Threat  Report  H2 2012Protecting the irreplaceable |
F-Secure LabsAt the F-Secure Response Labs in Helsinki, Finland,and Kuala Lumpur, Malaysia, security experts work     arou...
forewordToday, the most common way of getting hit by malware is by browsing theWeb. It hasn’t always been this way. Years ...
Executive Summaryexecutive summaryThree things visibly stand out in this past half year: botnets (with special reference t...
ContentsThis Threat Report highlights trends and new developments seen in the malware threat landscape by analystsin F-Sec...
Incidents CalendarH2 2012 incidents calendar (July-December)* jul                 Aug                SEPT                 ...
In Reviewchanges in the threat landscapeUnlike the first half of 2012, the second half of the year saw no major malware ou...
Top 10 detections in H2 2012,                                                         top countries*         ZeroAccess   ...
This skewed preference in attack targeting can be directly attributed to the popular usage ofexploit kits such as Blackhol...
Of Notethe Password          11COrporate espionage   12
Passwordthe password                                                                                     dead man walkingC...
COrporate of the ‘watering hole’ attack             rise                  espionage                                       ...
How a ‘watering hole’ attack works                                                                                        ...
Case StudiesBotS15ZeRoAccess17Zeus21Exploits25Web28Multi-Platform attacks       32Mobile35
BotS                                                                        The world of bots in 2012In the last few years...
quickly. The most important feature for Citadel however is the               The Carberp-infected mobile app is distribute...
ZeRoAccess botnet malware in the wild   The most profitableZeroAccess is one of today’s most notable botnets. It was first...
ZeroAccess botnet affiliate program structure                  ZeroAccess botnet                      operator            ...
Zeroaccess infections, top countriesBitcoin mining has too many constraints. For instance, thesuccess of generating a bitc...
ZEROACCESS INFECTIONS In the USA, Japan, and europe*                                                                      ...
Zeus                                                             robbing banks in modern timesZeus makes up a significant ...
country                  unique ips           % of all ips         Different derivatives (i.e. Citadel, Ice IX, and P2P) t...
Citadel                                                                        Zeus 2 Timeline of Notable Events Commands ...
The complete infographic can be viewed at
Exploits                                             Top Targeted Vulnerabilities in 2012In 2012, we saw the exploitation ...
Netherlands                                                                                                         Belgiu...
infographic                                                                      Belgium                                  ...
Threat Report H2 2012
Threat Report H2 2012
Threat Report H2 2012
Threat Report H2 2012
Threat Report H2 2012
Threat Report H2 2012
Threat Report H2 2012
Threat Report H2 2012
Threat Report H2 2012
Threat Report H2 2012
Threat Report H2 2012
Threat Report H2 2012
Threat Report H2 2012
Upcoming SlideShare
Loading in...5

Threat Report H2 2012


Published on

The report focuses on three things that stood out in the second half of 2012: botnets (with special reference to ZeroAcess), exploits (particularly against the Java development platform) and banking trojans (Zeus). Also discussed are multi-platform attack in which a coordinated attack campaign is launched against both desktop and mobile platforms, state of today's web concerning malware hosting and malvertising, and an update on the mobile threat scene.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Transcript of "Threat Report H2 2012"

  1. 1. Threat Report H2 2012Protecting the irreplaceable |
  2. 2. F-Secure LabsAt the F-Secure Response Labs in Helsinki, Finland,and Kuala Lumpur, Malaysia, security experts work around the clock to ensure our customers are protected from the latest online threats. At any given moment, F-Secure Response Labs staff is on top of the worldwide security situation,ensuring that sudden virus and malware outbreaks Protection around the clock are dealt with promptly and effectively. Response Labs’ work is assisted by a host of automatic systems that track worldwide threat occurences in real time, collecting and analyzing hundreds of thousands of data samples per day. Criminals who make use of virus and malware to profit from these attacks are constantly at work on new threats. This situation demands around the clock vigilance on our part to ensure that our customers are protected.
  3. 3. forewordToday, the most common way of getting hit by malware is by browsing theWeb. It hasn’t always been this way. Years ago, floppy disks were the mainmalware vector. Then sharing of executable files. Then e-mail attachments.But for the past five years, the Web has been the main source of malware.The Web is the problem largely because of Exploit Kits. Kits such asBlackHole, Cool Exploit, Eleanore, Incognito, Yes or Crimepack automatethe process of infecting computers via exploits.There is no exploit without a vulnerability. Ultimately, vulnerabilities arejust bugs, that is, programming errors. We have bugs because programsare written by human beings, and human beings make mistakes. Softwarebugs have been a problem for as longs as we have had programmablecomputers—and they are not going to disappear.Bugs were not very critical until access to the Internet became widespread.Before, you could have been working on a word processor and opening a Mikko HyppÖnencorrupted document file, and as a result, your word processor would have crashed. Chief Research OfficerEven if annoying, such a crash would not have been too big of a deal. You might havelost any unsaved work in open documents, but that would have been it.However, things changed as soon as the Internet entered the picture. Suddenly, bugsthat used to be just a nuisance could be used to take over your computer.Yet, even the most serious vulnerabilities are worthless for the attacker, if they getpatched. Therefore, the most valuable exploits are targeting vulnerabilities that arenot known to the vendor behind the exploited product. This means that the vendorcannot fix the bug and issue a security patch to close the hole. Software bugs have been a problem for as longs as we have had programmable computers—and they are not going to disappear.If a security patch is available and the vulnerability starts to get exploited by theattackers five days after the patch came out, the users have had five days to react. Ifthere is no patch available, the users have no time at all to secure themselves; literally,zero days. This is where the term ‘Zero Day Vulnerability’ comes from: users arevulnerable, even if they have applied all possible patches.One of the key security mechanisms continues to be patching. Make sure all yoursystems are always fully up-to-date. This drastically reduces the risk of gettinginfected. But for Zero Day vulnerabilities, there are no patches available. However,antivirus products can help against even them.We’re in a constant race against the attackers. And this race isn’t going to be over anytime soon.FOREWORD 3
