ANNUAL REPORT PandaLabs 2007
Panda 2008
Index
Introduction 3
Executive summary 4
The Quarter day by day 5
  October
  November
  December
Figures for Q4 11
  Distribution of new threats detected 11
  Month by month 13
  Threats detected by Panda ActiveScan 14
New malware evolution 15
Active malware 19
Vulnerabilities 22
Evolution of kits for installing malware through exploits 25
Social engineering 28
  At a glance 28
  Notorious cases 29
Annual report on spam 36
  Introduction 36
  Spam in
  Market evolution 42
  Key requirements of clients 42
Malware trends and their evolution in the future 44
  Trends 44
  Distribution of malware 45
Conclusions 47
About PandaLabs 48
Introduction

As 2007 comes to an end, we present the last quarterly report, which gives us the perfect opportunity to summarize the most important events of the year. We will offer the most relevant data for Q4 and analyze the evolution of malware throughout the year.

Several changes have taken place this year. With Panda Software's transformation into Panda Security we have changed the style of the report to better adapt it to the new focus of the organization. These changes have been very welcome, and the feedback received has been really positive.

This report includes a new section covering the most important research results from PandaLabs. The section offers an overview of the most relevant data before it is analyzed in depth later.

The amount of malware in circulation has continued to increase this year, so we have prepared an article on malware evolution over the last few years.

Social engineering continues to be widely used as a powerful means of infection, attacking the weakest link in the security chain. PandaLabs has prepared a report to warn users of the strategies used by cyber-crooks. We hope it serves to raise awareness among the public of how infection techniques continue to evolve.

Throughout the year, PandaLabs began piloting an initiative to measure malware prevalence on users' computers. You can find information about the results of this study in the Active malware section.

Finally, we have prepared a supplement on spam, one of the biggest worries in corporate environments due to the loss of productivity it causes. This report deals with the most widely used techniques and how they are evolving.

We hope you find it interesting.
Executive summary

During the first seven months of 2007, there was a continuous increase in the percentage of active malware, reaching its peak in July with 19.58%.

The global volume of malware created yearly is multiplying, but what's more alarming is the number of Trojans, which quintuples every six months. Trojans are growing exponentially as a means of obtaining financial gains. Trojans designed for information theft are becoming ordinary.

The progressive creation of online communities, with tens of thousands, or even millions, of users, will facilitate attacks launched against them.

The vulnerabilities in client applications have increased significantly during this year, with Microsoft Office applications the most frequently targeted.

Social engineering continues to be one of the techniques malware most frequently uses to spread. The most recurrent themes are those related to sex, celebrities, morbid themes, current affairs or pirate software.

The degree of sophistication of the so-called kits for installing malware through exploits continues to increase, including new functionalities and consequently facilitating malware distribution.

In 2007, almost 50% of the e-mails received by home users are spam, whereas the amount of spam in circulation is between 80% and 95% for corporate users.
The Quarter day by day

October 2007

Day 1: A security flaw was discovered in the GNU/Linux kernel that allowed malicious users to elevate their privileges to take control of computers.
Day 2: SuSE released an update package to fix several security flaws.
Day 3: Cisco reported a vulnerability in Cisco Catalyst 6500 and 7600 series. The flaw could be exploited to bypass security restrictions.
Day 4: PandaLabs reported that Trojans were the most active malware type in September (they caused 25.94% of infections).
Day 5: Sun reported several vulnerabilities in JDK, SDK and JRE.
Day 8: Multiple vulnerabilities were reported in Borland InterBase that could lead to denial of service attacks and remote execution of arbitrary code.
Day 9: A vulnerability was reported in HP System Management Homepage (SMH) that could be used by malicious users to carry out cross-site scripting (XSS) attacks.
Day 10: Microsoft published six new security patches (MS to MS07-060), four of which were rated critical.
Day 11: A vulnerability was found in Adobe PageMaker that could allow malicious users to cause a buffer overflow and run arbitrary code on affected computers. Novell published the first "Support Pack" for Access Manager 3. This pack contained patches to fix multiple problems.
Day 15: Three vulnerabilities were reported in DB2 Universal Database 8.1 and 8.2. The patches that solve these vulnerabilities are already available.
Day 16: A vulnerability was reported in Apple iPod touch and Apple iPhone. The flaw was due to an error in the handling of TIFF files.
Day 17: A vulnerability was reported in FLAC, a library used by many programs to play audio files. The patch that fixes this vulnerability is already available.
Day 18: Two new flaws were discovered in Opera which could be exploited to launch XSS attacks. The patch that fixes these flaws is already available.
Day 19: A vulnerability was reported in Linksys SPA. These products are used to deliver multimedia services over IP.
Day 22: Oracle published 51 new security patches to fix multiple vulnerabilities.
Day 23: A vulnerability was reported in RealPlayer, which was being exploited to run remote code on affected computers.
Day 24: A vulnerability was reported in the secdrv.sys driver included by default in Windows XP SP2 and Windows Server 2003 SP1.
Day 25: Multiple vulnerabilities were reported in IBM Lotus Notes that could be exploited by malicious users to bypass security restrictions.
Day 29: Microsoft acknowledged that the problem with PDF files was not an Adobe vulnerability but a problem in the Windows ShellExecute module.
Day 30: An exploit was published that took advantage of a critical vulnerability in old Windows versions. This flaw was already fixed in the MS security bulletin.
November 2007

Day 2: PandaLabs detected a new variant of the StormWorm which used Halloween as bait to spread massively.
Day 5: A vulnerability was reported in IBM Tivoli Service Desk 6.x that can be used by remote attackers to carry out cross-site scripting attacks.
Day 6: Apple launched version 7.3 of QuickTime, which fixes seven security flaws discovered in the previous version of the multimedia player.
Day 8: A new vulnerability was reported in Microsoft Sysinternals DebugView (an application for viewing debug messages) which can be used to gain escalated privileges.
Day 9: According to a report by Frost & Sullivan, the increasing sophistication of cell phones will turn them into one of cyber-crooks' main targets over the next few years.
Day 12: Sun published a security patch for Solaris that fixes two vulnerabilities in OpenSSL, preventing remote hackers from carrying out denial of service attacks. According to The Register and other media, DoubleClick, a popular Google-owned online advertising business, could be used as a means to spread malware.
Day 14: Microsoft released two new security patches: MS07-061, classified as critical, and MS07-062, classified as important.
Day 15: PandaLabs detected a spoof e-mail claiming to be from Microsoft (the MS security patch) that tries to install the Bandok.BO backdoor on computers.
Day 16: A new spam technique that takes advantage of YouTube was detected. The technique consists of sending e-mails with a link to a YouTube video containing an advert.
Day 19: A vulnerability was reported in Apple QuickTime 7.2 that could be exploited to run arbitrary code when users visit a specially-crafted page.
Day 21: Two vulnerabilities were reported in the Linux kernel that could be used to cause denial of service conditions on affected computers.
Day 22: A vulnerability was reported in IBM Director which can be used to carry out denial of service attacks. The vulnerability affects version and earlier versions.
Day 23: A vulnerability was reported in the Safari browser and iChat of Leopard, Apple's new operating system.
Day 26: Israeli researchers disclosed a security flaw in the PRNG (Pseudo-Random Number Generator), the algorithm used by Microsoft Windows 2000 and XP to generate random numbers.
Day 28: A new vulnerability was reported in QuickTime, Apple's multimedia player, which could be used to run arbitrary code and take control of affected computers.
Day 29: Several vulnerabilities were reported in Mozilla Firefox which could be exploited by malicious users to carry out attacks that compromise PC security.
Day 30: In five months the FBI has discovered over a million computers controlled by a group of cyber-crooks, whose leader is known as AKILL.
Day 11: Microsoft published seven security bulletins (from MS to MS07-069), three of which were considered critical.
Day 12: A vulnerability was found in the 3ivx codec (3ivx.dll) used to view MPEG-4 files. This flaw allowed attackers to run arbitrary code on affected computers remotely.
Day 13: End of the Windows Vista SP1 RC beta period. During this beta phase, several bugs were fixed and some features added (improved BIOS and exFAT support).
Figures for Q4

Distribution of new threats detected

The graph below shows the types of malware detected by PandaLabs in the fourth quarter of 2007, from October 1 to December 15:

Figure 1. Malware detected in Q4.
  Trojans  71%
  Adware   21%
  Worms     5%
  Spyware   1%
  Others    2%

As seen in the graph, the most prevalent malware category in Q4 was Trojans, even though their share decreased by 4%. Note that backdoors, a subclass of Trojans, have been counted within Trojans, and bots have been counted within the worm and Trojan categories accordingly.

The percentage of worms dropped significantly, currently representing 5% of all malware compared to 11% in Q3.

This quarter's most significant fact was the notable increase in adware, which grew by 9% and reached 21% of total malware. Meanwhile, spyware stayed at 1%.

We have grouped malware categories with low prevalence under the heading Others.
Figure 2. Classification of the "Others" category (hacking tools 57%, PUP 36%, dialers 3%, viruses, security risks and jokes).

In this category, hacking tools increased by 40% compared to Q3, reaching 57%. PUPs, however, decreased by 74%, reaching 36% of malware in this category. Even though viruses increased by 1%, their use is decreasing as malware creators prefer to work on malware that provides them with financial return rather than destroying systems. The increasing number of users with broadband connections made dialers decrease from 5% in Q3 to 3%.
Month by month

Below you can see the appearance of new malware month by month, broken down by the most important categories. As you can see, the dominant category is Trojans.

Figure 3. Appearance of new malware (October, November, December; categories: Trojans, Adware, Spyware, Worms, Others).

The most prevalent malware categories each month are those that provide the largest financial return to threat creators.
Threats detected by Panda ActiveScan

The following graph shows the distribution of detections made by the Panda ActiveScan online scanner throughout the fourth quarter:

Figure 4. Detections carried out by Panda ActiveScan (categories: Trojans 33%, Adware, Spyware, Worms, Dialers 3%, Others).

With an infection ratio similar to Q3's, Trojans continued to be the most active malicious code (33% of total detections). Dialers stayed at 3%, holding on to their ranking despite their downward trend all through the year. Adware and spyware stayed approximately at the same level as in Q3. They decreased by 1%, staying at 26%.
New malware evolution

This article will look at how new malware has evolved over the last few years.

As we have mentioned on previous occasions, the progressive disappearance of massive infections has led to a false sense of security among users, who wrongly believe that the malware problem is under control. The data we present in this article will demonstrate that, contrary to appearances, the amount of malware created globally each year is multiplying, creating a much more dangerous scenario for those people or organizations that operate over the Internet.

Just as humankind perfects, improves and invents the technology that surrounds us, malware creators are also developing new threats, with improved interfaces, stealthier, and more effective at achieving the objective for which they have been designed.

Below you can see the quarterly evolution of the appearance of new malware detected by PandaLabs, which works round-the-clock on the detection and elimination of these new threats.

Figure 5. Quarterly evolution of new malware (quarters from 2006 to 3rd Quarter 2007). * Only includes statistical data from January 2006 to September.

The graph above shows how the amount of malware that could affect systems increases threefold every six months.
The graph below shows the quarterly increases in the most important categories of malware.

Figure 6. Quarterly evolution of new malware (most important categories: Trojans, Adware, Worms; quarters from 2006 to 3rd Quarter 2007).

It is clear that Trojans are still on the increase, and this is due to the fact that they are the type of malware that offers the most financial benefit to its creators. It is no surprise, then, that they are the most widespread type of malware. At present, the amount of new Trojans detected by PandaLabs increases fivefold every six months.

With respect to worms, there has also been a considerable increase, and the number detected is doubling every six months. Adware/spyware increases at more or less the same rate as worms and is still among the most important categories.
The following graph offers a retrospective view of the relative distribution of new strains of malware by type, as detected by PandaLabs:

Figure 7. Annual evolution of types of malware (categories: Adware, Spyware, Trojans, Worms, Others).

The major difference with respect to previous years is the considerable growth of Trojans, which have increased from 48.33% in 2005 to 77.40%. All other categories have receded, including worms, which have dropped from 23.21% in 2005 to 9.21% currently. With adware and spyware, the decrease is not as notable as in the previous cases, going from 15.72% and 2.02% in 2005 to 11.20% and 1.08% respectively. In the Others group we have included less significant categories, such as PUP, hacking tools, viruses, dialers, etc., which have also decreased from 10.72% in 2005 to 1.12%.
The most representative malware families throughout 2007 were:

Downloader [Trojan]: Generally used for downloading other types of malware (Trojans, dialers and adware) in the background without users' consent.

Hupigon [Backdoor]: Using stealth techniques to prevent detection, it opens one or more ports to allow remote access to the infected computer.

Banker/Nabload/Banbra [Banker Trojan]: Can capture keystrokes in order to obtain information for accessing online banking services, passwords or other confidential information.

Nurech/Nuwar [Worm]: Uses social engineering based on current affairs to spread through a range of channels, including e-mail, instant messaging, P2P, etc. Affects the productivity of the computer, the network to which it's connected or other remote sites.

Lineage/Wow [Trojan]: Generally offering an inoffensive appearance, this is designed to capture login details for online games (Lineage, World of Warcraft, Ogame, etc.).
Active malware

In this section we will focus on the evolution of active malware during the year. To understand what active malware is, let's first define the two possible statuses: active and latent.

Latent malware is hosted on the PC but doesn't take any action. It is waiting to be run directly by users, or remotely by hackers. Once run, it starts launching the harmful actions it is programmed to execute. The malware status therefore shifts from latent to active.

We have monitored the malware evolution month by month on our website. Thanks to this service, users can scan their PC online for free and check whether it is infected. This website also provides real-time statistical data about active and latent malware infection levels. It also includes an interactive worldwide infection map that contains infection percentages for the top countries, as can be seen in the image below:
The following graph represents the evolution of active malware during the year:

Figure 9. Evolution of active malware during the year (February to October).

The percentage of active malware increased during the first seven months of 2007, reaching its peak in July (19.58%). This was a turning point in the evolution of malware. From then on, the situation began to normalize and active malware stayed at around 18% during August, September and October. Nevertheless, globally, active malware has been increasing, as can be seen in the graph.

Bearing in mind that active malware hit its highest point in July, we will focus on the countries with the highest percentages.
The graph below shows the ten countries with most active malware in July:

Figure 10. Active malware in July per country.
  Mexico     26.39%
  Taiwan     25.41%
  France     24.08%
  Venezuela  21.57%
  USA        21.50%
  Chile      20.78%
  Portugal   20.48%
  Spain      19.74%
  Brazil     19.00%
  Canada     18.86%

In July, Mexico (26.39%), Taiwan (25.41%) and France (24.08%) were way above the average worldwide rate (19.58%). Other countries such as Venezuela (21.57%), USA (21.50%), Chile (20.77%) and Portugal (20.48%) were also above the average percentage, while Spain, Brazil and Canada were very close to the average.

These results show a significant increase of active malware worldwide during 2007.
Vulnerabilities

In this section we will examine the most important aspects of vulnerabilities. During 2007 we have discovered interesting data regarding vulnerabilities.

Firstly, we have detected a significant increase in vulnerabilities in client applications, such as browsers, office applications, audio and video multimedia players, PDF readers, antivirus products, compression applications, etc.

Secondly, we have detected a decrease in operating system vulnerabilities, unlike previous years, in which these vulnerabilities were used by malicious codes to cause large epidemics. There have been no mass-spreading worms (via operating system vulnerabilities) compromising users' computers this year. In this sense, this year has been relatively peaceful and untypical.

However, we have observed a significant increase in attacks aimed at client application vulnerabilities. In general these vulnerabilities require user interaction: to open the file attached to an e-mail (Word document, PowerPoint presentation, Excel spreadsheet, MP3 or QuickTime file...), visit a web page, decompress or scan a file, etc. However, this has never been a problem for malware creators, since social engineering techniques and user curiosity have made this job easier.

Office applications

Microsoft Office applications have been the most frequently targeted this year; most of them (Outlook, Word, PowerPoint, Excel, Visio, FrontPage and Access) were affected by severe vulnerabilities.

Bear in mind, as commented in previous reports, that malware creators have learned how to exploit the distribution schedule of Microsoft updates, usually launched once a month (every second Tuesday). Malware creators wait until the second Wednesday of the month to exploit unknown vulnerabilities and achieve higher impact and duration. This way, they have a month before the next update is launched.
Browsers

Browsers have become the focal point for hackers seeking to compromise corporate users. Companies that allow their employees to browse online have become malware creators' main target.

Some years ago, adequate protection of the company's Internet-connected services (Web, mail and DNS servers, etc.) and the implementation of perimeter security solutions (firewalls, DMZ, IDS...) were enough to protect an organization from IT attacks. Nowadays, these security measures are not enough, and it is far more important to prevent employees' PCs from being compromised through web pages that exploit vulnerabilities or targeted attacks on client applications.

A system for controlling page content would seem an effective measure. If users were denied access to web pages with inadequate or malicious content (porn, warez, pirate programs, etc.), they would be less vulnerable to these attacks. However, during this year, numerous web servers have been detected (embassies, banks, online stores, and even ISPs) whose pages have been modified to include an iframe with the exploits for the vulnerabilities. From now on, even browsing through trusted servers can be dangerous.

Solutions for corporate environments must no longer focus on perimeter protection exclusively. It is vital to protect employees' PCs in the corporate environment because they are the main target of these attacks and they can become a serious security hole in organizations.
Multimedia applications

Multimedia applications (Windows Media Player, QuickTime and Apple iTunes, RealPlayer, Adobe Flash Player, WinAmp...) have also been affected by serious vulnerabilities. At present, computers have one or more of these applications installed and many users are tempted into running multimedia files received by e-mail, as an attachment or a link.

It is difficult enough to increase users' awareness and prevent them from running applications from unknown sources, and even more difficult when it is multimedia content. The point is that viewing multimedia content from unknown sources can seriously compromise system security.
Evolution of kits for installing malware through exploits

This article describes this year's evolution of kits for installing malware through exploits. Due to an increase in their complexity and degree of automation, they have become more successful and easier to manage.

Single exploit

The most basic attacks regarding exploits are those that use a single exploit. Some websites still try to exploit vulnerabilities using this method. The chances of success are obviously scarce. In this sense, the higher the number of exploits used and the newer they are, the greater the possibility of infecting users. This way, the natural evolution has been oriented towards introducing modifications to increase the kits' probability of success.

Several exploits + Statistics

In multi-exploit attacks, the most appropriate exploit is chosen depending on the user's operating system and browser. Additionally, the kit usually stores statistical data, such as infections per country, exploits it has successfully used, etc. Some can even target IP addresses that belong to a specific geographical zone.
The most representative case was that of Mpack, whose interface is shown below:

Several exploits + Statistics + Iframer

The next step in the evolution of kits is the integration of an Iframer function. Iframers allow hackers to insert iframe-type fields on web pages that direct users to other web pages where the kits are installed.

Cyber-crooks usually access the web pages via FTP connections, with the user name and password of the website to be modified. They then insert an iframe-type reference at the end of the file (usually index.php, index.html, etc.), which, when rendered on users' PCs, redirects them to the pages containing the kit.
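A defensive check for the iframer injections just described, added here as an example and not part of the PandaLabs report or of any kit: it scans an HTML page for iframe tags that sit after the closing </html> tag, are zero-sized or CSS-hidden, or load content from a host other than the site's own. The sample page and the host names shop.example and kit.invalid in it are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Matches an opening <iframe ...> tag; its attributes are parsed separately.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# name="value", name='value' or bare name=value
ATTR_RE = re.compile(r'([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')
HTML_CLOSE_RE = re.compile(r"</html\s*>", re.IGNORECASE)


def parse_attrs(tag: str) -> dict:
    """Return the attributes of one tag as a lower-cased name -> value dict."""
    attrs = {}
    for m in ATTR_RE.finditer(tag):
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[m.group(1).lower()] = value
    return attrs


def is_hidden(attrs: dict) -> bool:
    """Zero/one-pixel frames and CSS-hidden frames are invisible to the visitor."""
    for name in ("width", "height"):
        size = attrs.get(name, "").strip().lower()
        if size.endswith("px"):
            size = size[:-2]
        if size in ("0", "1"):
            return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def find_suspicious_iframes(html: str, site_host: str) -> list:
    """Report every iframe whose placement, size or target looks injected.

    site_host is the hostname the page legitimately belongs to; frames that
    load content from any other host are flagged as external.
    """
    closes = list(HTML_CLOSE_RE.finditer(html))
    body_end = closes[-1].start() if closes else None
    findings = []
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(0))
        src = attrs.get("src", "")
        reasons = []
        # The iframer described above appends its tag after the real document.
        if body_end is not None and m.start() > body_end:
            reasons.append("appended after </html>")
        if is_hidden(attrs):
            reasons.append("hidden or zero-size")
        host = urlparse(src).hostname
        if host and host.lower() != site_host.lower():
            reasons.append("external src host " + host)
        if reasons:
            findings.append({"offset": m.start(), "src": src, "reasons": reasons})
    return findings


# Constructed sample: a legitimate page with one in-site frame, plus the kind
# of hidden external frame an iframer appends after the closing tag.
SAMPLE_PAGE = """<html><head><title>Shop</title></head>
<body>
<p>Welcome to the shop.</p>
<iframe src="http://shop.example/cart" width="600" height="400"></iframe>
</body></html>
<iframe src="http://kit.invalid/in.php" width=0 height=0 style="display: none"></iframe>
"""

if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE_PAGE, "shop.example"):
        print(f"offset {f['offset']}: {f['src']} -> {', '.join(f['reasons'])}")
```

Run it over the index.php/index.html files of a web root after a suspected compromise; a clean page yields an empty list, while the sample page flags only the appended frame.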
IcePack is the most representative case of such a kit and its home page can be seen below:

Kits for installing malware through exploits have adapted and evolved, integrating different tools in one and making them easier to manage.

During 2007 we have carried out several studies in which we have analyzed the characteristics and performance of these kits. These studies can be found in the PandaLabs Reports section of Security Info.
Social engineering

At a glance

In this section we will focus on social engineering as a means of distributing malware and on specific malicious codes that use this technique.

Social engineering is still one of the techniques most frequently used by malware to spread. This concept was defined in the 2006 annual report as a set of techniques used with the objective of manipulating users into performing certain actions or providing confidential information.

To do so, malware creators use attractive names to camouflage the malicious files. Most of these names relate to sex, famous people, pirate software, current affairs or generally try to appeal to people's morbid curiosity. The use of these techniques increases significantly around dates such as Valentine's Day, Christmas and Halloween. In other words, malware creators have found this method very effective in distributing malicious code.

Social engineering often operates hand-in-hand with e-mail as a means of spreading malware. One such example is the Iloveyou worm, detected by PandaLabs as LoveLetter.A, which spread by e-mail. Under the guise of a love letter, this worm caused a massive global epidemic.

Apart from e-mail, malware also uses P2P networks and instant messaging programs to spread, both of which have become more vulnerable due to their growing popularity. Whatever the infection channel, social engineering is a vital strategy for malware distribution.

Below you will find a description of some of the malware samples detected during this quarter which use social engineering to spread: Nuwar.HU is a worm especially designed for Halloween, and Bandok.BO is a backdoor Trojan that spreads through a message disguised as a Windows update. Both samples spread through e-mail.

Other samples such as the Mimbot.A, MSNPhoto.I, MSNWorm.BB and MSNFunny.D worms spread through MSN Messenger by sending instant messages containing a file or a link to a web page, to entice users into viewing a photo.
The Bindo.A and CivilArmy.B worms use appealing names to copy themselves onto the shared folders of P2P programs. This way, when users run a file thinking it is pirate software (music, porn...), they actually download malware onto their PCs.

Some malicious codes combine several infection techniques, such as the Destructor.A worm, which uses instant messaging and P2P networks to spread.

For more information about these and other computer threats, visit Panda Security's Encyclopedia.

Next we will take a look at the most important social engineering cases detected during this quarter.

Notorious cases

The social engineering cases detected during this quarter are many and varied. These include:

A highly innovative technique

An innovative social engineering technique detected in October consists of an application that allows users to watch a female striptease. Users must enter several characters in the application for the woman to strip, as can be seen in the image below:
These characters are known as Captchas (Completely Automated Public Turing test to tell Computers and Humans Apart). A Captcha consists of displaying distorted characters that only humans, and not PCs, can interpret correctly. The use of Captchas is increasing. Captchas impede bots' entry to online services and, among other things, prevent them from registering e-mail addresses for sending spam.

However, cyber-crooks have found a way to get around this security measure, thought to be effective, through social engineering. Instead of getting computers to interpret the characters, cyber-crooks have managed to lure users into doing it. Users who follow the application steps will not download malware onto their computer, but they will be helping hackers.