- Kaspersky Security Bulletin. Malware Evolution 2011
- Kaspersky Security Bulletin. Statistics 2011
- Malicious programs on the Internet (attacks via the web)
- Local threats
- The big picture
- Network attacks
- Kaspersky Security Bulletin. Spam Evolution 2011
This section of the report forms part of the Kaspersky Security Bulletin 2011 and is based on data obtained and processed using the Kaspersky Security Network (KSN). KSN integrates cloud-based technologies into personal and corporate products and is one of Kaspersky Lab’s most important innovations.
KSN helps Kaspersky Lab experts swiftly detect new malware in real time, even when no corresponding signature or heuristic detection exists for these threats. KSN helps identify sources of malware proliferation on the Internet and blocks user access to them.
At the same time, KSN’s very rapid response to new threats – i.e. in real time – enables us to block new threats from launching on users’ computers within seconds of them being identified as malicious, and without having to update the antivirus database first.
The statistics in this report are based on data obtained from Kaspersky Lab products installed on users’ computers worldwide and was acquired with the full consent of the users involved.
The number of browser-based attacks in 2011 increased from 580,371,937 to 946,393,693. That means that Kaspersky Lab products protected users as they were surfing the Internet at an average of 2,592,859 times every day.
The number of web-based attacks in 2011 is 1.63 times the total for 2010, which points to a much slower rate of growth than we have seen over the course of the past three years. In 2010, we recorded a far greater surge in the number of attempted infections – 8 times as many as in 2009.
The slowed growth rate of web-based infection attempts is due to the fact that in 2011 malicious users did not use any fundamentally new mass-infection methods in launching attacks against computers. The main weapon of browser-based infection is still the exploit pack, which allows malicious users to launch drive-by attacks without the victim noticing a thing. Over the course of the year, two exploit collections were sold on the black market: BlackHole, and Incognito, which were an instant hit among cyber criminals and became two of the top five most commonly-used exploit packs. Incidentally, this business is almost completely built upon affiliate programs set up by hackers.
There is no significant evidence of any major changes to current conditions, so we can expect the growth rate of web-based attacks to continue to slow before the number of attempted attacks begins to stabilize.
The list below shows the most commonly used malicious programs involved in Internet attacks against users.
|Rank||Name||Number of attacks*||% of all attacks|
|1||Malicious URL||712 999 644||75.01%|
|2||Trojan.Script.Iframer||35 522 262||3.67%|
|3||Exploit.Script.Generic||17 176 066||1.81%|
|4||Trojan.Script.Generic||15 760 473||1.66%|
|5||Trojan-Downloader.Script.Generic||10 445 279||1.10%|
|6||Trojan.Win32.Generic||10 241 588||1.08%|
|7||AdWare.Win32.HotBar.dh||7 038 405||0.74%|
|8||Trojan.JS.Popupper.aw||5 128 483||0.54%|
|9||AdWare.Win32.FunWeb.kd||2 167 974||0.23%|
|10||Trojan-Downloader.Win32.Generic||1 979 322||0.21%|
|11||AdWare.Win32.Eorezo.heur||1 911 042||0.20%|
|12||AdWare.Win32.Zwangi.heur||1 676 633||0.18%|
|13||Hoax.Win32.ArchSMS.heur||1 596 642||0.17%|
|14||Trojan.HTML.Iframe.dl||1 593 268||0.17%|
|15||Trojan.JS.Agent.uo||1 338 965||0.14%|
|16||AdWare.Win32.FunWeb.jp||1 294 786||0.14%|
|17||Trojan-Ransom.Win32.Digitala.bpk||1 189 324||0.13%|
|18||Trojan.JS.Iframe.tm||1 048 962||0.11%|
These statistics represent detected verdicts of the web-based antivirus module and were submitted by the users of Kaspersky Lab products who consented to share their local data.
*The total number of unique incidents recorded by web-based antivirus on user computers.
The development of new detection technologies for KSN has helped increase the percentage of threats detected via heuristic methods – and without updating traditional antivirus databases – from 60% to 75%. Malicious websites detected using these methods were ranked in first place. Note that most of the malicious URL detections were for websites with exploits.
