mcafee threats report q2 2011

8/4/2019 McAfee Threats Report Q2 2011

1/24

McAee Threats Report:Second Quarter 2011By McAee Labs

Report


2/24

Report McAee Threats Report: Second Quarter 2011

The threat landscape o 2011 is undergoing a year o chaos and change. We see chaos in the major

challenges that hacktivist groups such as LulzSec and Anonymous pose, and change in the shits in new

malware classes and targeted devices.

This quarter McAee Labs saw major hacktivist activitybut in a very dierent way. The group Lulz

Security, LulzSec or short, diers rom other hacktivist groups in that they had no specic goals. They

were in it, as they claimed, or the lulz (LOLs in text messagespeak, or laugh out louds ) but

showed an agility at compromising networks and servers, and stealing usernames, passwords, and other

data. LulzSec committed multiple intrusions against a wide variety o companies, as well as attacks

against police departments and intelligence agencies, and many other compromises. Although many

o the outcomes and uses o these compromises are still in play (and we provide a helpul overview o

the quarters activity) one thing has become clear: Many companies, both large and small, are more

vulnerable than they may have suspected. Further, the security industry may need to reconsider some

o its undamental assumptions, including Are we really protecting users and companies? Although

LulzSec may have ceased its operations during this quarter, the questions they and other hacktivist

groups have raised will be debated or a long time.

One signicant change in the rst quarter o 2011 was Androids becoming the third-most targeted

platorm or mobile malware. This quarter the count o new Android-specic malware moved to numbe

one, with J2ME (Java Micro Edition), coming in second while suering only a third as many malware.

This increase in threats to such a popular platorm should make us evaluate our behavior on mobile

devices and the security industrys preparedness to combat this growth.

We also saw an increase in or-prot mobile malware, including simple SMS-sending Trojans and

complex Trojans that use exploits to compromise smartphones. We oer an update o cybercrime

pricebooks as well as some changes to toolkit and service prices. Crimeware as a service and the

burgeoning hacktivism as a service continue to evolve as interests and targets change. On the positive

side, there were some signicant victories against cybercriminals this quarter.

Continuing the change theme, we observed a considerable decrease in both AutoRun and Koobace

malware, oset by a strong rise in ake-anti-virus sotware that targets the Mac. Apples OS X has

been mostly ignored by malware writers or years, so this represents a signicant change o target

or cybercriminals.

Malware continued its overall growth during the quarter as did rootkit malware. Rootkits, used primarily

or stealth and resilience, makes malware more eective and persistent; its popularity is rising. Rootkits

such as Koutodoor and TDSS appear with increasing requency. The amount o malware that attacks

vulnerabilities in Adobe products continues to overwhelm those in Microsot products.

Botnets and messaging threats, although still at historic lows, have begun to rise again. We expected

this recovery ater some recent botnet takedowns. Users and enterprises must plan or this growth and

prepare their deenses and responses accordingly. We again examine social engineering subjects by both

geography and subject and botnets by geography and type.

We saw several spikes in malicious web activity this quarter as well as some serious growth in blogs

and wikis with malicious reputations. Sites that deliver malware, potentially unwanted programs, and

phishing sites also increased.

The second quarter o the year was clearly a period o chaos, changes, and new challenges.


3/24


Table o Contents

Hacktivism 4

Mobile Threats 5

Cybercrime 7

Malware Threats 9

Adobe Outpaces Microsot in Attracting Exploits 14

Messaging Threats 15

Web Threats 20


4/24

4


Hacktivism

Early in this quarter the Anonymous group apparently quarreled and split. On May 9, an Anonymous

press release said the Anonops network was down ater the website coadministrator Ryan attempted to

stage a coup dtat. As a reprisal, his contact details were immediately distributed on the web.

Around May 7 a new Twitter account registering the @LulzSec username appeared, marking the birth

o Lulz Security. Their rst eats did not gain much media coverage; however, when they targeted the

entertainment industry, the world was truly introduced to LulzSec.

Ater 50 days o operations, LulzSecs adventures ended due to group-against-group struggles. These

events show a level o immaturity in some groups labeled as political hacktivists and who claim to be

part o Anonymous. Jester (th3j35t3r, an Anonymous opponent who is known or ghting against

jihadist and anti-U.S. websites) and other groups (Team Web Ninjas, Backtrace, The A-Team, Teamp0ison

etc.) made a point o denouncing their ormer colleagues. These internecine struggles helped authorities

identiy some o these hackers.

Other reported incidents include a serious attack against the European Commission just beore a

summit to discuss the uture structure o the European Union, economic strategy, and the war in Libya.1

Frances Ministry o Finance suered a similar attack. The Australian Security Intelligence Organisation

disclosed that it is investigating an attack that compromised the computers o at least 10 ederal

ministers, including the prime minister, oreign minister, and deense minister. The German government

reported it sees an average o ve targeted attacks per day against users o government networks.2

Some published accounts number the various hacktivist operations, such as #antisec, #OpNewBlood,

#OpLibya, #OpBrazil, at more than 4,000 in total, but this number is hard to veriy. These operations

have resulted in websites being taken ofine, large amounts o usernames and passwords stolen, and

condential documents stolen and uploaded. Many companies have suered very eective politically

motivated attacks. Many observers have called these attacks simplistic, even lame, but these pundits miss

the point: Hacktivism is about the message, not the method.

