McAfee Threats Report Q2 2011

Report
McAfee Threats Report: Second Quarter 2011

By McAfee Labs
Report
The threat landscape of 2011 is undergoing a year of chaos and change. We see chaos in the major challenges that hacktivist groups such as LulzSec and Anonymous pose, and change in the shifts in new malware classes and targeted devices. This quarter McAfee Labs saw major hacktivist activitybut in a very different way. The group Lulz Security, LulzSec for short, differs from other hacktivist groups in that they had no specific goals. They were in it, as they claimed, for the lulz (LOLs in text messagespeak, or laugh out louds ) but showed an agility at compromising networks and servers, and stealing usernames, passwords, and other data. LulzSec committed multiple intrusions against a wide variety of companies, as well as attacks against police departments and intelligence agencies, and many other compromises. Although many of the outcomes and uses of these compromises are still in play (and we provide a helpful overview of the quarters activity) one thing has become clear: Many companies, both large and small, are more vulnerable than they may have suspected. Further, the security industry may need to reconsider some of its fundamental assumptions, including Are we really protecting users and companies? Although LulzSec may have ceased its operations during this quarter, the questions they and other hacktivist groups have raised will be debated for a long time. One significant change in the first quarter of 2011 was Androids becoming the third-most targeted platform for mobile malware. This quarter the count of new Android-specific malware moved to number one, with J2ME (Java Micro Edition), coming in second while suffering only a third as many malware. This increase in threats to such a popular platform should make us evaluate our behavior on mobile devices and the security industrys preparedness to combat this growth. We also saw an increase in for-profit mobile malware, including simple SMS-sending Trojans and complex Trojans that use exploits to compromise smartphones. We offer an update of cybercrime pricebooks as well as some changes to toolkit and service prices. Crimeware as a service and the burgeoning hacktivism as a service continue to evolve as interests and targets change. On the positive side, there were some significant victories against cybercriminals this quarter. Continuing the change theme, we observed a considerable decrease in both AutoRun and Koobface malware, offset by a strong rise in fake-anti-virus software that targets the Mac. Apples OS X has been mostly ignored by malware writers for years, so this represents a significant change of target forcybercriminals. Malware continued its overall growth during the quarter as did rootkit malware. Rootkits, used primarily for stealth and resilience, makes malware more effective and persistent; its popularity is rising. Rootkits such as Koutodoor and TDSS appear with increasing frequency. The amount of malware that attacks vulnerabilities in Adobe products continues to overwhelm those in Microsoft products. Botnets and messaging threats, although still at historic lows, have begun to rise again. We expected this recovery after some recent botnet takedowns. Users and enterprises must plan for this growth and prepare their defenses and responses accordingly. We again examine social engineering subjects by both geography and subject and botnets by geography and type. We saw several spikes in malicious web activity this quarter as well as some serious growth in blogs and wikis with malicious reputations. Sites that deliver malware, potentially unwanted programs, and phishing sites also increased. The second quarter of the year was clearly a period of chaos, changes, and new challenges.
Report
Table of Contents
Hacktivism Mobile Threats Cybercrime Malware Threats Adobe Outpaces Microsoft in Attracting Exploits Messaging Threats Web Threats 4 5 7 9 14 15 20
Report
Hacktivism Early in this quarter the Anonymous group apparently quarreled and split. On May 9, an Anonymous press release said the Anonops network was down after the website coadministrator Ryan attempted to stage a coup dtat. As a reprisal, his contact details were immediately distributed on the web. Around May 7 a new Twitter account registering the @LulzSec username appeared, marking the birth of Lulz Security. Their first feats did not gain much media coverage; however, when they targeted the entertainment industry, the world was truly introduced to LulzSec. After 50 days of operations, LulzSecs adventures ended due to group-against-group struggles. These events show a level of immaturity in some groups labeled as political hacktivists and who claim to be part of Anonymous. Jester (th3j35t3r, an Anonymous opponent who is known for fighting against jihadist and anti-U.S. websites) and other groups (Team Web Ninjas, Backtrace, The A-Team, Teamp0ison, etc.) made a point of denouncing their former colleagues. These internecine struggles helped authorities identify some of these hackers. Other reported incidents include a serious attack against the European Commission just before a summit to discuss the future structure of the European Union, economic strategy, and the war in Libya.1 Frances Ministry of Finance suffered a similar attack. The Australian Security Intelligence Organisation disclosed that it is investigating an attack that compromised the computers of at least 10 federal ministers, including the prime minister, foreign minister, and defense minister. The German government reported it sees an average of five targeted attacks per day against users of government networks.2 Some published accounts number the various hacktivist operations, such as #antisec, #OpNewBlood, #OpLibya, #OpBrazil, at more than 4,000 in total, but this number is hard to verify. These operations have resulted in websites being taken offline, large amounts of usernames and passwords stolen, and confidential documents stolen and uploaded. Many companies have suffered very effective politically motivated attacks. Many observers have called these attacks simplistic, even lame, but these pundits miss the point: Hacktivism is about the message, not the method. Two intrusions by a Romanian hacker also caught our attention due to the high-profile targets: the U.S. and European space agencies. In an April blog entry, this hacker published information from the European Space Agencys server that included names, usernames, and emails of more than 150 users. In May, the same hacker claimed to have entered a server at NASAs Goddard Space Flight Center and gained access to confidential satellite data. He posted on his blog a screen grab of what he said was one of NASAs main FTP servers.
1. 2.
http://www.bbc.co.uk/news/world-europe-12840941 http://www.bundestag.de/presse/hib/2011_05/2011_201/08.html
Report
Mobile Threats This quarter Android OS-based malware became the most popular target for mobile malware developers. Thats a rapid rise for Android, which outpaces second place Java Micro Edition threefold.
New Mobile Malware This Quarter
Android Java ME Symbian BlackBerry MSIL Python VBS
As we watch steady, significant growth in the mobile malware threat landscape, many of the same functions and features of PC-based threats are already part of the codebase. Mobile threats already take advantage of exploits, employ botnet functionality, and even use rootkit features for stealth andpermanence.
Total Mobile Malware Samples