In second place are malicious scripts that are planted into the code of legitimate websites by hackers. The injection of hidden iframe tags with links to malicious web resources are used in drive-by attacks: a user will visit a legitimate website, and the browser redirects the user (who does not see anything suspicious) to an online resource containing an exploit kit. Similar malicious scripts detected using simpler, signature-based methods also came in at 14th and 18th place.
The threats in 3rd and 6th places are different heuristic verdicts that detect malicious codes in the form of scripts and executable PE files. These programs download and launch other malicious programs. They also steal data from online banking and social network accounts, and similar login and account details for other services.
Another seven threats on the Top 20 are adware programs from the Zwangi, FunWeb, Eorezo, Shopper, and HotBar families, which have been on our radar for years now. These programs attempt to get onto users’ computers using a variety of methods, sometimes pushing the boundaries of legality.
Two types of malicious programs are new to this year’s Top 20. The first is Hoax.Win32.ArchSMS.heur (in 13th place), which includes programs that are used in short text number scams. Kaspersky Lab products have recorded over one million incidents using these scams, and the lion’s share of these cases are traced back to the Russian-language segment of the Internet. The second is Digitala, a Blackmail Trojan (17th place). This threat prevents computers from functioning normally and demands that the victims pay a ransom to cyber criminals to restore their system.
In launching 946 393 693 web attacks, cyber criminals used 4 073 646 domains. Servers seeded with malicious code were detected in the Internet zones of 198 countries around the world, but just 20 of those accounted for 86.4% of all malicious hosting detected by Kaspersky Lab.
|Rank||Country*||Number of attacks**||% of all attacks|
|1||United States||240 022 553||25.4%|
|2||Russian Federation||138 554 755||14.6%|
|3||Netherlands||92 652 499||9.8%|
|4||Germany||82 544 498||8.7%|
|5||Ukraine||47 886 774||5.1%|
|6||China||46 482 840||4.9%|
|7||United Kingdom||44 676 036||4.7%|
|8||British Virgin Islands||26336323||2.8%|
|10||Sweden||15 472 406||1.6%|
|11||France||14 706 167||1.6%|
|13||South Korea||7 220 494||0.8%|
|15||Latvia||5 371 299||0.6%|
|17||Japan||3 468 602||0.4%|
|19||Brazil||2 712 440||0.3%|
|20||Belize||2 660 150||0.3%|
These statistics are based on the detection verdicts of the web antivirus module, and were provided by users of Kaspersky Lab products who gave their consent to transfer their statistical data.
* In order to determine the geographical source of an attack, the domain name is compared to the actual IP address where the domain in question is located, and the geographical location of the IP address is determined (GEOIP).
** The total number of unique attacks from web resources originating in the country as recorded by the web antivirus module.
The first two entries in the Top 20 are the same countries we saw one year ago: the US (25.4%) and Russia (14.6%). It’s important to point out that the active growth in the percentage of malicious hosting services recorded by Kaspersky Lab in these countries in prior years has stopped, thanks to law enforcement efforts in shutting down botnets. However, despite the decline in the percentage of malicious hosting services in these countries, it remains at a very high level.
The strict regulation of domains in China continues to have a positive impact. Just two years ago, China was one of the biggest hosts of malicious services, with other countries trailing behind. At the peak of the problem 52% of threats around the world came from Chinese domains. However, over the most recent reporting period, this number plummeted to 13%. In 2011, the percentage of Chinese malicious hosting services fell again, this time by 8.2%, and the country is now in 6th place, down from 3rd.
The Netherlands and Germany are ranked at 3rd and 4th. This is in part due to the presence of inexpensive, yet high-quality providers in these countries which attract both honest and dishonest clients.
In addition to drive-by downloads, malicious users’ arsenals are also equipped with several other methods to lure potential victims to malicious websites: black SEO, social network spam, and posting links with alluring comments or subjects on popular websites.
We categorized the sites which most frequently attempted to lure KSN users via malicious links, and in 2011 the 20 websites which prompted the most frequent redirect attempts fit into the following groups.
The Top 20 websites with the most frequent redirects via malicious links
Percentage of redirects, 2011
In first place, we saw a variety of entertainment websites with video content, such as YouTube.
