P. 1
McAfee Threats Report Q2 2011

McAfee Threats Report Q2 2011

|Views: 14,349|Likes:
Published by Jonathan Fingas

More info:

Published by: Jonathan Fingas on Aug 23, 2011
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

07/10/2013

pdf

text

original

Report

McAfee Threats Report: Second Quarter 2011
By McAfee® Labs™

Report

McAfee Threats Report: Second Quarter 2011

The threat landscape of 2011 is undergoing a year of chaos and change. We see chaos in the major challenges that hacktivist groups such as LulzSec and Anonymous pose, and change in the shifts in new malware classes and targeted devices. This quarter McAfee Labs saw major hacktivist activity—but in a very different way. The group Lulz Security, LulzSec for short, differs from other hacktivist groups in that they had no specific goals. They were in it, as they claimed, for the “lulz” (LOLs in text messagespeak, or “laugh out loud’s” ) but showed an agility at compromising networks and servers, and stealing usernames, passwords, and other data. LulzSec committed multiple intrusions against a wide variety of companies, as well as attacks against police departments and intelligence agencies, and many other compromises. Although many of the outcomes and uses of these compromises are still in play (and we provide a helpful overview of the quarter’s activity) one thing has become clear: Many companies, both large and small, are more vulnerable than they may have suspected. Further, the security industry may need to reconsider some of its fundamental assumptions, including “Are we really protecting users and companies?” Although LulzSec may have ceased its operations during this quarter, the questions they and other hacktivist groups have raised will be debated for a long time. One significant change in the first quarter of 2011 was Android’s becoming the third-most targeted platform for mobile malware. This quarter the count of new Android-specific malware moved to number one, with J2ME (Java Micro Edition), coming in second while suffering only a third as many malware. This increase in threats to such a popular platform should make us evaluate our behavior on mobile devices and the security industry’s preparedness to combat this growth. We also saw an increase in for-profit mobile malware, including simple SMS-sending Trojans and complex Trojans that use exploits to compromise smartphones. We offer an update of cybercrime “pricebooks” as well as some changes to toolkit and service prices. “Crimeware as a service” and the burgeoning “hacktivism as a service” continue to evolve as interests and targets change. On the positive side, there were some significant victories against cybercriminals this quarter. Continuing the change theme, we observed a considerable decrease in both AutoRun and Koobface malware, offset by a strong rise in fake-anti-virus software that targets the Mac. Apple’s OS X has been mostly ignored by malware writers for years, so this represents a significant change of target for cybercriminals. Malware continued its overall growth during the quarter as did rootkit malware. Rootkits, used primarily for stealth and resilience, makes malware more effective and persistent; its popularity is rising. Rootkits such as Koutodoor and TDSS appear with increasing frequency. The amount of malware that attacks vulnerabilities in Adobe products continues to overwhelm those in Microsoft products. Botnets and messaging threats, although still at historic lows, have begun to rise again. We expected this recovery after some recent botnet takedowns. Users and enterprises must plan for this growth and prepare their defenses and responses accordingly. We again examine social engineering subjects by both geography and subject and botnets by geography and type. We saw several spikes in malicious web activity this quarter as well as some serious growth in blogs and wikis with malicious reputations. Sites that deliver malware, potentially unwanted programs, and phishing sites also increased. The second quarter of the year was clearly a period of chaos, changes, and new challenges.

Report

McAfee Threats Report: Second Quarter 2011

Table of Contents
Hacktivism Mobile Threats Cybercrime Malware Threats Adobe Outpaces Microsoft in Attracting Exploits Messaging Threats Web Threats 4 5 7 9 14 15 20

Report

McAfee Threats Report: Second Quarter 2011

Hacktivism Early in this quarter the Anonymous group apparently quarreled and split. On May 9, an Anonymous press release said the Anonops network was down after the website coadministrator Ryan attempted to stage a “coup d’état.” As a reprisal, his contact details were immediately distributed on the web. Around May 7 a new Twitter account registering the @LulzSec username appeared, marking the birth of Lulz Security. Their first feats did not gain much media coverage; however, when they targeted the entertainment industry, the world was truly introduced to LulzSec. After 50 days of operations, LulzSec’s adventures ended due to group-against-group struggles. These events show a level of immaturity in some groups labeled as political hacktivists and who claim to be part of Anonymous. Jester (th3j35t3r, an Anonymous opponent who is known for fighting against jihadist and anti-U.S. websites) and other groups (Team Web Ninjas, Backtrace, The A-Team, Teamp0ison, etc.) made a point of denouncing their former colleagues. These internecine struggles helped authorities identify some of these hackers. Other reported incidents include a “serious” attack against the European Commission just before a summit to discuss the future structure of the European Union, economic strategy, and the war in Libya.1 France’s Ministry of Finance suffered a similar attack. The Australian Security Intelligence Organisation disclosed that it is investigating an attack that compromised the computers of at least 10 federal ministers, including the prime minister, foreign minister, and defense minister. The German government reported it sees an average of five targeted attacks per day against users of government networks.2 Some published accounts number the various hacktivist operations, such as #antisec, #OpNewBlood, #OpLibya, #OpBrazil, at more than 4,000 in total, but this number is hard to verify. These operations have resulted in websites being taken offline, large amounts of usernames and passwords stolen, and confidential documents stolen and uploaded. Many companies have suffered very effective politically motivated attacks. Many observers have called these attacks simplistic, even lame, but these pundits miss the point: Hacktivism is about the message, not the method. Two intrusions by a Romanian hacker also caught our attention due to the high-profile targets: the U.S. and European space agencies. In an April blog entry, this hacker published information from the European Space Agency’s server that included names, usernames, and emails of more than 150 users. In May, the same hacker claimed to have entered a server at NASA’s Goddard Space Flight Center and gained access to confidential satellite data. He posted on his blog a screen grab of what he said was one of NASA’s main FTP servers.

