Information Security Threats in the Second Quarter of 2010

The Quarter in Review

• Over 540 million infection attempts were detected.
• The majority of attacks targeted China (17.09%), Russia (11.36%), India (9.30%), the USA (5.96%) and Vietnam (5.44%)
• 27% of all malicious programs detected on the Internet were malicious scripts injected into a range of sites by cybercriminals.
• A total of 157,626,761 attacks were counteracted. These attacks stemmed from a range of Internet resources located in various countries.
• The percentage of exploits in the total number of malicious programs increased by 0.7%, with 8,540,223 exploits being detected.
• Exploits targeting vulnerabilities in Adobe programs continued to dominate, although the share decreased by 17% compared to Q1.
• 33,765,504 unpatched vulnerabilities were identified on users’ computers.
• 203,997,565 malicious programs were blocked and neutralized on users’ computers.

Overview

Botnets

The majority of the biggest malware incidents that took place in the second quarter of 2010 were linked in some way to botnets. New bots were created and existing bots further developed, such as TDSS, an article on which has been published by our virus analysts, and Zbot (ZeuS), which we discuss below.

ZeuS

The evolution of the ZeuS (Zbot) Trojan, which is used to build botnets, is worth describing. A new modification of the malicious program was detected in late April. It included file virus functionality, which meant it could infect executable files. The malware writers decided to use relatively unsophisticated code and a similarly simple infection routine. Instead of the Trojan itself, a 512-byte-long fragment of code was added to .exe files, after which the infected file’s entry point was changed so that the appended code would be executed prior to the original code.

The injected code is designed to download the new versions of the Trojan to the infected computer if the main ZeuS component has been removed. The malware writers used computers in the US to test the new version of the Trojan. ZeuS primarily targets online banking accounts and as online banking is more evolved in the US than anywhere else, computers located in the US users are tasty morsels for cybercriminals. The ZeuS version that the injected piece of code loaded was detected by Kaspersky Lab products as Trojan-Spy.Win32.Zbot.gen and had been created specifically to steal accounts from customers of Bank of America, a major US bank.

Another notable innovation is that ZeuS is distributed using pdf files. An independent researcher has discovered that executable files embedded in pdf documents can be executed without having to exploit any vulnerabilities. The file is executed using the Launch function described in the pdf format specification. Just a few days after this information was published on March 29, people started to get emails with a specially crafted pdf document, which used the file launching method described above to infect computers with the ZeuS Trojan. In order for the computer to become part of a botnet, all the user needed to do was open the attachment.

TwitterNET Builder

In our previous quarterly reports we wrote about cybercriminals’ first attempts to control botnets via social networks. Those were only proof-of-concept efforts and we expected further developments. We did not have to wait long. A bot building utility called TwitterNET Builder appeared on the Web in May. The program builds a botnet using a Twitter account as a command and control center.

Since no programming skills are required to use the builder, it’s an ideal toy for script kiddies, who are able build a bot with only a couple of mouse clicks. Kaspersky Lab classifies this ‘toy’ as Backdoor.Win32.Twitbot. The resulting bot has the following features: it can be used to downloads and run files, conduct DDoS attacks and open websites specified by the bot’s owners. To receive commands, the bot searches for the relevant Twitter account, which is used by the bot master to publish commands in text form.

Fortunately, this bot never became widespread, because security researchers were tracking such tricks. A botnet with such primitive control system (the commands were sent unencrypted via a social network) is easy to detect and disconnect from the command and control center by closing the cybercriminal’s account. To the credit of the network’s security service, there were no such command centers on Twitter by the end of June.

Attacks via social networks

Social networks have become a popular means of exchanging information. Cybercriminals take advantage of this by increasingly using them for fraudulent attacks, to send spam and distribute malware. Below we focus on the most notable incidents that took place on social networks in the second quarter.

Malware distribution

Recently, we’ve seen links to social networks being actively distributed in spam messages. Eventually, social networks may, to a great extent, replace email in spreading malware.

One example is Brazil, where, until recently, banking Trojans were primarily spread by email. Brazilian cybercriminals must have realized that social networks are much more suitable for this purpose: since the start of Q2, social networks have seen significant amounts of spam targeting Brazilian bank customers.

Statistics confirm that social network spam is effective: in just one attack on Twitter, over 2,000 people followed the link sent by spammers within the space of an hour.

A notable iPhone-related story took place on Twitter. On May 19, the social network’s administration officially announced a new application, Twitter for iPhone. Cybercriminals decided to ride the wave of interest caused by the announcement. Less than an hour after the news was published, Twitter was flooded with messages that included the words “twitter iPhone application” and links leading to malware: Worm.Win32.VBNA.b.

This particular piece of malware is notable for several reasons. One is that this worm has relatively good self-protection: it uses anti-emulation tricks to disable some Windows system programs and spreads via USB devices. Another is that its principal function is to steal information required to conduct financial operations. The piece of news that was used to spread the worm wasn’t chosen at random: most smartphone owners have bank accounts and cards which are a prime target for cybercriminals. Therefore, it’s not surprising that about a third of all VBNA.b attacks (27-33%) targeted US computers, which are of greatest interest for cybercriminals.

