ThreaT reporT H2 2012

Protecting the irreplaceable | www.f-secure.com

F-Secure Labs

At the F-Secure Response Labs in Helsinki, Finland, and Kuala Lumpur, Malaysia, security experts work

around the clock to ensure our customers are protected from the latest online threats.

At any given moment, F-Secure Response Labs staff is on top of the worldwide security situation,

ensuring that sudden virus and malware outbreaks are dealt with promptly and effectively.

Protection around the clock

Response Labs’ work is assisted by a host of automatic systems that track worldwide threat occurences in real time, collecting and analyzing hundreds of thousands of data samples per day. Criminals who make use of virus and malware to profit from these attacks are constantly at work on new threats. This situation demands around the clock vigilance on our part to ensure that our customers are protected.

3

Today, the most common way of getting hit by malware is by browsing the Web. It hasn’t always been this way. Years ago, floppy disks were the main malware vector. Then sharing of executable files. Then e-mail attachments. But for the past five years, the Web has been the main source of malware.

The Web is the problem largely because of Exploit Kits. Kits such as BlackHole, Cool Exploit, Eleanore, Incognito, Yes or Crimepack automate the process of infecting computers via exploits.

There is no exploit without a vulnerability. Ultimately, vulnerabilities are just bugs, that is, programming errors. We have bugs because programs are written by human beings, and human beings make mistakes. Software bugs have been a problem for as longs as we have had programmable computers—and they are not going to disappear.

Bugs were not very critical until access to the Internet became widespread. Before, you could have been working on a word processor and opening a corrupted document file, and as a result, your word processor would have crashed. Even if annoying, such a crash would not have been too big of a deal. You might have lost any unsaved work in open documents, but that would have been it.

However, things changed as soon as the Internet entered the picture. Suddenly, bugs that used to be just a nuisance could be used to take over your computer.

Yet, even the most serious vulnerabilities are worthless for the attacker, if they get patched. Therefore, the most valuable exploits are targeting vulnerabilities that are not known to the vendor behind the exploited product. This means that the vendor cannot fix the bug and issue a security patch to close the hole.

If a security patch is available and the vulnerability starts to get exploited by the attackers five days after the patch came out, the users have had five days to react. If there is no patch available, the users have no time at all to secure themselves; literally, zero days. This is where the term ‘Zero Day Vulnerability’ comes from: users are vulnerable, even if they have applied all possible patches.

One of the key security mechanisms continues to be patching. Make sure all your systems are always fully up-to-date. This drastically reduces the risk of getting infected. But for Zero Day vulnerabilities, there are no patches available. However, antivirus products can help against even them.

We’re in a constant race against the attackers. And this race isn’t going to be over any time soon.

foreword

SOFTWARE BUgS HAVE BEEn A PROBLEM FOR AS LOngS AS WE HAVE HAD PROgRAMMABLE COMPUTERS—AnD THEY ARE nOT gOIng TO DISAPPEAR.

Mikko HyppÖnenCHief researCH offiCer

FOREWORD

4

exeCutive suMMary

ExECUTIVE SUMMARY

executive summary

Three things visibly stand out in this past half year: botnets (with special reference to ZeroAcess), exploits (particularly against the Java development platform) and banking trojans (Zeus).

ZeroAccess was easily the most prevalent botnet we saw in 2012, with infections most visible in France, United States and Sweden. It is also one of the most actively developed and perhaps the most profitable botnet of last year. In this report, we go through the distribution methods and payment schemes of ZeroAccess’s ‘affiliate program’, as well as its two main profit-generating activities: click fraud and BitCoin mining. Aside from ZeroAccess, other notable botnets of 2012 are Zeus, Carberp, Dorkbot and SpamSoldier (a mobile botnet).

Java was the main target for most of the exploit-based attacks we saw during the past half year. This is aptly demonstrated in the statistics for the top 10 most prevalent detections recorded by our cloud lookup systems, in which the combined total of detections for the Java-specific CVE-2012-4681 and CVE-2012-5076 vulnerabilities and the Majava generic detections, which also identify samples that exploit Java-related vulnerabilities, account for one third of the samples identified during this period. Exploit kits plays a big role in this prevalence. In addition, exploits against other programs such as the PDF document reader (CVE-2010-0188) or Windows TrueType font (CVE-2011-3402) made notable impacts in H2 2012, as detailed further in this report. With regards to banking-trojans, a botnet known as Zeus—which is also the name for the malware used to infect the user’s machines—is the main story for 2012. Analysis of the geography for Zeus’s infection distribution highlights the United States, Italy and germany as the most affected countries. In addition to its banking-trojan capabilities, the Zeus malware also functions as a backdoor, allowing it to be directly controlled from the botnet’s command and control (C&C) servers. An examination of the different sets of backdoor commands used by Zeus derivatives (known as Citadel and Ice Ix) gives more detail of what other malicious actions this malware can perform.

In terms of online security, we look at the more ambiguous side of the ever-growing popularity of website hosting, and how its increasingly affordable and user-friendly nature also makes it well suited to supporting malware hosting and malvertising.

We also take a look at multi-platform attacks, in which a coordinated attack campaign is launched against multiple platforms (both desktop and mobile), often with multiple malware.

And finally on the mobile scene, the Android and Symbian platforms continue to be the main focus of threats, accounting for 79% and 19%, respectively, of all new mobile malware variants identified in 2012.

5

tHis tHreat report HigHligHts trends and new developMents seen in tHe Malware tHreat landsCape by analysts in f-seCure labs during tHe seCond Half of 2012. also inCluded are Case studies Covering seleCted notewortHy, HigHly-prevalent tHreats froM tHis period.

Contents

COnTEnTS

foreword 3

executive summary 4

contents 5

incidents calendar 6

in review 7

of note 10

the Password 11

corPorate esPionage 12

case studies 14

Bots 15

Zeroaccess 17

Zeus 21

exPloits 25

weB 28

multi-Platform attacks 32

moBile 35

sources 38

contributing AutHorS

broderick Aquilino

Karmina Aquino

christine bejerasco

Edilberto cajucom

Su gim goh

Alia Hilyati

timo Hirvonen

Mikko Hypponen

Sarah Jamaludin

Jarno niemela

Mikko Suominen

chin Yick Low

Sean Sullivan

Marko thure

Juha Ylipekkala

6

h2 2012 incidents calendar (July-decemBer)*

InCIDEnTS CALEnDAR

inCidents Calendar

online

Pc threats

in the news

hacktivism & espionage

mobile threats

sources: see page 38.

Jul

Australian hospital’s records ransomed

Huawei controversy in US Congress

ITU Telecom World ‘12 raised Internet/government concerns

Imuler.B backdoor found on OS x

Malware signed with Adobe certificate

Out-of-band Patch FridayFBI support for DnSChanger ended

Cool Exploit kit rivalling Blackhole

Berlin poice warned of Android banking trojans

Samsung TouchWiz exploit reported

new Linux rootkit found

new Mac Revir threat found

Mac threat found on Dalai Lama-related webite

Blackhole updated faster than flaws patched

One rogue ad hits Finnish web traffic

Samsung Exynos exploit reported

Java update closed 3 vulnerabilities

gauss threat targeted the London Olympics

Dexter malware hit point of sales (POS)

Syrian Internet,mobile connections cut off

Matt Honan ‘hack’ highlighted flaws in accounts systems

aug sePt oct nov dec

Multi-platform Intel/OS x backdoor found

Indian government email accounts hacked

Iran-targeted malware reported

Eurograbber attack on European banks reported

Commercial multi-platform surveillance tools found

7In REVIEW

changes in the threat landscaPe

Unlike the first half of 2012, the second half of the year saw no major malware outbreaks on any platform. Instead, a handful of incidents took place during this time period, most of which were notable as indications of how inventive the attackers have been in finding ways to compromise a user’s machine, data or money. These incidents included the hack into the Wired Matt Honan’s gmail and Apple accounts, which exposed loopholes in those account systems; the Adobe-certified malware episode, in which attackers went to the extent of stealing Adobe’s digital certificate in order to sign malware used in targeted attacks; and the Eurograbber attack, in which a variant of the Zeus crimeware was reportedly used to steal money from various corporations and banks in Europe.

An interesting development in 2012 has been the increasing public awareness of cyber-security and the various implications of being vulnerable to attack over a borderless Internet. news reports of alleged online or malware-based attacks against Iranian facilities drew attention to state-sponsored cyber-attacks. A conference gathering the various telecommunications entities to discuss basic infrastructure issues raised concerns about Internet governance, and the role of governments in it. The past year also saw US politicians, not generally considered the most tech-savvy of users, raise concerns over perceived reliance on IT solutions for sensitive government systems being provided by foreign corporations seen as potentially unreliable. Though it is probably a positive development that more people are becoming exposed to topics that have long been considered irrelevant or academic, only time will tell what will result from the increased awareness.

Rather than a single major event, perhaps the most noteworthy aspect of H2 2012 is the way that the various trends we saw emerging in the first two quarters of the year have continued to grow apace—that is, the growth of botnets, the ‘standardization’ of vulnerability exploitation and the increasing ‘establishment’ of exploit kits.

When it comes to botnets, the news has been mixed at best. The last few years have seen concerted efforts by players from different fields—telecommunications, information security and even government organizations—to take down or at least hamper the activities of various botnets, which have compromised millions of user’s computers and been used to perform such activities as monetary fraud and online hacking. These combined efforts resulted in totally shuttering, or at least seriously hampering, major botnets such as Rustock, Zeus and DnSChanger.

Unfortunately, despite these commendable efforts, the botnets have been regularly resurrecting, often with new strategies or mechanisms for garnering profit. In addition, the operators running these botnets have been aggressively marketing their ‘products’ to other hackers and malware distributors. Their efforts include offering affiliate programs with attractive ‘pay-per-installation’ rates and ‘rent-a-botnet’ schemes that allow attackers to use the combined power of the infected hosts to perform attacks or other nefarious activities. These sophisticated business tactics have garnered significant returns. In some cases, such as ZeroAccess, the reborn botnets have grown to count millions of infected hosts. See the cases studies Bots (pg. 15), ZeroAccess (pg. 17) and Zeus (pg. 21) for more information on botnets.

Another change we saw last year was the increasing use of vulnerability exploitation, often in tandem with established social engineering tactics. Unlike previous years, when most of the infections we saw involved trojans, 2012 was definitely the year of the exploit, as exploit-

in review

8In REVIEW

related detections accounted for approximately 28% of all detections F-Secure’s cloud lookup systems saw in H2 2012. In addition, malware designed to exploit vulnerabilities related to the Java development platform made up about 68% of all exploit-related detections recorded by our systems in the second half of last year.

