New Malware Prevalence April 2008

Pedro Bustamante at  09 May 08 12:51

Even though we get thousands of new malware samples in the lab every day, only a fraction of these make it in-the-wild actively infecting users. These are the most interesting samples for us as they're the ones we need to concentrate on the most. The vast majority of the times we catch these either by generic signatures, heuristics or TruPrevent behavioral analysis and blocking and through a variety of sensors such as our own products installed at users' PCs, online scanners or through correlation by our Collective Intelligence.

During the month of April we've seen a total of 6.809 unique samples actively circulating and infecting users. Out of the total malware seen in-the-wild, approximately 10% of the samples are completely new and not seen in previous months. Of this new malware 81% are non-replicating Trojans while the rest are self-replicating viral/worm code.

Following below is an overview of the prevalence statistics and family details broken down by type (non-replicating and self-replicating) and use of runtime packer or obfuscator.

 

New Non-Replicating Trojans

Let's take a look first at the new Trojans sighted this month. As usual adware/spyware leads the list with the largest number of variants being distributed. It's obvious that the return on investment is greatest with this type of malware as there are plenty of "marketing companies" out there that offer pay-per-install affiliate programs of their malware.

An interesting trends we're seeing lately is the increase in Banking Trojan activity. These are mostly distributed via Web Exploitation Kits and Trj/Downloaders. They are best represented this month by the Banker and Sinowal families.

The following table details the new non-replicating Trojans found in-the-wild with an indication of their prevalence, from * (seen on at least two unique computers) to ***** (massive distribution). 

Prevalence	Name
****	 Adware_Netproject
***	 Spyware_Virtumonde
***	 Adware_VideoAccessCodec
***	 Adware_Netproject
***	 Adware_NaviPromo
**	 Trj_Nabload.DEX
**	 Trj_Mitglieder.TJ
**	 Trj_Lineage.IGA
**	 Trj_Lineage.IDJ
**	 Trj_Lineage.IDE
**	 Trj_Lineage.HZI
**	 Trj_Downloader.TIN
**	 Trj_Downloader.THP
**	 Trj_Downloader.TCC
**	 Trj_dmRandom.TW
**	 Trj_Banker.KWQ
**	 Trj_Banker.KWP
**	 Trj_Banker.KWO
**	 Trj_Banker.KWH
**	 Malicious Packer
**	 Adware_WinReanimator
**	 Adware_VirusHeat
**	 Adware_VideoPlugin
**	 Adware_VideoAccessCodec
**	 Adware_VapSup
**	 Adware_UltimateDefender
**	 Adware_Suurch
*	 W32_Lineage.ICJ.worm
*	 Trj_Zlob.IF
*	 Trj_SysW.G
*	 Trj_Spammer.AHH
*	 Trj_Spammer.AHD
*	 Trj_Spamine.G
*	 Trj_Sinowal.VKF
*	 Trj_Sinowal.VKE
*	 Trj_Sinowal.VKB
*	 Trj_Sinowal.VJZ
*	 Trj_QQPass.BGT
*	 Trj_QQPass.BGN
*	 Trj_QQPass.BGM
*	 Trj_QQPass.BGL
*	 Trj_Nabload.DEU
*	 Trj_Nabload.DET
*	 Trj_Multidropper.RMN
*	 Trj_Mitglieder.TI
*	 Trj_Lineage.IFH
*	 Trj_Lineage.IFG
*	 Trj_Lineage.IFF
*	 Trj_Lineage.IFE
*	 Trj_Lineage.IFC
*	 Trj_Lineage.IFB
*	 Trj_Lineage.IEY
*	 Trj_Lineage.IEW
*	 Trj_Lineage.IEU
*	 Trj_Lineage.IEM
*	 Trj_Lineage.IDV
*	 Trj_Lineage.IDE
*	 Trj_Lineage.ICA
*	 Trj_Lineage.IAN
*	 Trj_Lineage.IAL
*	 Trj_Lineage.HTK
*	 Trj_Lineage.HNA
*	 Trj_Hosts.V
*	 Trj_Hosts.U
*	 Trj_Gamania.GS
*	 Trj_FireByPass.BP
*	 Trj_Exchanger.D
*	 Trj_Downloader.TME
*	 Trj_Downloader.TLU
*	 Trj_Downloader.TLL
*	 Trj_Downloader.TJR
*	 Trj_Downloader.TJF
*	 Trj_Downloader.TJE
*	 Trj_Downloader.TJA
*	 Trj_Downloader.TIL
*	 Trj_Downloader.TIK
*	 Trj_Downloader.THZ
*	 Trj_Downloader.THI
*	 Trj_Downloader.TEG
*	 Trj_Downloader.TDA
*	 Trj_Downloader.TCQ
*	 Trj_Downloader.TAU
*	 Trj_dmRandom.UB
*	 Trj_Dadobra.AOR
*	 Trj_Busky.DE
*	 Trj_BHO.AT
*	 Trj_Banker.KXI
*	 Trj_Banker.KWX
*	 Trj_Banker.KWV
*	 Trj_Banker.KWR
*	 Trj_Banker.KTU
*	 Trj_Banbra.FQI
*	 Trj_Banbra.FQB
*	 Trj_Banbra.FON
*	 Trj_Autorun.TS
*	 Trj_Autorun.JN
*	 Trj_Agent.IPR
*	 Trj_Agent.IPI
*	 Trj_Agent.IOH
*	 Trj_Agent.IOD
*	 Trj_Agent.IOB
*	 Spyware_Virtumonde
*	 Generic Malware
*	 Bck_Sdbot.LUN
*	 Bck_SDBot.LUF
*	 Bck_SDBot.LTW
*	 Bck_Sdbot.LTR
*	 Bck_PoisonIvy.U
*	 Bck_Oderoor.Q
*	 Bck_Oderoor.P
*	 Bck_LanMan.CN
*	 Bck_IRCBot.BYY
*	 Bck_IRCBot.BYO
*	 Bck_IRCBot.BYI
*	 Bck_IRCBot.BYH
*	 Bck_IRCBot.BXW
*	 Bck_IRCBot.BXU
*	 Bck_IrcBot.BXT
*	 Bck_IRCBot.BXL
*	 Bck_Hupigon.LAB
*	 Bck_Agent.IPD
*	 Bck_Agent.IOG
*	 Application_VirusHeat
*	 Application_SpyShredder
*	 Application_PCCleaner
*	 Adware_Zenosearch
*	 Adware_XXXHoliday
*	 Adware_WinSecureDisc
*	 Adware_WinReanimator
*	 Adware_WinIFixer
*	 Adware_WebHancer
*	 Adware_VirusIsolator
*	 Adware_VirusHeat
*	 Adware_VideoPorn
*	 Adware_VideoKeyCodec
*	 Adware_VapSup
*	 Adware_TopSpyware
*	 Adware_SpywareSoftStop
*	 Adware_SpyAway
*	 Adware_SecuritySystem
*	 Adware_SecurityError
*	 Adware_SearchVideo
*	 Adware_PCCleaner
*	 Adware_MalwareAlarm
*	 Adware_Lop
*	 Adware_ChristmasPorn
*	 Adware_BaiduBar
*	 Adware_AntiSpywareReview
*	 Adware_Alexa

