Malware writers rely on users not updating

When infecting PCs, online criminals are increasingly benefiting from users who do not install updates for their browsers and browser components. Research carried out by G Data SecurityLabs indicates that unpatched security holes in browser plug-ins are very much in fashion with cybercriminals.

This distribution concept means that current security holes are far from being the only ones exploited by the perpetrators, as evidenced in the current malware analysis for the month of May 2011.

In the previous month alone, four of the Top 10 computer malware programs had been targeting Java security holes for which Oracle had been offering an update since March 2010. There’s also been an increase in malware that installs adware or tries to lure users to install bogus antivirus programs.

The malware industry has been focusing on Java security holes since the end of last year. This kind of computer malware is already dominating the malware landscape and has recently ousted PDF security holes from the Top 10.

“Even though an enormous number of program updates are being provided, users should not be fooled into deactivating automatic update functions. Not only does this apply to Java, but it should also apply in general to all browser plug-ins used and all applications installed on the PC,” recommends Ralf Benzmüller, head of G Data SecurityLabs.

Potentially Unwanted Programs (PUP)
Experts at G Data SecurityLabs have noted another increase, this time among malware that installs unwanted software, called PUPs, on PCs. In recent months two kinds of malware from this category have made it into the G Data malware Top 10 – Variant.Adware.Hotbar.1 and Trojan.FakeAlert.CJM.

The programs function in different ways to one another, ranging from unwanted advertising displays or installing spyware to marketing bogus antivirus programs (scareware).

For example, Trojan.FakeAlert.CJM tricks browser users into believing that the computer is infected. They can only disinfect their system by purchasing the “antivirus program” being advertised. Victims who fall for this scam purchase a completely useless and often dangerous software program which, instead of offering protection, only downloads and installs more malware, in order to steal personal data.

Below is a list of top 10 computer malware programs according to G Data.

Java.Trojan.Downloader.OpenConnection.AO
This Trojan downloader is contained within manipulated Java applets found on websites. When the applet is loaded, a URL is generated from the applet parameters, which the downloader uses to fetch a malicious executable file onto the user’s computer and run it. These files can be any type of malware. The downloader exploits the CVE-2010-0840 security hole to break out of the Java sandbox and write data to the system.

Trojan.Wimad.Gen.1
This Trojan pretends to be a normal .wma audio file, albeit one that can only be played after installing a special codec/decoder on Windows systems. If the user runs the file, the attacker can install malware of any kind on the user’s system. The infected audio file is mainly distributed via P2P networks.

Gen:Variant.Adware.Hotbar.1
This adware is generally installed covertly as part of bundled installers for free programs such as VLC or XviD that have been downloaded from sources other than the original provider. The supposed sponsors of the current software version are ‘Clickpotato’ and ‘Hotbar’. All packages are digitally signed by “Pinball Corporation”, and the adware is launched automatically every time Windows starts, integrating itself as a systray icon.

Worm.Autorun.VHG
This malware program is a worm that uses the autorun.inf function in Windows operating systems to distribute itself. It uses removable storage devices such as USB sticks or portable hard drives. It is an Internet and network worm and exploits the CVE-2008-4250 vulnerability.

Java.Trojan.Downloader.OpenConnection.AI
This Trojan downloader is contained in manipulated Java applets found on websites. When the applet is loaded, a URL is generated from the applet parameters. The downloader uses this to fetch a malicious executable file onto the user’s computer and run it. These files can be any type of malware. The downloader uses the CVE-2010-0840 vulnerability to circumvent the Java sandbox, which enables it to write data locally.

Trojan.AutorunINF.Gen
This generic detection recognises both known and unknown malicious autorun.inf files. Autorun.inf files are autostart files that are abused as a malware distribution mechanism on USB devices, removable storage devices, CDs and DVDs.
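To illustrate what a generic autorun.inf check of the kind described above looks like, here is an added example (it is not G Data's detection logic; the heuristic, the key list and the two sample files are assumptions constructed for this page). It parses the [autorun] section and flags any directive that would start a program when the medium is inserted.

```python
import configparser

# Directives that launch a program when the medium is inserted (assumed list).
LAUNCH_KEYS = ("open", "shellexecute")
EXEC_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")

# Constructed samples: a harmless label/icon file and a worm-style launcher.
BENIGN_INF = """[autorun]
icon=driveicon.ico
label=Holiday photos
"""
WORM_INF = r"""[AutoRun]
open=RECYCLER\setup.exe /s
shellexecute=RECYCLER\setup.exe
shell\open\command=RECYCLER\setup.exe
shell=open
icon=%SystemRoot%\system32\SHELL32.dll,4
"""


def launch_target(value: str) -> str:
    """First token of a command line, honouring a double-quoted path."""
    value = value.strip()
    if value.startswith('"') and value.count('"') >= 2:
        return value[1:value.index('"', 1)].lower()
    return value.split()[0].lower() if value else ""


def autorun_findings(text: str) -> list:
    """Return human-readable reasons why this autorun.inf looks malicious."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:
        return ["unparseable autorun.inf (malformed or obfuscated)"]
    findings = []
    for name in parser.sections():
        if name.lower() != "autorun":  # section header is case-insensitive on Windows
            continue
        section = parser[name]
        for key, value in section.items():
            # configparser lowercases keys; shell\<verb>\command names vary.
            launcher = key in LAUNCH_KEYS or (key.startswith("shell") and key.endswith("command"))
            if not launcher:
                continue
            target = launch_target(value)
            if target.endswith(EXEC_SUFFIXES):
                findings.append(f"{key}= starts executable {target}")
            else:
                findings.append(f"{key}= runs {target or '(empty)'}")
        if findings and "shell" in section and "icon" in section:
            findings.append("default verb plus custom icon: likely posing as a folder or drive")
    return findings


def is_suspicious(text: str) -> bool:
    return bool(autorun_findings(text))
```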

Java.Trojan.Downloader.OpenConnection.AN
This Trojan downloader is contained in manipulated Java applets found on websites. When the applet is loaded, a URL is generated from the applet parameters. The downloader uses this to fetch a malicious executable file onto the user’s computer and run it. These files can be any type of malware. The downloader exploits the CVE-2010-0840 security hole to break out of the Java sandbox and write data to the system.

Java:Agent-DU [Expl]
This Java-based malware program is a download applet that tries to use a security hole (CVE-2010-0840) to circumvent the sandbox protection mechanism and download additional malware onto the computer. Once the applet has fooled the sandbox, it can directly download and run .exe files. This is something that a simple applet cannot do, as the Java sandbox prevents it from doing so.

Trojan.FakeAlert.CJM
This malware program tries to tempt computer users into downloading fake antivirus software, the FakeAV program itself. To do so, the website imitates the user’s Windows Explorer and reports numerous alleged infections. As soon as the user clicks anything on the website, a downloadable file is offered that contains the actual FakeAV program, e.g. a variant of System Tool.

HTML:Downloader-AU [Expl]
This Java-based malware is an applet that downloads an HTML page. This primed HTML site tries to use a security hole (described in CVE-2010-4452) to download a Java class from a URL to the vulnerable Java VM. The attacker uses this to try and bypass the VM protection mechanisms, thereby creating a way to carry out almost any kind of activity on the computer.