Tales of the unexpected…and the expected

Kaspersky Lab has announced the publication of its Monthly Malware Statistics for June 2010. There was a surprise return to the Top 20 list of malware detected on the Internet for Trojan-Downloader.JS.Pegel.b.

This script downloader, designed to infect legitimate websites, returned to the list in third place after a period of relative obscurity. When a user visits an infected page, Pegel redirects them to a site controlled by a cybercriminal, which in turn surreptitiously downloads various malicious programs to the victim’s computer.

Pegel.b makes use of a variety of PDF exploits and the Java CVE-2010-0886 exploit. Unlike Pegel.b, the presence of the Exploit.JS.Pdfka family in our rating came as no surprise. The release of every new update from Adobe is now accompanied by several variants of this exploit which inevitably make it into the Top 20 malicious programs. In June 2010 alone, three variants of Exploit.JS.Pdfka entered the list of Internet-borne malware at sixth, eighth and fourteenth places.

A total of six exploits made it into this Top 20 list in June 2010. Unfortunately, users are still relatively blas√© about security updates that are issued on a regular basis by software vendors, leaving their computers vulnerable to malicious attacks, exploit Agent.bab in second place being a case in point. It uses the CVE-2010-0806 Windows vulnerability, detected back in March of this year, to download different malicious programs to users’ computers. In June 2010 the number of individual attempts to download this piece of malware from websites exceeded 340,000.

The very same Agent.bab also made it into the first Top 20 that lists the malware detected and neutralised on users’ computers appearing in fifth place this time. That was the only change to the top half of the June 2010 rating, which is still dominated by variants of the Kido worm in first, third and fourth places and the Sality virus in second place.

For the majority of cybercriminals, confidential data offers rich pickings and a new variant of the popular P2P-Worm.Palevo in eleventh place actively seeks out any confidential data entered into a user’s browser window. Peer-to-Peer file sharing, using programs such as BearShare, iMesh, Shareaza and eMule, is one of the main methods by which this worm propagates. It makes multiple copies of itself in folders used to store files that are commonly downloaded and uploaded, giving catchy names to those copies in the hope that they will attract the attention of potential victims. Other means by which P2P-Worm.Win32.Palevo.fuc propagates include multiple copying to network folders and other network resources, sending links via instant messengers and by teaming up with Trojan.Win32.Autorun to infect any kind of removable device that it may come into contact with.

Software that gathers user data also made it into the list of malware detected on the Internet. The raison d’√™tre of AdWare.Win32.FunWeb.ds in twelfth place is to gather data about users’ search requests and more often than not, this data is then used by a system for displaying the banners that frequently pop up during online surfing sessions.

The full version of the malware statistics for June 2010 can be found at: www.securelist.com/en