mcafee threats report q2 2011
TRANSCRIPT
-
8/4/2019 McAfee Threats Report Q2 2011
1/24
McAee Threats Report:Second Quarter 2011By McAee Labs
Report
-
8/4/2019 McAfee Threats Report Q2 2011
2/24
Report McAee Threats Report: Second Quarter 2011
The threat landscape o 2011 is undergoing a year o chaos and change. We see chaos in the major
challenges that hacktivist groups such as LulzSec and Anonymous pose, and change in the shits in new
malware classes and targeted devices.
This quarter McAee Labs saw major hacktivist activitybut in a very dierent way. The group Lulz
Security, LulzSec or short, diers rom other hacktivist groups in that they had no specic goals. They
were in it, as they claimed, or the lulz (LOLs in text messagespeak, or laugh out louds ) but
showed an agility at compromising networks and servers, and stealing usernames, passwords, and other
data. LulzSec committed multiple intrusions against a wide variety o companies, as well as attacks
against police departments and intelligence agencies, and many other compromises. Although many
o the outcomes and uses o these compromises are still in play (and we provide a helpul overview o
the quarters activity) one thing has become clear: Many companies, both large and small, are more
vulnerable than they may have suspected. Further, the security industry may need to reconsider some
o its undamental assumptions, including Are we really protecting users and companies? Although
LulzSec may have ceased its operations during this quarter, the questions they and other hacktivist
groups have raised will be debated or a long time.
One signicant change in the rst quarter o 2011 was Androids becoming the third-most targeted
platorm or mobile malware. This quarter the count o new Android-specic malware moved to numbe
one, with J2ME (Java Micro Edition), coming in second while suering only a third as many malware.
This increase in threats to such a popular platorm should make us evaluate our behavior on mobile
devices and the security industrys preparedness to combat this growth.
We also saw an increase in or-prot mobile malware, including simple SMS-sending Trojans and
complex Trojans that use exploits to compromise smartphones. We oer an update o cybercrime
pricebooks as well as some changes to toolkit and service prices. Crimeware as a service and the
burgeoning hacktivism as a service continue to evolve as interests and targets change. On the positive
side, there were some signicant victories against cybercriminals this quarter.
Continuing the change theme, we observed a considerable decrease in both AutoRun and Koobace
malware, oset by a strong rise in ake-anti-virus sotware that targets the Mac. Apples OS X has
been mostly ignored by malware writers or years, so this represents a signicant change o target
or cybercriminals.
Malware continued its overall growth during the quarter as did rootkit malware. Rootkits, used primarily
or stealth and resilience, makes malware more eective and persistent; its popularity is rising. Rootkits
such as Koutodoor and TDSS appear with increasing requency. The amount o malware that attacks
vulnerabilities in Adobe products continues to overwhelm those in Microsot products.
Botnets and messaging threats, although still at historic lows, have begun to rise again. We expected
this recovery ater some recent botnet takedowns. Users and enterprises must plan or this growth and
prepare their deenses and responses accordingly. We again examine social engineering subjects by both
geography and subject and botnets by geography and type.
We saw several spikes in malicious web activity this quarter as well as some serious growth in blogs
and wikis with malicious reputations. Sites that deliver malware, potentially unwanted programs, and
phishing sites also increased.
The second quarter o the year was clearly a period o chaos, changes, and new challenges.
-
8/4/2019 McAfee Threats Report Q2 2011
3/24
Report McAee Threats Report: Second Quarter 2011
Table o Contents
Hacktivism 4
Mobile Threats 5
Cybercrime 7
Malware Threats 9
Adobe Outpaces Microsot in Attracting Exploits 14
Messaging Threats 15
Web Threats 20
-
8/4/2019 McAfee Threats Report Q2 2011
4/24
4
Report McAee Threats Report: Second Quarter 2011
Hacktivism
Early in this quarter the Anonymous group apparently quarreled and split. On May 9, an Anonymous
press release said the Anonops network was down ater the website coadministrator Ryan attempted to
stage a coup dtat. As a reprisal, his contact details were immediately distributed on the web.
Around May 7 a new Twitter account registering the @LulzSec username appeared, marking the birth
o Lulz Security. Their rst eats did not gain much media coverage; however, when they targeted the
entertainment industry, the world was truly introduced to LulzSec.
Ater 50 days o operations, LulzSecs adventures ended due to group-against-group struggles. These
events show a level o immaturity in some groups labeled as political hacktivists and who claim to be
part o Anonymous. Jester (th3j35t3r, an Anonymous opponent who is known or ghting against
jihadist and anti-U.S. websites) and other groups (Team Web Ninjas, Backtrace, The A-Team, Teamp0ison
etc.) made a point o denouncing their ormer colleagues. These internecine struggles helped authorities
identiy some o these hackers.
Other reported incidents include a serious attack against the European Commission just beore a
summit to discuss the uture structure o the European Union, economic strategy, and the war in Libya.1
Frances Ministry o Finance suered a similar attack. The Australian Security Intelligence Organisation
disclosed that it is investigating an attack that compromised the computers o at least 10 ederal
ministers, including the prime minister, oreign minister, and deense minister. The German government
reported it sees an average o ve targeted attacks per day against users o government networks.2
Some published accounts number the various hacktivist operations, such as #antisec, #OpNewBlood,
#OpLibya, #OpBrazil, at more than 4,000 in total, but this number is hard to veriy. These operations
have resulted in websites being taken ofine, large amounts o usernames and passwords stolen, and
condential documents stolen and uploaded. Many companies have suered very eective politically
motivated attacks. Many observers have called these attacks simplistic, even lame, but these pundits miss
the point: Hacktivism is about the message, not the method.
