in 2003, although these variants first appeared in 2008 and 2009 respectively. Files infected by file infectors of this kind are still in circulation even though antivirus products detect and remove the malware successfully. Sality combines the functionality of viruses and Trojans. Merging several functions is a common tactic for malicious programs: they are designed not only to infect files but also to gain access to the infected computer's resources (to perform DDoS attacks or send spam) or personal data. File infection is usually considered to be both a means of spreading and a means of self-protection, while the Trojan functionality extends the malware's capabilities by downloading additional modules and actively counteracting antivirus software. Executable files with the .EXE and .SCR extensions can be infected. The malware has been observed trying to counteract antivirus software by terminating the processes of well-known antivirus programs and utilities. It also carries a list of services responsible for protecting the computer, used to the same end of disabling that protection. Of particular interest is its ability to search for and delete files with the .vdb, .key and .avc extensions whose names contain the string "drw"; certain antivirus program key files match these rules. As a result, security software can be disabled if these files are removed or antivirus definitions are not updated. The latest Sality modifications have extended their Trojan capabilities: they can check window titles and terminate the processes that created those windows, hide system files, block attempts to open the URLs of antivirus companies, and so on.
The first four positions in the Top 20 rating account for 50% of all infection cases.
Malware.JS.Generic is a malware family written in JavaScript. Malicious programs of this type usually spread via the Internet and are embedded in web pages. The infection can be planted by the site owners, or it can occur when a website is compromised.
Trojan.Win32.Jpgiframe is a simple but unusual Trojan. It consists of an HTML page appended to the end of files with the JPG extension and is intended for infecting servers. While processing .jpg files (for example, in a gallery), a server script may execute the file together with its attachment. An attacker creates an infected JPG image, uploads it to the targeted server and waits until a vulnerability is found in the script that executes it before continuing the attack, for example by modifying all files on the server so that they serve the user a hidden frame redirecting to another site.
Exploit.PDF.CVE-2011-2437 is an exploit family that takes advantage of vulnerabilities in Adobe Reader and Acrobat; in this case the vulnerable component is the PCX image processing feature.
Virus.Win32.Neshta.a is one of those viruses that seem to have been written for entertainment. The virus infects almost all executable files, except those that exceed 41472 bytes and are located neither on portable storage devices nor in the Windows and Program Files folders. In addition, the malware modifies the system registry (HKCR\exefile\shell\open\command) so that the virus itself launches every executable file that is started. When an infected file is executed in this way it is disinfected, so only rarely used files stay infected. The virus is attributed to an unknown resident of Belarus: its body contains a message partially written in Belarusian. The Russian and Belarusian Wikipedias have an article about the malware (http://ru.wikipedia.org/wiki/Neshta).
Author signature in the Virus.Win32.Neshta.a code
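As an added defensive example, not code from the bulletin: a Python audit of the registry value Neshta modifies, HKCR\exefile\shell\open\command, whose stock content on Windows is "%1" %*. The hijacked sample value and its C:\Windows\infected_stub.exe path are constructed for illustration rather than taken from any real sample, and the live read uses the standard-library winreg module, so it only works on a Windows host.

```python
import sys

# Stock value of HKCR\exefile\shell\open\command: launch the requested file ("%1")
# with its original arguments (%*) and nothing else.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'

# Constructed sample of a modified value (hypothetical path, not from a real sample):
# a stub placed in front of "%1" runs before every .exe started through the shell,
# which is the effect of the registry change described in the text.
HIJACKED_EXEFILE_COMMAND = r'C:\Windows\infected_stub.exe "%1" %*'


def interposed_program(command: str) -> str:
    """Return the program placed in front of the "%1" placeholder, or "" when the
    command launches the requested file directly."""
    cmd = command.strip()
    idx = cmd.find("%1")
    if idx < 0:
        # No placeholder at all: the command never runs the requested file.
        return cmd
    head = cmd[:idx].rstrip().rstrip('"')   # drop the quote that opens "%1"
    return head.strip().strip('"')          # unquote a path containing spaces


def exefile_command_is_default(command: str) -> bool:
    """True only for the stock association, ignoring surrounding whitespace."""
    return command.strip() == DEFAULT_EXEFILE_COMMAND


def audit_exefile_command(command: str) -> dict:
    """Summarise one registry value for a host audit report."""
    return {
        "value": command,
        "is_default": exefile_command_is_default(command),
        "interposed_program": interposed_program(command),
    }


def read_live_exefile_command() -> str:
    """Read the live (Default) value on a Windows host; raises elsewhere."""
    if sys.platform != "win32":
        raise RuntimeError("HKCR is only available on Windows")
    import winreg
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command") as key:
        value, _ = winreg.QueryValueEx(key, "")
    return value


if __name__ == "__main__":
    for sample in (DEFAULT_EXEFILE_COMMAND, HIJACKED_EXEFILE_COMMAND):
        print(audit_exefile_command(sample))
```

On a Windows host, pass read_live_exefile_command() to audit_exefile_command() and alert when is_default is False.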
The email worm Email-Worm.Win32.Brontok.a also makes the top twenty. It gathers email addresses from address books on the compromised PC and scans the following files for more: documents, spreadsheets, saved emails, text files and even saved web pages. The worm then composes emails, attaches itself and sends them to the harvested addresses. An interesting peculiarity of the worm is an immediate system reboot, which occurs if the malware finds an open window whose title contains a string from a special list of antivirus product and system utility names.
Sality, Virus.Win32.Ramnit.a!dam and Virus.Win32.Virut.ce close the Top 20.
Virus.Win32.Ramnit.a spreads via portable storage devices using a vulnerability in the shortcut processing mechanism (.lnk and .pif files) of Windows versions from Windows XP SP3 to Windows 7 (CVE-2010-2568). The vulnerability allows code execution when a folder containing such shortcuts is opened in Windows Explorer. It became well known in 2010 after Siemens SCADA systems were attacked by Stuxnet (http://en.wikipedia.org/wiki/Stuxnet).
The infection routine has its own peculiarities: the virus infects not only executable files (as is common for computer viruses) but also saved HTML pages.
Virus.Win32.Virut.ce behaves similarly. Unlike Ramnit, which uses infected HTML pages only to restore itself (when a booby-trapped page is opened, the virus binary embedded in it is extracted and the infection recurs), Virut uses this technique to update itself: it adds a hidden frame to the pages that redirects to a constantly updated copy of the virus file. To avoid drawing the user's attention with heavy hard drive activity, the virus not only infects all files but also intercepts the file-creation and file/process-open functions by adding its code to the system library ntdll.dll, and infects the files they touch. Thus, the most frequently used files are infected. In addition, Virut has a backdoor function and receives its commands over IRC.
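As an added defensive example, not code from the bulletin: a Python check that an upload handler or a web-server file scan could apply against the two tricks described above, HTML appended after a JPEG's End-Of-Image marker (Jpgiframe) and hidden frames injected into saved HTML pages (Virut and Ramnit). The JPEG bytes, the HTML page and the example.invalid URLs are constructed here for illustration.

```python
import re

# Constructed sample: a minimal JPEG (SOI, JFIF APP0, EOI; not a real image) with an
# HTML page appended after the End-Of-Image marker, the Jpgiframe pattern.
JPEG_WITH_TRAILER = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xd9"
    b'<html><body><iframe src="http://example.invalid/r" width="0" height="0">'
    b"</iframe></body></html>"
)
# Constructed sample: the same JPEG with nothing after EOI.
CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xd9"
# Constructed sample: a saved HTML page carrying a zero-sized frame of the kind
# Virut and Ramnit add to infected pages.
INFECTED_HTML = (
    b'<html><body><p>Hello</p><iframe src="http://example.invalid/x" width=0 height=0>'
    b"</iframe></body></html>"
)

# Tags that should never follow the image data in a JPEG file.
HTML_MARKERS = re.compile(rb"<\s*(html|head|body|script|iframe)\b", re.IGNORECASE)
# An <iframe> whose width or height is 0, or that is styled invisible.
HIDDEN_IFRAME = re.compile(
    rb"""<\s*iframe\b[^>]*?(?:(?:width|height)\s*=\s*["']?0["']?(?=[\s>/])"""
    rb"""|display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>""",
    re.IGNORECASE | re.DOTALL,
)


def jpeg_trailer(data: bytes) -> bytes:
    """Return the bytes after the last End-Of-Image marker (FF D9). rfind skips the
    EOI of embedded EXIF thumbnails; a binary payload containing FF D9 itself would
    shorten the reported trailer."""
    if not data.startswith(b"\xff\xd8"):
        raise ValueError("not a JPEG: missing SOI marker")
    eoi = data.rfind(b"\xff\xd9")
    if eoi < 0:
        raise ValueError("truncated JPEG: no EOI marker")
    return data[eoi + 2:]


def jpeg_has_html_trailer(data: bytes) -> bool:
    """True when the data after EOI contains HTML markup instead of padding."""
    return HTML_MARKERS.search(jpeg_trailer(data)) is not None


def find_hidden_iframes(html: bytes) -> list:
    """Return every <iframe ...> tag that is zero-sized or styled invisible."""
    return [m.group(0) for m in HIDDEN_IFRAME.finditer(html)]
```

Rejecting uploads for which jpeg_has_html_trailer() is true, and alerting on pages where find_hidden_iframes() returns anything, covers both cases the text describes.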
New Incomings to the Lab
Let us also consider the number of unique files carrying the same detection name. Besides the share of machines on which Virus.Win32.Sality.at has been found (4%), we can indicate how many distinct files match this signature. The table below ranks detections on that basis:
| Position | Ad-Aware detection | % of all threats |
|---|---|---|
| 1 | Virus.Win32.Sality.ah | 42,43% |
| 2 | Virus.Win32.Sality.at | 31,26% |
| 3 | Trojan.Win32.Generic!BT | 6,10% |
| 4 | Virus.Win32.Virut.ce | 5,47% |
| 5 | Pinball Corporation. | 4,95% |
| 6 | Win32.Sality.ek | 2,19% |
| 7 | Virus.Win32.Expiro.nab | 1,65% |
| 8 | Virus.Win32.Virut.a | 0,86% |
| 9 | Win32.Sality.y | 0,84% |
| 10 | Win32.chir.b | 0,81% |
| 11 | Virus.Win32.Alman.b | 0,67% |
| 12 | Virus.Win32.Ramnit.b | 0,47% |
| 13 | VirTool.Win32.Obfuscator.hg!b | 0,44% |
| 14 | Virus.Win32.Sality.bh | 0,40% |
| 15 | FraudTool.Win32.FakeRean | 0,36% |
| 16 | Trojan.Win32.Sirefef.pm (v) | 0,31% |
| 17 | Virus.Win32.Xpaj.A | 0,22% |
| 18 | Trojan.Win32.Rimecud.m (v) | 0,21% |
| 19 | Trojan.FakeAlert | 0,20% |
| 20 | Virus.Win32.PatchLoad.d | 0,18% |
New malicious programs entered the Top 20
Unsurprisingly, the top positions are held by known viruses and generic Trojans. For a rating of this kind the situation is normal, since every infected file is detected in the same way, and the variety and number of files at risk of infection is enormous.
Let us consider other viruses that have not been covered earlier.
On the whole, Virus.Win32.Expiro.nab is similar to the viruses described above. Its distinctive features are as follows. First, it infects the files pointed to by shortcuts on the Desktop and in the Start menu's Programs folder, as well as system service executables. Windows File Protection is disabled, autostart of the service to be infected is disabled and the infection is postponed until the next system startup, since a file that is already running cannot be infected; after successful infection, autostart of the infected service is restored. A backdoor function is also present: at the request of the C&C server, Expiro can download files and execute them on the compromised PC, and collected user credentials (logins and passwords) are sent back to the server.
Virus.Win32.Alman.b is a virus that combines worm and rootkit features. As a worm, it copies its executable file to all logical drives and adds a reference to itself to autorun.inf, which automatically runs the malicious file each time an infected logical drive is opened. The malware tries to spread not only via logical drives but also via network drives: using the Administrator account, it tries to access network drives with restricted permissions by means of a list of common passwords (for example, password, qwerty, 12345, etc.).
Executable files are infected using the standard scheme: the last PE section of the target file is extended and the decrypted virus body is appended to it. The original entry point is then modified so that the malicious code runs first, after which the original code of the infected file starts operating. A peculiarity of the virus is that it carries a list of file names it does not infect, containing seemingly arbitrary names such as main.exe, game.exe or asktao.exe.
A second list contains the names of processes and files that the malware removes. It consists of names often used by other malware, for example run1132.exe or svch0st.exe (chosen to resemble legitimate system files).
The rootkit component is a driver that is registered in the system registry as an NVIDIA video card driver component. A service named "nvmini", described as "NVIDIA Compatible Windows Miniport Driver", is created specifically to run it.
One more detection deserving special attention is FraudTool.Win32.FakeRean, a fake antivirus family. The main purpose of these programs is to convince users that their computer is infected with an enormous number of viruses and Trojans and to offer to clean it for a fee, which often exceeds the price of popular antivirus programs. The example below illustrates this: a 1-year license costs $60 and a 3-year license costs $90.
Example of Fake Antivirus
Top 20 Potentially Unwanted Programs
| Position | Ad-Aware detection | % of all threats |
|---|---|---|
| 1 | MyWebSearch | 34,99% |
| 2 | Win32.Toolbar.Iminent | 15,76% |
| 3 | Win32.PUP.Bandoo | 12,47% |
| 4 | SweetIM | 8,00% |
| 5 | Win32.Toolbar.Mediabar | 6,21% |
| 6 | Win32.PUP.Predictad | 2,89% |
| 7 | Win32.Adware.ShopAtHome | 2,53% |
| 8 | Win32.Toolbar.SearchQU | 2,52% |
| 9 | Adware.Win32.RelevantKnowledge | 2,46% |
| 10 | Adware.Agent | 1,82% |
| 11 | Yontoo | 1,76% |
| 12 | Win32.Adware.Offerbox | 1,36% |
| 13 | Zango | 1,16% |
| 14 | GamePlayLabs | 1,05% |
| 15 | Adware.Eorezo.a | 0,77% |
| 16 | Win32.Adware.Ftat | 0,23% |
| 17 | GameVance (fs) | 0,23% |
| 18 | Win32.Adware.Altnet.GEN | 0,22% |
| 19 | Hotbar | 0,17% |
| 20 | Possible Browser Hijack attempt | 0,14% |
Top20 PUPs detected on user’s PC
This category comprises advertising software, browser toolbars, search engines and other programs that change browser start pages and other system settings without first obtaining the user's affirmative consent. Such programs exploit users' limited computer literacy and inattention.
Operating Systems
The majority of infections occur on Microsoft operating systems (OS), so these operating systems are the focus of the investigation.
Infections by OS
The above diagram illustrates the percentage of malware sent to Lavasoft's lab, per operating system.
The highest levels of infection are seen on Windows XP. Interestingly, the 64-bit version of Windows 7 has a greater percentage of infections than the 32-bit version.
The diagram shows that the number of malicious programs on each platform is proportional to the platform's popularity.
Nevertheless, the fact that malicious programs were observed running on Windows 7 x64 does not necessarily mean that the platform is more popular among malware developers: compatibility mode allows those malicious programs to run on both 32- and 64-bit versions.
Geographic Location
The diagram below illustrates the percentage of malware sent to Lavasoft's lab, distributed by country of origin.
Infections by originating country
We will keep investigating the epidemiological situation around the world and informing our readers about new malicious code samples in the next Lavasoft Security Bulletin.