Two intrusions by a Romanian hacker also caught our attention due to the high-prole targets: the U.S.

and European space agencies.In an April blog entry, this hacker published inormation rom the European Space Agencys server that

included names, usernames, and emails o more than 150 users. In May, the same hacker claimed to

have entered a server at NASAs Goddard Space Flight Center and gained access to condential satellite

data. He posted on his blog a screen grab o what he said was one o NASAs main FTP servers.

1. http://www.bbc.co.uk/news/world-europe-12840941

2. http://www.bundestag.de/presse/hib/2011_05/2011_201/08.html
http://www.bbc.co.uk/news/world-europe-12840941http://www.bundestag.de/presse/hib/2011_05/2011_201/08.htmlhttp://www.bundestag.de/presse/hib/2011_05/2011_201/08.htmlhttp://www.bbc.co.uk/news/world-europe-12840941


5/24

5


Mobile Threats

This quarter Android OS-based malware became the most popular target or mobile malware

developers. Thats a rapid rise or Android, which outpaces second place Java Micro Edition threeold.

Android

Java ME

Symbian

BlackBerry

MSIL

Python

VBS

New Mobile Malware This Quarter

As we watch steady, signicant growth in the mobile malware threat landscape, many o the same

unctions and eatures o PC-based threats are already part o the codebase. Mobile threats already

take advantage o exploits, employ botnet unctionality, and even use rootkit eatures or stealth

and permanence.

0

300

600

900

1,200

1,500

Q1

2011

Q2

2011

Q4

2010

Q3

2010

Q2

2010

Q1

2010

Q4

2009

Q3

2009

Q2

2009

Q1

2009

Total Mobile Malware Samples

Maliciously modied apps are still a popular vector or inecting devices: Corrupt a legitimate app or

game and users will download and install malware on their smartphones by themselves.

Inltrating popular modied apps this quarter were the malware Android/Jmsonez.A, Android/

Smsmecap.A, and the Android/DroidKungFu, and Android/DrdDreamLite amilies. Lets take a close look

at some recent mobile malware.


6/24

6


Android/Jmsonez.A is a version o a calendar app that doesnt quite work as intended.3 No matter when

the program is launched, it displays the calendar or January 2011. I the user tr ies to change the month

to a uture date, the malware begins sending SMS messages to a premium-rate number. Android/

Jmsonez.A also monitors the inbox or conrmation SMS messages rom the premium-rate service to

avoid detection.

Android/Smsmecap.A is a modied version o a legitimate comedy app.4 The malware sends humorous,

irreverent SMS messages to all the contacts in the users address book. Since May 21, the date o the

purported Rapture, it has sent messages in a mocking tone.

The Android/DroidKungFu amily is similar to Android/DrdDream; it also uses a pair o root exploits to

maintain itsel on a device.5 The exploits are actually identical to those used by the Android/DrdDream

except they have been encrypted with AES. These variants can also load URLs and install additional

sotware and updates.

The Android/DrdDreamLite amily is a less capable variant o the original Android/DrdDream amily.6 The

Lite version uses DES to encrypt the data it sends to the attacker. Android/DrdDreamLite does not include

any root exploits to remain installed on an inected device.

Other complex Trojans are Android/Tcent.A, the Android/Crusewin.A amily, Android/J.SMSHider.A, and

Android/Toplank.A.

Android/Tcent.A is another premium-rate, SMS-sending Trojan, similar to Android/Jmsonez.A, but it

includes an interesting sel-protection eature.7 The malware targets the QQ instant-messaging service,

which is popular in China. The malware attempts to uninstall anti-virus and other security sotware that

are bundled with mobile QQ clients.

The Android/Crusewin.A amily comprises a number o premium-ratesending Trojans.8 Unlike simpler

malware, the Android/Crusewin.A amily includes some botnet unctions, including executing orders rom

the attackers command server. The attacker can send SMS messages rom an inected device, useul or

signing up the victim to premium-rate subscription services, and attempt to uninstall sotware. The latter

eature is similar to that o Android/Tcent.A but suers rom a slight problem. Android/Crusewin.A uses

an uninstall code that works only on Symbian smartphones; it will not run properly on Android. Thissuggests the malware author may be porting Symbian Trojan/botnet code to the Android platorm.

Android/J.SMSHider.A sends premium-rate messages.9 The malware author modied a legitimate

SMS love analyzer to add backdoor unctionality and the ability to delete incoming SMS messages.

Android/J.SMSHider.A uses DES encryption to cover its communications with the attacker.

Android/Toplank.A pretends to be a multiuser update to the popular Angry Birds game. The malware

sends sensitive inormation (international mobile subscriber identity, the list o permissions granted to the

malware, etc.) to the attacker and can download an additional Android app to an inected device. The

new app provides a backdoor to the attacker, who can then add and delete bookmarks, browser history,

and shortcuts. The attacker can also download urther sotware.

Mobile crimeware authors are continuing their tricks with SymbOS/Zitmo.C and BlackBerry/Zitmo.D, which

are simple SMS orwarders. The authors have already compromised victims PCs with advanced malware,so it appears that they are doing only the bare minimum on mobile platorms to enable their attacks.

3. http://home.mcaee.com/VirusIno/VirusProle.aspx?key=501748






http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=501748http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=509500http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=522281http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=518925http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=501599http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=501639http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=527859http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=527859http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=501639http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=501599http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=518925http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=522281http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=509500http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=501748


7/24

7


Cybercrime

Email Address Book or Sale

Via their botnets or through rental services, spammers need email address lists to food the world. Prices

vary or such enterprises, oten with location.