Two intrusions by a Romanian hacker also caught our attention due to the high-prole targets: the U.S.
and European space agencies.In an April blog entry, this hacker published inormation rom the European Space Agencys server that
included names, usernames, and emails o more than 150 users. In May, the same hacker claimed to
have entered a server at NASAs Goddard Space Flight Center and gained access to condential satellite
data. He posted on his blog a screen grab o what he said was one o NASAs main FTP servers.
1. http://www.bbc.co.uk/news/world-europe-12840941
2. http://www.bundestag.de/presse/hib/2011_05/2011_201/08.html
http://www.bbc.co.uk/news/world-europe-12840941http://www.bundestag.de/presse/hib/2011_05/2011_201/08.htmlhttp://www.bundestag.de/presse/hib/2011_05/2011_201/08.htmlhttp://www.bbc.co.uk/news/world-europe-12840941 -
8/4/2019 McAfee Threats Report Q2 2011
5/24
5
Report McAee Threats Report: Second Quarter 2011
Mobile Threats
This quarter Android OS-based malware became the most popular target or mobile malware
developers. Thats a rapid rise or Android, which outpaces second place Java Micro Edition threeold.
Android
Java ME
Symbian
BlackBerry
MSIL
Python
VBS
New Mobile Malware This Quarter
As we watch steady, signicant growth in the mobile malware threat landscape, many o the same
unctions and eatures o PC-based threats are already part o the codebase. Mobile threats already
take advantage o exploits, employ botnet unctionality, and even use rootkit eatures or stealth
and permanence.
0
300
600
900
1,200
1,500
Q1
2011
Q2
2011
Q4
2010
Q3
2010
Q2
2010
Q1
2010
Q4
2009
Q3
2009
Q2
2009
Q1
2009
Total Mobile Malware Samples
Maliciously modied apps are still a popular vector or inecting devices: Corrupt a legitimate app or
game and users will download and install malware on their smartphones by themselves.
Inltrating popular modied apps this quarter were the malware Android/Jmsonez.A, Android/
Smsmecap.A, and the Android/DroidKungFu, and Android/DrdDreamLite amilies. Lets take a close look
at some recent mobile malware.
-
8/4/2019 McAfee Threats Report Q2 2011
6/24
6
Report McAee Threats Report: Second Quarter 2011
Android/Jmsonez.A is a version o a calendar app that doesnt quite work as intended.3 No matter when
the program is launched, it displays the calendar or January 2011. I the user tr ies to change the month
to a uture date, the malware begins sending SMS messages to a premium-rate number. Android/
Jmsonez.A also monitors the inbox or conrmation SMS messages rom the premium-rate service to
avoid detection.
Android/Smsmecap.A is a modied version o a legitimate comedy app.4 The malware sends humorous,
irreverent SMS messages to all the contacts in the users address book. Since May 21, the date o the
purported Rapture, it has sent messages in a mocking tone.
The Android/DroidKungFu amily is similar to Android/DrdDream; it also uses a pair o root exploits to
maintain itsel on a device.5 The exploits are actually identical to those used by the Android/DrdDream
except they have been encrypted with AES. These variants can also load URLs and install additional
sotware and updates.
The Android/DrdDreamLite amily is a less capable variant o the original Android/DrdDream amily.6 The
Lite version uses DES to encrypt the data it sends to the attacker. Android/DrdDreamLite does not include
any root exploits to remain installed on an inected device.
Other complex Trojans are Android/Tcent.A, the Android/Crusewin.A amily, Android/J.SMSHider.A, and
Android/Toplank.A.
Android/Tcent.A is another premium-rate, SMS-sending Trojan, similar to Android/Jmsonez.A, but it
includes an interesting sel-protection eature.7 The malware targets the QQ instant-messaging service,
which is popular in China. The malware attempts to uninstall anti-virus and other security sotware that
are bundled with mobile QQ clients.
The Android/Crusewin.A amily comprises a number o premium-ratesending Trojans.8 Unlike simpler
malware, the Android/Crusewin.A amily includes some botnet unctions, including executing orders rom
the attackers command server. The attacker can send SMS messages rom an inected device, useul or
signing up the victim to premium-rate subscription services, and attempt to uninstall sotware. The latter
eature is similar to that o Android/Tcent.A but suers rom a slight problem. Android/Crusewin.A uses
an uninstall code that works only on Symbian smartphones; it will not run properly on Android. Thissuggests the malware author may be porting Symbian Trojan/botnet code to the Android platorm.
Android/J.SMSHider.A sends premium-rate messages.9 The malware author modied a legitimate
SMS love analyzer to add backdoor unctionality and the ability to delete incoming SMS messages.
Android/J.SMSHider.A uses DES encryption to cover its communications with the attacker.
Android/Toplank.A pretends to be a multiuser update to the popular Angry Birds game. The malware
sends sensitive inormation (international mobile subscriber identity, the list o permissions granted to the
malware, etc.) to the attacker and can download an additional Android app to an inected device. The
new app provides a backdoor to the attacker, who can then add and delete bookmarks, browser history,
and shortcuts. The attacker can also download urther sotware.
Mobile crimeware authors are continuing their tricks with SymbOS/Zitmo.C and BlackBerry/Zitmo.D, which
are simple SMS orwarders. The authors have already compromised victims PCs with advanced malware,so it appears that they are doing only the bare minimum on mobile platorms to enable their attacks.
3. http://home.mcaee.com/VirusIno/VirusProle.aspx?key=501748
4. http://home.mcaee.com/VirusIno/VirusProle.aspx?key=509500
5. http://home.mcaee.com/VirusIno/VirusProle.aspx?key=522281
6. http://home.mcaee.com/VirusIno/VirusProle.aspx?key=518925
7. http://home.mcaee.com/VirusIno/VirusProle.aspx?key=501599
8. http://home.mcaee.com/VirusIno/VirusProle.aspx?key=501639
9. http://home.mcaee.com/VirusIno/VirusProle.aspx?key=527859
http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=501748http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=509500http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=522281http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=518925http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=501599http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=501639http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=527859http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=527859http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=501639http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=501599http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=518925http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=522281http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=509500http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=501748 -
8/4/2019 McAfee Threats Report Q2 2011
7/24
7
Report McAee Threats Report: Second Quarter 2011
Cybercrime
Email Address Book or Sale
Via their botnets or through rental services, spammers need email address lists to food the world. Prices
vary or such enterprises, oten with location.
