Kaspersky (Top 10) malware miscellany
March 20, 2007 ~ "...I did a little digging, and here’s my first malware miscellany - a collection of facts in a range of semi-random categories.
1. Greediest Trojan Targeting Banks - this month, it’s Trojan-Spy.Win32.Banker.zd, which targets the clients of 33 banks. And just as we keep saying, the number of Trojans which target more than one bank is growing all the time.
2. Greediest Trojan Targeting E-payment Systems - The winner in this category is Trojan-Spy.Win32.Banker.z. This Trojan targets three plastic card systems, but also steals finance-related data from the customers of many banks. Apparently, its author prefers a comprehensive approach to making money.
3. Greediest Trojan Targeting Plastic Cards - The top malicious program in this category is Backdoor.Win32.Neodurk.13, which searches for access data for three plastic card systems, in addition to providing cybercriminals with remote control of victim computers, which is its main function.
4. Stealthiest Program - This category's winner is a modification of Backdoor.Win32.Rbot.gen, which is packed by eight different compression utilities in the hope that this will prevent antivirus programs from detecting the malicious code.
5. Smallest Malicious Program - This category of malware was won by Trojan.BAT.DeltreeY.af, which is just 19 bytes in size. This is a primitive Trojan, which (as its name suggests) deletes folders on infected computers. Its targets include the Windows system directory; of course, if this gets deleted, you may end up with some serious problems.
6. Biggest Malicious Program - February’s “giant” is Trojan-Spy.Win32.Bancos.rv. It is 13 MB in size, and is a bit of an oddity - you might expect extensive functionality, which this Trojan doesn't actually have.
7. Most Malicious Program - The winner from this category uses numerous methods to effectively combat antivirus protection installed on computers. February’s leader is Backdoor.Win32.Aebot.e, which uses a variety of methods to disable protection, including terminating processes in memory, stopping services and blocking updates. The malicious program terminates protection utilities by the dozen, including all kinds of firewalls, system monitoring utilities, antivirus products, etc.
8. Most Common Malicious Program in Email Traffic - In February 2007, the winner was Email-Worm.Win32.NetSky.t. Although this is a relatively old email worm, it still accounts for about 15% of all email traffic.
9. Most Common Trojan Family - We talk a lot about how the number of Trojans is on the increase. And Backdoor.Win32.Hupigon is a great example - in a single month we detected 368 modifications of this family.
10. Most common virus/worm family - In February, the Warezov family was the most widespread among all virus and worm families. Samples of 118 different modifications were found in February alone..."
Malware Miscellany, March 2007
April 27, 2007 ~ "...
1. Greediest Trojan Targeting Banks - Trojan-PSW.Win32.Agent.km takes this title this month. Not only does this Trojan wage war against 42 banks at once, it also attempts to intercept TAN-codes, which once again proves that this kind of protective measure does not present much of an obstacle for cyber criminals. The Trojan’s victims include many leaders in the global banking sector.
2. Greediest Trojan Targeting E-payment Systems - this title goes to one of the modifications of Trojan-Spy.Win32.Banker.clu, which is programmed to gain access into three different electronic money systems.
3. Greediest Trojan Targeting Plastic Cards – the title goes to Trojan-Spy.Win32.Banker.ciy. Last month, the malicious program that took this title was programmed to access three plastic card systems at once. Banker.ciy wins because it targets 5 systems instead of 3.
4. Stealthiest Program - this month Backdoor.Win32.Hupigon.elw takes the title – it is packed seven times with different .exe file packers.
5. Smallest Malicious Program - is the 51 byte Hoax.Bat.AlotWindows.a, which plays a mean joke on Internet users. When this program is launched, it begins to open a series of windows on the user's computer with the text "DDoS DOS!" In reality, opening windows is all Windows.a is capable of.
6. Biggest Malicious Program - Trojan.Win32.Haradong.ao weighs in at a hefty 182 MB (!). This file is spread under the guise of a video file, with the extension “avi.scr.” Its very large size is attributed solely to that fact.
7. Most Malicious Program - Backdoor.Win32.Rbot.aeu blocks security solutions using a variety of methods.
8. Most Common Malicious Program in Email Traffic - Email-Worm.Win32.NetSky.q, which has been around for years, but still managed to account for 14% of all malicious email traffic in March, which just goes to show that the older malware is still going strong.
9. Most Common Trojan Family - once again it is the Chinese Backdoor.Win32.Hupigon family, with a mere 326 modifications instead of the 368 we saw last month.
10. Most common virus/worm family - goes to the well known Warezov worm again; with 44 new modifications detected this month.
