Trojans Continue to Dominate BitDefender’s Top Ten E-Threats in April

BitDefender today released the ten most prevelant threats facing Internet users in the month of April. The top is still dominated by Trojans, as it was in March. These threats rely solely on tricking users to spread the e-threat, and they occupy seven of the ten positions this month.

Only a couple of worms, exploits and viruses break up the "trojan parade."

Highlighting the importance of the Web as the infection vector du jour, in tenth position we find a "silent" trojan that gets injected into vulnerable, legitimate websites. It is only used to make visitors' browsers load exploit code, such as those detected by BitDefender as Exploit.SWF.Gen and Trojan.Exploit.ANPW in sixth and fifth place respectively (this combination actually exists and is found mainly on Chinese malicious websites.)

Trojan.Peed.Gen (aka the venerable Storm Worm) racks up 1.81-percent of detections for April, but is now a dropped component for a different threat. This could be a sign that while it is still useful, this worm has outlived its effectiveness as an infector and is now only being used for the control functionality it provides to an attacker.

A newcomer occupies the eigth spot - Trojan.KillAV.PT. This threat is a "utility" malware, which kills any antivirus or security process it can find (from a long list) on the target machine, preventing them from running. The threat then decrypts and executes a downloader, which in turn downloads and installs a game password stealer.

Ranking seventh, Win32.Sality is the only true virus in the April top ten. Win32.Sality is a polymorphic file infector which modifies executable files (.exe and .scr) appending its encripted body at the end of files in a newly created section. Its other means of spreading is a new – yet old – method, linking to an infected executable from the Autorun.INF file found on removable media or network shares, a trick that has served the much newer Downadup aka Conficker.

The Conficker worm occupies fourth place, under the Win32.Worm.Downadup.Gen. Its capabilities are well known by now, but the fact that it is still spreading vigourously enough to take up 3.05% of detections by itself is something of a surprise after all this time.

"We can only hope the high detection rate is due to the people who were previously infected finally running an antivirus,” explained Sorin Dudea, Head of BitDefender Antimalware Research.“However, we expect the reality is more along the lines of the worm being replicated by a sizeable network of infected machines."

Two rather old adware trojans, Wimad and Clicker occupy the third and second spots.

Trojan.AutorunINF.Gen occupies first place. It is not a single e-threat, but rather a generic name for trojans which use the Autorun.INF spreading mechanism outlined above, but for which a specific signature has not been added.

"We're pretty pleased with having this kind of generic, no-human-in-the-loop detection work, and work well," said Mr. Dudea. “The future of reliable antivirus detection depends on adapting to new e-threats in real time and such techniques pave the way there."

BitDefender’s April 2009 Top 10 E-Threat list includes:
Pos. Name %
1. Trojan.AutorunINF.Gen 9.0
2. Trojan.Clicker.CM 8.47
3. Trojan.Wimad.Gen.1 5.68
4. Win32.Worm.Downadup.Gen 3.05
5. Trojan.Exploit.ANPW 2.84
6. Exploit.SWF.Gen 2.4
7. Win32.Sality.OG 2.1
8. Trojan.KillAV.PT 1.91
9. Dropped:Trojan.Peed.Gen 1.81
10. Trojan.Exploit.SSX 1.74
  Other malware 60.99