1. 2.

http://www.bbc.co.uk/news/world-europe-12840941 http://www.bundestag.de/presse/hib/2011_05/2011_201/08.html

4

Report

McAfee Threats Report: Second Quarter 2011

Mobile Threats This quarter Android OS-based malware became the most popular target for mobile malware developers. That’s a rapid rise for Android, which outpaces second place Java Micro Edition threefold.

New Mobile Malware This Quarter

Android Java ME Symbian BlackBerry MSIL Python VBS

As we watch steady, significant growth in the mobile malware threat landscape, many of the same functions and features of PC-based threats are already part of the codebase. Mobile threats already take advantage of exploits, employ botnet functionality, and even use rootkit features for stealth and permanence.

Total Mobile Malware Samples
1,500 1,200 900 600 300 0

Q1 2009

Q2 2009

Q3 2009

Q4 2009

Q1 2010

Q2 Q3 2010 2010

Q4 2010

Q1 2011

Q2 2011

Maliciously modified apps are still a popular vector for infecting devices: Corrupt a legitimate app or game and users will download and install malware on their smartphones by themselves. Infiltrating popular modified apps this quarter were the malware Android/Jmsonez.A, Android/ Smsmecap.A, and the Android/DroidKungFu, and Android/DrdDreamLite families. Let’s take a close look at some recent mobile malware.

5

Report

McAfee Threats Report: Second Quarter 2011

Android/Jmsonez.A is a version of a calendar app that doesn’t quite work as intended.3 No matter when the program is launched, it displays the calendar for January 2011. If the user tries to change the month to a future date, the malware begins sending SMS messages to a premium-rate number. Android/ Jmsonez.A also monitors the inbox for confirmation SMS messages from the premium-rate service to avoid detection. Android/Smsmecap.A is a modified version of a legitimate comedy app.4 The malware sends humorous, irreverent SMS messages to all the contacts in the user’s address book. Since May 21, the date of the purported “Rapture,” it has sent messages in a mocking tone. The Android/DroidKungFu family is similar to Android/DrdDream; it also uses a pair of root exploits to maintain itself on a device.5 The exploits are actually identical to those used by the Android/DrdDream except they have been encrypted with AES. These variants can also load URLs and install additional software and updates. The Android/DrdDreamLite family is a less capable variant of the original Android/DrdDream family.6 The Lite version uses DES to encrypt the data it sends to the attacker. Android/DrdDreamLite does not include any root exploits to remain installed on an infected device. Other complex Trojans are Android/Tcent.A, the Android/Crusewin.A family, Android/J.SMSHider.A, and Android/Toplank.A. Android/Tcent.A is another premium-rate, SMS-sending Trojan, similar to Android/Jmsonez.A, but it includes an interesting self-protection feature.7 The malware targets the QQ instant-messaging service, which is popular in China. The malware attempts to uninstall anti-virus and other security software that are bundled with mobile QQ clients. The Android/Crusewin.A family comprises a number of premium-rate–sending Trojans.8 Unlike simpler malware, the Android/Crusewin.A family includes some botnet functions, including executing orders from the attacker’s command server. The attacker can send SMS messages from an infected device, useful for signing up the victim to premium-rate subscription services, and attempt to uninstall software. The latter feature is similar to that of Android/Tcent.A but suffers from a slight problem. Android/Crusewin.A uses an uninstall code that works only on Symbian smartphones; it will not run properly on Android. This suggests the malware author may be porting Symbian Trojan/botnet code to the Android platform. Android/J.SMSHider.A sends premium-rate messages.9 The malware author modified a legitimate “SMS love analyzer” to add backdoor functionality and the ability to delete incoming SMS messages. Android/J.SMSHider.A uses DES encryption to cover its communications with the attacker. Android/Toplank.A pretends to be a multiuser update to the popular Angry Birds game. The malware sends sensitive information (international mobile subscriber identity, the list of permissions granted to the malware, etc.) to the attacker and can download an additional Android app to an infected device. The new app provides a backdoor to the attacker, who can then add and delete bookmarks, browser history, and shortcuts. The attacker can also download further software. Mobile crimeware authors are continuing their tricks with SymbOS/Zitmo.C and BlackBerry/Zitmo.D, which are simple SMS forwarders. The authors have already compromised victims’ PCs with advanced malware, so it appears that they are doing only the bare minimum on mobile platforms to enable their attacks.

