
Malware Report Q2 2012

Copyright © 2012 Kindsight, Inc. All rights reserved.


Kindsight Security Labs Malware Report – Q2 2012

Contents

INTRODUCTION 1

Q2 2012 HIGHLIGHTS 1

Q2 2012 HOME MALWARE STATISTICS 2

Home Network Infection Rates 2

Infection Methods 2

Top 20 Home Network Infections 3

Top High Level Threats 3

Top 20 Internet Threats 4

NEW DEVELOPMENTS IN Q2 5

Mac “Flashback” at Number One for 4 Weeks 5

Zeroaccess Modifies C&C Protocol 5

Ad-click Fraud Burns Bandwidth 6

Flame is the Latest Espionage Bot 7

DNSChanger is Still Making News 7

Q2 2012 MOBILE MALWARE STATISTICS 8

Mobile Device Infection Rates 8

Top Android Malware 8

“Find and Call” Infects iPhones and Androids 8

CONCLUSION 9

ABOUT KINDSIGHT SECURITY LABS 10


Introduction

The Kindsight Security Labs Q2 2012 Malware Report shows general trends for malware infections in home networks and in mobile devices and computers connected through mobile adapters. The numbers in this report are aggregated across the networks where Kindsight solutions are deployed.

Infection rate: 14% of home networks, up 7.7% over the previous quarter (13% in Q1).

Q2 2012 Highlights

• 14% of home networks were infected with malware in Q2/2012, up from 13% in the previous quarter.

• The Mac Flashback infection led the top 20 list for four weeks in a row, infecting 10% of home networks with Mac computers during the month of April.

• The p2p ZeroAccess botnet changed its C&C protocol and grew to over 1.2 million super nodes. Its ad-click fraud can consume the equivalent bandwidth of downloading as many as 45 full-length movies per month per infected subscriber.

• 0.7% of all devices on mobile networks were infected. The infected devices include Android phones and laptops connected to the mobile network. This rate is significant because the total device count includes a large number of feature phones that are not targets for malware.

• In Q2 there was a three-fold increase in the number of Android malware samples.


Q2 2012 Home Malware Statistics

Home Network Infection Rates

In fixed broadband deployments we found that in Q2/2012 an average of 14% of residential households show evidence of malware infection. In Q1, 13% of residential households showed evidence of infection. 9% of households were infected by high threat level malware such as a botnet, rootkit or a banking Trojan. 6% of households were infected with moderate threat level malware such as spyware, browser hijackers or adware. Some households had multiple infections, which is why the two figures add up to more than 14%. The number of high level infections is a 50% increase from Q1/2012, when only 6% of households were infected with a high-level threat.

Infection Methods

The main infection method continues to be e-mail messages luring victims to web sites running a variety of exploit kits. The victim typically receives an e-mail message purporting to come from a business or the government, informing them of an issue with their account. This contains a reasonable-looking link to a web site. The web site actually hosts an exploit kit such as Blackhole, which probes the victim's system and attempts to infect it. Once the system is infected the attacker generally installs a rootkit botnet such as Alureon or ZeroAccess, which is then used to coordinate additional malware activity. In some cases they directly download fake anti-virus software, a spambot or a banking Trojan like Zeus or SpyEye. Often the e-mail simply contains a zip file containing an executable malware file.

Chart: Home networks infected with malware: 14% infected. Division of infections by threat level: 9% high, 6% moderate. High level threats up 50% over the previous quarter.


Top 20 Home Network Infections

The table below shows the top home network infections detected in Kindsight deployments. The results are aggregated and the order is based on the number of infections detected over the 3-month period of this report.

Position Name Threat Level
1 Hijacker.MyWebSearchToolbar Moderate
2 Spyware.SCN-ToolBar Moderate
3 Hijacker.StartPage.KS Moderate
4 Adware.GameVance Moderate
5 Mac.Bot.Flashback.K/I High
6 Adware.MarketScore Moderate
7 Trojan.NineBall/Gumblar High
8 Trojan.Backdoor.TDSS High
9 Botnet.ZeroAccess High
10 Downloader.Agent.TK High
11 Spyware.SBU-Hotbar Moderate
12 BankingTrojan.Zeus High
13 Trojan.Alureon/TDL High
14 Trojan.DNSChanger High
15 Hacktool.Binder High
16 Downloader.Cred.B High
17 Trojan.Agent.Gen High
18 Virus.Sality.AT High
19 Downloader.Ponmocup.A High
20 Trojan.Medfos.A High

Top High Level Threats

The table below shows the top 20 high threat level malware that leads to identity theft, cybercrime or other online attacks. We'll look at the significant ones in more detail below under New Developments.

Position Name
1 MAC.Bot.Flashback.K/I
2 Win32.Botnet.ZeroAccess
3 Win32.Trojan.NineBall/Gumblar
4 Win32.Backdoor.TDSS
5 Win32.Downloader.Agent.TK
6 Win32.BankingTrojan.Zeus
7 Win32.Trojan.Alureon/TDL
8 DNS.Trojan.DNSchanger
9 Win32.HackTool.Binder
10 Win32.Downloader.Cred.B
11 Win32.Trojan.Agent.Gen
12 Win32.Virus.Sality.AT
13 Win32.Downloader.Ponmocup.A
14 Win32.Trojan.Medfos.A
15 Win32.Backdoor.InstallCore.D
16 Win32.Exploit.JS_Blacole
17 Win32.Backdoor.Cycbot.B
18 Win32.Trojan.Proxyier.qk
19 Generic.Spambot
20 Win32.BankingTrojan.SpyEye


Top 20 Internet Threats

The chart below shows the top 20 most prolific malware found on the Internet. The sort order is based on the number of distinct samples we have captured from the wild. Finding a large number of samples indicates that the malware distribution is extensive and that the malware author is making a serious attempt to evade detection by anti-virus products.

Chart: Prolific malware, share of distinct samples captured (axis 0.00% to 2.50%), in chart order:

Adware:Win32/Hotbar
Rogue:Win32/Winwebsec
Worm:Win32/Allaple.A
Virus:Win32/Sality.AT
Worm:Win32/Mydoom.O@mm
PWS:Win32/Lolyda.BF
Trojan:Win32/Rimecud.A
Worm:Win32/Rebhip.A
TrojanDownloader:Win32/Beebone.BQ
TrojanDownloader:Win32/Beebone.BR
VirTool:Win32/VBInject.UG
Trojan:Win32/Otran
Backdoor:Win32/Zegost.L
Worm:Win32/Vobfus.EG
Worm:Win32/Vobfus.gen!R
TrojanDropper:Win32/Sirefef.B
PWS:Win32/OnLineGames.IZ
Worm:Win32/Mydoom.L@mm
VirTool:Win32/VBInject.WX
Backdoor:Win32/Cycbot.G


New Developments in Q2

Mac “Flashback” at number one for 4 weeks

For the first time ever, malware targeting the Macintosh platform was in the number one position on the Kindsight Security Labs home network infections list. Our detection statistics for the month of April show that 1.1% of homes were infected with this malware. Based on Mac market share, this translates into about 10% of homes with Mac computers being infected with this malware during the month of April. Security researchers at Symantec have discovered that in addition to stealing passwords, Flashback is also being used for ad-click fraud.

The graph below shows the infections observed in network traffic throughout Q2. The percentage represents the number of home networks with Macs that were infected on that date.

Chart: Flashback infections, weekly from 14 April to 30 June 2012 (percentage of home networks, axis 0% to 6%).

The chart shows that the infection rate is on the decline, but still significant.

ZeroAccess Modifies C&C Protocol

We have been investigating the appearance of a new variation of the ZeroAccess/Sirefef bot. In February, we published a detailed analysis of the network behavior of this bot and the encrypted p2p protocol that it uses to communicate with its peers. The main purpose of this botnet is to distribute malware responsible for ad-click fraud, which we explain in more detail below.

Over the last week of June on one network, we observed 3321 infected computers actively communicating with over 1.2 million Internet peers. This is almost a 2.5x increase in the number of infected computers and an over 50% increase in the number of Internet peers when compared to the last week of Q1.

Diagram: 3321 infected users in home networks communicating with 1 million+ peers on the Internet.


As can be seen in the bar chart below, the infected peers are widely distributed throughout the Internet, with almost 18% in India and 10% in the United States.

The underlying structure and function of the bot remain the same, but the command and control (C&C) protocol also changed in Q2 to a combination of TCP and UDP. The botnet continues to be very prolific, with this new variety infecting about 0.8% of the home networks observed by Kindsight. A detailed description of the new C&C protocol can be found in the “New C&C Protocol for ZeroAccess/Sirefef” Malware Analysis Report.

Ad-click Fraud Burns Bandwidth

The traffic generated by ad-click fraud can burn through a subscriber's bandwidth cap. We have been following a number of bots, such as ZeroAccess, whose primary function is ad-click fraud. These bots receive instructions from a controller directing them to click on ads on specific web sites. The web site owner gets paid by the advertiser on a per-click basis, usually through the intermediary of an ad network. Advertisers and ad network operators have a number of safeguards in place to protect against click fraud.

The bot tries to circumvent these by simulating normal human browsing behavior. This involves using a relatively low click rate and responding to redirects, cookies and scripting as a regular browser would. Despite this low profile, the bot operates 24 hours a day, seven days a week, so the bandwidth used by all that browsing adds up over time.

Chart: ZeroAccess supernodes by country (percentage of supernodes, axis 0.00% to 18.00%), in chart order: India, United States, Kazakhstan, Iran (Islamic Republic of), Brazil, Argentina, Italy, Chile, Venezuela, Algeria, Romania, Russian Federation, Japan, Ukraine, Morocco, Colombia, Spain, Turkey, Sweden, Indonesia.


In one example we observed in the lab, a single bot consumed 0.1 Mbits/second when averaged out. For the infected consumer, this adds up to 32 GBytes per month, which is the equivalent of downloading 45 full-length movies. For the service provider, the impact on the network depends on the number of infected subscribers. The observed infection rate for this bot was about 0.8% of the user population. This means that at any instant this bot alone is consuming 800 Mbits/sec of bandwidth for every 1M users on the network.

Infographic: 1 infected subscriber = 32 GB of downloads per month (45 movies); service provider with 1M users = 800 Mbits/sec.

Flame is the latest espionage bot

In May 2012 a new espionage bot was discovered by the Iranian National CERT. Detailed analysis was made available from CrySyS Lab, who refer to it as SkyWiper, and Kaspersky, who refer to it as Flame. Both drew parallels with the earlier Stuxnet and Duqu malware. Flame is a large, complex bot, much of whose logic is written in the Lua scripting language, and it can spread via USB sticks or via file sharing on a LAN. Kaspersky estimated in May that about 1000 computers in the Middle East were infected, mostly in Iran. This appears to be a highly targeted attack focused on espionage, and we have not seen any evidence of this infection in any Kindsight deployments.

DNSChanger is still making news

The FBI took down the DNSChanger domain name servers in November 2011, but despite that it continues to make the news. During Q2 2012, malware related to DNSChanger was consistently on our top 20 infection list. This is because infected computers remain infected even after the takedown: their DNS settings still point at the rogue server addresses. These computers will effectively lose Internet access if they are not fixed before the interim DNS service is decommissioned.

The FBI and major security vendors have been working with service providers to get the infections resolved before the interim DNS servers were decommissioned on July 9th. These efforts have been partially successful, and over the first half of the year the number of computers using the rogue DNS servers has been significantly reduced. However, about 10% of the infected computers remain unfixed. In some cases, service providers have continued to route the traffic for infected computers so that the subscriber does not lose Internet connectivity and has more time to fix the problem. By working together, the industry did a good job of minimizing the number of affected homes.
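A practical check for the situation described above: whether a host's configured resolvers still point into the seized DNSChanger address space. This is an added example, not code from the Kindsight report. The address ranges are the ones published by the DNS Changer Working Group (DCWG) for the servers seized in Operation Ghost Click and should be verified against that list before use; the resolv.conf and ipconfig text is constructed sample input.

```python
"""Check whether a host's configured DNS resolvers fall inside the DNSChanger
rogue address ranges.

Added example, not code from the Kindsight report. The rogue ranges below are
the ones published by the DNS Changer Working Group (DCWG); verify them against
the DCWG/FBI list before relying on this check. The resolv.conf and
'ipconfig /all' text further down is constructed sample input.
"""
import ipaddress
import re

# Assumption: DCWG-published rogue resolver ranges, reproduced from the public
# list; confirm against the current DCWG/FBI publication before use.
ROGUE_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "85.255.112.0/20",
    "67.210.0.0/20",
    "93.188.160.0/21",
    "77.67.83.0/24",
    "213.109.64.0/20",
    "64.28.176.0/20",
)]

_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def resolvers_from_resolv_conf(text):
    """Return resolver IPs from /etc/resolv.conf-style text (nameserver lines)."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                out.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue                        # ignore malformed entries
    return out


def resolvers_from_ipconfig(text):
    """Return resolver IPs from 'ipconfig /all' output: the 'DNS Servers' line
    plus the indented continuation lines that hold further addresses."""
    out = []
    in_dns = False
    for line in text.splitlines():
        if "DNS Servers" in line:
            in_dns = True
        elif in_dns and not re.match(r"^\s+\d", line):
            in_dns = False                      # next field reached
        if in_dns:
            for m in _IPV4.findall(line):
                out.append(ipaddress.ip_address(m))
    return out


def rogue_resolvers(resolvers):
    """Return the resolvers that fall inside a DNSChanger rogue range."""
    return [ip for ip in resolvers if any(ip in net for net in ROGUE_RANGES)]


def is_dnschanger_victim(resolvers):
    return bool(rogue_resolvers(resolvers))


# Constructed sample input (not real captures).
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.example
nameserver 85.255.112.35
nameserver 192.168.1.1
"""

SAMPLE_IPCONFIG = """\
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       8.8.4.4
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for name, ips in (("resolv.conf", resolvers_from_resolv_conf(SAMPLE_RESOLV_CONF)),
                      ("ipconfig", resolvers_from_ipconfig(SAMPLE_IPCONFIG))):
        bad = rogue_resolvers(ips)
        print(f"{name}: {'INFECTED' if bad else 'clean'} {[str(b) for b in bad]}")
```

Note that a clean resolver setting on the host does not rule out DNSChanger on the network: the malware also rewrote the DNS settings of home routers with default credentials, so the router's WAN-side DNS servers should be checked the same way.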


Q2 2012 Mobile Malware Statistics

Mobile Device Infection Rates

In mobile networks we found that 0.7% of devices were infected. The infected devices include Android phones and laptops tethered to a phone or connected directly through a mobile hub/USB stick. The infection rate is low because the total device count includes a large number of feature phones that are not malware targets. We also saw a three-fold growth in the number of Android malware samples.

Top Android Malware

The table below shows the top 10 Android infections of Q2 detected in the networks where the Kindsight Mobile Security solution is deployed.

For the most part these are “trojanized” apps that steal information about the phone or send SMS messages, but the list also includes a banking Trojan that intercepts access tokens for banking web sites and two spyware applications that are used to spy on family members or associates. The top 2 infections are the same as in the Q1 report and are covered in more detail there.

Throughout Q2 Kindsight Security Labs continued to collect Android malware. Our sample library grew three-fold in that period.

“Find and Call” infects iPhones and Androids

After years with a solid security record, Apple was hit twice in Q2 2012. First Flashback infected the Mac, and now it appears that an iPhone app called “Find and Call” uploads the user's contact list to a remote server. The server then sends e-mail and text-message spam to the victim's contacts. The messages are in Russian and encourage the recipient to download the app. The app has been removed from the App Store. There is also an Android version of the app.

Position Name
1 Trojan.GGTracker
2 Trojan.Pjapps3.A
3 Spyware.MobileSpy
4 Trojan.DroidDream
5 Adware.SndApp.B
6 BankingTrojan.FakeToken
7 Trojan.Dogowar
8 Spyware.FlexiSpy
9 Trojan.Geimini.A
10 Trojan.DroidKungFu


Conclusion

In this report, we saw an increase in the number of home networks infected as compared to Q1/2012. We also saw a 0.7% infection rate for all devices on mobile networks, but more concerning was the 3x increase in the number of Android malware samples.

While it has not received the publicity of Flame, malware like the ZeroAccess botnet should be of more concern to consumers as it continues to grow to over 1 million super nodes. It tries to remain unobserved, uses P2P communications whose protocol changes over time, which makes it difficult to detect, and most importantly can generate enough ad-click traffic to hit bandwidth caps and cost the consumer money.

This past quarter also confirmed that Apple is not immune to malware. For the first time ever, malware targeting the Macintosh platform, Flashback, was in the number one position on the Kindsight Security Labs home network infections list. And an iPhone app called “Find and Call” uploads the user's contact list to a remote server and then sends e-mail and text-message spam to the victim's contacts.

So while the increases in malware in this report are a concern, it is the types of malware driving this growth that bear watching as we move into Q3.


Kindsight, Inc., 755 Ravendale Drive, Mountain View, CA 94043 U.S.A.; 555 Legget Drive, Tower B, Suite 132, Ottawa, ON K2K 2X3 Canada

T: [email protected]

Copyright © 2012 Kindsight, Inc. Kindsight is a registered trademark of Kindsight, Inc. All rights reserved.

About Kindsight Security Labs

Kindsight Security Labs focuses on the behavior of malware communications to develop network signatures that detect current threats with low false positives. This approach enables the detection of malware in the service provider network, and the signatures developed form the foundation of Kindsight Security Analytics and Kindsight Security Services.

To accurately detect that a user is infected, our signature set looks for network behavior that provides unequivocal evidence of infection coming from the user's computer. This includes:

• Malware command and control (C&C) communications
• Backdoor connections
• Attempts to infect others (e.g. exploits)
• Excessive e-mail
• Denial of Service (DoS) and hacking activity

There are four main activities that support our signature development and verification process.

1. Monitor information sources from major security vendors and maintain a database of currently active threats.
2. Collect malware samples (>10,000/day), classify them and correlate them against the threat database.
3. Execute samples matching the top threats in a sandbox environment and compare against our current signature set.
4. Conduct a detailed analysis of the malware's behavior and build new signatures if a sample fails to trigger a signature.

As an active member of the security community, Kindsight Security Labs also shares this research by publishing a list of actual threats detected, the top emerging threats on the Internet, and this report.
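Two behavioral signatures of the kind listed above (C&C communications and excessive e-mail), run over constructed flow records. This is an added example, not Kindsight's code or signature format; the record layout, the thresholds, the addresses and the sample flows are assumptions chosen for illustration.

```python
"""Two network-behaviour signatures run over constructed flow records:
SMTP fan-out (a spambot sending excessive e-mail) and periodic beaconing
(C&C check-ins). Added example; not Kindsight's code. The thresholds, the
record layout and the sample traffic are assumptions for illustration."""
from collections import defaultdict
from statistics import mean, pstdev

# Flow record: (timestamp_seconds, src_ip, dst_ip, dst_port, protocol).
# Constructed sample traffic (not a real capture):
#   10.0.0.5 opens SMTP sessions to 40 different mail servers in ~5 minutes
#   10.0.0.7 contacts one remote host every 60 s for 12 minutes (beaconing)
#   10.0.0.9 is ordinary HTTPS browsing
FLOWS = []
for i in range(40):
    FLOWS.append((i * 7, "10.0.0.5", f"203.0.113.{i + 1}", 25, "tcp"))
for i in range(12):
    FLOWS.append((i * 60, "10.0.0.7", "198.51.100.9", 8080, "tcp"))
for t, dst in ((3, "93.184.216.34"), (90, "93.184.216.34"), (400, "151.101.1.69")):
    FLOWS.append((t, "10.0.0.9", dst, 443, "tcp"))


def detect_smtp_fanout(flows, window=300, min_distinct=20):
    """Flag sources that open SMTP (tcp/25) connections to at least
    `min_distinct` different hosts within any `window`-second span.
    A home user talks to one or two mail servers, so wide fan-out is
    spambot behaviour rather than normal e-mail."""
    by_src = defaultdict(list)
    for ts, src, dst, port, proto in flows:
        if proto == "tcp" and port == 25:
            by_src[src].append((ts, dst))
    hits = set()
    for src, conns in by_src.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):       # sliding window from each start
            dsts = {d for t, d in conns[i:] if t - t0 <= window}
            if len(dsts) >= min_distinct:
                hits.add(src)
                break
    return sorted(hits)


def detect_beaconing(flows, min_events=8, max_jitter=0.1):
    """Flag (src, dst, port) tuples contacted at a near-constant interval:
    at least `min_events` connections whose inter-arrival times vary by no
    more than `max_jitter` (standard deviation relative to the mean gap).
    Regular check-ins to one remote host are the C&C pattern listed above.
    Returns (src, dst, port, mean_gap_seconds) for each hit."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, proto in flows:
        by_pair[(src, dst, port)].append(ts)
    hits = []
    for key, times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((*key, round(avg)))
    return sorted(hits)


if __name__ == "__main__":
    print("SMTP fan-out:", detect_smtp_fanout(FLOWS))
    print("Beaconing:", detect_beaconing(FLOWS))
```

The beaconing rule on its own also matches legitimate periodic traffic (NTP, software update checks, mail polling), which is why the text stresses signatures built from analysed malware behaviour rather than generic heuristics; in practice the periodicity check is paired with an allowlist of known services or with payload characteristics taken from sandbox runs of the bot.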