McAfee Threats Report: Second Quarter 2011 fileone, with J2ME (Java Micro Edition), coming in second...
24
McAfee Threats Report: Second Quarter 2011 By McAfee ® Labs ™ Report
Transcript of McAfee Threats Report: Second Quarter 2011 fileone, with J2ME (Java Micro Edition), coming in second...
McAfee Threats Report: Second Quarter 2011By McAfee® Labs™
Report
Report McAfee Threats Report: Second Quarter 2011
The threat landscape of 2011 is undergoing a year of chaos and change. We see chaos in the major challenges that hacktivist groups such as LulzSec and Anonymous pose, and change in the shifts in new malware classes and targeted devices.
This quarter McAfee Labs saw major hacktivist activity—but in a very different way. The group Lulz Security, LulzSec for short, differs from other hacktivist groups in that they had no specific goals. They were in it, as they claimed, for the “lulz” (LOLs in text messagespeak, or “laugh out loud’s” ) but showed an agility at compromising networks and servers, and stealing usernames, passwords, and other data. LulzSec committed multiple intrusions against a wide variety of companies, as well as attacks against police departments and intelligence agencies, and many other compromises. Although many of the outcomes and uses of these compromises are still in play (and we provide a helpful overview of the quarter’s activity) one thing has become clear: Many companies, both large and small, are more vulnerable than they may have suspected. Further, the security industry may need to reconsider some of its fundamental assumptions, including “Are we really protecting users and companies?” Although LulzSec may have ceased its operations during this quarter, the questions they and other hacktivist groups have raised will be debated for a long time.
One significant change in the first quarter of 2011 was Android’s becoming the third-most targeted platform for mobile malware. This quarter the count of new Android-specific malware moved to number one, with J2ME (Java Micro Edition), coming in second while suffering only a third as many malware. This increase in threats to such a popular platform should make us evaluate our behavior on mobile devices and the security industry’s preparedness to combat this growth.
We also saw an increase in for-profit mobile malware, including simple SMS-sending Trojans and complex Trojans that use exploits to compromise smartphones. We offer an update of cybercrime “pricebooks” as well as some changes to toolkit and service prices. “Crimeware as a service” and the burgeoning “hacktivism as a service” continue to evolve as interests and targets change. On the positive side, there were some significant victories against cybercriminals this quarter.
Continuing the change theme, we observed a considerable decrease in both AutoRun and Koobface malware, offset by a strong rise in fake-anti-virus software that targets the Mac. Apple’s OS X has been mostly ignored by malware writers for years, so this represents a significant change of target for cybercriminals.
Malware continued its overall growth during the quarter as did rootkit malware. Rootkits, used primarily for stealth and resilience, makes malware more effective and persistent; its popularity is rising. Rootkits such as Koutodoor and TDSS appear with increasing frequency. The amount of malware that attacks vulnerabilities in Adobe products continues to overwhelm those in Microsoft products.
Botnets and messaging threats, although still at historic lows, have begun to rise again. We expected this recovery after some recent botnet takedowns. Users and enterprises must plan for this growth and prepare their defenses and responses accordingly. We again examine social engineering subjects by both geography and subject and botnets by geography and type.
We saw several spikes in malicious web activity this quarter as well as some serious growth in blogs and wikis with malicious reputations. Sites that deliver malware, potentially unwanted programs, and phishing sites also increased.
The second quarter of the year was clearly a period of chaos, changes, and new challenges.
Report McAfee Threats Report: Second Quarter 2011
Table of Contents
Hacktivism 4
Mobile Threats 5
Cybercrime 7
Malware Threats 9
Adobe Outpaces Microsoft in Attracting Exploits 14
Messaging Threats 15
Web Threats 20
4
Report McAfee Threats Report: Second Quarter 2011
HacktivismEarly in this quarter the Anonymous group apparently quarreled and split. On May 9, an Anonymous press release said the Anonops network was down after the website coadministrator Ryan attempted to stage a “coup d’état.” As a reprisal, his contact details were immediately distributed on the web.
Around May 7 a new Twitter account registering the @LulzSec username appeared, marking the birth of Lulz Security. Their first feats did not gain much media coverage; however, when they targeted the entertainment industry, the world was truly introduced to LulzSec.
After 50 days of operations, LulzSec’s adventures ended due to group-against-group struggles. These events show a level of immaturity in some groups labeled as political hacktivists and who claim to be part of Anonymous. Jester (th3j35t3r, an Anonymous opponent who is known for fighting against jihadist and anti-U.S. websites) and other groups (Team Web Ninjas, Backtrace, The A-Team, Teamp0ison, etc.) made a point of denouncing their former colleagues. These internecine struggles helped authorities identify some of these hackers.
Other reported incidents include a “serious” attack against the European Commission just before a summit to discuss the future structure of the European Union, economic strategy, and the war in Libya.1 France’s Ministry of Finance suffered a similar attack. The Australian Security Intelligence Organisation disclosed that it is investigating an attack that compromised the computers of at least 10 federal ministers, including the prime minister, foreign minister, and defense minister. The German government reported it sees an average of five targeted attacks per day against users of government networks.2
Some published accounts number the various hacktivist operations, such as #antisec, #OpNewBlood, #OpLibya, #OpBrazil, at more than 4,000 in total, but this number is hard to verify. These operations have resulted in websites being taken offline, large amounts of usernames and passwords stolen, and confidential documents stolen and uploaded. Many companies have suffered very effective politically motivated attacks. Many observers have called these attacks simplistic, even lame, but these pundits miss the point: Hacktivism is about the message, not the method.
