Malware in February: Cybercriminals Perfect Drive-By Tactics

By Kaspersky Lab

Kaspersky Lab's latest monthly report on malware activity highlights the current popularity of using drive-by attacks to infect users' computers. These attacks are particularly dangerous because they take place without the user's knowledge and can be initiated from legitimate Web sites that have been hacked by cybercriminals. Visitors to infected sites are redirected to web pages containing script downloaders. The various types of exploits launched by these script downloaders are quite often used to download malware to users' computers.


In February, the majority of drive-by attacks made use of Cascading Style Sheets (CSS) to store some of the data for script downloaders. This new, enhanced method makes it much harder for many antivirus solutions to detect malicious scripts and allows cybercriminals to download exploits without them being detected.
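As an added defender-side example, not code from Kaspersky Lab's report, the scanner below flags an HTML page that pairs a long, high-entropy token inside an inline `<style>` block with an inline `<script>` that reads the style sheet back through DOM APIs. The sample pages, the length and entropy thresholds, and the list of CSS-reading APIs are assumptions made for the example.

```python
import math
import re
from html.parser import HTMLParser

# Assumed: DOM APIs a script needs to pull data back out of a style sheet.
CSS_READ_APIS = ("styleSheets", "cssRules", "getComputedStyle", "getPropertyValue")
MIN_TOKEN_LEN = 64   # assumed: ordinary CSS values rarely reach this length
MIN_ENTROPY = 3.5    # assumed bits/char: words ~3.0, hex ~4.0, base64 ~5.5

# Constructed sample pages (not real captured content).
BENIGN_PAGE = """<html><head><style>
body { font-family: Arial, sans-serif; color: #333; }
.hero { background: url(/img/hero.png) no-repeat; }
</style></head><body><script>
document.getElementById('greeting').innerText = 'hello';
</script></body></html>"""

SUSPICIOUS_PAGE = """<html><head><style>
#k { font-family: "%s"; }
</style></head><body><script>
var r = document.styleSheets[0].cssRules[0].style.fontFamily;
stage2(r);  // constructed stand-in for the decode-and-fetch step
</script></body></html>""" % ("a1b2c3d4e5f60789" * 6)   # 96-char hex blob

class _InlineCollector(HTMLParser):
    """Collects the raw text of every inline <style> and <script> element."""
    def __init__(self):
        super().__init__()
        self.styles, self.scripts, self._current = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag in ("style", "script"):
            self._current = tag
    def handle_endtag(self, tag):
        if tag == self._current:
            self._current = None
    def handle_data(self, data):
        if self._current == "style":
            self.styles.append(data)
        elif self._current == "script":
            self.scripts.append(data)

def shannon_entropy(s):
    """Bits per character of the string s (empty string gives 0.0)."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_page(html):
    """Return the CSS blobs and CSS-reading APIs found, plus a combined verdict."""
    p = _InlineCollector()
    p.feed(html)
    # Long, high-entropy runs of value characters are the candidate hidden data.
    tokens = re.findall(r"[A-Za-z0-9+/=_-]+", "\n".join(p.styles))
    blobs = [t for t in tokens if len(t) >= MIN_TOKEN_LEN and shannon_entropy(t) >= MIN_ENTROPY]
    js_text = "\n".join(p.scripts)
    apis = [a for a in CSS_READ_APIS if a in js_text]
    return {"css_blobs": blobs, "css_read_apis": apis,
            "suspicious": bool(blobs) and bool(apis)}
```

Both signals are required: a page may legitimately carry a long data URI in CSS, or legitimately read `getComputedStyle`, but the combination is what this month's drive-by pages had in common.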


Three entries in the Top 20 most malicious programs detected on the Internet in February corresponded to pages containing CSS data and a malicious script downloader. One of them claimed 1st place, while the others came in at 13th and 19th places. The script downloaders on these malicious web pages download two types of exploits. One of them, which targets the CVE-2010-1885 vulnerability in Microsoft Windows Help and Support Centre, took 4th place in the same Top 20 ranking. On average it was detected on approximately 10 thousand unique computers every day. The second type of exploit uses the CVE-2010-0840 vulnerability in the Java Virtual Machine and accounted for three entries (3rd, 7th and 9th places) in the ranking of Internet-borne threats.


February showed that there are still potentially dangerous PDF vulnerabilities out there. The number of unique computers on which PDF exploits were detected exceeded 58 thousand in February. One such PDF exploit entered the Top 20 malicious programs on the Internet in 8th place.


A malicious packer that is used to help protect the Palevo P2P worm was detected on more than 67 thousand unique computers throughout the month. This worm was responsible for the creation of the Mariposa botnet that was shut down by Spanish police a while ago. It seems likely that the recent spread of this packed worm is linked to an attempt by cybercriminals to create a new botnet or restore the old one.


February saw the discovery of a number of new malicious programs for the Android platform. Malware for the J2ME platform was also popular among cybercriminals, with Trojan-SMS.J2ME.Agent.cd, for example, entering the Top 20 most widespread malicious programs on the Internet at 18th place. Its main function is to send SMS messages to premium-rate numbers.


More detailed information about the IT threats detected by Kaspersky Lab on the Internet and on users' computers in February 2011 is available at: http://www.securelist.com/en/analysis/204792166/Monthly_Malware_Statistics_February_2011


About Kaspersky Lab
Kaspersky Lab is the largest antivirus company in Europe. It delivers some of the world's most immediate protection against IT security threats, including viruses, spyware, crimeware, hackers, phishing, and spam. The company is ranked among the world's top four vendors of security solutions for endpoint users. Kaspersky Lab products provide superior detection rates and one of the industry's fastest outbreak response times for home users, SMBs, large enterprises and the mobile computing environment. Kaspersky® technology is also used worldwide inside the products and services of the industry's leading IT security solution providers. Learn more at www.kaspersky.com. For the latest on antivirus, anti-spyware, anti-spam and other IT security issues and trends, visit www.securelist.com.