Kaspersky Lab, a leading developer of Internet threat management solutions that protect against all forms of malicious software including viruses, spyware, hacker attacks and spam, reports that the script Trojan-Downloader program, Gumblar, has made a resurgence to dominate the Internet threat landscape throughout February 2010.
During last month, Kaspersky Lab recorded a dramatic surge in the variant, Gumblar.x, with 453,985 infections recorded, following a disappearance from the threat landscape altogether in January. Gumblar hit the headlines at the end of May 2009 when it went straight to the top of Kaspersky Lab’s Top Twenty ranking of threats on the Internet. In October, the company reported that new variants of the program (Gumblar.x and Gumblar.w) had been detected, using more sophisticated technologies than their predecessors, with the number of attempted downloads recorded at 740,836.
For the second consecutive month Trojan variants continue to dominate the online threat landscape. Kaspersky Lab expected a further resurgence of Gumblar and this new attack didn’t take long to materialise. However, this time the black hats haven’t changed their approach in any significant way and have simply been gathering new data that can be used to access websites prior to infecting them en masse.
The early incarnations of Gumblar demonstrated how Cybercriminals are able to take old attack methods and rework them. Initially, the program would contact dedicated malicious servers to fetch more malware. This evolved and later versions of Gumblar that are downloaded as password stealers, used to compromise legitimate websites.
The number of websites infected by Gumblar.x
Another Trojan-Downloader program worthy of note for its high level activity during February is Pegel, which grew almost six-fold throughout the month and has now reached epidemic proportions since being first detected in January. This program has similarities to Gumblar, in that it also infects perfectly legitimate websites. A user that visits an infected web site is redirected by the malicious script to a Cybercriminal resource and to ensure users don’t suspect anything, the names of popular websites are used in the addresses of malicious pages.
From the reports of the first two months of 2010 it is clear that Kaspersky Lab’s forecast of more sophisticated malware are being held to be true.
Top twenty ranking for February 2010 - Malicious programs, adware and potentially unwanted programs that were detected and neutralised when accessed for the first time, i.e. by the on-access scanner.
| Position | Change in position | Name | Number of infected computers |
| 1 |  0 |
Net-Worm.Win32.Kido.ir | 274729 |
| 2 |  1 |
Virus.Win32.Sality.aa | 179218 |
| 3 | 1 |
Net-Worm.Win32.Kido.ih | 163467 |
| 4 |  -2 |
Net-Worm.Win32.Kido.iq | 121130 |
| 5 | 0 |
Worm.Win32.FlyStudio.cu | 85345 |
| 6 | 3 |
Trojan-Downloader.Win32.VB.eql | 56998 |
| 7 |  New |
Exploit.JS.Aurora.a | 49090 |
| 8 | 9 |
Worm.Win32.AutoIt.tc | 48418 |
| 9 | 1 |
Virus.Win32.Virut.ce | 47842 |
| 10 | 4 |
Packed.Win32.Krap.l | 47375 |
| 11 | -3 |
Trojan-Downloader.WMA.GetCodec.s | 43295 |
| 12 | 0 |
Virus.Win32.Induc.a | 40257 |
| 13 | New |
not-a-virus:AdWare.Win32.RK.aw | 39608 |
| 14 | -3 |
not-a-virus:AdWare.Win32.Boran.z | 39404 |
| 15 | 1 |
Worm.Win32.Mabezat.b | 38905 |
| 16 | New |
Trojan.JS.Agent.bau | 34842 |
| 17 | 3 |
Packed.Win32.Black.a | 32439 |
| 18 | 1 |
Trojan-Dropper.Win32.Flystud.yo | 32268 |
| 19 |  Return |
Worm.Win32.AutoRun.dui | 32077 |
| 20 | New |
not-a-virus:AdWare.Win32.FunWeb.q | 30942 |
Top twenty ranking for February 2010 - Malicious programs on the Internet, reflecting the online threat landscape. This ranking includes malicious programs detected on web pages and malware downloaded to victim machines from web pages.
| Position | Change in position | Name | Number of attempted downloads |
| 1 | Return |
Trojan-Downloader.JS.Gumblar.x | 453985 |
| 2 | -1 |
Trojan.JS.Redirector.l | 346637 |
| 3 | New |
Trojan-Downloader.JS.Pegel.b | 198348 |
| 4 | 3 |
not-a-virus:AdWare.Win32.Boran.z | 80185 |
| 5 | -2 |
Trojan-Downloader.JS.Zapchast.m | 80121 |
| 6 | New |
Trojan-Clicker.JS.Iframe.ea | 77067 |
| 7 | New |
Trojan.JS.Popupper.ap | 77015 |
| 8 | 3 |
Trojan.JS.Popupper.t | 64506 |
| 9 | New |
Exploit.JS.Aurora.a | 54102 |
| 10 | New |
Trojan.JS.Agent.aui | 53415 |
| 11 | New |
Trojan-Downloader.JS.Pegel.l | 51019 |
| 12 | New |
Trojan-Downloader.Java.Agent.an | 47765 |
| 13 | New |
Trojan-Clicker.JS.Agent.ma | 45525 |
| 14 | New |
Trojan-Downloader.Java.Agent.ab | 42830 |
| 15 | New |
Trojan-Downloader.JS.Pegel.f | 41526 |
| 16 | Return |
Packed.Win32.Krap.ai | 38567 |
| 17 | New |
Trojan-Downloader.Win32.Lipler.axkd | 38466 |
| 18 | New |
Exploit.JS.Agent.awd | 35024 |
| 19 | New |
Trojan-Downloader.JS.Pegel.k | 34665 |
| 20 | New |
Packed.Win32.Krap.an | 33538 |
'IT 보안소식' 카테고리의 다른 글
| 안철수연구소(Ahnlab), IE 취약점 노린 제로데이 악성코드 주의보 (0) | 2010.03.11 |
|---|---|
| 소포스(SophosLab), Internet Explorer 0-day targeted in spam runs (2) | 2010.03.11 |
| 외환은행(Korea Exchange Bank), 인터넷뱅킹 보안에 좋은 화면키패드 설정 (2) | 2010.03.09 |
| Energizer DUO USB배터리 충전기프로그램을 통해 전파되는 악성코드주의 (0) | 2010.03.09 |
| 네이트온 악성코드 사진변경(2010-03-03) 파일 분석 (2) | 2010.03.09 |
댓글