Two intrusions by a Romanian hacker also caught our attention due to the high-profile targets: the U.S. and European space agencies.
In an April blog entry, this hacker published information from the European Space Agency’s server that included names, usernames, and emails of more than 150 users. In May, the same hacker claimed to have entered a server at NASA’s Goddard Space Flight Center and gained access to confidential satellite data. He posted on his blog a screen grab of what he said was one of NASA’s main FTP servers.
1. http://www.bbc.co.uk/news/world-europe-128409412. http://www.bundestag.de/presse/hib/2011_05/2011_201/08.html
5
Report McAfee Threats Report: Second Quarter 2011
Mobile ThreatsThis quarter Android OS-based malware became the most popular target for mobile malware developers. That’s a rapid rise for Android, which outpaces second place Java Micro Edition threefold.
Android
Java ME
Symbian
BlackBerry
MSIL
Python
VBS
New Mobile Malware This Quarter
As we watch steady, significant growth in the mobile malware threat landscape, many of the same functions and features of PC-based threats are already part of the codebase. Mobile threats already take advantage of exploits, employ botnet functionality, and even use rootkit features for stealth and permanence.
0
300
600
900
1,200
1,500
Q12011
Q22011
Q42010
Q32010
Q22010
Q12010
Q42009
Q32009
Q22009
Q12009
Total Mobile Malware Samples
Maliciously modified apps are still a popular vector for infecting devices: Corrupt a legitimate app or game and users will download and install malware on their smartphones by themselves.
Infiltrating popular modified apps this quarter were the malware Android/Jmsonez.A, Android/Smsmecap.A, and the Android/DroidKungFu, and Android/DrdDreamLite families. Let’s take a close look at some recent mobile malware.
6
Report McAfee Threats Report: Second Quarter 2011
Android/Jmsonez.A is a version of a calendar app that doesn’t quite work as intended.3 No matter when the program is launched, it displays the calendar for January 2011. If the user tries to change the month to a future date, the malware begins sending SMS messages to a premium-rate number. Android/Jmsonez.A also monitors the inbox for confirmation SMS messages from the premium-rate service to avoid detection.
Android/Smsmecap.A is a modified version of a legitimate comedy app.4 The malware sends humorous, irreverent SMS messages to all the contacts in the user’s address book. Since May 21, the date of the purported “Rapture,” it has sent messages in a mocking tone.
The Android/DroidKungFu family is similar to Android/DrdDream; it also uses a pair of root exploits to maintain itself on a device.5 The exploits are actually identical to those used by the Android/DrdDream except they have been encrypted with AES. These variants can also load URLs and install additional software and updates.
The Android/DrdDreamLite family is a less capable variant of the original Android/DrdDream family.6 The Lite version uses DES to encrypt the data it sends to the attacker. Android/DrdDreamLite does not include any root exploits to remain installed on an infected device.
Other complex Trojans are Android/Tcent.A, the Android/Crusewin.A family, Android/J.SMSHider.A, and Android/Toplank.A.
Android/Tcent.A is another premium-rate, SMS-sending Trojan, similar to Android/Jmsonez.A, but it includes an interesting self-protection feature.7 The malware targets the QQ instant-messaging service, which is popular in China. The malware attempts to uninstall anti-virus and other security software that are bundled with mobile QQ clients.
The Android/Crusewin.A family comprises a number of premium-rate–sending Trojans.8 Unlike simpler malware, the Android/Crusewin.A family includes some botnet functions, including executing orders from the attacker’s command server. The attacker can send SMS messages from an infected device, useful for signing up the victim to premium-rate subscription services, and attempt to uninstall software. The latter feature is similar to that of Android/Tcent.A but suffers from a slight problem. Android/Crusewin.A uses an uninstall code that works only on Symbian smartphones; it will not run properly on Android. This suggests the malware author may be porting Symbian Trojan/botnet code to the Android platform.
Android/J.SMSHider.A sends premium-rate messages.9 The malware author modified a legitimate “SMS love analyzer” to add backdoor functionality and the ability to delete incoming SMS messages. Android/J.SMSHider.A uses DES encryption to cover its communications with the attacker.
Android/Toplank.A pretends to be a multiuser update to the popular Angry Birds game. The malware sends sensitive information (international mobile subscriber identity, the list of permissions granted to the malware, etc.) to the attacker and can download an additional Android app to an infected device. The new app provides a backdoor to the attacker, who can then add and delete bookmarks, browser history, and shortcuts. The attacker can also download further software.
Mobile crimeware authors are continuing their tricks with SymbOS/Zitmo.C and BlackBerry/Zitmo.D, which are simple SMS forwarders. The authors have already compromised victims’ PCs with advanced malware, so it appears that they are doing only the bare minimum on mobile platforms to enable their attacks.
3. http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=5017484. http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=5095005. http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=5222816. http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=5189257. http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=5015998. http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=5016399. http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=527859
7
Report McAfee Threats Report: Second Quarter 2011
Cybercrime
Email Address Book for SaleVia their botnets or through rental services, spammers need email address lists to flood the world. Prices vary for such enterprises, often with location.
