IT Threat Evolution: Q2 2012

Contents

Q2 in figures

  • According to KSN data, Kaspersky Lab products detected and neutralized over 1 billion threats in Q2 2012.
  • A total of 89.5 million URLs serving malicious code were detected.
  • A total of 14,900 files from malicious programs targeting Android were detected.

Overview

Mobile malware

In Q2 2012, the number of Trojans targeting the Android platform nearly tripled from the first quarter of the year. Over the past three months, over 14,900 new malicious programs were added to our database.


The number of malware modifications targeting Android OS

The dynamic development of threats targeting Android points to the fact that more virus writers are changing gear and focusing more on developing malicious programs for mobile devices. The development of mobile threats has led to the development of a black market for malware distribution, just as with threats targeting Windows. The main channels of distribution are unofficial online app stores and affiliate programs. Incidentally, mobile malware is becoming more complex: malicious users have been working hard to come up with new code obfuscation and protection, which complicates the threat analysis process.

Nearly half (49%) of all Kaspersky Lab threat detections in the second quarter of 2012 were multi-functional Trojans that steal data from telephones (contact names, email addresses, telephone numbers, etc.), and are also capable of downloading additional modules from servers run by malicious users.

A quarter of the Android malware detected is made up of SMS Trojans. These malicious programs steal money from victims' accounts, and send the cash to fee-based numbers by text message from victims' mobile devices — and the victims don't notice a thing. A couple of years ago, these programs could be found in the republics of the former USSR, East Asia, and China. Today, they are found around the world: in Q2 2012, Kaspersky Lab protected users in 47 countries against SMS threats.

Some 18% of Android threats detected in the second quarter this year are backdoors that give malicious users the ability to gain full control over an infected device. These programs are used to build botnets out of mobile devices.


The distribution of malicious programs targeting the Android platform in Q2 2012, by behavior

For now, only a small number of Trojan Spy programs are targeting Android – just 2% of the total. However, these are the malicious programs that pose the greatest threat to users. These programs are on the hunt for the most valuable data that give malicious users access to bank accounts.

In June, Kaspersky Lab experts detected a new version of a malicious program designed to intercept incoming text messages. The threat is disguised as Android Security Suite Premium. But what makes this Trojan stand out is that all of its command servers were registered in the name of one person. Of course, the data was fake, but the very same data was used to register a number of command domains for Zbot (ZeuS). This leads us to the conclusion that the interception of text messages is ultimately aimed at obtaining authorization codes for bank transactions, and that the threat is part of the Trojan-Spy.AndroidOS.Zitmo family.

Threats targeting Mac

The number of threats targeting Mac detected in Q2 2012 fell from the first quarter of the year. Entries were added to our antivirus database detecting 50 new malicious programs for Mac OS X.

After the FlashFake botnet was detected last quarter — with over 700,000 Mac computers affected — Apple responded more actively to the security issues with its operating system. Examples include the issue of critical patches for Oracle Java at the same time as their Windows versions, and they announced security features for the next version of Mac OS X: default app installation settings only from the official store, plus the use of a sandbox for apps downloaded from the store, automatic installation updates, etc.


The number of new threats for the Mac OS X platform added to Kaspersky Lab's antivirus database in the second quarter of 2012

Kaspersky Lab's prediction that attacks against Mac users would continue into the second quarter turned out to be spot on. In late June 2012, our antivirus radars detected a new targeted attack against Uyghur Mac users in China. Unlike previous attacks, the malicious users did not employ exploits to deliver threats to the victim computers. This time, a specific group of people were sent emails with a ZIP attachment. The ZIP archive contained JPG files and an application for Mac with a text document icon. This is a classic example of social engineering. The main component of the attack was an executable file disguised as a text document — a backdoor for Mac OS X that functions both on the i386 and PowerPC architecture, and detected by Kaspersky Lab products as Backdoor.OSX.MaControl.b. Kaspersky Lab products also detected a Windows backdoor that was used in the same attack.

The backdoor performs a number of functions, but mainly it allows malicious users to obtain files from an infected machine. The configuration data from command servers are encrypted using a fairly simple method, which has enabled us to determine that the command center is located in China.

