3. Malware Trend Report 3rd Quarter, 2014
Page 2 of 24
1. Introduction
This is the third quarterly trend report for 2014 from the RedSocks Malware Research Lab. RedSocks is a
Dutch company specialising in Malware detection. Our solution, RedSocks Malware Threat Defender, is a
network appliance that analyses digital traffic flows in real-time, based on algorithms and lists of malicious
indicators. This critical information is compiled by the RedSocks Malware Intelligence Team. The team
consists of specialists whose job it is to identify new threats on the Internet and to translate them into
state-of-the-art malware detection capabilities.
With this report, we hope to provide the reader with a deeper insight into the trends we see in the Malware
we process. We will look at data collected during the third quarter of 2014. Because RedSocks analyses large
numbers of malicious files on a daily basis, we can cover only a few topics briefly in this trend report.
Protecting your data from Internet-based threats is not an easy task — and relying on protection from Anti-
Virus companies, no matter how established their brand, is not enough. Comprehensive protection requires
an entirely new approach.
2. Overview
The total number of new and unique malicious files processed per month went from 8.7 million in July to 7.4
million in August, and down to 6.6 million in September.
The overall detection rate by Anti-Virus software this quarter remains roughly the same as in the last
quarter. The detection rate for July was 75.78 percent, for August 77.50 percent, and for September the
average detection was 80.06 percent. That might not sound too bad, but it means that around 24 percent,
23 percent and 20 percent respectively were not detected. This is a slight improvement compared with the
second quarter. Please note that identification rates can change depending on the samples chosen and the
time of scanning.
During the third quarter, the number of identified Adware dropped from 1.2 million in July and August, to
0.9 million in September.
The drop in the numbers of identified Backdoors and Botnets reported in our Second Quarter Malware
Trend Report has come to an end. In July, the numbers dropped to 53.000. In August, the numbers
increased to 117.000, and in September they increased further to 140.000 new Backdoors and Botnets.
Only 0.03 percent of the files were detected as Exploit and 0.05 percent as Rootkit in July by Anti-Virus
software. In August, 0.03 percent were detected as Rootkits and 0.09 percent as Exploits. For September it
is 0.04 percent Exploits and 0.02 percent for the Rootkits.
Like in the first and second quarter of this year, Trojans are by far the most popular type of Malware. In July
and August, they accounted for 3.1 and 3.2 million files. In September, 2.5 million unique files were identified as
Trojans.
In July, 690.000 Worm files were identified. In August, the number dropped to 381.000. In September, 463.000
Worms were added to our databases.
Grouped together, all other malicious files such as Flooders, HackTools, Spoofers, Spyware, Viruses, etc.,
account for 39, 33, and 38 percent of the total for July, August, and September, respectively.
As in the first quarter, most Command & Control (C&C) servers were hosted in the United States, followed
by the Russian Federation. During the second quarter, Germany occupied the third place. The Netherlands
was the biggest riser among countries hosting C&C servers, going from 8th place in March and April to 6th place
in May, and finishing in 5th place in June.
2.1. Collecting Malware
At the RedSocks Malware Research Labs, we track large numbers of Malware from our globally distributed
honeypots, honey-clients, spamnets, and through various botnet monitoring sensors. Due to the distribution
of our Honeypots, we are able to automatically collect and process new malicious samples from across the
globe. We also exchange large quantities of malicious files with the Anti-Virus industry.
2.2. Processing
Working with Malware is what we love to do. More than 200.000 new malicious files arrive every day at our
automated Malware collecting machines.
All samples are renamed to their hash value. We then check whether that particular piece of Malware has
already been processed.
The accompanying graph shows the total amount of disk space needed to store all the new malicious files.
While the number of new malicious files stayed more or less the same, the average file size decreased a little
bit. During the second quarter, we saw that malicious files, on average, shrank by 12.73 percent. During the
third quarter, the average file size increased by 118.52 percent.
New file metrics by month            April     May       June      July      August    September
Average number of new files per day  236.719   218.280   239.528   279.969   237.761   219.353
Average file size in bytes           471.319   453.797   411.308   455.027   494.817   539.299
Average Anti-Virus Detection         75.52%    74.61%    79.76%    75.78%    77.50%    80.06%
Graph: 1
Graph: 2
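As an added illustration of the intake step described in this section (it is not the RedSocks tooling), the Python below renames each arriving sample to its SHA-256 hash, skips samples that have already been processed, and derives the per-day and file-size figures that the metrics table reports. The sample feed is constructed inline; the choice of SHA-256 and the grouping by arrival day are assumptions.

```python
import hashlib
from collections import defaultdict
from datetime import date

# Constructed sample feed: (arrival day, raw file content). The third entry
# repeats the first file's content, so intake must recognise it as a duplicate.
SAMPLE_FEED = [
    (date(2014, 7, 1), b"MZ\x90\x00" + b"A" * 60),
    (date(2014, 7, 1), b"%PDF-1.4\n" + b"B" * 120),
    (date(2014, 7, 2), b"MZ\x90\x00" + b"A" * 60),   # duplicate of the first sample
    (date(2014, 7, 2), b"MZ\x90\x00" + b"C" * 200),
]


def sample_name(blob: bytes) -> str:
    """Name a sample by its SHA-256 hex digest (assumed hash; any collision-resistant
    hash works). Naming by content hash turns 'already processed?' into a set lookup."""
    return hashlib.sha256(blob).hexdigest()


def ingest(feed):
    """Walk the feed in arrival order; return (new samples, duplicates skipped).
    Each new sample is recorded as (day, hash name, size in bytes)."""
    seen = set()            # in production this is the sample database, not a set
    new_samples = []
    duplicates = 0
    for day, blob in feed:
        name = sample_name(blob)
        if name in seen:
            duplicates += 1
            continue
        seen.add(name)
        new_samples.append((day, name, len(blob)))
    return new_samples, duplicates


def daily_metrics(new_samples):
    """Aggregate new samples into the figures of the 'new file metrics' table:
    average new files per day, average file size, and the disk space they need."""
    count_per_day = defaultdict(int)
    bytes_per_day = defaultdict(int)
    for day, _, size in new_samples:
        count_per_day[day] += 1
        bytes_per_day[day] += size
    days = len(count_per_day)
    total_files = sum(count_per_day.values())
    total_bytes = sum(bytes_per_day.values())
    return {
        "days": days,
        "new_files": total_files,
        "avg_new_files_per_day": total_files / days if days else 0.0,
        "avg_file_size_bytes": total_bytes / total_files if total_files else 0.0,
        "storage_bytes": total_bytes,
    }


if __name__ == "__main__":
    fresh, skipped = ingest(SAMPLE_FEED)
    print(f"new: {len(fresh)}, duplicates skipped: {skipped}")
    for key, value in daily_metrics(fresh).items():
        print(f"{key}: {value}")
```

Hashing before any other processing also gives a stable identifier for exchanging samples with other parties, which is why the dedup check is the first thing the pipeline does.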
2.3. Identifying Malware
Although we collect all types and categories of Malware for all operating systems at RedSocks, we do have
a special interest in certain types and categories of Malware.
A simple means of identifying malware is by file type. RSMIT uses various analysis tools to determine the
statistically most likely file type for each malware sample we analyse. The majority of malware samples
target Windows users, which makes Windows executable files very common, while executables for other
operating systems are far less common.
The top 10 file types are listed in the tables below.
July                 August               September
Extension  Amount    Extension  Amount    Extension  Amount
EXE        7.360.993 EXE        6.143.113 EXE        5.500.664
DLL        813.347   DLL        827.924   DLL        720.834
OCX        197.634   SCR        223.397   OCX        141.419
SCR        134.100   OCX        126.126   SCR        89.343
AX         43.450    AX         28.134    AX         28.805
DOC        2.926     PDF        2.949     XLS        5.241
CAB        2.529     DOC        2.113     DOC        4.341
PDF        2.511     XLS        1.449     PDF        3.498
XLS        2.197     CPL        1.188     CAB        1.466
CPL        1.746     CAB        848       CPL        1.390
In the second quarter of this year, we saw a total of 47, 37 and 42 different extensions being used by
Malware, respectively. Like in the previous quarter, .EXE files are by far the most popular way to distribute
Malware. 84 percent of all malicious files in the third quarter were .EXE files, an increase of 3 percent
compared with the second quarter.
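The file-type ranking above is determined from content, not from the name a sample arrived with. The Python below is an added example (not RSMIT's tooling) of that classification by magic bytes: PE files are recognised by the MZ/PE headers and split into EXE and DLL with the COFF IMAGE_FILE_DLL flag, OLE2 compound files (DOC/XLS), PDF and CAB by their signatures, and the results are tallied into a top-N list. The corpus is constructed inline. Note the caveat the report's table hides: OCX and AX are DLLs and SCR files are EXEs, so content alone gives a coarser label set than the extensions listed.

```python
import struct
from collections import Counter

# Magic values used by the classifier (assumed from the public format
# specifications; the report's own tooling is not shown).
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # DOC/XLS/PPT compound files
IMAGE_FILE_DLL = 0x2000                           # COFF Characteristics flag


def identify_file_type(blob: bytes) -> str:
    """Label a sample by its content rather than by its file name.
    PE files are split into EXE and DLL via IMAGE_FILE_DLL; OCX/AX (DLLs)
    and SCR (EXEs) are indistinguishable from those by content alone."""
    if blob.startswith(b"%PDF"):
        return "PDF"
    if blob.startswith(b"MSCF"):
        return "CAB"
    if blob.startswith(OLE2_MAGIC):
        return "OLE"   # DOC or XLS; the stream names inside decide which
    if blob[:2] == b"MZ" and len(blob) >= 0x40:
        # e_lfanew at offset 0x3C points at the "PE\0\0" signature
        pe_off = struct.unpack_from("<I", blob, 0x3C)[0]
        if blob[pe_off:pe_off + 4] == b"PE\0\0" and len(blob) >= pe_off + 24:
            # COFF header: Machine(2) Sections(2) Timestamp(4) SymPtr(4)
            # NumSyms(4) OptHdrSize(2) Characteristics(2) -> offset +22
            characteristics = struct.unpack_from("<H", blob, pe_off + 22)[0]
            return "DLL" if characteristics & IMAGE_FILE_DLL else "EXE"
        return "MZ"    # DOS header without a valid PE header (e.g. truncated)
    return "UNKNOWN"


def make_pe(is_dll: bool) -> bytes:
    """Build a constructed, minimal MZ/PE stub: a DOS header whose e_lfanew
    points at 0x40, followed by a COFF header. Enough for the identifier to
    read; it is not a loadable program."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)   # EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, chars)
    return bytes(dos) + coff


def top_file_types(blobs, n=10):
    """Tally labels over a corpus, most common first, like the top-10 tables."""
    return Counter(identify_file_type(b) for b in blobs).most_common(n)


# Constructed corpus mirroring the report's ranking: executables dominate.
CORPUS = [make_pe(False)] * 3 + [make_pe(True)] * 2 + [
    b"%PDF-1.5\n%constructed", OLE2_MAGIC + b"\x00" * 32,
    b"MSCF" + b"\x00" * 32, b"plain text, not a known container",
]

if __name__ == "__main__":
    for label, count in top_file_types(CORPUS):
        print(f"{label:8s} {count}")
```

Because the identifier reads the PE header offsets, truncated or deliberately malformed headers fall through to the "MZ" or "UNKNOWN" labels instead of raising, which is what an intake pipeline processing hundreds of thousands of hostile files per day needs.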
2.4. Detecting Malware
Within the RedSocks Malware Labs, we use an in-house classification system for grouping Malware.
We have classified over 300 types, for which we have created detailed statistics. Once multiple anti-virus
scanners (in ‘paranoid’ mode) have performed their on-demand scan, we know which Malware was
detected and, perhaps more importantly, which was not.
In the graph below, the blue section shows all the new and unique malicious files per day, the green section
shows the sum of all files identified by Anti-Virus software and, in red, the number of files not detected.
Graph: 5
Of all the malicious files we processed in July, on average 24 percent were not detected by any of the
Anti-Virus products we currently use. In August, 22 percent of the samples on average remained undetected.
In September, the Anti-Virus detection improved, but still missed 20 percent of all malicious samples we
processed.
In appendix A “Detecting Malware” you will find the detection results per day, per month.
Graph: 6 Graph: 7 Graph: 8
2.5. Classifying Malware
We categorise Malware according to its primary feature. In the second quarter, Malware was grouped as
follows:
The 'Other' category in 'All Malware' consists of malicious samples that do not fit in the six categories, such
as 64-bit Malware, malicious Macros, Packed Malware, Riskware, Spamming Tools, Spoofers, Spyware, All
kinds of (Hacking) Tools, and the ‘classic’ Viruses.
See appendix B for the numbers per day, per category, per month.
Graph: 6 Graph: 5
3. Trends
Discovering Malware propagation trends starts with an analysis of the raw data behind the collection and
processing of Malware. From July to September, RedSocks Malware Research Labs identified the following
trends by Malware category.
3.1. Adware
During the second quarter, we identified around 3 million files as Adware. During the third quarter, we
identified 3.3 million. Like in the second quarter, this accounts for about 15 percent of the total. The overall
popularity of Adware stayed the same.
On the 25th of July, generic variations of “Adware.Graftor.146103”, “Adware.Dropper.101”, and
“Adware.Dropper.103”, were identified in 47.000, 26.000, and 15.000 files.
During the third quarter, 877.000 variations of the “Adware.Dropper” family were found. They can be
grouped into seven major versions. Newer versions are clearly not always better or more popular, judging by
their counts and the number of days on which they were active.
Graph: 9
Generic Malware ID Count Days active Q3
Adware.Dropper.101 394.809 92
Adware.Dropper.103 305.943 92
Adware.Dropper.105 24.520 17
Adware.Dropper.106 3.131 17
Adware.Dropper.108 144.223 61
Adware.Dropper.110 4.163 41
Adware.Dropper.112 53 5
3.2. Backdoors and Botnets
Files identified as infected with a Backdoor or having Botnet functions made up 2 percent in the second
quarter. A total of 309.000 files were classified in this category in the third quarter. This is 1 percent of the
total.
Since May 2014, the distribution of new Backdoors and Botnets and their variations has been low. From the
second week of September, the numbers are rising again.
On the 23rd of August, 31.000 variations of “Backdoor.Delf.ARS”, and 17.000 variations of
“Backdoor.Wabot.A” were intercepted.
Graph: 10
3.3. Exploits
An exploit is an attack on a computer system, especially one that takes advantage of a particular
vulnerability. Looking at malicious files that were identified as exploits, we see quite a few spikes above
250.
In the second quarter, we saw a slight decrease in the overall usage of exploits compared to the first
quarter. This trend continues during the third quarter.
Of the 461 major exploit families we identified, one jumps out: spread over 56 days, with 1.400 unique
samples, “CVE-2010-0188.C” is the most popular exploit of this quarter.
Exploit “CVE-2010-0188.C” identifies malicious PDF files downloaded by the Blackhole exploit kit that
exploit a known vulnerability in Adobe Reader. To prevent successful exploitation, install the latest updates
available for Adobe Reader and/or remove any old, unnecessary installations.
Graph: 11
3.4. Rootkits
A rootkit is a type of software designed to hide the fact that an operating system has been compromised.
This can be done in various ways for example by replacing vital executables or by introducing a new kernel
module. Rootkits allow Malware to “hide in plain sight”. Rootkits themselves are not harmful; they are
simply used to hide Malware, bots and worms.
To install a rootkit, an attacker must first gain sufficient access to the target operating system. This could be
accomplished by using an exploit, by obtaining valid account credentials or through social engineering.
Because rootkits are activated before your operating system boots up, they are very difficult to detect, and
therefore provide a powerful way for attackers to access and use the targeted computer without the owner
being aware of it. Due to the way rootkits are used and installed, they are notoriously difficult to remove.
Rootkits today are usually not used to gain elevated access, but are instead used to mask Malware payloads
more effectively.
Graph: 12
The huge spike on the 10th of August was created by 2.600 different files containing “Rootkit.15158” or
a slight modification of it. In the third quarter, a total of 3.498 unique files were identified using this Rootkit.
Distribution started on the 1st of August and was last seen on the 29th of September.
Graph: 3
In the first and second quarter, we saw a slight drop in the rootkit usage. This drop continued in the third
quarter.
3.5. Trojans
Trojans are by far the biggest category of Malware, with more than 9.1 million (43 percent) new unique
samples in the second quarter of this year. In the third quarter, 8.8 million files (39 percent) were Trojans.
Of all the Trojan families, we will only discuss the top three. In third place, we find “Trojan.Agent.BEFC”,
with 188.000 different samples distributed over 64 days. Its best day was the 5th of July, with a little over
14.000. In second place is “Trojan.Agent.BDMJ”, with 259.000 files spread over 89 days. Its best day was
the 1st of July. Without any doubt, the most distributed Trojan family is “Trojan.Generic.11210422”: in 58
days we counted nearly 271.000 new samples.
AV-Identifier            Total Amount  First Seen  Last Seen  Best Day  Best Day Amount  Days Seen
Trojan.Generic.11210422  270.613       01-07-14    27-08-14   29-07-14  51.487           58
Trojan.Agent.BDMJ        258.928       01-07-14    30-09-14   01-07-14  24.136           89
Trojan.Agent.BEFC        188.099       24-07-14    28-09-14   05-09-14  14.074           64
During the first and second quarter there was a slight increase in Trojan use. In the third quarter there is a 3
percent drop in Trojan usage.
Graph: 14
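The family table above (total, first seen, last seen, best day, best-day amount, days seen) and the daily detection figures of section 2.4 both come from the same per-sample scan records. The Python below is an added example and not the RedSocks classification system: it takes constructed scan rows carrying one verdict per on-demand scanner, counts a sample as detected when at least one scanner flags it, computes the per-day detected/undetected split and overall detection rate, and derives the family columns shown in the table. Assigning the family by majority vote among the scanners that flagged the sample is an assumption.

```python
from collections import Counter, defaultdict

# Constructed scan results: one row per unique sample. 'verdicts' maps each
# on-demand scanner to the family label it reported, or None if it stayed silent.
SCAN_LOG = [
    {"sha256": "a1", "day": "2014-07-01", "verdicts": {"av1": "Trojan.Agent.BDMJ", "av2": None}},
    {"sha256": "a2", "day": "2014-07-01", "verdicts": {"av1": "Trojan.Agent.BDMJ", "av2": "Trojan.Agent.BDMJ"}},
    {"sha256": "a3", "day": "2014-07-01", "verdicts": {"av1": None, "av2": None}},
    {"sha256": "a4", "day": "2014-07-02", "verdicts": {"av1": None, "av2": "Trojan.Generic.11210422"}},
    {"sha256": "a5", "day": "2014-07-02", "verdicts": {"av1": None, "av2": None}},
    {"sha256": "a6", "day": "2014-07-02", "verdicts": {"av1": None, "av2": None}},
    {"sha256": "a7", "day": "2014-07-04", "verdicts": {"av1": "Trojan.Agent.BDMJ", "av2": None}},
]


def daily_detection(scan_log):
    """Per day (ISO date): (new files, detected by at least one scanner,
    detected by none). A sample counts as detected if any scanner flags it."""
    per_day = defaultdict(lambda: [0, 0, 0])
    for row in scan_log:
        detected = any(v is not None for v in row["verdicts"].values())
        stats = per_day[row["day"]]
        stats[0] += 1
        stats[1 if detected else 2] += 1
    return {day: tuple(v) for day, v in sorted(per_day.items())}


def detection_rate(scan_log):
    """Overall share of samples flagged by at least one scanner, in percent."""
    rows = daily_detection(scan_log).values()
    total = sum(r[0] for r in rows)
    detected = sum(r[1] for r in rows)
    return round(100.0 * detected / total, 2) if total else 0.0


def family_label(verdicts):
    """Assumed classification rule: majority label among scanners that flagged
    the sample; None when every scanner stayed silent."""
    labels = [v for v in verdicts.values() if v is not None]
    return Counter(labels).most_common(1)[0][0] if labels else None


def family_table(scan_log):
    """Per family: total, first seen, last seen, best day and its amount, and
    days seen (the columns of the Trojan and Worm tables), sorted by total."""
    per_family_day = defaultdict(lambda: defaultdict(int))
    for row in scan_log:
        label = family_label(row["verdicts"])
        if label is not None:
            per_family_day[label][row["day"]] += 1
    table = []
    for family, days in per_family_day.items():
        # highest count wins; on a tie, the earliest day (ISO strings sort by date)
        best_day, best_amount = min(days.items(), key=lambda kv: (-kv[1], kv[0]))
        table.append({
            "family": family,
            "total": sum(days.values()),
            "first_seen": min(days),
            "last_seen": max(days),
            "best_day": best_day,
            "best_day_amount": best_amount,
            "days_seen": len(days),
        })
    table.sort(key=lambda r: r["total"], reverse=True)
    return table


if __name__ == "__main__":
    for day, (new, hit, missed) in daily_detection(SCAN_LOG).items():
        print(f"{day}: {new} new, {hit} detected, {missed} undetected")
    print(f"detection rate: {detection_rate(SCAN_LOG)} %")
    for row in family_table(SCAN_LOG):
        print(row)
```

The undetected column is the one worth watching operationally: those are the samples for which only the network indicators (C&C traffic) remain as a detection opportunity, which is the gap the report's own product positioning is about.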
3.6. Worms
In roughly 1.8 million new files, we identified worm traces and functionality. The first spike above 100.000,
on the 16th of July, was primarily caused by 83.000 samples of “Worm.Generic.510258”. On the 19th of July,
82.000 minor variations of “Win32.Worm.P2p.Picsys.C” were counted. The last spike, on the 13th of
September, was again caused by “Worm.Generic.510258”; on that day we saw 54.000 files.
The table below lists the top 3 most identified Worm families.
AV-Identifier             Total Amount  First Seen  Last Seen  Best Day  Best Day Amount  Days Seen
Win32.Worm.P2p.Picsys.C   290.077       01-07-14    30-09-14   19-07-14  81.650           91
Worm.Generic.510258       289.723       02-07-14    30-09-14   16-07-14  82.655           85
Win32.Worm.VB.NZQ         110.606       02-07-14    30-09-14   21-07-14  32.781           85
Members of the peer-to-peer worm family “Picsys.C” were, with 54.000 files on the 13th of September,
responsible for the last spike.
Compared with the second quarter, a 1.4 percent increase can be observed in Worm usage.
Graph: 15
3.7. 64-bit Malware
In the second quarter of this year “Expiro” family members, which are able to infect 32-bit and 64-bit files,
ruled the 64-bit malware charts. The third quarter shows a drop in the old “Expiro” usage and the rise of the
second and third generation.
“Expiro” aims to maximise profit and infects executable files on local, removable and network drives. As for
the payload, this malware installs extensions for the Google Chrome and Mozilla Firefox browsers. The
malware also steals stored certificates and passwords from Internet Explorer, Microsoft Outlook, and from
the FTP client FileZilla. Browser extensions are used to redirect the user to a malicious URL, as well as to
hijack confidential information, such as account credentials or information about online banking. The virus
disables some services on the compromised computer, including Windows Defender and Windows Security
Center, and can also terminate processes.
Graph 16 shows the distribution of the 33.000 64-bit malware samples intercepted during the third quarter.
Graph: 15
3.8. Others
After the adware, backdoors/botnets, exploits, rootkits, worms, and 64-bit malware, we are still left with
6.4 million identified malicious files. This is 28 percent of the total of this quarter.
In the table below, we have divided the others into 10 categories.
Category            Q3 Count    Q3 % of total  Q3 +/-     Q2 Count    Q2 % of total  Q2 +/-
DOS based           2.070       0.009 %        -0.089 %   20.566      0.098 %        +0.088 %
Encrypted Malware   10.361      0.046 %        -0.011 %   12.031      0.057 %        n/a
Generic Malware     4.083.268   18.043 %       +3.660 %   3.028.399   14.384 %       -0.027 %
Macro based         9.530       0.042 %        -0.024 %   14.018      0.067 %        +0.064 %
Malware Heuristic   153.411     0.678 %        -0.355 %   217.509     1.033 %        +0.096 %
PUP                 2.088.143   9.227 %        +0.456 %   1.846.627   8.771 %        +5.746 %
Riskware            138         0.001 %        0.000 %    163         0.001 %        n/a
Suspicious          62.181      0.275 %        +0.071 %   42.863      0.204 %        -0.181 %
(Hack)Tools         3.448       0.015 %        -0.062 %   16.343      0.078 %        n/a
Windows Viruses     2.784       0.012 %        -0.012 %   5.080       0.024 %        -0.092 %
Total               6.415.335   28.349 %       +3.633 %   5.203.599   24.715 %       +5.829 %
% of total: The percentage of the category of all the malicious files processed in that quarter.
+/-: Increase/decrease in percentage compared with the quarter before.
Windows Viruses: These are so called Classic Viruses for Microsoft Windows, true file infectors.
4. Geolocation
We can see where the hotspots are located by plotting the Command & Control (C&C) servers with the
most traffic and connections on a map. Over the past few months, a number of Malware families targeting
Point of Sale (POS) systems got some media attention.
First there was DexterPOS (first image below), then there was its sister, AlinaPOS (second image below),
and more recently there was JackPOS (third image below). One of the most interesting threads of
commonality between these samples is the command and control (C&C) structure used between them.
Using a C&C communication channel for data exfiltration, while previously rare, has become more and
more common in POS Malware.
Map 1 - DexterPOS C&C
During the second quarter of 2014, there were only minor changes at the top of the C&C landscape. Below,
the top 10 countries from the second quarter of 2014.
Top 10 Countries Hosting C&C
Rank  April                     May                       June
1     United States 1274        United States 1203        United States 1128
2     Russian Federation 453    Russian Federation 474    Russian Federation 490
3     Germany 289               Germany 236               Germany 257
4     China 226                 United Kingdom 206        United Kingdom 200
5     United Kingdom 213        China 172                 The Netherlands 184
6     Iran 185                  The Netherlands 166       China 182
7     Turkey 142                Turkey 138                Turkey 133
8     The Netherlands 137       Korea 123                 Korea 126
9     Korea 130                 Ukraine 110               Iran 118
10    Ukraine 118               France and Sweden 107     Ukraine 113
In the third quarter, the United States is still leading, followed by the Russian Federation. Germany was
dropping during the first quarter, but holds the third place during the second quarter.
Top 10 Countries Hosting C&C (July, August, September)
5. Final Word
In the second quarter of 2014, the total number of new malicious files processed was 21.1 million. For the
third quarter it was 22.6 million, an increase of 7 percent.
The overall detection by Anti-Virus software improved by 1.15 percent compared with the second
quarter. Altogether, around 4.9 million malicious files were not detected during the third quarter.
By grouping and classifying the identified Malware, we detected a decrease of popularity in 5 of the 7 main
Malware categories during the second quarter. These five categories are Adware, Backdoors/Botnets,
Exploits, Rootkits and Trojans. The remaining two categories, Worms and Others, increased.
Category           Total      % of Total  +/- compared to Q2  Largest Family                    Total number Q3
Adware             3.317.733  14,661 %    -0,011 %            Gen:Variant.Adware.Dropper.101    394.809
Backdoors/Botnets  309.385    1,367 %     -0,549 %            Backdoor.Bot.158614               77.704
Exploit            7.109      0,031 %     -0,007 %            Exploit:W32/CVE-2010-0188.C       1.423
Rootkits           12.928     0,057 %     -0,055 %            Rootkit.15158                     3.498
Trojans            8.815.922  38,956 %    -4,500 %            Trojan.Generic.11210422           270.613
Worms              1.804.149  7,972 %     +1,362 %            Win32.Worm.P2p.Picsys.C           290.077
Others             8.293.280  36,647 %    +3,325 %            Win32.Ramnit.N                    1.425.643
Within the top 10 of countries hosting C&C servers, the United States led the second quarter of 2014,
followed by the Russian Federation and Germany. In March and April, China held the fourth place. In May
and June, China dropped two places. While in March the United Kingdom could be found in third place,
in April it dropped to fifth place. Nevertheless, in May, the United Kingdom climbed up to fourth place
and stayed there.
The Netherlands is found at 8th place at the end of quarter one. In May, it climbed to 6th place, and ends at
5th place in June.
We hope that you enjoyed our third Malware Trend Report of this year, and that it provides you with
insight into the trends we have seen during the third quarter of 2014. We continue to innovate, so
please check back with us for our next quarterly trend report.
Questions, comments and requests can be directed towards the RedSocks Malware Research Labs.
G.J.Vroon
Anti-Malware Behavioural Researcher
RedSocks B.V.
W: www.redsocks.nl
T: +31 (0) 55 36 61 396
E: info@redsocks.nl