If we look at the list of Top 10 Detections (above) seen by our cloud lookup systems in H2 2012 in more detail, two detections which specifically identify samples exploiting the Java-specific CVE-2012-4681 and CVE-2012-5076 vulnerabilities alone account for 9% of the malware identified by the top 10 detections. In addition, the Majava generic detections, which identify samples that exploit known vulnerabilities, including the Java-specific CVE-2012-0507 and CVE-2012-1723 vulnerabilities, account for another 26% of the top 10 detections, as well as having the dubious honor of being the second most common detection overall reported by our backend systems. The sheer volume of Java-related detections indicate both the widespread popularity of that platform and its susceptibility to the malicious inventiveness of malware authors.

Interestingly enough, when considering exploit attacks in general, though we saw attacks exploiting numerous vulnerabilities in multiple platforms and programs in 2012, the vast majority of the cases were related to only four vulnerabilities—CVE-2011-3402 and CVE-2010-0188, which are Windows-related vulnerabiltiies, and the previously mentioned Java vulnerabilities, CVE-2012-4681 and CVE-2012-5076. All of these vulnerabilities, incidentally, have already had security patches released by their relevant vendors.

FrZeroaccess

majava

downadup

Blackhole

cve-2012-4681

cve-2011-3402

cve-2010-0188

cve-2012-5076

Pdf exploits

sinowal

US

br

Fr

US

Fr

Fr

Fi

Fi

nl

US

Fr

Fr

Fi

Se

Se

Se

US

Fr

Se

Se

Fi

my

Se

nl

Fr

Fi

Fr

Se

Fi

dk

Se

iT

nl

de

Fi

nl

Se

de

others

others

others

others

others

others

others

others

others

others

100500

%25 75

27%

26%

11%

9%

6%

6%

6%

3%

3%

3%

toP 10 detections in h2 2012, & toP countries*

*Based on statistics from F-Secure’s cloud lookup systems from July to December 2012.

9

85+4+4+7+zrogue, 4%

others 4%Backdoor, 85%

trojan, 7%

*The total is counted based on unique variants detected from Jan to Dec 2012, rather than total file count. Riskware and repackaged installers are not counted; multi-component malware are only counted once.

mac malware By tyPe, Jan - dec 2012

total= 121 variants*

This skewed preference in attack targeting can be directly attributed to the popular usage of exploit kits such as Blackhole and Cool Exploit, which have incorporated the exploits for these vulnerabilities, in some cases faster than the vendors were able to patch them. It’s perhaps not too surprising then that BlackHole-related detections account for 9% of all samples detected by the top 10 detections of H2 2012. For more information on these exploits, see the Exploits case study on page 25.

And as a closing note, a quick look at our detection statistics for Mac indicates that even though Windows machines continues to be the main target for attacks, the Mac platform is increasingly coming in for a share of unwanted attention. Apart from the major Flashback outbreak in early 2012, we saw a slow but steady increase in malware on the Mac platform, as we detected 121 new, unique variants in all of 2012, the majority of them backdoors. By contrast, in 2011, we recorded only 59 new unique variants discovered on that platform.

In REVIEW

of note

the Password 11

corPorate esPionage 12

11

tHe password pass

wo

rd

PASSWORD

Computer passwords are something like fifty years old. And until a little over twenty years ago, they were very often a shared resource where multiple people used the same password (or set of passwords) for access to computer systems. The use of individual passwords was actually something of an innovation at the time.

Then came the World Wide Web, and with it, the ever growing need for more and more account passwords. As time has passed and our online lives have grown, it is now not at all uncommon for people to have dozens of passwords to keep track of. And what’s worse is that all of those passwords should be “strong” passwords and people shouldn’t reuse them between accounts. It’s too much!

The second half of 2012 provided more than enough evidence to demonstrate the problem of passwords. Hacks, breaches, database dumps—these are terms that average individuals (not just techies) are now familiar with. With today’s processing power, passwords that are strong enough to withstand brute force attacks are too difficult for the human brain to remember.

Even if the passwords are strong, our systems of authenticating account resets are flawed. A strong password is useless if social engineering tactics can be used to reset those passwords.

The password is dead and we all know it. But unfortunately, its successor has yet to turn up. So what’s to be done in the meantime? Triage.

• Use a password manager such as KeePass or Password Safe

• Kill old accounts that you no longer use• Untangle cross-linked accounts• Consider using a “secret” email address for account

maintenance• Be careful about what you share on social media. If

you share, don’t rely on personal information for your account password resets

• Use two-factor authentication options if available

Determine which accounts that are your critical points of failure, and make sure they are all well defended. Two factor authentication is good, but even that is not a bulletproof solution. It is important to use every option available.

For example, google’s gmail allows users to create their own security question for password resets. There is absolutely no reason why this question needs to be based on reality. It can just as easily be another “password”. One which is written down and stored safely at home, where only you have access to it.

And if you are a parent of teenage children… you really should have “the talk” with them about their use of passwords. The habits they form now will have a big impact on their future online lives.

Hopefully, one day soon, a true successor will rise to take the password’s place and we will all be able to let the password die a dignified death. Unfortunately, we are more likely to experience fits and starts towards a new solution. Prepare yourself now, 2013 isn’t going to be kind for those who are unprepared.

recommended reading

• HACKED: PASSWORDS HAVE FAILED AnD IT’S TIME FOR SOMETHIng nEW[1]

Matt Honan discusses the account hack that disrupted his

digital life and its implications for online security

• gOOgLE DECLARES WAR On THE PASSWORD[2]

Find out more about google’s experiment with device-based

account authentication

dead Man walking

sources

[1] Wired; Matt Honan; Hacked: passwords have failed and it’s time for something new; published 17Jan 2013; http://www.wired.co.uk/magazine/archive/2013/01/features/hacked?page=all [2] Wired; Robert McMillan; google declares war on the password; published 18 Jan 2013; http://www.wired.com/wiredenterprise/2013/01/google-password/

12

Corporate espionage

espi

on

ag

e

In Q4 2012, we watched the nature of corporate espionage attacks change. Before, almost all recorded corporate espionage cases were based on using specially crafted documents containing exploits and a malware payload. now, spies have started to leverage vulnerabilities in web browsers and browser plugins to achieve their aims in so-called ‘watering hole’ attacks.

‘Watering hole’ attacks are called such because instead of compromising a random website and infecting anyone who happens to visit the site, the attackers are more discriminating

in both the users being targeted and the site used as the infection vector. The attackers specifically attack a site which is commonly used by employees of the actual target organization. When these employees visit the compromised site, their browser or computer is then attacked, typically by exploiting a vulnerability that allows trojans or backdoors to be installed on the machine. From that point on, the installed malware becomes the gateway for attackers to reach their real target: the internal network and/or communications of the compromised employee’s companies.

CORPORATE ESPIOnAgE

numerous examples of corporate espionage attacks have been reported in the F-Secure Weblog over the years, many of them involving poisoned e-mail file attachments sent directly to the targeted organizations.

These attacks contrast sharply with the most recent case of a watering hole attack—the 21st December 2012 compromise of the Council of Foreign Relations (CFR) website[1]. In this attack, the website was injected with a previously unknown exploit that affected versions 6, 7 and 8 of the Internet Explorer (IE) web browser. Compromising the website itself was not the

attacker’s final objective; it was merely used as a conduit to infect the website’s visitors, which naturally include members of the CSR itself. And considering that CSR counts among its members both current and former US political elite and the founders of multinational companies, the list of potential targets is very interesting.

The rise of web-based attacks in corporate espionage raises two points: first, this trend means that any corporation with an online presence that serves such potentially ‘interesting‘ targets may be at risk of unwittingly serving as an attack conduit, and secondly; obviously, such organizations must now find a way to mitigate such a risk, in order to protect themselves and their clients.

“CROSS-REFEREnCIng THIS LIST [OF KnOWn ATTACK DOMAInS] AgAInST THE ALExA.COM’S LIST OF 1 MILLIOn MOST COMMOn DOMAInS SHOWED THAT 99.6% OF THESE POTEnTIAL C&C SITES WERE OUTSIDE OF ALExA’S TOP DOMAInS.”

figure 1: Screenshots of an e-mail and malicious file attachment used in a targeted attack

rise of tHe ‘watering Hole’ attaCk

13CORPORATE ESPIOnAgE

For companies with online resources that may be vulnerable to ‘watering hole’ attacks, it is very important to invest in web and server security. Performing regular audits to verify that your web server is serving only what it should is also highly recommended.

Defending against watering hole attacks does not require anything new that should not already be in place to protect against more mundane web attacks which target zero day vulnerabilities, thereby circumventing detection-based security coverage. A corporate security suite with behavioral based detection should of course be a part of the protection solution, as it can still provide a measure of protection by actively looking for and red-flagging suspicious behavior, rather than static reliance on known features to identify a malicious file.

But when we consider dealing with advanced and persistent attackers, one layer of protection is not enough. At a minimum, corporate users should use Microsoft’s free Exploit Mitigation Toolkit (EMET) to harden their system’s memory handling for client applications such as web browsers, web browser plugins and document readers.

espi

on

ag

e

exploit kit

www

targeted organization

attackercompromised

computerattacker gains access to compromised computer

www

A second, very effective method of ruining the spy’s day is to use DnS whitelisting in the company‘s DnS server so that only specific, approved public sites can be accessed on the user’s machine. This precaution directly interferes with the spy’s ability to communicate with its installed trojan(s), as well as helping to prevent information stolen from the machine being sent out to the attacker’s command and control (C&C) server.

Done right, this method also has the advantage of not interfering with the way most users work or browse the Internet. At F-Secure, we maintain a list of known attack domains potentially associated with corporate espionage. Cross-referencing this list against Alexa.com’s list of 1 million most common domains showed that 99.6% of these potential C&C sites were outside of Alexa’s top domains.

So if your organization is in possession of information that might be interesting to other companies, we recommend a custom DnS whitelisting solution that is relaxed enough to allow your users to work, but still strict enough to block unknown domains. And while attackers can use C&C channels that are trickier to block, such as Twitter or Facebook, this simple precaution does make it more difficult for attackers to operate.

how a ‘watering hole’ attack works

source

[1] The Washington Free Beacon; Chinese Hackers Suspected in Cyber Attack on Council on Foreign Relations; published 27 Dec. 2012; http://freebeacon.com/chinese-hackers-suspected-in-cyberattack-on-council-on-foreign-relations/

Case studies

Bots 15

Zeroaccess 17

Zeus 21

exPloits 25

weB 28

multi-Platform attacks 32

moBile 35

15

bots

bots

In the last few years, concerted efforts by various parties to take down or hamstring the operation of botnets, which were costing millions of users control of their machines, their data and/or their money. In 2012 however, we saw the resurrection of many of these botnets, often in a more aggressive form and with new malicious products, updated ‘packaging’ or marketing and distribution strategies and more efficient money-making mechanisms.