1,500 1,200 900 600 300 0
Q1 2009
Q2 2009
Q3 2009
Q4 2009
Q1 2010
Q2 Q3 2010 2010
Q4 2010
Q1 2011
Q2 2011
Maliciously modified apps are still a popular vector for infecting devices: Corrupt a legitimate app or game and users will download and install malware on their smartphones by themselves. Infiltrating popular modified apps this quarter were the malware Android/Jmsonez.A, Android/ Smsmecap.A, and the Android/DroidKungFu, and Android/DrdDreamLite families. Lets take a close look at some recent mobile malware.
Report
Android/Jmsonez.A is a version of a calendar app that doesnt quite work as intended.3 No matter when the program is launched, it displays the calendar for January 2011. If the user tries to change the month to a future date, the malware begins sending SMS messages to a premium-rate number. Android/ Jmsonez.A also monitors the inbox for confirmation SMS messages from the premium-rate service to avoid detection. Android/Smsmecap.A is a modified version of a legitimate comedy app.4 The malware sends humorous, irreverent SMS messages to all the contacts in the users address book. Since May 21, the date of the purported Rapture, it has sent messages in a mocking tone. The Android/DroidKungFu family is similar to Android/DrdDream; it also uses a pair of root exploits to maintain itself on a device.5 The exploits are actually identical to those used by the Android/DrdDream except they have been encrypted with AES. These variants can also load URLs and install additional software and updates. The Android/DrdDreamLite family is a less capable variant of the original Android/DrdDream family.6 The Lite version uses DES to encrypt the data it sends to the attacker. Android/DrdDreamLite does not include any root exploits to remain installed on an infected device. Other complex Trojans are Android/Tcent.A, the Android/Crusewin.A family, Android/J.SMSHider.A, and Android/Toplank.A. Android/Tcent.A is another premium-rate, SMS-sending Trojan, similar to Android/Jmsonez.A, but it includes an interesting self-protection feature.7 The malware targets the QQ instant-messaging service, which is popular in China. The malware attempts to uninstall anti-virus and other security software that are bundled with mobile QQ clients. The Android/Crusewin.A family comprises a number of premium-ratesending Trojans.8 Unlike simpler malware, the Android/Crusewin.A family includes some botnet functions, including executing orders from the attackers command server. The attacker can send SMS messages from an infected device, useful for signing up the victim to premium-rate subscription services, and attempt to uninstall software. The latter feature is similar to that of Android/Tcent.A but suffers from a slight problem. Android/Crusewin.A uses an uninstall code that works only on Symbian smartphones; it will not run properly on Android. This suggests the malware author may be porting Symbian Trojan/botnet code to the Android platform. Android/J.SMSHider.A sends premium-rate messages.9 The malware author modified a legitimate SMS love analyzer to add backdoor functionality and the ability to delete incoming SMS messages. Android/J.SMSHider.A uses DES encryption to cover its communications with the attacker. Android/Toplank.A pretends to be a multiuser update to the popular Angry Birds game. The malware sends sensitive information (international mobile subscriber identity, the list of permissions granted to the malware, etc.) to the attacker and can download an additional Android app to an infected device. The new app provides a backdoor to the attacker, who can then add and delete bookmarks, browser history, and shortcuts. The attacker can also download further software. Mobile crimeware authors are continuing their tricks with SymbOS/Zitmo.C and BlackBerry/Zitmo.D, which are simple SMS forwarders. The authors have already compromised victims PCs with advanced malware, so it appears that they are doing only the bare minimum on mobile platforms to enable their attacks.
3. 4. 5. 6. 7. 8. 9.
http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=501748 http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=509500 http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=522281 http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=518925 http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=501599 http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=501639 http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=527859
Report
Cybercrime Email Address Book for Sale Via their botnets or through rental services, spammers need email address lists to flood the world. Prices vary for such enterprises, often with location.
Country Russia Address List Prices (all in U.S.$) 400,000 addresses in St. Petersburg: $25 1,000,000 (entire country): $25 3,000,000: $50 5,000,000: $100 8,000,000: $200 1,000,000: $25 3,000,000: $50 5,000,000: $100 10,000,000: $300 2,000,000: $40 1,000,000: $25 3,000,000: $50 5,000,000: $100 8,000,000: $200 1,000,000: $50 150,000: $25 1,000,000: $25 3,000,000: $50 5,000,000: $100 1,500,000: $100
United States
Ukraine Germany
Turkey Portugal Australia
England
Crimeware tools Again this quarter, we saw new products and updates among exploits kits. The most notable were the release of Eleonore Version 1.6.5, with two 2011 exploits, and Best Pack, with one 2011 exploit.
Name Weyland-Yutani BOT Version 1.0 BlackHole Exploit Kit Version 1.1.0 Prices (all in U.S.$) $1,000 Annual license: $1,500 6 months: $1,000 3 months : $700 Description Offered on the underground market. The seller quickly closed the bid after claiming to have found a buyer. This kit first appeared in September 2010. Updated in April, it contains nine exploits, with six from 2010. Announced by ScriptKiddieSec and Kahu Security as the possible successor of Dragon Pack, this exploit pack contains seven old exploits and one from 2011:10 CVE-2011-0611 (affecting Adobe Flash Player versions before 10.2.159) $2,200 This version replaced Version 2.5, whose code was leaked in April. Current release contains at least 15 exploits, with six from 2010. 10 exploits include two Flash Player exploits from 2011: CVE-2011-0558 (Flash before 10.2) CVE-2011-0611 (Flash before 10.2.159) Replaced Version 3.0RC, from April 2010. This version has nearly 20 exploits, with seven from 2010.
