Windows Malware Annual Report 2014 And prognosis 2015


February 2015. Copyright RedSocks B.V. All Rights Reserved.


Table of Contents

1. Introduction
2. Summary
3. Analysing Malware
3.1. Processing Malware
3.2. Detecting Malware
4. Classifying Malware
4.1. Adware & PUPs
4.2. Backdoors & Bots
4.3. Exploits
4.4. Rootkits
4.5. Trojans (Keylogging Trojans, Proxy Trojans, PSW Trojans, Rogue Trojans, Trojan Downloaders, Spy Trojans)
4.6. Worms
4.7. 64-bit Malware
4.8. Other Malware
5. Trends
5.1. Adware
5.2. Backdoors and Bots
5.3. Exploits
5.4. Rootkits
5.5. Trojans
5.6. Worms
5.7. 64-bit Malware
5.8. Other Malware
6. Geolocation
6.1. Dridex
6.2. Regin
7. Prognosis 2015
Appendix: MD5 file hashes of files infected with Regin

Table of Figures

Figure 01: Detected vs. Not-Detected p/m
Figure 02: New Malicious Files p/m
Figure 03: Disk Space In GBs
Figure 04: Percentage Detected By Anti-Virus
Figure 05: Heuristic Detection
Figure 06: Adware & PUPs
Figure 07: Backdoors & Bots
Figure 08: Exploits
Figure 09: Rootkits
Figure 10: Trojans
Figure 11: Keylogging Trojans
Figure 12: Proxy Trojans
Figure 13: Password Stealing Trojans
Figure 14: Rogue Trojans
Figure 15: Download Trojans
Figure 16: Spy Trojans
Figure 17: Worms
Figure 18: 64-bit Malware
Figure 19: Other Malware
Figure 20: Macro-based Malware
Figure 21: Adware Trend
Figure 22: B&B Trend
Figure 23: Exploit Trend
Figure 24: Rootkit Trend
Figure 25: Trojan Trend
Figure 26: Worm Trend
Figure 27: 64-bit Malware Trend
Figure 28: Other Malware Trend
Figure 29: Top 10 C&C Countries
Figure 30: Reported Dridex Attacks
Figure 31: Distribution Dridex Banking Trojan
Figure 32: Prognoses Malware Categories (large)
Figure 33: Prognoses Malware Categories (small)

Table of Tables

Table 01: New Malicious Files p/m & Space In GBs
Table 02: Malware Categories
Table 03: Top 3 Adware Families
Table 04: Top 3 PUP Families
Table 05: Top 3 B&B Families
Table 06: Top 3 Exploits
Table 07: Top 3 Rootkit Families
Table 08: Top 10 Trojan Categories
Table 09: Top 3 Worm Families
Table 10: Top 3 64-bit Malware
Table 11: Top 3 Macro-based Malware
Table 12: Top 10 Packers & Encryptors
Table 13: Top 3 C&C Servers
Table 14: Top 10 Connecting IPs

1. Introduction

From the RedSocks Malware Research Lab, we give you our first yearly malware trend report. RedSocks is a Dutch company specialising in malware detection. Our product, RedSocks Malware Threat Defender, is a network appliance that analyses network traffic flows in real time, based on algorithms and lists of malicious indicators. This information is compiled by the RedSocks Malware Intelligence Team (RSMIT), a team of specialists who identify new threats and trends on the Internet and translate them into malware detection capabilities. With this report we hope to give you a deeper insight into the world of malicious threats and trends, as we look back at the data collected and processed during 2014.

2. Summary

2014 was an eventful year: small and large data breaches, new exploits and vulnerabilities, international spying and hacking. Heartbleed, Operation Blackshades, Point of Sale (POS) malware, Poodle, Regin, ShellShock and the Sony hack (The Interview), to name only a few.

One trend which had a big impact on Internet users in 2014 was ransomware. Ransomware is malware that restricts access to the system it infects, typically by encrypting the victim's data, and demands a ransom paid to the operators before the restriction is removed. Two variants were common: lockers, where the criminals pose as a legitimate company or government body and claim that the victim has done something illegal and is being sought by the authorities, and file encrypters, which tell the victim that the files on the device have been encrypted and must be bought back. A simple web search will usually turn up instructions for removing the ransomware itself from the infected device; recovering the encrypted files without the key can be quite a challenge. Some of the most used and active ransomware families of 2014 were Cryptolocker, TorrentLocker, Reveton, WinLocker and Ransomweb.

From January 1st to December 31st, 2014, we processed 87 million new unique malicious files: on average over 235,000 new samples per day, or 7.3 million per month. Overall detection by anti-virus software improved during the year, from 66 percent in January to 86 percent in October; in November and December detection dropped by 3 and 10 percent respectively. That might not sound too bad, but it means that around 24 percent of all new malicious files were not detected at the time we scanned them. This leaves us with 20.4 million undetected samples in 2014, or 1.7 million per month (roughly 56,000 per day on average). Please note that identification rates change with the anti-virus engines used, the samples chosen and the time of scanning. (Figure 01: Detected vs. Not-Detected p/m 2014)

During 2014, RedSocks identified:
- 9.5 million unique samples as adware and 5.4 million as PUPs
- a B&B in 1.2 million unique new files
- unique files that used one or more exploits
- rootkits in files
- 28.6 million trojans
- 4.6 million worms

- unique files identified as containing 64-bit malware
- 22.7 million files categorised as other malware

The United States hosted the most Command & Control (C&C) servers in 2014, followed by the Russian Federation, Germany, the United Kingdom and, in 5th place, China. As a hosting country for C&C servers, the Netherlands increased in popularity: starting in 10th place in January, it climbed to 8th place in March and 6th in May, and from June until December it held 5th place in the top 10 countries hosting C&C servers. Over the whole year the Netherlands came 6th. Places 7 to 10 went to Ukraine, Turkey, Korea and Iran.

Of all the C&C traffic we analysed:
- The Zeus botnet controller and slight variations of it accounted for 23 percent, making it by far the most popular C&C server software among cybercriminals.
- On the client side, most traffic from infected hosts came from computers compromised by GhostBot (11.76 %), Bladabindi (8.66 %) or Zegost (6.77 %).

3. Analysing Malware

RedSocks Malware Research Labs tracks large numbers of malware from our globally distributed honeypots, honeyclients, spam-nets and various botnet monitoring sensors. Because the honeypots are spread across the globe, we can automatically collect and process new malicious samples from everywhere. We also exchange large quantities of malicious files with the anti-virus industry.

Figure 02 and Table 01 contain the total number of new unique malicious files per month. From January 1st until December 31st 2014, a total of 87 million unique new malicious files were processed. Together, all new malicious files for 2014 required 42 terabytes of disk space; Table 01 lists the disk space needed per month in gigabytes. (Figure 02: New Malicious Files p/m 2014)

3.1. Processing Malware

In 2014 we processed, on average, over 235,000 new malicious files per day with our automated malware collection and processing systems. Every sample is renamed to the hash of its contents, and that hash is then used to check whether the same file has already been processed, so that a sample is not stored, counted or analysed twice. Figure 03 shows the total disk space in gigabytes needed per month to store the new malicious files. (Table 01: New Malicious Files p/m & Space In GBs; Figure 03: Disk Space In GBs)

3.2. Detecting Malware

At RedSocks Malware Labs we use an in-house classification system for grouping malware, with over 300 types for which we keep detailed statistics. Once multiple anti-virus scanners (in paranoid mode) have performed their on-demand scan, we know which malware was detected and, perhaps more importantly, which was not. The green section in Figure 04 shows the percentage of all files identified by anti-virus software and, in red, the percentage not detected. (Figure 04: Percentage Detected By Anti-Virus 2014)

Of all the new malicious files we processed in 2014, about 23.7 percent were not detected by any of the anti-virus products we currently use. Figure 05 shows the new malicious files of 2014 that were detected by anti-virus on heuristics alone. Every modern anti-virus solution on the market today uses various heuristics to detect known and unknown malware, so a heuristic-only detection usually means the vendor had no specific signature for that sample yet. (Figure 05: Heuristic Detection 2014)
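The hashing, de-duplication and multi-scanner bookkeeping described in sections 3.1 and 3.2, written out as an added example for this page; it is not RedSocks code and says nothing about how Malware Threat Defender is built. The scanner names, their verdict strings, the rule that treats names containing "Heur", ".Gen", "Generic" or "Suspicious" as heuristic detections, and the sample feed are all constructed for the example:

```python
import hashlib
from collections import defaultdict

# Vendor naming is not standardised; these substrings are an assumption
# that covers common heuristic/generic verdict names, not a vendor rule.
HEURISTIC_MARKERS = ("heur", ".gen", "generic", "suspicious")


def is_heuristic(verdict: str) -> bool:
    v = verdict.lower()
    return any(marker in v for marker in HEURISTIC_MARKERS)


def sample_id(data: bytes) -> str:
    # SHA-256 instead of MD5: MD5 collisions are cheap to build, so two
    # different files could otherwise be stored under one name.
    return hashlib.sha256(data).hexdigest()


class Corpus:
    """Per-month counters for new samples, AV hits and heuristic-only hits."""

    def __init__(self):
        self.seen = {}  # sha256 -> size in bytes; stands in for 'rename to hash'
        self.stats = defaultdict(lambda: {"total": 0, "detected": 0,
                                          "heuristic_only": 0, "bytes": 0})

    def ingest(self, month: str, data: bytes, verdicts: dict) -> bool:
        """Record one sample; returns False if its hash was already processed.

        verdicts maps scanner name -> detection name, or None for 'clean'.
        """
        digest = sample_id(data)
        if digest in self.seen:
            return False
        self.seen[digest] = len(data)
        stat = self.stats[month]
        stat["total"] += 1
        stat["bytes"] += len(data)
        hits = [name for name in verdicts.values() if name]
        if hits:
            stat["detected"] += 1
            # 'heuristic only': every scanner that fired did so generically
            if all(is_heuristic(name) for name in hits):
                stat["heuristic_only"] += 1
        return True

    def report(self, month: str) -> dict:
        stat = self.stats[month]
        total = stat["total"]
        return {
            "new_files": total,
            "detected_pct": round(100.0 * stat["detected"] / total, 1) if total else 0.0,
            "not_detected": total - stat["detected"],
            "heuristic_only": stat["heuristic_only"],
            "gigabytes": round(stat["bytes"] / 1e9, 6),
        }


# Constructed feed: (month, file contents, verdict per hypothetical scanner).
# The fourth entry is a byte-for-byte duplicate of the first and must be skipped.
FEED = [
    ("2014-01", b"MZ\x90\x00sample-A", {"av1": "Trojan.Zbot", "av2": None, "av3": "Trojan-PSW.Win32.Zbot"}),
    ("2014-01", b"MZ\x90\x00sample-B", {"av1": None, "av2": "Heur.Suspicious", "av3": None}),
    ("2014-01", b"MZ\x90\x00sample-C", {"av1": None, "av2": None, "av3": None}),
    ("2014-01", b"MZ\x90\x00sample-A", {"av1": "Trojan.Zbot", "av2": None, "av3": None}),
    ("2014-02", b"%PDF-1.4 sample-D", {"av1": "Exploit.PDF-JS.Gen", "av2": None, "av3": "Trojan.Generic"}),
]


def build_corpus(feed=FEED) -> Corpus:
    corpus = Corpus()
    for month, data, verdicts in feed:
        corpus.ingest(month, data, verdicts)
    return corpus


if __name__ == "__main__":
    corpus = build_corpus()
    for month in sorted(corpus.stats):
        print(month, corpus.report(month))
```

"Not detected" here means not detected by this set of scanners at this moment, which is the caveat the text makes about engines, samples and scan time; re-scanning the same hashes later (and keeping the first verdict) is what turns these counts into the trend lines in the figures.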

4. Classifying Malware

We categorise malware according to its primary feature. In 2014, malware was grouped as shown in Table 02. (Table 02: Malware Categories 2014) The category Others consists of malicious samples that do not fit any of the six main categories. First we look at the six main categories.

4.1. Adware & PUPs

Of all the identified malware, 9.5 million unique samples were categorised as adware in 2014. Figure 06 shows the adware in green and the PUPs in orange. PUP is the common abbreviation for Potentially Unwanted Program; they are also known as PUAs (Potentially Unwanted Applications). A total of 5.4 million PUPs were identified in 2014. (Figure 06: Adware & PUPs 2014)

A PUP or PUA is an application that is installed along with the application the user actually asked for. In most cases the PUP is spyware, adware or some other unwanted software. What makes spyware or adware a PUP rather than outright malware is that the end-user licence agreement (EULA) informs the user that this additional program is being installed. Considering that people hardly ever read the licence agreement, the distinction is a subtle one. (Table 03: Top 3 Adware Families 2014; Table 04: Top 3 PUP Families 2014)

4.2. Backdoors & Bots

As the name suggests, in this category we find threats that provide a channel through which a remote attacker can access and control a computer. Backdoors and bots (B&Bs) vary in sophistication, from those that only allow a few limited functions to those that allow almost any action to be carried out, giving the remote attacker complete control of the computer. (Figure 07: Backdoors & Bots 2014)

A computer with a sophisticated B&B installed is also referred to as a "zombie" or a "bot", and a network of such bots as a "botnet". Botnets can have hundreds of thousands of infected nodes. Typical backdoor capabilities allow a remote attacker to:
- collect information (system and personal) from the computer and any storage device attached to it
- terminate tasks and processes
- run tasks and processes
- download additional files
- upload files and other content
- report on status
- open remote command-line shells
- perform denial-of-service attacks on other computers
- change computer settings
- shut down or restart the computer

(Table 05: Top 3 B&B Families 2014)

B&Bs have become increasingly popular among malware creators because of the shift in motivation from fame and glory to money and profit. In today's black-market economy, a computer with a backdoor can be put to work performing various criminal activities that earn money for its controllers: pay-per-install schemes, sending spam e-mail and harvesting personal information and identities are all ways to generate revenue. In 2014, a B&B was found in 1.2 million unique new samples.

4.3. Exploits

An exploit is a piece of software that uses one or more vulnerabilities in a computer system to bypass its security controls. Exploits can be very dangerous and can be worth a lot of money on the black market. (Figure 08: Exploits 2014)

The most common exploit in 2014 was CVE C, a detection name that identifies malicious PDF files downloaded by the Blackhole exploit kit and exploiting a known vulnerability. When the PDF file is loaded, Adobe Reader opens and then closes, while a malicious executable file, embedded in the PDF itself, is dropped directly onto the C:\ drive. The dropped executable tries to connect to various registered domains to download further files, which may contain trojans or other malware. Because JavaScript is needed to exploit this vulnerability successfully, disabling JavaScript in the PDF reader for documents from unknown sources is a good idea. (Table 06: Top 3 Exploits 2014)

In 2014, we identified unique files that used one or more exploits.
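A static triage check for the kind of PDF described above, a document carrying JavaScript, an auto-open action and an embedded executable, added here as an example for this page; it is not RedSocks code and is not the detection behind the CVE name in the text. It does not parse the PDF fully: it scans the object bytes for the name tokens that matter, after decoding the #hh escapes PDF allows inside names (so /J#61vaScript is seen as /JavaScript) and after inflating any zlib-compressed streams. The risky-name list is a judgement call of the example, and the three PDF byte strings are constructed, not real samples:

```python
import re
import zlib

# Name tokens worth flagging in a PDF and the label reported for each.
RISKY_NAMES = {
    b"/JavaScript": "javascript",
    b"/JS": "javascript",
    b"/OpenAction": "auto-open",
    b"/AA": "auto-action",
    b"/Launch": "launch-action",
    b"/EmbeddedFile": "embedded-file",
    b"/RichMedia": "rich-media",
}


def normalise_names(data: bytes) -> bytes:
    """Decode #hh escapes so /J#61vaScript compares equal to /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Return the concatenated plaintext of every stream that inflates as zlib.

    Most real PDFs keep their objects inside /FlateDecode streams, so scanning
    only the raw bytes would miss the JavaScript entirely.
    """
    out = []
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)endstream", data, re.S):
        try:
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not zlib data: the raw bytes are scanned anyway
    return b"".join(out)


def triage_pdf(data: bytes) -> dict:
    if not data.startswith(b"%PDF-"):
        return {"is_pdf": False, "flags": [], "score": 0}
    text = normalise_names(data + inflate_streams(data))
    flags = set()
    for token, label in RISKY_NAMES.items():
        # a name ends at a delimiter or whitespace, so /JS must not match /JSx
        if re.search(re.escape(token) + rb"(?![0-9A-Za-z])", text):
            flags.add(label)
    # An MZ header followed by a PE signature inside the document body is the
    # strongest single signal: a benign PDF has no reason to carry a Windows
    # executable.
    if re.search(rb"MZ[\s\S]{0,1024}?PE\x00\x00", text):
        flags.add("embedded-pe")
    return {"is_pdf": True, "flags": sorted(flags), "score": len(flags)}


# Constructed samples (not real malware): one mimics the dropper described
# above, one hides its action in a compressed stream, one is harmless.
DROPPER = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (this.exportDataObject({cName:'x'})) >> endobj\n"
    b"4 0 obj << /Type /EmbeddedFile /Length 68 >> stream\n"
    b"MZ\x90\x00" + bytes(60) + b"PE\x00\x00\nendstream endobj\n%%EOF"
)
COMPRESSED = (
    b"%PDF-1.4\n5 0 obj << /Filter /FlateDecode >> stream\n"
    + zlib.compress(b"<< /S /Launch /F (cmd.exe) >>")
    + b"\nendstream endobj\n%%EOF"
)
BENIGN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF"

if __name__ == "__main__":
    for name, blob in (("dropper", DROPPER), ("compressed", COMPRESSED), ("benign", BENIGN)):
        print(name, triage_pdf(blob))
```

The score is only a sorting key for analysts: a legitimate form with /AA and /JS scores as high as a dropper without the embedded PE, so the "embedded-pe" flag, not the total, is what should route a file straight to sandboxing. Object streams (/ObjStm) and non-zlib filters are not handled here and are the usual places a real kit hides its objects.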

4.4. Rootkits

A rootkit is software designed to hide the fact that an operating system has been compromised, sometimes by replacing vital executables or by hooking the operating system so that files, processes and registry keys are no longer reported. Rootkits let viruses and other malware hide in plain sight by disguising them as necessary files that anti-virus software will overlook. A rootkit itself typically carries no payload; it is used to hide malware, bots and worms. (Figure 09: Rootkits 2014)

To install a rootkit, an attacker must first obtain administrative (root) privileges, either through an exploit or by obtaining the password, whether by cracking it or through social engineering. Some rootkits (bootkits) are activated before the operating system is loaded; because they load so early they are very hard to detect, which gives attackers a powerful way to use the targeted computer without the owner noticing. For the same reason, rootkits are notoriously difficult to remove.

Rootkits are not used to gain elevated access; they are used to mask the malware and its payloads more effectively, so that malware using rootkit technology can stay undetected for a very long time. Rootkit technology is often used in spy trojans and spyware. (Table 07: Top 3 Rootkit Families 2014)

Of all the new malicious files we processed in 2014, were categorised as rootkit.

4.5. Trojans

In 2014, 28.6 million files were identified as trojan. At 43 percent, trojans are the leading malware category. (Figure 10: Trojans 2014)

Trojans can be further divided into many subcategories. Table 08 lists the top 10 trojan subcategories with their percentage of all identified trojans. Nearly 62 percent of all identified trojans are generic trojans, detected by heuristics. We could fill many pages with figures and tables on trojan subcategories; instead, the following six were selected for this year's report, in no particular order: keyloggers, proxy, PSW, rogue, spy and downloaders. (Table 08: Top 10 Trojan Categories)

Keylogging Trojans

First a quick look at the trojan keyloggers. Figure 11 shows the keylogging trojans identified in 2014. Keylogging trojans are designed to record keystrokes without the user's knowledge; the recorded data is then collected and used to access private accounts or gather personal information. A keylogging trojan was found in 7,100 unique files. (Figure 11: Keylogging Trojans 2014)

Proxy Trojans

A little over 1,800 proxy trojans were identified in 2014. Proxy trojans turn the victim's computer into a proxy server, which lets the attacker do almost anything from that computer, including credit card fraud and other illegal activity, with the victim's address as the apparent source. Proxy trojans are often used to launch attacks against other networks. (Figure 12: Proxy Trojans)

PSW Trojans

PSW (password-stealing) trojans are designed to steal account information such as logins and passwords from infected computers. When launched, a PSW trojan searches the system files and application stores that hold such confidential data and, if it finds any, sends it to its operator by e-mail, FTP, the web (including data in a request) or other methods. Some also steal registration information for certain software programs and games. In 2014, password-stealing trojans were found in unique files. (Figure 13: Password Stealing Trojans)

Rogue Trojans

In the subcategory rogue trojans we grouped all the rogue- or fake-ware (rogue anti-virus, rogue security software, etc.). A rogue trojan deceives users into paying money for fake or simulated malware removal, or claims to remove malware while actually installing it. Rogue security software relies mainly on social engineering (fraud) rather than on technical means to defeat the user's defences. Cold calling has also become a distribution vector for this type of malware, with callers claiming to be from "Microsoft Support" or another legitimate organisation. We found rogue trojans in a little over unique files. (Figure 14: Rogue Trojans 2014)

Trojan Downloaders

In third place in the trojan category, with unique samples, we find the trojan downloaders. A trojan downloader installs itself on the system and waits until an Internet connection becomes available; it then connects to one or more remote servers or websites to download additional programs (usually malware or adware) onto the infected computer. Trojan downloaders are often distributed as part of the payload of other malware. (Figure 15: Download Trojans 2014)

Spy Trojans

The last trojan subcategory we want to share is the spy trojans. Spy trojans watch how you use your computer: they track the data you enter via the keyboard, mouse clicks and movements, take screenshots, list the running applications and record the websites you visit. Spy trojans can be very advanced and will try every available method to spy on you. During 2014, we identified 185,000 spy trojans and 4,500 spyware samples. (Figure 16: Spy Trojans 2014)

Spyware is identical to spy trojans when analysed and when considering the spying features. The difference is that spyware is sold through legally registered companies as a tool (for instance to keep an eye on your children), while spy trojans are used by cybercriminals to spy on you and the company you work for. At RedSocks we deal with spyware in the same way as with spy trojans, as both are used without the knowledge of the user or owner.

4.6. Worms

Of all the identified malware, 4.6 million new samples were categorised as worms. Figure 17 shows all the worm types (e-mail, generic, IM, IRC, net, P2P and script worms) identified in 2014. (Figure 17: Worms 2014)

Worms frequently spread by exploiting vulnerabilities in operating systems and network services. On average 2,611 files per day were infected with the peer-to-peer worm Picsys.C, making it the most identified worm of 2014. (Table 09: Top 3 Worm Families 2014)

4.7. 64-bit Malware

The more people switch to 64-bit platforms, the more 64-bit malware appears; we have been following this development for some time now. Figure 18 shows the 64-bit malware we identified in 2014. Cybercriminals do not actually need a 64-bit version of their malware to infect 64-bit Windows: 64-bit Windows includes WOW64 (Windows On Windows 64), a compatibility layer that runs 32-bit applications on the 64-bit operating system, so ordinary 32-bit malware runs there too. (Figure 18: 64-bit Malware 2014)

In total, unique files were identified as containing 64-bit malware. In the top 3 of 64-bit malware we see only members of the notorious Expiro malware family. Expiro has been around for years; its file-infector component infects multiple .exe and .lnk files on all available drives, including mapped network drives. Expiro collects user credentials and system information, and intercepts and redirects web requests. Most Expiro variants can download additional add-ons, turn the host into a proxy server and take part in (D)DoS attacks. (Table 10: Top 3 64-bit Malware 2014)

The Expiro source code has leaked, and with the source code available many additional variants can be expected from cybercriminals.
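What "identified as containing 64-bit malware" comes down to in practice is a look at the PE header, and the same check shows why WOW64 matters: a 32-bit image runs unchanged on x64 Windows. The checker below is an added example for this page, not RedSocks code and not their classifier; the build_pe helper constructs minimal headers for the demonstration and is an assumption of the example, not a real sample.

```python
import struct

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification.
MACHINES = {0x014C: "i386", 0x8664: "amd64", 0x01C0: "arm", 0xAA64: "arm64"}
# IMAGE_OPTIONAL_HEADER.Magic: PE32 (32-bit) vs PE32+ (64-bit).
OPTIONAL_MAGIC = {0x10B: 32, 0x20B: 64}


def pe_bitness(data: bytes) -> dict:
    """Classify a file as 32- or 64-bit PE from its headers, or reject it.

    Both the COFF Machine field and the optional-header Magic are read and
    cross-checked; a mismatch means the headers were tampered with or the
    file is damaged, and such a sample should go to manual analysis rather
    than be binned by one field alone.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"pe": False, "reason": "no MZ header"}
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return {"pe": False, "reason": "no PE signature"}
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0] if opt_size >= 2 else None
    if machine in (0x8664, 0xAA64):
        machine_bits = 64
    elif machine in MACHINES:
        machine_bits = 32
    else:
        machine_bits = None
    magic_bits = OPTIONAL_MAGIC.get(magic)
    return {
        "pe": True,
        "machine": MACHINES.get(machine, hex(machine)),
        "bits": machine_bits,
        "optional_header_bits": magic_bits,
        "consistent": machine_bits is not None and machine_bits == magic_bits,
        # 32-bit x86 images run on x64 Windows through WOW64, so bitness alone
        # says nothing about which platforms a sample can infect.
        "runs_on_x64_windows": machine in (0x014C, 0x8664),
    }


def build_pe(machine: int, magic: int) -> bytes:
    """Constructed minimal header: DOS stub, PE signature, COFF header and the
    first bytes of the optional header.  Not a runnable executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: right after the stub
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0xF0, 0x22)
    optional = struct.pack("<H", magic) + bytes(0xF0 - 2)
    return bytes(dos) + b"PE\x00\x00" + coff + optional


if __name__ == "__main__":
    for label, blob in (("x64", build_pe(0x8664, 0x20B)),
                        ("x86", build_pe(0x014C, 0x10B)),
                        ("tampered", build_pe(0x8664, 0x10B)),
                        ("pdf", b"%PDF-1.4")):
        print(label, pe_bitness(blob))
```

A file infector like Expiro carries its own code in each victim, so the host's bitness (from this header) and the infector's are the same; the "third generation" vs "second generation" split in section 5.7 is a family-version distinction that this header check alone cannot make.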

4.8. Other Malware

In this last category we have combined all the malware that did not fit into the categories described above. The total number of new malicious files in this category is 22.7 million. (Figure 19: Other Malware 2014)

Within Others we also find macro-based malware. During the summer of 2014, security researcher Szappi from Sophos noticed that macro malware was making a return. Figure 20 shows the macro-based malware we identified in 2014. Cybercriminals often use a small social-engineering trick, claiming that the document is somehow "protected" until you enable macros to decrypt or unscramble it; enabling the macros runs the malicious code. (Figure 20: Macro-based Malware 2014)

Table 11 lists the top 3 most seen macro-based malware of 2014. Mailcab.A is a Microsoft Excel macro worm that mass-mails itself to everyone in your address book. Lexar.B and Marker.C are both written for Microsoft Word. (Table 11: Top 3 Macro-based Malware 2014)

5. Trends

Discovering malware propagation trends starts with an analysis of the raw data behind the collection and processing of malware. From January to December 2014, RedSocks Malware Research Labs identified the following trends per malware category.

5.1. Adware

Of all the identified malware, percent was categorised as adware. In Figure 21 we can clearly see that adware increased in popularity during the year. Cybercriminals use adware as a quick and easy cash cow. (Figure 21: Adware Trend)

5.2. Backdoors and Bots

Of all the malicious files we analysed in 2014, 1.88 percent was identified as B&B, close to an average of 3,400 new unique samples per day. In April and May the number of new B&Bs started dropping; the drop was caused by the efforts of Microsoft and others to take down some of the biggest C&C servers. (Figure 22: B&B Trend)

5.3. Exploits

In 0.06 percent of all analysed malware we found code to exploit known vulnerabilities, on average 95 new malicious files per day. (Figure 23: Exploit Trend 2014)

5.4. Rootkits

In 0.07 percent of the new malicious files a rootkit was identified. The clear spike in April is due to 7,300 new malicious files that hide themselves with the help of rootkit code. (Figure 24: Rootkit Trend 2014)

5.5. Trojans

Trojans, at 43 percent, are the largest malware category; on average 78,000 samples per day were identified as containing one or more trojans. Since 2007 trojans have been on the rise as tools for cybercriminals. Keylogging trojans were mostly active in Q1 and Q2, PSW and spy trojans in Q2, and in Q3 we identified more proxy trojans than in the other quarters. Rogue trojans such as fake anti-virus were mainly used in Q3 and Q4. Finally, the trojan downloaders were mostly distributed in Q4. (Figure 25: Trojan Trend)

5.6. Worms

Altogether, worms accounted for 6.83 percent of the total. With the exception of the summer holiday season, the number of worms we saw per day increased every three months. Two generic worm families and the peer-to-peer worm Picsys.C were mainly responsible for the summer spike. On average we identified 12,700 new malicious files per day as worms. (Figure 26: Worm Trend 2014)

5.7. 64-bit Malware

Malware designed to run on 64-bit Windows was identified in new malicious files in 2014, 205,000 of them in the fourth quarter alone. In the fourth quarter, files infected by third-generation Expiro variants were seen three times as often as those infected by second-generation Expiro. (Figure 27: 64-bit Malware Trend)

5.8. Other Malware

After the adware, B&Bs, exploits, rootkits, trojans, worms and 64-bit malware, we are still left with 22.7 million identified malicious files, 34 percent of the total identified malware in 2014. Cybercriminals use various tricks to hide their malicious intentions: by compressing and/or encrypting their programs with packers and encryptors they hope to avoid detection by anti-virus programs. Table 12 lists the top 10 packers and encryptors with their percentage of all packers and encryptors identified in 2014. (Figure 28: Other Malware Trend 2014; Table 12: Top 10 Packers & Encryptors 2014)

6. Geolocation

In the top 3 countries hosting C&C servers, not much changed. Throughout the year the United States led (13,512 servers), followed by the Russian Federation (5,736). Third place alternated between Germany (3,242) and the United Kingdom (3,016). The Netherlands (1,992) increased in popularity as a country to host C&C servers: starting at 10th place in January, it climbed to 8th in March and 6th in May, and from June to December it held 5th place in the top 10. (Figure 29: Top 10 C&C Countries 2014)

We search for new C&C servers or controllers 24 hours a day, and one out of every four C&C servers we added to our blacklist was (or still is) a Zeus botnet controller. C&C servers control countless infected devices and machines all over the world for financial gain. (Table 13: Top 3 C&C Servers 2014)

Among the infected devices and machines, we saw the GhostBot worm more than any other malware trying to connect to its C&C server for updates and new instructions. (Table 14: Top 10 Connecting IPs 2014)
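Matching traffic against a blacklist of C&C indicators and tallying the hits by hosting country, by connecting host and by botnet family is the kind of bookkeeping behind Figure 29 and Tables 13 and 14. The script below is an added example for this page, not RedSocks code and not how Malware Threat Defender works internally. The indicator list, its family and country attributions and the flow records are all constructed; the addresses come from the RFC 5737 documentation ranges:

```python
import ipaddress
from collections import Counter

# Constructed indicator list: C&C address or prefix -> (family, hosting country).
# A real feed carries more context per entry (first/last seen, confidence, port).
INDICATORS = {
    "198.51.100.7": ("Zeus", "US"),
    "203.0.113.0/28": ("Zeus", "RU"),
    "192.0.2.44": ("GhostBot", "DE"),
    "192.0.2.80": ("Bladabindi", "NL"),
}

# Constructed flow records: timestamp,src,dst,dst_port,bytes (NetFlow-like).
FLOWS = """\
2014-06-01T10:00:01Z,10.0.0.5,198.51.100.7,443,1024
2014-06-01T10:00:05Z,10.0.0.5,93.184.216.34,443,20480
2014-06-01T10:01:10Z,10.0.0.9,203.0.113.9,8080,300
2014-06-01T10:02:00Z,10.0.0.5,192.0.2.44,80,512
2014-06-01T10:02:30Z,10.0.0.12,192.0.2.80,1177,256
2014-06-01T10:03:00Z,10.0.0.9,203.0.113.20,8080,300
"""


def compile_indicators(raw: dict) -> list:
    """Parse to ip_network objects once; a bare address becomes a /32."""
    return [(ipaddress.ip_network(key, strict=True), family, country)
            for key, (family, country) in raw.items()]


def parse_flow(line: str) -> dict:
    ts, src, dst, dport, nbytes = line.split(",")
    return {"ts": ts, "src": src, "dst": ipaddress.ip_address(dst),
            "dport": int(dport), "bytes": int(nbytes)}


def match_flows(flow_text: str, indicators: list) -> list:
    """Return one hit per flow whose destination is a listed C&C address."""
    hits = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        for net, family, country in indicators:
            if flow["dst"] in net:
                hits.append({**flow, "dst": str(flow["dst"]),
                             "family": family, "country": country})
                break  # first matching indicator wins
    return hits


def top_cc_countries(hits: list, n: int = 10) -> list:
    return Counter(h["country"] for h in hits).most_common(n)


def top_connecting_hosts(hits: list, n: int = 10) -> list:
    return Counter(h["src"] for h in hits).most_common(n)


def family_share(hits: list) -> dict:
    """Percentage of C&C hits per botnet family, like the Zeus figure above."""
    total = len(hits)
    if not total:
        return {}
    return {family: round(100.0 * count / total, 2)
            for family, count in Counter(h["family"] for h in hits).items()}


if __name__ == "__main__":
    hits = match_flows(FLOWS, compile_indicators(INDICATORS))
    print("C&C hits:", len(hits))
    print("top countries:", top_cc_countries(hits))
    print("top connecting hosts:", top_connecting_hosts(hits))
    print("family share:", family_share(hits))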

6.1. Dridex

In 2014, some cybercriminals started to abuse Microsoft Word macros again, but not in the same manner as the almost extinct macro viruses and trojans of the past. The Dridex banking trojan caused a lot of problems in 2014; it is used by cybercriminals to steal financial information from unsuspecting Internet users. Dridex is related to the Cridex malware, which is also actively used to steal financial information. Dridex has been used in attacks that abuse the macro functionality of Microsoft Word: the macro is a piece of code that, once the user enables it, installs the trojan on the targeted device. (Figure 30: Reported Dridex Attacks 2014; Figure 31: Distribution Dridex Banking Trojan 2014)

6.2. Regin

There is one last piece of malware we want to share with you: Regin. Identified as a very complex piece of malware, Regin was created to run espionage campaigns against international targets. This spy trojan has been in the media since 2014, but according to Symantec the malicious code was active well before that. Regin has targeted at least the following sectors:
- government organisations
- infrastructure operators
- businesses
- researchers
- private individuals

The Symantec report claimed that the development of Regin likely took months or even years. Systems infected with Regin have been found in the following countries: Pakistan, Austria, Belgium, Iran, Afghanistan, India, Ireland, Mexico, Saudi Arabia and the Russian Federation. In the appendix you will find the MD5 file hashes identified as related to the Regin spy trojan.

7. Prognosis 2015

Without a working crystal ball we cannot predict the future, but we can make a few prognoses for 2015 based on the data we (manually) collected and processed and on the analyses we made in 2014. Since criminals became cybercriminals, they have used malware as a tool for financial gain. For 2015 we make the following prognoses:

- At the rate adware and PUPs keep increasing, we expect to see around 20 million of them in 2015.
- The numbers of B&Bs and C&C servers go up and down: they drop after clean-up operations, then pop up elsewhere in the same or slightly modified form.
- The hunt for exploits is on. Large companies like Microsoft and Google, intelligence agencies and security researchers all over the world are looking for bugs to exploit, and so are the cybercriminals.
- Rootkits are complicated and are expected to double to 100,000 new samples in 2015.
- In 2014, around 43 percent of the new malicious files we analysed were trojans; in 2015 we expect 50 percent of all new malicious files to be trojans.
- During 2014, cybercriminals gained interest in worms as tools for financial gain. Of all the new malware we expect to see in 2015, around 10 million will be worms.
- The amount of 64-bit malware doubled in the last quarter of 2014. Because cybercriminals do not really need 64-bit versions of their malware, it is hard to say whether this will become a trend; for 2015 we expect around 500,000 new and unique 64-bit samples.
- C&C servers will remain the most used method for cybercriminals to control large international networks of infected clients.
- 2015 will be a year with many small and large data breaches, new exploits and vulnerabilities, international spying and hacking.
- Cybercriminals will use mobile malware and, via BYOD, infect, hack and spy on your work.
- The growing popularity of cloud storage, and in particular home-based clouds, will be exploited by cybercriminals for their own use and hit with ransomware.

(Figure 32: Prognoses Malware Categories (large); Figure 33: Prognoses Malware Categories (small))

- As card skimming becomes more difficult, more skimmers will switch to PoS malware.
- Encryption will be key for 2015. More malware will be encrypted, and more infected computers will use encrypted communication with their C&C servers to make detection and reverse engineering more difficult. More importantly, organisations and companies should start encrypting their sensitive information.

While some countries fear that strong encryption is a danger to national security, in the Netherlands it might become mandatory, at least indirectly. The Senate (Eerste Kamer) Committee for Security and Justice (V&J) will discuss the proposed bill on mandatory data breach notification on February 24, 2015. This bill adds to the Data Protection Act an obligation to report security breaches involving personal data. With the notification duty, the government wants to limit the impact of a data breach on those affected. Under the proposal, the data controller must, on a breach that is likely to lead to loss or unlawful processing of personal data, notify not only the supervisor, the Dutch Data Protection Authority (DPA), but also the persons concerned. This duty applies to everyone responsible for the processing of personal data, in both the private and the public sector. Failure to report a data breach can result in significant administrative fines from the DPA. This summary is based on the bill and the explanatory memorandum as filed with the House. The proposal (EK , A) was adopted unanimously by the House on February 10, 2015; once accepted by the Senate, it will take effect immediately.

We hope that you enjoyed our first Windows Malware Trend Year Report and that it gives you insight into the threats and trends we saw during 2014. We continue to innovate our methods, so please check back with us for our next quarterly trend report. Questions, comments and requests can be directed to the RedSocks Malware Research Labs.
G.J. Vroon, Anti-Malware Behavioural Researcher, RedSocks B.V. E: info@redsocks.nl

Appendix: MD5 file hashes of files infected with Regin

01c2f321b6bfdb9473c079b ba bb90f71cf d9b90e2da 06665b96e293b23acc80451abb413e50 0c7ca986a0397a90d6929c6f7e6e0154 0d2ebc37da17c222e5874fc c 0e8fb612120bb1f95f53f5d61469aa a9210c8d9120f55f98f90fa5fc5c 148c1bb9d405d717252c77593aff4bd de78ae62417fcc9caa691b8644b bc1328efa0ed636d8aa4a5c 18b1b2b3f00e59db059086adafe51fcc 1c024e599ac055312a4ab75b a 1c7bc938e5f175e97b6d f08c0 22bfc970f707fd775d49e875b63c2f0c 26297dc3cd0b688de3b846983c5385e5 2c8b9d d7ade3cae98225e263b 370db49bcbab2cb3f32a339360f262c3 3ef5decc426a fc90 46cd9e65f993f54d54c7782cfedbd65b 47d0e8f9d7a a32ecc2e 4b6b86c7fec1c574706cecedf44abded 52897d02af0f7658e64e0db6af537dc2 55b8dbe7bb0c37c05a30cc a5 57c8b4c47e95acac68e0587e633be652 5ad58f99355f7f10014bd8b07eb0f5a4 5ecff6d766ec3fcce9208c3e37f a8e876f5022c6d17c215dcc c390b2bbbd291ec fc75d7 66afaa303e13faa4913eaad50f7237ea a55fb c8bf36f00f 744c07e886497f7b68f6f7fe57b7ab54 7c e63feb7cb93247f1b6bae c aba03ffd9d 85bd9de0382a13c09705c26a8306e22e a942908f76069a239a4 92a6d0366a56e5cce347a04b11c0c27c 92df53840ba6285dc baa251 92e958073ec38a487d8082e8e67c69ce a4e0ca7b0113ee cbd8291c2a a790d9291cf4af7e1c408a9b7b085cdf a8c032ba411c1f63220d7e7ce883ee8e afaee56bc5e19f92b97e8f3e7aa2187a b0a35d8ed2d bff39e57d9e5 b269894f434657db2b a67532 b29ca4f22ae7b7b25f79c1d4a421139d b505d65721bb2453d5039a389113b566 b7cbb79edd04c32dc46e23407d0c4139 b b38339abd993d07d3c33c ba7bb65634ce1e30c1e5415be3d1db1d bc4db38f a4a33bd661c5cc7d0 bfbe8c3ee78750c3a e440f8 c051614abe2b6ee986b080fba4c32f87 ca14e20cd0ef1db4a531c70f1bc7009e cf77ac7f58eb0d210df16f10613f346a cfac99d112095bedebf5eeb612e51c90 d240f06e98c8d3e647cbf4d442d79475 db405ad775ac887a337b02ea8b07fddc ee766d7a dccddc01de8eb fae3021f7e74166feaa706c302446fee fb1cde39064b b1ffd1b07b fb33fb1d9ef00c1cfb070417a fb5f1b78e8ae608a08c08755a515dce5 ffb0b9b5b a7bdf0806e1e bb6ee1de2927c90556e46e7cfe1

REDSOCKS
RedSocks is a Dutch company specialised in malware detection. RedSocks supplies the RedSocks Malware Threat Defender as a network appliance. This innovative appliance analyses digital traffic flows in real time, based on the algorithms and lists of malicious indicators compiled by the RedSocks Malware Intelligence Team. This team consists of specialists in identifying new threats on the internet and translating them into state-of-the-art malware detection.
Boogschutterstraat 9C, 7324 AE Apeldoorn, The Netherlands
Tel +31 (0) info@redsocks.nl Website


More information

Botnet Analysis Leveraging Domain Ratio Analysis Uncovering malicious activity through statistical analysis of web log traffic

Botnet Analysis Leveraging Domain Ratio Analysis Uncovering malicious activity through statistical analysis of web log traffic The Leader in Cloud Security RESEARCH REPORT Botnet Analysis Leveraging Domain Ratio Analysis Uncovering malicious activity through statistical analysis of web log traffic ABSTRACT Zscaler is a cloud-computing,

More information

Introduction The Case Study Technical Background The Underground Economy The Economic Model Discussion

Introduction The Case Study Technical Background The Underground Economy The Economic Model Discussion Internet Security Seminar 2013 Introduction The Case Study Technical Background The Underground Economy The Economic Model Discussion An overview of the paper In-depth analysis of fake Antivirus companies

More information

When you listen to the news, you hear about many different forms of computer infection(s). The most common are:

When you listen to the news, you hear about many different forms of computer infection(s). The most common are: Access to information and entertainment, credit and financial services, products from every corner of the world even to your work is greater than ever. Thanks to the Internet, you can conduct your banking,

More information

Fighting Advanced Threats

Fighting Advanced Threats Fighting Advanced Threats With FortiOS 5 Introduction In recent years, cybercriminals have repeatedly demonstrated the ability to circumvent network security and cause significant damages to enterprises.

More information

2012 Bit9 Cyber Security Research Report

2012 Bit9 Cyber Security Research Report 2012 Bit9 Cyber Security Research Report Table of Contents Executive Summary Survey Participants Conclusion Appendix 3 4 10 11 Executive Summary According to the results of a recent survey conducted by

More information

Current Threat Scenario and Recent Attack Trends

Current Threat Scenario and Recent Attack Trends Current Threat Scenario and Recent Attack Trends Anil Sagar Additional Director Indian Computer Emergency Response Team (CERT-In) Objectives Current Cyber space Nature of cyberspace and associated risks

More information