 

New Self-Replicating Virus & Worms

Even though some security experts out there maintain that 'viruses are a thing of the past', the fact is that almost 20% of the new malware we see every month are self-replicating viruses and worms. This figure is not as high as it used to be years ago but it comes to prove that viruses are definitely not dead.

As with previous months, worms spreading through Instant Messaging such as the W32/MSN.worm and W32/MSNWorm lead the list by propagating via vulnerabilities and sending links to copies of itself to all IM contacts.

The prevalence, especially in corporate networks, of the particularly nasty W32/Virutas, is probably due to its effectiveness as a cavity, polymorphic, entry point obscuring and memory resident infector virus.

The remainder of the list is mostly made up by spam-spewing bots and game password stealers for World of Warcraft and Lineage.

As above, the following table details the new self-replicating viruses and worms found in-the-wild with an indication of their prevalence (* for low and ***** for massive distribution). 

Prevalence	Name
***	 W32_MSN.J.worm
***	 W32_Lineage.HXI.worm
**	 W32_Nuwar.SS.worm
**	 W32_MSNWorm.EJ.worm
**	 W32_Lineage.IFX.worm
**	 W32_Lineage.IEN
**	 W32_Lineage.ICM.worm
**	 W32_Lineage.IBW.worm
**	 W32_Lineage.HZE.worm
**	 W32_Bagle.SR.worm
*	 W32_Wow.SI.worm
*	 W32_Virutas.AB
*	 W32_VBS.H.worm
*	 W32_VanBot.AE.worm
*	 W32_UsbStorm.K.worm
*	 W32_Thanks.B.worm
*	 W32_SundMan.A.worm
*	 W32_Spamta.AGD.worm
*	 W32_Sohanat.EX.worm
*	 W32_Sohanat.AS.worm
*	 W32_Socks.C.worm
*	 W32_Socks.B.worm
*	 W32_SDBot.LUI.worm
*	 W32_Sdbot.LUB.worm
*	 W32_SdBot.LTV.worm
*	 W32_Sdbot.LTT.worm
*	 W32_Sality.AA
*	 W32_QQRob.OS
*	 W32_Oscarbot.TK.worm
*	 W32_Nuwar.TC.worm
*	 W32_Nuwar.SV.worm
*	 W32_Nuwar.SR.worm
*	 W32_MSNworm.EK.worm
*	 W32_MSNworm.EI.worm
*	 W32_Mabezat.C
*	 W32_Lineage.IFI.worm
*	 W32_Lineage.IEZ.worm
*	 W32_Lineage.IEN.worm
*	 W32_Lineage.IEG.worm
*	 W32_Lineage.IDS
*	 W32_Lineage.IDR.worm
*	 W32_Lineage.IDI.worm
*	 W32_Lineage.ICT.worm
*	 W32_Lineage.ICO.worm
*	 W32_Lineage.ICL.worm
*	 W32_Lineage.ICJ.worm
*	 W32_Lineage.ICB
*	 W32_Lineage.IBZ.worm
*	 W32_Lineage.IBX.worm
*	 W32_IRCBot.BYQ.worm
*	 W32_IRCBot.BYL.worm
*	 W32_IRCBot.BYC.worm
*	 W32_IRCBot.BYB.worm
*	 W32_IRCBot.BYA.worm
*	 W32_Gaobot.QGN.worm
*	 W32_DengDun.A.worm
*	 W32_Brontok.JL.worm
*	 W32_Bagle.SN.worm
*	 W32_Autorun.TU.worm
*	 W32_Autorun.TK.worm
*	 W32_Agent.INI.worm
*	 W32_Agent.ILD.worm
*	 VBS_Sasan.A.worm

 

By Runtime Packers & Obfuscators

I've blogged quite a bit in previous occasions about the use of packers and obfuscators, especially in money-driven Trojans, in order to avoid detection by AV signature and emulator-driven heuristics.

One of the latest key trends to watch out for is the rapidly increasing use of 'private' purpose-made packers and multi-layered packers. Also especially worrying is the ever-increasing use of "virtualization obfuscators" such as EXECryptor and Themida. Our colleague from Sophos Boris Lau gave a very good speech last week at the CARO Workshop about promising strategies for dealing with these. 

UPX		581
Upack		302
'Private'	150
FSG		101
PECompact	94
AS-Pack		88
EXECryptor	62
Themida		53
Multi-layer	38
Nspack		38
ASProtect	37
nPack		22
Adware_Lop	17
RLPack		16
PKLite32	14
tElock		14
UPolyX		13
Wsnpoem		11
Armadillo	8
MEW 11 SE	7
Thinstall	7
Expressor	6
Cexe		4
PolyCryptA	4
PUSH/RET	4
PE Crypt	3
Virtumonde	3
YodaProtect	3
DalKrypt	2
Molebox		2
PESpin		2
Petite		2
CryptFF.b	1
NiceProtect	1
DragonArmor	1
EPProt		1
Exe32pack	1
Kkrunchy	1
MaskPE		1
Morphine	1
NTKrnl		1
PCShrink	1
PEncrypt	1
PEP		1
RCryptor	1
RPCrypt		1
SDProtect	1
SimplePack	1
UltraProtect	1
WWPack32	1
yzpack		1
Category: ,

Comments

The most active threats stats seem to be wrong on your site

please fix this problem

   Posted by jon at 10 May 08 2:08 AM

Theres a duplicate entry  Adware_Netproject

   Posted by jon at 10 May 08 2:14 AM

Is anywhere more than a short summary available of the speech of Boris Lau? The summary sounds quite interesting.

   Posted by Moritz Kroll at 10 May 08 10:01 PM

Never mind, I found the download section to be filled with a bunch of very interesting papers and presentations, yay! Thank you very much for the link!

   Posted by Moritz Kroll at 10 May 08 10:42 PM

Dugg!

http://digg.com/security/Panda_Research_Blog_New_Malware_Prevalence_April_2008

   Posted by Ryan at 11 May 08 2:46 PM

As usual, so much malware

   Posted by MSBasic at 12 May 08 1:20 AM

Jon, the entries for Adware_Netproject belong to different variants of the same family, with different prevalence. Regarding the threats stats, which page are yuo referring to exactly?

   Posted by Pedro Bustamante at 12 May 08 10:19 AM

Here is the url that the active threats stas are wrong

http://www.pandasecurity.com/homeusers/security-info/default.aspx?lst=ac&sitepanda=particulares

fix stats and first appeared dates

   Posted by jon at 12 May 08 11:06 AM

You're right Jon. This incident is being fixed currently. Will be fixed as soon as possible.

   Posted by Pedro Bustamante at 12 May 08 12:15 PM

it been a long time all ready how long can it  take to reset the stats

I know it will take longer to fix the dates

thanks for checkin

   Posted by jon at 12 May 08 9:49 PM

Fixed already. Pls check again.

   Posted by Pedro Bustamante at 14 May 08 11:38 AM

thank for fixin it seems fixed I hope

   Posted by jon at 14 May 08 7:13 PM

The stats are currently wrong still and under the threat desciptions the stats dont match

http://www.pandasecurity.com/homeusers/security-info/default.aspx?lst=ac&sitepanda=particulares

sorry to bother you but the stats needs to be

fixed

I alway look at the stas every day

thank you

love jon

   Posted by jon at 25 May 08 9:55 PM

It shows OK for us here. Try clearing your browser cache and visit the site again.

   Posted by Pedro Bustamante at 27 May 08 5:21 PM

It stiil dont make sense   PerfectKeyLog.AJ is on top of list at 1.65% but under statistics  on this page it only at 0.08%

http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?lst=est&idvirus=143401&sitepanda=particulares

This cannot be normal

They should both match

I hope you can fix this problem

sorry to bother you

thanks

   Posted by jon at 31 May 08 10:10 PM

Post a comment

 
 

Share it: Print