Country Address List Prices (all in U.S.$)
Russia 400,000 addresses in St. Petersburg: $25
1,000,000 (entire country): $25
3,000,000: $50
5,000,000: $100
8,000,000: $200
United States 1,000,000: $25
3,000,000: $50
5,000,000: $100
10,000,000: $300
Ukraine 2,000,000: $40
Germany 1,000,000: $25
3,000,000: $50
5,000,000: $100
8,000,000: $200
Turkey 1,000,000: $50
Portugal 150,000: $25
Australia 1,000,000: $25
3,000,000: $50
5,000,000: $100
England 1,500,000: $100
Crimeware tools
Again this quarter, we saw new products and updates among exploits kits. The most notable were the
release o Eleonore Version 1.6.5, with two 2011 exploits, and Best Pack, with one 2011 exploit.
Name Prices (all in U.S.$) Description
Weyland-Yutani BOT Version 1.0 $1,000 Oered on the underground market. The seller quicklyclosed the bid ater claiming to have ound a buyer.
BlackHole Exploit Kit Version 1.1.0 Annual license: $1,500
6 months: $1,000
3 months : $700
This kit rst appeared in September 2010. Updated in
April, it contains nine exploits, with six rom 2010.
Best Pack Announced by ScriptKiddieSec and Kahu Security asthe possible successor o Dragon Pack, this exploit pack
contains seven old exploits and one rom 2011:10
CVE-2011-0611 (aecting Adobe Flash Player
versions beore 10.2.159)
Phoenix Exploit Kit Version 2.7 $2,200 This version replaced Version 2.5, whose code wasleaked in April. Current release contains at least 15
exploits, with six rom 2010.
Eleonore Version 1.6.5 $2,000 10 exploits include two Flash Player exploits rom 2011: CVE-2011-0558 (Flash beore 10.2)
CVE-2011-0611 (Flash beore 10.2.159)
YES Exploit Kit 4.0 $400 Replaced Version 3.0RC, rom April 2010. This versionhas nearly 20 exploits, with seven rom 2010.
10. http://www.kahusecurity.com/2011/best-pack/
http://www.kahusecurity.com/2011/best-pack/http://www.kahusecurity.com/2011/best-pack/ -
8/4/2019 McAfee Threats Report Q2 2011
8/24
8
Report McAee Threats Report: Second Quarter 2011
Actions Against Cybercriminals
This quarter was not all doom and gloom. Courts and law enorcement continue to make progress
worldwide against cybercriminals.
Country and Date Description
United Kingdom
April
Police Central e-Crime Uni t arrested three mena Lithuanian, a Latvian, and another whose
nationality was not revealedin connection with using SpyEye malware to steal online
banking details.11
United States
April
In Operation Adeona the Department o Justice and the F.B.I. shut down the Corefood
botnet, which had inected hundreds o thousands o PCs since 2002. During an 11-month
period starting in March 2009, Corefood siphoned some 190GB worth o banking passwords
and other sensitive data rom more than 413,000 inected systems as users browsed the
Internet, authorities said.12
Finland
May
Police arrested 17 people suspected o taking part in Internet banking raud aimed at
Nordea account holders at the beginning o this year. The perpetrators tried to steal almost
1.2 million via a series o more than 100 alse transactions.13 The majority o suspects are
suspected o being phishing mules. The two suspected masterminds were rom Estonia.
United Kingdom
May
A University o Salord student was convicted o a malware-based scam that allowed him
to break into the computers and webmail accounts o an estimated 100 victims. The police
asked McAee to analyze the malware and acknowledged McAees contribution in gathering
evidence that enabled an early arrest.14
United States, Ukraine, Latvia
June
The Department o Justice and the F.B.I. announced Operation Trident Tribunal, a coordinated,
international law enorcement action that disrupted the activities o two international
cybercrime rings involved in the sale o ake-alert anti-virus sotware (scareware).15 Conducted
with the Ukrainian security services, the action appears to be the rst enorcement targeting
a gang using Concker.16 The second police eort targeted Latvians charged with creating a
raudulent advertising agency.
Russia
June
One o the most controversial gures in Russias online world, ChronoPay coounder and CEO
Pavel Vrublevsky, was arrested on suspicion o ordering a distributed denial o service (DDoS)
attack against a rival rm. Vrublevsky, 32, is probably best known as the co-owner o the Rx-
Promotion rogue online pharmacy program. His company also consistently has been involved
in credit card processing orand in many cases setting up companies on behal orogue
anti-virus or scareware scams that use misleading PC security alerts in a bid to righten people
into purchasing worthless security sotware.17
A Touch o CyberwarJust discussing the denition o cyberwar can spark heated debate, as more and more countries
struggle with how to categorize this developing confict. The discussion is sure to be urther muddied as
hacktivism becomes more prevalent.
