Monthly Malware Statistics: August 2011

August in Figures

The following statistics were compiled in August using data collected from computers running Kaspersky Lab products:

  • 193,989,043 network attacks were blocked;
  • 64,742,608 web-borne infections were prevented;
  • 258,090,156 malicious programs were detected and neutralized on user computers;
  • 80,155,498 heuristic verdicts were registered.

August is traditionally one of the busiest months for the information security industry, despite the summer holiday season. Two of the top security conferences take place in August in the US: BlackHat and Defcon. These two events are a popular platform for announcing the results of top studies and not only discuss the results of the past year, but address the issues looming on the horizon. New attack methods are discussed at the conferences, in addition to different hacking technologies — some of which, unfortunately, are subsequently applied in malicious programs. Furthermore, the summer holiday season creates additional problems for individual computer users and organizations alike. People on vacation use the Internet more frequently at Internet cafes, free WiFi hotspots, airports, etc., which means they are outside of their usual security perimeter and have higher chances of becoming the victims of malicious users.

Out-of-the-box activity

Let’s take a closer look at some of the new malicious programs and malicious technologies employed by “the other side” in August.

Ice IX: the bastard child of ZeuS

The ZeuS Trojan (Trojan-Spy.Win32.Zbot) has been the most widespread threat for users of online banking services for several years now. Based on the number of incidents involving ZeuS and the damage it has caused, it could truly be viewed as a kind of malware ‘deity’ among cyber criminals. An entire industry of cybercrime – primarily Russian – has been built around ZeuS. Dozens of groups use it directly and indirectly as part of their illegitimate activities.

Last year, information came to light indicating that the creator of ZeuS sold his entire design to another virus writer, the author of the SpyEye Trojan. This meant that instead of two competing projects, we would see one that brought together the best technologies of the two. That is exactly what happened in the new versions of SpyEye, which are now being regularly detected and are the successors of old ZeuS.

However, at more or less the same time as this so-called merger, part of the ZeuS source code was leaked and subsequently became available to anyone who wanted it. Since SpyEye’s creator sells his creations on the cybercrime market for several thousand dollars, anyone unwilling to pay but wanting their own clone could now build one from that very same source code.

In August, one of these clones became relatively widespread and got the attention of information security professionals. Note that it appeared considerably earlier, in spring 2011, but did not become a common choice among cyber criminals until summer. The new modification has been dubbed Ice IX and is sold for $600-1,800. Just like with the backstories of ZeuS and SpyEye, once again we are dealing with the work of Russian-speaking cyber criminals. One of the most remarkable innovations in Ice IX is the altered web module for botnet control, which allows cyber criminals to use legitimate hosting services, instead of having to resort to costly bulletproof servers within the cybercriminal community. This difference is meant to keep hosting costs down for Ice IX owners.

The blatant theft of someone else’s code is typical in the cybercriminal community. The appearance of Ice IX, which not only competes with SpyEye but also considerably reduces the cost of running similar Trojans, will soon lead to the emergence of new “bastard children” of ZeuS and an even greater number of attacks against the users of online banking services.

Malware and Bitcoin

This summer, the Bitcoin e-money system became the center of attention among computer users and criminals alike. The computer-based ‘coin-generation’ system became yet another means of illegitimate earnings, and stands out due to its high level of anonymity. The quantity of coins generated depends on the computing power available: the more computers one has access to, the larger the potential earnings. Cyber criminals quickly moved from attacking the owners of bitcoin wallets in order to steal them to going a few steps further and using the victim machines as mining botnets.

Back in June we detected the first Trojan.NSIS.Miner.a, which generated bitcoins on an infected computer without the user noticing. This incident marked the beginning of our collaboration with a number of major bitcoin pools (servers where data about network participants and their accounts are stored), which helped us intercept several similar botnets. The beginning of the standoff between the antivirus industry and criminals in this new field has led to the emergence of many more new, more sophisticated types of bitcoin botnets.

In August, cyber criminals found new uses for technologies such as Twitter, P2P networks, and proxy servers.

The use of Twitter essentially worked as follows: a bot sends a request to a Twitter account on which the botnet owner has left commands, i.e. where the bitcoin-generating program is to be downloaded from, along with instructions on which bitcoin pools to work with. The use of Twitter as a botnet command center is not new, although this is the first time it has been used with the bitcoin system.

P2P botnets are nothing radically new per se, but the Trojan.Win32.Miner.h P2P botnet detected by Kaspersky Lab experts in August now has, at the most conservative count, nearly 40,000 different public IP addresses. Given that most computers are currently behind firewalls or gateways, the actual number of infected machines could be several times higher. The bot installs three bitcoin miners at once: Ufasoft miner, RCP miner, and Phoenix miner.

The two technologies described above make it easier for malicious users to maintain their botnets and use measures to counteract antivirus companies, which can more easily block centralized botnet command centers.

The bitcoin pool accounts held by malicious users always face the threat of being deleted by server owners who take a proactive stance against unlawful mining programs. In August, Kaspersky Lab discovered that one of the largest botnets was not only used to mine bitcoins, but was also now being used as a means of concealing the actual accounts. To achieve this, the botnet owners set up a special proxy server that interacts with the infected computers and forwards their requests to an unknown bitcoin pool. As a result, analyzing the bot code no longer reveals the specific pools the botnet works with, so the fraudulent accounts cannot be identified and blocked that way. In this situation, the only means of intercepting this type of criminal activity is to gain full access to one of the proxy servers.

All in all, at the end of the month, Kaspersky Lab detected 35 unique malicious programs that targeted the bitcoin system in one way or another.

Remote-access worms

The Morto worm is a relatively interesting development; its rapid spread began in the second half of August. Unlike its most noteworthy predecessors, this worm does not exploit vulnerabilities in order to self-replicate. Instead, it spreads via the Windows RDP service, a method not seen before. This service is used to provide remote access to a Windows desktop, and the worm essentially attempts to guess the access password. Based on early projections, the worm may at present have infected several tens of thousands of computers around the world. The primary threat stems from the fact that malicious users are able to manage the infected computers, since the worm contains a botnet function and communicates with several command servers. The botnet’s primary function is launching DDoS attacks.
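As an added illustration (not part of the original report), one way a defender can spot the kind of RDP password guessing described above: detection logic run over constructed Windows Security log lines, assuming a simplified rendering of failed/successful logon events (4625/4624) with logon type 10 (RDP). The sample log, thresholds and field layout are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry). Each line is a simplified rendering of a
# Windows Security event: timestamp, event ID, logon type, account name, source address.
# Event 4625 = failed logon, 4624 = successful logon; logon type 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2011-08-28T10:00:01 4625 10 administrator 198.51.100.7
2011-08-28T10:00:02 4625 10 admin 198.51.100.7
2011-08-28T10:00:03 4625 10 admin 198.51.100.7
2011-08-28T10:00:04 4625 10 user 198.51.100.7
2011-08-28T10:00:05 4625 10 test 198.51.100.7
2011-08-28T10:00:06 4624 10 admin 198.51.100.7
2011-08-28T10:05:00 4625 10 jsmith 203.0.113.9
2011-08-28T10:30:00 4625 2 jsmith 203.0.113.9
2011-08-28T11:00:00 4625 10 jsmith 203.0.113.9
"""

LINE_RE = re.compile(r"^(\S+) (\d+) (\d+) (\S+) (\S+)$")

def parse(log_text):
    """Yield (timestamp, event_id, logon_type, account, source) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore malformed lines instead of aborting the whole scan
        ts, event_id, logon_type, account, source = m.groups()
        yield datetime.fromisoformat(ts), int(event_id), int(logon_type), account, source

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=2)):
    """Flag sources with >= `threshold` failed RDP logons inside a sliding `window`.

    Returns {source: {"failures": n, "accounts": set, "success_after_failures": bool}}.
    A success from an already-flagged source means password guessing likely worked."""
    failures = defaultdict(list)  # source -> [(timestamp, account)] for RDP failures only
    findings = {}
    for ts, event_id, logon_type, account, source in parse(log_text):
        if logon_type != 10:
            continue  # only RemoteInteractive (RDP) logons are relevant here
        if event_id == 4625:
            failures[source].append((ts, account))
            recent = [(t, a) for t, a in failures[source] if ts - t <= window]
            if len(recent) >= threshold:
                f = findings.setdefault(source, {"failures": 0, "accounts": set(),
                                                 "success_after_failures": False})
                f["failures"] = max(f["failures"], len(recent))
                f["accounts"].update(a for _, a in recent)
        elif event_id == 4624 and source in findings:
            findings[source]["success_after_failures"] = True
    return findings
```

Running `detect_rdp_bruteforce(SAMPLE_LOG)` flags only 198.51.100.7 (five failures across four accounts in five seconds, followed by a success), while the slow, spread-out failures from 203.0.113.9 stay below the threshold.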

Attacks against individual users: mobile threats

Just over one year ago (in early August 2010), the first-ever malicious program for the Android operating system was detected: the SMS Trojan FakePlayer. Since its emergence, the global malware situation — both for mobile threats in general and Android in particular — has changed dramatically. Less than one year ago, the number of malicious programs targeting Android caught up with the number of malicious programs targeting the Symbian platform (the first threat for Symbian appeared in 2004). Today, threats designed for Android represent approximately 24% of the overall number of detected threats targeting mobile platforms. Since the arrival of FakePlayer, we have detected 628 modifications of malicious programs targeting Android.

[Figure: The distribution of malicious programs targeting mobile platforms, by operating system]

A total of 85% of all smartphone threats (i.e. excepting J2ME) detected from August 1, 2010 through August 31, 2011 target the Android system.

These days, 99% of all detected threats targeting mobile platforms are malicious programs that are after one and the same goal: generating money unlawfully, either directly or indirectly. In August, the standout among these types of threats was the Nickspy Trojan, the distinguishing characteristic of which is the ability to record all of the conversations of the infected device’s owner into audio files and upload these files to a remote server managed by the malicious owner. One of the modifications of this Trojan is disguised as a Google+ add-on and is capable of accepting incoming calls from malicious user numbers written into the program’s configuration file. When an infected phone receives this kind of call without the user noticing, the malicious user is then able to listen in on everything within the infected device’s range, including its owner’s conversations. Additionally, the Trojan also takes note of messages, information about calls, and GPS coordinates. All of these data are sent to the malicious user’s remote server.

“Non-commercialized” malicious programs targeting mobile devices are becoming more common, although some of them are rather odd. In August, the Dogwar Trojan was detected. It appears that this program was developed by people (or a person) supporting PETA’s cause of the protection of animal rights. Having taken the beta version of the Dog Wars game, a malicious user replaced the BETA in the program’s icon with PETA, and planted malicious code, which:

  • Sends a text message to all of the contacts listed on the infected device reading “I take pleasure in hurting small animals, just thought you should know that.”
  • Sends one text message to a short number (73822) reading ‘text.’ This number works in the US and is used by PETA so that users can subscribe to PETA text messages.

Attacks against the networks of corporations and major organizations

Internet-based corporate espionage and reconnaissance led by a variety of countries around the world is gradually becoming one of the most widely discussed information security problems, spinning off from traditional cybercrime. However, the newness of the field and its relative inaccessibility to most users means that most news about this kind of activity is needlessly sensationalized.

In August, the IT community was shaken by a news item from McAfee (acquired by Intel one year ago) about their detection of what was potentially the largest cyber-attack in history, lasting over five years and targeting numerous organizations around the world, from the US Department of Defense to the Sports Committee of Vietnam. The attack was dubbed Shady Rat. All would have been well and good had the publication of that information not coincided with the opening of the BlackHat conference in Las Vegas and been accompanied by a special feature in Vanity Fair. One can’t help but agree that exclusive material about a threat to national security in a fashion magazine is a bit odd; the security industry does not typically use that route to inform the public about recently detected problems.

A close look at what McAfee reported resulted in even more confusion. First of all, the malicious user-run server that had allegedly been “detected by researchers” had in fact already been known for several months to the experts at many other antivirus companies. Second, at the time of the article’s publication, the server was still up and running, and all of the information that McAfee used in its report was already public. Next, the long sought-after spyware that had allegedly been used in the most complex and largest attack in history was already being detected by many antivirus programs using simple heuristics. In addition to these and other factors, the McAfee report gives rise to a number of other questions. These questions were asked publicly, including by Kaspersky Lab experts.

Our studies have confirmed that Shady Rat was neither the longest-running nor the largest, nor even the most sophisticated attack in history. Moreover, we believe that it is unacceptable to publish information about any attack without a full description of all of the components and technologies used, since such incomplete reports do not allow experts to make every possible effort to protect their own resources.

The publication of information about so-called Advanced Persistent Threats (APTs) should involve an even greater degree of responsibility. Recently, APTs have been making media outlet headlines featuring terms such as ‘cyberwar’ and ‘cyberweapons.’ There is a major gap in the public perception and actual meaning of these terms. Incidentally, terminology issues are of secondary importance when the issue at hand is truly about corporate espionage or special force operations. In these cases, it is much more important to remember that when too much focus is directed at these incidents, and the disclosure of any kind of information is not carefully coordinated, it could harm ongoing investigations and deal an even greater blow to attack victims.

August’s hacking scandals

August turned out to be an eventful month in the hacking world. Attacks against companies and government agencies take place around the world and, in contrast to attacks launched by unknown parties, this year many incidents were launched by groups that have gone public, such as AntiSec and Anonymous. More and more frequently, these attacks are employed as a means of political struggle. All of these cases receive wide coverage in the press, since publicity of the event is critical for promoting the ideology of the so-called ‘hacktivists.’ Given the events of this year so far, the hacking scandals that took place in August were not, unfortunately, particularly surprising.

Over the reporting period, the victims of hacktivists included the Italian cyber police, a number of companies cooperating with law enforcement agencies in the US, and the military contractor Vanguard, which works on communications systems under contract with the US Department of Defense. Gigabytes of private information were made public, and in the incident involving the Italian cyber police, documents that had most likely originally been the property of the Indian Embassy to Russia were made public.

Later, in the US, hackers attacked a transit system in the San Francisco Bay Area and stole the personal data of two thousand passengers, which was subsequently published. The defacement of the official government websites of Syria and Libya, in connection with the civil uprisings in those countries, also stands out among the politically motivated hack attacks that took place in August.

August ratings:

Top 10 Internet threats

 #   Name                                 Count      Share
 1   Blocked                              45643803   72.76%
 2   Trojan.Script.Iframer                1677006    2.67%
 3   Trojan.Script.Generic                1230615    1.96%
 4   Trojan.Win32.Generic                 758315     1.21%
 5   Exploit.Script.Generic               671473     1.09%
 6   AdWare.Win32.Shopper.ee              462860     1.07%
 7   Trojan-Downloader.Script.Generic     459647     0.74%
 8   Trojan.JS.Popupper.aw                431959     0.73%
 9   AdWare.Win32.Eorezo.heur             430763     0.69%
 10  WebToolbar.Win32.MyWebSearch.gen     270739     0.69%

Top 10 sources of malware:

 #   Country                    Share
 1   United States              26.31%
 2   Russian Federation         16.48%
 3   Germany                    9.12%
 4   Netherlands                7.40%
 5   United Kingdom             6.09%
 6   Ukraine                    5.27%
 7   China                      3.98%
 8   Virgin Islands, British    3.07%
 9   Romania                    1.97%
 10  France                     1.94%

Top 10 malware hosts:

 #   Host                       Share
 1   ak.imgfarm.com             10.17%
 2   ru-download.in             8.64%
 3   literedirect.com           7.84%
 4   72.51.44.90                7.01%
 5   go-download.in             6.86%
 6   h1.ripway.com              4.75%
 7   updateversionnew.info      4.68%
 8   lxtraffic.com              4.36%
 9   ak.exe.imgfarm.com         4.18%
 10  dl1.mobimoba.ru            3.62%

Top 10 malicious domain zones:

 #   Domain zone    Count
 1   com            30618963
 2   ru             10474116
 3   net            3465349
 4   in             2466494
 5   info           2052925
 6   org            1982282
 7   tv             827236
 8   cc             819225
 9   cz.cc          463536
 10  tk             329739

Top 10 countries with the highest percentage of attacks against user computers (Web Antivirus):

 #   Country              Share
 1   Russia               35.82%
 2   Oman                 32.67%
 3   Armenia              31.16%
 4   Belarus              31.05%
 5   Iraq                 30.37%
 6   Azerbaijan           29.97%
 7   Kazakhstan           28.31%
 8   Ukraine              27.57%
 9   Republic of Korea    27.23%
 10  Sudan                26.01%

Top 10 countries with FakeAV detections:

 #   Country           Share
 1   USA               29.26%
 2   Russia            9.6%
 3   India             6.31%
 4   Germany           3.95%
 5   United Kingdom    3.9%
 6   Vietnam           3.75%
 7   Spain             2.88%
 8   Canada            2.81%
 9   Mexico            2.47%
 10  Ukraine           2.21%
