Top20 Blocked Malware

 The Top 20 malicious programs blocked on PCs

September sees changes in the Top 20: a new generic detection LooksLike.Win32.Malware!vb has entered the Top 20 coming in 8th position. Malicious programs written on Visual Basic  are detected as LooksLike.Win32.Malware!vb. Malicious functions of such malware programs (email worms, Trojans stealing confidential data, viruses, Trojan-downloaders, etc.) may be extensive and sophisticated enough. The Win32.Trojan.Agent и Trojan.Win32.Generic!BT generic detections are still on the top positions. The Sality family sees some changes as well.

The Win32.Backdoor.Zaccess backdoor entered the Top 20 in July coming in 20th position. Rootkit-part of the malware is described here. In September, Sophos company released its second report for ZeroAccess botnet. Working on the new version of ZeroAccess, developers refused using components which run in the kernel mode both on x64 and x86 based systems. Mechanism in P2P networks, infection methods, generating network traffic characteristics, and communication with command server were updated.

According to research results, ZeroAccess reached 9 million installations; number of active bots exceeded one million infected computers all over the world. The United States had the most infected computers. It may be explained by the fact that botnet owners pay 500 USD per 1000 installations in the USA. According to experts, use of click fraud and Bitcoin mining allows botnet owners to earn 100 000 USD per day.

New Incomings to the Lab

Let’s review and consider information on the number of unique files with the same detection name.

 New malicious programs entered the Top 20

Trojan.Win32.Medfos.r  is a Trojan which installs additional components to modify search results in Internet Explorer and Mozilla Firefox. The malicious program may be installed on the system by Blackhole Exploit, recently updated.

Virus.Win32.PatchLoad.d is a virus which infects Windows libraries. To infect a system library, attackers use undocumented functions sfc_os.dll or end the utility threads monitoring the system file integrity in winlogon.exe, and disable System File Checker.

The Middle East Cyberwar: Flame Server Reveal

We have recently discussed Gauss which is a part of the Stuxnet/Duqu/Flame malicious chain. In September, Kaspersky Lab published an analysis of Flame’s C&C. According to data analyzed on servers, there are four types of clients with the following names: SP, SPE, FL and IP. Since Flame is denoted as FL, it reveals three more unknown types of Flame malware so far.

 Type of clients connecting to the server

Also antivirus experts revealed the server creation date: December 2006. It coincides with the Bush "Olympic Games" initiative to deal with Iran’s nuclear program. The first evidence of the project was the Stuxnet worm which had successfully destroyed the most of Natanz nuclear centrifuges.

Assessing the scripts’ code, experts saw comments indicating at least four different developers. An interesting fact is that the server has been designed as if it had no relation to the botnet operation. There were no such terms as "bot", "infection" and "command". It was a C&C interface contained such folders as "news", "ads" where a set of commands was stored in archives to be further downloaded by clients.

According to the Kaspersky Lab expert estimations, the amount of stolen data was 5.5 Gb per week (from 25th of March till 2nd of April) from more than 5 thousands unique IP addresses, mostly Iran and Sudan.

0-Day Exploit. Made in China

Several 0-day vulnerabilities were fixed by Microsoft on Friday 21st of October with Security Update MS012-063. The vulnerabilities could allow remote execution when a user opens a malicious html page by Internet Explorer 6-9. Two days early, Microsoft published "Fix it KB2757760" – a special configuration tool that blocks known exploits on user’s computers. The attack scheme was pretty simple and described by AlienVault Labs. The exploit.html page loaded a flash file "Moh2010.swf" ("Grumgog.swf") encrypted using the DoSWF tool.

 Encrypted SWF file (MD5: eb62e0051ad4ab3f626d148472dfa891)

The SWF file sprayed a shellcode with the malicious payload in the memory and loaded "Eternalian.html" ("Protect.html") which triggered the actual vulnerability.

Decrypted SWF file with exploit 

We could run SWF exploit under Internet Explorer version 8 with the latest Flash Player 11. Below IFrame, there is encrypted shellcode which downloads and executes "111.exe" file (MD5: 8d326300a6f4dfe93a456c4c185bf2a8) from the compromised website.

Now the web folder is clean except the "exp.txt" file with "eromang" string which points to the security researcher Eric Romang who has found this exploit.

The file "111.exe" which is supposed to be dropped to a user’s computer is detected by Ad-Aware as Trojan.Generic.BT and Microsoft as Backdoor:Win32/Poison.BR (VirusTotal). The backdoor could connect to C&C server to get commands for downloading and installing new pieces of malware.

Backdoor inject with C&C details

More information about Trojan’s payload you can find in our Malware Encyclopedia.

The AlienVault researchers assume that Chinese hacker WHG is behind of this attack. He seems to be also related to the “The Network Crack Program Hacker” group (NCPH) as one of the developers of the GinWui rootkit.

Top20 Potentially Unwanted Programs

Below is Top20 Potentially Unwanted Programs blocked by Ad-Aware on user’s PCs. These are advertising software, browser toolbars, search engines and other programs which change browser start pages and other system settings.

Top20 PUPs detected on user’s PC

See below examples of PUPs collected by our laboratory:

Example 1 PUPs Click run software

Example 2 PUPs Click run software

Example 3 PUPs Click run software

Operating Systems

Infections by OS

Geographic Location

Infections by country of origin

We will keep investigating the epidemiological situation in the world and informing our readers about new malicious code samples in the next Lavasoft Security Bulletin.