  4. 4. Executive Summaryexecutive summaryThree things visibly stand out in this past half year: botnets (with special reference toZeroAcess), exploits (particularly against the Java development platform) and banking trojans(Zeus).ZeroAccess was easily the most prevalent botnet we saw in 2012, with infections most visible inFrance, United States and Sweden. It is also one of the most actively developed and perhapsthe most profitable botnet of last year. In this report, we go through the distribution methodsand payment schemes of ZeroAccess’s ‘affiliate program’, as well as its two main profit-generating activities: click fraud and BitCoin mining. Aside from ZeroAccess, other notablebotnets of 2012 are Zeus, Carberp, Dorkbot and SpamSoldier (a mobile botnet).Java was the main target for most of the exploit-based attacks we saw during the past halfyear. This is aptly demonstrated in the statistics for the top 10 most prevalent detectionsrecorded by our cloud lookup systems, in which the combined total of detections for the Java-specific CVE-2012-4681 and CVE-2012-5076 vulnerabilities and the Majava generic detections,which also identify samples that exploit Java-related vulnerabilities, account for one third ofthe samples identified during this period. Exploit kits plays a big role in this prevalence. Inaddition, exploits against other programs such as the PDF document reader (CVE-2010-0188)or Windows TrueType font (CVE-2011-3402) made notable impacts in H2 2012, as detailedfurther in this report.With regards to banking-trojans, a botnet known as Zeus—which is also the name for themalware used to infect the user’s machines—is the main story for 2012. Analysis of thegeography for Zeus’s infection distribution highlights the United States, Italy and Germany asthe most affected countries. In addition to its banking-trojan capabilities, the Zeus malwarealso functions as a backdoor, allowing it to be directly controlled from the botnet’s commandand control (C&C) servers. An examination of the different sets of backdoor commands usedby Zeus derivatives (known as Citadel and Ice IX) gives more detail of what other maliciousactions this malware can perform.In terms of online security, we look at the more ambiguous side of the ever-growing popularityof website hosting, and how its increasingly affordable and user-friendly nature also makes itwell suited to supporting malware hosting and malvertising.We also take a look at multi-platform attacks, in which a coordinated attack campaign islaunched against multiple platforms (both desktop and mobile), often with multiple malware.And finally on the mobile scene, the Android and Symbian platforms continue to be the mainfocus of threats, accounting for 79% and 19%, respectively, of all new mobile malware variantsidentified in 2012.executive summary 4
  5. 5. ContentsThis Threat Report highlights trends and new developments seen in the malware threat landscape by analystsin F-Secure Labs during the second half of 2012. Also included are case studies covering selected noteworthy,highly-prevalent threats from this period. contributing foreword3 AUTHORS Broderick Aquilino Executive Summary 4 Karmina Aquino Contents5 Christine Bejerasco Edilberto Cajucom Incidents Calendar 6 Su Gim Goh In Review 7 Alia Hilyati Timo Hirvonen Of Note 10 Mikko Hypponen the password 11 Sarah Jamaludin COrporate espionage 12 Jarno Niemela Mikko Suominen Case Studies 14 Chin Yick Low BotS15 Sean Sullivan ZeRoAccess17 Marko Thure Juha Ylipekkala Zeus21 Exploits25 Web28 Multi-Platform attacks 32 Mobile35 Sources38contents 5
  6. 6. Incidents CalendarH2 2012 incidents calendar (July-December)* jul Aug SEPT OCT NOV DEC FBI support for Out-of-band Patch Friday Syrian Internet,mobile DNSChanger ended connections cut off Imuler.B backdoor found on OS X Multi-platform Intel/OS X backdoor found Malware signed Berlin poice warned of with Adobe certificate Android banking trojans Commercial multi-platform surveillance tools found Samsung TouchWiz exploit Cool Exploit kit Iran-targeted malware reported rivalling Blackhole reported New Mac Revir threat Indian government email found accounts hacked New Linux rootkit found Gauss threat targeted Dexter malware hit point the London Olympics Huawei controversy in US Congress of sales (POS) ITU Telecom World ‘12 raised Australian hospital’s Blackhole updated faster Internet/government concerns records ransomed than flaws patched Java update closed 3 Mac threat found on Dalai vulnerabilities Lama-related webite Matt Honan ‘hack’ highlighted One rogue ad hits Finnish flaws in accounts systems web traffic Eurograbber attack on European banks reported Samsung Exynos exploit reported Online In the news PC threats Mobile threats Hacktivism espionage Sources: See page 38.incidents calendar 6
  7. 7. In Reviewchanges in the threat landscapeUnlike the first half of 2012, the second half of the year saw no major malware outbreakson any platform. Instead, a handful of incidents took place during this time period, most ofwhich were notable as indications of how inventive the attackers have been in finding waysto compromise a user’s machine, data or money. These incidents included the hack into theWired Matt Honan’s Gmail and Apple accounts, which exposed loopholes in those accountsystems; the Adobe-certified malware episode, in which attackers went to the extent ofstealing Adobe’s digital certificate in order to sign malware used in targeted attacks; and theEurograbber attack, in which a variant of the Zeus crimeware was reportedly used to stealmoney from various corporations and banks in Europe.An interesting development in 2012 has been the increasing public awareness of cyber-securityand the various implications of being vulnerable to attack over a borderless Internet. Newsreports of alleged online or malware-based attacks against Iranian facilities drew attentionto state-sponsored cyber-attacks. A conference gathering the various telecommunicationsentities to discuss basic infrastructure issues raised concerns about Internet governance, andthe role of governments in it. The past year also saw US politicians, not generally consideredthe most tech-savvy of users, raise concerns over perceived reliance on IT solutions forsensitive government systems being provided by foreign corporations seen as potentiallyunreliable. Though it is probably a positive development that more people are becomingexposed to topics that have long been considered irrelevant or academic, only time will tellwhat will result from the increased awareness.Rather than a single major event, perhaps the most noteworthy aspect of H2 2012 is the waythat the various trends we saw emerging in the first two quarters of the year have continued togrow apace—that is, the growth of botnets, the ‘standardization’ of vulnerability exploitationand the increasing ‘establishment’ of exploit kits.When it comes to botnets, the news has been mixed at best. The last few years have seenconcerted efforts by players from different fields—telecommunications, information securityand even government organizations—to take down or at least hamper the activities of variousbotnets, which have compromised millions of user’s computers and been used to performsuch activities as monetary fraud and online hacking. These combined efforts resulted intotally shuttering, or at least seriously hampering, major botnets such as Rustock, Zeus andDNSChanger.Unfortunately, despite these commendable efforts, the botnets have been regularlyresurrecting, often with new strategies or mechanisms for garnering profit. In addition,the operators running these botnets have been aggressively marketing their ‘products’ toother hackers and malware distributors. Their efforts include offering affiliate programs withattractive ‘pay-per-installation’ rates and ‘rent-a-botnet’ schemes that allow attackers to usethe combined power of the infected hosts to perform attacks or other nefarious activities.These sophisticated business tactics have garnered significant returns. In some cases, such asZeroAccess, the reborn botnets have grown to count millions of infected hosts. See the casesstudies Bots (pg. 15), ZeroAccess (pg. 17) and Zeus (pg. 21) for more information on botnets.Another change we saw last year was the increasing use of vulnerability exploitation, oftenin tandem with established social engineering tactics. Unlike previous years, when most ofthe infections we saw involved trojans, 2012 was definitely the year of the exploit, as exploit-In review 7