Apple products are quite popular among many influential political figures and prominent businessmen, and the information stored on these peoples' devices is of interest among a certain category of malicious users. That means that APT attacks targeting Mac users will certainly continue. The evolution of targeted attacks could mean the development of cross-platform threats that will have similar code and run on several of the most common operating systems.

LinkedIn data and passwords leaked

In Q2 this year, several prominent online services were in the headlines in connection with leakages of password hashing databases. One of the biggest stories was that parts of the database (6.5 million hashed passwords) of the popular social network LinkedIn were made public. On 6 June, one day after the data was published, the company confirmed the leak and reported that as a result of its prompt response, the published passwords were suspended and users had to create new passwords.

Unfortunately, by the time this announcement was published, more than half of the passwords had already been extracted from the database. How did they do it so quickly? It all comes down to the fact that LinkedIn, for some reason, stored its hashes without so-called salting — adding random bits to a source password before hashing. Since that technology was not used, the SHA-1 hash was very quickly found through a scan with pre-calculated hashes from popular passwords from dictionaries. Another reason it was possible to obtain the passwords so quickly is because over half of the user passwords were very simple, making it easier to hack them. After this incident, LinkedIn reported that they will now use both hashing and salting to store passwords.

In order to avoid becoming a victim in a similar attack, users should first and foremost use long, complex passwords that are more difficult to hack. One should also keep in mind that using the same password for different services greatly increases the scope of potential damages if one account is hacked.

Kaspersky Lab also recommends that website administrators use hashing and salting at the very least when storing passwords. Nevertheless, the use of secure hashing algorithms (such as SHA-1 or MD5) and salts with systems that generate GPU when scanning passwords will not always mean complete protection against hacking. A more reliable solution involves the use of algorithms such as PBKDF2 (Password-Based Key Derivation Function 2) or bcrypt, which not only use salting by default, but also help slow down the password scanning process.

Flame - the spyware saga continues

The biggest recent spyware event was the detection of the Flame worm.

The International Telecommunication Union asked Kaspersky Lab to assist in the search for an unknown malicious program that was deleting confidential data from computers located in the Middle East. During this process, Kaspersky Lab detected a new malicious program that we named Worm.Win32.Flame.

While Flame's primary function differs from that of known cyber weapons such as Duqu and Stuxnet, these malicious programs all have a lot in common: the geography of the attacks, and a specific target combined with the exploitation of specific software vulnerabilities. This puts Flame among the ranks of other cyber super-weapons released in the Middle East by unknown malicious users.

Flame is considerably more complex than Duqu and is comprised of a very cunning set of attack-launching tools. The size of the program is nearly 20 MB. It is a backdoor Trojan that also demonstrates the features of a worm: it can self-replicate on local networks and via removable media when it receives the appropriate commands. The most dangerous means of spreading Flame is via its replication in local networks that are already infected with malware disguised as Windows updates. Furthermore, the code has certificates that were initially issued by Microsoft. Microsoft found that its digital signatures were being used unlawfully, and the certificates in question were immediately recalled. The company promptly published a security advisory on the matter and issued update KB2718704.

Flame has stolen a variety of data from infected computers located in the Middle East (Iran, Sudan, Syria, etc.), including video and audio files, as well AutoCAD blueprints.

Flame is one of today's most complex cyber threats. The program is large, has an incredibly intricate structure, and is an excellent example of how espionage may develop in the 21st century.

Statistics

All of the statistics reported here are based on data collected by the Kaspersky Security Network and its security modules. The statistics were acquired from KSN users who consented to share their local data. Millions of users of Kaspersky Lab products in 213 countries take part in the global information exchange on malicious activity.

Online threats

The statistics in this section are derived from the web-based antivirus solution that protects users as soon as malicious code is uploaded from an infected web page. Infections can be found on web pages where users are allowed to create their own content (e.g. forums) and even on legitimate pages which have been compromised by hackers.

Malicious programs on the Internet (attacks via the web)

In Q2 2012, 434 143 004 attacks from web resources located in different countries were neutralized. Of those, 145 007 unique modifications of malicious and potentially unwanted programs were detected.