Zeroaccess

Of all the botnets we saw this year, definitely the fastest growing one was ZeroAccess, which racked up millions of infections globally in 2012, with up to 140,000 unique IPs in the US and Europe, as seen on the infection map at right [27].

The actual malware that turns a users’s computers into a bot is typically served by malicious sites which the user is tricked into visiting The malicious site contains an exploit kit, usually Blackhole, which targets vulnerabilities on the user’s machine while they’re visiting the site. Once the machine is compromised, the kit drops the malware, which then turns the computer into a ZeroAccess bot.

The bot then retrieves a new list of advertisements from ZeroAccess’s command and control (C&C) server every day. The ZeroAccess botnet reportedly clicks 140 million ads a day. As this is essentially click fraud, it has been estimated that the botnet is costing up to USD 900,000 of daily revenue loss to legitimate online advertisers. Click fraud has been on the rise as the online advertisement vendors realistically have no way to differentiate between a legitimate click and a fraudulent one.

Another revenue source for ZeroAccess is its ability to mine for Bitcoin, a virtual currency that is managed in a peer-to-peer (P2P) infrastructure. Bitcoin miners harness the computational power from the bots to perform complex calculations to find a missing block to verify Bitcoin transactions, and that would reward them in more Bitcoin currency that is agreed within the same peer to peer network, and these can be converted to cash. More than half of the botnet is dedicated to mining Bitcoin for profit. Further details of ZeroAccess’s profit-generating activities can be found in the case study on page 17.

Zeus

Moving on, Zeus (and its rival cum partner, SpyEye) are perhaps still the most talked about banking-trojans in 2012. Zeus has been referred to as “the god of Do-it-Yourself botnets”. Despite various takedown efforts, as of the end of December 2012, The ZeuS Tracker project has seen almost

900 ZeuS C&C servers around the world. This number may not be truly reflective of the botnet’s size, as the latest version of Zeus includes a peer to peers protocol that maintains communication within the botnet itself, allowing a bot to fetch configuration files and update from other infected hosts in the botnet. This feature was dubbed “gameover” and removes the need for a centralized C&C infrastructure, making it harder for security researchers to track the botnet.

Apart from the introduction of the gameover feature, the main change with Zeus has been tweaks done to make the malware more user-friendly, in effect making it an attractive resource even for wannabe attackers with low technical capabilities. With its fancy control and administration panel, well documented manual and a builder, Zeus allows both amateur and expert attackers to craft, design and build executables to infect the victim computers in a very short amount of time.

Citadel, the third derivative of Zeus, sets itself apart by enabling a more rapid deployment of new features and customization through an enhanced user interface, again with the aim of helping novice hackers get in the game of deploying their crimeware. This “dynamic config” functionality allows botmasters to create web injections on the fly, a vital ability in today’s online crime landscape as bots are also taken down

figure 1: google Earth map of ZeroAccess infections in the US [1]. Red markers indicate an infected unique IP address or cluster of IP addresses.

tHe world of bots in 2012

BOTS

16BOTS

bots

quickly. The most important feature for Citadel however is the availability of a “Customer Relationship Management” system through the use of a social network platform to support reporting and fixing bugs. This kit is definitely professional grade, and we expect to see a continuous rise in infections by Citadel in the near future.

carberp

Following the success of the Zeus and Spyeye, Carberp is most notable for making a comeback with a tweaked product and ‘marketing’ approach. First appearing in 2011 a regular data-stealing banking malware, Carberp’s spread was temporarily hampered by a takedown effort from Russian agencies in early 2012. Unfortunately, in December this botnet was discovered to have resurrected with a new ability to infect a computer’s boot record, a component that launches even before the main operating system (OS) starts, making any malware in the boot record harder to detect and remove.

Carberp’s authors or operators also changed the way the malware was distributed in order to attract more usage from other malware distributors. Carberp was previously only available as a standalone malware through private underground marketplaces. Since its resurrection, Carberp has pursued a new “malware-as-a-service” model that allows users to lease use of the botnet itself for prices ranging from USD 2000 to up to USD 10,000 a month. In addition, the buyer is offered a choice of botnet configurations. The priciest format includes the bootkit functionality, which has boosted its market price to about USD 40,000. Though the prices may seem steep, this rental scheme appears to be particularly attractive to less tech-savvy users who simply want a means to an end - that is, to install more trojans on more victim machines.

Carberp has also spread to the mobile platform in the form of man in the mobile attacks. For a Carberp-in-the-mobile (CitMo) attack to work, the user must have both a mobile app and a computer infected with the desktop version of the Carberp malware. Once the mobile app is installed, it is able to intercept SMS messages containing mTAn’s (mobile Transaction Authorization numbers), which are sent by banks as an authentication measure used to validate online transactions performed by the user. The intercepted mTAn is then forwarded to a remote server, from which it is later retrieved and used by the Carberp trojan installed on the same user’s computer in order to gain access to the user’s banking account.

The Carberp-infected mobile app is distributed on the Android platform, with most of the targeted users being customers of European and Russian banks. As online banking continues to rise in many countries, making such online transactions attractive targets to cybercriminals, banking-related botnets such as Carberp are expected to continue growing in 2013.

dorkBot

Then there is DorkBot, which was discovered spreading through Skype in October 2012. The malware steals user account and passwords from FaceBook, Twitter, netflix and various Instant Messaging (IM) channels. From an infected social networking account, DorkBot sent out images to the users’ contacts list asking the contacts if the attached image was their profile pic. Falling for this cliched social engineering tactic resulted in an executable installing a backdoor and the DorkBot worm on the user’s machine, which was then enrolled in a botnet.

Unlike previously mentioned botnets, DorkBot makes its profit through ransom—literally by locking down the victim’s computer, allegedly for the presence of ‘illegal content’ such as pornography or pirated music. It then demands a ‘fine’ of $200 to be paid within 48 hours, failing which the victims would be ‘reported to a government enforcement agency’ for further prosecution. DorkBot is also capable of making more money out of its infected hosts by using their combined power to perpetrate click fraud, which incidentally creates an attractive revenue source for the authors.

mobile botnets

And finally, though it is still at an embryonic stage in comparison, we are also seeing botnets operating on the mobile platform, specifically Android. These mobile botnets do exactly what botnets did when they first appeared on computers - that is, generate spam.

The SpamSoldier malware sends SMS messages to a hundred Android devices (in the US) at a time. The sender has no idea of this activity, as the sent SMS messages are deleted immediately once sent, making the sky high phone bills that result an unpleasant surprise. These spam messages may also contain social engineering content, including links that lead to other malware, therefore compounding the malicious effect of these spambots.

source

[1] F-Secure Weblog; Sean Sullivan; The United States of ZeroAccess; published 20 Sept. 2012; http://www.f-secure.com/weblog/archives/00002430.html

17

ZeroaCCess

Zero

aC

Ces

s

affiliate program: Zeroaccess success story

Affiliate programs are a well-known marketing strategy and are widely used by many e-commerce websites[3]. Essentially, a business owner with an e-commerce site to promote commissions other site owners to help drive customers to it (and hopefully eventually make a purchase). The website owners are then compensated for providing these customer leads.

Adopting this concept, ZeroAccess’s author or operator(s) has managed to distribute the program to a large number of machines with the help of its enlisted partners.

The ZeroAccess gang advertises the malware installer in Russian underground forums, actively looking for distributor partners. Their objective is to seek other cybercriminals who are more capable in distributing the malware and do so more efficiently.

The malware distributors generally consist of experienced affiliates, each of them employing their own methods of distributing the Zeroaccess installers, in order to fulfill the recruiter’s requirements. The most popular distribution methods we’ve seen involve exploit kits, spam e-mails, trojans-downloaders, and seeding fake media files on P2P file-sharing services and on video sites, though the specific details in each case depend on the distributor handling the operations.

ZeroAccess is one of today’s most notable botnets. It was first discovered by researchers back in 2010, when it drew a lot of attention for its capability for terminating all processes related to security tools, including those belonging to anti-virus products. When too many researchers focused on this self-protection capability however, ZeroAccess’ author decided to drop the feature and focus more on improving its custom peer-to-peer (P2P) network protocol, which is unique to ZeroAccess. After the change[1] , ZeroAccess became easier to spot by anti-virus products, yet it continued to spread like wildfire around the world due to the improved P2P technique[2]. This success can be largely attributed to its affiliate program.

The variety of distribution schemes and methods used by the numerous affiliates have contributed to the volume of trojan-dropper variants detected by antivirus products every day. All driven by the same motive which is to collect attractive revenue share from the gang.

distriBution methods

downloader trojan Dropping a downloader trojan onto a machine, which proceeds to download and install the botnet

exploit kit Using an exploit kit (e.g., Blackhole) in a drive-by-download attack

fake media file or keygen or crack

Hosting infected files in P2P file sharing services using enticing names, such as ‘microsoft.office.2010.vl.editi.keygen.exe’

P2P file sharing service Abusing a P2P file sharing website to host the ZeroAccess installer

spam email Sending spam emails containing an attachment or a link that could enable further exploitation

figure 1: A botnet operator seeking partners in an underground forum

methods used By Zeroaccess distriButors

tHe Most profitable botnet Malware in tHe wild

ZEROACCESS

18

The partners are compensated based on a Pay-Per-Install (PPI) service scheme[4] and the rate differs depending on the geographical location of the machine on which the malware was successfully installed. A successful installation in the United States will net the highest payout, with the gang willing to pay USD 500 per 1,000 installations in that location.

Zero

aC

Ces

s

figure 2: Proof of payments made by recruiter

given the rate of pay, it is no surprise that ZeroAccess is widespread in the US alone[5]. After the US, the commission rate sorted from highest to lowest are Australia, Canada, great Britain, and others. Some distributors even post screenshots of the payment they’ve received in underground forums to show the reliability of their recruiter.

The ZeroAccess gang can afford to pay such high incentives to its recruits because the army of bots created by the affiliate’s efforts is able to generate even more revenue in return.

Once the malware is successfully installed on the victim machines, ZeroAccess will begin downloading and installing additional malware onto the machines, which will generate profit for the botnet operators through click fraud and Bitcoin mining operations.

Botnet operators prefer the click fraud payload because since 2006 [6], it has been a proven way to generate income from the pay-per-click (PPC) or the cost-per-click advertising.

un

der

gro

un

d f

oru

m

Zeroaccess botnet operator

victims

exploit kits

spam emails

downloader trojan

P2P network

clic

k fr

aud

Bitc

oin

min

ing

$$$

distributor a

distributor B

distributor c

distributor n

ZEROACCESS

Zeroaccess Botnet affiliate Program structure

19ZEROACCESS

Bitcoin mining has too many constraints. For instance, the success of generating a bitcoin depends on the difficulty level of the target specified in the Bitcoin network and might even require some luck[7]. Furthermore, the victim’s machine needs to run on a decent CPU power, preferably with gPU or FPgA hardware, in a reasonable amount of time[8]. Even with a large number of botnets, the difficulty factors in solving Bitcoin blocks hinder Bitcoin mining operation from performing as well as click fraud which only requires the victims to have an internet connection and a web browser.

