Malware in March: Cybercriminals Extend Repertoire of Tricks to Avoid Detection

05 Apr 2011
Virus News

The experts at Kaspersky Lab present their monthly report about malicious activity on users’ computers and on the Internet.

March in figures. The following statistics were compiled in March using data from computers running Kaspersky Lab products:

  • 241 mln network attacks blocked;
  • 85,8 mln attempted web-borne infections prevented;
  • 219,8 mln malicious programs detected and neutralized on users’ computers;
  • 96,7 mln heuristic verdicts registered.

Intrusion techniques. Cybercriminals obviously have a soft spot for Java exploits – of the five exploits to appear in the Top 20 malicious programs on the Internet in March, three of them were for vulnerabilities in Java.

Malware writers are also surprisingly quick to react to announcements of new vulnerabilities. A good example of this is a vulnerability in Adobe Flash Player that allowed cybercriminals to gain control of a user’s computer. The vulnerability was announced by Adobe on 14 March and by the next day Kaspersky Lab had already detected an exploit for it.

Social engineering also remains a popular tool for the cybercriminals, who have no qualms about exploiting tragic events for their own benefit. The Japanese earthquake and tsunami, plus the death of Elizabeth Taylor, did nothing to buck this trend. Scammers and malware writers spread malicious links to their own versions of the “latest news”, created malicious websites with content connected in some way to the disaster in Japan and sent out ‘Nigerian’ letters making emotional requests for money to be transferred to the message sender in order to help those who have suffered.

Protection against antivirus programs. The malevolent users behind HTML pages that are used in scams or to spread malware are constantly coming up with new ways to hide their creations from antivirus programs. In February cybercriminals were using Cascading Style Sheets (CSS) to protect scripts from being detected. Now, instead of CSS, they are using <textarea> tags on their malicious HTML pages. Cybercriminals use the tag as a container to store data that will later be used by the main script. For example, Trojan-Downloader.JS.Agent.fun at 9th position in the Top 20 rating of malicious programs on the Internet uses the data in the <textarea> tag to run other exploits.

In addition, according to Kaspersky Security Network (KSN) statistics, malware writers are actively modifying the exploits they use in drive-by attacks in order to avoid detection.

Mobile threats. At the beginning of March, Kaspersky Lab’s experts detected infected versions of legitimate apps on Android Market. They contained root exploits that allow a malicious program to obtain root access on Android smartphones, giving full administrator-level access to the device’s operating system. As well as a root exploit, the malicious APK archive contained two other malicious components. One of them sent an XML file containing IMEI, IMSI and other device information to a remote server and awaited further instructions. The other component had Trojan-downloader functionality.

More detailed information about the IT threats detected by Kaspersky Lab on the Internet and on users' computers in March 2011 is available at: www.securelist.com/en.