Kindsight Security Labs Malware Report – Q3 2012 – 2nd Part

Creation date

IRCRE201211119
Date: 2012-11-18

Introduction
The Kindsight Security Labs Q3 2012 Malware Report examines general trends in malware infections in home networks and in mobile devices and computers connected through mobile adapters. The data in this report is aggregated across the networks where Kindsight solutions are deployed. This is the second part of the report.

New Developments in Q3

  • ZeroAccess
    ZeroAccess continues to be the most active botnet in 2012. The main purpose of the botnet is to distribute malware responsible for a massive ad-click fraud campaign. One version also makes money through “Bitcoin mining”. In February, we published a detailed analysis of its network behavior and the encrypted p2p protocol it uses to communicate with its peers. In Q2 the bot morphed (ZeroAccess2), changing its infection process and C&C protocol. A detailed description of the new C&C protocol can be found in “New C&C Protocol for ZeroAccess/Sirefef”. Both versions of the bot are currently active.
    ZeroAccess uses a peer-to-peer command and control protocol in which infected hosts maintain communication through super-nodes. A “super-node” is an infected host that is directly connected to the internet without an intervening home router or other network address translation (NAT) device, and so can accept inbound connections from other bots. The Kindsight network-based malware detection technology is able to detect and map these super-nodes. The chart below shows the number of super-nodes for ZeroAccess2 detected during Q3.
    On any given day we detected communications with about 200,000 super-nodes. The geographic distribution of these is shown in the chart below.
  • Size of ZeroAccess Botnet
    We have also monitored the percentage of households that are infected on a daily basis in a number of service providers in North America. On average this has been consistently about 0.8% each day during Q3. Based on this we can estimate the size of the botnet. There are a number of ways to approach this.
    Based on the observed North American infection rate of 0.8% and an estimate of the number of broadband users in the United States, we can easily calculate that there are likely 685K infected households in the United States alone. If the same infection rate (0.8%) is applied to the top twenty countries hosting super-nodes (table above), this gives a world-wide total of 2.21 million infected households. If instead we assume the international ratio of infected computers to super-nodes is roughly the same as observed in North America, we come out to about 2.27M infected home networks.
    These figures are of course estimates, but they rest on two independent measurements that agree closely, and we can confidently say that on any given day there are at least 2.2 million active ZeroAccess bots on the Internet.
  • Ad-click Fraud
    ZeroAccess earns money through ad-click fraud. The bot operators or their business associates have registered a large number of web sites that host pay per click advertisements. These sites are built around some standard templates that provide a search interface, display ads and offer domain names for sale. The bots are programmed to click on ads that are hosted by these sites. When the ad is clicked the owner of the web site is paid for the click.
    The bots visit a C&C server periodically and are given a list of ads to click. This allows the C&C server to dynamically control which ads are chosen, how frequently they are clicked and which bots are used. Advertisers and ad networks have sophisticated mechanisms in place to detect ad-click fraud, so the C&C server balances the load between bots to make the clicking behavior look very realistic. To enhance the realism and make the clicks look like they come from a real person, the bots are programmed to follow the ad-click through to the advertiser’s landing page through several layers of redirection, loading all the HTML, JavaScript and graphics components as a regular browser would. This also consumes significant bandwidth, as can be seen below.
    We monitored a bot for a 24 hour period to see how the clicking behavior varied over time and to get an idea of the scale of this ad-click fraud. The chart below shows the network activity starting at 10:00am and running over night to the next day.
    The activity varies during the day (and night) as would be expected from a real user. In this case, in the 24 hour period, the bot clicked on 140 ads, resulting in 262 MB of network traffic. Only half of the bots are used for ad-click fraud (the rest are used for Bitcoin mining), so if our test case is typical, then each day about one million ZeroAccess bots are responsible for fraudulently clicking on about 140 million advertisements and generating around 260 terabytes of network traffic.
    The actual dollar value of the fraud is very difficult to estimate. The ad networks use sophisticated algorithms to detect fraudulent clicks and will not charge these to the advertisers. The offending web sites will be blacklisted once the abuse is detected. In 2007 Google reported that about 10% of ad-clicks were detected as fraudulent and never charged to the advertiser and that only 0.02% of fraudulent clicks got through their filters. However, this bot is also very sophisticated and goes to great lengths to make the clicks look legitimate. The ad-click algorithm observed in this lab test is the third variation we’ve seen since we first observed ZeroAccess in late 2011, so the bot operators are obviously honing their skills and adapting.
    We asked an Internet advertising expert to have a look at the network traffic generated by our 24 hour trial. They found that 18 out of the 140 clicks would likely have resulted in the advertiser paying for the click. Based on this analysis, the botnet could be costing advertisers $900,000 per day in ad-click fraud if we assume a low-end cost per click (CPC) of $0.05: 18 billable clicks out of 140, applied to 140 million clicks a day, is 18 million billable clicks, and at $0.05 each that is $900,000.
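The botnet-size and click-fraud arithmetic from the two sections above, carried through in code as an added example (this is not Kindsight's code). The figures the report states are used as given; the US household count, the per-country super-node counts and the infected-to-super-node ratio are constructed placeholders chosen to reproduce the report's round numbers, and are labelled as assumptions in the code. The block generalizes the text slightly by letting the cost be recomputed for any botnet size and CPC, and by making the "two independent estimates agree" check explicit.

```python
"""Botnet-size and ad-click-fraud estimates for ZeroAccess, as the report derives them.

Added example written for this page; it is not Kindsight's code. Figures the
report states are used as given. The US household count, the per-country
super-node counts and the infected-to-super-node ratio are constructed
placeholders (assumptions) chosen to reproduce the report's round numbers.
"""
from decimal import Decimal

# Stated in the report.
DAILY_INFECTION_RATE = Decimal("0.008")   # 0.8% of NA households infected on a given day
CLICKS_PER_BOT_PER_DAY = 140              # one bot, 24-hour lab capture
BYTES_PER_BOT_PER_DAY = 262 * 10**6       # 262 MB in that capture
BILLABLE_CLICKS_PER_DAY = 18              # of the 140, judged billable by the ad expert
CLICK_FRAUD_SHARE = Decimal("0.5")        # half the bots click ads, half mine Bitcoin

# Constructed inputs (assumptions, not stated in the report).
US_BROADBAND_HOUSEHOLDS = 85_600_000      # back-derived from "685K households at 0.8%"
SUPERNODES_BY_COUNTRY = {                 # sums to ~200K, the daily count the report gives
    "US": 60_000, "JP": 20_000, "DE": 18_000, "IT": 15_000, "BR": 12_000, "OTHER": 75_000,
}
NA_INFECTED_PER_SUPERNODE = Decimal("11.35")  # ratio that yields the report's 2.27M


def size_from_infection_rate(households, rate=DAILY_INFECTION_RATE):
    """Method 1: apply the observed daily infection rate to a household count."""
    return int(households * rate)


def size_from_supernode_ratio(supernodes_by_country, infected_per_supernode):
    """Method 2: scale the mapped super-nodes by the infected:super-node ratio seen in NA."""
    return int(sum(supernodes_by_country.values()) * infected_per_supernode)


def click_fraud_per_day(total_bots, cpc_cents):
    """Daily click volume, traffic and advertiser cost for a botnet of `total_bots`.
    Money is kept in integer cents so the result is exact."""
    clicking_bots = int(total_bots * CLICK_FRAUD_SHARE)
    clicks = clicking_bots * CLICKS_PER_BOT_PER_DAY
    billable = clicks * BILLABLE_CLICKS_PER_DAY // CLICKS_PER_BOT_PER_DAY
    return {
        "clicking_bots": clicking_bots,
        "clicks": clicks,
        "terabytes": clicking_bots * BYTES_PER_BOT_PER_DAY / 10**12,
        "billable_clicks": billable,
        "cost_usd": billable * cpc_cents // 100,
    }


def estimates_agree(a, b, tolerance=Decimal("0.05")):
    """The report's sanity check: two independent estimates within a few percent."""
    return abs(a - b) <= tolerance * max(a, b)


if __name__ == "__main__":
    us_only = size_from_infection_rate(US_BROADBAND_HOUSEHOLDS)
    worldwide = size_from_supernode_ratio(SUPERNODES_BY_COUNTRY, NA_INFECTED_PER_SUPERNODE)
    print(f"US infected households (rate method): {us_only:,}")
    print(f"World-wide bots (super-node method):   {worldwide:,}")
    for cpc in (5, 25, 100):
        day = click_fraud_per_day(worldwide, cpc)
        print(f"CPC ${cpc / 100:.2f}: {day['clicks']:,} clicks, {day['terabytes']:.0f} TB, "
              f"{day['billable_clicks']:,} billable, ${day['cost_usd']:,} per day")
```

Running it with a 2,000,000-bot input reproduces the text's one million clicking bots, 140 million clicks, 262 TB and $900,000 a day; the CPC loop shows how quickly the figure climbs if the expert's $0.05 floor is conservative.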
  • Bitcoin Mining
    The other way ZeroAccess makes money for its operators is through Bitcoin mining. A “Bitcoin” is a form of electronic currency invented in 2009 that is managed through a peer-to-peer network. Bitcoin transactions are confirmed by complex computations that are very difficult and time consuming to perform. “Bitcoin miners” are computers that solve these computations and are rewarded in Bitcoins. About half of the ZeroAccess bots are cooperating as a Bitcoin mining pool to solve these computations and earn Bitcoins. Bitcoins are supposedly worth about $10 each and Sophos has estimated that ZeroAccess could be earning over $2.7M per year, but it is unclear if actual money is really involved, or if they are just playing a Bitcoin futures game.
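To make concrete what "complex computations" and a "mining pool" mean in the paragraph above, here is a toy pooled proof-of-work, added as an example for this page. It is not ZeroAccess code and not the real Bitcoin block format: the block "header" is a constructed byte string standing in for a template a hypothetical pool hands out, the share target is set artificially easy so the search finishes in a fraction of a second, and the pool is a plain function rather than a network protocol. What it does show is the asymmetry that makes a botnet useful for mining: finding a qualifying nonce costs many hashes, checking one costs a single hash, and the nonce space splits cleanly across any number of workers.

```python
"""Toy pooled proof-of-work, the kind of computation a mining bot performs.

Added example written for this page; it is not ZeroAccess code and not the real
Bitcoin block format. The "header" is an opaque constructed byte string standing
in for a block template a hypothetical pool hands out, the share target is set
artificially easy so the search finishes quickly, and the pool is a plain
function rather than a network protocol.
"""
import hashlib
import struct


def sha256d(data):
    """Double SHA-256, the hash Bitcoin's proof-of-work uses."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def pow_hash(header, nonce):
    """Hash of header || 32-bit little-endian nonce, as an integer for target comparison."""
    return int.from_bytes(sha256d(header + struct.pack("<I", nonce)), "big")


def search_range(header, target, start, count):
    """The worker's job: try nonces [start, start + count) and return every nonce
    whose hash is at or below the share target."""
    return [n for n in range(start, start + count) if pow_hash(header, n) <= target]


def verify_share(header, nonce, target):
    """The pool's job: one hash recomputes a share, which is cheap; finding it was not."""
    return pow_hash(header, nonce) <= target


def pool_round(header, target, workers, range_size):
    """Give each worker a disjoint nonce range and collect its verified shares.
    Splitting the nonce space is what lets a million machines mine the same block."""
    shares = {}
    for w in range(workers):
        lo = w * range_size
        shares[w] = [n for n in search_range(header, target, lo, range_size)
                     if verify_share(header, n, target)]
    return shares


# Constructed block-template stand-in and an easy target: a hash qualifies when its
# top 12 bits are zero, i.e. about one nonce in 4,096 (real targets are vastly harder).
HEADER = b"constructed-block-header-template-v1"
SHARE_TARGET = (1 << 244) - 1

if __name__ == "__main__":
    shares = pool_round(HEADER, SHARE_TARGET, workers=4, range_size=20_000)
    for w, found in shares.items():
        print(f"worker {w}: {len(found)} shares, e.g. {found[:3]}")
```

A real pool pays out in proportion to shares submitted, which is why a million low-powered bots can still earn: each contributes a trickle of shares, and the operator, not the victim, holds the payout address.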
  • TDSS/Alureon
    The second most active botnet in Q3 2012 was the TDSS/Alureon family, also known as TDL-4. This is a rootkit bot that buries itself in the master boot record (MBR) of the infected computer and uses various stealth techniques to hide itself from traditional antivirus software. It even goes so far as to remove competing malware from the infected computer. This provides the attacker with a secure platform to load additional malware to monetize their botnet, and it is often associated with subsequent spambot, banking Trojan and identity-theft infections. In the past some security experts have said that this bot is practically indestructible, although this did cause some debate.
    In July a new variant was discovered that uses a domain generation algorithm (DGA) to establish its command and control network. This variant was reported to have infected at least a quarter of a million computers, including computers at 9% of Fortune 500 companies. In addition to its traditional role in malware distribution, this new variant was also observed to be using ad-click fraud to make money for its operators.
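The TDSS paragraph above mentions a domain generation algorithm without describing it, so the following is an added example of how such an algorithm works and, more usefully, how a defender turns it against the bot. It is not the TDL-4 algorithm (the report does not describe it): the generator is a generic hash-based DGA written for illustration with an assumed seed, TLD set and per-day count, and the DNS log lines are constructed. The defender's side is the point: once the algorithm and seed are recovered from a sample, the day's candidate domains can be precomputed and matched against resolver logs, with a day of slack on either side for clock skew.

```python
"""Date-seeded domain generation, and a detector that matches DNS logs against it.

Added example written for this page. The report does not describe the TDSS/TDL-4
algorithm, so the generator below is a generic hash-based DGA written for
illustration, with an assumed seed and TLD set; the DNS log lines are constructed.
"""
import hashlib
from datetime import date, timedelta

SEED = b"illustrative-dga-seed"        # assumed per-family secret baked into the bot
TLDS = ("com", "net", "org")           # assumed TLD set
DOMAINS_PER_DAY = 20                   # assumed: how many candidates a bot tries each day


def generate_domains(day, count=DOMAINS_PER_DAY, seed=SEED):
    """Derive `count` candidate C&C domains for `day`. Bot and operator run the same
    function, so no domain list ever has to be shipped or hard-coded."""
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])   # 12 letters
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def parse_dns_log(lines):
    """Yield (timestamp, client, qname) from 'timestamp client qname' lines;
    trailing dots and case are normalised so matching is exact."""
    for line in lines:
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1], parts[2].rstrip(".").lower()


def dga_watchlist(day, slack_days=1):
    """Domains for `day` plus/minus `slack_days`, covering clock skew between bots
    and the resolver, and bots that roll over in a different time zone."""
    watch = set()
    for offset in range(-slack_days, slack_days + 1):
        watch.update(generate_domains(day + timedelta(days=offset)))
    return watch


def find_dga_hits(log_lines, day, slack_days=1):
    """Return every (timestamp, client, qname) whose qname is on the watchlist."""
    watch = dga_watchlist(day, slack_days)
    return [rec for rec in parse_dns_log(log_lines) if rec[2] in watch]


DAY = date(2012, 7, 15)
# Constructed resolver log: two benign queries and one for a domain the DGA yields for DAY.
SAMPLE_LOG = [
    "2012-07-15T03:12:09 10.0.0.17 www.example.com.",
    f"2012-07-15T03:12:11 10.0.0.17 {generate_domains(DAY)[3]}.",
    "2012-07-15T03:12:30 10.0.0.23 mail.example.org.",
]

if __name__ == "__main__":
    for hit in find_dga_hits(SAMPLE_LOG, DAY):
        print("DGA query:", *hit)
```

Because the bot only needs one of the day's domains to resolve, a takedown has to sinkhole or block the whole day's list, which is why recovering the seed matters more than blocking any single domain.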


Q3 2012 Mobile Malware Statistics

  • Mobile Device Infection Rates
    In mobile networks we found that 0.3% of devices were infected with high-level threats. The infected devices include Android phones and laptops tethered to a phone or connected directly through a mobile USB stick/hub. The infection rate is low because the total device count includes a large number of feature phones that are not malware targets. However, we saw a 165% increase in the number of Android malware samples.
  • Top Android Malware
    The table below shows the top 10 Android malware infections of Q3 detected in the networks where the Kindsight Mobile Security solution is deployed.
    For the most part these are all “trojanized” apps that steal information about the phone or send SMS messages, but the list also includes a banking Trojan that intercepts access tokens for banking web sites and two spyware applications that are used to spy on family members or associates.
  • Mobile Adware
    In January 2012 there was industry discussion about whether the Plankton/Apperhand advertising SDK from StartApp should be classified as malware or not. At the time, the consensus was that it was “aggressive adware” and not really malware. Many anti-virus vendors stopped detecting it as malware and the apps were made available on Google Play.
    In Q3 2012 some new players have been active offering even more aggressive advertising using techniques such as push notifications and home screen icons to deliver their message. Previously ad-funded applications restricted their advertising to when the user was actually using the application. With push notification and home screen icons, the advertising shows up even when the app is not being used. Users are often unaware of the source of these messages and find it very difficult to get rid of them.
    The security industry has responded by creating “Adware Detector” applications that detect and remove the offending applications. This parallels the past development of anti-spyware applications for the Windows platform to catch the adware and browser hijackers that traditional Windows anti-virus products missed. One key difference between these ad-funded Android apps and the traditional Windows variety is that the Android variety is being distributed from the Google Play store, which lends them considerable legitimacy.
    To get a handle on the extent of the problem and monitor its growth, Kindsight introduced some signatures to detect these apps. The results show that about 3% of mobile devices have applications that are using this adware.
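The adware section above describes the behaviour (icons planted on the home screen, ads pushed outside the app, an embedded SDK) but not how an "Adware Detector" recognises it. The following is an added example of the static side of that check; it is not any vendor's product and not Kindsight's network signatures, which the report does not publish. It inspects a decoded AndroidManifest.xml (as apktool or aapt produce from an APK) and a list of class names (as a dex listing gives) for the permission that lets an app create home-screen shortcuts and for advertising-SDK package prefixes. The SDK list, the sample manifest and the class list are constructed, and the Apperhand package name is an assumption.

```python
"""Static indicators of push-notification / home-screen adware in an Android app.

Added example written for this page; it is not an "Adware Detector" product and not
Kindsight's network signatures. It inspects a decoded AndroidManifest.xml and a list
of class names for two things the report describes: the permission that lets an app
plant home-screen icons, and embedded advertising SDKs. The SDK package list, the
sample manifest and the class list are constructed; the Apperhand package name is
an assumption.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SHORTCUT_PERMISSION = "com.android.launcher.permission.INSTALL_SHORTCUT"

# Package prefixes of aggressive-ad SDKs: constructed list, the first entry assumed.
AD_SDK_PREFIXES = {
    "com.apperhand.": "Plankton/Apperhand (assumed package name)",
    "com.example.pushads.": "hypothetical push-notification ad SDK",
}


def manifest_permissions(manifest_xml):
    """Names of every <uses-permission> in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def embedded_ad_sdks(class_names):
    """Map each matched SDK label to the classes that place it in the app."""
    hits = {}
    for cls in class_names:
        for prefix, label in AD_SDK_PREFIXES.items():
            if cls.startswith(prefix):
                hits.setdefault(label, []).append(cls)
    return hits


def assess(manifest_xml, class_names):
    """Combine the two signals. An ad SDK plus the shortcut permission is the
    pattern the report describes; either alone is only worth a look, since
    legitimate apps also create shortcuts and also carry ad SDKs."""
    perms = manifest_permissions(manifest_xml)
    sdks = embedded_ad_sdks(class_names)
    can_plant_icons = SHORTCUT_PERMISSION in perms
    if sdks and can_plant_icons:
        verdict = "likely adware"
    elif sdks or can_plant_icons:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "shortcut_permission": can_plant_icons, "ad_sdks": sdks}


# Constructed sample: a flashlight app bundling an ad SDK and the shortcut permission.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
    <application android:label="Flashlight">
        <activity android:name=".MainActivity"/>
        <receiver android:name="com.apperhand.device.android.EventReceiver"/>
    </application>
</manifest>
"""
SAMPLE_CLASSES = [
    "com.example.flashlight.MainActivity",
    "com.apperhand.device.android.AndroidSDKProvider",   # assumed class name
    "com.apperhand.device.android.EventReceiver",        # assumed class name
]

if __name__ == "__main__":
    print(assess(SAMPLE_MANIFEST, SAMPLE_CLASSES))
```

The verdict deliberately stops at "review" when only one signal is present: a launcher or a legitimately ad-funded game trips one of them on its own, and it is the combination of an ad SDK with the ability to plant icons (or post notifications) outside the app that matches the behaviour users complained about.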

    References:
    Malware Report, Q3 2012, Kindsight Security Labs