Despite the difficulties in Bitcoin mining, the fact that the ZeroAccess botnet was modified to drop its problematic self-protection feature and introduce the Bitcoin mining operations indicates that ZeroAccess’s operators are very ambitious to keep the botnet growing and are not afraid of taking risks.

conclusion

given ZeroAccess’s current success as a huge, fully functional profit-generating ‘machine’, it’s unlikely that we’ll see it going away anytime soon. The ZeroAccess malware - which poses the most direct threat to the users - will continue to exist as a hidden danger on malicious or boobytrapped websites. The affiliate program that encourages the spread of malware will continue to attract more cybercriminals due to the botnet operators’ established reputation for reliably paying its affiliates and adjusting commission rates to maintain their attractiveness. And finally, the criminal organizations behind the botnet have demonstrated that they’re willing to experiment and modify their ‘product’ in order to increase their ability to make money. As such, we expect the ZeroAccess botnet to grow and evolve, with new features or feature updates being introduced in the near future.

Zero

aC

Ces

ssources

[1] F-Secure Weblog; Threat Research; ZeroAccess’s Way of Self-Deletion; published 13 June 2012; http://www.f-secure.com/weblog/archives/00002385.html[2] F-Secure Weblog; Sean Sullivan; ZeroAccess: We’re gonna need a Bigger Planet; published 17 September 2012; http://www.f-secure.com/weblog/archives/00002428.html[3] Wikipedia; Affiliate Marketing; http://en.wikipedia.org/wiki/Affiliate_marketing[4] Wikipedia; Compensation Methods; http://en.wikipedia.org/wiki/Compensation_methods#Pay-per-install_.28PPI.29[5] F-Secure Weblog; Sean Sullivan; The United States of ZeroAccess, published 20 September 2012;http://www.f-secure.com/weblog/archives/00002430.html[6] MSnBC; Associated Press; google settles advertising suit for $90 million; published 8 March 2006;http://www.msnbc.msn.com/id/11734026/#.ULiDyn2sHvA[7] Bitcoin Wiki; Target; http://en.bitcoin.it/wiki/Target[8] Wikipedia; Bitcoin;http://en.wikipedia.org/wiki/Bitcoin

178317%Bitcoin mining

83%Click fraud

Zeroaccess’s Profit-generating activities, By Percentage (%)

3538+8+6+5+4+4Zeroaccess infections, toP countries

By Percentage (%)

35%US

38%Others

8% Japan6% India

5% Canada

5% Romania

5% Italy

*Based on statistics gathered from national ASn-registered networks.

20ZEROACCESS

Zeroaccess infections in the usa, JaPan, and euroPe*

euroPe

usa JaPan Zero

aC

Ces

s

*Red markers indicate an infected unique IP address or cluster of IP addresses.

21

Zeus

Zeu

s

P2P Zeus geography

Of all derivatives and variants, the peer-to-peer (P2P) version is particularly special because it is private and forms only one large botnet. Other derivatives usually consist of numerous yet smaller botnets, each run by someone who has purchased a version of Zeus. From late August to mid-november 2012, we monitored the P2P bots and tracked the websites that they had targeted to compromise with web injections. The targeted sites were defined by a configuration data that the bots received from other infected machines, and is stored in encrypted form to the Windows registry.

The configuration data revealed that a total of 644 unique URLs were targeted for web-injections during the monitoring period, with a special focus on sites based in north America. not all of these URLs included the domain names. Sometimes, only the path is used for identifying a targeted website. And many domains had several different URLs leading to them, using different paths. After excluding URLs with missing domain names and duplicate domains, a total of 243 unique domains were left. In summary, the targeted websites can be categorized into the following types:

• Personal online banking• Corporate online banking (mainly for north American

small businesses)• Investment and online trading sites• Credit card services• Extremely popular global websites (e.g. Amazon, eBay,

Facebook, etc.)

geographically, north America is the primary focal point of P2P Zeus botnet where it targeted 88 US-based websites and 23 Canadian-based websites. Several European countries were also hot targets for web-injection. In the configuration data, entries involving Italian websites were actively added, removed or changed; throughout the changes, Italy still remains as one of the favorite targeted countries. Poland started to creep into one of the top spots when 15 Polish sites were added to the targeted list in September and October when there were none listed in August. A real surprise from the findings is the number of targeted Middle Eastern banks as compared to the number of infections in the same area.

Zeus makes up a significant portion of banking trojans; it compromises millions of computers around the world and causes millions of dollars in loss to its victims. In a typical operation, Zeus modifies a targeted webpage to collect valuable information. For example, adding a part that requests potential victims to enter additional login details or personal information when they visited the webpage. The information is later used to access the victims’ online account and to perform unauthorized transactions.

When it comes to the number of machines infected with P2P Zeus, the US leads the pack followed by Italy. This number was based on 5395 random samples analyzed between July to november. After the US and Italy, no other countries in the subsequent positions really stand out from the pack as the difference in the number of infection varies only slightly.

toP-10 countries with the most P2P Zeus infections

country unique iPs % of all iPs

USA 1809 33.53%

Italy 439 8.14%

germany 205 3.80%

georgia 203 3.76%

Mexico 179 3.32%

Canada 168 3.11%

weB-inJection targets By country

usa

can

ada

ital

y

Pola

nd

saud

i ara

bia

ua

e

ger

man

y

rest

of t

he w

orl

d

88

2318 15 14 11 10

47

ZEUS

robbing banks in Modern tiMes

22

country unique iPs % of all iPs

India 167 3.10%

Brazil 143 2.65%

Romania 133 2.47%

Taiwan 110 2.04%

Every month, the US and Italy were consistently positioned at the top in terms of infection numbers. When Polish sites started to become targets, the number of infection in Poland more than doubled but this number only accounted for two percent of the total amount even at its highest point in november.

Percentages (%) of infected iPs

USA

Italy

georgia

germany

Canada

India

Mexico

Taiwan

Poland

10%

20%

30%

40%

50%

60%

70%

80%

Jul aug seP oct nov

Earlier this year, Dell SecureWorks Counter Threat Unit[3] was able to connect to approximately 100,000 P2P Zeus bots. Using this number as a minimum botnet size, we can say that the most affected Internet Service Providers (ISPs) could have several thousand of P2P Zeus infections on their customers’ machines.

new backdoor commands in Zeus derivatives

Zeus capability is not limited to serving as a banking trojan only. Since the beginning of its release, it has always contained some backdoor features that are controlled by simple scripts as ordered by the botnet owner. These scripts are delivered to infected machines through command and control (C&C) servers.

Different derivatives (i.e. Citadel, Ice Ix, and P2P) that popped up after the original Zeus 2 source code was leaked online have received drastically different commands since then. These commands provide a good indication of the development pace of each derivative. Citadel leads with 20 new commands while Ice Ix only received one, making it the closest version to the leaked version 2.0.8.9. For Citadel and Ice Ix, the earliest date listed on each respective table was also the date when we ran into the first sample of the derivative. For the P2P variant however, we received the first sample on 3rd September 2011 but only saw the first changes to the backdoor commands six months later.

The tables below list all new commands that are callable. Some of these may not implement any action and we did not track any possible changes in the behavior of each command. Please take note that the dates used in the tables were based on when we first received the sample with that particular command rather than when the Zeus author rolled out the changes.

callaBle commands in the Zeus Botnet

P2P variant Commands First seen

fs_find_by_keywords ** 2012-03-30

fs_find_add_keywords 2012-04-09

fs_find_execute 2012-04-09

fs_pack_path 2012-05-24

ddos_address 2012-05-24

ddos_execute 2012-05-24

ddos_type 2012-05-24

ddos_url 2012-05-24

** fs_find_by_keywords was a short lived command in the P2P variant; it was last seen in a sample received on 3rd April 2012.

citadel Commands First seen

dns_filter_add 2011-12-10

dns_filter_remove 2011-12-10

url_open 2012-02-12

module_download_disable 2012-05-07

module_download_enable 2012-05-07

module_execute_disable 2012-05-07

module_execute_enable 2012-05-07

info_get_antivirus 2012-05-07

info_get_firewall 2012-05-07

info_get_software 2012-05-07

ddos_start 2012-07-03

Zeu

s

ZEUS

23ZEUS

citadel Commands First seen

ddos_stop 2012-07-03

close_browsers 2012-09-11

webinjects_update 2012-09-11

download_file 2012-09-11

search_file 2012-09-11

tokenspy_update 2012-09-11

upload_file 2012-09-11

tokenspy_disable 2012-10-06

bot_transfer 2012-10-06

ice ix Commands First seen

bot_update_exe 2011-11-03

Besides being used as a banking trojan, some Zeus botnets may now also be used to perform distributed denial of service (DDoS) attacks on targeted websites where interested parties can rent a botnet from the controller for certain fees. As can be seen from the new backdoor commands, both the Citadel and the P2P versions received the DDoS features during the summer, but the reason behind the P2P feature update may be different. According to Dell SecureWorks Counter Threat Unit[3], the crew running the P2P variant used DDoS attacks to prevent victims of banking trojans from accessing their online banking accounts until the fraudulent transactions had been completed. Thus reason for the DDoS feature update may be to stop having to rent a third party botnet kit that the gang had been using to conduct attacks that took place between november 2011 and summer 2012.

Birth of Zeus 2.0.0.0

SpyEye author received Zeus source code[1]

Earliest known date of Ice Ix debut[2]

Zeus 2.0.8.9 source code leaked online

First public sale of Ice Ix on the internet

Earliest P2P Zeus variant identified by FS Labs

First P2P Zeus backup domain registered

Earliest Ice Ix sample identified by FS Labs

P2P gang started incorporating DDoS attack in their operations[3]

First date of Citadel identification[4]

Earliest Citadel sample seen by FS Labs

First change made to P2P Zeus backdoor commands

Citadel received backdoor commands to control additional modules

A custom Zeus 2 variant that includes ransomware features found

DDoS feature added to P2P Zeus

DDoS feature added to CItadel

01.04.2010

xx.10.2010

xx.04.2011

xx.05.2011

xx.08.2011

03.09.2011

05.09.2011

03.11.2011

xx.11.2011

xx.12.2011

10.12.2011

30.03.2012

07.05.2012

14.05.2012

24.05.2012

03.07.2012

Zeus 2 timeline of notaBle events

sources

[1] KrebsonSecurity; Brian Krebs; SpyEye v. ZeuS Rivalry Ends in Quiet Merger; published 24 Oct 2010;http://krebsonsecurity.com/2010/10/spyeye-v-zeus-rivalry-ends-in-quiet-merger/[2] RSA FraudAction Research Labs; new Trojan Ice Ix Written Over Zeus’ Ruins; published 24 Aug 2011;http://blogs.rsa.com/rsafarl/new-trojan-ice-ix-written-over-zeus-ruins/[3] Dell SecureWorks; Brett Stone-goss; The Lifecycle of Peer-to-Peer (gameover) ZeuS; published 23 Jul 2012;http://www.secureworks.com/cyber-threat-intelligence/threats/The_Lifecycle_of_Peer_to_Peer_gameover_ZeuS/[4] Seculert Blog; Citadel - An Open-Source Malware Project; published 8 Feb 2012;http://blog.seculert.com/2012/02/citadel-open-source-malware-project.html

Zeu

s

the complete infographic can be viewed at http://bit.ly/how2robBanks

25

exploits

expl

oit

s

In 2012, we saw the exploitation of known vulnerabilities in a popular program or the operating system become one of the most popular, if not the most popular, technique used by malware distributors, hackers and attackers in order to gain access to or control of a user’s machine.

