December 1, 2008
The closure of McColo Corporation, responsible for 75 per cent of
worldwide spam traffic, divided the reported month into two equal
parts. Even though e-mail remains the most common means of spreading
malware, virus makers also find other ways to bring malicious code to
user machines.
AutoIt-worms
AutoIt is a freeware automation language for Windows that is very easy
to learn and offers virus makers wide opportunities. Last month showed
their growing interest in this scripting language. Even though an
AutoIt program is written as a script, the script can be compiled into
a packed executable whose obfuscated code is very hard to analyze.
November saw an AutoIt worm spreading via removable data storage
devices instead of e-mail.
Viruses spreading on removable devices are especially dangerous for
companies and governmental institutions, which are forced to introduce
special measures to contain the infection. Companies adopt software
that allows them to restrict usage of removable devices and sometimes
impose a temporary ban on the use of removable drives.
Dr.Web anti-virus 5.0, currently undergoing open beta-testing, can
unpack the files of an AutoIt worm and analyze its scripts. Viruses
written in this scripting language enter the Dr.Web database as
Win32.HLLW.Autoruner.
Mail viruses
Prior to the closure of McColo, spam mailings distributing malware came
in high numbers. Below we take a closer look at the diverse methods
used to lure a user into launching a malicious file.
Trojan.PWS.GoldSpy.2454 was disguised as an e-card. Even though fake
cards have long been known to the Internet community, they still
remain effective. The name of the malicious file is card.exe. Messages
with a link to a malicious file were used to spread another
modification of the malware, Trojan.PWS.GoldSpy.2466.
[IMAGE]
Trojan.DownLoad.3735 was spread as a file with a double extension: the
attached active_key.zip contained the file active_keys.zip.exe. The
message informed the user that his account had been suspended upon a
corresponding request supposedly sent by the victim, and offered to
activate the account. However, the message did not name any service to
which the blocked account belonged. Unsurprisingly, the details of the
activation were said to be found in the attached document, which
turned out to be an executable file containing malicious code. Other
messages spreading the same Trojan informed the user of changes to
certain clauses of an agreement.
[IMAGE]
Messages with attached Trojan.PWS.GoldSpy.2456 threatened the user with
forced disconnection from the Internet for a copyright violation. The
victim's activities related to the alleged violation over the last six
months were said to be listed in an attached file
(user-EA49945X-activities.exe), which was nothing more than another
malicious program. The U.S. presidential election was also used as a
message topic in e-mails spreading the Trojan.
[IMAGE]
Another mailing notified the user of a failed delivery of a package
caused by an incorrect recipient address. The attached invoice was
detected by Dr.Web as Trojan.PWS.Panda.31.
[IMAGE]
Our analysts also registered several mailings advertising easy money
on eBay. An HTML file attached to the message was detected by Dr.Web
as Trojan.Click.21795. The file contained an encrypted script that
directed the user to a web site advertising training courses. Another
similar mailing advertised a new way of advertising using RSS and free
promotion of web sites using services by Google and Yahoo.
The closure of McColo Corporation reduced spam traffic significantly,
but the outage was only brief. Since then, malware-related mailings
have been short-lived, though spam traffic has at times been rather
high. Such mailings included Trojan.PWS.Panda.31 spam e-mails and
messages containing an encrypted script detected by Dr.Web as
Trojan.Click.21795.
Authors of Trojan.DownLoad.4419 applied a new technique, offering a
link to download a beta version of Internet Explorer 8 from a bogus
web site.
[IMAGE]
A mailing in German described in the previous Doctor Web review also
reemerged. It prompted the user to view important financial
information provided in an attached file. Earlier, a shortcut and a
piece of malicious code had been placed in one folder contained in the
attachment, while in November they were separated, with the shortcut
placed outside the folder. Dr.Web detects this Trojan program as
Trojan.DownLoad.16843.
[IMAGE]
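The lures described above share a few file-name patterns that a mail gateway can screen for: a bare executable posing as a card or invoice (card.exe, user-EA49945X-activities.exe), a double extension hidden inside an archive (active_keys.zip.exe in active_key.zip), and an HTML attachment carrying a script. The following Python is an added example, not code from Doctor Web; the extension lists and the in-memory sample archive are constructed assumptions for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed lists: extensions Windows runs on double-click, and decoy
# extensions a sender puts in front of them to mimic a document or archive.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
DECOY_EXTS = {".zip", ".doc", ".pdf", ".txt", ".jpg", ".htm", ".html"}

def classify_name(name):
    """Reasons an attachment file name matches the lures in this review."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    reasons = []
    if suffixes and suffixes[-1] in EXECUTABLE_EXTS:
        reasons.append("executable attachment")
        if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
            reasons.append("double extension %s%s" % (suffixes[-2], suffixes[-1]))
    elif suffixes and suffixes[-1] in (".htm", ".html"):
        reasons.append("html attachment (may carry script)")
    return reasons

def scan_attachment(name, data):
    """Check the attachment name, then look one level inside zip archives."""
    findings = ["%s: %s" % (name, r) for r in classify_name(name)]
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    findings += ["%s!%s: %s" % (name, member, r) for r in classify_name(member)]
        except zipfile.BadZipFile:
            findings.append("%s: zip signature but archive is unreadable" % name)
    return findings

def build_sample_zip(member):
    """Constructed sample: a zip holding one harmless stub under the given name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"stub, not a real program")
    return buf.getvalue()

if __name__ == "__main__":
    samples = {  # constructed attachments using the file names quoted in the review
        "card.exe": b"MZ stub",
        "active_key.zip": build_sample_zip("active_keys.zip.exe"),
        "user-EA49945X-activities.exe": b"MZ stub",
        "invoice.pdf": b"%PDF-1.4 stub",
    }
    for n, d in samples.items():
        for line in scan_attachment(n, d):
            print(line)
```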
Phishing
November 2008 also saw a wave of phishing targeting users of online
payment systems, Internet banking and other paid services in several
countries. In particular, customers of JPMorgan Chase Bank and RBC
Royal Bank and users of AdWords and PayPal became victims of the
phishing attacks.
[IMAGE]
[IMAGE]
Specialists of the Doctor Web virus monitoring service added 25,461
entries to the virus database in November, an average of 850 new
entries per day. Note that one entry in the Dr.Web database allows the
software to detect numerous modifications of one virus. The figures
show that regular updating of anti-virus software, as often as once
per hour, is becoming a necessity; Dr.Web automatic updating provides
such an update frequency quite easily. In addition, a good anti-spam
module becomes indispensable for normal work, protecting against
irrelevant and harmful e-mail messages.
Malware detected in e-mail traffic in November
01.11.2008 00:00 - 01.12.2008 00:00
No.  Malware                       Detections (share)
 1   Win32.HLLM.MyDoom.based       13741 (15.33%)
 2   Win32.Virut                   13036 (14.55%)
 3   Win32.HLLM.Alaxala             5705 (6.37%)
 4   Trojan.MulDrop.13408           4534 (5.06%)
 5   Win32.HLLM.Beagle              4426 (4.94%)
 6   Trojan.MulDrop.16727           4206 (4.69%)
 7   Trojan.PWS.GoldSpy.2456        4145 (4.63%)
 8   Win32.HLLW.Autoruner.2640      3032 (3.38%)
 9   Trojan.MulDrop.18280           2580 (2.88%)
10   Trojan.PWS.Panda.31            2228 (2.49%)
11   Trojan.DownLoad.16843          2192 (2.45%)
12   Win32.HLLM.Netsky.35328        1888 (2.11%)
13   Win32.Virut.5                  1497 (1.67%)
14   Win32.HLLM.MyDoom.33           1442 (1.61%)
15   Win32.HLLM.Netsky              1361 (1.52%)
16   Trojan.PWS.GoldSpy.2454        1328 (1.48%)
17   Trojan.MulDrop.19648           1310 (1.46%)
18   Win32.HLLW.MyDoom.43010        1306 (1.46%)
19   Win32.HLLM.Mailbot             1305 (1.46%)
20   Trojan.DownLoad.3735           1212 (1.35%)
Malware detected on user machines in November
01.11.2008 00:00 - 01.12.2008 00:00
No.  Malware                       Detections (share)
 1   Win32.HLLW.Gavir.ini          2039696 (21.98%)
 2   Win32.HLLM.Lovgate.2           414507 (4.47%)
 3   VBS.Autoruner.7                310657 (3.35%)
 4   Win32.HLLM.Generic.440         288404 (3.11%)
 5   VBS.Autoruner.8                277825 (2.99%)
 6   Win32.Alman                    275230 (2.97%)
 7   DDoS.Kardraw                   252853 (2.72%)
 8   Win32.HLLP.Whboy               198018 (2.13%)
 9   Trojan.Recycle                 192769 (2.08%)
10   Win32.HLLP.Neshta              177445 (1.91%)
11   Win32.HLLP.Jeefo.36352         168291 (1.81%)
12   Win32.Virut.5                  154206 (1.66%)
13   Win32.HLLW.Autoruner.274       147315 (1.59%)
14   Trojan.DownLoader.42350        132782 (1.43%)
15   Win32.HLLW.Autoruner.3631      120982 (1.30%)
16   VBS.Generic.548                110152 (1.19%)
17   Win32.HLLO.Black.2              97456 (1.05%)
18   Win32.HLLW.Autoruner.2805       89892 (0.97%)
19   Win32.HLLW.Cent                 88296 (0.95%)
20   Trojan.MulDrop.18538            86521 (0.93%)
November 2008 virus activity review from Doctor Web
Author: admin, Dec 01 2008 03:00