
Politics and fraud: virus events of September 2010

October 4, 2010

September saw an overwhelming number of news posts proclaiming the start to a cyber war sparked by Trojan.Stuxnet and providing suggestions as to what the virus maker’s goals might be. Meanwhile, cyber fraudsters were busy testing atypical extortion techniques, botnet owners took advantage of network system administrator carelessness, and makers of malware for Android carried out “surgical strikes.”

Trojan.Stuxnet and politics

In September, news headlines screamed about Trojan.Stuxnet, whose appearance attracted tremendous publicity due to the geographical extent of its impact. Many news posts related to the Trojan dealt mainly with politics and proposed that the makers of Trojan.Stuxnet aimed to disrupt the launch of a nuclear power plant in Iran. In the last days of September, media reports claimed that the Trojan had spread widely in China and was targeting Chinese companies. Amid such speculation, little attention was paid to the technological innovations employed by the virus makers. Yet some experts resorted to a linguistic analysis of the comments found in the Trojan's code to discern what the goals of its makers really were.

Trojan.Stuxnet is indeed a technologically advanced piece of malware that exploits several previously unknown Windows vulnerabilities. Politics aside, Doctor Web’s analysts consider the Trojan to be merely another piece of malware from which Dr.Web users must be protected. Currently there are a number of no less technologically advanced viruses in the wild, for example, the 64-bit version of Trojan.Tdss (a.k.a. TDL) for which curing routines are also diligently being developed.

Internet fraud

In September Doctor Web’s support service registered 124 requests concerning the inability to access Windows UI, web sites, or popular software. This was up from 107 such requests in the previous month of August.

At the same time, Windows blockers were being superseded by other fraudware. In particular, several Trojans discovered in September used new redirection techniques for browsers. Some Trojans made it impossible to use instant messaging applications.

As for converting their illegal income into actual money, in September cyber fraudsters preferred to receive money via cell phone account refills (around 25%) and paid short messages (around 70%).

As before, Doctor Web offers free technical support to users who have fallen victim to cyber fraud.

Redirection

Last month criminals adopted two new techniques for directing users to fake web pages. As always, the techniques involved modifying the hosts file, but new technologies were also applied.

Trojan.Hosts.1581 made the browser display fake pages of a Russian bank’s web site, allowing criminals to receive remote account access parameters submitted by duped victims. It has also been discovered that this modification of Trojan.Hosts features a rootkit component that allows it to filter file operations and operations performed with the Windows Registry.

Trojan.HttpBlock programs used another tactic: they launched their own web server in the infected system and used it to display pages that mimicked popular web sites, particularly search engine pages. Here criminals demanded a ransom from users in exchange for allowing them to regain access to the sites.
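Both redirection techniques described above rely on the hosts file: Trojan.Hosts points a bank's domain at an attacker-controlled address, while Trojan.HttpBlock points popular domains at the local machine where its own web server is listening. The following Python script is an added example of a defender-side check for such tampering; it is not code from Doctor Web or from the article. The hosts content, the watched domain names and the IP addresses in it are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts-file content (not a real infected system).
# The first two lines are the normal loopback entries; the rest imitate
# the kinds of overrides described in the article.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    online.example-bank.test      # bank domain sent to a remote host
127.0.0.1       www.search-engine.test search-engine.test   # search engine pinned to localhost
192.168.1.10    intranet.corp.local           # legitimate internal mapping
"""

# Names that are expected to resolve to loopback on a clean system.
LOCAL_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback",
}


def parse_hosts(text):
    """Return a list of (ip_address, hostname) pairs from hosts-file text.

    Comments (everything after '#') and blank lines are ignored, and a line
    whose first field is not a valid IP address is skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((ip, name.lower()))
    return entries


def suspicious_entries(text, watched_domains):
    """Flag hosts entries that look like the redirection tricks in the article.

    Two findings are produced:
      - any watched domain (or subdomain) that is overridden at all, whatever
        the target address (the Trojan.Hosts pattern);
      - any non-local name mapped to a loopback address, which is what a
        locally running fake web server needs (the Trojan.HttpBlock pattern).
    Returns a list of (hostname, ip, reason) tuples.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        watched = any(name == d or name.endswith("." + d) for d in watched_domains)
        if watched:
            findings.append((name, str(ip), "watched domain overridden in hosts file"))
        elif ip.is_loopback:
            findings.append((name, str(ip), "non-local name pinned to loopback"))
    return findings


if __name__ == "__main__":
    # Hypothetical list of domains an organisation wants to protect.
    watched = ["example-bank.test", "search-engine.test"]
    for host, ip, reason in suspicious_entries(SAMPLE_HOSTS, watched):
        print(f"{host:32} -> {ip:16} {reason}")
```

On a real system the text would be read from `%SystemRoot%\System32\drivers\etc\hosts` (Windows) or `/etc/hosts`; the watched-domain list should be the set of banking, mail and search domains the organisation cares about, since a hosts entry for any of them is almost never legitimate.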

IM blocker

Trojan.IMLock, which blocks the launch of popular instant messaging clients such as ICQ and Skype, was discovered at the end of September. Instead of launching a program, the Trojan displayed a message, mimicking the design of the blocked messenger and informing the user that he had to send a paid short message in order to regain access to his IM account. To neutralize the Trojan, simply check your system with the Dr.Web scanner.

Malicious web site for Android only

A new malicious program for Android (Android.SmsSend.2) was discovered in September. Its functionality differed little from that of its predecessors (e.g. it sent paid short messages from infected mobile devices), with one significant difference: the download of the Trojan was initiated only if a potential victim loaded the bogus web page on a device running Android. Perhaps criminals believed that such a selective approach would make the malicious site more difficult to discover.

New botnet trends

At the end of September, Doctor Web's analysts discovered a botnet comprised of computers on which the server side of Radmin, one of the most widely used remote administration tools, was installed and running. The malicious program that infects computers and connects them to the botnet was classified by Dr.Web as Win32.HLLW.RAhack.

However, a system would only get infected if an administrator password used to access Radmin was found on the worm’s list. It turned out that many administrators were using weak passwords.

As for trends that could develop in October 2010, they will most likely be related to fraudware and new malicious programs that substitute fake web pages for real ones when certain sites are accessed. This is because criminals have found such programs to be the most profitable. Owners of botnets, which are often used to spread malware, will keep trying to create such networks using non-standard software and hardware solutions since such approaches ensure that infection remains undetected.

Viruses detected in e-mail traffic in September

01.09.2010 00:00 - 01.10.2010 00:00

Rank  Detections (share)
1     337845 (11.46%)
2     308357 (10.46%)
3     252490 (8.57%)
4     246976 (8.38%)
5     230637 (7.82%)
6     118139 (4.01%)
7     102740 (3.49%)
8     90503 (3.07%)
9     65819 (2.23%)
10    57658 (1.96%)
11    52397 (1.78%)
12    49619 (1.68%)
13    49478 (1.68%)
14    43600 (1.48%)
15    32908 (1.12%)
16    26135 (0.89%)
17    24706 (0.84%)
18    24681 (0.84%)
19    22101 (0.75%)
20    19668 (0.67%)

Total scanned: 22,631,101,955
Infected: 2,947,658 (0.01%)

Viruses detected on user machines in September

01.09.2010 00:00 - 01.10.2010 00:00

Rank  Detections (share)
1     8273098 (23.82%)
2     5135896 (14.79%)
3     3690668 (10.63%)
4     1977696 (5.70%)
5     1927627 (5.55%)
6     1370895 (3.95%)
7     1300940 (3.75%)
8     1091703 (3.14%)
9     1042949 (3.00%)
10    823512 (2.37%)
11    795502 (2.29%)
12    620668 (1.79%)
13    561893 (1.62%)
14    298586 (0.86%)
15    248724 (0.72%)
16    228104 (0.66%)
17    213306 (0.61%)
18    151676 (0.44%)
19    145085 (0.42%)
20    136102 (0.39%)

Total scanned: 12,949,782,895,195,462
Infected: 34,724,949 (0.00%)
