Symantec Global Internet Security Threat Report

Table 12. Top staged downloader components
Source: Symantec.

Rank  Sample     Type         Impact
1     Brisv      Trojan       Infects media files and downloads files from remote addresses
2     Sality.AE  Virus, worm  Downloads files from remote addresses
3     Wimad      Trojan       Uses Microsoft Windows Media Digital Rights Manager to trick user into downloading files

[Seven further rows of this table survived extraction only as their Type and Impact columns; the rank and sample-name columns were lost. Types, in order: Trojan; Worm; Worm, back door; Worm; Worm, back door; Trojan; Worm. Impact of the first: Redirects browser to malicious Web page; impact of the remaining six: Downloads files from remote addresses.]
The second most prevalent staged downloader component observed by Symantec in 2009 was the Sality.AE virus. Once installed on a computer, Sality.AE attempts to contact a set of IP addresses to download and install its secondary components. One of the files it attempts to install is an adware program that periodically displays pop-up advertisements. If clicked, these ads generate income for the malicious code author (and possibly for the adware developer, if they happen to be separate people).
The Wimad Trojan [147] was the third most common staged downloader component in 2009. This Trojan arrives on computers as a license-protected multimedia file. When the file is opened, Wimad abuses the intended functionality of digital rights management (DRM) technology: the player, believing it must acquire a license, opens a window and fetches an attacker-controlled URL. When the attacker's Web page is rendered, a deceptive message asks the user to click a button. If clicked, the Trojan downloads other threats, including adware and spyware.
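The Wimad technique above rides on a legitimate field: a DRM-protected Windows Media (ASF) file carries the URL from which the player should acquire a license. The following is an added example, not code from the report or from Symantec, showing how a triage script can pull that license URL out of an ASF header and flag files that would send the player to an untrusted host. It parses the ASF Header Object and the Content Encryption Object using the object GUIDs and field layout from Microsoft's ASF specification (Secret Data, Protection Type, Key ID, License URL, each DWORD length-prefixed; verify against the spec). The sample file header, the license URL and the trusted-host list are constructed for the example.

```python
import struct
import uuid
from urllib.parse import urlparse

# ASF object GUIDs from Microsoft's ASF specification. On disk the first three
# GUID fields are little-endian, which is exactly what uuid.UUID.bytes_le yields.
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
ASF_CONTENT_ENCRYPTION_OBJECT = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E").bytes_le


def _asf_object(guid: bytes, payload: bytes) -> bytes:
    # Every ASF object: GUID (16 bytes) + object size QWORD (8 bytes, counting
    # this 24-byte prefix) + payload.
    return guid + struct.pack("<Q", 24 + len(payload)) + payload


def _lp(data: bytes) -> bytes:
    # DWORD length-prefixed field, as used inside the Content Encryption Object.
    return struct.pack("<I", len(data)) + data


def build_sample_drm_header(license_url: str) -> bytes:
    """Constructed sample: a minimal ASF Header Object holding one Content
    Encryption Object whose License URL points wherever the caller says."""
    ceo = _asf_object(
        ASF_CONTENT_ENCRYPTION_OBJECT,
        _lp(b"\x00" * 4)                      # Secret Data (placeholder)
        + _lp(b"DRM\x00")                     # Protection Type
        + _lp(b"SAMPLEKEYID\x00")             # Key ID (placeholder)
        + _lp(license_url.encode() + b"\x00"),  # License URL
    )
    # Header Object: GUID, size QWORD, number of sub-objects DWORD, Reserved1=1, Reserved2=2
    return ASF_HEADER_OBJECT + struct.pack("<QIBB", 30 + len(ceo), 1, 1, 2) + ceo


def _parse_content_encryption(payload: bytes) -> str:
    """Read the four length-prefixed fields and return the License URL."""
    fields, pos = [], 0
    for _ in range(4):  # Secret Data, Protection Type, Key ID, License URL
        if pos + 4 > len(payload):
            raise ValueError("truncated Content Encryption Object")
        (n,) = struct.unpack_from("<I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError("field length exceeds object")
        fields.append(payload[pos:pos + n])
        pos += n
    return fields[3].rstrip(b"\x00").decode("utf-8", "replace")


def extract_license_urls(data: bytes) -> list:
    """Walk the ASF Header Object and return every License URL found in
    Content Encryption Objects. Malformed or truncated input raises ValueError
    rather than being silently treated as clean."""
    if len(data) < 30 or data[:16] != ASF_HEADER_OBJECT:
        raise ValueError("not an ASF header")
    header_size, count = struct.unpack_from("<QI", data, 16)
    if header_size > len(data):
        raise ValueError("truncated ASF header")
    urls, off = [], 30
    for _ in range(count):
        if off + 24 > header_size:
            raise ValueError("sub-object runs past header")
        guid = data[off:off + 16]
        (size,) = struct.unpack_from("<Q", data, off + 16)
        if size < 24 or off + size > header_size:
            raise ValueError("bad sub-object size")
        if guid == ASF_CONTENT_ENCRYPTION_OBJECT:
            urls.append(_parse_content_encryption(data[off + 24:off + size]))
        off += size
    return urls


def suspicious_license_urls(data: bytes, trusted_hosts: set) -> list:
    """Flag license URLs whose host is not a known license server. A media file
    that would steer the player to an unknown site is the Wimad pattern."""
    flagged = []
    for url in extract_license_urls(data):
        host = (urlparse(url).hostname or "").lower()
        if host not in trusted_hosts:
            flagged.append(url)
    return flagged


if __name__ == "__main__":
    sample = build_sample_drm_header("http://license.example.net/get")  # constructed
    print(suspicious_license_urls(sample, {"drm.vendor.example"}))
```

The check is deliberately an allowlist, not a blocklist: a Wimad-style file points at whatever host the attacker controls, so the only robust question is whether the URL matches a license server you expect. Note that this example reads only the Content Encryption Object (older Windows Media DRM); files using later DRM versions carry the license URL inside XML in the Extended Content Encryption Object instead, so a production scanner must parse that object as well.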
The most prevalent downloaded component in 2009 was the Gampass Trojan [148] (Table 13). Gampass uses keystroke-logging functionality to steal authentication credentials for online gaming accounts. Popular targets include Lineage [149], Rexue Jianghu, and Rohan, all of which are popular games in the APJ (Asia-Pacific/Japan) region. Gampass is commonly downloaded by worms such as Mummawow [150], Wowinzi [151], and Fubalca [152].
[147] http://www.symantec.com/security_response/writeup.jsp?docid=2005-011213-2709-99
[148] http://www.symantec.com/security_response/writeup.jsp?docid=2006-111201-3853-99
[149] http://www.symantec.com/security_response/writeup.jsp?docid=2005-011211-3355-99
[150] http://www.symantec.com/security_response/writeup.jsp?docid=2007-032015-4300-99
[151] http://www.symantec.com/security_response/writeup.jsp?docid=2008-050714-5642-99
[152] http://www.symantec.com/security_response/writeup.jsp?docid=2007-062214-3636-99