3. 4. 5. 6. 7. 8. 9.

http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=501748 http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=509500 http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=522281 http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=518925 http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=501599 http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=501639 http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=527859

6

Report

McAfee Threats Report: Second Quarter 2011

Cybercrime Email Address Book for Sale Via their botnets or through rental services, spammers need email address lists to flood the world. Prices vary for such enterprises, often with location.
Country Russia Address List Prices (all in U.S.$) 400,000 addresses in St. Petersburg: $25 1,000,000 (entire country): $25 3,000,000: $50 5,000,000: $100 8,000,000: $200 1,000,000: $25 3,000,000: $50 5,000,000: $100 10,000,000: $300 2,000,000: $40 1,000,000: $25 3,000,000: $50 5,000,000: $100 8,000,000: $200 1,000,000: $50 150,000: $25 1,000,000: $25 3,000,000: $50 5,000,000: $100 1,500,000: $100

United States

Ukraine Germany

Turkey Portugal Australia

England

Crimeware tools Again this quarter, we saw new products and updates among exploits kits. The most notable were the release of Eleonore Version 1.6.5, with two 2011 exploits, and Best Pack, with one 2011 exploit.
Name Weyland-Yutani BOT Version 1.0 BlackHole Exploit Kit Version 1.1.0 Prices (all in U.S.$) $1,000 Annual license: $1,500 6 months: $1,000 3 months : $700 Description Offered on the underground market. The seller quickly closed the bid after claiming to have found a buyer. This kit first appeared in September 2010. Updated in April, it contains nine exploits, with six from 2010. Announced by ScriptKiddieSec and Kahu Security as the possible successor of Dragon Pack, this exploit pack contains seven old exploits and one from 2011:10 • CVE-2011-0611 (affecting Adobe Flash Player versions before 10.2.159) $2,200 This version replaced Version 2.5, whose code was leaked in April. Current release contains at least 15 exploits, with six from 2010. 10 exploits include two Flash Player exploits from 2011: • CVE-2011-0558 (Flash before 10.2) • CVE-2011-0611 (Flash before 10.2.159) Replaced Version 3.0RC, from April 2010. This version has nearly 20 exploits, with seven from 2010.

Best Pack

Phoenix Exploit Kit Version 2.7

Eleonore Version 1.6.5

$2,000

YES Exploit Kit 4.0

$400

10. http://www.kahusecurity.com/2011/best-pack/

7

Report

McAfee Threats Report: Second Quarter 2011

Actions Against Cybercriminals This quarter was not all doom and gloom. Courts and law enforcement continue to make progress worldwide against cybercriminals.
Country and Date United Kingdom April United States April Description Police Central e-Crime Unit arrested three men—a Lithuanian, a Latvian, and another whose nationality was not revealed—in connection with using SpyEye malware to steal online banking details.11 In Operation Adeona the Department of Justice and the F.B.I. shut down the Coreflood botnet, which had infected hundreds of thousands of PCs since 2002. During an 11-month period starting in March 2009, Coreflood siphoned some 190GB worth of banking passwords and other sensitive data from more than 413,000 infected systems as users browsed the Internet, authorities said.12 Police arrested 17 people suspected of taking part in Internet banking fraud aimed at Nordea account holders at the beginning of this year. The perpetrators tried to steal almost €1.2 million via a series of more than 100 false transactions.13 The majority of suspects are suspected of being phishing mules. The two suspected masterminds were from Estonia. A University of Salford student was convicted of a malware-based scam that allowed him to break into the computers and webmail accounts of an estimated 100 victims. The police asked McAfee to analyze the malware and acknowledged McAfee’s contribution in gathering evidence that enabled an early arrest.14 The Department of Justice and the F.B.I. announced Operation Trident Tribunal, a coordinated, international law enforcement action that disrupted the activities of two international cybercrime rings involved in the sale of fake-alert anti-virus software (scareware).15 Conducted with the Ukrainian security services, the action appears to be the first enforcement targeting a gang using Conficker.16 The second police effort targeted Latvians charged with creating a fraudulent advertising agency. One of the most controversial figures in Russia’s online world, ChronoPay cofounder and CEO Pavel Vrublevsky, was arrested on suspicion of ordering a distributed denial of service (DDoS) attack against a rival firm. Vrublevsky, 32, is probably best known as the co-owner of the RxPromotion rogue online pharmacy program. His company also consistently has been involved in credit card processing for—and in many cases setting up companies on behalf of—rogue anti-virus or scareware scams that use misleading PC security alerts in a bid to frighten people into purchasing worthless “security” software.17

Finland May

United Kingdom May

United States, Ukraine, Latvia June

Russia June

A Touch of Cyberwar Just discussing the definition of “cyberwar” can spark heated debate, as more and more countries struggle with how to categorize this developing conflict. The discussion is sure to be further muddied as hacktivism becomes more prevalent.
Country and Date Russia March/April Description From March 24 to April 4 various DDoS attacks were launched against some bloggers on LiveJournal, which hosts more than 4.7 million Russian bloggers (including President Dmitry Medvedev) who exchange information and often share critical views that cannot be expressed in the mainstream media.18 The Oak Ridge National Laboratory, home to one of the world’s most powerful supercomputers, was the victim of a sophisticated cyberattack launched through phishing emails sent to some 573 lab employees. Some of them appear to have clicked on a link in the email and downloaded information-stealing malware.19 South Korean authorities alleged North Korea's secret services hacked into the computer system of the National Agricultural Cooperative Federation, which delivers supply, processing, marketing, and banking services to more than 4,000 branches.20 The Norwegian military admitted being hit by a potentially serious targeted cyberattack attack in March. The attack happened when 100 senior military personnel received an email with an attachment appearing to come from another government agency.21