Country Address List Prices (all in U.S.$)
Russia 400,000 addresses in St. Petersburg: $251,000,000 (entire country): $253,000,000: $505,000,000: $1008,000,000: $200
United States 1,000,000: $253,000,000: $505,000,000: $10010,000,000: $300
Ukraine 2,000,000: $40
Germany 1,000,000: $253,000,000: $505,000,000: $1008,000,000: $200
Turkey 1,000,000: $50
Portugal 150,000: $25
Australia 1,000,000: $253,000,000: $505,000,000: $100
England 1,500,000: $100
Crimeware toolsAgain this quarter, we saw new products and updates among exploits kits. The most notable were the release of Eleonore Version 1.6.5, with two 2011 exploits, and Best Pack, with one 2011 exploit.
Name Prices (all in U.S.$) Description
Weyland-Yutani BOT Version 1.0 $1,000 Offered on the underground market. The seller quickly closed the bid after claiming to have found a buyer.
BlackHole Exploit Kit Version 1.1.0 Annual license: $1,5006 months: $1,0003 months : $700
This kit first appeared in September 2010. Updated in April, it contains nine exploits, with six from 2010.
Best Pack Announced by ScriptKiddieSec and Kahu Security as the possible successor of Dragon Pack, this exploit pack contains seven old exploits and one from 2011:10
• CVE-2011-0611 (affecting Adobe Flash Player versions before 10.2.159)
Phoenix Exploit Kit Version 2.7 $2,200 This version replaced Version 2.5, whose code was leaked in April. Current release contains at least 15 exploits, with six from 2010.
Eleonore Version 1.6.5 $2,000 10 exploits include two Flash Player exploits from 2011:• CVE-2011-0558 (Flash before 10.2)• CVE-2011-0611 (Flash before 10.2.159)
YES Exploit Kit 4.0 $400 Replaced Version 3.0RC, from April 2010. This version has nearly 20 exploits, with seven from 2010.
10. http://www.kahusecurity.com/2011/best-pack/
8
Report McAfee Threats Report: Second Quarter 2011
Actions Against CybercriminalsThis quarter was not all doom and gloom. Courts and law enforcement continue to make progress worldwide against cybercriminals.
Country and Date Description
United Kingdom
April
Police Central e-Crime Unit arrested three men—a Lithuanian, a Latvian, and another whose nationality was not revealed—in connection with using SpyEye malware to steal online banking details.11
United States
April
In Operation Adeona the Department of Justice and the F.B.I. shut down the Coreflood botnet, which had infected hundreds of thousands of PCs since 2002. During an 11-month period starting in March 2009, Coreflood siphoned some 190GB worth of banking passwords and other sensitive data from more than 413,000 infected systems as users browsed the Internet, authorities said.12
Finland
May
Police arrested 17 people suspected of taking part in Internet banking fraud aimed at Nordea account holders at the beginning of this year. The perpetrators tried to steal almost €1.2 million via a series of more than 100 false transactions.13 The majority of suspects are suspected of being phishing mules. The two suspected masterminds were from Estonia.
United Kingdom
May
A University of Salford student was convicted of a malware-based scam that allowed him to break into the computers and webmail accounts of an estimated 100 victims. The police asked McAfee to analyze the malware and acknowledged McAfee’s contribution in gathering evidence that enabled an early arrest.14
United States, Ukraine, Latvia
June
The Department of Justice and the F.B.I. announced Operation Trident Tribunal, a coordinated, international law enforcement action that disrupted the activities of two international cybercrime rings involved in the sale of fake-alert anti-virus software (scareware).15 Conducted with the Ukrainian security services, the action appears to be the first enforcement targeting a gang using Conficker.16 The second police effort targeted Latvians charged with creating a fraudulent advertising agency.
Russia
June
One of the most controversial figures in Russia’s online world, ChronoPay cofounder and CEO Pavel Vrublevsky, was arrested on suspicion of ordering a distributed denial of service (DDoS) attack against a rival firm. Vrublevsky, 32, is probably best known as the co-owner of the Rx-Promotion rogue online pharmacy program. His company also consistently has been involved in credit card processing for—and in many cases setting up companies on behalf of—rogue anti-virus or scareware scams that use misleading PC security alerts in a bid to frighten people into purchasing worthless “security” software.17
A Touch of CyberwarJust discussing the definition of “cyberwar” can spark heated debate, as more and more countries struggle with how to categorize this developing conflict. The discussion is sure to be further muddied as hacktivism becomes more prevalent.
