This report was compiled on the basis of data obtained and processed using the Kaspersky Security Network (KSN). KSN is one of the most important innovations in personal products and is currently in the final stages of development. Once completed, it will become an integral feature of Kaspersky Lab’s corporate product range.
The Kaspersky Security Network can, in real time, detect new malware for which no signatures or heuristic detection methods are currently available. KSN helps identify the source of malware proliferation on the Internet and block user access to it.
Additionally, KSN provides a must faster response to new threats. This technology makes it possible to block the launch of new malware on users’ computers running KSN within seconds of a program being found to be malicious — the process is not delayed by waiting for antivirus database updates.
The Quarter in Review
- A total of 327,598,028 attempts to infect users’ computers in different countries around the world were recorded — that’s 26.8% more than in the previous quarter.
- The vector of attack employed by the cybercriminals is changing: the percentage of attacks that targeted Chinese users dropped by 13%.
- The most dominant malware family on the Internet utilizes HTML code or scripts that the cybercriminals primarily use to infect legitimate sites.
- A total of 119,674,973 malicious host servers were identified. The US and Russia were both ahead of China in terms of the number of malicious hosting servers.
- Detected vulnerabilities increased by 6.9% from the previous quarter. Six of the ten most common vulnerabilities found were in Microsoft products.
- The number of exploits increased 21.3%. Roughly fifty percent of all exploits take advantage of vulnerabilities in Adobe programs due to the fact that Adobe’s programs are widespread and can be run on a number of different platforms.
- Almost any device that synchronizes with a computer is used by the cybercriminals as a carrier of malware these days. The most unusual of which has so far been a USB charger for Energizer batteries.
The most newsworthy events in the first quarter of 2010 are, in one way or another, connected to Internet threats. As usual, the most common tactic employed by the cybercriminals is the so-called ‘drive-by download.’ Key to these types of attacks is that the exploits are used to take advantage of different vulnerabilities in browsers and plug-ins.
There was a lot of press coverage of ‘Operation Aurora’ — a hacker attack targeting major corporations like Google and Adobe. In order to launch this large scale attack, the hackers used an exploit detected by Kaspersky Lab products as Exploit.JS.Aurora. This exploit takes advantage of the CVE-2010-0249 vulnerability which can be found in several versions of MS Internet Explorer, a common web browser. The attack was conducted using targeted mailings with links to a webpage containing the exploit. If everything went according to the fraudsters’ plan, after visiting the infected website, a user’s computer would covertly download a piece of malware without alerting the user. The hackers’ goal was to collect confidential user and corporate data, including source code for major projects.
The publication of information about the attack caused Germany, France and Australia to encourage their citizens to use browsers other than MS Internet Explorer — at least until a patch was released to eliminate the vulnerability. Microsoft developers had been aware of the vulnerability since September 2009. As many know, Microsoft releases patches for its products on a monthly basis, an event now commonly known as ‘Patch Tuesday’. The problem is that in between Patch Tuesdays, hackers can exploit new vulnerabilities safe in the knowledge that they will work swimmingly on most computers before the next round of patches are released.
The uproar surrounding the consequences of the Aurora exploits forced Microsoft to release a patch for the CVE-2010-0249 vulnerability earlier than scheduled. This is a small, yet significant victory for IT security professionals everywhere. Towards the end of the quarter, Microsoft released yet another unscheduled and urgent patch for Internet Explorer, the reason for which turned out to be the exploitation of vulnerabilities in yet another attack. This goes to show that the software developers are taking more responsibility when it comes to the security of their products. We hope this lesson won’t soon be forgotten.
In the light of recent events, we began to expect some improvements to Adobe’s policy on the release of automatic updates. On 13 April Adobe activated a new update service for Adobe Reader and Adobe Acrobat for the latest versions running on Windows and Mac OS X. This is of particular relevance as according to our quarterly statistics virus writers exploit more vulnerabilities in Adobe software than in Microsoft products. This continues to happen in spite of the fact that more unpatched vulnerabilities have been found in Microsoft solutions than in Adobe products. Adobe has become the prime target for virus writers because its software is so widespread and because it runs on a number of different platforms.