Top 20 malicious programs on the Internet

Rank Name* % of all attacks**
1 Malicious URL 85,8%
2 Trojan.Script.Iframer 3,9%
3 Trojan.Script.Generic 2,7%
4 Exploit.Script.Blocker 0,6%
5 Trojan.JS.Popupper.aw 0,4%
6 Trojan.Win32.Generic 0,4%
7 Trojan-Downloader.JS.Iframe.cxk 0,3%
8 Trojan-Downloader.JS.Expack.sn 0,2%
9 Exploit.Script.Generic 0,2%
10 Trojan-Downloader.Script.Generic 0,2%
11 Trojan-Downloader.JS.Agent.gqu 0,2%
12 Trojan-Downloader.Win32.Generic 0,2%
13 Hoax.HTML.FraudLoad.h 0,1%
14 Trojan-Downloader.SWF.FameGake.a 0,1%
15 Trojan.JS.Iframe.aaw 0,1%
16 Trojan.JS.Agent.bxw 0,1%
17 AdWare.Win32.IBryte.x 0,1%
18 AdWare.Win32.ScreenSaver.i 0,1%
19 Trojan-Downloader.JS.Agent.grd 0,1%
20 Trojan-Downloader.JS.JScript.ag 0,1%


*These statistics represent detection verdicts of the web-based antivirus module and were submitted by the users of Kaspersky Lab products who consented to share their local data.

**The total number of unique incidents recorded by web-based antivirus on user computers.

 

Blacklisted malicious links remained the most commonly uncovered malicious programs on the Internet in Q2. Their numbers have increased 1.5% since the first quarter of the year, and represent 85.5% of all detections. They mostly include a variety of websites that redirect users. Readers may recall that the most common means of infection are the result of drive-by attacks. Furthermore, users click on dangerous links themselves, for example when looking for bootlegged content. As usual, a considerable amount of malicious addresses were detected on websites with a connection to exploit packs.

Thirteen of the rankings in the top 20 are held by malicious programs that exploit vulnerabilities in software and are designed to deliver other malware to the victim's computer. Two of these are malicious programs that were heuristically detected: Exploit.Script.Blocker and Exploit.Script.Generic.

The amount of adware is still on the decline, and only two adware programs made the top 20 in the second quarter this year. These programs operate as browser add-ons in the form of a new search panel and change the homepage. They are essentially legitimate programs, and their writers pay affiliates to install them. However, there are some distributors of these programs who will happily accept payment without first obtaining user consent before installing the program.

Vulnerable applications targeted by malicious users

Most online attacks are launched using exploits that take advantage of software errors, allowing malicious users to execute malicious programs without the victim suspecting a thing.

Which apps are most susceptible to exploits? The answer is illustrated in the pie chart below: Adobe Acrobat Reader, Java, Android Root, and Adobe Flash Player. Users should install updates for these programs — or even better yet, allow automatic updates for these programs.


Software susceptible to exploits, Q2 2012

Countries where web resources are seeded with malware

In order to identify the geographical source of an attack, the domain name is compared to the actual IP address where the domain in question is located, and the geographical location of the IP address is determined (GEOIP).

In Q2 2012, 85% of online resources (1% more than in Q1 2012) were used to spread malicious programs and were located in dozens of countries around the world


A distribution of online resources seeded with malicious code, by country.
Q2 2012

This top 10 did not undergo any major changes — the same countries that made the rankings last quarter are back again in Q2. Over the past three months, the percentage of hosting services located in the US rose considerably (+7 percentage points). This was primarily the result of declines in the numbers seen in the other Top 10 countries: Russia (-1.5 percentage points), Germany (-1.9 percentage points), the Netherlands (-1.2 percentage points), Britain (-1 percentage points), and France (-1.7 percentage points). Russia took second place this quarter with a total of 14%, pushing the Netherlands (12%) down into third place.

Countries where users run the most serious risk of infection via the Internet

In order to assess a user's infection risk in any given country, Kaspersky Lab calculated the frequency of web antivirus detections in different countries throughout the quarter.


20 countries where users run the most serious risk of infection via the Internet*, Q2 2012

*When calculating, we excluded those countries in which the number of Kaspersky Lab product users is relatively small (less than 10,000).

**The percentage of unique users in the country with computers running Kaspersky Lab products that blocked web-borne threats.

