
Christmas – the best time for viruses

January 18, 2011

December capped off 2010 as a grand finale for virus writers, for this month witnessed the spread of malicious programs that featured all of the technologies developed over the course of the year. The ne’er-do-wells also used new technologies in their malicious programs to uninstall anti-virus software in compromised systems. And, as if that were not enough, Western European users were hit on Christmas day by an outbreak of malware that generates fake Internet search results.

Holidays — the best time to spread viruses

It’s hard to say why virus makers choose to spread the fruits of their labour during major holidays. Perhaps, they believe that anti-virus vendors won’t respond in a timely manner to emerging threats during holidays or that users won’t have the time or energy to deal with infections, and thus their chances of success will be higher. Even the fact that most company virus analysts work around the clock doesn’t affect the trend.

This past Christmas, Western European users experienced an outbreak of Trojan.Hottrend.32. This malicious program was added to the Dr.Web virus database on December 8, but the peak of its upsurge occurred on December 24 and 25.

Many anti-viruses failed to cure Trojan.Hottrend.32 completely. As a result, systems that were supposedly cured wouldn’t boot after a restart, but would crash and display a BSOD.

Trojan.Hottrend.32 is a multi-component program. Many anti-viruses were able to detect its malicious libraries in the Windows system directories and delete them. However, they didn’t restore the system files that the Trojan had infected during installation, which is what made the corresponding processes load the malicious libraries in the first place. Users of Dr.Web didn’t have to deal with system crashes, since their anti-virus cured the infection completely by removing the malicious DLL files and restoring the infected system files to their original state. Files infected by the Trojan are detected by Dr.Web as Win32.Dat.15.

Interestingly, Trojan.Hottrend shares a few features with other malicious programs. For example, the installer of Trojan.Hottrend.34 exploits the same Windows Task Scheduler vulnerability that BackDoor.Tdss (a.k.a. TDL4) used earlier to elevate its privileges under the latest versions of Windows. This component, incorporated into Trojan.Hottrend, is detected by Dr.Web as Exploit.TaskScheduler.1. Trojan.Hottrend.34 can also take advantage of a vulnerability in the Windows printing subsystem, a trick previously seen in Trojan.PWS.Ibank.279.

Anti-viruses can be removed again

The Trojan.VKBase.1, a multi-component malicious program capable of removing the latest versions of anti-viruses from computers, was discovered in December. The Trojan restarted a system in the Safe mode to remove the installed anti-virus. Since the self-protection module of Dr.Web anti-viruses remains operational even in the Safe mode, the malicious program downloaded an additional module — Trojan.AVKill.2942 — that exploited a vulnerability in the Dr.Web software. The vulnerability was closed in a timely manner, so Dr.Web users were the first to be protected against such attacks.

The ultimate goal of Trojan.VkBase.1 was a trivial one—to block access to the system and demand a ransom from the user to unlock it. Yet once access to the system was regained, another surprise awaited the victim. Even though the installed anti-virus had been uninstalled, the user was tricked into thinking that it was still up and running. Virus makers used the Trojan.Fakealert.19448 module to maintain the illusion.

Internet fraud in December

The average number of requests per day from users falling victim to cyber fraud increased insignificantly (by 5%) and reached 164 requests per day.

The number of Windows blockers demanding a cell phone balance refill increased to 70% of all malicious programs related to Internet fraud. It seems that the criminals using the blockers have almost completely shifted their preferences from payments with short messages towards balance refills, but standard schemes involving short messages and other types of malware are still in use.

A new variant of the scheme involving user transfer of funds to criminal cell phone accounts also gained popularity in December. Here users didn't even have to search for a payment terminal. Instead, they were given the opportunity to transfer money from their cell phone accounts to those belonging to criminals. An account-to-account transfer service is now provided by all known mobile operators. The share of support requests related to the scheme reached 25% of the total number of user requests in December, while in November 2010, no such requests were received.

Other threats in December 2010

Statistics collected by Doctor Web during the month also indicate that the botnet client Trojan.Oficla and the anti-virus killer Trojan.AVKill were spread widely over e-mail. Trojan.PWS.Panda, which steals passwords from user systems, was also found in large numbers in the wild.

If you take a look at the statistics for malware found on user machines, you will see that malicious programs exploiting the Windows shortcut vulnerability (Exploit.Cpllnk) are still among the top 20 most widely spread viruses, despite the fact that Microsoft released a patch closing the vulnerability in early August 2010. This demonstrates that many users still have not installed critical system updates released several months ago; their failure to follow the most basic rules of information security has increased the risk of system infection.

Malicious files detected in mail traffic in December

01.12.2010 00:00 - 01.01.2011 00:00 

Rank  Detection name              Detections (share of infected files)
1     Trojan.DownLoad1.58681      585624 (10.67%)
2     Trojan.Packed.20878         424313 (7.73%)
3     Trojan.Oficla.zip           310037 (5.65%)
4     Trojan.Packed.20312         258656 (4.71%)
5     Trojan.DownLoad.41551       241333 (4.40%)
6     Trojan.Oficla.38            146380 (2.67%)
7     Trojan.AVKill.2788          111996 (2.04%)
8     Win32.HLLM.Beagle           108907 (1.98%)
9     Trojan.PWS.Panda.114        94719 (1.73%)
10    W97M.Killer                 86120 (1.57%)
11    Trojan.DownLoader1.17157    68893 (1.25%)
12    Win32.HLLW.Autoruner.35407  60270 (1.10%)
13    Trojan.MulDrop1.54160       52069 (0.95%)
14    Trojan.PWS.Panda.387        51701 (0.94%)
15    Trojan.Oficla.48            51661 (0.94%)
16    Trojan.Oficla.73            51660 (0.94%)
17    Trojan.Botnetlog.zip        43136 (0.79%)
18    Win32.HLLM.MyDoom.54464     36344 (0.66%)
19    Trojan.AVKill.3097          35781 (0.65%)
20    Trojan.Inject.12703         34457 (0.63%)

Total scanned: 49,621,212,845
Infected: 5,489,646

Malicious files detected on user computers in December

01.12.2010 00:00 - 01.01.2011 00:00 

Rank  Detection name              Detections (share of infected files)
1     Win32.HLLP.Whboy.45         26157925 (35.09%)
2     Win32.HLLP.Neshta           19074952 (25.59%)
3     Win32.Siggen.8              9701550 (13.01%)
4     Win32.HLLP.Whboy.105        3029087 (4.06%)
5     Win32.HLLP.Rox              1778666 (2.39%)
6     Win32.HLLP.Novosel          1694940 (2.27%)
7     Win32.Antidot.1             1417299 (1.90%)
8     ACAD.Pasdoc                 880117 (1.18%)
9     Win32.HLLP.Whboy            837595 (1.12%)
10    Trojan.MulDrop1.48542       813936 (1.09%)
11    JS.Nimda                    649954 (0.87%)
12    HTTP.Content.Malformed      500629 (0.67%)
13    Trojan.DownLoad.32973       373241 (0.50%)
14    Win32.HLLW.Shadow.based     348344 (0.47%)
15    Exploit.Cpllnk              338660 (0.45%)
16    Win32.Sector.22             310594 (0.42%)
17    Win32.HLLW.Autoruner.5517   206193 (0.28%)
18    Win32.Sector.21             185741 (0.25%)
19    Trojan.MulDrop.54146        176975 (0.24%)
20    Trojan.DownLoader.42350     175097 (0.23%)

Total scanned: 112,698,120,297
Infected: 74,550,079