Of late, one of the most striking trends that cannot go unmentioned is that existing malicious programs are being updated and made more complex. Established hacker gangs are putting the finishing touches to their masterpieces, as we can see from the following examples: the addition of a new function to the ZeuS Trojan, allowing it total control over an infected computer, the development of fake antivirus programs and Sality, one of the most widespread viruses.
The fake antivirus programs that flourished across the English-language Internet last year are still evolving. Unlike other malicious programs that try to hide their activity, fake antivirus programs try to attract a user’s attention. Furthermore, the creators of these fake antivirus programs use a variety of tactics to confuse Internet users. One of these tactics involves copying the interfaces used by known antivirus manufacturers, such as Avira, AVG and Kaspersky Lab. Unfortunately, the more precise the copy, the better the chances are that even an experienced user will fall for the cybercriminals’ bait. Until recently, real antivirus programs were distinguished from their counterfeit others by multi-language and technical support. However, in the first few months of 2010 we recorded several instances in which fake antivirus programs had been localized into other languages. We have also seen more frequent instances of fake antivirus programs that purport to offer technical support. The reason for all of these tricks is that a serious war is being waged against fake antivirus programs and educating the user is top priority on the battlefield. Correspondingly, the cybercriminals have had to come up with new methods of persuading users to buy their counterfeit programs.
During the first quarter of the year, the cybercriminals took advantage of just about every major newsworthy event in order to lure as many potential victims as possible into visiting infected websites, leaving no doubts at all as to their complete lack of moral standards. The release of the iPad, the Avatar blockbuster, the devastating earthquake in Haiti and the terrorist attacks in Moscow are just a few of the topics seized upon by the unscrupulous cybercriminals. Virus writers used a number of different methods to distribute links to their handiwork, such as creating and using fake accounts on popular social networking sites to post messages, orchestrating spam mailings and poisoning search engines. Search engine poisoning is based on techniques used to promote websites dedicated to a particular subject and is also known as Black SEO. When search engines are compromised, a user’s common search request will return results in the form of links that lead to infected websites. In the overwhelming majority of cases, users’ computers will attempt to download fake antivirus programs from these sites. One would hope that the companies running search engines have started to pay closer attention to this problem.
December 2009 saw the introduction of far more stringent registration policies for Internet addresses using the ‘.cn’ domain. Following the implementation of legislation by the CNNIC, new domain registration rules now require a written statement in which the petitioner must provide verifiable identification and a license to run commercial operations. Websites that were already registered are now subject to an inspection and if the owner cannot provide the required documentation, then the website will be closed down. In order to streamline the ‘.cn’ domain inspection process, registration via foreign services is now prohibited. As we can see from the results for the first quarter of 2010, these stricter measures have had a positive impact: there has been a considerable decrease in the percentage of malicious content originating from this part of the Internet. We address this phenomenon in more detail in the section on the geographic distribution of threats that can be found further on in this report.
In general, this past quarter has seen an abundance of events that have served to emphasize the relevance of protection against malicious code for both home and corporate users. It is remarkable that attacks against corporate systems used essentially the same tactics and malicious code as attacks against home users. Established hacker gangs are creating and perfecting universal malware capable of being used for a variety of purposes — the evolutionary Zbot Trojan, or ZeuS as it is otherwise known, and constantly changing exploit packs are perfect examples of this.
The top targeted countries
Let us take a look at the countries in which users were most often subjected to cyberattacks. As our quarterly studies show, these statistics are very stable, although we have seen a few recent changes.
|№||Q1 2010||№||Q1 2009|
|2||Russian Federation||13.18%||2||Russian Federation||9.82%|
|4||United States||5.25%||4||United States||4.60%|
The distribution of attacks by country Q1 2010 and Q4 2009
In the first quarter of 2010 we recorded 327,598,028 attempts to infect users’ computers in different countries around the world. That is a 26.8% rise compared to the fourth quarter of 2009. The country ratings have changed only slightly, but the percentage of attacks targeting Chinese users fell by 13%. However, given that the total number of attacks increased by over 25%, we must conclude that the cybercriminals have merely chosen other targets.
