Kindsight Security Labs Malware Report – Q3 2012 – 1st Part

Creation date

IRCRE201211118
Date: 2012-11-18

Introduction
The Kindsight Security Labs Q3 2012 Malware Report examines general trends in malware infections in home networks and in mobile devices and computers connected through mobile adapters. The data in this report is aggregated across the networks where Kindsight solutions are deployed. This is the 1st part of the report.

Q3 2012 Highlights

  • 13% of home networks were infected with malware in Q3/2012, that’s down slightly from the 14% reported in the previous quarter.
  • 6.5% of broadband customers were infected with high-level threats such as bots, rootkits, and banking Trojans.
  • ZeroAccess was the most active botnet in Q3. We estimate that there are over 2 million infected users worldwide with 685,000 in the United States alone.
  • These bots are engaged in a sophisticated ad-click fraud scheme that each day generates about 140 million fraudulent ad-clicks and 260 terabytes of network traffic. ZeroAccess could be costing advertisers $900,000 per day.

Android adware is on the rise and being distributed via Google Play. It accounts for 90% of the 3+% infection rate among mobile devices.

Q3 2012 Home Malware Statistics

  • Home Network Infection Rates
    In fixed broadband deployments in Q3 2012 we found that 13% of residential households show evidence of malware infection. This has slightly decreased from 14% in Q2. 6.5% of households were infected by high-level threats such as a botnet, rootkit or banking Trojan. 8.1% of households were infected with a moderate threat level malware such as spyware, browser hijackers or adware. Some households had multiple infections including both high and moderate threat level infections.
  • Infection Methods
    The main infection method is through malicious web sites running exploit kits such as Blackhole. When a victim lands there, the kit probes their computer and attempts to infect it. Once the infection process is successful, the kit generally installs a rootkit botnet such as Alureon or ZeroAccess, which is then used to coordinate additional malware activity. In some cases it will directly download fake anti-virus software, a spambot or a banking Trojan like Zeus or SpyEye. The victim is attracted to these malicious web sites either by offers of free services (sometimes of a dubious nature) or by spam e-mail messages luring victims to these sites. The victim will typically receive an e-mail message from a business or some level of government (the tax department is a good candidate) informing them of an issue with their account. It will contain a reasonable-looking link to a web site, which unfortunately contains the exploit kit. It is also quite common to find malware embedded in a spam attachment.
  • Top 20 Home Network Infections
    The chart below shows the top home network infections detected in Kindsight deployments. The results are aggregated and the order is based on the number of infections detected over the three month period of this report.
  • Top High Level Threats
    The table shows the top 20 high threat level malware that lead to identity theft, cybercrime or other online attacks. We’ll look at the significant ones in more detail below.
    The two different versions of the ZeroAccess ad-click botnet head the list. These bots are engaged in a sophisticated ad-click fraud scheme that could be costing advertisers almost a million dollars each day. They also earn money through “Bitcoin mining”. Details on both these activities are provided later in the document.
    The TDSS and Alureon rootkits continue to be near the top of the high threat list. These provide the attacker with a secure platform to load additional malware to monetize their botnet and are often associated with subsequent spambot, banking Trojan and identity theft infections. More details on these are also provided later in the document. The Zeus banking Trojan is still very active and is now leveraging peer-to-peer technology for command and control. The Mac Flashback bot has dropped to number 8 and DNSchanger is still present, but in a reduced role at number 15.
    New to the top 20 list this quarter are two new versions of Hupigon, a bot featuring backdoor access, and Obvod, a Trojan downloader. A new version of the Cutwail spambot also appeared.
  • Top 20 Internet Threats
    The chart below shows the top 20 most prolific malware found on the Internet. The order is based on the number of distinct samples we have captured from the Internet at large. Finding a large number of samples indicates that the malware distribution is extensive and that the malware author is making a serious attempt to evade detection by anti-virus products.
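The Home Network Infection Rates figures above (13% infected, 6.5% high-level, 8.1% moderate) only add up once you count each household once per threat category and allow a household to fall into both. The following is an added example, not code from the report or from Kindsight; the mapping of malware families to threat levels and the sample detection records are constructed to reproduce the report's percentages for 1,000 households.

```python
from collections import defaultdict

# Assumed mapping of family -> threat level, following the report's own
# descriptions (bots/rootkits/banking Trojans are high; adware etc. moderate).
THREAT_LEVEL = {
    "ZeroAccess": "high", "Alureon": "high", "TDSS": "high", "Zeus": "high",
    "SpyEye": "high", "Cutwail": "high", "Hupigon": "high",
    "adware": "moderate", "browser hijacker": "moderate", "spyware": "moderate",
}


def aggregate(detections, total_households):
    """detections: iterable of (household_id, malware_family), one per alert.
    A household is counted once per category, however many alerts it raised,
    so 'high' + 'moderate' can exceed 'infected' when households have both."""
    levels = defaultdict(set)
    for household, family in detections:
        level = THREAT_LEVEL.get(family)
        if level is None:
            continue  # unknown family: counted in neither category
        levels[household].add(level)

    def pct(count):
        return round(100.0 * count / total_households, 1)

    return {
        "infected": pct(len(levels)),
        "high": pct(sum(1 for s in levels.values() if "high" in s)),
        "moderate": pct(sum(1 for s in levels.values() if "moderate" in s)),
        "both": pct(sum(1 for s in levels.values() if len(s) == 2)),
    }


# Constructed sample for 1,000 households: 49 with only a high-level threat,
# 16 with both a high and a moderate one, 65 with only a moderate one.
SAMPLE = []
for h in range(1, 50):
    SAMPLE.append((h, "ZeroAccess"))
for h in range(50, 66):
    SAMPLE += [(h, "Alureon"), (h, "adware")]
for h in range(66, 131):
    SAMPLE.append((h, "browser hijacker"))
SAMPLE.append((7, "Zeus"))  # second alert in an already-counted household

if __name__ == "__main__":
    print(aggregate(SAMPLE, 1000))
    # {'infected': 13.0, 'high': 6.5, 'moderate': 8.1, 'both': 1.6}
```

The 1.6% of households with both a high and a moderate infection is exactly the amount by which 6.5% + 8.1% exceeds the 13% overall rate.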


References:
Malware Report, Q3 2012, Kindsight Security Labs
