‫ Q2 2012 Malware Report– Kindsight Security Labs

IRCRE201207106
Date: 2012-07-21
 
Q2 2012 Home Malware Statistics
Infection Methods
The main infection method continues to be e-mail messages luring victims to web sites running a variety of exploit kits. The victim would typically receive an e-mail message from a business or the government informing them of an issue with their account. This would contain a reasonable looking link a web site. The web site would actually host an exploit kit such as Blackhole. This would probe their system and attempt to infect it. Once infected the attacker would generally install a rootkit botnet such as Alureon or ZeroAccess which is then used to coordinate additional malware activity. In some cases they will directly download fake anti-virus software, a Spambot or a banking Trojan like Zeus or SpyEye. Often the e-mail will simply contain a zip file containing an executable malware file.
Top 20 Home Network Infections
The chart below shows the top home network infections detected in Kindsight deployments. The results are aggregated and the order is based on the number of infections detected over the 3-month period of this report.
New Developments in Q2
Mac “Flashback” at number one for 4 weeks
For the first time ever, malware targeting the Macintosh platform was in the number one position on the Kindsight Security Labs home network infections list. Our detection statistics for the month of April show that 1.1% of homes were infected with this malware. Based on a Mac market share this translates into about 10% of homes with Mac computers being infected with this malware during the month of April. Security researchers at Symantec have discovered that in addition to stealing passwords, Flashback is also being use for ad-click fraud.
The graph below shows the infections observed in network traffic throughout Q2.
The chart shows that the infection rate is on the decline, but still significant.
ZeroAccess Modifies C&C Protocol
We have been investigating the appearance of a new variation of the ZeroAccess/Sirefef bot. The main purpose of this botnet is to distribute malware responsible for ad-click fraud, which we explain in more detail below.
Over the last week of June on one network, we observed 3321 infected computers actively communicating with over 1.2 million Internet peers. This is almost a 2.5x increase in the number of infected computers and an over 50% increase in the number of Internet peers when compared to the last week of Q1.
As can be seen in the bar chart below, the infected peers are widely distributed throughout the Internet with almost 18% in India and 10% in the United States.
The underlying structure and function of the bot remain the same, but the command and control (C&C) protocol also changed in Q2 to a combination of TCP and UDP.
Flame is the latest espionage bot
In May 2012 a new espionage bot was discovered by the Iranian National CERTwhich was referred as Flame. Flame is a large complex bot written in the Lua scripting language and can spread via USB sticks or via file-sharing on a LAN. Kaspersky estimated in May that about 1000 computers in the Middle East were infected, mostly in Iran. This appears to be a highly targeted attack, focused on espionage.
DNSChanger is still making news
The FBI took down the DNSChanger domain name servers in November 2011, but despite that it continues to make the news. During Q2 2012, malware related to DNSChanger was consistently on our top 20 infection list. This is because infected computers remain infected even after the takedown.
The FBI and major security vendors have been working with service providers to get the infections resolved before the interim DNS servers were decommissioned on July 9th. These efforts have been partially successful and over the first half of the year the number of computers using the rogue DNS servers has been significantly reduced. However about 10% of the infected computers remain unfixed.
Q2 2012 Mobile Malware Statistics
Mobile Device Infection Rates
In mobile networks we found that 0.7% of devices were infected. The infected devices include Android phones and laptops tethered to a phone or connected directly through a mobile hub/USB stick. The infection rate is low because the total device count includes a large number of feature phones that are not malware targets. We also saw a three-fold growth in the number of Android malware samples.
Top Android Malware
The following table shows the top 10 Android infections of Q2.
For the most part these are all “trojanized” apps that steal information about the phone or send SMS messages, but the list also includes a banking Trojan that intercepts access tokens for banking web sites and two spyware applications that are used to spy on family members or associates. The top 2 infections are the same as in the Q1 report.
“Find and Call” infects iPhones and Androids
After years with a solid security record, Apple was being hit a couple of times in Q2 2012. First Flashback infected the Mac and now it appears that an iPhone app called “Find and Call” uploads the users contact list to a remote server. The server then sends e-mail and text-message spam to the victim’s contacts. The messages are in Russian and encourage the recipient to download the app. The app has been removed from the Apple Store. There is also an Android version of the app.
 
References:
Kindsight Security Labs Malware Report, Q2 2012

نظرات

بدون نظر
شما برای نظر دادن باید وارد شوید

نوشته

 
تاریخ ایجاد: 1 مرداد 1391

دسته‌ها

امتیاز

امتیاز شما
تعداد امتیازها:0