Malware Trend Report, Q2 2014 April May June


5 August 2014

Copyright RedSocks B.V. 2014. All Rights Reserved.

Table of Contents

1. Introduction
2. Overview
   2.1. Collecting Malware
   2.2. Processing
   2.3. Identifying Malware
   2.4. Detecting Malware
   2.5. Classifying Malware
3. Trends
   3.1. Adware
   3.2. Backdoors and Botnets
   3.3. Exploits
   3.4. Rootkits
   3.5. Trojans
   3.6. Worms
   3.7. Others
4. Geolocation
5. Final Word
Appendix A: Detecting Malware
Appendix B: Classifying Malware

Table of Figures

Figure 1: Unique New Malicious Files
Figure 2: Space Needed in GBs p/m for Storing New Files
Figure 3: New Malicious Files in April
Figure 4: New Malicious Files in May
Figure 5: New Malicious Files in June
Figure 6: Detected vs. Not Detected (April)
Figure 7: Detected vs. Not Detected (May)
Figure 8: Detected vs. Not Detected (June)
Figure 9: Malware Classifications
Figure 10: Amount of Identified Adware (Q2 2014)
Figure 11: Amount of Identified Backdoors and Botnets (Q2 2014)
Figure 12: Amount of Identified Exploits (Q2 2014)
Figure 13: Amount of Identified Rootkits (Q2 2014)
Figure 14: Amount of Identified Trojans (Q2 2014)
Figure 15: Amount of Identified Worms (Q2 2014)
Figure 16: Amount of Identified Other Malware (Q2 2014)
Figure 17: Amount of Identified 64-bit Malware
Figure 18: 64-bit Malware Q2 2014
Figure 19: DexterPOS C&C (Map)
Figure 20: JackPOS C&C (Map)
Figure 21: AlinaPOS C&C (Map)

1. Introduction

This is the second quarterly trend report for 2014 from the RedSocks Malware Research Lab. RedSocks is a Dutch company specialising in Malware detection. Our solution, RedSocks Malware Threat Defender, is a network appliance that analyses digital traffic flows in real-time, based on algorithms and lists of malicious indicators. This critical information is compiled by the RedSocks Malware Intelligence Team. The team consists of specialists whose job it is to identify new threats on the Internet and to translate them into state-of-the-art malware detection capabilities.

With this report, we hope to provide the reader with a deeper insight into the trends we see in the Malware we process. In this report we will look at data collected during the second quarter of 2014. RedSocks analyses large numbers of malicious files on a daily basis; therefore, we can cover only a few topics briefly in this trend report.

Protecting your data from Internet-based threats is not an easy task and relying on protection from Anti-Virus companies, no matter how established their brand, is not enough. Comprehensive protection requires an entirely new approach.

2. Overview

The total number of new and unique malicious files processed per month went from 7.1 million in April to 6.8 million in May, and up to 7.2 million in June.

The overall detection by Anti-Virus software this quarter remains roughly the same compared to the last quarter. The detection rate for April was 75.72 percent. For May, it was 74.61 percent and in June, the average detection was 79.76 percent. That might not sound too bad, but it means that around 24 percent, 25 percent and 20 percent, respectively, were not detected. There is a slight improvement compared with the first quarter. Please note that identification rates can change based on samples chosen and time scanned.

During the second quarter, the number of identified Adware dropped from 1.2 million in April, to 1 million in May, to 0.9 million in June.

In April, the number of identified Backdoors and Botnets was 243,000. In May this number dropped to 92,000; in June, the numbers dropped further to 68,000 new Backdoors and Botnets.

Only 0.04 percent of the files were detected as Exploit and 0.25 percent as Rootkit in April by Anti-Virus software. In May, 0.03 percent were detected as Rootkits and 0.05 percent as Exploits. For June it is 0.02 percent Exploits and 0.05 percent for the Rootkits.

Like the first quarter of this year, Trojans are by far the most popular type of Malware. In April and May, they accounted for 2.9 million. In June, 3.4 million unique files were identified as Trojans.

The second most popular Malware was Worms. In April, 554,000 Worm files were identified. In May, the number dropped to 444,000 and kept dropping. In June, only 394,000 worms were added to our databases.

Grouped together, all other malicious files such as Flooders, HackTools, Spoofers, Spyware, Viruses, etc., make up 31, 35, and 34 percent of the total for April, May, and June, respectively.

As in the first quarter, most Command & Control (C&C) servers were hosted in the United States, followed by the Russian Federation. During the second quarter, Germany occupied the third place. The Netherlands was the biggest riser in countries hosting C&C servers, going from 8th place in March and April, to 6th place in May, and finishing in 5th place in June.

2.1. Collecting Malware

At the RedSocks Malware Research Labs, we track large numbers of Malware from our globally distributed honeypots, honeyclients, spamnets, and through various botnet monitoring sensors. Due to the distribution of our Honeypots, we are able to automatically collect and process new malicious samples from across the globe. We also exchange large quantities of malicious files with the Anti-Virus industry.

Figure 1: Unique New Malicious Files

2.2. Processing

Working with Malware is what we love to do. More than 200,000 new malicious files arrive every day at our automated Malware collecting machines. All samples were renamed to their calculated hash. We then check to see if that particular piece of Malware has already been processed.

Figure 2 shows the total amount of disk space needed to store all the new malicious files. While the numbers of new malicious files stayed more or less the same, the average file size decreased a little bit. During the second quarter, we saw that malicious files, on average, shrank by 12.73 percent.