Country Address List Prices (all in U.S.$)

Russia 400,000 addresses in St. Petersburg: $25

1,000,000 (entire country): $25

3,000,000: $50

5,000,000: $100

8,000,000: $200

United States 1,000,000: $25

3,000,000: $50

5,000,000: $100

10,000,000: $300

Ukraine 2,000,000: $40

Germany 1,000,000: $25

3,000,000: $50

5,000,000: $100

8,000,000: $200

Turkey 1,000,000: $50

Portugal 150,000: $25

Australia 1,000,000: $25

3,000,000: $50

5,000,000: $100

England 1,500,000: $100

Crimeware tools

Again this quarter, we saw new products and updates among exploits kits. The most notable were the

release o Eleonore Version 1.6.5, with two 2011 exploits, and Best Pack, with one 2011 exploit.

Name Prices (all in U.S.$) Description

Weyland-Yutani BOT Version 1.0 $1,000 Oered on the underground market. The seller quicklyclosed the bid ater claiming to have ound a buyer.

BlackHole Exploit Kit Version 1.1.0 Annual license: $1,500

6 months: $1,000

3 months : $700

This kit rst appeared in September 2010. Updated in

April, it contains nine exploits, with six rom 2010.

Best Pack Announced by ScriptKiddieSec and Kahu Security asthe possible successor o Dragon Pack, this exploit pack

contains seven old exploits and one rom 2011:10

CVE-2011-0611 (aecting Adobe Flash Player

versions beore 10.2.159)

Phoenix Exploit Kit Version 2.7 $2,200 This version replaced Version 2.5, whose code wasleaked in April. Current release contains at least 15

exploits, with six rom 2010.

Eleonore Version 1.6.5 $2,000 10 exploits include two Flash Player exploits rom 2011: CVE-2011-0558 (Flash beore 10.2)

CVE-2011-0611 (Flash beore 10.2.159)

YES Exploit Kit 4.0 $400 Replaced Version 3.0RC, rom April 2010. This versionhas nearly 20 exploits, with seven rom 2010.

10. http://www.kahusecurity.com/2011/best-pack/
http://www.kahusecurity.com/2011/best-pack/http://www.kahusecurity.com/2011/best-pack/


8/24

8


Actions Against Cybercriminals

This quarter was not all doom and gloom. Courts and law enorcement continue to make progress

worldwide against cybercriminals.

Country and Date Description

United Kingdom

April

Police Central e-Crime Uni t arrested three mena Lithuanian, a Latvian, and another whose

nationality was not revealedin connection with using SpyEye malware to steal online

banking details.11

United States

April

In Operation Adeona the Department o Justice and the F.B.I. shut down the Corefood

botnet, which had inected hundreds o thousands o PCs since 2002. During an 11-month

period starting in March 2009, Corefood siphoned some 190GB worth o banking passwords

and other sensitive data rom more than 413,000 inected systems as users browsed the

Internet, authorities said.12

Finland

May

Police arrested 17 people suspected o taking part in Internet banking raud aimed at

Nordea account holders at the beginning o this year. The perpetrators tried to steal almost

1.2 million via a series o more than 100 alse transactions.13 The majority o suspects are

suspected o being phishing mules. The two suspected masterminds were rom Estonia.

United Kingdom

May

A University o Salord student was convicted o a malware-based scam that allowed him

to break into the computers and webmail accounts o an estimated 100 victims. The police

asked McAee to analyze the malware and acknowledged McAees contribution in gathering

evidence that enabled an early arrest.14

United States, Ukraine, Latvia

June

The Department o Justice and the F.B.I. announced Operation Trident Tribunal, a coordinated,

international law enorcement action that disrupted the activities o two international

cybercrime rings involved in the sale o ake-alert anti-virus sotware (scareware).15 Conducted

with the Ukrainian security services, the action appears to be the rst enorcement targeting

a gang using Concker.16 The second police eort targeted Latvians charged with creating a

raudulent advertising agency.

Russia

June

One o the most controversial gures in Russias online world, ChronoPay coounder and CEO

Pavel Vrublevsky, was arrested on suspicion o ordering a distributed denial o service (DDoS)

attack against a rival rm. Vrublevsky, 32, is probably best known as the co-owner o the Rx-

Promotion rogue online pharmacy program. His company also consistently has been involved

in credit card processing orand in many cases setting up companies on behal orogue

anti-virus or scareware scams that use misleading PC security alerts in a bid to righten people

into purchasing worthless security sotware.17

A Touch o CyberwarJust discussing the denition o cyberwar can spark heated debate, as more and more countries

struggle with how to categorize this developing confict. The discussion is sure to be urther muddied as

hacktivism becomes more prevalent.

