Cybercriminals expand repertoire of tricks to avoid detection

Ron

Kaspersky Lab announces the publication of its Monthly Malware Statistics and highlights the new lengths cybercriminals are going to

Abingdon, UK, 4 May 2011 – March was testament to the fact that cybercriminals are not averse to exploiting tragedies in order to spread malware, according to the recent monthly malware report from Kaspersky Lab.

In March, scammers and malware writers used the devastating events in Japan to spread malicious links to their own versions of the “latest news”. Cybercriminals created malicious websites with content connected in some way to the disaster and sent out letters making emotional requests for money to be transferred to the message sender in order to help those who have suffered.

Intrusion techniques
March also saw cybercriminals use Java exploits as a weapon of choice. Of the five exploits to appear in the Top 20 malicious programs on the Internet in March, three of them were for vulnerabilities in Java.

Malware writers were also surprisingly quick to react to announcements of new vulnerabilities. A good example of this is a vulnerability in Adobe Flash Player that allowed cybercriminals to gain control of a user’s computer. The vulnerability was announced by Adobe on 14 March and by the next day, Kaspersky Lab had already detected an exploit for it.

Protection against antivirus programs
Another notable trend was that the malevolent users behind HTML pages that are used in scams or to spread malware are constantly coming up with new ways to hide their creations from antivirus programs. In February cybercriminals were using Cascading Style Sheets (CSS) to protect scripts from being detected. Now, instead of CSS, they are using < textarea > tags on their malicious HTML pages. Cybercriminals use the tag as a container to store data that will later be used by the main script. For example, Trojan-Downloader.JS.Agent.fun at 9th position in the Top 20 rating of malicious programs on the Internet uses the data in the < textarea > tag to run other exploits.

In addition, according to Kaspersky Security Network (KSN) statistics, malware writers are actively modifying the exploits they use in drive-by attacks in order to avoid detection.

Mobile threats
At the beginning of March, Kaspersky Lab’s experts detected infected versions of legitimate apps on Android Market. They contained root exploits that allow a malicious program to obtain root access on Android smartphones, giving full administrator-level access to the device’s operating system. As well as a root exploit, the malicious APK archive contained two other malicious components. One of them sent an XML file containing IMEI, IMSI and other device information to a remote server and awaited further instructions. The other component had Trojan-downloader functionality.

For a complete version of Kaspersky Lab’s March malware report, please visit http://www.securelist.com/en/analysis/204792170/Monthly_Malware_Statistics_March_2011