Country and Date Description
Russia
March/April
From March 24 to April 4 various DDoS attacks were launched against some bloggers on
LiveJournal, which hosts more than 4.7 million Russian bloggers (including President Dmitry
Medvedev) who exchange inormation and oten share critical views that cannot be expressed
in the mainstream media.18
United States
April
The Oak Ridge National Laboratory, home to one o the worlds most powerul
supercomputers, was the victim o a sophisticated cyberattack launched through phishing
emails sent to some 573 lab employees. Some o them appear to have clicked on a link in the
email and downloaded inormation-stealing malware.19
South Korea
May
South Korean authorities alleged North Korea's secret services hacked into the computer
system o the National Agricultural Cooperative Federation, which delivers supply, processing,marketing, and banking services to more than 4,000 branches.20
Norway
May
The Norwegian military admitted being hit by a potentially serious targeted cyberattack attack
in March. The attack happened when 100 senior mili tary personnel received an email with an
attachment appearing to come rom another government agency.21
11. http://www.networkworld.com/news/2011/041111-uk-police-arrest-three-men.html
12. http://www.theregister.co.uk/2011/04/13/corefood_botnet_takedown/
13. http://www.theregister.co.uk/2011/05/10/nnish_banking_trojan_investigation/
14. http://www.zdnet.co.uk/news/security-management/2011/05/18/gamer-sentenced-or-stealing-steam-passwords-40092802/
15. http://www.bi.gov/news/stories/2011/june/cyber_062211/cyber_062211
16. http://www.zdnet.co.uk/news/security-management/2011/06/24/ukrainian-sting-targets-concker-raudsters-40093222/
17. http://krebsonsecurity.com/tag/pavel-vrublevsky/
18. http://uk.reuters.com/article/2011/04/06/oukin-uk-russia-medvedev-cyberattack-idUKTRE7354OV20110406
19. http://www.computerworlduk.com/news/security/3275613/us-government-energy-research-lab-shuts-down-email-and-internet-access-aterphishing-attack/
20. http://www.koreaittimes.com/story/14507/north-korea-behind-cyber-attack-south-korea-bank
21. http://www.cio.com.au/article/387581/norwegian_military_admits_march_cyberattack
http://www.networkworld.com/news/2011/041111-uk-police-arrest-three-men.htmlhttp://www.theregister.co.uk/2011/04/13/coreflood_botnet_takedown/http://www.theregister.co.uk/2011/05/10/finnish_banking_trojan_investigation/http://www.zdnet.co.uk/news/security-management/2011/05/18/gamer-sentenced-for-stealing-steam-passwords-40092802/http://www.fbi.gov/news/stories/2011/june/cyber_062211/cyber_062211http://www.zdnet.co.uk/news/security-management/2011/06/24/ukrainian-sting-targets-conficker-fraudsters-40093222/http://krebsonsecurity.com/tag/pavel-vrublevsky/http://uk.reuters.com/article/2011/04/06/oukin-uk-russia-medvedev-cyberattack-idUKTRE7354OV20110406http://www.computerworlduk.com/news/security/3275613/us-government-energy-research-lab-shuts-down-email-and-internet-access-after-phishing-attack/http://www.computerworlduk.com/news/security/3275613/us-government-energy-research-lab-shuts-down-email-and-internet-access-after-phishing-attack/http://www.cio.com.au/article/387581/norwegian_military_admits_march_cyberattackhttp://www.cio.com.au/article/387581/norwegian_military_admits_march_cyberattackhttp://www.computerworlduk.com/news/security/3275613/us-government-energy-research-lab-shuts-down-email-and-internet-access-after-phishing-attack/http://www.computerworlduk.com/news/security/3275613/us-government-energy-research-lab-shuts-down-email-and-internet-access-after-phishing-attack/http://uk.reuters.com/article/2011/04/06/oukin-uk-russia-medvedev-cyberattack-idUKTRE7354OV20110406http://krebsonsecurity.com/tag/pavel-vrublevsky/http://www.zdnet.co.uk/news/security-management/2011/06/24/ukrainian-sting-targets-conficker-fraudsters-40093222/http://www.fbi.gov/news/stories/2011/june/cyber_062211/cyber_062211http://www.zdnet.co.uk/news/security-management/2011/05/18/gamer-sentenced-for-stealing-steam-passwords-40092802/http://www.theregister.co.uk/2011/05/10/finnish_banking_trojan_investigation/http://www.theregister.co.uk/2011/04/13/coreflood_botnet_takedown/http://www.networkworld.com/news/2011/041111-uk-police-arrest-three-men.html -
8/4/2019 McAfee Threats Report Q2 2011
9/24
9
Report McAee Threats Report: Second Quarter 2011
Malware Threats
The malware landscape this quarter has presented us several surprises. Although numerically not the
busiest period in history (just a little behind last years pace), when combined with the rst quarter we
have the busiest ever rst hal-year in this vector. The increase is 22 percent over 2010! McAee Labs
identied almost six million unique malware samples during this quarter. This puts us on track or our
cumulative malware zoo collection to reach 75 million samples by years end.
0
10,000,000
20,000,000
30,000,000
40,000,000
50,000,000
60,000,000
70,000,000
MAR
2011
FEB
2011
JAN
2011
DEC
2010
JUN
2011
MAY
2011
APR
2011
NOV
2010
OCT
2010
SEP
2010
AUG
2010
JUL
2010
JUN
2010
MAY
2010
APR
2010
MAR
2010
FEB
2010
JAN
2010
Total Malware Samples in the Database
Just to reinorce how signicant the growth has been during the last several years, here is a look at the
monthly incremental growth o unique malware binaries:
0
500,000
1,000,000
1,500,000
2,000,000
2,500,000
MAR
2011
FEB
2011
JAN
2011
DEC
2010
JUN
2011
MAY
2011
APR
2011
NOV
2010
OCT
2010
SEP
2010
AUG
2010
JUL
2010
JUN
2010
MAY
2010
APR
2010
MAR
2010
FEB
2010
JAN
2010
New Malware Samples Added to the Database, by Month
-
8/4/2019 McAfee Threats Report Q2 2011
10/24
10
Report McAee Threats Report: Second Quarter 2011
We now collect on average almost two million new samples every month. This is certainly not a welcome
development, but it is consistent and predictable considering how our business and private lives are now
tethered to technology.