Country and Date Description

Russia

March/April

From March 24 to April 4 various DDoS attacks were launched against some bloggers on

LiveJournal, which hosts more than 4.7 million Russian bloggers (including President Dmitry

Medvedev) who exchange inormation and oten share critical views that cannot be expressed

in the mainstream media.18

United States

April

The Oak Ridge National Laboratory, home to one o the worlds most powerul

supercomputers, was the victim o a sophisticated cyberattack launched through phishing

emails sent to some 573 lab employees. Some o them appear to have clicked on a link in the

email and downloaded inormation-stealing malware.19

South Korea

May

South Korean authorities alleged North Korea's secret services hacked into the computer

system o the National Agricultural Cooperative Federation, which delivers supply, processing,marketing, and banking services to more than 4,000 branches.20

Norway

May

The Norwegian military admitted being hit by a potentially serious targeted cyberattack attack

in March. The attack happened when 100 senior mili tary personnel received an email with an

attachment appearing to come rom another government agency.21

11. http://www.networkworld.com/news/2011/041111-uk-police-arrest-three-men.html

12. http://www.theregister.co.uk/2011/04/13/corefood_botnet_takedown/

13. http://www.theregister.co.uk/2011/05/10/nnish_banking_trojan_investigation/

14. http://www.zdnet.co.uk/news/security-management/2011/05/18/gamer-sentenced-or-stealing-steam-passwords-40092802/

15. http://www.bi.gov/news/stories/2011/june/cyber_062211/cyber_062211

16. http://www.zdnet.co.uk/news/security-management/2011/06/24/ukrainian-sting-targets-concker-raudsters-40093222/

17. http://krebsonsecurity.com/tag/pavel-vrublevsky/

18. http://uk.reuters.com/article/2011/04/06/oukin-uk-russia-medvedev-cyberattack-idUKTRE7354OV20110406

19. http://www.computerworlduk.com/news/security/3275613/us-government-energy-research-lab-shuts-down-email-and-internet-access-aterphishing-attack/

20. http://www.koreaittimes.com/story/14507/north-korea-behind-cyber-attack-south-korea-bank

21. http://www.cio.com.au/article/387581/norwegian_military_admits_march_cyberattack
http://www.networkworld.com/news/2011/041111-uk-police-arrest-three-men.htmlhttp://www.theregister.co.uk/2011/04/13/coreflood_botnet_takedown/http://www.theregister.co.uk/2011/05/10/finnish_banking_trojan_investigation/http://www.zdnet.co.uk/news/security-management/2011/05/18/gamer-sentenced-for-stealing-steam-passwords-40092802/http://www.fbi.gov/news/stories/2011/june/cyber_062211/cyber_062211http://www.zdnet.co.uk/news/security-management/2011/06/24/ukrainian-sting-targets-conficker-fraudsters-40093222/http://krebsonsecurity.com/tag/pavel-vrublevsky/http://uk.reuters.com/article/2011/04/06/oukin-uk-russia-medvedev-cyberattack-idUKTRE7354OV20110406http://www.computerworlduk.com/news/security/3275613/us-government-energy-research-lab-shuts-down-email-and-internet-access-after-phishing-attack/http://www.computerworlduk.com/news/security/3275613/us-government-energy-research-lab-shuts-down-email-and-internet-access-after-phishing-attack/http://www.cio.com.au/article/387581/norwegian_military_admits_march_cyberattackhttp://www.cio.com.au/article/387581/norwegian_military_admits_march_cyberattackhttp://www.computerworlduk.com/news/security/3275613/us-government-energy-research-lab-shuts-down-email-and-internet-access-after-phishing-attack/http://www.computerworlduk.com/news/security/3275613/us-government-energy-research-lab-shuts-down-email-and-internet-access-after-phishing-attack/http://uk.reuters.com/article/2011/04/06/oukin-uk-russia-medvedev-cyberattack-idUKTRE7354OV20110406http://krebsonsecurity.com/tag/pavel-vrublevsky/http://www.zdnet.co.uk/news/security-management/2011/06/24/ukrainian-sting-targets-conficker-fraudsters-40093222/http://www.fbi.gov/news/stories/2011/june/cyber_062211/cyber_062211http://www.zdnet.co.uk/news/security-management/2011/05/18/gamer-sentenced-for-stealing-steam-passwords-40092802/http://www.theregister.co.uk/2011/05/10/finnish_banking_trojan_investigation/http://www.theregister.co.uk/2011/04/13/coreflood_botnet_takedown/http://www.networkworld.com/news/2011/041111-uk-police-arrest-three-men.html


9/24

9


Malware Threats

The malware landscape this quarter has presented us several surprises. Although numerically not the

busiest period in history (just a little behind last years pace), when combined with the rst quarter we

have the busiest ever rst hal-year in this vector. The increase is 22 percent over 2010! McAee Labs

identied almost six million unique malware samples during this quarter. This puts us on track or our

cumulative malware zoo collection to reach 75 million samples by years end.

0

10,000,000

20,000,000

30,000,000

40,000,000

50,000,000

60,000,000

70,000,000

MAR

2011

FEB

2011

JAN

2011

DEC

2010

JUN

2011

MAY

2011

APR

2011

NOV

2010

OCT

2010

SEP

2010

AUG

2010

JUL

2010

JUN

2010

MAY

2010

APR

2010

MAR

2010

FEB

2010

JAN

2010

Total Malware Samples in the Database

Just to reinorce how signicant the growth has been during the last several years, here is a look at the

monthly incremental growth o unique malware binaries:

0

500,000

1,000,000

1,500,000

2,000,000

2,500,000

MAR

2011

FEB

2011

JAN

2011

DEC

2010

JUN

2011

MAY

2011

APR

2011

NOV

2010

OCT

2010

SEP

2010

AUG

2010

JUL

2010

JUN

2010

MAY

2010

APR

2010

MAR

2010

FEB

2010

JAN

2010

New Malware Samples Added to the Database, by Month


10/24

10


We now collect on average almost two million new samples every month. This is certainly not a welcome

development, but it is consistent and predictable considering how our business and private lives are now

tethered to technology.

