THREAT ROUNDUP - Trend Micro

celerymoldwarp | Security
3 Dec 2013 (3 years and 6 months ago)

THREAT ROUNDUP

The Trend Micro Quarterly Roundup reports present key security highlights and developing trends in the current threat landscape.

September 30, 2011
Quarterly Threat Roundup | 3Q 2011 Threat Roundup

IN THIS ISSUE
Trend Micro researchers and analysts were instrumental in uncovering various cybercriminal operations this quarter. In an effort to aid law enforcement authorities, they uncovered some popular FAKEAV affiliate networks and a particular SpyEye operation, which may bring authorities one step closer to catching the perpetrators.

Similar to the previous quarters, in the past three months we witnessed an increase in the Android malware volume, more enhancements to notorious crimeware toolkits such as ZeuS and SpyEye, as well as the proliferation of survey scams in social media. As in the previous months, cybercriminals continued to employ very enticing social engineering tactics to lure targets.

Unlike in the preceding half of the year, however, mass compromises seemingly decreased in number, most probably due to the shift to launching targeted attacks, particularly against large enterprises and government institutions.
DATA BREACHES AND HIGHLY TARGETED ATTACKS
South Korea Data Breaches

The SK Communications data breach this July affected at least 35 million users in South Korea. Cyworld and NATE, subsidiaries of SK Communications, one of the most popular social networking, telecommunications, and instant-messaging service providers in the country, were among those greatly affected by the incident. Client information such as email addresses, user names, and contact details, among others, was stolen. SK Communications sent out an advisory soon after the breach’s discovery.

A week after reports of the SK Communications data breach came out, Trend Micro analysts discovered a malware now detected as BKDR_SOGU.A, which may have been related to the incident. Upon analysis, we found that when executed, the backdoor had the capability to access databases stored in infected systems in order to gather data. It also allowed remote malicious users to send commands to infected systems, thus compromising their security.

After another week, ESTsoft, a South Korean software vendor, came forward and disclosed that it may have also suffered the same fate. In a public statement, the company admitted that one of its software update servers was also compromised with the aid of the same backdoor program used in the SK Communications attack. Based on ESTsoft’s investigation, one of its DLL update modules had a common vulnerability that allowed attackers to drop BKDR_SOGU.A onto the systems of its product users. In an effort to resolve the issue, ESTsoft released a patch for the said vulnerability and pushed it as an update on August 4.
Spate of Highly Targeted “LURID Downloader” Attacks

More recently, variants of the LURID malware family were used in what was dubbed the “LURID Downloader attacks” that targeted major companies and institutions in 61 countries, including Russia, Kazakhstan, and the Ukraine. In what is considered an advanced persistent threat (APT), the cybercriminals behind the attacks launched over 300 malware campaigns to collect data from their targets.

Based on Trend Micro researchers’ analysis, the perpetrators sent out email that urged targets to open a malicious file attachment. Users who were tricked into doing so ended up executing malicious code that exploited vulnerabilities in Microsoft Office and Adobe Reader (i.e., CVE-2009-4324 and CVE-2010-2883). Infection allowed attackers to obtain confidential data from and to take full control of affected users’ systems over an extended period of time.

The backdoor program also had the ability to access a network of command-and-control (C&C) servers that made use of 15 domain names and 10 IP addresses, which allowed the attackers to issue commands to compromised systems. The targeted nature of the campaigns for specific geographic locations and entities added to the success of this spate of attacks, allowing them to compromise as many as 1,465 systems.
Rank  Country      Infection Count
1     Russia       1,063
2     Kazakhstan   325
3     Ukraine      102
4     Vietnam      93
5     Uzbekistan   88
6     Belarus      67
7     India        66
8     Kyrgyzstan   49
9     Mongolia     42
10    China        39
Table 1. Most targeted countries in the LURID Downloader attacks
A more detailed discussion of the LURID Downloader attacks can be found in the Trend Micro research paper, “The ‘Lurid’ Downloader.”

The data breaches and highly targeted attacks mentioned above show that the threat landscape is indeed changing. Cybercriminals are limiting their focus in terms of target—by region as in the South Korea data breaches or by industry as in the LURID Downloader attacks.
VULNERABILITY EXPLOITS
osCommerce Mass Compromise

The exploitation of various vulnerabilities in the osCommerce software led to a mass compromise in July. An estimated 90,000 Web pages were injected with an iframe that pointed to malicious sites hosting an exploit kit.

Several e-commerce websites fell prey to the attack. According to a Trend Micro threat response engineer, the malware used in this attack, TROJ_JORIK.BRU, gathered the information it needed then immediately deleted itself from infected systems to evade detection. To resolve the vulnerabilities exploited in the attack, osCommerce’s developers strongly advised the owners of sites that use their software to update to the latest version and to check their sites for signs of code injection.
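As an added example that is not part of the Trend Micro report, the following Python script performs the kind of code-injection check the osCommerce developers recommended: it walks a page’s HTML and flags <iframe> elements that point off-site or are styled to be invisible, the pattern the mass compromise relied on. The site hostname and the sample page are constructed assumptions for this example.

```python
# Added example (not from the report): audit HTML for injected, hidden or off-site
# iframes of the kind used in the osCommerce mass compromise.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

SITE_HOST = "shop.example.com"  # assumption: hostname of the site being audited

# CSS tricks commonly used to keep an injected frame out of sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|position\s*:\s*absolute.*?(left|top)\s*:\s*-\d",
    re.I,
)


class IframeAuditor(HTMLParser):
    """Collects every <iframe> and records why each one looks suspicious."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        # A frame loading content from a foreign host is the core signal.
        if host and host != self.site_host and not host.endswith("." + self.site_host):
            reasons.append("off-site src: " + host)
        # Zero- or one-pixel frames are a classic way to hide an exploit-kit page.
        w, h = a.get("width", ""), a.get("height", "")
        if w.strip("px ") in ("0", "1") or h.strip("px ") in ("0", "1"):
            reasons.append("tiny dimensions %sx%s" % (w or "?", h or "?"))
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden via CSS")
        if reasons:
            self.findings.append({"src": src, "reasons": reasons})


def scan_html(html, site_host=SITE_HOST):
    """Return a list of suspicious iframes found in one HTML document."""
    p = IframeAuditor(site_host)
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample: a product page with one legitimate same-site frame and one
# injected, hidden, off-site frame of the kind described above.
SAMPLE_PAGE = """<html><body>
<h1>Catalog</h1>
<iframe src="https://shop.example.com/cart" width="400" height="300"></iframe>
<iframe src="http://malicious.invalid/in.php" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE):
        print(f["src"], "->", "; ".join(f["reasons"]))
```

Run it over every stored page or template of the shop; a legitimate same-site frame yields no finding, while the injected one is reported with all three reasons.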
Targeting Defense Companies

This quarter, cybercriminals staged exploit attacks targeting defense companies in several countries, including the United States and Japan. The first attack involved spam with malicious .PDF attachments that Trend Micro detects as TROJ_PIDIEF.EED. Analysis showed that when executed, this Trojan drops a backdoor program we detect as BKDR_ZAPCHAST.QZ. This backdoor can receive commands from a remote malicious user, compromising the security of victims’ systems.

The attackers commanded compromised systems to gather network information and to download certain custom .DLL files that Trend Micro now detects as BKDR_HUPIG.B. They also commanded the compromised systems to download certain tools that would permit them to move about the victims’ networks. The said tools turned out to be remote access Trojans (RATs) that we detect as BKDR_HUPIGON.ZXS and BKDR_HUPIGON.ZUY. These RATs allowed remote malicious users to take full control of compromised systems.

A few days later, Adobe also released an out-of-band security patch to address CVE-2011-2444, another vulnerability cybercriminals have been abusing in a targeted attack in order to compromise victims’ systems and/or networks.
Vulnerability Statistics

From being the top vendor in terms of reported vulnerabilities in products in the second quarter, Microsoft dropped to the third spot this quarter. Google ousted last quarter’s top vendor after several reports of existing vulnerabilities in Chrome. Note, however, that none of the vulnerabilities in Chrome were as severe as some of those found in Microsoft products. The increase in the number of attacks targeting Chrome may primarily be due to the browser’s increasing usage and popularity. The speed at which Chrome is developed, which limits the amount of time for internal and external bug testing prior to product release, may have something to do with Google’s rise in ranking as well.

The number of reported vulnerabilities in Oracle products also rose, most probably due to the vendor’s acquisition of Sun Microsystems and its Java products. The fact that Oracle’s codebase is rather large and complicated to maintain may have also contributed to the rise in the number of exploitable bugs in its products, causing it to climb from fifth place in the second quarter to second place this quarter.
Rank  2Q 2011 Vendor  Reported Vulnerabilities  3Q 2011 Vendor  Reported Vulnerabilities
1     Microsoft       96                        Google          82
2     Google          65                        Oracle          63
3     Adobe           62                        Microsoft       58
4     HP              57                        Apple           49
5     Oracle          50                        Adobe           43
6     IBM             48                        IBM             39
7     Mozilla         38                        Mozilla         39
8     Linux           31                        Opera           36
9     Cisco           30                        HP              25
10    Sun             29                        Cisco           20
Table 2. Top 10 vendors in terms of number of distinct reported vulnerabilities
In the second quarter, we observed a continuous drop in the number of exploitable bugs from April to June. This quarter, meanwhile, the number of exploitable bugs intermittently rose and fell from month to month.

2Q 2011 Month  Reported Vulnerabilities  3Q 2011 Month  Reported Vulnerabilities
April          312                       July           307
May            295                       August         294
June           294                       September      389
Source: http://cve.mitre.org/
Table 3. Overall number of reported vulnerabilities per month
MOBILE ATTACKS
Third-Generation DroidDreamLight Variant

Trend Micro threat analysts came across a new DroidDreamLight variant with enhanced capabilities and routines. Disguised as battery-monitoring or task-listing tools or apps that allow users to see a list of permissions installed apps utilize, copies of this new Android malware littered a Chinese third-party app store. This particular variant, which Trend Micro now detects as ANDROIDOS_DORDRAE.N, had the ability to obtain call logs, text messages, contact details, Google account details, and other information saved in infected devices. Apart from having additional data theft routines, this new variant’s code also featured other changes, one of which allowed it to update its configuration file. Like previous variants, this malware sends stolen data to a specific URL.
Other Notable Android Malware Attacks

Trend Micro security experts also came across several other Android malware in both the Android Market and third-party app stores. Two of these malware were Trojanized versions of games, namely, “Fast Racing,” which Trend Micro now detects as ANDROIDOS_SPYGOLD.A aka GoldDream, and “Coin Pirates,” detected as ANDROIDOS_PIRATES.A.

Trend Micro engineers also came across Android malware types that came in the guise of a variety of apps. These include ANDROIDOS_LUVRTAP.B, which came in the form of either a love test, an e-book reader, or a location tracker app; a premium service abuser, which we detect as ANDROIDOS_AUTOSUBSMS.A; and fake spying tools such as ANDROIDOS_NICKISPY.A and ANDROIDOS_NICKISPY.C, which gather confidential information from infected devices.

NICKISPY variants are known for monitoring affected users’ activities and whereabouts, including their text messages, phone call logs, and geographic locations. For a long time, we wondered what happens to the information stolen from infected Android-based devices. In August, a Trend Micro researcher found a Chinese site that offers access to information stolen from Android-based devices for a certain fee. This site provides one example of how cybercriminals can monetize stolen data from users’ infected mobile devices.

For more details on the various Android malware we have seen so far, check out “A Snapshot of Android Threats [INFOGRAPHIC].”
Fake Opera Apps

Two mobile malware posing as Opera Mini (aka ANDROIDOS_FAKEBROWS.A) and as Opera Mobile (aka J2ME_FAKEBROWS.A) were recently found in the wild. Both malware were premium service abusers that sent out text messages to premium service numbers without the users’ knowledge. J2ME_FAKEBROWS.A affects mobile devices that support MIDlets—applications that use the Mobile Information Device Profile (MIDP) of the Connected Limited Device Configuration (CLDC) for the Java ME environment.

Cybercriminals are clearly not limiting their range of targets in terms of platform, as they also create malware for devices running mobile OSs other than Android.
SOCIAL NETWORKING SCAMS
Celebrity Deaths and Natural Disasters

This quarter, we were met with three Facebook scams that leveraged two topics that reliably pique users’ interest—celebrity news and natural disasters. One scam abused news of Amy Winehouse’s death while another leveraged Lady Gaga’s supposed death. Both scams used Wall posts that led to either a survey page or to an advertising site, which put users at risk.

The huge following of “The Twilight Saga” movies did not escape cybercriminal interest as well. As early as August, attackers spread Facebook Wall posts that enticed users to click a malicious link in order to get free tickets to “The Twilight Saga: Breaking Dawn Part 2.” As in other survey scams, of course, all the users ended up with were potential security risks.

Cybercriminals also did not pass up the opportunity to lure Facebook users in search of news of Hurricane Irene into their traps. This particular scam led users who wanted to watch a supposed video to advertising sites instead.
More Social Networking Sites, More Threats

Despite Facebook’s continuing reign in terms of social media popularity, less-known social networking sites like Google+ and LinkedIn also had their time in the cybercrime spotlight. In the first half of July, Trend Micro engineers came across a page that enticed users to click a link to get free invitations to Google’s latest stab at taking a slice of the social media pie—Google+. Instead of invitations to join the site, however, all the users got was an “opportunity” to take part in a survey that put them at risk.

A week earlier, LinkedIn also had its time in the spotlight when cybercriminals used it as a redirector. Users who were tricked into clicking the malicious link to a supposed Justin Bieber video were redirected to a page under LinkedIn’s domain before landing on another survey page with the aid of a malicious script that Trend Micro detects as JS_FBJACK.D.
Other Notable Social Media Attacks

Apart from the various survey scams seen this quarter, Trend Micro threat experts also found Facebook scams that used fake friend request notifications to infect users’ systems with a ZBOT variant we detect as TSPY_ZBOT.FAZ.

To know more about the threats users commonly encounter in social networking sites, check out “The Geography of Social Media Threats [INFOGRAPHIC].”
TOP SYSTEM INFECTORS
Spam Runs and Banking Trojans

The most notorious spam runs this quarter led to the download and execution of two banking Trojans. The first campaign featured a spam that supposedly came from the Spain National Police. Users who clicked the link embedded in the message’s body downloaded TROJ_BANLOD.QSPN onto their systems. When executed, this malware downloads another malware Trend Micro detects as TSPY_BANCOS.QSPN. Like other BANKER Trojans, this gathers personal information, particularly related to financial institutions such as Caixa, Cajasol, and Banco Popular, from affected users’ systems. The most notable factor, however, in this attack was the cybercriminals’ use of compromised sites and phone-home URLs, which allowed them to confirm the success of system infections and to update the spyware so it could more effectively evade detection.

The second campaign featured a spam that supposedly came from the Internal Revenue Service (IRS). Users who clicked a link embedded in the message’s body downloaded a LICAT variant we detect as TSPY_ZBOT.WHZ onto their systems. Like other LICAT variants, this malware generates URLs to access in order to update its configuration file, which contains a list of sites it will monitor and to which it will send stolen information.

Apart from the two data theft-related spam runs above, we also saw a noticeable spike in the volume of spam with malicious attachments, some of which were vacation related.
Spam Statistics

As in the previous quarter, India and South Korea continued to be part of the top 3 spam-sending countries. Surprisingly, however, the United States, which commonly takes the top spot, was not on the top 10 spam-sending countries list. As the top spam-sending countries are also the most spambot-infected ones, the United States’ drop in ranking possibly indicates a lower infection level. This may be a result of the botnet takedowns that occurred in the last few months.

Figure 1. Top 10 spam-sending countries in 3Q 2011
The top 3 spam languages this quarter remained English, German, and Russian, as in the two previous quarters.

Figure 2. Top 10 spam languages in 3Q 2011

For a more comprehensive discussion of the current state of the spam landscape, check out “Spam in Today’s Business World.”
ZeuS Updates and Stealthier Variants

ZeuS’s source code leakage may have led to the proliferation of variants that have been dubbed “Ice IX.” This new type of ZeuS variant boasts of better protection against tracking.

Trend Micro researchers also got hold of an updated ZBOT sample, now detected as TSPY_ZBOT.IMQU, which may have been created with ZeuS version 2.3.2.0. This particular variant exhibited enhanced decryption and encryption routines, making its configuration file more difficult to analyze compared with previous variants. It also showed signs of possible use for a global campaign targeting financial institutions from countries such as the United States, Germany, Brazil, Spain, and Hong Kong.
Other Notable Malware Attacks

This quarter, Trend Micro engineers came across several other notable malware, including a rootkit, two worms, and Bitcoin miners. The rootkit, detected as RTKT_POPUREB.A, is capable of overwriting an infected system’s Master Boot Record (MBR). The rootkit, along with TROJ_POPUREB.SMB, is written by TROJ_POPUREB.SMA on an infected system’s disk. These malware arrive on systems when users visit malicious sites and steal personal information stored on infected systems.

Although not as notorious as ZeuS and SpyEye operations these days, the KOOBFACE gang has taken to spreading Trojanized applications, which we detect as WORM_KOOBFACE.AV, in torrent peer-to-peer (P2P) sharing networks. This malware allows a torrent client process to run on infected systems without the users’ knowledge, turning them into “peers” that seed or host malicious binaries. The shift to spreading via P2P networks from social media may be a result of the social networking sites’ efforts to prevent the KOOBFACE botnet from abusing their framework. This does not, however, mean the gang has stopped luring victims via social networking sites.

Our engineers also found WORM_MORTO.SMA, which spread via the Remote Desktop Protocol (RDP). This worm, with the aid of a .DLL component, WORM_MORTO.SM, can give attackers full control of infected systems and of entire networks by allowing them to log in using administrator accounts.

We have also been seeing various Bitcoin-related attacks featuring a number of what have been dubbed “Bitcoin miners.” In the last three months, we came across Bitcoin miners such as BKDR_BTMINE.MNR and BKDR_BTMINE.DDOS as well as a related grayware, HKTL_BITCOINMINE. Cybercriminals turned users’ systems into Bitcoin miners so they would not overwork their own systems due to the resource-intensive mining process. For more detailed information on what Bitcoins are, how Bitcoin mining works, and why we are seeing more Bitcoin miners in the threat landscape, check out “Cashing in on Cybercrime: New Malware Target Bitcoin.”
Malware Statistics

As in the previous quarters, WORM_DOWNAD.AD and CRCK_KEYGEN (a serial key generator) remained the top 2 malware. It is interesting to note that although the URLs that DOWNAD/Conficker uses to call home have long been dead, a DOWNAD variant continued to rank first in the top malware list. This may, however, not be about system protection against malware but about setting and enforcing good security policies. Meanwhile, HKTL_KEYGEN (a hacking tool) ousted ADW_SAHAGENT (an adware) from the top 3 spot and out of this quarter’s top 5.

Rank  Malware Detection Name
1     WORM_DOWNAD.AD
2     CRCK_KEYGEN
3     HKTL_KEYGEN
4     PE_SALITY.RL
5     HKTL_ULTRASURF
Table 4. Top 5 malware in 3Q 2011
HOW HAS THE THREAT LANDSCAPE CHANGED?
Apart from the changes that ZeuS underwent in order to better evade detection and takedown, Trend Micro researchers also noticed marked improvements in mobile malware. Traditional malware such as TDL4 also underwent more enhancements in terms of malicious routines and tactics.

Even though we noted a decrease in Anonymous and LulzSec attacks, probably due to various law enforcement efforts, we also saw an increase in the number and scope of highly targeted attacks. Cybercriminals are setting their sights on bigger and better targets than ever before.
NOTABLE SECURITY WINS
Soldier’s SpyEye Operation Uncovered

Trend Micro researchers discovered a SpyEye operation controlled by a cybercriminal who used the handle “Soldier.” This botnet operation mainly targeted large enterprises and government institutions in the United States, though it also affected organizations in Canada, the United Kingdom, India, and Mexico.

Through monitoring since March of this year, our researchers found that Soldier’s operation had amassed more than US$3.2 million in a span of six months. The discovery of such an operation is a Trend Micro attempt to show how many users can be exposed to this threat and how damaging successful compromises can become. We also showed just how profitable a single SpyEye botnet can be for cybercriminals.

For more details on this recent Trend Micro win, check out our research paper, “From Russia to Hollywood: Turning Tables on a SpyEye Cybercrime Ring.”
FAKEAV Affiliate Networks Exposed

Apart from uncovering a SpyEye operation, Trend Micro researchers were also able to gather in-depth information on two of the largest FAKEAV affiliate networks to date—BeeCoin and MoneyBeat—through careful monitoring of the servers FAKEAV suppliers used. Our researchers found that between January and June 2011 alone, BeeCoin and its affiliates were able to install FAKEAV malware in more than 214,000 systems. They also found that one in every 44 people that installed the malware actually purchased the full version of the rogue antivirus software, allowing BeeCoin to collect US$123,475.

Through the exposure of the relationships among FAKEAV affiliate networks, botnets, and other malicious activities, our researchers hope that the security community and law enforcement agencies can better understand the challenges that this malicious monetization strategy poses for traditional defenses and investigations.

More details on how FAKEAV affiliate networks work can be found in the Trend Micro research paper, “Targeting the Source: FAKEAV Affiliate Networks.”
LURID Downloader Attacks Unearthed

In an effort to keep up with the shift in focus to highly targeted attacks, Trend Micro researchers discovered a series of highly targeted attacks leveraging what has been dubbed the “LURID Downloader.” Our researchers found that related campaigns successfully compromised 1,465 computers in 61 different countries. They were able to identify 47 victims, including diplomatic missions, government ministries, space-related government agencies, as well as other companies and research institutions.

The use of Enfal, the malware family to which LURID belongs, has been historically linked with threat actors in China. In this particular case, the attack vector (a malicious email with an attachment) we analyzed was related to the Tibetan community, which many believe indicates an association with China. However, as Chinese entities were also victimized, we dared not make a final attribution.

For more information on the LURID Downloader attacks, check out our research paper, “The ‘Lurid’ Downloader.”
WHAT THE FUTURE SPELLS
Trend Micro researchers surmised that the volume of mobile malware, specifically those targeting Android-based devices, along with the number of highly targeted attacks (aka APTs), will continue to increase in the near future.

However, in an attempt to not just keep up with but to stay ahead of cybercriminal efforts, Trend Micro researchers are striking deals with law enforcement agencies worldwide to gain even more wins this year. Should these efforts push through, we may even become instrumental to cybercriminal arrests.

To stay abreast of developing threat trends and to constantly keep employees’ systems and your corporate networks safe from the impending doom that can spell disastrous results for your organization, watch out for the release of the “4Q 2011 Threat Roundup” this coming December.
TREND MICRO™

Trend Micro Incorporated is a pioneer in secure content and threat management. Founded in 1988, Trend Micro provides individuals and organizations of all sizes with award-winning security software, hardware, and services. With headquarters in Tokyo and operations in more than 30 countries, Trend Micro solutions are sold through corporate and value-added resellers and service providers worldwide. For additional information and evaluation copies of Trend Micro products and services, visit our website at www.trendmicro.com.

TRENDLABS℠

TrendLabs is Trend Micro’s global network of research, development, and support centers committed to 24 x 7 threat surveillance, attack prevention, and timely and seamless solutions delivery.

©2011 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.
APPENDIX A: MALICIOUS URL STATISTICS

The following tables show the top 10 malicious URLs and IP domain addresses blocked by the Trend Micro™ Smart Protection Network™ infrastructure in the third quarter of 2011.
Rank  Malicious URL Blocked                                      Description
1     www . bit89 . com : 80 / download / dpclean / ibdp . exe   Distributes malware
2     trafficconverter.biz:80/4vir/antispyware/loadadv.exe       Distributes malware, particularly DOWNAD variants
3     trafficconverter.biz:80/                                   Distributes malware, particularly DOWNAD variants
4     serw.clicksor.com:80/newserving/getkey.php                 Included in the list of domains associated with the proliferation of pirated applications, Android malware, and rogue antivirus software as well as with other malicious activities
5     serw.myroitracking.com:80/newserving/tracking_id.php       Contacts various servers to download and aggressively display pop-up ads
6     ad.globe7.com:80/imp                                       Distributes TDSS and ZBOT malware
7     cherry-lovepour.com:80/con1.php                            Distributes malware
8     www . myroitracking . com : 80 / newserving / tracking _ id . php   Contacts various servers to download and aggressively display pop-up ads
9     221.8.69.25:80/search                                      Distributes malware, particularly DOWNAD variants
10    zs11.cnzz.com:80/stat.htm                                  Distributes malware
Table A-1. Top 10 malicious URLs blocked in 3Q 2011
Rank  Malicious IP Address Blocked    Description
1     www . bit89 . com               Distributes malware
2     trafficconverter.biz            Distributes malware, particularly DOWNAD variants
3     serw.clicksor.com               Included in the list of domains associated with the proliferation of pirated applications, Android malware, and rogue antivirus software as well as with other malicious activities
4     serw.myroitracking.com          Contacts various servers to download and aggressively display pop-up ads
5     d3lvr7yuk4uaui.cloudfront.net   Distributes malware
6     ad.globe7.com                   Distributes TDSS and ZBOT malware
7     dl.91rb.com                     Downloads malware
8     cherry-lovepour.com             Distributes malware
9     conf.baidupapa.com              Distributes malware
10    www . myroitracking . com       Contacts various servers to download and aggressively display pop-up ads
Table A-2. Top 10 malicious domain IP addresses blocked in 3Q 2011