Among the specic amilies we track, ake anti-virus sotware (a.k.a. ake-alert or rogue anti-virussotware) continues to show consistent growth and has even begun to climb aboard a new platorm: the
Mac. You read that right; ake-AV or Apples platorm is now a reality. This does not surprise us at McAee
Labs. There are more Mac users than ever beore as well as steady business adoption. This puts the Apple
platorms squarely in the crosshairs o malware authors. It will be interesting to see i this type o malware
makes its way to the iPhone and iPad as well. It is probably a case o when rather than i.
MAR
2011
FEB
2011
JAN
2011
DEC
2010
JUN
2011
MAY
2011
APR
2011
NOV
2010
OCT
2010
SEP
2010
AUG
2010
JUL
2010
JUN
2010
MAY
2010
APR
2010
MAR
2010
FEB
2010
JAN
2010
Unique Fake-Alert Samples Discovered
0
0000
0000
00000000
0000
0000
350,000
300,000
250,000
200,000
150,000
100,000
50,000
0
Unique Fake-Alert Samples for Mac Discovered
0
50
100
150
200
250
MAR
2011
FEB
2011
JAN
2011
DEC
2010
JUN
2011
MAY
2011
APR
2011
NOV
2010
OCT
2010
SEP
2010
AUG
2010
JUL
2010
-
8/4/2019 McAfee Threats Report Q2 2011
11/24
11
Report McAee Threats Report: Second Quarter 2011
Generic password-stealing Trojans declined just a bit this quarter, while AutoRun malware was greatly
reduced. Koobace threats dropped to the lowest levels in years.
MAR
2011
FEB
2011
JAN
2011
DEC
2010
JUN
2011
MAY
2011
APR
2011
NOV
2010
OCT
2010
SEP
2010
AUG
2010
JUL
2010
JUN
2010
MAY
2010
APR
2010
MAR
2010
FEB
2010
JAN
2010
Unique Password Stealers Samples Discovered
0
50,000
100,000
150,000
200,000
250,000
300,000
MAR
2011
FEB
2011
JAN
2011
DEC
2010
JUN
2011
MAY
2011
APR
2011
NOV
2010
OCT
2010
SEP
2010
AUG
2010
JUL
2010
JUN
2010
MAY
2010
APR
2010
MAR
2010
FEB
2010
JAN
2010
Unique AutoRun Samples Discovered
0
100,000
200,000
300,000
400,000
500,000
600,000
700,000
MAR
2011
FEB
2011
JAN
2011
DEC
2010
JUN
2011
MAY
2011
APR
2011
NOV
2010
OCT
2010
SEP
2010
AUG
2010
JUL
2010
JUN
2010
MAY
2010
APR
2010
MAR
2010
FEB
2010
JAN
2010
0
2,000
4,000
6,000
8,000
10,000
12,000
14,000
16,000
18,000
Unique Koobface Samples Discovered
-
8/4/2019 McAfee Threats Report Q2 2011
12/24
12
Report McAee Threats Report: Second Quarter 2011
Rootkits and Stealth Malware
Another malware category demonstrating recent steady growth is the rootkit. A rootkit (sometimes
called stealth malware) is code that hides its elements rom the operating system and security sotware.
Cybercriminals use rootkits to make other malware stealthier and more persistent. The better hidden
the malware is, the longer it will remain on the system and engage in its malicious activity. As you can
see rom the ollowing charts, rootkits are on the rise overall. The rst hal o 2011 was comparable to
malware overall: Rootkits have seen their busiest-ever six months, up almost 38 percent over 2010! Two
o the busiest rootkits that we encounter are Koutodoor and TDSS. Both are nasty and hide malware to
steal data.
MAR
2011
FEB
2011
JAN
2011
DEC
2010
JUN
2011
MAY
2011
APR
2011
NOV
2010
OCT
2010
SEP
2010
AUG
2010
JUL
2010
JUN
2010
MAY
2010
APR
2010
MAR
2010
FEB
2010
JAN
2010
Unique Rootkit Samples Discovered
0
20,000
40,000
60,000
80,000
100,000
120,000
-
8/4/2019 McAfee Threats Report Q2 2011
13/24
13
Report McAee Threats Report: Second Quarter 2011
Global Inected Computer Numbers
Globally and by individual geography much o the malware we collected this quarter matched the same
varieties as in the rst quarter. We saw a ew dierences among the continents but overall they were
more similar than dierent.
Rank Top 5 Global Malware
1 AutoRun Malware
2 OpenCandy Adware
3 HotBar Adware
4 General Trojans
5 HotBar vF Adware
Rank North America
1 AutoRun Malware
2 HotBar Adware
3 OpenCandy Adware
4 Downloader Malware5 HotBar vF Adware
Rank South America
1 AutoRun Malware
2 Java Runtime Exploitation
3 Concker AutoRun Malware
4 Remote-Access Trojans
5 Downloader Malware
Rank Europe and Middle East
1 HotBar vF Adware
2 AutoRun Malware
3 HotBar Adware
4 OpenCandy Adware
5 Concker AutoRun Malware
Rank Australia
1 OpenCandy Adware
2 Downloader Malware
3 Hotbar Adware
4 Downloader Malware
5 AutoRun Malware
Rank Arica
1 AutoRun Malware
2 Downloader Malware
3 Downloader Malware
4 Yahoo Messenger Malware
5 Sality Virus
Rank Asia
1 AutoRun Malware
2 Downloader Malware
3 Concker AutoRun Malware
4 Downloader Malware5 Browser Exploitation
http://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Generic!atrhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Generic!atrhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Generic!atrhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Exploit-CVE2010-0840http://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=BackDoor-EZC!lnkhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Generic.dxhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Generic!atrhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Adware-OpenCandy.dllhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Downloader-BCShttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Adware-HotBar.fhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Downloader-UAhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Generic!atrhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Generic!atrhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Downloader-CJX!lnkhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=W32/YahLover.worm.genhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Generic!atrhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Generic.dxhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Suspicious%20IFrame.dhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Suspicious%20IFrame.dhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Generic.dxhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Generic!atrhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=W32/YahLover.worm.genhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Downloader-CJX!lnkhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Generic!atrhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Generic!atrhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Downloader-UAhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Adware-HotBar.fhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Downloader-BCShttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Adware-OpenCandy.dllhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Generic!atrhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Generic.dxhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=BackDoor-EZC!lnkhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Exploit-CVE2010-0840http://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Generic!atrhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Generic!atrhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Generic!atr -
8/4/2019 McAfee Threats Report Q2 2011
14/24
14
Report McAee Threats Report: Second Quarter 2011
Adobe Outpaces Microsot in Attracting Exploits
For several quarters, one o the major trends weve seen is that malware authors preer to write exploits
that target vulnerabilities in Adobe products as opposed to those in Microsot products. This trend does
not prove that Adobes technologies are more vulnerable or have more coding bugs than Microsots.
