IT Threat Evolution: Q3 2012
Yury Namestnikov

Contents
Q3 in figures
Overview
Mobile malware and operating systems
Exploits: Java vulnerabilities are used in more than half of all attacks
Cyber-espionage: Gauss, Madi and others

Q3 in figures
- According to KSN data, Kaspersky Lab products detected and neutralized 1,347,231,728 threats in Q3 2012.
- 28% of all mobile devices attacked run Android OS version 2.3.6, which was released in September 2011.
- 56% of exploits blocked in Q3 use Java vulnerabilities.
- A total of 91.9 million URLs serving malicious code were detected, a 3% increase compared to Q2 2012.

Overview

Mobile malware and operating systems

During Q3 2012, over 9,000 new malicious .dex files were added to our malware collection. This is 5,000 files fewer than last quarter but 3,500 more than in Q1 2012. This is due to the fact that in Q2 files that had been detected heuristically for some time were added to our malware collection. (Note that one heuristic is used to detect a large number of different programs.) In Q3, the situation was standard and the number of new files added to our collection was in line with the trend we have seen since the beginning of the year.

Figure: The number of malware modifications targeting Android OS

It is curious to see which Android versions become targets for cyber-attacks most often.
Figure: Distribution of the malware detected by Android OS version, Q3 2012

Android 2.3.6 “Gingerbread”, which accounts for 28% of all blocked attempts to install malware, was the most commonly attacked version. It is not new: it was released in September 2011. However, due to the considerable segmentation of the Android device market, it remains one of the most popular versions.

To find out whether there is a good correlation between the distribution of Android OS versions on mobile devices and the distribution of OS versions on devices attacked by cybercriminals, we need to compare our data to the official Android OS version distribution figures from developer.android.com. Below we provide the percentage distribution of OS versions for the last two weeks of September:

Figure: Android OS version distribution, last two weeks of September 2012 (source: http://developer.android.com/about/dashboards/index.html)

Compare this to our data for the same period:

Figure: Distribution of malware detected in the last 14 days of September 2012, by Android OS version

As we can see, there are significant differences between the diagrams: in 48% of all cases victims of cybercriminals used Gingerbread, which was installed on 55% of all devices, while in 43% of all cases the victims had Ice Cream Sandwich, the latest version of Android OS, which is installed on 23.7% of all devices. It is obvious that the devices with the later versions of operating systems installed on them are better suited to actively working online. Unfortunately, more active web surfing often leads users to sites hosting malicious content.

Below, we use the KSN statistics for mobile devices to determine what kinds of programs most commonly attack user devices.

Figure: Distribution of malware targeting Android OS detected on user devices by behavior, Q3 2012*

More than one half of all malware detected on user smartphones turned out to be SMS Trojans, i.e. malicious programs that steal money from victims’ mobile accounts by sending SMS messages to premium rate numbers.
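The version comparison above (a version's share of detections set against its share of the installed base) reduces to one ratio per version, and the same computation works for the whole distribution rather than just the two versions the text discusses. The Python below is an added example, not code from the report: only the Gingerbread and Ice Cream Sandwich figures are the ones quoted above; the "Froyo" and "Other" shares are constructed filler so that both tables sum to 100%.

```python
# Added example, not from the report: compare each Android version's share of
# malware detections with its share of the installed base, as the report does
# for the last 14 days of September 2012. Only the Gingerbread and Ice Cream
# Sandwich figures are the report's; "Froyo" and "Other" are constructed
# filler so that both distributions sum to 100%.

INSTALLED_SHARE = {          # % of active devices (developer.android.com dashboard)
    "Gingerbread 2.3.x": 55.0,
    "Ice Cream Sandwich 4.0.x": 23.7,
    "Froyo 2.2": 12.9,       # constructed
    "Other": 8.4,            # constructed
}

DETECTED_SHARE = {           # % of KSN malware detections by victim OS version
    "Gingerbread 2.3.x": 48.0,
    "Ice Cream Sandwich 4.0.x": 43.0,
    "Froyo 2.2": 6.0,        # constructed
    "Other": 3.0,            # constructed
}


def normalize(shares):
    """Rescale a percentage table so it sums to exactly 100, absorbing the
    rounding residue that published dashboards usually carry."""
    total = sum(shares.values())
    if total <= 0:
        raise ValueError("distribution has no mass")
    return {k: v * 100.0 / total for k, v in shares.items()}


def relative_risk(installed, detected):
    """Per version: share of detections divided by share of installed base.

    1.0 means the version is attacked in proportion to its popularity; above
    1.0 it is over-represented among victims. Returns (ratios, unrated), where
    unrated lists versions present in the detections but missing from the
    installed-base table; they cannot be rated and must not be dropped silently.
    """
    inst = normalize(installed)
    det = normalize(detected)
    ratios = {
        version: round(det.get(version, 0.0) / share, 2)
        for version, share in inst.items()
        if share > 0
    }
    unrated = sorted(set(det) - set(inst))
    return ratios, unrated


def ranked(ratios):
    """Versions ordered from most to least over-represented among victims."""
    return sorted(ratios.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    ratios, unrated = relative_risk(INSTALLED_SHARE, DETECTED_SHARE)
    for version, ratio in ranked(ratios):
        print(f"{version}: {ratio}x")
    if unrated:
        print("no installed-base figure for:", ", ".join(unrated))
```

With the report's figures Ice Cream Sandwich comes out at 1.81x and Gingerbread at 0.87x, which is the over-representation the text describes in words.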
Figure: Distribution of the Android OS malware detected on user devices by family, Q3 2012*

* Detection verdicts returned by the Kaspersky Mobile Security file scanning module. Information provided by those users of KL products who have expressly agreed to provide statistical data.

The OpFake family has become the most widespread (38.3% of all the malicious programs for Android detected) among all the mobile malware families. All the programs in this family disguise themselves as Opera Mini. Third place in the ranking was taken by the FakeInst family, whose members pretend to be installers for popular programs (17%). These two types of malware are mostly distributed via so-called alternative app stores created by cybercriminals.

A fifth of the malicious programs detected on user devices are versatile Trojans, most of which belong to the Plangton family. After being installed on a device, these Trojans collect service data on the telephone, send it to the command server and wait for the cybercriminals’ commands. Specifically, malicious programs in this family can stealthily change bookmarks and the home page.

5%: not-a-virus:RiskTool.AndroidOS.SMSreg, which subscribes the user to expensive services. Programs in this family target users from such countries as the US, the Netherlands, Great Britain and Malaysia. We have written about these programs in our blog.

4%: the Exploit.AndroidOS.Lotoor family. To gain control of a device, cybercriminals need to perform a jailbreak (i.e. to bypass the telephone’s protection in order to gain full access to the file system). Malware belonging to this family is used to obtain root privileges, which offer virtually unlimited possibilities related to manipulating the system.

Various advertising programs detected as AdWare together also account for 4% of mobile malware. The most ‘popular’ of these belong to the Hamob family and show advertising built into applications.
To summarize, attacks of cybercriminals in Q3 most commonly targeted Android versions 2.3.6 Gingerbread and 4.0.4 Ice Cream Sandwich. Attackers are sufficiently good at bypassing restrictions on installing software from untrusted sources, primarily using social engineering techniques. In the wild, Trojans that use a variety of methods to steal money from mobile users’ accounts are the most widespread, although they are clearly being gradually replaced by more sophisticated versatile Trojans.

Exploits: Java vulnerabilities are used in more than half of all attacks

Online attacks primarily involve various exploits that allow attackers to download malware onto victims’ computers during drive-by attacks without having to resort to social engineering. The successful use of exploits is reliant on the presence of vulnerabilities in the code of popular applications installed on user machines. The diagram below shows which vulnerable applications were targeted by exploits in Q3. This quarter, we changed the methodology and included exploits detected heuristically in the statistics.

Figure: Applications with vulnerabilities targeted by web exploits, Q3 2012

Java vulnerabilities were exploited in more than 50% of all attacks. According to Oracle, different versions of this virtual machine are installed on more than 1.1 billion computers. Importantly, updates for this software are installed on demand rather than automatically, increasing the lifetime of vulnerabilities. In addition, Java exploits are sufficiently easy to use under any Windows version and, with some additional work by cybercriminals, as in the case of Flashfake, cross-platform exploits can be created. This explains the special interest of cybercriminals in Java vulnerabilities. Naturally, most detections are triggered by various exploit packs. A number of vulnerabilities that cybercriminals were quick to take advantage of were discovered in Q3.
CVE-2012-1723, discovered in July, is an error in the HotSpot component; by exploiting it, attackers can execute their own class, bypassing the sandbox provided by the Java virtual machine. Another vulnerability, CVE-2012-4681, was found in late August. Exploits for this vulnerability were first used in targeted attacks, but were quickly included in popular exploit packs. Kaspersky Lab products successfully detected them using the Advanced Exploit Protection technology. More information about this can be found in our blog.

Attacks via Adobe Reader rank second, accounting for a quarter of all attacks blocked. The popularity of exploits for Adobe Reader is gradually declining due to a relatively simple mechanism that ensures their detection, as well as to automated updates introduced in the latest versions of the Reader.

Exploits targeting vulnerabilities in the Windows Help and Support Center, as well as various Internet Explorer (IE) flaws, accounted for 3% of all attacks. Specifically, a new vulnerability (CVE-2012-1876) was discovered in Q3 in IE versions 6-9. A vulnerable browser does not properly handle objects in memory, which allows remote attackers to attempt to access a non-existent object, leading to a heap overflow. Curiously, the vulnerability was exploited during the Pwn2Own contest at the CanSecWest 2012 conference in March.

Our advice is that users should install updates of popular programs as they are released and use up-to-date protection against exploits, and companies should also use Patch Management technologies.

Cyber-espionage: Gauss, Madi and others

Q3 saw a plethora of espionage-related incidents. The most significant of these were related to the activity of Madi, Gauss and Flame malware, which were distributed primarily in the Middle East. One campaign related to penetrating computer systems went on for almost a year and targeted users primarily in Iran, Israel and Afghanistan.
We conducted a joint detailed study of this malware with our partner, an Israeli company called Seculert. The malicious program was named “Madi” based on the strings and identifiers used by the cybercriminals in their malware. The malicious components were distributed via attacks that were based on a set of well-known unsophisticated technologies. This indicates that the victims’ awareness of Internet security left much to be desired. These attacks involved installing backdoors coded in Delphi on victim machines. They could have been created by an amateur programmer or else by a professional developer who was extremely short of time. The campaign targeted the critically important infrastructure of engineering firms, government organizations, banks and universities in the Middle East. Victims were chosen among users within these organizations whose communications had been under close surveillance for extended periods of time.

The Gauss malware was discovered in the course of an investigation initiated by the International Telecommunication Union (ITU) after the discovery of the Flame malware. Essentially, Gauss is a nation-state sponsored “banking” Trojan. In addition to stealing a variety of data from infected Windows machines, it includes a malicious payload which is encrypted and the purpose of which is not yet known. The malicious program activates only on systems with certain configurations. Gauss is based on the Flame platform and shares some features with Flame, such as routines for infecting USB drives.

Our experts were also able to gain new information on Flame command-and-control (C&C) servers. A study conducted by Kaspersky Lab experts in cooperation with our partners – Symantec, ITU-IMPACT and CERT-Bund/BSI – has enabled us to make a number of important conclusions. First, the development of code for C&C servers based on the platform began as far back as December 2006.
Judging by the comments left in the source code, the project was developed by at least four programmers. The C&C code supports three communication protocols. A major finding is that it handles requests from four malicious programs, codenamed by the authors as SP, SPE, FL and IP. Of these four malicious programs, only two are known at this time: Flame and SPE (a.k.a. miniFlame).

Based on the data collected from the study, we can state that the cyber-espionage story looks set to continue in the near future. The objective of the work performed by Kaspersky Lab is to mitigate the risks which have arisen with the emergence of cyber weapons.

Statistics

Below, we will review the statistics obtained from the operation of various malware protection components. All statistical data used in the report has been obtained with the help of the cloud-based Kaspersky Security Network (KSN). The statistics were acquired from KSN users who consented to share their local data. Millions of users of Kaspersky Lab products in 213 countries take part in the global information exchange on malicious activity.

Online threats

The statistics in this section are derived from the web-based antivirus solution that protects users as soon as malicious code is uploaded from an infected web page. Infections can be found on web pages where users are allowed to create their own content (e.g. forums) and even on legitimate pages which have been compromised by hackers.

Detectable online objects

In Q3 2012, 511 269 302 attacks were neutralized. These had been launched from online resources located in various countries around the world. A total of 165 732 unique modifications of malicious and potentially unwanted programs were detected in these incidents.
TOP 20 malicious programs detected on the Internet

Rank  Name*  % of all attacks**
1  Malicious URL  90.7%
2  Trojan.Script.Generic  2.3%
3  Trojan.Script.Iframer  1.6%
4  Trojan-Downloader.SWF.Voleydaytor.h  0.4%
5  Trojan.Win32.Generic  0.4%
6  Exploit.Script.Blocker  0.3%
7  AdWare.Win32.IBryte.x  0.2%
8  Trojan-Downloader.JS.Iframe.cyq  0.2%
9  Exploit.Script.Generic  0.2%
10  Trojan-Downloader.JS.Agent.gsv  0.2%
11  Trojan-Downloader.JS.JScript.bp  0.2%
12  Hoax.HTML.FraudLoad.i  0.2%
13  Trojan-Downloader.Script.Generic  0.1%
14  Trojan.HTML.Redirector.am  0.1%
15  Trojan-Downloader.Win32.Generic  0.1%
16  Trojan-Downloader.JS.Iframe.czo  0.1%
17  AdWare.Win32.ScreenSaver.e  0.1%
18  Backdoor.MSIL.Agent.gtx  0.1%
19  Trojan.JS.Popupper.aw  0.1%
20  Exploit.Java.CVE-2012-4681.gen  0.1%

* These statistics represent detection verdicts of the web-based antivirus module and were submitted by the users of Kaspersky Lab products who consented to share their local data.
** The total number of unique incidents recorded by web-based antivirus on user computers.

First place in this ranking is still occupied by malicious links from our blacklist. They now trigger 90% of all antivirus alerts, 5 percentage points more than in the previous quarter. Of these, 4% of malicious links were blocked as a result of instant cloud-based updates; the links are to newly compromised sites, or freshly-made cybercriminal pages. Users without antivirus protection installed would face a drive-by attack as soon as they visited these pages.

Trojan-Downloader.SWF.Voleydaytor.h takes third place. It is detected on various adult content sites. While claiming to update a video playback program, various malicious programs are delivered to user computers.

In seventh place we see the adware program AdWare.Win32.IBryte.x, which spreads as a downloader of popular freeware. Once started, it downloads the freeware program required by the user, and simultaneously installs an adware module.
It’s just as easy to download the programs you need from their official sites, saving you the trouble of removing adware later. A recent study suggests this problem mostly affects Internet Explorer users.

Hoax.HTML.FraudLoad.i (in 12th place) is interesting. This threat mostly affects users who like downloading films and software for free. From web pages detected under this heading, users purportedly can download content, but are first required to send a paid message. Users who do so don’t receive the required file, but either a TXT file containing advice on how to use search engines, or a malicious program.

The Top 20 is completed by Exploit.Java.CVE-2012-4681.gen, an exploit detected in late August that simultaneously uses two Java vulnerabilities. Java exploits are especially popular with cybercriminals as there are more than three billion devices in the world that have this virtual machine installed on them. This exploit is interesting in that it has been used both in targeted attacks (APT) and as part of mass infection exploit kits.

12 positions in the ranking are taken up by malicious programs and components which deliver Trojans to the user’s computer in conjunction with exploits.

Countries where web resources are seeded with malware

These figures show where sites hosting malicious programs are physically located. The geographic sources of web attacks were determined by comparing the domain name with the actual IP address where a specific domain is located, and determining the location of that IP address (GEOIP).

Just 10 countries worldwide host 86% of the web resources used to spread malware. For the second quarter running this figure has climbed by a single percentage point.

Figure: A distribution of online resources seeded with malicious code, by country, Q3 2012

There is a new leader among countries hosting malicious content: Russia (23.2%) has overtaken the USA (20.3%).
In the last three months, the proportion of malicious hosts in Russia has dramatically increased (+8.6 percentage points); at the same time, the fall in the US share (-9.7 percentage points) has almost mirrored Russia’s rise. The number of malicious hosts in the Netherlands has also risen (+5.8 percentage points). 60% of all malicious content is located in the top three countries – Russia, the USA and the Netherlands. Without effective action from law enforcement agencies and hosting providers, this situation is likely to continue for several more months. There were no significant changes among the other countries in the Top 10, apart from the UK’s share falling by 2.6 percentage points.

Countries where users faced the greatest risk of infection via the Internet

In order to assess a user’s infection risk in any given country, Kaspersky Lab calculated the frequency of web antivirus detections in different countries throughout the quarter. These figures are based on the raw number of web antivirus alerts on computers in each country and are not adjusted to reflect the number of KSN users in each country.

Figure: Top 20 countries* for online infection risks** in Q3 2012

* When calculating, we excluded those countries in which the number of Kaspersky Lab product users is relatively small (less than 10,000).
** The percentage of unique users in the country with computers running Kaspersky Lab products that blocked web-borne threats.

In the previous quarter, the top 20 consisted exclusively of countries from the former Soviet Union, Africa and SE Asia. This time, two Southern European countries are on the list, namely Italy (36.5%) and Spain (37.4%).

All these countries can be divided into four groups.

1. The Maximum risk group includes countries where more than 60% of users encountered malware at least once while online. In Q3, Tajikistan (61.1%) found itself in this category, displacing Russia (58%) from the leader’s position.
2. The High risk group includes countries where 41% to 60% of users encountered online malware at least once. This group includes ten countries from the TOP 20, eight countries fewer than in the last quarter. Along with Russia (58%), this group includes Kazakhstan (54.9%), Belarus (49.6%) and Ukraine (46.1%).

3. The Moderate risk group (21-40%) includes 99 countries, including India (38.4%), Spain (37.4%), Italy (36.5%), Lithuania (33.5%), China (33.4%), Turkey (33.3%), the USA (32.4%), Brazil (32.9%), the UK (30.2%), Belgium (28.3%) and France (28.2%).

4. The Low risk group includes 27 countries where between 10.6% and 21% of users have encountered online malware. The safest surfing was in Japan (13.6%), Denmark (17.7%), Taiwan (15.4%), Hong Kong (19.3%), Luxembourg (19.7%), Slovakia (20.7%) and Singapore (20.9%).

Figure: The risk of online infection around the world, Q3 2012

It should be noted that African countries are in the safest web surfing group. In our opinion, the low level of online attacks is due to the fact that Internet usage remains underdeveloped in these countries. This hypothesis is supported by the fact that the situation with local infections in these countries is far from healthy (see below).

On average in Q3 2012, 36.7% of KSN users’ computers were attacked at least once while surfing online. That average is 3 percentage points less than the previous quarter.

Local threats

This section of the report contains an analysis of statistics based on data obtained from the on-access scanner and scanning statistics for different disks, including removable media (the on-demand scanner).

Malicious objects detected on users’ computers

In Q3 2012, Kaspersky Lab’s security solutions successfully blocked 882 545 490 local infection attempts on computers participating in Kaspersky Security Network. A total of 328 804 unique modifications of malicious and potentially unwanted programs were blocked by on-access scanners while attempting to launch on user computers.
Top 20 malicious objects detected on users’ computers

Rank  Name  % of individual users*
1  Trojan.Win32.Generic  17.1%
2  DangerousObject.Multi.Generic  15.6%
3  Trojan.Win32.AutoRun.gen  14.5%
4  Trojan.Win32.Starter.yy  7.6%
5  Virus.Win32.Virut.ce  5.5%
6  Net-Worm.Win32.Kido.ih  4.8%
7  Virus.Win32.Sality.aa  3.9%
8  HiddenObject.Multi.Generic  3.9%
9  Virus.Win32.Generic  3.7%
10  Virus.Win32.Nimnul.a  3.2%
11  Trojan.WinLNK.Runner.bl  2.5%
12  Worm.Win32.AutoRun.hxw  1.8%
13  Virus.Win32.Sality.ag  1.5%
14  Trojan.Win32.Patched.dj  0.7%
15  Email-Worm.Win32.Runouce.b  0.5%
16  AdWare.Win32.BHO.awvu  0.4%
17  Trojan-Dropper.Script.Generic  0.4%
18  AdWare.Win32.GoonSearch.b  0.4%
19  Backdoor.Win64.Generic  0.3%
20  AdWare.Win32.RelevantKnowledge.a  0.3%

These statistics are compiled from the malware detection verdicts generated by the on-access and on-demand scanner modules on the computers of those users running Kaspersky Lab products that have consented to submit their statistical data.
* The percentage of individual users on whose computers the antivirus module detected these objects as a percentage of all individual users of Kaspersky Lab products on whose computers a malicious program was detected.

Trojan.Win32.Generic (17.1%) takes first place in the rankings – this is the verdict given by the heuristic analyzer when proactively detecting a wide variety of malicious programs.

Malicious programs detected with the help of cloud technologies (DangerousObject.Multi.Generic, 15.6%) moved up one position to second spot. Cloud technologies work when neither signature-based nor heuristic methods are immediately able to detect a malicious program, but information about the object already exists in the cloud. In essence, this is the verdict given to the most recent malicious programs.

16th, 18th and 20th places are occupied by adware programs. The Q3 newcomer is the malware family AdWare.Win32.RelevantKnowledge (0.3%).
Programs belonging to this family integrate into the web browser and periodically display a user query window.

Countries where users run the most serious risk of local infection

The figures below show the average rate of computer infection in different countries. KSN users who provide information for us had at least one malicious file detected on every third computer (32.5%) – either on the hard drive or on removable media connected to it. This is 3.9 percentage points less compared to the last quarter.

Figure: Computer infection levels by country*, TOP 20 rating**, Q3 2012

* The percentage of unique users in the country with computers running Kaspersky Lab products that blocked web-borne threats.
** When calculating, we excluded those countries where there are fewer than 10,000 Kaspersky Lab users.

As was the case in the previous quarter, the top 20 only consisted of countries in Africa, the Middle East and South-East Asia. In Bangladesh, at the top of the table, the percentage of computers where malicious code was blocked was down 7.3 percentage points to 90.9%.

Countries can also be grouped by their level of local infection.

1. Maximum level of local infection (over 60%): this group now features nine fewer countries and consists of 11 Asian countries (India, Vietnam, Nepal etc.), Middle East countries (Afghanistan) and Africa (Sudan, Mali, Tanzania etc.).

2. High level of local infection (41-60%): 39 countries, including Indonesia (53.5%), Egypt (46%), Thailand (42.3%), China (41.4%) and the Philippines (44.3%).

3. Moderate level of local infection (21-40%): 56 countries, including Turkey, Mexico, Israel, Latvia, Portugal, Italy, Russia and Spain.

4. Lowest level of local infection (under 21%): this group now includes newcomers, comprising 31 countries, including the USA, Australia, Canada, New Zealand, Puerto Rico, 19 European countries (including Norway, Estonia and France) and two Asian countries: Japan and Hong Kong.
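The four risk groups used for both the online infection rating and the local infection rating above (Maximum over 60%, High 41-60%, Moderate 21-40%, Low under 21%), together with the footnoted rules behind them (unique users per country, countries with fewer than 10,000 users excluded), can be reproduced on per-user telemetry. The Python below is an added example and not the report's own code: the records are constructed, the `min_users` threshold is lowered to 10 so the sample stays small, and where a fractional rate falls between two published boundaries (for example 40.5%) its placement is an assumption.

```python
from collections import defaultdict

# Constructed sample of KSN-style telemetry: (user_id, country, threat_blocked).
# A user may appear more than once (one line per check-in); the rating counts
# unique users, as the report's footnotes describe.
SAMPLE_RECORDS = (
    [(f"tj{i}", "TJ", i < 62) for i in range(100)]
    + [(f"ru{i}", "RU", i < 58) for i in range(100)]
    + [(f"es{i}", "ES", i < 37) for i in range(100)]
    + [(f"dk{i}", "DK", i < 17) for i in range(100)]
    + [(f"xx{i}", "XX", True) for i in range(5)]        # below the user threshold
    + [("ru0", "RU", False), ("dk3", "DK", True)]        # repeat check-ins
)


def rate_countries(records, min_users=10_000):
    """Percentage of unique users per country that blocked at least one threat.

    Countries with fewer than min_users unique users are dropped, matching the
    report's exclusion of countries with fewer than 10,000 Kaspersky Lab users.
    """
    users = defaultdict(set)     # country -> every unique user seen
    attacked = defaultdict(set)  # country -> unique users with >= 1 block
    for user_id, country, blocked in records:
        users[country].add(user_id)
        if blocked:
            attacked[country].add(user_id)
    return {
        country: round(100.0 * len(attacked[country]) / len(ids), 1)
        for country, ids in users.items()
        if len(ids) >= min_users
    }


def risk_group(rate):
    """Map a percentage to the report's four groups. Boundaries follow the
    text; a fractional rate between two published bounds (e.g. 40.5%) goes to
    the lower group, which is an assumption."""
    if rate > 60:
        return "Maximum"
    if rate >= 41:
        return "High"
    if rate >= 21:
        return "Moderate"
    return "Low"


def grouped_ranking(records, min_users=10_000):
    """Countries sorted by rate, highest first, each with its risk group."""
    rates = rate_countries(records, min_users)
    ordered = sorted(rates.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(country, rate, risk_group(rate)) for country, rate in ordered]


def overall_rate(records):
    """Share of all unique users (no country filter) attacked at least once;
    the report quotes 36.7% for online threats in Q3 2012."""
    seen, hit = set(), set()
    for user_id, _country, blocked in records:
        seen.add(user_id)
        if blocked:
            hit.add(user_id)
    return round(100.0 * len(hit) / len(seen), 1) if seen else 0.0


if __name__ == "__main__":
    for country, rate, group in grouped_ranking(SAMPLE_RECORDS, min_users=10):
        print(f"{country}: {rate}% ({group} risk)")
    print(f"average: {overall_rate(SAMPLE_RECORDS)}%")
```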
Figure: The risk of local infection around the world, Q3 2012

The 10 countries where users faced the lowest risk of local infection were:

Rank  Country  % of unique users
1  Denmark  10.5
2  Japan  10.6
3  Luxembourg  13.8
4  Switzerland  14.3
5  Sweden  14.7
6  Germany  15.0
7  Finland  15.1
8  Netherlands  15.1
9  Czech Republic  15.2
10  Ireland  15.5

Ireland is a newcomer to this rating, appearing at number 10 with 15.5% of computers blocking malicious programs from various media carriers.

Vulnerabilities

In Q3 2012 a total of 30 749 066 vulnerable programs and files were detected on the computers of KSN users, with an average of eight different vulnerabilities on each affected computer. The Top 10 vulnerabilities are listed in the table below.

Top 10 vulnerabilities, Q3 2012. Columns: Secunia ID (unique vulnerability number); vulnerability name and link to description; what the vulnerability lets malicious users do; percentage of users on whose computers the vulnerability was detected*; date of latest change; rating.

1. SA 49472, Oracle Java Multiple Vulnerabilities, http://www.securelist.com/en/advisories/49472
   Lets malicious users: conduct a DoS attack; gain access to a system and execute arbitrary code with local user privileges; perform cross-site scripting; gain access to sensitive data; manipulate data
   35.0% of users; latest change 20.08.2012; Highly Critical

2. SA 50133, Oracle Java Three Vulnerabilities, http://www.securelist.com/en/advisories/50133
   Lets malicious users: gain access to a system and execute arbitrary code with local user privileges
   21.7% of users; latest change 31.08.2012; Extremely Critical

3. SA 50354, Adobe Flash Player Multiple Vulnerabilities, http://www.securelist.com/en/advisories/50354
   Lets malicious users: gain access to a system and execute arbitrary code with local user privileges; bypass security systems
   19.0% of users; latest change 25.09.2012; Highly Critical

4. SA 49388, Adobe Flash Player Multiple Vulnerabilities, http://www.securelist.com/en/advisories/49388
   Lets malicious users: gain access to sensitive data; gain access to a system and execute arbitrary code with local user privileges
   18.8% of users; latest change 18.06.2012; Highly Critical

5. SA 47133, Adobe Reader/Acrobat Multiple Vulnerabilities, http://www.securelist.com/en/advisories/47133
   Lets malicious users: gain access to a system and execute arbitrary code with local user privileges
   14.7% of users; latest change 11.01.2012; Extremely Critical

6. SA 47447, Apple QuickTime Multiple Vulnerabilities, http://www.securelist.com/en/advisories/47447
   Lets malicious users: gain access to a system and execute arbitrary code with local user privileges
   13.8% of users; latest change 23.08.2012; Highly Critical

7. SA 49489, Apple iTunes Multiple Vulnerabilities, http://www.securelist.com/en/advisories/49489
   Lets malicious users: gain access to a system and execute arbitrary code with local user privileges
   11.7% of users; latest change 10.07.2012; Highly Critical

8. SA 46624, Winamp AVI / IT File Processing Vulnerabilities, http://www.securelist.com/en/advisories/46624
   Lets malicious users: gain access to a system and execute arbitrary code with local user privileges
   10.9% of users; latest change 03.08.2012; Highly Critical

9. SA 50283, Adobe Shockwave Player Multiple Vulnerabilities, http://www.securelist.com/en/advisories/50283
   Lets malicious users: gain access to a system and execute arbitrary code with local user privileges
   10.8% of users; latest change 14.08.2012; Highly Critical

10. SA 41917, Adobe Flash Player Multiple Vulnerabilities, http://www.securelist.com/en/advisories/41917
   Lets malicious users: bypass security systems; gain access to a system and execute arbitrary code with local user privileges; gain access to sensitive data
   9.7% of users; latest change 09.11.2010; Extremely Critical

* Percentage of all users on whose computers at least one vulnerability was detected.

The first two spots are taken by Oracle Java vulnerabilities, which were found on 35% and 21.7% of vulnerable computers respectively. Five common vulnerabilities affect Adobe products: the Flash and Shockwave players and Reader, a popular PDF reader for documents. The rating now also includes two Apple programs – the QuickTime player and iTunes – and the popular Nullsoft Winamp media player.

Figure: Vendors of products with the Top 10 vulnerabilities, Q3 2012

Any of the top 10 vulnerabilities can jeopardize a computer’s security because they all allow cybercriminals to gain full control of the system using exploits.
As in Q2, three vulnerabilities enable attackers to gain access to sensitive data. Both Flash Player vulnerabilities enable cybercriminals to bypass security systems integrated into the application. The top 10 also features vulnerabilities that enable attackers to manipulate data and conduct DDoS and XSS attacks.

Figure: Distribution of Top 10 vulnerabilities by type of system impact, Q3 2012

Microsoft products no longer feature among the Top 10 products with vulnerabilities. This is because the automatic updates mechanism has now been well developed in recent versions of Windows OS.