  8. 8. Top 10 detections in H2 2012, top countries* ZeroAccess 27% FR us se dk others Majava 26% US fr fi se others Downadup 11% br fr my it others BlackHole 9% fr fi se nl others CVE-2012-4681 6% us se fr de others CVE-2011-3402 6% fr se nl fi others CVE-2010-0188 6% fr se fi nl others CVE-2012-5076 3% fi us fr se others PDF Exploits 3% fi fr se de others Sinowal 3% nl se fi others % 0 25 50 75 100*Based on statistics from F-Secure’s cloud lookup systems from July to December 2012. related detections accounted for approximately 28% of all detections F-Secure’s cloud lookup systems saw in H2 2012. In addition, malware designed to exploit vulnerabilities related to the Java development platform made up about 68% of all exploit-related detections recorded by our systems in the second half of last year. If we look at the list of Top 10 Detections (above) seen by our cloud lookup systems in H2 2012 in more detail, two detections which specifically identify samples exploiting the Java-specific CVE-2012-4681 and CVE-2012-5076 vulnerabilities alone account for 9% of the malware identified by the top 10 detections. In addition, the Majava generic detections, which identify samples that exploit known vulnerabilities, including the Java-specific CVE-2012-0507 and CVE-2012-1723 vulnerabilities, account for another 26% of the top 10 detections, as well as having the dubious honor of being the second most common detection overall reported by our backend systems. The sheer volume of Java-related detections indicate both the widespread popularity of that platform and its susceptibility to the malicious inventiveness of malware authors. Interestingly enough, when considering exploit attacks in general, though we saw attacks exploiting numerous vulnerabilities in multiple platforms and programs in 2012, the vast majority of the cases were related to only four vulnerabilities—CVE- 2011-3402 and CVE-2010-0188, which are Windows-related vulnerabiltiies, and the previously mentioned Java vulnerabilities, CVE-2012-4681 and CVE-2012-5076. All of these vulnerabilities, incidentally, have already had security patches released by their relevant review 8
  9. 9. This skewed preference in attack targeting can be directly attributed to the popular usage ofexploit kits such as Blackhole and Cool Exploit, which have incorporated the exploits for thesevulnerabilities, in some cases faster than the vendors were able to patch them. It’s perhaps nottoo surprising then that BlackHole-related detections account for 9% of all samples detectedby the top 10 detections of H2 2012. For more information on these exploits, see the Exploitscase study on page 25.And as a closing note, a quick look at our detection statistics for Mac indicates that eventhough Windows machines continues to be the main target for attacks, the Mac platformis increasingly coming in for a share of unwanted attention. Apart from the major Flashbackoutbreak in early 2012, we saw a slow but steady increase in malware on the Mac platform,as we detected 121 new, unique variants in all of 2012, the majority of them backdoors. Bycontrast, in 2011, we recorded only 59 new unique variants discovered on that platform. 85 +4+4+7+z Mac Malware by type, Jan - Dec 2012 Total= 121 variants* Backdoor, 85% Others 4% Rogue, 4% Trojan, 7% *The total is counted based on unique variants detected from Jan to Dec 2012, rather than total file count. Riskware and repackaged installers are not counted; multi-component malware are only counted review 9
  10. 10. Of Notethe Password 11COrporate espionage 12
  11. 11. Passwordthe password dead man walkingComputer passwords are something like fifty years old. And Determine which accounts that are your critical points ofuntil a little over twenty years ago, they were very often a shared failure, and make sure they are all well defended. Two factorresource where multiple people used the same password (or authentication is good, but even that is not a bulletproofset of passwords) for access to computer systems. The use of solution. It is important to use every option available.individual passwords was actually something of an innovationat the time. For example, Google’s Gmail allows users to create their own security question for password resets. There is absolutely noThen came the World Wide Web, and with it, the ever growing reason why this question needs to be based on reality. It canneed for more and more account passwords. As time has just as easily be another “password”. One which is writtenpassed and our online lives have grown, it is now not at all down and stored safely at home, where only you have accessuncommon for people to have dozens of passwords to keep to it.track of. And what’s worse is that all of those passwords shouldbe “strong” passwords and people shouldn’t reuse them And if you are a parent of teenage children… you really shouldbetween accounts. It’s too much! have “the talk” with them about their use of passwords. The habits they form now will have a big impact on their futureThe second half of 2012 provided more than enough evidence online demonstrate the problem of passwords. Hacks, breaches,database dumps—these are terms that average individuals Hopefully, one day soon, a true successor will rise to take the(not just techies) are now familiar with. With today’s processing password’s place and we will all be able to let the passwordpower, passwords that are strong enough to withstand brute die a dignified death. Unfortunately, we are more likely toforce attacks are too difficult for the human brain to remember. experience fits and starts towards a new solution. Prepare yourself now, 2013 isn’t going to be kind for those who areEven if the passwords are strong, our systems of authenticating unprepared.account resets are flawed. A strong password is useless if socialengineering tactics can be used to reset those passwords.The password is dead and we all know it. But unfortunately,its successor has yet to turn up. So what’s to be done in themeantime? Triage.• Use a password manager such as KeePass or Password Recommended Reading Safe• Kill old accounts that you no longer use • Hacked: passwords have failed and it’s time• Untangle cross-linked accounts for something new[1]• Consider using a “secret” email address for account Matt Honan discusses the account hack that disrupted his maintenance digital life and its implications for online security• Be careful about what you share on social media. If you share, don’t rely on personal information for your • Google declares war on the password[2] account password resets Find out more about Google’s experiment with device-based• Use two-factor authentication options if available account authenticationSOURCES[1] Wired; Matt Honan; Hacked: passwords have failed and it’s time for something new; published 17Jan 2013;[2] Wired; Robert McMillan; Google declares war on the password; published 18 Jan 2013; 11