 

The top 20 is largely comprised of former Soviet republics, as well as countries in Africa and South East Asia.

The countries can also be broken down into different risk groups.

  1. High risk. With an infection risk of 41-60%, this group includes the first 18 countries from the Top 20, including Russia (59.5%), Kazakhstan (54%), Ukraine (47.3%), India (48%), Indonesia (42.2%), and Malaysia (41.8%).
  2. Moderate risk. This past quarter, 103 countries were found to have an infection risk of 21-40% including Spain (37.8%), Italy (34.8%), Canada (36%), the US (35.7%), and Britain (31.6%).
  3. Low risk. The safest group in Q2 2012 included 16 countries with the scores ranging from 12.3–20%.

The lowest infection rates were seen in Taiwan (15.2%), Japan (18.1%), Denmark (18.9%), Luxembourg (19.7%), and the Czech Republic (20%). We want to point out that this group also includes some countries in Africa, although these countries face higher rates of local infection.


The risk of online infection around the world in Q2 2012

On average, 39.7% of computers running KSN (i.e. four out of every ten computers around the world) were subjected to attacks while surfing the web in the second quarter of the year. This average has risen 11 percentage points from first quarter figures.

Local threats

This section of the report contains an analysis of statistics based on data obtained from the on-access scanner and scanning statistics for different disks, including removable media (the on-demand scanner).

Objects detected on user computers

During the second quarter of 2012, Kaspersky Lab solutions successfully blocked 1 041 194 194 local infection attempts on user computers participating in Kaspersky Security Network.

In total, the on-access scanner module recorded 383 667 unique modifications of malware and potentially unwanted programs attempting to launch on user computers.

Objects detected on user computers: Top 20

Rank Name % of individual users*
1 Trojan.Win32.AutoRun.gen 17,8%
2 Trojan.Win32.Generic 17,.4%
3 DangerousObject.Multi.Generic 16,1%
4 Trojan.Win32.Starter.yy 7,4%
5 Virus.Win32.Sality.bh 6,7%
6 Virus.Win32.Virut.ce 5,4%
7 Net-Worm.Win32.Kido.ih 5,1%
8 Virus.Win32.Sality.aa 4,2%
9 HiddenObject.Multi.Generic 3,6%
10 Virus.Win32.Nimnul.a 3,1%
11 Trojan.WinLNK.Runner.bl 2,2%
12 Worm.Win32.AutoRun.hxw 2,0%
13 Trojan.Win32.Hosts2.gen 1,4%
14 Virus.Win32.Sality.ag 1,4%
15 Worm.Win32.Mabezat.b 1,0%
16 AdWare.Win32.GoonSearch.b 0,8%
17 AdWare.Win32.BHO.aqbp 0,7%
18 Trojan-Dropper.Script.Generic 0,5%
19 AdWare.Win32.HotBar.dh 0,3%
20 Trojan-Downloader.WMA.Wimad.ag 0,3%


These statistics are compiled from the malware detection verdicts generated by the on-access and on-demand scanner modules on user computers running Kaspersky Lab products; these users have consented to submit their statistical data.
* The number of individual users on whose computers the antivirus module detected these objects as a percentage of all individual users of Kaspersky Lab products on whose computers a malicious program was detected.

At the top of the chart with 17.8% we see an updated, heuristically detected threat that spreads through removable media, primarily flash drives. The fact that this verdict has made first place on this quarter's rankings shows that traces of malicious programs were found on a very high proportion of removable media.

In second place is a verdict provided by the heuristic analyzer during proactive detection of a variety of malicious programs: Trojan.Win32.Generic (17.4%).

Malicious programs detected using cloud technologies (16.1%) fell from first to third place this past quarter. These technologies work when antivirus databases still do not have signatures or heuristics for detecting malicious programs, but antivirus company 'clouds' already have data about a threat. In this case, the threat is assigned the name DangerousObject.Multi.Generic.

Adware programs were seen in 16th, 17th, and 20th places in the ranking this past quarter. We saw one new arrival: the AdWare.Win32.GoonSearch family (0.8%). These programs are IE add-ons, although there have been cases when they have ended up on computers without the user's consent; these programs also counter antivirus operations.