Among the specic amilies we track, ake anti-virus sotware (a.k.a. ake-alert or rogue anti-virussotware) continues to show consistent growth and has even begun to climb aboard a new platorm: the

Mac. You read that right; ake-AV or Apples platorm is now a reality. This does not surprise us at McAee

Labs. There are more Mac users than ever beore as well as steady business adoption. This puts the Apple

platorms squarely in the crosshairs o malware authors. It will be interesting to see i this type o malware

makes its way to the iPhone and iPad as well. It is probably a case o when rather than i.

MAR

2011

FEB

2011

JAN

2011

DEC

2010

JUN

2011

MAY

2011

APR

2011

NOV

2010

OCT

2010

SEP

2010

AUG

2010

JUL

2010

JUN

2010

MAY

2010

APR

2010

MAR

2010

FEB

2010

JAN

2010

Unique Fake-Alert Samples Discovered

0

0000

0000

00000000

0000

0000

350,000

300,000

250,000

200,000

150,000

100,000

50,000

0

Unique Fake-Alert Samples for Mac Discovered

0

50

100

150

200

250

MAR

2011

FEB

2011

JAN

2011

DEC

2010

JUN

2011

MAY

2011

APR

2011

NOV

2010

OCT

2010

SEP

2010

AUG

2010

JUL

2010


11/24

11


Generic password-stealing Trojans declined just a bit this quarter, while AutoRun malware was greatly

reduced. Koobace threats dropped to the lowest levels in years.

MAR

2011

FEB

2011

JAN

2011

DEC

2010

JUN

2011

MAY

2011

APR

2011

NOV

2010

OCT

2010

SEP

2010

AUG

2010

JUL

2010

JUN

2010

MAY

2010

APR

2010

MAR

2010

FEB

2010

JAN

2010

Unique Password Stealers Samples Discovered

0

50,000

100,000

150,000

200,000

250,000

300,000

MAR

2011

FEB

2011

JAN

2011

DEC

2010

JUN

2011

MAY

2011

APR

2011

NOV

2010

OCT

2010

SEP

2010

AUG

2010

JUL

2010

JUN

2010

MAY

2010

APR

2010

MAR

2010

FEB

2010

JAN

2010

Unique AutoRun Samples Discovered

0

100,000

200,000

300,000

400,000

500,000

600,000

700,000

MAR

2011

FEB

2011

JAN

2011

DEC

2010

JUN

2011

MAY

2011

APR

2011

NOV

2010

OCT

2010

SEP

2010

AUG

2010

JUL

2010

JUN

2010

MAY

2010

APR

2010

MAR

2010

FEB

2010

JAN

2010

0

2,000

4,000

6,000

8,000

10,000

12,000

14,000

16,000

18,000

Unique Koobface Samples Discovered


12/24

12


Rootkits and Stealth Malware

Another malware category demonstrating recent steady growth is the rootkit. A rootkit (sometimes

called stealth malware) is code that hides its elements rom the operating system and security sotware.

Cybercriminals use rootkits to make other malware stealthier and more persistent. The better hidden

the malware is, the longer it will remain on the system and engage in its malicious activity. As you can

see rom the ollowing charts, rootkits are on the rise overall. The rst hal o 2011 was comparable to

malware overall: Rootkits have seen their busiest-ever six months, up almost 38 percent over 2010! Two

o the busiest rootkits that we encounter are Koutodoor and TDSS. Both are nasty and hide malware to

steal data.

MAR

2011

FEB

2011

JAN

2011

DEC

2010

JUN

2011

MAY

2011

APR

2011

NOV

2010

OCT

2010

SEP

2010

AUG

2010

JUL

2010

JUN

2010

MAY

2010

APR

2010

MAR

2010

FEB

2010

JAN

2010

Unique Rootkit Samples Discovered

0

20,000

40,000

60,000

80,000

100,000

120,000


13/24

13


Global Inected Computer Numbers

Globally and by individual geography much o the malware we collected this quarter matched the same

varieties as in the rst quarter. We saw a ew dierences among the continents but overall they were

more similar than dierent.

Rank Top 5 Global Malware

1 AutoRun Malware

2 OpenCandy Adware

3 HotBar Adware

4 General Trojans

5 HotBar vF Adware

Rank North America

1 AutoRun Malware

2 HotBar Adware

3 OpenCandy Adware

4 Downloader Malware5 HotBar vF Adware

Rank South America

1 AutoRun Malware

2 Java Runtime Exploitation

3 Concker AutoRun Malware

4 Remote-Access Trojans

5 Downloader Malware

Rank Europe and Middle East

1 HotBar vF Adware

2 AutoRun Malware

3 HotBar Adware

4 OpenCandy Adware


Rank Australia

1 OpenCandy Adware


3 Hotbar Adware


5 AutoRun Malware

Rank Arica

1 AutoRun Malware



4 Yahoo Messenger Malware

5 Sality Virus

Rank Asia

1 AutoRun Malware



4 Downloader Malware5 Browser Exploitation
http://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Generic!atrhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Generic!atrhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Generic!atrhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Exploit-CVE2010-0840http://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=BackDoor-EZC!lnkhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Generic.dxhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Generic!atrhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Adware-OpenCandy.dllhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Downloader-BCShttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Adware-HotBar.fhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Downloader-UAhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Generic!atrhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Generic!atrhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Downloader-CJX!lnkhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=W32/YahLover.worm.genhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Generic!atrhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Generic.dxhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Suspicious%20IFrame.dhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Suspicious%20IFrame.dhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Generic.dxhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Generic!atrhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=W32/YahLover.worm.genhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Downloader-CJX!lnkhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Generic!atrhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Generic!atrhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Downloader-UAhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Adware-HotBar.fhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Downloader-BCShttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Adware-OpenCandy.dllhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Generic!atrhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Generic.dxhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=BackDoor-EZC!lnkhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Exploit-CVE2010-0840http://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Generic!atrhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Generic!atrhttp://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=Generic!atr


14/24

14


Adobe Outpaces Microsot in Attracting Exploits

For several quarters, one o the major trends weve seen is that malware authors preer to write exploits

that target vulnerabilities in Adobe products as opposed to those in Microsot products. This trend does

not prove that Adobes technologies are more vulnerable or have more coding bugs than Microsots.