Search engines came in second, as users sometimes click malicious links directly from major search engine sites like Google and Yandex.
Just one per cent behind were social networks in third place. Users should be extra cautious when using sites like Facebook and Vkontakte — these are the social networks that malicious users specifically target and where they spread harmful content.
Fourth and fifth places were taken by different advertising sites (mostly banner ads) and adult content websites.
As we noted above, for the second year in a row, exploits continue to be the weapon of choice among cyber criminals launching online attacks. An analysis of the most commonly used exploits has helped identify the programs which most often saw their vulnerabilities targeted by hackers in 2011.
A total of 35% of all exploit-related incidents targeted vulnerabilities in Adobe Acrobat Reader.
In 2011, the prevalence of exploits targeting Java increased notably, and as a result, Java vulnerabilities took second place among our top targets, as they represented a quarter of all incidents. Incidentally, about 50% of today’s exploit packs are comprised of Java exploits.
The vulnerabilities in Windows components came in third place. The most notable of these were exploits targeting the vulnerabilities in the 2010 MS10-042 Help and Support Center. Some 4% is represented by vulnerabilities found in default settings in all versions of Windows’ Internet Explorer web browser.
Remarkably, exploits for the Android mobile platform came in 6th place with 4% — no one had expected such a high rating before 2011. These programs enable malicious programs to obtain admin rights and full control over a phone or tablet device (i.e., jailbreak).
For the purposes of mass infection, malicious users often take advantage of vulnerabilities that have been well known for a long time, while zero-day exploits are saved for more targeted attacks. The reason is simple: there are plenty of computers around the world still running with outdated software and operating systems. Specifically, within the KSN network 63% of computers that were attacked were running on Windows XP, while only 37% of attacks targeted Windows 7 and Vista.
Local infection statistics for user computers are a critically important indicator. This data points to threats that have penetrated a computer system through something other than the Internet, email, or network ports.
Kaspersky Lab antivirus solutions successfully detected over 2 367 130 584 viral incidents on user computers within the Kaspersky Security Network.
In total, 1 590 861 different malicious and potentially unwanted programs were detected.
|Rank||Object detected||Number of unique users*||%%|
|1||Trojan.Win32.Generic||12 804 003||24.2%|
|2||DangerousObject.Multi.Generic||12 327 029||23.3%|
|3||Net-Worm.Win32.Kido.ih||5 073 357||9.6%|
|4||Virus.Win32.Sality.aa||4 017 673||7.6%|
|5||Net-Worm.Win32.Kido.ir||3 927 070||7.4%|
|6||Virus.Win32.Sality.bh||3 222 166||6.1%|
|7||Trojan.Win32.Starter.yy||2 985 017||5.7%|
|8||Worm.Win32.Generic||2 113 422||4.0%|
|9||Hoax.Win32.ArchSMS.heur||1 771 798||3.4%|
|10||Virus.Win32.Sality.ag||1 566 186||3.0%|
|11||Packed.Win32.Katusha.o||1 507 697||2.9%|
|12||HiddenObject.Multi.Generic||1 416 697||2.7%|
|13||Virus.Win32.Nimnul.a||1 310 704||2.5%|
|14||Worm.Win32.VBNA.b||1 136 110||2.2%|
|15||HackTool.Win32.Kiser.zv||1 102 150||2.1%|
|16||Hoax.Win32.Screensaver.b||1 067 025||2.0%|
These statistics are based on the detection verdicts of the antivirus module, and were provided by users of Kaspersky Lab products who gave their consent to transfer their statistical data.
*The number of unique users with computers running an antivirus program that detected this particular threat.
Infection attempts were blocked on more than 18 million (18 230 930) computers after they were detected using various heuristic methods: Trojan.Win32.Generic (1st place), Worm.Win32.Generic (8th place), HiddenObject.Multi.Generic (12th place), Exploit.Script.Generic (18th place).
