January 2, 2010

Trends of previous months continued to develop in December 2009 where ransomware accounted for a greater part of viral traffic. A large number of Trojans and web-sites were created by cybe-criminals to extort money from users.

Windows blockers

Numerous modifications of Windows blockers featuring new counter-analysis tehcnologies emerged in December. Under the Dr.Web classification such programs are named as Trojan.Winlock. In recent months these programs have become the main tool for extracting money in Russian and Ukraine.

Active Trojans of this class prevent launching of utilities used for analysis and may force a system shutdown. They also create numerous copies of themselves in Windows system folders to make manual removal of the malware from the system more difficult. The name of the Trojan process also differs from the name of the malicious executable file.

Trojans via e-mail

Spam remains one of the main channels for distribution of malware.

In December 2009 various modifications of Trojan.PWS.Panda were spread as VISA card transaction reports or as Facebook account passwords.

Such malicious programs as Trojan.NtRootKit.3226 and modifications of Trojan.Packed were delivered to users as “compromising photos” while Trojan.Botnetlog arrived at user machines as document from DHL.

Audio spam

December saw several types of spam mailings with attached audio files. As a rule such files are provided in the mp3 format and have a low bit rate (16 Kbit/s).

Messages with audio attachments advertised e-stores and healthcare products – an audio file contained a an address of the advertised web-site. Mailings that aimed to draw users into participating in pyramid schemes provided mp3 files larger than 6 MB with approximately sixty minutes length of a lecture.

From 2009 into 2010

In 2009 virus makers tended to focus on acquiring funds of users – an easy prey when large numbers of people follow links supposedly from credible organizations or friends, download programs serving different puporses. Criminals made money transfer demands appear in browser windows, on top of all other windows or right on a desktop. Traditional virus spreading channels — e-mail and instant messengers – were used along with new ones such as social networking web-sites and blogs.

The trend when cyber criminals target users of a wide range of operating systems and browsers simultaneously will most likely persist in 2010. In subsequent years developers of viruses will not merely focus on bypassing the conventional signature-based or heuristic detection but will be making a considerable effort in creating and refining methods to evade behaviour blockers. Examples of such evasions techniques can already be seen in the present. Most certainly rootkit technologies will continue to evolve as well and the technological contest between virus makers and anti-virus vendors will be as tough. It is also highly probable that a rootkit targeting Windows x64 will emerge in the wild in 2010. Yet makers of bogus web-sites will reach better efficiency by increasing the number of fraudulent web-resources. Even now anti-phishing technologies implemented in browsers to protect users from cyber-fraud often fail.

The number of malicious programs found in e-mail traffic in December increased 2.8 times compared to the November figures. The share of malicious files in the total number of files scanned on user machines increased 2.2 times. Cyber criminals raise the amount of money demanded from users for restoring their systems.

Viruses detected in e-mail traffic in December

Viruses detected on user machines in December