Rather, Adobe is one o the clear leaders in worldwide client applications, and this leadership is what

drives malware authors and cybercriminals: They target what is popular and in wide use. The ollowing

chart shows the malware McAee Labs has seen this quarter that attempts to exploit vulnerabilities in

Adobe and Microsot products.

MAY

2011

JUN

2011

APR

2011

MAR

2011

FEB

2011

JAN

2011

Adobe and Microsoft Exploits Discovered

0

2,000

4,000

6,000

8,000

10,000

12,000

14,000

16,000

Adobe

Microsoft


15/24

15


Messaging Threats

Messaging threats continued a mild decline rom last quarter, although the drop is not signicant. A

coordinated eort last quarter among several security providers, law enorcement, and even CERTs was

able to shut o major amounts o botnet zombies and their command structure. This recent success

may still be having a positive eect. We expect to again see sharp rises in spam; in the mean time, we

continue to watch this area closely. Although the volume o spam remains at historic low levels, the

spearphishing (a class o spam) that we see today is more targeted and eective than ever. This vector

continues to evolve.

Global Spam Volume, in Trillions of Messages per Day

6

5

4

3

2

1

0

Spam

Ham

MAR

2011

FEB

2011

JAN

2011

DEC

2010

JUN

2011

MAY

2011

APR

2011

NOV

2010

OCT

2010

SEP

2010

AUG

2010

JUL

2010

Argentina

120,000,000

100,000,000

80,000,000

60,000,000

40,000,000

20,000,000

0

MAR

2011

FEB

2011

JAN

2011

DEC

2010

JUN

2011

MAY

2011

APR

2011

NOV

2010

OCT

2010

SEP

2010

AUG

2010

JUL

2010

MAR

2011

FEB

2011

JAN

2011

DEC

2010

JUN

2011

MAY

2011

APR

2011

NOV

2010

OCT

2010

SEP

2010

AUG

2010

JUL

2010

MAR

2011

FEB

2011

JAN

2011

DEC

2010

JUN

2011

MAY

2011

APR

2011

NOV

2010

OCT

2010

SEP

2010

AUG

2010

JUL

2010

MAR

2011

FEB

2011

JAN

2011

DEC

2010

JUN

2011

MAY

2011

APR

2011

NOV

2010

OCT

2010

SEP

2010

AUG

2010

JUL

2010

Spam Volume by Country

Brazil

600,000,000

500,000,000

400,000,000

300,000,000

200,000,000

100,000,000

0

MAR

2011

FEB

2011

JAN

2011

DEC

2010

JUN

2011

MAY

2011

APR

2011

NOV

2010

OCT

2010

SEP

2010

AUG

2010

JUL

2010

MAR

2011

FEB

2011

JAN

2011

DEC

2010

JUN

2011

MAY

2011

APR

2011

NOV

2010

OCT

2010

SEP

2010

AUG

2010

JUL

2010

Columbia

120,000,000

100,000,000

80,000,000

60,000,000

40,000,000

20,000,000

0

France

300,000,000

250,000,000

200,000,000

150,000,000

100,000,000

50,000,000

0

Germany

500,000,000

400,000,000

300,000,000

200,000,000

100,000,000

0

India

700,000,000

600,000,000

500,000,000

400,000,000

300,000,000

200,000,000

100,000,000

0


16/24

16


MAR

2011

FEB

2011

JAN

2011

DEC

2010

JUN

2011

MAY

2011

APR

2011

NOV

2010

OCT

2010

SEP

2010

AUG

2010

JUL

2010

MAR

2011

FEB

2011

JAN

2011

DEC

2010

JUN

2011

MAY

2011

APR

2011

NOV

2010

OCT

2010

SEP

2010

AUG

2010

JUL

2010

MAR

2011

FEB

2011

JAN

2011

DEC

2010

JUN

2011

MAY

2011

APR

2011

NOV

2010

OCT

2010

SEP

2010

AUG

2010

JUL

2010

MAR

2011

FEB

2011

JAN

2011

DEC

2010

JUN

2011

MAY

2011

APR

2011

NOV

2010

OCT

2010

SEP

2010

AUG

2010

JUL

2010

Spam Volume by Country

MAR

2011

FEB

2011

JAN

2011

DEC

2010

JUN

2011

MAY

2011

APR

2011

NOV

2010

OCT

2010

SEP

2010

AUG

2010

JUL

2010

MAR

2011

FEB

2011

JAN

2011

DEC

2010

JUN

2011

MAY

2011

APR

2011

NOV

2010

OCT

2010

SEP

2010

AUG

2010

JUL

2010

MAR

2011

FEB

2011

JAN

2011

DEC

2010

JUN

2011

MAY

2011

APR

2011

NOV

2010

OCT

2010

SEP

2010

AUG

2010

JUL

2010

MAR

2011

FEB

2011

JAN

2011

DEC

2010

JUN

2011

MAY

2011

APR

2011

NOV

2010

OCT

2010

SEP

2010

AUG

2010

JUL

2010

MAR

2011

FEB

2011

JAN

2011

DEC

2010

JUN

2011

MAY

2011

APR

2011

NOV

2010

OCT

2010

SEP

2010

AUG

2010

JUL

2010

Italy

250,000,000

200,000,000

150,000,000

100,000,000

50,000,000

0

Japan

50,000,000

40,000,000

30,000,000

20,000,000

10,000,000

0