From the normal user’s perspective, the most likely scenario in which they are likely to encounter an attempted vulnerability exploit of their machine is through visiting a malicious or compromised website. Though some attacks continue to use tried-and-true social engineering tactics, which require an element of deception and are relatively easy for an alert user to spot (“Click this link for free stuff!” or “Download this codec to view this tantalizing video!”), in more sophisticated attacks users are unlikely to see any overt signs that an attack has taken place at all; instead, their machine is quickly and silently compromised during the short period it was exposed to the malicious or compromised website.

In some cases, the attack is tailored specifically to target a particular set of users. Targeted user groups are typically either the users of specific banks (making the attack a case of monetary theft) or users employed by a specific company or in a specific field (essentially corporate or political espionage, see the Corporate Espionage case study on page 12). These targeted attacks are hardly new—we’ve seen cases of spear phishing come and go over the years. The main change that we’ve seen in the last few years is that rather than depending on the user to download an infected attachment or enter sensitive data into a malicious page masquerading as a legitimate portal, the attacks now make use of exploits and/or exploit kits to directly compromise the user’s machine, without needing any action from the user. In 2012, we saw a wide range of exploits being used to target known vulnerabilities, but surprisingly, statistics from F-Secure’s cloud lookup systems indicate that in most countries, the majority of exploits detected were related to only four vulnerabilities, all reported within the last two years and designated with official Common Vulnerabilities and Exposure (CVE) identifiers. The preference for targeting these four vulnerabilities may be related to the fact the some of the most popular exploit kits of today, particularly BlackHole and Cool Exploit, have incorporated the exploits targeting these vulnerabilities into their capabilities. Ironically, most of these vulnerabilities have already had security updates or patches released by the relevant software vendors. Two other Java-specific vulnerabilities, though nowhere near as frequently targeted as the first four, also saw enough attacks to be worth noting.

These then are the most commonly targeted CVE vulnerabilities of 2012:

cve-2011-3402A vulnerability in the TrueType font parsing engine used in the kernel drivers of various Microsoft Windows operating system versions (including xP, Windows Vista and Windows 7) allows remote attackers to run arbitrary code on a user’s machine. The attack uses a Word document or web page containing specially crafted malicious font data. More information on this vulnerability can be found on the infographic on page 27.

cve-2010-0188A vulnerability in Adobe Reader and various versions of Adobe Acrobat allows attackers to use a specially crafted PDF document to force the application to crash, causing a denial of service. According to reports, the attack document is also able to drop a malicious file onto the compromised system, which then connects to a remote site for further instructions.

cve-2012-4681Vulnerabilities in the Java Runtime Environment (JRE) running in web browsers allow attackers to use a specially crafted applet to run arbitrary code on the compromised machine. Users are most commonly exposed to the malicious applet when they are directed (either through social engineering or poisoned search results) to a malicious webpage hosting the attack applet.

cve-2012-5076A vulnerability in the JRE component of Oracle Java SE 7 Update 7 and earlier allows attackers to use a specially crafted applet to run arbitrary code on the compromised machine, usually to download additional malicious files onto it.

cve-2012-0507 A vulnerability in the AtomicReferenceArray of various versions of Oracle Java allows attackers to essentially breach the ‘sandbox’ or contained environment of the Java installation, permitting the attacker to perform malicious actions on the

affected machine.

cve-2012-1723A vulnerability in the Java HotSpot VM in the JRE component of various versions of Oracle Java allows attackers to essentially breach the ‘sandbox’ or contained environment of the Java installation, permitting the attacker to perform malicious

actions on the affected machine.

ExPLOITS

top targeted vulnerabilities in 2012

2011-3402

2010-0188

2012-4681

2012-5076

2010-0188

2012-5076

2011-3402

2012-4681

2012-4681

2011-3402

2010-0188

2012-5076

2012-4681

2012-5076

2011-3402

2010-0188

2011-3402

2010-0188

2012-4681 2012-5076

2012-4681

2010-0188

2011-34022012-5076

2010-0188

2012-4681

2011-34022012-5076

netherlandsExploit Prevalence: 139

2011-3402: 39%2010-0188: 32%2012-4681: 17%2012-5076: 9%

belgiumExploit Prevalence: 121

2011-3402: 36%2010-0188: 35%2012-4681: 16%2012-5076: 11%

SwedenExploit Prevalence: 102

2011-3402: 31%2010-0188: 29%2012-4681: 29%2012-5076: 9%

italyExploit Prevalence: 882010-0188: 38%2012-4681: 29%2011-3402: 22%2012-5076: 8%

GermanyExploit Prevalence: 782012-4681: 32% 2010-0188: 26%2011-3402: 22%2012-5076: 15%

FranceExploit Prevalence: 692011-3402: 32%2010-0188: 28%2012-4681: 24%2012-5076: 13%

USExploit Prevalence: 872012-4681: 47%2012-5076: 25% 2011-3402: 16%2010-0188: 9%

UkExploit Prevalence: 672011-3402: 30%2012-4681: 28%2010-0188: 28%2012-5076: 11%

polandExploit Prevalence: 612010-0188: 35%2012-5076: 24% 2011-3402: 21%2012-4681: 16%

2010-0188

2012-5076

2011-3402

2012-4681

FinlandExploit Prevalence: 452010-0188: 33%2012-5076: 25%2011-3402: 21%2012-4681: 17%

infogrApHicmost Targeted CVe Vulnerabilities, Top 10 Countriesh2 2012

These were the top 10 countries that saw the most exploits targeting known CVE vulnerabilities in H2 2012, ranked by Exploit Prevalence, which is calculated as the count of CVE-related detections reported per 1,000 users in the country for that time period. For example, during H2 2012, our systems recorded a CVE-related exploit detection for 139 of every 1,000 users in the netherlands. Also listed are the top 4 CVE vulnerabilities targeted in each country, as well as their relative percentage of all CVE-related detections from that country.

2011-34022012-4681

2010-0188

2012-5076

2011-34022010-0188

2012-4681

2012-5076

16

most exploited Users, Top 15 CountriesCalculated as the count of CVE-2011-3402-related detections per 1,000 users in the country, as seen by F-Secure’s cloud lookup systems in H2 2012.

CVE-2011-3402

infogrApHic

11+87+2+Cool

Blackhole

Others

87%

2%

11% The Cool (kit) factorIn H2 2012, most of the malicious sites we saw with the CVE-2011-3042 exploit were using the Cool Exploit kit to attack unsuspecting site visitors.

First reported in 2011, the term CVE-2011-3402 refers to a vulnerability in the Windows operating system component that handles TrueType fonts.

Shortly afterwards, an exploit became public that took advantage of this vulnerability to, among other things, install malware onto the affected system.

The exploit was first used in the Duqu malware, which only targeted specific organizations in certain countries. In October 2012, the exploit was added to the Cool Exploit kit, and shortly after to 5 other kits as well. It quickly became one of the most common exploits seen by normal computer users in H2 2012.

cVE-2012-4681

cVE-2011-3402

cVE-2010-0188

cVE-2012-5076

cVE-2012-0507

135 000

The greatest hitsDespite being relatively new, of all CVE-related hits logged by F-Secure’s cloud lookup systems in H2 2012, CVE-2011-3402-related detections were the second most frequent.

USA

Fran

ce

ger

man

y

Russ

ia

USA

UK

Ukr

aine26

%

The euro zone60% percent of malicious sites hosting kits with the CVE-2011-3042 exploit were registered to just 2 countries: France and germany.

For example, in Belgium, 72 out of every 1,000 users reported seeing a CVE-2011-3402-related detection in the second half of the year.

1000=980=950=500=100=

34%

26%

21

17

72 56

40

34

2725

25

21

19

15

13

11

Belgium

Sweden

netherlands

Switzerland

greece

UK

Spain

France

germany

Poland

Italy

Austria

Czech Republic

Denmark

28

web

web

There is a worrying trend that is gaining momentum on the Web today. The empowerment afforded by dynamic hosting of all things virtual that continuously makes a staggering amount of exciting content available at lightning speed is at the same time contributing to an online landscape that’s turning increasingly grey. More and more malware and malicious content are becoming available, and to an ever widening audience.

never has posting content online been so easy. Anything can be backed-up and saved for posterity and websites can be created in seconds without any special technical knowledge. This is a happy state of affairs for everyone, from the fledgling business owner who wants to minimize costs while reaching a wider audience with his product, to the activist who wants to remain anonymous while bringing more visibility to his cause —and of course, the bad guys who want to rake in more profits from infected user machines, stolen data and hijacked bank accounts.

toP 20 toP-level domains (tlds) serving malicious urls, aug-dec 2012

tld % .in 1.10

.com 44.51 .pl 1.01

.ru 6.62 .uk 0.84

.net 6.53 .eu 0.65

.org 4.44 .it 0.58

.ua 3.67 .kr 0.55

.info 2.49 .fr 0.54

.cn 2.41 .es 0.52

.cc 2.17 .nl 0.51

.de 1.53 .biz 0.50

.br 1.18 total 82.35

content hosting/channeling locations

Traditionally, the bad guys have hosted their malicious products on standalone websites. Recent developments in the site hosting industry have made this option even more attractive for those with malicious intent.

Website hosting has not only become so generic and affordable that domain purchases can be done in bulk, now

subdomain hosting has also emerged to make hosting content online even cheaper, often even totally free.

As diverse as these hosting sites may be, some are more conducive to hosting malware than others. Image-hosting sites for example have not been heavily abused to host malware yet. Some types of hosting sites though, by their very nature, can readily serve malicious content. The following are some services most heavily used by malware distributors:

• Dynamic DnS providers• Subdomain and Redirection Hosting• Blog and Content Hosting• File Hosting• App markets

All of the these services are favored due to the ease use, a high level of anonymity and the fact that they are cheap or even free. Although all these services have seen notable growth in malware hosting, the heaviest growth is most evident in dynamic DnS providers and app markets (for more on app market malware hosting, see our Mobile case study on page 35).

