The majority of the biggest malware incidents that took place in the second quarter of 2010 were linked in some way to botnets. New bots were created and existing bots further developed, such as TDSS, an article on which has been published by our virus analysts, and Zbot (ZeuS), which we discuss below.
The evolution of the ZeuS (Zbot) Trojan, which is used to build botnets, is worth describing. A new modification of the malicious program was detected in late April. It included file virus functionality, which meant it could infect executable files. The malware writers decided to use relatively unsophisticated code and a similarly simple infection routine. Instead of the Trojan itself, a 512-byte-long fragment of code was added to .exe files, after which the infected file’s entry point was changed so that the appended code would be executed prior to the original code.
The injected code is designed to download new versions of the Trojan to the infected computer if the main ZeuS component has been removed. The malware writers used computers in the US to test the new version of the Trojan. ZeuS primarily targets online banking accounts, and as online banking is more evolved in the US than anywhere else, computers belonging to US users are tasty morsels for cybercriminals. The ZeuS version that the injected piece of code loaded was detected by Kaspersky Lab products as Trojan-Spy.Win32.Zbot.gen and had been created specifically to steal accounts from customers of Bank of America, a major US bank.
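The infection routine described above leaves a footprint a defender can check for: the entry point of an infected file no longer points at the start of the original code section but at a short stub appended near the end of the image. The script below is an added example, not code from the report or from Kaspersky Lab; it parses the PE headers with the standard library only and flags entry points that sit in the last section, in the final bytes of their section, or in a section that is both writable and executable. The `build_pe` helper and the two samples are constructed test input, not real binaries, and the 1024-byte tail window is an assumed triage threshold.

```python
import struct

# Section characteristic bits from the PE/COFF specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (entry_rva, sections) from raw PE bytes. Each section is a dict
    with name, vaddr, vsize, rsize and chars. Raises ValueError if malformed."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + i * 40
        (name, vsize, vaddr, rsize, _raw, _rel, _ln, _nrel, _nln,
         chars) = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rsize": rsize, "chars": chars})
    return entry_rva, sections


def entry_point_findings(data, tail_window=1024):
    """Heuristics for an entry point redirected to code appended to the file."""
    entry_rva, sections = parse_pe(data)
    findings = []
    for idx, s in enumerate(sections):
        span = max(s["vsize"], s["rsize"])
        if s["vaddr"] <= entry_rva < s["vaddr"] + span:
            break
    else:
        return ["entry point 0x%x lies outside every section" % entry_rva]
    if idx == len(sections) - 1 and len(sections) > 1:
        findings.append("entry point is in the last section (%s)" % s["name"])
    if span > tail_window and s["vaddr"] + span - entry_rva <= tail_window:
        findings.append("entry point is within %d bytes of the end of %s" % (tail_window, s["name"]))
    if not s["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry section %s is not marked executable" % s["name"])
    elif s["chars"] & IMAGE_SCN_MEM_WRITE:
        findings.append("entry section %s is both writable and executable" % s["name"])
    return findings


def _align(n, a):
    return (n + a - 1) // a * a


def build_pe(sections, entry_rva, file_align=0x200):
    """Build a minimal PE32 image in memory (constructed test input, not a real
    binary). sections: list of (name, vaddr, content, characteristics)."""
    opt_size = 96
    hdr_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = _align(hdr_len, file_align)
    sect_hdrs, body = b"", b""
    for name, vaddr, content, chars in sections:
        rsize = _align(len(content), file_align)
        sect_hdrs += struct.pack("<8sIIIIIIHHI", name, len(content), vaddr, rsize,
                                 raw_ptr, 0, 0, 0, 0, chars)
        body += content.ljust(rsize, b"\0")
        raw_ptr += rsize
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(opt_size, b"\0")
    headers = (dos + b"PE\0\0" + coff + opt + sect_hdrs).ljust(_align(hdr_len, file_align), b"\0")
    return headers + body


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed: entry point at the start of .text, data section not executable
CLEAN_SAMPLE = build_pe([(b".text", 0x1000, b"\xC3" * 0x1000, CODE),
                         (b".data", 0x2000, b"\x00" * 0x400, DATA)], entry_rva=0x1000)
# Constructed: 512 bytes appended to the last section, which is made executable,
# and the entry point moved onto them, as the report describes
APPENDED_SAMPLE = build_pe([(b".text", 0x1000, b"\xC3" * 0x1000, CODE),
                            (b".data", 0x2000, b"\x00" * 0x400 + b"\x90" * 512,
                             DATA | IMAGE_SCN_MEM_EXECUTE)], entry_rva=0x2400)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("appended", APPENDED_SAMPLE)):
        print(label, entry_point_findings(sample) or ["no findings"])
```

Packers such as UPX also place the entry point in a late section, so a hit is a triage signal to pull the file for closer analysis rather than a verdict on its own; the cleaner check is to compare the entry point and section table against a known-good copy of the same executable.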
Another notable innovation is that ZeuS is distributed using pdf files. An independent researcher has discovered that executable files embedded in pdf documents can be executed without having to exploit any vulnerabilities. The file is executed using the Launch function described in the pdf format specification. Just a few days after this information was published on March 29, people started to get emails with a specially crafted pdf document, which used the file launching method described above to infect computers with the ZeuS Trojan. In order for the computer to become part of a botnet, all the user needed to do was open the attachment.
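Because the Launch action needs no exploit, the defensive check is to look for it in the document itself before the file reaches a reader. The scanner below is an added example (not code from the report or from Kaspersky Lab) that triages a PDF statically: it decodes the `#xx` escapes PDF allows inside names, counts `/S /Launch` actions and their `/F` targets, and notes whether an `/OpenAction` or `/AA` entry would trigger the action automatically on open. Both sample documents are constructed inline; the `placeholder.exe` target and the verdict strings are assumptions of this example.

```python
import re

# PDF names may hide keywords with #xx hex escapes (/L#61unch is /Launch), so
# names are decoded before matching. Decoding the whole buffer can only add
# matches, never remove them, which is the right bias for a triage scanner.
NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
LAUNCH_ACTION = re.compile(rb"/S\s*/Launch\b")
LAUNCH_TARGET = re.compile(rb"/S\s*/Launch(?:(?!endobj).)*?/F\s*\(([^)]*)\)", re.S)
ADDITIONAL_ACTIONS = re.compile(rb"/AA(?![A-Za-z0-9])")


def normalise_names(data: bytes) -> bytes:
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Static triage for Launch actions. Works on the raw file, so objects packed
    into compressed object streams (/ObjStm) are not inspected; their presence is
    reported so the analyst knows a clean result may be incomplete."""
    text = normalise_names(data)
    report = {
        "launch_actions": len(LAUNCH_ACTION.findall(text)),
        "launch_targets": [t.decode("latin-1") for t in LAUNCH_TARGET.findall(text)],
        "open_action": b"/OpenAction" in text,                  # runs when the document opens
        "additional_actions": ADDITIONAL_ACTIONS.search(text) is not None,  # page/field events
        "embedded_files": text.count(b"/EmbeddedFile"),
        "object_streams": text.count(b"/ObjStm"),
    }
    if report["launch_actions"] and (report["open_action"] or report["additional_actions"]):
        report["verdict"] = "launch action wired to an automatic trigger: block"
    elif report["launch_actions"]:
        report["verdict"] = "launch action present: review"
    elif report["object_streams"]:
        report["verdict"] = "nothing visible, but compressed object streams were not inspected"
    else:
        report["verdict"] = "no launch action found"
    return report


# Constructed samples: the first mirrors the trick described above, with the
# action name obfuscated; the second is a plain one-page document.
LAUNCH_SAMPLE = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Action /S /L#61unch /Win << /F (placeholder.exe) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
BENIGN_SAMPLE = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, sample in (("launch", LAUNCH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_pdf(sample))
```

On a mail gateway the useful policy is to quarantine anything with the "block" verdict and to inflate object streams before trusting a "no launch action found" result, since a Launch dictionary inside an `/ObjStm` is invisible to a raw byte scan.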
In our previous quarterly reports we wrote about cybercriminals’ first attempts to control botnets via social networks. Those were only proof-of-concept efforts and we expected further developments. We did not have to wait long. A bot building utility called TwitterNET Builder appeared on the Web in May. The program builds a botnet using a Twitter account as a command and control center.
Since no programming skills are required to use the builder, it’s an ideal toy for script kiddies, who can build a bot with only a couple of mouse clicks. Kaspersky Lab classifies this ‘toy’ as Backdoor.Win32.Twitbot. The resulting bot has the following features: it can be used to download and run files, conduct DDoS attacks and open websites specified by the bot’s owners. To receive commands, the bot searches for the relevant Twitter account, which is used by the bot master to publish commands in text form.
Fortunately, this bot never became widespread, because security researchers were tracking such tricks. A botnet with such a primitive control system (the commands were sent unencrypted via a social network) is easy to detect and disconnect from its command and control center by closing the cybercriminal’s account. To the credit of the network’s security service, there were no such command centers on Twitter by the end of June.
Social networks have become a popular means of exchanging information. Cybercriminals take advantage of this by increasingly using them for fraudulent attacks, to send spam and distribute malware. Below we focus on the most notable incidents that took place on social networks in the second quarter.
Recently, we’ve seen links to social networks being actively distributed in spam messages. Eventually, social networks may, to a great extent, replace email in spreading malware.
One example is Brazil, where, until recently, banking Trojans were primarily spread by email. Brazilian cybercriminals must have realized that social networks are much more suitable for this purpose: since the start of Q2, social networks have seen significant amounts of spam targeting Brazilian bank customers.
Statistics confirm that social network spam is effective: in just one attack on Twitter, over 2,000 people followed the link sent by spammers within the space of an hour.
A notable iPhone-related story took place on Twitter. On May 19, the social network’s administration officially announced a new application, Twitter for iPhone. Cybercriminals decided to ride the wave of interest caused by the announcement. Less than an hour after the news was published, Twitter was flooded with messages that included the words “twitter iPhone application” and links leading to malware: Worm.Win32.VBNA.b.
This particular piece of malware is notable for several reasons. One is that this worm has relatively good self-protection: it uses anti-emulation tricks to disable some Windows system programs and spreads via USB devices. Another is that its principal function is to steal information required to conduct financial operations. The piece of news that was used to spread the worm wasn’t chosen at random: most smartphone owners have bank accounts and cards which are a prime target for cybercriminals. Therefore, it’s not surprising that about a third of all VBNA.b attacks (27-33%) targeted US computers, which are of greatest interest for cybercriminals.
Click fraud has always been a lucrative proposition for cybercriminals and it has become even more profitable with the advent of social networks, since the major social networks have as many users as the world’s largest countries.
A new type of attack appeared on Facebook in May in response to the introduction of the new Like feature. As can be easily guessed, the feature is associated with a list of the things that the owner of an account liked on the Internet. Thousands of users fell victim to an attack that was dubbed “likejacking” (by analogy with clickjacking).
Luckily, so far we have not seen any cases of links to malware being distributed in this way.
Two unexpected events involving vulnerabilities and Google took place in Q2. In both cases, a Google employee disclosed full information about vulnerabilities. Since at the time of disclosure there were no patches for the vulnerabilities, this predictably led to mass exploitation by black hats.
A zero-day vulnerability in Java Web Start (CVE-2010-0886) was disclosed on April 9. Oracle worked hard to develop a patch, which was released on April 16. However, cybercriminals beat them to it: a couple of days after the vulnerability disclosure, an exploit was widely available and even added to an exploit pack. Exploits are clearly mass-produced by cybercriminals these days: the domain that was subsequently used to conduct attacks was registered one day before information on that particular vulnerability was published.
In the second instance, the same Google employee disclosed a vulnerability in the Windows Help and Support Center (CVE-2010-1885). The situation repeated itself and working exploits became available on the Internet very soon after the information had been disclosed.
A researcher disclosing information about vulnerabilities is probably impelled to do so by an acute sense of justice. He believes that by making that information public, he is doing a good deed. But is this really the case?
On the one hand, when a vulnerability is disclosed, software vendors try to release a patch as quickly as possible. On the other hand, all cybercriminals receive a brand new weapon that is nearly 100% effective. In addition, while fixing today’s software that is made up of millions of lines of code takes much longer than a day, cybercriminals can take advantage of the vulnerability virtually at once. Isn’t this too high a price to pay for fixing bugs?
Our research demonstrates that such attempts to do good lead in quite the opposite direction. According to our data, exploits that target the CVE-2010-0886 vulnerability became widespread very soon. In their heyday, they boasted a 17% share of all vulnerabilities! The situation with the exploit that targets the HSC vulnerability (CVE-2010-1885) is similar. It is rapidly gaining ground and has risen as high as thirteenth in the quarterly exploit ranking, in spite of the fact that it only appeared in the last month of the quarter. It can only be hoped that this will be a good lesson to all researchers.
On May 31, Google announced that it was abandoning Windows and migrating to Linux and Mac OS. Security issues were among the reasons for this decision cited by Google representatives. However, Linux and Mac OS are, in fact, no better protected than Windows.
The second quarter saw malware for alternative platforms gaining new ground. A new backdoor for Mac OS X, Backdoor.OSX.Reshe.a, appeared on April 20. Once on the victim machine, the malware protects itself by disguising itself as iPhoto, a popular application, and configures itself to run at system startup. The backdoor offers an attacker full control of the infected computer, with the ability to send spam, search for and steal files, download and execute programs, take screenshots and much, much more. It is written in RealBasic and can run on Apple computers based on both PowerPC and Intel processors. So far, mass use of this malware has not been detected, but it nevertheless remains a weapon in the hands of cybercriminals.
On June 3, several days after Google’s announcement that it was migrating to alternative operating systems, Kaspersky Lab detected a new Trojan Spy for Mac OS X. The malware was disguised as an advertising system and was distributed in a bundle with legitimate software. In addition to stealing information from the computer, the malware has backdoor functionality, enabling attackers to send commands to the computer.
Many Mac OS users have a false sense of security. They are convinced that there are simply no threats that target their operating system. At the same time, Apple Computers admits that malware for Macs does exist. In the latest update for OS X 10.6.4, Apple quietly added a new signature to its antivirus scanner to protect computers against Backdoor.OSX.Reshe.a, which we described above. However, these quiet updates provided by the vendor only support users’ false sense of security instead of dispelling it.
It should be noted that there are no operating systems that are completely safe. Today, Mac OS X is no more secure than, say, Windows 7, because Mac OS X also requires anti-malware protection. Given the incidents described above, it is quite conceivable that targeted attacks on Macs are not far away.
In the past three months, over 540 million attacks were blocked in 228 countries. Last quarter, even Norfolk Island with a population of 2,141 appeared on Kaspersky Lab’s antivirus radar. During the quarter, the average number of infection attempts increased globally by 4.5% per month.
As the table below shows, the likelihood of a computer becoming infected depends on its location.
Distribution of attacks by country Q2 2010 and Q1 2010
| № | Country (Q2 2010) | Share | № | Country (Q1 2010) | Share |
|---|---|---|---|---|---|
| 2 | Russian Federation | 11.36% | 2 | Russian Federation | 13.18% |
| 4 | United States | 5.96% | 4 | United States | 5.25% |
| 5 | Viet Nam | 5.44% | 5 | Viet Nam | 3.73% |
The distribution of attacks remains virtually unchanged. The only exception is that Bangladesh has replaced the Philippines in nineteenth place. The five leading countries are still China (17.09% of all attacks), Russia (11.36%), India (9.30%), the USA (5.96%) and Viet Nam (5.44%).
In terms of the share in the total number of attacks, the most noticeable changes are shown by Russia (-1.82%), and Viet Nam (+1.71%).
It’s been a long time since Australia (31st position, 0.5%), which actively combats cybercrime, appeared in the rankings. The latest report presented by the Australian House of Representatives Standing Committee on Communications recommends that Internet service providers refrain from providing Internet access to computers without antivirus protection or a firewall installed. This recommendation may become a requirement for all Australian users.
This may seem harsh, but take another look at the rankings. The top position is taken by China, where, according to a poll conducted by CNNIC, about 4.4% (approximately 17 million!) of all users connect to the Internet without any protection whatsoever. This is the online equivalent of leaving home with all the doors and windows wide open. Moreover, Chinese users are not eager to learn from their own mistakes: according to the same poll, one sixth of all respondents admitted to having fallen victim to cybercriminals and lost virtual property – virtual property which these days can very easily be converted into real money …
In Q2 2010, Kaspersky Lab products blocked 157,626,761 attempts to infect computers via the Internet.
The five most common types of malware on the Internet include various Trojans, exploits and adware, with nearly half (48%) being accounted for by Trojans. Of these, 57% were malicious scripts injected by cybercriminals into various websites, including legitimate sites with thousands, even millions of visitors. These scripts are categorized by Kaspersky Lab as Trojan.Script.Iframer and Trojan.Script.Generic. They make users follow a link that is not visible in the browser window and which takes them to a web page created by cybercriminals. Such links usually lead to pages with exploits (in more professional schemes, exploit packs), which enable attackers to make their first step towards evading security applications and, ultimately, to download and run any file on the victim machine. Exploits are discussed in more detail below.
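The invisible link described above is typically an iframe that the visitor cannot see: zero-sized, hidden by CSS, positioned off-screen, or nested inside a hidden element. The auditor below is an added example (not code from the report or from Kaspersky Lab) that a site owner can run over their own pages to find such frames; it uses only the standard library and tracks hidden ancestors so a frame inside a `display:none` container is caught too. The sample page, its hosts (`www.example.com`, `198.51.100.23`, `example.net`) and the one-pixel threshold are constructed assumptions of this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "wbr"}
HIDING_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
ZERO_DIM = re.compile(r"(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)
OFFSCREEN = re.compile(r"(?:left|top)\s*:\s*-\d{3,}", re.I)


def _tiny(value):
    """True for a width/height attribute of 0 or 1 pixel."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


class IframeAuditor(HTMLParser):
    """Collects iframes a visitor could not see, with the reason for each."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.hidden_stack = []   # one entry per open element: does it hide its subtree?
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = a.get("style") or ""
        if tag == "iframe":
            self._audit(a, style, any(self.hidden_stack))
        if tag not in VOID_TAGS:
            self.hidden_stack.append(bool(HIDING_STYLE.search(style)))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.hidden_stack:
            self.hidden_stack.pop()

    def _audit(self, a, style, hidden_ancestor):
        reasons = []
        if _tiny(a.get("width")) or _tiny(a.get("height")) or ZERO_DIM.search(style):
            reasons.append("zero-size frame")
        if HIDING_STYLE.search(style):
            reasons.append("hidden by style")
        if hidden_ancestor:
            reasons.append("inside hidden ancestor")
        if OFFSCREEN.search(style):
            reasons.append("positioned off-screen")
        if reasons:
            src = a.get("src") or ""
            host = urlparse(src).hostname or ""
            self.findings.append({"src": src, "reasons": reasons,
                                  "cross_origin": host != "" and host != self.page_host})


def find_hidden_iframes(html, page_host):
    """Return the hidden iframes found in html, for a page served from page_host."""
    auditor = IframeAuditor(page_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed page: one legitimate visible embed and two injected hidden frames
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/embed/player" width="640" height="360"></iframe>
<div style="display:none">
  <iframe src="http://198.51.100.23/in.cgi?3" width="1" height="1"></iframe>
</div>
<iframe src="http://placeholder.example.net/index.php"
        style="position:absolute; left:-9999px; width:0px; height:0px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in find_hidden_iframes(SAMPLE_HTML, "www.example.com"):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

Injected scripts frequently build the iframe at run time with `document.write` or by decoding an obfuscated string, so a scan of the static HTML misses them; run the auditor over the DOM as rendered by a browser, and treat any hidden cross-origin frame on a page you did not put there as a sign the site itself has been compromised.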
Adware accounts for 7.15% of all detections. In the first quarter, 70% of all adware programs detected belonged to the Zwangi and Boran families. In Q2, they ceded their place to the Shopper (26.06%) and FunWeb (22.81%) families, which together accounted for 49% of adware detections.
Over a third of all Shopper, FunWeb and Zwangi detections were on US and UK computers. At the same time, in 93% of all cases Boran, whose share diminished to 8%, was detected on computers in China.
An increase in the share of Shopper – a Browser Helper Object that provides online shopping advice – is due to the way in which it is currently being spread. It is now distributed in installation packages with free software handed out under the GPL license. When a free program received from an unofficial source is installed on a computer, Adware.Win32.Shopper installs together with the main program.
157,626,761 attacks conducted from online resources located in different countries were identified in Q2, 2010. Over 95% of all the attacks recorded originated from twenty countries.
Top 20 countries with servers hosting malicious code
| № | Country (Q2 2010) | Share | № | Country (Q1 2010) | Share |
|---|---|---|---|---|---|
| 1 | United States | 28.99% | 1 | United States | 27.57% |
| 2 | Russian Federation | 16.06% | 2 | Russian Federation | 22.59% |
| 7 | United Kingdom | 4.62% | 7 | United Kingdom | 3.29% |
| 20 | Viet Nam | 0.36% | 20 | Viet Nam | 0.25% |
As in the previous quarter, the top three positions in the ranking are taken by the US (28.99%), Russia (16.06%) and China (13.64%). The latter did not succeed in regaining the top position, which it had lost in the previous quarter.
The proportion of infected sites in Russia was down by 6.5 percentage points. At the same time, the number of attacks coming from web resources in the Netherlands and Sweden increased, with shares growing by 2.8 and 3.4 percentage points respectively.
The majority of Internet attacks start with exploits which make it possible for cybercriminals to surreptitiously access systems and download malware to victim machines. It’s therefore hardly surprising that exploit packages cost in the region of thousands of dollars.
A total of 8,540,223 exploits were detected in Q2, 2010. The table below shows the ten exploit families most commonly used by cybercriminals:
Exploits which target vulnerabilities in Adobe Reader remain the most common. However, it’s striking that the share of these programs decreased significantly in comparison to Q1, dropping by 17.11%.
The reason for this is that the Exploit.JS.CVE-2010-0806 and Exploit.JS.Agent.bab families have become increasingly widespread. These two exploit families target CVE-2010-0806, a vulnerability in the Peer Object component (aka iepeers.dll) in Microsoft Internet Explorer 6 and 7. The Q1 report describes how these exploits were spread. After inclusion in the metasploit (www.metasploit.com; en.wikipedia.org/wiki/Metasploit_Project) framework, these exploits were added (almost unmodified) to many exploit packages; this meant they were then used on a wide scale. On average, Kaspersky Lab products counteracted 31,000 attacks of this type every day – attacks which used Exploit.JS.Agent.bab and Exploit.JS.CVE-2010-0806 to target the CVE-2010-0806 vulnerability.
These exploits were used with a number of aims; however, the main target was online gaming accounts. Research shows that downloader programs installed by Exploit.JS.CVE-2010-0806 mostly attempted to download Trojan-GameThief.Win32.Magania and Trojan-GameThief.Win32.WOW to infected machines. The geographical distribution of attacks using these exploits also confirms the hypothesis that online gaming accounts were the main prize: the five most targeted countries (accounting for 96.5% of all attacks) were China, Taiwan, Korea, the USA and Vietnam. All of these are countries where the number of MMORPG players is traditionally high.
Another significant change is the increased proportion of Java exploits which target CVE-2010-0886 and CVE-2009-3867. The 2% increase in the proportion of Java malware in Q2 2010 is mainly due to these exploits, which were mostly used to conduct attacks targeting European countries (Germany, the UK, Russia, Italy, Ukraine and Spain) and North American countries (the USA and Canada). The attacks resulted in Backdoor.Win32.Bredolab being downloaded to victim machines. This malware is designed, in its turn, to download and install other malicious programs with varied payloads ranging from spam bots and programs designed to steal FTP passwords to rogue antivirus programs.
The exploits used in the Aurora attack are rapidly losing ground: in Q2 their share decreased by 7.08%. The mass media coverage of the attack, which exploited CVE-2010-0249, seemed to have a positive effect: users of Internet Explorer 6.0, which contained the vulnerability, started to upgrade their browsers. According to Net Applications (www.netmarketshare.com), the market share of Internet Explorer 6.0 has dropped 3% since January 2010.
The decline in the number of people using Internet Explorer 6.0 has resulted in a decrease in the share of the Exploit.JS.Adodb family exploits which target an old vulnerability in this version of the browser.
The exploits which target the CVE-2010-1885 vulnerability in Windows Help and Support Center (see above) are rapidly increasing in number. In Q2 they took thirteenth place even though the vulnerability was only identified on June 9. A patch was released over a month later in Microsoft Security Bulletin MS10-042, on July 13. This meant cybercriminals had plenty of time to exploit the vulnerability. It was primarily Russian, German, Spanish and American users who were targeted by attacks using these exploits. Mostly, they were used in pay-per-install (affiliate) schemes where one cybercriminal grouping pays others to distribute a particular piece of malware, with the amount paid depending on the number and location of infected machines.
In Q2 2010, Kaspersky Lab products detected 33,765,504 vulnerable files and applications on users’ computers. Notably, one in four computers had over seven unpatched vulnerabilities.
The table below shows the ten most common vulnerabilities:

Ten most common vulnerabilities detected on users’ computers

| № | Secunia ID | Change | Vulnerability | Impact | Percentage | Release |
|---|---|---|---|---|---|---|
| 1 | SA 38805 | 7 | Microsoft Office Excel Multiple Vulnerabilities | System access, execution of arbitrary code with local user privileges | 39.45% | 2009- |
| 2 | SA 37255 | new | Sun Java JDK / JRE Multiple Vulnerabilities | Security bypass | 38.32% | 2010- |
| 3 | SA 35377 | -2 | Microsoft Office Word Two Vulnerabilities | System access, execution of arbitrary code with local user privileges | 35.91% | 2010- |
| 4 | SA 38547 | -1 | Adobe Flash Player Domain Sandbox Bypass Vulnerability | Security bypass | 30.46% | 2009- |
| 5 | SA 31744 | 1 | Microsoft Office OneNote URI Handling Vulnerability | System access, execution of arbitrary code with local user privileges | 27.22% | 2007- |
| 6 | SA 34572 | -2 | Microsoft PowerPoint OutlineTextRefAtom Parsing Vulnerability | System access, execution of arbitrary code with local user privileges | 21.14% | 2008- |
| 7 | SA 39272 | new | Adobe Reader / Acrobat Multiple Vulnerabilities | System access, execution of arbitrary code with local user privileges | 21.12% | 2010- |
| 8 | SA 29320 | 2 | Microsoft Outlook "mailto:" URI Handling Vulnerability | System access, execution of arbitrary code with local user privileges | 19.54% | 2008- |
| 9 | SA 39375 | new | Microsoft Office Publisher File Parsing Buffer Overflow Vulnerability | System access, execution of arbitrary code with local user privileges | 16.08% | 2010- |
| 10 | SA 37690 | -1 | Adobe Reader/Acrobat Multiple Vulnerabilities | System access, execution of arbitrary code with local user privileges | 15.57% | 2009- |
6 out of 10 vulnerabilities were found in Microsoft products, 3 in Adobe products and 1 in a Sun product. This does not mean, however, that these companies’ products contain more errors than products from other vendors, simply that these products are those which are most widely used.
In Q2, 2010 there were two new additions to the ten most widespread vulnerabilities: vulnerabilities in MS Office Publisher (SA 39375) and Adobe Reader (SA 39272). Both of them have a high threat rating because they can be used by cybercriminals to gain full access to a system and to execute arbitrary code. Both vulnerabilities were identified in the middle of April with one day between the disclosures.
The Microsoft automatic update system is now enabled by default on most computers, whereas the new update system for Adobe Reader/Acrobat Reader was only introduced on 13 April, 2010 along with the regular quarterly update. Automatic updates for popular applications are an important factor which affects the security of the operating system as a whole. Vendors who add update functionality to their products are going in the right direction as it not only makes it possible to add new functions but also, most importantly, patch security loopholes in an effective way. The quicker vendors release and automatically download patches to users’ machines, the less likely it is for these computers to get infected via vulnerabilities.
Statistics from the Kaspersky Security Network show that 203,997,565 infection attempts were blocked in Q2, 2010.
Twenty most common malicious programs detected on users’ computers in Q2, 2010
| № | Name | Share | Change | Source |
|---|---|---|---|---|
| 3 | Net-Worm.Win32.Kido.ir | 7.4% | 0 | Internet, removable disks |
| 5 | Net-Worm.Win32.Kido.ih | 3.82% | 0 | Internet, removable disks |
| 6 | Net-Worm.Win32.Kido.iq | 3.51% | 0 | Internet, removable disks |
| 7 | Worm.Win32.FlyStudio.cu | 2.78% | 0 | Local and removable disks |
| 14 | Worm.Win32.Generic | 1.19% | -4 | Internet, removable disks |
| 15 | Worm.Win32.Mabezat.b | 1.16% | -4 | Internet, removable disks, email, file infection |
| 16 | Trojan-Dropper.Win32.Flystud.yo | 1.11% | 1 | Network and removable disks |
| 17 | Worm.Win32.Autoit.tc | 1.02% | -4 | Network and removable disks |
Five out of twenty positions in the ranking are occupied by heuristic detections (Generic); this is because heuristic methods are one of the most effective ways of detecting complex threats.
A range of Trojans, which are detected as Trojan.Win32.Generic (12%), head the table. These programs are unable to self-replicate, but have various payloads which range from stealing passwords to providing full access to a victim machine.
Malware detected by Kaspersky Lab’s Urgent Detection System (UDS) as DangerousObject.Multi.Generic comes in second place, with 10%. The UDS technology provides real-time protection to users who have opted-in to KSN.
In third, fifth, and sixth place are three Kido modifications which have maintained their positions since Q1. Although no new versions of Kido have appeared, and malware writers have not made further efforts to distribute the program, the worm’s propagation routine is extremely effective, and it therefore shows no signs of leaving the rankings. In contrast, there have been new variants of Sality (fourth place), a virus that infects executable files and which also maintains its position. Nevertheless, the most common modification remains Sality.aa, which first appeared at the end of 2008.
The ranking includes two programs written in “E”, a relatively uncommon programming language: Worm.Win32.FlyStudio.cu (seventh place) and Trojan-Dropper.Win32.Flystud.yo (sixteenth place). These malicious programs are regional, and mostly found only in one country, China. Trojan.Win32.Pakes.Krap.l (eighteenth place) is another new addition among malware written in scripting languages; it detects obfuscated malware written in AutoIT.
Contrary to the previous quarter when there were no exploits among the most common malicious programs, this time there are two. Firstly, Exploit.Script.Generic (tenth place) which detects exploits written in different scripting languages. Second is Exploit.JS.Agent.bab (thirteenth place) which exploits the Internet Explorer vulnerability that allows cybercriminals to download and launch programs on a user’s computer. Kaspersky Lab statistics show that exploits are one of the most effective ways of infecting victim machines.