Oktoberfest 2011: beer, sausages and malware

If adware has been the key malicious factor in Germany for the past months, October brought a significant change in the regional malware landscape. It seems that Germany experiences a revolution in terms of e-threats targeting the local users. The resilient adware occupants of the top spots are now replaced by Java-based malware, in exploits and malware downloading Trojans.

Malware distribution for October 2011:

Java.Exploit.CVE-2010-0840.B saw a noteworthy spike from the tenth place straight to the top spot of the e-threat top in Germany. Furthermore, Java.Exploit.CVE-2010-0840.B is accompanied by three other members of its class – Trojan.Mailbot.DG (ranking fourth, with 3.16%), Trojan.Java.MailSend.A (fifth, with 2.97%) and Trojan.Exploit.ANSH (seventh, with 2.54%) together cumulating almost 14 percent of the total malware registered in Germany.

They share a couple of features as generic detections for pieces of malicious code that exploit a vulnerability in the Java virtual machine. The liability lies in the Java verification routine of some applets executing pieces of code that require certain privileges.The vulnerability allows an application to execute operations otherwise performed only by a logged-in user. These e-threats download a BHO and use it to download further malware on the compromised computer. Note that only the Windows OS users are in danger.

New entry in the top is the second ranking Trojan.Iframe.SC, a detection for iframe-injected html files with the purpose of redirecting the user”s search towards sites with randomly chosen pornographic content.

The infamous and industrious Win32.Worm.Downadup.Gen is again in third place. This is the most common e-threat to be found in people”s systems. Mainly it hinders users from updating operating systems or anti-virus solutions by restricting access to all related web pages. Sometimes, it may even download rogue AVs on compromised computers.

Germany”s top ranking e-threat for the past months, the Adware class, dropped five places in October. However, it is still well represented by no less than three e-threats: Gen:Variant.Adware.Hotbar.1, Dropped:Adware.Yabector.B and Adware.Yabector.B, ranking sixth, ninth and tenth, respectively.

Adware.Hotbar opens a browser toolbar and forces commercial pop-up messages on PC screens. It is actively used in the wild to monitor users” online activities by creating profiles based on search habits which crooks would afterwards use to redirect searches toward advertising websites or virtual stores. Adware.Yabector mainly hijack the user”s browser to redirect web searches to advertising pages and online shops.

Eighth is packed executable file – Gen:Trojan.Heur.RP.zyX@aqIOShci – a keygen component for some other widespread malicious application used to generate unauthorized registration keys in order to defeat the commercial protection of shareware software products.

This article is based on the technical information provided courtesy of Doina Cosovan, Bitdefender VirusAnalyst and Alexandru Dan Berbece, Bitdefender Database Administrator.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.