Motive Security Labs malware report – H2 2014


Source: boletines.prisadigital.com/MKT2015019837EN_2H2014_Malware_Report.pdf (Alcatel-Lucent)


Table of contents

Introduction (p. 3)
2014 highlights (p. 3)
Mobile malware (p. 4)
  Mobile infection rate (p. 4)
  Android malware samples continue growth in 2014 (p. 4)
  Android and Windows PC biggest offenders (p. 5)
  Top Android malware (p. 6)
  Examples of mobile threats (p. 7)
Residential malware (p. 9)
  Top 20 residential network infections (p. 9)
  Top 20 high-threat-level infections (p. 10)
  Top 25 most prolific threats (p. 10)
Review of 2014 (p. 11)
  DDoS (p. 11)
  New vulnerabilities (p. 12)
  Breaches (p. 13)
  Mobile malware (p. 15)
Predictions for 2015 (p. 16)
  Botnets move to mobile and the cloud (p. 16)
  Adware becomes mainstream (p. 16)
  Hacktivism goes mobile (p. 16)
  Internet of Things gets hit (p. 17)
  DDoS (p. 17)
  Attacks on the cloud (p. 17)
Summary and conclusion (p. 17)
Terminology and definitions (p. 18)
About Motive Security Labs (p. 18)


Introduction

The “Motive Security Labs H2 2014 Malware Report” examines general trends and statistics for malware infections in devices connected through mobile and fixed networks. The data in this report is aggregated across the networks where the Motive Security Guardian (formerly Kindsight Security) network-based malware detection solutions are deployed. This solution is deployed in major fixed and mobile networks around the world, monitoring network traffic from close to 100 million devices.

2014 highlights

Mobile

• On the mobile side, infections continue to accelerate, with an increase of 25% in 2014, compared with 20% for 2013.

• The infection rate is currently at 0.68%. Based on this, we estimate that worldwide, about 16 million mobile devices are infected by malware.

• Mobile malware is increasing in sophistication with more robust command and control (C&C) protocols.

• Mobile spyware is definitely on the increase. Six of the top 20 mobile malware are mobile spyware. These are apps that are used to spy on the phone’s owner. They track the phone’s location, monitor ingoing and outgoing calls and text messages, monitor email and track the victim’s web browsing.

• The infections were split 50/50 between Android devices and Windows/PCs, with less than 1% coming from other smartphones such as the iPhone and Blackberry. Windows/PCs remain the workhorse of cybercrime, but the Android platform is catching up.

Residential

• The overall monthly infection rate in residential fixed broadband networks is currently at just under 14%. This is up substantially from the 9% we saw in 2013. The increase is mostly attributable to a large increase in moderate-threat-level adware infections.

• High-level threats such as bots, rootkits and banking Trojans remain steady at around 5%.

2014 overall

2014 saw a variety of innovative DDoS attacks (NTP MON_LIST, DNS DDoS using home routers and mobile Wi-Fi® hotspots), new vulnerabilities and exploits (Heartbleed, ShellShock, Android FakeID), new Apple attacks (WireLurker and Masque), high-profile breaches (Sony, Regin), and new mobile malware (NotCompatible, Koler, hacktivism with LOIC).

Based on 2014 we predict the following for 2015:

• Botnets move to mobile and the cloud

• Hacktivism goes mobile

• Internet of Things gets hit

• Attacks on the cloud

Key figures: 16M mobile devices infected worldwide; 14% of homes are infected with malware; 6 out of the top 20 mobile threats are spyphone apps.


Mobile malware

In the second half of 2014 the overall mobile infection rate continued its upward trend. The number of Android malware samples continued to grow significantly, but not at the exponential rates seen in 2013.

Mobile infection rate

The graph below shows the percentage of infected mobile devices observed on a monthly basis since December 2012. This data is averaged from actual mobile deployments.

Figure 1. Mobile infection rate since December 2012 (line chart: monthly mobile infection rate, 0.4% to 0.7%, October 2012 to early 2015)

Currently, 0.68% of mobile devices are infected with malware. This is a growth of 25% in 2014. We can use this infection rate to calculate the total number of infected smartphones worldwide. According to the ITU there are currently 2.3 billion mobile broadband subscriptions, so we estimate that 16 million mobile devices had some sort of malware infection in December 2014. This global estimate is likely on the conservative side because our sensors do not have complete coverage in areas such as China and Russia, where mobile infection rates are known to be higher than average.

Android malware samples continue growth in 2014

An indicator of Android malware growth is the increase in the number of samples in our malware database. The chart below shows numbers since June 2012. The number of samples grew by 161% in 2014.

Figure 2. Mobile malware samples since June 2012 (bar chart: number of mobile malware samples, 0 to 1,400,000, July 2012 to October 2014)


In addition to the increase in raw numbers, the sophistication of the Android malware also increased. Previously the C&C mechanisms were primitive; configurations were hard-coded and inflexible; the malware made no serious effort to conceal itself; and attack vectors were limited to hoping someone installs the infected app. However, in 2014 we started to see malware applications that had originally been developed for the Windows/PC platform migrate to the mobile space, bringing with them more sophisticated command and control and rootkit technologies. Examples include NotCompatible and Koler.

Android and Windows PC biggest offenders

Figure 3. Infected device types in 2013 and 2014 (stacked chart: percentage of infected devices that are Android versus Windows, 0 to 100%, by month for 2013 and 2014)

The chart above shows the breakdown of infected device types that have been observed in 2013 and 2014.

Most people are surprised to find such a high proportion of Windows/PC devices involved. These Windows/PCs are connected to the mobile network via dongles and mobile Wi-Fi devices or simply tethered through smartphones. They are responsible for about 50% of the malware infections observed. This is because these devices are still the favorite of hardcore professional cybercriminals who have a huge investment in the Windows malware ecosystem. As the mobile network becomes the access network of choice for many Windows PCs, the malware moves with them.

Android phones and tablets are responsible for about 50% of the malware infections observed. Currently most mobile malware is distributed as “Trojanized” apps and Android offers the easiest target for this because of its open app environment. Specifically, the following Android issues have been observed:

• Android apps can be downloaded from third-party app stores and web sites.

• There is no control of the digital certificates used to sign Android apps.

  - Android apps are usually self-signed and can’t be traced to the developer.

  - It is easy to hijack an Android app, inject code into it and re-sign it.

• The other smartphones (iPhone, Blackberry, Windows Mobile, etc.) make up less than 1% of the infections we have observed. The iPhone and Blackberry have a more controlled app distribution environment and are thus less of a target.


Top Android malware

The table below shows the top 20 Android malware detected in H2 2014 in the networks where the Motive solution is deployed.

Table 1. Top 20 Android malware detected in H2 2014

| NAME | THREAT LEVEL | % | H1 2014 |
|---|---|---|---|
| Android.Adware.Uapush.A | Moderate | 45.57 | 2 |
| Android.Trojan.Ackposts.a | High | 17.08 | 6 |
| Android.MobileSpyware.SmsTracker | High | 14.67 | 3 |
| Android.Adware.Counterclank | Moderate | 9.56 | New* |
| Android.MobileSpyware.SpyMob.a | High | 1.87 | 12 |
| Android.Bot.Notcompatible | High | 1.65 | 5 |
| Android.Trojan.FakeFlash | Moderate | 1.62 | New |
| Android.Trojan.Wapsx | High | 1.09 | 8 |
| Android.MobileSpyware.GinMaster | High | 0.85 | 32 |
| Android.Trojan.Qdplugin | High | 0.82 | 7 |
| Android.Trojan.Sms.Send.B | High | 0.76 | 4 |
| Android.MobileSpyware.SpyBubble | High | 0.64 | 9 |
| Android.ScareWare.Koler.C | High | 0.64 | New |
| Android.Backdoor.Advulna | High | 0.52 | 10 |
| Android.MobileSpyware.Phonerec | High | 0.45 | 13 |
| Android.MobileSpyware.Tekwon.A | High | 0.33 | New |
| Android.ScareWare.Lockdroid.F | High | 0.25 | New |
| Android.Adware.Kuguo.A | Moderate | 0.2 | 15 |
| Android.Trojan.MMarketPay.a | High | 0.16 | 29 |
| Android.Trojan.JSmsHider.D | High | 0.16 | 64 |

Cybercriminals are quick to take advantage of opportunities that are unique to the mobile ecosystem. Six of the top 20 list are in the mobile spyware category. These are apps that are used to spy on the phone’s owner. They track the phone’s location and monitor ingoing and outgoing calls and text messages. These are functions that are unique to the mobile environment. Similarly, the SMS Trojans that make their living by sending text messages to premium SMS numbers are unique to the mobile space. Three of the top 20 are malicious adware.

However, there is also a cross-over from the traditional Windows/PC malware space. For example, the top 20 includes:

• A variety of scareware apps that try to extort money by claiming to have encrypted the phone’s data

• Identity theft apps that steal personal information from the device

• A web proxy app that allows hackers to anonymously browse the web through an infected phone (at the owner’s expense)


Examples of mobile threats

Uapush.A is an Android adware Trojan with a moderate threat level; it also sends Short Message Service (SMS) messages and steals personal information from the compromised device. Activity on this decreased steadily since the first half of the year. The malware has its web-based C&C site located in China.

Figure 4. Uapush.A summary (infection map and daily infection counts, Oct 16 to Jan 1; Name: Android.Adware.Uapush.A; Signature ID: 2805862; Signature State: Active; Type: Adware; Class: Spyware; Level: Moderate)

SMSTracker is an Android spyphone app that provides a complete remote phone tracking and monitoring system for Android phones. It allows the attacker to remotely track and monitor all SMS, Multimedia Messaging Service (MMS), text messages, voice calls, GPS locations and browser history. This is also known as Android.Monitor.Gizmo.A.

Figure 5. SMSTracker summary (infection map and daily infection counts, Oct 16 to Jan 1; Name: Android.MobileSpyware.SMSTracker; Signature ID: 2807732; Signature State: Active; Type: MobileSpyware; Class: Identity Theft; Level: High)

NotCompatible is an Android bot that uses the infected phone to provide anonymous proxy web browsing services. This can consume large amounts of bandwidth and airtime, as the phone serves as a proxy for illicit web browsing activity. The C&C is located in Germany and Holland. The C&C protocol is the same as a Windows-based web proxy bot. This is the first time we have seen a common C&C protocol between Windows and Android malware. The malware first appeared in 2013. Activity has been declining throughout 2014.


Figure 6. NotCompatible summary (infection map and daily infection counts, Oct 16 to Jan 1; Name: Android.Bot.Notcompatible; Signature ID: 513102890; Signature State: Active; Type: Bot; Class: Cybercrime; Level: High)

Koler is an Android scareware Trojan that uses the infected phone to provide anonymous proxy web browsing services. This can consume large amounts of bandwidth and airtime, as the phone serves as a proxy for illicit web browsing activity. The C&C is located in Germany and Holland.

Figure 7. Koler summary (infection map and daily infection counts, Oct 16 to Jan 1; Name: Android.Koler; Signature ID: 2809106; Signature State: Active; Type: Scareware; Class: Cybercrime; Level: High)

FakeFlash is a scam application distributed under the name “Install Flash Player 11.” It charges money for downloading and installing the Adobe Flash Player.

Figure 8. FakeFlash summary (infection map and daily infection counts, Oct 16 to Jan 1; Name: Android.Trojan.FakeFlash; Signature ID: 2808191; Signature State: Active; Type: Trojan; Class: Cybercrime; Level: Moderate)


Residential malware

In 2014 the infection rate in residential networks rose significantly, as can be seen in the chart below. However, the increase is almost entirely due to moderate-threat-level “adware” infections. High-threat-level “botnet” infections have returned to around the 5% level despite a slight increase in Q2.

Figure 9. Residential infection rates (bar chart: residential infection rates in %, 0 to 20, by quarter from 2012 Q1 to 2014 Q4, with series Total, High and Moderate)

In Q4, 13.6% of residences had some sort of malware infection. Of these, 5.3% had a high-threat-level infection and 11.6% had a moderate infection. 3.3% of residences had both high and moderate infections, so the total adds up to 13.6%, not 16.9%.

Top 20 residential network infections

The chart below shows the top home network infections detected in Motive deployments. The results are aggregated and the order is based on the number of infections detected over the three-month period of this report.

Table 2. Top 20 home network infections

| RANK | NAME | THREAT LEVEL | % | H1 2014 |
|---|---|---|---|---|
| 1 | Win32.Adware.iBryte | Moderate | 11.65 | 1 |
| 2 | Win32.Adware.Wysotot | Moderate | 7.89 | 4 |
| 3 | Win32.AdWare.Eorezo | Moderate | 6.86 | 7 |
| 4 | Win32.AdWare.AddLyrics.T | Moderate | 5.76 | 3 |
| 5 | Win32.Hijacker.StartPage.KS | Moderate | 5.47 | 5 |
| 6 | Win32.Adware.BrowseFox.G | Moderate | 4.96 | New |
| 7 | Win32.Adware.Wajam | Moderate | 4.94 | 2 |
| 8 | Win32.Adware.Megasearch | Moderate | 4.71 | 9 |
| 9 | Win32.Trackware.Binder | Moderate | 4.16 | New |
| 10 | Indep.DDoS.DNSAmplification | High | 3.64 | New |
| 11 | Android.Adware.Uapush.A | Moderate | 3.01 | 12 |
| 12 | Win32.Adware.MarketScore | Moderate | 2.67 | 14 |
| 13 | Win32.Adware.Eorezo | Moderate | 2.62 | 15 |
| 14 | Win32.BankingTrojan.Carberp | High | 2.25 | 13 |
| 15 | Win32.Bot.ZeroAccess2 | High | 1.68 | 8 |
| 16 | Win32.Adware.MediaFinder | Moderate | 1.61 | 11 |
| 17 | Win32.Adware.Bundlore | Moderate | 1.41 | 21 |
| 18 | Android.Trojan.Ackposts.a | High | 1.16 | 30 |
| 19 | Win32.Adware.InstallMonetizer | Moderate | 1.06 | 16 |
| 20 | Win32.Adware.PullUpdate | Moderate | 1.00 | New |


In 2014 we saw a significant increase in adware and other moderate-threat-level malware. Of the top 20 threats in the second half of 2014, 14 are adware. The activity of high-level threats such as bots has not declined, but they have been pushed out of the top 20 by the proliferation of adware.

Top 20 high-threat-level infections

The table shows the top 20 high-threat-level malware that leads to identity theft, cybercrime or other online attacks.

Table 3. Top 20 high-threat-level infections

| RANK | NAME | % | H1 2014 |
|---|---|---|---|
| 1 | Indep.DDOS.DNSAmplification | 16.41 | New |
| 2 | Win32.BankingTrojan.Carberp | 10.14 | 3 |
| 3 | Win32.Bot.ZeroAccess2 | 7.60 | 1 |
| 4 | Android.Trojan.Ackposts.a | 5.26 | 12 |
| 5 | Win32.Trojan.CI.A | 3.39 | New |
| 6 | Win32.PasswordStealer.Lolyda.B | 3.15 | 14 |
| 7 | Win32.Trojan.Bunitu.B | 2.58 | 8 |
| 8 | Win32.Trojan.Malagent | 2.57 | 10 |
| 9 | Win32.BankingTrojan.Zeus | 2.30 | 5 |
| 10 | Win32.Worm.Koobface.gen.B | 1.97 | 25 |
| 11 | Win32.Backdoor.Delfsnif.DU | 1.79 | New |
| 12 | Win32.Downloader.Obvod.K | 1.71 | 22 |
| 13 | Win32.Virus.Jeefo.A | 1.66 | New |
| 14 | MAC.Bot.Flashback.K/I | 1.64 | 13 |
| 15 | Win32.Virus.Sality.AT | 1.47 | 43 |
| 16 | Win32.Backdoor.Delfsnif.DU | 1.43 | New |
| 17 | Win32.Downloader.Dofoil.T | 1.36 | New |
| 18 | Win32.BankingTrojan.ZBot | 1.28 | 9 |
| 19 | Win32.Downloader.Banload.AUN | 1.21 | 20 |
| 20 | Win32.Trojan.Clicker | 1.02 | 39 |

The top 20 list contains the usual suspects from previous reports: bots, downloaders, banking Trojans and password stealers. There are also representatives from the Mac and Android environments. But at number one is the DDoS DNS amplification attack that continues to plague the Internet. The majority of this activity is due to the exploitation of vulnerabilities on devices such as home routers and Wi-Fi hotspots. These devices are never protected by anti-virus software, and the only way to detect the infection is via network-based monitoring. This attack was responsible for the well-publicized network outage at Spark New Zealand in September, which involved over 130 home routers, and for a number of less publicized incidents involving Wi-Fi hotspots in mobile networks. There is more on these DDoS attacks in the “2014 in Review” section.


Top 25 most prolific threats

The chart below shows the top 20 most prolific malware found on the Internet. The order is based on the number of distinct samples we have captured from the Internet at large. Finding a large number of samples indicates that the malware distribution is extensive and that the malware author is making a serious attempt to evade detection by anti-virus products.

Figure 10. Most prolific malware (bar chart, share of captured samples from 0.0% to 3.5%), in descending order:

1. Virus:Win32/Ramnit.I
2. TrojanDownloader:Win32/Tugspay.A
3. TrojanDownloader:Win32/Ogimant.gen!C
4. Worm:Win32/Soltern.L
5. Trojan:Win32/Beaugrit.gen!AAC
6. Virus:Win32/Ramnit.J
7. Virus:Win32/Elkern.B
8. Worm:Win32/Picsys.C
9. TrojanDropper:Win32/Gepys.A
10. TrojanDropper:Win32/Loring
11. PWS:Win32/OnLineGames.AH
12. TrojanDownloader:Win32/Unruy.C
13. TrojanDownloader:Win32/Upatre.AA
14. PWS:Win32/Zbot
15. Virus:Win32/Ramnit.A
16. Virus:Win32/Jadtre.L
17. Virus:Win32/Virut.BN
18. Virus:Win32/Sality.AT
19. Trojan:Win32/Comame!gmb
20. Backdoor:Win32/Simbot.gen

Review of 2014

DDoS

In 2014 we saw an increase in DDoS activity leveraging network infrastructure components such as home routers, DSL modems, cable modems, mobile Wi-Fi hotspots, DNS servers and Network Time Protocol (NTP) servers.

NTP MON_LIST attack

The year started off with a series of NTP-based DDoS amplification attacks leveraging service provider infrastructure. The attacker sends spoofed NTP MON_LIST requests to NTP servers operated by service providers. Each request is a 60-byte User Datagram Protocol (UDP) packet. The NTP server responds with about 50 kilobytes of data for each request, an 800 times amplification. Usually the source IP address on the request is spoofed, flooding the victim with gigabytes of traffic.

There are actually two victims of this attack. The main victim was of course the ultimate destination of the UDP traffic. They would be bombarded with UDP traffic from NTP servers all over the Internet. However, the service providers whose NTP servers were being used in the attack also suffered collateral damage due to a huge load increase on their NTP servers and significant increases in the amount of UDP traffic on their network infrastructure. In one instance we noticed that the amount of UDP traffic was more than double its usual level.


DNS DDoS at Spark

Spark New Zealand was hit with a DNS DDoS amplification attack that caused a network outage in September. According to media reports, about 138 home routers that responded to recursive DNS requests were used to bombard Spark’s DNS infrastructure as part of a DDoS attack on an external third party. The attack was severe enough to prevent the DNS servers from servicing regular requests.

Figure 11. DDoS amplification attack process (diagram; steps numbered 1 to 5 as listed below)

The attack worked as follows:

1. Hacker tells Internet-based botnets to launch attack.
2. Bots send spoofed DNS requests to Spark CPE modems.
3. Modems send DNS requests to Spark DNS servers, flooding them with requests.
4. DNS servers respond with amplified response traffic.
5. Modems flood the victim’s server with this response traffic.

DNS DDoS using Mobile Wi-Fi hotspots

Mobile Wi-Fi (MiFi) hotspot devices are used to connect laptops, PCs and other devices to the Internet through the mobile network. Certain models have the same flaw that was leveraged in the Spark case — they respond to external recursive DNS requests. We have seen these leveraged in a number of mobile deployments as part of a DNS DDoS amplification attack involving tens of millions of DNS requests per day. The device must have a public IP address for an attacker to exploit it, so mobile networks where the devices have private IP addresses and use Network Address Translation (NAT) to access the Internet are not vulnerable to this type of attack.
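The NTP MON_LIST attack and the open-resolver CPE cases (Spark and the MiFi hotspots) share one network-level signature: a UDP service endpoint that sends far more bytes to a peer than that peer ever sent it, with the peer, the spoofed victim, sitting outside the network. The report notes that such devices carry no anti-virus and can only be caught by network monitoring. The block below is an added example written for this page, not code from the report or from the Motive/Kindsight product; it runs that check over constructed NetFlow-style records, and the subscriber prefix, addresses, byte volumes and thresholds are all assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample: NetFlow-style UDP flow summaries as CSV (documentation
# address ranges; volumes made up to mirror the report's figures of a 60-byte
# MON_LIST request answered by about 50 KB). Flow 1/2: a provider NTP server
# answering spoofed requests. Flow 3/4: a subscriber CPE acting as an open
# resolver for an external peer. Flow 5/6: normal DNS use by a subscriber.
SAMPLE_FLOWS = """\
src,sport,dst,dport,packets,bytes
203.0.113.9,40000,192.0.2.123,123,1000,60000
192.0.2.123,123,203.0.113.9,40000,40000,50000000
203.0.113.9,40000,198.51.100.77,53,5000,300000
198.51.100.77,53,203.0.113.9,40000,5000,15000000
198.51.100.20,51234,198.51.100.77,53,200,14000
198.51.100.77,53,198.51.100.20,51234,200,30000
"""

# Assumption: the operator's subscriber (CPE / MiFi hotspot) address space.
SUBSCRIBER_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]

AMPLIFIED_SERVICES = {53: "DNS", 123: "NTP"}
MIN_RATIO = 10.0             # response bytes per request byte (assumed)
MIN_RESPONSE_BYTES = 1_000_000  # ignore tiny flows (assumed)


def parse_flows(text):
    """Parse the CSV flow export into dicts with integer ports and counters."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "src": row["src"], "sport": int(row["sport"]),
            "dst": row["dst"], "dport": int(row["dport"]),
            "packets": int(row["packets"]), "bytes": int(row["bytes"]),
        })
    return rows


def is_subscriber(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SUBSCRIBER_PREFIXES)


def find_amplification(flows, min_ratio=MIN_RATIO,
                       min_response_bytes=MIN_RESPONSE_BYTES):
    """Pair request and response bytes per (responder, service port, peer)
    and flag peers that receive far more than they sent. The peer is the
    spoofed source, i.e. the real victim; the responder is the reflector."""
    req = defaultdict(int)   # bytes sent towards the service
    resp = defaultdict(int)  # bytes sent by the service
    for f in flows:
        if f["dport"] in AMPLIFIED_SERVICES:
            req[(f["dst"], f["dport"], f["src"])] += f["bytes"]
        elif f["sport"] in AMPLIFIED_SERVICES:
            resp[(f["src"], f["sport"], f["dst"])] += f["bytes"]

    findings = []
    for (responder, port, peer), out_bytes in resp.items():
        in_bytes = req.get((responder, port, peer), 0)
        ratio = out_bytes / in_bytes if in_bytes else float("inf")
        if out_bytes >= min_response_bytes and ratio >= min_ratio:
            findings.append({
                "service": AMPLIFIED_SERVICES[port],
                "responder": responder,
                # A subscriber device answering DNS/NTP for an outside peer is
                # the open-resolver CPE pattern from the Spark and MiFi cases;
                # a non-subscriber responder is provider infrastructure.
                "open_cpe": is_subscriber(responder) and not is_subscriber(peer),
                "victim": peer,
                "ratio": round(ratio, 1),
                "response_bytes": out_bytes,
            })
    findings.sort(key=lambda f: f["response_bytes"], reverse=True)
    return findings


if __name__ == "__main__":
    for finding in find_amplification(parse_flows(SAMPLE_FLOWS)):
        print(finding)
```

On the constructed data this reports the NTP server at an 833x ratio and the subscriber CPE at 50x as an open resolver, while the subscriber's own DNS lookups stay below both thresholds.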

New vulnerabilities

There were also some significant zero-day vulnerabilities that came to light in 2014.

Heartbleed

Secure Sockets Layer (SSL) had a bad year, starting with Heartbleed. This impacted any server or client running OpenSSL versions 1.0.1 through 1.0.1f. It allowed the attacker to use OpenSSL’s heartbeat mechanism to retrieve up to 64 kilobytes of the memory contents from the victim’s computer, revealing everything from encryption keys to personal information. In Q2 Heartbleed was at number 16 on our top 20 high-level threat detections.


Then in September the Poodle vulnerability was discovered in SSL 3.0. This “padding oracle” attack allowed attackers with man-in-the-middle access to SSL communications to decrypt parts of the communication, revealing such things as cookies containing session keys. The most popular solution was to disable SSL 3.0 and use Transport Layer Security (TLS). However, in December a variant of Poodle was discovered that attacked specific implementations of TLS 1.0 to 1.2.

ShellShock

In September the ShellShock vulnerability in the Unix Bash shell was announced. This allowed remote attackers to execute commands by setting environment variables. Any application that set environment variables and used Bash was vulnerable. Millions of production web servers around the world were vulnerable and had to be patched.

Our malware detection sensors detected a huge amount of network activity associated with this vulnerability. Some of this was from hackers looking for vulnerable hosts, but the majority appeared to be from security research companies scanning the Internet to evaluate the scale of the problem.

Android FakeID

Last year it was the MasterKey vulnerability that allowed a Trojanized app to be injected into a legitimate application and assume its identity and any system privileges. This year we have the “Fake ID” exploit. This uses a flaw in certificate verification that allows a malicious application to pretend to be an application that is given special privileges, such as Google Wallet. We have not yet seen any exploits of this vulnerability.

iPhone Exposed

In early November Palo Alto Networks announced the discovery of the WireLurker vulnerability that allows an infected Mac OS X computer to install applications on any iPhone that connects to it via a USB connection. User permission is not required and the iPhone need not be jail-broken. News stories reported the source of the infected Mac OS X apps as an app store in China that apparently impacted over 350,000 users through apps disguised as popular games. These infected the Mac computer, which in turn infected the iPhone. Once infected, the iPhone contacted a remote C&C server.

A couple of weeks later, FireEye revealed the Masque Attack vulnerability, which allows third-party apps to be replaced with a malicious app that can access all the data of the original app. In a demo, FireEye replaced the Gmail app on an iPhone, allowing the attacker complete access to the victim’s email and text messages.

So it looks like the iPhone is no longer immune.

Breaches

Sony

The Sony Pictures breach was the biggest breach story of 2014, probably due to the fact that it involved the theft of huge amounts of corporate data. That data was used to blackmail a major movie company to not release a controversial film, which portrayed a fictional assassination attempt on the North Korean head of state. The story raised the cyber espionage debate to a new level, with North Korean state-sponsored hackers being suspected of perpetrating the breach. The discussion went all the way to the White House, and the United States implemented additional sanctions against North Korea as a result.


From a security perspective, the attack was either a brilliant execution of an Advanced Persistent Threat or an inside job. The extent of the breach points to an inside job. The FBI released a warning about malware from the “Guardians of Peace” or “GOP” that was found on Sony computers. This malware wiped the disks and left the warning shown in Figure 12.

Figure 12. Example of warning from GOP

Regin

In November, Kaspersky Lab and Symantec both published detailed malware analyses of the Regin toolkit, which is suspected of being used by government intelligence agencies for cyber espionage. The malware has been around for some time, with samples dating back to 2003. The name Regin has been used since 2011.

The malware appears to be used for targeted cyber espionage against private individuals, governments and telecom carriers.

• 28% of targets were in the telecom sector

• Used against mobile operators to collect network management log information

• A log file from a GSM base station was found on one of the infected devices

Credit cards

2014 saw major breaches of Home Depot, Dairy Queen and Staples. All of these were cases of malware infections on the cash registers or point-of-sale terminals in physical stores, not of online web-based stores. Credit and debit cards stolen from brick-and-mortar stores are much more valuable than cards stolen from online retailers. Card information stolen from online retailers can only be used for online purchases, and online purchases typically need to be shipped to the address of the card owner, making them less usable to fraudsters. Because point-of-sale malware records all the information in the magnetic stripe on the card, the data it collects can be used to make new physical cards. Criminals use these forged cards in stores to buy expensive items such as electronics, which can easily be sold for cash.

Consumers avoiding online retailers in order to reduce their exposure to credit card fraud may actually be exposing themselves to greater risks in brick-and-mortar stores.
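The property that makes magnetic-stripe data valuable to point-of-sale malware, that it is a complete, rigidly formatted record, is also what makes it detectable. The ISO 7813 Track 2 layout is fixed and every PAN must pass the Luhn check, so a DLP rule on the store network or a triage script over a memory dump from a terminal can find track data with very few false positives. The Python below is an added example, not code from the report or from Motive Security Labs; the buffer is constructed, the PANs are the widely published test numbers rather than real cards, and the function names are mine.

```python
import re
from typing import List, Tuple

# Constructed sample: bytes as they might be captured leaving a POS terminal
# or found in a memory dump during triage. The PANs are the well-known test
# numbers 4111 1111 1111 1111 and 5105 1051 0510 5100, not real cards.
SAMPLE_BUFFER = (
    b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
    b";4111111111111111=2512101000000000000?"
    b"\x00\x00order=1234;5105105105105100=2603201?"
    b"noise;1234567890123456=2512101?tail"   # fails Luhn: a digit run, not a card
)

# ISO 7813 Track 2: ';' start sentinel, 13-19 digit PAN, '=' separator,
# YYMM expiry, then service code/discretionary digits up to the '?' sentinel.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d*)\?")


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string satisfies the Luhn check-digit rule."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (the PCI DSS display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(buf: bytes) -> List[Tuple[str, str]]:
    """Return (masked PAN, YYMM expiry) for each Track 2 record in buf whose PAN
    passes Luhn and whose expiry month is plausible. The full PAN is never
    returned, so the alert itself does not become a second exposure."""
    findings = []
    for m in TRACK2_RE.finditer(buf):
        pan, exp = m.group(1).decode(), m.group(2).decode()
        month = int(exp[2:])
        if luhn_valid(pan) and 1 <= month <= 12:
            findings.append((mask_pan(pan), exp))
    return findings


if __name__ == "__main__":
    for masked, exp in find_track2(SAMPLE_BUFFER):
        print(f"track data detected: PAN {masked} exp {exp}")
```

The Luhn filter matters in practice: long digit runs (order numbers, timestamps, counters) appear constantly in terminal traffic, and without it a track-shaped regex alone produces a steady stream of false alerts.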


Mobile malware

Mobile malware matured and became more sophisticated in 2014. Cybercriminals have been quick to take advantage of opportunities that are unique to the mobile ecosystem, such as spy phone apps that are used to track the phone’s owner and SMS Trojans that make their living by sending text messages to premium SMS numbers. However, there is also a significant cross-over from the traditional Windows/PC malware space. The following examples illustrate this.

NotCompatible

This is an Android bot that uses the infected phone to provide anonymous proxy web browsing services. This can consume large amounts of bandwidth and airtime, as the phone serves as a proxy for illicit web browsing activity. The C&C protocol is the same as that of a Windows-based web proxy bot. This is the first time we’ve seen a common C&C infrastructure shared between Windows and Android malware.

This type of Transmission Control Protocol (TCP) proxy can be used for a number of purposes, including:

• Anonymous web browsing

• Providing access to restricted foreign content

• Ad-click fraud

• Web site optimization fraud

• APT probing and exfiltration

More details on the C&C protocol and the use of this bot can be found in the document “NotCompatible – Android Web Proxy Bot”.

Koler

Scareware and ransomware are beginning to make inroads in the mobile space. The latest example is Koler, Android scareware that tries to extort money from its victims.

Figure 13. Example of scareware from Koler

The victims are usually visitors to Internet-based pornographic sites, who are duped into downloading and installing a “premium access video player.” Once the app is installed, it claims that it has encrypted all the data and locked the phone because the victim has violated anti-pornography laws. The phone will not be unlocked until a $300 fine is paid. The malware “lock-screen” is customized depending on the location of the phone. The screen image is from a United States-based phone.

Koler has not actually encrypted anything and can be easily removed either by pressing the home screen and navigating to the app, then dragging it to the top of the screen where the uninstall control is located, or by booting the device in safe mode and then uninstalling the app.

This is believed to be produced by the same cybercriminal gang that created the Windows Reveton and Icepol Trojans, and is an example of traditional Windows cybercrime moving into the mobile environment.


LOIC

The Anonymous hacktivist group has been using a tool called the Low Orbit Ion Cannon (LOIC) to launch DDoS attacks on various targets. A version of the tool is now available for Android on Google Play. So now you can take part in a hacktivist DDoS attack from your mobile phone.

Figure 14. LOIC tool

Predictions for 2015

No annual report would be complete without a look into the future. The following are trends that we’ve noticed in 2014 that will come into prominence in 2015.

Botnets move to mobile and the cloud

In 2014, residential botnet detections were relatively flat and actually dropped a bit toward the end of the year. In 2015 you will see botnets move from the traditional residential Windows/PC-based systems to the cloud and the mobile network. It is likely more cost-effective for cybercriminals to leverage cloud-based server resources and mobile devices to support their spam, DDoS attacks, ad-click fraud, Bitcoin mining and other illegal activity.

Adware becomes mainstream

Adware used to be regarded as malicious. Then it became unwanted or potentially unwanted. Now it has become so common that it will start to move off the radar from a security perspective. It is now common for mobile apps to be supported by targeted advertising, and ad networks offer developers SDKs to integrate advertising into their applications. It is now commonplace to sit through a short ad before viewing content on YouTube and other services.

Hacktivism goes mobile

Providing a LOIC DDoS app for Android is likely just the start. The mobile phone offers a myriad of opportunities that can be applied to hacktivism.

• Targeted DDoS attacks using SMS and phone services

• Communications apps to support protests. Imagine a movement called “Occupy the Internet.”

• Cyber terrorism against mobile infrastructure


Internet of Things gets hit

To some extent the Internet of Things has already been involved in attacks. Home routers have always been a target. In 2014, modems and mobile Wi-Fi hotspots were used in DNS DDoS amplification attacks. In 2015 you will see attacks against things like Internet-connected video surveillance equipment, alarm systems, smart meters and automobiles; and yes — the proverbial smart fridge.

DDoS

2014 saw an increase in the use of network infrastructure in DDoS amplification attacks, notably the NTP MONLIST attack at the beginning of the year and the DNS attacks that are still ongoing. So why stop now? The fun will continue in 2015.

Attacks on the cloud

Cloud-based services are basically anything that relies on server components on the Internet. These present large targets for DDoS attacks. At the end of 2014 we saw the following:

• On Christmas Day there was a coordinated attack by a group called the Lizard Squad on the Microsoft and Sony servers that support Xbox and PlayStation gaming. News stories report that this was done as a marketing scheme by Lizard Squad, who are now offering their DDoS capability as a service to anyone who is willing to pay.

• In late December, Rackspace was hit by a major DNS DDoS attack that took down its DNS infrastructure and caused connectivity problems with its cloud-based services for over 11 hours.

• A software developer using GitHub discovered that hackers were using a bot that continually scans GitHub looking for Amazon API keys. Once keys are found, they are used to spin up the maximum allowed number of Amazon EC2 servers and do some Bitcoin mining.

So we predict that in 2015 cybercrime is going to move into the cloud in a big way.
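The GitHub item above describes a bot finding keys by scanning public repositories; the defender's counterpart is to scan for the same patterns before a commit leaves the developer's machine. The Python below is an added example, not code from the report, in the shape of a pre-commit hook: it looks for an AWS access key ID (the documented format is the prefix AKIA followed by 16 uppercase letters or digits) and for a 40-character secret assigned to a name containing both "aws" and "secret". The file contents are constructed; the key values are the placeholder credentials used in the AWS documentation, not live keys, and the function names are mine.

```python
import re
import sys
from typing import Dict, List, Tuple

# Access key IDs carry the "AKIA" prefix followed by 16 uppercase letters/digits.
ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# The 40-character secret has no fixed prefix, so it is only reported when it is
# assigned to a name containing both "aws" and "secret" (e.g. AWS_SECRET_ACCESS_KEY).
SECRET_KEY_RE = re.compile(
    r"(?i)aws\w{0,20}?secret\w{0,20}?\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Constructed staged files standing in for a commit. The key values are the
# placeholder credentials published in the AWS documentation, not real keys.
SAMPLE_FILES: Dict[str, str] = {
    "config/settings.py": (
        "DEBUG = True\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    ".env.example": "AWS_REGION=us-east-1\nDATABASE_URL=postgres://app@db.internal/app\n",
    "README.md": "Load AWS_ACCESS_KEY_ID from your vault; never commit AKIA... keys.\n",
}

Hit = Tuple[str, int, str, str]   # (path, line number, kind, redacted value)


def redact(value: str) -> str:
    """Show only enough of the value to locate it; hook output is often logged."""
    return value[:4] + "..." + value[-4:]


def scan_text(path: str, text: str) -> List[Hit]:
    """Return every credential-shaped match in text, one entry per match."""
    hits: List[Hit] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            hits.append((path, lineno, "aws_access_key_id", redact(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            hits.append((path, lineno, "aws_secret_access_key", redact(m.group(1))))
    return hits


def scan_files(files: Dict[str, str]) -> List[Hit]:
    """Scan a path -> contents mapping (what a hook would read from the git index)."""
    hits: List[Hit] = []
    for path, text in files.items():
        hits.extend(scan_text(path, text))
    return hits


if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    for path, lineno, kind, shown in found:
        print(f"{path}:{lineno}: {kind} {shown}")
    sys.exit(1 if found else 0)   # a non-zero exit blocks the commit
```

The scan is a last line of defence, not the control itself: keys that never reach a working tree (short-lived role credentials, secrets injected from a vault at run time) cannot be committed in the first place, and a key that does leak should be rotated rather than merely removed from history, since the scanning bots the page describes will already have copied it.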

Summary and conclusion

On the fixed residential side, the malware infection rate grew significantly in the first half of 2014, ending up at an all-time high of 14%. This was entirely due to moderate-threat-level adware infections. The infection rate for high-threat-level infections remained relatively constant except for a slight jump in Q2. Currently 5% of homes monitored by Motive Security Guardian are infected with a high-threat-level variety of malware such as a bot, rootkit or banking Trojan.

On the mobile front, infection levels increased 25% in 2014. The percentage of mobile devices that showed evidence of infection in December 2014 was 0.68%. Extrapolating from this gives about 16 million infected mobile devices worldwide. About 50% of the infected mobile devices are Android phones, with the remaining 50% being mostly Windows computers that are tethered to the mobile network. Less than 1% of the infections are from other devices such as iPhones, BlackBerry smartphones and Windows Phones. The number of Android malware samples in our database increased 161% in 2014.

In terms of malware trends, on the mobile side we have seen more sophisticated malware crossing over from the Windows/PC realm, and also more sophistication in the area of mobile spyware that tracks the victim’s calls, text messages and location. On the residential side, we have seen a significant increase in adware, with 14 out of the top 20 being in that category.


Terminology and definitions

This section defines some of the terminology used in this report.

Advanced Persistent Threat (APT): A targeted cyber attack launched against a company or government department by professional hackers using state-of-the-art tools, usually with information theft as the main motivation.

Infection vector: The mechanism used to infect a computer or network device. For example, on computers running the Windows operating system the most popular infection vector is web-based exploit kits, whereas on Android phones it is Trojanized applications.

Bot: An infected computer that is part of a botnet. A botnet is a network of infected computers that are controlled remotely via the Internet by cybercriminals. Botnets are used for sending spam email, ad-click fraud, DDoS attacks, distributing additional malware, Bitcoin mining and a variety of other purposes.

Rootkit: A malware component that compromises the computer’s operating system software for the purpose of concealing the malware from anti-virus and other detection technologies.

Trojans: Computer programs or applications that look fine on the surface but actually contain malware hidden inside. From the term Trojan Horse.

High/Moderate threat level: We split malware into High and Moderate threat levels. High is any threat that does damage, steals personal information or steals money. A Moderate threat is one that does no serious damage, but will be perceived by most as annoying and disruptive.

Ad-click fraud: Advertisers pay money, typically a few cents, when someone clicks on a web-based advertisement. Ad-click fraud is when someone uses software to fake these ad clicks and collect money from the advertisers for the fake clicks. Typically the ad-click software is packaged as malware and distributed through a botnet that is controlled by cybercriminals who make money from the fraud.

Bitcoin mining: Bitcoins are a form of virtual currency that can be created through complex arithmetic calculations that take a lot of computing power to perform. The process of executing these calculations to generate new Bitcoins is referred to as Bitcoin mining. Cybercriminals use large botnets to generate new Bitcoins efficiently.

About Motive Security Labs

Motive Security Labs focuses on the behavior of malware communications to develop network detection rules that specifically and positively detect current threats. This approach enables the detection of malware in the service provider’s network, and the signatures developed form the foundation of the Motive Security Guardian product suite.

To accurately detect that a user is infected, our detection rule set looks for network behavior that provides unequivocal evidence of infection coming from the user’s computer. This includes:

• Malware command and control (C&C) communications

• Backdoor connections

• Attempts to infect others (for example, exploits)

• Excessive email

• Denial of Service (DoS) and hacking activity
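The list above names the behaviours the detection rules look for. As an added example that is not the Motive Security Labs rule set or any product code, the Python below applies two rules of that kind to a constructed flow log of the sort a provider exports from its network: a beaconing rule that flags a host contacting the same destination and port at near-constant intervals (the footprint of scheduled C&C check-ins), and an excessive-email rule that flags a host opening SMTP connections to many distinct mail servers within a short window. The thresholds, field names and flow records are assumptions chosen for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    ts: int      # seconds from the start of the capture
    src: str     # subscriber-side address
    dst: str     # remote address
    dport: int   # remote port


# Constructed flow log standing in for a provider's NetFlow/IPFIX export.
SAMPLE_FLOWS: List[Flow] = (
    # 10.0.0.5 contacts one host on 8080 every ~300 s with little jitter
    [Flow(t, "10.0.0.5", "203.0.113.10", 8080) for t in (0, 301, 599, 902, 1200, 1499)]
    # 10.0.0.7 opens SMTP connections to twelve different servers within a minute
    + [Flow(5 * i, "10.0.0.7", f"198.51.100.{i + 1}", 25) for i in range(12)]
    # 10.0.0.9 browses normally: irregular timing, few repeats per destination
    + [Flow(10, "10.0.0.9", "192.0.2.1", 443), Flow(45, "10.0.0.9", "192.0.2.2", 443),
       Flow(400, "10.0.0.9", "192.0.2.1", 443), Flow(2000, "10.0.0.9", "192.0.2.3", 443)]
)


def detect_beacons(flows: List[Flow], min_flows: int = 5, max_cv: float = 0.10) -> List[Dict]:
    """Flag (src, dst, dport) triples seen at least min_flows times whose inter-arrival
    gaps have a coefficient of variation at or below max_cv: regular check-ins."""
    times: Dict[tuple, List[int]] = defaultdict(list)
    for f in flows:
        times[(f.src, f.dst, f.dport)].append(f.ts)
    alerts = []
    for (src, dst, dport), ts in times.items():
        if len(ts) < min_flows:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            alerts.append({"rule": "c2_beacon", "src": src, "dst": dst, "dport": dport,
                           "period_s": round(period), "cv": round(cv, 3)})
    return alerts


def detect_excessive_smtp(flows: List[Flow], window_s: int = 300,
                          min_distinct: int = 10) -> List[Dict]:
    """Flag hosts that reach at least min_distinct different SMTP servers inside
    any window_s-second window: subscriber machines rarely do, spam bots do."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        if f.dport == 25:
            by_src[f.src].append(f)
    alerts = []
    for src, smtp in by_src.items():
        smtp.sort(key=lambda f: f.ts)
        worst = 0
        for i, first in enumerate(smtp):
            servers = {f.dst for f in smtp[i:] if f.ts - first.ts < window_s}
            worst = max(worst, len(servers))
        if worst >= min_distinct:
            alerts.append({"rule": "excessive_email", "src": src,
                           "distinct_servers": worst, "window_s": window_s})
    return alerts


def run_rules(flows: List[Flow]) -> List[Dict]:
    """Run every rule and return the combined alert list."""
    return detect_beacons(flows) + detect_excessive_smtp(flows)


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_FLOWS):
        print(alert)
```

Both rules key on behaviour rather than on payload, which is the point the section makes: they keep working when the malware changes its binary or encrypts its traffic, and a provider can apply them without inspecting subscriber content. The cost is tuning; legitimate software also polls on a timer, so in production the beacon rule is usually combined with destination reputation or a minimum observation period before it pages anyone.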


Four main activities support our signature development and verification process.

1. Monitor information sources from major security vendors and maintain a database of currently active threats.

2. Collect malware samples (>10,000/day), then classify and correlate them against the threat database.

3. Execute samples matching the top threats in a sandbox environment and compare against our current signature set.

4. Conduct a detailed analysis of the malware’s behavior and build a new signature if a sample fails to trigger an existing one.

As an active member of the security community, Motive Security Labs also shares this research by publishing a list of the threats actually detected, a list of the top emerging threats on the Internet, and this report.

(Formerly Kindsight Security Solutions)

www.alcatel-lucent.com Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners. The information presented is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein. Copyright © 2015 Alcatel-Lucent. All rights reserved. MKT2015019837EN (February)