Malware reports

Monthly Malware Statistics: November 2011

November in figures

The following statistics were compiled in November using data collected from computers running Kaspersky Lab products:

  • 204,595,286 network attacks were blocked;
  • 89,001,505 web-borne infections were prevented;
  • 238,045,358 malicious programs were detected and neutralized on user computers;
  • 98,047,245 heuristic verdicts were registered.

November was relatively calm in terms of traditional threats. The authors of malicious programs continued to develop already existing technology, with no significant creations noted throughout the month.

Topic of the month. DUQU– the investigation continues

The Duqu Trojan, which was detected in September and hit the headlines in October, remained the center of attention for IT security experts and the mass media in November. The headline news was the discovery of how the malicious program penetrated computer systems. The attacks took place via email with the help of a Microsoft Word document that contained an exploit to a previously unknown vulnerability in Windows. An error in win32k.sys allowed the malicious code to be executed from a file with system privileges.

This is yet another parallel between Duqu and Stuxnet, which also made use of a previously unknown vulnerability. We wrote back in October that the discovery of a Duqu dropper was a vital clue that could help unravel the mystery of the Trojan’s origins, and that the dropper probably contained an exploit for just this kind of vulnerability.

Kaspersky Lab experts managed to trace the original message with the dropper and exploit that was sent to a victim in Sudan. A detailed analysis was published in a recent blog post. Kaspersky Lab immediately added a signature for this exploit to its product databases.

Importantly, by the beginning of December Microsoft still hadn’t released a patch to fix this vulnerability. This means there’s a high risk of it being used in an attack.

As well as analyzing the vulnerability, we took a closer look at several Duqu-controlled servers in various countries. Unfortunately, those behind Duqu were quick to react when their activities became public knowledge and on 20 October a major cleanup operation of the Duqu network was initiated with traces wiped from all the affected servers around the world. However, we did manage to obtain some information which is helping us with our investigations.

All the information we have points to the fact that Duqu was created with the aim of gathering data related to the activities of a series of Iranian companies and agencies. There are numerous indications that early versions of Duqu could have been around since 2007-2008, and that the Stuxnet worm was created on the basis of a platform that was also used during the creation of Duqu. It’s also quite possible that Duqu and Stuxnet were developed in parallel.

Out of the box activity

The cybercriminals’ new bag of tricks

There has been a recent upsurge in the number of incidents involving the use of steganography in malware.

September saw the use of graphic files containing hidden commands for managing the SST botnet, a modification of the notorious TDSS/TDL.

We detected a similar technique in November among a family of Trojan programs that targeted Brazilian bank customers. It was the first detected case of Latin American Trojans using steganography in images.

The files contained encrypted malware and some additional data. They had a jpeg extension, but were in fact bmp files in structure. Further analysis revealed that the cybercriminals had made use of a block cipher.

By using this technique, the virus creators killed several birds with one stone. Firstly, it can cause automatic malware analysis systems to function incorrectly: antivirus programs will give an all-clear to the file after analysis, and in time the link will be exempted from checks altogether. Secondly, the administrators of the sites where the encrypted malicious files are hosted won’t be able to identify them as malicious and will leave them alone. Thirdly, some malware researchers may not have the time or necessary expertise to deal with them. All of this obviously plays into the hands of the cybercriminals.

Mobile threats: SMS Trojans spreading all over the world

In mid-July we wrote about ‘porn SMS senders’ that used premium-rate text messages to subscribe users to various services. The apps targeted users in the US, Malaysia, the Netherlands, the UK, Kenya and South Africa.

In November we detected SMS Trojans targeting users in several European countries as well as Canada. The malware sends four text messages from infected devices to premium-rate short numbers. We detect this particular family as Trojan-SMS.AndroidOS.Foncy.

According to messages left on forums, the first infections took place in early September. Someone downloaded an app that supposedly monitored their SMS/MMS messages, calls and Internet traffic. After launching, the program displayed a message stating that it was not compatible with the user’s version of Android OS. After that the money on the user’s balance disappeared.

Before the arrival of the Trojan-SMS.AndroidOS.Foncy family, SMS Trojans mainly targeted users in Russian and China. SMS Trojans are now one of the easiest ways for cybercriminals to make money. Unfortunately, it now looks like the malicious use of short numbers is starting to affect other parts of the world, and we very much doubt this process will end any time soon.

Mac OS threats

Windows users are unlikely to find anything unusual about Trojans and worms on websites that are spread by pirate versions of popular software. But for Mac users this is still a bit of a novelty. At the very end of October a new malicious program – subsequently named Backdoor.OSX.Miner – was detected on torrent trackers spreading pirate versions of programs for Mac. This program has a number of malicious functions:

  1. Establishes remote access to an infected computer
  2. Gathers information about browsing history in Safari
  3. Captures screenshots
  4. Steals the wallet.dat file from BitCoin clients
  5. Launches BitCoin miner without user authorization

This piece of malware spreads via a number of torrent trackers, including publicbt.com, openbittorrent.com and thepiratebay.org.

Example of a torrent tracker spreading Backdoor.OSX.Miner

According to our estimates, dozens of Mac systems had been infected by Backdoor.OSX.Miner by the end of November.