Best Pack
Phoenix Exploit Kit Version 2.7
Eleonore Version 1.6.5
$2,000
YES Exploit Kit 4.0
$400
10. http://www.kahusecurity.com/2011/best-pack/
Report
Actions Against Cybercriminals This quarter was not all doom and gloom. Courts and law enforcement continue to make progress worldwide against cybercriminals.
Country and Date United Kingdom April United States April Description Police Central e-Crime Unit arrested three mena Lithuanian, a Latvian, and another whose nationality was not revealedin connection with using SpyEye malware to steal online banking details.11 In Operation Adeona the Department of Justice and the F.B.I. shut down the Coreflood botnet, which had infected hundreds of thousands of PCs since 2002. During an 11-month period starting in March 2009, Coreflood siphoned some 190GB worth of banking passwords and other sensitive data from more than 413,000 infected systems as users browsed the Internet, authorities said.12 Police arrested 17 people suspected of taking part in Internet banking fraud aimed at Nordea account holders at the beginning of this year. The perpetrators tried to steal almost 1.2 million via a series of more than 100 false transactions.13 The majority of suspects are suspected of being phishing mules. The two suspected masterminds were from Estonia. A University of Salford student was convicted of a malware-based scam that allowed him to break into the computers and webmail accounts of an estimated 100 victims. The police asked McAfee to analyze the malware and acknowledged McAfees contribution in gathering evidence that enabled an early arrest.14 The Department of Justice and the F.B.I. announced Operation Trident Tribunal, a coordinated, international law enforcement action that disrupted the activities of two international cybercrime rings involved in the sale of fake-alert anti-virus software (scareware).15 Conducted with the Ukrainian security services, the action appears to be the first enforcement targeting a gang using Conficker.16 The second police effort targeted Latvians charged with creating a fraudulent advertising agency. One of the most controversial figures in Russias online world, ChronoPay cofounder and CEO Pavel Vrublevsky, was arrested on suspicion of ordering a distributed denial of service (DDoS) attack against a rival firm. Vrublevsky, 32, is probably best known as the co-owner of the RxPromotion rogue online pharmacy program. His company also consistently has been involved in credit card processing forand in many cases setting up companies on behalf ofrogue anti-virus or scareware scams that use misleading PC security alerts in a bid to frighten people into purchasing worthless security software.17
Finland May
United Kingdom May
United States, Ukraine, Latvia June
Russia June
A Touch of Cyberwar Just discussing the definition of cyberwar can spark heated debate, as more and more countries struggle with how to categorize this developing conflict. The discussion is sure to be further muddied as hacktivism becomes more prevalent.
Country and Date Russia March/April Description From March 24 to April 4 various DDoS attacks were launched against some bloggers on LiveJournal, which hosts more than 4.7 million Russian bloggers (including President Dmitry Medvedev) who exchange information and often share critical views that cannot be expressed in the mainstream media.18 The Oak Ridge National Laboratory, home to one of the worlds most powerful supercomputers, was the victim of a sophisticated cyberattack launched through phishing emails sent to some 573 lab employees. Some of them appear to have clicked on a link in the email and downloaded information-stealing malware.19 South Korean authorities alleged North Korea's secret services hacked into the computer system of the National Agricultural Cooperative Federation, which delivers supply, processing, marketing, and banking services to more than 4,000 branches.20 The Norwegian military admitted being hit by a potentially serious targeted cyberattack attack in March. The attack happened when 100 senior military personnel received an email with an attachment appearing to come from another government agency.21
United States April
South Korea May Norway May
11. 12. 13. 14. 15. 16. 17. 18. 19.
http://www.networkworld.com/news/2011/041111-uk-police-arrest-three-men.html http://www.theregister.co.uk/2011/04/13/coreflood_botnet_takedown/ http://www.theregister.co.uk/2011/05/10/finnish_banking_trojan_investigation/ http://www.zdnet.co.uk/news/security-management/2011/05/18/gamer-sentenced-for-stealing-steam-passwords-40092802/ http://www.fbi.gov/news/stories/2011/june/cyber_062211/cyber_062211 http://www.zdnet.co.uk/news/security-management/2011/06/24/ukrainian-sting-targets-conficker-fraudsters-40093222/ http://krebsonsecurity.com/tag/pavel-vrublevsky/ http://uk.reuters.com/article/2011/04/06/oukin-uk-russia-medvedev-cyberattack-idUKTRE7354OV20110406 http://www.computerworlduk.com/news/security/3275613/us-government-energy-research-lab-shuts-down-email-and-internet-access-afterphishing-attack/ 20. http://www.koreaittimes.com/story/14507/north-korea-behind-cyber-attack-south-korea-bank 21. http://www.cio.com.au/article/387581/norwegian_military_admits_march_cyberattack
Report
Malware Threats The malware landscape this quarter has presented us several surprises. Although numerically not the busiest period in history (just a little behind last years pace), when combined with the first quarter we have the busiest ever first half-year in this vector. The increase is 22 percent over 2010! McAfee Labs identified almost six million unique malware samples during this quarter. This puts us on track for our cumulative malware zoo collection to reach 75 million samples by years end.
Total Malware Samples in the Database
70,000,000 60,000,000 50,000,000 40,000,000 30,000,000 20,000,000 10,000,000 0

