Information Security Threats in the First Quarter of 2010


This report was compiled on the basis of data obtained and processed using the Kaspersky Security Network (KSN). KSN is one of the most important innovations in personal products and is currently in the final stages of development. Once completed, it will become an integral feature of Kaspersky Lab's corporate product range.

The Kaspersky Security Network can, in real time, detect new malware for which no signatures or heuristic detection methods are currently available. KSN helps identify the source of malware proliferation on the Internet and block user access to it.

Additionally, KSN provides a must faster response to new threats. This technology makes it possible to block the launch of new malware on users' computers running KSN within seconds of a program being found to be malicious -- the process is not delayed by waiting for antivirus database updates.

The Quarter in Review

  • A total of 327,598,028 attempts to infect users' computers in different countries around the world were recorded -- that's 26.8% more than in the previous quarter.
  • The vector of attack employed by the cybercriminals is changing: the percentage of attacks that targeted Chinese users dropped by 13%.
  • The most dominant malware family on the Internet utilizes HTML code or scripts that the cybercriminals primarily use to infect legitimate sites.
  • A total of 119,674,973 malicious host servers were identified. The US and Russia were both ahead of China in terms of the number of malicious hosting servers.
  • Detected vulnerabilities increased by 6.9% from the previous quarter. Six of the ten most common vulnerabilities found were in Microsoft products.
  • The number of exploits increased 21.3%. Roughly fifty percent of all exploits take advantage of vulnerabilities in Adobe programs due to the fact that Adobe's programs are widespread and can be run on a number of different platforms.
  • Almost any device that synchronizes with a computer is used by the cybercriminals as a carrier of malware these days. The most unusual of which has so far been a USB charger for Energizer batteries.

General overview

The most newsworthy events in the first quarter of 2010 are, in one way or another, connected to Internet threats. As usual, the most common tactic employed by the cybercriminals is the so-called 'drive-by download.' Key to these types of attacks is that the exploits are used to take advantage of different vulnerabilities in browsers and plug-ins.

There was a lot of press coverage of 'Operation Aurora' -- a hacker attack targeting major corporations like Google and Adobe. In order to launch this large scale attack, the hackers used an exploit detected by Kaspersky Lab products as Exploit.JS.Aurora. This exploit takes advantage of the CVE-2010-0249 vulnerability which can be found in several versions of MS Internet Explorer, a common web browser. The attack was conducted using targeted mailings with links to a webpage containing the exploit. If everything went according to the fraudsters' plan, after visiting the infected website, a user's computer would covertly download a piece of malware without alerting the user. The hackers' goal was to collect confidential user and corporate data, including source code for major projects.

The publication of information about the attack caused Germany, France and Australia to encourage their citizens to use browsers other than MS Internet Explorer -- at least until a patch was released to eliminate the vulnerability. Microsoft developers had been aware of the vulnerability since September 2009. As many know, Microsoft releases patches for its products on a monthly basis, an event now commonly known as 'Patch Tuesday'. The problem is that in between Patch Tuesdays, hackers can exploit new vulnerabilities safe in the knowledge that they will work swimmingly on most computers before the next round of patches are released.

The uproar surrounding the consequences of the Aurora exploits forced Microsoft to release a patch for the CVE-2010-0249 vulnerability earlier than scheduled. This is a small, yet significant victory for IT security professionals everywhere. Towards the end of the quarter, Microsoft released yet another unscheduled and urgent patch for Internet Explorer, the reason for which turned out to be the exploitation of vulnerabilities in yet another attack. This goes to show that the software developers are taking more responsibility when it comes to the security of their products. We hope this lesson won't soon be forgotten.

In the light of recent events, we began to expect some improvements to Adobe's policy on the release of automatic updates. On 13 April Adobe activated a new update service for Adobe Reader and Adobe Acrobat for the latest versions running on Windows and Mac OS X. This is of particular relevance as according to our quarterly statistics virus writers exploit more vulnerabilities in Adobe software than in Microsoft products. This continues to happen in spite of the fact that more unpatched vulnerabilities have been found in Microsoft solutions than in Adobe products. Adobe has become the prime target for virus writers because its software is so widespread and because it runs on a number of different platforms.

Of late, one of the most striking trends that cannot go unmentioned is that existing malicious programs are being updated and made more complex. Established hacker gangs are putting the finishing touches to their masterpieces, as we can see from the following examples: the addition of a new function to the ZeuS Trojan, allowing it total control over an infected computer, the development of fake antivirus programs and Sality, one of the most widespread viruses.

The fake antivirus programs that flourished across the English-language Internet last year are still evolving. Unlike other malicious programs that try to hide their activity, fake antivirus programs try to attract a user's attention. Furthermore, the creators of these fake antivirus programs use a variety of tactics to confuse Internet users. One of these tactics involves copying the interfaces used by known antivirus manufacturers, such as Avira, AVG and Kaspersky Lab. Unfortunately, the more precise the copy, the better the chances are that even an experienced user will fall for the cybercriminals' bait. Until recently, real antivirus programs were distinguished from their counterfeit others by multi-language and technical support. However, in the first few months of 2010 we recorded several instances in which fake antivirus programs had been localized into other languages. We have also seen more frequent instances of fake antivirus programs that purport to offer technical support. The reason for all of these tricks is that a serious war is being waged against fake antivirus programs and educating the user is top priority on the battlefield. Correspondingly, the cybercriminals have had to come up with new methods of persuading users to buy their counterfeit programs.

During the first quarter of the year, the cybercriminals took advantage of just about every major newsworthy event in order to lure as many potential victims as possible into visiting infected websites, leaving no doubts at all as to their complete lack of moral standards. The release of the iPad, the Avatar blockbuster, the devastating earthquake in Haiti and the terrorist attacks in Moscow are just a few of the topics seized upon by the unscrupulous cybercriminals. Virus writers used a number of different methods to distribute links to their handiwork, such as creating and using fake accounts on popular social networking sites to post messages, orchestrating spam mailings and poisoning search engines. Search engine poisoning is based on techniques used to promote websites dedicated to a particular subject and is also known as Black SEO. When search engines are compromised, a user's common search request will return results in the form of links that lead to infected websites. In the overwhelming majority of cases, users' computers will attempt to download fake antivirus programs from these sites. One would hope that the companies running search engines have started to pay closer attention to this problem.

December 2009 saw the introduction of far more stringent registration policies for Internet addresses using the '.cn' domain. Following the implementation of legislation by the CNNIC, new domain registration rules now require a written statement in which the petitioner must provide verifiable identification and a license to run commercial operations. Websites that were already registered are now subject to an inspection and if the owner cannot provide the required documentation, then the website will be closed down. In order to streamline the '.cn' domain inspection process, registration via foreign services is now prohibited. As we can see from the results for the first quarter of 2010, these stricter measures have had a positive impact: there has been a considerable decrease in the percentage of malicious content originating from this part of the Internet. We address this phenomenon in more detail in the section on the geographic distribution of threats that can be found further on in this report.

In general, this past quarter has seen an abundance of events that have served to emphasize the relevance of protection against malicious code for both home and corporate users. It is remarkable that attacks against corporate systems used essentially the same tactics and malicious code as attacks against home users. Established hacker gangs are creating and perfecting universal malware capable of being used for a variety of purposes -- the evolutionary Zbot Trojan, or ZeuS as it is otherwise known, and constantly changing exploit packs are perfect examples of this.

The top targeted countries

Let us take a look at the countries in which users were most often subjected to cyberattacks. As our quarterly studies show, these statistics are very stable, although we have seen a few recent changes.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *