F-Secure H2 2012 Threat Report

3 Dec 2013

Threat Report
H2 2012
Protecting the irreplaceable | www.f-secure.com
F-Secure Labs
At the F-Secure Response Labs in Helsinki, Finland,
and Kuala Lumpur, Malaysia, security experts work
around the clock to ensure our customers are
protected from the latest online threats.
At any given moment, F-Secure Response Labs
staff is on top of the worldwide security situation,
ensuring that sudden virus and malware outbreaks
are dealt with promptly and effectively.
Protection around the clock
Response Labs’ work is assisted by a host of
automatic systems that track worldwide threat
occurrences in real time, collecting and analyzing
hundreds of thousands of data samples per day.
Criminals who make use of virus and malware to
profit from these attacks are constantly at work
on new threats. This situation demands around
the clock vigilance on our part to ensure that our
customers are protected.
Foreword
Today, the most common way of getting hit by malware is by browsing the
Web. It hasn’t always been this way. Years ago, floppy disks were the main
malware vector. Then sharing of executable files. Then e-mail attachments.
But for the past five years, the Web has been the main source of malware.
The Web is the problem largely because of Exploit Kits. Kits such as
BlackHole, Cool Exploit, Eleanore, Incognito, Yes or Crimepack automate
the process of infecting computers via exploits.
There is no exploit without a vulnerability. Ultimately, vulnerabilities are
just bugs, that is, programming errors. We have bugs because programs
are written by human beings, and human beings make mistakes. Software
bugs have been a problem for as long as we have had programmable
computers—and they are not going to disappear.
Bugs were not very critical until access to the Internet became widespread.
Before, you could have been working on a word processor and opening a
corrupted document file, and as a result, your word processor would have crashed.
Even if annoying, such a crash would not have been too big of a deal. You might have
lost any unsaved work in open documents, but that would have been it.
However, things changed as soon as the Internet entered the picture. Suddenly, bugs
that used to be just a nuisance could be used to take over your computer.
Yet, even the most serious vulnerabilities are worthless for the attacker, if they get
patched. Therefore, the most valuable exploits are targeting vulnerabilities that are
not known to the vendor behind the exploited product. This means that the vendor
cannot fix the bug and issue a security patch to close the hole.
If a security patch is available and the vulnerability starts to get exploited by the
attackers five days after the patch came out, the users have had five days to react. If
there is no patch available, the users have no time at all to secure themselves; literally,
zero days. This is where the term ‘Zero Day Vulnerability’ comes from: users are
vulnerable, even if they have applied all possible patches.
One of the key security mechanisms continues to be patching. Make sure all your
systems are always fully up-to-date. This drastically reduces the risk of getting
infected. But for Zero Day vulnerabilities, there are no patches available. However,
antivirus products can help against even them.
We’re in a constant race against the attackers. And this race isn’t going to be over any
time soon.
Mikko Hyppönen
Chief Research Officer

Executive Summary
Three things visibly stand out in this past half year: botnets (with special reference to
ZeroAccess), exploits (particularly against the Java development platform) and banking trojans
(Zeus).
ZeroAccess was easily the most prevalent botnet we saw in 2012, with infections most visible in
France, the United States and Sweden. It is also one of the most actively developed and perhaps
the most profitable botnet of last year. In this report, we go through the distribution methods
and payment schemes of ZeroAccess’s ‘affiliate program’, as well as its two main profit-
generating activities: click fraud and Bitcoin mining. Aside from ZeroAccess, other notable
botnets of 2012 are Zeus, Carberp, Dorkbot and SpamSoldier (a mobile botnet).
Java was the main target for most of the exploit-based attacks we saw during the past half
year. This is aptly demonstrated in the statistics for the top 10 most prevalent detections
recorded by our cloud lookup systems, in which the combined total of detections for the Java-
specific CVE-2012-4681 and CVE-2012-5076 vulnerabilities and the Majava generic detections,
which also identify samples that exploit Java-related vulnerabilities, account for one third of
the samples identified during this period. Exploit kits play a big role in this prevalence. In
addition, exploits against other programs such as the PDF document reader (CVE-2010-0188)
or Windows TrueType font (CVE-2011-3402) made notable impacts in H2 2012, as detailed
further in this report.

With regard to banking trojans, a botnet known as Zeus—which is also the name of the
malware used to infect users’ machines—is the main story for 2012. Analysis of the
geography of Zeus’s infection distribution highlights the United States, Italy and Germany as
the most affected countries. In addition to its banking-trojan capabilities, the Zeus malware
also functions as a backdoor, allowing it to be directly controlled from the botnet’s command
and control (C&C) servers. An examination of the different sets of backdoor commands used
by Zeus derivatives (known as Citadel and Ice IX) gives more detail of what other malicious
actions this malware can perform.
In terms of online security, we look at the more ambiguous side of the ever-growing popularity
of website hosting, and how its increasingly affordable and user-friendly nature also makes it
well suited to supporting malware hosting and malvertising.
We also take a look at multi-platform attacks, in which a coordinated attack campaign is
launched against multiple platforms (both desktop and mobile), often with multiple malware.
And finally on the mobile scene, the Android and Symbian platforms continue to be the main
focus of threats, accounting for 79% and 19%, respectively, of all new mobile malware variants
identified in 2012.
This threat report highlights trends and new developments seen in the malware threat landscape by analysts
in F-Secure Labs during the second half of 2012. Also included are case studies covering selected noteworthy,
highly-prevalent threats from this period.
Contents
Foreword 3
Executive Summary 4
Contents 5
Incidents Calendar 6
In Review 7
Of Note 10
The Password 11
Corporate Espionage 12
Case Studies 14
Bots 15
ZeroAccess 17
Zeus 21
Exploits 25
Web 28
Multi-platform Attacks 32
Mobile 35
Sources 38
Contributing Authors
Broderick Aquilino
Karmina Aquino
Christine Bejerasco
Edilberto Cajucom
Su Gim Goh
Alia Hilyati
Timo Hirvonen
Mikko Hypponen
Sarah Jamaludin
Jarno Niemela
Mikko Suominen
Chin Yick Low
Sean Sullivan
Marko Thure
Juha Ylipekkala
H2 2012 Incidents Calendar (July-December)*
Categories: online; PC threats; in the news; hacktivism & espionage; mobile threats
*Sources: see page 38.
Incidents listed in the calendar:
• Australian hospital’s records ransomed
• Huawei controversy in US Congress
• ITU Telecom World ‘12 raised Internet/government concerns
• Imuler.B backdoor found on OS X
• Malware signed with Adobe certificate
• Out-of-band Patch Friday
• FBI support for DNSChanger ended
• Cool Exploit kit rivalling Blackhole
• Berlin police warned of Android banking trojans
• Samsung TouchWiz exploit reported
• New Linux rootkit found
• New Mac Revir threat found
• Mac threat found on Dalai Lama-related website
• Blackhole updated faster than flaws patched
• One rogue ad hits Finnish web traffic
• Samsung Exynos exploit reported
• Java update closed 3 vulnerabilities
• Gauss threat targeted the London Olympics
• Dexter malware hit point of sales (POS)
• Syrian Internet, mobile connections cut off
• Matt Honan ‘hack’ highlighted flaws in accounts systems
• Multi-platform Intel/OS X backdoor found
• Indian government email accounts hacked
• Iran-targeted malware reported
• Eurograbber attack on European banks reported
• Commercial multi-platform surveillance tools found
In Review
Changes in the Threat Landscape
Unlike the first half of 2012, the second half of the year saw no major malware outbreaks
on any platform. Instead, a handful of incidents took place during this time period, most of
which were notable as indications of how inventive the attackers have been in finding ways
to compromise a user’s machine, data or money. These incidents included the hack into
Wired writer Matt Honan’s Gmail and Apple accounts, which exposed loopholes in those account
systems; the Adobe-certified malware episode, in which attackers went to the extent of
stealing Adobe’s digital certificate in order to sign malware used in targeted attacks; and the
Eurograbber attack, in which a variant of the Zeus crimeware was reportedly used to steal
money from various corporations and banks in Europe.
An interesting development in 2012 has been the increasing public awareness of cyber-security
and the various implications of being vulnerable to attack over a borderless Internet. News
reports of alleged online or malware-based attacks against Iranian facilities drew attention
to state-sponsored cyber-attacks. A conference gathering the various telecommunications
entities to discuss basic infrastructure issues raised concerns about Internet governance, and
the role of governments in it. The past year also saw US politicians, not generally considered
the most tech-savvy of users, raise concerns over perceived reliance on IT solutions for
sensitive government systems being provided by foreign corporations seen as potentially
unreliable. Though it is probably a positive development that more people are becoming
exposed to topics that have long been considered irrelevant or academic, only time will tell
what will result from the increased awareness.
Rather than a single major event, perhaps the most noteworthy aspect of H2 2012 is the way
that the various trends we saw emerging in the first two quarters of the year have continued to
grow apace—that is, the growth of botnets, the ‘standardization’ of vulnerability exploitation
and the increasing ‘establishment’ of exploit kits.
When it comes to botnets, the news has been mixed at best. The last few years have seen
concerted efforts by players from different fields—telecommunications, information security
and even government organizations—to take down or at least hamper the activities of various
botnets, which have compromised millions of users’ computers and been used to perform
such activities as monetary fraud and online hacking. These combined efforts resulted in
totally shuttering, or at least seriously hampering, major botnets such as Rustock, Zeus and
DNSChanger.
Unfortunately, despite these commendable efforts, the botnets have been regularly
resurrecting, often with new strategies or mechanisms for garnering profit. In addition,
the operators running these botnets have been aggressively marketing their ‘products’ to
other hackers and malware distributors. Their efforts include offering affiliate programs with
attractive ‘pay-per-installation’ rates and ‘rent-a-botnet’ schemes that allow attackers to use
the combined power of the infected hosts to perform attacks or other nefarious activities.
These sophisticated business tactics have garnered significant returns. In some cases, such as
ZeroAccess, the reborn botnets have grown to count millions of infected hosts. See the case
studies Bots (pg. 15), ZeroAccess (pg. 17) and Zeus (pg. 21) for more information on botnets.
Another change we saw last year was the increasing use of vulnerability exploitation, often
in tandem with established social engineering tactics. Unlike previous years, when most of
the infections we saw involved trojans, 2012 was definitely the year of the exploit, as
exploit-related detections accounted for approximately 28% of all detections F-Secure’s cloud
lookup systems saw in H2 2012. In addition, malware designed to exploit vulnerabilities
related to the Java development platform made up about 68% of all exploit-related
detections recorded by our systems in the second half of last year.
If we look at the list of Top 10 Detections seen by our cloud lookup systems in
H2 2012 in more detail, two detections which specifically identify samples exploiting
the Java-specific CVE-2012-4681 and CVE-2012-5076 vulnerabilities alone account for
9% of the malware identified by the top 10 detections. In addition, the Majava generic
detections, which identify samples that exploit known vulnerabilities, including the
Java-specific CVE-2012-0507 and CVE-2012-1723 vulnerabilities, account for another
26% of the top 10 detections, as well as having the dubious honor of being the second
most common detection overall reported by our backend systems. The sheer volume
of Java-related detections indicates both the widespread popularity of that platform
and its susceptibility to the malicious inventiveness of malware authors.
Interestingly enough, when considering exploit attacks in general, though we saw
attacks exploiting numerous vulnerabilities in multiple platforms and programs in
2012, the vast majority of the cases were related to only four vulnerabilities:
CVE-2011-3402 and CVE-2010-0188, which are Windows-related vulnerabilities, and the
previously mentioned Java vulnerabilities, CVE-2012-4681 and CVE-2012-5076. All of
these vulnerabilities, incidentally, have already had security patches released by their
relevant vendors.
Top 10 Detections in H2 2012, & Top Countries*
Detection          Share of top 10 detections
ZeroAccess         27%
Majava             26%
Downadup           11%
Blackhole           9%
CVE-2012-4681       6%
CVE-2011-3402       6%
CVE-2010-0188       6%
CVE-2012-5076       3%
PDF exploits        3%
Sinowal             3%
(The original chart also shows the top countries for each detection.)
*Based on statistics from F-Secure’s cloud lookup systems from July to December 2012.
Mac Malware by Type, Jan - Dec 2012 (total = 121 variants*)
Backdoor   85%
Trojan      7%
Rogue       4%
Others      4%
*The total is counted based on unique variants detected from Jan to Dec
2012, rather than total file count. Riskware and repackaged installers are not
counted; multi-component malware are only counted once.
This skewed preference in attack targeting can be directly attributed to the popular usage of
exploit kits such as Blackhole and Cool Exploit, which have incorporated the exploits for these
vulnerabilities, in some cases faster than the vendors were able to patch them. It’s perhaps not
too surprising then that BlackHole-related detections account for 9% of all samples detected
by the top 10 detections of H2 2012. For more information on these exploits, see the Exploits
case study on page 25.
And as a closing note, a quick look at our detection statistics for Mac indicates that even
though Windows machines continue to be the main target for attacks, the Mac platform
is increasingly coming in for a share of unwanted attention. Apart from the major Flashback
outbreak in early 2012, we saw a slow but steady increase in malware on the Mac platform,
as we detected 121 new, unique variants in all of 2012, the majority of them backdoors. By
contrast, in 2011, we recorded only 59 new unique variants discovered on that platform.
Of Note
The Password 11
Corporate Espionage 12

The Password
Dead Man Walking
Computer passwords are something like fifty years old. And
until a little over twenty years ago, they were very often a shared
resource where multiple people used the same password (or
set of passwords) for access to computer systems. The use of
individual passwords was actually something of an innovation
at the time.
Then came the World Wide Web, and with it, the ever growing
need for more and more account passwords. As time has
passed and our online lives have grown, it is now not at all
uncommon for people to have dozens of passwords to keep
track of. And what’s worse is that all of those passwords should
be “strong” passwords and people shouldn’t reuse them
between accounts. It’s too much!
The second half of 2012 provided more than enough evidence
to demonstrate the problem of passwords. Hacks, breaches,
database dumps—these are terms that average individuals
(not just techies) are now familiar with. With today’s processing
power, passwords that are strong enough to withstand brute
force attacks are too difficult for the human brain to remember.
Even if the passwords are strong, our systems of authenticating
account resets are flawed. A strong password is useless if social
engineering tactics can be used to reset those passwords.
The password is dead and we all know it. But unfortunately,
its successor has yet to turn up. So what’s to be done in the
meantime? Triage.
• Use a password manager such as KeePass or Password
Safe
• Kill old accounts that you no longer use
• Untangle cross-linked accounts
• Consider using a “secret” email address for account
maintenance
• Be careful about what you share on social media. If
you share, don’t rely on personal information for your
account password resets
• Use two-factor authentication options if available
Determine which accounts that are your critical points of
failure, and make sure they are all well defended. Two factor
authentication is good, but even that is not a bulletproof
solution. It is important to use every option available.
For example, Google’s Gmail allows users to create their own
security question for password resets. There is absolutely no
reason why this question needs to be based on reality. It can
just as easily be another “password”, one which is written
down and stored safely at home, where only you have access
to it.
And if you are a parent of teenage children… you really should
have “the talk” with them about their use of passwords. The
habits they form now will have a big impact on their future
online lives.
Hopefully, one day soon, a true successor will rise to take the
password’s place and we will all be able to let the password
die a dignified death. Unfortunately, we are more likely to
experience fits and starts towards a new solution. Prepare
yourself now, 2013 isn’t going to be kind for those who are
unprepared.
Recommended reading
• Hacked: Passwords Have Failed and It’s Time for Something New [1]
Matt Honan discusses the account hack that disrupted his
digital life and its implications for online security
• Google Declares War on the Password [2]
Find out more about Google’s experiment with device-based
account authentication
Sources
[1] Wired; Matt Honan; Hacked: Passwords Have Failed and It’s Time for Something New; published 17 Jan 2013;
http://www.wired.co.uk/magazine/archive/2013/01/features/hacked?page=all
[2] Wired; Robert McMillan; Google Declares War on the Password; published 18 Jan 2013;
http://www.wired.com/wiredenterprise/2013/01/google-password/
Corporate Espionage
Rise of the ‘Watering Hole’ Attack
In Q4 2012, we watched the nature of corporate espionage
attacks change. Before, almost all recorded corporate
espionage cases were based on using specially crafted
documents containing exploits and a malware payload. Now,
spies have started to leverage vulnerabilities in web browsers
and browser plugins to achieve their aims in so-called
‘watering hole’ attacks.
‘Watering hole’ attacks are called such because instead of
compromising a random website and infecting anyone who
happens to visit the site, the attackers are more discriminating
in both the users being targeted and the site used as the
infection vector. The attackers specifically attack a site
which is commonly used by employees of the actual target
organization. When these employees visit the compromised
site, their browser or computer is then attacked, typically by
exploiting a vulnerability that allows trojans or backdoors to
be installed on the machine. From that point on, the installed
malware becomes the gateway for attackers to reach their real
target: the internal network and/or communications of the
compromised employee’s company.
Numerous examples of corporate espionage attacks have
been reported in the F-Secure Weblog over the years, many of
them involving poisoned e-mail file attachments sent directly
to the targeted organizations.
These attacks contrast sharply with the most recent case of a
watering hole attack—the 21st December 2012 compromise of
the Council of Foreign Relations (CFR) website [1]. In this attack,
the website was injected with a previously unknown exploit
that affected versions 6, 7 and 8 of the Internet Explorer (IE)
web browser. Compromising the website itself was not the
attacker’s final objective; it was merely used as a conduit to
infect the website’s visitors, which naturally include members
of the CFR itself. And considering that CFR counts among its
members both current and former US political elite and the
founders of multinational companies, the list of potential
targets is very interesting.
The rise of web-based attacks in corporate espionage raises
two points: first, any corporation with an online presence
that serves such potentially ‘interesting’ targets may be at
risk of unwittingly serving as an attack conduit; and second,
such organizations must now find a way to mitigate that risk,
in order to protect themselves and their clients.
Figure 1: Screenshots of an e-mail and
malicious file attachment used in a targeted attack
For companies with online resources that may be vulnerable
to ‘watering hole’ attacks, it is very important to invest in web
and server security. Performing regular audits to verify that
your web server is serving only what it should is also highly
recommended.
Defending against watering hole attacks does not require
anything new that should not already be in place to protect
against more mundane web attacks which target zero day
vulnerabilities, thereby circumventing detection-based
security coverage. A corporate security suite with behavioral
based detection should of course be a part of the protection
solution, as it can still provide a measure of protection by
actively looking for and red-flagging suspicious behavior,
rather than static reliance on known features to identify a
malicious file.
But when we consider dealing with advanced and persistent
attackers, one layer of protection is not enough. At a
minimum, corporate users should use Microsoft’s free Exploit
Mitigation Toolkit (EMET) to harden their system’s memory
handling for client applications such as web browsers, web
browser plugins and document readers.
[Diagram: the attacker places an exploit kit on a public website (www)
used by the targeted organization; an employee’s computer is compromised
when it visits the site; the attacker then gains access to the compromised
computer.]
A second, very effective method of ruining the spy’s day is to
use DNS whitelisting in the company‘s DNS server so that only
specific, approved public sites can be accessed on the user’s
machine. This precaution directly interferes with the spy’s
ability to communicate with its installed trojan(s), as well as
helping to prevent information stolen from the machine being
sent out to the attacker’s command and control (C&C) server.
Done right, this method also has the advantage of not
interfering with the way most users work or browse the
Internet. At F-Secure, we maintain a list of known attack
domains potentially associated with corporate espionage.
Cross-referencing this list against Alexa.com’s list of 1 million
most common domains showed that 99.6% of these potential
C&C sites were outside of Alexa’s top domains.
So if your organization is in possession of information that
might be interesting to other companies, we recommend
a custom DnS whitelisting solution that is relaxed enough
to allow your users to work, but still strict enough to block
unknown domains. And while attackers can use C&C channels
that are trickier to block, such as Twitter or Facebook, this
simple precaution does make it more difficult for attackers to
operate.
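As an added illustration (not code from the report or from F-Secure), the following Python models the DNS whitelisting policy described above together with the cross-reference measurement behind the 99.6% figure: query names are reduced to their registered domain, resolved only if that domain is corporate-approved or on an admitted top-domains list, and a list of suspect domains is scored by how many fall outside that top list. The Alexa-style ‘rank,domain’ CSV format, the small public-suffix subset and every sample domain below are constructed assumptions for the example.

```python
import csv
import io

# Small stand-in for the Public Suffix List so that e.g. 'news.bbc.co.uk'
# reduces to 'bbc.co.uk' rather than 'co.uk'. A real deployment would load
# the full list; this subset is an assumption of the example.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}


def registered_domain(hostname):
    """Reduce a query name to its registrable domain (lower-cased, no trailing dot)."""
    labels = hostname.strip().lower().rstrip(".").split(".")
    if len(labels) < 2:
        return ".".join(labels)
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def load_top_list(csv_text, limit=None):
    """Parse an assumed Alexa-style 'rank,domain' CSV into a set of registered domains.

    Rows ranked beyond `limit` are ignored, so a policy can admit only the
    top N public domains rather than the whole list."""
    top = set()
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) != 2 or not row[0].strip().isdigit():
            continue  # skip blank or malformed rows
        rank, domain = int(row[0]), row[1]
        if limit is not None and rank > limit:
            break
        top.add(registered_domain(domain))
    return top


class DnsAllowlistPolicy:
    """Resolver-side policy: approved corporate domains always resolve,
    admitted top-ranked public domains resolve, everything else is blocked."""

    def __init__(self, approved, top_domains=()):
        self.approved = {registered_domain(d) for d in approved}
        self.top = set(top_domains)

    def decide(self, qname):
        """Return (verdict, reason) for a DNS query name."""
        rd = registered_domain(qname)
        if rd in self.approved:
            return ("allow", "approved:" + rd)
        if rd in self.top:
            return ("allow", "top-list:" + rd)
        return ("block", "unknown:" + rd)


def fraction_outside_top(suspect_domains, top_domains):
    """Share of suspect (e.g. known C&C) domains not covered by the top list.

    A high value means an allowlist built from popular domains would block
    most of them; C&C riding on a popular service is what lowers it."""
    if not suspect_domains:
        return 0.0
    outside = sum(1 for d in suspect_domains if registered_domain(d) not in top_domains)
    return outside / len(suspect_domains)


# Constructed sample inputs (not real rankings or indicators).
SAMPLE_TOP_LIST = (
    "1,google.com\n"
    "2,facebook.com\n"
    "3,youtube.com\n"
    "4,bbc.co.uk\n"
    "5,twitter.com\n"
    "\n"
    "bad,row,here\n"
)
SAMPLE_SUSPECT_DOMAINS = [
    "c2-example-a.test",
    "static.c2-example-b.test",
    "mail.c2-example-c.test",
    "twitter.com",  # stands in for C&C over a popular service, which is harder to block
]
CORPORATE_APPROVED = ["intranet.corp.test", "crm.vendor-example.test"]


def run_demo():
    """Evaluate a few queries and the cross-reference measurement; returns a summary dict."""
    top = load_top_list(SAMPLE_TOP_LIST)
    policy = DnsAllowlistPolicy(CORPORATE_APPROVED, top)
    queries = ["www.google.com", "news.bbc.co.uk", "intranet.corp.test", "static.c2-example-b.test"]
    decisions = {q: policy.decide(q)[0] for q in queries}
    return {
        "decisions": decisions,
        "fraction_outside_top": fraction_outside_top(SAMPLE_SUSPECT_DOMAINS, top),
    }


if __name__ == "__main__":
    summary = run_demo()
    for query, verdict in summary["decisions"].items():
        print(f"{query:28s} {verdict}")
    print(f"suspect domains outside top list: {summary['fraction_outside_top']:.1%}")
```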
Figure: How a ‘watering hole’ attack works
Source
[1] The Washington Free Beacon; Chinese Hackers Suspected in Cyber Attack on Council on Foreign Relations; published 27 Dec. 2012;
http://freebeacon.com/chinese-hackers-suspected-in-cyberattack-on-council-on-foreign-relations/
Case Studies
Bots 15
ZeroAccess 17
Zeus 21
Exploits 25
Web 28
Multi-platform Attacks 32
Mobile 35

Bots
The World of Bots in 2012
In the last few years, various parties have made concerted efforts to take down or hamstring the operation of botnets, which were costing
millions of users control of their machines, their data and/or their money. In 2012 however, we saw the resurrection of many of
these botnets, often in a more aggressive form and with new malicious products, updated ‘packaging’ or marketing and distribution
strategies and more efficient money-making mechanisms.
ZeroAccess
Of all the botnets we saw this year, definitely the fastest
growing one was ZeroAccess, which racked up millions of
infections globally in 2012, with up to 140,000 unique IPs in the
US and Europe, as seen on the infection map at right [27].
The actual malware that turns a user’s computer into a
bot is typically served by malicious sites which the user is
tricked into visiting. The malicious site contains an exploit kit,
usually Blackhole, which targets vulnerabilities on the user’s
machine while they’re visiting the site. Once the machine is
compromised, the kit drops the malware, which then turns the
computer into a ZeroAccess bot.
The bot then retrieves a new list of advertisements from
ZeroAccess’s command and control (C&C) server every day.
The ZeroAccess botnet reportedly clicks 140 million ads a day.
As this is essentially click fraud, it has been estimated that the
botnet is costing up to USD 900,000 of daily revenue loss to
legitimate online advertisers. Click fraud has been on the rise
as the online advertisement vendors realistically have no way
to differentiate between a legitimate click and a fraudulent
one.
Another revenue source for ZeroAccess is its ability to mine
Bitcoin, a virtual currency that is managed in a peer-to-peer
(P2P) infrastructure. Bitcoin miners harness the computational
power of the bots to perform the complex calculations needed
to find the next block that verifies Bitcoin transactions; the
P2P network rewards whoever finds it with more Bitcoin, which
can then be converted to cash. More than half of the botnet is
dedicated to mining Bitcoin for profit. Further details of
ZeroAccess’s profit-generating activities can be found in the
case study on page 17.
Zeus
Moving on, Zeus (and its rival cum partner, SpyEye) are
perhaps still the most talked about banking trojans of 2012.
Zeus has been referred to as “the god of Do-it-Yourself
botnets”. Despite various takedown efforts, as of the end of
December 2012, the ZeuS Tracker project had seen almost
900 ZeuS C&C servers around the world. This number may
not be truly reflective of the botnet’s size, as the latest version
of Zeus includes a peer-to-peer protocol that maintains
communication within the botnet itself, allowing a bot to fetch
configuration files and updates from other infected hosts in the
botnet. This feature was dubbed “Gameover” and removes the
need for a centralized C&C infrastructure, making it harder for
security researchers to track the botnet.
Apart from the introduction of the Gameover feature, the main
change with Zeus has been tweaks done to make the malware
more user-friendly, in effect making it an attractive resource
even for wannabe attackers with low technical capabilities.
With its fancy control and administration panel, well
documented manual and a builder, Zeus allows both amateur
and expert attackers to craft, design and build executables to
infect the victim computers in a very short amount of time.
Citadel, the third derivative of Zeus, sets itself apart by
enabling a more rapid deployment of new features and
customization through an enhanced user interface, again with
the aim of helping novice hackers get in the game of deploying
their crimeware. This “dynamic config” functionality allows
botmasters to create web injections on the fly, a vital ability
in today’s online crime landscape as bots are also taken down
quickly. The most important feature for Citadel however is the
availability of a “Customer Relationship Management” system
through the use of a social network platform to support
reporting and fixing bugs. This kit is definitely professional
grade, and we expect to see a continuous rise in infections by
Citadel in the near future.
Figure 1: Google Earth map of ZeroAccess infections in the US [1].
Red markers indicate an infected unique IP address or cluster of IP addresses.
Carberp
Following the success of Zeus and SpyEye, Carberp is most
notable for making a comeback with a tweaked product and
‘marketing’ approach. First appearing in 2011 as a regular data-
stealing banking malware, Carberp’s spread was temporarily
hampered by a takedown effort from Russian agencies in early
2012. Unfortunately, in December this botnet was discovered
to have resurrected with a new ability to infect a computer’s
boot record, a component that launches even before the main
operating system (OS) starts, making any malware in the boot
record harder to detect and remove.
Carberp’s authors or operators also changed the way the
malware was distributed in order to attract more usage from
other malware distributors. Carberp was previously only
available as a standalone malware through private underground
marketplaces. Since its resurrection, Carberp has pursued a
new “malware-as-a-service” model that allows users to lease
use of the botnet itself for prices ranging from USD 2000 to
up to USD 10,000 a month. In addition, the buyer is offered a
choice of botnet configurations. The priciest format includes
the bootkit functionality, which has boosted its market price
to about USD 40,000. Though the prices may seem steep,
this rental scheme appears to be particularly attractive to less
tech-savvy users who simply want a means to an end - that is,
to install more trojans on more victim machines.
Carberp has also spread to the mobile platform in the form
of man-in-the-mobile attacks. For a Carberp-in-the-mobile
(CitMo) attack to work, the user must have both a mobile
app and a computer infected with the desktop version of
the Carberp malware. Once the mobile app is installed, it is
able to intercept SMS messages containing mTANs (mobile
Transaction Authorization Numbers), which are sent by
banks as an authentication measure used to validate online
transactions performed by the user. The intercepted mTAN
is then forwarded to a remote server, from which it is later
retrieved and used by the Carberp trojan installed on the same
user’s computer in order to gain access to the user’s banking
account.
The Carberp-infected mobile app is distributed on the Android
platform, with most of the targeted users being customers of
European and Russian banks. As online banking continues
to rise in many countries, making such online transactions
attractive targets to cybercriminals, banking-related botnets
such as Carberp are expected to continue growing in 2013.
DorkBot
Then there is DorkBot, which was discovered spreading through Skype in October 2012. The malware steals user account names and passwords for Facebook, Twitter, Netflix and various Instant Messaging (IM) channels. From an infected social networking account, DorkBot sent out images to the user’s contacts, asking them whether the attached image was their profile pic. Falling for this clichéd social engineering tactic resulted in an executable installing a backdoor and the DorkBot worm on the user’s machine, which was then enrolled in a botnet.
Unlike previously mentioned botnets, DorkBot makes its
profit through ransom—literally by locking down the victim’s
computer, allegedly for the presence of ‘illegal content’ such
as pornography or pirated music. It then demands a ‘fine’
of $200 to be paid within 48 hours, failing which the victims
would be ‘reported to a government enforcement agency’
for further prosecution. DorkBot is also capable of making
more money out of its infected hosts by using their combined
power to perpetrate click fraud, which incidentally creates an
attractive revenue source for the authors.
Mobile botnets
And finally, though it is still at an embryonic stage in comparison, we are also seeing botnets operating on the mobile platform, specifically Android. These mobile botnets do exactly what botnets did when they first appeared on computers - that is, generate spam.
The SpamSoldier malware sends SMS messages to a hundred Android devices (in the US) at a time. The owner of the sending device has no idea of this activity, as the sent SMS messages are deleted immediately once sent, making the sky-high phone bills that result an unpleasant surprise. These spam messages may also contain social engineering content, including links that lead to other malware, thereby compounding the malicious effect of these spambots.
ZeroAccess
The most profitable botnet malware in the wild
Affiliate program: ZeroAccess success story
Affiliate programs are a well-known marketing strategy and are widely used by many e-commerce websites [3]. Essentially, a business owner with an e-commerce site to promote commissions other site owners to help drive customers to it (who hopefully eventually make a purchase). The website owners are then compensated for providing these customer leads.
Adopting this concept, ZeroAccess’s author or operator(s)
has managed to distribute the program to a large number of
machines with the help of its enlisted partners.
The ZeroAccess gang advertises the malware installer in
Russian underground forums, actively looking for distributor
partners. Their objective is to seek other cybercriminals who
are more capable in distributing the malware and do so more
efficiently.
The malware distributors generally consist of experienced affiliates, each of them employing their own methods of distributing the ZeroAccess installers in order to fulfill the recruiter’s requirements.
The most popular distribution methods we’ve seen involve exploit kits, spam e-mails, trojan-downloaders, and seeding fake media files on P2P file-sharing services and on video sites, though the specific details in each case depend on the distributor handling the operations.
ZeroAccess is one of today’s most notable botnets. It was first discovered by researchers back in 2010, when it drew a lot of attention for its capability of terminating all processes related to security tools, including those belonging to anti-virus products. When too many researchers focused on this self-protection capability, however, ZeroAccess’s author decided to drop the feature and focus more on improving its custom peer-to-peer (P2P) network protocol, which is unique to ZeroAccess. After the change [1], ZeroAccess became easier to spot by anti-virus products, yet it continued to spread like wildfire around the world due to the improved P2P technique [2]. This success can be largely attributed to its affiliate program.
The variety of distribution schemes and methods used by the numerous affiliates has contributed to the volume of trojan-dropper variants detected by antivirus products every day. All are driven by the same motive: collecting an attractive revenue share from the gang.
Methods used by ZeroAccess distributors
Distribution method: description
Downloader trojan: Dropping a downloader trojan onto a machine, which proceeds to download and install the botnet
Exploit kit: Using an exploit kit (e.g., Blackhole) in a drive-by-download attack
Fake media file or keygen or crack: Hosting infected files in P2P file sharing services using enticing names, such as ‘microsoft.office.2010.vl.editi.keygen.exe’
P2P file sharing service: Abusing a P2P file sharing website to host the ZeroAccess installer
Spam email: Sending spam emails containing an attachment or a link that could enable further exploitation
Figure 1: A botnet operator seeking partners in an underground forum
The partners are compensated based on a Pay-Per-Install (PPI) service scheme [4] and the rate differs depending on the geographical location of the machine on which the malware was successfully installed. A successful installation in the United States will net the highest payout, with the gang willing to pay USD 500 per 1,000 installations in that location.
Figure 2: Proof of payments made by recruiter
Given the rate of pay, it is no surprise that ZeroAccess is widespread in the US alone [5]. After the US, the commission rates, sorted from highest to lowest, are for Australia, Canada, Great Britain, and others. Some distributors even post screenshots of the payments they’ve received in underground forums to show the reliability of their recruiter.
The ZeroAccess gang can afford to pay such high incentives to
its recruits because the army of bots created by the affiliate’s
efforts is able to generate even more revenue in return.
Once the malware is successfully installed on the victim
machines, ZeroAccess will begin downloading and installing
additional malware onto the machines, which will generate
profit for the botnet operators through click fraud and Bitcoin
mining operations.
Botnet operators prefer the click fraud payload because, since 2006 [6], it has been a proven way to generate income from pay-per-click (PPC) or cost-per-click advertising.
Figure: ZeroAccess botnet affiliate program structure. The ZeroAccess botnet operator recruits distributors (A, B, C ... N) through an underground forum; the distributors reach victims via exploit kits, spam emails and downloader trojans; the victims join the P2P network and generate revenue ($$$) through click fraud and Bitcoin mining.
Bitcoin mining has too many constraints. For instance, the success of generating a bitcoin depends on the difficulty level of the target specified in the Bitcoin network and might even require some luck [7]. Furthermore, the victim’s machine needs to have decent CPU power, preferably with GPU or FPGA hardware, to produce results in a reasonable amount of time [8]. Even with a large number of bots, the difficulty factors in solving Bitcoin blocks hinder Bitcoin mining operations from performing as well as click fraud, which only requires the victims to have an internet connection and a web browser.
Despite the difficulties in Bitcoin mining, the fact that the ZeroAccess botnet was modified to drop its problematic self-protection feature and introduce the Bitcoin mining operations indicates that ZeroAccess’s operators are very ambitious about keeping the botnet growing and are not afraid of taking risks.
Conclusion
Given ZeroAccess’s current success as a huge, fully functional profit-generating ‘machine’, it’s unlikely that we’ll see it going away anytime soon. The ZeroAccess malware - which poses the most direct threat to users - will continue to exist as a hidden danger on malicious or booby-trapped websites. The affiliate program that encourages the spread of malware will continue to attract more cybercriminals due to the botnet operators’ established reputation for reliably paying their affiliates and adjusting commission rates to maintain their attractiveness. And finally, the criminal organizations behind the botnet have demonstrated that they’re willing to experiment and modify their ‘product’ in order to increase their ability to make money. As such, we expect the ZeroAccess botnet to grow and evolve, with new features or feature updates being introduced in the near future.
Sources
[1] F-Secure Weblog; Threat Research; ZeroAccess’s Way of Self-Deletion; published 13 June 2012;
http://www.f-secure.com/weblog/archives/00002385.html
[2] F-Secure Weblog; Sean Sullivan; ZeroAccess: We’re Gonna Need a Bigger Planet; published 17 September 2012;
http://www.f-secure.com/weblog/archives/00002428.html
[3] Wikipedia; Affiliate Marketing;
http://en.wikipedia.org/wiki/Affiliate_marketing
[4] Wikipedia; Compensation Methods;
http://en.wikipedia.org/wiki/Compensation_methods#Pay-per-install_.28PPI.29
[5] F-Secure Weblog; Sean Sullivan; The United States of ZeroAccess; published 20 September 2012;
http://www.f-secure.com/weblog/archives/00002430.html
[6] MSNBC; Associated Press; Google settles advertising suit for $90 million; published 8 March 2006;
http://www.msnbc.msn.com/id/11734026/#.ULiDyn2sHvA
[7] Bitcoin Wiki; Target;
http://en.bitcoin.it/wiki/Target
[8] Wikipedia; Bitcoin;
http://en.wikipedia.org/wiki/Bitcoin
Figure: ZeroAccess’s profit-generating activities, by percentage (%): click fraud 83%, Bitcoin mining 17%.
Figure: ZeroAccess infections, top countries by percentage (%): US 35%, Japan 8%, India 6%, Canada 5%, Romania 5%, Italy 5%, others 38%. *Based on statistics gathered from national ASN-registered networks.
Figure: ZeroAccess infections in the USA, Japan, and Europe*. *Red markers indicate an infected unique IP address or cluster of IP addresses.
Zeus
Robbing banks in modern times
P2P Zeus geography
Of all derivatives and variants, the peer-to-peer (P2P) version is particularly special because it is private and forms only one large botnet. Other derivatives usually consist of numerous yet smaller botnets, each run by someone who has purchased a version of Zeus. From late August to mid-November 2012, we monitored the P2P bots and tracked the websites that they had targeted to compromise with web injections. The targeted sites were defined by configuration data that the bots received from other infected machines, and which is stored in encrypted form in the Windows registry.
The configuration data revealed that a total of 644 unique URLs were targeted for web injections during the monitoring period, with a special focus on sites based in North America. Not all of these URLs included the domain names. Sometimes only the path is used for identifying a targeted website, and many domains had several different URLs leading to them, using different paths. After excluding URLs with missing domain names and duplicate domains, a total of 243 unique domains were left. In summary, the targeted websites can be categorized into the following types:
• Personal online banking
• Corporate online banking (mainly for North American small businesses)
• Investment and online trading sites
• Credit card services
• Extremely popular global websites (e.g. Amazon, eBay, Facebook, etc.)
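The reduction described above (drop entries that name only a path, then collapse the several URLs that lead to one domain into a single entry) can be reproduced with a short script. This is an added example, not code from the report or from F-Secure: the target patterns are constructed samples written in the wildcard style of Zeus web-inject entries rather than real configuration data, and the per-TLD count is only a rough proxy for the per-country tallies the report gives.

```python
"""Reduce a list of Zeus-style web-inject target patterns to unique domains.

Added example; the patterns below are constructed samples, not real Zeus
configuration data.
"""
import re
from collections import Counter

# Constructed sample targets in the wildcard style of Zeus web-inject
# entries. Two of them identify the page by path only, as the report notes
# some real entries do.
SAMPLE_TARGETS = [
    "https://bank-example.com/login*",
    "https://bank-example.com/account/summary*",
    "*bank-example.com/transfer*",
    "*.bank-example.com/*",
    "/ebanking/login.aspx*",                 # path only, no domain
    "*/online/auth/signin*",                 # path only, leading wildcard
    "http*://www.trading-example.ca/*",
    "https://trading-example.ca/portfolio*",
    "*banca-example.it/servizi/*",
    "https://www.shop-example.com/checkout*",
]

# "http://", "https://" or the wildcard form "http*://" used to match both.
_SCHEME_RE = re.compile(r"^https?\*?://", re.IGNORECASE)
# A plausible hostname: labels separated by dots, ending in a TLD.
_HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$")


def extract_domain(pattern):
    """Return the lower-cased host a web-inject pattern targets, or None
    when the pattern identifies the page by path only (or has no usable host)."""
    p = pattern.strip().lstrip("*")          # leading '*' matches any prefix
    p = _SCHEME_RE.sub("", p)
    if not p or p.startswith("/"):
        return None                          # no domain in this entry
    host = p.split("/", 1)[0].lower().lstrip(".")   # "*.example.com" -> "example.com"
    if host.startswith("www."):
        host = host[4:]                      # treat www and bare domain as one site
    if "*" in host or not _HOST_RE.match(host):
        return None                          # wildcard inside host or malformed
    return host


def reduce_targets(patterns):
    """Apply the report's reduction: drop path-only entries, then
    de-duplicate by domain. Returns (sorted unique domains, path_only_count)."""
    domains = set()
    path_only = 0
    for pat in patterns:
        host = extract_domain(pat)
        if host is None:
            path_only += 1
        else:
            domains.add(host)
    return sorted(domains), path_only


def count_by_tld(domains):
    """Count unique domains per top-level domain. A ccTLD such as .ca or .it
    hints at the country; .com does not, so this is only a rough proxy."""
    return Counter(d.rsplit(".", 1)[1] for d in domains)


if __name__ == "__main__":
    unique, dropped = reduce_targets(SAMPLE_TARGETS)
    print(f"{len(SAMPLE_TARGETS)} patterns -> {len(unique)} unique domains "
          f"({dropped} path-only entries dropped)")
    for d in unique:
        print("  ", d)
    print("by TLD:", dict(count_by_tld(unique)))
```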
Geographically, North America is the primary focal point of the P2P Zeus botnet, which targeted 88 US-based websites and 23 Canadian-based websites. Several European countries were also hot targets for web injection. In the configuration data, entries involving Italian websites were actively added, removed or changed; throughout the changes, Italy remains one of the favorite targeted countries. Poland started to creep into one of the top spots when 15 Polish sites were added to the target list in September and October, when there had been none listed in August. A real surprise from the findings is the number of targeted Middle Eastern banks as compared to the number of infections in the same area.
Zeus makes up a significant portion of banking trojans; it compromises millions of computers around the world and causes millions of dollars in losses to its victims. In a typical operation, Zeus modifies a targeted webpage to collect valuable information, for example by adding a part that requests potential victims to enter additional login details or personal information when they visit the webpage. The information is later used to access the victims’ online accounts and to perform unauthorized transactions.
When it comes to the number of machines infected with P2P Zeus, the US leads the pack, followed by Italy. This number was based on 5395 random samples analyzed between July and November. After the US and Italy, no other countries in the subsequent positions really stand out from the pack, as the difference in the number of infections varies only slightly.
Top-10 countries with the most P2P Zeus infections
Country, unique IPs, % of all IPs:
USA 1809 33.53%
Italy 439 8.14%
Germany 205 3.80%
Georgia 203 3.76%
Mexico 179 3.32%
Canada 168 3.11%
India 167 3.10%
Brazil 143 2.65%
Romania 133 2.47%
Taiwan 110 2.04%
Web-injection targets by country: USA 88, Canada 23, Italy 18, Poland 15, Saudi Arabia 14, UAE 11, Germany 10, rest of the world 47
Every month, the US and Italy were consistently positioned at the top in terms of infection numbers. When Polish sites started to become targets, the number of infections in Poland more than doubled, but this number only accounted for two percent of the total amount even at its highest point in November.
Figure: Percentages (%) of infected IPs per month, July to November 2012, for the USA, Italy, Georgia, Germany, Canada, India, Mexico, Taiwan and Poland.
Earlier this year, Dell SecureWorks Counter Threat Unit [3] was able to connect to approximately 100,000 P2P Zeus bots. Using this number as a minimum botnet size, we can say that the most affected Internet Service Providers (ISPs) could have several thousand P2P Zeus infections on their customers’ machines.
New backdoor commands in Zeus derivatives
Zeus’s capabilities are not limited to serving as a banking trojan. Since the beginning of its release, it has always contained some backdoor features that are controlled by simple scripts as ordered by the botnet owner. These scripts are delivered to infected machines through command and control (C&C) servers.
Different derivatives (i.e. Citadel, Ice IX, and P2P) that popped up after the original Zeus 2 source code was leaked online have received drastically different commands since then. These commands provide a good indication of the development pace of each derivative. Citadel leads with 20 new commands while Ice IX only received one, making it the closest version to the leaked version 2.0.8.9. For Citadel and Ice IX, the earliest date listed on each respective table was also the date when we ran into the first sample of the derivative. For the P2P variant, however, we received the first sample on 3rd September 2011 but only saw the first changes to the backdoor commands six months later.
The tables below list all new commands that are callable. Some
of these may not implement any action and we did not track
any possible changes in the behavior of each command. Please
take note that the dates used in the tables were based on when
we first received the sample with that particular command
rather than when the Zeus author rolled out the changes.
Callable commands in the Zeus botnet
P2P variant (command, first seen):
fs_find_by_keywords ** 2012-03-30
fs_find_add_keywords 2012-04-09
fs_find_execute 2012-04-09
fs_pack_path 2012-05-24
ddos_address 2012-05-24
ddos_execute 2012-05-24
ddos_type 2012-05-24
ddos_url 2012-05-24
** fs_find_by_keywords was a short-lived command in the P2P variant; it was last seen in a sample received on 3rd April 2012.
Citadel (command, first seen):
dns_filter_add 2011-12-10
dns_filter_remove 2011-12-10
url_open 2012-02-12
module_download_disable 2012-05-07
module_download_enable 2012-05-07
module_execute_disable 2012-05-07
module_execute_enable 2012-05-07
info_get_antivirus 2012-05-07
info_get_firewall 2012-05-07
info_get_software 2012-05-07
ddos_start 2012-07-03
ddos_stop 2012-07-03
close_browsers 2012-09-11
webinjects_update 2012-09-11
download_file 2012-09-11
search_file 2012-09-11
tokenspy_update 2012-09-11
upload_file 2012-09-11
tokenspy_disable 2012-10-06
bot_transfer 2012-10-06
Ice IX (command, first seen):
bot_update_exe 2011-11-03
Besides being used as a banking trojan, some Zeus botnets may now also be used to perform distributed denial of service (DDoS) attacks on targeted websites, where interested parties can rent a botnet from the controller for certain fees. As can be seen from the new backdoor commands, both the Citadel and the P2P versions received the DDoS features during the summer, but the reason behind the P2P feature update may be different. According to Dell SecureWorks Counter Threat Unit [3], the crew running the P2P variant used DDoS attacks to prevent victims of banking trojans from accessing their online banking accounts until the fraudulent transactions had been completed. Thus the reason for the DDoS feature update may be to stop having to rent a third-party botnet kit that the gang had been using to conduct attacks that took place between November 2011 and summer 2012.
Zeus 2 timeline of notable events
01.04.2010: Birth of Zeus 2.0.0.0
xx.10.2010: SpyEye author received Zeus source code [1]
xx.04.2011: Earliest known date of Ice IX debut [2]
xx.05.2011: Zeus 2.0.8.9 source code leaked online
xx.08.2011: First public sale of Ice IX on the internet
03.09.2011: Earliest P2P Zeus variant identified by FS Labs
05.09.2011: First P2P Zeus backup domain registered
03.11.2011: Earliest Ice IX sample identified by FS Labs
xx.11.2011: P2P gang started incorporating DDoS attacks in their operations [3]
xx.12.2011: First date of Citadel identification [4]
10.12.2011: Earliest Citadel sample seen by FS Labs
30.03.2012: First change made to P2P Zeus backdoor commands
07.05.2012: Citadel received backdoor commands to control additional modules
14.05.2012: A custom Zeus 2 variant that includes ransomware features found
24.05.2012: DDoS feature added to P2P Zeus
03.07.2012: DDoS feature added to Citadel
Sources
[1] KrebsOnSecurity; Brian Krebs; SpyEye v. ZeuS Rivalry Ends in Quiet Merger; published 24 Oct 2010;
http://krebsonsecurity.com/2010/10/spyeye-v-zeus-rivalry-ends-in-quiet-merger/
[2] RSA FraudAction Research Labs; New Trojan Ice IX Written Over Zeus’ Ruins; published 24 Aug 2011;
http://blogs.rsa.com/rsafarl/new-trojan-ice-ix-written-over-zeus-ruins/
[3] Dell SecureWorks; Brett Stone-Gross; The Lifecycle of Peer-to-Peer (Gameover) ZeuS; published 23 Jul 2012;
http://www.secureworks.com/cyber-threat-intelligence/threats/The_Lifecycle_of_Peer_to_Peer_gameover_ZeuS/
[4] Seculert Blog; Citadel - An Open-Source Malware Project; published 8 Feb 2012;
http://blog.seculert.com/2012/02/citadel-open-source-malware-project.html
The complete infographic can be viewed at http://bit.ly/how2robBanks
Exploits
Top targeted vulnerabilities in 2012
In 2012, we saw the exploitation of known vulnerabilities in popular programs or the operating system become one of the most popular, if not the most popular, techniques used by malware distributors, hackers and attackers to gain access to or control of a user’s machine.
From the normal user’s perspective, the most likely scenario in which they will encounter an attempted exploit of a vulnerability on their machine is visiting a malicious or compromised website. Though some attacks continue to use tried-and-true social engineering tactics, which require an element of deception and are relatively easy for an alert user to spot (“Click this link for free stuff!” or “Download this codec to view this tantalizing video!”), in more sophisticated attacks users are unlikely to see any overt signs that an attack has taken place at all; instead, their machine is quickly and silently compromised during the short period it was exposed to the malicious or compromised website.
In some cases, the attack is tailored specifically to target a
particular set of users. Targeted user groups are typically
either the users of specific banks (making the attack a case of
monetary theft) or users employed by a specific company or
in a specific field (essentially corporate or political espionage,
see the Corporate Espionage case study on page 12). These
targeted attacks are hardly new—we’ve seen cases of spear
phishing come and go over the years. The main change
that we’ve seen in the last few years is that rather than
depending on the user to download an infected attachment
or enter sensitive data into a malicious page masquerading as
a legitimate portal, the attacks now make use of exploits and/
or exploit kits to directly compromise the user’s machine,
without needing any action from the user.

In 2012, we saw a wide range of exploits being used to target known vulnerabilities, but surprisingly, statistics from F-Secure’s cloud lookup systems indicate that in most countries, the majority of exploits detected were related to only four vulnerabilities, all reported within the last two years and designated with official Common Vulnerabilities and Exposures (CVE) identifiers. The preference for targeting these four vulnerabilities may be related to the fact that some of the most popular exploit kits of today, particularly BlackHole and Cool Exploit, have incorporated the exploits targeting these vulnerabilities into their capabilities. Ironically, most of these vulnerabilities have already had security updates or patches released by the relevant software vendors. Two other Java-specific vulnerabilities, though nowhere near as frequently targeted as the first four, also saw enough attacks to be worth noting.
These then are the most commonly targeted CVE
vulnerabilities of 2012:
CVE-2011-3402
A vulnerability in the TrueType font parsing engine used in the kernel drivers of various Microsoft Windows operating system versions (including XP, Windows Vista and Windows 7) allows remote attackers to run arbitrary code on a user’s machine. The attack uses a Word document or web page containing specially crafted malicious font data. More information on this vulnerability can be found in the infographic on page 27.
CVE-2010-0188
A vulnerability in Adobe Reader and various versions of Adobe Acrobat allows attackers to use a specially crafted PDF document to force the application to crash, causing a denial of service. According to reports, the attack document is also able to drop a malicious file onto the compromised system, which then connects to a remote site for further instructions.
CVE-2012-4681
Vulnerabilities in the Java Runtime Environment (JRE) running in web browsers allow attackers to use a specially crafted applet to run arbitrary code on the compromised machine. Users are most commonly exposed to the malicious applet when they are directed (either through social engineering or poisoned search results) to a malicious webpage hosting the attack applet.
CVE-2012-5076
A vulnerability in the JRE component of Oracle Java SE 7 Update 7 and earlier allows attackers to use a specially crafted applet to run arbitrary code on the compromised machine, usually to download additional malicious files onto it.
CVE-2012-0507
A vulnerability in the AtomicReferenceArray class of various versions of Oracle Java allows attackers to essentially breach the ‘sandbox’ or contained environment of the Java installation, permitting the attacker to perform malicious actions on the affected machine.
CVE-2012-1723
A vulnerability in the Java HotSpot VM in the JRE component of various versions of Oracle Java allows attackers to essentially breach the ‘sandbox’ or contained environment of the Java installation, permitting the attacker to perform malicious actions on the affected machine.
Infographic: Most targeted CVE vulnerabilities, top 10 countries, H2 2012 (country, Exploit Prevalence, and the share of each of the top 4 CVEs among that country’s CVE-related detections)
Netherlands, Exploit Prevalence 139: 2011-3402 39%, 2010-0188 32%, 2012-4681 17%, 2012-5076 9%
Belgium, Exploit Prevalence 121: 2011-3402 36%, 2010-0188 35%, 2012-4681 16%, 2012-5076 11%
Sweden, Exploit Prevalence 102: 2011-3402 31%, 2010-0188 29%, 2012-4681 29%, 2012-5076 9%
Italy, Exploit Prevalence 88: 2010-0188 38%, 2012-4681 29%, 2011-3402 22%, 2012-5076 8%
US, Exploit Prevalence 87: 2012-4681 47%, 2012-5076 25%, 2011-3402 16%, 2010-0188 9%
Germany, Exploit Prevalence 78: 2012-4681 32%, 2010-0188 26%, 2011-3402 22%, 2012-5076 15%
France, Exploit Prevalence 69: 2011-3402 32%, 2010-0188 28%, 2012-4681 24%, 2012-5076 13%
UK, Exploit Prevalence 67: 2011-3402 30%, 2012-4681 28%, 2010-0188 28%, 2012-5076 11%
Poland, Exploit Prevalence 61: 2010-0188 35%, 2012-5076 24%, 2011-3402 21%, 2012-4681 16%
Finland, Exploit Prevalence 45: 2010-0188 33%, 2012-5076 25%, 2011-3402 21%, 2012-4681 17%
These were the top 10 countries that saw the most exploits targeting known CVE vulnerabilities in H2 2012, ranked by Exploit Prevalence, which is calculated as the count of CVE-related detections reported per 1,000 users in the country for that time period. For example, during H2 2012, our systems recorded a CVE-related exploit detection for 139 of every 1,000 users in the Netherlands. Also listed are the top 4 CVE vulnerabilities targeted in each country, as well as their relative percentage of all CVE-related detections from that country.
Infographic: CVE-2011-3402
The Cool (kit) factor: In H2 2012, most of the malicious sites we saw with the CVE-2011-3402 exploit were using the Cool Exploit kit to attack unsuspecting site visitors (Cool 87%; Blackhole and other kits account for the remainder).
First reported in 2011, the term CVE-2011-3402 refers to a vulnerability in the Windows operating system component that handles TrueType fonts. Shortly afterwards, an exploit became public that took advantage of this vulnerability to, among other things, install malware onto the affected system. The exploit was first used in the Duqu malware, which only targeted specific organizations in certain countries. In October 2012, the exploit was added to the Cool Exploit kit, and shortly after to 5 other kits as well. It quickly became one of the most common exploits seen by normal computer users in H2 2012.
The greatest hits: Despite being relatively new, of all CVE-related hits logged by F-Secure’s cloud lookup systems in H2 2012, CVE-2011-3402-related detections were the second most frequent (chart: CVE-2012-4681, CVE-2011-3402, CVE-2010-0188, CVE-2012-5076, CVE-2012-0507).
The euro zone: 60% of malicious sites hosting kits with the CVE-2011-3402 exploit were registered to just 2 countries: France and Germany (other countries marked on the map: USA, Russia, UK, Ukraine).
Most exploited users, top 15 countries: calculated as the count of CVE-2011-3402-related detections per 1,000 users in the country, as seen by F-Secure’s cloud lookup systems in H2 2012. For example, in Belgium, 72 out of every 1,000 users reported seeing a CVE-2011-3402-related detection in the second half of the year. Countries shown, in the order listed: Belgium, Sweden, Netherlands, Switzerland, Greece, UK, Spain, France, Germany, Poland, Italy, Austria, Czech Republic, Denmark.
Web
The increasingly greying web
There is a worrying trend that is gaining momentum on the Web today. The empowerment afforded by dynamic hosting of all things virtual, which continuously makes a staggering amount of exciting content available at lightning speed, is at the same time contributing to an online landscape that’s turning increasingly grey. More and more malware and malicious content are becoming available, and to an ever-widening audience.
Never has posting content online been so easy. Anything can be backed up and saved for posterity, and websites can be created in seconds without any special technical knowledge. This is a happy state of affairs for everyone, from the fledgling business owner who wants to minimize costs while reaching a wider audience with his product, to the activist who wants to remain anonymous while bringing more visibility to his cause—and of course, the bad guys who want to rake in more profits from infected user machines, stolen data and hijacked bank accounts.
Top 20 top-level domains (TLDs) serving malicious URLs, Aug-Dec 2012
TLD %
.com 44.51
.ru 6.62
.net 6.53
.org 4.44
.ua 3.67
.info 2.49
.cn 2.41
.cc 2.17
.de 1.53
.br 1.18
.in 1.10
.pl 1.01
.uk 0.84
.eu 0.65
.it 0.58
.kr 0.55
.fr 0.54
.es 0.52
.nl 0.51
.biz 0.50
Total 82.35
Content hosting/channeling locations
Traditionally, the bad guys have hosted their malicious
products on standalone websites. Recent developments in
the site hosting industry have made this option even more
attractive for those with malicious intent.
Website hosting has not only become so generic and
affordable that domain purchases can be done in bulk, now
subdomain hosting has also emerged to make hosting content
online even cheaper, often even totally free.
As diverse as these hosting sites may be, some are more conducive to hosting malware than others. Image-hosting sites, for example, have not been heavily abused to host malware yet. Some types of hosting sites though, by their very nature, can readily serve malicious content. The following are some services most heavily used by malware distributors:
• Dynamic DNS providers
• Subdomain and Redirection Hosting
• Blog and Content Hosting
• File Hosting
• App markets
All of these services are favored due to their ease of use, a high level of anonymity and the fact that they are cheap or even free. Although all these services have seen notable growth in malware hosting, the heaviest growth is most evident in dynamic DNS providers and app markets (for more on app market malware hosting, see our Mobile case study on page 35).
As the number of subdomain hosting offerings from dynamic DNS providers has increased, so has the amount of malicious content being channeled through them. On checking the top 3 dynamic DNS providers (no-ip.com, dnsdynamic.org and changeip.com), 165 out of the 189 domains that they support, or 87%, hosted malicious content.
Granted, this rough estimate accounts for only 1% of all malicious URLs from that time period, but it also doesn’t yet factor in malicious content hosted by other providers, including those like afraid.org, which currently has 98,302 domains at its disposal.
Then come subdomain and redirection hosting. Although they have surrendered a lot of ground to dynamic DNS providers, these sites are still around and providing their fair share of malicious content. A significant number of them (such as uni.me, 110mb.com, vv.cc, x10.mx and rr.nu) are heavily used to host malware. Even after a major player, co.cc, mysteriously vanished, most of these subdomain hosting sites continued to thrive.
Not to be left behind are various flavors of file, blog and other content hosting sites. While these sites provide empowerment to the masses, they also enable the bad guys to push their wares with ease. Let’s take WordPress, the most popular Content Management System (CMS) online at the moment with a 59% market share [1], as an example. Its user-friendliness has revolutionized the content creation sphere, giving even the least tech-savvy writer a voice and presence in the cyberworld. However, since the bad guys are also well aware of the statistics, exploit kits have been targeting sites served via the WordPress CMS, using them as redirection pages for malware, scamware and various shades of greyware.
Finally, file hosting sites are an easy way to back up and share both legitimate files and malware online. A significant amount of the executable malware pulled from file hosting sites is dropped by trojan downloaders straight onto the system without any user intervention. File hosting sites provide a free and readily disposable malware-hosting alternative for attackers, who would otherwise have to use the more technically challenging dynamic DNS, subdomain hosting sites or even standalone domains.
social networking and social media sites
While social networking and social media sites are very effective locations to distribute grey content, big players such as Facebook and Twitter have been very engaged in improving their security. Facebook has partnered with security experts in hopes of cleaning up the massive amount of data that is handled by its systems daily, and its efforts have largely been successful.
The amount of malicious apps and scams posted to Facebook pages has lessened over the years, and in H2 2012 alone, we found fewer than 30 grey apps on the social networking site. Twitter also has its own URL shortening service (t.co) to help sanitize as much greyware from shared links as possible.
Even though Facebook and Twitter are boosting security, that still leaves other social networking sites, often serving country-specific users and each with their own security issues. The fundamental problem with social networking sites is that they are perfect venues for social engineering attacks. Despite continuing user education and increased user awareness, there's still the odd user who unwittingly clicks on a 'juicy' link—and in that way the grey stuff, which is mostly scams, still spreads.
ad-serving networks
In the age of empowerment, with all these platforms for posting free content floating around, someone needs to foot the bill for all the infrastructure behind it. Techcrunch has an interesting analysis [2] of modern-day monetization techniques used by ad services and the way they affect the mobile landscape as well. That aside, a darker side of advertising has also emerged, in the form of malvertising.
Malvertising is a rapidly growing trend. A quick look at Alexa's domain rankings is enough to show the appeal: of the top 1000 domains, 5.9% belong to ad-serving networks. And of course users don't see the ads on these networks by going to the ad sites themselves, but rather by visiting other content-providing websites, which pull the ads from the ad servers.
Quite a lot of websites nowadays display content from remote, third-party locations, in addition to the actual domain where the sites reside. Let's take the ESPN website as an example. Aside from the actual webpage espn.go.com, it pulls content from these locations:
• espncdn.com – page formatting and content
• dl-rms.com, doubleclick.net, 2mdn.net, scorecardresearch.com, ooyala.com, adnxs.com, adroll.com, mktoresp.com – ads and monetization-related links
• chartbeat.com, google-analytics.com, etc – web traffic statistics
• typekit.com, etc – kits/software
Given the multiple content sources involved, the website's security is no longer about just the content-display site alone, but is also affected by the integrity of the ad-serving networks providing the content, and even the security of the kits or software used on the site. Unfortunately, it can be tricky managing security when it is spread over so many disparate elements.
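To make the dependency question concrete, here is an added example (not F-Secure's tooling, and not code from the report) that inventories the third-party origins a page loads and derives a script-src allowlist from the ones the site owner has actually reviewed. The HTML is constructed to mirror the ESPN list above; the tag layout, the allowlist and the one unlisted origin (unlisted-cdn.example) are assumptions.

```python
"""Inventory the third-party origins a page pulls content from, then derive
a script-src allowlist.  Added example; not F-Secure's tooling.  The page below
is constructed to mirror the ESPN example in the text: the hostnames come from
the report's list, the markup and the one unlisted origin are assumptions."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attribute that makes the browser fetch from a (possibly remote) origin.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href",
               "source": "src", "video": "src", "embed": "src", "object": "data"}


class OriginCollector(HTMLParser):
    """Records (tag, host) for every absolute URL found in a fetching attribute."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                host = urlparse(value).hostname  # None for relative (same-origin) URLs
                if host:
                    self.refs.append((tag, host.lower()))


def registrable_domain(host):
    """Crude eTLD+1 ('a.espncdn.com' -> 'espncdn.com').  Assumption: adequate for
    the .com/.net hosts here; production code should use the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def third_party_origins(html, page_host):
    """Map each foreign registrable domain to the sorted list of tags loading from it."""
    collector = OriginCollector()
    collector.feed(html)
    own = registrable_domain(page_host)
    found = {}
    for tag, host in collector.refs:
        domain = registrable_domain(host)
        if domain != own:
            found.setdefault(domain, set()).add(tag)
    return {d: sorted(tags) for d, tags in sorted(found.items())}


def unexpected_origins(origins, allowlist):
    """Domains serving content that the site owner has not documented as a dependency."""
    return sorted(d for d in origins if d not in allowlist)


def script_src_policy(origins, allowlist):
    """Build a Content-Security-Policy script-src directive from the approved
    domains that actually serve scripts.  '*.' is needed because a bare host
    source matches only that exact host, and the assets live on subdomains."""
    hosts = sorted(f"*.{d}" for d, tags in origins.items()
                   if "script" in tags and d in allowlist)
    return "script-src 'self' " + " ".join(hosts) + ";"


# Constructed page resembling espn.go.com's dependency list from the text.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://a.espncdn.com/css/site.css">
<script src="https://a.espncdn.com/js/site.js"></script>
<script src="https://static.chartbeat.com/js/chartbeat.js"></script>
<script src="https://www.google-analytics.com/ga.js"></script>
<script src="https://use.typekit.com/kit.js"></script>
</head><body>
<img src="/img/logo.png">
<iframe src="https://ad.doubleclick.net/adi/espn"></iframe>
<script src="https://secure.adnxs.com/ttj?id=1"></script>
<img src="https://b.scorecardresearch.com/p?c1=2">
<script src="http://cdn.unlisted-cdn.example/tag.js"></script>
</body></html>"""

# Dependencies the site owner has reviewed; unlisted-cdn.example is deliberately absent.
ALLOWLIST = {"espncdn.com", "doubleclick.net", "adnxs.com", "scorecardresearch.com",
             "chartbeat.com", "google-analytics.com", "typekit.com"}

if __name__ == "__main__":
    origins = third_party_origins(SAMPLE_HTML, "espn.go.com")
    for domain, tags in origins.items():
        print(f"{domain:28s} {', '.join(tags)}")
    print("unexpected:", unexpected_origins(origins, ALLOWLIST))
    print(script_src_policy(origins, ALLOWLIST))
```

Run against a real page, the unexpected list is the thing to review: a script origin nobody on the site team can account for is exactly the ad-platform or kit compromise the text describes, and the generated directive lets the browser refuse anything outside the reviewed set.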
The bad guys are aware of this and readily exploit it. The most common attacks via ads seen so far involve distribution of a malicious ad and compromising the ad platform used by the host website. A clear example of this occurred when an advertising network that serves one of Finland's most popular websites, suomi24, inadvertently served a rogue ad. Since suomi24 is one of the top 15 websites in Finland, this resulted in a dramatic spike in detection numbers for the country during the period of 1–4 December 2012 [3].
Ad-platform attacks, though requiring rather more technical sophistication, are also effective. A recent example was reported by Websense [4] and involved the ad server itself being compromised to serve malicious code on the site itself.
Another popular malvertising distribution mechanism is the adf.ly URL shortening service that pays users for sharing links. Alexa ranks it as the 76th most visited site worldwide, and no. 37 in India. With 116,165 sites linking to it, this service has a very wide reach. For more insight into the malicious ads being served through this service, Malekal [5] tracks the spread of malvertising on the service through all of 2012.
a glance at the top 1000 most visited sites
Now let's check Alexa's top 1000 most visited sites and see what is really there. The ranks are peppered with search engines, social networking and social media sites, news and shopping sites and a variety of content, file and ad-hosting sites.
File hosting sites make up 1.9% of the most visited sites, while websites with some form of social networking or social media function account for 3.4%. Ad-serving networks account for 5.9% of the top 1000 websites. Although only a handful of them have been found to serve malicious content as of H2 2012, they definitely provide a big playground for possible exploitation and as such need to be secured.
The greatest amount of malicious content came from content-hosting sites. In H2 2012 we saw that 56 out of Alexa's top 1000 sites, or 5.6% of the top sites, hosted malicious content, usually a link or redirection to malware or a phishing scam. More intriguingly, we saw that 95.4% of all the malicious URLs found in these 56 sites are from only a handful of domains.
Note that so far, we've only considered outright malicious programs or scams; we haven't included suspect but borderline legitimate schemes that use health, beauty, money and sexuality concerns to lure victims into parting with their information or cash.
These types of scams are also creeping up the charts, especially in the country-level top visited sites. For example, in late H2, 2% of Argentina's top 500 sites hosted survey/reward sites. Australia, Spain, Iceland, Hungary and Armenia are also seeing their own share of get-rich-quick or win-something-quick websites.
These types of schemes, however, are generally considered Potentially Unwanted rather than Malicious, and therefore belong to another shade of grey.
figure 1: Comparison of detections in Finland reported by F-Secure's cloud lookup system for the periods 24 - 27 November and 1 - 4 December 2012 (chart: count of detections per day, Sat 24 Nov to Tues 27 Nov 2012 and Sat 1 Dec to Tues 4 Dec 2012)
top domains hosting malware, as listed in alexa's top 1000 domains for h2 2012
DOMAIN            DESCRIPTION
MAIL.RU           blog hosting, file hosting, various services
LETITBIT.NET      file hosting
CLOUDFRONT.NET    content hosting and delivery, various services
DROPBOX.COM       file hosting
HOTFILE.COM       file hosting
FC2.COM           blog hosting, file hosting, various services
GOOGLE.COM        document hosting, file hosting, search engine, various services
COMCAST.NET       site hosting, various services
SENDSPACE.COM     file hosting
4SHARED.COM       file hosting
BLOGSPOT.DE       blog hosting
AMAZONAWS.COM     general hosting, web services, various other services
SAPO.PT           site hosting
UCOZ.COM          site hosting
RAPIDSHARE.COM    file hosting
conclusion
It is truly amazing how much freedom the Internet offers to
its users, and how interconnected it makes its netizens. With
the only prerequisite nowadays being an ability to access the
Internet through whatever device is handy, it has become a
true force for empowerment for people from different corners
of the globe.
The dark side of this renaissance, however, is that malicious behavior is also becoming so empowered that it can strike from any corner of the Internet. Internet safety has been redefined. Although some sites are still safer than others, nothing is 100% safe anymore.
For users, this means that online safety is becoming more and more a personal issue, requiring multiple layers of protection and a healthy dose of paranoia to at least minimize the exposure.
sources
[1] Opensource CMS; CMS Market Share;
http://www.opensourcecms.com/general/cms-marketshare.php
[2] Techcrunch; Keith Teare; Unnatural Acts And The Rise Of Mobile; published 29 Dec 2012;
http://techcrunch.com/2012/12/29/unnatural-acts-and-therise-of-mobile/
[3] F-Secure Weblog; Sean Sullivan; Finnish Website Attack via Rogue Ad; published 5 Dec 2012;
http://www.f-secure.com/weblog/archives/00002468.html
[4] Websense; Dissecting Cleartrip.com website compromise: Malicious ad tactics uncovered; published 29 Jun 2012;
http://community.websense.com/blogs/securitylabs/archive/2012/06/29/cleartrip-com-compromised-maliciousad-tactics-uncovered.aspx
[5] Malekal's site; Malvertising adf.ly => Ransomware Sacem / Police nationale; published 13 Mar 2012;
http://www.malekal.com/2012/03/13/malvertising-adf-lyransomware-sacem-police-nationale/
Note: Ranking data from Alexa.com was cross-checked against a third-party partner's URL rankings. Malware statistics came from F-Secure's cloud lookup systems, for the period August to December 2012.
Multi-platform attacks
The perception that Mac is malware-free while its counterpart Windows is infection-prone is outdated. As Mac grows in popularity
and numbers, malware authors will not ignore this market anymore. The same situation also applies to the mobile operating systems.
With the diversity of platforms and the growing number of devices, it becomes less practical to develop an attack that only works on
a specific system.
In the latter half of 2012, we witnessed several cases of multi-platform attacks where malware is used on different types of operating systems (OS). The attacks consist of multiple components—some are OS-neutral while others are OS-specific, with the OS-neutral components typically serving as the infection vector for the OS-specific ones. In most cases, the components do not belong to the same family and are compilations of different tools obtained from various sources, which range from open source software to programs purchased from the cyber black market.
the emergence of multi-platform attacks
Multi-platform, multi-malware attacks are not a new phenomenon that debuted a few months ago; they have been around for a while. Back in November 2011, the US Federal Bureau of Investigation (FBI) revealed that over four million users were infected with the DNSChanger trojan. This malware, which has been circulating since 2007, infiltrates both Windows and Mac machines by pretending to be a codec installer needed to play pornographic videos. When the installer is downloaded, the website hosting the trojan checks the browser's user agent and then pushes a corresponding installer. This installer then changes the user's Domain Name System (DNS) settings to divert traffic to unsolicited sites. Some variants of DNSChanger may also affect routers [1].
Next, there was the Boonana trojan, which runs on machines with a Java installation, regardless of the host operating system. Unlike previously seen Java malware, which made no special considerations for different platforms, Boonana uses platform-specific components and does not rely entirely on Java to perform its routines. This trojan spread around social networking sites—predominantly Facebook—during the fall of 2010, earning itself the alias 'Koobface.'
Many of us may still remember the Fake Mac Defender rogue that gained coverage back in May 2011. Since it was the first case that came close to an outbreak on the Mac platform, many overlooked the fact that the attack was actually targeting multiple platforms. Similar to the DNSChanger trojan, websites hosting the rogue will push out either a Mac or a Windows version (Figure 1) of the rogue, depending on the information gained from the browser's user agent.
In the first quarter of 2012, an outbreak involving the Flashback trojan on Mac systems brought major attention to the potential of malware targeting non-Windows platforms more seriously [2]. Following Flashback, more attacks targeting non-Windows platforms began to emerge, beginning with a few cases of malicious Java applets exploiting the same vulnerabilities. In the first case [3], the applet checks which platform the user's machine runs on, and then deploys the corresponding platform-specific payload. On a Windows system, the applet installs a typical backdoor component, but on a Mac system, it sets up a free remote access tool called Matahari [4].
The second case involved multiple incidents [5] that were essentially a continuous, multi-wave attack against certain non-governmental organizations (NGOs) that continued until the end of 2012 [6]. It was conducted by sending spearphishing e-mails to potential targets that contained either (a) a malicious link [7] that exploits Java vulnerabilities, or (b) a malicious attachment [8] that exploits Microsoft Office vulnerabilities. Some of the malicious emails contained links that check the browser's user agent and only load an applet carrying the correct platform-specific payload; others indiscriminately loaded all applets, hoping that one would be a match. The differing infection strategies used in the attacks suggest different groups were behind them. Given the sustained nature of the attack, and that the attackers had advance knowledge that the NGOs used a mix of Windows and Mac machines, it's possible that the attacks were targeted and politically motivated.
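The user-agent check that DNSChanger, the Fake Mac Defender pages and the first applet case rely on leaves a trace on the defender's side: a single URL hands different bodies to different platforms. The added example below (not F-Secure's detection logic, and not from the report) sweeps a constructed pipe-delimited proxy export for that pattern; the log format, hostnames, digests and user agents are all assumptions.

```python
"""Spot URLs that hand out a different payload depending on the visitor's
platform, the pattern behind DNSChanger and the fake Mac Defender pages.
Added example; not F-Secure's detection logic.  The log format below is a
constructed pipe-delimited export (timestamp|client|url|status|content-type|
bytes|sha256-prefix|user-agent), not any real proxy's native format."""
import re
from collections import defaultdict

# Ordered: iOS and Android user agents also contain "Mac OS X" / "Linux".
UA_PLATFORM_RULES = [
    ("iOS", re.compile(r"iPhone|iPad|iPod")),
    ("Android", re.compile(r"Android")),
    ("Windows", re.compile(r"Windows NT|Windows Phone")),
    ("Mac", re.compile(r"Macintosh|Mac OS X")),
    ("Linux", re.compile(r"\bLinux\b|X11")),
]

# Response types that deliver runnable code rather than a page.
INSTALLER_TYPES = {
    "application/x-msdownload", "application/x-apple-diskimage",
    "application/java-archive", "application/vnd.android.package-archive",
    "application/octet-stream",
}


def platform_of(user_agent):
    """Coarse platform family from a User-Agent string."""
    for name, pattern in UA_PLATFORM_RULES:
        if pattern.search(user_agent):
            return name
    return "Other"


def parse_line(line):
    """Parse one constructed log line; returns None for malformed input."""
    fields = line.rstrip("\n").split("|", 7)
    if len(fields) != 8:
        return None  # skip rather than abort the whole sweep
    ts, client, url, status, ctype, size, digest, ua = fields
    return {"ts": ts, "client": client, "url": url, "status": status,
            "ctype": ctype.lower(), "digest": digest, "platform": platform_of(ua)}


def find_ua_dependent_payloads(lines):
    """Return {url: {platform: [(content-type, digest), ...]}} for URLs that
    served more than one distinct body across at least two platforms, where at
    least one body is an installer-type response.  The same body to everyone
    (the loader.jar case below) is not flagged here: when the platform switch
    happens inside the applet it needs content analysis, not log analysis."""
    by_url = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == "200":
            by_url[rec["url"]][rec["platform"]].add((rec["ctype"], rec["digest"]))
    hits = {}
    for url, per_platform in by_url.items():
        bodies = set().union(*per_platform.values())
        if (len(per_platform) >= 2 and len(bodies) > 1
                and any(ctype in INSTALLER_TYPES for ctype, _ in bodies)):
            hits[url] = {p: sorted(b) for p, b in per_platform.items()}
    return hits


# Constructed sample: one cloaking URL, one plain page, one applet served uniformly.
WIN = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11"
MAC = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.11"
LIN = "Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20100101 Firefox/17.0"
CLOAKED = "http://codec-update.example/player/install"
LOG = "\n".join([
    f"2012-12-02T10:01:05Z|10.0.0.11|{CLOAKED}|200|application/x-msdownload|314880|9f1c2a|{WIN}",
    f"2012-12-02T10:01:09Z|10.0.0.12|{CLOAKED}|200|application/x-apple-diskimage|512000|4b77e0|{MAC}",
    f"2012-12-02T10:02:30Z|10.0.0.13|{CLOAKED}|200|text/html|2048|d0ff11|{LIN}",
    f"2012-12-02T10:03:00Z|10.0.0.11|http://news.example/index.html|200|text/html|40960|77aa00|{WIN}",
    f"2012-12-02T10:03:02Z|10.0.0.12|http://news.example/index.html|200|text/html|40960|77aa00|{MAC}",
    f"2012-12-02T10:04:00Z|10.0.0.11|http://applet.example/loader.jar|200|application/java-archive|65536|c0de01|{WIN}",
    f"2012-12-02T10:04:01Z|10.0.0.12|http://applet.example/loader.jar|200|application/java-archive|65536|c0de01|{MAC}",
])

if __name__ == "__main__":
    for url, per_platform in find_ua_dependent_payloads(LOG.splitlines()).items():
        print(url)
        for platform, bodies in sorted(per_platform.items()):
            print(f"  {platform:8s} {bodies}")
```

A hit is a triage lead, not a verdict: a vendor's download page legitimately serves an .exe to Windows and a .dmg to Mac, so the analyst still has to look at the bodies. The value of the sweep is that it surfaces the platform-switching URLs at all, which a per-request view never does.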
every platform is fair game, none is spared
More malicious Java applets were found in the second half of 2012 [9,10]. With most effort concentrated on infecting Windows and Mac machines, attackers still manage to spend some time crafting malicious payloads for Linux. But instead of exploiting software vulnerabilities, the applets look to exploit the weakest link in the security chain—uninformed users. The attackers try to make their way into a system by using the free penetration testing tool, Social Engineer Toolkit (SET) [11].
figure 1: Fake Mac Defender equivalent in Windows
Eyeing Windows & non-Windows platforms
As the trend continued to expand, even the Unix platform is not spared. Soon enough, a remote access tool called NetWire (Figure 2) was found being sold in the cyber black market. The tool has server components for Windows, Mac, Linux and Solaris platforms that can be controlled from a single client.
Multi-platform attacks are not limited to the desktop environment. In July 2012, a rogue website distributing a fake Skype installer for mobile devices was discovered [12]. Depending on the device's operating system, the website proceeds with different actions. On Android and Symbian devices, it pushes an APK or Java version of an SMS trojan; on iOS devices, it displays a page that simulates the look of an application installation (Figure 3) even though no installation is taking place.
In a more advanced attack, the same malware may target both desktop and mobile platforms, as in the case of the FinSpy trojan. During a raid on the state security headquarters of Egypt after the 2011 revolution, protesters got hold of a document that revealed a company named Gamma International offering to sell a surveillance suite called FinSpy to the former regime [13].
No actual sample had been seen until last year, when Citizen Lab was able to identify several samples that belong to the suite [14]. The discovered versions include FinSpy for Windows, and FinSpy Mobile [15] for Android, iOS, BlackBerry, Windows Mobile and Symbian. Although no sample was found, a leaked product description mentioned that Mac and Linux versions of the program are also available [16].
Citizen Lab also identified several other samples used in targeted attacks that belong to another surveillance suite called Remote Control System [17]. Only Windows and Mac versions were found, but according to the official promotional video (Figure 4), Android, iOS, BlackBerry, Symbian and Linux versions are also available [18].
the outlook
It is normal for surveillance tools to support multiple platforms. As users increasingly rely on mobile devices to perform daily tasks and even work tasks, surveillance tools are expected to be able to capture these activities' footprint. We can expect that malware encountered in the future that targets both desktop and mobile platforms will still come from a surveillance suite. But instead of developing malware that works on every single platform, the author may focus only on the top desktop and mobile platforms used by mainstream consumers. Aside from surveillance purposes, the trend of malware working on both desktop and mobile environments may not take off. We are not considering Zitmo-like malware here because it is not really targeting mobile devices; the mobile components are just used to complement the desktop components [19].
For malware that focuses on desktop platforms, Windows and Mac will remain the main targets. However, there will likely be a few incidents where Linux is also targeted. In the mobile landscape, it is likely that there will be fewer multi-platform attacks, as Symbian's market share continues to drop and leaves the mobile landscape essentially dominated by one platform - Android.
figure 2: NetWire server generator
figure 3: Fake iOS app installation
figure 4: Remote Control System promotional video
sources

[1] F-Secure Weblog; Sean Sullivan; FBI: Operation Ghost Click; published 10 November 2011;
http://www.f-secure.com/weblog/archives/00002268.html
[2] F-Secure Weblog; Sean Sullivan; Mac Flashback Infections; published 5 April 2012;
http://www.f-secure.com/weblog/archives/00002345.html
[3] Computer Weekly; Warwick Ashford; Malware targets Macs and PCs; published 30 April 2011;
http://www.computerweekly.com/news/2240149271/new-malware-targets-Macs-and-PCs
[4] Matahari: A simple reverse HTTP shell;
http://www.matahari.sourceforge.net
[5] F-Secure Weblog; Broderick Aquilino; More Mac Malware Exploiting Java; published 17 April 2012;
http://www.f-secure.com/weblog/archives/00002348.html
[6] F-Secure Weblog; Sean Sullivan; New Mac Malware Found on Dalai Lama Related Website; published 3 December 2012;
http://www.f-secure.com/weblog/archives/00002466.html
[7] F-Secure Weblog; Sean Sullivan; China Targets Macs Used By NGO #Tibet; published 20 March 2012;
http://www.f-secure.com/weblog/archives/00002334.html
[8] F-Secure Weblog; Sean Sullivan; More Mac Malware (Word Exploit) Targeting NGOs; published 28 March 2012;
http://www.f-secure.com/weblog/archives/00002339.html
[9] F-Secure Weblog; Karmina Aquino; Multi-Platform Backdoor Lurks in Colombian Transport Site; published 9 July 2012;
http://www.f-secure.com/weblog/archives/00002397.html
[10] F-Secure Weblog; Broderick Aquilino; Multi-Platform Backdoor with Intel OS X Binary; published 13 July 2012;
http://www.f-secure.com/weblog/archives/00002400.html
[11] TrustedSec; Social Engineer Toolkit;
https://www.trustedsec.com/downloads/social-engineer-toolkit/
[12] F-Secure Weblog; Karmina Aquino; Not Your Normal Skype Download; published 9 July 2012;
http://www.f-secure.com/weblog/archives/00002396.html
[13] F-Secure Weblog; Mikko Hyppönen; Egypt, FinFisher Intrusion Tools and Ethics; published 8 March 2011;
http://www.f-secure.com/weblog/archives/00002114.html
[14] CitizenLab; From Bahrain With Love: FinFisher’s Spy Kit Exposed?; published 25 July 2012;
https://citizenlab.org/2012/07/from-bahrain-with-love-finfishers-spy-kit-exposed/
[15] CitizenLab; The SmartPhone Who Loved Me: FinFisher Goes Mobile?; published 29 August 2012;
https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/
[16] Wikileaks; FinSpy: Remote Monitoring & Infection Solutions;
http://wikileaks.org/spyfiles/files/0/289_gAMMA-201110-FinSpy.pdf
[17] CitizenLab; Backdoors are Forever: Hacking Team and the Targeting of Dissent; published 10 October 2012;
https://citizenlab.org/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/
[18] HackingTeam; The Solution;
http://www.hackingteam.it/index.php/remote-control-system
[19] F-Secure Weblog; Sean Sullivan; Berlin Police: Beware Android Banking Trojans; published 15 November 2012;
http://www.f-secure.com/weblog/archives/00002457.html
Mobile
[Figure 1 chart: new families and variants received per quarter, Q1-Q4 2012, by platform (J2ME, Windows Mobile, Symbian, iOS, Android, BlackBerry, all threats); vertical axis 10-100]
The mobile threat landscape continues to be focused on two platforms—Android, which accounted for 79% of all new malware variants identified in 2012, and Symbian, with 19% of the remaining new variants. Though previously identified threats from past years continued to trouble users of most mobile platforms, there was little active malware development, with only a single new variant identified on the BlackBerry and PocketPC platforms in the whole of 2012, and only two new variants for the iPhone and Java ME (J2ME). Instead, malware authors have focused the main thrust of their efforts on the two most common mobile platforms today—Android and Symbian.
android
In the third quarter of 2012, Android reportedly accounted for 75% of the global smartphone market, or three out of every four phones shipped during that quarter, effectively making it the most common mobile operating system in the world [1].
In addition, in Q2 2012, China officially surpassed the United States as the world's largest market for smartphone consumers. Android handsets accounted for 81% of that market, so it is probably not surprising that many of the new malware families we detected last year were targeted specifically at Android users in mainland China.
data-stealing and profit-making
Given its dominance, the Android platform has naturally become the main target for active malware development, with a total of 238 new, unique variants found on the platform during that period.
The majority of this malware is distributed as trojanized apps, in which a legitimate program has been engineered to include a malicious component. Most of the new variants found are categorized as trojans or monitoring tools, which are able either to compromise the user's data or to track the user's movements and activities.
Much like their Symbian counterparts, these malware generally attempt to profit from the user by silently subscribing them to premium SMS-based services, or by placing calls to premium-rate numbers. The confidential data harvested from these devices is often silently forwarded to a remote server, presumably for future use in an unwanted context.
Boosting security
Meanwhile, during 2012 Google continued efforts to enhance security on the Android platform, particularly in the Play Store (the rebranded Android Market). These efforts included the addition of exploit mitigation features in the 4.1 update [2] and an (optional) app verification feature in the 4.2 update [3].
For users who were, for various reasons, unable to receive these updates, another security measure came in the form of Bouncer, an app-scanning security tool in the Play Store that reportedly reduced the number of malicious apps offered through the app market.
figure 1: new malware families and variants received per quarter throughout 2012
The ever-expanding threat market
In addition, in September 2012 Google bought VirusTotal [4], a file analysis service. Though the company has not announced its future plans or detailed how it would integrate the newly acquired service into its security mechanisms, presumably the purchase will be instrumental in boosting the platform's security capabilities.
Though the effectiveness of Google's security-related efforts
has come under criticism, they do represent concrete steps
towards better protecting the data and device security of
Android users. As Android continues its apparently unstoppable
domination of the mobile platform market—thereby making
itself the favoured target for malware developers—device and
data security will continue to be an important issue to users on
this platform.
symbian
In stark contrast to the Symbian roadmap, the malware scene is
far from dead. The most common origin of malware for Symbian
today is, as it has been for a while, China. Other countries are
still represented on our radar, but there are differences in the
quality and quantity. What we see is that whereas western
countries generally encounter commercial spyware targeted
to mobile users, malware in China is predominantly aimed at
monetizing the victim.
mechanics of monetization
Given the sheer number of Symbian devices in circulation in China, a malware author does not need to infect a significant fraction of the mobile phones in order to generate revenue.
The easiest, most logical way to turn an infection into money
is to use the built-in billing mechanism and send out SMS
messages that silently subscribe the user to premium services.
A more sophisticated method—placing automated calls to
premium rate numbers—is only slightly more challenging.
We have also seen Chinese malware that emulates user
behavior and silently uses WAP services, which is then billed
through the mobile operator. Similarly, some malware families
have the capability to act as scripted bots, playing regular,
albeit simple browser-based games online.
data-stealing, stealthy behavior and self-protection
A typical Symbian malware is a trojan masquerading as a system update or a legitimate application. The capability model designed to protect the device from harmful software installation allows signed applications to do things that one would not expect. For example, roughly the same set of capabilities is required by a legitimate action game and by an application that can download and install new software from the Internet without user intervention.
Nearly every malicious Symbian application uses programmatic access to the device's International Mobile Equipment Identity (IMEI) and International Mobile Subscriber Identity (IMSI) numbers. Profit-driven malware may also access the user's core personal information, such as SMS messages, location and voice or user input. We have seen many examples of malware reading the Contacts database, primarily to send out unsolicited and malicious SMS messages to those contacts.
Hiding malicious activity from the user is a defining characteristic of malware. Many samples present a believable front to the user as a distraction. Others simply hide their presence—for example, most legitimate Symbian applications include an application icon that the user can select to launch the program; most malware lacks this, and silently launches itself during installation and device boot.
Mobile threats motivated by profit, 2012
figure 2: Breakdown of profit-motivated vs not profit-motivated malware in 2012 (chart per quarter, Q1 2012 to Q4 2012; series: profit-motivated, not profit-motivated; values shown on the chart: 32, 40, 34, 27, 26, 42, 33, 67)
Other malware is stealthier and avoids detection by suppressing regular system notifications, by terminating the system process responsible for displaying message indications on the screen, or even by temporarily changing the message ringtone to Silent. Any logged system events are purged from the device afterwards.
Nearly every Symbian malware contacts a remote server over the Internet. Most samples simply retrieve new software to silently install, but based on static analysis, some also include functionality that allows a user (the attacker) to remotely trigger any of its functions via a configuration or custom script. Communication is typically scrambled or encrypted.
A common tactic used by malware to hide instructions sent from a remote attacker is to listen for incoming SMS messages by hooking a low-level system API, then capturing the messages from the attacker before the system can deliver them to the user's Inbox. Another common tactic is to wait until the phone is not in the user's immediate control before performing any malicious actions, as detecting idle mode is very easy.
Many malicious apps try to prevent detection by security products, usually by detecting the security program's running processes and terminating them. More aggressively, they can uninstall the security product completely. The malware can also prevent the user from uninstalling a suspicious or unwanted app by terminating the uninstaller application, preventing any attempt at removal.
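The indicators in the last few paragraphs (silent premium SMS, IMEI/IMSI access, missing icon with autostart, SMS hooking, notification suppression, process killing) lend themselves to a behavioural triage score, which the added example below sketches; it is not F-Secure's scoring and not from the report. The profiles are constructed, the behaviour labels are an assumed analyst vocabulary rather than real Symbian API names, and the weights and thresholds are illustrative. It also shows why capabilities alone do not discriminate, as the capability model paragraph notes.

```python
"""Behavioural triage for a Symbian app, following the indicators the text
describes (silent premium SMS, IMEI/IMSI access, hidden icon with autostart,
SMS hooking, notification suppression, killing security processes).  Added
example; not F-Secure's scoring.  The profiles are constructed: the behaviour
labels are assumed outputs of an analyst's static/dynamic pass, not real API
names, and the weights and thresholds are illustrative."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AppProfile:
    name: str
    capabilities: frozenset   # Symbian platform-security capabilities requested
    has_icon: bool            # launcher icon present in the application shell
    autostart: bool           # registered to launch at boot / right after install
    behaviours: frozenset     # observed behaviour labels (constructed vocabulary)


# (indicator, weight, predicate).  Capabilities are deliberately absent here:
# as the text notes, a legitimate game and a silent installer request much
# the same set, so they do not discriminate on their own.
INDICATORS = [
    ("silently sends SMS to a short code", 4, lambda a: "sms_send_shortcode" in a.behaviours),
    ("installs software without a prompt", 4, lambda a: "silent_install" in a.behaviours),
    ("hooks the SMS receive path", 3, lambda a: "hooks_sms_receive" in a.behaviours),
    ("suppresses notifications or purges logs", 3, lambda a: "suppress_notifications" in a.behaviours),
    ("terminates other processes", 3, lambda a: "kills_processes" in a.behaviours),
    ("no launcher icon but autostarts", 3, lambda a: a.autostart and not a.has_icon),
    ("reads IMEI/IMSI", 2, lambda a: "reads_imei_imsi" in a.behaviours),
    ("reads contacts and also sends SMS", 2,
     lambda a: "reads_contacts" in a.behaviours and "sms_send_shortcode" in a.behaviours),
]


def assess(app):
    """Return (score, [triggered indicator names]) for one app profile."""
    triggered = [(label, weight) for label, weight, pred in INDICATORS if pred(app)]
    return sum(w for _, w in triggered), [label for label, _ in triggered]


def verdict(score):
    """Illustrative thresholds; a real pipeline would tune these on labelled data."""
    if score >= 8:
        return "likely malicious"
    if score >= 3:
        return "suspicious"
    return "no behavioural indicators"


def shared_capabilities(a, b):
    """Capabilities two apps have in common, to show how little they separate them."""
    return a.capabilities & b.capabilities


# Constructed profiles.  The game and the fake update ask for nearly the same
# capabilities; only the observed behaviour tells them apart.
COMMON_CAPS = frozenset({"NetworkServices", "LocalServices", "ReadUserData", "WriteUserData"})
SAMPLES = [
    AppProfile("ActionGame", COMMON_CAPS | {"UserEnvironment"}, True, False,
               frozenset({"http_fetch"})),
    AppProfile("ContactsBackup", COMMON_CAPS, True, True,
               frozenset({"reads_contacts", "reads_imei_imsi", "http_fetch"})),
    AppProfile("SystemUpdate", COMMON_CAPS | {"ReadDeviceData", "SwEvent"}, False, True,
               frozenset({"sms_send_shortcode", "silent_install", "hooks_sms_receive",
                          "suppress_notifications", "kills_processes", "reads_imei_imsi",
                          "reads_contacts"})),
]


def triage(apps=SAMPLES):
    """Score every profile; returns {name: (score, verdict)}."""
    result = {}
    for app in apps:
        score, _ = assess(app)
        result[app.name] = (score, verdict(score))
    return result


if __name__ == "__main__":
    for app in SAMPLES:
        score, hits = assess(app)
        print(f"{app.name:15s} score={score:2d} {verdict(score)}")
        for hit in hits:
            print(f"    - {hit}")
    print("game/update shared caps:", sorted(shared_capabilities(SAMPLES[0], SAMPLES[2])))
```

The point of the weighting is that no single indicator is damning (a backup tool legitimately reads contacts and the IMEI), while the combination the text describes, hidden autostart plus silent SMS plus process killing, is hard to explain innocently and scores accordingly.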
future outlook
Of late, we have noticed that components are being reused across Symbian malware and that the malware has begun to resemble engineered products rather than the hacked-together snippets of copy-pasted code they used to be.
It is hard to tell whether the malware authors are just elevating
the level of grunt software engineering by bringing in
modularization and dynamic features, or deliberately doing so
to make the analysis and reverse engineering harder. It may be
that a combination of both motivations is at work here. Either
way, it’s an indication that Symbian malware will continue to
evolve and remain a threat to users in markets such as China,
where the platform is still going strong.
sources

[1] IDC; IDC - Press Release: Android Marks Fourth Anniversary Since Launch with 75.0% Market Share in Third Quarter, According to IDC;
published 1 Nov 2012;
http://www.idc.com/getdoc.jsp?containerId=prUS23771812#.UPzbakU3S3A
[2] Android Developers; Jelly Bean Android 4.1;
http://developer.android.com/about/versions/jelly-bean.html
[3] Android Developers; Jelly Bean Android 4.2;
http://developer.android.com/about/versions/jelly-bean.html
[4] Virustotal Blog; An update from VirusTotal; published 7 Sep 2012;
http://blog.virustotal.com/2012/09/an-update-from-virustotal.html
Sources
H2 2012 Incidents Calendar
1. F-Secure Weblog; DNSChanger Wrap Up; published 9 Jul 2012;
http://www.f-secure.com/weblog/archives/00002395.html
2. F-Secure Weblog; Multi-platform Backdoor with Intel OS X Binary; published 13 Jul 2012;
http://www.f-secure.com/weblog/archives/00002400.html
3. F-Secure Weblog; Emails from Iran; published 23 Jul 2012;
http://www.f-secure.com/weblog/archives/00002403.html
4. F-Secure Weblog; Gauss: the Latest Event in the Olympic Games; published 10 Aug 2012;
http://www.f-secure.com/weblog/archives/00002406.html
5. F-Secure Weblog; Blackhole: Faster Than the Speed of Patch; published 28 Aug 2012;
http://www.f-secure.com/weblog/archives/00002414.html
6. F-Secure Weblog; Java SE 7u7 AND SE 6u35 Released; published 30 Aug 2012;
http://www.f-secure.com/weblog/archives/00002415.html
7. F-Secure Weblog; Cosmo The Hacker God; published 13 Sep 2012;
http://www.f-secure.com/weblog/archives/00002427.html
8. F-Secure Weblog; It’s Out of Cycle Patch Friday; published 21 Sep 2012;
http://www.f-secure.com/weblog/archives/00002431.html
9. F-Secure Weblog; Backdoor:OSX/Imuler.B No Likes Wireshark; published 24 Sep 2012;
http://www.f-secure.com/weblog/archives/00002432.html
10. F-Secure Weblog; Samsung TouchWiz Devices Vulnerable to Mischief; published 26 Sep 2012;
http://www.f-secure.com/weblog/archives/00002434.html
11. F-Secure Weblog; Adobe Cert Used to Sign Malware; published 28 Sep 2012;
http://www.f-secure.com/weblog/archives/00002435.html
12. F-Secure Weblog; Hackable Huawei; published 10 Oct 2012;
http://www.f-secure.com/weblog/archives/00002442.html
13. CitizenLab; Morgan Marquis-Boire; Backdoors are Forever: Hacking Team and the Targeting of Dissent; published 10 October 2012;
http://citizenlab.org/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/
14. F-Secure Weblog; New Variant of Mac Revir Found; published 14 Nov 2012;
http://www.f-secure.com/weblog/archives/00002455.html
15. F-Secure Weblog; Berlin Police: Beware Android Banking Trojans; published 15 Nov 2012;
http://www.f-secure.com/weblog/archives/00002457.html
16. F-Secure Weblog; Cool-er Than Blackhole?; published 16 Nov 2012;
http://www.f-secure.com/weblog/archives/00002458.html
17. F-Secure Weblog; A New Linux Rootkit; published 20 Nov 2012;
http://www.f-secure.com/weblog/archives/00002459.html
18. F-Secure Weblog; Google Joins World War 3.0; published 23 Nov 2012;
http://www.f-secure.com/weblog/archives/00002461.html
19. F-Secure Weblog; Next Week: “World War”; published 23 Nov 2012;
http://www.f-secure.com/weblog/archives/00002443.html
20. The Register; Iain Thomson; Syria cuts off internet and mobile communications; published 29 Nov 2012;
http://www.theregister.co.uk/2012/11/29/syria_internet_blackout/
21. F-Secure Weblog; New Mac Malware Found on Dalai Lama Related Website; published 3 Dec 2012;
http://www.f-secure.com/weblog/archives/00002466.html
22. F-Secure Weblog; Finnish Website Attack via Rogue Ad; published 5 Dec 2012;
http://www.f-secure.com/weblog/archives/00002468.html
23. The Register; John Leyden; Major £30m cyberheist pulled off using MOBILE malware; published 7 Dec 2012;
http://www.theregister.co.uk/2012/12/07/eurograbber_mobile_malware_scam/
24. F-Secure Weblog; Australian Medical Records Encrypted, Held Ransom; published 10 Dec 2012;
http://www.f-secure.com/weblog/archives/00002469.html
25. The Register; Neil McAllister; Dexter malware targets point of
sale systems worldwide; published 14 Dec 2012;
http://www.theregister.co.uk/2012/12/14/dexter_malware_
targets_pos_systems/
26. The Register; Phil Muncaster; 10,000 Indian government and
military emails hacked; published 21 Dec 2012;
http://www.theregister.co.uk/2012/12/21/indian_government_
email_hacked/
F-Secure in Brief
F-Secure has been protecting the digital lives of consumers and businesses for over 20 years. Our Internet security and content cloud services are available through over 200 operators in more than 40 countries around the world and are trusted in millions of homes and businesses.
In 2011, the company’s revenues were EUR 146 million and it has over 900 employees in more than 20 offices worldwide. F-Secure Corporation has been listed on NASDAQ OMX Helsinki Ltd. since 1999.
Protecting the Irreplaceable
F-Secure proprietary materials. © F-Secure Corporation 2013. All rights reserved.
F-Secure and F-Secure symbols are registered trademarks of F-Secure Corporation, and F-Secure names and symbols/logos are either trademarks or registered trademarks of F-Secure Corporation.