JAN 2010 FEB 2010 MAR 2010 APR 2010 MAY 2010 JUN 2010 JUL 2010 AUG 2010 SEP 2010 OCT 2010 NOV 2010 DEC 2010 JAN 2011 FEB 2011 MAR 2011 APR 2011 MAY 2011 JUN 2011
Just to reinforce how significant the growth has been during the last several years, here is a look at the monthly incremental growth of unique malware binaries:
New Malware Samples Added to the Database, by Month 2,500,000
2,000,000
1,500,000
1,000,000
500,000
0 JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC JAN FEB MAR APR MAY JUN 2010 2010 2010 2010 2010 2010 2010 2010 2010 2010 2010 2010 2011 2011 2011 2011 2011 2011
Report
We now collect on average almost two million new samples every month. This is certainly not a welcome development, but it is consistent and predictable considering how our business and private lives are now tethered to technology. Among the specific families we track, fake anti-virus software (a.k.a. fake-alert or rogue anti-virus software) continues to show consistent growth and has even begun to climb aboard a new platform: the Mac. You read that right; fake-AV for Apples platform is now a reality. This does not surprise us at McAfee Labs. There are more Mac users than ever before as well as steady business adoption. This puts the Apple platforms squarely in the crosshairs of malware authors. It will be interesting to see if this type of malware makes its way to the iPhone and iPad as well. It is probably a case of when rather than if.
Unique Fake-Alert Samples Discovered
350,000 300,000 300000 250,000 250000 200,000 200000 150,000 150000 100,000 100000 50,000 50000 0 0
JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC JAN FEB MAR APR MAY JUN 2010 2010 2010 2010 2010 2010 2010 2010 2010 2010 2010 2010 2011 2011 2011 2011 2011 2011
Unique Fake-Alert Samples for Mac Discovered
250 200 150 100 50 0
JUL AUG SEP OCT NOV DEC JAN FEB MAR APR MAY JUN 2010 2010 2010 2010 2010 2010 2011 2011 2011 2011 2011 2011
10
Report
Generic password-stealing Trojans declined just a bit this quarter, while AutoRun malware was greatly reduced. Koobface threats dropped to the lowest levels in years.
Unique Password Stealers Samples Discovered
300,000 250,000 200,000 150,000 100,000 50,000 0

