McAfee Threats Report: Second Quarter 2011
The threat landscape of 2011 is undergoing a year of chaos and change. We see chaos in the major challenges that hacktivist groups such as LulzSec and Anonymous pose, and change in the shifts in new malware classes and targeted devices.

This quarter McAfee Labs saw major hacktivist activity, but in a very different way. The group Lulz Security, LulzSec for short, differs from other hacktivist groups in that it had no specific goals. Its members were in it, as they claimed, for the "lulz" (LOLs in text-message speak, or "laugh out loud's"), but they showed an agility at compromising networks and servers and at stealing usernames, passwords, and other data. LulzSec committed multiple intrusions against a wide variety of companies, as well as attacks against police departments and intelligence agencies, and many other compromises. Although many of the outcomes and uses of these compromises are still in play (and we provide a helpful overview of the quarter's activity), one thing has become clear: many companies, both large and small, are more vulnerable than they may have suspected. Further, the security industry may need to reconsider some of its fundamental assumptions, including "Are we really protecting users and companies?" Although LulzSec may have ceased its operations during this quarter, the questions it and other hacktivist groups have raised will be debated for a long time.

One significant change in the first quarter of 2011 was Android's becoming the third-most targeted platform for mobile malware. This quarter the count of new Android-specific malware moved to number one, with J2ME (Java Micro Edition) coming in second at only about a third as many new samples. This increase in threats to such a popular platform should make us evaluate our behavior on mobile devices and the security industry's preparedness to combat this growth.

We also saw an increase in for-profit mobile malware, including simple SMS-sending Trojans and complex Trojans that use exploits to compromise smartphones.
We offer an update of cybercrime "pricebooks" as well as some changes to toolkit and service prices. "Crimeware as a service" and the burgeoning "hacktivism as a service" continue to evolve as interests and targets change. On the positive side, there were some significant victories against cybercriminals this quarter.

Continuing the change theme, we observed a considerable decrease in both AutoRun and Koobface malware, offset by a strong rise in fake-antivirus software that targets the Mac. Apple's OS X has been mostly ignored by malware writers for years, so this represents a significant change of target for cybercriminals.

Malware continued its overall growth during the quarter, as did rootkit malware. Rootkits, used primarily for stealth and resilience, make malware more effective and persistent, and their popularity is rising. Rootkits such as Koutodoor and TDSS appear with increasing frequency. The amount of malware that attacks vulnerabilities in Adobe products continues to far exceed the amount that attacks vulnerabilities in Microsoft products.

Botnets and messaging threats, although still at historic lows, have begun to rise again. We expected this recovery after some recent botnet takedowns. Users and enterprises must plan for this growth and prepare their defenses and responses accordingly. We again examine social-engineering lures by both geography and subject, and botnets by geography and type.

We saw several spikes in malicious web activity this quarter, as well as some serious growth in blogs and wikis with malicious reputations. Sites that deliver malware, sites that deliver potentially unwanted programs, and phishing sites also increased.

The second quarter of the year was clearly a period of chaos, changes, and new challenges.