Malware Trend Report, Q4 2014: October, November, December


January 2015. Copyright RedSocks B.V. All Rights Reserved.


Table of Contents
1. Introduction
2. Summary
2.1. Collecting Malware
2.2. Processing Malware
2.3. Detecting Malware
2.4. Classifying Malware
3. Trends
3.1. Adware
3.2. Backdoors and Bots
3.3. Exploits
3.4. Rootkits
3.5. Trojans
3.6. Worms
3.7. 64-bit Malware
3.8. Malicious Others
4. Geolocation
5. Final Word
5.1. Miscreants say "Je suis Charlie" too
Appendix A: Detecting Malware
Appendix B: Classifying Malware

Table of Figures
Figure 1: Unique Malicious Files Q3-Q4
Figure 2: Space Needed To Store New Malicious Files Q3-Q4
Figure 3: Detected vs. Not Detected October
Figure 4: Detected vs. Not Detected December
Figure 5: Detected vs. Not Detected November
Figure 6: Amount of Identified Adware Q4
Figure 7: Distribution of Adware.Symmi Q4
Figure 8: Amount of Identified Backdoors and Bots Q4
Figure 9: Distribution of Backdoor.Bot Q4
Figure 10: Amount of Identified Exploits Q4
Figure 11: Amount of Identified Rootkits Q4
Figure 12: Amount of Identified Trojans Q4
Figure 13: Amount of Identified Worms Q4
Figure 14: Amount of Identified 64-Bit Malware Q4
Figure 15: 64-bit Malware Families Q4
Figure 16: Other Malware Q4
Figure 17: Je Suis Charlie
Figure 18: Fake Movie Maker Message

Table of Tables
Table 1: File Metrics Q3-Q4
Table 2: Malware Categories Q4
Table 3: Top 3 Worm Families Q4
Table 4: Other Malware Q4 vs. Q3
Table 5: Top 10 Countries Hosting C&C Servers Q3
Table 6: Top 10 Countries Hosting C&C Servers Q4
Table 7: Malware Categories Q3 vs. Q4

1. Introduction
This is the last quarterly trend report for 2014 from the RedSocks Malware Research Lab. RedSocks is a Dutch company specialising in malware detection. Our solution, RedSocks Malware Threat Defender, is a network appliance that analyses digital traffic flows in real time, based on algorithms and lists of malicious indicators. This critical information is compiled by the RedSocks Malware Intelligence Team (RSMIT). The team consists of specialists whose job is to identify new threats and trends on the Internet and to translate them into state-of-the-art malware detection capabilities. With this report, we hope to give the reader a deeper insight into the trends we see in the malware we process, based on data collected during the fourth quarter of 2014. At RedSocks we analyse large numbers of malicious files on a daily basis, so we can cover only a few topics briefly in this trend report. Protecting your data from Internet-based threats is not an easy task, and relying solely on protection from Anti-Virus companies, no matter how established their brand, is not enough. Comprehensive protection requires an entirely new approach.

2. Summary
The total number of new and unique malicious files processed per month went from 7.2 million in October to 8.2 million in November, and down to 7.8 million in December. The overall detection by Anti-Virus software this quarter was roughly 5 percent lower than in the third quarter. The detection rate for October was percent; for November it is percent, and in December the average detection was only 73.0 percent. This might not sound too bad, but it means that around 14 percent, 16 percent and 27 percent, respectively, were not detected. Please note that identification rates can change depending on the samples chosen and the time of scanning.
During the fourth quarter, the number of identified adware went up from 1.2 million in October to 1.6 million in November, only to drop to 1.5 million in December. During the third quarter the number of identified backdoors and bots (B&B) increased from 117,000 to 140,000. In the last quarter of 2014, B&B started in October with unique samples, increasing to in November and in December. In October, only 0.03 percent of the files were detected by Anti-Virus software as exploits and 0.04 percent as rootkits. In November, 0.06 percent were detected as rootkits and 0.02 percent as exploits. For December it is 0.11 percent exploits and 0.06 percent rootkits.
Like in the first, second and third quarter of this year, trojans are by far the most popular type of malware. In October they made up 3 million, and in November and December 3.6 million. In October, 471,000 worm files were identified. In November the number increased to 622,000, and in December 674,000 worms were added to our databases. Grouped together, all other malicious files, such as flooders, hacktools, spoofers, spyware, viruses, etc., make up 34, 26 and 28 percent of the total for October, November and December, respectively.
As in the third quarter, most Command & Control (C&C) servers were hosted in the United States, followed by the Russian Federation. Germany could be found in third place, but lost it to the United Kingdom. The Netherlands, as in the third quarter, can be found in 5th place.

2.1. Collecting Malware
At the RedSocks Malware Research Labs, we track large numbers of malware from our globally distributed honeypots, honey-clients, spam-nets and various botnet monitoring sensors. Thanks to the distribution of our honeypots, we are able to automatically collect and process new malicious samples from across the globe. We also exchange large quantities of malicious files with the Anti-Virus industry.
Figure 1: Unique Malicious Files Q3-Q4

2.2. Processing Malware
Working with malware is what we love to do. More than 200,000 new malicious files arrive every day at our automated malware collecting machines.
Figure 2: Space Needed To Store New Malicious Files Q3-Q4

All samples are renamed to their hash value. We then check whether that particular piece of malware has already been processed. Figure 2 shows the total amount of disk space, in gigabytes, needed to store all the new malicious files. While the number of new malicious files stayed more or less the same, the average file size decreased a little. During the second quarter, we saw that malicious files, on average, shrank percent. During the third quarter, the average file size increased by percent.
Table 1: File Metrics Q3-Q4 (rows: average number of new files per day, average file size in bytes, average Anti-Virus detection; columns: July through December)

2.3. Detecting Malware
At RedSocks Malware Labs we use an in-house classification system for grouping malware. We have classified over 300 types, for which we keep detailed statistics. Once multiple anti-virus scanners (in paranoid mode) have performed their on-demand scan, we know which malware was detected and, perhaps more importantly, which was not. The next three figures show all the new and unique malicious files per day. The green section shows the percentage of files identified by Anti-Virus software and the red section the percentage of files not detected.
Figure 3: Detected vs. Not Detected October 2014
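The pipeline described in sections 2.2 and 2.3 (rename each incoming file to its hash, skip anything already processed, then count a file as detected when at least one of several scanners flags it) as an added Python example; this is not RedSocks code. The sample bytes, the two scanner names and their verdicts are constructed for the example, and SHA-256 is assumed as the hash function.

```python
import hashlib
from collections import OrderedDict

# Constructed corpus of incoming samples: (arrival day, raw bytes).
# Day 2 re-submits the day-1 file so the de-duplication step has work to do.
INCOMING = [
    ("2014-10-01", b"MZ\x90\x00 sample one"),
    ("2014-10-01", b"MZ\x90\x00 sample two"),
    ("2014-10-02", b"MZ\x90\x00 sample one"),
    ("2014-10-02", b"MZ\x90\x00 sample three"),
]


def sha256_hex(data: bytes) -> str:
    """Content hash used as the canonical file name in the sample store."""
    return hashlib.sha256(data).hexdigest()


# Constructed on-demand scan verdicts from two hypothetical scanners, keyed by
# hash.  None means that scanner returned no detection for the file.
VERDICTS = {
    sha256_hex(b"MZ\x90\x00 sample one"):   {"scanner_a": "Trojan.Kazy", "scanner_b": None},
    sha256_hex(b"MZ\x90\x00 sample two"):   {"scanner_a": None,          "scanner_b": None},
    sha256_hex(b"MZ\x90\x00 sample three"): {"scanner_a": None,          "scanner_b": "Worm.Generic"},
}


def ingest(incoming, verdicts):
    """Rename each sample to its hash, skip hashes already stored, and tally
    per-day detected/undetected counts.  A file counts as detected when at
    least one scanner returns a verdict, the 'any scanner' view the report's
    daily figures use."""
    store = {}              # hash -> bytes, i.e. the renamed files
    stats = OrderedDict()   # day -> {"files", "detected", "undetected"}
    duplicates = 0
    for day, data in incoming:
        digest = sha256_hex(data)
        if digest in store:             # already processed on an earlier day
            duplicates += 1
            continue
        store[digest] = data
        day_stats = stats.setdefault(day, {"files": 0, "detected": 0, "undetected": 0})
        day_stats["files"] += 1
        hit = any(v is not None for v in verdicts.get(digest, {}).values())
        day_stats["detected" if hit else "undetected"] += 1
    return store, stats, duplicates


def detection_rate(stats):
    """Aggregate the per-day tallies into one detection percentage (1 decimal)."""
    files = sum(d["files"] for d in stats.values())
    detected = sum(d["detected"] for d in stats.values())
    return round(100.0 * detected / files, 1) if files else 0.0


if __name__ == "__main__":
    store, stats, dups = ingest(INCOMING, VERDICTS)
    for day, d in stats.items():
        print(day, d)
    print("duplicates skipped:", dups, "overall detection:", detection_rate(stats), "%")
```

Note that the undetected column depends on which scanners are in the set and when the scan ran; re-scanning the same hashes later typically moves files from undetected to detected, which is why the report warns that identification rates shift with sample choice and scan time.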

Figure 5: Detected vs. Not Detected November 2014
Figure 4: Detected vs. Not Detected December 2014
In October, about 14 percent of all the malicious files we processed were not detected by any of the Anti-Virus products we currently use. In November, 16 percent of the samples on average remained undetected. In December, Anti-Virus detection dropped, missing 27 percent of all malicious samples we processed. In Appendix A: Detecting Malware you will find detection results by both day and month.

2.4. Classifying Malware
We categorise malware according to its primary feature. In the third quarter, malware was grouped as follows:
Adware: Adware Droppers, Adware Downloaders, Toolbars
B&B: Backdoors, Bots
Exploits: ADODB, HTML, Java, JS, Linux, MSExcel, MSPPoint, MSWord, OSX, PDF, Script, SWF, Win32, Win64
Rootkits: (no sub-types listed)
Trojans: (D)DoS Trojans, Banking Trojans, Batch Trojans, FakeAV, GameThief Trojans, Generic Trojans, IRC Trojans, Java Trojans, LNK Trojans, Packed Trojans, Password Stealing Trojans, Proxy Trojans, Ransom Trojans, Rogue Trojans, Script Trojans, SMS Trojans, Spy Trojans, Trojan Clickers, Trojan Dialers, Trojan Downloaders, Trojan Droppers, Trojan Flooders, Trojan Mailfinder, Trojan Notifiers, Trojan RATs, WinREG Trojans
Worms: -Worms, Generic Worms, IM-Worms, IRC-Worms, Net-Worms, P2P-Worms, Packed Worms, Script Worms
Others: (D)DoS Tools, AV Tools, Constructors, DOS based, Encrypted Malware, Flooders, Fraud Tools, Generic Malware, Hack Tools, Macro based, Malware Heuristic, Monitors, Nukers, Porn-Dialers, Porn-Downloaders, Porn-Tools, PSW-Tools, PUPs, RemoteAdmin, Riskware, Spammers, Spoofers, SpyTools, Spyware, Suspicious, Viruses
Table 2: Malware Categories Q4
The Others category consists of malicious samples that do not fit in any of the six main categories. See Appendix B: Classifying Malware for the numbers by day, category and month.

3. Trends
Discovering malware propagation trends starts with an analysis of the raw data behind the collection and processing of malware. From October to December, RedSocks Malware Research Labs identified the following trends by malware category.

3.1. Adware
During the third quarter, we identified around 3.3 million files as adware. During the fourth quarter, we identified 4.3 million. This is 18.7 percent of all identified malware, a 4 percent increase compared with the third quarter.
Figure 6: Amount of Identified Adware Q4
On the 29th of December, over 119,000 variations of Symmi were identified. The distribution of Symmi started on Sunday the 7th of December. The Symmi adware displays ads, usually in the web browser, by modifying displayed pages or opening additional pages that include ads. Such adware programs are usually installed by the users themselves or come bundled with other software that the users install (usually in exchange for using the software for free, or as a default install option). Users might be unaware that this software was installed, or of its behaviour. This detection is meant to flag the file and its behaviour as part of legitimate ad-displaying software. It does not have its own spreading routine.

Figure 7: Distribution of Adware.Symmi Q4

3.2. Backdoors and Bots
Files identified as having been infected with a backdoor, or as having bot functions, made up 1.4 percent in the third quarter. A total of 397,000 files were classified in this category in the fourth quarter, which is 1.7 percent of the total.
Figure 8: Amount of Identified Backdoors and Bots Q4

Since May 2014, the distribution of new backdoors and bots (B&B) and their variations has been low. From the second week of September the numbers have been rising again. During the fourth quarter, B&B increased by 0.3 percent. All the spikes in figure 11 of 10,000 or more are caused largely by variations of Backdoor.Bot. With over 165,000 unique samples, it was by far the most popular B&B.
Figure 9: Distribution of Backdoor.Bot Q4

3.3. Exploits
An exploit is an attack on a computer system, especially one that takes advantage of a particular vulnerability. The number of exploits doubled compared to the third quarter: from 7,109 unique samples to 14,431 in the last quarter of 2014. Of all the samples we processed during the fourth quarter, 0.06 percent were categorised as exploits.

Figure 10: Amount of Identified Exploits Q4
As in the third quarter, variations of the Exploit CVE C are still very popular among cybercriminals. This detection identifies malicious PDF files downloaded by the Blackhole exploit kit that take advantage of a known vulnerability in Adobe Reader. To prevent successful exploitation, install the latest updates available for Adobe Reader and/or remove any old and unnecessary installations. Exploit CVE C was responsible for all spikes above 500. Of all the identified exploits, a stunning percent made use of this exploit.

3.4. Rootkits
A rootkit is a type of software designed to hide the fact that an operating system has been compromised. This can be done in various ways, such as replacing vital executables or introducing a new kernel module. Rootkits allow malware to hide in plain sight. Rootkits themselves are not harmful; they are simply used to hide malware, bots and worms. To install a rootkit, an attacker must first gain sufficient access to the target operating system. This could be accomplished by using an exploit, by obtaining valid account credentials or through social engineering. Because rootkits are activated before your operating system boots up, they are very difficult to detect and therefore provide a powerful way for attackers to access and use the targeted computer without the owner being aware of it. Due to the way rootkits are used and installed, they are notoriously difficult to remove. Rootkits today are usually not used to gain elevated access, but are instead used to mask malware payloads more effectively.

Figure 11: Amount of Identified Rootkits Q4
In the second and third quarter we saw a slight drop in the usage of rootkits, and this drop continued in the fourth quarter. Around 800 rootkit families were identified in 9,759 unique files. The first two spikes above 300 are not caused by a specific rootkit family. The spikes on the 11th and 20th of December were primarily caused by members of Rootkit, with 247 and 173 samples.

3.5. Trojans
With more than 9.9 million (43 percent) new unique samples in the fourth quarter of 2014, trojans are by far the biggest category of malware. In the third quarter 8.8 million files (39 percent) were trojans, so this is an increase of 4 percent.
Figure 12: Amount of Identified Trojans Q4
Of all the trojan families, we will only discuss the top three. In third place we find Trojan.Unruy.1, with 115,000 different samples distributed over 86 days; its best day was the 21st of November, with almost 15,000 samples. In second place is Trojan.Symmi.47633, with 124,000 files spread over 64 days; its best day was the 4th of December. Without a doubt, the most distributed trojan family is Trojan.Kazy: in 92 days we counted nearly 141,000 new samples.

3.6. Worms
In roughly 1.8 million new files we identified worm traces and functionality. The first spike above 50,000, on the 12th of November, was primarily caused by 44,000 samples of Worm.Generic. On the 24th and 25th of November, 25,000 and 26,000 minor variations of Win32.Worm.Benjamin.A were counted.
Figure 13: Amount of Identified Worms Q3
The top 3 most identified worm families are:
AV-Identifier | Total Amount | First Seen | Last Seen | Best Day | Amount Best Day | Days Seen
Worm.Generic | … | | | | |
Win32.Worm.P2p.Picsys.C | 113,… | | | | |
Win32.Worm.Benjamin.A | 96,… | | | | |
Table 3: Top 3 Worm Families Q4
Compared with the third quarter, a slight decrease in worm usage can be seen. In the third quarter 7.97 percent were worms; for the fourth quarter 7.63 percent of the total was classified as worms.

3.7. 64-bit Malware
Malware designed to run on 64-bit Windows was identified in 205,000 new malicious files in the fourth quarter, a gigantic increase compared with the 33,000 of the third quarter. Of all new files, 0.89 percent were able to infect 64-bit Windows files.
Figure 14: Amount of Identified 64-Bit Malware Q4
Expiro, designed to infect 32-bit and 64-bit files, aims to maximise profit and infects executable files on local, removable and network drives. As for the payload, this malware installs extensions for the Google Chrome and Mozilla Firefox browsers. It also steals stored certificates and passwords from Internet Explorer, Microsoft Outlook and the FTP client FileZilla. The browser extensions are used to redirect the user to a malicious URL and to hijack confidential information such as account credentials or online banking details. The virus disables some services on the compromised computer, including Windows Defender and Windows Security Center, and can also terminate processes. In the third quarter, a drop in usage of the old Expiro and the rise of the second and third generation was seen. The Expiro third generation variations were seen three times more often than the second generation in the fourth quarter. In figure 18 we can see the seven 64-bit families we intercepted and the number of files infected by them.
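Two of the report's classification axes, the seven categories of section 2.4 (assigned from the scanner label's primary feature) and the separate 64-bit count of this section (decided by the target architecture rather than the category), as one added Python example; this is not RedSocks code and the real system has over 300 types. The regular-expression rules, the family override table and the labels Rootkit.Agent and Win32.Expiro.W are constructed for the example; the PE Machine constants are the documented values from the PE/COFF format.

```python
import re
import struct

# Rules for the report's main categories, tried in order; the first match
# wins.  Label shapes follow families named in this report (Adware.Symmi,
# Backdoor.Bot, Exploit:W32/CVE..., Trojan.Unruy.1, Win32.Worm.Benjamin.A).
CATEGORY_RULES = [
    ("Adware", re.compile(r"\badware\b|\btoolbar\b", re.I)),
    ("Backdoors and Bots", re.compile(r"\bbackdoor\b|\bbot\b", re.I)),
    ("Exploits", re.compile(r"\bexploit\b|\bcve\b", re.I)),
    ("Rootkits", re.compile(r"\brootkit\b", re.I)),
    ("Worms", re.compile(r"\bworm\b", re.I)),
    ("Trojans", re.compile(r"\btrojan\b|\bbanker\b|\bransom\b|\bspy\b", re.I)),
]

# Families the report places in a category although the label carries no
# category word (Table 7 lists Gen:Variant.Kazy under Trojans and
# OnLineGames under Rootkits).  Hypothetical override table, checked first.
FAMILY_OVERRIDES = {"kazy": "Trojans", "onlinegames": "Rootkits"}

# COFF Machine field values from the PE specification.
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def classify(label):
    """Map one scanner label to one of the seven categories ('Others' if none fit)."""
    low = label.lower()
    for family, category in FAMILY_OVERRIDES.items():
        if family in low:
            return category
    for category, pattern in CATEGORY_RULES:
        if pattern.search(label):
            return category
    return "Others"


def count_by_category(labels):
    """Per-category tally, the shape of one day's row in Appendix B."""
    counts = {category: 0 for category, _ in CATEGORY_RULES}
    counts["Others"] = 0
    for label in labels:
        counts[classify(label)] += 1
    return counts


def pe_bitness(data):
    """Return 32, 64 or None from the COFF Machine field of a PE image.
    e_lfanew at offset 0x3C gives the position of the 'PE\\0\\0' signature;
    the 16-bit Machine field follows the signature directly."""
    if data is None or len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return {IMAGE_FILE_MACHINE_I386: 32, IMAGE_FILE_MACHINE_AMD64: 64}.get(machine)


def bucket(label, pe_bytes=None):
    """Category plus the independent 64-bit flag behind the report's 64-bit
    count: set when the PE header targets AMD64 or the label says Win64."""
    is_64bit = pe_bitness(pe_bytes) == 64 or "win64" in label.lower()
    return classify(label), is_64bit


def minimal_pe(machine):
    """Constructed test input: just enough of a PE header for pe_bitness()."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    return dos_header + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18


# Constructed label set; Rootkit.Agent and Win32.Expiro.W are placeholders.
SAMPLE_LABELS = [
    "Adware.Symmi", "Adware.Linkury.M", "Backdoor.Bot", "Exploit:W32/CVE",
    "Rootkit.Agent", "Trojan.Unruy.1", "Gen:Variant.Kazy",
    "Win32.Worm.Benjamin.A", "Win32.Ramnit.N",
]

if __name__ == "__main__":
    print(count_by_category(SAMPLE_LABELS))
    print(bucket("Win32.Expiro.W", minimal_pe(IMAGE_FILE_MACHINE_AMD64)))
```

The last call shows why the 64-bit figure is reported separately: a file infector such as Expiro lands in Others by category, yet a 64-bit build of it still counts towards the 205,000 64-bit files.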

Figure 15: 64-bit Malware Families Q4

3.8. Malicious Others
After the adware, B&B, exploits, rootkits, worms and 64-bit malware, we are still left with 6.4 million identified malicious files. This is 28 percent of the total for this quarter and a decrease of 7.7 percent compared with the third quarter.
Figure 16: Other Malware Q4

In table 4, we divided the others over 10 categories.
Category | Count | % of total | +/- | Count | % of total | +/-
DOS based | 5,… | …% | …% | 2,… | …% | …%
Encrypted Malware | 9,… | …% | …% | 10,… | …% | …%
Generic Malware | 4,018,… | …% | …% | 4,083,… | …% | …%
Macro based | 7,… | …% | …% | 9,… | …% | …%
Malware Heuristic | 465,… | …% | …% | 153,… | …% | …%
PUPs | 768,… | …% | …% | 2,088,… | …% | …%
Riskware | … | …% | …% | … | …% | …%
Suspicious | 149,… | …% | …% | 62,… | …% | …%
(Hack)Tools | 5,… | …% | …% | 3,… | …% | …%
Windows viruses | … | …% | …% | 2,… | …% | …%
Total | 5,430,… | …% | …% | 6,415,… | …% | …%
Table 4: Other Malware Q4 vs. Q3 (first column group labelled Q4, second labelled Q3)
% of total: the percentage of all malicious files processed in that quarter that fall in the category. +/-: increase or decrease in percentage compared with the quarter before. Windows viruses: so-called classic viruses for Microsoft Windows, true file infectors.
Using generic malware detection we found Ramnit.N leftovers and infections in 1.1 million files. Ramnit.N spreads by infecting EXE, DLL and HTML files; it can also be distributed via removable drives. Once active, the virus infects EXE, DLL and HTML files found on the computer. It will also drop a malicious file that attempts to connect to a remote server and download other files from it.

4. Geolocation
Last quarter, we located RAT hotspots by plotting the servers with the most traffic and connections on a map. RAT is short for Remote Administration Trojan or Remote Access Trojan (sometimes described as Remote Access Tool; these are not regular administrator tools, but ones developed and used for malicious remote access). This quarter we look at GoSmartVPS. According to their own website: "GoSmartVPS provides cheap and affordable high quality virtual private servers. We're excited to start offering virtual private servers for as low as $7/mo. With no long term contracts and a 72 hour cancellation policy, there's no risk to try out GoSmartVPS!" This VPS (Virtual Private Server) network seems to host only botnet controllers (range /24). The 17 /32 entries we list in that range read "controller no RSMIT-NLS - Citadel Botnet Controller" (15 hosts) or "controller no RSMIT-NLS - Zeus Botnet Controller" (2 hosts).
GoSmartVPS /24 - DNS registrations: ns1.fireballs.asia, ns2.fireballs.asia, aaaaaaaaaaaaaaaaaaaazzzzzzzzzzzzzzzzzzzzzzbbbbbbbbbbbb.net, gosmartvps.com, onetapgaming.net
Domain Name: GOSMARTVPS.COM
Registrar: ENOM, INC.
Sponsoring Registrar IANA ID: 48
Whois Server: whois.enom.com
Referral URL:
Name Server: NS-1370.AWSDNS-43.ORG
Name Server: NS-153.AWSDNS-19.COM
Name Server: NS-1590.AWSDNS-06.CO.UK
Name Server: NS-975.AWSDNS-57.NET
Status: clienttransferprohibited

Updated Date: 17-sep-2014
Creation Date: 20-jul-2014
Expiration Date: 20-jul-2015
Website:
At the moment GoSmartVPS seems to be down, but daily we see new Citadel Botnet Controllers added to the network.

Top 10 Countries Hosting C&C, Q3
July | August | September
United States 1,491 | United States 1,163 | United States 870
Russian Federation 521 | Russian Federation 529 | Russian Federation 446
Germany 315 | Germany 318 | Germany 260
United Kingdom 311 | United Kingdom 302 | United Kingdom 259
Netherlands 225 | Netherlands 208 | Netherlands 156
China 216 | Ukraine 202 | China 152
Ukraine 160 | China 196 | Turkey 146
Korea 132 | Turkey 154 | Ukraine 130
France 129 | Korea 137 | Korea 102
Turkey 129 | France 132 | France 101
Table 5: Top 10 Countries Hosting C&C Servers Q3
In the third quarter the United States still led the pack, followed by the Russian Federation and Germany.

Top 10 Countries Hosting C&C, Q4
October | November | December
United States 841 | United States 898 | United States 723
Russian Federation 471 | Russian Federation 470 | Russian Federation 513
Germany 282 | United Kingdom 261 | Germany 260
United Kingdom 265 | Germany 247 | United Kingdom 242
Netherlands 159 | Netherlands 167 | Netherlands 202
Turkey 142 | China 146 | Ukraine 163
Ukraine 140 | Ukraine 143 | China 144
China 139 | Brazil 116 | France 131
Brazil 128 | France 113 | India 113
France 115 | Korea 94 | Brazil 110
Table 6: Top 10 Countries Hosting C&C Servers Q4
The number of C&C servers hosted in the Netherlands increased slightly during the last quarter. New on the list are C&C servers hosted in India and Brazil. In total 11,642 active C&C servers were found and added to our blacklist (4,050 in October, 3,875 in November and 3,717 in December). And last but not least, below are some backdoors we found on North Korean IPs (all 1,024 IPs):

IP: /32 (past: /32, /32)
Port: 7070/TCP
Domain: hxxp://fgwegasgxcxb.ddns.net
Totalhash:
Detection: Dynamer, ServStart, Vehidis
inetnum:
netname: STAR-KP
descr: Ryugyong-dong
descr: Potong-gang District
country: KP
Four /24 ranges are listed as "badhood no - RSMIT-NLS - Known Hostile Network Ryugyong-dong (North Korea)".

5. Final Word
In the third quarter of 2014, the total number of new malicious files processed was 21.6 million. For the fourth quarter it was 23.2 million, an increase of 2.4 percent. The overall detection by Anti-Virus software improved by 3.32 percent compared with the third quarter. Altogether, around 4.4 million malicious files went undetected during the fourth quarter. By grouping and classifying the identified malware, we detected a decrease in popularity in 3 of the 7 main malware categories during the third quarter. These three categories are rootkits, worms and others. The remaining four categories (adware, B&B, exploits and trojans) increased.
Category | Total | % of Total | +/- compared to Q3 | Largest Family | Total number Q4
Adware | 4,326,… | …% | …% | Adware.Linkury.M | 361,707
Backdoors & Bots | 396,… | …% | …% | Backdoor.Bot | …,197
Exploits | 14,… | …% | …% | Exploit:W32/CVE C | 7,014
Rootkits | 9,… | …% | …% | OnLineGames | …
Trojans | 9,951,… | …% | …% | Gen:Variant.Kazy | …,419
Worms | 1,767,… | …% | …% | Worm.Generic | …,784
Others | 6,706,… | …% | …% | Win32.Ramnit.N | 1,117,874
Table 7: Malware Categories Q3 vs. Q4
Within the top 10 countries hosting C&C servers, there was little change. The top 3 countries stayed the same during the fourth quarter. The United States led the third quarter of 2014, followed by the Russian Federation. Germany and the United Kingdom switched places three and four. The Netherlands kept 5th place in the fourth quarter.

5.1. Miscreants say "Je suis Charlie" too
With thanks to Ashwin K. Vamshi from Blue Coat:
January 14, 2015
It is very common for malicious actors to attempt to exploit trending news in order to lure users to execute malicious programs. As a regular practice we keep track of such instances. In the most recent case I happened to come across an interesting malware (md5 hash 3c5266cab10c78f3a c217a40) with the theme "Je Suis Charlie", a slogan that has gone viral after the 7 January 2015 massacre at the Charlie Hebdo offices in Paris.
This malware was found in our stream of incoming material, so we don't yet know how it has been distributed. It is likely, given the subject, that attempts were made to spread it using some kind of social engineering trick. The malware in question is the infamous DarkComet RAT, a freely available remote administration tool which can also double as a powerful backdoor trojan. DarkComet was originally developed by the French hacker DarkCoderSc, who stopped further development on the project. Nevertheless, its ease of

use and rich set of features have kept it popular with all sorts of attackers, from script kiddies and activists to more sinister players. The variant used in the present attack is obfuscated to make it less noticeable to AV scanners. The DarkComet Delphi code is enveloped in a .NET wrapper, making the telltale signs of DarkComet hard to spot. Indeed, the AV detection rate of this executable is, at the time of writing, poor: only 2/53 scanners had detection on the VirusTotal online scanner service. The sample drops a copy of itself with the name svchost.exe and launches an image of a new-born baby with a band carrying the name Je suis Charlie. This image appears to have been harvested from public sources.
Figure 17: Je Suis Charlie
The sample also displays a message in French to mislead the user into believing that the binary was created by a previous version of MovieMaker:
Figure 18: Fake Movie Maker Message
The Command and Control host is a subdomain under the no-ip dynamic DNS domain. This is a well-known legitimate dynamic DNS service which is, however, often used by malicious actors. The actual domain address is snakes63.no-ip.org. This address currently resolves to an IP address located with the French service provider Orange. The French IP address and the error message in French reinforce the impression that this malware was targeted at French users, though we have no indication as to who the attackers are or what they are after. The French authorities have been informed about this malware. We will continue to monitor activities in this space and keep you posted. For now, just be alert that items of great media interest like this may contain malware. There really is nothing so sacred that bad people won't try to exploit it.

We hope that you enjoyed our last Malware Trend Report of 2014 and that it provides you with insight into the trends we have seen during the fourth quarter of 2014. We continue to innovate, so please check back with us for our next quarterly trend report.
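Both C&C hosts named in this report sit under dynamic DNS providers: the DarkComet controller snakes63.no-ip.org above, and the fgwegasgxcxb.ddns.net backdoor in section 4. The check below, an added Python example that is not RedSocks code, runs a resolver log against a blacklist of known C&C names (the kind of list section 4 says the 11,642 servers were added to) and, for hosts not on the list, flags lookups of dynamic-DNS subdomains while leaving the provider's own apex alone. The log format, client addresses, TEST-NET answer addresses and the single-entry blacklist are constructed for the example; the two hostnames and both provider domains come from the report.

```python
import re
from collections import Counter

# Dynamic DNS providers named in this report's indicators.  Any subdomain is
# a customer-chosen name; the apex itself is the legitimate provider.
DYNAMIC_DNS_SUFFIXES = ("no-ip.org", "ddns.net")

# Constructed blacklist with one entry from the report; a real deployment
# would load the full C&C feed here.
KNOWN_C2 = {"snakes63.no-ip.org"}

# Constructed resolver log lines (hypothetical format:
# timestamp client qname qtype answer).  Answers use TEST-NET addresses.
SAMPLE_LOG = """\
2015-01-14T10:00:01 10.0.0.12 www.example.com A 93.184.216.34
2015-01-14T10:00:05 10.0.0.12 snakes63.no-ip.org A 192.0.2.10
2015-01-14T10:01:17 10.0.0.33 updates.example.net A 203.0.113.5
2015-01-14T10:02:40 10.0.0.12 snakes63.no-ip.org A 192.0.2.10
2015-01-14T10:03:02 10.0.0.47 fgwegasgxcxb.ddns.net A 198.51.100.7
2015-01-14T10:03:09 10.0.0.47 no-ip.org A 192.0.2.1
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<answer>\S+)$"
)


def normalise(qname: str) -> str:
    """Lower-case and drop a trailing dot so comparisons are exact."""
    return qname.lower().rstrip(".")


def is_dynamic_dns(qname: str) -> bool:
    """True for a subdomain of a dynamic DNS provider, False for the apex."""
    q = normalise(qname)
    return any(q.endswith("." + suffix) for suffix in DYNAMIC_DNS_SUFFIXES)


def analyse(log_text: str):
    """Return one alert per matching log line.  Blacklist hits are reported
    as 'known-c2'; other dynamic-DNS subdomains as 'dynamic-dns', a weaker
    signal that needs analyst review because the providers are legitimate."""
    alerts = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:                      # skip malformed lines rather than crash
            continue
        qname = normalise(match["qname"])
        if qname in KNOWN_C2:
            reason = "known-c2"
        elif is_dynamic_dns(qname):
            reason = "dynamic-dns"
        else:
            continue
        alerts.append({"ts": match["ts"], "client": match["client"],
                       "qname": qname, "answer": match["answer"], "reason": reason})
    return alerts


def summarize(alerts):
    """Count repeated lookups per (client, name); RAT beacons repeat."""
    return Counter((a["client"], a["qname"]) for a in alerts)


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for alert in found:
        print(alert)
    for (client, name), n in summarize(found).items():
        print(f"{client} -> {name}: {n} lookups")
```

The dynamic-DNS heuristic is deliberately kept as a separate reason from the blacklist hit: the report itself notes that no-ip is a legitimate service, so those alerts are for triage, whereas a blacklist match on a name like snakes63.no-ip.org is actionable on its own.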
Questions, comments and requests can be directed to the RedSocks Malware Research Labs.
RedSocks B.V. W: T: +31 (0) E: info@redsocks.nl
G.J. Vroon, Anti-Malware Behavioural Researcher

Appendix A: Detecting Malware
Per-day table for October, November and December (columns per month: Day, Files/day, Detected, Undetected). Monthly totals:
Month | Files | Detected | Undetected
October | 7,233,995 | 6,235,… | …,377
November | 8,150,022 | 6,826,555 | 1,323,467
December | 7,788,369 | 5,705,903 | 2,082,467

Appendix B: Classifying Malware
Per-day tables for October, November and December (columns: Day, Adware, Backdoors, Exploits, Rootkits, Trojans, Worms, Other). Monthly totals:
October | Adware 1,217,… | Backdoors …,868 | Exploits 1,911 | Rootkits 3,042 | Trojans 2,975,… | Worms …,243 | Other 2,445,466

November | Adware 1,646,… | Backdoors …,044 | Exploits 4,330 | Rootkits 1,928 | Trojans 3,618,… | Worms …,496 | Other 2,119,594

December | Adware 1,461,… | Backdoors …,973 | Exploits 8,191 | Rootkits 4,788 | Trojans 3,356,… | Worms …,163 | Other 2,141,133

REDSOCKS
RedSocks is a Dutch company specialised in malware detection. RedSocks supplies RedSocks Malware Threat Defender as a network appliance. This innovative appliance analyses digital traffic flows in real time based on the algorithms and lists of malicious indicators compiled by the RedSocks Malware Intelligence Team. This team consists of specialists in identifying new threats on the Internet and translating them into state-of-the-art malware detection.
Boogschutterstraat 9C, 7324 AE Apeldoorn, The Netherlands. Tel +31 (0) info@redsocks.nl Website


QUARTERLY REPORT 2015 INFOBLOX DNS THREAT INDEX POWERED BY QUARTERLY REPORT 2015 INFOBLOX DNS THREAT INDEX POWERED BY EXPLOIT KITS UP 75 PERCENT The Infoblox DNS Threat Index, powered by IID, stood at 122 in the third quarter of 2015, with exploit kits up 75 percent

More information

Using big data analytics to identify malicious content: a case study on spam emails

Using big data analytics to identify malicious content: a case study on spam emails Using big data analytics to identify malicious content: a case study on spam emails Mamoun Alazab & Roderic Broadhurst Mamoun.alazab@anu.edu.au http://cybercrime.anu.edu.au 2 Outline Background Cybercrime

More information

Botnet Analysis Leveraging Domain Ratio Analysis Uncovering malicious activity through statistical analysis of web log traffic

Botnet Analysis Leveraging Domain Ratio Analysis Uncovering malicious activity through statistical analysis of web log traffic The Leader in Cloud Security RESEARCH REPORT Botnet Analysis Leveraging Domain Ratio Analysis Uncovering malicious activity through statistical analysis of web log traffic ABSTRACT Zscaler is a cloud-computing,

More information

TECHNICAL REPORT. An Analysis of Domain Silver, Inc..pl Domains

TECHNICAL REPORT. An Analysis of Domain Silver, Inc..pl Domains TECHNICAL REPORT An Analysis of Domain Silver, Inc..pl Domains July 31, 2013 CONTENTS Contents 1 Introduction 2 2 Registry, registrar and registrant 3 2.1 Rogue registrar..................................

More information

What Do You Mean My Cloud Data Isn t Secure?

What Do You Mean My Cloud Data Isn t Secure? Kaseya White Paper What Do You Mean My Cloud Data Isn t Secure? Understanding Your Level of Data Protection www.kaseya.com As today s businesses transition more critical applications to the cloud, there

More information

Malware B-Z: Inside the Threat From Blackhole to ZeroAccess

Malware B-Z: Inside the Threat From Blackhole to ZeroAccess Malware B-Z: Inside the Threat From Blackhole to ZeroAccess By Richard Wang, Manager, SophosLabs U.S. Over the last few years the volume of malware has grown dramatically, thanks mostly to automation and

More information

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4) Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus February 3, 2015 (Revision 4) Table of Contents Overview... 3 Malware, Botnet Detection, and Anti-Virus Auditing... 3 Malware

More information

Information Security Threat Trends

Information Security Threat Trends Talk @ Microsoft Security Day Sep 2005 Information Security Threat Trends Mr. S.C. Leung 梁 兆 昌 Senior Consultant 高 級 顧 問 CISSP CISA CBCP M@PISA Email: scleung@hkcert.org 香 港 電 腦 保 安 事 故 協 調 中 心 Introducing

More information

Operation Liberpy : Keyloggers and information theft in Latin America

Operation Liberpy : Keyloggers and information theft in Latin America Operation Liberpy : Keyloggers and information theft in Latin America Diego Pérez Magallanes Malware Analyst Pablo Ramos HEAD of LATAM Research Lab 7/7/2015 version 1.1 Contents Introduction... 3 Operation

More information

Malware & Botnets. Botnets

Malware & Botnets. Botnets - 2 - Malware & Botnets The Internet is a powerful and useful tool, but in the same way that you shouldn t drive without buckling your seat belt or ride a bike without a helmet, you shouldn t venture online

More information

How to easily clean an infected computer (Malware Removal Guide)

How to easily clean an infected computer (Malware Removal Guide) How to easily clean an infected computer (Malware Removal Guide) Malware, short for malicious (or malevolent) software, is software used or programmed by attackers to disrupt computer operation, gather

More information

Phishing Activity Trends

Phishing Activity Trends Phishing Activity Trends Report for the Month of, 27 Summarization of Report Findings The number of phishing reports received by the (APWG) came to 23,61 in, a drop of over 6, from January s previous record

More information

Phishing Activity Trends Report June, 2006

Phishing Activity Trends Report June, 2006 Phishing Activity Trends Report, 26 Phishing is a form of online identity theft that employs both social engineering and technical subterfuge to steal consumers' personal identity data and financial account

More information

MALICIOUS REDIRECTION A Look at DNS-Changing Malware

MALICIOUS REDIRECTION A Look at DNS-Changing Malware MALICIOUS REDIRECTION A Look at DNS-Changing Malware What are Domain Naming System (DNS)-changing malware? These recently garnered a lot of attention due to the recent Esthost takedown that involved a

More information

MOBILE MALWARE REPORT

MOBILE MALWARE REPORT TRUST IN MOBILE MALWARE REPORT THREAT REPORT: H2/2014 CONTENTS At a Glance 03-03 Forecasts and trends 04-04 Current situation: 4.500 new Android malware instances every day 05-05 Third-party App-Stores

More information

Keeping you and your computer safe in the digital world.

Keeping you and your computer safe in the digital world. Keeping you and your computer safe in the digital world. After completing this class, you should be able to: Explain the terms security and privacy as applied to the digital world Identify digital threats

More information

Integrated Approach to Network Security. Lee Klarich Senior Vice President, Product Management March 2013

Integrated Approach to Network Security. Lee Klarich Senior Vice President, Product Management March 2013 Integrated Approach to Network Security Lee Klarich Senior Vice President, Product Management March 2013 Real data from actual networks 2 2012, Palo Alto Networks. Confidential and Proprietary. 2008: HTTP,

More information

Phishing Activity Trends Report. 1 st Half 2009. Committed to Wiping Out Internet Scams and Fraud

Phishing Activity Trends Report. 1 st Half 2009. Committed to Wiping Out Internet Scams and Fraud 1 st Half 2009 Committed to Wiping Out Internet Scams and Fraud January June 2009 Phishing Report Scope The quarterly APWG analyzes phishing attacks reported to the APWG by its member companies, its Global

More information

ZNetLive Malware Monitoring

ZNetLive Malware Monitoring Introduction The criminal ways of distributing malware or malicious software online have gone through a change in past years. In place of using USB drives, attachments or disks to distribute viruses, hackers

More information

ASEC REPORT VOL.29 2012.06. AhnLab Monthly Security Report. Malicious Code Trend Security Trend Web Security Trend

ASEC REPORT VOL.29 2012.06. AhnLab Monthly Security Report. Malicious Code Trend Security Trend Web Security Trend ASEC REPORT VOL.29 2012.06 AhnLab Monthly Security Report Disclosure to or reproduction for others without the specific written authorization of AhnLab is prohibited. Copyright (c) AhnLab, Inc. All rights

More information

Botnets: The Advanced Malware Threat in Kenya's Cyberspace

Botnets: The Advanced Malware Threat in Kenya's Cyberspace Botnets: The Advanced Malware Threat in Kenya's Cyberspace AfricaHackon 28 th February 2014 Who we Are! Paula Musuva-Kigen Research Associate Director, Centre for Informatics Research and Innovation (CIRI)

More information

Understanding Computer Viruses: What They Can Do, Why People Write Them and How to Defend Against Them

Understanding Computer Viruses: What They Can Do, Why People Write Them and How to Defend Against Them Lab Exercises Understanding Computer Viruses: What They Can Do, Why People Write Them and How to Defend Against Them Review Questions 1) In class, we made the distinction between a front-door attack and

More information

Phishing Activity Trends Report for the Month of December, 2007

Phishing Activity Trends Report for the Month of December, 2007 Phishing Activity Trends Report for the Month of December, 2007 Summarization of December Report Findings The total number of unique phishing reports submitted to APWG in December 2007 was 25,683, a decrease

More information

Kaspersky Fraud Prevention: a Comprehensive Protection Solution for Online and Mobile Banking

Kaspersky Fraud Prevention: a Comprehensive Protection Solution for Online and Mobile Banking Kaspersky Fraud Prevention: a Comprehensive Protection Solution for Online and Mobile Banking Today s bank customers can perform most of their financial activities online. According to a global survey

More information

What you need to know to keep your computer safe on the Internet

What you need to know to keep your computer safe on the Internet What you need to know to keep your computer safe on the Internet Tip 1: Always install Operating System updates The most important steps for any computer user is to always install updates, especially security

More information

Ethical Hacking Course Layout

Ethical Hacking Course Layout Ethical Hacking Course Layout Introduction to Ethical Hacking o What is Information Security? o Problems faced by the Corporate World o Why Corporate needs Information Security? Who is a Hacker? o Type

More information

Introduction The Case Study Technical Background The Underground Economy The Economic Model Discussion

Introduction The Case Study Technical Background The Underground Economy The Economic Model Discussion Internet Security Seminar 2013 Introduction The Case Study Technical Background The Underground Economy The Economic Model Discussion An overview of the paper In-depth analysis of fake Antivirus companies

More information

Email David-Kovarik@northwestern.edu Phone 847-467-5930 Fax 847-467-6000

Email David-Kovarik@northwestern.edu Phone 847-467-5930 Fax 847-467-6000 Information Technology Information and Systems Security/Compliance Northwestern University 1800 Sherman Av Suite 209 Evanston, IL 60201 Email David-Kovarik@northwestern.edu Phone 847-467-5930 Fax 847-467-6000

More information

CITADEL TROJAN OUTGROWING ITS ZEUS ORIGINS

CITADEL TROJAN OUTGROWING ITS ZEUS ORIGINS CITADEL TROJAN OUTGROWING ITS ZEUS ORIGINS May 2012 As of April 30th, 2012 the Citadel Trojan was at its fourth upgrade with Version 1.3.4.0 already in the hands of its customers. Citadel s features, bug

More information

The Nitro Attacks. Security Response. Stealing Secrets from the Chemical Industry. Introduction. Targets. Eric Chien and Gavin O Gorman

The Nitro Attacks. Security Response. Stealing Secrets from the Chemical Industry. Introduction. Targets. Eric Chien and Gavin O Gorman The Nitro Attacks Stealing Secrets from the Chemical Industry Eric Chien and Gavin O Gorman Contents Introduction... 1 Targets... 1 Attack methodology... 2 Geographic Spread... 3 Attribution... 4 Technical

More information

Security A to Z the most important terms

Security A to Z the most important terms Security A to Z the most important terms Part 1: A to D UNDERSTAND THE OFFICIAL TERMINOLOGY. This is F-Secure Labs. Learn more about the most important security terms with our official explanations from

More information

Current Threat Scenario and Recent Attack Trends

Current Threat Scenario and Recent Attack Trends Current Threat Scenario and Recent Attack Trends Anil Sagar Additional Director Indian Computer Emergency Response Team (CERT-In) Objectives Current Cyber space Nature of cyberspace and associated risks

More information

Certified Ethical Hacker Exam 312-50 Version Comparison. Version Comparison

Certified Ethical Hacker Exam 312-50 Version Comparison. Version Comparison CEHv8 vs CEHv7 CEHv7 CEHv8 19 Modules 20 Modules 90 Labs 110 Labs 1700 Slides 1770 Slides Updated information as per the latest developments with a proper flow Classroom friendly with diagrammatic representation

More information

Introduction: 1. Daily 360 Website Scanning for Malware

Introduction: 1. Daily 360 Website Scanning for Malware Introduction: SiteLock scans your website to find and fix any existing malware and vulnerabilities followed by using the protective TrueShield firewall to keep the harmful traffic away for good. Moreover

More information

What do a banking Trojan, Chrome and a government mail server have in common? Analysis of a piece of Brazilian malware

What do a banking Trojan, Chrome and a government mail server have in common? Analysis of a piece of Brazilian malware What do a banking Trojan, Chrome and a government mail server have in common? Analysis of a piece of Brazilian malware Contents Introduction.................................2 Installation: Social engineering

More information

CIT 480: Securing Computer Systems. Malware

CIT 480: Securing Computer Systems. Malware CIT 480: Securing Computer Systems Malware Topics 1. Anti-Virus Software 2. Virus Types 3. Infection Methods 4. Rootkits 5. Malware Analysis 6. Protective Mechanisms 7. Malware Factories 8. Botnets Malware

More information

A TASTE OF HTTP BOTNETS

A TASTE OF HTTP BOTNETS Botnets come in many flavors. As one might expect, these flavors all taste different. A lot of Internet users have had their taste of IRC, P2P and HTTP based botnets as their computers were infected with

More information

INTERNET & COMPUTER SECURITY March 20, 2010. Scoville Library. ccayne@biblio.org

INTERNET & COMPUTER SECURITY March 20, 2010. Scoville Library. ccayne@biblio.org INTERNET & COMPUTER SECURITY March 20, 2010 Scoville Library ccayne@biblio.org Internet: Computer Password strength Phishing Malware Email scams Identity Theft Viruses Windows updates Browser updates Backup

More information

Contact details For contacting ENISA or for general enquiries on information security awareness matters, please use the following details:

Contact details For contacting ENISA or for general enquiries on information security awareness matters, please use the following details: Malicious software About ENISA The European Network and Information Security Agency (ENISA) is an EU agency created to advance the functioning of the internal market. ENISA is a centre of excellence for

More information

Computer Viruses: How to Avoid Infection

Computer Viruses: How to Avoid Infection Viruses From viruses to worms to Trojan Horses, the catchall term virus describes a threat that's been around almost as long as computers. These rogue programs exist for the simple reason to cause you

More information

Global Network Pandemic The Silent Threat Darren Grabowski, Manager NTT America Global IP Network Security & Abuse Team

Global Network Pandemic The Silent Threat Darren Grabowski, Manager NTT America Global IP Network Security & Abuse Team Global Network Pandemic The Silent Threat Darren Grabowski, Manager NTT America Global IP Network Security & Abuse Team The Internet is in the midst of a global network pandemic. Millions of computers

More information

FORBIDDEN - Ethical Hacking Workshop Duration

FORBIDDEN - Ethical Hacking Workshop Duration Workshop Course Module FORBIDDEN - Ethical Hacking Workshop Duration Lecture and Demonstration : 15 Hours Security Challenge : 01 Hours Introduction Security can't be guaranteed. As Clint Eastwood once

More information

Mobile Malware Network View. Kevin McNamee : Alcatel-Lucent

Mobile Malware Network View. Kevin McNamee : Alcatel-Lucent Mobile Malware Network View Kevin McNamee : Alcatel-Lucent Agenda Introduction How the data is collected Lies, Damn Lies and Statistics Windows PC Malware Android Malware Network Impact Examples of malware

More information

Kaspersky Lab. Contents

Kaspersky Lab. Contents KASPERSKY DDOS INTELLIGENCE REPORT Q3 2015 Contents Contents... 1 Q3 events... 2 Attacks on financial organizations... 2 Unusual attack scenario... 2 XOR DDoS bot activity... 2 DDoS availability... 3 Statistics

More information

2016 Trends in Cybersecurity: A Quick Guide to the Most Important Insights in Security

2016 Trends in Cybersecurity: A Quick Guide to the Most Important Insights in Security 2016 Trends in Cybersecurity: A Quick Guide to the Most Important Insights in Security For 10 years, Microsoft has been studying and analyzing the threat landscape of exploits, vulnerabilities, and malware.

More information

WHITE PAPER. Understanding How File Size Affects Malware Detection

WHITE PAPER. Understanding How File Size Affects Malware Detection WHITE PAPER Understanding How File Size Affects Malware Detection FORTINET Understanding How File Size Affects Malware Detection PAGE 2 Summary Malware normally propagates to users and computers through

More information

You ll learn about our roadmap across the Symantec email and gateway security offerings.

You ll learn about our roadmap across the Symantec email and gateway security offerings. #SymVisionEmea In this session you will hear how Symantec continues to focus our comprehensive security expertise, global intelligence and portfolio on giving organizations proactive, targeted attack protection

More information

24/7 Visibility into Advanced Malware on Networks and Endpoints

24/7 Visibility into Advanced Malware on Networks and Endpoints WHITEPAPER DATA SHEET 24/7 Visibility into Advanced Malware on Networks and Endpoints Leveraging threat intelligence to detect malware and exploitable vulnerabilities Oct. 24, 2014 Table of Contents Introduction

More information

Indian Computer Emergency Response Team (CERT-In) Annual Report (2010)

Indian Computer Emergency Response Team (CERT-In) Annual Report (2010) Indian Computer Emergency Response Team (CERT-In) Annual Report (2010) Indian Computer Emergency Response Team (CERT-In) Department of Information Technology Ministry of Communications & Information Technology

More information

Context Threat Intelligence

Context Threat Intelligence Context Threat Intelligence Threat Advisory The Monju Incident Context Ref. Author TA10009 Context Threat Intelligence (CTI) Date 27/01/2014 Tel +44 (0) 20 7537 7515 Fax +44 (0) 20 7537 1071 Email threat@contextis.co.uk

More information

Getting Ahead of Malware

Getting Ahead of Malware IT@Intel White Paper Intel Information Technology Security December 2009 Getting Ahead of Malware Executive Overview Since implementing our security event monitor and detection processes two years ago,

More information

Real World and Vulnerability Protection, Performance and Remediation Report

Real World and Vulnerability Protection, Performance and Remediation Report Real World and Vulnerability Protection, Performance and Remediation Report A test commissioned by Symantec Corporation and performed by AV-Test GmbH Date of the report: September 17 th, 2014, last update:

More information

How Spyware and Anti-Spyware Work

How Spyware and Anti-Spyware Work 22 PART 1 INTERNET SECURITY CHAPTER 3 How Spyware and Anti-Spyware Work 23 THESE days, the biggest danger you face when you go onto the Internet might be spyware a type of malicious software that can invade

More information

Controlling Risk, Conserving Bandwidth, and Monitoring Productivity with Websense Web Security and Websense Content Gateway

Controlling Risk, Conserving Bandwidth, and Monitoring Productivity with Websense Web Security and Websense Content Gateway Controlling Risk, Conserving Bandwidth, and Monitoring Productivity with Websense Web Security and Websense Content Gateway Websense Support Webinar January 2010 web security data security email security

More information

Loophole+ with Ethical Hacking and Penetration Testing

Loophole+ with Ethical Hacking and Penetration Testing Loophole+ with Ethical Hacking and Penetration Testing Duration Lecture and Demonstration: 15 Hours Security Challenge: 01 Hours Introduction Security can't be guaranteed. As Clint Eastwood once said,

More information

G/On. Basic Best Practice Reference Guide Version 6. For Public Use. Make Connectivity Easy

G/On. Basic Best Practice Reference Guide Version 6. For Public Use. Make Connectivity Easy For Public Use G/On Basic Best Practice Reference Guide Version 6 Make Connectivity Easy 2006 Giritech A/S. 1 G/On Basic Best Practices Reference Guide v.6 Table of Contents Scope...3 G/On Server Platform

More information

Corporate Account Takeover & Information Security Awareness

Corporate Account Takeover & Information Security Awareness Corporate Account Takeover & Information Security Awareness The information contained in this session may contain privileged and confidential information. This presentation is for information purposes

More information

Deep Discovery. Technical details

Deep Discovery. Technical details Deep Discovery Technical details Deep Discovery Technologies DETECT Entry point Lateral Movement Exfiltration 360 Approach Network Monitoring Content Inspection Document Emulation Payload Download Behavior

More information

SECTOR 2015 Malware Activity in Mobile Networks Kevin McNamee (Alcatel-Lucent)

SECTOR 2015 Malware Activity in Mobile Networks Kevin McNamee (Alcatel-Lucent) SECTOR 2015 Malware Activity in Mobile Networks Kevin McNamee (Alcatel-Lucent) Agenda How the data is collected Lies, Damn Lies and Statistics Windows PC Malware Android Malware Examples of malware Conclusion

More information

SECURITY TERMS: Advisory Backdoor - Blended Threat Blind Worm Bootstrapped Worm Bot Coordinated Scanning

SECURITY TERMS: Advisory Backdoor - Blended Threat Blind Worm Bootstrapped Worm Bot Coordinated Scanning SECURITY TERMS: Advisory - A formal notice to the public on the nature of security vulnerability. When security researchers discover vulnerabilities in software, they usually notify the affected vendor

More information

4/20/2015. Fraud Watch Campaign. AARP is Fighting for You. AARP is Fighting for You. Campaign Tactics. AARP can help you Spot & Report Fraud

4/20/2015. Fraud Watch Campaign. AARP is Fighting for You. AARP is Fighting for You. Campaign Tactics. AARP can help you Spot & Report Fraud AARP can help you Spot & Report Fraud Fraud Fighter Call Center: Talk to a volunteer trained in how to spot and report fraud. Call the Fraud Fighter Call Center at (877) 908-3360 Fraud Watch Campaign What

More information

The Underground Economy of the Pay-Per-Install (PPI) Business

The Underground Economy of the Pay-Per-Install (PPI) Business The Underground Economy of the Pay-Per-Install (PPI) Business Kevin Stevens, Security Researcher SecureWorks Counter Threat Unit (CTU) History of the PPI Business The Pay-Per-Install business model (PPI)

More information

ESET NOD32 Antivirus. Table of contents

ESET NOD32 Antivirus. Table of contents ESET NOD32 Antivirus ESET NOD32 Antivirus provides state-of-theart protection for your computer against malicious code. Based on the ThreatSense scanning engine first introduced in the awardwinning NOD32

More information

How To Protect Yourself From A Web Attack

How To Protect Yourself From A Web Attack Five Stages of a Web Malware Attack A guide to web attacks plus technology, tools and tactics for effective protection By Chris McCormack, Senior Product Marketing Manager Today s web attacks are extremely

More information

Multifaceted Approach to Understanding the Botnet Phenomenon

Multifaceted Approach to Understanding the Botnet Phenomenon Multifaceted Approach to Understanding the Botnet Phenomenon Christos P. Margiolas University of Crete A brief presentation for the paper: Multifaceted Approach to Understanding the Botnet Phenomenon Basic

More information

Endpoint Security and the Case For Automated Sandboxing

Endpoint Security and the Case For Automated Sandboxing WHITE PAPER Endpoint Security and the Case For Automated Sandboxing https://enterprise.comodo.com A World of Constant Threat We live in a world of constant threat. Hackers around the globe work every hour

More information

Anti-exploit tools: The next wave of enterprise security

Anti-exploit tools: The next wave of enterprise security Anti-exploit tools: The next wave of enterprise security Intro From malware and ransomware to increasingly common state-sponsored attacks, organizations across industries are struggling to stay ahead of

More information

GlobalSign Malware Monitoring

GlobalSign Malware Monitoring GLOBALSIGN WHITE PAPER GlobalSign Malware Monitoring Protecting your website from distributing hidden malware GLOBALSIGN WHITE PAPER www.globalsign.com CONTENTS Introduction... 2 Malware Monitoring...

More information

white paper Malware Security and the Bottom Line

white paper Malware Security and the Bottom Line Malware Security Report: Protecting Your BusineSS, Customers, and the Bottom Line Contents 1 Malware is crawling onto web sites everywhere 1 What is Malware? 2 The anatomy of Malware attacks 3 The Malware

More information

From Georgia, with Love Win32/Georbot. Is someone trying to spy on Georgians?

From Georgia, with Love Win32/Georbot. Is someone trying to spy on Georgians? From Georgia, with Love Win32/Georbot Is someone trying to spy on Georgians? At the beginning of the year, a curious piece of malware came to our attention. An analyst in our virus laboratory noticed that

More information

Ten Tips to Avoid Viruses and Spyware

Ten Tips to Avoid Viruses and Spyware Ten Tips to Avoid Viruses and Spyware By James Wilson, CPA (480) 839-4900 ~ JamesW@hhcpa.com Oh, the deck is stacked. Don t think for a minute it s not. As a technology professional responsible for securing

More information

Types of cyber-attacks. And how to prevent them

Types of cyber-attacks. And how to prevent them Types of cyber-attacks And how to prevent them Introduction Today s cybercriminals employ several complex techniques to avoid detection as they sneak quietly into corporate networks to steal intellectual

More information

F-Secure Internet Security 2012

F-Secure Internet Security 2012 F-Secure Internet Security 2012 F-Secure Internet Security 2012 TOC 3 Contents Chapter 1: Getting started...7 How to use automatic updates...8 Check the update status...8 Change the Internet connection

More information

Cybercrime: evoluzione del malware e degli attacchi. Cesare Radaelli Regional Sales Manager, Italy cradaelli@paloaltonetworks.com

Cybercrime: evoluzione del malware e degli attacchi. Cesare Radaelli Regional Sales Manager, Italy cradaelli@paloaltonetworks.com Cybercrime: evoluzione del malware e degli attacchi Cesare Radaelli Regional Sales Manager, Italy cradaelli@paloaltonetworks.com About Palo Alto Networks We are the network security company World-class

More information

Airtel PC Secure Trouble Shooting Guide

Airtel PC Secure Trouble Shooting Guide Airtel PC Secure Trouble Shooting Guide Table of Contents Questions before installing the software Q: What is required from my PC to be able to use the Airtel PC Secure? Q: Which operating systems does

More information

Malware Analysis Quiz 6

Malware Analysis Quiz 6 Malware Analysis Quiz 6 1. Are these files packed? If so, which packer? The file is not packed, as running the command strings shelll reveals a number of interesting character sequences, such as: irc.ircnet.net

More information

The Case for Network-based Malware Detection The need for an additional layer of protection

The Case for Network-based Malware Detection The need for an additional layer of protection The Case for Network-based Malware Detection The need for an additional layer of protection Strategic White Paper Client-based anti-malware software is important in any approach to Internet security. Unfortunately,

More information

THE HOME LOAN SAVINGS BANK. Corporate Account Takeover & Information Security Awareness

THE HOME LOAN SAVINGS BANK. Corporate Account Takeover & Information Security Awareness THE HOME LOAN SAVINGS BANK Corporate Account Takeover & Information Security Awareness The information contained in this session may contain privileged and confidential information. This presentation is

More information

White paper. Phishing, Vishing and Smishing: Old Threats Present New Risks