United States April

South Korea May Norway May

11. 12. 13. 14. 15. 16. 17. 18. 19.

http://www.networkworld.com/news/2011/041111-uk-police-arrest-three-men.html http://www.theregister.co.uk/2011/04/13/coreflood_botnet_takedown/ http://www.theregister.co.uk/2011/05/10/finnish_banking_trojan_investigation/ http://www.zdnet.co.uk/news/security-management/2011/05/18/gamer-sentenced-for-stealing-steam-passwords-40092802/ http://www.fbi.gov/news/stories/2011/june/cyber_062211/cyber_062211 http://www.zdnet.co.uk/news/security-management/2011/06/24/ukrainian-sting-targets-conficker-fraudsters-40093222/ http://krebsonsecurity.com/tag/pavel-vrublevsky/ http://uk.reuters.com/article/2011/04/06/oukin-uk-russia-medvedev-cyberattack-idUKTRE7354OV20110406 http://www.computerworlduk.com/news/security/3275613/us-government-energy-research-lab-shuts-down-email-and-internet-access-afterphishing-attack/ 20. http://www.koreaittimes.com/story/14507/north-korea-behind-cyber-attack-south-korea-bank 21. http://www.cio.com.au/article/387581/norwegian_military_admits_march_cyberattack

8

Report

McAfee Threats Report: Second Quarter 2011

Malware Threats The malware landscape this quarter has presented us several surprises. Although numerically not the busiest period in history (just a little behind last year’s pace), when combined with the first quarter we have the busiest ever first half-year in this vector. The increase is 22 percent over 2010! McAfee Labs identified almost six million unique malware samples during this quarter. This puts us on track for our cumulative malware “zoo” collection to reach 75 million samples by year’s end.
Total Malware Samples in the Database

70,000,000 60,000,000 50,000,000 40,000,000 30,000,000 20,000,000 10,000,000 0
JAN 2010 FEB 2010 MAR 2010 APR 2010 MAY 2010 JUN 2010 JUL 2010 AUG 2010 SEP 2010 OCT 2010 NOV 2010 DEC 2010 JAN 2011 FEB 2011 MAR 2011 APR 2011 MAY 2011 JUN 2011

Just to reinforce how significant the growth has been during the last several years, here is a look at the monthly incremental growth of unique malware binaries:
New Malware Samples Added to the Database, by Month 2,500,000

2,000,000

1,500,000

1,000,000

500,000

0 JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC JAN FEB MAR APR MAY JUN 2010 2010 2010 2010 2010 2010 2010 2010 2010 2010 2010 2010 2011 2011 2011 2011 2011 2011

9

Report

McAfee Threats Report: Second Quarter 2011

We now collect on average almost two million new samples every month. This is certainly not a welcome development, but it is consistent and predictable considering how our business and private lives are now tethered to technology. Among the specific families we track, fake anti-virus software (a.k.a. fake-alert or rogue anti-virus software) continues to show consistent growth and has even begun to climb aboard a new platform: the Mac. You read that right; fake-AV for Apple’s platform is now a reality. This does not surprise us at McAfee Labs. There are more Mac users than ever before as well as steady business adoption. This puts the Apple platforms squarely in the crosshairs of malware authors. It will be interesting to see if this type of malware makes its way to the iPhone and iPad as well. It is probably a case of “when” rather than “if.”
Unique Fake-Alert Samples Discovered

350,000 300,000 300000 250,000 250000 200,000 200000 150,000 150000 100,000 100000 50,000 50000 0 0
JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC JAN FEB MAR APR MAY JUN 2010 2010 2010 2010 2010 2010 2010 2010 2010 2010 2010 2010 2011 2011 2011 2011 2011 2011

Unique Fake-Alert Samples for Mac Discovered

250 200 150 100 50 0

JUL AUG SEP OCT NOV DEC JAN FEB MAR APR MAY JUN 2010 2010 2010 2010 2010 2010 2011 2011 2011 2011 2011 2011

10

Report

McAfee Threats Report: Second Quarter 2011

Generic password-stealing Trojans declined just a bit this quarter, while AutoRun malware was greatly reduced. Koobface threats dropped to the lowest levels in years.

Unique Password Stealers Samples Discovered

300,000 250,000 200,000 150,000 100,000 50,000 0
JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC JAN FEB MAR APR MAY JUN 2010 2010 2010 2010 2010 2010 2010 2010 2010 2010 2010 2010 2011 2011 2011 2011 2011 2011

Unique AutoRun Samples Discovered

700,000 600,000 500,000 400,000 300,000 200,000 100,000 0
JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC JAN FEB MAR APR MAY JUN 2010 2010 2010 2010 2010 2010 2010 2010 2010 2010 2010 2010 2011 2011 2011 2011 2011 2011

Unique Koobface Samples Discovered

18,000 16,000 14,000 12,000 10,000 8,000 6,000 4,000 2,000 0
JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC JAN FEB MAR APR MAY JUN 2010 2010 2010 2010 2010 2010 2010 2010 2010 2010 2010 2010 2011 2011 2011 2011 2011 2011

11

Report

McAfee Threats Report: Second Quarter 2011

Rootkits and Stealth Malware Another malware category demonstrating recent steady growth is the rootkit. A rootkit (sometimes called stealth malware) is code that hides its elements from the operating system and security software. Cybercriminals use rootkits to make other malware stealthier and more persistent. The better hidden the malware is, the longer it will remain on the system and engage in its malicious activity. As you can see from the following charts, rootkits are on the rise overall. The first half of 2011 was comparable to malware overall: Rootkits have seen their busiest-ever six months, up almost 38 percent over 2010! Two of the busiest rootkits that we encounter are Koutodoor and TDSS. Both are nasty and hide malware to steal data.