Attacks on state and corporate networks

Steam compromised

An attack on Valve’s Steam service in November called to mind the Sony PlayStation Network hack earlier this year. Someone managed to hack into the service forum and send out messages with links to videos on how to hack games. Valve turned off its server to fix the problem and found that the main Steam database had been compromised.

The compromised database held information such as user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information.

Valve was forced to write to all users of the service informing them off the problem. Valve claimed there was no evidence that encrypted credit card numbers or personal info were taken by the intruders, and that the company was “still investigating”. The message went on to say that there was also no evidence of credit card misuse, but Steam users were asked to “watch your credit card activity and statements closely”.

More problems with certificates

This year has been full of incidents involving certification authorities. First, there was the story of Comodo, followed by Dutch firm DigiNotar. On top of that, a number of stolen certificates were discovered being used in malicious programs, including Duqu. There is now a serious lack of trust in certificates, with no solution to the problem in sight.

November saw yet another Dutch certificate authority announce that it had been targeted by hackers and forced to halt the issuing of certificates.

The breach was discovered on a KPN web server related to PKI. The attack dates back no less than four years.

KPN, best known for its telecom business, bought Getronics four years ago, acquiring a certificate authority similar to DigiNotar. Like DigiNotar, KPN is allowed to issue ‘special’ certificates for the Dutch government and public services. In fact, many organizations affected by the DigiNotar incident switched to KPN certificates.

It’s not yet clear if a breach of the CA server(s) can be ruled out or not. Another question that needs to be answered is how a DDoS tool went undetected for four years.

Oddly enough, KPN’s statement could be interpreted as saying that existing certificates will remain valid, no matter what.

The Malaysian certificate authority Digicert (CA Digicert Malaysia) was involved in an even more serious incident. It has been removed from the list of trusted authorities by all browser manufacturers and by Microsoft. Such extreme measures were deemed necessary after the authority issued 22 certificates with weak 512-bit keys, and certificates without the appropriate usage extensions or revocation information.

Microsoft’s group manager of response communications, Jerry Bryant, said there was no indication that any certificates were issued fraudulently, but the weak keys had allowed some of the certificates to be compromised.

Interestingly, in November a number of malicious programs were detected that were signed with certificates issued by the Malaysian Agricultural Research and Development Institute, a government body. According to a spokesperson, a certificate was earlier stolen from the Institute. However, that begs the question: if they knew about the theft, why wasn’t the certificate immediately revoked?

November ratings

Top 10 threats on the Internet

1 Malicious URL 81.41% 0
2 Trojan.Script.Iframer 4.57% 0
3 Trojan.Script.Generic 1.67% 1
4 Trojan.Win32.Generic 0.74% -1
5 Trojan-Downloader.Script.Generic 0.61% 2
6 Trojan.JS.Popupper.aw 0.37% 3
7 Exploit.Script.Generic 0.36% -2
8 Trojan.JS.Agent.bwi 0.24% New
9 Exploit.Java.CVE-2010-4452.a 0.21% New
10 AdWare.Win32.Screensaver.i 0.16% New

Top 10 sources of malware

1 USA 26.72% 0
2 Germany 14.52% 1
3 Russia 12.58% -1
4 Netherlands 11.67% 0
5 Ukraine 6.69% 0
6 Virgin Islands, British 3.99% 1
7 China 3.64% 1
8 Romania 2.11% 2
9 Great Britain 1.45% -3
10 Canada 1.11% New

Top 10 malware hosts

1 adv-downloader.in 11.83%
2 72.51.44.90 10.69%
3 rm-download.in 7.22%
4 69.170.135.91 6.71%
5 livestaticforus.info 6.37%
6 rx-downloader.in 6.04%
7 youtubedownload.altervista.org 3.91%
8 origin-ics.clickpotato.tv 3.87%
9 tizerplatform.com 3.60%
10 advancedadv.net 3.46%

Top 10 malicious domain zones

1 com 35509894
2 ru 14482880
3 info 5891872
4 co.in 5221964
5 in 4197274
6 net 3493864
7 org 1971202
8 me 1953502
9 tv 536867
10 pl 384305

Top 10 countries with the highest percentage of attacks against users’ computers (Web Antivirus)

1 Russia 44.88% 0
2 Armenia 39.21% 0
3 Korea 38.03% 6
4 Kazakhstan 36.86% 4
5 Belarus 35.39% -2
6 Ukraine 33.43% 0
7 Azerbaijan 33.14% 3
8 Sudan 28.76% -1
9 Uzbekistan 28.63% New
10 Moldova 28.13% New

Monthly Malware Statistics: November 2011

Your email address will not be published. Required fields are marked *

 

Reports

APT trends report Q3 2024

The report features the most significant developments relating to APT groups in Q3 2024, including hacktivist activity, new APT tools and campaigns.

BlindEagle flying high in Latin America

Kaspersky shares insights into the activity and TTPs of the BlindEagle APT, which targets organizations and individuals in Colombia, Ecuador, Chile, Panama and other Latin American countries.

Subscribe to our weekly e-mails

The hottest research right in your inbox