  12. 12. COrporate of the ‘watering hole’ attack rise espionage Espionage In Q4 2012, we watched the nature of corporate espionage Numerous examples of corporate espionage attacks have attacks change. Before, almost all recorded corporate been reported in the F-Secure Weblog over the years, many of espionage cases were based on using specially crafted them involving poisoned e-mail file attachments sent directly documents containing exploits and a malware payload. Now, to the targeted organizations. spies have started to leverage vulnerabilities in web browsers and browser plugins to achieve their aims in so-called These attacks contrast sharply with the most recent case of a ‘watering hole’ attacks. watering hole attack—the 21st December 2012 compromise of the Council of Foreign Relations (CFR) website[1]. In this attack, ‘Watering hole’ attacks are called such because instead of the website was injected with a previously unknown exploit compromising a random website and infecting anyone who that affected versions 6, 7 and 8 of the Internet Explorer (IE) happens to visit the site, the attackers are more discriminating web browser. Compromising the website itself was not the attacker’s final objective; it was merely“Cross-referencing this list [of known attack domains] used as which naturally include members visitors, a conduit to infect the website’sagainst the’s list of 1 million most common of the CSR itself. And considering that CSRdomains showed that 99.6% of these potential CC sites counts among its members both current and former US political elite and thewere outside of Alexa’s top domains.” founders of multinational companies, the list of potential targets is very interesting. in both the users being targeted and the site used as the infection vector. The attackers specifically attack a site The rise of web-based attacks in corporate espionage raises which is commonly used by employees of the actual target two points: first, this trend means that any corporation with organization. When these employees visit the compromised an online presence that serves such potentially ‘interesting‘ site, their browser or computer is then attacked, typically by targets may be at risk of unwittingly serving as an attack exploiting a vulnerability that allows trojans or backdoors to conduit, and secondly; obviously, such organizations must be installed on the machine. From that point on, the installed now find a way to mitigate such a risk, in order to protect malware becomes the gateway for attackers to reach their real themselves and their clients. target: the internal network and/or communications of the compromised employee’s companies. Figure 1: Screenshots of an e-mail and malicious file attachment used in a targeted attack Corporate espionage 12
  13. 13. How a ‘watering hole’ attack works Espionage Targeted Organization www Exploit kit www Compromised Attacker Attacker gains access to computer compromised computerFor companies with online resources that may be vulnerable A second, very effective method of ruining the spy’s day is toto ‘watering hole’ attacks, it is very important to invest in web use DNS whitelisting in the company‘s DNS server so that onlyand server security. Performing regular audits to verify that specific, approved public sites can be accessed on the user’syour web server is serving only what it should is also highly machine. This precaution directly interferes with the spy’srecommended. ability to communicate with its installed trojan(s), as well as helping to prevent information stolen from the machine beingDefending against watering hole attacks does not require sent out to the attacker’s command and control (CC) server.anything new that should not already be in place to protectagainst more mundane web attacks which target zero day Done right, this method also has the advantage of notvulnerabilities, thereby circumventing detection-based interfering with the way most users work or browse thesecurity coverage. A corporate security suite with behavioral Internet. At F-Secure, we maintain a list of known attackbased detection should of course be a part of the protection domains potentially associated with corporate espionage.solution, as it can still provide a measure of protection by Cross-referencing this list against’s list of 1 millionactively looking for and red-flagging suspicious behavior, most common domains showed that 99.6% of these potentialrather than static reliance on known features to identify a CC sites were outside of Alexa’s top domains.malicious file. So if your organization is in possession of information thatBut when we consider dealing with advanced and persistent might be interesting to other companies, we recommendattackers, one layer of protection is not enough. At a a custom DNS whitelisting solution that is relaxed enoughminimum, corporate users should use Microsoft’s free Exploit to allow your users to work, but still strict enough to blockMitigation Toolkit (EMET) to harden their system’s memory unknown domains. And while attackers can use CC channelshandling for client applications such as web browsers, web that are trickier to block, such as Twitter or Facebook, thisbrowser plugins and document readers. simple precaution does make it more difficult for attackers to operate.SOURCE[1] The Washington Free Beacon; Chinese Hackers Suspected in Cyber Attack on Council on Foreign Relations; published 27 Dec. 2012; espionage 13
  14. 14. Case StudiesBotS15ZeRoAccess17Zeus21Exploits25Web28Multi-Platform attacks 32Mobile35
  15. 15. BotS The world of bots in 2012In the last few years, concerted efforts by various parties to take down or hamstring the operation of botnets, which were costingmillions of users control of their machines, their data and/or their money. In 2012 however, we saw the resurrection of many ofthese botnets, often in a more aggressive form and with new malicious products, updated ‘packaging’ or marketing and distributionstrategies and more efficient money-making mechanisms.ZeroAccess BotsOf all the botnets we saw this year, definitely the fastestgrowing one was ZeroAccess, which racked up millions ofinfections globally in 2012, with up to 140,000 unique IPs in theUS and Europe, as seen on the infection map at right [27].The actual malware that turns a users’s computers into abot is typically served by malicious sites which the user istricked into visiting The malicious site contains an exploit kit,usually Blackhole, which targets vulnerabilities on the user’smachine while they’re visiting the site. Once the machine iscompromised, the kit drops the malware, which then turns thecomputer into a ZeroAccess bot.The bot then retrieves a new list of advertisements from Figure 1: Google Earth map of ZeroAccess infections in the US [1]. Red markers indicate an infected unique IP address or cluster of IP addresses.ZeroAccess’s command and control (CC) server every day.The ZeroAccess botnet reportedly clicks 140 million ads a day.As this is essentially click fraud, it has been estimated that the 900 ZeuS CC servers around the world. This number maybotnet is costing up to USD 900,000 of daily revenue loss to not be truly reflective of the botnet’s size, as the latest versionlegitimate online advertisers. Click fraud has been on the rise of Zeus includes a peer to peers protocol that maintainsas the online advertisement vendors realistically have no way communication within the botnet itself, allowing a bot to fetchto differentiate between a legitimate click and a fraudulent configuration files and update from other infected hosts in theone. botnet. This feature was dubbed “Gameover” and removes the need for a centralized CC infrastructure, making it harder forAnother revenue source for ZeroAccess is its ability to mine for security researchers to track the botnet.Bitcoin, a virtual currency that is managed in a peer-to-peer(P2P) infrastructure. Bitcoin miners harness the computational Apart from the introduction of the Gameover feature, the mainpower from the