...Malware that is used to make money is growing visibly and malware writers follow trends, with the popular malware showing up in the ratings consistently."
Malware Miscellany, April 2007
May 14, 2007 ~ "April may be the cruelest month, but the malware has been breeding actively, mixing backdoors and BAT files, stirring users' systems by deleting libraries...
1. Greediest Trojan targeting banks - this month, the award goes to Backdoor.Win32.Delf.zq. This program not only targets almost a hundred banks; it's got other payment systems in its sights as well. Analysis of the code reveals the program's Russian origins.
2. Greediest Trojan targeting payment cards - the prize in this category goes to Backdoor.Win32.VB.asj, which targets users of four different payment cards.
3. Greediest Trojan targeting e-payment systems - April's statistics place Trojan-Dropper.Win32.Agent.ahp squarely in the frame. Just as Backdoor.Win32.VB.asj does, this Trojan targets users of four different e-payment systems.
4. Stealthiest malicious program - just like last month, there's a Hupigon variant creeping up on users' systems – this month it's Backdoor.Win32.Hupigon.ru, which is packed with 11 different packers.
5. Smallest malicious program - this month, we've got a program which falls in between the previous two winners in terms of size. It's Trojan.BAT.KillDll.b, a BAT file which is a mere 31 bytes in size. All it does is delete all DLL libraries from the Windows system directory. However, this is enough to crash the operating system.
6. Biggest malicious program - Trojan.Win32.Haradong.aa is the winner here. At 220MB, it outweighs last month's winner by 38MB.
7. Most malicious program - an extensive malicious payload makes Backdoor.Win32.Agobot.gen a standout this month; the program combats antivirus solutions by deleting program files and terminating processes and services.
8. Most common malicious program in email traffic - Email-Worm.Win32.NetSky.t repeated its February performance and again made up 14% of all malicious code in mail traffic. A variant from the same family also won this category last month, demonstrating that the NetSky saga is set to run and run.
9. Most common Trojan family - this month, Trojan-PSW.Win32.OnLineGames made its presence felt, with 1044 modifications. The huge number of variants indicates that the demand for property and passwords stolen from online game accounts shows no signs of drying up.
10. Most common virus/worm family - the Warezov family is already a regular feature in our Miscellanies and reports. It continues its dominance in this category, with 72 modifications being detected in April...."
Malware Miscellany, May 2007
June 15, 2007 ~ "Virus writers didn't take any time off over the public holidays, and the results of their labour have made their way into our May miscellany.
1. Greediest Trojan targeting banks - in May, this title went to Trojan-Spy.Win32.Banker.aqu, a modification that targets 87 banks simultaneously.
2. Greediest Trojan targeting e-payment systems – this month's glutton is Trojan-PSW.Win32.VB.kq, which targets four e-payment systems.
3. Greediest Trojan targeting payment cards - Trojan-PSW.Win32.VB.kq wins the prize in this category; it targets four payment card systems, and interestingly also targets e-payment systems (see the above category).
4. Stealthiest malicious program – once again, it's a Hupigon variant winning out in this category. Backdoor.Win32.Hupigon.rc is packed ten times with a whole range of packers. Nevertheless, this didn't save the backdoor from detection.
5. Smallest malicious program - this prize goes to a tiny little program weighing in at a mere 9 bytes. Despite its very compact size, Trojan.DOS.DiskEraser.b is smart enough to delete data from disk.
6. Biggest malicious program - Trojan.Win32.KillFiles.ki was the most space-hungry malicious program in May. This file-deleting Trojan weighs in at a whopping 247GB. Interestingly enough, both May’s smallest and largest programs have the same malicious payload - but the difference in size is remarkable.
7. Most malicious program - the leader in this category in May is Backdoor.Win32.Agobot.afy, which deletes antivirus programs using a variety of methods.
8. Most common malicious program in email traffic - this title went to Email-Worm.Win32.Netsky.t this May. Despite being an old-timer, this worm is still causing major damage, accounting for over 15% of all malicious email traffic in May 2007.
9. Most common Trojan family - the winner of this category this month is the Backdoor.Win32.Rbot family, with 454 modifications in the course of just one month.
10. Most common virus/worm family - the Warezov family once again took this title this month. A total of 78 different variants of the Warezov family were detected in May, up from 72 in April.
The summer holidays are coming up, and although it's unlikely we'll see worm epidemics on the scale of those in 2004/5, we'll still have plenty of work to do..."
Malware Miscellany, June 2007
July 18, 2007 - "...Let's take a look at what the first month of summer brought us.
1. Greediest Trojan targeting banks - this month the award goes to Trojan-Spy.Win32.Small.cz, which targeted 84 financial organizations. That’s just slightly less than last month's 87.
