Author: Annis Gray
Malware Report Q4 2012

Copyright © 2013 Kindsight, Inc. All rights reserved.

Kindsight Security Labs Malware Report – Q4 2012

Contents

INTRODUCTION 1
Q4 2012 HIGHLIGHTS 1
2012 HIGHLIGHTS 1
Q4 2012 HOME NETWORK MALWARE STATISTICS 2
  Home Network Infection Rates 2
  Top 20 Home Network Infections 2
  Top 20 High Level Threats 3
  Top 20 Internet Threats 4
Q4 2012 MOBILE MALWARE STATISTICS 5
  Mobile Device Infection Rates 5
  Top Android Malware 5
  Mobile Spyware, BYOD and Corporate Espionage 6
2012 IN REVIEW 7
CONCLUSION 9
ABOUT KINDSIGHT SECURITY LABS 10

Introduction

The Kindsight Security Labs Q4 2012 Malware Report examines general trends for malware infections in home networks and in mobile devices and computers connected through mobile adapters. The data in this report is aggregated across the networks where Kindsight solutions are deployed.

[Callout: Slight reduction over previous quarter; infection rate = 11%]

Q4 2012 Highlights

• 11% of home networks were infected with malware in Q4/2012, down slightly from the 13% figure in the previous quarter.
• 6% of broadband customers, similar to Q3/2012, were infected with high-level threats such as bots, rootkits and banking Trojans.
• The ZeroAccess bot continued to be the most common malware threat in Q4, infecting about 0.8% of broadband users.
• In mobile networks 0.5% of devices exhibited high threat level malware. While this number is still small, it has increased 67% from 0.3% in Q3. Android malware samples increased 5.5 times in Q4 from Q3/2012.
• Mobile spyware that can track calls, text messages and location is on the rise. Combined with the BYOD trend, this type of spyware provides an excellent platform for corporate and industrial espionage.

2012 Highlights

• 13% of home networks were infected with malware in 2012, with 7% of broadband customers infected with high-level threats such as bots, rootkits and banking Trojans.
• Botnets were a major issue throughout 2012, with 4 of the top 5 threats being bot-related infections and almost 50 percent of infected home networks having a botnet issue.
• ZeroAccess was the most common malware in 2012 and was the top threat throughout the 2nd half of the year.
• The Mac Flashback bot made it to the top of the list in the second quarter of 2012 and finished in the top 5 malware in 2012.


Q4 2012 Home Malware Statistics

Home Network Infection Rates

In fixed broadband deployments in Q4 2012 we found that 11% of residential households show evidence of malware infection. This has decreased slightly from 13% in Q3. 6% of households were infected by high threat level malware such as a botnet, rootkit or banking Trojan, with 6% of households also infected with moderate threat level malware such as spyware, browser hijackers or adware. Some households had multiple infections, including both high and moderate threat level infections.

[Chart: Home Networks Infected with Malware – Infected 11%. Division of Infections by Threat Level – High 6%, Moderate 6%. No significant change over previous quarter in high level threats.]

Top 20 Home Network Infections

The chart below shows the top home network infections detected in Kindsight deployments. The results are aggregated and the order is based on the number of infections detected over the three month period of this report.

Position  Name                         Threat Level  % of Total  Last Quarter
1         Botnet.ZeroAccess2           High          20.19%      2
2         Spyware.MyWebSearchToolbar   Moderate      9.94%       3
3         Adware.GameVance             Moderate      6.75%       4
4         Backdoor.TDSS                High          5.93%       5
5         Trackware.Binder             High          5.41%       7
6         Downloader.Agent.TK          High          4.75%       11
7         Hijacker.StartPage.KS        Moderate      4.58%       9
8         Adware.MarketScore           Moderate      3.31%       8
9         Botnet.Alureon.A             High          2.54%       10
10        BankingTrojan.Zeus           High          2.37%       13
11        Backdoor.Hupigon.FI          High          2.23%       16
12        Botnet.ZeroAccess1           High          2.13%       1
13        Virus.Sality.AT              High          1.60%       -
14        Hijacker.MyWebSearch         Moderate      1.55%       12
15        ScareWare.FakeXPA            High          1.44%       -
16        MAC.Bot.Flashback.K/I        High          1.28%       15
17        Spyware.SBU-Hotbar           Moderate      1.10%       17
18        Trojan.Alureon/TDL/TDSS      High          0.89%       -
19        Adware.MediaFinder           Moderate      0.71%       -
20        Trojan.Medfos.A              High          0.59%       14


Top 20 High Level Threats

The table shows the top 20 high threat level malware that leads to identity theft, cybercrime or other online attacks. We'll look at the significant ones in more detail below.

Position  Name                         % of Total  Last Quarter
1         Botnet.ZeroAccess2           31.59%      2
2         Backdoor.TDSS                9.28%       3
3         Downloader.Agent.TK          7.44%       5
4         Trojan.Alureon.A             3.98%       4
5         BankingTrojan.Zeus           3.71%       6
6         Backdoor.Hupigon.FI          3.50%       9
7         Botnet.ZeroAccess1           3.33%       1
8         Virus.Sality.AT              2.50%       12
9         ScareWare.FakeXPA            2.25%       -
10        MAC.Bot.Flashback.K/I        2.00%       8
11        Trojan.Alureon/TDL/TDSS      1.39%       -
12        Botnet.ZeroAccess1           1.32%       1
13        Backdoor.Hupigon.DZ          0.93%       13
14        Trojan.Obvod.K               0.93%       10
15        Trojan.Medfos.A              0.93%       7
16        Android.Trojan.Wapsx         0.72%       -
17        BankingTrojan.ZBot           0.69%       -
18        Trojan.DNSchanger            0.62%       15
19        Generic.Spambot              0.58%       19
20        Trojan.Proxyier.qk           0.55%       18

Throughout 2012, two versions of the ZeroAccess peer-to-peer bot vied for the top spot. In Q4 the newer version, which uses a UDP-based command and control protocol, gained a firm grip on number one, with the original version dropping to number 7.

TDSS and Alureon are related rootkits that conceal themselves on the victim's computer and allow the malware controller to download additional malware to the infected device. These are often associated with subsequent spam bots and banking Trojans. Various versions of these are in second, fourth and eleventh positions.

Agent.TK jumped up the table at the end of Q4 and doubled the number of home networks it infected from Q3. There was a significant increase in activity over the holiday period, which can be linked to some new C&C sites in China. This increase was probably the result of a holiday season spam campaign to get the malware installed. This threat is a Trojan downloader that accesses remote websites and attempts to download and install malicious or potentially unwanted software.

The Zeus banking Trojan continues to cause havoc at position number five. This bot attaches itself to the victim's browser and monitors online banking activity. Banking credentials and credit card numbers are then sent back to a command and control site. Over the years, various versions of Zeus have been responsible for millions of dollars in online banking fraud.

Two versions of the Hupigon backdoor Trojan continue to appear in the top twenty. Hupigon provides the attacker with backdoor remote access to the infected computer and also includes keylogger components to steal access credentials and passwords. It also uses rootkit technology to hide its files and processes from detection.


Sality moved up from twelve to eight this quarter, mostly due to a significant infection event over the Christmas break. It is a virus that spreads by infecting Windows executable files and by copying itself to removable and remote drives. It also terminates various security products, prevents certain Windows utilities from executing and attempts to download additional files from a predefined remote web server.

FakeXPA is new to the top 20 this quarter. It was strong at the beginning of Q4 but there was a significant drop-off in December. It is a family of programs that claims to scan for malware and displays fake warnings of "malicious programs and viruses". They then inform the user that they need to pay money to register the software in order to remove these non-existent threats. Some members of the Win32/FakeXPA family may also download additional malware and have been observed in the wild downloading variants of Alureon.

The Mac-based Flashback is on the decline, as are detections of DNSChanger, but some computers are clearly still infected. Android malware moved into the top 20 for the first time with Wapsx, an information-stealing Trojan.

Top 20 Internet Threats

The chart below shows the top 20 most prolific malware found on the Internet. The order is based on the number of distinct samples we have captured from the Internet at large. Finding a large number of samples indicates that the malware distribution is extensive and that the malware author is making a serious attempt to evade detection by anti-virus products.

[Chart: PROLIFIC MALWARE, bar chart with y-axis 0.00% to 7.00%; families in chart order:]
Adware:Win32/Hotbar
Worm:Win32/Allaple.A
Worm:Win32/Vobfus.GZ
Virus:Win32/Sality.AT
Virus:Win32/Sality.AM
Backdoor:Win32/Kelihos.F
Trojan:Win32/Vundo.QA
Worm:Win32/Ainslot.A
Trojan:Win32/Sirefef.P
Trojan:Win32/Vundo
VirTool:Win32/VBInject
Backdoor:Win32/Simda
Rogue:Win32/Winwebsec
Trojan:Win32/Alyak.C
Virus:Win32/Virut.BN
Trojan:Win32/Rimecud.A
Worm:Win32/Vobfus
Worm:Win32/Vobfus.CF
PWS:Win32/Zbot
TrojanDropper:Win32/Loring
Worm:Win32/Vobfus.gen!N
Worm:Win32/Mydoom.O@mm
Worm:Win32/Vobfus.gen!W
Backdoor:Win32/Fynloski.A
Virus:Win32/Morto.A

Q4 2012 Mobile Malware Statistics

Mobile Device Infection Rates

In mobile networks we found that 0.5% of devices were infected with high threat level malware, which is an increase from 0.3% in Q3. The infected devices include Android phones and laptops tethered to a phone or connected directly through a mobile USB stick/hub. The infection rate is low because the total device count includes a large number of feature phones that are not malware targets. However, we saw a 5.5x increase in the number of Android malware samples.

[Callout: Mobile Malware Infections – 67% increase over previous quarter]

[Chart: 2012 Malware Samples by quarter (Q1 2012 through Q4 2012), y-axis 0 to 9000 samples; 5.5x increase]

Top Android Malware

The table below shows the top Android malware detected in the networks where the Kindsight Mobile Security solution is deployed. The following table shows the top 10 Android infections of Q4.

Position  Name                      % of Total  Last Quarter
1         Trojan.Wapsx              42.24%      3
2         Trojan.MMarketPay.a       15.09%      4
3         Trojan.GGTracker          12.58%      1
4         Spyware.MobileSpy         10.11%      2
5         Trojan.Opfake.bo          5.73%       9
6         Trojan.Pjapps3.A          3.02%       5
7         BankingTrojan.FakeToken   2.86%       7
8         Spyware.FlexiSpy          2.79%       6
9         Trojan.Anserver.A         2.66%       11
10        Root.DroidDream           1.73%       10

For the most part these are all “trojanized” apps that steal information about the phone or send SMS messages, but the list also includes a banking Trojan that intercepts access tokens for banking web sites and two spyware applications that are used to spy on family members or associates.


Mobile Spyware, BYOD and Corporate Espionage

Until now mobile spyware, such as MobileSpy and FlexiSpy, has been aimed at the consumer market, with the promise of being able to track your loved one's every move through their phone. These products can be used to keep track of your children, which seems to have some legitimacy, but they are typically marketed to catch cheating partners and for other more dubious purposes. Typical features for these products include:

• Tracking the phone's location
• Logging phone calls made and received
• Recording text messages sent and received
• Monitoring e-mail
• Monitoring social media activity
• Monitoring browsing activity
• Access to photos and contact information

In the BYOD context these spyware applications pose a huge threat because they can be installed surreptitiously on an employee’s phone and used for industrial or corporate espionage. In addition to the features listed above, it is fairly easy to add the ability to activate the phone’s microphone and camera without the user knowing and stream the output through the Internet in real time to a remote command and control server. This gives the attacker the ability to monitor and record business meetings. The command and control server can also remotely operate the device, allowing the attacker to send text messages or make calls from the device without the user’s knowledge. They can also retrieve or modify information stored on the device. The mobile phone is also a fully functional network device. When connected to the company Wifi, the infected phone provides the attacker with remote access to the network and the ability to probe the network for vulnerabilities and assets. It is the perfect platform for launching advanced persistent threats (APT). We built a proof of concept version of this in our lab and can confirm that these threats are very real. The spyware can be packaged as a Trojan inside a legitimate application with the victim enticed to install it using social engineering and phishing techniques. Our proof of concept version was packaged inside a legitimate version of Angry Birds.


2012 in Review

In fixed broadband deployments in 2012 we found that 12.8% of residential households show evidence of malware infection. This was fairly consistent throughout the year, with Q2 having the highest infection rate at 14%. 6.9% of households were infected by high threat level malware such as a botnet, rootkit or banking Trojan, with Q2 also reporting the biggest infection rate for high-level threats at 9%. The chart below shows the top 25 home network infections detected in Kindsight deployments throughout the past 12 months, with a brief summary of the top malware from 2012.

Position  Name                            Type           % of Total
1         Win32.Bot.ZeroAccess            Bot            16.87
2         Win32.Backdoor.TDSS             Bot            10.03
3         Win32.Downloader.Agent.TK       Downloader     6.51
4         Win32.Trojan.Alureon.A          Bot            6.28
5         MAC.Bot.Flashback.K/I           Bot            4.14
6         Win32.BankingTrojan.Zeus        BankingTrojan  3.83
7         Win32.Bot.Alureon/TDL/TDSS      Bot            3.39
8         Win32.Virus.Sality.AT           Virus          2.21
9         DNS.Trojan.DNSchanger           Trojan         1.91
10        Win32.Trojan.Medfos.A           Trojan         1.87
11        Win32.Backdoor.Cycbot.B         Backdoor       1.13
12        Generic.Spam                    Spambot        0.98
13        Android.Trojan.GGTracker        Trojan         0.95
14        Win32.ScareWare.FakeXPA         Scareware      0.94
15        Win32.Trojan.Obvod.K            Trojan         0.89
16        Win32.Trojan.Proxyier.qk        Trojan         0.88
17        Win32.Backdoor.Hupigon.DZ       Backdoor       0.63
18        Win32.Exploit.NETAPI            Hacking        0.61
19        Win32.Backdoor.Blackhole        Backdoor       0.54
20        Win32.Downloader.Obvod.H        Downloader     0.53
21        Win32.BankingTrojan.SpyEye      BankingTrojan  0.53
22        Win32.Trojan.Hiloti.gen!A       Trojan         0.53
23        Win32.Trojan.Piptea.J/Cutwail   Spambot        0.45
24        Win32.Trojan.Zeprox.A           Trojan         0.40
25        Win32.Exploit.Blackhole         Exploit        0.36

ZeroAccess Bot

ZeroAccess was the most active botnet in 2012. The main purpose of the botnet is to distribute malware responsible for a massive ad-click fraud campaign. One version also makes money through "Bitcoin mining". In February, we first published a detailed analysis of its network behavior and the encrypted p2p protocol it uses to communicate with its peers. In Q2 the bot morphed, changing its infection process and C&C protocol. A detailed description of the new C&C protocol can be found in "New C&C Protocol for ZeroAccess/Sirefef". Both versions of the bot are currently active, but the updated one continues to grow as the other one winds down.


TDSS/Alureon Bot

Another very active botnet in 2012 was the TDSS/Alureon family, also known as TDL-4. This is a rootkit bot that buries itself in the master boot record of the infected computer and uses various stealth techniques to hide itself from traditional antivirus software. It even goes so far as to remove competing malware from the infected computer. This provides the attacker with a secure platform to load additional malware to monetize their botnet, and it is often associated with subsequent spambot, banking Trojan and identity theft infections.

Agent.TK Downloader

Agent.TK surged up the list in late 2012, which can be linked to some new C&C sites in China. This threat is a Trojan downloader that accesses remote websites and attempts to download and install malicious or potentially unwanted software.

Mac Flashback

For the first time ever, malware targeting the Macintosh platform hit the number one position on the Kindsight Security Labs home network infections list in April 2012. It was not a minor outbreak either, as our statistics for April showed that 1.1% of homes were infected with this malware. Based on Mac market share, this translates into about 10% of homes with Mac computers being infected with this malware. This malware was spread via a Java applet posing as a fake update for the Adobe Flash Player. It downloads and installs the malware, which then connects to a command and control (C&C) server to await additional instructions. Security researchers at Symantec discovered that in addition to stealing passwords, Flashback is also being used for ad-click fraud.

Zeus Banking Trojan

The well-known banking Trojan Zeus continued to place in the top 10 in our high threat level report throughout 2012. Our detection signatures continued to evolve with the malware. In 2012 a new version of Zeus emerged that uses a peer-to-peer protocol to maintain contact with its command and control sites. The malware is usually installed via a rootkit such as Alureon or as a result of an e-mail phishing attack that lures the user to a web site running an exploit kit such as BlackHole.


Conclusion

Q4 was pretty much a continuation of Q3 in terms of malware activity, with some jockeying for position in the top 20 lists. The residential malware infection rate continues to be in the two-digit percentage range, ZeroAccess has established itself as a solid number one botnet, spam levels trailed off a bit and Android infections continued to grow. In 2013 we expect to see more resilient p2p botnets like ZeroAccess, which will also continue to be a major problem despite takedown attempts. If 2012 is any indication, then exploit kits (like Blackhole) hosted on compromised web servers will continue to be the major infection vector. Android malware could be considered an emerging threat in 2012, but in 2013 we anticipate it will grow to new levels as attackers learn to monetize their malware. As explained earlier in the report, we see a major story next year where our proof of concept becomes a reality and an employee's Android phone is used as a platform to hack into a major corporation.


About Kindsight Security Labs

Kindsight Security Labs focuses on the behavior of malware communications to develop network signatures that detect current threats with low false positives. This approach enables the detection of malware in the service provider network, and the signatures developed form the foundation of Kindsight Security Analytics and Kindsight Security Services. To accurately detect that a user is infected, our signature set looks for network behavior that provides unequivocal evidence of infection coming from the user's computer. This includes:

• Malware command and control (C&C) communications
• Backdoor connections
• Attempts to infect others (e.g. exploits)
• Excessive e-mail
• Denial of Service (DoS) and hacking activity

There are four main activities that support our signature development and verification process.

1. Monitor information sources from major security vendors and maintain a database of currently active threats.
2. Collect malware samples (>10,000/day), classify and correlate them against the threat database.
3. Execute samples matching the top threats in a sandbox environment and compare against our current signature set.
4. Conduct a detailed analysis of the malware's behavior and build new signatures if a sample fails to trigger a signature.

As an active member of the security community, Kindsight Security Labs also shares this research by publishing a list of actual threats detected and the top emerging threats on the Internet and this report.
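The following is an added worked example, not Kindsight's signature engine or any code from this report. It ties together two passages: the network behaviours listed above as evidence of infection (excessive e-mail, infection attempts against other hosts, p2p and beaconing C&C traffic) and the household figures from the "Home Network Infection Rates" section, where the High and Moderate percentages can add up to more than the overall infected rate because one household can carry both. The flow records, host names (reserved `.example` domain), addresses (10.0.0.0/8 and the 203.0.113.0/24 documentation range), the port 34567 and every threshold are constructed placeholders; the signature names in the findings are likewise made up for this example.

```python
"""Toy network-behaviour detector plus household infection-rate aggregation.

Added illustration only: not Kindsight's signature engine. Every host name,
address, port and threshold below is a constructed placeholder.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    household: str  # subscriber line the flow was observed on
    src: str        # internal host (private address)
    dst: str        # remote host name or address
    dport: int      # destination port
    proto: str      # "tcp" or "udp"
    ts: int         # seconds since the start of the observation window


ADWARE_HOSTS = {"ads.toolbar.example"}  # constructed indicator for a toolbar tracker

# Illustrative thresholds; a real engine tunes these per network.
SMTP_DISTINCT_DSTS = 20  # "excessive e-mail": spambot fan-out
SMB_DISTINCT_PEERS = 10  # "attempts to infect others": internal SMB sweep
P2P_DISTINCT_PEERS = 15  # UDP peer churn on one port, p2p-bot style C&C
BEACON_MIN_CONNS = 6     # periodic connections to a single remote host


def classify_host(flows):
    """Return [(signature, threat_level)] findings for one internal host."""
    findings = []
    smtp = {f.dst for f in flows if f.proto == "tcp" and f.dport == 25}
    if len(smtp) >= SMTP_DISTINCT_DSTS:
        findings.append(("Generic.Spambot", "High"))
    smb = {f.dst for f in flows if f.dport == 445 and f.dst.startswith("10.")}
    if len(smb) >= SMB_DISTINCT_PEERS:
        findings.append(("Scan.SMB", "High"))
    udp_peers = defaultdict(set)
    for f in flows:
        if f.proto == "udp":
            udp_peers[f.dport].add(f.dst)
    if any(len(peers) >= P2P_DISTINCT_PEERS for peers in udp_peers.values()):
        findings.append(("Botnet.P2P.UDP", "High"))
    by_dst = defaultdict(list)
    for f in flows:
        if f.proto == "tcp":
            by_dst[f.dst].append(f.ts)
    for times in by_dst.values():
        if len(times) >= BEACON_MIN_CONNS:
            times.sort()
            gaps = [b - a for a, b in zip(times, times[1:])]
            if pstdev(gaps) <= 0.1 * mean(gaps):  # low jitter is the beacon tell
                findings.append(("CnC.Beacon", "High"))
    if any(f.dst in ADWARE_HOSTS for f in flows):
        findings.append(("Adware.Generic", "Moderate"))
    return findings


def infection_rates(flows, total_households):
    """Fold per-host findings into the report's three headline household figures."""
    per_host = defaultdict(list)
    for f in flows:
        per_host[(f.household, f.src)].append(f)
    infected, high, moderate = set(), set(), set()
    for (house, _), host_flows in per_host.items():
        for _, level in classify_host(host_flows):
            infected.add(house)
            (high if level == "High" else moderate).add(house)

    def pct(houses):
        return round(100.0 * len(houses) / total_households, 1)

    # "both" is why high + moderate can exceed the overall infected rate.
    return {"infected": pct(infected), "high": pct(high),
            "moderate": pct(moderate), "both": len(high & moderate)}


def sample_flows():
    """Constructed telemetry for five of twenty households (not real data)."""
    # H01: one SMTP session to each of 25 distinct mail servers -> spambot
    fl = [Flow("H01", "10.0.1.5", f"mx{i}.example", 25, "tcp", i) for i in range(25)]
    # H02: adware tracker hit plus a C&C beacon every 60 s -> Moderate and High
    fl.append(Flow("H02", "10.0.2.7", "ads.toolbar.example", 80, "tcp", 5))
    fl += [Flow("H02", "10.0.2.7", "c2.example", 443, "tcp", 60 * i) for i in range(8)]
    # H03: adware tracker hit only -> Moderate
    fl.append(Flow("H03", "10.0.3.9", "ads.toolbar.example", 80, "tcp", 12))
    # H04: UDP contact with 20 distinct peers on one port -> p2p bot, High
    fl += [Flow("H04", "10.0.4.3", f"203.0.113.{i}", 34567, "udp", i) for i in range(1, 21)]
    # H05: three ordinary HTTPS sessions to different sites -> clean
    fl += [Flow("H05", "10.0.5.2", f"site{i}.example", 443, "tcp", 30 * i) for i in range(3)]
    return fl


if __name__ == "__main__":
    print(infection_rates(sample_flows(), total_households=20))
```

On the constructed data the block reports 20% of households infected, 15% with a High finding and 10% with a Moderate finding, with one household counted in both. The same overlap is why the report's own 6% High and 6% Moderate figures do not sum to its 11% overall rate. The beacon rule keys on regularity rather than on any known address, which is the kind of behavioural evidence the section above describes, while the adware rule shows the complementary indicator-based approach.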

Kindsight, Inc. 555 Legget Drive, Tower B, Suite 132 Ottawa, ON K2K 2X3 Canada Copyright © 2013 Kindsight, Inc. Kindsight is a registered trademark of Kindsight, Inc. All rights reserved.

T: +1 613.592.3200

[email protected] www.kindsight.net