bots to perform complex calculations to find change with Zeus has been tweaks done to make the malwarea missing block to verify Bitcoin transactions, and that would more user-friendly, in effect making it an attractive resourcereward them in more Bitcoin currency that is agreed within even for wannabe attackers with low technical capabilities.the same peer to peer network, and these can be converted With its fancy control and administration panel, wellto cash. More than half of the botnet is dedicated to mining documented manual and a builder, Zeus allows both amateurBitcoin for profit. Further details of ZeroAccess’s profit- and expert attackers to craft, design and build executables togenerating activities can be found in the case study on page 17. infect the victim computers in a very short amount of time. Citadel, the third derivative of Zeus, sets itself apart byZeus enabling a more rapid deployment of new features andMoving on, Zeus (and its rival cum partner, SpyEye) are customization through an enhanced user interface, again withperhaps still the most talked about banking-trojans in 2012. the aim of helping novice hackers get in the game of deployingZeus has been referred to as “the God of Do-it-Yourself their crimeware. This “dynamic config” functionality allowsbotnets”. Despite various takedown efforts, as of the end of botmasters to create web injections on the fly, a vital abilityDecember 2012, The ZeuS Tracker project has seen almost in today’s online crime landscape as bots are also taken downBots 15
  16. 16. quickly. The most important feature for Citadel however is the The Carberp-infected mobile app is distributed on the Androidavailability of a “Customer Relationship Management” system platform, with most of the targeted users being customers ofthrough the use of a social network platform to support European and Russian banks. As online banking continuesreporting and fixing bugs. This kit is definitely professional to rise in many countries, making such online transactionsgrade, and we expect to see a continuous rise in infections by attractive targets to cybercriminals, banking-related botnetsCitadel in the near future. such as Carberp are expected to continue growing in 2013.Carberp DorkBotFollowing the success of the Zeus and Spyeye, Carberp is most Then there is DorkBot, which was discovered spreadingnotable for making a comeback with a tweaked product and through Skype in October 2012. The malware steals user‘marketing’ approach. First appearing in 2011 a regular data- account and passwords from FaceBook, Twitter, Netflix and Botsstealing banking malware, Carberp’s spread was temporarily various Instant Messaging (IM) channels. From an infectedhampered by a takedown effort from Russian agencies in early social networking account, DorkBot sent out images to the2012. Unfortunately, in December this botnet was discovered users’ contacts list asking the contacts if the attached imageto have resurrected with a new ability to infect a computer’s was their profile pic. Falling for this cliched social engineeringboot record, a component that launches even before the main tactic resulted in an executable installing a backdoor and theoperating system (OS) starts, making any malware in the boot DorkBot worm on the user’s machine, which was then enrolledrecord harder to detect and remove. in a botnet.Carberp’s authors or operators also changed the way the Unlike previously mentioned botnets, DorkBot makes itsmalware was distributed in order to attract more usage from profit through ransom—literally by locking down the victim’sother malware distributors. Carberp was previously only computer, allegedly for the presence of ‘illegal content’ suchavailable as a standalone malware through private underground as pornography or pirated music. It then demands a ‘fine’marketplaces. Since its resurrection, Carberp has pursued a of $200 to be paid within 48 hours, failing which the victimsnew “malware-as-a-service” model that allows users to lease would be ‘reported to a government enforcement agency’use of the botnet itself for prices ranging from USD 2000 to for further prosecution. DorkBot is also capable of makingup to USD 10,000 a month. In addition, the buyer is offered a more money out of its infected hosts by using their combinedchoice of botnet configurations. The priciest format includes power to perpetrate click fraud, which incidentally creates anthe bootkit functionality, which has boosted its market price attractive revenue source for the about USD 40,000. Though the prices may seem steep,this rental scheme appears to be particularly attractive to lesstech-savvy users who simply want a means to an end - that is, Mobile botnetsto install more trojans on more victim machines. And finally, though it is still at an embryonic stage in comparison, we are also seeing botnets operating on theCarberp has also spread to the mobile platform in the form mobile platform, specifically Android. These mobile botnetsof man in the mobile attacks. For a Carberp-in-the-mobile do exactly what botnets did when they first appeared on(CitMo) attack to work, the user must have both a mobile computers - that is, generate and a computer infected with the desktop version ofthe Carberp malware. Once the mobile app is installed, it is The SpamSoldier malware sends SMS messages to a hundredable to intercept SMS messages containing mTAN’s (mobile Android devices (in the US) at a time. The sender has noTransaction Authorization Numbers), which are sent by idea of this activity, as the sent SMS messages are deletedbanks as an authentication measure used to validate online immediately once sent, making the sky high phone bills thattransactions performed by the user. The intercepted mTAN result an unpleasant surprise. These spam messages may alsois then forwarded to a remote server, from which it is later contain social engineering content, including links that lead toretrieved and used by the Carberp trojan installed on the same other malware, therefore compounding the malicious effectuser’s computer in order to gain access to the user’s banking of these spambots.account.SOURCE[1] F-Secure Weblog; Sean Sullivan; The United States of ZeroAccess; published 20 Sept. 2012; 16
  17. 17. ZeRoAccess botnet malware in the wild The most profitableZeroAccess is one of today’s most notable botnets. It was first discovered by researchers back in 2010, when it drew a lot of attentionfor its capability for terminating all processes related to security tools, including those belonging to anti-virus products. When toomany researchers focused on this self-protection capability however, ZeroAccess’ author decided to drop the feature and focusmore on improving its custom peer-to-peer (P2P) network protocol, which is unique to ZeroAccess. After the change[1] , ZeroAccessbecame easier to spot by anti-virus products, yet it continued to spread like wildfire around the world due to the improved P2Ptechnique[2]. This success can be largely attributed to its affiliate program.Affiliate program: ZeroAccess success storyAffiliate programs are a well-known marketing strategy and The variety of distribution schemes and methods used by theare widely used by many e-commerce websites[3]. Essentially, numerous affiliates have contributed to the volume of trojan-a business owner with an e-commerce site to promote dropper variants detected by antivirus products every day.commissions other site owners to help drive customers to All driven by the same motive which is to collect attractive ZeroAccessit (and hopefully eventually make a purchase). The website revenue share from the gang.owners are then compensated for providing these customerleads. Figure 1: A botnet operator seeking partners in an