Unique Rootkit Samples Discovered

120,000 100,000 80,000 60,000 40,000 20,000 0

JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC JAN FEB MAR APR MAY JUN 2010 2010 2010 2010 2010 2010 2010 2010 2010 2010 2010 2010 2011 2011 2011 2011 2011 2011

12

Report

McAfee Threats Report: Second Quarter 2011

Global Infected Computer Numbers Globally and by individual geography much of the malware we collected this quarter matched the same varieties as in the first quarter. We saw a few differences among the continents but overall they were more similar than different.
Rank 1 2 3 4 5 Rank 1 2 3 4 5 Rank 1 2 3 4 5 Rank 1 2 3 4 5 Top 5 Global Malware AutoRun Malware OpenCandy Adware HotBar Adware General Trojans HotBar vF Adware North America AutoRun Malware HotBar Adware OpenCandy Adware Downloader Malware HotBar vF Adware South America AutoRun Malware Java Runtime Exploitation Conficker AutoRun Malware Remote-Access Trojans Downloader Malware Europe and Middle East HotBar vF Adware AutoRun Malware HotBar Adware OpenCandy Adware Conficker AutoRun Malware Rank 1 2 3 4 5 Rank 1 2 3 4 5 Rank 1 2 3 4 5 Africa AutoRun Malware Downloader Malware Downloader Malware Yahoo Messenger Malware Sality Virus Asia AutoRun Malware Downloader Malware Conficker AutoRun Malware Downloader Malware Browser Exploitation Australia OpenCandy Adware Downloader Malware Hotbar Adware Downloader Malware AutoRun Malware

13

Report

McAfee Threats Report: Second Quarter 2011

Adobe Outpaces Microsoft in Attracting Exploits For several quarters, one of the major trends we’ve seen is that malware authors prefer to write exploits that target vulnerabilities in Adobe products as opposed to those in Microsoft products. This trend does not prove that Adobe’s technologies are more vulnerable or have more coding bugs than Microsoft’s. Rather, Adobe is one of the clear leaders in worldwide client applications, and this leadership is what drives malware authors and cybercriminals: They target what is popular and in wide use. The following chart shows the malware McAfee Labs has seen this quarter that attempts to exploit vulnerabilities in Adobe and Microsoft products.
Adobe and Microsoft Exploits Discovered

16,000 14,000 12,000 10,000 8,000 6,000 4,000 2,000 0
JAN 2011 FEB 2011 MAR 2011 APR 2011 MAY 2011 JUN 2011

Adobe Microsoft

14

Report

McAfee Threats Report: Second Quarter 2011

Messaging Threats Messaging threats continued a mild decline from last quarter, although the drop is not significant. A coordinated effort last quarter among several security providers, law enforcement, and even CERTs was able to shut off major amounts of botnet zombies and their command structure. This recent success may still be having a positive effect. We expect to again see sharp rises in spam; in the mean time, we continue to watch this area closely. Although the volume of spam remains at historic low levels, the spearphishing (a class of spam) that we see today is more targeted and effective than ever. This vector continues to evolve.
Global Spam Volume, in Trillions of Messages per Day
6 5 4 3 2 1 0
JUL 2010 AUG 2010 SEP 2010 OCT 2010 NOV 2010 DEC 2010 JAN 2011 FEB 2011 MAR 2011 APR 2011 MAY 2011 JUN 2011 Spam “Ham”

Spam Volume by Country
Argentina
120,000,000 100,000,000 80,000,000 60,000,000 40,000,000 20,000,000 0
JUL 2010 AUG 2010 SEP OCT 2010 2010 NOV 2010 DEC 2010 JAN 2011 FEB 2011 MAR 2011 APR 2011 MAY JUN 2011 2011

Brazil
600,000,000 500,000,000 400,000,000 300,000,000 200,000,000 100,000,000 0
JUL 2010 AUG 2010 SEP OCT 2010 2010 NOV 2010 DEC 2010 JAN 2011 FEB 2011 MAR 2011 APR 2011 MAY JUN 2011 2011

Columbia
120,000,000 100,000,000 80,000,000 60,000,000 40,000,000 20,000,000 0
JUL 2010 AUG 2010 SEP OCT 2010 2010 NOV 2010 DEC 2010 JAN 2011 FEB 2011 MAR 2011 APR 2011 MAY JUN 2011 2011

France
300,000,000 250,000,000 200,000,000 150,000,000 100,000,000 50,000,000 0
JUL 2010 AUG 2010 SEP OCT 2010 2010 NOV 2010 DEC 2010 JAN 2011 FEB 2011 MAR 2011 APR 2011 MAY JUN 2011 2011

