Kindsight Security Labs Malware Report Q2 2012
Introduction
The Kindsight Security Labs Q2 2012 Malware Report shows general trends for malware infections in home networks and in mobile devices and computers connected through mobile adapters. The numbers in this report are aggregated across the networks where Kindsight solutions are deployed.
Q2 2012 Highlights
14% of home networks were infected with malware in Q2/2012, up from 13% in the previous quarter.
The Mac Flashback infection led the top 20 lists for four weeks in a row, infecting 10% of home networks with Mac computers during the month of April.
The peer-to-peer ZeroAccess botnet changed its C&C protocol and grew to over 1.2 million super nodes, resulting in ad-click fraud that can consume bandwidth equivalent to downloading as many as 45 full-length movies per month per subscriber.
0.7% of all devices on mobile networks were infected. The infected devices include Android phones and laptops connected to the mobile network. This infection rate is significant because the total device count includes a large number of feature phones that are not targets for malware.
In Q2 there was a three-fold (300%) increase in Android malware samples.
Infection Methods
The main infection method continues to be e-mail messages luring victims to web sites running a variety of exploit kits. The victim typically receives an e-mail message, apparently from a business or the government, informing them of an issue with their account. The message contains a reasonable-looking link to a web site that actually hosts an exploit kit such as Blackhole, which probes the victim's system and attempts to infect it. Once the system is infected, the attacker generally installs a rootkit botnet such as Alureon or ZeroAccess, which is then used to coordinate additional malware activity. In some cases they directly download fake anti-virus software, a spambot or a banking Trojan like Zeus or SpyEye. Often the e-mail simply contains a zip file containing an executable malware file.
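A mail-gateway style check for the last infection method described above (a zip attachment carrying an executable), added here as an example and not taken from the Kindsight report. It inspects each zip member by content (the Windows PE "MZ" magic) as well as by name, so a renamed or double-extension executable is still flagged; the sample archive is constructed inline and contains no real malware.

```python
# Added example (not from the Kindsight report): flag zip attachments that
# carry an executable, the e-mail infection method the report describes.
import io
import zipfile

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def suspicious_members(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (member name, reason) for each zip entry that looks executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            # Reason 1: the final extension is executable. Only the last one
            # counts, so a double extension such as invoice.pdf.exe is caught.
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append((name, f"executable extension {ext}"))
                continue
            # Reason 2: the content starts with the PE magic even though the
            # name claims to be a document.
            with archive.open(info) as member:
                if member.read(2) == PE_MAGIC:
                    findings.append((name, "PE header (MZ) despite non-executable name"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample attachment (placeholder bytes, not a real malware file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("statement.txt", "Your account statement is attached.")
        archive.writestr("invoice.pdf.exe", b"MZ" + b"\x00" * 62)  # double extension
        archive.writestr("report.pdf", b"MZ" + b"\x00" * 62)       # renamed executable
        archive.writestr("real.pdf", b"%PDF-1.4\n")                # genuine document
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in suspicious_members(build_sample_zip()):
        print(f"{name}: {reason}")
```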
[Chart: 14% of home networks infected; Division of Infections by Malware Threat Level, Moderate and High segments (values extracted from the chart: 6%, 9%, 50%)]
Top 20 home network infections (name, threat level):
1. Hijacker.MyWebSearchToolbar (Moderate)
2. Spyware.SCN-ToolBar (Moderate)
3. Hijacker.StartPage.KS (Moderate)
4. Adware.GameVance (Moderate)
5. Mac.Bot.Flashback.K/I (High)
6. Adware.MarketScore (Moderate)
7. Trojan.NineBall/Gumblar (High)
8. Trojan.Backdoor.TDSS (High)
9. Botnet.ZeroAccess (High)
10. Downloader.Agent.TK (High)
11. Spyware.SBU-Hotbar (Moderate)
12. BankingTrojan.Zeus (High)
13. Trojan.Alureon/TDL (High)
14. Trojan.DNSChanger (High)
15. Hacktool.Binder (High)
16. Downloader.Cred.B (High)
17. Trojan.Agent.Gen (High)
18. Virus.Sality.AT (High)
19. Downloader.Ponmocup.A (High)
20. Trojan.Medfos.A (High)

Top 20 high-level threats (name):
1. MAC.Bot.Flashback.K/I
2. Win32.Botnet.ZeroAccess
3. Win32.Trojan.NineBall/Gumblar
4. Win32.Backdoor.TDSS
5. Win32.Downloader.Agent.TK
6. Win32.BankingTrojan.Zeus
7. Win32.Trojan.Alureon/TDL
8. DNS.Trojan.DNSchanger
9. Win32.HackTool.Binder
10. Win32.Downloader.Cred.B
11. Win32.Trojan.Agent.Gen
12. Win32.Virus.Sality.AT
13. Win32.Downloader.Ponmocup.A
14. Win32.Trojan.Medfos.A
15. Win32.Backdoor.InstallCore.D
16. Win32.Exploit.JS_Blacole
17. Win32.Backdoor.Cycbot.B
18. Win32.Trojan.Proxyier.qk
19. Generic.Spambot
20. Win32.BankingTrojan.SpyEye
PROLIFIC MALWARE
New Developments in Q2
Mac Flashback at number one for 4 weeks
For the first time ever, malware targeting the Macintosh platform was in the number one position on the Kindsight Security Labs home network infections list. Our detection statistics for the month of April show that 1.1% of homes were infected with this malware. Based on Mac market share, this translates into about 10% of homes with Mac computers being infected with this malware during the month of April. Security researchers at Symantec have discovered that in addition to stealing passwords, Flashback is also being used for ad-click fraud. The graph below shows the infections observed in network traffic throughout Q2. The percentage represents the number of home networks with Macs that were infected on that date.
[Chart: Flashback infections, weekly data points from 14 April to 30 June; y-axis 0% to 6% of home networks with Macs]
The chart shows that the infection rate is on the decline, but still significant.
[Figure: peer-to-peer botnet with 1 million+ peers connected across the Internet and home networks]
As can be seen in the bar chart below, the infected peers are widely distributed throughout the Internet with almost 18% in India and 10% in the United States.
[Bar chart: infected peers by country, 0% to 18%; countries shown: India, United States, Kazakhstan, Iran (Islamic Republic of), Brazil, Argentina, Italy, Chile, Venezuela, Algeria, Romania, Russian Federation, Japan, Ukraine, Morocco, Colombia, Spain, Turkey, Sweden, Indonesia]
The underlying structure and function of the bot remain the same, but the command and control (C&C) protocol also changed in Q2 to a combination of TCP and UDP. The botnet continues to be very prolific, with this new variety infecting about 0.8% of the home networks observed by Kindsight. A detailed description of the new C&C protocol can be found in the New C&C Protocol for ZeroAccess/Sirefef Malware Analysis Report.
In one example we observed in the lab, a single bot consumed 0.1 Mbits/second when averaged out. For the infected consumer, this adds up to 32 GBytes per month, which is the equivalent of downloading 45 full-length movies. For the service provider, the impact on their network depends on the number of infected subscribers. The observed infection rate for this bot was about 0.8% of the user population. This means that at any instant this bot alone is consuming 800 Mbits/sec of bandwidth for every 1M users on the network.
[Callout: 1 infected subscriber = 32 GB of downloads per month, x45 full-length movies]
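The bandwidth estimate above, written out as an added example (not code from the Kindsight report) so the per-subscriber and per-network figures can be recomputed for other bitrates, infection rates, subscriber counts and data caps. It assumes a 30-day month and decimal gigabytes (1 GB = 1e9 bytes), neither of which the report states; the 50 GB cap in the usage is a constructed value.

```python
# Added example (not from the Kindsight report): reproduces the ZeroAccess
# bandwidth estimate and generalises it to other inputs.
# Assumptions not stated in the report: 30-day month, 1 GB = 1e9 bytes.

SECONDS_PER_MONTH = 30 * 24 * 3600
BITS_PER_GB = 8 * 10**9


def monthly_gigabytes(avg_mbps: float) -> float:
    """Monthly volume (GB) pulled by one bot that averages avg_mbps Mbit/s."""
    bits = avg_mbps * 10**6 * SECONDS_PER_MONTH
    return bits / BITS_PER_GB


def aggregate_load_mbps(avg_mbps: float, infection_rate: float, subscribers: int) -> float:
    """Instantaneous load (Mbit/s) the bot imposes on a whole subscriber base.

    infection_rate is a fraction, e.g. 0.008 for the report's 0.8%.
    """
    return subscribers * infection_rate * avg_mbps


def cap_fraction(avg_mbps: float, cap_gb: float) -> float:
    """Share of a subscriber's monthly data cap consumed by the bot alone."""
    return monthly_gigabytes(avg_mbps) / cap_gb


if __name__ == "__main__":
    # The report's own figures: 0.1 Mbit/s per bot, 0.8% of 1M users.
    print(f"one bot at 0.1 Mbit/s: {monthly_gigabytes(0.1):.1f} GB/month")
    print(f"0.8% of 1M users: {aggregate_load_mbps(0.1, 0.008, 1_000_000):.0f} Mbit/s")
    # Constructed example: how much of a 50 GB cap a single bot would eat.
    print(f"share of a 50 GB cap: {cap_fraction(0.1, 50):.0%}")
```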
Top 10 mobile (Android) infections by name:
1. Trojan.GGTracker
2. Trojan.Pjapps3.A
3. Spyware.MobileSpy
4. Trojan.DroidDream
5. Adware.SndApp.B
6. BankingTrojan.FakeToken
7. Trojan.Dogowar
8. Spyware.FlexiSpy
9. Trojan.Geimini.A
10. Trojan.DroidKungFu
For the most part these are trojanized apps that steal information about the phone or send SMS messages, but the list also includes a banking Trojan that intercepts access tokens for banking web sites and two spyware applications that are used to spy on family members or associates. The top 2 infections are the same as in the Q1 report and are covered in more detail there. Throughout Q2 Kindsight Security Labs continued to collect Android malware; our sample library grew three-fold in that period.
Conclusion
In this report, we saw an increase in the number of home networks infected as compared to Q1/2012. We also saw a 0.7% infection rate for all devices on mobile networks, but more concerning was the 3x increase in the number of Android malware samples. While it has not received the publicity of Flame, malware like the ZeroAccess botnet should be of more concern to consumers as it continues to grow to over 1 million super nodes. It tries to remain unobserved, uses P2P communications that keep changing, which makes it difficult to detect, and most importantly can generate enough ad-click traffic to impact bandwidth caps and cost the consumer money. This past quarter also confirmed that Apple is not immune to malware. For the first time ever, malware targeting the Macintosh platform, Flashback, was in the number one position on the Kindsight Security Labs home network infections list. And an iPhone app called Find and Call uploads the user's contact list to a remote server and then sends e-mail and text-message spam to the victim's contacts. So while the increases in malware in this report are a concern, it is the types of malware driving this growth that are the thing to watch as we move into Q3.
There are four main activities that support our signature development and verification process.
1. Monitor information sources from major security vendors and maintain a database of currently active threats.
2. Collect malware samples (>10,000/day), and classify and correlate them against the threat database.
3. Execute samples matching the top threats in a sandbox environment and compare the results against our current signature set.
4. Conduct a detailed analysis of the malware's behavior and build new signatures if a sample fails to trigger a signature.
As an active member of the security community, Kindsight Security Labs also shares this research by publishing a list of actual threats detected and the top emerging threats on the Internet, as well as this report.
Kindsight, Inc., 755 Ravendale Drive, Mountain View, CA 94043, U.S.A.; 555 Legget Drive, Tower B, Suite 132, Ottawa, ON K2K 2X3, Canada
Copyright 2012 Kindsight, Inc. Kindsight is a registered trademark of Kindsight, Inc. All rights reserved.
T: +1.650.969.7770
info@kindsight.net www.kindsight.net