August 4, 2008

Doctor Web, Ltd presents the virus activity review for July 2008.

Virus epidemics causing uproar and panic among Internet users have long since passed. Nowadays malicious activities are less overt and in most cases remain unnoticed by inexperienced users. The July reaffirmed this tendency making “Trojan activity review” somewhat more appropriate title for this article for it is Trojans of all sorts that are brought in focus here.

Concerning Trojans

Trojans of the Virtumod family are the most interesting species from the point of view of analysis and working out a curing algorithm. Other anti-virus vendors classify them as Virtumonde/Vundo/Monder. By now these malicious programs have not paved their way to enter the glorious top ten spread malware but one can quite often come across with them in the wild. Very few anti-viruses can boast successful detection of such Trojans, let alone successfully cure them. The reason behind this complexity for anti-virus vendors is an operation algorithm employed by virus makers who are very consistent in the three or even four-way development of their polymorphic packer. Recent months saw over 10 modifications with dozens of thousands of samples for each type of the packer. The figures are based on data of other anti-virus vendors along with Dr.Web and also take into account samples found during an online virus scan.

Virtumod is not the sole active example of the off-line polymorphism. Now it is clear that without the centralized development of counteraction to this trend and without a versatile technology for prompt implementation of identifying of polymorphic packers in an anti-virus kernel the anti-virus industry may soon find itself inept in the face of emerging challenges.

Trojan.Clb is another malicious program spreading rather rapidly. It contains a rootkit and uses the splicing technology to hide files on disks and entire branches of the registry. Besides, there is also Trojan.DnsChange.967 that substitutes DNS server IP addresses on routers that support configuration via the web-interface. It imposes a real danger for users connected to wireless networks where the web-interface is typically used to configure routers. Users connecting to the Internet via a Wi-Fi access point can fall a victim of the DNS IP address substitution with their private data leaked to an unknown recipient.

Trojan.Okuks getting to a PC can also become a rather unpleasant surprise. Most anti-viruses have no problems detecting it. Meanwhile curing the malware is something entirely different. Incorrect curing of a system file infected by the Trojan or deletion of such a file without fixing the registry will get a Windows user a permanent BSOD after the first reboot.

The leaders

Actually there is only one leader that wanders up and down the top ten and seems to be reluctant to step down. Here we speak about worms belonging to the Autorunner family which are in abundance received by Doctor Web, Ltd. for the online virus scan.

Flash drives we got used to at home or in the office become the primary carrier for the worm. Virtually every user owns a flash drive. Employees carry data on flash drives on a business trip or take their work to their homes. However, along with the increased labour productivity the convenient storage device also imposes a threat because becoming one of the preferred means of spreading for viruses. But the most remarkable thing is that a flash drive is not the only USB device that can be compromised by the worm. It can get to a photo or a video camera or a mobile phone as easily. An Autoranner worm took the top notch in the anti-virus stats on the global infection level for servers protected by Dr.Web anti-viruses.

Malware in the mail traffic

01.07.2008 00:00 - 31.07.2008 23:00
1	Win32.HLLW.Autoruner.437	239451 (18.39%)
2	Win32.Dref	109607 (8.42%)
3	Win32.HLLM.Netsky.35328	89795 (6.90%)
4	Win32.HLLM.Netsky.based	45561 (3.50%)
5	Win32.HLLM.Beagle	42279 (3.25%)
6	Win32.HLLM.MyDoom.based	28334 (2.18%)
7	Win32.HLLM.Generic.440	26898 (2.07%)
8	Adware.Cydoor	26143 (2.01%)
9	Win32.HLLP.Jeefo.36352	24710 (1.90%)
10	Win32.Virut	22588 (1.73%)
11	Trojan.MulDrop.16727	22380 (1.72%)
12	Trojan.Starter.544	21632 (1.66%)
13	Win32.Sector.20480	21616 (1.66%)
14	Win32.Alman	21354 (1.64%)
15	VBS.Igidak	19669 (1.51%)
16	Danish.based	18572 (1.43%)
17	Trojan.MulDrop.6474	18481 (1.42%)
18	Win32.HLLW.Gavir.ini	17191 (1.32%)
19	Win32.HLLW.Autoruner.1831	15596 (1.20%)
20	Trojan.Packed.511	13550 (1.04%)

Malware detected on workstations

01.07.2008 00:00 - 31.07.2008 23:00
1	Trojan.Starter.516	202341 (18.09%)
2	Win32.HLLW.Gavir.ini	106435 (9.51%)
3	Win32.HLLW.Autoruner.274	91205 (8.15%)
4	Trojan.Recycle	90006 (8.05%)
5	Win32.HLLW.Autoruner.437	76710 (6.86%)
6	Trojan.Starter.544	72730 (6.50%)
7	JS.Nimda	40157 (3.59%)
8	VBS.Redlof	38242 (3.42%)
9	Win32.HLLM.Generic.440	37992 (3.40%)
10	Win32.HLLP.Whboy	24129 (2.16%)
11	Win32.HLLW.Autoruner.2272	21893 (1.96%)
12	Adware.SaveNow.128	17982 (1.61%)
13	Program.RemoteAdmin	17230 (1.54%)
14	BackDoor.IRC.Sdbot.55	15902 (1.42%)
15	Win32.HLLP.PissOff.36864	15670 (1.40%)
16	Win32.HLLP.Jeefo.36352	13282 (1.19%)
17	Trojan.Packed.511	11425 (1.02%)
18	VBS.Generic.548	8984 (0.80%)
19	Win32.HLLP.Sector	8273 (0.74%)
20	Exploit.IFrame.41	8101 (0.72%)