Country and Date Description
Russia
March/April
From March 24 to April 4 various DDoS attacks were launched against some bloggers on LiveJournal, which hosts more than 4.7 million Russian bloggers (including President Dmitry Medvedev) who exchange information and often share critical views that cannot be expressed in the mainstream media.18
United States
April
The Oak Ridge National Laboratory, home to one of the world’s most powerful supercomputers, was the victim of a sophisticated cyberattack launched through phishing emails sent to some 573 lab employees. Some of them appear to have clicked on a link in the email and downloaded information-stealing malware.19
South Korea
May
South Korean authorities alleged North Korea's secret services hacked into the computer system of the National Agricultural Cooperative Federation, which delivers supply, processing, marketing, and banking services to more than 4,000 branches.20
Norway
May
The Norwegian military admitted being hit by a potentially serious targeted cyberattack attack in March. The attack happened when 100 senior military personnel received an email with an attachment appearing to come from another government agency.21
11. http://www.networkworld.com/news/2011/041111-uk-police-arrest-three-men.html12. http://www.theregister.co.uk/2011/04/13/coreflood_botnet_takedown/13. http://www.theregister.co.uk/2011/05/10/finnish_banking_trojan_investigation/14. http://www.zdnet.co.uk/news/security-management/2011/05/18/gamer-sentenced-for-stealing-steam-passwords-40092802/15. http://www.fbi.gov/news/stories/2011/june/cyber_062211/cyber_06221116. http://www.zdnet.co.uk/news/security-management/2011/06/24/ukrainian-sting-targets-conficker-fraudsters-40093222/17. http://krebsonsecurity.com/tag/pavel-vrublevsky/18. http://uk.reuters.com/article/2011/04/06/oukin-uk-russia-medvedev-cyberattack-idUKTRE7354OV2011040619. http://www.computerworlduk.com/news/security/3275613/us-government-energy-research-lab-shuts-down-email-and-internet-access-after-
phishing-attack/20. http://www.koreaittimes.com/story/14507/north-korea-behind-cyber-attack-south-korea-bank21. http://www.cio.com.au/article/387581/norwegian_military_admits_march_cyberattack
9
Report McAfee Threats Report: Second Quarter 2011
Malware ThreatsThe malware landscape this quarter has presented us several surprises. Although numerically not the busiest period in history (just a little behind last year’s pace), when combined with the first quarter we have the busiest ever first half-year in this vector. The increase is 22 percent over 2010! McAfee Labs identified almost six million unique malware samples during this quarter. This puts us on track for our cumulative malware “zoo” collection to reach 75 million samples by year’s end.
0
10,000,000
20,000,000
30,000,000
40,000,000
50,000,000
60,000,000
70,000,000
MAR2011
FEB2011
JAN2011
DEC2010
JUN2011
MAY2011
APR2011
NOV2010
OCT2010
SEP2010
AUG2010
JUL2010
JUN2010
MAY2010
APR2010
MAR2010
FEB2010
JAN2010
Total Malware Samples in the Database
Just to reinforce how significant the growth has been during the last several years, here is a look at the monthly incremental growth of unique malware binaries:
0
500,000
1,000,000
1,500,000
2,000,000
2,500,000
MAR2011
FEB2011
JAN2011
DEC2010
JUN2011
MAY2011
APR2011
NOV2010
OCT2010
SEP2010
AUG2010
JUL2010
JUN2010
MAY2010
APR2010
MAR2010
FEB2010
JAN2010
New Malware Samples Added to the Database, by Month
10
Report McAfee Threats Report: Second Quarter 2011
We now collect on average almost two million new samples every month. This is certainly not a welcome development, but it is consistent and predictable considering how our business and private lives are now tethered to technology.
Among the specific families we track, fake anti-virus software (a.k.a. fake-alert or rogue anti-virus software) continues to show consistent growth and has even begun to climb aboard a new platform: the Mac. You read that right; fake-AV for Apple’s platform is now a reality. This does not surprise us at McAfee Labs. There are more Mac users than ever before as well as steady business adoption. This puts the Apple platforms squarely in the crosshairs of malware authors. It will be interesting to see if this type of malware makes its way to the iPhone and iPad as well. It is probably a case of “when” rather than “if.”
MAR2011
FEB2011
JAN2011
DEC2010
JUN2011
MAY2011
APR2011
NOV2010
OCT2010
SEP2010
AUG2010
JUL2010
JUN2010
MAY2010
APR2010
MAR2010
FEB2010
JAN2010
Unique Fake-Alert Samples Discovered
0
50000
100000
150000
200000
250000
300000
350,000
300,000
250,000
200,000
150,000
100,000
50,000
0
Unique Fake-Alert Samples for Mac Discovered
0
50
100
150
200
250
MAR2011
FEB2011
JAN2011
DEC2010
JUN2011
MAY2011
APR2011
NOV2010
OCT2010
SEP2010
AUG2010
JUL2010
11
Report McAfee Threats Report: Second Quarter 2011
Generic password-stealing Trojans declined just a bit this quarter, while AutoRun malware was greatly reduced. Koobface threats dropped to the lowest levels in years.
MAR2011
FEB2011
JAN2011
DEC2010
JUN2011
MAY2011
APR2011
NOV2010
OCT2010
SEP2010
AUG2010
JUL2010
JUN2010
MAY2010
APR2010
MAR2010
FEB2010
JAN2010
Unique Password Stealers Samples Discovered
0
50,000
100,000
150,000
200,000
250,000
300,000
MAR2011
FEB2011
JAN2011
DEC2010
JUN2011
MAY2011
APR2011
NOV2010
OCT2010
SEP2010
AUG2010
JUL2010
JUN2010
MAY2010
APR2010
MAR2010
FEB2010
JAN2010
Unique AutoRun Samples Discovered
0
100,000
200,000
300,000
400,000
500,000
600,000
700,000
MAR2011
FEB2011
JAN2011
DEC2010
JUN2011
MAY2011
APR2011
NOV2010
OCT2010
SEP2010
AUG2010
JUL2010
JUN2010
MAY2010
APR2010
MAR2010
FEB2010
JAN2010
0
2,000
4,000
6,000
8,000
10,000
12,000
14,000
16,000
18,000
Unique Koobface Samples Discovered
12
Report McAfee Threats Report: Second Quarter 2011
Rootkits and Stealth MalwareAnother malware category demonstrating recent steady growth is the rootkit. A rootkit (sometimes called stealth malware) is code that hides its elements from the operating system and security software. Cybercriminals use rootkits to make other malware stealthier and more persistent. The better hidden the malware is, the longer it will remain on the system and engage in its malicious activity. As you can see from the following charts, rootkits are on the rise overall. The first half of 2011 was comparable to malware overall: Rootkits have seen their busiest-ever six months, up almost 38 percent over 2010! Two of the busiest rootkits that we encounter are Koutodoor and TDSS. Both are nasty and hide malware to steal data.
