McAfee Threats Report: Fourth Quarter 2012

Transcription

1 Executive Summary McAfee Threats Report: Fourth Quarter By McAfee Labs In adipiscing elit vitae sapien

2 As drew to a close, the threat landscape continued to evolve on many fronts in ways that threaten both consumers and enterprises. The three primary trends and events observed by McAfee Labs researchers during were: Ballistic growth in malware aimed at Android-based devices Appearance of a new advanced persistent threat targeting financial services firms and their customers A return to double-digit growth in threats aimed at PC platforms and the appearance of new and more dangerous threats and tactics on the part of cybercriminal gangs Mobile Threats Trends Until very recently conventional wisdom held that the mobile malware threat landscape would evolve much like the PC threat landscape of a decade ago. This assessment, however, completely underestimated the abilities and ambitions of the cybercriminal community. As Figure 1 shows, the mobile malware threat segment is not evolving in anything like the linear fashion of the PC segment. The number of mobile malware samples discovered by McAfee Labs in was 44 times the number found in. This means that 95 percent of all mobile malware samples ever seen appeared in the last year. The other change that occurred in is that cybercriminals are now dedicating essentially all of their efforts to attacking Android, with 97 percent of malware samples found in the last year aimed at this one platform. In alone the number of new Android-based malware samples jumped 85 percent. Total Mobile Malware Samples in the Database 4, 35, 3, 25, 2, 15, 1, 5, Figure 1. New mobile malware samples The reasons for this explosive growth are many, but the primary motivations of the cybercriminal gangs developing and deploying mobile threats include: The inherent value of the information that can be found on mobile devices, including passwords and address books New business opportunities that aren t available on the PC platform, such as Trojans that send SMS messages to premium services that then charge the user for each message The propensity of some users to root their own phones to customize the interface or add functionality, 2 Executive Summary McAfee Threats Report: Fourth Quarter

3 which then allows hackers to exploit the device s underlying vulnerabilities The opportunity to quickly create very large mobile botnets The ability to install malware that blocks software updates from users carriers that would remove other previously installed malware Advanced Persistent Threats After a slight lull in the wake of Stuxnet, the appearance of new advanced persistent threats (APTs) accelerated in the second half of. The first APT development announced in was Operation High Roller. Originally designed to attack the Automated Transfer Systems in Europe, McAfee Labs researchers observed new High Roller based attacks aimed at manufacturing and import/export firms in the United States and Latin America. The expectation is that new variants of High Roller will target the Automated Clearing House infrastructure used to process much of the world s ecommerce transactions. In a new APT called Blitzkrieg appeared. Unlike High Roller, which primarily targeted financial services infrastructure, Blitzkrieg attacks both consumers and their banking institutions. Blitzkrieg first attacks user machines using a phishing attack and installs a Trojan known as Prinimalka. The Trojan then monitors user actions and web traffic to detect use of bank login credentials. The perpetrators of Blitzkrieg then export these credentials to a control server and use them to execute illicit electronic fund transfers. Malware After declining modestly in, new malware discoveries exhibited rather robust growth in with new samples growing 35 percent compared with (Figure 2). For the year, new malware sample discoveries increased 5 percent with more than 12 million samples now in the McAfee Labs zoo. New Malware 12,, 1,, 8,, 6,, 4,, 2,, Figure 2. New malware samples. In addition to the increased volume of threats, the nature of the threats aimed at PC users continues to become more dangerous and sophisticated. The instances of new, unique password-stealing Trojans, for example, grew 72 percent in. Cybercriminals have clearly figured out that user authentication credentials constitute some of the most valuable intellectual property that can be found on most computers. Cybercriminals have also determined that one of the best ways to circumvent standard system security is to electronically sign the malware using a stolen or fabricated certificate. saw pronounced growth in this tactic, with the instances of signed malware binaries increasing by three times (Figure 3). Executive Summary McAfee Threats Report: Fourth Quarter 3