underground forumAdopting this concept, ZeroAccess’s author or operator(s) Methods used by ZeroAccess distributorshas managed to distribute the program to a large number ofmachines with the help of its enlisted partners. Distribution methodsThe ZeroAccess gang advertises the malware installer in Downloader trojan Dropping a downloader trojan onto aRussian underground forums, actively looking for distributor machine, which proceeds to downloadpartners. Their objective is to seek other cybercriminals who and install the botnetare more capable in distributing the malware and do so more Exploit kit Using an exploit kit (e.g., Blackhole) in aefficiently. drive-by-download attack Fake media file or Hosting infected files in P2P file sharingThe malware distributors generally consist of experienced keygen or crack services using enticing names, such asaffiliates, each of them employing their own methods of ‘ the Zeroaccess installers, in order to fulfill the exe’recruiter’s requirements. P2P file sharing service Abusing a P2P file sharing website to host the ZeroAccess installerThe most popular distribution methods we’ve seen involve Spam email Sending spam emails containing anexploit kits, spam e-mails, trojans-downloaders, and seeding attachment or a link that could enablefake media files on P2P file-sharing services and on video further exploitationsites, though the specific details in each case depend on thedistributor handling the operations.ZeroAccess 17
  18. 18. ZeroAccess botnet affiliate program structure ZeroAccess botnet operator $$$ Bitcoin mining Click fraud underground forum Distributor A Exploit kits Distributor B Victims ZeroAccess Distributor C Spam emails Downloader trojan P2P network Distributor nThe partners are compensated based on a Pay-Per-Install Given the rate of pay, it is no surprise that ZeroAccess is(PPI) service scheme[4] and the rate differs depending on the widespread in the US alone[5]. After the US, the commissiongeographical location of the machine on which the malware rate sorted from highest to lowest are Australia, Canada, Greatwas successfully installed. A successful installation in the Britain, and others. Some distributors even post screenshotsUnited States will net the highest payout, with the gang willing of the payment they’ve received in underground forums toto pay USD 500 per 1,000 installations in that location. show the reliability of their recruiter. The ZeroAccess gang can afford to pay such high incentives to its recruits because the army of bots created by the affiliate’s efforts is able to generate even more revenue in return. Once the malware is successfully installed on the victim machines, ZeroAccess will begin downloading and installing additional malware onto the machines, which will generate profit for the botnet operators through click fraud and Bitcoin mining operations. Figure 2: Proof of payments made by recruiter Botnet operators prefer the click fraud payload because since 2006 [6], it has been a proven way to generate income from the pay-per-click (PPC) or the cost-per-click advertising.ZeroAccess 18
  19. 19. Zeroaccess infections, top countriesBitcoin mining has too many constraints. For instance, thesuccess of generating a bitcoin depends on the difficulty level by percentage (%)of the target specified in the Bitcoin network and might evenrequire some luck[7]. Furthermore, the victim’s machine needs 35% 3538+8654to run on a decent CPU power, preferably with GPU or FPGA UShardware, in a reasonable amount of time[8]. Even with a largenumber of botnets, the difficulty factors in solving Bitcoinblocks hinder Bitcoin mining operation from performing aswell as click fraud which only requires the victims to have aninternet connection and a web browser. 38% 5% Italy OthersDespite the difficulties in Bitcoin mining, the fact that the 5% RomaniaZeroAccess botnet was modified to drop its problematicself-protection feature and introduce the Bitcoin mining 5% Canadaoperations indicates that ZeroAccess’s operators are very 6% Indiaambitious to keep the botnet growing and are not afraid of 8% Japantaking risks. *Based on statistics gathered from national ASN-registered networks. ZeroAccessConclusionGiven ZeroAccess’s current success as a huge, fully functionalprofit-generating ‘machine’, it’s unlikely that we’ll see it going zeroaccess’s profit-generating activities,away anytime soon. The ZeroAccess malware - which poses the by percentage (%) 1783most direct threat to the users - will continue to exist as a hiddendanger on malicious or boobytrapped websites. The affiliateprogram that encourages the spread of malware will continue 17%to attract more cybercriminals due to the botnet operators’ Bitcoin miningestablished reputation for reliably paying its affiliates andadjusting commission rates to maintain their attractiveness.And finally, the criminal organizations behind the botnet havedemonstrated that they’re willing to experiment and modifytheir ‘product’ in order to increase their ability to make money.As such, we expect the ZeroAccess botnet to grow and evolve,with new features or feature updates being introduced in thenear future. 83% Click fraudSources[1] F-Secure Weblog; Threat Research; ZeroAccess’s Way of Self-Deletion; published 13 June 2012;[2] F-Secure Weblog; Sean Sullivan; ZeroAccess: We’re Gonna Need a Bigger Planet; published 17 September 2012;[3] Wikipedia; Affiliate Marketing;[4] Wikipedia; Compensation Methods;[5] F-Secure Weblog; Sean Sullivan; The United States of ZeroAccess, published 20 September 2012;[6] MSNBC; Associated Press; Google settles advertising suit for $90 million; published 8 March 2006;[7] Bitcoin Wiki; Target;[8] Wikipedia; Bitcoin; 19
  20. 20. ZEROACCESS INFECTIONS In the USA, Japan, and europe* ZeroAccess Europe USA japan*Red markers indicate an infected unique IP address or cluster of IP addresses.ZeroAccess 20
  21. 21. Zeus robbing banks in modern timesZeus makes up a significant portion of banking trojans; it compromises millions of computers around the world and causes millionsof dollars in loss to its victims. In a typical operation, Zeus modifies a targeted webpage to collect valuable information. For example,adding a part that requests potential victims to enter additional login details or personal information when they visited the webpage.The information is later used to access the victims’ online account and to perform unauthorized transactions.P2P Zeus geographyOf all derivatives and variants, the peer-to-peer (P2P) version Web-Injection Targets by countryis particularly special because it is private and forms only onelarge botnet. Other derivatives usually consist of numerousyet smaller botnets, each run by someone who has purchased 88a version of Zeus. From late August to mid-November 2012,we monitored the P2P bots and tracked the websites thatthey had targeted to compromise with web injections. Thetargeted sites were defined by a configuration data that the 47bots received from other infected machines, and is stored inencrypted form to the Windows registry. 