Rather, Adobe is one o the clear leaders in worldwide client applications, and this leadership is what
drives malware authors and cybercriminals: They target what is popular and in wide use. The ollowing
chart shows the malware McAee Labs has seen this quarter that attempts to exploit vulnerabilities in
Adobe and Microsot products.
MAY
2011
JUN
2011
APR
2011
MAR
2011
FEB
2011
JAN
2011
Adobe and Microsoft Exploits Discovered
0
2,000
4,000
6,000
8,000
10,000
12,000
14,000
16,000
Adobe
Microsoft
-
8/4/2019 McAfee Threats Report Q2 2011
15/24
15
Report McAee Threats Report: Second Quarter 2011
Messaging Threats
Messaging threats continued a mild decline rom last quarter, although the drop is not signicant. A
coordinated eort last quarter among several security providers, law enorcement, and even CERTs was
able to shut o major amounts o botnet zombies and their command structure. This recent success
may still be having a positive eect. We expect to again see sharp rises in spam; in the mean time, we
continue to watch this area closely. Although the volume o spam remains at historic low levels, the
spearphishing (a class o spam) that we see today is more targeted and eective than ever. This vector
continues to evolve.
Global Spam Volume, in Trillions of Messages per Day
6
5
4
3
2
1
0
Spam
Ham
MAR
2011
FEB
2011
JAN
2011
DEC
2010
JUN
2011
MAY
2011
APR
2011
NOV
2010
OCT
2010
SEP
2010
AUG
2010
JUL
2010
Argentina
120,000,000
100,000,000
80,000,000
60,000,000
40,000,000
20,000,000
0
MAR
2011
FEB
2011
JAN
2011
DEC
2010
JUN
2011
MAY
2011
APR
2011
NOV
2010
OCT
2010
SEP
2010
AUG
2010
JUL
2010
MAR
2011
FEB
2011
JAN
2011
DEC
2010
JUN
2011
MAY
2011
APR
2011
NOV
2010
OCT
2010
SEP
2010
AUG
2010
JUL
2010
MAR
2011
FEB
2011
JAN
2011
DEC
2010
JUN
2011
MAY
2011
APR
2011
NOV
2010
OCT
2010
SEP
2010
AUG
2010
JUL
2010
MAR
2011
FEB
2011
JAN
2011
DEC
2010
JUN
2011
MAY
2011
APR
2011
NOV
2010
OCT
2010
SEP
2010
AUG
2010
JUL
2010
Spam Volume by Country
Brazil
600,000,000
500,000,000
400,000,000
300,000,000
200,000,000
100,000,000
0
MAR
2011
FEB
2011
JAN
2011
DEC
2010
JUN
2011
MAY
2011
APR
2011
NOV
2010
OCT
2010
SEP
2010
AUG
2010
JUL
2010
MAR
2011
FEB
2011
JAN
2011
DEC
2010
JUN
2011
MAY
2011
APR
2011
NOV
2010
OCT
2010
SEP
2010
AUG
2010
JUL
2010
Columbia
120,000,000
100,000,000
80,000,000
60,000,000
40,000,000
20,000,000
0
France
300,000,000
250,000,000
200,000,000
150,000,000
100,000,000
50,000,000
0
Germany
500,000,000
400,000,000
300,000,000
200,000,000
100,000,000
0
India
700,000,000
600,000,000
500,000,000
400,000,000
300,000,000
200,000,000
100,000,000
0
-
8/4/2019 McAfee Threats Report Q2 2011
16/24
16
Report McAee Threats Report: Second Quarter 2011
MAR
2011
FEB
2011
JAN
2011
DEC
2010
JUN
2011
MAY
2011
APR
2011
NOV
2010
OCT
2010
SEP
2010
AUG
2010
JUL
2010
MAR
2011
FEB
2011
JAN
2011
DEC
2010
JUN
2011
MAY
2011
APR
2011
NOV
2010
OCT
2010
SEP
2010
AUG
2010
JUL
2010
MAR
2011
FEB
2011
JAN
2011
DEC
2010
JUN
2011
MAY
2011
APR
2011
NOV
2010
OCT
2010
SEP
2010
AUG
2010
JUL
2010
MAR
2011
FEB
2011
JAN
2011
DEC
2010
JUN
2011
MAY
2011
APR
2011
NOV
2010
OCT
2010
SEP
2010
AUG
2010
JUL
2010
Spam Volume by Country
MAR
2011
FEB
2011
JAN
2011
DEC
2010
JUN
2011
MAY
2011
APR
2011
NOV
2010
OCT
2010
SEP
2010
AUG
2010
JUL
2010
MAR
2011
FEB
2011
JAN
2011
DEC
2010
JUN
2011
MAY
2011
APR
2011
NOV
2010
OCT
2010
SEP
2010
AUG
2010
JUL
2010
MAR
2011
FEB
2011
JAN
2011
DEC
2010
JUN
2011
MAY
2011
APR
2011
NOV
2010
OCT
2010
SEP
2010
AUG
2010
JUL
2010
MAR
2011
FEB
2011
JAN
2011
DEC
2010
JUN
2011
MAY
2011
APR
2011
NOV
2010
OCT
2010
SEP
2010
AUG
2010
JUL
2010
MAR
2011
FEB
2011
JAN
2011
DEC
2010
JUN
2011
MAY
2011
APR
2011
NOV
2010
OCT
2010
SEP
2010
AUG
2010
JUL
2010
Italy
250,000,000
200,000,000
150,000,000
100,000,000
50,000,000
0
Japan
50,000,000
40,000,000
30,000,000
20,000,000
10,000,000
0
Poland
200,000,000
150,000,000
100,000,000
50,000,000
0
Portugal
100,000,000
80,000,000
60,000,000
40,000,000
20,000,000
0
South Korea
200,000,000
150,000,000
100,000,000
50,000,000
0
Spain
200,000,000