Poland

200,000,000

150,000,000

100,000,000

50,000,000

0

Portugal

100,000,000

80,000,000

60,000,000

40,000,000

20,000,000

0

South Korea

200,000,000

150,000,000

100,000,000

50,000,000

0

Spain

200,000,000

150,000,000

100,000,000

50,000,000

0

United Kingdom

500,000,000

400,000,000

300,000,000

200,000,000

100,000,000

0

United States

1,500,000,000

1,200,000,000

900,000,000

600,000,000

300,000,000

0

Venezuela

500,000,000

400,000,000

300,000,000

200,000,000

100,000,000

0

Russia

350,000,000

300,000,000

250,000,000

200,000,000

150,000,000

100,000,000

50,000,000

0

MAR

2011

FEB

2011

JAN

2011

DEC

2010

JUN

2011

MAY

2011

APR

2011

NOV

2010

OCT

2010

SEP

2010

AUG

2010

JUL

2010


17/24

17


This quarter McAee Labs has observed the Rustock botnets continuing to dwindle even though it

may be reseeded by cybercriminals during the coming months. Meanwhile the Maazben, Cutwail, and

Bobax botnet masters have stepped up their activity. O these three dominant botnets, Maazben clearly

outpaces the others in worldwide usage and infuence.

New Global Botnet Infections by Week

Maazben

4/4/11

4/11/11

4/18/11

4/25/11

5/2/11

5/9/11

5/16/11

5/23/11

5/30/11

6/6/11

6/13/11

6/20/110

100,000

200,000

300,000

400,000

500,000

600,000

700,000

800,000

900,000

1,000,000

Maazben's Influence on Global Botnet Infections

Bagle-CB

Bobax

Cutwail

Grum

Maazben

Others

North America

Bagle-CB

Bobax

Cutwail

Grum

Maazben

Others

Africa

Latin America

Bagle-CB

Bobax

Cutwail

Grum

Maazben

Others

Bagle-CB

Bobax

Cutwail

Grum

Maazben

Others

Asia-Pacic

Bagle-CB

Bobax

Cutwail

Grum

Maazben

Others

Europe-Middle East

Bagle-C

Bobax

Cutwai

Grum

Maazb

Others

Australia


18/24

18


New Botnet Infections by Week

Bagle-CBDonbot

Rustock

4/4/11

4/11/11

4/18/11

4/25/11

5/2/11

5/9/11

5/16/11

5/23/11

5/30/11

6/6/11

6/13/11

6/20/11

0

20,000

40,000

60,000

80,000

100,000

120,000

Cutwail

Bobax

Grum

4/4/11

4/11/11

4/18/11

4/25/11

5/2/11

5/9/11

5/16/11

5/23/11

5/30/11

6/6/11

6/13/11

6/20/11

0

20,000

40,000

60,000

80,000

100,000

120,000

140,000

160,000

New Botnet Infections by Week


19/24

19


There has been steady growth in new botnet inections throughout the quarter. This is an interesting

juxtaposition when we consider the worldwide drop in spam. Clearly botnet usage is in a state o

transition. Given the growth and goals o hacktivists, we expect to see major changes in how botnets

are used.

Overall Botnet Infections per Month

APR10

MAY10

JUN10

JUL10

AUG

10

SEP10

OCT10

NOV10

DEC10

JAN11

FEB11

MAR11

2,000,000

3,000,000

4,000,000

5,000,000

6,000,000

Spam lures and their subjects (the social engineering hook used to make the message attractive)

continue to show diversity. Nigerian 419 scams seemed a bit more popular this quarter globally while

lotto scams were also prevalent in many parts o the world, along with the long-time subjects o bogus

DSN and gambling spams. Social engineering with lures based on location is certain to continue, as

scammers understand the diversities in their global audience.

China

l

l

l

l

l

Brazil

l

l

l

l

l

France

Germany

l

l

l

l

l

Spam by Country

419 ScamsDSN

Diplomas

Drugs

Fashion

Gambling

Horoscopes

Jobs

Lonely Women

Lotto Scams

Marketing

Newsletters

Phishing

Products

Third Parties

Travel

Unknown

Viruses

Watches

India

l

l

l

l

l

Indonesia


20/24

20


Web Threats

Websites can have bad or malicious reputations or a variety o reasons. Reputations can be based

on ull domains and any number o subdomains as well as on a specic IP address or URL. Malicious

reputations are infuenced by the hosting o malware, potentially unwanted programs, or phishing sites.

Oten we observe combinations o questionable code and unctionality. Many actors go into a sites

reputational rating.

Last quarter McAee Labs recorded an average o 8,900 new bad sites per day; this period that gure

dropped a bit to 7,300 hits, which is comparable to the same time last year.

New Bad-Reputation URLs per Day

APR 1

2011

MAY 1

2011

JUNE 1

2011

JULY 1

2011

0

5,000

10,000

15,000

20,000

25,000

30,000

35,000

40,000

We saw some signicant spikes in malicious web content this quarter. Several o these spikes

corresponded to intensive malicious campaigns.

Philippines

l

l

l

l

l

Italy

l

l

l

l

l

Russia

l

l

l

l

l

South KoreaSpam by Country

419 Scams

DSN

Diplomas

Drugs

Fashion

Gambling

Horoscopes

Jobs

Lonely Women

Lotto Scams

Marketing

Newsletters

Phishing

Products

Third Parties

Travel

Unknown

Viruses

Watches

United Kingdom

l

l

l

l

l

United States

l

l

l

l

l

Venezuela

l

l

l

l

l


21/24

21


On May 31, spam campaignsone promoting online dating sites with video chats and another

inorming recipients o ake pending invoicesdistributed raudulent URLs hosting Zeus-related malware

(Generic FakeAlert.by and Generic PWS.y). Among these sites were undss-syria.org, baranava.com,

emajic.net, and sturtholdastmarioncc.com.

The vast majority o these new malicious sites are located in the United States. Next in line, we nd

South Korea, Netherlands, Canada, United Kingdom, China, and Germany.

In the rst quarter our top countries were the United States, South Korea, Germany, and China. This

quarter, however, is quite dierent. Our regional breakdown reveals where most malicious servers reside:

Africa

Asia-Pacic

Australia

Europe-Middle East

Latin America

North America

North America60.2%

Australia1.8%

Africa0.2%

Latin America1.7%

Europe-Middle East24.9%

Asia-Pacific11.1%

North America, primarily the United States, still dominates, but the gure or the combined region o

Europe, the Middle East, and Arica has increased to 25 percent rom 18 percent in the rst quarter.

Lets take a deeper look at some regions:

Morocco

South Africa

Egypt

Senegal

Seychelles

Others

Africa

South Korea

China

Vietnam

Others

Asia Pacic


22/24

22


This quarter, the number o websites hosting malicious downloads has again increased, while the

amount o sites that host browser exploits was unchanged:

0

20,000

40,000

60,000

80,000

100,000

120,000

140,000

160,000

Malicious Downloads

Browser Exploits

Active Malicious URLs

MAR

2011

FEB

2011

JAN

2011

DEC

2010

JUN

2011

MAY

2011

APR

2011

NOV

2010

OCT

2010

SEP

2010

AUG

2010

JUL

2010

This quarter we also observed a continued increase in blogs and wikis with malicious reputations.

Australia

New Zealand

Australia

Net

Unit

Ger

Fran

Russ

Rom

Italy

Oth

Europe and Middle East

Brazil

British Virgin Islands

Argentina

Chile

Panama

Trinidad and Tobago

Others

Latin America

Uni

Can

Mex

North America


23/24

23


Websites Delivering Malware and PUPs

The ollowing chart provides a picture o the number o websites delivering malware and potentially

unwanted programs (PUPs) that McAee Labs detected this quarter.

New Malware Sites per Day

APR 1

2011

MAY 1

2011

JUNE 1

2011

JULY 1

2011

0

5,000

10,000

15,000

20,000

25,000

30,000

35,000

We saw a small increase this quarter with around 3,000 new sites per day compared with 2,700 per day

during the rst quarter.

Phishing Sites

This quarter we identied approximately 2,700 phishing URLs per day, up slightly rom 2,500 per day

last quarter.

New Phishing Sites per Day

APR 1

2011

MAY 1

2011

JUNE 1

2011

JULY 1

2011

0

2,000

4,000

6,000

8,000


24/24

McAee

The inormation in this document is provided only or educational purposes and or the convenience o McAee customers. The inormation

contained herein is subject to change without notice, and is provided as is, without guarantee or warranty as to the accuracy or applicability

o the inormation to any specifc situation or circumstance.


About the Authors

This report was prepared and written by Toralv Dirro, Paula Greve, Rahul Kashyap, David Marcus,

Franois Paget, Craig Schmugar, Jimmy Shah, and Adam Wosotowsky o McAee Labs.

About McAee Labs

McAee Labs is the global research team o McAee. With the only research organization devoted to all

threat vectorsmalware, web, email, network, and vulnerabilitiesMcAee Labs gathers intelligence

rom its millions o sensors and its cloud-based service McAee Global Threat Intelligence. The McAee

Labs team o 350 multidisciplinary researchers in 30 countries ollows the complete range o threats

in real time, identiying application vulnerabilities, analyzing and correlating risks, and enabling instant

remediation to protect enterprises and the public.

About McAee

McAee, a wholly owned subsidiary o Intel Corporation (NASDAQ:INTC), is the worlds largest dedicated

security technology company. McAee delivers proactive and proven solutions and services that help

secure systems, networks, and mobile devices around the world, allowing users to saely connect to the

Internet, browse, and shop the web more securely. Backed by its unrivaled Global Threat Intelligence,McAee creates innovative products that empower home users, businesses, the public sector, and service

providers by enabling them to prove compliance with regulations, protect data, prevent disruptions,

identiy vulnerabilities, and continuously monitor and improve their security. McAee is relentlessly

ocused on nding new ways to keep our customers sae. www.mcaee.com
http://www.mcafee.com/http://www.mcafee.com/

mcafee threats report q2 2011

Documents