23 18 15The configuration data revealed that a total of 644 unique 14 11 10URLs were targeted for web-injections during the monitoring Zeusperiod, with a special focus on sites based in North America.Not all of these URLs included the domain names. Sometimes, USA Canada Italy Poland Saudi Arabia UAE Germany Rest of the worldonly the path is used for identifying a targeted website. Andmany domains had several different URLs leading to them,using different paths. After excluding URLs with missingdomain names and duplicate domains, a total of 243 uniquedomains were left. In summary, the targeted websites can becategorized into the following types:• Personal online banking When it comes to the number of machines infected with P2P• Corporate online banking (mainly for North American Zeus, the US leads the pack followed by Italy. This number small businesses) was based on 5395 random samples analyzed between July to• Investment and online trading sites November. After the US and Italy, no other countries in the• Credit card services subsequent positions really stand out from the pack as the• Extremely popular global websites (e.g. Amazon, eBay, difference in the number of infection varies only slightly. Facebook, etc.)Geographically, North America is the primary focal point of Top-10 countries with the most P2P ZeusP2P Zeus botnet where it targeted 88 US-based websites and infections23 Canadian-based websites. Several European countries werealso hot targets for web-injection. In the configuration data,entries involving Italian websites were actively added, removed country unique ips % of all ipsor changed; throughout the changes, Italy still remains as one USA 1809 33.53%of the favorite targeted countries. Poland started to creep into Italy 439 8.14%one of the top spots when 15 Polish sites were added to the Germany 205 3.80%targeted list in September and October when there were none Georgia 203 3.76%listed in August. A real surprise from the findings is the number Mexico 179 3.32%of targeted Middle Eastern banks as compared to the number Canada 168 3.11%of infections in the same area.zeus 21
  22. 22. country unique ips % of all ips Different derivatives (i.e. Citadel, Ice IX, and P2P) that popped up after the original Zeus 2 source code was leaked online have India 167 3.10% received drastically different commands since then. These Brazil 143 2.65% commands provide a good indication of the development Romania 133 2.47% pace of each derivative. Citadel leads with 20 new commands Taiwan 110 2.04% while Ice IX only received one, making it the closest version to the leaked version For Citadel and Ice IX, the earliest date listed on each respective table was also the date when weEvery month, the US and Italy were consistently positioned at ran into the first sample of the derivative. For the P2P variantthe top in terms of infection numbers. When Polish sites started however, we received the first sample on 3rd September 2011to become targets, the number of infection in Poland more but only saw the first changes to the backdoor commands sixthan doubled but this number only accounted for two percent months later.of the total amount even at its highest point in November. The tables below list all new commands that are callable. Some of these may not implement any action and we did not track PERCENTAGEs (%) OF INFECTED IPs any possible changes in the behavior of each command. Please take note that the dates used in the tables were based on when 80% we first received the sample with that particular command rather than when the Zeus author rolled out the changes. 70% 60% Callable commands in the Zeus botnet 50% Poland P2P Variant Taiwan Commands First seen Zeus Mexico fs_find_by_keywords ** 2012-03-30 40% India fs_find_add_keywords 2012-04-09 fs_find_execute 2012-04-09 30% Canada fs_pack_path 2012-05-24 Germany ddos_address 2012-05-24 20% Georgia ddos_execute 2012-05-24 Italy ddos_type 2012-05-24 10% USA ddos_url 2012-05-24 ** fs_find_by_keywords was a short lived command in the P2P JUL AUG SEP OCT NOV variant; it was last seen in a sample received on 3rd April 2012. CitadelEarlier this year, Dell SecureWorks Counter Threat Unit[3] was Commands First seenable to connect to approximately 100,000 P2P Zeus bots. dns_filter_add 2011-12-10Using this number as a minimum botnet size, we can say that dns_filter_remove 2011-12-10the most affected Internet Service Providers (ISPs) could haveseveral thousand of P2P Zeus infections on their customers’ url_open 2012-02-12machines. module_download_disable 2012-05-07 module_download_enable 2012-05-07 module_execute_disable 2012-05-07New backdoor commands in Zeus derivatives module_execute_enable 2012-05-07Zeus capability is not limited to serving as a banking trojan info_get_antivirus 2012-05-07only. Since the beginning of its release, it has always contained info_get_firewall 2012-05-07some backdoor features that are controlled by simple scripts info_get_software 2012-05-07as ordered by the botnet owner. These scripts are delivered ddos_start 2012-07-03to infected machines through command and control (CC)servers.zeus 22
  23. 23. Citadel Zeus 2 Timeline of Notable Events Commands First seen ddos_stop 2012-07-03 01.04.2010 Birth of Zeus close_browsers 2012-09-11 xx.10.2010 SpyEye author received Zeus source code[1] webinjects_update 2012-09-11 download_file 2012-09-11 search_file 2012-09-11 tokenspy_update 2012-09-11 upload_file 2012-09-11 xx.04.2011 Earliest known date of Ice IX debut[2] tokenspy_disable 2012-10-06 bot_transfer 2012-10-06 xx.05.2011 Zeus source code leaked online xx.08.2011 First public sale of Ice IX on the internet Ice IX 03.09.2011 Earliest P2P Zeus variant identified by FS Commands First seen Labs bot_update_exe 2011-11-03 05.09.2011 First P2P Zeus backup domain registered 03.11.2011 Earliest Ice IX sample identified by FS LabsBesides being used as a banking trojan, some Zeus botnetsmay now also be used to perform distributed denial of service xx.11.2011 P2P gang started incorporating DDoS(DDoS) attacks on targeted websites where interested parties attack in their operations[3]can rent a botnet from the controller for certain fees. As canbe seen from the new backdoor commands, both the Citadel xx.12.2011 First date of Citadel identification[4] Zeusand the P2P versions received the DDoS features during thesummer, but the reason behind the P2P feature update may 10.12.2011 Earliest Citadel sample seen by FS Labsbe different. According to Dell SecureWorks Counter ThreatUnit[3], the crew running the P2P variant used DDoS attacks toprevent victims of banking trojans from accessing their onlinebanking accounts until the fraudulent transactions had beencompleted. Thus reason for the DDoS feature update may be 30.03.2012 First change made to P2P Zeus backdoorto stop having to rent a third party botnet kit that the gang commandshad been using to conduct attacks that took place betweenNovember 2011 and summer 2012. 07.05.2012 Citadel received backdoor commands to control additional modules 14.05.2012 A custom Zeus 2 variant that includes ransomware features found 24.05.2012 DDoS feature added to P2P Zeus 03.07.2012 DDoS feature added to CItadelSOURCES[1] KrebsonSecurity; Brian Krebs; SpyEye v. ZeuS Rivalry Ends in Quiet Merger; published 24 Oct 2010;[2] RSA FraudAction Research Labs; New Trojan Ice IX Written Over Zeus’ Ruins; published 24 Aug 2011;[3] Dell SecureWorks; Brett Stone-Goss; The Lifecycle of Peer-to-Peer (Gameover) ZeuS; published 23 Jul 2012;[4] Seculert Blog; Citadel - An Open-Source Malware Project; published 8 Feb 2012; 23
  24. 24. The complete infographic can be viewed at