The main targets for the cybercriminals were users in countries with a developed or actively developing economy. In the Americas the main targets were the US and Mexico, while Western European targets included Germany, France, Italy, Spain and the UK. The primary targets in Eastern Europe were Russia and Ukraine. These are the countries that already have the most developed Internet banking and e-commerce systems in place. Consequently, in attacking the users of these countries, the cybercriminals have a much greater chance of stealing money from their victims using the personal data harvested from their infected computers. One quarter of the most targeted countries are located in Asia, where the Internet is still developing at a rapid pace. However, legislators and law enforcement agencies aren’t always able to keep up with the speed of development — combine that with the deteriorating economic conditions and the result is a breeding ground for cybercriminals.
We begin our analysis with the Top 10 most common malware families to be found on the Internet. Note that the table below does not factor in the results of web antivirus subsystems, which detect malicious links, but not the content that the links lead to.
Table 1. The Top 10 most common malware families on the Internet in the first quarter of 2010
The majority of the ten programs above are malware families that utilize HTML code or scripts that the cybercriminals place on legitimate websites. These families include Iframer, Iframe, Redirector and Generic, most of which are detected heuristically. The main idea behind these programs is to redirect a user to a malicious user’s exploit-infected website without the user noticing. Malicious programs are often used to embed this kind of code. In third place is a family with the interesting name of ‘Hexzone’, which actually has nothing at all in common with the hexadecimal counting system associated with computing; it is in fact much more mundane than that. The main function of malware such as this is to display a window containing pornographic content at the bottom of the browser window. The user is informed that this window can only be closed by sending a text message to a short number, there being a different short number for each country. The Popupper family works in a similar way. Popuppers are essentially HTML documents that display persistent messages suggesting that the user send an SMS to a short number and use a certain service. Another two families — Zwangi and Boran — bring together different adware programs. These programs give cybercriminals the opportunity to make some money on the grey market, since it is very difficult to prove that this type of software actually contravenes any legislation. While the destructive activity of adware programs is not usually that apparent – they collect data about a user’s preferences and display advertisements – these programs sometimes employ hacker tactics in self defense. For example, Boran installs a driver that operates very much like a rootkit: it intercepts the functions of the operation system’s kernel and thus hinders the deletion of its main component.
In the first quarter of 2010, Kaspersky Lab detected 12,111,862 unpatched vulnerabilities on users’ computers, which is 6.9% more than in the previous quarter. The speed at which these new breaches in computer security are being found is growing, as is the speed at which patches are being released, but unfortunately, not every user bothers to install updates. In most cases more than one unpatched vulnerability can be found on an individual computer.
The Top 10 most common software vulnerabilities found on users’ computers in the first three months of 2010 are listed in Table 2.
|1||SA 35377||0||Microsoft Office Word Two Vulnerabilities||Gain access to the system and execute random code with local user privileges||28.62%||2009-
|2||SA 37231||6||Sun Java JDK / JRE Multiple Vulnerabilities||
Gain access to the system and execute random code with local user privileges
|3||SA 38547||New||Adobe Flash Player Domain Sandbox Bypass Vulnerability||Bypassing the security system||23.37%||2010-
|4||SA 34572||1||Microsoft PowerPoint OutlineTextRefAtom Parsing Vulnerability||Gain access to the system and execute random code with local user privileges||21.91%||2009-
|5||SA 38551||New||Adobe Reader/Acrobat Two Vulnerabilities||
|6||SA 31744||1||Microsoft Office OneNote URI Handling Vulnerability||Gain access to the system and execute random code with local user privileges||17.57%||2008-
|7||SA 35364||-5||Microsoft Excel Multiple Vulnerabilities||Gain access to the system and execute random code with local user privileges||17.55%||2009-
|8||SA 38805||New||Microsoft Office Excel Multiple Vulnerabilities||Gain access to the system and execute random code with local user privileges||16.65%||2010-03-09||High|
|9||SA 37690||New||Adobe Reader/Acrobat Multiple Vulnerabilities||
|10||SA 29320||-1||Microsoft Outlook “mailto:” URI Handling Vulnerability||Gain access to the system and execute random code with local user privileges||14.98%||2009-
Table 2. The Top 10 vulnerabilities detected on users’ computers
Six of the Top 10 vulnerabilities were detected in Microsoft products, three were found in Adobe products and one was found in a program from Sun Microsystems, now Oracle. In our last report there was only one new vulnerability; this time around we have four new vulnerabilities and the release dates of these new vulnerabilities once again demonstrates that users are in no particular hurry to install software updates. This Top 10 list still includes vulnerabilities that were announced over a year ago.
