Kindsight Security Labs Malware Report – Q2 2013 – 1st Section

Date: 2013-09-15
The Kindsight Security Labs Q2 2013 Malware Report examines general trends for malware infections in home networks and in mobile devices and computers connected through mobile adapters. The data in this report is aggregated across the networks where Kindsight solutions are deployed.
Q2 2013 Highlights
• 10% of home networks were infected with malware in Q2/2013, that’s up from the 9% figure in the previous quarter.
• 6% of broadband customers were infected with high-level threats such as bots, rootkits, and banking Trojans.
• The ZeroAccess Bot continues to be the most common malware threat in Q2, infecting about 0.8% of broadband users.
• In mobile networks 0.52% of devices exhibited high threat level malware. This is up slightly from the 0.50% in Q1. Of these, half were Android devices and the other half were Windows devices tethered to the mobile network via a phone, a dongle or MiFi.
• Mobile malware continues to grow. In Q2 the number of samples increased by a factor of six.
• The Cutwail SpamBot is being used to spread Android malware via spam (Stels/SmsSpy).
• Vulnerabilities in Android application signing open new attack vectors.
• Kindsight to demo proof-of-concept Spy-Phone module at BlackHat 2013.
Q2 2013 Home Network Malware Statistics
Home Network Infection Rates
In fixed broadband deployments in Q2 2013 we found that 10% of residential households show evidence of malware infection. This has increased from 9% in Q1. 6% of households were infected by high threat level malware such as a botnet, rootkit or banking Trojan with 5% of households also infected with a moderate threat level malware such as spyware, browser hijackers or adware. Some households had multiple infections including both high and moderate threat level infections.

Top 20 Home Network Infections
The chart below shows the top home network infections detected in Kindsight deployments. The results are aggregated and the order is based on the number of infections detected over the three month period of this report.
Top 20 High Level Infections
The table shows the top 20 high threat level malware that lead to identity theft, cybercrime or other online attacks. We’ll look at the top three in more detail in the next section.
Top Infections
ZeroAccess2 is a p2p bot that uses rootkit technology to conceal its presence. It downloads additional malware that is used in a large scale ad-click fraud. This fraud can cost Internet advertisers millions of dollars each day. The bandwidth utilization is moderate at any given time, but when aggregated over a month can be quite significant for the user. We have observed this bot consuming up to 45 Gig of bandwidth over a month. A variant also makes money through bitcoin mining. Due to the p2p nature of this infection the C&C is everywhere with heavy concentrations of infection in the US, Europe and Asia.
Alureon.DX is a bootkit Trojan that steals usernames, passwords and credit card information and uploads the information to a remote command & control server. It was first seen in 2006 and has evolved through a variety of versions since then. It gets control of the device by rewriting the master boot record and actively conceals itself from anti-virus software. C&C servers are located in the US, UK and the Netherlands as shown in the map below.
Zeus/Zbot is a banking Trojan that has been around in various forms since 2007. Zeus has evolved considerably since then and continues to cause havoc. The most recent version uses an encrypted p2p command and control protocol. This bot attaches itself to the victim’s browser and monitors online banking activity. Banking credentials and credit card numbers are then sent back to a command and control site. Over the years, various versions of Zeus have been responsible for millions of dollars in online banking fraud. Command and control sites are distributed globally, with concentrations in the US, Europe and China.
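The ZeroAccess description above makes a point that matters for detection: the bot's peer-to-peer traffic is moderate at any instant but adds up to tens of gigabytes over a month. The following is an added example, not code from the Kindsight report, showing one way a home-network monitor could surface that shape of traffic. It assumes per-flow records (source host, remote peer, destination port, bytes) and assumes that P2P bot traffic shows up as a fan-out to many distinct remote peers; the sample flows, the thresholds and the 30-day extrapolation are constructed for illustration.

```python
"""
Added example (not from the Kindsight report): a heuristic that scans
constructed per-flow records for the traffic shape the report attributes to
ZeroAccess, i.e. many small peer connections that look moderate at any instant
but add up over a month. Thresholds and the sample flows are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds since the start of the observation window
    src: str       # home host (private address)
    dst: str       # remote peer
    dport: int     # destination port
    bytes_: int    # bytes sent by src in this flow


# Constructed flow records: one host talks to a couple of well-known services,
# the other fans out to forty distinct remote peers on high ports.
SAMPLE_FLOWS = [
    Flow(0, "192.168.1.10", "93.184.216.34", 443, 180_000),
    Flow(30, "192.168.1.10", "93.184.216.34", 443, 220_000),
    Flow(60, "192.168.1.10", "151.101.1.69", 443, 90_000),
] + [
    Flow(10 * i, "192.168.1.20", f"10.{i % 7}.{i % 13}.{i}", 40_000 + (i % 3), 50_000)
    for i in range(1, 41)
]

SECONDS_PER_MONTH = 30 * 24 * 3600


def summarize_hosts(flows):
    """Per source host: distinct remote peers, distinct destination ports,
    and total bytes sent within the window."""
    peers = defaultdict(set)
    ports = defaultdict(set)
    total = defaultdict(int)
    for f in flows:
        peers[f.src].add(f.dst)
        ports[f.src].add(f.dport)
        total[f.src] += f.bytes_
    return {
        h: {"peers": len(peers[h]), "ports": len(ports[h]), "bytes": total[h]}
        for h in total
    }


def projected_monthly_bytes(window_bytes, window_seconds):
    """Extrapolate bytes seen in a short window to a 30-day month, the
    aggregation that turns 'moderate' usage into tens of GB."""
    if window_seconds <= 0:
        raise ValueError("window must be positive")
    return window_bytes * SECONDS_PER_MONTH / window_seconds


def flag_p2p_suspects(flows, window_seconds, min_peers=25, min_monthly_gb=10.0):
    """Return (host, peer_count, projected_gb) for hosts that fan out to many
    distinct peers AND whose extrapolated monthly volume exceeds the threshold.
    Requiring both keeps a heavy CDN/streaming user (few peers, many bytes)
    from being flagged. Thresholds are assumed values, not from the report."""
    suspects = []
    for host, s in sorted(summarize_hosts(flows).items()):
        monthly_gb = projected_monthly_bytes(s["bytes"], window_seconds) / 1e9
        if s["peers"] >= min_peers and monthly_gb >= min_monthly_gb:
            suspects.append((host, s["peers"], round(monthly_gb, 1)))
    return suspects


if __name__ == "__main__":
    for host, peers, gb in flag_p2p_suspects(SAMPLE_FLOWS, window_seconds=400):
        print(f"{host}: {peers} distinct peers, ~{gb} GB/month projected")
```

On the constructed input only 192.168.1.20 is reported: forty distinct peers and roughly 13 GB/month projected from a 400-second window, while 192.168.1.10 talks to two hosts and stays under the volume threshold. A real deployment would tune the thresholds against a baseline of normal household traffic and confirm a hit with payload-level signatures rather than acting on the fan-out heuristic alone.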
Top 25 Most Prolific Threats
The chart below shows the top 25 most prolific malware found on the Internet. The order is based on the number of distinct samples we have captured from the Internet at large. Finding a large number of samples indicates that the malware distribution is extensive and that the malware author is making a serious attempt to evade detection by anti-virus products.




Created: 24 Shahrivar 1392