Germany
500,000,000 400,000,000 300,000,000 200,000,000 100,000,000 0
JUL 2010 AUG 2010 SEP OCT 2010 2010 NOV 2010 DEC 2010 JAN 2011 FEB 2011 MAR 2011 APR 2011 MAY JUN 2011 2011

India
700,000,000 600,000,000 500,000,000 400,000,000 300,000,000 200,000,000 100,000,000 0
JUL 2010 AUG 2010 SEP OCT 2010 2010 NOV 2010 DEC 2010 JAN 2011 FEB 2011 MAR 2011 APR 2011 MAY JUN 2011 2011

15

Report

McAfee Threats Report: Second Quarter 2011

Spam Volume by Country
Italy
250,000,000 200,000,000 150,000,000 100,000,000 50,000,000 0
JUL 2010 AUG 2010 SEP OCT 2010 2010 NOV 2010 DEC 2010 JAN 2011 FEB 2011 MAR 2011 APR 2011 MAY JUN 2011 2011

Japan
50,000,000 40,000,000 30,000,000 20,000,000 10,000,000 0
JUL 2010 AUG 2010 SEP OCT 2010 2010 NOV 2010 DEC 2010 JAN 2011 FEB 2011 MAR 2011 APR 2011 MAY JUN 2011 2011

Poland
200,000,000 150,000,000 100,000,000 40,000,000 50,000,000 0
JUL 2010 AUG 2010 SEP OCT 2010 2010 NOV 2010 DEC 2010 JAN 2011 FEB 2011 MAR 2011 APR 2011 MAY JUN 2011 2011

Portugal
100,000,000 80,000,000 60,000,000

20,000,000 0
JUL 2010 AUG 2010 SEP OCT 2010 2010 NOV 2010 DEC 2010 JAN 2011 FEB 2011 MAR 2011 APR 2011 MAY JUN 2011 2011

Russia
350,000,000 300,000,000 250,000,000 200,000,000 150,000,000 100,000,000 50,000,000 0
JUL 2010 AUG 2010 SEP OCT 2010 2010 NOV 2010 DEC 2010 JAN 2011 FEB 2011 MAR 2011 APR 2011 MAY JUN 2011 2011

South Korea
200,000,000 150,000,000 100,000,000 50,000,000 0
JUL 2010 AUG 2010 SEP OCT 2010 2010 NOV 2010 DEC 2010 JAN 2011 FEB 2011 MAR 2011 APR 2011 MAY JUN 2011 2011

Spain
200,000,000 150,000,000 100,000,000 200,000,000 50,000,000 0
JUL 2010 AUG 2010 SEP OCT 2010 2010 NOV 2010 DEC 2010 JAN 2011 FEB 2011 MAR 2011 APR 2011 MAY JUN 2011 2011

United Kingdom
500,000,000 400,000,000 300,000,000

100,000,000 0
JUL 2010 AUG 2010 SEP OCT 2010 2010 NOV 2010 DEC 2010 JAN 2011 FEB 2011 MAR 2011 APR 2011 MAY JUN 2011 2011

United States
1,500,000,000 1,200,000,000 900,000,000 600,000,000 300,000,000 0 500,000,000 400,000,000 300,000,000 200,000,000 100,000,000 0

Venezuela

JUL 2010

AUG 2010

SEP OCT 2010 2010

NOV 2010

DEC 2010

JAN 2011

FEB 2011

MAR 2011

APR 2011

MAY JUN 2011 2011

JUL 2010

AUG 2010

SEP OCT 2010 2010

NOV 2010

DEC 2010

JAN 2011

FEB 2011

MAR 2011

APR 2011

MAY JUN 2011 2011

16

Report

McAfee Threats Report: Second Quarter 2011

This quarter McAfee Labs has observed the Rustock botnets continuing to dwindle even though it may be reseeded by cybercriminals during the coming months. Meanwhile the Maazben, Cutwail, and Bobax botnet masters have stepped up their activity. Of these three dominant botnets, Maazben clearly outpaces the others in worldwide usage and influence.

North America
Bagle-CB Bobax Cutwail Grum Maazben Others

Latin America
Bagle-CB Bobax Cutwail Grum Maazben Others

Europe-Middle East
Bagle-CB Bobax Cutwail Grum Maazben Others

Africa
Bagle-CB Bobax Cutwail Grum Maazben Others

Asia-Paci c
Bagle-CB Bobax Cutwail Grum Maazben Others

Australia
Bagle-CB Bobax Cutwail Grum Maazben Others

Maazben's Influence on Global Botnet Infections

1,000,000 900,000 800,000 700,000 600,000 500,000 400,000 300,000 200,000 100,000 4/4/11 4/11/11 4/18/11 4/25/11 5/2/11 5/9/11 5/16/11 5/23/11 5/30/11 6/6/11 6/13/11 6/20/11 0

New Global Botnet Infections by Week Maazben

17

Report

McAfee Threats Report: Second Quarter 2011

New Botnet Infections by Week

120,000 100,000 80,000 60,000 40,000 20,000 0

4/4/11

4/11/11

4/18/11

4/25/11

5/2/11

5/9/11

5/16/11

5/23/11

5/30/11

6/6/11

6/13/11
6/13/11

Bagle-CB Donbot Rustock

New Botnet Infections by Week

160,000 140,000 120,000 100,000 80,000 60,000 40,000 20,000 4/4/11 4/11/11 4/18/11 4/25/11 5/2/11 5/9/11 5/16/11 5/23/11 5/30/11 6/6/11 6/20/11 0

Cutwail Bobax Grum

6/20/11

18

Report

McAfee Threats Report: Second Quarter 2011

There has been steady growth in new botnet infections throughout the quarter. This is an interesting juxtaposition when we consider the worldwide drop in spam. Clearly botnet usage is in a state of transition. Given the growth and goals of hacktivists, we expect to see major changes in how botnets are used.