2. Greediest Trojan targeting payment systems - this title goes to Backdoor.Win32.VB.bck this month after it tracked the users of three different e-currency systems.
3. Greediest Trojan targeting payment cards - Trojan-PSW.Win32.VB.kq, which took the same title in May, is really getting into its gluttonous stride. A new variant was detected in June which is already targeting five different card systems, up from four last month.
4. Stealthiest malicious program - in June this title went to Backdoor.Win32.Amutius.143, packed eight times using a range of packers.
5. Smallest malicious program – this month we have the tiny 14-byte Trojan.BAT.DelTree.d. This puny program still packs a punch by deleting all directories from the disk.
6. Largest malicious program - Trojan-Spy.Win32.Banbra.ha weighed in as the month's largest malicious program at nearly 30MB (almost nothing compared to last month's whopper).
7. Most malicious program - the leader in this category this month is Trojan.Win32.AddUser.k, which deletes antivirus solutions and services from the disk, from RAM, and all related registry keys.
8. Most common malicious program in email traffic - the prize for this category goes to Email-Worm.Win32.NetSky.q, which accounted for over 16% of all malicious email traffic.
9. Most common Trojan family - Trojan-Downloader.Win32.Agent is well ahead in this category, with 501 new variants detected in June.
10. Most common virus/ worm family – Zhelatin put in some effort this month, with a total of 49 modifications being intercepted in June.
With so many Trojan variants, virus writers are showing no signs of taking off for the beach. Which means, of course, that we won't either. Drop by the blog this time next month for an update..."
Malware Miscellany, July 2007
August 13, 2007 - "...Miscellaneous malware we saw at the height of summer 2007.
1. Greediest Trojan targeting banks - Summer is already halfway over. During the midsummer month of July, this category was led by Trojan-Spy.Win32.Banker.alv, which currently has its sights set on 33 banks.
2. Greediest Trojan targeting payment systems - the title this month goes to Trojan-PSW.Win32.Steam.f, currently targeting three different e-payment systems at once.
3. Greediest Trojan targeting payment cards – here a Brazilian Trojan, Trojan-Spy.Win32.Banbra.df, takes the category, targeting four different payment card systems.
4. Stealthiest malicious program - Trojan-Downloader.Win32.Delf.ain, which is packed 12 times, dominated this category in July.
5. Smallest malicious program – this month we have a tiny 14-byte program (the same size as last month's winner, incidentally) called Trojan.BAT.Formatcu. Despite its small size, this program is capable of doing a lot of damage by destroying all data on the C: drive.
6. Largest malicious program - the heavyweight champion in July, a modification of Trojan.Win32.KillFiles.mb, takes up a lot of space at 743MB.
7. Most malicious program - the leader this month is Backdoor.Win32.Aebot.e. It deletes antivirus protection from files on disk, from processes running in RAM, and from registry auto run keys.
8. Most common malicious program in email traffic - July’s most common malicious program was Email-Worm.Win32.Warezov.pk, which accounted for nearly 23% of all mail traffic last month.
9. Most common Trojan family - last month’s leader in this category was the Trojan-Spy.Win32.Banload family. A total of 534 variants of this family that had not been previously detected emerged last month.
10. Most common virus/ worm family - The most common worm family in July was the email worm Warezov. 41 modifications of this family were detected in July..."
Malware Miscellany, August 2007
September 14, 2007
1. Greediest Trojan targeting banks: As summer came to an end, a new Trojan took the lead in this category. Trojan-Spy.Win32.Banker.cji can track the online clients of 44 different banking systems at once.
2. Greediest Trojan targeting payment systems: Trojan-Spy.Win32.Banker.dfj took this title in August after setting its sights on three different electronic payment systems at the same time.
3. Greediest Trojan targeting payment cards: The winner of this award in August is one of the modifications of Trojan-Spy.Win32.Banbra.hp, a Trojan hailing from Brazil that held this title in July as well. This malicious program not only targets the clients of three different plastic card systems, it also tracks the clients of a number of Brazilian banks.
4. Stealthiest Malicious Program: The leader in this category in the last summer month was Backdoor.Win32.Hupigon.rc, which is packed nine times over by a variety of different packers.
5. Smallest Malicious Program: In August, this title went to the tiny tot Trojan.BAT.Deltree.s. Don’t be fooled - this 16-byte program packs a punch and can destroy all of the directories on the C drive.
6. Largest Malicious Program: The heftiest malicious program in August was one of the modifications of Trojan.Win32.VB.aqy. This portly program weighs in at 237MB and spreads disguised as a screensaver.
7. Most Malicious Program: The winner of this title in August was Backdoor.Win32.IrcBot.aeo, which actively counters PC security systems by destroying them in the RAM and on the drive.
8. Most Common Malicious Program in Email Traffic: The most common malicious program in email traffic was the old familiar Email-Worm.Win32.NetSky.q, which accounted for 21% of email traffic in the last summer month.
9. Most Common Trojan Family: In August this title goes to Trojan-Spy.Win32.Banker, which racked up an impressive 736 different variants this month.
10. Most Common Virus / Worm Family: The leader of this category goes to the Bagle family of worms this August, with a total of 29 modifications detected over the course of the month.
Malware Miscellany - September 2007
October 19, 2007 - "September brings a change of seasons – has the colder weather caused any familiar malicious programs to go into hibernation? Let’s find out by taking a look at this month’s malware miscellany:
1. Greediest Trojan Targeting Banks: this title goes to a modification of Trojan-Spy.Win32.Small.dg, which manages to target the clients of 134 banks at once – quite an impressive feat!
2. Greediest Trojan Targeting Payment Systems: Trojan-Spy.Win32.Agent.baa is the winner this month, and it’s designed to harvest access data for three different e-payment systems.
3. Greediest Trojan Targeting Plastic Cards: Once again the title goes to a Banbra variant – this month it’s Trojan-Spy.Win32.Banbra.df, which targets three payment card systems. And for the third month running, it’s a program with Brazilian roots that wins this category.
4. Stealthiest Malicious Program: Trojan.Win32.Delf.or, which is packed ten times with a variety of different packers, takes September’s title.
5. Smallest Malicious Program: This month brings us the tiny 19 byte Trojan.BAT.KillFiles.gc, but in spite of its small size, this program is able to delete plenty of data from the user’s computer.
6. Biggest Malicious Program: This title goes to a modification of Trojan.Win32.Haradong.bj, which weighs in at a hefty 234 MB – the authors of this Trojan don’t seem to be at all concerned about efficient use of resources!
7. Most Malicious Program: Autumn’s leader so far is Trojan-Downloader.Win32.Agent.bxx, which uses a variety of methods to disable security solutions, including terminating processes in memory and deleting the security programs themselves.
8. Most Common Malicious Program in Email Traffic: Although Email-Worm.Win32.NetSky.q has been around for years, it still managed to account for 25.22% of all malicious email traffic in September - 4% higher than in August.
9. Most Common Trojan Family: The winner in this category is Trojan-Downloader.Win32.Agent, with a ‘mere’ 663 modifications – nearly a hundred fewer than August’s winner.
10. Most Common Virus/ Worm Family: This nomination goes to Zhelatin, back after two months off with 55 new modifications detected this month..."
Malware Miscellany, October 2007
November 15, 2007 - "...October's malware miscellany is in some ways remarkably similar to September's, with a number of familiar programs once again making an appearance...
1. Greediest Trojan targeting banks: This month's leader is a modification of Trojan-Spy.Win32.Banker.ezn, which targets 45 banks. This seems positively modest in comparison to last month's leader, which set its sights on 134 banks simultaneously.
2. Greediest Trojan targeting payment systems: Backdoor.Win32.Xhaker.c is very equitable in its approach – it attacks three e-payment systems and three plastic card systems.
3. Greediest Trojan targeting plastic cards: See above.
4. Stealthiest malicious program: The number 10 seems to be in favour at the moment – this month's winner, Backdoor.Win32.Hupigon.mrv, is packed with ten different packers, just as last month's leader was.
5. Smallest malicious program: In spite of its tiny 17 bytes, Trojan.BAT.DeltreeY.a packs a punch and wins the October nomination.
6. Biggest malicious program: Once again, a hefty representative of the Haradong family wins out – Trojan.Win32.Haradong.ct weighs in at 244MB, slightly larger than its close relative Haradong.bj, last month's winner in this category.
7. Most malicious program: Backdoor.Win32.Rbot.ejs, like so many past winners of this category, disables security solutions by deleting them from memory and from the registry.
8. Most common malicious program in mail traffic: Email-Worm.Win32.Netsky.q retains its persistent presence in this category for the third month running, and made up 20.11% of all malicious programs in mail traffic in October.
9. Most common Trojan family: In spite of an impressive 563 modifications, Trojan-Spy.Win32.Banker's numbers are following last month's trend, with figures just over 100 down on September's.
10. Most common virus/ worm family: Email-Worm.Win32.Zhelatin (a.k.a. the Storm worm) continues to reign in this category for the second month running, with 38 modifications in October..."