Likejacking

Click fraud has always been a lucrative proposition for cybercriminals and it has became even more profitable with the advent of social networks, since the major social networks have as many users as the world’s largest countries.

A new type of attack appeared on Facebook in May in response to the introduction of the new Like feature. As can be easily guessed, the feature is associated with a list of the things that the owner of an account liked on the Internet. Thousands of users fell victim to an attack that was dubbed “likejacking” (by analogy with clickjacking.)

An enticing link was placed on Facebook, e.g., “WORLD CUP 2010 in HD” or “101 Hottest Women in the World”. The link led to a specially created page, where a Javascript script placed an invisible Like button at the cursor’s location. The button kept following the cursor, and it was pressed regardless of where the user clicked. As a result, a copy of the link was added to the user’s Wall and information that the user liked the link appeared on his or her friends’ feeds. The attack had a snowball effect: the link was followed by friends, then friends of friends and so forth.

Naturally, the aim of this was to make money. Once the link was added to the Wall, the user was redirected to a page which contained an imitation player which supposedly showed World Cup games or pictures of girls. The page also hosted a small piece of JavaScript code. The script provided the cybercriminals who had set up the fraudulent scheme with a small sum every time a user was redirected to the page. Since thousands of people fell victim to the scheme, the cybercriminals must have made a tidy profit.

Luckily, so far we have not seen any cases of links to malware being distributed in this way.

Vulnerability disclosure

Two unexpected events involving vulnerabilities and Google took place in Q2. In both cases, a Google employee disclosed full information about vulnerabilities. Since at the time of disclosure there were no patches for the vulnerabilities, this predictably led to mass exploitation by black hats.

A zero-day vulnerability in Java Web Start (CVE-2010-0886) was disclosed on April 9. Oracle worked hard to develop a patch, which was released on April 16. However, cybercriminals beat them to it: a couple of days after the vulnerability disclosure, an exploit was widely available and even added to an exploit pack. Exploits are clearly mass-produced by cybercriminals these days: the domain that was subsequently used to conduct attacks was registered one day before information on that particular vulnerability was published.

In the second instance, the same Google employee disclosed a vulnerability in the Windows Help and Support Center (CVE-2010-1885). The situation repeated itself and working exploits became available on the Internet very soon after the information had been disclosed.

A researcher disclosing information about vulnerabilities is probably impelled to do so by an acute sense of justice. He believes that by making that information public, he is doing a good deed. But is this really the case?

On the one hand, when a vulnerability is disclosed, software vendors try to release a patch as quickly as possible. On the other hand, all cybercriminals receive a brand new weapon that is nearly 100% effective. In addition, while fixing today’s software that is made up of millions of lines of code takes much longer than a day, cybercriminals can take advantage of the vulnerability virtually at once. Isn’t this too high a price to pay for fixing bugs?

Our research demonstrates that such attempts to do good lead in quite the opposite direction. According to our data, exploits that target the CVE-2010-0886 vulnerability became widespread very soon. In their heyday, they boasted a 17% share of all vulnerabilities! The situation with the exploit that targets the HSC vulnerability (CVE-2010-1885) is similar. It is rapidly gaining ground and has risen as high as thirteenth in the quarterly exploit ranking, in spite of the fact that it only appeared in the last month of the quarter. It can only be hoped that this will be a good lesson to all researchers.

Non-Windows platforms

On May 31, Google announced that it was abandoning Windows and migrating to Linux and Mac OS. Security issues were among the reasons for this decision cited by Google representatives. However, Linux and Mac OS are, in fact no better protected than Windows.

The second quarter saw malware for alternative platforms gaining new ground. A new backdoor for Mac OS X, Backdoor.OSX.Reshe.a, appeared on April 20. Once on the victim machine, the malware protects itself by disguising as iPhoto, a popular application, and configures itself to start at system startup. The backdoor offers an attacker full control of the infected computer, with the ability to send spam, search for and steal files, download and execute programs, take screenshots and much, much more. It is written in RealBasic and can run on Apple computers based on both PowerPC and Intel processors. So far, mass use of this malware has not been detected, but it nevertheless remains a weapon in the hands of cybercriminals.

On June 3, several days after Google’s announcement that it was migrating to alternative operating systems, Kaspersky Lab detected a new Trojan Spy for Mac OS X. The malware was disguised as an advertising system and was distributed in a bundle with legitimate software. In addition to stealing information from the computer, the malware has backdoor functionality, enabling attackers to send commands to the computer.

Many Mac OS users have a false sense of security. They are convinced that there are simply no threats that target their operating system. At the same time, Apple Computers admits that malware for Macs does exist. In the latest update for OS X 10.6.4, Apple quietly added a new signature to its antivirus scanner to protect computers against Backdoor.OSX.Reshe.a, which we described above. However, these quiet updates provided by the vendor only support users’ false sense of security instead of dispelling it.

It should be noted that there are no operating systems that are completely safe. Today, Mac OS X is no more secure than, say, Windows 7 because, Mac OS X also requires anti-malware protection. Given the incidents described above, it is quite conceivable that targeted attacks on Macs are not far away.