MAR2011
FEB2011
JAN2011
DEC2010
JUN2011
MAY2011
APR2011
NOV2010
OCT2010
SEP2010
AUG2010
JUL2010
JUN2010
MAY2010
APR2010
MAR2010
FEB2010
JAN2010
Unique Rootkit Samples Discovered
0
20,000
40,000
60,000
80,000
100,000
120,000
13
Report McAfee Threats Report: Second Quarter 2011
Global Infected Computer NumbersGlobally and by individual geography much of the malware we collected this quarter matched the same varieties as in the first quarter. We saw a few differences among the continents but overall they were more similar than different.
Rank Top 5 Global Malware
1 AutoRun Malware
2 OpenCandy Adware
3 HotBar Adware
4 General Trojans
5 HotBar vF Adware
Rank North America
1 AutoRun Malware
2 HotBar Adware
3 OpenCandy Adware
4 Downloader Malware
5 HotBar vF Adware
Rank South America
1 AutoRun Malware
2 Java Runtime Exploitation
3 Conficker AutoRun Malware
4 Remote-Access Trojans
5 Downloader Malware
Rank Europe and Middle East
1 HotBar vF Adware
2 AutoRun Malware
3 HotBar Adware
4 OpenCandy Adware
5 Conficker AutoRun Malware
Rank Australia
1 OpenCandy Adware
2 Downloader Malware
3 Hotbar Adware
4 Downloader Malware
5 AutoRun Malware
Rank Africa
1 AutoRun Malware
2 Downloader Malware
3 Downloader Malware
4 Yahoo Messenger Malware
5 Sality Virus
Rank Asia
1 AutoRun Malware
2 Downloader Malware
3 Conficker AutoRun Malware
4 Downloader Malware
5 Browser Exploitation
14
Report McAfee Threats Report: Second Quarter 2011
Adobe Outpaces Microsoft in Attracting ExploitsFor several quarters, one of the major trends we’ve seen is that malware authors prefer to write exploits that target vulnerabilities in Adobe products as opposed to those in Microsoft products. This trend does not prove that Adobe’s technologies are more vulnerable or have more coding bugs than Microsoft’s. Rather, Adobe is one of the clear leaders in worldwide client applications, and this leadership is what drives malware authors and cybercriminals: They target what is popular and in wide use. The following chart shows the malware McAfee Labs has seen this quarter that attempts to exploit vulnerabilities in Adobe and Microsoft products.
MAY2011
JUN2011
APR2011
MAR2011
FEB2011
JAN2011
Adobe and Microsoft Exploits Discovered
0
2,000
4,000
6,000
8,000
10,000
12,000
14,000
16,000
Adobe
Microsoft
15
Report McAfee Threats Report: Second Quarter 2011
Messaging ThreatsMessaging threats continued a mild decline from last quarter, although the drop is not significant. A coordinated effort last quarter among several security providers, law enforcement, and even CERTs was able to shut off major amounts of botnet zombies and their command structure. This recent success may still be having a positive effect. We expect to again see sharp rises in spam; in the mean time, we continue to watch this area closely. Although the volume of spam remains at historic low levels, the spearphishing (a class of spam) that we see today is more targeted and effective than ever. This vector continues to evolve.