As the number of subdomain hosting offerings from Dynamic DnS providers have increased, so has the amount of malicious content being channeled through them. On checking one of the top 3 dynamic DnS providers (no-ip.com, dnsdynamic.org and changeip.com) 165 out of 189 of the domains that they support, or 87%, hosted malicious content.

granted, this rough estimate accounts for only 1% of all malicious URLs from that time period, but it also doesn’t yet factor in malicious content hosted by other providers, including those like afraid.org, which currently has 98,302 domains at its disposal.

Then comes subdomain and redirection hosting. Although they have surrendered a lot of of ground to dynamic DnS providers, these sites are still around and providing their fair share of malicious content. A significant number of them (such as uni.me, 110mb.com, vv.cc, x10.mx and rr.nu) are heavily used to host malware. Even when a major player, co.cc, mysteriously vanished, most of these subdomain hosting sites continue to thrive.

not to be left behind are various flavors of file, blog and other content hosting sites. While these sites provide empowerment to the masses, they also enable the bad guys to push their wares with ease. Let’s take Wordpress, the most popular Content

tHe inCreasingly greying web

WEB

29

web

Management System (CMS) online at the moment 59% market share[1], as an example. Its user-friendliness has revolutionized the content creation sphere, giving even the least tech-savvy writer a voice and presence in the cyberworld. However, since the bad guys are also well aware of the statistics, exploit kits have been targeting sites served via the Wordpress CMS, using them as redirection pages for malware, scamware and various shades of greyware.

Finally, file hosting sites are an easy way to backup and share both legitimate files and malware online. A significant amount of the executable malware pulled from the file hosting sites is

dropped by trojan downloaders straight to the system without any user intervention. File hosting sites provide a free and readily disposable malware-hosting alternative for attackers, who would otherwise have to use the more technically-challenging dynamic DnS, subdomain hosting sites or even standalone domains.

social networking and social media sites

While social networking and social media sites are very effective locations to distribute grey content, big players such as Facebook and Twitter have been very engaged in improving their security. Facebook has partnered with security experts in hopes of cleaning up the massive amount of data that handled by their systems daily and their efforts have largely been successful.

The amount of malicious apps and scams posted to Facebook pages has lessened over the years, and in H2 2012 alone, we found less than 30 grey apps on the social networking site. Twitter also has their own URL shortening service (t.co) to help sanitize as much greyware from the shared links as possible. Even though Facebook and Twitter are boosting security, that still leaves other social networking sites, often serving country-specific users and each with their own security issues.

The fundamental problem with social-networking sites really is they are perfect venues for social engineering attacks. Despite continuing user education and increased user awareness, there’s still the odd user who unwittingly clicks on a ‘juicy’ link —and in that way, the grey stuff, which are mostly scams, still spreads.

ad-serving networks

In the age of empowerment with all these platforms to post free content floating around, someone needs to foot the bill for all the infrastructure behind it. Techcrunch has an interesting analysis[2] of modern-day monetization techniques used by ad services and the way it affects the mobile landscape as well. That aside, a darker side of advertising has also come in, in the form of malvertising.

Malvertising is a rapidly growing trend. A quick look at the Alexa’s domain rankings is enough to show the appeal: of the top 1000 domains, 5.9% of them belong to ad-serving

networks. And of course users don’t see the ads on these networks by going to the ad-sites themselves, but rather by visiting other content-providing websites, which pulls the ads from the ad-servers.

Quite a lot of websites nowadays display content from remote, third-party locations, in addition to the actual domain where the sites reside. Let’s take the ESPn website as an example. Aside from the actual webpage espn.go.com, it pulls content from these locations:

• espncdn.com – page formatting and content • dl-rms.com, doubleclick.net, 2mdn.net,

scorecardresearch.com, ooyala.com, adnxs.com, adroll.com, mktoresp.com – ads and monetization-related links

• chartbeat.com, google-analytics.com, etc – web traffic statistics

• typekit.com, etc – kits/software

given the multiple content sources involved, the website’s security is no longer about just the content-display site alone, but is also affected by the integrity of the ad-serving networks providing the content, and even the security of the kits or softwares used on the site. Unfortunately, it can be tricky managing security when it is spread over so many disparate elements.

The bad guys are aware of this and readily exploit it. The most common attacks via ads seen so far involve distribution of a malicious ad and compromising the ad-platform used by the host website. A clear example of this occurred when an advertising network that serves one of Finland’s most popular websites, suomi24, inadvertently served a rogue ad. Since suomi24 is one of the top 15 websites in Finland, this resulted in a dramatic spike in detections numbers for the country during the period of 1–4 December 2012[3].

WEB

“On CHECKIng OnE OF THE TOP 3 DYnAMIC DnS PROVIDERS...165 OUT OF 189 OF THE DOMAInS THAT THEY SUPPORT, OR 87%, HOSTED MALICIOUS COnTEnT.“

30WEB

web

Ad-platform attacks, though requiring rather more technical sophistication, are also effective. A recent example was reported by Websense[4] and involved the ad server itself being compromised to serve malicious code on the site itself.

Another popular malvertising distribution mechanism is the adf.ly URL shortening service that pays users for sharing links. Alexa ranks it as the 76th most visited site worldwide, no. 37 in India. With 116,165 sites linking to it, this service has a very

wide reach. For more insight into the malicious ads being served through this service, Malekal[5] tracks the spread of malvertising on the service through all of 2012.

a glance at the top 1000 most visited sites

now let’s check Alexa’s top 1000 most visited sites and see what is really here. The ranks are peppered with search engines, social networking and social media sites, news and shopping sites and a variety of content, file and ad-hosting sites.

File hosting sites make up 1.9% of the most visited sites, while websites with some form of social networking and social media sites account for 3.4%. Ad-serving networks account for 5.9%

of the top 1000 websites. Although only a handful of them have been found to serve malicious content as of H2 2012, they definitely provide a big playground for possible exploitation and as such need to be secured.

The greatest amount of malicious content came from content-hosting sites. In H2 2012 we saw that 56 out of Alexa’s top 1000 sites, or 5.6% of the top sites, hosted malicious content, usually a link or redirection to malware or phishing scam.

More intriguingly, we saw that 95.4% of all the malicious URLs found in these 56 sites are from only a handful of domains.

note that so far, we’ve only considered outrightly malicious programs or scams; we haven’t included suspect but borderline

legitimate schemes that use health, beauty, money and sexuality concerns to lure victims into parting with their information or cash.

These types of scams are also creeping up the charts, especially in the country-level top visited sites. For example, in late H2, 2% of Argentina’s top 500 sites host survey/reward sites. Australia, Spain, Iceland, Hungary and Armenia are also seeing their own share of get-rich-quick or win-something-quick websites.

These types of schemes however are generally considered Potentially Unwanted, rather than Malicious, and therefore belong to another shade of grey.

Sat Dec 1 2012 Sun Dec 2 Mon Dec 3 Tues Dec 4

Sun nov 25 Mon nov 26 Tues nov 27Sat nov 24 2012

Co

unt o

f det

ecti

ons

Co

unt o

f det

ecti

ons

figure 1: Comparison of detections in Finland reported by F-Secure’s cloud lookup system for the periods 24 - 27 november and 1 - 4 December 2012

“...56 OUT OF ALExA’S TOP 1000 SITES, OR 5.6% OF THE TOP SITES, HOSTED MALICIOUS COnTEnT, USUALLY A LInK OR REDIRECTIOn TO MALWARE OR PHISHIng SCAM.”

31WEB

web

toP domains hosting malware, as listed in alexa’s toP 1000 domains for h2 2012

DOMAIn DESCRIPTIOn

MAIL.RU blog hosting, file hosting, various services

LETITBIT.nET file hosting

CLOUDFROnT.nET content hosting and delivery, various services

DROPBOx.COM file hosting

HOTFILE.COM file hosting

FC2.COM blog hosting, file hosting, various services

gOOgLE.COM document hosting, file hosting, search engine, various services

COMCAST.nET site hosting, various services

SEnDSPACE.COM file hosting

4SHARED.COM file hosting

BLOgSPOT.DE blog hosting

AMAZOnAWS.COM general hosting, web services, various other services

SAPO.PT site hosting

UCOZ.COM site hosting

RAPIDSHARE.COM file hosting

conclusion

It is truly amazing how much freedom the Internet offers to its users, and how interconnected it makes its netizens. With the only prerequisite nowadays being an ability to access the Internet through whatever device is handy, it has become a true force for empowerment for people from different corners of the globe.

The dark side of this renaissance however is that malicious behavior is also becoming so empowered that it can strike from any corner of the internet. Internet safety has been redefined. Although some sites are still safer than the others, nothing is 100% safe anymore.

For users, this means that online safety is become more and more a personal issue, requiring multiple layers of protection and a healthy dose of paranoia to at least minimize the exposure.

sources

[1] Opensource CMS; CMS Market Share;http://www.opensourcecms.com/general/cms-marketshare.php[2] Techcrunch; Keith Teare; Unnatural Acts And The Rise Of Mobile; published 29 Dec 2012;http://techcrunch.com/2012/12/29/unnatural-acts-and-therise-of-mobile/[3] F-Secure Weblog; Sean Sullivan; Finnish Website Attack via Rogue Ad; published 5 Dec 2012;http://www.f-secure.com/weblog/archives/00002468.html[4] Websense; Dissecting Cleartrip.com website compromise: Malicious ad tactics uncovered; published 29 Jun 2012;http://community.websense.com/blogs/securitylabs/archive/2012/06/29/cleartrip-com-compromised-maliciousad-tactics-uncovered.aspx[5] Malekal’s site; Malvertising adf.ly => Ransomware Sacem /Police nationale; published 13 Mar 2012;http://www.malekal.com/2012/03/13/malvertising-adf-lyransomware-sacem-police-nationale/

note: Ranking data from Alexa .com was cross-checked against a third-party partner’s URL rankings. Malware statistics came from F-Secure’s cloud lookup systems, for the period August to December 2012.

32

Multi-platforM attaCks

Mu

ltip

latf

orM

The perception that Mac is malware-free while its counterpart Windows is infection-prone is outdated. As Mac grows in popularity and numbers, malware authors will not ignore this market anymore. The same situation also applies to the mobile operating systems. With the diversity of platforms and the growing number of devices, it becomes less practical to develop an attack that only works on a specific system.