  25. 25. Exploits Top Targeted Vulnerabilities in 2012In 2012, we saw the exploitation of known vulnerabilities in These then are the most commonly targeted CVEa popular program or the operating system become one of vulnerabilities of 2012:the most popular, if not the most popular, technique used bymalware distributors, hackers and attackers in order to gain CVE-2011-3402access to or control of a user’s machine. A vulnerability in the TrueType font parsing engine used in the kernel drivers of various Microsoft Windows operating systemFrom the normal user’s perspective, the most likely scenario in versions (including XP, Windows Vista and Windows 7) allowswhich they are likely to encounter an attempted vulnerability remote attackers to run arbitrary code on a user’s machine.exploit of their machine is through visiting a malicious or The attack uses a Word document or web page containingcompromised website. Though some attacks continue to use specially crafted malicious font data. More information on thistried-and-true social engineering tactics, which require an vulnerability can be found on the infographic on page 27.element of deception and are relatively easy for an alert userto spot (“Click this link for free stuff!” or “Download this codec CVE-2010-0188to view this tantalizing video!”), in more sophisticated attacks A vulnerability in Adobe Reader and various versions ofusers are unlikely to see any overt signs that an attack has Adobe Acrobat allows attackers to use a specially crafted PDFtaken place at all; instead, their machine is quickly and silently document to force the application to crash, causing a denial ofcompromised during the short period it was exposed to the service. According to reports, the attack document is also ablemalicious or compromised website. to drop a malicious file onto the compromised system, which then connects to a remote site for further instructions.In some cases, the attack is tailored specifically to target aparticular set of users. Targeted user groups are typically CVE-2012-4681either the users of specific banks (making the attack a case of Vulnerabilities in the Java Runtime Environment (JRE) runningmonetary theft) or users employed by a specific company or in web browsers allow attackers to use a specially craftedin a specific field (essentially corporate or political espionage, applet to run arbitrary code on the compromised machine. exploitssee the Corporate Espionage case study on page 12). These Users are most commonly exposed to the malicious applettargeted attacks are hardly new—we’ve seen cases of spear when they are directed (either through social engineering orphishing come and go over the years. The main change poisoned search results) to a malicious webpage hosting thethat we’ve seen in the last few years is that rather than attack applet.depending on the user to download an infected attachmentor enter sensitive data into a malicious page masquerading as CVE-2012-5076a legitimate portal, the attacks now make use of exploits and/ A vulnerability in the JRE component of Oracle Java SE 7 Updateor exploit kits to directly compromise the user’s machine, 7 and earlier allows attackers to use a specially crafted appletwithout needing any action from the user. to run arbitrary code on the compromised machine, usually to download additional malicious files onto it.In 2012, we saw a wide range of exploits being used totarget known vulnerabilities, but surprisingly, statisticsfrom F-Secure’s cloud lookup systems indicate that in most CVE-2012-0507countries, the majority of exploits detected were related to A vulnerability in the AtomicReferenceArray of various versionsonly four vulnerabilities, all reported within the last two years of Oracle Java allows attackers to essentially breach theand designated with official Common Vulnerabilities and ‘sandbox’ or contained environment of the Java installation,Exposure (CVE) identifiers. The preference for targeting these permitting the attacker to perform malicious actions on thefour vulnerabilities may be related to the fact the some of the affected machine.most popular exploit kits of today, particularly BlackHole andCool Exploit, have incorporated the exploits targeting these CVE-2012-1723vulnerabilities into their capabilities. Ironically, most of these A vulnerability in the Java HotSpot VM in the JRE componentvulnerabilities have already had security updates or patches of various versions of Oracle Java allows attackers to essentiallyreleased by the relevant software vendors. Two other Java- breach the ‘sandbox’ or contained environment of the Javaspecific vulnerabilities, though nowhere near as frequently installation, permitting the attacker to perform malicioustargeted as the first four, also saw enough attacks to be worth actions on the affected machine.noting.exploits 25
  26. 26. Netherlands BelgiumExploit Prevalence: Exploit Prevalence:139 2011-3402 2012-4681 1212011-3402: 39% 2011-3402 2011-3402: 36%2010-0188: 32% 2010-0188 2010-0188: 35%2012-4681: 17% 2012-5076 2012-4681: 16%2012-5076: 9% 2012-5076: 11% 2012-4681 2010-0188 Sweden Exploit Prevalence: 2010-0188 102 2012-4681 2011-3402 2012-5076 2011-3402: 31% 2010-0188: 29% 2012-5076 2012-4681: 29% 2012-5076: 9%infographic These were the top 10 countries that saw the most exploitsMost Targeted CVE Vulnerabilities, targeting known CVE vulnerabilities in H2 2012, ranked by Exploit Prevalence, which is calculated as the count of CVE-Top 10 Countries related detections reported per 1,000 users in the country forH2 2012 that time period. For example, during H2 2012, our systems recorded a CVE-related exploit detection for 139 of every 1,000 users in the Netherlands. Also listed are the top 4 CVE vulnerabilities targeted in each country, as well as their relative percentage of all CVE-related detections from that country. 2010- 2012-4681 2010-0188 2010-0188 2012- 0188 4681 2011- 2012- 2012- 3402 2012-4681 2012- 2011-3402 5076 2011-3402 5076 5076 Italy Germany France Exploit Prevalence: 88 Exploit Prevalence: 78 Exploit Prevalence: 69 2010-0188: 38% 2012-4681: 32% 2011-3402: 32% 2012-4681: 29% 2010-0188: 26% 2010-0188: 28% 2011-3402: 22% 2011-3402: 22% 2012-4681: 24% 2012-5076: 8% 2012-5076: 15% 2012-5076: 13% 2011-3402 2010-0188 2010-0188 2012-5076 2012-4681 2012- 2010- 2012-5076 2012-5076 4681 0188 2010- 2011- 0188 2011-3402 2011- 2012- 3402 4681 3402 2012-5076 2012-4681 US UK Poland Finland Exploit Prevalence: Exploit Prevalence: Exploit Prevalence: Exploit Prevalence: 87 67 61 45 2012-4681: 47% 2011-3402: 30% 2010-0188: 35% 2010-0188: 33% 2012-5076: 25% 2012-4681: 28% 2012-5076: 24% 2012-5076: 25% 2011-3402: 16% 2010-0188: 28% 2011-3402: 21% 2011-3402: 21% 2010-0188: 9% 2012-5076: 11% 2012-4681: 16% 2012-4681: 17%
  27. 27. infographic Belgium Sweden 34 72 56 NetherlandsCVE-2011-3402 UK 21 11Denmark USA 16 13 Poland 17 Germany 25 19 Czech RepublicMost Exploited Users, 25 Austria 27 FranceTop 15 Countries GreeceCalculated as the count of CVE-2011-3402-related detections per 1,000 users in thecountry, as seen by F-Secure’s cloud lookup 15 Switzerland 40 Spainsystems in H2 2012.For example, in Belgium, 21 Italy72 out of every 1,000 usersreported seeing a CVE-2011-3402-related detection in thesecond half of the year. 2% Blackhole 11% The Cool (kit) factor 11 Others In H2 2012, most of the maliciousFirst reported in 2011, the term CVE-2011-3402 refers to a Cool sites we saw with the CVE-2011- 87%vulnerability in the Windows operating system component 3042 exploit were using the Coolthat handles TrueType fonts. Exploit kit to attack unsuspecting site visitors.Shortly afterwards, an exploit became public that tookadvantage of this vulnerability to, among other things,install malware onto the affected system. +87+2+ 34%The exploit was first used in the Duqu malware, which Germany 26% 26% Ukraineonly targeted specific organizations in certain countries. France Russia USAIn October 2012, the exploit was added to the Cool UKExploit kit, and shortly after to 5 other kits as well. It quicklybecame one of the most common exploits seen by normal The Euro zonecomputer users in H2 2012. 60% percent of malicious sites hosting kits with the CVE-2011-3042 exploit were registered to just 2 countries: France and Germany.CVE-2012-4681 1000=CVE-2011-3402 980=CVE-2010-0188 950= The greatest hits Despite being relatively new, of all CVE-related hitsCVE-2012-5076 500= logged by F-Secure’s cloud lookup systems in H2 2012,CVE-2012-0507 100= CVE-2011-3402-related detections were the second most frequent. 135 000