Global Spam Volume, in Trillions of Messages per Day
6
5
4
3
2
1
0
Spam
“Ham”
MAR2011
FEB2011
JAN2011
DEC2010
JUN2011
MAY2011
APR2011
NOV2010
OCT2010
SEP2010
AUG2010
JUL2010
Argentina
120,000,000
100,000,000
80,000,000
60,000,000
40,000,000
20,000,000
0MAR2011
FEB2011
JAN2011
DEC2010
JUN2011
MAY2011
APR2011
NOV2010
OCT2010
SEP2010
AUG2010
JUL2010
MAR2011
FEB2011
JAN2011
DEC2010
JUN2011
MAY2011
APR2011
NOV2010
OCT2010
SEP2010
AUG2010
JUL2010
MAR2011
FEB2011
JAN2011
DEC2010
JUN2011
MAY2011
APR2011
NOV2010
OCT2010
SEP2010
AUG2010
JUL2010
MAR2011
FEB2011
JAN2011
DEC2010
JUN2011
MAY2011
APR2011
NOV2010
OCT2010
SEP2010
AUG2010
JUL2010
Spam Volume by Country
Brazil
600,000,000
500,000,000
400,000,000
300,000,000
200,000,000
100,000,000
0
MAR2011
FEB2011
JAN2011
DEC2010
JUN2011
MAY2011
APR2011
NOV2010
OCT2010
SEP2010
AUG2010
JUL2010
MAR2011
FEB2011
JAN2011
DEC2010
JUN2011
MAY2011
APR2011
NOV2010
OCT2010
SEP2010
AUG2010
JUL2010
Columbia
120,000,000
100,000,000
80,000,000
60,000,000
40,000,000
20,000,000
0
France
300,000,000
250,000,000
200,000,000
150,000,000
100,000,000
50,000,000
0
Germany
500,000,000
400,000,000
300,000,000
200,000,000
100,000,000
0
India
700,000,000
600,000,000
500,000,000
400,000,000
300,000,000
200,000,000
100,000,000
0
16
Report McAfee Threats Report: Second Quarter 2011
MAR2011
FEB2011
JAN2011
DEC2010
JUN2011
MAY2011
APR2011
NOV2010
OCT2010
SEP2010
AUG2010
JUL2010
MAR2011
FEB2011
JAN2011
DEC2010
JUN2011
MAY2011
APR2011
NOV2010
OCT2010
SEP2010
AUG2010
JUL2010
MAR2011
FEB2011
JAN2011
DEC2010
JUN2011
MAY2011
APR2011
NOV2010
OCT2010
SEP2010
AUG2010
JUL2010
MAR2011
FEB2011
JAN2011
DEC2010
JUN2011
MAY2011
APR2011
NOV2010
OCT2010
SEP2010
AUG2010
JUL2010
Spam Volume by Country
MAR2011
FEB2011
JAN2011
DEC2010
JUN2011
MAY2011
APR2011
NOV2010
OCT2010
SEP2010
AUG2010
JUL2010
MAR2011
FEB2011
JAN2011
DEC2010
JUN2011
MAY2011
APR2011
NOV2010
OCT2010
SEP2010
AUG2010
JUL2010
MAR2011
FEB2011
JAN2011
DEC2010
JUN2011
MAY2011
APR2011
NOV2010
OCT2010
SEP2010
AUG2010
JUL2010
MAR2011
FEB2011
JAN2011
DEC2010
JUN2011
MAY2011
APR2011
NOV2010
OCT2010
SEP2010
AUG2010
JUL2010
MAR2011
FEB2011
JAN2011
DEC2010
JUN2011
MAY2011
APR2011
NOV2010
OCT2010
SEP2010
AUG2010
JUL2010
Italy
250,000,000
200,000,000
150,000,000
100,000,000
50,000,000
0
Japan
50,000,000
40,000,000
30,000,000
20,000,000
10,000,000
0
Poland
200,000,000
150,000,000
100,000,000
50,000,000
0
Portugal
100,000,000
80,000,000
60,000,000
40,000,000
20,000,000
0
South Korea
200,000,000
150,000,000
100,000,000
50,000,000
0
Spain
200,000,000
150,000,000
100,000,000
50,000,000
0
United Kingdom
500,000,000
400,000,000
300,000,000
200,000,000
100,000,000
0
United States
1,500,000,000
1,200,000,000
900,000,000
600,000,000
300,000,000
0
Venezuela
500,000,000
400,000,000
300,000,000
200,000,000
100,000,000
0
Russia
350,000,000
300,000,000
250,000,000
200,000,000
150,000,000
100,000,000
50,000,000
0MAR2011
FEB2011
JAN2011
DEC2010
JUN2011
MAY2011
APR2011
NOV2010
OCT2010
SEP2010
AUG2010
JUL2010
17
Report McAfee Threats Report: Second Quarter 2011
This quarter McAfee Labs has observed the Rustock botnets continuing to dwindle even though it may be reseeded by cybercriminals during the coming months. Meanwhile the Maazben, Cutwail, and Bobax botnet masters have stepped up their activity. Of these three dominant botnets, Maazben clearly outpaces the others in worldwide usage and influence.
New Global Botnet Infections by Week
Maazben
4/4/
11
4/11
/11
4/18
/11
4/25
/11
5/2/
11
5/9/
11
5/16
/11
5/23
/11
5/30
/11
6/6/
11
6/13
/11
6/20
/110
100,000
200,000
300,000
400,000
500,000
600,000
700,000
800,000
900,000
1,000,000
Maazben's Influence on Global Botnet Infections
Bagle-CB
Bobax
Cutwail
Grum
Maazben
Others
North America
Bagle-CB
Bobax
Cutwail
Grum
Maazben
Others
Africa
Latin America
Bagle-CB
Bobax
Cutwail
Grum
Maazben
Others
Bagle-CB
Bobax
Cutwail
Grum
Maazben
Others
Asia-Paci�c
Bagle-CB
Bobax
Cutwail
Grum
Maazben
Others
Europe-Middle East
Bagle-CB
Bobax
Cutwail
Grum
Maazben
Others
Australia
18
Report McAfee Threats Report: Second Quarter 2011
New Botnet Infections by Week
Bagle-CB
Donbot
Rustock
4/4/
11
4/11
/11
4/18
/11
4/25
/11
5/2/
11
5/9/
11
5/16
/11
5/23
/11
5/30
/11
6/6/
11
6/13
/11
6/20
/11
0
20,000
40,000
60,000
80,000
100,000
120,000
Cutwail
Bobax
Grum
4/4/
11
4/11
/11
4/18
/11
4/25
/11
5/2/
11
5/9/
11
5/16
/11
5/23
/11
5/30
/11
6/6/
11
6/13
/11
6/20
/110
20,000
40,000
60,000
80,000
100,000
120,000
140,000
160,000
New Botnet Infections by Week
19
Report McAfee Threats Report: Second Quarter 2011
There has been steady growth in new botnet infections throughout the quarter. This is an interesting juxtaposition when we consider the worldwide drop in spam. Clearly botnet usage is in a state of transition. Given the growth and goals of hacktivists, we expect to see major changes in how botnets are used.
