Trojans dominate BitDefender’s top ten e-threats for January
Autorun and Javascript – January’s main vectors of infection
SYDNEY & AUCKLAND – February 2, 2010 – BitDefender today released a list of the top ten e-threats detected during the month of January, with six of the ten e-threats being Trojans.
Trojan.Clicker.CM ranks first, with 8.30 percent of the total amount of infected computers and is mostly found on file sharing websites such as torrent portals, ‘warez’ communities and other services hosting pirated content. The Trojan is in fact a small script forcing advertisements into your browser. While some of the advertisements are related to free online games, others may expose the computer user to pornography or other types of inappropriate content.
The second most prevalent e-threat for January is Trojan.AutorunInf.Gen, a generic mechanism to spread malware using removable devices such as flash drives, memory cards or external hard-disk drives. For instance, Win32.Worm.Downadup and Worm.Zimuse are two of the most famous families of malware to use this approach to infect other systems. Attention should be paid to the use of such external devices: they may be a convenient solution when it comes to data transportation, but also poses the risk of harming your machine if used carelessly. Libraries, internet cafes and other public hotspots have the highest potential for infection.
Ranking third in this month’s e-threat report, Win32.Worm.Downadup.Gen is responsible for 6.18 percent of global infections. Exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (MS08-67), this worm spreads on other computers in the local network and restricts users’ access to Windows Update and security vendors’ web pages. Newer variants of the worm also install rogue antivirus applications, among others. The worm’s persistence after more than one year since its original appearance reveals that most users are reluctant to updating both the operating system and their locally-installed antimalware solution.
BitDefender’s fourth e-threat for January is Exploit.PDF-JS.Gen, with 5.76 percent of the total amount of infections. This generic detection deals with malformed PDF files exploiting different vulnerabilities found in Adobe PDF Reader’s Javascript engine in order to execute malicious code on users’ computer. Upon opening an infected PDF file, a specially crafted Javascript code triggers the download and automatic execution of malicious binaries from remote locations.
Ranking fifth with 4.30 percent of the global infections, Trojan.Wimad.Gen.1 is mostly found on Torrent websites disguised as an episode of your favorite series that has not been aired yet. These fake video files are able to connect to a specific URL and download malware posing as the appropriate codec required for playing the file. Trojan.Wimad.Gen.1 is particularly active when box-office titles are expected to appear on file-sharing websites.
The sixth place with 2.73 percent of the infections triggered globally is taken by Win32.Sality.OG. This malicious e-threat is a polymorphic file infector that appends its encrypted code to executable files (.exe and .scr binaries). The Sality family is extremely difficult to detect and annihilate because these viruses constantly change their code, while the rootkit component tries to disable various antivirus applications installed on the infected system.
Trojan.Autorun.AET, a malicious code spreading via the Windows shared folders, as well as through removable storage devices, ranks seventh with 2.01 percent of the worldwide infections. The Trojan exploits the Autorun feature implemented in Windows operating systems prior to Vista SP2 for automatically launching applications when an infected storage device is plugged in. Given the potentially harmful side effects of the Autorun feature, Microsoft decided to disable it in Windows Vista SP2 and Windows 7.
Worm.Autorun.VHG is an Internet / network worm that exploits the Windows MS08-067 vulnerability in order to execute itself remotely using a specially crafted RPC (remote procedure call) package (an approach also used by Win32.Worm.Downadup). The worm ranks eighth with 1.69 percent of the global infections.
Trojan.Script.254568 ranks ninth with 1.40 percent of the global malware detection in January. This heavily-encrypted JavaScript code looks for a cookie file called “CoreBeta”; if the cookie is not on the computer, then it will be created and set to expire in a day. The cookie’s presence signals the Trojan that the system had already been infected. If the script finds the cookie, then it would inject some masked components in various webpages, while other web resources will be hijacked to “about:blank” pages.
With 1.40 percent, Trojan.JS.QAF is tenth in Top Ten e-threats. This highly obfuscated Java Script is hard to be read, making its detection quite difficult. Trojan.JS.QAF creates an “IFrame” that redirects the users to http://google-cn.msn.ca.shoplocal-com.[removed].ru:8080/interia.pl/interia.pl/ google.com/ empflix.com/debonairblog.com/
BitDefender’s January 2009 Top 10 E-Threat list includes:
1 | Trojan.Clicker.CM | 8.30 |
2 | Trojan.AutorunINF.Gen | 8.17 |
3 | Win32.Worm.Downadup.Gen | 6.18 |
4 | Exploit.PDF-JS.Gen | 5.76 |
5 | Trojan.Wimad.Gen.1 | 4.30 |
6 | Win32.Sality.OG | 2.73 |
7 | Trojan.Autorun.AET | 2.01 |
8 | Worm.Autorun.VHG | 1.69 |
9 | Trojan.Script.254568 | 1.40 |
10 | Trojan.JS.QAF | 1.40 |
OTHERS | 58.01 |
To stay up-to-date on the latest e-threats, sign-up for BitDefender’s RSS feeds here.
# # #
About BitDefender®
BitDefender is the creator of one of the industry’s fastest and most effective lines of internationally certified security software. Since its inception in 2001, BitDefender has continued to raise the bar and set new standards in proactive threat prevention, emerging as the industry’s anti-malware innovator. Every day, BitDefender protects tens of millions of home and corporate users across the globe — giving them the peace of mind of knowing that their digital experiences will be secure. BitDefender solutions are distributed by a global network of value-added distribution and reseller partners in more than 100 countries worldwide. More information about BitDefender and its products are available at the company’s security solutions press room. Additionally, BitDefender’s www.malwarecity.com provides background and the latest updates on security threats helping users stay informed in the everyday battle against malware.