November 1, 2008
Doctor Web reviews malware activity in October 2008, a month that turned out to be quite eventful: numerous modifications of fake anti-viruses, tricks employed by spammers to hide malware in messages, new modifications of polymorphic and file viruses, and various social engineering techniques. Below we take a look at the most widely used tricks and techniques and see how to counter them.
Critical updates of Windows
The release of an out-of-band security update by Microsoft was a notable event. The patch fixed a vulnerability in Windows 2000, Windows XP, Windows Vista, Windows Server 2003 and Windows Server 2008, and all registered customers were urged via e-mail to install the update. It is even more remarkable that the critical flaw was also found in the upcoming Windows 7, which has only reached Pre-Beta. According to its description, the vulnerability lies in a security component of Windows and allows a remote attacker to bypass validation and gain full control of a targeted machine. An exploit for the vulnerability spreading over the Internet made Microsoft rush out the update. The exploit entered the Dr.Web virus database as Win32.HLLW.Jimmy. This incident shows that prompt installation of critical security updates is essential for the security of a system.
File viruses
A lot of user reports concerned another modification of the Win32.Sector file virus, Win32.Sector.12. Users of Dr.Web software with an updated virus database were protected against this malicious program's attempts to get into the system. Once a system has been infected, curing Win32.Sector.12 can be troublesome because it injects its code into the memory of running processes, can disrupt the operation of an anti-virus and is equipped with rootkit technologies. Malicious programs of the Win32.Sector family can download other malware from the Internet, install it on user machines and update it from the web-sites that spread it. If curing such a virus causes any problems for a user of Dr.Web software, our technical specialists are always ready to support customers of Doctor Web.
Mailings
In October a large amount of spam aimed to spread various modifications of Trojan.DownLoad.4419. This Trojan was already described in our September virus review.
Usually such messages were brief and contained a link to a supposed pornographic video. While earlier such links led a user to a fake YouTube web-page, in October careless users clicking on the link were shown a simpler interface (see the image below). Regardless of the page's appearance, the download of an executable file started as soon as the page was loaded. The large number of closely similar modifications of Trojan.DownLoad.4419 made it possible for analysts of Doctor Web to create several entries that ensure detection of almost any sample from this Trojan family.
In October entries for Trojan.Packed.1207 and Trojan.Packed.1219 were also added to the database.
In October virus makers also reminded the Internet community of malware placed in a password-protected archive. Typically the password was given in the message body, while the contents of the archive were detected by Dr.Web anti-viruses as Trojan.PWS.GoldSpy.2268.
Anti-virus vendors have recently urged users to check the address bar of the browser when they follow a link provided in a message, because virus makers often replace the address displayed in a link with something quite different. Trojan.Click.21207 showed that a faked page is not necessary for a virus trying to get onto a computer and that the offered link itself can look harmless: in this case a user saw a link to a .jpeg file which turned out to be malicious JavaScript code.
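The two tricks above (a password-protected archive with the password in the message body, and a "picture" link that delivers script instead of an image) can both be caught by a mail-gateway triage step that looks at attachment bytes rather than names. The following is an added illustration, not Doctor Web's code; the sample message, the ZIP header stub and the password regex are constructed for the example.

```python
"""Attachment triage for the two mail tricks described above (constructed example)."""
import os
import re
import struct

ZIP_LOCAL_HEADER = b"PK\x03\x04"
# Declared extension -> leading bytes a genuine file of that type must start with.
MAGIC = {
    ".jpeg": (b"\xff\xd8\xff",), ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}
# Heuristic for a password handed over in the message body (assumption: simple phrasing).
PASSWORD_HINT = re.compile(r"\b(password|passwd|pass)\b\s*[:=]?\s*\S+", re.I)

def zip_is_encrypted(data: bytes) -> bool:
    """True if the first ZIP local file header has the encryption flag (bit 0) set."""
    if not data.startswith(ZIP_LOCAL_HEADER) or len(data) < 8:
        return False
    (flags,) = struct.unpack_from("<H", data, 6)  # bytes 6-7: general purpose bit flag
    return bool(flags & 0x0001)

def extension_matches_content(name: str, data: bytes) -> bool:
    """False when the declared extension has a known signature that the bytes lack."""
    expected = MAGIC.get(os.path.splitext(name)[1].lower())
    if expected is None:
        return True  # no signature known for this extension; cannot judge
    return any(data.startswith(m) for m in expected)

def triage(body: str, attachments: dict) -> list:
    """Return (filename, reason) findings for a body plus {filename: bytes} attachments."""
    findings = []
    password_in_body = PASSWORD_HINT.search(body) is not None
    for name, data in attachments.items():
        if zip_is_encrypted(data):  # AV cannot look inside, so flag the archive itself
            reason = "encrypted archive"
            if password_in_body:
                reason += " with password in message body"
            findings.append((name, reason))
        elif not extension_matches_content(name, data):
            findings.append((name, "content does not match declared extension"))
    return findings

# Constructed sample (not real malware): an encrypted-ZIP header stub and a
# ".jpeg" whose bytes are plain script text.
SAMPLE_BODY = "Your photos are attached. Password: 1234"
SAMPLE_ATTACHMENTS = {
    "photos.zip": ZIP_LOCAL_HEADER + struct.pack("<HHH", 20, 0x0001, 8) + b"\x00" * 20,
    "photo.jpeg": b"// JavaScript, not a JPEG\nvar x = 1;",
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_BODY, SAMPLE_ATTACHMENTS):
        print(finding)
```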
Among the most significant Trojan mailings of October we would like to mention Trojan.Packed.1198, which is remarkable for mentioning Angelina Jolie in the message subject. There was also a mailing of messages in German prompting the recipient to look through an important financial document, which turned out to be malicious programs detected as Trojan.DownLoad.3735 or Trojan.DownLoad.8932.
Warning! Beware of scams!
October was also marked by an increase in the number of scams that lured users into sending a premium-rate SMS. In Russia one such mailing invited users to take part in a bonus offer from one of the leading mobile operators in the country. Scammers have been luring users into sending short messages more and more often. The main reason for the growing popularity of such frauds is the worldwide popularity of mobile phones.
ICQ as the transport of ill-intended messages
Spam has become an ordinary thing for users of ICQ. Spam messages provide links to malicious programs in the same way as e-mail does. In October ICQ spammers advertised Adware.FieryAds.4, among many others. They also attempted to persuade users into sending a paid short message from a mobile phone.
It should also be mentioned that in October ICQ spam was more often sent from a registered UID belonging to a user whose machine had been compromised. In such cases there was no other indication of malicious activity in the system, and the only way for the user to learn about the infection was from people on his contact list.
Virus makers kept exploiting social networking web-sites, the number of which was growing steadily on the Internet. One of the ways to spread Trojan.Packed.673 through a social network was the creation of a special account that was used to rate images of other members of the network. A registered member of the web-site loaded the page displaying information about that account and came across a link to the personal page of its supposed owner. Clicking on the link started the download of malware.
October revealed new spammer tricks and a still growing amount of spam. Unfortunately, in most cases users launch malicious programs themselves. That is why specialists of our company do their best to inform users about the basics of information security.
Viruses detected in e-mail traffic
01.10.2008 00:00 - 01.11.2008 00:00
Rank | Virus | Detections (share of total)
1 | Trojan.Click.19754 | 29330 (15.85%) |
2 | Trojan.PWS.GoldSpy.2268 | 15475 (8.36%) |
3 | Win32.HLLM.MyDoom.based | 14635 (7.91%) |
4 | Win32.Virut | 13743 (7.43%) |
5 | Trojan.DownLoad.3735 | 11076 (5.99%) |
6 | Trojan.PWS.GoldSpy.2277 | 10715 (5.79%) |
7 | Trojan.Inject.3742 | 10262 (5.55%) |
8 | Trojan.MulDrop.17829 | 7002 (3.78%) |
9 | Win32.HLLM.Netsky.35328 | 6208 (3.35%) |
10 | Win32.HLLW.Autoruner.2640 | 5096 (2.75%) |
11 | Trojan.MulDrop.13408 | 4090 (2.21%) |
12 | Trojan.MulDrop.16727 | 3950 (2.13%) |
13 | Trojan.Copyself | 3484 (1.88%) |
14 | Win32.HLLW.Autoruner.1252 | 3376 (1.82%) |
15 | Win32.HLLM.Alaxala | 3321 (1.79%) |
16 | Trojan.PWS.Panda.31 | 3299 (1.78%) |
17 | Win32.HLLM.Beagle | 2646 (1.43%) |
18 | Trojan.MulDrop.18280 | 2622 (1.42%) |
19 | BackDoor.Bulknet.237 | 1985 (1.07%) |
20 | Trojan.PWS.GoldSpy.2278 | 1977 (1.07%) |
Viruses detected on workstations
01.10.2008 00:00 - 01.11.2008 00:00
Rank | Virus | Detections (share of total)
1 | Win32.HLLW.Gavir.ini | 1336089 (17.58%) |
2 | DDoS.Kardraw | 402787 (5.30%) |
3 | Win32.Alman | 322084 (4.24%) |
4 | Trojan.MulDrop.18538 | 277195 (3.65%) |
5 | Win32.HLLP.Whboy | 239879 (3.16%) |
6 | VBS.Autoruner.10 | 224391 (2.95%) |
7 | Win32.HLLM.Lovgate.2 | 218691 (2.88%) |
8 | Win32.HLLM.Generic.440 | 190744 (2.51%) |
9 | JS.Click.22 | 172206 (2.27%) |
10 | Win32.HLLW.Autoruner.2255 | 152617 (2.01%) |
11 | VBS.Generic.548 | 144545 (1.90%) |
12 | Trojan.DownLoader.22881 | 110771 (1.46%) |
13 | VBS.PackFor | 106047 (1.40%) |
14 | Win32.HLLP.Jeefo.36352 | 104866 (1.38%) |
15 | Win32.HLLW.Autoruner.2339 | 81624 (1.07%) |
16 | Win32.HLLO.Black.2 | 77968 (1.03%) |
17 | Trojan.MulDrop.9985 | 77118 (1.01%) |
18 | Win32.HLLW.Autoruner.1020 | 70904 (0.93%) |
19 | Win32.Sector.20480 | 70541 (0.93%) |
20 | Win32.Sector.5 | 69635 (0.92%) |