Overall Botnet Infections per Month
APR
10
MA
Y 1
0
JUN
10
JUL
10
AU
G 1
0
SEP
10
OC
T 10
NO
V 1
0
DEC
10
JAN
11
FEB
11
MA
R 11
2,000,000
3,000,000
4,000,000
5,000,000
6,000,000
Spam lures and their subjects (the social engineering hook used to make the message attractive) continue to show diversity. “Nigerian 419 scams” seemed a bit more popular this quarter globally while lotto scams were also prevalent in many parts of the world, along with the long-time subjects of bogus DSN and gambling spams. Social engineering with lures based on location is certain to continue, as scammers understand the diversities in their global audience.
China
419 Scams
DSN
Diplomas
Drugs
Fashion
Gambling
Horoscopes
Jobs
Lonely Women
Lotto Scams
Marketing
Newsletters
Phishing
Products
Third Parties
Travel
Unknown
Viruses
Watches
Brazil
419 Scams
DSN
Diplomas
Drugs
Fashion
Gambling
Horoscopes
Jobs
Lonely Women
Lotto Scams
Marketing
Newsletters
Phishing
Products
Third Parties
Travel
Unknown
Viruses
Watches
Watches
Viruses
France
419 Scams
DSN
Diplomas
Drugs
Fashion
Gambling
Horoscopes
Jobs
Lonely Women
Lotto Scams
Marketing
Newsletters
Phishing
Products
Third Parties
Travel
Unknown
Viruses
Watches
Germany
419 Scams
DSN
Diplomas
Drugs
Fashion
Gambling
Horoscopes
Jobs
Lonely Women
Lotto Scams
Marketing
Newsletters
Phishing
Products
Third Parties
Travel
Unknown
Viruses
Watches
Spam by Country
419 Scams
DSN
Diplomas
Drugs
Fashion
Gambling
Horoscopes
Jobs
Lonely Women
Lotto Scams
Marketing
Newsletters
Phishing
Products
Third Parties
Travel
Unknown
Viruses
Watches
India
419 Scams
DSN
Diplomas
Drugs
Fashion
Gambling
Horoscopes
Jobs
Lonely Women
Lotto Scams
Marketing
Newsletters
Phishing
Products
Third Parties
Travel
Unknown
Viruses
Watches
Indonesia
419 Scams
DSN
Diplomas
Drugs
Fashion
Gambling
Horoscopes
Jobs
Lonely Women
Lotto Scams
Marketing
Newsletters
Phishing
Products
Third Parties
Travel
Unknown
Viruses
Watches
20
Report McAfee Threats Report: Second Quarter 2011
Web ThreatsWebsites can have bad or malicious reputations for a variety of reasons. Reputations can be based on full domains and any number of subdomains as well as on a specific IP address or URL. Malicious reputations are influenced by the hosting of malware, potentially unwanted programs, or phishing sites. Often we observe combinations of questionable code and functionality. Many factors go into a site’s reputational rating.
Last quarter McAfee Labs recorded an average of 8,900 new bad sites per day; this period that figure dropped a bit to 7,300 hits, which is comparable to the same time last year.
New Bad-Reputation URLs per Day
APR 12011
MAY 12011
JUNE 12011
JULY 12011
0
5,000
10,000
15,000
20,000
25,000
30,000
35,000
40,000
We saw some significant spikes in malicious web content this quarter. Several of these spikes corresponded to intensive malicious campaigns.
Philippines
419 Scams
DSN
Diplomas
Drugs
Fashion
Gambling
Horoscopes
Jobs
Lonely Women
Lotto Scams
Marketing
Newsletters
Phishing
Products
Third Parties
Travel
Unknown
Viruses
Watches
Italy
419 Scams
DSN
Diplomas
Drugs
Fashion
Gambling
Horoscopes
Jobs
Lonely Women
Lotto Scams
Marketing
Newsletters
Phishing
Products
Third Parties
Travel
Unknown
Viruses
Watches
Russia
419 Scams
DSN
Diplomas
Drugs
Fashion
Gambling
Horoscopes
Jobs
Lonely Women
Lotto Scams
Marketing
Newsletters
Phishing
Products
Third Parties
Travel
Unknown
Viruses
Watches
South Korea
419 Scams
DSN
Diplomas
Drugs
Fashion
Gambling
Horoscopes
Jobs
Lonely Women
Lotto Scams
Marketing
Newsletters
Phishing
Products
Third Parties
Travel
Unknown
Viruses
Watches
Spam by Country
419 Scams
DSN
Diplomas
Drugs
Fashion
Gambling
Horoscopes
Jobs
Lonely Women
Lotto Scams
Marketing
Newsletters
Phishing
Products
Third Parties
Travel
Unknown
Viruses
Watches
United Kingdom
419 Scams
DSN
Diplomas
Drugs
Fashion
Gambling
Horoscopes
Jobs
Lonely Women
Lotto Scams
Marketing
Newsletters
Phishing
Products
Third Parties
Travel
Unknown
Viruses
Watches
United States
419 Scams
DSN
Diplomas
Drugs
Fashion
Gambling
Horoscopes
Jobs
Lonely Women
Lotto Scams
Marketing
Newsletters
Phishing
Products
Third Parties
Travel
Unknown
Viruses
Watches
Venezuela
419 Scams
DSN
Diplomas
Drugs
Fashion
Gambling
Horoscopes
Jobs
Lonely Women
Lotto Scams
Marketing
Newsletters
Phishing
Products
Third Parties
Travel
Unknown
Viruses
Watches
21
Report McAfee Threats Report: Second Quarter 2011
On May 31, spam campaigns—one promoting online dating sites with video chats and another informing recipients of fake pending invoices—distributed fraudulent URLs hosting Zeus-related malware (Generic FakeAlert.by and Generic PWS.y). Among these sites were undss-syria.org, baranava.com, emajic.net, and sturtholdfastmarioncc.com.