150,000,000
100,000,000
50,000,000
0
United Kingdom
500,000,000
400,000,000
300,000,000
200,000,000
100,000,000
0
United States
1,500,000,000
1,200,000,000
900,000,000
600,000,000
300,000,000
0
Venezuela
500,000,000
400,000,000
300,000,000
200,000,000
100,000,000
0
Russia
350,000,000
300,000,000
250,000,000
200,000,000
150,000,000
100,000,000
50,000,000
0
MAR
2011
FEB
2011
JAN
2011
DEC
2010
JUN
2011
MAY
2011
APR
2011
NOV
2010
OCT
2010
SEP
2010
AUG
2010
JUL
2010
-
8/4/2019 McAfee Threats Report Q2 2011
17/24
17
Report McAee Threats Report: Second Quarter 2011
This quarter McAee Labs has observed the Rustock botnets continuing to dwindle even though it
may be reseeded by cybercriminals during the coming months. Meanwhile the Maazben, Cutwail, and
Bobax botnet masters have stepped up their activity. O these three dominant botnets, Maazben clearly
outpaces the others in worldwide usage and infuence.
New Global Botnet Infections by Week
Maazben
4/4/11
4/11/11
4/18/11
4/25/11
5/2/11
5/9/11
5/16/11
5/23/11
5/30/11
6/6/11
6/13/11
6/20/110
100,000
200,000
300,000
400,000
500,000
600,000
700,000
800,000
900,000
1,000,000
Maazben's Influence on Global Botnet Infections
Bagle-CB
Bobax
Cutwail
Grum
Maazben
Others
North America
Bagle-CB
Bobax
Cutwail
Grum
Maazben
Others
Africa
Latin America
Bagle-CB
Bobax
Cutwail
Grum
Maazben
Others
Bagle-CB
Bobax
Cutwail
Grum
Maazben
Others
Asia-Pacic
Bagle-CB
Bobax
Cutwail
Grum
Maazben
Others
Europe-Middle East
Bagle-C
Bobax
Cutwai
Grum
Maazb
Others
Australia
-
8/4/2019 McAfee Threats Report Q2 2011
18/24
18
Report McAee Threats Report: Second Quarter 2011
New Botnet Infections by Week
Bagle-CBDonbot
Rustock
4/4/11
4/11/11
4/18/11
4/25/11
5/2/11
5/9/11
5/16/11
5/23/11
5/30/11
6/6/11
6/13/11
6/20/11
0
20,000
40,000
60,000
80,000
100,000
120,000
Cutwail
Bobax
Grum
4/4/11
4/11/11
4/18/11
4/25/11
5/2/11
5/9/11
5/16/11
5/23/11
5/30/11
6/6/11
6/13/11
6/20/11
0
20,000
40,000
60,000
80,000
100,000
120,000
140,000
160,000
New Botnet Infections by Week
-
8/4/2019 McAfee Threats Report Q2 2011
19/24
19
Report McAee Threats Report: Second Quarter 2011
There has been steady growth in new botnet inections throughout the quarter. This is an interesting
juxtaposition when we consider the worldwide drop in spam. Clearly botnet usage is in a state o
transition. Given the growth and goals o hacktivists, we expect to see major changes in how botnets
are used.
Overall Botnet Infections per Month
APR10
MAY10
JUN10
JUL10
AUG
10
SEP10
OCT10
NOV10
DEC10
JAN11
FEB11
MAR11
2,000,000
3,000,000
4,000,000
5,000,000
6,000,000
Spam lures and their subjects (the social engineering hook used to make the message attractive)
continue to show diversity. Nigerian 419 scams seemed a bit more popular this quarter globally while
lotto scams were also prevalent in many parts o the world, along with the long-time subjects o bogus
DSN and gambling spams. Social engineering with lures based on location is certain to continue, as
scammers understand the diversities in their global audience.
China
l
l
l
l
l
Brazil
l
l
l
l
l
France
Germany
l
l
l
l
l
Spam by Country
419 ScamsDSN
Diplomas
Drugs
Fashion
Gambling
Horoscopes
Jobs
Lonely Women
Lotto Scams
Marketing
Newsletters
Phishing
Products
Third Parties
Travel
Unknown
Viruses
Watches
India
l
l
l
l
l
Indonesia
-
8/4/2019 McAfee Threats Report Q2 2011
20/24
20
Report McAee Threats Report: Second Quarter 2011
Web Threats
Websites can have bad or malicious reputations or a variety o reasons. Reputations can be based
on ull domains and any number o subdomains as well as on a specic IP address or URL. Malicious
reputations are infuenced by the hosting o malware, potentially unwanted programs, or phishing sites.
Oten we observe combinations o questionable code and unctionality. Many actors go into a sites
reputational rating.
Last quarter McAee Labs recorded an average o 8,900 new bad sites per day; this period that gure
dropped a bit to 7,300 hits, which is comparable to the same time last year.