Unique AutoRun Samples Discovered
700,000 600,000 500,000 400,000 300,000 200,000 100,000 0

Unique Koobface Samples Discovered
18,000 16,000 14,000 12,000 10,000 8,000 6,000 4,000 2,000 0

11
Report
Rootkits and Stealth Malware Another malware category demonstrating recent steady growth is the rootkit. A rootkit (sometimes called stealth malware) is code that hides its elements from the operating system and security software. Cybercriminals use rootkits to make other malware stealthier and more persistent. The better hidden the malware is, the longer it will remain on the system and engage in its malicious activity. As you can see from the following charts, rootkits are on the rise overall. The first half of 2011 was comparable to malware overall: Rootkits have seen their busiest-ever six months, up almost 38 percent over 2010! Two of the busiest rootkits that we encounter are Koutodoor and TDSS. Both are nasty and hide malware to steal data.
Unique Rootkit Samples Discovered
120,000 100,000 80,000 60,000 40,000 20,000 0
12
Report
Global Infected Computer Numbers Globally and by individual geography much of the malware we collected this quarter matched the same varieties as in the first quarter. We saw a few differences among the continents but overall they were more similar than different.
Rank 1 2 3 4 5 Rank 1 2 3 4 5 Rank 1 2 3 4 5 Rank 1 2 3 4 5 Top 5 Global Malware AutoRun Malware OpenCandy Adware HotBar Adware General Trojans HotBar vF Adware North America AutoRun Malware HotBar Adware OpenCandy Adware Downloader Malware HotBar vF Adware South America AutoRun Malware Java Runtime Exploitation Conficker AutoRun Malware Remote-Access Trojans Downloader Malware Europe and Middle East HotBar vF Adware AutoRun Malware HotBar Adware OpenCandy Adware Conficker AutoRun Malware Rank 1 2 3 4 5 Rank 1 2 3 4 5 Rank 1 2 3 4 5 Africa AutoRun Malware Downloader Malware Downloader Malware Yahoo Messenger Malware Sality Virus Asia AutoRun Malware Downloader Malware Conficker AutoRun Malware Downloader Malware Browser Exploitation Australia OpenCandy Adware Downloader Malware Hotbar Adware Downloader Malware AutoRun Malware
13
Report
Adobe Outpaces Microsoft in Attracting Exploits For several quarters, one of the major trends weve seen is that malware authors prefer to write exploits that target vulnerabilities in Adobe products as opposed to those in Microsoft products. This trend does not prove that Adobes technologies are more vulnerable or have more coding bugs than Microsofts. Rather, Adobe is one of the clear leaders in worldwide client applications, and this leadership is what drives malware authors and cybercriminals: They target what is popular and in wide use. The following chart shows the malware McAfee Labs has seen this quarter that attempts to exploit vulnerabilities in Adobe and Microsoft products.
Adobe and Microsoft Exploits Discovered
16,000 14,000 12,000 10,000 8,000 6,000 4,000 2,000 0

JAN 2011 FEB 2011 MAR 2011 APR 2011 MAY 2011 JUN 2011
Adobe Microsoft
14
Report
Messaging Threats Messaging threats continued a mild decline from last quarter, although the drop is not significant. A coordinated effort last quarter among several security providers, law enforcement, and even CERTs was able to shut off major amounts of botnet zombies and their command structure. This recent success may still be having a positive effect. We expect to again see sharp rises in spam; in the mean time, we continue to watch this area closely. Although the volume of spam remains at historic low levels, the spearphishing (a class of spam) that we see today is more targeted and effective than ever. This vector continues to evolve.
Global Spam Volume, in Trillions of Messages per Day
6 5 4 3 2 1 0
JUL 2010 AUG 2010 SEP 2010 OCT 2010 NOV 2010 DEC 2010 JAN 2011 FEB 2011 MAR 2011 APR 2011 MAY 2011 JUN 2011 Spam Ham
Spam Volume by Country

Argentina
120,000,000 100,000,000 80,000,000 60,000,000 40,000,000 20,000,000 0
JUL 2010 AUG 2010 SEP OCT 2010 2010 NOV 2010 DEC 2010 JAN 2011 FEB 2011 MAR 2011 APR 2011 MAY JUN 2011 2011
Brazil
600,000,000 500,000,000 400,000,000 300,000,000 200,000,000 100,000,000 0
Columbia
120,000,000 100,000,000 80,000,000 60,000,000 40,000,000 20,000,000 0
France
300,000,000 250,000,000 200,000,000 150,000,000 100,000,000 50,000,000 0
Germany
500,000,000 400,000,000 300,000,000 200,000,000 100,000,000 0
India
700,000,000 600,000,000 500,000,000 400,000,000 300,000,000 200,000,000 100,000,000 0
15
Report
Spam Volume by Country