The vast majority of these new malicious sites are located in the United States. Next in line, we find South Korea, Netherlands, Canada, United Kingdom, China, and Germany.
In the first quarter our top countries were the United States, South Korea, Germany, and China. This quarter, however, is quite different. Our regional breakdown reveals where most malicious servers reside:
Africa
Asia-Paci�c
Australia
Europe-Middle East
Latin America
North America
North America60.2%
Australia1.8%
Africa0.2%
Latin America1.7%
Europe-Middle East24.9%
Asia-Pacific11.1%
North America, primarily the United States, still dominates, but the figure for the combined region of Europe, the Middle East, and Africa has increased to 25 percent from 18 percent in the first quarter.
Let’s take a deeper look at some regions:
Morocco
South Africa
Egypt
Senegal
Seychelles
Others
Africa
South Korea
China
Vietnam
Others
Asia Paci�c
22
Report McAfee Threats Report: Second Quarter 2011
This quarter, the number of websites hosting malicious downloads has again increased, while the amount of sites that host browser exploits was unchanged:
0
20,000
40,000
60,000
80,000
100,000
120,000
140,000
160,000
Malicious Downloads
Browser Exploits
Active Malicious URLs
MAR2011
FEB2011
JAN2011
DEC2010
JUN2011
MAY2011
APR2011
NOV2010
OCT2010
SEP2010
AUG2010
JUL2010
This quarter we also observed a continued increase in blogs and wikis with malicious reputations.
Australia
New Zealand
Australia
Netherlands
United Kingdom
Germany
France
Russia
Romania
Italy
Others
Europe and Middle East
Brazil
British Virgin Islands
Argentina
Chile
Panama
Trinidad and Tobago
Others
Latin America
United States
Canada
Mexico
North America
23
Report McAfee Threats Report: Second Quarter 2011
Websites Delivering Malware and PUPsThe following chart provides a picture of the number of websites delivering malware and potentially unwanted programs (PUPs) that McAfee Labs detected this quarter.
New Malware Sites per Day
APR 12011
MAY 12011
JUNE 12011
JULY 12011
0
5,000
10,000
15,000
20,000
25,000
30,000
35,000
We saw a small increase this quarter with around 3,000 new sites per day compared with 2,700 per day during the first quarter.
Phishing SitesThis quarter we identified approximately 2,700 phishing URLs per day, up slightly from 2,500 per day last quarter.
New Phishing Sites per Day
APR 12011
MAY 12011
JUNE 12011
JULY 12011
0
2,000
4,000
6,000
8,000
McAfee 2821 Mission College Boulevard Santa Clara, CA 95054 888 847 8766 www.mcafee.com
The information in this document is provided only for educational purposes and for the convenience of McAfee customers. The information contained herein is subject to change without notice, and is provided “as is,” without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance.
McAfee, the McAfee logo, McAfee Labs, and McAfee Global Threat Intelligence are registered trademarks or trademarks of McAfee or its subsidiaries in the United States and other countries. Other marks may be claimed as the property of others. © 2011 McAfee. All rights reserved. 32000rpt_quarterly-threat-q2_0711_ETMG
Report McAfee Threats Report: Second Quarter 2011
About the AuthorsThis report was prepared and written by Toralv Dirro, Paula Greve, Rahul Kashyap, David Marcus, François Paget, Craig Schmugar, Jimmy Shah, and Adam Wosotowsky of McAfee Labs.
About McAfee LabsMcAfee Labs is the global research team of McAfee. With the only research organization devoted to all threat vectors—malware, web, email, network, and vulnerabilities—McAfee Labs gathers intelligence from its millions of sensors and its cloud-based service McAfee Global Threat Intelligence™. The McAfee Labs team of 350 multidisciplinary researchers in 30 countries follows the complete range of threats in real time, identifying application vulnerabilities, analyzing and correlating risks, and enabling instant remediation to protect enterprises and the public.
About McAfeeMcAfee, a wholly owned subsidiary of Intel Corporation (NASDAQ:INTC), is the world’s largest dedicated security technology company. McAfee delivers proactive and proven solutions and services that help secure systems, networks, and mobile devices around the world, allowing users to safely connect to the Internet, browse, and shop the web more securely. Backed by its unrivaled Global Threat Intelligence, McAfee creates innovative products that empower home users, businesses, the public sector, and service providers by enabling them to prove compliance with regulations, protect data, prevent disruptions, identify vulnerabilities, and continuously monitor and improve their security. McAfee is relentlessly focused on finding new ways to keep our customers safe. www.mcafee.com