New Bad-Reputation URLs per Day
APR 1
2011
MAY 1
2011
JUNE 1
2011
JULY 1
2011
0
5,000
10,000
15,000
20,000
25,000
30,000
35,000
40,000
We saw some signicant spikes in malicious web content this quarter. Several o these spikes
corresponded to intensive malicious campaigns.
Philippines
l
l
l
l
l
Italy
l
l
l
l
l
Russia
l
l
l
l
l
South KoreaSpam by Country
419 Scams
DSN
Diplomas
Drugs
Fashion
Gambling
Horoscopes
Jobs
Lonely Women
Lotto Scams
Marketing
Newsletters
Phishing
Products
Third Parties
Travel
Unknown
Viruses
Watches
United Kingdom
l
l
l
l
l
United States
l
l
l
l
l
Venezuela
l
l
l
l
l
-
8/4/2019 McAfee Threats Report Q2 2011
21/24
21
Report McAee Threats Report: Second Quarter 2011
On May 31, spam campaignsone promoting online dating sites with video chats and another
inorming recipients o ake pending invoicesdistributed raudulent URLs hosting Zeus-related malware
(Generic FakeAlert.by and Generic PWS.y). Among these sites were undss-syria.org, baranava.com,
emajic.net, and sturtholdastmarioncc.com.
The vast majority o these new malicious sites are located in the United States. Next in line, we nd
South Korea, Netherlands, Canada, United Kingdom, China, and Germany.
In the rst quarter our top countries were the United States, South Korea, Germany, and China. This
quarter, however, is quite dierent. Our regional breakdown reveals where most malicious servers reside:
Africa
Asia-Pacic
Australia
Europe-Middle East
Latin America
North America
North America60.2%
Australia1.8%
Africa0.2%
Latin America1.7%
Europe-Middle East24.9%
Asia-Pacific11.1%
North America, primarily the United States, still dominates, but the gure or the combined region o
Europe, the Middle East, and Arica has increased to 25 percent rom 18 percent in the rst quarter.
Lets take a deeper look at some regions:
Morocco
South Africa
Egypt
Senegal
Seychelles
Others
Africa
South Korea
China
Vietnam
Others
Asia Pacic
-
8/4/2019 McAfee Threats Report Q2 2011
22/24
22
Report McAee Threats Report: Second Quarter 2011
This quarter, the number o websites hosting malicious downloads has again increased, while the
amount o sites that host browser exploits was unchanged:
0
20,000
40,000
60,000
80,000
100,000
120,000
140,000
160,000
Malicious Downloads
Browser Exploits
Active Malicious URLs
MAR
2011
FEB
2011
JAN
2011
DEC
2010
JUN
2011
MAY
2011
APR
2011
NOV
2010
OCT
2010
SEP
2010
AUG
2010
JUL
2010
This quarter we also observed a continued increase in blogs and wikis with malicious reputations.
Australia
New Zealand
Australia
Net
Unit
Ger
Fran
Russ
Rom
Italy
Oth
Europe and Middle East
Brazil
British Virgin Islands
Argentina
Chile
Panama
Trinidad and Tobago
Others
Latin America
Uni
Can
Mex
North America
-
8/4/2019 McAfee Threats Report Q2 2011
23/24
23
Report McAee Threats Report: Second Quarter 2011
Websites Delivering Malware and PUPs
The ollowing chart provides a picture o the number o websites delivering malware and potentially
unwanted programs (PUPs) that McAee Labs detected this quarter.
New Malware Sites per Day
APR 1
2011
MAY 1
2011
JUNE 1
2011
JULY 1
2011
0
5,000
10,000
15,000
20,000
25,000
30,000
35,000
We saw a small increase this quarter with around 3,000 new sites per day compared with 2,700 per day
during the rst quarter.
Phishing Sites
This quarter we identied approximately 2,700 phishing URLs per day, up slightly rom 2,500 per day
last quarter.
New Phishing Sites per Day
APR 1
2011
MAY 1
2011
JUNE 1
2011
JULY 1
2011
0
2,000
4,000
6,000
8,000
-
8/4/2019 McAfee Threats Report Q2 2011
24/24
McAee
The inormation in this document is provided only or educational purposes and or the convenience o McAee customers. The inormation
contained herein is subject to change without notice, and is provided as is, without guarantee or warranty as to the accuracy or applicability
o the inormation to any specifc situation or circumstance.
Report McAee Threats Report: Second Quarter 2011
About the Authors
This report was prepared and written by Toralv Dirro, Paula Greve, Rahul Kashyap, David Marcus,
Franois Paget, Craig Schmugar, Jimmy Shah, and Adam Wosotowsky o McAee Labs.
About McAee Labs
McAee Labs is the global research team o McAee. With the only research organization devoted to all
threat vectorsmalware, web, email, network, and vulnerabilitiesMcAee Labs gathers intelligence
rom its millions o sensors and its cloud-based service McAee Global Threat Intelligence. The McAee
Labs team o 350 multidisciplinary researchers in 30 countries ollows the complete range o threats
in real time, identiying application vulnerabilities, analyzing and correlating risks, and enabling instant
remediation to protect enterprises and the public.
About McAee
McAee, a wholly owned subsidiary o Intel Corporation (NASDAQ:INTC), is the worlds largest dedicated
security technology company. McAee delivers proactive and proven solutions and services that help
secure systems, networks, and mobile devices around the world, allowing users to saely connect to the
Internet, browse, and shop the web more securely. Backed by its unrivaled Global Threat Intelligence,McAee creates innovative products that empower home users, businesses, the public sector, and service
providers by enabling them to prove compliance with regulations, protect data, prevent disruptions,
identiy vulnerabilities, and continuously monitor and improve their security. McAee is relentlessly
ocused on nding new ways to keep our customers sae. www.mcaee.com
http://www.mcafee.com/http://www.mcafee.com/