Threat Report H2 2012

The report focuses on three things that stood out in the second half of 2012: botnets (with special reference to ZeroAccess), exploits (particularly against the Java development platform) and banking trojans (Zeus). Also discussed are multi-platform attacks, in which a coordinated attack campaign is launched against both desktop and mobile platforms; the state of today's web concerning malware hosting and malvertising; and an update on the mobile threat scene.


Transcript

  • 1. Threat Report H2 2012. Protecting the irreplaceable | www.f-secure.com
  • 2. F-Secure Labs
    Protection around the clock
    At the F-Secure Response Labs in Helsinki, Finland, and Kuala Lumpur, Malaysia, security experts work around the clock to ensure our customers are protected from the latest online threats. At any given moment, F-Secure Response Labs staff is on top of the worldwide security situation, ensuring that sudden virus and malware outbreaks are dealt with promptly and effectively. Response Labs’ work is assisted by a host of automatic systems that track worldwide threat occurrences in real time, collecting and analyzing hundreds of thousands of data samples per day. Criminals who make use of virus and malware to profit from these attacks are constantly at work on new threats. This situation demands around the clock vigilance on our part to ensure that our customers are protected.
  • 3. Foreword
    Today, the most common way of getting hit by malware is by browsing the Web. It hasn’t always been this way. Years ago, floppy disks were the main malware vector. Then sharing of executable files. Then e-mail attachments. But for the past five years, the Web has been the main source of malware.

    The Web is the problem largely because of Exploit Kits. Kits such as BlackHole, Cool Exploit, Eleanore, Incognito, Yes or Crimepack automate the process of infecting computers via exploits.

    There is no exploit without a vulnerability. Ultimately, vulnerabilities are just bugs, that is, programming errors. We have bugs because programs are written by human beings, and human beings make mistakes. Software bugs have been a problem for as long as we have had programmable computers—and they are not going to disappear.

    Bugs were not very critical until access to the Internet became widespread. Before, you could have been working on a word processor and opening a corrupted document file, and as a result, your word processor would have crashed. Even if annoying, such a crash would not have been too big of a deal. You might have lost any unsaved work in open documents, but that would have been it.

    However, things changed as soon as the Internet entered the picture. Suddenly, bugs that used to be just a nuisance could be used to take over your computer.

    Yet, even the most serious vulnerabilities are worthless for the attacker, if they get patched. Therefore, the most valuable exploits are targeting vulnerabilities that are not known to the vendor behind the exploited product. This means that the vendor cannot fix the bug and issue a security patch to close the hole.

    If a security patch is available and the vulnerability starts to get exploited by the attackers five days after the patch came out, the users have had five days to react. If there is no patch available, the users have no time at all to secure themselves; literally, zero days. This is where the term ‘Zero Day Vulnerability’ comes from: users are vulnerable, even if they have applied all possible patches.

    One of the key security mechanisms continues to be patching. Make sure all your systems are always fully up-to-date. This drastically reduces the risk of getting infected. But for Zero Day vulnerabilities, there are no patches available. However, antivirus products can help against even them.

    We’re in a constant race against the attackers. And this race isn’t going to be over any time soon.

    Mikko Hyppönen
    Chief Research Officer
  • 4. Executive Summary
    Three things visibly stand out in this past half year: botnets (with special reference to ZeroAccess), exploits (particularly against the Java development platform) and banking trojans (Zeus).

    ZeroAccess was easily the most prevalent botnet we saw in 2012, with infections most visible in France, United States and Sweden. It is also one of the most actively developed and perhaps the most profitable botnet of last year. In this report, we go through the distribution methods and payment schemes of ZeroAccess’s ‘affiliate program’, as well as its two main profit-generating activities: click fraud and BitCoin mining. Aside from ZeroAccess, other notable botnets of 2012 are Zeus, Carberp, Dorkbot and SpamSoldier (a mobile botnet).

    Java was the main target for most of the exploit-based attacks we saw during the past half year. This is aptly demonstrated in the statistics for the top 10 most prevalent detections recorded by our cloud lookup systems, in which the combined total of detections for the Java-specific CVE-2012-4681 and CVE-2012-5076 vulnerabilities and the Majava generic detections, which also identify samples that exploit Java-related vulnerabilities, account for one third of the samples identified during this period. Exploit kits play a big role in this prevalence. In addition, exploits against other programs such as the PDF document reader (CVE-2010-0188) or Windows TrueType font (CVE-2011-3402) made notable impacts in H2 2012, as detailed further in this report.

    With regards to banking trojans, a botnet known as Zeus—which is also the name for the malware used to infect the users’ machines—is the main story for 2012. Analysis of the geography for Zeus’s infection distribution highlights the United States, Italy and Germany as the most affected countries. In addition to its banking-trojan capabilities, the Zeus malware also functions as a backdoor, allowing it to be directly controlled from the botnet’s command and control (C&C) servers. An examination of the different sets of backdoor commands used by Zeus derivatives (known as Citadel and Ice IX) gives more detail of what other malicious actions this malware can perform.

    In terms of online security, we look at the more ambiguous side of the ever-growing popularity of website hosting, and how its increasingly affordable and user-friendly nature also makes it well suited to supporting malware hosting and malvertising.

    We also take a look at multi-platform attacks, in which a coordinated attack campaign is launched against multiple platforms (both desktop and mobile), often with multiple malware.

    And finally on the mobile scene, the Android and Symbian platforms continue to be the main focus of threats, accounting for 79% and 19%, respectively, of all new mobile malware variants identified in 2012.
  • 5. Contents
    This Threat Report highlights trends and new developments seen in the malware threat landscape by analysts in F-Secure Labs during the second half of 2012. Also included are case studies covering selected noteworthy, highly-prevalent threats from this period.

    Foreword 3
    Executive Summary 4
    Contents 5
    Incidents Calendar 6
    In Review 7
    Of Note 10
      The Password 11
      Corporate Espionage 12
    Case Studies 14
      Bots 15
      ZeroAccess 17
      Zeus 21
      Exploits 25
      Web 28
      Multi-Platform Attacks 32
      Mobile 35
    Sources 38

    Contributing authors: Broderick Aquilino, Karmina Aquino, Christine Bejerasco, Edilberto Cajucom, Su Gim Goh, Alia Hilyati, Timo Hirvonen, Mikko Hypponen, Sarah Jamaludin, Jarno Niemela, Mikko Suominen, Chin Yick Low, Sean Sullivan, Marko Thure, Juha Ylipekkala
  • 6. Incidents Calendar
    H2 2012 incidents calendar (July-December)*. The original slide is a calendar graphic with columns for Jul, Aug, Sept, Oct, Nov and Dec and entries colour-coded by category (Online; In the news; PC threats; Mobile threats; Hacktivism & espionage). Incidents listed:
    FBI support for DNSChanger ended
    Out-of-band Patch Friday
    Syrian Internet, mobile connections cut off
    Imuler.B backdoor found on OS X
    Multi-platform Intel/OS X backdoor found
    Malware signed with Adobe certificate
    Berlin police warned of Android banking trojans
    Commercial multi-platform surveillance tools found
    Samsung TouchWiz exploit reported
    Cool Exploit kit rivalling Blackhole
    Iran-targeted malware reported
    New Mac Revir threat found
    Indian government email accounts hacked
    New Linux rootkit found
    Gauss threat targeted the London Olympics
    Dexter malware hit point of sales (POS)
    Huawei controversy in US Congress
    ITU Telecom World ‘12 raised Internet/government concerns
    Australian hospital’s records ransomed
    Blackhole updated faster than flaws patched
    Java update closed 3 vulnerabilities
    Mac threat found on Dalai Lama-related website
    Matt Honan ‘hack’ highlighted flaws in accounts systems
    One rogue ad hits Finnish web traffic
    Eurograbber attack on European banks reported
    Samsung Exynos exploit reported
    *Sources: See page 38.
  • 7. In Review: changes in the threat landscape
    Unlike the first half of 2012, the second half of the year saw no major malware outbreaks on any platform. Instead, a handful of incidents took place during this time period, most of which were notable as indications of how inventive the attackers have been in finding ways to compromise a user’s machine, data or money. These incidents included the hack into the Gmail and Apple accounts of Matt Honan of Wired, which exposed loopholes in those account systems; the Adobe-certified malware episode, in which attackers went to the extent of stealing Adobe’s digital certificate in order to sign malware used in targeted attacks; and the Eurograbber attack, in which a variant of the Zeus crimeware was reportedly used to steal money from various corporations and banks in Europe.

    An interesting development in 2012 has been the increasing public awareness of cyber-security and the various implications of being vulnerable to attack over a borderless Internet. News reports of alleged online or malware-based attacks against Iranian facilities drew attention to state-sponsored cyber-attacks. A conference gathering the various telecommunications entities to discuss basic infrastructure issues raised concerns about Internet governance, and the role of governments in it. The past year also saw US politicians, not generally considered the most tech-savvy of users, raise concerns over perceived reliance on IT solutions for sensitive government systems being provided by foreign corporations seen as potentially unreliable. Though it is probably a positive development that more people are becoming exposed to topics that have long been considered irrelevant or academic, only time will tell what will result from the increased awareness.

    Rather than a single major event, perhaps the most noteworthy aspect of H2 2012 is the way that the various trends we saw emerging in the first two quarters of the year have continued to grow apace—that is, the growth of botnets, the ‘standardization’ of vulnerability exploitation and the increasing ‘establishment’ of exploit kits.

    When it comes to botnets, the news has been mixed at best. The last few years have seen concerted efforts by players from different fields—telecommunications, information security and even government organizations—to take down or at least hamper the activities of various botnets, which have compromised millions of users’ computers and been used to perform such activities as monetary fraud and online hacking. These combined efforts resulted in totally shuttering, or at least seriously hampering, major botnets such as Rustock, Zeus and DNSChanger.

    Unfortunately, despite these commendable efforts, the botnets have been regularly resurrecting, often with new strategies or mechanisms for garnering profit. In addition, the operators running these botnets have been aggressively marketing their ‘products’ to other hackers and malware distributors. Their efforts include offering affiliate programs with attractive ‘pay-per-installation’ rates and ‘rent-a-botnet’ schemes that allow attackers to use the combined power of the infected hosts to perform attacks or other nefarious activities. These sophisticated business tactics have garnered significant returns. In some cases, such as ZeroAccess, the reborn botnets have grown to count millions of infected hosts. See the case studies Bots (pg. 15), ZeroAccess (pg. 17) and Zeus (pg. 21) for more information on botnets.

    Another change we saw last year was the increasing use of vulnerability exploitation, often in tandem with established social engineering tactics. Unlike previous years, when most of the infections we saw involved trojans, 2012 was definitely the year of the exploit, as exploit-related detections accounted for approximately 28% of all detections F-Secure’s cloud lookup systems saw in H2 2012.
  • 8. Top 10 detections in H2 2012, & top countries*
    ZeroAccess      27%   FR, US, SE, DK, others
    Majava          26%   US, FR, FI, SE, others
    Downadup        11%   BR, FR, MY, IT, others
    BlackHole        9%   FR, FI, SE, NL, others
    CVE-2012-4681    6%   US, SE, FR, DE, others
    CVE-2011-3402    6%   FR, SE, NL, FI, others
    CVE-2010-0188    6%   FR, SE, FI, NL, others
    CVE-2012-5076    3%   FI, US, FR, SE, others
    PDF Exploits     3%   FI, FR, SE, DE, others
    Sinowal          3%   NL, SE, FI, others
    *Based on statistics from F-Secure’s cloud lookup systems from July to December 2012.

    In addition, malware designed to exploit vulnerabilities related to the Java development platform made up about 68% of all exploit-related detections recorded by our systems in the second half of last year.

    If we look at the list of Top 10 Detections (above) seen by our cloud lookup systems in H2 2012 in more detail, two detections which specifically identify samples exploiting the Java-specific CVE-2012-4681 and CVE-2012-5076 vulnerabilities alone account for 9% of the malware identified by the top 10 detections. In addition, the Majava generic detections, which identify samples that exploit known vulnerabilities, including the Java-specific CVE-2012-0507 and CVE-2012-1723 vulnerabilities, account for another 26% of the top 10 detections, as well as having the dubious honor of being the second most common detection overall reported by our backend systems. The sheer volume of Java-related detections indicates both the widespread popularity of that platform and its susceptibility to the malicious inventiveness of malware authors.

    Interestingly enough, when considering exploit attacks in general, though we saw attacks exploiting numerous vulnerabilities in multiple platforms and programs in 2012, the vast majority of the cases were related to only four vulnerabilities—CVE-2011-3402 and CVE-2010-0188, which are Windows-related vulnerabilities, and the previously mentioned Java vulnerabilities, CVE-2012-4681 and CVE-2012-5076. All of these vulnerabilities, incidentally, have already had security patches released by their relevant vendors.
  • 9. In Review (continued)
    This skewed preference in attack targeting can be directly attributed to the popular usage of exploit kits such as Blackhole and Cool Exploit, which have incorporated the exploits for these vulnerabilities, in some cases faster than the vendors were able to patch them. It’s perhaps not too surprising then that BlackHole-related detections account for 9% of all samples detected by the top 10 detections of H2 2012. For more information on these exploits, see the Exploits case study on page 25.

    And as a closing note, a quick look at our detection statistics for Mac indicates that even though Windows machines continue to be the main target for attacks, the Mac platform is increasingly coming in for a share of unwanted attention. Apart from the major Flashback outbreak in early 2012, we saw a slow but steady increase in malware on the Mac platform, as we detected 121 new, unique variants in all of 2012, the majority of them backdoors. By contrast, in 2011, we recorded only 59 new unique variants discovered on that platform.

    Mac Malware by type, Jan - Dec 2012 (Total = 121 variants*): Backdoor 85%, Trojan 7%, Rogue 4%, Others 4%.
    *The total is counted based on unique variants detected from Jan to Dec 2012, rather than total file count. Riskware and repackaged installers are not counted; multi-component malware are only counted once.
  • 10. Of Note
    The Password 11
    Corporate Espionage 12
  • 11. The Password: dead man walking
    Computer passwords are something like fifty years old. And until a little over twenty years ago, they were very often a shared resource where multiple people used the same password (or set of passwords) for access to computer systems. The use of individual passwords was actually something of an innovation at the time.

    Then came the World Wide Web, and with it, the ever growing need for more and more account passwords. As time has passed and our online lives have grown, it is now not at all uncommon for people to have dozens of passwords to keep track of. And what’s worse is that all of those passwords should be “strong” passwords and people shouldn’t reuse them between accounts. It’s too much!

    The second half of 2012 provided more than enough evidence to demonstrate the problem of passwords. Hacks, breaches, database dumps—these are terms that average individuals (not just techies) are now familiar with. With today’s processing power, passwords that are strong enough to withstand brute force attacks are too difficult for the human brain to remember.

    Even if the passwords are strong, our systems of authenticating account resets are flawed. A strong password is useless if social engineering tactics can be used to reset those passwords.

    The password is dead and we all know it. But unfortunately, its successor has yet to turn up. So what’s to be done in the meantime? Triage.
    • Use a password manager such as KeePass or Password Safe
    • Kill old accounts that you no longer use
    • Untangle cross-linked accounts
    • Consider using a “secret” email address for account maintenance
    • Be careful about what you share on social media. If you share, don’t rely on personal information for your account password resets
    • Use two-factor authentication options if available

    Determine which accounts are your critical points of failure, and make sure they are all well defended. Two factor authentication is good, but even that is not a bulletproof solution. It is important to use every option available.

    For example, Google’s Gmail allows users to create their own security question for password resets. There is absolutely no reason why this question needs to be based on reality. It can just as easily be another “password”. One which is written down and stored safely at home, where only you have access to it.

    And if you are a parent of teenage children… you really should have “the talk” with them about their use of passwords. The habits they form now will have a big impact on their future online lives.

    Hopefully, one day soon, a true successor will rise to take the password’s place and we will all be able to let the password die a dignified death. Unfortunately, we are more likely to experience fits and starts towards a new solution. Prepare yourself now, 2013 isn’t going to be kind for those who are unprepared.

    Recommended Reading
    • Hacked: passwords have failed and it’s time for something new [1]. Matt Honan discusses the account hack that disrupted his digital life and its implications for online security.
    • Google declares war on the password [2]. Find out more about Google’s experiment with device-based account authentication.

    SOURCES
    [1] Wired; Matt Honan; Hacked: passwords have failed and it’s time for something new; published 17 Jan 2013; http://www.wired.co.uk/magazine/archive/2013/01/features/hacked?page=all
    [2] Wired; Robert McMillan; Google declares war on the password; published 18 Jan 2013; http://www.wired.com/wiredenterprise/2013/01/google-password/
  • 12. Corporate espionage: rise of the ‘watering hole’ attack
    In Q4 2012, we watched the nature of corporate espionage attacks change. Before, almost all recorded corporate espionage cases were based on using specially crafted documents containing exploits and a malware payload. Now, spies have started to leverage vulnerabilities in web browsers and browser plugins to achieve their aims in so-called ‘watering hole’ attacks.

    ‘Watering hole’ attacks are called such because instead of compromising a random website and infecting anyone who happens to visit the site, the attackers are more discriminating in both the users being targeted and the site used as the infection vector. The attackers specifically attack a site which is commonly used by employees of the actual target organization. When these employees visit the compromised site, their browser or computer is then attacked, typically by exploiting a vulnerability that allows trojans or backdoors to be installed on the machine. From that point on, the installed malware becomes the gateway for attackers to reach their real target: the internal network and/or communications of the compromised employee’s companies.

    Numerous examples of corporate espionage attacks have been reported in the F-Secure Weblog over the years, many of them involving poisoned e-mail file attachments sent directly to the targeted organizations.

    These attacks contrast sharply with the most recent case of a watering hole attack—the 21st December 2012 compromise of the Council on Foreign Relations (CFR) website[1]. In this attack, the website was injected with a previously unknown exploit that affected versions 6, 7 and 8 of the Internet Explorer (IE) web browser. Compromising the website itself was not the attacker’s final objective; it was merely used as a conduit to infect the website’s visitors, which naturally include members of the CFR itself. And considering that CFR counts among its members both current and former US political elite and the founders of multinational companies, the list of potential targets is very interesting.

    The rise of web-based attacks in corporate espionage raises two points: first, this trend means that any corporation with an online presence that serves such potentially ‘interesting‘ targets may be at risk of unwittingly serving as an attack conduit; and secondly, obviously, such organizations must now find a way to mitigate such a risk, in order to protect themselves and their clients.

    “Cross-referencing this list [of known attack domains] against the Alexa.com’s list of 1 million most common domains showed that 99.6% of these potential C&C sites were outside of Alexa’s top domains.”

    Figure 1: Screenshots of an e-mail and malicious file attachment used in a targeted attack
  • 13. How a ‘watering hole’ attack works
    Diagram (labels only): Targeted Organization; www (compromised website); Exploit kit; Compromised computer; Attacker; Attacker gains access to compromised computer.

    For companies with online resources that may be vulnerable to ‘watering hole’ attacks, it is very important to invest in web and server security. Performing regular audits to verify that your web server is serving only what it should is also highly recommended.

    Defending against watering hole attacks does not require anything new that should not already be in place to protect against more mundane web attacks which target zero day vulnerabilities, thereby circumventing detection-based security coverage. A corporate security suite with behavioral based detection should of course be a part of the protection solution, as it can still provide a measure of protection by actively looking for and red-flagging suspicious behavior, rather than static reliance on known features to identify a malicious file.

    But when we consider dealing with advanced and persistent attackers, one layer of protection is not enough. At a minimum, corporate users should use Microsoft’s free Exploit Mitigation Toolkit (EMET) to harden their system’s memory handling for client applications such as web browsers, web browser plugins and document readers.

    A second, very effective method of ruining the spy’s day is to use DNS whitelisting in the company‘s DNS server so that only specific, approved public sites can be accessed on the user’s machine. This precaution directly interferes with the spy’s ability to communicate with its installed trojan(s), as well as helping to prevent information stolen from the machine being sent out to the attacker’s command and control (C&C) server.

    Done right, this method also has the advantage of not interfering with the way most users work or browse the Internet. At F-Secure, we maintain a list of known attack domains potentially associated with corporate espionage. Cross-referencing this list against Alexa.com’s list of 1 million most common domains showed that 99.6% of these potential C&C sites were outside of Alexa’s top domains.

    So if your organization is in possession of information that might be interesting to other companies, we recommend a custom DNS whitelisting solution that is relaxed enough to allow your users to work, but still strict enough to block unknown domains. And while attackers can use C&C channels that are trickier to block, such as Twitter or Facebook, this simple precaution does make it more difficult for attackers to operate.

    SOURCE
    [1] The Washington Free Beacon; Chinese Hackers Suspected in Cyber Attack on Council on Foreign Relations; published 27 Dec. 2012; http://freebeacon.com/chinese-hackers-suspected-in-cyberattack-on-council-on-foreign-relations/
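An added example (not F-Secure's code) of the cross-referencing check described above: observed DNS names are reduced to their registrable domain, compared against an allowlist standing in for a "top domains" or approved-sites list, and the names falling outside it are reported for review. The domain lists are constructed for illustration; the .invalid and .test names are placeholders, not real indicators.

```python
"""Cross-reference observed DNS names against an allowlist of known domains.

Added example, not F-Secure's code. The two lists below are constructed for
illustration; a real deployment would load the organisation's approved-site
(or "top domains") list and its DNS query logs instead.
"""
from collections import Counter

# Constructed allowlist standing in for a "top domains" / approved-sites list.
TOP_DOMAINS = {
    "example.com",
    "example.org",
    "wikipedia.org",
    "microsoft.com",
    "google.com",
    "twitter.com",
    "facebook.com",
}

# Constructed sample of names seen in outbound DNS queries: subdomains,
# mixed case, a trailing dot and a bare IP literal are all deliberate.
OBSERVED_QUERIES = [
    "www.Example.com.",
    "mail.google.com",
    "cdn.wikipedia.org",
    "update-service.invalid",        # placeholder suspect domain
    "a1b2c3.update-service.invalid",  # placeholder suspect domain
    "login.corp-portal.test",        # placeholder suspect domain
    "203.0.113.7",                    # RFC 5737 documentation address
]


def registrable_domain(name: str, suffixes=("co.uk", "com.au")) -> str:
    """Reduce a DNS name to its registrable domain ('a.b.example.com' ->
    'example.com'). Only a tiny two-label public-suffix set is hard-coded
    here; real tooling should consult the Public Suffix List."""
    labels = name.strip().lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in suffixes:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_ip_literal(name: str) -> bool:
    """Bare IPv4 literals bypass name resolution and deserve separate review."""
    parts = name.rstrip(".").split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def classify(queries, top_domains):
    """Split observed names into known (in the allowlist), unknown and IP
    literals; also return the share of domain names outside the allowlist."""
    known, unknown, ip_literals = [], [], []
    for q in queries:
        if is_ip_literal(q):
            ip_literals.append(q)
        elif registrable_domain(q) in top_domains:
            known.append(q)
        else:
            unknown.append(q)
    total = len(known) + len(unknown)
    outside_share = (len(unknown) / total) if total else 0.0
    return known, unknown, ip_literals, outside_share


def unknown_domain_counts(queries, top_domains):
    """Query volume per unknown registrable domain: the list a defender
    reviews before deciding what a DNS whitelist should block."""
    _, unknown, _, _ = classify(queries, top_domains)
    return Counter(registrable_domain(q) for q in unknown)


if __name__ == "__main__":
    known, unknown, ips, share = classify(OBSERVED_QUERIES, TOP_DOMAINS)
    print(f"known: {len(known)}, unknown: {len(unknown)}, ip literals: {len(ips)}")
    print(f"share of domain names outside the allowlist: {share:.1%}")
    for dom, n in unknown_domain_counts(OBSERVED_QUERIES, TOP_DOMAINS).most_common():
        print(f"  {dom}: {n} queries")
```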
  • 14. Case Studies
    Bots 15
    ZeroAccess 17
    Zeus 21
    Exploits 25
    Web 28
    Multi-Platform Attacks 32
    Mobile 35
  • 15. Bots: the world of bots in 2012
    In the last few years, various parties have made concerted efforts to take down or hamstring the operation of botnets, which were costing millions of users control of their machines, their data and/or their money. In 2012 however, we saw the resurrection of many of these botnets, often in a more aggressive form and with new malicious products, updated ‘packaging’ or marketing and distribution strategies and more efficient money-making mechanisms.

    ZeroAccess
    Of all the botnets we saw this year, definitely the fastest growing one was ZeroAccess, which racked up millions of infections globally in 2012, with up to 140,000 unique IPs in the US and Europe, as seen on the infection map at right [27].

    Figure 1: Google Earth map of ZeroAccess infections in the US [1]. Red markers indicate an infected unique IP address or cluster of IP addresses.

    The actual malware that turns a user’s computer into a bot is typically served by malicious sites which the user is tricked into visiting. The malicious site contains an exploit kit, usually Blackhole, which targets vulnerabilities on the user’s machine while they’re visiting the site. Once the machine is compromised, the kit drops the malware, which then turns the computer into a ZeroAccess bot.

    The bot then retrieves a new list of advertisements from ZeroAccess’s command and control (C&C) server every day. The ZeroAccess botnet reportedly clicks 140 million ads a day. As this is essentially click fraud, it has been estimated that the botnet is costing up to USD 900,000 of daily revenue loss to legitimate online advertisers. Click fraud has been on the rise as the online advertisement vendors realistically have no way to differentiate between a legitimate click and a fraudulent one.

    Another revenue source for ZeroAccess is its ability to mine for Bitcoin, a virtual currency that is managed in a peer-to-peer (P2P) infrastructure. Bitcoin miners harness the computational power from the bots to perform complex calculations to find a missing block to verify Bitcoin transactions, which rewards them with more Bitcoin currency agreed within the same peer-to-peer network, and these can be converted to cash. More than half of the botnet is dedicated to mining Bitcoin for profit. Further details of ZeroAccess’s profit-generating activities can be found in the case study on page 17.

    Zeus
    Moving on, Zeus (and its rival cum partner, SpyEye) are perhaps still the most talked about banking trojans in 2012. Zeus has been referred to as “the God of Do-it-Yourself botnets”. Despite various takedown efforts, as of the end of December 2012, the ZeuS Tracker project has seen almost 900 ZeuS C&C servers around the world. This number may not be truly reflective of the botnet’s size, as the latest version of Zeus includes a peer-to-peer protocol that maintains communication within the botnet itself, allowing a bot to fetch configuration files and updates from other infected hosts in the botnet. This feature was dubbed “Gameover” and removes the need for a centralized C&C infrastructure, making it harder for security researchers to track the botnet.

    Apart from the introduction of the Gameover feature, the main change with Zeus has been tweaks done to make the malware more user-friendly, in effect making it an attractive resource even for wannabe attackers with low technical capabilities. With its fancy control and administration panel, well documented manual and a builder, Zeus allows both amateur and expert attackers to craft, design and build executables to infect the victim computers in a very short amount of time.

    Citadel, the third derivative of Zeus, sets itself apart by enabling a more rapid deployment of new features and customization through an enhanced user interface, again with the aim of helping novice hackers get in the game of deploying their crimeware. This “dynamic config” functionality allows botmasters to create web injections on the fly, a vital ability in today’s online crime landscape as bots are also taken down
  • 16. quickly. The most important feature for Citadel however is the availability of a “Customer Relationship Management” system through the use of a social network platform to support reporting and fixing bugs. This kit is definitely professional grade, and we expect to see a continuous rise in infections by Citadel in the near future.

Carberp

Following the success of Zeus and SpyEye, Carberp is most notable for making a comeback with a tweaked product and ‘marketing’ approach. First appearing in 2011 as a regular data-stealing banking malware, Carberp’s spread was temporarily hampered by a takedown effort from Russian agencies in early 2012. Unfortunately, in December this botnet was discovered to have resurrected with a new ability to infect a computer’s boot record, a component that launches even before the main operating system (OS) starts, making any malware in the boot record harder to detect and remove.

Carberp’s authors or operators also changed the way the malware was distributed in order to attract more usage from other malware distributors. Carberp was previously only available as a standalone malware through private underground marketplaces. Since its resurrection, Carberp has pursued a new “malware-as-a-service” model that allows users to lease use of the botnet itself for prices ranging from USD 2,000 up to USD 10,000 a month. In addition, the buyer is offered a choice of botnet configurations. The priciest format includes the bootkit functionality, which has boosted its market price to about USD 40,000. Though the prices may seem steep, this rental scheme appears to be particularly attractive to less tech-savvy users who simply want a means to an end - that is, to install more trojans on more victim machines.

Carberp has also spread to the mobile platform in the form of man-in-the-mobile attacks. For a Carberp-in-the-mobile (CitMo) attack to work, the user must have both a mobile app and a computer infected with the desktop version of the Carberp malware. Once the mobile app is installed, it is able to intercept SMS messages containing mTANs (mobile Transaction Authorization Numbers), which are sent by banks as an authentication measure used to validate online transactions performed by the user. The intercepted mTAN is then forwarded to a remote server, from which it is later retrieved and used by the Carberp trojan installed on the same user’s computer in order to gain access to the user’s banking account.

The Carberp-infected mobile app is distributed on the Android platform, with most of the targeted users being customers of European and Russian banks. As online banking continues to rise in many countries, making such online transactions attractive targets to cybercriminals, banking-related botnets such as Carberp are expected to continue growing in 2013.

DorkBot

Then there is DorkBot, which was discovered spreading through Skype in October 2012. The malware steals user accounts and passwords from Facebook, Twitter, Netflix and various Instant Messaging (IM) channels. From an infected social networking account, DorkBot sent out images to the users’ contacts list asking the contacts if the attached image was their profile pic. Falling for this clichéd social engineering tactic resulted in an executable installing a backdoor and the DorkBot worm on the user’s machine, which was then enrolled in a botnet.

Unlike previously mentioned botnets, DorkBot makes its profit through ransom—literally by locking down the victim’s computer, allegedly for the presence of ‘illegal content’ such as pornography or pirated music. It then demands a ‘fine’ of $200 to be paid within 48 hours, failing which the victims would be ‘reported to a government enforcement agency’ for further prosecution. DorkBot is also capable of making more money out of its infected hosts by using their combined power to perpetrate click fraud, which incidentally creates an attractive revenue source for the authors.

Mobile botnets

And finally, though it is still at an embryonic stage in comparison, we are also seeing botnets operating on the mobile platform, specifically Android. These mobile botnets do exactly what botnets did when they first appeared on computers - that is, generate spam.

The SpamSoldier malware sends SMS messages to a hundred Android devices (in the US) at a time. The sender has no idea of this activity, as the sent SMS messages are deleted immediately once sent, making the sky-high phone bills that result an unpleasant surprise. These spam messages may also contain social engineering content, including links that lead to other malware, therefore compounding the malicious effect of these spambots.

SOURCE
[1] F-Secure Weblog; Sean Sullivan; The United States of ZeroAccess; published 20 Sept. 2012; http://www.f-secure.com/weblog/archives/00002430.html
  • 17. ZeroAccess: The most profitable botnet malware in the wild

ZeroAccess is one of today’s most notable botnets. It was first discovered by researchers back in 2010, when it drew a lot of attention for its capability for terminating all processes related to security tools, including those belonging to anti-virus products. When too many researchers focused on this self-protection capability however, ZeroAccess’ author decided to drop the feature and focus more on improving its custom peer-to-peer (P2P) network protocol, which is unique to ZeroAccess. After the change[1], ZeroAccess became easier to spot by anti-virus products, yet it continued to spread like wildfire around the world due to the improved P2P technique[2]. This success can be largely attributed to its affiliate program.

Affiliate program: ZeroAccess success story

Affiliate programs are a well-known marketing strategy and are widely used by many e-commerce websites[3]. Essentially, a business owner with an e-commerce site to promote commissions other site owners to help drive customers to it (and hopefully eventually make a purchase). The website owners are then compensated for providing these customer leads.

Adopting this concept, ZeroAccess’s author or operator(s) has managed to distribute the program to a large number of machines with the help of its enlisted partners.

The ZeroAccess gang advertises the malware installer in Russian underground forums, actively looking for distributor partners. Their objective is to seek other cybercriminals who are more capable in distributing the malware and do so more efficiently.

The malware distributors generally consist of experienced affiliates, each of them employing their own methods of distributing the ZeroAccess installers, in order to fulfill the recruiter’s requirements.

The most popular distribution methods we’ve seen involve exploit kits, spam e-mails, trojan-downloaders, and seeding fake media files on P2P file-sharing services and on video sites, though the specific details in each case depend on the distributor handling the operations.

The variety of distribution schemes and methods used by the numerous affiliates has contributed to the volume of trojan-dropper variants detected by antivirus products every day, all driven by the same motive, which is to collect an attractive revenue share from the gang.

Figure 1: A botnet operator seeking partners in an underground forum

Methods used by ZeroAccess distributors

Downloader trojan: Dropping a downloader trojan onto a machine, which proceeds to download and install the botnet
Exploit kit: Using an exploit kit (e.g., Blackhole) in a drive-by-download attack
Fake media file or keygen or crack: Hosting infected files in P2P file sharing services using enticing names, such as ‘microsoft.office.2010.vl.editi.keygen.exe’
P2P file sharing service: Abusing a P2P file sharing website to host the ZeroAccess installer
Spam email: Sending spam emails containing an attachment or a link that could enable further exploitation
  • 18. Figure: ZeroAccess botnet affiliate program structure (labels on the diagram: ZeroAccess botnet operator, $$$, Bitcoin mining, Click fraud, underground forum, Distributor A, Distributor B, Distributor C, Distributor n, Exploit kits, Spam emails, Downloader trojan, Victims, ZeroAccess P2P network).

The partners are compensated based on a Pay-Per-Install (PPI) service scheme[4] and the rate differs depending on the geographical location of the machine on which the malware was successfully installed. A successful installation in the United States will net the highest payout, with the gang willing to pay USD 500 per 1,000 installations in that location.

Given the rate of pay, it is no surprise that ZeroAccess is widespread in the US alone[5]. After the US, the commission rates sorted from highest to lowest are Australia, Canada, Great Britain, and others. Some distributors even post screenshots of the payments they’ve received in underground forums to show the reliability of their recruiter.

The ZeroAccess gang can afford to pay such high incentives to its recruits because the army of bots created by the affiliates’ efforts is able to generate even more revenue in return. Once the malware is successfully installed on the victim machines, ZeroAccess will begin downloading and installing additional malware onto the machines, which will generate profit for the botnet operators through click fraud and Bitcoin mining operations.

Figure 2: Proof of payments made by recruiter

Botnet operators prefer the click fraud payload because since 2006[6], it has been a proven way to generate income from pay-per-click (PPC) or cost-per-click advertising.
  • 19. Bitcoin mining has too many constraints. For instance, the success of generating a bitcoin depends on the difficulty level of the target specified in the Bitcoin network and might even require some luck[7]. Furthermore, the victim’s machine needs to run on decent CPU power, preferably with GPU or FPGA hardware, in a reasonable amount of time[8]. Even with a large number of botnets, the difficulty factors in solving Bitcoin blocks hinder the Bitcoin mining operation from performing as well as click fraud, which only requires the victims to have an internet connection and a web browser.

Despite the difficulties in Bitcoin mining, the fact that the ZeroAccess botnet was modified to drop its problematic self-protection feature and introduce the Bitcoin mining operations indicates that ZeroAccess’s operators are very ambitious to keep the botnet growing and are not afraid of taking risks.

Chart: ZeroAccess infections, top countries by percentage (%): US 35%, Others 38%, Japan 8%, India 6%, Canada 5%, Romania 5%, Italy 5%. *Based on statistics gathered from national ASN-registered networks.

Conclusion

Given ZeroAccess’s current success as a huge, fully functional profit-generating ‘machine’, it’s unlikely that we’ll see it going away anytime soon. The ZeroAccess malware - which poses the most direct threat to the users - will continue to exist as a hidden danger on malicious or booby-trapped websites. The affiliate program that encourages the spread of malware will continue to attract more cybercriminals due to the botnet operators’ established reputation for reliably paying its affiliates and adjusting commission rates to maintain their attractiveness. And finally, the criminal organizations behind the botnet have demonstrated that they’re willing to experiment and modify their ‘product’ in order to increase their ability to make money. As such, we expect the ZeroAccess botnet to grow and evolve, with new features or feature updates being introduced in the near future.

Chart: ZeroAccess’s profit-generating activities, by percentage (%): Click fraud 83%, Bitcoin mining 17%.

Sources
[1] F-Secure Weblog; Threat Research; ZeroAccess’s Way of Self-Deletion; published 13 June 2012; http://www.f-secure.com/weblog/archives/00002385.html
[2] F-Secure Weblog; Sean Sullivan; ZeroAccess: We’re Gonna Need a Bigger Planet; published 17 September 2012; http://www.f-secure.com/weblog/archives/00002428.html
[3] Wikipedia; Affiliate Marketing; http://en.wikipedia.org/wiki/Affiliate_marketing
[4] Wikipedia; Compensation Methods; http://en.wikipedia.org/wiki/Compensation_methods#Pay-per-install_.28PPI.29
[5] F-Secure Weblog; Sean Sullivan; The United States of ZeroAccess; published 20 September 2012; http://www.f-secure.com/weblog/archives/00002430.html
[6] MSNBC; Associated Press; Google settles advertising suit for $90 million; published 8 March 2006; http://www.msnbc.msn.com/id/11734026/#.ULiDyN2sHvA
[7] Bitcoin Wiki; Target; http://en.bitcoin.it/wiki/Target
[8] Wikipedia; Bitcoin; http://en.wikipedia.org/wiki/Bitcoin
  • 20. Map: ZeroAccess infections in the USA, Japan and Europe*. *Red markers indicate an infected unique IP address or cluster of IP addresses.
  • 21. Zeus: robbing banks in modern times

Zeus makes up a significant portion of banking trojans; it compromises millions of computers around the world and causes millions of dollars in loss to its victims. In a typical operation, Zeus modifies a targeted webpage to collect valuable information, for example by adding a part that requests potential victims to enter additional login details or personal information when they visit the webpage. The information is later used to access the victims’ online accounts and to perform unauthorized transactions.

P2P Zeus geography

Of all derivatives and variants, the peer-to-peer (P2P) version is particularly special because it is private and forms only one large botnet. Other derivatives usually consist of numerous yet smaller botnets, each run by someone who has purchased a version of Zeus. From late August to mid-November 2012, we monitored the P2P bots and tracked the websites that they had targeted to compromise with web injections. The targeted sites were defined by configuration data that the bots received from other infected machines, and which is stored in encrypted form in the Windows registry.

The configuration data revealed that a total of 644 unique URLs were targeted for web injections during the monitoring period, with a special focus on sites based in North America. Not all of these URLs included the domain names. Sometimes, only the path is used for identifying a targeted website. And many domains had several different URLs leading to them, using different paths. After excluding URLs with missing domain names and duplicate domains, a total of 243 unique domains were left. In summary, the targeted websites can be categorized into the following types:

• Personal online banking
• Corporate online banking (mainly for North American small businesses)
• Investment and online trading sites
• Credit card services
• Extremely popular global websites (e.g. Amazon, eBay, Facebook, etc.)

Chart: Web-injection targets by country. Countries shown: USA, Canada, Italy, Poland, Saudi Arabia, UAE, Germany, Rest of the world; bar values as extracted: 88, 47, 23, 18, 15, 14, 11, 10 (USA 88 and Canada 23 per the text below).

Geographically, North America is the primary focal point of the P2P Zeus botnet, where it targeted 88 US-based websites and 23 Canadian-based websites. Several European countries were also hot targets for web injection. In the configuration data, entries involving Italian websites were actively added, removed or changed; throughout the changes, Italy still remains one of the favorite targeted countries. Poland started to creep into one of the top spots when 15 Polish sites were added to the targeted list in September and October, when there were none listed in August. A real surprise from the findings is the number of targeted Middle Eastern banks as compared to the number of infections in the same area.

When it comes to the number of machines infected with P2P Zeus, the US leads the pack followed by Italy. This number was based on 5395 random samples analyzed between July and November. After the US and Italy, no other countries in the subsequent positions really stand out from the pack, as the difference in the number of infections varies only slightly.

Top-10 countries with the most P2P Zeus infections

Country | Unique IPs | % of all IPs
USA | 1809 | 33.53%
Italy | 439 | 8.14%
Germany | 205 | 3.80%
Georgia | 203 | 3.76%
Mexico | 179 | 3.32%
Canada | 168 | 3.11%
  • 22. Country | Unique IPs | % of all IPs
India | 167 | 3.10%
Brazil | 143 | 2.65%
Romania | 133 | 2.47%
Taiwan | 110 | 2.04%

Every month, the US and Italy were consistently positioned at the top in terms of infection numbers. When Polish sites started to become targets, the number of infections in Poland more than doubled, but this number only accounted for two percent of the total amount even at its highest point in November.

Chart: Percentages (%) of infected IPs per month, July to November (JUL, AUG, SEP, OCT, NOV), for Poland, Taiwan, Mexico, India, Canada, Germany, Georgia, Italy and the USA; y-axis from 10% to 80%.

Earlier this year, Dell SecureWorks Counter Threat Unit[3] was able to connect to approximately 100,000 P2P Zeus bots. Using this number as a minimum botnet size, we can say that the most affected Internet Service Providers (ISPs) could have several thousand P2P Zeus infections on their customers’ machines.

New backdoor commands in Zeus derivatives

Zeus’s capability is not limited to serving as a banking trojan only. Since the beginning of its release, it has always contained some backdoor features that are controlled by simple scripts as ordered by the botnet owner. These scripts are delivered to infected machines through command and control (C&C) servers.

Different derivatives (i.e. Citadel, Ice IX, and P2P) that popped up after the original Zeus 2 source code was leaked online have received drastically different commands since then. These commands provide a good indication of the development pace of each derivative. Citadel leads with 20 new commands while Ice IX only received one, making it the closest version to the leaked version 2.0.8.9. For Citadel and Ice IX, the earliest date listed on each respective table was also the date when we ran into the first sample of the derivative. For the P2P variant however, we received the first sample on 3rd September 2011 but only saw the first changes to the backdoor commands six months later.

The tables below list all new commands that are callable. Some of these may not implement any action and we did not track any possible changes in the behavior of each command. Please take note that the dates used in the tables were based on when we first received the sample with that particular command rather than when the Zeus author rolled out the changes.

Callable commands in the Zeus botnet

P2P variant
Command | First seen
fs_find_by_keywords** | 2012-03-30
fs_find_add_keywords | 2012-04-09
fs_find_execute | 2012-04-09
fs_pack_path | 2012-05-24
ddos_address | 2012-05-24
ddos_execute | 2012-05-24
ddos_type | 2012-05-24
ddos_url | 2012-05-24
** fs_find_by_keywords was a short-lived command in the P2P variant; it was last seen in a sample received on 3rd April 2012.

Citadel
Command | First seen
dns_filter_add | 2011-12-10
dns_filter_remove | 2011-12-10
url_open | 2012-02-12
module_download_disable | 2012-05-07
module_download_enable | 2012-05-07
module_execute_disable | 2012-05-07
module_execute_enable | 2012-05-07
info_get_antivirus | 2012-05-07
info_get_firewall | 2012-05-07
info_get_software | 2012-05-07
ddos_start | 2012-07-03
  • 23. Citadel (continued)
Command | First seen
ddos_stop | 2012-07-03
close_browsers | 2012-09-11
webinjects_update | 2012-09-11
download_file | 2012-09-11
search_file | 2012-09-11
tokenspy_update | 2012-09-11
upload_file | 2012-09-11
tokenspy_disable | 2012-10-06
bot_transfer | 2012-10-06

Ice IX
Command | First seen
bot_update_exe | 2011-11-03

Besides being used as a banking trojan, some Zeus botnets may now also be used to perform distributed denial of service (DDoS) attacks on targeted websites, where interested parties can rent a botnet from the controller for certain fees. As can be seen from the new backdoor commands, both the Citadel and the P2P versions received the DDoS features during the summer, but the reason behind the P2P feature update may be different. According to Dell SecureWorks Counter Threat Unit[3], the crew running the P2P variant used DDoS attacks to prevent victims of banking trojans from accessing their online banking accounts until the fraudulent transactions had been completed. Thus the reason for the DDoS feature update may be to stop having to rent a third-party botnet kit that the gang had been using to conduct attacks that took place between November 2011 and summer 2012.

Zeus 2 Timeline of Notable Events

01.04.2010 Birth of Zeus 2.0.0.0
xx.10.2010 SpyEye author received Zeus source code[1]
xx.04.2011 Earliest known date of Ice IX debut[2]
xx.05.2011 Zeus 2.0.8.9 source code leaked online
xx.08.2011 First public sale of Ice IX on the internet
03.09.2011 Earliest P2P Zeus variant identified by FS Labs
05.09.2011 First P2P Zeus backup domain registered
03.11.2011 Earliest Ice IX sample identified by FS Labs
xx.11.2011 P2P gang started incorporating DDoS attack in their operations[3]
xx.12.2011 First date of Citadel identification[4]
10.12.2011 Earliest Citadel sample seen by FS Labs
30.03.2012 First change made to P2P Zeus backdoor commands
07.05.2012 Citadel received backdoor commands to control additional modules
14.05.2012 A custom Zeus 2 variant that includes ransomware features found
24.05.2012 DDoS feature added to P2P Zeus
03.07.2012 DDoS feature added to Citadel

SOURCES
[1] KrebsonSecurity; Brian Krebs; SpyEye v. ZeuS Rivalry Ends in Quiet Merger; published 24 Oct 2010; http://krebsonsecurity.com/2010/10/spyeye-v-zeus-rivalry-ends-in-quiet-merger/
[2] RSA FraudAction Research Labs; New Trojan Ice IX Written Over Zeus’ Ruins; published 24 Aug 2011; http://blogs.rsa.com/rsafarl/new-trojan-ice-ix-written-over-zeus-ruins/
[3] Dell SecureWorks; Brett Stone-Gross; The Lifecycle of Peer-to-Peer (Gameover) ZeuS; published 23 Jul 2012; http://www.secureworks.com/cyber-threat-intelligence/threats/The_Lifecycle_of_Peer_to_Peer_Gameover_ZeuS/
[4] Seculert Blog; Citadel - An Open-Source Malware Project; published 8 Feb 2012; http://blog.seculert.com/2012/02/citadel-open-source-malware-project.html
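The reduction described in the P2P Zeus geography section, from 644 targeted URLs down to 243 unique domains after dropping path-only entries and collapsing the several URLs that point at one domain, is a normalization step an analyst repeats on every new configuration. The Python below is an added example, not code from the report or from F-Secure. Its target entries are constructed to resemble the forms the text describes (full URLs, wildcard hosts, path-only entries) and are not real Zeus configuration data; treating a leading "*." label as "any host under this domain" and collapsing hosts to their last two labels are simplifications assumed for the example, which a real analysis would replace with a public-suffix list.

```python
"""Reduce a Zeus-style web-inject target list to unique domains.

Added example, not the report's own code. The sample entries are
constructed to mimic the shapes the text describes (full URLs, several
URLs per domain, wildcard hosts, path-only entries) and are not real
configuration data.
"""
from urllib.parse import urlsplit

# Constructed web-inject target entries (not real indicators).
SAMPLE_TARGETS = [
    "https://online.bank-one.example/login.aspx",
    "https://online.bank-one.example/accounts/summary*",
    "http://*.bank-one.example/*",            # wildcard host, same domain
    "*/cgi-bin/wires/transfer.cgi*",          # path only: no domain at all
    "https://secure.trading-two.example/portfolio",
    "*/ibank/login.do",                       # path only
    "https://cards.three.example/*",
    "https://cards.three.example/statement",
    "https://www.shop-four.example/signin",
]


def target_domain(entry):
    """Return the registrable domain of a target entry, or None when the
    entry identifies a page by path only.

    Assumptions for this example: a leading '*.' label means "any host
    under this domain", and the registrable domain is the last two labels
    (a real analysis would consult a public-suffix list for e.g. .co.uk).
    """
    entry = entry.strip()
    if entry.startswith(("*/", "/")):
        return None                       # no host part to work with
    if "://" not in entry:
        entry = "http://" + entry         # let urlsplit see a scheme
    host = urlsplit(entry).hostname or ""
    host = host.lstrip("*.").lower()      # drop the wildcard label
    labels = [label for label in host.split(".") if label]
    if len(labels) < 2:
        return None
    return ".".join(labels[-2:])


def domains_with_urls(entries):
    """Map each unique domain to the target entries that point at it."""
    grouped = {}
    for entry in entries:
        domain = target_domain(entry)
        if domain:
            grouped.setdefault(domain, []).append(entry)
    return grouped


def summarize(entries):
    """Counts matching the report's own reduction: URLs -> unique domains."""
    grouped = domains_with_urls(entries)
    path_only = sum(1 for e in entries if target_domain(e) is None)
    return {
        "total_urls": len(entries),
        "path_only": path_only,
        "unique_domains": len(grouped),
        "domains": sorted(grouped),
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_TARGETS)
    print(f"{result['total_urls']} target URLs, {result['path_only']} path-only,"
          f" {result['unique_domains']} unique domains:")
    for domain, urls in sorted(domains_with_urls(SAMPLE_TARGETS).items()):
        print(f"  {domain}: {len(urls)} entries")
```

Run stand-alone, the script reports 9 target URLs, 2 path-only entries and 4 unique domains, and the per-domain grouping shows why a raw URL count overstates the number of institutions a configuration actually targets.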
  • 24. The complete infographic can be viewed at http://bit.ly/How2RobBanks
  • 25. Exploits: Top Targeted Vulnerabilities in 2012

In 2012, we saw the exploitation of known vulnerabilities in a popular program or the operating system become one of the most popular, if not the most popular, technique used by malware distributors, hackers and attackers in order to gain access to or control of a user’s machine.

From the normal user’s perspective, the most likely scenario in which they are likely to encounter an attempted vulnerability exploit of their machine is through visiting a malicious or compromised website. Though some attacks continue to use tried-and-true social engineering tactics, which require an element of deception and are relatively easy for an alert user to spot (“Click this link for free stuff!” or “Download this codec to view this tantalizing video!”), in more sophisticated attacks users are unlikely to see any overt signs that an attack has taken place at all; instead, their machine is quickly and silently compromised during the short period it was exposed to the malicious or compromised website.

In some cases, the attack is tailored specifically to target a particular set of users. Targeted user groups are typically either the users of specific banks (making the attack a case of monetary theft) or users employed by a specific company or in a specific field (essentially corporate or political espionage, see the Corporate Espionage case study on page 12). These targeted attacks are hardly new—we’ve seen cases of spear phishing come and go over the years. The main change that we’ve seen in the last few years is that rather than depending on the user to download an infected attachment or enter sensitive data into a malicious page masquerading as a legitimate portal, the attacks now make use of exploits and/or exploit kits to directly compromise the user’s machine, without needing any action from the user.

In 2012, we saw a wide range of exploits being used to target known vulnerabilities, but surprisingly, statistics from F-Secure’s cloud lookup systems indicate that in most countries, the majority of exploits detected were related to only four vulnerabilities, all reported within the last two years and designated with official Common Vulnerabilities and Exposures (CVE) identifiers. The preference for targeting these four vulnerabilities may be related to the fact that some of the most popular exploit kits of today, particularly BlackHole and Cool Exploit, have incorporated the exploits targeting these vulnerabilities into their capabilities. Ironically, most of these vulnerabilities have already had security updates or patches released by the relevant software vendors. Two other Java-specific vulnerabilities, though nowhere near as frequently targeted as the first four, also saw enough attacks to be worth noting.

These then are the most commonly targeted CVE vulnerabilities of 2012:

CVE-2011-3402
A vulnerability in the TrueType font parsing engine used in the kernel drivers of various Microsoft Windows operating system versions (including XP, Windows Vista and Windows 7) allows remote attackers to run arbitrary code on a user’s machine. The attack uses a Word document or web page containing specially crafted malicious font data. More information on this vulnerability can be found on the infographic on page 27.

CVE-2010-0188
A vulnerability in Adobe Reader and various versions of Adobe Acrobat allows attackers to use a specially crafted PDF document to force the application to crash, causing a denial of service. According to reports, the attack document is also able to drop a malicious file onto the compromised system, which then connects to a remote site for further instructions.

CVE-2012-4681
Vulnerabilities in the Java Runtime Environment (JRE) running in web browsers allow attackers to use a specially crafted applet to run arbitrary code on the compromised machine. Users are most commonly exposed to the malicious applet when they are directed (either through social engineering or poisoned search results) to a malicious webpage hosting the applet.

CVE-2012-5076
A vulnerability in the JRE component of Oracle Java SE 7 Update 7 and earlier allows attackers to use a specially crafted applet to run arbitrary code on the compromised machine, usually to download additional malicious files onto it.

CVE-2012-0507
A vulnerability in the AtomicReferenceArray of various versions of Oracle Java allows attackers to essentially breach the ‘sandbox’ or contained environment of the Java installation, permitting the attacker to perform malicious actions on the affected machine.

CVE-2012-1723
A vulnerability in the Java HotSpot VM in the JRE component of various versions of Oracle Java allows attackers to essentially breach the ‘sandbox’ or contained environment of the Java installation, permitting the attacker to perform malicious actions on the affected machine.
  • 26. Infographic: Most Targeted CVE Vulnerabilities, Top 10 Countries, H2 2012

These were the top 10 countries that saw the most exploits targeting known CVE vulnerabilities in H2 2012, ranked by Exploit Prevalence, which is calculated as the count of CVE-related detections reported per 1,000 users in the country for that time period. For example, during H2 2012, our systems recorded a CVE-related exploit detection for 139 of every 1,000 users in the Netherlands. Also listed are the top 4 CVE vulnerabilities targeted in each country, as well as their relative percentage of all CVE-related detections from that country.

Country | Exploit Prevalence | Top 4 CVEs (% of the country’s CVE-related detections)
Netherlands | 139 | 2011-3402: 39%, 2010-0188: 32%, 2012-4681: 17%, 2012-5076: 9%
Belgium | 121 | 2011-3402: 36%, 2010-0188: 35%, 2012-4681: 16%, 2012-5076: 11%
Sweden | 102 | 2011-3402: 31%, 2010-0188: 29%, 2012-4681: 29%, 2012-5076: 9%
Italy | 88 | 2010-0188: 38%, 2012-4681: 29%, 2011-3402: 22%, 2012-5076: 8%
US | 87 | 2012-4681: 47%, 2012-5076: 25%, 2011-3402: 16%, 2010-0188: 9%
Germany | 78 | 2012-4681: 32%, 2010-0188: 26%, 2011-3402: 22%, 2012-5076: 15%
France | 69 | 2011-3402: 32%, 2010-0188: 28%, 2012-4681: 24%, 2012-5076: 13%
UK | 67 | 2011-3402: 30%, 2012-4681: 28%, 2010-0188: 28%, 2012-5076: 11%
Poland | 61 | 2010-0188: 35%, 2012-5076: 24%, 2011-3402: 21%, 2012-4681: 16%
Finland | 45 | 2010-0188: 33%, 2012-5076: 25%, 2011-3402: 21%, 2012-4681: 17%
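To make the Exploit Prevalence metric and the per-country top-4 breakdown concrete, the following Python is an added example (not F-Secure’s code, telemetry or figures) that computes both from a handful of constructed detection records and constructed user-base sizes. It generalizes the definition above to any number of countries and CVEs; note that prevalence counts detections rather than distinct users, as the text defines it, so a user reporting two detections contributes twice.

```python
"""Exploit Prevalence (CVE-related detections per 1,000 users) per country.

Added example, not F-Secure's code or telemetry. The detection records
and user counts below are constructed; the metric follows the definition
given in the infographic text.
"""
from collections import Counter

# Constructed detection records: (country, user id, CVE). A user may
# report several detections; prevalence counts detections, not users.
DETECTIONS = [
    ("NL", "u01", "CVE-2011-3402"), ("NL", "u02", "CVE-2011-3402"),
    ("NL", "u02", "CVE-2010-0188"), ("NL", "u03", "CVE-2012-4681"),
    ("NL", "u04", "CVE-2012-5076"),
    ("FI", "u11", "CVE-2010-0188"), ("FI", "u12", "CVE-2012-5076"),
    ("FI", "u13", "CVE-2011-3402"),
    ("PL", "u21", "CVE-2010-0188"), ("PL", "u22", "CVE-2010-0188"),
    ("PL", "u23", "CVE-2012-5076"), ("PL", "u24", "CVE-2012-0507"),
]

# Constructed size of the user base per country (the denominator).
USERS = {"NL": 40, "FI": 60, "PL": 50}


def exploit_prevalence(detections, users):
    """Detections per 1,000 users for every country in `users`."""
    per_country = Counter(country for country, _, _ in detections)
    return {c: round(per_country[c] * 1000 / n) for c, n in users.items()}


def top_cves(detections, country, n=4):
    """The n most-seen CVEs in a country and their share (%) of that
    country's CVE-related detections, most frequent first."""
    cves = Counter(cve for c, _, cve in detections if c == country)
    total = sum(cves.values())
    if not total:
        return []                      # no detections from that country
    return [(cve, round(100 * k / total)) for cve, k in cves.most_common(n)]


def ranked_report(detections, users, n=4):
    """Countries ranked by prevalence, each with its top-n CVE breakdown."""
    prevalence = exploit_prevalence(detections, users)
    order = sorted(prevalence, key=prevalence.get, reverse=True)
    return [(c, prevalence[c], top_cves(detections, c, n)) for c in order]


if __name__ == "__main__":
    for country, prev, cves in ranked_report(DETECTIONS, USERS):
        breakdown = ", ".join(f"{cve}: {pct}%" for cve, pct in cves)
        print(f"{country}: prevalence {prev} per 1,000 users; {breakdown}")
```

With the constructed data, NL comes out at 125 detections per 1,000 users, PL at 80 and FI at 50, which is why a small country can outrank a large one in this table: the metric is normalized by user base, not by raw detection volume.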
  • 27. Infographic: CVE-2011-3402

Most Exploited Users, Top 15 Countries. Calculated as the count of CVE-2011-3402-related detections per 1,000 users in the country, as seen by F-Secure’s cloud lookup systems in H2 2012. For example, in Belgium, 72 out of every 1,000 users reported seeing a CVE-2011-3402-related detection in the second half of the year. Countries shown on the map: Belgium, Sweden, Netherlands, UK, Denmark, USA, Poland, Germany, Czech Republic, Austria, France, Greece, Switzerland, Spain, Italy.

First reported in 2011, the term CVE-2011-3402 refers to a vulnerability in the Windows operating system component that handles TrueType fonts. Shortly afterwards, an exploit became public that took advantage of this vulnerability to, among other things, install malware onto the affected system.

The exploit was first used in the Duqu malware, which only targeted specific organizations in certain countries. In October 2012, the exploit was added to the Cool Exploit kit, and shortly after to 5 other kits as well. It quickly became one of the most common exploits seen by normal computer users in H2 2012.

The Cool (kit) factor: In H2 2012, most of the malicious sites we saw with the CVE-2011-3402 exploit were using the Cool Exploit kit to attack unsuspecting site visitors. Chart: Cool 87%, Blackhole 2%, Others 11%.

The Euro zone: 60% of malicious sites hosting kits with the CVE-2011-3402 exploit were registered to just 2 countries: France and Germany. Chart: Germany 34%, France 26%, with Ukraine, Russia, USA and UK also shown.

The greatest hits: Despite being relatively new, of all CVE-related hits logged by F-Secure’s cloud lookup systems in H2 2012, CVE-2011-3402-related detections were the second most frequent. Chart, most to least frequent: CVE-2012-4681, CVE-2011-3402, CVE-2010-0188, CVE-2012-5076, CVE-2012-0507.
  • 28. Web: The increasingly greying web

There is a worrying trend that is gaining momentum on the Web today. The empowerment afforded by dynamic hosting of all things virtual, which continuously makes a staggering amount of exciting content available at lightning speed, is at the same time contributing to an online landscape that’s turning increasingly grey. More and more malware and malicious content are becoming available, and to an ever widening audience.

Never has posting content online been so easy. Anything can be backed up and saved for posterity, and websites can be created in seconds without any special technical knowledge. This is a happy state of affairs for everyone, from the fledgling business owner who wants to minimize costs while reaching a wider audience with his product, to the activist who wants to remain anonymous while bringing more visibility to his cause—and of course, the bad guys who want to rake in more profits from infected user machines, stolen data and hijacked bank accounts.

Top 20 top-level domains (TLDs) serving malicious URLs, Aug-Dec 2012

TLD | %
.com | 44.51
.ru | 6.62
.net | 6.53
.org | 4.44
.ua | 3.67
.info | 2.49
.cn | 2.41
.cc | 2.17
.de | 1.53
.br | 1.18
.in | 1.10
.pl | 1.01
.uk | 0.84
.eu | 0.65
.it | 0.58
.kr | 0.55
.fr | 0.54
.es | 0.52
.nl | 0.51
.biz | 0.50
TOTAL | 82.35

Content Hosting/Channeling Locations

Traditionally, the bad guys have hosted their malicious products on standalone websites. Recent developments in the site hosting industry have made this option even more attractive for those with malicious intent.

Website hosting has not only become so generic and affordable that domain purchases can be done in bulk; now subdomain hosting has also emerged to make hosting content online even cheaper, often even totally free.

As diverse as these hosting sites may be, some are more conducive to hosting malware than others. Image-hosting sites for example have not been heavily abused to host malware yet. Some types of hosting sites though, by their very nature, can readily serve malicious content. The following are some services most heavily used by malware distributors:

• Dynamic DNS providers
• Subdomain and Redirection Hosting
• Blog and Content Hosting
• File Hosting
• App markets

All of these services are favored due to their ease of use, a high level of anonymity and the fact that they are cheap or even free. Although all these services have seen notable growth in malware hosting, the heaviest growth is most evident in dynamic DNS providers and app markets (for more on app market malware hosting, see our Mobile case study on page 35).

As the number of subdomain hosting offerings from Dynamic DNS providers has increased, so has the amount of malicious content being channeled through them. On checking one of the top 3 dynamic DNS providers (no-ip.com, dnsdynamic.org and changeip.com), 165 out of 189 of the domains that they support, or 87%, hosted malicious content. Granted, this rough estimate accounts for only 1% of all malicious URLs from that time period, but it also doesn’t yet factor in malicious content hosted by other providers, including those like afraid.org, which currently has 98,302 domains at its disposal.

Then comes subdomain and redirection hosting. Although they have surrendered a lot of ground to dynamic DNS providers, these sites are still around and providing their fair share of malicious content. A significant number of them (such as uni.me, 110mb.com, vv.cc, x10.mx and rr.nu) are heavily used to host malware. Even when a major player, co.cc, mysteriously vanished, most of these subdomain hosting sites continued to thrive.

Not to be left behind are various flavors of file, blog and other content hosting sites. While these sites provide empowerment to the masses, they also enable the bad guys to push their wares with ease. Let’s take Wordpress, the most popular Content
  • 29. Management System (CMS) online at the moment 59% market Ad-Serving Networks share[1], as an example. Its user-friendliness has revolutionized In the age of empowerment with all these platforms to post the content creation sphere, giving even the least tech-savvy free content floating around, someone needs to foot the writer a voice and presence in the cyberworld. However, since bill for all the infrastructure behind it. Techcrunch has an the bad guys are also well aware of the statistics, exploit kits interesting analysis[2] of modern-day monetization techniques have been targeting sites served via the Wordpress CMS, using used by ad services and the way it affects the mobile landscape them as redirection pages for malware, scamware and various as well. That aside, a darker side of advertising has also come shades of greyware. in, in the form of malvertising. Finally, file hosting sites are an easy way to backup and share Malvertising is a rapidly growing trend. A quick look at the both legitimate files and malware online. A significant amount Alexa’s domain rankings is enough to show the appeal: of of the executable malware pulled from the file hosting sites is the top 1000 domains, 5.9% of them belong to ad-serving networks. And of course users don’t“On checking one of the top 3 dynamic DNS see the ads on these networks by going to the ad-sites themselves,providers...165 out of 189 of the domains that but rather by visiting other content- providing websites, which pulls thethey support, or 87%, hosted malicious content.“ ads from the ad-servers. Quite a lot of websites nowadays display content from remote, dropped by trojan downloaders straight to the system without third-party locations, in addition to the actual domain where any user intervention. File hosting sites provide a free and the sites reside. Let’s take the ESPN website as an example. 
readily disposable malware-hosting alternative for attackers, Aside from the actual webpage espn.go.com, it pulls content who would otherwise have to use the more technically- from these locations: challenging dynamic DNS, subdomain hosting sites or even standalone domains. • espncdn.com – page formatting and content • dl-rms.com, doubleclick.net, 2mdn.net, scorecardresearch.com, ooyala.com, adnxs.com, adroll. Social Networking and Social Media Sites com, mktoresp.com – ads and monetization-related While social networking and social media sites are very links effective locations to distribute grey content, big players such • chartbeat.com, google-analytics.com, etc – web traffic as Facebook and Twitter have been very engaged in improving statistics their security. Facebook has partnered with security experts in • typekit.com, etc – kits/software hopes of cleaning up the massive amount of data that handled by their systems daily and their efforts have largely been Given the multiple content sources involved, the website’s successful. security is no longer about just the content-display site alone, but is also affected by the integrity of the ad-serving networks The amount of malicious apps and scams posted to Facebook providing the content, and even the security of the kits or pages has lessened over the years, and in H2 2012 alone, we softwares used on the site. Unfortunately, it can be tricky found less than 30 grey apps on the social networking site. managing security when it is spread over so many disparate Web Twitter also has their own URL shortening service (t.co) to help elements. sanitize as much greyware from the shared links as possible. Even though Facebook and Twitter are boosting security, The bad guys are aware of this and readily exploit it. The most that still leaves other social networking sites, often serving common attacks via ads seen so far involve distribution of a country-specific users and each with their own security issues. 
malicious ad and compromising the ad-platform used by the host website. A clear example of this occurred when an The fundamental problem with social-networking sites really is advertising network that serves one of Finland’s most popular they are perfect venues for social engineering attacks. Despite websites, suomi24, inadvertently served a rogue ad. Since continuing user education and increased user awareness, suomi24 is one of the top 15 websites in Finland, this resulted there’s still the odd user who unwittingly clicks on a ‘juicy’ link in a dramatic spike in detections numbers for the country —and in that way, the grey stuff, which are mostly scams, still during the period of 1–4 December 2012[3]. spreads. web 29
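The ESPN breakdown above, and the TLD and hosting-category figures earlier in this section, are the kind of thing a practitioner wants to reproduce for a page or a URL feed of their own. The following is an added example, not code from the report or from F-Secure: it parses a page for the hosts its resource tags load from, maps each to a registrable domain and a category, and computes TLD and category shares for a list of URLs. The category map, the tiny stand-in for the public suffix list, the sample page and the URL list are all constructed for the example; the provider names in the map are the ones the text names.

```python
# Added example (not F-Secure's code): audit the third-party hosts a page pulls
# content from and classify them, then compute TLD and hosting-category shares
# for a list of URLs.  Category map and sample data below are constructed.
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Illustrative category map keyed by registrable domain.  Dynamic-DNS and
# subdomain-hosting entries are the providers named in the text; ad, analytics
# and CDN entries are taken from the ESPN breakdown.
CATEGORIES = {
    "doubleclick.net": "ad network", "2mdn.net": "ad network",
    "adnxs.com": "ad network", "adroll.com": "ad network",
    "scorecardresearch.com": "ad network", "dl-rms.com": "ad network",
    "ooyala.com": "ad network", "mktoresp.com": "ad network",
    "google-analytics.com": "analytics", "chartbeat.com": "analytics",
    "espncdn.com": "cdn", "typekit.com": "third-party kit",
    "no-ip.com": "dynamic dns", "dnsdynamic.org": "dynamic dns",
    "changeip.com": "dynamic dns", "afraid.org": "dynamic dns",
    "uni.me": "subdomain hosting", "110mb.com": "subdomain hosting",
    "vv.cc": "subdomain hosting", "x10.mx": "subdomain hosting",
    "rr.nu": "subdomain hosting", "adf.ly": "url shortener",
}

# Tiny stand-in for the public suffix list so that shop.example.co.uk maps to
# example.co.uk rather than co.uk.  A real audit should load the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.br", "com.cn", "co.kr", "com.ar", "com.ua"}


def registrable_domain(host):
    """eTLD+1 of a host name, e.g. ad.doubleclick.net -> doubleclick.net."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def tld(host):
    return "." + host.lower().rstrip(".").rsplit(".", 1)[-1]


def classify(host):
    return CATEGORIES.get(registrable_domain(host), "unclassified")


class ResourceCollector(HTMLParser):
    """Collect host names referenced by resource-loading tags."""
    RESOURCE_ATTR = {"script": "src", "img": "src", "iframe": "src",
                     "link": "href", "embed": "src", "source": "src"}

    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        attr = self.RESOURCE_ATTR.get(tag)
        if attr:
            host = urlsplit(dict(attrs).get(attr) or "").hostname
            if host:                      # relative URLs have no host
                self.hosts.append(host)


def third_party_report(html, page_host):
    """Map each third-party registrable domain on the page to its category."""
    collector = ResourceCollector()
    collector.feed(html)
    first_party = registrable_domain(page_host)
    return {registrable_domain(h): classify(h)
            for h in collector.hosts if registrable_domain(h) != first_party}


def share(urls, key):
    """Percentage breakdown of URLs by key(host), rounded to 2 decimals."""
    counts = Counter(key(urlsplit(u).hostname or "") for u in urls)
    total = sum(counts.values())
    return {k: round(100.0 * n / total, 2) for k, n in counts.items()}


# Constructed page modelled on the ESPN breakdown, plus one dynamic-DNS host.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="https://a.espncdn.com/site.css">
<script src="//use.typekit.com/kit.js"></script>
<script src="https://www.google-analytics.com/ga.js"></script>
</head><body>
<img src="/images/logo.png">
<iframe src="https://ad.doubleclick.net/adi/espn"></iframe>
<script src="http://widget.example.no-ip.com/w.js"></script>
</body></html>"""

# Constructed list standing in for a malicious-URL feed.
SAMPLE_MALICIOUS_URLS = [
    "http://update.no-ip.com/setup.exe",
    "http://files.uni.me/pack.zip",
    "http://dl.example.com/a.exe",
    "http://shop.example.co.uk/login",
    "http://cdn.example.ru/x.jar",
]

if __name__ == "__main__":
    for dom, cat in sorted(third_party_report(SAMPLE_PAGE, "espn.go.com").items()):
        print(f"{dom:25} {cat}")
    print(share(SAMPLE_MALICIOUS_URLS, tld))
    print(share(SAMPLE_MALICIOUS_URLS, classify))
```

Run against a real page, the report shows at a glance which of the loaded origins are ad networks or third-party kits (the parts of the page whose integrity the site owner does not control), and a host that resolves to a dynamic DNS provider or a known subdomain host stands out immediately. The two-label fallback in registrable_domain is only adequate with a full public suffix list; without one, hosts under suffixes such as com.ua would be mis-grouped, which is why the table above lists .ua as a TLD share rather than per-domain.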
Figure 1: Comparison of detections in Finland reported by F-Secure's cloud lookup system for the periods 24–27 November and 1–4 December 2012 (chart: count of detections per day, Saturday to Tuesday, for each period)

Ad-platform attacks, though requiring rather more technical sophistication, are also effective. A recent example was reported by Websense[4] and involved the ad server itself being compromised so that malicious code was served on the site.

Another popular malvertising distribution mechanism is the adf.ly URL shortening service, which pays users for sharing links. Alexa ranks it as the 76th most visited site worldwide, and no. 37 in India. With 116,165 sites linking to it, this service has a very wide reach. For more insight into the malicious ads being served through this service, Malekal[5] tracks the spread of malvertising on the service through all of 2012.

A glance at the top 1000 most visited sites

Now let us check Alexa's top 1000 most visited sites and see what is really there. The ranks are peppered with search engines, social networking and social media sites, news and shopping sites, and a variety of content, file and ad-hosting sites.

File hosting sites make up 1.9% of the most visited sites, while websites with some form of social networking or social media account for 3.4%. Ad-serving networks account for 5.9% of the top 1000 websites. Although only a handful of them have been found to serve malicious content as of H2 2012, they definitely provide a big playground for possible exploitation and as such need to be secured.

The greatest amount of malicious content came from content-hosting sites. In H2 2012 we saw that 56 out of Alexa's top 1000 sites, or 5.6% of the top sites, hosted malicious content, usually a link or redirection to malware or a phishing scam. More intriguingly, we saw that 95.4% of all the malicious URLs found on these 56 sites came from only a handful of domains.

Note that so far we have only considered outright malicious programs or scams; we have not included suspect but borderline legitimate schemes that use health, beauty, money and sexuality concerns to lure victims into parting with their information or cash.

These types of scams are also creeping up the charts, especially in the country-level top visited sites. For example, in late H2, 2% of Argentina's top 500 sites hosted survey/reward sites. Australia, Spain, Iceland, Hungary and Armenia are also seeing their own share of get-rich-quick or win-something-quick websites.

These types of schemes, however, are generally considered Potentially Unwanted rather than Malicious, and therefore belong to another shade of grey.
Top domains hosting malware, as listed in Alexa's Top 1000 domains for H2 2012

DOMAIN           DESCRIPTION
MAIL.RU          blog hosting, file hosting, various services
LETITBIT.NET     file hosting
CLOUDFRONT.NET   content hosting and delivery, various services
DROPBOX.COM      file hosting
HOTFILE.COM      file hosting
FC2.COM          blog hosting, file hosting, various services
GOOGLE.COM       document hosting, file hosting, search engine, various services
COMCAST.NET      site hosting, various services
SENDSPACE.COM    file hosting
4SHARED.COM      file hosting
BLOGSPOT.DE      blog hosting
AMAZONAWS.COM    general hosting, web services, various other services
SAPO.PT          site hosting
UCOZ.COM         site hosting
RAPIDSHARE.COM   file hosting

NOTE: Ranking data from Alexa.com was cross-checked against a third-party partner's URL rankings. Malware statistics came from F-Secure's cloud lookup systems, for the period August to December 2012.

Conclusion

It is truly amazing how much freedom the Internet offers to its users, and how interconnected it makes its netizens. With the only prerequisite nowadays being an ability to access the Internet through whatever device is handy, it has become a true force for empowerment for people from different corners of the globe.

The dark side of this renaissance, however, is that malicious behavior is also becoming so empowered that it can strike from any corner of the Internet. Internet safety has been redefined. Although some sites are still safer than others, nothing is 100% safe anymore.

For users, this means that online safety is becoming more and more a personal issue, requiring multiple layers of protection and a healthy dose of paranoia to at least minimize the exposure.

Sources
[1] Opensource CMS; CMS Market Share; http://www.opensourcecms.com/general/cms-marketshare.php
[2] TechCrunch; Keith Teare; Unnatural Acts And The Rise Of Mobile; published 29 Dec 2012; http://techcrunch.com/2012/12/29/unnatural-acts-and-the-rise-of-mobile/
[3] F-Secure Weblog; Sean Sullivan; Finnish Website Attack via Rogue Ad; published 5 Dec 2012; http://www.f-secure.com/weblog/archives/00002468.html
[4] Websense; Dissecting Cleartrip.com website compromise: Malicious ad tactics uncovered; published 29 Jun 2012; http://community.websense.com/blogs/securitylabs/archive/2012/06/29/cleartrip-com-compromised-malicious-ad-tactics-uncovered.aspx
[5] Malekal's site; Malvertising adf.ly => Ransomware Sacem / Police Nationale; published 13 Mar 2012; http://www.malekal.com/2012/03/13/malvertising-adf-ly-ransomware-sacem-police-nationale/
Multi-Platform attacks

Eyeing Windows and non-Windows platforms

The perception that Mac is malware-free while its counterpart Windows is infection-prone is outdated. As Mac grows in popularity and numbers, malware authors will not ignore this market anymore. The same situation also applies to the mobile operating systems. With the diversity of platforms and the growing number of devices, it becomes less practical to develop an attack that only works on a specific system.

In the latter half of 2012, we witnessed several cases of multi-platform attacks in which malware is used on different types of operating systems (OS). The attacks consist of multiple components; some are OS-neutral while others are OS-specific, with the OS-neutral components typically serving as the infection vector for the OS-specific ones. In most cases, the components do not belong to the same family and are compilations of different tools obtained from various sources, ranging from open source software to programs purchased on the cyber black market.

The emergence of multi-platform attacks

Multi-platform, multi-malware attacks are not a new phenomenon that debuted a few months ago; they have been around for a while. Back in November 2011, the US Federal Bureau of Investigation (FBI) revealed that over four million users were infected with the DNSChanger trojan. This malware, which has been circulating since 2007, infiltrates both Windows and Mac machines by pretending to be a codec installer needed to play pornographic videos. When the file is downloaded, the website hosting the trojan checks the browser's user agent and then pushes a corresponding installer. This installer then changes the user's Domain Name System (DNS) settings to divert traffic to unsolicited sites. Some variants of DNSChanger may also affect routers[1].

Next, there was the Boonana trojan, which runs on machines with a Java installation, regardless of the host operating system. Unlike previously seen Java malware, which made no special considerations for different platforms, Boonana uses platform-specific components and does not rely entirely on Java to perform its routines. This trojan spread around social networking sites, predominantly Facebook, during the fall of 2010, earning itself the alias 'Koobface'.

Many of us may still remember the Fake Mac Defender rogue that gained coverage back in May 2011. Since it was the first case that came close to an outbreak on the Mac platform, many overlooked the fact that the attack was actually targeting multiple platforms. Similar to the DNSChanger trojan, websites hosting the rogue push out either a Mac or a Windows version (Figure 1) of the rogue, depending on the information gained from the browser's user agent.

Figure 1: Fake Mac Defender equivalent in Windows

In the first quarter of 2012, an outbreak involving the Flashback trojan on Mac systems brought major attention to the potential of malware targeting non-Windows platforms[2]. Following Flashback, more attacks targeting non-Windows platforms began to emerge, beginning with a few cases of malicious Java applets exploiting the same vulnerabilities. In the first case[3], the applet checks the platform on which the user's machine runs, and then deploys the corresponding platform-specific payload. On a Windows system, the applet installs a typical backdoor component, but on a Mac system it sets up a free remote access tool called Matahari[4].

The second case involved multiple incidents[5] that essentially formed a continuous, multi-wave attack against certain non-governmental organizations (NGOs), which continued until the end of 2012[6]. It was conducted by sending spearphishing e-mails to potential targets that contained either (a) a malicious link[7] that exploits Java vulnerabilities, or (b) a malicious attachment[8] that exploits Microsoft Office vulnerabilities. Some of the malicious emails contained links that check the browser's user agent and only load an applet carrying the correct platform-specific payload; others indiscriminately loaded all applets, hoping that one would be a match. The differing infection strategies used in the attacks suggest that different groups were behind them. Given the sustained nature of the attack, and that the attackers had advance knowledge that the NGOs used a mix of Windows and Mac machines, it is possible that the attacks were targeted and politically motivated.

Every platform is fair game, none is spared

More malicious Java applets were found in the second half of 2012[9,10]. With most effort concentrated on infecting Windows and Mac machines, attackers still managed to spend some time crafting malicious payloads for Linux. But instead of exploiting software vulnerabilities, these applets look to exploit the weakest link in the security chain: uninformed users. The attackers try to make their way into a system using the free penetration testing tool Social-Engineer Toolkit (SET)[11].

As the trend continued to expand, even the Unix platform was not spared. Soon enough, a remote access tool called NetWire (Figure 2) was found being sold on the cyber black market. The tool has server components for the Windows, Mac, Linux and Solaris platforms that can be controlled from a single client.

Figure 2: NetWire server generator

Multi-platform attacks are not limited to the desktop environment. In July 2012, a rogue website distributing a fake Skype installer for mobile devices was discovered[12]. Depending on the device's operating system, the website proceeds with different actions. On Android and Symbian devices, it pushes an APK and a Java version of an SMS trojan respectively; on an iOS device, it displays a page that simulates the look of an application installation (Figure 3), even though no installation is taking place.

Figure 3: Fake iOS app installation

In a more advanced attack, the same malware may target both desktop and mobile platforms, as in the case of the FinSpy trojan. During a raid on the state security headquarters of Egypt after the 2011 revolution, protesters got hold of a document that revealed a company named Gamma International offering to sell a surveillance suite called FinSpy to the former regime[13]. At that time no one had seen an actual sample, until last year, when Citizen Lab was able to identify several samples that belong to the suite[14]. The discovered versions include FinSpy for Windows, and FinSpy Mobile[15] for Android, iOS, BlackBerry, Windows Mobile and Symbian. Although no sample has been found, a leaked product description mentions that Mac and Linux versions of the program are also available[16].

Citizen Lab also identified several other samples used in targeted attacks that belong to another surveillance suite called Remote Control System[17]. Only Windows and Mac versions were found, but according to the official promotional video (Figure 4), Android, iOS, BlackBerry, Symbian and Linux versions are also available[18].

Figure 4: Remote Control System promotional video

The outlook

It is normal for surveillance tools to support multiple platforms. As users increasingly rely on mobile devices to perform daily tasks and even work tasks, surveillance tools are expected to be able to capture the footprint of these activities. We can expect malware encountered in the future that targets both desktop and mobile platforms to still come from a surveillance suite. But instead of developing malware that works on every single platform, the author may focus only on the top desktop and mobile platforms used by mainstream consumers. Aside from surveillance purposes, the trend of malware working on both desktop and mobile environments may not take off. We are not considering Zitmo-like malware here, because it is not really targeting mobile devices; the mobile components are just used to complement the desktop components[19].

For malware that focuses on desktop platforms, Windows and Mac will remain the main targets. However, there will likely be a few incidents where Linux is also targeted. In the mobile landscape, there will likely be fewer multi-platform attacks, as Symbian's market share continues to drop and leaves the mobile landscape essentially dominated by one platform: Android.
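The user-agent check that DNSChanger, the Fake Mac Defender sites and the fake Skype site perform is simple server-side logic, and the same property that makes it work for the attacker (one URL, different responses per platform) is visible in proxy logs. The following is an added example, not code from the report or from any of the malware named above: a platform classifier for User-Agent strings, the dispatch a dropper site makes with it, and a detector that flags URLs returning different executable content types to different platforms. The payload file names, the log format and the log lines are constructed for the example; the platform markers are an assumption about typical 2012-era browser User-Agent strings.

```python
# Added example (not code from the report or from the malware it describes):
# the user-agent check a multi-platform dropper site performs, and a detector
# for the same pattern in proxy logs.  Log format and lines are constructed.
import re
from collections import defaultdict

# Most specific markers first: Android UAs also say "Linux", iOS UAs say
# "like Mac OS X".
PLATFORM_MARKERS = [
    ("android", "Android"), ("iphone", "iOS"), ("ipad", "iOS"),
    ("symbian", "Symbian"), ("series60", "Symbian"),
    ("windows", "Windows"), ("mac os x", "Mac"), ("linux", "Linux"),
]


def platform_from_ua(user_agent):
    ua = user_agent.lower()
    for marker, platform in PLATFORM_MARKERS:
        if marker in ua:
            return platform
    return "Unknown"


# The dispatch a dropper site makes with that answer.  File names are
# illustrative placeholders, not real sample names.
PAYLOAD_BY_PLATFORM = {
    "Windows": "codec_installer.exe",
    "Mac": "codec_installer.dmg",
    "Android": "skype.apk",
    "Symbian": "skype.jar",
    "iOS": "fake_install.html",   # lookalike page only; nothing is installed
}


def select_payload(user_agent):
    return PAYLOAD_BY_PLATFORM.get(platform_from_ua(user_agent))


# Detection side.  Simplified proxy log format (constructed):
#   client "METHOD URL" status bytes content-type "user-agent"
LOG_RE = re.compile(r'^(\S+) "(\S+) (\S+)" (\d{3}) (\d+) (\S+) "([^"]*)"$')

EXECUTABLE_TYPES = {
    "application/x-msdownload", "application/x-apple-diskimage",
    "application/vnd.android.package-archive", "application/java-archive",
    "application/octet-stream",
}

SAMPLE_LOG = """\
10.0.0.5 "GET http://video-codec.example/get" 200 318901 application/x-msdownload "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0"
10.0.0.6 "GET http://video-codec.example/get" 200 402113 application/x-apple-diskimage "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.11 Safari/537.11"
10.0.0.7 "GET http://video-codec.example/get" 200 1204 text/html "Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20100101 Firefox/17.0"
10.0.0.8 "GET http://news.example/index.html" 200 55012 text/html "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.11 Chrome/23.0 Safari/537.11"
10.0.0.9 "GET http://news.example/index.html" 200 55012 text/html "Mozilla/5.0 (Linux; Android 4.1.2; Nexus 7) AppleWebKit/535.19 Chrome/18.0 Mobile Safari/535.19"
10.0.0.10 "GET http://skype-mobile.example/download" 200 88120 application/vnd.android.package-archive "Mozilla/5.0 (Linux; Android 4.0.4; GT-I9300) AppleWebKit/534.30 Mobile Safari/534.30"
10.0.0.11 "GET http://skype-mobile.example/download" 200 41200 application/java-archive "Mozilla/5.0 (SymbianOS/9.4; Series60/5.0 NokiaN97-1) AppleWebKit/525 Safari/525"
10.0.0.12 "GET http://skype-mobile.example/download" 200 2210 text/html "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 Mobile/10A403 Safari/8536.25"
"""


def parse_log(text):
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            _client, _method, url, _status, _size, ctype, ua = m.groups()
            yield url, platform_from_ua(ua), ctype


def find_ua_cloaked_urls(text):
    """URLs serving more than one content type across platforms, at least one
    of them an executable type.  Returns {url: {platform: [content types]}}."""
    served = defaultdict(lambda: defaultdict(set))
    for url, platform, ctype in parse_log(text):
        served[url][platform].add(ctype)
    flagged = {}
    for url, by_platform in served.items():
        types = set().union(*by_platform.values())
        if len(by_platform) > 1 and len(types) > 1 and types & EXECUTABLE_TYPES:
            flagged[url] = {p: sorted(t) for p, t in by_platform.items()}
    return flagged


if __name__ == "__main__":
    for url, per_platform in find_ua_cloaked_urls(SAMPLE_LOG).items():
        print(url, per_platform)
```

The detector is a triage signal, not a verdict: a legitimate vendor download page also hands out a different installer per platform, so a flagged URL needs to be paired with domain age or reputation before anyone acts on it. The Java applet cases above do the equivalent check client-side (the applet reads the platform from the JVM rather than from the User-Agent), which this log-side heuristic cannot see; there the differing payloads show up as separate requests after the applet has loaded.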
Sources
[1] F-Secure Weblog; Sean Sullivan; FBI: Operation Ghost Click; published 10 November 2011; http://www.f-secure.com/weblog/archives/00002268.html
[2] F-Secure Weblog; Sean Sullivan; Mac Flashback Infections; published 5 April 2012; http://www.f-secure.com/weblog/archives/00002345.html
[3] Computer Weekly; Warwick Ashford; Malware targets Macs and PCs; published 30 April 2011; http://www.computerweekly.com/news/2240149271/New-malware-targets-Macs-and-PCs
[4] Matahari: A simple reverse HTTP shell; http://www.matahari.sourceforge.net
[5] F-Secure Weblog; Broderick Aquilino; More Mac Malware Exploiting Java; published 17 April 2012; http://www.f-secure.com/weblog/archives/00002348.html
[6] F-Secure Weblog; Sean Sullivan; New Mac Malware Found on Dalai Lama Related Website; published 3 December 2012; http://www.f-secure.com/weblog/archives/00002466.html
[7] F-Secure Weblog; Sean Sullivan; China Targets Macs Used By NGO #Tibet; published 20 March 2012; http://www.f-secure.com/weblog/archives/00002334.html
[8] F-Secure Weblog; Sean Sullivan; More Mac Malware (Word Exploit) Targeting NGOs; published 28 March 2012; http://www.f-secure.com/weblog/archives/00002339.html
[9] F-Secure Weblog; Karmina Aquino; Multi-Platform Backdoor Lurks in Colombian Transport Site; published 9 July 2012; http://www.f-secure.com/weblog/archives/00002397.html
[10] F-Secure Weblog; Broderick Aquilino; Multi-Platform Backdoor with Intel OS X Binary; published 13 July 2012; http://www.f-secure.com/weblog/archives/00002400.html
[11] TrustedSec; Social Engineer Toolkit; https://www.trustedsec.com/downloads/social-engineer-toolkit/
[12] F-Secure Weblog; Karmina Aquino; Not Your Normal Skype Download; published 9 July 2012; http://www.f-secure.com/weblog/archives/00002396.html
[13] F-Secure Weblog; Mikko Hyppönen; Egypt, FinFisher Intrusion Tools and Ethics; published 8 March 2011; http://www.f-secure.com/weblog/archives/00002114.html
[14] CitizenLab; From Bahrain With Love: FinFisher's Spy Kit Exposed?; published 25 July 2012; https://citizenlab.org/2012/07/from-bahrain-with-love-finfishers-spy-kit-exposed/
[15] CitizenLab; The SmartPhone Who Loved Me: FinFisher Goes Mobile?; published 29 August 2012; https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/
[16] Wikileaks; FinSpy: Remote Monitoring & Infection Solutions; http://wikileaks.org/spyfiles/files/0/289_GAMMA-201110-FinSpy.pdf
[17] CitizenLab; Backdoors are Forever: Hacking Team and the Targeting of Dissent; published 10 October 2012; https://citizenlab.org/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/
[18] HackingTeam; The Solution; http://www.hackingteam.it/index.php/remote-control-system
[19] F-Secure Weblog; Sean Sullivan; Berlin Police: Beware Android Banking Trojans; published 15 November 2012; http://www.f-secure.com/weblog/archives/00002457.html
Mobile

The ever-expanding threat market

The mobile threat landscape continues to be focused on two platforms: Android, which accounted for 79% of all new malware variants identified in 2012, and Symbian, with 19%. Though previously identified threats from past years continued to trouble users of most mobile platforms, there was little active malware development elsewhere, with only a single new variant identified on each of the BlackBerry and PocketPC platforms in the whole of 2012, and only two new variants each for the iPhone and Java ME (J2ME). Instead, malware authors have focused the main thrust of their efforts on the two most common mobile platforms today, Android and Symbian.

Android

In the third quarter of 2012, Android reportedly accounted for 75% of the global smartphone market, or three out of every four phones shipped during that quarter, effectively making it the most common mobile operating system in the world[1].

In addition, in Q2 2012 China officially surpassed the United States as the world's largest market for smartphone consumers. Android handsets accounted for 81% of that market, and it is therefore probably not surprising that many of the new malware families we detected last year were targeted specifically at Android users in mainland China.

Data-stealing and profit-making

Given its dominance, the Android platform has naturally become the main target for active malware development, with a total of 238 new, unique variants found on the platform during 2012.

The majority of these malware are distributed as trojanized apps, in which a legitimate program has been engineered to include a malicious component. Most of the new variants found are categorized as trojans or monitoring tools, which are able either to compromise the user's data or to track the user's movements and activities.

Much like their Symbian counterparts, these malware generally attempt to profit from the user by silently subscribing them to premium SMS-based services, or by placing calls to premium-rate numbers. The confidential data harvested from these devices is often silently forwarded to a remote server, presumably for future use in an unwanted context.

Figure 1: New malware families and variants received per quarter, Q1–Q4 2012 (chart; series: all threats, Android, Symbian, J2ME, Windows Mobile, BlackBerry, iOS)

Boosting security

Meanwhile, during 2012 Google continued efforts to enhance security on the Android platform, particularly in the Play Store (the rebranded Android Market). These efforts included the addition of exploit mitigation features in the 4.1 update[2] and an (optional) app verification feature in the 4.2 update[3]. For users who were, for various reasons, unable to receive these updates, another security measure came in the form of Bouncer, an app-scanning security tool in the Play Store that reportedly reduced the number of malicious apps offered through the app market.

In addition, in September 2012 Google bought VirusTotal[4], a file analysis service. Though the company has not announced its future plans or detailed how it would integrate the newly acquired service into its security mechanisms, presumably the purchase will be instrumental in boosting the platform's security capabilities.

Though the effectiveness of Google's security-related efforts has come under criticism, they do represent concrete steps towards better protecting the data and device security of Android users. As Android continues its apparently unstoppable domination of the mobile platform market, thereby making itself the favoured target for malware developers, device and data security will continue to be an important issue for users on this platform.

Symbian

In stark contrast to the Symbian roadmap, the malware scene is far from dead. The most common origin of malware for Symbian today is, as it has been for a while, China. Other countries are still represented on our radar, but there are differences in quality and quantity. What we see is that whereas western countries generally encounter commercial spyware targeted at mobile users, malware in China is predominantly aimed at monetizing the victim.

Mechanics of monetization

Given the sheer number of Symbian devices in circulation in China, a malware author does not need to infect a significant fraction of the mobile phones in order to generate revenue. The easiest, most logical way to turn an infection into money is to use the built-in billing mechanism and send out SMS messages that silently subscribe the user to premium services. A more sophisticated method, placing automated calls to premium-rate numbers, is only slightly more challenging.

We have also seen Chinese malware that emulates user behavior and silently uses WAP services, which are then billed through the mobile operator. Similarly, some malware families have the capability to act as scripted bots, playing regular, albeit simple, browser-based games online.

Data-stealing, stealthy behavior and self-protection

A typical Symbian malware is a trojan masquerading as a system update or a legitimate application. The capability model designed to protect the device from harmful software installation allows signed applications to do things that one would not expect. For example, roughly the same set of capabilities is required of a legitimate action game and of an application that can download and install new software from the Internet without user intervention.

Nearly every malicious Symbian application uses programmatic access to the device's International Mobile Equipment Identity (IMEI) and International Mobile Subscriber Identity (IMSI) numbers. Profit-driven malware may also access the user's core personal information, such as SMS messages, location, and voice or user input. We have seen many examples of malware reading the Contacts database, primarily to send unsolicited and malicious SMS messages to these contacts.

Hiding malicious activity from the user is a defining characteristic of malware. Many samples present a believable front to the user as a distraction. Others simply hide their presence: for example, most legitimate Symbian applications include an application icon that the user can select to launch the program; most malware lack this, and silently launch themselves during installation and device boot.

Mobile threats motivated by profit, 2012

Quarter   Profit-motivated   Not profit-motivated
Q1 2012   34                 27
Q2 2012   40                 26
Q3 2012   32                 42
Q4 2012   67                 33

Figure 2: Breakdown of profit-motivated vs. non-profit-motivated malware in 2012
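The behaviours described for trojanized Android apps and for Symbian malware above (premium SMS, IMEI/IMSI harvesting, reading contacts to spam them, no launcher icon) map onto capabilities an app must declare up front, which is what an analyst triages first. The following is an added example, not an F-Secure detection and not code from the report: it parses an Android manifest, extracts the declared permissions, the launcher entry and any high-priority receiver for incoming SMS (the Android analogue of the SMS hooking described for Symbian, used by malware to take a message before it reaches the inbox), and lists the behaviour indicators the manifest supports. The manifest and the scoring rules are constructed for the example; a real APK's binary manifest would first have to be decoded with a tool such as aapt or apktool.

```python
# Added example (not F-Secure code): capability-profile triage of an Android
# manifest against the trojanized-app behaviours described in the text.  The
# manifest and the indicator rules are constructed for the example.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest of a "puzzle game" with the permission set of a
# premium-SMS trojan and no launcher activity.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.puzzle">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Puzzle">
    <service android:name=".SyncService"/>
    <receiver android:name=".SmsGate">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def parse_manifest(xml_text):
    """Extract permissions, launcher presence and the highest SMS_RECEIVED
    receiver priority from a (decoded, text) AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    has_launcher = any(c.get(ANDROID_NS + "name") == "android.intent.category.LAUNCHER"
                       for c in root.iter("category"))
    sms_priority = 0
    for flt in root.iter("intent-filter"):
        actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
        if SMS_RECEIVED in actions:
            sms_priority = max(sms_priority, int(flt.get(ANDROID_NS + "priority", "0")))
    return {"permissions": perms, "has_launcher": has_launcher,
            "sms_receiver_priority": sms_priority}


def triage(info):
    """Behaviour indicators the manifest supports (heuristic, for analyst review)."""
    p = info["permissions"]
    indicators = []
    if "android.permission.SEND_SMS" in p:
        indicators.append("can send SMS (premium-service subscription)")
    if {"android.permission.READ_PHONE_STATE", "android.permission.INTERNET"} <= p:
        indicators.append("can read IMEI/IMSI and forward them to a server")
    if {"android.permission.READ_CONTACTS", "android.permission.SEND_SMS"} <= p:
        indicators.append("can harvest contacts and SMS them")
    if info["sms_receiver_priority"] >= 1000 and "android.permission.RECEIVE_SMS" in p:
        indicators.append("high-priority SMS receiver (can intercept messages before the inbox)")
    if not info["has_launcher"]:
        indicators.append("no launcher icon (hidden from the app drawer)")
    return indicators


if __name__ == "__main__":
    for line in triage(parse_manifest(SAMPLE_MANIFEST)):
        print("-", line)
```

A legitimate messaging app legitimately trips the first and fourth rules, which is why this is a triage list and not a verdict; the combination that matters is a game or utility whose declared capabilities match a monetization or data-theft profile, the same mismatch the Symbian capability model fails to surface.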
Other malware are stealthier and avoid detection by suppressing regular system notifications, by terminating the system process responsible for displaying message indications on the screen, or even by temporarily changing the message ringtone to Silent. Any logged system events are purged from the device afterwards.

Nearly every Symbian malware contacts a remote server over the Internet. Most samples simply retrieve new software to silently install, but based on static analysis, some also include functionality that allows a user (the attacker) to remotely trigger any of its functions via a configuration or custom script. Communication is typically scrambled or encrypted.

A common tactic used by malware to hide instructions sent from a remote attacker is to listen for incoming SMS messages by hooking a low-level system API, then capture the messages from the attacker before the system can deliver them to the user's Inbox. Another common tactic is to wait until the phone is not in the user's immediate control before performing any malicious actions, as detecting idle mode is very easy.

Many malicious apps try to prevent detection by security products, usually by detecting the security program's running processes and terminating them. More aggressively, they can uninstall the security product completely. The malware can also prevent the user from uninstalling a suspicious or unwanted app by terminating the uninstaller application, blocking any attempt at removal.

Future outlook

Of late, we have noticed that components are being reused in Symbian malware, and that the malware has begun to resemble engineered products rather than the hacked-together snippets of copy-pasted code it used to be.

It is hard to tell whether the malware authors are just elevating the level of grunt software engineering by bringing in modularization and dynamic features, or deliberately doing so to make analysis and reverse engineering harder. It may be that a combination of both motivations is at work here. Either way, it is an indication that Symbian malware will continue to evolve and remain a threat to users in markets such as China, where the platform is still going strong.

Sources
[1] IDC; Android Marks Fourth Anniversary Since Launch with 75.0% Market Share in Third Quarter, According to IDC; published 1 Nov 2012; http://www.idc.com/getdoc.jsp?containerId=prUS23771812
[2] Android Developers; Jelly Bean Android 4.1; http://developer.android.com/about/versions/jelly-bean.html
[3] Android Developers; Jelly Bean Android 4.2; http://developer.android.com/about/versions/jelly-bean.html
[4] VirusTotal Blog; An update from VirusTotal; published 7 Sep 2012; http://blog.virustotal.com/2012/09/an-update-from-virustotal.html
  • 39. F-Secure in Brief F-Secure has been protecting the digital lives of consumers and businesses for over 20 years. Our Internet security and content cloud services are available through over 200 operators in more than 40 countries around the world and are trusted in millions of homes and businesses. In 2011, the company's revenues were EUR 146 million, and it has over 900 employees in more than 20 offices worldwide. F-Secure Corporation has been listed on NASDAQ OMX Helsinki Ltd. since 1999.
  • 40. Protecting the Irreplaceable. F-Secure proprietary materials. © F-Secure Corporation 2013. All rights reserved. F-Secure and F-Secure symbols are registered trademarks of F-Secure Corporation, and F-Secure names and symbols/logos are either trademarks or registered trademarks of F-Secure Corporation. Protecting the irreplaceable | f-secure.com