Italy
250,000,000 200,000,000 150,000,000 100,000,000 50,000,000 0
Japan
50,000,000 40,000,000 30,000,000 20,000,000 10,000,000 0
Poland
200,000,000 150,000,000 100,000,000 40,000,000 50,000,000 0
Portugal
100,000,000 80,000,000 60,000,000
20,000,000 0
Russia
350,000,000 300,000,000 250,000,000 200,000,000 150,000,000 100,000,000 50,000,000 0
South Korea
200,000,000 150,000,000 100,000,000 50,000,000 0
Spain
200,000,000 150,000,000 100,000,000 200,000,000 50,000,000 0
United Kingdom
500,000,000 400,000,000 300,000,000
100,000,000 0
United States
1,500,000,000 1,200,000,000 900,000,000 600,000,000 300,000,000 0 500,000,000 400,000,000 300,000,000 200,000,000 100,000,000 0
Venezuela
JUL 2010
AUG 2010
SEP OCT 2010 2010
NOV 2010
DEC 2010
JAN 2011
FEB 2011
MAR 2011
APR 2011
MAY JUN 2011 2011
JUL 2010
AUG 2010
SEP OCT 2010 2010
NOV 2010
DEC 2010
JAN 2011
FEB 2011
MAR 2011
APR 2011
MAY JUN 2011 2011
16
Report
This quarter McAfee Labs has observed the Rustock botnets continuing to dwindle even though it may be reseeded by cybercriminals during the coming months. Meanwhile the Maazben, Cutwail, and Bobax botnet masters have stepped up their activity. Of these three dominant botnets, Maazben clearly outpaces the others in worldwide usage and influence.
North America
Bagle-CB Bobax Cutwail Grum Maazben Others
Latin America
Europe-Middle East
Africa
Asia-Paci c
Australia
Maazben's Influence on Global Botnet Infections
1,000,000 900,000 800,000 700,000 600,000 500,000 400,000 300,000 200,000 100,000 4/4/11 4/11/11 4/18/11 4/25/11 5/2/11 5/9/11 5/16/11 5/23/11 5/30/11 6/6/11 6/13/11 6/20/11 0
New Global Botnet Infections by Week Maazben
17
Report
New Botnet Infections by Week
120,000 100,000 80,000 60,000 40,000 20,000 0
4/4/11
4/11/11
4/18/11
4/25/11
5/2/11
5/9/11
5/16/11
5/23/11
5/30/11
6/6/11
6/13/11
6/13/11
Bagle-CB Donbot Rustock
New Botnet Infections by Week
160,000 140,000 120,000 100,000 80,000 60,000 40,000 20,000 4/4/11 4/11/11 4/18/11 4/25/11 5/2/11 5/9/11 5/16/11 5/23/11 5/30/11 6/6/11 6/20/11 0
Cutwail Bobax Grum
6/20/11
18
Report
There has been steady growth in new botnet infections throughout the quarter. This is an interesting juxtaposition when we consider the worldwide drop in spam. Clearly botnet usage is in a state of transition. Given the growth and goals of hacktivists, we expect to see major changes in how botnets are used.
Overall Botnet Infections per Month

