Malware Trend Report, Q3 2015 (July | August | September)
November 2015. Copyright RedSocks B.V. © 2014-2015. All Rights Reserved.
Malware Trend Report
Quarter 3, 2015
Table of Contents
1. Introduction, p. 5
2. Summary, p. 6
2.1. Data Breaches and Security News, p. 6
3. Methodology, p. 9
3.1. Collecting Malware, p. 9
3.2. Processing Malware, p. 10
3.3. Detecting Malware, p. 10
3.4. Classifying Malware, p. 12
4. Trends, p. 13
4.1. Backdoors, p. 13
4.2. Exploits, p. 15
4.3. Rootkits, p. 17
4.4. Trojans, p. 18
4.5. Worms, p. 22
4.6. 64-Bit Malware, p. 23
4.7. Others, p. 25
5. Geolocation, p. 28
6. Final Word, p. 30
Appendix A: Detecting Malware, p. 28
Appendix B: Classifying Malware, p. 29
Table of Figures
Figure 01: Unique New Malicious Files Q3-2015, p. 9
Figure 02: Distribution New Malicious Files Q3-2015, p. 9
Figure 03: Storing New Malicious Files Q3-2015, p. 10
Figure 04: Detection by Anti-Virus Engines Q3-2015, p. 11
Figure 05: Anti-Virus Detection Percentage Q3-2015, p. 11
Figure 06: Files Identified as Backdoor Q3-2015, p. 13
Figure 07: Distribution of Backdoors Q3-2015, p. 14
Figure 08: Distribution of Variations of Backdoor Wabot.a Q3-2015, p. 15
Figure 09: Files Identified as Exploits Q3-2015, p. 16
Figure 10: Distribution of Exploits Q3-2015, p. 16
Figure 11: Files Identified as Rootkit Q3-2015, p. 17
Figure 12: Distribution of Rootkits Q2-2015, p. 18
Figure 13: Files Identified as Trojan Q3-2015, p. 19
Figure 14: Distribution of Trojans Q3-2015, p. 19
Figure 15: Distribution of Trojan Downloaders Q3-2015, p. 20
Figure 16: Distribution of Trojan-Droppers Q3-2015, p. 20
Figure 17: Distribution of Trojan PWS Q3-2015, p. 21
Figure 18: Distribution of Trojan-Spy Q3-2015, p. 21
Figure 19: Files Identified as Worm Q3-2015, p. 22
Figure 20: Distribution of Worms Q3-2015, p. 22
Figure 21: Distribution of Alleaple.e Worm Q3-2015, p. 23
Figure 22: Files Identified with 64-Bit Malware Q3-2015, p. 24
Figure 23: Distribution of 64-Bit Malware Q3-2015, p. 24
Figure 24: Files Identified as Other Malware Q3-2015, p. 25
Figure 25: Distribution of Other Malware Q3-2015, p. 26
Figure 26: Files Identified as Macro-based Malware Q1 & Q2-2015, p. 26
Figure 27: Distribution of Macro-based Malware Q3-2015, p. 27
Figure 28: Sum of the Top 10 C&C Hosting Countries Q3-2015, p. 28
Figure 29: Top 10 C&C Hosting Countries Q3-2015, p. 28
Figure 30: Distribution of 64-Bit Adware Q2 and Q3-2015, p. 30
Table of Tables
Table 1: Malware Categories Q3-2015, p. 12
Table 2: Top 10 Backdoor Families Q3 vs. Q2-2015, p. 14
Table 3: Top 10 Exploit Families Q3 vs. Q2-2015, p. 17
Table 4: Top 10 Rootkit Families Q3 vs. Q2-2015, p. 18
Table 5: Top 10 Worm Families Q3 vs. Q2-2015, p. 23
Table 6: Top 10 64-Bit Malware Families Q3 vs. Q2-2015, p. 25
Table 7: Top 10 Macro Families Q3 vs. Q2-2015, p. 27
Table 8: Top 10 Countries Hosting C&C Q3-2015, p. 29
Table 9: Identified Malware per Category Q3 vs. Q2-2015, p. 30
1. Introduction
This is the third quarterly trend report for 2015 from the RedSocks Malware Research Lab. RedSocks is a 100 percent Dutch company specializing in malware detection. Our product, the RedSocks Malware Threat Defender, is a network appliance that analyses digital traffic flows in real time, based on algorithms and lists of malicious indicators. This critical information is compiled by the RedSocks Malware Intelligence Team (RSMIT). The team consists of specialists whose job is to identify and analyse new threats and trends on the Internet and to translate our analyses into state-of-the-art malware detection capabilities.

With this report we hope to give the reader a deeper insight into the trends we see in the malware we process, looking at data collected during the third quarter of 2015. At RedSocks we analyse large numbers of malicious files on a daily basis, so this trend report can only cover a few topics briefly.

Protecting your data from Internet-based threats is not an easy task, and relying solely on protection from Anti-Virus companies - no matter how established their brand - is not enough. Comprehensive protection requires an entirely new approach.
2. Summary
In the third quarter of 2015, over 26 million new and unique malicious files were processed in the RedSocks Malware Labs: 7.9 million in July, 8.9 million in August, and 9.5 million in September. Compared with the second quarter of 2015, that is a decrease of 7 percent.

This quarter, the overall detection by Anti-Virus software was only 56.32 percent, an increase of 4.22 percent when compared to the second quarter of 2015. The detection rate for July was only 46.03 percent. For August it was a much improved 59.27 percent, and in September the average detection was 63.90 percent. Please note that identification rates can change depending on the samples chosen, the scanning engines used and the time of scanning.

During the third quarter the number of unique files identified as backdoors was 180,000, a 118 percent increase when compared to the number of files found in the second quarter of 2015. The Anti-Virus software identified 11,141 exploits and 28,812 rootkits in the third quarter of this year. The identified exploits increased by 109 percent and the rootkits by 124 percent when compared to the second quarter of 2015.

A total of 3.6 million Trojan files were found in the third quarter: 1 million in July, 1.2 million in August, and 1.4 million in September, a decrease of 10 percent when compared with Q2 2015. In July 418,000 worm files were identified. In August that number increased to 574,000, and in September 1.6 million worms were added to our databases. Compared with the 4 million worms from Q2 2015, that is a decrease of 37 percent. Grouped together, all other malicious files (flooders, hacktools, spoofers, spyware, viruses, etc.) added up to 5.4 million unique malicious files over July, August and September, which is about the same as the number of files found in the second quarter of 2015.

Within the top 10 countries hosting C&C servers there was little change. The United States is still leading, followed by the Russian Federation. A total of 7,822 active C&C servers were found and added to our blacklist in the third quarter of this year (5,044 in July, 1,129 in August, and 1,430 in September). When compared with Q2-2015, this is a decrease of 48 percent. The Netherlands hosted a total of 433 C&C servers in the third quarter of 2015, good for 4th place.
2.1. Data Breaches and Security News
On 5 July, a new spam run was spotted involving a ransomware-carrying attachment. The scheme invites the recipient to download and view the sender's resume (my_resume_pdf_id_14227311.scr), which leads to the execution of a malicious file. Once downloaded and executed, the affected system is locked down and displays a message notifying the victim that the files are encrypted with RSA-2048 using CryptoWall 3.0. Ultimately, this means that the documents and data stored on the system can no longer be accessed unless the victim pays the cybercriminal.
CryptoWall 3.0 is another evolved variant that uses heavily obfuscated hardcoded URLs to evade detection. This buys the malware more time to communicate with a C&C server and acquire the RSA public key needed to carry out its file encryption. The C&C server is separate from its payment page, which still uses Tor, to ensure that such transactions keep running without interference from the authorities. CryptoWall 3.0 also employs "smarter" measures for deleting the target system's shadow copies to prevent attempts at restoring files to their previous state, leaving a victim without any other option but to pay up. (Source: http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/-resume-spam-used-to-spread-cryptowall-3-0-ransomware).
On 15 July, a total of forty cybercriminals were arrested by the FBI and the Dutch police. The underground forum Darkode was used by cybercriminals to sell stolen data and to exchange information such as software to hack companies or individuals. The seizure of the Darkode servers led to the arrest of forty people. The forum had between 250 and 300 members. Those who were arrested are accused of computer fraud, money laundering and selling criminal malware. According to the American prosecutor, the Darkode forum was the most significant and dangerous of the 800 underground forums in existence today. (Source: https://www.europol.europa.eu/content/cybercriminal-darkode-forum-taken-down-through-global-action).
In August, as the government moved to tighten controls on the Internet, the police in China reported that they had arrested about 15,000 people for crimes that "jeopardized Internet security". Police had investigated 7,400 cases of cybercrime, the Ministry of Public Security said in a statement on its website. It did not make clear over what period the arrests were made, but referred to a case dating to last December. The sweep targeted websites providing "illegal and harmful information" as well as advertisements for pornography, gambling, explosives and firearms. The police said they investigated 66,000 websites in total. China runs one of the world's most sophisticated online censorship mechanisms, known as the Great Firewall. Censors keep a tight grip on what can be published, particularly material that could potentially undermine the ruling Communist Party. (Source: http://www.reuters.com/article/2015/08/18/us-china-internet-idUSKCN0QN1A520150818)
Over this past summer, a new attack vector has caught on, and while it is still used relatively infrequently, at least one security firm believes it will soon be extremely prominent. Calling the Portmapper attack vector an "alarming trend", Level 3 Communications issued a warning to other security firms and professionals in its latest blog post. Dale Drew, CSO at Level 3, told SCMagazine.com that millions of servers run an open portmapper service, leaving them ripe for exploitation, adding that the perpetrators behind this attack vector appear to be trying to develop an "automated capability" and find the "best way to make it work". Within days of discovering the Portmapper amplification attack, efforts to use it increased significantly. When comparing the last week of June to a week in early August, global portmap traffic grew by a factor of 22, the company's post stated. (Source: http://blog.level3.com/security/a-new-ddos-reflection-attack-portmapper-an-early-warning-to-the-industry/).
On 15 September, Rob Norris, Fujitsu's UK enterprise and cyber-security director, confirmed to SCMagazineUK.com that Fujitsu had found the 385 million email addresses on a server hosted in Russia as part of its activity tracking Dridex over the past few months. In that time, Fujitsu has seen as many as 12 different Dridex phishing campaigns in one day. Fujitsu discovered the massive database after following a trail from major clients who had fallen victim to hackers. The campaign was global but targeted the UK in particular. Fujitsu said the targets were mainly people in accounts roles in UK-based banks, government agencies and other corporates. Norris said that as the threat continues to get more advanced: "The financial sector must consider deploying behavioural-based security technologies. A good user education programme for staff on the dangers of email would go some way to reducing this risk." (Source: http://www.scmagazineuk.com/uk-firms-hit-as-dridex-criminals-target-385-million-emails/article/438564/).
In September, security researchers uncovered a network of infected Linux computers that was flooding gaming and education sites with as much as 150 gigabits per second of malicious traffic. The XOR DDoS or Xor.DDoS botnet, as the distributed denial-of-service network has been dubbed, targets as many as 20 sites each day, according to an advisory published by content delivery network Akamai Technologies. In some cases, the IP address of the participating bot is spoofed in a way that makes the compromised machines appear to be part of the network being targeted. That technique can make it harder for defenders to stop the attack. Xor.DDoS is multi-platform, polymorphic malware for Linux, and its ultimate goal is to DDoS other machines, a separate write-up on the botnet explained. XOR DDoS takes hold by cracking weak passwords used to protect the command shell of Linux computers. (Source: http://bartblaze.blogspot.nl/2015/09/notes-on-linuxxorddos.html).
3. Methodology
3.1. Collecting Malware
At the RedSocks Malware Research Labs, we track large numbers of malware from our globally distributed honeypots, honey-clients, spam-nets and various botnet monitoring sensors. Thanks to the distribution of our honeypots we are able to automatically collect and process new malicious samples from across the globe. We also exchange large quantities of malicious files with the Anti-Virus industry.
[Figure 01: Unique New Malicious Files Q3-2015. Bar chart of unique new malicious files per month, comparing July to September 2014 (Q3-2014), April to June 2015 (Q2-2015) and July to September 2015 (Q3-2015).]
In the third quarter of 2015, we processed a total of 26,284,813 unique malicious samples. This is 94 percent of the total for Q2-2015 and 116 percent of the total for Q3-2014.
[Figure 02: Distribution New Malicious Files Q3-2015. Daily count of new malicious files from 1 July to 29 September 2015; y-axis from 0 to 600,000.]
Figure 2 shows that almost 493,000 new and unique malicious files were collected and processed on 5 September. The second-best day for collecting malware, with 419,000 samples, was 3 September.
3.2. Processing Malware
Working with malware is what we love to do. More than 286,000 new malicious files arrive at our automated malware collecting machines every day. Every sample is renamed to its hash value. We then check whether that particular piece of malware has already been processed.
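The hash-then-deduplicate intake step described above, as an added example (not RedSocks' pipeline code): each incoming file is streamed through SHA-256, renamed to its digest, and dropped if a file with that digest is already in the store. The store directory, function names and the three sample files are constructed for the demo, and the sample bytes are harmless placeholders, not malware.

```python
"""Hash-based intake: rename each sample to its SHA-256 and skip duplicates.

Added example, not RedSocks code. It assumes a local directory acts as the
sample store and that "already processed" means "a file with this hash is
already present". The sample bytes below are constructed, not real malware.
"""
import hashlib
import os
import tempfile


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    # Stream the file so very large samples do not have to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def ingest(sample_paths, store_dir):
    """Move new samples into store_dir under their hash; report duplicates.

    Returns (stored_hashes, duplicate_hashes) in arrival order.
    """
    os.makedirs(store_dir, exist_ok=True)
    stored, duplicates = [], []
    for path in sample_paths:
        digest = sha256_of_file(path)
        target = os.path.join(store_dir, digest)
        if os.path.exists(target):
            # Same content seen before (possibly under a different file name):
            # discard the incoming copy rather than store it twice.
            duplicates.append(digest)
            os.remove(path)
            continue
        os.replace(path, target)
        stored.append(digest)
    return stored, duplicates


def demo():
    """Constructed run: three files, two of which share the same content."""
    work = tempfile.mkdtemp(prefix="intake_")
    inbox = os.path.join(work, "inbox")
    store = os.path.join(work, "store")
    os.makedirs(inbox)
    samples = {
        "resume.scr": b"MZ constructed sample A",
        "invoice.exe": b"MZ constructed sample B",
        "resume_copy.scr": b"MZ constructed sample A",  # same bytes as resume.scr
    }
    paths = []
    for name, data in samples.items():
        p = os.path.join(inbox, name)
        with open(p, "wb") as fh:
            fh.write(data)
        paths.append(p)
    stored, dupes = ingest(paths, store)
    return stored, dupes, sorted(os.listdir(store))


if __name__ == "__main__":
    stored, dupes, on_disk = demo()
    print("stored:", stored)
    print("duplicates:", dupes)
    print("files in store:", on_disk)
```

Naming by content hash is what makes the duplicate check cheap: a second copy of the same sample arriving under a different file name (the two resumes above) collides on the store path and is never processed twice. SHA-256 is used rather than MD5 so that two different samples cannot be crafted to share a name.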
[Figure 03: Storing New Malicious Files Q3-2015. Bar chart of the disk space needed per month for new malicious files, comparing July to September 2014 (Q3-2014), April to June 2015 (Q2-2015) and July to September 2015 (Q3-2015).]
Figure 3 shows the total amount of disk space needed to store all the new malicious files. For the third quarter of 2015, 11.3 Terabytes were needed, 1.6 Terabytes less when compared with the second quarter of 2015.
3.3. Detecting Malware
At RedSocks Malware Labs we use an in-house classification system for grouping malware. We have classified over 300 types, for which we keep detailed statistics. Once multiple anti-virus scanners (in 'paranoid' mode) have performed their on-demand scan, we know which malware was detected by them and, perhaps more importantly, which was not. Figure 4 shows the detection results of the Anti-Virus engines.
[Figure 04: Detection by Anti-Virus Engines Q3-2015. Percentage of new samples detected per month (0 to 100 percent), comparing July to September 2014 (Q3-2014), April to June 2015 (Q2-2015) and July to September 2015 (Q3-2015).]
In the second quarter of 2015, the average detection by anti-virus engines was only 47 percent. For the third quarter of this year, the average detection was a little bit better at 52 percent. Figure 5 shows the percentage detected per month in green and the missed samples in red. We are working closely with the Anti-Virus Industry to find the cause of the low detection rates.
[Figure 05: Anti-Virus Detection Percentage Q3-2015. Daily percentage of samples detected (green) versus missed (red), 1 July to 29 September 2015.]
3.4. Classifying Malware
We categorise malware according to its primary feature. In the first quarter, malware was grouped as follows:

Malware Categories
Backdoors: Backdoors, Bot-Trojans
Exploits: ADODB, HTML, Java, JS, Linux, MSExcel, MSPPoint, MSWord, OSX, PDF, Script, SWF, Win32, Win64
Rootkits: (no subcategories listed)
Trojans: (D)DoS Trojans, Banking Trojans, Batch Trojans, FakeAV, GameThief Trojans, Generic Trojans, IRC Trojans, Java Trojan, LNK Trojans, Packed Trojans, Password Stealing Tr., Proxy Trojans, Ransom Trojans, Rogue Trojans, Script Trojans, SMS Trojans, Spy Trojans, Trojan Clickers, Trojan Dialers, Trojan Downloaders, Trojan Droppers, Trojan Flooders, Trojan Mailfinder, Trojan Notifiers, Trojan RATs, WinREG Trojans
Worms: Email-Worms, Generic Worms, IM-Worms, IRC-Worms, Net-Worms, P2P-Worms, Packed Worms, Script Worms
Others: Adware, (D)DoS Tools, AV Tools, Constructors, DOS based, Encrypted Malware, Flooders, Fraud Tools, Generic Malware, Hack Tools, Macro based, Malware Heuristic, Monitors, Nukers, Porn-Dialers, Porn-Downloaders, Porn-Tools, PSW-Tools, PUPs, RemoteAdmin, Riskware, Spammers, Spoofers, SpyTools, Spyware, Suspicious, Viruses
Table 1: Malware Categories Q3-2015
The ‘Others’ category consists of malicious samples that do not fit in any of the six main categories. See appendix B: “Classifying Malware” for the numbers by day, month and category.
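Sections 3.3 and 3.4 describe two things the lab derives from the multi-scanner results: a per-day detection rate and a count per main category (with the remainder falling into 'Others'). The following added example, which is not RedSocks' in-house classifier, shows one way to do both from a list of scan verdicts. The prefix rules are an assumption based on common vendor naming (Prefix.Platform.Family.Variant); the scan records are constructed, and the `Example` family names in them are placeholders, while the other labels are families that appear in this report.

```python
"""Classify AV detection names into the report's six main categories and
derive per-day detection rates plus a top-N label list.

Added example, not RedSocks' in-house classifier. The category rules are an
assumption based on common vendor naming; the scan records are constructed.
"""
from collections import Counter
import re

MAIN_CATEGORIES = ("Backdoors", "Exploits", "Rootkits", "Trojans", "Worms", "Others")

# Detection-name prefix -> report category. Anything detected but not matched
# lands in "Others" (flooders, hacktools, spoofers, spyware, viruses, ...).
PREFIX_RULES = [
    (re.compile(r"^backdoor\b", re.I), "Backdoors"),
    (re.compile(r"^exploit\b", re.I), "Exploits"),
    (re.compile(r"^rootkit\b", re.I), "Rootkits"),
    (re.compile(r"^trojan", re.I), "Trojans"),        # Trojan, Trojan-Spy, Trojan-PSW, ...
    (re.compile(r"^(\w+-)?worm\b", re.I), "Worms"),  # Worm, Email-Worm, Net-Worm, P2P-Worm
]


def categorize(detection_name):
    """Report category for one AV label, or None when the scanner missed it."""
    if not detection_name:
        return None
    for pattern, category in PREFIX_RULES:
        if pattern.search(detection_name):
            return category
    return "Others"


def family_of(detection_name):
    """'Backdoor.Win32.Wabot.a' -> 'Wabot'; 'Exploit:W32/Kakara.A' -> 'Kakara'."""
    parts = [p for p in re.split(r"[.:/]", detection_name) if p]
    return parts[2] if len(parts) >= 3 else parts[-1]


def summarize(records):
    """records: iterable of (day, detection_name_or_None).

    Returns (detection_rate_by_day, category_counts, label_counts).
    """
    totals, detected = Counter(), Counter()
    categories, labels = Counter(), Counter()
    for day, name in records:
        totals[day] += 1
        category = categorize(name)
        if category is None:
            continue                      # missed sample: counts toward the total only
        detected[day] += 1
        categories[category] += 1
        labels[name] += 1
    rate = {day: round(100.0 * detected[day] / totals[day], 2) for day in totals}
    return rate, categories, labels


def top_labels(label_counts, n=10):
    """Same shape as the 'Top 10 ... Families' tables in this report."""
    return label_counts.most_common(n)


# Constructed scan verdicts (None = no engine detected the sample).
SCAN_RESULTS = [
    ("2015-09-05", "Backdoor.Win32.Wabot.a"),
    ("2015-09-05", "Backdoor.Win32.Wabot.a"),
    ("2015-09-05", "Trojan-Spy.Win32.Example.a"),
    ("2015-09-05", None),
    ("2015-09-05", "Exploit:W32/CVE-2010-0188.C"),
    ("2015-09-06", "Rootkit.Win32.Agent.diuy"),
    ("2015-09-06", "Email-Worm.Win32.Example.b"),
    ("2015-09-06", None),
    ("2015-09-06", None),
    ("2015-09-06", "HackTool.Win32.Example.c"),
]

if __name__ == "__main__":
    rate, categories, labels = summarize(SCAN_RESULTS)
    print("detection rate per day:", rate)
    print("per category:", {c: categories[c] for c in MAIN_CATEGORIES})
    print("top labels:", top_labels(labels, 3))
```

Two details matter in practice: undetected samples must stay in the denominator (otherwise the detection rate is always 100 percent), and the category must come from the label's prefix rather than from substring matching, since a name such as Trojan-Dropper would otherwise be counted as both a Trojan and a dropper tool.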
4. Trends
Discovering malware-propagation trends starts with an analysis of the raw data behind the collection and processing of malware. From July to September, RedSocks Malware Research Labs identified the following trends by malware category.
4.1. Backdoors
In the second quarter of 2015, over 153,000 unique files were identified either as having been infected with a backdoor or as having backdoor functions. In the third quarter of 2015, 180,000 new and unique files were identified as backdoor. This is an increase of 118 percent when compared with Q2-2015.
[Figure 06: Files Identified as Backdoor Q3-2015. Bar chart of files identified as backdoor per month (0 to 140,000), comparing July to September 2014 (Q3-2014), April to June 2015 (Q2-2015) and July to September 2015 (Q3-2015).]
Figure 6 shows the number of new files identified as backdoor, or as having bot functions.
[Figure 07: Distribution of Backdoors Q3-2015. Daily count of files identified as backdoor, 1 July to 29 September 2015; y-axis from 0 to 18,000.]
Top 10 Backdoor Families Q3-2015
Family                          Amount
Backdoor.Win32.Wabot.a          52,900
Backdoor.Win32.Generic          20,697
Backdoor.Win32.Agent.dele        9,751
Backdoor.Win32.Allaple.a         8,984
Backdoor.Win32.DarkKomet.xyk     7,487
Backdoor.Win32.Udr.a             5,046
Backdoor.Win32.DarkKomet.aagt    2,575
Backdoor.Win32.Spammy.gf         2,000
Backdoor.Win32.Hlux.dca          1,870
Backdoor.Win32.Lavandos.a        1,508

Top 10 Backdoor Families Q2-2015
Family                          Amount
Backdoor.Win32.Generic          16,030
Backdoor.Win32.Plite.bhrm       13,161
Backdoor.Win32.DarkKomet.xyk     4,588
Backdoor.Win32.Spammy.gf         2,569
Backdoor.Win32.DarkKomet.aagt    1,591
Backdoor.Win32.Zepfod.aco        1,443
Backdoor.Win32.Wabot.a           1,353
Backdoor.Win32.Ruskill.hlc       1,216
Backdoor.Win32.DarkKomet.zem     1,045
Backdoor.Win32.Hlux.cqg            937
Table 2: Top 10 Backdoor Families Q3 vs. Q2-2015
Wabot.a was first reported on March 14, 2014. When the backdoor is executed, it creates two files in the %System% directory: an executable copy of itself and a text file containing ASCII art. It adds an auto-start entry to the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = %name of the executable%
The backdoor searches for files with the following extensions: .exe, .scr, .com, .pif, .cmd, and .bat. For each file it finds with one of these extensions, it copies itself to one of the following locations:
%System%/DC++ Share/
%System%/xdccPrograms/
The backdoor renames itself to that file and adds random data to the end of itself so that it matches the file's length. Note: if the file is smaller, it adds a random amount of data below C800h bytes. It attempts to connect to an IRC server using a direct client-to-client connection with a randomly generated username, nickname, and email address. The backdoor joins the following chat rooms:
#hellothere
Rooms with 'mp3' in the title
Rooms with 'xdcc' in the title
Figure 8 takes a closer look at the distribution of variations of Backdoor.Wabot.a. This malware is detected by the heuristics of the Anti-Virus software.
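The two host indicators above (the Winlogon "Shell" auto-start value and the DC++ Share / xdccPrograms staging directories) can be checked on a collected system. The following added example, not RedSocks code, reads a `reg export`-style text dump so that it also works offline on an artefact copied from a host, compares the Shell value against the Windows default explorer.exe, and looks for the two directories under the System directory. The registry text and the `constructed_backdoor.exe` file name are constructed placeholders.

```python
"""Hunt for the Wabot.a persistence and staging indicators described above.

Added example, not RedSocks code. The registry export text and the
file name in it are constructed for the demo.
"""
import ntpath
import os
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DEFAULT_SHELL = "explorer.exe"
STAGING_DIRS = ("DC++ Share", "xdccPrograms")   # %System%\DC++ Share\, %System%\xdccPrograms\


def winlogon_shell_from_reg_export(text):
    """Return the "Shell" value under the Winlogon key, or None if absent."""
    in_key = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == WINLOGON_KEY.lower()
        elif in_key:
            m = re.match(r'"Shell"="(.*)"$', line)
            if m:
                # .reg files write every backslash in a string value as "\\".
                return m.group(1).replace("\\\\", "\\")
    return None


def unexpected_shell_entries(shell_value):
    """Shell may be a comma-separated list; anything but explorer.exe is suspect.

    Wabot.a replaces the value with its own executable name, but a check that
    tolerates a full path to the real explorer.exe avoids a false positive.
    """
    if shell_value is None:
        return []
    entries = [e.strip() for e in shell_value.split(",") if e.strip()]
    return [e for e in entries if ntpath.basename(e).lower() != DEFAULT_SHELL]


def present_staging_dirs(system_dir):
    """Which of the Wabot.a staging directories exist under the System directory."""
    return [d for d in STAGING_DIRS if os.path.isdir(os.path.join(system_dir, d))]


# Constructed export: the Shell value has an extra executable appended.
CONSTRUCTED_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Windows\\System32\\constructed_backdoor.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
"""

if __name__ == "__main__":
    shell = winlogon_shell_from_reg_export(CONSTRUCTED_REG_EXPORT)
    print("Shell value:", shell)
    print("non-default entries:", unexpected_shell_entries(shell))
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    print("staging dirs present:", present_staging_dirs(system_dir))
```

Any entry in the Shell value other than explorer.exe is worth a look, not only the Wabot.a case: the key is a general persistence location, so the check is useful beyond this one family.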
[Figure 08: Distribution of Variations of Backdoor Wabot.a Q3-2015. Daily count of Wabot.a variations, 1 July to 29 September 2015; y-axis from 0 to 30,000.]
4.2. Exploits
Exploits are used to attack computer systems, especially by taking advantage of a particular vulnerability. The number of new malicious files identified as exploit increased dramatically in June 2015. In the second quarter of 2015 only 10,231 unique files were identified as exploit. In the third quarter the number of identified exploits was 11,141. This is an increase of 109 percent when compared with Q2-2015.
[Figure 09: Files Identified as Exploits Q3-2015. Bar chart of files identified as exploit per month (0 to 9,000), comparing July to September 2014 (Q3-2014), April to June 2015 (Q2-2015) and July to September 2015 (Q3-2015).]
[Figure 10: Distribution of Exploits Q3-2015. Daily count of files identified as exploit, 1 July to 29 September 2015; y-axis from 0 to 2,500.]
In figure 10 we can see that from 18 August to 7 September unusually high numbers of malicious files containing one or more exploits were distributed. Table 3 lists the top 10 exploit families of Q3 and Q2 2015.
Top 10 Exploit Families Q3-2015
Family                          Amount
Exploit.PDF.Generic              5,251
Exploit:W32/Kakara.A             1,316
Exploit:W32/CVE-2010-0188.C      1,186
Exploit.PDF-JS.Gen               1,129
Exploit.JS.Pdfka.fhg             1,050
Exploit.JS.PDF.EE                  909
Exploit.CVE-2009-0927.Gen          876
Exploit.Script.Generic             635
Exploit.JS.Pdfka.fmg               611
Exploit.JS.Pdfka.fkc               601

Top 10 Exploit Families Q2-2015
Family                          Amount
Exploit.PDF.Generic              8,508
Exploit.Script.Generic             223
Exploit.Win32.Pidief.ddl           164
Exploit.JS.Pdfka.ghj               122
Exploit.JS.Pdfka.fhg                87
Exploit.JS.Pdfka.fkc                82
Exploit.Win32.CVE-2010-0188.a       41
Exploit.JS.Pdfka.cil                37
Exploit.JS.Pdfka.fof                37
Exploit.JS.Pdfka.gbe                32
Table 3: Top 10 Exploit Families Q3 vs. Q2-2015
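Nearly every family in Table 3 is a PDF or PDF/JavaScript exploit, and a first triage step in a lab is to flag PDFs that carry active content at all. The following added example, which is not RedSocks tooling, counts the PDF name objects commonly tied to such samples (/JavaScript, /JS, /OpenAction, /AA, /Launch, /EmbeddedFile, and so on) in the raw bytes. It first undoes the #xx hex escapes that the PDF syntax allows in names (so /J#61vaScript is recognised as /JavaScript), which defeats the simplest obfuscation of these markers. The two PDF byte strings are constructed, not real samples.

```python
"""Static triage of PDF samples for active-content markers.

Added example, not RedSocks tooling. The two PDFs below are constructed.
"""
import re

RISKY_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
               "/EmbeddedFile", "/RichMedia", "/ObjStm", "/XFA")

# A PDF name runs from "/" up to the next whitespace or delimiter character.
_NAME_RE = re.compile(rb"/[^\s/<>\[\]()%{}]+")
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_name(raw: bytes) -> str:
    """Decode #xx escapes inside a PDF name object (/J#61vaScript -> /JavaScript)."""
    decoded = _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def count_risky_names(pdf_bytes: bytes) -> dict:
    """Occurrences of each risky name in the raw (uncompressed) PDF bytes."""
    counts = {name: 0 for name in RISKY_NAMES}
    for m in _NAME_RE.finditer(pdf_bytes):
        name = normalize_name(m.group(0))
        if name in counts:
            counts[name] += 1
    return counts


def triage(pdf_bytes: bytes):
    """Return (verdict, counts): 'review' when any risky marker is present."""
    if not pdf_bytes.startswith(b"%PDF-"):
        return "not-a-pdf", {}
    counts = count_risky_names(pdf_bytes)
    verdict = "review" if any(counts.values()) else "no-active-content"
    return verdict, counts


# Constructed minimal PDFs: one plain, one with an OpenAction that points at
# a JavaScript action whose names are hex-escaped.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
              b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n%%EOF\n")
SUSPECT_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
               b"3 0 obj\n<< /S /J#61vaScript /J#53 (constructed js) >>\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for label, data in (("benign", BENIGN_PDF), ("suspect", SUSPECT_PDF)):
        verdict, counts = triage(data)
        hits = {k: v for k, v in counts.items() if v}
        print(f"{label}: {verdict} {hits}")
```

This scans only what is visible in the raw file: objects inside compressed streams (FlateDecode content or /ObjStm object streams) are not expanded here, which is why a non-zero /ObjStm count is itself reported as a reason to look closer with a full parser.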
4.3. Rootkits
A rootkit is a type of software designed to hide the fact that an operating system has been compromised. This can be done in various ways, such as replacing vital executables or introducing a new kernel module. Rootkits allow malware to hide in plain sight. Rootkits themselves are not harmful; they are simply used to hide malware, bots and worms. To install a rootkit, an attacker must first gain sufficient access to the target operating system. This can be accomplished by using an exploit, by obtaining valid account credentials or through social engineering. Because rootkits are activated before the operating system boots up, they are very difficult to detect and therefore provide a powerful way for attackers to access and use the targeted computer without the owner being aware of it. Due to the way rootkits are used and installed, they are notoriously difficult to remove. Nowadays, rootkits are usually not used to gain elevated access, but instead to mask malware payloads more effectively.
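Because a rootkit's job is to make a payload invisible to the normal listing, the standard defensive check is a cross-view comparison: obtain "which processes exist" through two independent code paths and report what one shows and the other hides. The following added example, not from the report, compares the /proc directory listing with a kill(pid, 0) probe of every PID on Linux; the HideProc family in the tables below is the kind of user-mode process hider this catches. The sets in `demo()` are constructed so the comparison can be shown without a rootkit present.

```python
"""Cross-view check for processes hidden from the normal process list.

Added example, not from the report. Runs the live comparison on Linux;
demo() uses constructed PID sets.
"""
import os
import sys


def pids_from_proc(proc="/proc"):
    """View 1: PIDs as the process list would normally show them."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}


def pids_from_probe(max_pid=None):
    """View 2: PIDs that exist according to kill(pid, 0).

    EPERM (PermissionError) means the process exists but is not ours, so it
    still counts as alive; ESRCH (ProcessLookupError) means no such process.
    """
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def hidden_pids(listed, probed):
    """PIDs visible to the probe but missing from the listing."""
    return sorted(probed - listed)


def stable_hidden_pids(listing_fn, probe_fn, rounds=2):
    """Processes start and exit between the two views, so only a PID that is
    hidden in every round is reported; one-off differences are races."""
    result = None
    for _ in range(rounds):
        found = set(hidden_pids(listing_fn(), probe_fn()))
        result = found if result is None else result & found
    return sorted(result)


def demo():
    """Constructed views: PID 4242 answers the probe but is not listed."""
    listed = {1, 2, 100, 2500}
    probed = {1, 2, 100, 2500, 4242}
    return hidden_pids(listed, probed)


if __name__ == "__main__":
    if sys.platform.startswith("linux"):
        print("hidden in every round:", stable_hidden_pids(pids_from_proc, pids_from_probe))
    else:
        print("constructed demo:", demo())
```

The live run probes every PID up to pid_max, which can be several million on recent kernels, so expect it to take a few seconds. A kernel-mode rootkit that hooks both the directory listing and the kill path can lie to both views; in that case the independent view has to come from outside the running system, such as a memory image or an offline disk.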
[Figure 11: Files Identified as Rootkit Q3-2015. Bar chart of files identified as rootkit per month (0 to 30,000), comparing July to September 2014 (Q3-2014), April to June 2015 (Q2-2015) and July to September 2015 (Q3-2015).]
The total number of identified rootkits in the third quarter of 2015 was 28,812, a 124 percent increase when compared with the second quarter of 2015. In July: 2,496; in August: a stunning 24,138; and in September: 2,178.
[Figure 12: Distribution of Rootkits Q2-2015. Daily count of files identified as rootkit, 1 July to 29 September 2015; y-axis from 0 to 25,000.]
A closer look at the 19,059 identified rootkit samples from 24 August shows that most samples are variations or small modifications of the following four rootkit families: Agent.diuy (5,154), Lapka.an (2,657), Small.vkd (1,497), and Small.bse (1,079).
Top 10 Rootkit Families Q3-2015
Family                          Amount
Rootkit.Win32.Agent.diuy        5,154
Rootkit.Win32.Lapka.an          2,657
Rootkit.Win32.Small.vkd         1,497
Rootkit.Win32.Small.bse         1,079
Rootkit.Win32.Agent.ehck          938
Rootkit.Win32.Agent.ehol          797
Rootkit.Win32.Agent.egxj          733
Rootkit.Win32.Agent.dqkh          708
Rootkit.Win32.Agent.dqnx          477
Rootkit.Win32.HideProc.bj         440
Top 10 Rootkit Families Q2-2015
Family                          Amount
Rootkit.Win32.Agent.egxj       17,559
Rootkit.Win32.Agent.ehck        2,575
Rootkit.Win32.Lapka.an          1,448
Rootkit.Win32.Small.bsf           666
Rootkit.Win32.Small.bse           644
Rootkit.Win32.Agent.dqkh          460
Rootkit.Win32.Agent.egxa          270
Rootkit.Win32.Agent.dqnx          237
Rootkit.Win32.Agent.egtf          137
Rootkit.Win32.HideProc.bj         137
Table 4: Top 10 Rootkit Families Q3 vs. Q2-2015
4.4. Trojans
With more than 3.6 million new unique samples in the third quarter of 2015, trojans are still the biggest category of malware. On average 39,000 new files per day were identified as trojan in Q3-2015, a drop of 10 percent when compared with the second quarter of 2015.
Figure 13: Files Identified as Trojan Q3-2015 (chart: files identified per month for Q3-2014, Q2-2015 and Q3-2015; y-axis: number of files, 0 to 3,000,000)
Figure 14 shows the distribution of all the different types of trojans during the third quarter of 2015.
Figure 14: Distribution of Trojans Q3-2015 (chart: trojans identified per day, 1 July to 29 September 2015; y-axis: number of files, 0 to 180,000)
We want to share four of the many trojan subcategories with you: the Trojan Downloaders and Droppers, plus the Password Stealing and the Spy Trojans. On average 4,670 unique samples per day were identified as Trojan Downloader in Q2 2015. In total 429,669 unique samples were classified as Trojan Downloader. This is a 159 percent increase when compared with Q1-2015.
Figure 15: Distribution of Trojan Downloaders Q3-2015 (chart: samples identified per day, 1 July to 29 September 2015; y-axis: number of files, 0 to 18,000)
Next are the Trojan Droppers. In the second quarter of 2015, a total of 261,814 samples were identified as Trojan Dropper. In the third quarter the number of identified Trojan Droppers was a stunning 373,449, an increase of 143 percent when compared with the second quarter of 2015.
Figure 16: Distribution of Trojan Droppers Q3-2015 (chart: samples identified per day, 1 July to 29 September 2015; y-axis: number of files, 0 to 30,000)
Password Stealing trojans were identified in 153,428 unique samples in Q3-2015. This is an increase of 134 percent when compared with the 114,440 samples of Q2-2015.
Figure 17: Distribution of Trojan PWS Q3-2015 (chart: Password Stealing trojans identified per day, 1 July to 29 September 2015; y-axis: number of files, 0 to 12,000)
With 16,233 unique samples, the OnLineGames.bomg malware family was the most common password stealing trojan in Q3-2015. Looking at the Spy Trojans, 175,041 unique samples were identified in the third quarter of 2015, a decrease of 29 percent when compared with the second quarter of 2015.
Figure 18: Distribution of Trojan-Spy Q3-2015 (chart: Spy Trojans identified per day, 1 July to 29 September 2015; y-axis: number of files, 0 to 18,000)
The Agent.cpyi spy trojan was, with 28,600 unique samples, the most common Spy Trojan of Q3-2015.
4.5. Worms
We identified worm traces and functionalities in roughly 2.6 million new files, a drop of 37 percent when compared to the 4 million of the second quarter of 2015.
Figure 19: Files Identified as Worm Q3-2015 (chart: files identified per month for Q3-2014, Q2-2015 and Q3-2015; y-axis: number of files, 0 to 3,000,000)
In figure 20 we see that after 26 August the amount of worms identified per day increased.
Figure 20: Distribution of Worms Q3-2015 (chart: worms identified per day, 1 July to 29 September 2015; y-axis: number of files, 0 to 100,000)
A closer look at the data from those days reveals that variations of the Allaple.e net-worm were widely distributed.
Figure 21: Distribution of Allaple.e Worm Q3-2015 (chart: Allaple.e samples identified per day, 1 July to 29 September 2015; y-axis: number of files, 0 to 250,000)
Top 10 Worm Families Q3-2015
Family                          Amount
Net-Worm.Win32.Allaple.e        (see below)
Worm.Win32.VBNA.alxm            136,292
P2P-Worm.Win32.Sytro.o          (see below)
Net-Worm.Win32.Allaple.b         92,772
Net-Worm.Win32.Allaple.a         58,282
Email-Worm.Win32.Runouce.b       56,009
Worm.Win32.WBNA.bul              44,137
P2P-Worm.Win32.Sytro.j           41,034
Worm.Win32.Mabezat.b             22,514
P2P-Worm.Win32.Picsys.c          14,189
Top 10 Worm Families Q2-2015
Family                          Amount
Net-Worm.Win32.Allaple.e        (see below)
P2P-Worm.Win32.Sytro.o          (see below)
P2P-Worm.Win32.Sytro.j          (see below)
P2P-Worm.Win32.Picsys.c          52,856
P2P-Worm.Win32.Sytro.k           52,741
Worm.Win32.AutoRun.but           32,315
Net-Worm.Win32.Allaple.a         26,946
Email-Worm.Win32.Runouce.b       21,681
Email-Worm.Win32.Mydoom.m        19,107
Email-Worm.Win32.Mydoom.l        15,770
The amounts for Net-Worm.Win32.Allaple.e (Q3 and Q2), P2P-Worm.Win32.Sytro.o (Q3 and Q2) and P2P-Worm.Win32.Sytro.j (Q2) cannot be paired with their rows from the source; as extracted, in source order, they are: 2,782,846, 1,409,310, 2,746,527, 123,574 and 139,805.
Table 5: Top 10 Worm Families Q3 vs. Q2-2015
4.6. 64-Bit Malware
Malware designed to run on Windows 64-bit was identified in 114,439 new malicious samples in the third quarter, an increase of 561 percent when compared with the second quarter of 2015.
Figure 22: Files Identified with 64-Bit Malware Q3-2015 (chart: files identified per month for Q3-2014, Q2-2015 and Q3-2015; y-axis: number of files, 0 to 70,000)
In figure 23, a clear spike can be seen on 2 July when we look at the distribution of unique new 64-bit malware.
Figure 23: Distribution of 64-Bit Malware Q3-2015 (chart: 64-bit malware identified per day, 1 July to 27 September 2015; y-axis: number of files, 0 to 8,000)
A closer look at the 64-bit malicious files reveals that the Expiro malware families, for the first time since January 2014, do not top the charts. In the third quarter of 2015, we find 64-bit Adware in first place, followed by 64-bit NetTools.
Top 10 64-bit Families Q3-2015
Family                          Amount
AdWare.Win64.Agent.ar           20,590
NetTool.Win64.NetFilter.k       15,854
Virus.Win64.Expiro.Gen.4        10,445
AdWare.Win64.Agent.j             5,236
Virus.Win64.Expiro.e             4,896
Win64.Expiro.Gen.3               3,210
NetTool.Win64.NetFilter.l        2,400
Virus.Win64.Expiro.f             2,375
Virus.Win64.Expiro.AA            2,129
Virus.Win64.Expiro.Gen.2         2,044
Top 10 64-bit Families Q2-2015
Family                          Amount
Virus.Win64.Expiro.Gen.3         8,050
Virus.Win64.Expiro.Gen.2         7,888
Virus.Win64.Expiro.A             4,288
Trojan:W64/Dridex.D                104
Trojan:W64/Bedeb.A                  34
Trojan:W64/Apolmy.B                 17
Virus.Win64.Expiro.R                12
Backdoor:W64/Turla.A                 2
Virus.Win64.Expiro.G                 1
N/A                                N/A
Table 6: Top 10 64-Bit Malware Families Q3 vs. Q2-2015
4.7. Others
After the backdoors, exploits, rootkits, trojans, worms and the 64-bit malware, we are still left with 5.4 million identified malicious files. This is 99 percent of the amount in the second quarter of 2015.
Figure 24: Files Identified as Other Malware Q3-2015 (chart: files identified per month for Q3-2014, Q2-2015 and Q3-2015; y-axis: number of files, 0 to 3,000,000)
Figure 25: Distribution of Other Malware Q3-2015 (chart: other malware identified per day, 1 July to 29 September 2015; y-axis: number of files, 0 to 180,000)
Within the category Other Malware, we find Macro-based malware. Macro-based malware was identified in 19,311 new malicious samples in the third quarter - an increase of 131 percent when compared with the second quarter of 2015.
Figure 26: Files Identified as Macro-based Malware Q1 & Q2-2015 (chart: identified Macro-based malware in 2015; y-axis: number of files, 0 to 10,000)
Figure 27 shows the distribution of Macro-based malware per day for the third quarter of 2015. The spike on 1 August was mostly caused by variations of Trojan-Dropper.MSWord.Agent.jj.
Figure 27: Distribution of Macro-based Malware Q3-2015 (chart: Macro-based malware identified per day, 1 July to 29 September 2015; y-axis: number of files, 0 to 1,800)
Top 10 Macro Families Q3-2015
Family                               Amount
Virus.MSExcel.Agent.f                 3,994
Trojan-Downloader.MSWord.Agent.oa     1,861
Trojan-Dropper.MSWord.Agent.jj        1,469
Virus.MSWord.Marker.kn                  723
Virus.MSExcel.Laroux.jp                 692
Virus.MSExcel.Sic.f                     651
Virus.MSExcel.Laroux.zc                 499
Virus.MSExcel.Laroux.cs                 471
Virus.MSExcel.Laroux.jm                 445
X97M.Mailcab.A@mm                       433
Top 10 Macro Families Q2-2015
Family                               Amount
Virus.MSExcel.Agent.f                 4,501
Virus.MSWord.Marker.kn                2,395
Virus.MSExcel.Sic.f                     792
Virus.MSWord.Xaler.g                    615
Virus.MSExcel.Laroux.jm                 602
Virus.MSExcel.Laroux.zc                 395
Virus.MSExcel.NetSnak.a                 368
Virus.MSWord.Nsi                        355
Virus.MSExcel.Laroux.ja                 351
Virus.MSWord.Marker.fq                  312
Table 7: Top 10 Macro Families Q3 vs. Q2-2015
5. Geolocation
A total of 7,822 active C&C servers were found and added to our blacklist in the third quarter of this year (5,044 in July, 1,129 in August and 1,430 in September). When compared with Q2-2015 this is a decrease of 48 percent. Figure 28 covers only the top 10 hosting countries.
Figure 28: Sum of the Top 10 C&C Hosting Countries Q3-2015 (chart: C&C servers per month for Q3-2014, Q2-2015 and Q3-2015; y-axis: number of servers, 0 to 6,000)
In figure 29, a closer look at the top C&C-hosting countries in the third quarter of 2015.
Figure 29: Top 10 C&C Hosting Countries Q3-2015 (chart: C&C servers per country for July, August and September 2015; y-axis: number of servers, 0 to 1,400; legend: Bulgaria, Canada, China, France, Germany, Korea, Netherlands, Poland, Romania, Russian Federation, Turkey, Ukraine)
Like in the first and second quarter of this year, the United States still led the pack in the third quarter, followed by the Russian Federation and Ukraine:
Top 10 Countries Hosting C&C Q3-2015
July
United States           1,165
Russian Federation        630
Germany                   312
Netherlands               274
United Kingdom            270
Ukraine                   268
France                    181
China                     142
Korea                     111
Turkey                    111
August
Russian Federation        243
United States             191
Ukraine                    92
Netherlands                79
Germany                    77
Turkey                     45
China                      34
Bulgaria                   31
Romania                    29
United Kingdom             21
September
United States             340
Russian Federation        184
Ukraine                    94
Netherlands                80
Germany                    76
China                      44
Canada                     43
Turkey                     41
Romania                    28
Poland                     27
Table 8: Top 10 Countries Hosting C&C Q3-2015
The Netherlands, as a hosting country for C&C Servers, ended up 4th in July, August and September. The drop in the global amount of C&C Servers in August is the result of combined global cleaning action. A complete list of C&C hosting countries, the amount of new C&C servers and their percentages can be found in appendix C.
6. Final Word
In the third quarter of 2015, with an average of 285,704 new malicious files per day, the total number of samples processed was 26.3 million, a slight decrease of 7 percent compared with the number of new malicious files from the first quarter of 2015.
Table 9: Identified Malware per Category Q3 vs. Q2-2015
Category   | Total Q3-2015 | % of Total Identified | Compared to Q2-2015
Adware     | 3,334,040     | 22.11%                | 12.34%
Backdoors  | 180,084       | 1.19%                 | 0.18%
Exploits   | 11,141        | 0.07%                 | 0.00%
Rootkits   | 28,812        | 0.19%                 | 0.04%
Trojans    | 3,609,878     | 23.94%                | -2.66%
Worms      | 2,555,285     | 16.95%                | -9.73%
Others     | 5,357,201     | 35.53%                | -0.19%
The overall detection by Anti-Virus software was on average 56.32 percent. This is a 4.22 percent improvement when compared with the second quarter of 2015. Still missed by the Anti-Virus software are a total of 11.2 million unique malicious files.
By grouping and classifying the identified malware, we detected a slight increase in the popularity of backdoors and rootkits. The adware category increased by 22.11 percent when compared with the second quarter of 2015. A closer look at the distribution of 64-bit adware in Q2 and Q3 shows that on 2 July, 2,140 Adware families were found within the 7,031 64-bit malicious files of that day. Adware authors are clearly switching to support 64-bit environments.
Figure 30: Distribution of 64-Bit Adware Q2 and Q3-2015 (chart: 64-bit adware identified per day, 1 April to 28 September 2015; y-axis: number of files, 0 to 8,000)
Within the top 10 countries hosting C&C servers, there was little change. The United States is still leading, followed by the Russian Federation. A total of 7,822 active C&C servers were found and added to our blacklist in the third quarter of this year, a decrease of 48 percent.
The Netherlands hosted a total of 433 C&C servers in the third quarter of 2015. A total of 135,507 infected machines were connecting in Q3 to the Dutch C&C servers (83,606 in July, 27,834 in August and 24,067 in September).
We hope that you have enjoyed our third Malware Trend Report of 2015, and that it provides you with insight into the trends we have seen during the second quarter of 2015. We continue to innovate, so please check back with us for our next quarterly trend report, which will also include mobile threats. Questions, comments and requests can be directed towards the RedSocks Malware Research Labs.
RedSocks B.V.
W: www.redsocks.nl
T: +31 (0) 55 36 61 396
G.J. Vroon, Anti-Malware Behavioural Researcher
E: [email protected]
Appendix A: Detecting Malware
Day | April Files/day | Detected | % Detected | May Files/day | Detected | % Detected | June Files/day | Detected | % Detected
1 | 200,903 | 100,422 | 49.99% | 221,833 | 101,925 | 45.95% | 199,592 | 143,546 | 71.92%
2 | 243,708 | 81,455 | 33.42% | 227,195 | 159,097 | 70.03% | 365,060 | 340,591 | 93.30%
3 | 341,462 | 64,281 | 18.83% | 239,900 | 114,296 | 47.64% | 236,027 | 148,531 | 62.93%
4 | 192,160 | 68,523 | 35.66% | 392,641 | 206,228 | 52.52% | 219,684 | 110,565 | 50.33%
5 | 262,211 | 86,871 | 33.13% | 402,588 | 291,626 | 72.44% | 364,571 | 148,606 | 40.76%
6 | 197,400 | 55,585 | 28.16% | 529,820 | 439,559 | 82.96% | 262,648 | 158,914 | 60.50%
7 | 253,337 | 67,159 | 26.51% | 442,336 | 239,251 | 54.09% | 268,110 | 110,523 | 41.22%
8 | 246,581 | 79,818 | 32.37% | 323,474 | 165,901 | 51.29% | 391,166 | 182,962 | 46.77%
9 | 252,660 | 76,301 | 30.20% | 379,158 | 186,568 | 49.21% | 286,141 | 140,277 | 49.02%
10 | 232,027 | 70,927 | 30.57% | 325,496 | 168,651 | 51.81% | 359,576 | 167,902 | 46.69%
11 | 244,452 | 100,887 | 41.27% | 327,578 | 142,140 | 43.39% | 298,166 | 121,219 | 40.65%
12 | 218,685 | 88,737 | 40.58% | 447,648 | 338,371 | 75.59% | 251,553 | 107,309 | 42.66%
13 | 227,794 | 75,397 | 33.10% | 394,221 | 262,327 | 66.54% | 276,596 | 109,730 | 39.67%
14 | 230,514 | 77,051 | 33.43% | 470,257 | 342,722 | 72.88% | 267,027 | 110,213 | 41.27%
15 | 272,283 | 117,440 | 43.13% | 452,256 | 391,056 | 86.47% | 282,998 | 105,894 | 37.42%
16 | 196,903 | 141,869 | 72.05% | 472,958 | 326,124 | 68.95% | 257,409 | 82,295 | 31.97%
17 | 266,481 | 124,168 | 46.60% | 355,622 | 215,824 | 60.69% | 266,228 | 118,323 | 44.44%
18 | 220,681 | 91,009 | 41.24% | 315,931 | 174,478 | 55.23% | 266,228 | 116,207 | 43.65%
19 | 350,332 | 173,134 | 49.42% | 326,729 | 132,434 | 40.53% | 290,214 | 144,589 | 49.82%
20 | 369,629 | 164,368 | 44.47% | 351,660 | 276,105 | 78.51% | 218,747 | 110,918 | 50.71%
21 | 302,775 | 141,803 | 46.83% | 455,514 | 273,341 | 60.01% | 214,787 | 111,225 | 51.78%
22 | 251,920 | 128,110 | 50.85% | 468,347 | 238,360 | 50.89% | 211,061 | 116,117 | 55.02%
23 | 272,905 | 114,891 | 42.10% | 308,512 | 220,589 | 71.50% | 236,655 | 154,469 | 65.27%
24 | 241,270 | 97,107 | 40.25% | 344,729 | 200,439 | 58.14% | 496,414 | 472,586 | 95.20%
25 | 245,738 | 90,298 | 36.75% | 304,034 | 187,848 | 61.79% | 268,334 | 136,044 | 50.70%
26 | 250,282 | 91,737 | 36.65% | 395,348 | 208,601 | 52.76% | 347,383 | 226,612 | 65.23%
27 | 254,701 | 111,717 | 43.86% | 363,948 | 223,542 | 61.42% | 443,170 | 333,285 | 75.20%
28 | 296,490 | 141,048 | 47.57% | 327,804 | 191,764 | 58.50% | 330,361 | 307,535 | 93.09%
29 | 338,607 | 142,143 | 41.98% | 371,361 | 202,529 | 54.54% | 302,523 | 198,429 | 65.59%
30 | 295,970 | 120,385 | 40.67% | 263,002 | 205,918 | 78.30% | 316,269 | 192,196 | 60.77%
31 | | | | 313,918 | 161,805 | 51.54% | | |
Total | 7,770,861 | 3,084,641 | 39.72% | 11,315,81 | 6,989,419 | 60.84% | 8,794,698 | 5,027,612 | 55.45%
Appendix B: Classifying Malware
July
Day | Adware | Backdoors | Exploits | Rootkits | Trojans | Worms | Others
1 | 45,711 | 2,076 | 32 | 117 | 28,470 | 28,904 | 37,185
2 | 47,027 | 1,504 | 30 | 58 | 22,847 | 22,700 | 30,399
3 | 38,477 | 1,380 | 36 | 1 | 25,240 | 18,316 | 34,041
4 | 22,704 | 1,487 | 56 | 87 | 21,954 | 19,407 | 31,974
5 | 19,166 | 1,168 | 17 | 59 | 18,621 | 23,523 | 23,771
6 | 23,363 | 1,078 | 32 | 95 | 22,091 | 23,134 | 37,902
7 | 25,306 | 2,199 | 15 | 87 | 27,516 | 13,450 | 41,190
8 | 31,703 | 2,414 | 26 | 130 | 33,515 | 9,047 | 45,640
9 | 33,474 | 2,132 | 24 | 105 | 34,567 | 5,771 | 46,037
10 | 26,323 | 1,771 | 35 | 89 | 27,227 | 9,678 | 37,973
11 | 45,293 | 2,788 | 70 | 139 | 50,824 | 11,492 | 75,671
12 | 28,849 | 1,883 | 31 | 112 | 36,342 | 6,417 | 50,266
13 | 26,494 | 1,721 | 35 | 127 | 32,906 | 11,069 | 47,484
14 | 24,519 | 1,601 | 46 | 121 | 33,024 | 12,371 | 58,780
15 | 20,956 | 1,229 | 44 | 78 | 25,396 | 23,405 | 53,370
16 | 11,566 | 1,110 | 19 | 37 | 20,872 | 13,307 | 24,942
17 | 17,562 | 1,826 | 23 | 99 | 30,532 | 11,619 | 32,850
18 | 13,065 | 1,481 | 44 | 48 | 22,181 | 12,849 | 36,524
19 | 16,798 | 1,620 | 25 | 103 | 26,494 | 10,864 | 41,222
20 | 28,044 | 1,351 | 26 | 55 | 26,441 | 9,038 | 41,637
21 | 33,766 | 1,566 | 47 | 96 | 34,975 | 12,066 | 53,826
22 | 20,628 | 1,137 | 22 | 67 | 24,093 | 9,038 | 41,728
23 | 25,839 | 1,546 | 34 | 63 | 29,491 | 11,536 | 49,993
24 | 18,770 | 2,521 | 57 | 65 | 35,730 | 12,914 | 30,456
25 | 11,417 | 1,262 | 27 | 35 | 89,537 | 11,366 | 25,910
26 | 17,005 | 1,282 | 24 | 74 | 25,525 | 12,117 | 34,898
27 | 19,700 | 1,317 | 33 | 66 | 31,247 | 12,912 | 40,962
28 | 23,989 | 1,612 | 43 | 77 | 32,237 | 7,258 | 37,149
29 | 37,579 | 1,630 | 23 | 86 | 52,365 | 11,163 | 69,384
30 | 26,553 | 1,314 | 57 | 44 | 48,886 | 9,981 | 41,440
31 | 29,454 | 1,477 | 53 | 76 | 44,262 | 11,048 | 49,037
Total | 811,100 | 50,483 | 1,086 | 2,496 | 1,015,408 | 417,760 | 1,303,641
August
Day | Adware | Backdoors | Exploits | Rootkits | Trojans | Worms | Others
1 | 43,048 | 2,240 | 50 | 117 | 39,141 | 12,384 | 72,613
2 | 39,136 | 1,557 | 45 | 110 | 26,588 | 9,393 | 52,845
3 | 36,264 | 1,870 | 37 | 101 | 41,867 | 10,149 | 61,770
4 | 25,528 | 1,537 | 30 | 164 | 28,740 | 14,752 | 72,780
5 | 36,746 | 1,972 | 59 | 116 | 39,822 | 11,978 | 60,932
6 | 50,664 | 2,691 | 52 | 371 | 55,085 | 14,199 | 155,420
7 | 17,800 | 867 | 62 | 67 | 15,104 | 6,495 | 41,356
8 | 23,322 | 935 | 2 | 81 | 23,305 | 7,552 | 34,217
9 | 27,142 | 1,494 | 5 | 65 | 32,114 | 7,686 | 46,765
10 | 32,559 | 1,551 | 16 | 120 | 31,933 | 7,373 | 46,789
11 | 67,260 | 3,570 | 32 | 351 | 66,477 | 18,950 | 124,154
12 | 52,741 | 2,335 | 40 | 189 | 76,105 | 14,626 | 79,531
13 | 26,032 | 776 | 42 | 346 | 19,124 | 7,845 | 34,156
14 | 51,653 | 2,637 | 76 | 296 | 37,787 | 20,537 | 58,014
15 | 30,648 | 1,418 | 75 | 196 | 28,946 | 12,014 | 41,206
16 | 52,699 | 2,174 | 47 | 176 | 43,661 | 21,274 | 64,355
17 | 32,964 | 1,550 | 27 | 151 | 25,548 | 9,111 | 48,868
18 | 48,294 | 1,986 | 166 | 127 | 38,948 | 6,357 | 61,454
19 | 54,318 | 2,494 | 337 | 101 | 64,641 | 5,783 | 59,907
20 | 66,715 | 2,884 | 146 | 146 | 40,520 | 19,237 | 70,211
21 | 57,154 | 2,552 | 93 | 124 | 52,693 | 17,964 | 73,036
22 | 70,795 | 2,372 | 64 | 129 | 50,387 | 20,289 | 65,404
23 | 38,835 | 1,789 | 60 | 113 | 34,356 | 22,076 | 67,412
24 | 35,055 | 1,768 | 89 | 19,059 | 6,890 | 24,102 | 100,326
25 | 41,607 | 1,870 | 244 | 385 | 47,460 | 14,269 | 87,697
26 | 31,481 | 1,217 | 389 | 197 | 24,628 | 8,123 | 73,309
27 | 36,195 | 1,785 | 470 | 159 | 30,199 | 12,391 | 78,691
28 | 47,758 | 1,703 | 694 | 102 | 35,818 | 51,643 | 76,241
29 | 54,445 | 2,805 | 353 | 224 | 53,914 | 61,150 | 89,925
30 | 53,040 | 1,778 | 406 | 198 | 49,567 | 51,922 | 82,777
31 | 44,482 | 1,227 | 418 | 57 | 34,452 | 52,194 | 92,153
Total | 1,326,380 | 59,404 | 4,626 | 24,138 | 1,195,820 | 573,818 | 2,174,314
September
Day | Adware | Backdoors | Exploits | Rootkits | Trojans | Worms | Others
1 | 57,996 | 1,734 | 565 | 112 | 45,603 | 51,794 | 101,663
2 | 46,116 | 1,535 | 65 | 101 | 48,075 | 59,421 | 63,587
3 | 72,635 | 2,728 | 83 | 220 | 107,519 | 70,419 | 116,683
4 | 11,344 | 680 | 1,293 | 23 | 11,484 | 9,507 | 36,702
5 | 63,058 | 2,624 | 2,058 | 165 | 170,339 | 51,315 | 43,876
6 | 31,976 | 15,637 | 351 | 40 | 42,461 | 33,619 | 61,895
7 | 47,756 | 1,997 | 802 | 107 | 65,443 | 84,444 | 75,788
8 | 44,910 | 899 | 14 | 30 | 31,228 | 51,120 | 34,742
9 | 44,656 | 1,728 | 9 | 60 | 58,052 | 40,050 | 77,224
10 | 19,893 | 937 | 0 | 53 | 29,011 | 24,597 | 52,287
11 | 11,728 | 508 | 2 | 19 | 52,936 | 13,289 | 23,716
12 | 36,463 | 1,492 | 15 | 81 | 33,363 | 64,760 | 56,820
13 | 14,092 | 657 | 9 | 23 | 19,763 | 23,157 | 19,674
14 | 22,063 | 692 | 9 | 29 | 16,905 | 20,720 | 26,845
15 | 34,321 | 2,338 | 17 | 53 | 49,871 | 44,435 | 68,571
16 | 27,479 | 683 | 2 | 28 | 26,310 | 48,472 | 71,616
17 | 54,571 | 2,410 | 16 | 83 | 41,735 | 80,498 | 76,847
18 | 51,599 | 1,412 | 3 | 59 | 31,134 | 58,893 | 61,909
19 | 35,932 | 1,600 | 19 | 38 | 19,285 | 43,946 | 39,916
20 | 47,822 | 2,519 | 7 | 40 | 40,510 | 66,363 | 86,315
21 | 59,459 | 4,223 | 11 | 72 | 81,423 | 93,953 | 128,492
22 | 41,777 | 3,067 | 4 | 62 | 51,275 | 53,233 | 50,368
23 | 37,266 | 1,944 | 1 | 56 | 23,478 | 61,310 | 45,449
24 | 41,979 | 2,102 | 4 | 104 | 25,412 | 65,475 | 63,311
25 | 28,445 | 2,074 | 8 | 75 | 42,724 | 66,838 | 66,943
26 | 29,270 | 1,851 | 4 | 41 | 27,782 | 65,329 | 48,374
27 | 58,733 | 3,192 | 11 | 152 | 42,396 | 62,997 | 65,798
28 | 41,877 | 3,330 | 7 | 84 | 82,931 | 56,078 | 64,097
29 | 45,788 | 2,102 | 36 | 93 | 52,711 | 50,306 | 76,833
30 | 35,556 | 1,502 | 4 | 75 | 27,491 | 47,369 | 72,905
Total | 1,196,560 | 70,197 | 5,429 | 2,178 | 1,398,650 | 1,563,707 | 1,879,246
REDSOCKS RedSocks is a Dutch company specialised in malware detection. RedSocks supplies RedSocks malware threat defender as a network appliance. This innovative appliance analyses digital traffic flows in real time based on the algorithms and lists of malicious indicators compiled by the RedSocks Malware Intelligence Team. This team consists of specialists in identifying new threats on the internet and translating them into state-of-the-art malware detection.
www.redsocks.nl Boogschutterstraat 9C, 7324 AE Apeldoorn, The Netherlands
Tel +31 (0)55 36 61 396
E-mail
[email protected]
Website www.redsocks.nl