Overall Botnet Infections per Month
6,000,000 5,000,000 4,000,000 3,000,000 2,000,000
JUN 10 APR 10 MAY 10 AUG 10 OCT 10 NOV 10 DEC 10 JAN 11 JUL 10 MAR 11 SEP 10 FEB 11

Spam lures and their subjects (the social engineering hook used to make the message attractive) continue to show diversity. “Nigerian 419 scams” seemed a bit more popular this quarter globally while lotto scams were also prevalent in many parts of the world, along with the long-time subjects of bogus DSN and gambling spams. Social engineering with lures based on location is certain to continue, as scammers understand the diversities in their global audience.
China
419 Scams DSN Diplomas Drugs Fashion Gambling Horoscopes Jobs Lonely Women Lotto Scams Marketing Newsletters Phishing Products Third Parties

Spam by Country
419 Scams DSN Diplomas Drugs Fashion Gambling Horoscopes Jobs Lonely Women Lotto Scams Marketing Newsletters Phishing Products Third Parties Travel Unknown Viruses Watches

Brazil

France
419 Scams DSN Diplomas Drugs Fashion Gambling Horoscopes Jobs Lonely Women Lotto Scams Marketing Newsletters Phishing Products

419 Sca DSN

Diplom Drugs

Fashion

Gambl

Horosc Jobs

Lonely

Lotto S

Marke

Newsle

Phishin

Produc

Germany

Travel Unknown Viruses 419 Scams Watches DSN

India

Third Parties Travel

Third P Travel

Indonesia

Unknown

Unkno

419 Scams Viruses DSN Watches Diplomas Drugs Fashion Gambling Horoscopes Jobs Lonely Women Lotto Scams Marketing Newsletters Phishing Products Third Parties Travel Unknown Viruses Watches

419 Sc Viruses

DSN Watch

Diplomas Drugs Fashion Gambling Horoscopes Jobs Lonely Women Lotto Scams Marketing Newsletters Phishing Products Third Parties Travel Unknown Viruses Watches

Diplom Drugs

Fashio

Gambl

Horosc Jobs

Lonely

Lotto S

Marke

Newsle

Phishin

Produc

Third P Travel

Unkno

Viruse

Watch

19

Report

McAfee Threats Report: Second Quarter 2011

Spam by Country
419 Scams DSN Diplomas Drugs Fashion Gambling Horoscopes Jobs Lonely Women Lotto Scams Marketing Newsletters Phishing Products Third Parties Travel Unknown Viruses Watches

Italy

Philippines
419 Scams DSN Diplomas Drugs Fashion Gambling Horoscopes Jobs Lonely Women Lotto Scams Marketing Newsletters Phishing Products Third Parties
419 Scams DSN Diplomas Drugs Fashion Gambling Horoscopes Jobs

Russia

South Korea
419 Scams DSN Diplomas Drugs Fashion Gambling Horoscopes Jobs Lonely Women Lotto Scams Marketing Newsletters Phishing Products Third Parties Travel Unknown Viruses

419 S DSN

Diplo

Drug

Fashi

Gamb

Horo Jobs

Lonely Women Lotto Scams Marketing Newsletters Phishing Products Third Parties Travel

Lonel

Lotto

Mark

News

Phish

Produ

United Kingdom

Travel

United States

Venezuela

Third

Unknown

Unknown Viruses 419 Scams Watches DSN

Trave

419 Scams Viruses DSN Watches Diplomas Drugs Fashion Gambling Horoscopes Jobs Lonely Women Lotto Scams Marketing Newsletters Phishing Products Third Parties Travel Unknown

419 Scams DSN Diplomas Drugs Fashion Gambling Horoscopes Jobs Lonely Women Lotto Scams Marketing Newsletters Phishing Products Third Parties Travel Unknown

Unkn

Watches

Virus

Diplomas Drugs Fashion Gambling Horoscopes Jobs Lonely Women Lotto Scams Marketing Newsletters Phishing Products Third Parties Travel Unknown Viruses

Watc

Viruses Viruses Web Threats Watches Watches Watches Websites can have bad or malicious reputations for a variety of reasons. Reputations can be based on full domains and any number of subdomains as well as on a specific IP address or URL. Malicious reputations are influenced by the hosting of malware, potentially unwanted programs, or phishing sites. Often we observe combinations of questionable code and functionality. Many factors go into a site’s reputational rating.