6,000,000 5,000,000 4,000,000 3,000,000 2,000,000
JUN 10 APR 10 MAY 10 AUG 10 OCT 10 NOV 10 DEC 10 JAN 11 JUL 10 MAR 11 SEP 10 FEB 11
Spam lures and their subjects (the social engineering hook used to make the message attractive) continue to show diversity. Nigerian 419 scams seemed a bit more popular this quarter globally while lotto scams were also prevalent in many parts of the world, along with the long-time subjects of bogus DSN and gambling spams. Social engineering with lures based on location is certain to continue, as scammers understand the diversities in their global audience.
China
419 Scams DSN Diplomas Drugs Fashion Gambling Horoscopes Jobs Lonely Women Lotto Scams Marketing Newsletters Phishing Products Third Parties
Spam by Country
419 Scams DSN Diplomas Drugs Fashion Gambling Horoscopes Jobs Lonely Women Lotto Scams Marketing Newsletters Phishing Products Third Parties Travel Unknown Viruses Watches
Brazil
France
419 Scams DSN Diplomas Drugs Fashion Gambling Horoscopes Jobs Lonely Women Lotto Scams Marketing Newsletters Phishing Products
419 Sca DSN
Diplom Drugs
Fashion
Gambl
Horosc Jobs
Lonely
Lotto S
Marke
Newsle
Phishin
Produc
Germany
Travel Unknown Viruses 419 Scams Watches DSN
India
Third Parties Travel
Third P Travel
Indonesia
Unknown
Unkno
419 Scams Viruses DSN Watches Diplomas Drugs Fashion Gambling Horoscopes Jobs Lonely Women Lotto Scams Marketing Newsletters Phishing Products Third Parties Travel Unknown Viruses Watches
419 Sc Viruses
DSN Watch
Diplomas Drugs Fashion Gambling Horoscopes Jobs Lonely Women Lotto Scams Marketing Newsletters Phishing Products Third Parties Travel Unknown Viruses Watches
Diplom Drugs
Fashio
Gambl
Horosc Jobs
Lonely
Lotto S
Marke
Newsle
Phishin
Produc
Third P Travel
Unkno
Viruse
Watch
19
Report
Spam by Country
419 Scams DSN Diplomas Drugs Fashion Gambling Horoscopes Jobs Lonely Women Lotto Scams Marketing Newsletters Phishing Products Third Parties Travel Unknown Viruses Watches
Italy
Philippines
419 Scams DSN Diplomas Drugs Fashion Gambling Horoscopes Jobs Lonely Women Lotto Scams Marketing Newsletters Phishing Products Third Parties
419 Scams DSN Diplomas Drugs Fashion Gambling Horoscopes Jobs
Russia
South Korea
419 Scams DSN Diplomas Drugs Fashion Gambling Horoscopes Jobs Lonely Women Lotto Scams Marketing Newsletters Phishing Products Third Parties Travel Unknown Viruses
419 S DSN
Diplo
Drug
Fashi
Gamb
Horo Jobs
Lonely Women Lotto Scams Marketing Newsletters Phishing Products Third Parties Travel
Lonel
Lotto
Mark
News
Phish
Produ
United Kingdom
Travel
United States
Venezuela
Third
Unknown
Unknown Viruses 419 Scams Watches DSN
Trave
419 Scams Viruses DSN Watches Diplomas Drugs Fashion Gambling Horoscopes Jobs Lonely Women Lotto Scams Marketing Newsletters Phishing Products Third Parties Travel Unknown
419 Scams DSN Diplomas Drugs Fashion Gambling Horoscopes Jobs Lonely Women Lotto Scams Marketing Newsletters Phishing Products Third Parties Travel Unknown
Unkn
Watches
Virus
Diplomas Drugs Fashion Gambling Horoscopes Jobs Lonely Women Lotto Scams Marketing Newsletters Phishing Products Third Parties Travel Unknown Viruses
Watc
Viruses Viruses Web Threats Watches Watches Watches Websites can have bad or malicious reputations for a variety of reasons. Reputations can be based on full domains and any number of subdomains as well as on a specific IP address or URL. Malicious reputations are influenced by the hosting of malware, potentially unwanted programs, or phishing sites. Often we observe combinations of questionable code and functionality. Many factors go into a sites reputational rating.
Last quarter McAfee Labs recorded an average of 8,900 new bad sites per day; this period that figure dropped a bit to 7,300 hits, which is comparable to the same time last year.
New Bad-Reputation URLs per Day
40,000 35,000 30,000 25,000 20,000 15,000 10,000 5,000 0
APR 1 2011 MAY 1 2011 JUNE 1 2011 JULY 1 2011
We saw some significant spikes in malicious web content this quarter. Several of these spikes corresponded to intensive malicious campaigns.
20
Report
On May 31, spam campaignsone promoting online dating sites with video chats and another informing recipients of fake pending invoicesdistributed fraudulent URLs hosting Zeus-related malware (Generic FakeAlert.by and Generic PWS.y). Among these sites were undss-syria.org, baranava.com, emajic.net, and sturtholdfastmarioncc.com. The vast majority of these new malicious sites are located in the United States. Next in line, we find South Korea, Netherlands, Canada, United Kingdom, China, and Germany. In the first quarter our top countries were the United States, South Korea, Germany, and China. This quarter, however, is quite different. Our regional breakdown reveals where most malicious servers reside:
Africa 0.2%
Asia-Pacific 11.1%
Australia 1.8%
Africa Asia-Paci c Australia Europe-Middle East Latin America
Europe-Middle East 24.9% North America 60.2%
North America
Latin America 1.7%
North America, primarily the United States, still dominates, but the figure for the combined region of Europe, the Middle East, and Africa has increased to 25 percent from 18 percent in the first quarter. Lets take a deeper look at some regions:
Africa
Morocco South Africa Egypt Senegal Seychelles Others
Asia Paci c
South Korea China Vietnam Others
21
Report
Australia
Australia New Zealand
Europe and Middle East

Netherlands United Kingdom Germany France Russia Romania Italy Others
Latin America
Brazil British Virgin Islands Argentina Chile Panama Trinidad and Tobago Others
North America
United States Canada Mexico
This quarter, the number of websites hosting malicious downloads has again increased, while the amount of sites that host browser exploits was unchanged:
Active Malicious URLs
160,000 140,000 120,000 100,000 80,000 60,000 40,000 20,000 0 JUL 2010 AUG 2010 SEP 2010 OCT 2010 NOV 2010 DEC 2010 JAN 2011 FEB 2011 MAR 2011 APR 2011 MAY 2011 JUN 2011
Malicious Downloads Browser Exploits
This quarter we also observed a continued increase in blogs and wikis with malicious reputations.
22
Report
Websites Delivering Malware and PUPs The following chart provides a picture of the number of websites delivering malware and potentially unwanted programs (PUPs) that McAfee Labs detected this quarter.
New Malware Sites per Day
35,000 30,000 25,000 20,000 15,000 10,000 5,000 0 APR 1 2011
MAY 1 2011 JUNE 1 2011 JULY 1 2011
We saw a small increase this quarter with around 3,000 new sites per day compared with 2,700 per day during the first quarter. Phishing Sites This quarter we identified approximately 2,700 phishing URLs per day, up slightly from 2,500 per day lastquarter.
New Phishing Sites per Day
8,000
6,000
4,000
2,000
0
APR 1 2011 MAY 1 2011 JUNE 1 2011 JULY 1 2011
23
Report
About the Authors This report was prepared and written by Toralv Dirro, Paula Greve, Rahul Kashyap, David Marcus, Franois Paget, Craig Schmugar, Jimmy Shah, and Adam Wosotowsky of McAfee Labs. About McAfee Labs McAfee Labs is the global research team of McAfee. With the only research organization devoted to all threat vectorsmalware, web, email, network, and vulnerabilitiesMcAfee Labs gathers intelligence from its millions of sensors and its cloud-based service McAfee Global Threat Intelligence. The McAfee Labs team of 350 multidisciplinary researchers in 30 countries follows the complete range of threats in real time, identifying application vulnerabilities, analyzing and correlating risks, and enabling instant remediation to protect enterprises and the public. About McAfee McAfee, a wholly owned subsidiary of Intel Corporation (NASDAQ:INTC), is the worlds largest dedicated security technology company. McAfee delivers proactive and proven solutions and services that help secure systems, networks, and mobile devices around the world, allowing users to safely connect to the Internet, browse, and shop the web more securely. Backed by its unrivaled Global Threat Intelligence, McAfee creates innovative products that empower home users, businesses, the public sector, and service providers by enabling them to prove compliance with regulations, protect data, prevent disruptions, identify vulnerabilities, and continuously monitor and improve their security. McAfee is relentlessly focused on finding new ways to keep our customers safe. www.mcafee.com
McAfee 2821 Mission College Boulevard Santa Clara, CA 95054 888 847 8766 www.mcafee.com
The information in this document is provided only for educational purposes and for the convenience of McAfee customers. The information contained herein is subject to change without notice, and is provided as is, without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance. McAfee, the McAfee logo, McAfee Labs, and McAfee Global Threat Intelligence are registered trademarks or trademarks of McAfee or its subsidiaries in the United States and other countries. Other marks may be claimed as the property of others. 2011 McAfee. All rights reserved. 32000rpt_quarterly-threat-q2_0711_ETMG