Most commonly targeted countries

In the past three months, over 540 million attacks were blocked in 228 countries. Last quarter, even Norfolk Island with a population of 2,141 appeared on Kaspersky Lab’s antivirus radar. During the quarter, the average number of infection attempts increased globally by 4.5% per month.

As the table below shows, the likelihood of a computer becoming infected depends on its location.

Distribution of attacks by country Q2 2010 and Q1 2010

Authors Yury Namestnikov Information Security Threats in the Second Quarter of 2010 Your email address will not be published. Required fields are marked * Name * Email *   Cancel Δ Table of Contents The Quarter in Review Overview Botnets ZeuS TwitterNET Builder Attacks via social networks Malware distribution Likejacking Vulnerability disclosure Non-Windows platforms Most commonly targeted countries GReAT webinars 13 May 2021, 1:00pm GReAT Ideas. Balalaika Edition 26 Feb 2021, 12:00pm GReAT Ideas. Green Tea Edition 17 Jun 2020, 1:00pm GReAT Ideas. Powered by SAS: malware attribution and next-gen IoT honeypots 26 Aug 2020, 2:00pm GReAT Ideas. Powered by SAS: threat actors advance on new fronts 22 Jul 2020, 2:00pm GReAT Ideas. Powered by SAS: threat hunting and new techniques From the same authors Cybersecurity of connected healthcare 2020: Overview and predictions Cyberthreats to financial institutions 2020: Overview and predictions FIN7.5: the infamous cybercrime rig “FIN7” continues its activities Cyberthreats to financial institutions 2019: overview and predictions Cybercriminals vs financial institutions in 2018: what to expect Subscribe to our weekly e-mails The hottest research right in your inbox Email* * I agree to provide my email address to “AO Kaspersky Lab” to receive information about new posts on the site. I understand that I can withdraw this consent at any time via e-mail by clicking the “unsubscribe” link that I find at the bottom of any e-mail sent to me for the purposes mentioned above. Subscribe Δ In the same category Android malware, Android malware and more Android malware The mobile malware threat landscape in 2023 FakeSG campaign, Akira ransomware and AMOS macOS stealer IT threat evolution in Q3 2023. Mobile statistics IT threat evolution Q3 2023 Latest Posts Malware descriptions SoumniBot: the new Android banker’s unique techniques Malware descriptions Using the LockBit builder to generate targeted ransomware Incidents XZ backdoor story – Initial analysis Malware descriptions DinodasRAT Linux implant targeting entities worldwide Latest Webinars Technologies and services 11 Dec 2023, 4:00pm 60 min The Future of AI in cybersecurity: what to expect in 2024 Threat intelligence and IR 30 Nov 2023, 4:00pm 70 min Responding to a data breach: a step-by-step guide Cyberthreat talks 14 Nov 2023, 4:00pm 60 min 2024 Advanced persistent threat predictions Cyberthreat talks 09 Nov 2023, 5:00pm 60 min Overview of modern car compromise techniques and methods of protection Reports ToddyCat is making holes in your infrastructure We continue to report on the APT group ToddyCat. This time, we’ll talk about traffic tunneling, constant access to a target infrastructure and data extraction from hosts. DuneQuixote campaign targets Middle Eastern entities with “CR4T” malware New unattributed DuneQuixote campaign targeting entities in the Middle East employs droppers disguised as Total Commander installer and CR4T backdoor in C and Go. HrServ – Previously unknown web shell used in APT attack In this report Kaspersky researchers provide an analysis of the previously unknown HrServ web shell, which exhibits both APT and crimeware features and has likely been active since 2021. Modern Asian APT groups’ tactics, techniques and procedures (TTPs) Asian APT groups target various organizations from a multitude of regions and industries. We created this report to provide the cybersecurity community with the best-prepared intelligence data to effectively counteract Asian APT groups. Subscribe to our weekly e-mails The hottest research right in your inbox Email* * I agree to provide my email address to “AO Kaspersky Lab” to receive information about new posts on the site. I understand that I can withdraw this consent at any time via e-mail by clicking the “unsubscribe” link that I find at the bottom of any e-mail sent to me for the purposes mentioned above. Subscribe Δ Threats Threats APT (Targeted attacks) Secure environment (IoT) Mobile threats Financial threats Spam and phishing Industrial threats Web threats Vulnerabilities and exploits Categories Categories APT reports Malware descriptions Security Bulletin Malware reports Spam and phishing reports Security technologies Research Publications Other sections Archive All tags Webinars APT Logbook Statistics Encyclopedia Threats descriptions KSB 2023 © 2024 AO Kaspersky Lab. All Rights Reserved. Registered trademarks and service marks are the property of their respective owners. Privacy Policy License Agreement Cookies Subscribe to our weekly e-mails The hottest research right in your inbox Email* * I agree to provide my email address to “AO Kaspersky Lab” to receive information about new posts on the site. I understand that I can withdraw this consent at any time via e-mail by clicking the “unsubscribe” link that I find at the bottom of any e-mail sent to me for the purposes mentioned above. Subscribe Δ