Malware Prevalence August 2008

During the month of August we've seen 8165 unique samples actively circulating and infecting users. These figures come mostly from people who use our online scanner, Panda ActiveScan, and who have a variety of different AV products installed, as well as from our behavioral sensors. The vast majority of the people who use ActiveScan are Symantec, Nod32, McAfee, Kaspersky and AVG users. Of the total seen infecting these users, only a portion are new and not seen in previous months; of those, 82% are non-self-replicating Trojans, while the rest are self-replicating viruses and worms. The following are the runtime packing properties and the most active families whose new variants have been making the summer rounds.

August 2008 - Custom & Private Packers

In our last obfuscation study, "Packer (r)evolution", we saw an increase in the use of private or customized versions of packers developed to evade AV signature detection. As a curiosity, I've updated the study to see how this trend is evolving. For this purpose our colleague Satur created a tool called "Detector" for advanced packer identification, which specializes in identifying specific, generic and custom packers but is also able to identify file infectors, polymorphism, installers and much more. The results are pretty amazing. In April 2008 we already saw an increase to over 30% of the packers being "private". This has now exploded: in the August 2008 collection a whopping 75% of them are using non-mainstream runtime packing.

August 2008 - New Variants of Self-Replicating Virus/Worm Families

*** W32_Mandaph
*** W32_MSNPhoto
*** W32_Lineage
*** W32_IRCBot
** W32_Sohanat
** W32_Autorun
* W32_Bagle
* W32_Spamta
* W32_Socks
* W32_Sdbot
* W32_Rahack
* W32_Nuwar
* W32_MSNworm
* W32_Lineage
* W32_Kolabc
* W32_Gaobot

August 2008 - New Variants of Non-Self-Replicating Trojan Families

***** Spyware_Virtumonde
*** Trj_Lineage
*** Bck_IrcBot
*** Adware_Zenosearch
** Trj_dmRandom
** Trj_Agysteo
** Trj_Agent
** Adware_Netproject
** Adware_NaviPromo
** Adware_AntivirusXP2008
* VBS_Autorun.ABM
* Trj_Zlob
* Trj_Sinowal
* Trj_QQPass
* Trj_ProxyServer
* Trj_Proxy
* Trj_Passtealer
* Trj_Nabload
* Trj_Multidropper
* Trj_Mailfinder
* Trj_KillAV
* Trj_Gamania
* Trj_Exchanger
* Trj_Downloader
* Trj_DNSChanger
* Trj_Clicker
* Trj_Buzus
* Trj_Banker
* Trj_Banbra
* Trj_Alanchum
* Spyware_Vundo
* Rootkit_Lineage
* Dialer
* Bck_RedGirl
* Bck_Nuclear
* Bck_Hupigon
* Bck_Flooder
* Bck_Bifrose
* Bck_Agent
* Application_AntivirusXP2008
* Application_Antivirus2009
* Application_AntiSpyCheck
* Adware_Xpantivirus2008
* Adware_XPSecurityCenter
* Adware_XPAntivirusPro
* Adware_WinAntispyware2008
* Adware_VapSup
* Adware_RogueAntimalware2009
* Adware_RogueAntimalware2008
* Adware_MediaCodec
* Adware_JavaCore
* Adware_IEAntivirus
* Adware_IEAntiSpyware
* Adware_Antivirus2009
* Adware_Antivirus2008XP
* Adware_Antivirus2008Pro
* Adware_Antivirus2008
* Adware_Antispyware2008
* Adware_AntiSpyCheck
* Adware_Adsmart
* Adware_AVMaster