In second place, we have a variety of malicious programs that were detected using ‘cloud’ technology, such as DangerousObject.Multi.Generic. Cloud technologies are effective when there are not yet any signatures in antivirus databases nor heuristics for detecting a particular malicious program, but an antivirus company already has data about the threat in its cloud. With the help of the instant threat detection system in Kaspersky Security Network, over 12 million computer users were protected in real time.
Eight of the Top 20 malicious programs have self-replication mechanisms, or are one component in a worm’s means of proliferation: Net-Worm.Win32.Kido.ih (3rd place), Virus.Win32.Sality.aa (4th place), Net-Worm.Win32.Kido.ir (5th place), Virus.Win32.Sality.bh (6th place), Trojan.Win32.Starter.yy (7th place), Virus.Win32.Sality.ag (10th place), Virus.Win32.Nimnul.a (13th place), and Worm.Win32.VBNA.b (14th place).
Nearly 2 million users (1 771 798) have encountered text message scams that use short numbers (Hoax.Win32.ArchSMS.heur, 9th place). These typically promise access to the contents of an archive or an installer for a game or program or something else. Cyber scammers use these as bait to try to lure users to send a text message to a paid short number. In most cases, after sending the text, users receive nothing in return.
There’s a new addition to the classic file viruses: Virus.Win32.Nimnul.a. This malicious program is spread in two ways: using infected executable files, and via removable storage devices with autorun. The infection is most common in Asian countries, such as India (21%), Indonesia (16%), Vietnam (18%), and Bangladesh (10%), where operating systems are updated much less frequently and security solutions are few and far between. This threat primarily delivers Backdoor.Win32.IRCNite.yb to a computer, and then connects to a remote server and joins the victim computer to a botnet.
Obfuscation and packing are still among the more common tactics used by cyber criminals to protect their malicious programs against detection: 11th, 14th, and 17th places are held by these types of programs and represent the Katusha, VBNA and Klone families. Remarkably, all three programs were detected at basically the same time, in late August/early September 2010.
One of the most interesting questions that we can answer with statistics is: “where in the world are computer users encountering cyber threats?” Essentially, this is an indicator of the aggressiveness of the environment in which a computer is running.
In order to assess the risk of infection to which computers in any given country are exposed, we have calculated the frequency at which antivirus programs on user computers detected threats in 2011 for each country.
|Rank||Country||% of unique users*|
These statistics are based on the detection verdicts of the web antivirus module, and were provided by users of Kaspersky Lab products who gave their consent to transfer their statistical data. When calculating, we excluded those countries in which the number of Kaspersky Lab product users is relatively small (less than 10,000).
*The percentage of unique users in the country with computers running Kaspersky Lab products that blocked online threats.
In 2011 the percentages of developed and developing countries changed within the Top 20. Last year, just one developed country was on this list (the US), and in 2011, the UK and Canada made the Top 20 as well.
Some changes also took place among the top three. Over the course of the year, the web surfing risk level fell from 61.8% to 45.4% in Iraq. This country fell from first place in our ratings to eighth. Russia rose +2.2 percentage points from third place to first, with the total percentage of users attacked while using the Internet in this country coming to 55.9%. Oman was in second place with 54.8%. The US rose to third place with 50.1%. A substantial amount of attacks against US users in 2011 were launched from hacked sites using the BlackHole Exploit Pack. As a result of successful attacks, victim computers were infected with a full array of malicious programs: Zbot (ZeuS) Banker Trojans, ZeroAccess multifunction backdoor clickers, fake antivirus programs, and blackmailers.
All of the countries can be put into three main categories based on their online risk level:
- High risk
This group includes 22 countries with results ranging from 41-60%. In addition to the Top 20 countries, Australia (41.5%) and China (41.4%) were also found to be high-risk for web surfing.
- Moderate risk
This group has a risk level ranging from 21-40% and includes 118 countries, including Italy (38.9%), the UAE (38.2%), France (37%), Sweden (32%), the Netherlands (37.1%), and Germany (26.6%).
- Low risk (0 – 20%).
In 2011, nine countries were found to be low-risk for web surfing: Ethiopia (20.5%), Haiti (20.2%), Denmark (19.9%), Nigeria (19.9%), Togo (19.6%), Burundi (18.6%), Zimbabwe (18.6%), Benin (18.0%), and Myanmar (17.8%).
The most significant changes in 2011 took place in the last group of countries, which is almost completely different. Germany, Japan, Luxembourg, Austria, and Norway, whose 2010 indicators ranged from 19-20%, all moved up to the ‘moderate-risk’ group in 2011. All of the ‘low-risk’ countries in 2011 are new, apart from Denmark.
Note that the countries in the low-risk group are actually in the high- and moderate-risk groups for local threats. They are in the low-risk group for online threats because of the way that files are typically shared in these countries, where the Internet is still not very developed. That’s why users often use different types of removable media to save and share data. As a result, our radar picks up little to no online threats in these countries, yet they host an enormous number of viruses and worms that spread via flash drives and infected files.
Around the world, online risks rose 2 percentage points in 2011 and came to 32.3%. Furthermore, the arrival of many western European countries and Japan in the moderate-risk group is a troubling sign: these users are targeted by the most professional cyber criminals.
In addition to online infections, detections of malicious programs directly on user computers or removable media are also of interest. Removable media devices include USB drives, camera memory cards, mobile phone memory cards, and external hard drives. Essentially, the following figures reflect the level of infection of PCs in different countries around the world.
These statistics are based on the detection verdicts of the antivirus module, and were provided by users of Kaspersky Lab products who gave their consent to transfer their statistical data. When calculating, we excluded those countries in which the number of Kaspersky Lab product users is relatively small (less than 10,000).
*The percentage of unique users in the country with computers running Kaspersky Lab products that blocked local threats.
The entire Top 20 is comprised of countries in Africa and Asia. The situation in some countries is particularly alarming. In Sudan and Bangladesh, for example, 9 out of every 10 computers have been infected. No culture of using antivirus solutions has taken shape at this point, and the poor level of computer literacy and knowledge of computer threats makes these countries especially vulnerable to malicious programs.
We can also break countries down into different risk groups for local threats. We have changed the calculation methods since last year to include data about threats found on on-demand scanners, which scan the data on the hard drive and external media. As a result, the overall level of infection increased, and we revised the thresholds for each group to more adequately portray the current situation.
- Maximum risk (over 75%): 9 countries in Asia and Africa.
- High Risk (56-75%): 70 countries around the world, including the Philippines (61%), Russia (60.6%), Ecuador (57.8%), and China (57.5%).
- Moderate Risk (35-55%): A total of 55 countries, including Mexico (55%), Turkey (55%), Brazil (54.1%), Romania (48.6%), Spain (44.9%), the US (40.2%), Australia (39.1%), France (37.9%), Canada (37.4%), and the UK (37%).
- Low Risk (0-35%): 14 countries.
Countries with the lowest percentages of infected computers:
The group of countries with the lowest risk is relatively unchanged from 2010, despite the changes made to the calculation methods.
Firewalls are a critical element of security programs today. They help block attacks on a computer, both those from within the system or from an online resource, and they also counter attacks to steal user data from a computer.
Kaspersky Internet Security includes a firewall that can detect incoming packets (IDS), many of which are exploits that take advantage of vulnerabilities in OS operating services, and are capable of infecting a system if vulnerabilities are not patched, potentially resulting in a malicious user’s complete control over the computer.
In 2011, our security system against network attacks detected 2 656 409 669 attempts to unlawfully penetrate user computers — that’s twice as many attempts as in 2010.
|Rank||Name||% of unique infection attempts*|
These statistics are based on IDS module verdicts, and were provided by users of Kaspersky Lab products who gave their consent to use their statistical data.
*The percentage of unique incidents recorded by the IDS on user computers.
Once again, the Slammer (Helkern) worm took first place. Its behavior throughout the course of the year was very odd, falling off the radar for several weeks, and then unexpectedly showing up again.
Last year’s leader Intrusion.Win.NETAPI.buffer-overflow.exploit moved to second place in the ratings. You may recall that this exploit targets the MS08-067 vulnerability that was first used in the Kido worm, and then later in the notorious Stuxnet worm.
Most of these threats are exploits that have been around for years now. Nine-figure numbers of infection attempts simply go to show the huge number of computers with Internet connections which are still not protected.