What do these vulnerabilities allow the cybercriminals to do? Nine of the ten vulnerabilities give cybercriminals the ability to gain full access to a system. This means that the cybercriminal is at liberty to do anything on a victim’s computer so long as it is not protected by an antivirus program. Exploits for the vulnerabilities listed above are already in circulation. This once again reinforces the need to use a good antimalware solution and highlights the importance of prompt updates for all kinds of software, be they operating systems, web browsers, PDF viewing programs, media players, etc..
Let us examine the exploits used by the cybercriminals during the first quarter of 2010.
The Top 10 exploit families on the Internet
Kaspersky Lab has detected more unpatched vulnerabilities in Microsoft products than in Adobe programs, yet the situation with exploits is the other way round. Statistically, malicious users seek and use vulnerabilities in Adobe products much more often than they do for programs from other manufacturers — including Microsoft. Adobe is the number one target for virus writers because its products are very widespread and because they run on a number of different platforms.
The Aurora exploit (7.58%) mentioned above became public knowledge in January of this year — an event that did not go unnoticed by the cybercriminals. So, as Microsoft dragged their heels regarding the release of a patch, only the laziest of hackers were passing up the opportunity of using the loophole before it was closed.
The story of the CVE-2010-0806 exploit family is of concern as its prevalence can be explained by an overly detailed description of the vulnerability published by an employee of an IT security company. The employee disclosed the domain from which the attacks were being launched, as well as the name of the files used in the attacks (notes.exe and svohost.exe). Of course, full disclosure of the attack details gives experts an opportunity to obtain samples and create signatures. On the other hand, this same information can fall into the hands of cybercriminals. There is an unspoken rule within the industry that experts generally adhere to: if there are active threats on a domain, then part of the domain name is omitted. Unfortunately however, the information published was sufficiently detailed to allow the rapid creation of the PoC Metasploit exploit, leading to its widespread proliferation by MS Internet Explorer versions 6 and 7.
One interesting fact is the presence of the Smid family among the most common exploits. Smid programs can run on a number of different platforms and take advantage of a vulnerability in Sun Microsystems Java (CVE-2009-3867). For example, the Exploit.OSX.Smid.b variant runs on Windows, MacOS, and *nix operating systems and generates a link to a threat depending on the type of operating system used. Later, when the ‘getSoundbank’ function is invoked, this link is transmitted as the required parameter. The result is a buffer overflow and the execution of shellcode. In the future it can be expected that malicious users will create cross-platform threats more often.
Note that browser security is just one criterion for Internet security and not necessarily the most important. Any browser — even one that does not have any vulnerabilities in its code — will be used by cybercriminals to launch attacks, for example, by using vulnerabilities in media players, PDF viewing programs and other browser add-ons. The problems with vulnerabilities in add-ons are still critical and cannot be resolved by the browser manufacturers alone. Essentially, if you have a version of a Flash player or PDF viewer with vulnerabilities installed on your computer, then it doesn’t matter what web browser you use, be it MS Internet Explorer, Firefox or Opera, your computer is vulnerable to infection just the same.
It is important to remember that the primary means of protecting users’ computers against exploits is to install any patches as soon as they are released. Additional protection is provided by browsers via their inbuilt filters that are designed to block phishing and malicious websites (Mozilla Firefox 3.5, Internet Explorer 8.0, and Chrome 2.0). These filters do not allow users to visit malicious websites that contain exploits for known or unknown vulnerabilities, or that use social engineering methods to steal personal data. For reliable protection users should install and run an antivirus product that provides regular antivirus database updates. It is also critical that the antivirus program scans Internet traffic.
