Malware in February: Cybercriminals Perfect Drive-By Tactics

03 Mar 2011
Virus News

Kaspersky Lab’s latest monthly report on malware activity highlights the current popularity of drive-by attacks as a way of infecting users’ computers. These attacks are particularly dangerous because they take place without the user’s knowledge and can be launched from legitimate websites that have been hacked by cybercriminals. Visitors to compromised sites are redirected to web pages containing script downloaders, which in turn launch various types of exploits to download malware onto users’ computers.

In February, the majority of drive-by attacks made use of Cascading Style Sheets (CSS) to store some of the data for script downloaders. This new, enhanced method makes it much harder for many antivirus solutions to detect the malicious scripts and allows cybercriminals to deliver exploits without being detected.

Three entries in the Top 20 most malicious programs detected on the Internet in February corresponded to pages containing CSS data and a malicious script downloader. One of them claimed 1st place, while the others came in at 13th and 19th places. The script downloaders on these malicious web pages download two types of exploits. One of them, which targets the CVE-2010-1885 vulnerability in Microsoft Windows Help and Support Center, took 4th place in the same Top 20 ranking; on average it was detected on approximately 10 thousand unique computers every day. The second type of exploit uses vulnerability CVE-2010-0840 in the Java Virtual Machine and accounted for three entries (3rd, 7th and 9th places) in the rating of Internet-borne threats.

February showed that there are still potentially dangerous PDF vulnerabilities out there. The number of unique computers on which PDF exploits were detected exceeded 58 thousand in February. One such PDF exploit entered the Top 20 malicious programs on the Internet in 8th place.

A malicious packer used to protect the Palevo P2P worm was detected on more than 67 thousand unique computers throughout the month. This worm was responsible for the creation of the Mariposa botnet, which was shut down by Spanish police a while ago. It seems likely that the recent spread of this packed worm is linked to an attempt by cybercriminals to create a new botnet or restore the old one.

February saw the discovery of a number of new malicious programs for the Android platform. Malware for the J2ME platform was also popular among cybercriminals, with Trojan-SMS.J2ME.Agent.cd, for example, entering the Top 20 most widespread malicious programs on the Internet at 18th place. Its main function is to send SMSs to premium-rate numbers.

More detailed information about the IT threats detected by Kaspersky Lab on the Internet and on users' computers in February 2011 is available at: http://www.securelist.com