4 Total Malicious Signed Binaries 2,5, 2,, 1,5, 1,, 5, JAN 1 FEB 1 MAR 1 APR 1 MAY 1 JUN 1 JUL 1 AUG 1 SEP 1 OCT 1 NOV 1 DEC 1 Figure 3. Total malicious signed binaries. In addition to their standard attack targets of operating system and applications, cybercriminals are now aggressively moving lower in the system to attack the BIOS and storage stacks. Storage subsystem attacks proved particularly popular in. One of the most popular methods used is to attack the master boot record (MBR) of the system s disk drive. A successful MBR attack will typically either steal data or root the system to give the attacker sufficient control to add the system to an existing botnet or install other malware. MBR attacks are a relatively small portion of the overall PC malware landscape at the moment, but McAfee Labs expects them to become a primary attack vector in the coming year. New Master Boot Record-Related Threats Identified MBR Components Variants of Families with Known MBR Payloads 7, 6, 5, 4, 3, 2, 1, Figure 4. New MBR attack-related samples. One of the most specious forms of attack that saw material growth in is ransomware. Ransomware attacks tend to come in two forms. In the first form of attack the cybercriminal expropriates confidential information either from a user system or enterprise IT infrastructure and then demands payment for not releasing the data into the public domain. In the second form of attack the cybercriminal establishes control of a user system (or mobile device), encrypts user data, and demands payment in exchange for the encryption key. Sadly, even users who agree to the ransom demand have no way of knowing if they will ever receive the promised encryption key. 4 Executive Summary McAfee Threats Report: Fourth Quarter

5 New Ransomware Samples 25, 2, 15, 1, 5, Figure 5. New ransomware samples. The final area of PC-targeted malware growth detected by McAfee Labs in is a marked increase in web-based threats. The basic infection mechanism allows a cybercriminal to surreptitiously download malware from a website without the user s knowledge. The malware then either adds the system to a botnet or expropriates data from the user s system. Distributing malware from infected websites became an increasingly popular tactic in due to law enforcement actions that took down some of the largest botnets. McAfee Labs has also detected a new trend in which a criminal gang builds out a superdomain of infected websites. Using this technique, hundreds or thousands of separate websites can be placed behind a single IP address. The address can then be changed frequently to avoid detection and traffic routed to it via DNS poisoning and other techniques. One of the advantages from a business perspective of this approach is that the gang operating the resulting web farm can either use it to distribute their own malware or lease it to other criminal gangs as a cloud-based service. McAfee Labs monitors and categorizes millions of websites each day based on their risk profile. McAfee s Global Threat Intelligence Web Reputation service detected a two-thirds increase in new suspect URL addresses in, identifying nearly 4.5 million suspect URLs in operation. New Suspect URLs 16,, 14,, 12,, 1,, URLs Associated Domains 8,, 6,, 4,, 2,, Figure 6. Suspect URLs. Executive Summary McAfee Threats Report: Fourth Quarter 5

6 Other Threat Trends Although the three trends discussed above comprised most of the news in the threat landscape in, there were also three other developments worth noting. First was the continued decline in the volume of spam and the number of infected systems controlled by botnet operators. The botnet trend is driven partly by the law enforcement actions cited earlier, but also by the declining appeal of the botnet business model. Spam volumes typically reflect botnet activity and reflected this (Figure 7). The continued downward trend in spam volume indicates that many spammers are moving on to other forms of cybercrime or focusing their efforts on much more targeting phishing attacks on specific groups of victims. Global Volume, in Trillions of Messages Monthly Spam Legitimate JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC Figure 7. Spam volume trillions of messages. Second, McAfee Labs discovered material growth in the use of the Internet to sell fake passports, ID cards, utility bills, and other forms of government-issued documents. While worrisome, this trend shows little more than criminal gangs applying ecommerce technology to a business that predates the Internet by generations. Finally, hacktivist activity increased modestly in, with attacks observed against public and private sector targets in Israel, Syria, the United Kingdom, and the United States. While attacks by hackers claiming association with the Anonymous syndicate will likely remain a fixture of the threat landscape throughout 213, McAfee Labs expects that these attacks will decline through the year to be replaced by attacks sponsored and executed by state actors. A copy of the full report can be found here: Mission College Boulevard Santa Clara, CA McAfee, the McAfee logo, and McAfee Global Threat Intelligence are registered trademarks or trademarks of McAfee or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright 213 McAfee, Inc. 674exs_quarterly_threat_q4_213_fnl_ETMG