The geography of threats
In recent years, China has become a veritable malware factory, churning out huge amounts of malicious code and, naturally, the factory’s ‘products’ are also often found on servers located in the Celestial Empire itself — which is ultimately why China has been in the lead in terms of malicious servers for such a long time. Let us now take a look at the Top 20 countries with servers hosting malicious programs over the period of the fourth quarter of 2009 and the first quarter of 2010.
|№||Q1 2010||№||Q1 2009|
|2||Russian Federation||22.59%||2||United States||25.03%|
|7||United Kingdom||3.29%||7||United Kingdom||2.39%|
|17||Czech Republic||0.31%||17||South Korea||0.42%|
The Top 20 countries with servers hosting malicious code in Q1 2010 and Q4 2009
China is no longer in first place, having fallen to third. The reason behind the country’s drop is clearly the introduction by the Chinese authorities of an interesting New Year’s ‘gift’ to the cybercriminals. Namely the tightening of policy regarding the registration of Internet addresses using the Chinese ‘.cn’ domain. Unfortunately, as much as we would like more complex registration procedures in one country to mean less cybercrime, this is not the case. Instead, malicious code has essentially migrated to the US and Russia, with an emphasis on the latter. It would seem that the cybercriminals are keen to take advantage of Russia’s relatively lax domain registration laws, as we can see not only from the statistical distribution of the hosting of malicious code, but the statistics for spam and phishing as well. We can only hope that the measures introduced on 1 April, 2010 governing the registration of Russia’s ‘.ru’ domain, which require the provision of documents to substantiate the requesting parties’ identity, will have the same effect as in China and that malware will migrate from Russian servers.
Threats on users’ computers
If a threat is able to evade several layers of web and mail protection, then it will end up on a user’s computer, where an antivirus program should be ready and waiting. Let us see what was detected by the latter and examine the breakdown of the behaviors of detected threats in both Q4 2009 and Q1 2010.
The Top 10 threats detected on users’ computers in Q4 2009 and Q1 2010
Trojans are firmly out in front after having squeezed worms from the lead in the third quarter of 2009. The percentage of Trojans is growing and came to a total of 21.46% of all detected threats at the end of the quarter. Adware programs are in second place, they too having usurped the worms’ position following the introduction of more stringent legislation and more focused attention on the activities of the cybercriminals. Under these circumstances, both legal and semi-legal means of generating money using hacker tools are now becoming very popular. After all, malicious users can employ a botnet to install a whole host of adware programs. For instance, the common AdWare.Win32.Funweb program, which adds a toolbar for different browsers, is becoming increasingly widespread through bulk spam mailings sent from botnets.
The percentage of viruses in this quarter fell by 0.23% and amounted to 9.72%. The most popular virus today is Virus.Win32.Sality. Every twentieth item detected was infected with this very virus. At the end of the quarter Kaspersky Lab obtained a new variant — Virus.Win32.Sality.ag — which uses a completely new deciphering algorithm that makes it more difficult to detect the virus. Naturally, in this era of virus writing with criminal intent, nothing and no one is infected for no apparent reason. This virus is particularly threatening due to its backdoor function which allows malicious users to take full control of an infected computer.
As mentioned already, worms are now the third most prevalent threat and this is for the most part due to the Autorun worm epidemic which just doesn’t seem to go away. There was a small decrease in the number of these threats in the third quarter of 2009, but unfortunately this trend did not continue. Right now, just about any device that can be synchronized with a computer can be used by the Autorun worm as a means of infection. The number of these devices is constantly growing. They can run on Android and Symbian too and the infection of a number of different devices that have yet to be officially released has already been recorded.
Scripting languages are relatively simple, which is why it is fairly easy to use them to write any type of code, including malicious code. Over the past quarter the number of threats written in various scripting languages increased by 2.3% and included languages like FlyStudio (‘e’ language) and VisualBasic, although AutoIT is proving to be the most popular with malicious users.
During the last quarter a USB battery charger became the most unusual host for threats. It used a Trojan called Arucer.dll that runs on the Windows operating system and infiltrates a target computer via the software used to display the battery charging process. After infection, the malware connects itself to port 777 and waits for a command. It can delete, download and launch files. After installation the program configures the registry in such a way as to launch itself automatically.