McAfee Threats Report Q2 2011

Cargado por

Información del documento

Descripción original:

Derechos de autor

Formatos disponibles

Compartir este documento

Compartir o incrustar documentos

Opciones para compartir

¿Le pareció útil este documento?

¿Este contenido es inapropiado?

Copyright:

Formatos disponibles

McAfee Threats Report Q2 2011

Cargado por

Copyright:

Formatos disponibles

Report

McAfee Threats Report: Second Quarter 2011

McAfee Threats Report: Second Quarter 2011

McAfee Threats Report: Second Quarter 2011

McAfee Threats Report: Second Quarter 2011

McAfee Threats Report: Second Quarter 2011

New Mobile Malware This Quarter

Android Java ME Symbian BlackBerry MSIL Python VBS

Total Mobile Malware Samples

McAfee Threats Report: Second Quarter 2011

McAfee Threats Report: Second Quarter 2011

Turkey Portugal Australia

Phoenix Exploit Kit Version 2.7

Eleonore Version 1.6.5

YES Exploit Kit 4.0

McAfee Threats Report: Second Quarter 2011

United Kingdom May

United States, Ukraine, Latvia June

United States April

South Korea May Norway May

11. 12. 13. 14. 15. 16. 17. 18. 19.

McAfee Threats Report: Second Quarter 2011

70,000,000 60,000,000 50,000,000 40,000,000 30,000,000 20,000,000 10,000,000 0

McAfee Threats Report: Second Quarter 2011

Unique Fake-Alert Samples for Mac Discovered

250 200 150 100 50 0

McAfee Threats Report: Second Quarter 2011

Unique Password Stealers Samples Discovered

300,000 250,000 200,000 150,000 100,000 50,000 0

Unique AutoRun Samples Discovered

700,000 600,000 500,000 400,000 300,000 200,000 100,000 0

Unique Koobface Samples Discovered

18,000 16,000 14,000 12,000 10,000 8,000 6,000 4,000 2,000 0

McAfee Threats Report: Second Quarter 2011

Unique Rootkit Samples Discovered

120,000 100,000 80,000 60,000 40,000 20,000 0

McAfee Threats Report: Second Quarter 2011

McAfee Threats Report: Second Quarter 2011

16,000 14,000 12,000 10,000 8,000 6,000 4,000 2,000 0

McAfee Threats Report: Second Quarter 2011

Spam Volume by Country

McAfee Threats Report: Second Quarter 2011

Spam Volume by Country

SEP OCT 2010 2010

MAY JUN 2011 2011

SEP OCT 2010 2010

MAY JUN 2011 2011

McAfee Threats Report: Second Quarter 2011

Maazben's Influence on Global Botnet Infections

New Global Botnet Infections by Week Maazben

McAfee Threats Report: Second Quarter 2011

New Botnet Infections by Week

120,000 100,000 80,000 60,000 40,000 20,000 0

Bagle-CB Donbot Rustock

New Botnet Infections by Week

Cutwail Bobax Grum

McAfee Threats Report: Second Quarter 2011

Overall Botnet Infections per Month

419 Sca DSN

Travel Unknown Viruses 419 Scams Watches DSN

Third Parties Travel

McAfee Threats Report: Second Quarter 2011

Unknown Viruses 419 Scams Watches DSN