In the latter half of 2012, we witnessed several cases of multi-platform attacks where malware(s) are used on different types of operating systems (OS). The attacks consist of multiple components—some are OS-neutral while others are OS-specific, with the OS-neutral components typically serving as the infection vector for the OS-specific ones. In most cases, the components do not belong to the same family and are compilations of different tools obtained from various sources, which range from open source software to programs purchased from the cyber black market.

the emergence of multi-platform attacks

Multi-platform, multi-malware attacks are not a new phenomenon that debuted a few months ago; they have been around for a while. Back in november 2011, the US Federal Bureau of Investigation (FBI) revealed that over four million users were infected with the DnSChanger trojan. This malware, which has been circulating since 2007, infiltrates both Windows and Mac machines by pretending to be a codec installer needed to play pornographic videos. When downloaded, the website hosting the trojan will check the browser’s user agent and then push a corresponding installer. This installer then changes the user’s Domain name System (DnS) settings to divert traffic to unsolicited sites. Some variants of DnSChanger may also affect routers[1].

next, there was the Boonana trojan, which will run on machines with a Java installation, regardless of the host operating system. Unlike other previously-seen Java malware, which made no special considerations for different platforms, Boonana uses platform-specific components and does not rely entirely on Java to perform its routines. This trojan spread around social networking sites—predominantly Facebook—during the fall of 2010, earning itself the alias ‘Koobface.’

Many of us may still remember the Fake Mac Defender rogue that gained coverage back in May 2011. Since it was the first case that came close to an outbreak on the Mac platform, many overlooked the fact that the attack was actually targeting multiple platforms. Similar to the DnSChanger trojan, websites hosting the rogue will push out either a Mac or a Windows version (Figure 1) of the rogue, depending on the information gained from the browser’s user agent.

In the first quarter of 2012, an outbreak involving the Flashback trojan on Mac systems has brought major attention to the

potential of malware targeting non-Windows platforms more seriously[2]. Following Flashback, more attacks targeting non-Windows platforms began to emerge, beginning with a few cases of malicious Java applets exploiting the same vulnerabilities. In the first case[3], the applet checks for the platform on which the user’s machine runs on, and then deploys corresponding platform specific payload. On a Windows system, the applet will install a typical backdoor component, but on a Mac system, it set up a free remote access tool called Matahari[4].

The second case involved multiple incidents[5] that essentially was a continuous, multi-waved attack against certain non-governmental organizations (ngOs) that continued until the end of 2012[6]. It was conducted by sending spearphishing e-mails to potential targets that contained either (a) a malicious link[7] that exploits Java vulnerabilities, or (b) a malicious attachment[8] that exploit Microsoft Office vulnerabilities. Some of the malicious emails contained links that check for the browser’s user agent and only load an applet carrying

the correct platform-specific payload; others indiscriminately loaded all applets, hoping that some would be a match. The differing infection strategies used in the attacks suggest different groups were behind the attacks. given sustained nature of the attack, and that the attackers had advance knowledge that the ngOs used a mix of Windows and Mac machines, it’s possible that the

attacks were targeted and motivated for political reasons.

every platform is fair game, none is spared

More malicious Java applets were found in the second half of 2012 [9,10]. With most effort concentrated on infecting Windows and Mac machines, attackers still manage to spend some time

figure 1: Fake Mac Defender equivalent in Windows

MULTI-PLATFORM ATTACKS

eyeing windows & non-windows platforMs

33MULTI-PLATFORM ATTACKS

to craft malicious payloads for Linux. But instead of exploiting software vulnerabilities, the applets look to exploit the weakest link in the security chain—uninformed users. The attackers try to make their way into a system by using the free penetration testing tool, Social engineer Toolkit (SET)[11].

As the trend continued to expand, even the Unix platform is not spared. Soon enough, a remote access tool called netWire (Figure 2) was found being sold in the cyber black market. The tool has server components for Windows, Mac, Linux and Solaris platforms that can be controlled from a single client.

Multi-platform attacks are not limited to the desktop environment. In July 2012, a rogue website distributing fake Skype installer for mobile devices was discovered [12]. Depending on the device’s operating system, the website will proceed with different actions. On Android and Symbian devices, it pushes an APK and Java version of an

SMS trojan; on iOS device, it displays a page that simulates the look during application installation (Figure 3) even though no installation is taking place.

In a more advanced attack, the same malware may target both desktop and mobile platforms, such as the case of the FinSpy trojan. During a raid on the state security headquarter of Egypt after the 2011 revolution, protesters got hold of a document that revealed a company named gamma International offering to sell a surveillance suite called FinSpy to the former regime[13]. At that time, no one had seen an actual sample until last year, when Citizen Lab was able to identify several samples that belong to the suite[14]. Among discovered versions include FinSpy for Windows; and FinSpy Mobile[15] for Android, iOS, BlackBerry, Windows Mobile and Symbian. Although no sample is found, a leaked product description mentioned that Mac and Linux versions of the program are also available [16].

Citizen Lab also identified several other samples used in targeted attacks that belong to another surveillance suite called Remote Control System[17]. Only Windows and Mac versions were found, but according to the official promotional video (Figure 4), Android, iOS, BlackBerry, Symbian and Linux versions are also available [18].

the outlook

It is normal for surveillance tools to support multiple platforms. As users increasingly rely on mobile devices to perform daily tasks and even work tasks, surveillance tools are expected to be able to capture these activities’ footprint. We can expect that malware encountered in the future that targets both desktop and mobile platforms to still come from a surveillance suite. But instead of developing a malware that work on every single platform, the author may only focuses on the top desktop and

mobile platforms used by the mainstream consumers. Aside from surveillance purposes, the trend of malware working on both desktop and mobile environments may not take off. We are not considering Zitmo-like malware here because they are not really targeting mobile devices. The mobile components are just used to complement the desktop components [19].

For malware that focus on desktop platforms, Windows and Mac will remain to be the main targets. However there will likely be a few incidents where Linux is also targeted. In the mobile landscape, it is likely that will be fewer multiple-platform attacks, as Symbian’s market share continues to drop and leave the mobile landscape essentially dominated by one platform - Android.

figure 3: Fake iOS app installation

figure 4: Remote Control System promotional video

Mu

ltip

latf

orM

figure 2: netWire server generator

34MULTI-PLATFORM ATTACKS

Mu

ltip

latf

orM

sources [1] F-Secure Weblog; Sean Sullivan; FBI: Operation ghost Click; published 10 november 2011; http://www.f-secure.com/weblog/archives/00002268.html[2] F-Secure Weblog; Sean Sullivan; Mac Flashback Infections; published 5 April 2012; http://www.f-secure.com/weblog/archives/00002345.html[3] Computer Weekly; Warwick Ashford; Malware targets Macs and PCs; published 30 April 2011;http://www.computerweekly.com/news/2240149271/new-malware-targets-Macs-and-PCs[4] Matahari: A simple reverse HTTP shell;http://www.matahari.sourceforge.net[5] F-Secure Weblog; Broderick Aquilino; More Mac Malware Exploitiing Java; published 17 April 2012;http://www.f-secure.com/weblog/archives/00002348.html[6] F-Secure Weblog; Sean Sullivan; new Mac Malware Found on Dalai Lama Related Website; published 3 December 2012; http://www.f-secure.com/weblog/archives/00002466.html[7] F-Secure Weblog; Sean Sullivan; China Targets Macs Used By ngO #Tibet; published 20 March 2012;http://www.f-secure.com/weblog/archives/00002334.html[8] F-Secure Weblog; Sean Sullivan; More Mac Malware (Word Exploit) Targeting ngOs; published 28 March 2012; http://www.f-secure.com/weblog/archives/00002339.html [9] F-Secure Weblog; Karmina Aquino; Multi-Platform Backdoor Lurks in Colombian Transport Site; published 9 July 2012;http://www.f-secure.com/weblog/archives/00002397.html[10] F-Secure Weblog; Broderick Aquilino; Multi-Platform Backdoor with Intel OS x Binary; published 13 July 2012; http://www.f-secure.com/weblog/archives/00002400.html[11] TrustedSec; Social Engineer Toolkit;https://www.trustedsec.com/downloads/social-engineer-toolkit/[12] F-Secure Weblog; Karmina Aquino; not Your normal Skype Download; published 9 July 2012;http://www.f-secure.com/weblog/archives/00002396.html[13] F-Secure Weblog; Mikko Hyppönen; Egypt, FinFisher Intrusion Tools and Ethics; published 8 March 2011; http://www.f-secure.com/weblog/archives/00002114.html[14] CitizenLab; From Bahrain With Love: FinFisher’s Spy Kit Exposed?; published 25 July 2012; https://citizenlab.org/2012/07/from-bahrain-with-love-finfishers-spy-kit-exposed/[15] CitizenLab; The SmartPhone Who Loved Me: FinFisher goes Mobile?; published 29 August 2012;https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/[16] Wikileaks; FinSpy: Remote Monitoring & Infection Solutions; http://wikileaks.org/spyfiles/files/0/289_gAMMA-201110-FinSpy.pdf[17] CitizenLab; Backdoors are Forever: Hacking Team and the Targeting of Dissent; published 10 October 2012; https://citizenlab.org/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/[18] HackingTeam; The Solution; http://www.hackingteam.it/index.php/remote-control-system[19] F-Secure Weblog; Sean Sullivan; Berlin Police: Beware Android Banking Trojans; published 15 november 2012; http://www.f-secure.com/weblog/archives/00002457.html

35 Mo

bile

Mobile

MOBILE

25+25+25+25+a 33+33+34+a50+50+a

25+25+25+25+a

10

20

30

40

50

60

70

80

90

100

J2mewindows mobilesymbian

ios

androidBlackberry

all threats

q1 q2 q3 q4

new families and variants received Per quarter, q1-q4 2012

The mobile threat landscape continues to be focused on two platforms—Android, which accounted for 79% of all new malware variants identified in 2012; and Symbian, with 19% of the remaining new variants. Though previously identified threats from past years continued to trouble users of most mobile platforms there was little active malware development, with only a single new variant identified on the BlackBerry and PocketPC platforms in the whole of 2012, and only two new variants for the iPhone and Java ME (J2ME). Instead, malware authors have focused the main thrust of their efforts on the two most common mobile platforms today—Android and Symbian.

android

In the third quarter of 2012, Android reportedly accounted 75% of the global smartphone market, or three out of every four phones shipped during that quarter, effectively making it the most common mobile operating system in the world[1].

In addition, in Q2 2012, China officially surpasssed the United States as the world’s largest market for smartphone consumers. Android handsets accounted for 81% of that market and it’s therefore probably not surprising that many of the new malware families we detected last year were targeted specifically to Android users in mainland China.

data-stealing and profit-making

given its dominance, the Android platform has naturally become the main target for active malware development, with a total of 238 new, unique variants found on the platform during that period.

The majority of these malware are distributed as trojanized apps, in which a legitimate program has been engineered to include a malicious component. Most of the new variants found are categorized as trojans or monitoring-tools, which are able to either compromise the user’s data or track the user’s movements and activities.