Botnets: in the heat of battle
The war with botnets is starting to hot up. The threat of cybercrime has at last been recognized by society, including by law enforcement agencies and other affiliated parties. The joint efforts of the different agencies and companies, from software developers to various authorities such as the US Federal Trade Commission, has already led to the closure of several major botnet command centers.
Early 2010 saw the closure of some botnet command centers that had been built using malware called Email-worm.Win32.Iksmas, also known as Waledac. This botnet is renowned for its spam mailing capabilities — up to 1.5 billion emails in one day, using hot topics in the subject lines and containing links to Iksmas, server-side polymorphic bots and fast-flux technologies. The end result was a formidable and relatively complex botnet. On 22 February the State Court of Virginia found in favor of a Microsoft lawsuit and permitted the suspension of service for 277 domains connected to the botnet control system. All of these domains were registered within the ‘.com’ zone and the service provider was the US-based company VeriSign. This was a victory, but it is just one battle won in an ongoing war. After the closure of some of the command centers, malicious users began setting up botnet control centers in other domain zones and continued to send spam. Singular actions against these types of adversaries aren’t as effective as regular operations aimed at shutting down botnet command centers. It is this kind of relentless pressure on the cybercriminals that must become the next stage in the fight against botnets and we hope that these types of measures will be put into practice in the foreseeable future.
In addition to the shutting down of control centers, there is also one other potential means of fighting botnets — granted it is a much more complex approach from the standpoint of the law enforcement agencies, but it is also much more effective: catching the virus writers. In Spain, law enforcement officials arrested the owners of one major botnet. The Mariposa botnet was created using P2P-worm.Win32.Palevo which has extensive functionality, such as self-propagation and the ability to execute malicious actions. It spreads via peer-to-peer networks, instant messaging and autorun actions, for example, via any personal devices like cameras and flash drives. After the malware installs itself on a victim’s computer, the cybercriminals effectively have full control of the machine and can download another module. The main aim was to generate money by selling and using personal data stolen from the owners of infected computers, particularly usernames and passwords for various online services, primarily online banking.
With assistance from service providers, the botnet’s command centers were shut down and one of the criminals running the botnet was identified. In most cases, it is extremely difficult to identify the source of the commands, but in the case of Palevo it turned out to be relatively simple. The people running the botnet did not have any in-depth technical knowledge or expertise which meant that one of the botnet’s owners was using his own home computer.
The Mariposa botnet has once again showed us that cybercriminals do not necessarily possess any advanced technical knowledge. These days, everything can be bought and sold and botnets are no exception. Even services to mask the command source controlling the botnet can be purchased without particular difficulty and there has not yet been any legal clampdown on those providing these types of services.
In order to achieve victory in the war against botnets, proactive efforts are necessary in the legislative field in combination with the application of the latest IT security technologies. One mustn’t forget that after botnet command centers are shut down, it doesn’t mean that botnets become any less potent: their legacy lives on. The changes that are made to a computer system by a piece of malware don’t just suddenly vanish — if user requests are redirected to malicious resources, then they will continue to be redirected, and if a hard drive was opened to public access, then it will remain so. Furthermore, malicious users can regain control over a previously infected computer. Only a comprehensive approach to resolving the botnet problem can forestall the activities of the cybercriminals and protect their potential victims.
Over the next three months, we expect to hear about a number of prosecutions relating to cybercrime. Happily, law enforcement agencies in various countries have started to take appropriate measures and play an important role in actively changing the geography of cybercrime. What is important is that the fight does not just take place on paper, but manifests itself in real life also. One does not need to be a programmer-extraordinaire to become a cybercriminal these days. A thriving black market where everything from malware to botnet command centers can be bought, coupled with a growing unemployment problem, can lead to a further rise in the number of cybercriminals already operating in a burgeoning cybercriminal market. It is a sure fact that Trojans are now fighting tooth-and-nail for control over users’ computers. Malware will become even more proactive in countering antivirus protection measures, as well as other threats. We can also expect to see the development and use of more streamlined methods for distributing existing Trojans.