Net-Worm.Win32.Kido (5.1%) continued to fall in the rankings in Q2 2012. Meanwhile, another representative of file infectors climbed the chart: in addition to the viruses Virus.Win32.Sality.bh, Virus.Win32.Sality.аа, Virus.Win32.Nimnul.a and Trojan.Win32.Starter.yy, Kaspersky Lab also noted the appearance of Virus.Win32.Virut.ce (5,4%), which infects machines and makes them part of a large botnet that is used to spread other malware.

Countries with the highest risk of local infection

These figures show the average rate of infection in different countries. Some 36.5% of computers participating in KSN have experienced positive detections of a malicious file at least once (either on the computer itself, or on removable media connected to the computer). That is 5.7 percentage points lower than in the first quarter of the year.


Top 20: Computer infection levels by country in Q2 2012

* We did not include countries where the number of KL users is relatively low (less than 10,000) in our calculations.
** The percentage of all local threats on user computers, compared to all unique users of KL products in the country.

The Top 20 is largely comprised of countries in Africa and South East Asia. In Bangladesh, Kaspersky Lab products detected malicious programs on 98 out of every 100 computers.

Local infection rates can also be categorized into separate categories.

  1. Maximum level of local infection (over 60%): 20 countries, primarily in Asia (India, Vietnam, Mongolia etc.), Middle Eastern countries (Iraq, Afghanistan) and Africa (Sudan, Angola, Nigeria, Cameroon, and others).
  2. High level of local infection (41-60%): 51 countries, including Indonesia (58.3%), Kazakhstan (46.1%), China (43.9%), Ecuador (43.8%), Russia (42.6%) and the UAE (42.3%).
  3. Moderate level of local infection (21-40%): 43 countries including Turkey, Mexico, Israel, Latvia, Portugal, Italy, the US, Australia and France.
  4. Lowest level of local infection: 23 countries including Canada, New Zealand, Puerto Rico, 13 European countries (including Norway, Finland, the Netherlands, Ireland, Germany, and Estonia), plus Japan and Hong Kong.


The risk of local PC infection around the world, Q2 2012.

The 10 countries where users face least risk of local infection are:

Rank Country % of unique users
1 Denmark 12,0
2 Reunion 13,4
3 Czech Republic 13,6
4 Japan 14,6
5 Luxembourg 15,0
6 Sweden 15,0
7 Switzerland 16,2
8 Finland 16,3
9 Germany 17,2
10 Netherlands 17,7

Denmark, Luxembourg, the Czech Republic, and Japan are all on the list of the lowest-risk countries for surfing on the Internet. But even in Denmark, malicious programs can be found on 12 out of every 100 computers.

Vulnerabilities

During the second quarter of 2012, a total of 31 687 277 vulnerable programs and files were detected on the computers of KSN users. On average, Kaspersky Lab detected nine different vulnerabilities on each affected computer.

The Top 10 vulnerabilities are listed in the table below.

Secunia ID - Unique vulnerability number Vulnerability name and link to description What the vulnerability lets malicious users do "Percentage of users on whose computers the vulnerability was detected " Date of latest change Rating
1 SA 48009 Oracle Java JDK / JRE / SDK Multiple Vulnerabilities "Gains access to a system and executes arbitrary code with local user privileges
Gains access to sensitive data
Manipulates data
DoS attacks "
31,4% 4/10/2012 Highly Critical
2 SA 48281 Adobe Flash Player Two Vulnerabilities Gains access to a system and executes arbitrary code with local user privileges, and gains access to sensitive data 20,9% 4/10/2012 Highly Critical
3 SA 48500 VLC Media Player Multiple Vulnerabilities Gains access to a system and executes arbitrary code with local user privileges 19,3% 3/21/2012 Highly Critical
4 SA 49472 Oracle Java Multiple Vulnerabilities "DoS attacks
Gains access to a system and executes arbitrary code with local user privileges.
XSS
Gains access to sensitive data Manipulates data "
16,5% 7/18/2012 Highly Critical
5 SA 47133 Adobe Reader/Acrobat Multiple Vulnerabilities "Gains access to a system and executes arbitrary code with local user privileges. " 14,4% 1/11/2012 Extremely Critical
6 SA 23655 Microsoft XML Core Services Multiple Vulnerabilities "Gains access to a system and executes arbitrary code with local user privileges.
DoS attacks
XSS "
13,5% 7/13/2011 Highly Critical
7 SA 49086 Adobe Shockwave Player Multiple Vulnerabilities "Gains access to a system and executes arbitrary code with local user privileges. " 11,4% 5/10/2012 Highly Critical
8 SA 47447 Apple QuickTime Multiple Vulnerabilities "Gains access to a system and executes arbitrary code with local user privileges. " 11,3% 6/29/2012 Highly Critical
9 SA 47932 Adobe Shockwave Player Multiple Vulnerabilities "Gains access to a system and executes arbitrary code with local user privileges. " 9,8% 2/15/2012 Highly Critical
10 SA 49388 Adobe Flash Player Multiple Vulnerabilities "Gains access to a system and executes arbitrary code with local user privileges.
Bypasses the security system. "
9,2% 6/18/2012 Highly Critical

