
News

Top 10 in 2011: An 'explosive' year in security- 2
IRCRE201201088
As we turn the page to 2012, it makes sense to sit back and take a look at what happened during the past twelve months in the IT Security world. If we were to summarize the year in one word, I think it would probably be “explosive.” The multitude of incidents, stories, facts, new trends and intriguing actors is so big that it makes it very hard to crack into top 10 of security stories of 2011. What I was aiming for with this list is to remember the stories that also indicate major trends or the emergence of major actors on the security scene. By looking at these stories, we can get an idea of what will happen in 2012.
6. The Sony PlayStation Network hack

On April 19th, 2011, Sony learned that its PlayStation Network (PSN) had been hacked. At first, the company was reluctant to explain what had happened and claimed the service, which was suspended on April 20th, would be back in a few days. It wasn’t until April 26th that the company acknowledged that personal information had been stolen, potentially including credit card numbers. Three days later, reports appeared which seemed to indicate that 2.2 million credit card numbers were being offered for sale on hacker forums. By May 1st, the PSN was still unavailable, which left many users not just with their credit cards stolen, but frustrated at not being able to play the games they had already paid for. Unfortunately for Sony, the story was not over, because in October 2011 the PSN was again making the headlines with 93,000 compromised accounts that had to be locked down by Sony to prevent further misuse.

The Sony PSN hack was a major story for 2011 because it points out several main things – first of all, in the cloud era, Personally Identifiable Information is nicely available in one place, over fast internet links, ready to be stolen in the case of any misconfigurations or security issues. 77 million usernames and 2.2 million credit cards can be considered normal “booty” in the cloud era.
7. Fighting cybercrime and botnet takedowns

If the attackers from the PSN incident are still unidentified, 2011 was definitely a bad year for many cybercriminals who got caught and arrested by law enforcement authorities around the world. The ZeuS gang arrests, the DNSChanger gang takedown and the Rustock, Coreflood and Kelihos/Hilux botnet takedowns were just a few examples. These indicate an emerging trend, which is of course “attribution.” Bringing down one cyber-criminal gang goes a long way to slowing criminal activity around the world and to sending a message to the remaining gangs that this is no longer a risk-free job. One particular case I’d like to mention is the Kelihos takedown, which was performed in cooperation between Kaspersky Lab and Microsoft’s Digital Crimes Unit. As part of this effort, Kaspersky Lab initiated a sinkhole operation for the botnet, counting many tens of thousands of infected users per day. Here’s where the big debate starts: knowing the bot update process, Kaspersky Lab or a law enforcement agency could effectively push a program to all the infected users, notifying them of this fact, or even cleaning their machines automagically. In a poll run on the Securelist website, a whopping 83% of the users voted that Kaspersky should “Push a cleanup tool that removes the infections,” despite this being illegal in most countries. For obvious reasons, we haven’t done so, but it outlines the vast limitations of today’s legal system when it comes to fighting cyber-crime in an effective manner.

8. The rise of Android malware

In August 2010, the first Trojan for the Android platform appeared as Trojan-SMS.AndroidOS.FakePlayer.a, which masqueraded as a media player app. In less than one year, Android malware quickly exploded and became the most popular mobile malware category. This trend became obvious in Q3, when we received over 40% of all the mobile malware we saw in 2011. Finally, we hit critical mass in November 2011, when we received over 1000 malicious samples for Android, which is almost as much as all the mobile malware we had received in the past 6 years! The huge popularity of Android malware can be attributed to several things – most notably the wild growth of Android itself. Secondly, the documentation available on the Android platform makes the creation of malware for Android quite trivial. Finally, there are many who blame the Google Market for its weak screening process, which makes it easy for cybercriminals to upload malicious programs. While there are only two known malicious programs for the iPhone, we are now approaching 2000 Android Trojans in our collection.

9. The CarrierIQ incident

CarrierIQ is a small, privately owned company founded in 2005 and operating out of Mountain View, Calif. According to their web site, the CarrierIQ software is deployed on over 140 million devices around the world. Although the declared purpose of CarrierIQ is to collect “diagnostic” information from the mobile terminals, Trevor Eckhart, a security researcher, demonstrated that the extent of the information CarrierIQ collects goes beyond the simple “diagnostic” purpose and includes things such as keylogging and monitoring URLs opened on the mobile device. CarrierIQ is built in a typical Command and Control architecture – the admins can set up the kind of information which is collected from the terminals and which information is being sent “home.”

While it is obvious that CarrierIQ does collect a lot of information from your mobile phone, it doesn’t necessarily mean it is evil, or so we are advised to think by its creators or companies such as HTC, which support its usage. Being a U.S.-based company, CarrierIQ could be forced to disclose much of the collected information to US law enforcement if presented with a warrant. This legal loophole could effectively turn it into a government spy and monitoring tool. Whether or not this is indeed the case, many users have decided that it’s best to get rid of CarrierIQ from their phones. Unfortunately, this isn’t a very simple process and is different for iPhones, Android phones and BlackBerry terminals. In the case of Android, you may have to root your phone in order to get rid of it. Alternatively, many users have decided to flash a custom Android firmware instead, such as Cyanogenmod. The CarrierIQ incident shows that we are vastly unaware of what exactly is running on our mobile devices, or of the level of control which the mobile operator has over your hardware.
10. MacOS malware
While I do realize that I’ll put myself into the line of fire by even just mentioning Mac OS X malware, I think it’s an important story from 2011 which shouldn’t be overlooked. Products called MacDefender, MacSecurity, MacProtector or MacGuard, which are actually Rogue AV products for Mac OS, appeared in May 2011 and quickly became popular. Distributed through black-hat SEO techniques in Google searches, these programs rely on social engineering to get the user to download, install and then pay for the full version. Most of the users who decide to pay $40 for the supposedly “full” version later discover that they actually paid $140, and sometimes that they paid multiple times.

The expansion of PC threats (Rogue AV programs being one of the most popular malware categories for PCs) to Macs is one of the important trends of 2011. In addition to Mac OS Rogue AVs, the DNSChanger family of Trojans deserves a special mention as well. First identified around 2007, these small Trojans perform a very simple and straightforward system compromise: they change the DNS settings to point to the criminals’ private DNS servers, and then uninstall themselves. Hence, you may get infected with a DNSChanger, have your DNS settings changed and happily think you’re fine because there’s no malware on your computer, while criminals abuse the DNS communication to make you visit fake websites and perform click fraud and man-in-the-middle attacks. Luckily, in November 2011, the FBI arrested six Estonian nationals, as the gang behind the DNSChanger malware, as part of an operation called “Ghost Click.”

According to FBI data, during the past four years, they infected over 4 million computers in more than 100 countries and generated approximately $14 million in illegal profit. These incidents show that malware for Mac OS is as real as the malware for PCs, and that even modern security practices fail against carefully elaborated social engineering techniques. It is without doubt that we will see both of them being abused in the future.
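The DNSChanger description above comes down to one observable: the host’s configured resolvers no longer point where the administrator put them. The check below is an added example written for this page, not code from the article or from any DNSChanger analysis; it parses a constructed resolv.conf-style configuration and flags any resolver outside an allow-list of the organisation’s own DNS networks. The network ranges and resolver addresses are constructed sample values (RFC 5737 documentation ranges), and the allow-list format is an assumption of this example.

```python
import ipaddress

# Constructed allow-list: the resolver networks an administrator expects to see.
# (Sample values only; a real deployment would load these from configuration.)
ALLOWED_RESOLVER_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/24"),      # internal recursive resolvers
    ipaddress.ip_network("192.0.2.0/24"),     # ISP resolvers (documentation range, constructed)
]

# Constructed resolv.conf content as it might look after a DNSChanger-style change:
# the first nameserver is the expected one, the second is an unknown outside address.
SAMPLE_RESOLV_CONF = """\
# Generated by the example, not a real host file
search corp.example
nameserver 10.0.0.53
nameserver 198.51.100.9
options timeout:2
"""


def parse_nameservers(resolv_conf_text: str) -> list:
    """Return the nameserver addresses listed in resolv.conf-style text.

    Comment lines and malformed addresses are skipped rather than raising,
    so one bad line cannot hide the rest of the configuration from the check.
    """
    servers = []
    for raw in resolv_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue                          # not an IP address; ignore
    return servers


def unexpected_resolvers(resolv_conf_text: str, allowed_networks=None) -> list:
    """Return the resolvers (as strings) that fall outside every allowed network.

    An empty list means the resolver configuration matches the allow-list.
    """
    allowed = ALLOWED_RESOLVER_NETWORKS if allowed_networks is None else allowed_networks
    flagged = []
    for server in parse_nameservers(resolv_conf_text):
        if not any(server in net for net in allowed):
            flagged.append(str(server))
    return flagged


if __name__ == "__main__":
    bad = unexpected_resolvers(SAMPLE_RESOLV_CONF)
    if bad:
        print("Resolver(s) outside the allow-list:", ", ".join(bad))
    else:
        print("Resolver configuration matches the allow-list.")
```

The same comparison can be scheduled as a periodic integrity check; a resolver that appears outside the allow-list without a matching change record is exactly the silent symptom the article describes, since the Trojan itself is gone by the time anyone looks.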
SUMMARY

To summarize, these 10 stories are probably just a tiny speck in the galaxy of 2011 security incidents. The reason I selected them is that they point to the major actors of 2011, which will no doubt continue to play a major role in the cyber-security blockbuster which is around the corner. These are the hacktivist groups, the security companies, the Advanced Persistent Threat in the form of superpowers fighting each other through cyber-espionage, the major software and gaming developers such as Adobe, Microsoft, Oracle or Sony, Law Enforcement Agencies and traditional cybercriminals, Google, via the Android operating system, and Apple, thanks to its Mac OS X platform. The relations between these can be complicated, full of drama, contain many super-secret details and be as mysterious and darkly dreaming as Showtime’s Dexter. One thing is for sure – these same stars will be playing in all the major 2012 security blockbuster movies.

Source: ZDNet website

25 Bahman 1390 Tags: Analytical reports
Top 10 in 2011: An 'explosive' year in security
IRCRE201201087

As we turn the page to 2012, it makes sense to sit back and take a look at what happened during the past twelve months in the IT Security world. If we were to summarize the year in one word, I think it would probably be “explosive.” The multitude of incidents, stories, facts, new trends and intriguing actors is so big that it makes it very hard to crack into top 10 of security stories of 2011. What I was aiming for with this list is to remember the stories that also indicate major trends or the emergence of major actors on the security scene. By looking at these stories, we can get an idea of what will happen in 2012.

1. The rise of Hacktivism

It’s difficult to imagine someone reading this list who has not yet heard of Anonymous, LulzSec or TeaMp0isoN. Throughout 2011, these groups, together with others, were actively involved in various operations against law enforcement agencies, banks, governments, security companies or just major software vendors. Sometimes working together, in other cases working against each other, these groups emerged as one of the main actors of 2011, through incidents such as security breaches of networks belonging to the United Nations, security intelligence firm Stratfor, FBI contractor IRC Federal, US Defense contractor ManTech or the CIA website. Interestingly, some of these incidents, such as the Stratfor hack, revealed major security problems such as the storing of CVV numbers in unencrypted format, or extremely weak passwords used by the administrator.

Overall, the rise of hacktivism was one of the major trends of 2011 and no doubt, it will continue in 2012 with similar incidents.
2. The HBGary Federal hack

Although related to the first item on this list, I’d like to point this out as a separate story. In January 2011, hackers from the ‘Anonymous’ hacker collective broke into HBGary Federal’s webserver “hbgaryfederal.com” through an SQL injection attack. They were able to extract several MD5 hashes of passwords belonging to the company CEO, Aaron Barr, and COO, Ted Vera. Unfortunately, both passwords used were very simple: six lowercase letters and two numbers. These passwords allowed the attackers to get access to the company’s research documents and tens of thousands of mails stored on Google Apps.

I believe this story is relevant because it shows an interesting situation – the usage of weak passwords together with old software systems and cloud applications can turn into a security nightmare. If the CEO and COO had been using strong passwords, maybe none of this would have happened. Or, had they had multi-factor authentication enabled on Google Apps, the attackers wouldn’t have been able to access the superuser account and copy all the company e-mails. It’s important to point out that even if better security measures had been in place, we can’t rule out the possibility that the persistent hackers would have found another way in. Persistence and determination, together with time, give the attackers the upper hand.
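Two of the weaknesses named above are measurable on the defender’s side: how much guessing an eight-character password of the stated shape (six lowercase letters plus two digits) actually resists, and whether the stored hash makes each guess cheap. The block below is an added example written for this page, not HBGary’s code or anything from the article; it estimates the keyspace of that pattern, contrasts unsalted MD5 storage with salted, iterated PBKDF2-HMAC-SHA256 from Python’s standard library, and applies a simple length-and-class policy. The policy thresholds and the storage string format are assumptions of this example.

```python
import hashlib
import hmac
import math
import os
import string

# Constructed sample password with the shape the article describes
# (six lowercase letters, two digits). Not a real credential.
SAMPLE_WEAK_PASSWORD = "abcdef12"


def keyspace_bits(lowercase_letters: int, digits: int) -> float:
    """Entropy (bits) of a password made of N lowercase letters followed by M digits.

    This is the size of the space an attacker must cover if they know the pattern;
    knowing the pattern is the realistic assumption once one hash has been cracked.
    """
    return lowercase_letters * math.log2(26) + digits * math.log2(10)


def md5_unsalted(password: str) -> str:
    """The storage scheme the article describes: fast, unsalted MD5.

    Equal passwords give equal hashes, so one precomputed table serves every account.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password: str, iterations: int = 600_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 in a self-describing record (format assumed)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute the derived key with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def meets_policy(password: str, min_length: int = 12, min_classes: int = 3) -> bool:
    """Reject short passwords and those drawn from too few character classes (thresholds assumed)."""
    classes = (
        any(c in string.ascii_lowercase for c in password),
        any(c in string.ascii_uppercase for c in password),
        any(c in string.digits for c in password),
        any(c in string.punctuation for c in password),
    )
    return len(password) >= min_length and sum(classes) >= min_classes


if __name__ == "__main__":
    print(f"6 lowercase + 2 digits: about {keyspace_bits(6, 2):.1f} bits of keyspace")
    print("unsalted MD5 (same input, same hash):", md5_unsalted(SAMPLE_WEAK_PASSWORD))
    record = pbkdf2_store(SAMPLE_WEAK_PASSWORD)
    print("PBKDF2 record:", record[:40] + "...")
    print("verify correct password:", pbkdf2_verify(SAMPLE_WEAK_PASSWORD, record))
    print("verify wrong password:  ", pbkdf2_verify("abcdef13", record))
    print("weak sample passes policy:", meets_policy(SAMPLE_WEAK_PASSWORD))
```

Running it shows the pattern is under 35 bits, that two identical passwords produce identical MD5 digests (so one cracked hash exposes every account that reused it), and that the PBKDF2 record differs on every call because of the salt. Neither the hashing nor the policy replaces the multi-factor authentication the article mentions; they limit the damage when a hash database leaks, while MFA limits what a recovered password is worth.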
3. The Advanced Persistent Threat

Although many security experts despise this term, it has made its way into the media and rocketed to the top with incidents such as the RSA security breach or imposingly sounding incidents such as operation “Night Dragon,” “Lurid,” or “Shady Rat.” Interestingly, many of these operations were not too advanced at all. On the other hand, there were many cases in which zero-day exploits were used, such as the RSA breach. In this case, the attackers took advantage of CVE-2011-0609 – a vulnerability in Adobe Flash Player – to run malicious code on the target machine. Another interesting zero-day is CVE-2011-2462, a vulnerability in Adobe Reader, which was used in targeted attacks against U.S. Defense contractor ManTech. Several things stand out in these attacks – many cases involved zero-day vulnerabilities in Adobe software such as Flash Player or Adobe Reader.

Additionally, many of these attacks were directed at U.S. targets, notably companies working with the U.S. military or government. From this point of view, the “Lurid” attack was interesting because it mainly targeted countries in the Eastern part of Europe, such as Russia or the CIS. These attacks confirm the emergence of powerful nation-state actors and the establishment of cyber-espionage as common practice.

Additionally, many of these attacks seem to be connected and have major global ramifications. For instance, the RSA breach was notable because the attackers stole the database of SecurID tokens, which was later used in another high-profile attack.

4. The Comodo and DigiNotar incidents

On March 15th 2011, one of the affiliates of Comodo, a company known for its security software and SSL digital certificates, was hacked. The attacker quickly used the existing infrastructure to generate nine fake digital certificates, for web sites such as mail.google.com, login.yahoo.com, addons.mozilla.com or login.skype.com. During the incident analysis, Comodo was able to identify the attacker as operating from the IP address 212.95.136.18, in Tehran, Iran. If in the Comodo incident only nine certificates were created, the DigiNotar breach was a lot bigger. On 17th June 2011, the hackers began poking at the DigiNotar servers and during the next five days managed to get access to the infrastructure and generate over 300 fraudulent certificates. The hacker left a message in the form of a digital certificate containing a message in the Persian language, “Great hacker, I will crack all encryption, I break your head!” Making the link with Iran more solid, days later the fake certificates were used in a man-in-the-middle attack against over 100,000 GMail users from Iran.

The attacks against Comodo and DigiNotar are an indication of two emerging trends: first of all, we already have the loss of trust in the certificate authorities (CA), but in future, CA compromises may become even more popular. Additionally, more digitally signed malware will appear.
5. Duqu

In June 2010, researcher Sergey Ulasen from the Belarusian company VirusBlokada discovered a most intriguing piece of malware which appeared to use stolen certificates to sign its drivers, together with a zero-day exploit which used .LNK files for replication in a typical Autorun fashion. This malware became world famous under the name “Stuxnet,” a computer worm containing a very special payload, directly aimed at Iran’s nuclear program.

The Duqu Trojan, created by the same people as Stuxnet, was discovered in August 2011 by the Hungarian research lab CrySyS. Originally, it wasn’t known how one gets infected with Duqu – later, malicious Microsoft Word documents exploiting the vulnerability known as CVE-2011-3402 were discovered as a means of entry for Duqu. Compared to Stuxnet, the purpose of Duqu is quite different; this Trojan is actually a sophisticated attack toolkit which can be used to breach a system and then systematically siphon information out of it. New modules can be uploaded and run on the fly, without a filesystem footprint. The highly modular architecture, together with the small number of victims around the world, made Duqu so hard to detect for years – the first trace of Duqu-related activity we were able to find actually dates back to August 2007. In all the incidents we have analyzed, the attackers used an infrastructure of hacked servers to move the data, sometimes hundreds of megabytes, out of the victims’ PCs. Duqu and Stuxnet represent the state of the art in cyberwarfare and hint that we are entering an era of cold cyberwar, where superpowers are fighting each other unconstrained by the limitations of real-world war.

Source: ZDNet website

25 Bahman 1390 Tags: Analytical reports
Four predictions for security in 2012
IRCRE201112086
Date: 2011-12-31
Malicious Android apps will increase
As a target for malicious software, Android is the Microsoft of the mobile platform. Android has more than 50 percent of the smartphone market, eclipsing all others, so it's the most attractive platform for scammers to target. While iPhone apps get vetted by Apple, Google's open apps store model, which lacks code signing and a review process, makes it easy to distribute malware in apps.
The numbers bear this out. In the last six months, the number of malicious Android apps has doubled to 1,000, a report from mobile security firm Lookout says. Granted, the vast majority of the malware (often disguised as legitimate apps) is found on third-party sites. But some malicious apps have made it to the Android Market. Google yanked about two dozen apps containing malware in May and nearly 60 malicious apps in March. That's not counting the nearly 30 apps pulled in December that appeared to be designed for fraud.
Google moves quickly when problems are reported, but removing apps after-the-fact means there may be users who have downloaded them already. To be fair, the likelihood that the average Android user will encounter malware is very, very slim because most people avoid third-party sites where they are required to allow apps from unknown sources to be downloaded, and are thus assuming the risk.
Another utility will get hacked
Hacking of corporate and government networks happens all the time. Now that SCADA systems used in utilities and other critical infrastructure environments are being connected to the Internet, without the built-in security that traditional information technology networks have, it should come as no surprise that hackers will make their way in to areas where they conceivably could cause real harm to the environment and people.
The first wake-up call for the industry was the Stuxnet malware that emerged last year that appeared to have been designed to sabotage Iran's nuclear program. Then a leaked report in November appeared to be the first acknowledgement of a cyberattack on a U.S. critical infrastructure system, but the Department of Homeland Security denied that there had been an attack and ultimately it turned out to have been a false alarm.
However, an unnamed hacker claimed to have remotely breached a system at a Texas water plant, as well as systems in Europe. It's clear hackers are targeting these sensitive and critical systems, for whatever reason. Given how easy it is to find SCADA equipment with just a Google search, all the holes the SCADA systems seem to have, and that researchers say it is relatively easy to exploit the weaknesses, you can expect more attacks on critical infrastructure systems in the coming year. Whether they will make it to the news or be kept a secret is another thing.
People will continue over-sharing despite the privacy ramifications
We have become a society of sharing to the detriment of our personal privacy.
Social media provides a way for us to share every aspect of our life with people, from where we went to school to what restaurant we're dining at tonight to who our friends are. The ego prompts us to accept all the friend requests and seek more followers, and to bombard them with more details of our lives than anyone needs to know. We also are unknowingly revealing sensitive information.
Companies like Facebook are offering increased integration so that our activities on the site and elsewhere are automatically shared with others. So now we can see what music our friends are listening to and what articles they are reading right now. But advertisers are privy to more information about us collectively. Many people don't care if they see ads targeted to their tastes and lifestyle.
Companies need to better explain the privacy implications of the new features they offer, but consumers need to be asking themselves questions before they push "post," such as "Do I care if people I don't know or enemies are able to see this?"
Hacktivists will become more active
There's no doubt that 2011 can be called the Year of the Hackers. The Anonymous movement and its offshoots, notably LulzSec, gained fame and notoriety for their denial-of-service attacks and data breaches on a host of targets. From Sony and the CIA to bankers, police officers, and Fox News, the attacks were a daily occurrence for months. With the emergence of the Occupy Wall Street protests, Anonymous actions became more organized and focused on a cause--political protest of financial inequality and corporate influence--and inclusive, online and offline.
The Anons, as they call themselves, have ownership in the larger political movement and could provide the technical skills and online organization needed to even create a new party.

It seems that 2012 will be a more active year for this group of hackers.

Source: CNet.com

25 Bahman 1390 Tags: Analytical reports
McAfee Threats Report: Third Quarter 2011 – 2nd Section
IRCRE201111083
Date: 2011-11-27
McAfee Labs has studied the security threats of the third quarter of 2011 in a report. The following is a brief summary of that report.
Global Infected Computers
The top threats around the world continue to change from quarter to quarter. Last quarter, downloaders and certain potentially unwanted programs (PUPs) were prevalent. This quarter, parasitic malware and exploits are a bit more popular, with exploit scripts at the forefront of global detections.
Messaging Threats
Spam around the globe continues its downward trend. Even though spam volume is way down, McAfee Labs sees targeted spam, often called spearphishing, at its greatest development in years. So, very much like malware, the noise tells us spam levels have dropped, yet the signal we need to hear is that the bad guys have changed their tactics. They are protecting their business models and are doing so with a sophistication that creates a more dangerous threat than before.
Social Engineering
As always, social engineering lures in spam subject lines differ greatly depending on geography and language. The lures can vary by month or season, and often use holidays or sporting events as bait. Attackers show a remarkable insight into what works in different cultures and regions—not just globally but also seasonally. In France phishing may be popular, while in the United Kingdom “419 scams” are the rage. Meanwhile drug spam is hot in South Korea and Russia, while in the United States we see lots of Delivery Service Notifications (fake error messages) as a lure.
Worldwide overall botnet growth also took a small dip toward the end of this quarter, but our analysis of specific regions shows some significant increases.
Several countries saw significant growth in botnet infections. Cutwail, Festi, and Lethic lead the pack in new infection activity this quarter, while new infection rates of Grum, Bobax, and Maazben declined.
Web Threats
Websites can have bad or malicious reputations for a variety of reasons. Reputations can be based on full domains and any number of subdomains as well as on a specific IP address or URL. Malicious reputations are influenced by the hosting of malware, PUPs, or phishing sites. Often we observe combinations of questionable code and functionality.
Last quarter McAfee Labs recorded an average of 7,300 new bad sites per day; in this period that figure dropped a bit to 6,500 sites, which is comparable to the same time last year. In August we saw an average of more than 3.5 sites rated “red” each minute.
We saw four significant spikes in malicious web content this quarter. They are not linked to any particular attack.
The vast majority of new malicious sites are located in the United States. Next in line, we find the Netherlands, Canada, Germany, South Korea, China, and the United Kingdom. Last quarter we saw the same top seven countries though they finished in a different order.
North America still leads by a large margin (with 66 percent of servers this quarter, 60 percent last quarter, and 68 percent in the first quarter). Europe and the Middle East remain in second rank (23 percent, 25 percent, and 18 percent).
This quarter, the number of websites hosting malicious downloads continued to increase, while the number of sites hosting browser exploits slightly decreased.
The following chart provides a picture of the number of websites delivering malware and PUPs that McAfee Labs detected this quarter.
We saw an increase this quarter, with around 3,500 new sites per day compared with 3,000 per day during the prior quarter.
During the quarter we identified approximately 2,700 phishing URLs per day, very similar to our figures for last quarter. During the same period last year, we counted 2,900 URLs per day.
Related Links:
References:
McAfee Threats Report: Third Quarter 2011
25 Bahman 1390 Tags: Analytical reports
McAfee Threats Report: Third Quarter 2011 – 1st Section
IRCRE201111082
Date: 2011-11-27
McAfee Labs has studied the security threats of the third quarter of 2011 in a report. The following is a brief summary of that report.
Mobile Threats
Last quarter the Android mobile operating system became the most “popular” platform for new malware. This quarter Android became the exclusive platform for all new mobile malware. The Symbian OS (for Nokia handsets) remains the platform with the all-time greatest number of malware, but Android is clearly today’s target.
Premium-rate SMS-sending Trojans continue to be attractive to malware authors. The Android/Wapaxy, Android/LoveTrp, and Android/HippoSMS families are new versions of premium-rate SMS Trojans that sign up victims to subscription services. The malware also cleverly deletes all subscription confirmation messages received so that the victim remains unaware of the activity, and the attacker makes more money.
Maliciously modified apps made up a good portion of mobile malware this quarter. The Android/PJApp family sends SMS messages, too, but also collects sensitive information from the phone.
In an interesting turn, Android malware has begun a new method of stealing information from users: recording their phone calls. Two examples are Android/NickiSpy.A and Android/GoldenEagle.A, both of which record user conversations and forward them to the attacker. Attackers can’t be sure that the first one or two calls contain the information they seek, so this malware remains on the device for extended periods without being detected; that’s a very persistent threat indeed!
Another technique for stealing information is to use root exploits to gain access to system databases. This allows attackers to break free of the application sandbox that Android would normally make them sit in, and allows attackers access to all of the phone’s data and operations. The Android/DroidDeluxe and Android.ApkMon families try to gain root access to read system files. We expect this trend to continue as it has proved useful for years on other platforms.
As you can see in the next chart, mobile malware growth in 2011 is firmly on target to exceed last year’s and become the busiest year in mobile malware’s short, but interesting, history.
And Android is the top target of today’s mobile malware authors.
Malware Threats
The overall growth of malware declined slightly during this quarter compared with last quarter but remains about equal with last year’s pace at the same time of year. Third-quarter growth has been slower than the second quarter’s for the last two years; maybe malware writers take vacations like the rest of us. But we warn you not to get complacent—because the cumulative malware number has exceeded the 70 million mark. We predicted this figure last year. We expect to count around 75 million unique malware samples by year’s end.
Despite the fact that their overall numbers are slightly down, we saw interesting development in rootkits in general. Rootkits, or stealth malware, are one of the nastiest threats we face. They are designed to evade detection and thus “live” on a system for prolonged periods. The next graph shows that the overall numbers are again on a growth curve.
Let’s catch up on some of our other “favorite” malware: Fake AV, AutoRun, and password-stealing Trojans. Fake AV, also known as fake alert or rogue security software, has bounced back strongly from previous quarters, while AutoRun and password stealers remain at relatively constant levels.
Previously considered almost a misnomer, Mac malware continues to show a bit of growth—although this can be deceptive. When we look at a chart of overall malware growth for the Mac, the trend appears unremarkable.
Related Links:
References:
McAfee Threats Report: Third Quarter 2011
25 Bahman 1390 Tags: Analytical reports
McAfee Threats Report: Second Quarter 2011 – 2nd Section
IRCRE201109078
Date: 2011-09-23
McAfee Labs has studied the security threats of the second quarter of 2011 in a report. The following is a brief summary of the second section of that report.
Messaging Threats

Messaging threats continued a mild decline from last quarter, although the drop is not significant. A coordinated effort last quarter among several security providers, law enforcement, and even CERTs was able to shut off large numbers of botnet zombies and their command structure. We expect to again see sharp rises in spam; in the meantime, we continue to watch this area closely. Although the volume of spam remains at historic low levels, the spearphishing (a class of spam) that we see today is more targeted and effective than ever. This vector continues to evolve.

This quarter McAfee Labs has observed the Rustock botnets. Meanwhile the Maazben, Cutwail, and Bobax botnet masters have stepped up their activity. Of these three dominant botnets, Maazben clearly outpaces the others in worldwide usage and influence.

There has been steady growth in new botnet infections throughout the quarter. This is an interesting juxtaposition when we consider the worldwide drop in spam. Clearly botnet usage is in a state of transition. Given the growth and goals of hacktivists, we expect to see major changes in how botnets are used.

Spam lures and their subjects continue to show diversity. “Nigerian 419 scams” seemed a bit more popular this quarter globally while lotto scams were also prevalent in many parts of the world, along with the long-time subjects of bogus DSN and gambling spams. Social engineering with lures based on location is certain to continue, as scammers understand the diversities in their global audience.
Web Threats

Websites can have bad or malicious reputations for a variety of reasons. Reputations can be based on full domains and any number of subdomains as well as on a specific IP address or URL. Malicious reputations are influenced by the hosting of malware, unwanted programs, or phishing sites. Often we observe combinations of questionable code and functionality. Many factors go into a site’s reputational rating. Last quarter McAfee Labs recorded an average of 8,900 new bad sites per day.

We saw some significant spikes in malicious web content this quarter. On May 31, spam campaigns distributed fraudulent URLs hosting Zeus-related malware. Among these sites were undss-syria.org, baranava.com, emajic.net, and sturtholdfastmarioncc.com. The vast majority of these new malicious sites are located in the United States. Next in line, we find South Korea, Netherlands, Canada, United Kingdom, China, and Germany.
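As an added example (not McAfee's own code), the Python below resolves the URLs in a few constructed proxy-log lines against a small reputation list in the order the reputation paragraph above describes: exact URL first, then the host and each of its parent domains, then the IP address. The verdicts, URL path, log lines, placeholder domain example.net and the IP address are constructed; the other domain names are the ones named in the May 31 campaign above.

```python
"""Hierarchical web-reputation lookup over constructed proxy-log lines.

Added example, not McAfee's own logic.  A bad reputation can attach to a
whole domain (and so to every subdomain under it), to a single IP address,
or to one exact URL.  The lookup tries the most specific form first: exact
URL, then the host and each parent domain, then the IP address.
"""
import ipaddress
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed reputation list.  The real domain names are those the report
# names as hosting Zeus-related malware on May 31; the verdicts, URL path,
# example.net entry and IP (a TEST-NET-2 address) are made up for the example.
REPUTATION = {
    ("url", "http://baranava.com/zeus/update.php"): "malware",
    ("domain", "undss-syria.org"): "malware",   # also covers *.undss-syria.org
    ("domain", "sturtholdfastmarioncc.com"): "malware",
    ("domain", "example.net"): "phishing",      # constructed placeholder
    ("ip", "198.51.100.23"): "malware",
}


def normalize_url(url: str) -> Tuple[str, str]:
    """Return (host, normalized URL): scheme and host lower-cased, empty path
    made '/', fragment dropped, so trivially different spellings still match."""
    parts = urlsplit(url)                       # urlsplit lower-cases scheme and hostname
    host = (parts.hostname or "").rstrip(".")
    normalized = f"{parts.scheme}://{host}{parts.path or '/'}"
    if parts.query:
        normalized += "?" + parts.query
    return host, normalized


def lookup(url: str, resolved_ip: Optional[str] = None) -> Optional[Tuple[str, str]]:
    """Return (matched_key, verdict) for the most specific hit, else None.

    resolved_ip is the address the host resolved to, read from the log line so
    the example runs without DNS.
    """
    host, normalized = normalize_url(url)
    # 1. exact URL
    if ("url", normalized) in REPUTATION:
        return normalized, REPUTATION[("url", normalized)]
    # 2. host, then each parent domain: a.b.example.net -> b.example.net -> example.net
    labels = host.split(".")
    for i in range(len(labels) - 1):            # never match on the bare TLD
        candidate = ".".join(labels[i:])
        if ("domain", candidate) in REPUTATION:
            return candidate, REPUTATION[("domain", candidate)]
    # 3. the host literal may itself be an IP; otherwise use the resolved address
    for ip in filter(None, (host, resolved_ip)):
        try:
            key = str(ipaddress.ip_address(ip))
        except ValueError:
            continue
        if ("ip", key) in REPUTATION:
            return key, REPUTATION[("ip", key)]
    return None


# Constructed proxy log: "<timestamp> <client> <resolved_ip> <url>"
SAMPLE_LOG = """\
2011-05-31T09:12:01Z 10.0.0.5 203.0.113.9  http://baranava.com/zeus/update.php
2011-05-31T09:12:07Z 10.0.0.5 203.0.113.10 HTTP://CDN.undss-syria.org/img/a.gif
2011-05-31T09:13:44Z 10.0.0.8 203.0.113.11 https://login.example.net/verify?acct=1
2011-05-31T09:14:02Z 10.0.0.9 198.51.100.23 http://198.51.100.23/dl/setup.exe
2011-05-31T09:15:30Z 10.0.0.9 203.0.113.12 http://www.example.com/news
"""


def scan(log_text: str) -> list:
    """Return (client, matched_key, verdict) for every log line that hits the list."""
    hits = []
    for line in log_text.splitlines():
        _ts, client, resolved_ip, url = line.split(maxsplit=3)
        hit = lookup(url, resolved_ip)
        if hit:
            hits.append((client, *hit))
    return hits


if __name__ == "__main__":
    for client, key, verdict in scan(SAMPLE_LOG):
        print(f"{client} -> {verdict:8s} matched on {key}")
```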

In the first quarter our top countries were the United States, South Korea, Germany, and China. This quarter, however, is quite different. Our regional breakdown reveals where most malicious servers reside:

North America, primarily the United States, still dominates, but the figure for the combined region of Europe, the Middle East, and Africa has increased to 25 percent from 18 percent in the first quarter. Let’s take a deeper look at some regions:

This quarter, the number of websites hosting malicious downloads has again increased, while the amount of sites that host browser exploits was unchanged:

This quarter we also observed a continued increase in blogs and wikis with malicious reputations.
Websites Delivering Malware and PUPs

The following chart provides a picture of the number of websites delivering malware and potentially unwanted programs (PUPs) that McAfee Labs detected this quarter.

We saw a small increase this quarter with around 3,000 new sites per day compared with 2,700 per day during the first quarter.
Phishing Sites

This quarter we identified approximately 2,700 phishing URLs per day, up slightly from 2,500 per day last quarter.

Resource:
McAfee Threats Report: Second Quarter 2011, McAfee Labs
25 Bahman 1390 Tags: Analytical Reports
McAfee Threats Report: Second Quarter 2011 – 1st Section
IRCRE201109077
Date: 2011-09-23
McAfee Labs has studied the security threats of the second half of 2011 in a report. The following summarizes the first section of that report.
Mobile Threats

This quarter Android OS-based malware became the most popular target for mobile malware developers. That’s a rapid rise for Android, which outpaces second place Java Micro Edition threefold.

Mobile threats already take advantage of exploits, employ botnet functionality, and even use rootkit features for stealth and permanence.

Maliciously modified apps are still a popular vector for infecting devices: corrupt a legitimate app or game and users will download and install malware on their smartphones by themselves. Infiltrating popular modified apps this quarter were the malware Android/Jmsonez.A and Android/Smsmecap.A, and the Android/DroidKungFu and Android/DrdDreamLite families.
Malware Threats

The malware landscape this quarter has presented us with several surprises. Although numerically not the busiest period in history, when combined with the first quarter it gives us the busiest ever first half-year in this vector. The increase is 22 percent over 2010! McAfee Labs identified almost six million unique malware samples during this quarter. This puts us on track for our cumulative malware “zoo” collection to reach 75 million samples by year’s end.

Just to reinforce how significant the growth has been during the last several years, here is a look at the monthly incremental growth of unique malware binaries:

We now collect on average almost two million new samples every month. This is certainly not a welcome development, but it is consistent and predictable considering how our business and private lives are now tethered to technology.

Among the specific families we track, fake anti-virus software continues to show consistent growth and has even begun to climb aboard a new platform: the Mac. You read that right; fake-AV for Apple’s platform is now a reality. This does not surprise us at McAfee Labs. There are more Mac users than ever before. This puts the Apple platforms squarely in the crosshairs of malware authors. It will be interesting to see if this type of malware makes its way to the iPhone and iPad as well.

Generic password-stealing Trojans declined just a bit this quarter, while AutoRun malware was greatly reduced. Koobface threats dropped to the lowest levels in years.

Rootkits and Stealth Malware

Another malware category demonstrating recent steady growth is the rootkit. A rootkit (sometimes called stealth malware) is code that hides its elements from the operating system and security software. Cybercriminals use rootkits to make other malware stealthier and more persistent. The better hidden the malware is, the longer it will remain on the system and engage in its malicious activity. As you can see from the following chart, rootkits are on the rise overall. The first half of 2011 was comparable to malware overall: Rootkits have seen their busiest-ever six months, up almost 38 percent over 2010! Two of the busiest rootkits that we encounter are Koutodoor and TDSS. Both are nasty and hide malware to steal data.

Adobe Outpaces Microsoft in Attracting Exploits

For several quarters, one of the major trends we’ve seen is that malware authors prefer to write exploits that target vulnerabilities in Adobe products. This trend does not prove that Adobe’s technologies are more vulnerable or have more coding bugs than Microsoft’s. Rather, Adobe is one of the clear leaders in worldwide client applications, and this leadership is what drives malware authors and cybercriminals: They target what is popular and in wide use. The following chart shows the malware McAfee Labs has seen this quarter that attempts to exploit vulnerabilities in Adobe and Microsoft products.

Resource:
McAfee Threats Report: Second Quarter 2011, McAfee Labs
25 Bahman 1390 Tags: Analytical Reports
McAfee Threats Report: First Quarter 2011- 2nd Section
IRCRE201106070
Date: 2011-06-14
McAfee Labs has surveyed the threats of the first quarter of 2011 in its latest report. This security report briefly covers the second section of it.
Password Stealers Take It to the Bank
This quarter we noticed an interesting new trend among “banker” Trojans, malware that steals passwords and other data. Although Zeus continues to be prevalent, both the Zeus and SpyEye Trojans are using almost the same phish-like email topics on their spam campaigns. As we have discussed in previous Threats Reports, Zeus development appears to have ceased, with its author merging the source code with SpyEye.
SpyEye’s architecture allows it to add functions via new modules. As of March, the most recent SpyEye (Version 1.3.05) can support more than 150 modules.
At McAfee Labs we see a new password stealer variant every day, and they’re not terribly hard to combat. However, a few of them continue to develop in a way that challenges security companies. One of these is PWS-Caberp.
PWS-Caberp has been around since last quarter, but due to the improvements we’ve seen this quarter this banking Trojan deserves a special mention. As with SpyEye, PWS-Caberp has a modular configuration that allows it to add new features and updates.
In the coming quarter, besides improvements to SpyEye and PWS-Caberp, we expect to see a revision of Zeus/PWS-Zbot. At the end of this quarter the Zeus source code was leaked on some underground forums, which will certainly result in new variants.
What’s in a Word?
1.2 percent of search results this quarter led to a malicious site, down from 3.3 percent last quarter. 49 percent of the terms led to malicious sites (down from 51 percent). On average, each of these poisoned result pages contained more than two malicious links.
Web Threats
Last quarter McAfee Labs observed a significant increase in the number of domains, IP addresses, and URLs with malicious reputations. In addition to websites with bad reputations, we included in this category sites that host malware, potentially unwanted programs, and phishing sites. This quarter the number has dropped compared with the previous quarter.
For the quarter McAfee Labs recorded an average of 8,600 new bad sites per day.

We saw some significant spikes in malicious web content this quarter. Many of these sites correspond to high-impact news events such as the Japanese earthquake and tsunami, and major sporting dates. These events are continually exploited by cybercriminals as lures for scams and attacks. The vast majority of these new malicious sites are located in the United States. Next in line, we find South Korea, Germany, and China.
Websites hosting malicious downloads dropped notably this quarter while sites that host browser exploits remained unchanged:

This quarter we also observed a continued increase in blogs and wikis with malicious reputations.
Websites Delivering Malware and PUPs
The next chart provides a picture of the number of websites delivering malware and potentially unwanted programs (PUPs) that McAfee Labs detected this quarter.

With two notable exceptions, new malware sites were relatively flat this quarter compared with last quarter, increasing slightly on average. But the two exceptions were outstanding. The spike on January 24 was due to W32/Conficker.worm. That day, we found a tremendous number of Conficker .info and .org domains.
Phishing Sites
After a rapid increase during the first part of 2010, the number of phishing sites discovered each day has been fairly stable since the second half of that year. This quarter we identified approximately 2,500 sites per day, with two large leaps at the end of January.

Illegal File Sharing
This quarter we identified around 14 new sites per day used for the illegal exchange of copyrighted files. These sites illegally distribute software or electronic media such as copyrighted music or film, illegal license key generators, software cracks, and serial numbers. We include in this category sites that allow users to search for and exchange files from peer-to-peer networks. The United States is the clear leader in this area, with Germany a strong second ahead of China, Russia, and the Netherlands.

Earthquake and Tsunami in Japan
Only two hours after the Japanese earthquake and tsunami struck we spotted the first potential scam donation site. During the few next hours we collected more than 500 malicious domains or URLs with the terms Japan, tsunami, or earthquake in their titles. Most were created in association with spam campaigns, false news sites to distribute malware, and especially fake charity actions.
Vulnerabilities and Network Attacks
This quarter continued the trend of malware authors heavily exploiting weaknesses in both Adobe Flash and PDF technologies. Our malware database reveals that malicious exploits of Adobe products (more than 36,000 this quarter) topped the number of malicious exploits of Microsoft Office products by a wide margin.

SQL-Injection Attacks
China and the United States continue to be the primary sources for SQL-injection attacks. This quarter again sees China as number one (hosting 50 percent of attacks), with the United States second (25 percent). The Ukraine moved into third position (13 percent), pushing Iran down to fourth (5 percent). Other host countries support no more than 2 percent of attacks.

References:
McAfee Threats Report: First Quarter 2011
25 Bahman 1390 Tags: Analytical Reports
McAfee Threats Report: First Quarter 2011- 1st Section
IRCRE201106069
Date: 2011-06-13
McAfee Labs has surveyed the threats of the first quarter of 2011 in its latest report. This security report briefly covers its first section.
Malware Attracted to Android Phones
During this quarter Android was the second most popular environment for mobile malware, after Symbian OS. As the popularity of that platform continues to grow around the world, we expect to see more and more malware developed for it. Android malware remains third overall in our historical view.
One of the families, Android/DrdDream, comprises a variety of legitimate games and apps that have been injected with malicious code. These threats are unique and quite dangerous due to the use of two root exploits to gain greater control of those phones. The two exploits were initially used by users trying to gain legitimate root access to their own devices, a process commonly referred to as rooting. For mobile devices, much of the malware has required user interaction, but in the near future mobile exploits will certainly allow automatic malware installation.
Like Android/DrdDream, the Android/Drad family is made up of maliciously modified applications. This family sends device information to an attacker-controlled site. Just like in the PC malware world, Android/Drad listens for commands from the attacker. The malware can also download additional software. It appears that the malware uses blackhat search-engine optimization techniques, a process of manipulating search engine results to place dangerous sites higher than they should appear in lists of hits.
The recently released Android/SteamyScr.A is a modified version of a novelty app that turns a phone’s screen into a steamy window. This malware collects device information (International Mobile Equipment Identity and phone numbers) and sends it to the attacker. Android/SteamyScr.A also accepts a number of commands from botnet command servers. This malware is another example of attackers attempting to implement botnet functionality on Android devices.
Google created a security repair tool for Android/DrdDream infections that the creators of Android/Bgyoulu.A cleverly used for their own nefarious purposes. While pretending to be the official Android Market Security Tool, this malware actually monitors incoming SMS data and provides a backdoor for an attacker. Android/Bgyoulu.A appears to sign up a user to a premium-rate SMS service and then deletes the incoming confirmation message. With no indication that the user is using a for-pay service, the malware manages to silently steal data and phone information.

The criminals who use the Zeus crimeware toolkit have created new versions of Zitmo for both Symbian and Windows Mobile systems. The bank account–stealing thieves who created SymbOS/Zitmo.A have expanded from Symbian to Windows Mobile. MSIL/Zitmo.B is a .NET Compact Framework functional clone of Zitmo.A.
We expect to see much more development in this class of malware. As the world turns more to mobile devices, so too will cybercriminals and malware writers. Expect them to leverage, at Internet speed, everything they have learned from writing malware in the broader PC world.

Botnet Takes a Fall
One of the most important events of this quarter was the coordinated beheading of the Rustock botnet. This carefully scheduled effort among several security providers, law enforcement, and CERTs was able to shut off major amounts of the zombies and command structure of this very active botnet on a global level. Spam, while already at its lowest point since 2007, dropped once again as a result of this action.

In spite of the success in crippling Rustock, McAfee Labs still sees a small amount of activity from the botnet. We expect Rustock will be reseeded by cybercriminals during the coming months.

Many botnets are in position to fill the gap left by Rustock’s decline. Aside from sending spam, botnets can control a variety of cybercrime—such as denial-of-service attacks, malware distribution and installation, and hosting phishing sites. Thus the information security community must remain vigilant.
Malware Busier Than Ever
These three months turned out to be the busiest first quarter we have ever seen. McAfee Labs identified more than six million unique malware samples! This far exceeds any first quarter we have seen. Historically this period tends to be a slow quarter for malware, so it will be interesting to see how much malware we identify during the rest of the year.

Just to reinforce how significant the growth has been during the last several years, let’s take a look at the monthly incremental growth of unique malware binaries:

As the preceding graph makes plain, the last month to register fewer than one million samples was February 2010. Thus we predict more malware on a monthly and quarterly basis for a variety of reasons: more users online, more opportunities for scamming, as well as more efficient means of creating and distributing malware.
Fake anti-virus, also known as bogus or rogue security software, had a very strong quarter and its growth shows no real signs of slowing.

Generic password-stealing Trojans are showing a consistent, sustained level of usage, while AutoRun malware has leveled off a bit.

The preceding chart shows the unique password stealers discovered by McAfee and the next chart shows the unique AutoRun samples discovered by this company.

25 Bahman 1390 Tags: Analytical Reports
Microsoft Security Intelligence Report from 1st Quarter of 2011
IRCRE201111081
Date: 2011-11-12
Volume 11 of the Microsoft Security Intelligence Report (SIRv11) provides in-depth perspectives on software vulnerabilities, software vulnerability exploits, malicious and potentially unwanted software, and security breaches. Microsoft developed these perspectives based on detailed trend analysis over the past several years, with a focus on the first and second quarters of 2011.
Vulnerabilities
Vulnerability Severity

The following figure shows industry-wide vulnerability disclosures by severity, 2H08 to 1H11.

Medium and High severity vulnerabilities disclosed in 1H11 were down 6.8 percent and 4.4 percent from 2H10, respectively. Even as fewer vulnerabilities are being disclosed overall, the number of Low severity vulnerabilities being disclosed has increased slightly. Low severity vulnerabilities accounted for 7.2 percent of all vulnerabilities disclosed in 1H11.
Vulnerability Complexity
Some vulnerabilities are easier to exploit than others, and vulnerability complexity is an important factor to consider in determining the magnitude of the threat that a vulnerability poses. A High severity vulnerability that can only be exploited under very specific and rare circumstances might require less immediate attention than a lower severity vulnerability that can be exploited more easily.

The following figure shows complexity trends for vulnerabilities disclosed since July 2006. Note that Low complexity indicates greater danger, just as High severity indicates greater danger in the previous figure.

As with vulnerability severity, the trend here is a positive one, with Low complexity vulnerabilities (the easiest ones to exploit) down 41.2 percent from the prior 12-month period.
High complexity vulnerability disclosures, meanwhile, have increased slightly. They accounted for 4.9 percent of all vulnerabilities disclosed between July 2010 and June 2011, up from 2.8 percent in the prior 12-month period.
Operating System, Browser, and Application Vulnerabilities

The following figure shows industry-wide vulnerabilities for operating systems, browsers, and applications since July 2006.

Most of the industry-wide decline in vulnerability disclosures over the past several years has been caused by a decrease in application vulnerabilities, which were down 8.8 percent from 1H11. Despite this decline, application vulnerabilities still accounted for 71.5 percent of all vulnerabilities disclosed in 1H11. Operating system and browser vulnerability disclosures have been mostly stable for several years, accounting for 12.7 percent and 15.7 percent of all vulnerabilities disclosed in 1H11, respectively.
Vulnerability Disclosures

The following figure charts vulnerability disclosures for Microsoft and non-Microsoft products since 2H08.

Vulnerabilities in Microsoft products accounted for 6.9 percent of all vulnerabilities disclosed in 1H11, down from 8.2 percent in 2H10.
Vulnerability disclosures for Microsoft products have generally remained stable over the past several periods, though the percentage of all disclosures industry-wide that affect Microsoft products has increased slightly, primarily because of the overall decline in vulnerability disclosures across the industry.
Exploits

The following figure shows the prevalence of different types of exploits for each quarter between 3Q10 and 2Q11.

The most commonly observed type of exploits in 1H11 were those targeting vulnerabilities in the Oracle (formerly Sun) Java Runtime Environment (JRE), Java Virtual Machine (JVM), and Java SE in the Java Development Kit (JDK). Java exploits were responsible for between one-third and one-half of all exploits observed in each of the four most recent quarters.
Detections of operating system exploits increased dramatically in 2Q11 because of increased exploitation of vulnerability CVE-2010-2568. Detections of exploits targeting Adobe Flash, although uncommon in comparison to some other types of exploits, increased in 2Q11 to more than 40 times the volume seen in 1Q11 because of exploitation of a pair of newly-discovered vulnerabilities.
Malware and Potentially Unwanted Software
The information in this section was compiled from telemetry data that was generated from more than 600 million computers worldwide and some of the busiest Internet online services.
Global Infection Rates

The following table shows the locations with the most computers reporting detections and removals by Microsoft desktop antimalware products in 1H11.

Detections in Russia increased 22.2 percent from 1Q11 to 2Q11, mostly because of increased detections of Win32/Pameseg, a potentially unwanted software program with a Russian language user interface.
Detections in France and Italy both increased significantly in 2Q11 because of increased detections of a number of Adware families, including Win32/ClickPotato, Win32/Hotbar, and Win32/OfferBox.
Operating System Infection Rates

The following figure shows the infection rate for each Windows operating system/service pack in 2Q11.

This data is normalized: the infection rate for each version of Windows is calculated by comparing an equal number of computers per version (for example, 1,000 Windows XP SP3 computers to 1,000 Windows 7 RTM computers).
As in previous periods, infection rates for more recently released operating systems and service packs are consistently lower than earlier ones, for both client and server platforms. Windows 7 and Windows Server 2008 R2, the most recently released Windows client and server versions, respectively, have the lowest infection rates on the chart.
Infection rates for the 64-bit versions of Windows Vista® and Windows 7 are lower than for the corresponding 32-bit versions of those operating systems.
Threat Categories
The Microsoft Malware Protection Center (MMPC) classifies individual threats into types based on a number of factors, including how the threat spreads and what it is designed to do. To simplify the presentation of this information and make it easier to understand, these types are grouped into 10 categories based on similarities in function and purpose.

The following figure shows detections by threat category each quarter in 3Q10-2Q11, by percentage of all computers reporting detections.

Totals for each time period may exceed 100 percent because some computers report more than one category of threat in each time period.
Adware rose to become the most commonly detected category in 1Q11 and 2Q11, primarily because of a pair of new families, Win32/OpenCandy and Win32/ShopperReports, and large increases in detections of a number of older families.
Worms and Trojan Downloaders & Droppers were two of the more significant categories in 2010, but declined to 10.9 percent and 9.3 percent of detections by 2Q11, respectively.
Rogue Security Software
Rogue security software is software that appears to be beneficial from a security perspective but provides limited or no security, generates erroneous or misleading alerts, or attempts to lure users into participating in fraudulent transactions.

The following figure shows detection trends for the most common rogue security software families detected in 1H11.

Email Threats
Spam Messages Blocked
The information in this section of the Microsoft Security Intelligence Report is compiled from telemetry data provided by Microsoft Forefront® Online Protection for Exchange (FOPE), which provides spam, phishing, and malware filtering services for thousands of Microsoft enterprise customers that process tens of billions of messages each month.

The following figure shows messages blocked by FOPE each month from July 2010 to June 2011.

The volume of spam blocked by FOPE decreased dramatically over the past 12 months, from a high of 89.2 billion messages in July 2010 to a low of 21.9 billion in May 2011, primarily because of takedowns of two major botnets: Cutwail, which was shut down in August 2010, and Rustock, which was shut down in March 2011 following a period of dormancy that began in January.
Between 85 and 95 percent of incoming messages were blocked at the network edge each month.
The decline in the percentage of messages blocked at the network edge beginning in January was caused by the overall decline in the volume of spam that occurred following the inactivation of the Rustock botnet.
Spam Types

The FOPE content filters recognize several different common types of spam messages. The following figure shows the relative prevalence of these spam types in 1H11.

Advertisements for nonsexual pharmaceutical products (28.0 percent of the total) and nonpharmaceutical product advertisements (17.2 percent) accounted for the majority of the spam messages blocked by FOPE content filters in 1H11.
In an effort to evade content filters, spammers sometimes send messages that consist only of one or more images, with no text in the body of the message. Image-only spam messages declined to 3.1 percent of the total in 1H11, down from 8.7 percent in 2010.
23 Azar 1390 Tags: Analytical Reports