Last quarter McAfee Labs recorded an average of 8,900 new bad sites per day; this period that figure dropped a bit to 7,300 hits, which is comparable to the same time last year.
New Bad-Reputation URLs per Day
40,000 35,000 30,000 25,000 20,000 15,000 10,000 5,000 0
APR 1 2011 MAY 1 2011 JUNE 1 2011 JULY 1 2011

We saw some significant spikes in malicious web content this quarter. Several of these spikes corresponded to intensive malicious campaigns.

20

Report

McAfee Threats Report: Second Quarter 2011

On May 31, spam campaigns—one promoting online dating sites with video chats and another informing recipients of fake pending invoices—distributed fraudulent URLs hosting Zeus-related malware (Generic FakeAlert.by and Generic PWS.y). Among these sites were undss-syria.org, baranava.com, emajic.net, and sturtholdfastmarioncc.com. The vast majority of these new malicious sites are located in the United States. Next in line, we find South Korea, Netherlands, Canada, United Kingdom, China, and Germany. In the first quarter our top countries were the United States, South Korea, Germany, and China. This quarter, however, is quite different. Our regional breakdown reveals where most malicious servers reside:
Africa 0.2%

Asia-Pacific 11.1%

Australia 1.8%

Africa Asia-Paci c Australia Europe-Middle East Latin America

Europe-Middle East 24.9% North America 60.2%

North America

Latin America 1.7%

North America, primarily the United States, still dominates, but the figure for the combined region of Europe, the Middle East, and Africa has increased to 25 percent from 18 percent in the first quarter. Let’s take a deeper look at some regions:

Africa
Morocco South Africa Egypt Senegal Seychelles Others

Asia Paci c
South Korea China Vietnam Others

21

Report

McAfee Threats Report: Second Quarter 2011

Australia
Australia New Zealand

Europe and Middle East
Netherlands United Kingdom Germany France Russia Romania Italy Others

Latin America
Brazil British Virgin Islands Argentina Chile Panama Trinidad and Tobago Others

North America
United States Canada Mexico

This quarter, the number of websites hosting malicious downloads has again increased, while the amount of sites that host browser exploits was unchanged:
Active Malicious URLs
160,000 140,000 120,000 100,000 80,000 60,000 40,000 20,000 0 JUL 2010 AUG 2010 SEP 2010 OCT 2010 NOV 2010 DEC 2010 JAN 2011 FEB 2011 MAR 2011 APR 2011 MAY 2011 JUN 2011
Malicious Downloads Browser Exploits

This quarter we also observed a continued increase in blogs and wikis with malicious reputations.

22

Report

McAfee Threats Report: Second Quarter 2011

Websites Delivering Malware and PUPs The following chart provides a picture of the number of websites delivering malware and potentially unwanted programs (PUPs) that McAfee Labs detected this quarter.
New Malware Sites per Day
35,000 30,000 25,000 20,000 15,000 10,000 5,000 0 APR 1 2011
MAY 1 2011 JUNE 1 2011 JULY 1 2011

We saw a small increase this quarter with around 3,000 new sites per day compared with 2,700 per day during the first quarter. Phishing Sites This quarter we identified approximately 2,700 phishing URLs per day, up slightly from 2,500 per day last quarter.
New Phishing Sites per Day
8,000

6,000

4,000

2,000

0
APR 1 2011 MAY 1 2011 JUNE 1 2011 JULY 1 2011

23

Report

McAfee Threats Report: Second Quarter 2011

About the Authors This report was prepared and written by Toralv Dirro, Paula Greve, Rahul Kashyap, David Marcus, François Paget, Craig Schmugar, Jimmy Shah, and Adam Wosotowsky of McAfee Labs. About McAfee Labs McAfee Labs is the global research team of McAfee. With the only research organization devoted to all threat vectors—malware, web, email, network, and vulnerabilities—McAfee Labs gathers intelligence from its millions of sensors and its cloud-based service McAfee Global Threat Intelligence™. The McAfee Labs team of 350 multidisciplinary researchers in 30 countries follows the complete range of threats in real time, identifying application vulnerabilities, analyzing and correlating risks, and enabling instant remediation to protect enterprises and the public. About McAfee McAfee, a wholly owned subsidiary of Intel Corporation (NASDAQ:INTC), is the world’s largest dedicated security technology company. McAfee delivers proactive and proven solutions and services that help secure systems, networks, and mobile devices around the world, allowing users to safely connect to the Internet, browse, and shop the web more securely. Backed by its unrivaled Global Threat Intelligence, McAfee creates innovative products that empower home users, businesses, the public sector, and service providers by enabling them to prove compliance with regulations, protect data, prevent disruptions, identify vulnerabilities, and continuously monitor and improve their security. McAfee is relentlessly focused on finding new ways to keep our customers safe. www.mcafee.com

McAfee 2821 Mission College Boulevard Santa Clara, CA 95054 888 847 8766 www.mcafee.com

The information in this document is provided only for educational purposes and for the convenience of McAfee customers. The information contained herein is subject to change without notice, and is provided “as is,” without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance. McAfee, the McAfee logo, McAfee Labs, and McAfee Global Threat Intelligence are registered trademarks or trademarks of McAfee or its subsidiaries in the United States and other countries. Other marks may be claimed as the property of others. © 2011 McAfee. All rights reserved. 32000rpt_quarterly-threat-q2_0711_ETMG

You're Reading a Free Preview

Download
scribd
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->