* Percentage of all users on whose computers at least one vulnerability was detected.

In first place, just like in the first quarter of the year, we see Java products (developed by Oracle). Vulnerabilities in Java represent 31% of the vulnerabilities found on computers. There are two Java vulnerabilities in our Top 10.

Five of the 10 rankings are still filled by Adobe products: Flash Player and Shockwave, as well as the very widespread Adobe Reader.

The only new product on our Top 10 this quarter is a vulnerability detected in the free VLC media player.


Vendors of products with the Top 10 vulnerabilities, Q2 2012

All of the vulnerabilities in the Top 10 give malicious users the ability to use exploits to gain full control over the victim's system. There are vulnerabilities that allow malicious users to launch DoS attacks, as well as gain access to confidential information. This quarter's Top 10 also includes vulnerabilities that allow malicious users to manipulate data, bypass security systems, and launch XSS attacks.


Distribution of the Top 10 vulnerabilities by type of system impact

Conclusion

In the second quarter of this year we saw the steady growth in the number of threats targeting the Android platform continue. Over the course of the past three months, we have added nearly 15,000 new malicious dex-files to our collection. The complexity of malicious programs targeting the Android OS is also evolving — virus writers are coming up with different ways to frustrate the detection and analysis of their programs. That tells us that there has been an increase in the number of virus writers who have turned to developing mobile malware. The range of black market services to proliferate mobile threats is also developing, and in the near future that will lead to increased attacks against the users of mobile devices, while the attacks themselves become more sophisticated.

Leakages suffered by major services organized by hacktivist groups have become more common, and in the last quarter, this led to the disclosure of the passwords of millions of Internet users. Unfortunately, a large number of users pick the same username and password combination for many websites, which only increases their risk of losing valuable personal data. However, one should keep in mind that users have no one to blame but themselves when it comes to the rapid deciphering of archived password databases when they use simple passwords. The same goes for website administrators who use encryption methods that are too simple. This is not a new problem, and there are several ways to go about resolving it. One would hope that as a result of frequent hacking activity, admins will start to use more reliable algorithms for storing passwords.

Next quarter, we will see two major hacker conferences — BlackHat and Defcon. Both events typically showcase a number of new attack techniques which are typically put to use immediately by cybercriminals. That said we can expect malicious users to start trying out their new tricks in the third quarter.

The main topic in the news in Q2 2012 was the detection of the Flame cyber-espionage program. In addition to its enormous size and the broad spectrum of tools it can use to extract data from infected machines, Flame also demonstrates an interesting means of replication within local networks by creating a fake Windows updates server. Furthermore, code that is similar to a section of Flame's code was detected in one of the versions of the notorious Stuxnet worm, which came onto the scene back in 2009. That tells us that the developers of these two programs are somehow connected to one another.

The cyber-weapon situation is reminiscent of Pandora's Box which, once opened, can no longer be shut. Many countries around the world have issued official statements that they will be drawing up standards for operations in cyberspace, in addition to forming specialized units. Consequently, the history of cyber-weapons will not be limited to Duqu and Flame. The main challenge here is the absence of any type of control in the form of international cyberspace regulation.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *