Java was top of the pops in March – for malware writers. This is one of the findings in Kaspersky Lab’s monthly report about malicious activity on users’ computers and on the Internet.
The following statistics were compiled in March using data from computers running Kaspersky Lab products:
* 241-million network attacks were blocked;
* 85,8-million attempted web-borne infections were prevented;
* 219-million malicious programs were detected and neutralised on users’ computers; and
* 96,7-million heuristic verdicts were registered.
Cybercriminals showed a soft spot for Java exploits – of the five exploits to appear in the Top 20 malicious programs on the Internet in March, three of them were for vulnerabilities in Java.
Malware writers are also surprisingly quick to react to announcements of new vulnerabilities. A good example of this is a vulnerability in Adobe Flash Player that allowed cybercriminals to gain control of a user’s computer. The vulnerability was announced by Adobe on 14 March and by the next day Kaspersky Lab had already detected an exploit for it.
Social engineering also remains a popular tool for the cybercriminals, who have no qualms about exploiting tragic events for their own benefit. The Japanese earthquake and tsunami, plus the death of Elizabeth Taylor, did nothing to buck this trend. Scammers and malware writers spread malicious links to their own versions of the “latest news”, created malicious websites with content connected in some way to the disaster in Japan and sent out ‘Nigerian’ letters making emotional requests for money to be transferred to the message sender in order to help those who have suffered.
The malevolent users behind HTML pages that are used in scams or to spread malware are constantly coming up with new ways to hide their creations from antivirus programs. In February cybercriminals were using Cascading Style Sheets (CSS) to protect scripts from being detected. Now, instead of CSS, they are using <textarea> tags on their malicious HTML pages. Cybercriminals use the tag as a container to store data that will later be used by the main script. For example, Trojan-Downloader.JS.Agent.fun at 9th position in the Top 20 rating of malicious programs on the Internet uses the data in the <textarea> tag to run other exploits.
In addition, according to Kaspersky Security Network (KSN) statistics, malware writers are actively modifying the exploits they use in drive-by attacks in order to avoid detection.
At the beginning of March, Kaspersky Lab’s experts detected infected versions of legitimate apps on Android Market. They contained root exploits that allow a malicious program to obtain root access on Android smartphones, giving full administrator-level access to the device’s operating system. As well as a root exploit, the malicious APK archive contained two other malicious components. One of them sent an XML file containing IMEI, IMSI and other device information to a remote server and awaited further instructions. The other component had Trojan-downloader functionality.