7/31/2019 Kindsight Security Labs-Q212 Malware Report-Final
Kindsight Security Labs Malware Report Q2 2012
Contents
INTRODUCTION 1
Q2 2012 HIGHLIGHTS 1
Q2 2012 HOME MALWARE STATISTICS 2
Home Network Infection Rates 2
Infection Methods 2
Top 20 Home Network Infections 3
Top High Level Threats 3
Top 20 Internet Threats 4
NEW DEVELOPMENTS IN Q2 5
Mac Flashback at Number One for 4 Weeks 5
ZeroAccess Modifies C&C Protocol 5
Ad-click Fraud Burns Bandwidth 6
Flame is the Latest Espionage Bot 7
DNSChanger is Still Making News 7
Q2 2012 MOBILE MALWARE STATISTICS 8
Mobile Device Infection Rates 8
Top Android Malware 8
Find and Call Infects iPhones and Androids 8
CONCLUSION 9
ABOUT KINDSIGHT SECURITY LABS 10
Introduction
The Kindsight Security Labs Q2 2012 Malware Report shows general trends for malware infections in home networks
and for infections in mobile devices and computers connected through mobile adapters. The numbers in this report are
aggregated across the networks where Kindsight solutions are deployed.
Infection rate: 14% (up 7.7% over the previous quarter)
Q2 2012 Highlights
14% of home networks were infected with malware in Q2/2012, up from 13% in the previous quarter.
The Mac Flashback infection led the top 20 lists for four weeks in a row, infecting 10% of home networks with Mac computers during the month of April.
The p2p ZeroAccess botnet changed its C&C protocol and grew to over 1.2 million supernodes, resulting in ad-click fraud that can consume the equivalent bandwidth of downloading as
many as 45 full-length movies per month per subscriber.
0.7% of all devices on mobile networks were infected. The infected devices include Android phones and laptops connected to the mobile network, so this infection rate is significant since the total
device count includes a large number of feature phones that are not targets for malware.
In Q2 there was a three-fold increase in the number of Android malware samples.
Android malware samples: 300% over the previous quarter
Q2 2012 Home Malware Statistics
Home Network Infection Rates
In fixed broadband deployments we found that in Q2/2012 an average of 14% of residential households showed
evidence of malware infection. In Q1, 13% of residential households showed evidence of infection. 9% of
households were infected by high threat level malware such as a botnet, rootkit or a banking Trojan. 6% of
households were infected with moderate threat level malware such as spyware, browser hijackers or adware. Some
households had multiple infections. The number of high level infections is a 50% increase from Q1/2012, when only
6% of households were infected with a high-level threat.
Infection Methods
The main infection method continues to be e-mail messages luring victims to web sites running a variety of exploit
kits. The victim would typically receive an e-mail message from a business or the government informing them of an
issue with their account. This would contain a reasonable-looking link to a web site. The web site would actually host
an exploit kit such as Blackhole, which would probe their system and attempt to infect it. Once infected, the attacker
would generally install a rootkit botnet such as Alureon or ZeroAccess, which is then used to coordinate additional
malware activity. In some cases they will directly download fake anti-virus software, a spambot or a banking Trojan
like Zeus or SpyEye. Often the e-mail will simply contain a zip file containing an executable malware file.
Home networks infected with malware: 14%. Division of infections by threat level: high 9%, moderate 6%. High level threats: 50% over the previous quarter.
Top High Level Threats
The table shows the top 20 high threat level malware that leads to identity theft, cybercrime or other online attacks.
We'll look at the significant ones in more detail below under New Developments.
Position Name
1 MAC.Bot.Flashback.K/I
2 Win32.Botnet.ZeroAccess
3 Win32.Trojan.NineBall/Gumblar
4 Win32.Backdoor.TDSS
5 Win32.Downloader.Agent.TK
6 Win32.BankingTrojan.Zeus
7 Win32.Trojan.Alureon/TDL
8 DNS.Trojan.DNSchanger
9 Win32.HackTool.Binder
10 Win32.Downloader.Cred.B
11 Win32.Trojan.Agent.Gen
12 Win32.Virus.Sality.AT
13 Win32.Downloader.Ponmocup.A
14 Win32.Trojan.Medfos.A
15 Win32.Backdoor.InstallCore.D
16 Win32.Exploit.JS_Blacole
17 Win32.Backdoor.Cycbot.B
18 Win32.Trojan.Proxyier.qk
19 Generic.Spambot
20 Win32.BankingTrojan.SpyEye
Top 20 Home Network Infections
The table below shows the top home network infections detected in Kindsight deployments. The results are
aggregated and the order is based on the number of infections detected over the 3-month period of this report.
Position Name Threat Level
1 Hijacker.MyWebSearchToolbar Moderate
2 Spyware.SCN-ToolBar Moderate
3 Hijacker.StartPage.KS Moderate
4 Adware.GameVance Moderate
5 Mac.Bot.Flashback.K/I High
6 Adware.MarketScore Moderate
7 Trojan.NineBall/Gumblar High
8 Trojan.Backdoor.TDSS High
9 Botnet.ZeroAccess High
10 Downloader.Agent.TK High
11 Spyware.SBU-Hotbar Moderate
12 BankingTrojan.Zeus High
13 Trojan.Alureon/TDL High
14 Trojan.DNSChanger High
15 Hacktool.Binder High
16 Downloader.Cred.B High
17 Trojan.Agent.Gen High
18 Virus.Sality.AT High
19 Downloader.Ponmocup.A High
20 Trojan.Medfos.A High
Top 20 Internet Threats
The chart below shows the top 20 most prolific malware found on the Internet. The sort order is based on the number
of distinct samples we have captured from the wild. Finding a large number of samples indicates that the malware
distribution is extensive and that the malware author is making a serious attempt to evade detection by anti-virus products.
Chart: prolific malware, ordered by share of distinct samples captured (0 to 2.5%):
Adware:Win32/Hotbar
Rogue:Win32/Winwebsec
Worm:Win32/Allaple.A
Virus:Win32/Sality.AT
Worm:Win32/Mydoom.O@mm
PWS:Win32/Lolyda.BF
Trojan:Win32/Rimecud.A
Worm:Win32/Rebhip.A
TrojanDownloader:Win32/Beebone.BQ
TrojanDownloader:Win32/Beebone.BR
VirTool:Win32/VBInject.UG
Trojan:Win32/Otran
Backdoor:Win32/Zegost.L
Worm:Win32/Vobfus.EG
Worm:Win32/Vobfus.gen!R
TrojanDropper:Win32/Sirefef.B
PWS:Win32/OnLineGames.IZ
Worm:Win32/Mydoom.L@mm
VirTool:Win32/VBInject.WX
Backdoor:Win32/Cycbot.G
New Developments in Q2
Mac Flashback at number one for 4 weeks
For the first time ever, malware targeting the Macintosh platform was in the number one position on the Kindsight
Security Labs home network infections list. Our detection statistics for the month of April show that 1.1% of homes
were infected with this malware. Based on Mac market share, this translates into about 10% of homes with Mac
computers being infected with this malware during the month of April. Security researchers at Symantec have
discovered that in addition to stealing passwords, Flashback is also being used for ad-click fraud.
The graph below shows the infections observed in network traffic throughout Q2. The percentage represents the
number of home networks that have Macs that were infected on that date.
Diagram: 3321 infected users in home networks communicating with 1 million+ ZeroAccess peers on the Internet.
The chart shows that the infection rate is on the decline, but still significant.
ZeroAccess Modifies C&C Protocol
We have been investigating the appearance of a new variation of the ZeroAccess/Sirefef bot. In February, we
published a detailed analysis of the network behavior of this bot and the encrypted p2p protocol that it uses to
communicate with its peers. The main purpose of this botnet is to distribute malware responsible for ad-click fraud,
which we explain in more detail below.
Over the last week of June on one network, we observed 3321 infected computers actively communicating with over
1.2 million Internet peers. This is almost a 2.5x increase in the number of infected computers and an over 50%
increase in the number of Internet peers when compared to the last week of Q1.
Chart: Flashback infections by week, 14 April to 30 June (percentage of home networks with Macs infected on that date, 0 to 6%).
http://www.kindsight.net/en/blog/2012/02/28/malware-analysis-encrypted-p2p-cc-botnet-zeroaccesssirefef
As can be seen in the bar chart below, the infected peers are widely distributed throughout the Internet, with almost
18% in India and 10% in the United States.
The underlying structure and function of the bot remain the same, but the command and control (C&C) protocol
also changed in Q2 to a combination of TCP and UDP. The botnet continues to be very prolific, with this new variety
infecting about 0.8% of the home networks observed by Kindsight. A detailed description of the new C&C protocol
can be found in the New C&C Protocol for ZeroAccess/Sirefef Malware Analysis Report.
Ad-click Fraud Burns Bandwidth
The traffic generated by ad-click fraud can burn through your bandwidth cap. We have been following a number
of bots such as ZeroAccess whose primary function is ad-click fraud. These bots receive instructions from a controller
directing them to click on ads on specific web sites. The web site owner gets paid by the advertiser on a per-click
basis, usually through the intermediary of an ad network. The advertisers and ad network operator have a number of
safeguards in place to protect against click fraud.
The bot tries to circumvent these by simulating normal human browsing behavior. This involves using a relatively low
click rate and responding to redirects, cookies and scripting as a regular browser would. Despite this low profile, the bot
operates 24 hours a day, seven days a week, so the bandwidth utilization for all that browsing adds up over time.
Chart: ZeroAccess supernodes by country (share of peers, 0 to 18%), in descending order: India, United States, Kazakhstan, Iran (Islamic Republic of), Brazil, Argentina, Italy, Chile, Venezuela, Algeria, Romania, Russian Federation, Japan, Ukraine, Morocco, Colombia, Spain, Turkey, Sweden, Indonesia.
http://www.kindsight.net/sites/default/files/Kindsight_Malware_Analysis-New_CC_protocol_ZeroAccess-final2.pdf
In one example we observed in the lab, a single bot consumed 0.1 Mbits/second when averaged out. For the infected
consumer, this adds up to 32 GBytes per month, which is the equivalent of downloading 45 full-length movies. For the
service provider, the impact on their network depends on the number of infected subscribers. The observed infection rate
for this bot was about 0.8% of the user population. This means that at any instant this bot alone is consuming 800 Mbits/
sec of bandwidth for every 1M users on the network.
Service provider with 1M users = 800 Mbits/sec. 1 infected subscriber = 32 GB of downloads (x45 movies).
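As an added check, not part of the original report, the following Python model reproduces the bandwidth figures above from the stated per-bot rate and infection rate, and lets a provider plug in its own user base or a subscriber's monthly cap. The 30-day month, decimal gigabytes (1 GB = 1000 MB) and the cap value are assumptions.

```python
"""Ad-click fraud bandwidth model (added example, not Kindsight's own code).

Reproduces the report's figures: a bot averaging 0.1 Mbit/s around the clock
moves roughly 32 GB per month, and at a 0.8% infection rate that bot family
adds about 800 Mbit/s of steady load for every one million subscribers.
Assumptions: 30-day month, decimal units (1 GB = 1000 MB), bot active 24h/day.
"""

SECONDS_PER_HOUR = 3600


def monthly_gbytes(avg_mbps: float, days: int = 30,
                   active_hours_per_day: float = 24.0) -> float:
    """Data volume in GB one bot transfers over a month at a given average rate."""
    active_seconds = days * active_hours_per_day * SECONDS_PER_HOUR
    megabits = avg_mbps * active_seconds
    return megabits / 8 / 1000          # Mbit -> MB -> GB


def aggregate_mbps(users: int, infection_rate: float, avg_mbps: float) -> float:
    """Steady-state load the infected share of a user base puts on the network."""
    return users * infection_rate * avg_mbps


def cap_share(cap_gb: float, avg_mbps: float) -> float:
    """Fraction of a subscriber's monthly cap consumed by the bot alone."""
    return monthly_gbytes(avg_mbps) / cap_gb


def implied_movie_size_gb(monthly_gb: float, movies: int = 45) -> float:
    """Movie size implied by the report's '45 full-length movies' comparison."""
    return monthly_gb / movies


if __name__ == "__main__":
    per_bot = 0.1                        # Mbit/s, from the report's lab observation
    rate = 0.008                         # 0.8% observed infection rate
    gb = monthly_gbytes(per_bot)
    print(f"one bot: {gb:.1f} GB/month (~{implied_movie_size_gb(gb):.2f} GB per movie)")
    print(f"1M users: {aggregate_mbps(1_000_000, rate, per_bot):.0f} Mbit/s")
    print(f"share of a 250 GB cap (assumed): {cap_share(250.0, per_bot):.1%}")
```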
Flame is the latest espionage bot
In May 2012 a new espionage bot was discovered by the Iranian National CERT. Detailed analysis was made
available from CrySyS Labs, who refer to it as SkyWiper, and Kaspersky, who refer to it as Flame. Both drew parallels
with the previous Stuxnet and Duqu malware. Flame is a large, complex bot written in the Lua scripting language and
can spread via USB sticks or via file sharing on a LAN. Kaspersky estimated in May that about 1000 computers in
the Middle East were infected, mostly in Iran. This appears to be a highly targeted attack focused on espionage, and
we have not seen any evidence of this infection in any Kindsight deployments.
DNSChanger is still making news
The FBI took down the DNSChanger domain name servers in November 2011, but despite that it continues to make the
news. During Q2 2012, malware related to DNSChanger was consistently on our top 20 infection list. This is because
infected computers remain infected even after the takedown. These computers will effectively lose Internet access if they
are not fixed before the interim DNS service is decommissioned.
The FBI and major security vendors have been working with service providers to get the infections resolved before the
interim DNS servers were decommissioned on July 9th. These efforts have been partially successful, and over the first
half of the year the number of computers using the rogue DNS servers has been significantly reduced. However, about
10% of the infected computers remain unfixed. In some cases, service providers have continued to route the traffic for
infected computers so that the subscriber does not lose Internet connectivity and has more time to fix the problem. By
working together, the industry did a good job of minimizing the number of affected homes.
Q2 2012 Mobile Malware Statistics
Mobile Device Infection Rates
In mobile networks we found that 0.7% of devices were infected. The infected devices include Android phones and
laptops tethered to a phone or connected directly through a mobile hub/USB stick. The infection rate is low because
the total device count includes a large number of feature phones that are not malware targets. We also saw a three-
fold growth in the number of Android malware samples.
Top Android Malware
The table below shows the top Android malware detected in the networks where the Kindsight Mobile Security
solution is deployed. The following table shows the top 10 Android infections of Q2.
For the most part these are all trojanized apps that steal information about the phone or send SMS messages, but the
list also includes a banking Trojan that intercepts access tokens for banking web sites and two spyware applications that
are used to spy on family members or associates. The top 2 infections are the same as in the Q1 report and are covered
in more detail there.
Throughout Q2 Kindsight Security Labs continued to collect Android malware. Our sample library grew three-fold in
that period.
Find and Call infects iPhones and Androids
After years with a solid security record, Apple was hit a couple of times in Q2 2012. First Flashback infected the
Mac, and now it appears that an iPhone app called Find and Call uploads the user's contact list to a remote server. The
server then sends e-mail and text-message spam to the victim's contacts. The messages are in Russian and encourage
the recipient to download the app. The app has been removed from the Apple Store. There is also an Android version of
the app.
Position Name
1 Trojan.GGTracker
2 Trojan.Pjapps3.A
3 Spyware.MobileSpy
4 Trojan.DroidDream
5 Adware.SndApp.B
6 BankingTrojan.FakeToken
7 Trojan.Dogowar
8 Spyware.FlexiSpy
9 Trojan.Geimini.A
10 Trojan.DroidKungFu
Conclusion
In this report, we saw an increase in the number of home networks infected as compared to Q1/2012. We also saw
a 0.7% infection rate for all devices on mobile networks, but more concerning was the 3x increase in the number of
Android malware samples.
While it has not received the publicity of Flame, malware like the ZeroAccess botnet should be of more concern
to consumers as it continues to grow to over 1 million supernodes. It tries to remain unobserved, uses P2P
communications that change to spread, which makes it difficult to detect, and most importantly can generate enough
ad-click traffic to impact bandwidth caps and cost the consumer money.
This past quarter also confirmed that Apple is not immune to malware. For the first time ever, malware targeting
the Macintosh platform, Flashback, was in the number one position on the Kindsight Security Labs home network
infections list. And an iPhone app called Find and Call uploads the user's contact list to a remote server and then
sends e-mail and text-message spam to the victim's contacts.
So while the increases in malware in this report are a concern, it is the types of malware that are driving this growth that
are the thing to watch as we move into Q3.
Kindsight, Inc
755 Ravendale Drive, Mountain View, CA 94043 U.S.A
555 Legget Drive, Tower B, Suite 132, Ottawa, ON K2K 2X3 Canada
T: +1.650.969.7770
Copyright 2012 Kindsight, Inc. Kindsight is a registered trademark of Kindsight, Inc. All rights reserved.
About Kindsight Security Labs
Kindsight Security Labs focuses on the behavior of malware
communications to develop network signatures that detect current
threats with low false positives. This approach enables the detection
of malware in the service provider network, and the signatures
developed form the foundation of Kindsight Security Analytics and
Kindsight Security Services.
To accurately detect that a user is infected, our signature set looks for network behavior that provides unequivocal
evidence of infection coming from the user's computer. This includes:
Malware command and control (C&C) communications
Backdoor connections
Attempts to infect others (e.g. exploits)
Excessive e-mail
Denial of Service (DoS) and hacking activity
There are four main activities that support our signature development and verification process.
1. Monitor information sources from major security vendors and maintain a database of currently active threats.
2. Collect malware samples (>10,000/day), classify and correlate them against the threat database.
3. Execute samples matching the top threats in a sandbox environment and compare against our current
signature set.
4. Conduct a detailed analysis of the malware's behavior and build new signatures if a sample fails to trigger
a signature.
As an active member of the security community, Kindsight Security Labs also shares this research by publishing a list
of actual threats detected and the top emerging threats on the Internet, and this report.