Much like their Symbian counterparts, these malwares generally attempt to profit from the user by silently subscribing them to premium SMS-based services, or by placing calls to premium-rate numbers. The confidential data harvested from these devices are often silently forwarded to a remote server, presumably for future use in an unwanted context.

Boosting security

Meanwhile, during 2012 google continued efforts to enhance security on the Android platform, particularly in the Play Store (the rebranded Android Market). These efforts included the addition of exploit mitigation features in the 4.1 update[2] and an (optional) app verification feature in the 4.2 update[3].

For users who were, for various reasons, unable to receive these updates, another security measure came in the form of Bouncer, an app-scanning security tool in the Play Store that

figure 1: new malware families and variants received per quarter throughout 2012

tHe ever-expanding tHreat Market

36 Mo

bile

MOBILE

reportedly reduced the number of malicious apps offered through the app market.

In addition, in September 2012 google bought VirusTotal[4], a file analysis service. Though the company has not announced its future plans or detailed how it would integrate the newly acquired service into its security mechanisms, presumably the purchase will be instrumental in boosting the platform’s security capabilities.

Though the effectiveness of google’s security-related efforts has come under criticism, they do represent concrete steps towards better protecting the data and device security of Android users. As Android continues its apparently unstoppable domination of the mobile platform market—thereby making itself the favoured target for malware developers—device and data security will continue to be an important issue to users on this platform.

symbian

In stark contrast to the Symbian roadmap, the malware scene is far from dead. The most common origin of malware for Symbian today is, as it has been for a while, China. Other countries are still represented on our radar, but there are differences in the quality and quantity. What we see is that whereas western countries generally encounter commercial spyware targeted to mobile users, malware in China is predominantly aimed at monetizing the victim.

mechanics of monetization

given the sheer amount of Symbian devices in circulation in China, a malware author does not need to infect a significant fraction of the mobile phones in order to generate revenue. The easiest, most logical way to turn an infection into money is to use the built-in billing mechanism and send out SMS

messages that silently subscribe the user to premium services. A more sophisticated method—placing automated calls to premium rate numbers—is only slightly more challenging.

We have also seen Chinese malware that emulates user behavior and silently uses WAP services, which is then billed through the mobile operator. Similarly, some malware families have the capability to act as scripted bots, playing regular, albeit simple browser-based games online.

data-stealing, stealthy behavior and self-protection

A typical Symbian malware is a Trojan mimicking as a system update or a legitimate application. The capability model designed to protect the device from harmful software installation allows signed applications to do things that one would not expect. For example, roughly the same set of capabilities is required of a legitimate action game and an application that can download and install new software from the Internet without user intervention.

nearly every malicious Symbian application uses programmatic access to the device International Mobile Equipment Identity (IMEI) and International Mobile Subscriber Identity (IMSI) numbers. Profit-driven malware may also access the user’s core personal information, such as SMS messages, location and voice or user input. We have seen many examples of malware reading the Contacts database, primarily to send out unsolicited and malicious SMS messages to these contacts.

Hiding malicious activity from the user is a defining character of malware. Many samples present a believable front to the user as a distraction. Others simply hide their presence—for example, most legitimate Symbian applications include an application icon that the user can select to launch the program; most malware lack this, and silently launch themselves during installation and device boot.

moBile threats motivated By Profit, 2012

32

40

34 27

26

42

q1 2012

q2 2012

q3 2012

PROFIT-MOTIVATED nOT PROFIT-MOTIVATED

33q4 2012 67

figure 2: Breakdown of profit-motivated vs no profit-motivated malware in 2012

37

Other malwares are stealthier and avoid detection by suppressing regular system notifications, by terminating the system process responsible for displaying message indications on the screen or even temporarily changing the message ringtone to Silent. Any logged system events are purged from the device afterwards.

nearly every Symbian malware contacts a remote server over the Internet. Most samples simply retrieve new software to silently install, but based on static analysis, some also include functionality that allows a user (the attacker) to remotely trigger any of its functions via a configuration or custom script. Communication is typically scrambled or encrypted.

A common tactic used by malware to hide instructions sent from a remote attacker is to listen on incoming SMS messages by hooking a low-level system API, then capturing the messages from the attacker before the system can deliver them to the user’s Inbox. Another common tactic is to wait until the phone is not in user’s immediate control before performing any malicious actions, as detecting idle mode is very easy.

Many malicious apps try to prevent detection by security products, usually by detecting the security program’s running

Mo

bile

MOBILE

processes and terminating them. More aggressively, they can uninstall the security product completely. The malware can also prevent the user from uninstalling a suspicious or unwanted app by terminating the uninstaller application, preventing any attempt at removal.

future outlook

Of late, we have noticed that in Symbian malware components are being reused and malware have begun to resemble engineered products rather than hacked together snippets of copy-pasted code, as they used to be.

It is hard to tell whether the malware authors are just elevating the level of grunt software engineering by bringing in modularization and dynamic features, or deliberately doing so to make the analysis and reverse engineering harder. It may be that a combination of both motivations is at work here. Either way, it’s an indication that Symbian malware will continue to evolve and remain a threat to users in markets such as China, where the platform is still going strong.

sources [1] IDC; IDC - Press Release: Android Marks Fourth Anniversary Since Launch with 75.0% Market Share in Third Quarter, According to IDC; published 1 nov 2012; http://www.idc.com/getdoc.jsp?containerId=prUS23771812#.UPzbakU3S3A[2] Android Developers; Jelly Bean Android 4.1;http://developer.android.com/about/versions/jelly-bean.html[3] Android Developers; Jelly Bean Android 4.2;http://developer.android.com/about/versions/jelly-bean.html[4] Virustotal Blog; An update from VirusTotal; published 7 Sep 2012;http://blog.virustotal.com/2012/09/an-update-from-virustotal.html

38

sourCes

SOURCES

h2 2012 inCidenTS Calendar

1. F-Secure Weblog; DnSChanger Wrap Up; published 9 Jul 2012; http://www.f-secure.com/weblog/archives/00002395.html

2. F-Secure Weblog; Multi-platform Backdoor with Intel OS x Binary; published 13 Jul 2012; http://www.f-secure.com/weblog/archives/00002400.html

3. F-Secure Weblog; Emails from Iran; published 23 Jul 2012; http://www.f-secure.com/weblog/archives/00002403.html

4. F-Secure Weblog; gauss: the Latest Event in the Olympic games; published 10 Aug 2012; http://www.f-secure.com/weblog/archives/00002406.html

5. F-Secure Weblog; Blackhole: Faster Than the Speed of Patch; published 28 Aug 2012; http://www.f-secure.com/weblog/archives/00002414.html

6. F-Secure Weblog; Java SE 7u7 AnD SE 6u35 Released; published 30 Aug 2012; http://www.f-secure.com/weblog/archives/00002415.html

7. F-Secure Weblog; Cosmo The Hacker god; published 13 Sep 2012; http://www.f-secure.com/weblog/archives/00002427.html

8. F-Secure Weblog; It’s Out of Cycle Patch Friday; published 21 Sep 2012; http://www.f-secure.com/weblog/archives/00002431.html

9. F-Secure Weblog; Backdoor:OSx/Imuler.B no Likes Wireshark; published 24 Sep 2012; http://www.f-secure.com/weblog/archives/00002432.html

10. F-Secure Weblog; Samsung TouchWiz Devices Vulnerable to Mischief; published 26 Sep 2012; http://www.f-secure.com/weblog/archives/00002434.html

11. F-Secure Weblog; Adobe Cert Used to Sign Malware; published 28 Sep 2012; http://www.f-secure.com/weblog/archives/00002435.html

12. F-Secure Weblog; Hackable Huawei; published 10 Oct 2012; http://www.f-secure.com/weblog/archives/00002442.html

13. CitizenLab; Morgan Marquis-Boire; Backdoors are Forever: Hacking Team and the Targeting of Dissent; published 10 October 2012; http://citizenlab.org/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/

14. F-Secure Weblog; new Variant of Mac Revir Found; published 14 nov 2012; http://www.f-secure.com/weblog/archives/00002455.html

15. F-Secure Weblog; Berlin Police: Beware Android Banking Trojans; published 15 nov 2012; http://www.f-secure.com/weblog/archives/00002457.html

16. F-Secure Weblog; Cool-er Than Blackhole?; published 16 nov 2012; http://www.f-secure.com/weblog/archives/00002458.html

17. F-Secure Weblog; A new Linux Rootkit; published 20 nov 2012; http://www.f-secure.com/weblog/archives/00002459.html

18. F-Secure Weblog; google Joins World War 3.0; published 23 nov 2012; http://www.f-secure.com/weblog/archives/00002461.html

19. F-Secure Weblog; next Week: “World War”; published 23 nov 2012; http://www.f-secure.com/weblog/archives/00002443.html

20. The Register; Iain Thomson;Syria cuts off internet and mobile communications; published 29 nov 2012; http://www.theregister.co.uk/2012/11/29/syria_internet_blackout/

21. F-Secure Weblog; new Mac Malware Found on Dalai Lama Related Website; published 3 Dec 2012; http://www.f-secure.com/weblog/archives/00002466.html

22. F-Secure Weblog; Finnish Website Attack via Rogue Ad; published 5 Dec 2012; http://www.f-secure.com/weblog/archives/00002468.html

23. The Register; John Leyden; Major £30m cyberheist pulled off using MOBILE malware; published 7 Dec 2012; http://www.theregister.co.uk/2012/12/07/eurograbber_mobile_malware_scam/

24. F-Secure Weblog; Australian Medical Records Encrypted, Held Ransom; published 10 Dec 2012; http://www.f-secure.com/weblog/archives/00002469.html

25. The Register; neil McAllister; Dexter malware targets point of sale systems worldwide; published 14 Dec 2012; http://www.theregister.co.uk/2012/12/14/dexter_malware_targets_pos_systems/

26. The Register; Phil Muncaster; 10,000 Indian government and military emails hacked; published 21 Dec 2012; http://www.theregister.co.uk/2012/12/21/indian_government_email_hacked/

F-Secure has been protecting the digital lives of consumers and businesses for over 20 years. Our Internet security and content cloud services are available through over 200 operators in more than 40 countries around the world and are trusted in millions of homes and businesses.

In 2011, the company’s revenues were EUR 146 million and it has over 900 employees inmore than 20 offices worldwide. F-Secure Corporation is listed on the nASDAQ OMx Helsinki Ltd. since 1999.

F-Secure in Brief

Protecting the Irreplaceable

F-Secure proprietary materials. © F-Secure Corporation 2013. All rights reserved.

F-Secure and F-Secure symbols are registered trademarks of F-Secure Corporation and F-Secure names and symbols/logos are either trademark or registered trademark of F-Secure Corporation.

Protecting the irreplaceable | f-secure.com