G Data PC MalwareReport

Half-yearly report January – June 2013

G Data SecurityLabs


Copyright © 2013 G Data Software AG

G Data PC Malware Report H1/2013

Contents

At a glance
Malware program statistics
  Categories
  Platforms – massive focus on Windows
Risk monitor
Website analyses
  Categorisation by topic
  Categorisation by server location
Online banking
Conclusion and outlook


At a glance

• In the first half of 2013, there were 1,509,934 new malware strains in total.

• Compared to the second half of 2012, that is an increase of almost 20%.

• In H1 2013, an average of 8,342 new malware program types was produced every day.

• We expect a record number of three million new malware program types in one year to be set by the end of 2013.

• The number of new malware program types in the worm category has once again increased significantly over the past six months.

• The adware category has also recorded a steep increase in numbers, after this area had been somewhat less active in 2012.

• Malware authors are focusing even more on Windows. In H1 2013, more than 99.9% of all new malware programs were targeting Windows!

• In the risk monitor, a glance at attacks on G Data customers that have been fought off shows that the last half year focused on making money through click fraud and pay-per-install.

• The Sirefef malware family, also known as ZeroAccess, is still dominating the top 10.

• The area of pornography has become predominant in relation to malicious websites, almost doubling its share and now holding 2nd place.

• The proportion of dangerous websites related to shopping has also increased significantly, leaping from 9th place to 4th.

• Malicious websites are increasingly distributed across more categories; the share of the top 10 places has fallen to 74.6% and thus lost 14% since the second half of 2012.

• Malicious websites are still predominantly hosted in countries with an advanced infrastructure.

• The numbers of infections involving banking Trojans remained at a comparatively low level over the past half year. However, the numbers in June were about a quarter more than back in December 2012.

• Cridex has been added as a new family and has immediately made a name for itself with high infection numbers.

• In late May/early June, a large portion of the Citadel botnet was destroyed in a joint effort by Microsoft and various authorities.

• The source code for the Trojan horse Carberp has been published on the Internet and is now freely available. We expect parts of this code to appear in new malware programs.

• Investigating authorities will experience increasing difficulties with prosecutions, because the banking Trojan market is becoming more diversified.

• Attackers are also working on further decentralising botnet communication, so new developments are expected in this area as well.


Malware program statistics

In the first half of 2013, there were 1,509,934 new types of malware programs¹ in total. Experts at G Data SecurityLabs thus recorded yet another increase and, in fact, a new record compared to the previous six-month periods. The forecasts in the last half-yearly report predicted a level similar to that of H2 2012, but the current figures indicate that we can expect yet another new record by the end of 2013.

Compared to H2 2012, the number of newly registered malware program types increased by 251,455, or almost 20%. Compared to H1 2012, that is an increase of 127,967, or more than 9%. Since the tendency has been for more new malware program types to be recorded in the second half of each year, we expect the milestone of three million new malware program types to be passed by the end of 2013. All it would take to reach this number is for the average of 8,342 new malicious programs per day to remain unchanged. Based on these figures, almost 6 new malware programs were produced every minute in the first half of 2013!

Categories

A glance at the categories of new malware program types shows the basic direction of the interests of cyber criminals. Malware programs are classified on the basis of the malicious actions that they execute in an infected system. Figure 2 shows the most important categories.

In the dominant categories – Trojan horses, spyware, downloaders and backdoors – there have been no significant changes or surprises. New malware programs were once again added at the usual high levels in the first half of 2013.

The steep increase in the worm category is noteworthy. The number of new worm malware variants is still on the rise and has caught up with the number of new backdoor variants, but they remain in 5th place.

¹ The figures in this report are based on the identification of malware using virus signatures. They are based on similarities in the code of harmful files. Much malware code is similar and is gathered together into families, in which minor deviations are referred to as variants. Fundamentally different files form the foundation for their own families. The count is based on new signature variants, also called malware types, created in the first half of 2013.

Figure 1: Number of new malware program types since 2006


Adware is in 6th place – after a fall in the second half of 2012, the number of new adware variants is now back at last year's level. This is also reflected in the trend shown in recorded attacks against computer users in H1 2013. For more information, see the "Risk monitor" section.

The exploits category has probably experienced the most remarkable downward trend. Even though new exploit variants have always been at a relatively low level, their number has fallen by another 46%. Fewer new detections of exploit variants do not necessarily mean a lower risk from the exploitation of security vulnerabilities. Experts at G Data SecurityLabs have long been observing how old security vulnerabilities are successfully exploited time and again, because computer users have failed to install updates and patches, thus leaving the doors wide open for cyber attackers. A single (!) security vulnerability on a PC is enough to infect the PC and thus potentially the entire network. According to research, 9,776 security vulnerabilities were discovered in 2012, an increase of 15% over the last five years and of 5% since 2011.²

The Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik; short: BSI) also rates exploits as a particularly dangerous and relevant risk in its "Register of current cyber risks and forms of attacks".³ So there is no reason to give the all-clear!

² Secunia Vulnerability Review 2013

³ https://www.bsi.bund.de/DE/Themen/Cyber-Sicherheit/Content_Cyber-Sicherheit/Analysen/Grundlagen/BSIa001.html

Figure 2: Number of new malware programs per category in the last seven six-month periods


Platforms – massive focus on Windows

A glance at the target platforms of the new malware program types holds few surprises. Malware code targeting the Windows platform has been and still is number one. However, compared to the previous six-month period, the share of .NET developments (MSIL) has once again increased and has now more than doubled since H2 2011 (1.4%). The number of new .NET developments is also on the rise: compared to H1 2012, H1 2013 records a plus of more than 150%.

In H1 2013, more than 99.9% of all new malware programs were aimed at Windows⁴. This is yet another increase in its share!

The number of new signatures for WebScripts is continuing to fall because this threat can still usually be detected through generic signatures. Thus there is no need for large numbers of new defence mechanisms. They still retain third place.

A glance at the next section "Risk monitor" shows which attacks were actually executed against computer users in the past half year, irrespective of the changes in new malware program types.
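How the Win/MSIL split in Table 1 can be reproduced from the files themselves, as an added example that is not G Data's own tooling: footnote 4 defines "Windows" malware as executable files in PE format plus MSIL (.NET) images, and a .NET image can be recognised from its PE headers alone, because the optional header's data directory slot 14 (the CLR runtime header) is populated. The classifier below parses only the headers; the sample files are constructed in build_minimal_pe() with made-up CLR header values, and the function names classify_pe, is_windows_platform and platform_shares are mine, not the report's.

```python
"""Header-based platform classification of PE files: native Win32/Win64 vs MSIL (.NET).

Added example, not G Data's code. Assumptions: the COFF/PE header layout from the
PE/COFF specification; sample files are constructed in build_minimal_pe().
"""
import struct
from collections import Counter

# Values from the PE/COFF specification
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # data directory slot of the CLR runtime header


def classify_pe(data: bytes) -> str:
    """Return 'MSIL', 'Win32', 'Win64' or 'not-PE' by inspecting the PE headers only."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-PE"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)          # offset of the PE signature
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not-PE"
    coff = e_lfanew + 4
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                               # start of the optional header
    if opt_size < 2 or opt + opt_size > len(data):
        return "not-PE"                                           # truncated or malformed header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        return "not-PE"
    # The CLR slot only counts if the directory table is declared long enough to contain it.
    (ndirs,) = struct.unpack_from("<I", data, ndirs_off)
    clr_entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    if ndirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR and clr_entry + 8 <= opt + opt_size:
        clr_rva, clr_size = struct.unpack_from("<II", data, clr_entry)
        if clr_rva and clr_size:
            return "MSIL"   # .NET image: the loader hands it to the CLR, whatever the Machine field says
    if magic == PE32PLUS_MAGIC or machine == IMAGE_FILE_MACHINE_AMD64:
        return "Win64"
    return "Win32"


def is_windows_platform(label: str) -> bool:
    """Footnote 4's counting rule: native PE files and MSIL images both count as Windows."""
    return label in ("Win32", "Win64", "MSIL")


def platform_shares(samples) -> dict:
    """Count samples per platform label, the tally behind a table like Table 1."""
    return dict(Counter(classify_pe(blob) for blob in samples))


def build_minimal_pe(machine: int, pe32plus: bool, has_clr: bool) -> bytes:
    """Construct a header-only PE image as a test fixture (not a runnable program)."""
    dos_header = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)     # e_lfanew -> 0x40
    opt_size = 0xF0 if pe32plus else 0xE0                          # 16 data directories each
    coff_header = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    ndirs_off = 108 if pe32plus else 92
    struct.pack_into("<I", opt, ndirs_off, 16)                     # NumberOfRvaAndSizes
    if has_clr:
        clr_entry = ndirs_off + 4 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        struct.pack_into("<II", opt, clr_entry, 0x2008, 0x48)      # constructed RVA/size of the CLR header
    return dos_header + b"PE\0\0" + coff_header + bytes(opt)


if __name__ == "__main__":
    corpus = [                                                     # constructed sample set
        build_minimal_pe(IMAGE_FILE_MACHINE_I386, False, False),   # native 32-bit
        build_minimal_pe(IMAGE_FILE_MACHINE_AMD64, True, False),   # native 64-bit
        build_minimal_pe(IMAGE_FILE_MACHINE_I386, False, True),    # AnyCPU .NET assembly: PE32 + CLR header
        b"#!/bin/sh\necho not a PE file\n",                         # would be filed under another platform
    ]
    shares = platform_shares(corpus)
    windows = sum(n for label, n in shares.items() if is_windows_platform(label))
    print(shares, f"Windows share: {windows / len(corpus):.1%}")
```

Header-based classification only sees what the file declares: a .NET assembly wrapped in a native packer shows no CLR directory until it is unpacked, and a mixed-mode C++/CLI image carries both a CLR header and native code and would be filed under MSIL here. Both cases are consistent with footnote 4, which treats MSIL as a Windows platform and is the reason the "more than 99.9%" figure folds the MSIL row of Table 1 into Windows.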

  Platform     2013 H1    Share   2012 H2    Share   Change vs 2012 H2   Change vs 2012 H1
1 Win        1,462,527    96.9%  1,223,419   97.2%   +19.54%              +7.52%
2 MSIL          46,448     3.1%     33,020    2.6%   +40.67%            +150.25%
3 WebScripts       540    <0.1%      1,087    0.1%   -50.32%             -67.70%
4 Java             163    <0.1%        426   <0.1%   -61.74%             -75.58%
5 Scripts⁵         146    <0.1%        392   <0.1%   -62.76%             -69.77%

Table 1: Top 5 platforms in the last two six-month periods

⁴ For us, malware for Windows means executable files in PE format that are declared there for Windows, or executable files created in Microsoft Intermediate Language (MSIL). MSIL is the intermediate format that is used in the .NET environment. Most .NET applications are platform independent, but they are used almost exclusively on Windows computers.

⁵ "Scripts" are batch or shell scripts or programs that were written in scripting languages such as VBS, Perl, Python or Ruby.

Risk monitor

The risk monitor shows the top 10 attacks against computer users⁶ that were fended off by G Data security solutions with MII⁷ activated. Over the last six months, the focus has clearly been on malware routines like click fraud and pay-per-install – in pursuit of fast cash!

The dominance of the Sirefef malware family (also known as ZeroAccess) during the second half of 2012 continues in the report for the past six months. There are numerous new variants of the family, and some of these were so widespread that they once again dominate the top ranks. The main motive of the various malware families is monetary gain, e.g. through manipulated search engine results (click fraud). Paired with various sophisticated rootkit functions, this creates very aggressive and powerful malware.

⁶ The way of counting in this chapter differs from the preceding chapter, because the numbers of actual attacks are evaluated rather than the number of new malware program types. A single malware program can have a massive effect when the attacks are counted, even if the family has produced few (new) variants (for example: Trojan.Wimad.Gen.1).

⁷ The Malware Information Initiative (MII) relies on the power of the online community, and any customer that purchases a G Data security solution can take part in this initiative. The prerequisite for this is that customers must activate this function in their G Data security solution. If a malware attack on a computer is fended off, a completely anonymous report of this event is sent to G Data SecurityLabs. G Data SecurityLabs then collects and statistically assesses data on the malware.


Rank  Name                          Percent
1     Win32:DNSChanger-VJ [Trj]     7.28%
2     Win64:Sirefef-A [Trj]         1.61%
3     Adware.BHO.BProtector.A       1.41%
4     Win32:ZAccess-PB [Trj]        1.20%
5     Exploit.CVE-2011-3402.Gen     0.78%
6     Generic.JS.Crypt1.C14787EE    0.77%
7     Trojan.Sirefef.XL             0.57%
8     Trojan.Sirefef.RG             0.53%
9     Gen:Variant.Kazy.138843       0.52%
10    Trojan.Wimad.Gen.1            0.48%

Table 2: The top 10 attacks registered by the MII in H1 2013

With Win64:Sirefef-A [Trj], Win32:ZAccess-PB [Trj], Trojan.Sirefef.XL and Trojan.Sirefef.RG, this multi-component family holds four of the top spots and was responsible for about one in 25 recorded attacks. This number is even higher if you count Win32:DNSChanger-VJ [Trj] as part of the Sirefef malware family. DNSChanger is often shipped as a payload of the Sirefef family and is therefore still at the top of the statistics. If you include its attacks in the count, this aggressive malware combination is responsible for as many as one in nine attacks.

The malware Gen:Variant.Kazy.138843 belongs to the click fraud category. This malicious code monitors the Internet data traffic and takes over the browser session as soon as one of the URLs predefined in the code is called up. Generic.JS.Crypt1.C14787EE is also suspected of artificially generating clicks through images loaded via JavaScript.

Adware.BHO.BProtector.A, a detection for potentially unwanted browser toolbars, makes money for the attackers using the pay-per-install principle. This completes the top 10 for the six-month period, which is characterised by the pursuit of direct monetary gain rather than the detour of stealing data first and selling it on.

The "exceptions" to this trend in the first half of the year are Exploit.CVE-2011-3402.Gen and the evergreen Trojan.Wimad.Gen.1. Duqu, the Stuxnet relative, was already using this exploit (a vulnerability in the TrueType font parsing of the Windows kernel, patched by Microsoft in MS11-087) in targeted attacks back in 2011. The fact that this exploit is still in the top 10 attacks shows that a specific development like this eventually progresses to the mass malware market: in this case, the exploit was integrated into the Cool Exploit Kit and, soon after, into the Blackhole Exploit Kit as well.⁸

⁸ http://krebsonsecurity.com/tag/cve-2011-3402/


Website analyses

Categorisation by topic

There have been several new developments in the top 10 categories of malicious websites in the first six months of the year.⁹

In total, the top 10 have a share of 74.6%, which is a full 14% less than in the second half of 2012. Hence overall, the attacks are increasingly spread across the existing categories. The remaining 25.4% are spread over 68 additional categories, which show that there is still a clear focus on the top 10 or even top 5 – the first five categories alone cover 55.3% of all websites detected as malicious websites.

The health and games categories have reappeared since H2 2012. However, sport and forums have been pushed out of the top 10 – they are in 12th and 23rd place at the end of H1 2013.

The technology & telecommunication category has safely held on to 1st place, but is down by almost 10% compared to H2 2012. Maybe websites for technology enthusiasts have improved their security concepts and are not as easy to attack. However, the pornography area has moved up to 2nd place, increasing from 7.5% (when it was in 5th place) to 13.4%.

There has been no significant change to the situation with malicious blog sites – they used to be in 7th place with 5.1% and are now in 5th place with 5.7%.

What is notable though is the decline in the education category, which was still in 2nd place in H2 2012, with 15.5%, but has now almost lost its spot in the top 10 altogether. Shopping on the other hand has advanced from 9th place, with 3.1%, to 4th place with 8.9%.

The distribution across 78 different subject categories also reaffirms the fact that attacks can take place anywhere on the Internet. There are some subject areas that harbour a higher risk of infection, but no subject area in itself is completely evil or harmless. Attackers are focusing on current topics¹⁰ but, other than that, they are relying on untargeted attacks that are quick to execute, for example through the mass infection of websites with security vulnerabilities. This means high profits with little effort.

⁹ In this context, malicious websites include phishing sites as well as malware sites. The count does not distinguish between domains set up specifically for this purpose and legitimate sites that have been manipulated.

¹⁰ Example: http://blog.gdatasoftware.com/blog/article/explosions-at-boston-marathon-inspire-cyber-attackers.html

Figure 3: Top 10 subjects of malicious websites in H1 2013


Categorisation by server location

Malicious websites are hosted on servers across the world. The map below, Figure 4, shows the frequency distribution of websites flagged as malicious. The figure does not distinguish between websites with malicious code and phishing sites.

Highly developed countries with a particularly advanced infrastructure in the telecommunications industry are still the attackers' favourite hosting countries. These include the USA, Russia, central European countries (currently first and foremost Germany) and also China. Proportionally, Russia and Germany have gained compared to previous analyses.

The white spots on the African continent recorded in H2 2012 have become smaller. There were malicious websites in these places as well at the start of 2013, albeit only a few. Hence the trend we are continuing to see is that the number of countries not involved at all is decreasing.

Figure 4: Choropleth map showing how many hosted, malicious websites there are in different countries


Online banking

The number of infections fell markedly in the second half of 2012. However, this trend has been halted and partially reversed. In June 2013, the infection figures were about a quarter higher than back in December 2012, whereas the number of infections had fallen by about two thirds between July 2012 and December 2012.

A whole range of Trojans rather than a single Trojan are responsible for the higher infection numbers. The chronology of the first half of 2013 is:

In March and April, Bankpatch and Tatanga recorded higher infection numbers. Bankpatch managed to achieve these infection levels by spreading a new version of the Trojan. This version uses the Jabber protocol for communication.

With Cridex, a new Trojan has managed to position itself on the market. Cridex recorded significant infection numbers, especially in April and May. In May it even reached third place in the ranking for most frequent banking Trojans.

At the end of April, a new version of the ZeuS variant Citadel was detected, after the author had been thought to have gone underground. The publication of this variant resulted in a sharp increase in infection numbers. The rapid decline of infections in June is due to the organised take-down of Citadel command & control servers by Microsoft, in cooperation with various authorities. They "simultaneously cut off communication between 1,462 Citadel botnets and the millions of infected computers under their control".¹¹

¹¹ http://www.microsoft.com/en-us/news/Press/2013/Jun13/06-05DCUPR.aspx

Family      Q1 2013   Q2 2013
Citadel       34.7%     42.4%
Gameover      14.8%      7.8%
Sinowal       11.7%     13.5%
Tatanga       11.2%      8.5%
ZeuS           8.1%      9.1%
Other         19.5%     18.7%

Table 3: Share of banking Trojan families detected by BankGuard in Q1 and Q2 2013

Figure 5: Share of banking Trojan families detected by BankGuard in H1 2013

Citadel's significant strength in May had the effect that twice as many infections were recorded in this month compared to January. Even though the infection numbers for Citadel dropped to an average level in June, the total number of infections involving banking Trojans will still be a quarter higher than in January. Bebloh and ZeuS are especially responsible for this:

The Bebloh Trojan (also known as URLzone) developed notably over the last six months. This Trojan has been known to be very innovative for some time, e.g. by faking return bank transfers, but has never had particularly high infection numbers. However, in June Bebloh managed to reach the top three of the most frequent banking Trojans.

In June, sharply higher infection rates for the standard ZeuS Trojan were also detected. These may have been triggered by a newly circulated bundle of the source code on the Internet. In addition, ZeuS was being spread as malware via Facebook pages, so it enjoyed a true revival in a short space of time.¹² To carry out this ploy, the attackers created fake pages for popular sports clubs and sports goods manufacturers, as well as leather goods manufacturers and brands of sunglasses, to lure victims to infected websites.

What is also remarkable is that, after the ZeuS source code, the source code for the Carberp Trojan was also made available in underground forums in June. In the past, security experts often described this Trojan as particularly technically advanced. However, Carberp's infection numbers have never reached a particularly significant level.

Initial analyses by G Data can only partially confirm the high technical quality. According to G Data, most of the source code is not significantly new, and it is more likely than not inferior to the source code for ZeuS. However, the bootkit that is included is of a technically high quality and could motivate cyber criminals to use at least this part of the Trojan.

12 http://www.ibtimes.com/facebook-virus-hackers-exploiting-facebook-api-send-malware-nfl-nba-real-madrid-fc-fans-1314701

Figure 6: Development of infection numbers for the most notable banking Trojans in H1 2013


Conclusion and outlook

As predicted in the last MalwareReport, the trend towards lower infection numbers did not continue and has been partially reversed.

The Trojan horse market has been showing an ongoing trend towards diversification. While individual banking Trojans used to dominate the market, there is a clear trend toward multiple Trojans occurring in similar numbers.

This should make life harder for law enforcement authorities. While they used to be able to focus on individual Trojan authors, other authors now seem to be ready to spring into action in the immediate aftermath of successful investigations and arrests. Depending on the success of the law enforcement authorities, this trend is expected to continue. Following the publication of the ZeuS source code in 2011, the source code for Carberp is now also available on the Internet, making it even easier for people to develop their own clones.

As predicted, steps were taken to decentralise botnet communication. Bankpatch has become a trendsetter with command & control traffic over the chat protocol Jabber (XMPP). Further developments in this area are likely. Communication via Tor also still appears to be an attractive option from the cyber criminals' perspective.