Figure 2: Space Needed in GBs p/m for Storing New Files

New file metrics by month

                                          April        May       June
Average number of new files per day     236,719    218,280    239,528
Average file size in bytes              471,319    453,797    411,308
Average Anti-Virus Detection             75.52%     74.61%     79.76%

2.3. Identifying Malware

Although we collect all types and categories of Malware for all operating systems at RedSocks, we do have a special interest in certain types and categories of Malware.

A simple means of identifying malware is by file type. RSMIT uses various analysis tools to determine the statistically most likely file type for each malware sample we analyse. The majority of malware samples target Windows users, which makes Windows executable files very common, while executables for other operating systems are far less common. The top 10 file types are listed in the table below.

April                   May                     June
Extension     Amount    Extension     Amount    Extension     Amount
EXE        5,549,734    EXE        5,497,557    EXE        6,601,953
DLL          720,121    DLL          553,190    DLL        1,959,634
OCX          109,226    OCX           96,741    SCR          224,864
SCR           54,003    AX            69,730    OCX          201,857
AX            36,644    PDF            3,753    AX           144,237
XLS            5,661    XLS            3,218    DOC           57,450
DOC            4,287    DOC            2,310    PDF            2,378
PDF            4,073    CPL            1,517    XLS            1,681
CAB            1,280    CAB            1,247    CPL            1,598
CPL            1,433    DSK              483    CAB              996

In the second quarter of this year, we saw a total of 43, 41 and 47 different extensions being used by Malware, respectively. Like in the previous quarter, .exe files are by far the most popular way to distribute Malware. 81 percent of all malicious files in the second quarter were .exe files.

2.4. Detecting Malware

Within the RedSocks Malware Labs, we use an in-house built classification system for grouping Malware. We have classified over 300 types for which we have created detailed statistics. Once multiple anti-virus scanners (in paranoid mode) have performed their on-demand scan, we know which Malware was detected and, perhaps more importantly, which was not.

In the graphs below, the blue section shows all the new and unique malicious files per day, the green section shows the sum of all files identified by Anti-Virus software and, in red, the number of files not detected.

Figure 3: New Malicious Files in April

Figure 4: New Malicious Files in May

Figure 5: New Malicious Files in June

Of all the malicious files we processed in April, on average 24 percent of them were not detected by any of the Anti-Virus products we currently use. In May, 25 percent of the samples on average remained undetected. In June, the Anti-Virus detection improved but still missed 20 percent of all malicious samples we processed.

Figure 6: Detected vs. Not Detected (April)

Figure 7: Detected vs. Not Detected (May)

Figure 8: Detected vs. Not Detected (June)

2.5. Classifying Malware

We categorise Malware according to its primary feature. In the second quarter, Malware was grouped as follows:

Figure 9: Malware Classifications

The 'Other' category in 'All Malware' consists of malicious samples that do not fit in the six categories, such as 64-bit Malware, malicious Macros, Packed Malware, Riskware, Spamming Tools, Spoofers, Spyware, all kinds of (Hacking) Tools and the classic Viruses. See Appendix B for the numbers per day, per category and per month.

3. Trends

Discovering Malware propagation trends starts with an analysis of the raw data behind the collection and processing of Malware. From April to June, RedSocks Malware Research Labs identified the following trends by Malware category. New in this trend report is the Adware category.

3.1. Adware

During the second quarter, we identified around three million files as Adware. This makes up about 15 percent of the total. The overall popularity of Adware seems to have decreased somewhat. During the first quarter, we saw the opposite.

Figure 10: Amount of Identified Adware (Q2 2014)

3.2. Backdoors and Botnets

In the first two weeks of April, there was a huge distribution of variants from the Backdoor.Bot.158614 family. From the 4th until the 13th of April we identified a little over 48,000 new members.

Figure 11: Amount of Identified Backdoors and Botnets (Q2 2014)

In the first week of May, we saw two backdoor families being widely distributed: Backdoor.Nateyes.A, with almost 9,000 new members, and Backdoor.Wabot.A, with a little over 14,000 new members.

The last spike, on the 9th of June, was mainly caused by almost 9,000 minor variants of the Backdoor:W32/Udr.gen! malware family.

During the first quarter of 2014, the popularity of Backdoors-and-Botnets increased. The second quarter shows a decreasing trend in the use of Backdoors-and-Botnets.

3.3. Exploits

An exploit is an attack on a computer system, especially one that takes advantage of a particular vulnerability. Looking at malicious files that were identified with exploits, we see several spikes above 250.

Figure 12: Amount of Identified Exploits (Q2 2014)

The first spike was mainly caused by variations of the Exploit.PDF-JS.Gen (175). Members of the Exploit.PDF-TTF.Gen family caused the second and third spikes on the 3rd and 6th of May (67 and 71). Then, on the 13th of May, we see 54 new variations of the Exploit:W32/Kakara.A. The last spike we want to mention here consists of 125 variations of the Exploit:W32/CVE-2010-0188.B, seen on the 29th of May.

A dozen exploits were seen for the Apple Macintosh OSX. All of them are slight modifications of the Exploit:OSX/MS09027.A (used to avoid Anti-Virus detection).

During the first quarter of this year, the usage of exploits stayed more or less the same. In the second quarter, we saw a slight decrease in the overall usage of exploits.

3.4. Rootkits

A rootkit is a type of software designed to hide the fact that an operating system has been compromised. This can be done in various ways; for example, by replacing vital executables or by introducing a new kernel module. Rootkits allow Malware to hide in plain sight. Rootkits themselves are not harmful; they are simply used to hide Malware, bots and worms.

To install a rootkit, an attacker must first gain sufficient access to the target operating system. This could be accomplished by using an exploit, by obtaining valid account credentials or through social engineering.

Because rootkits are activated before your operating system boots up, they are very difficult to detect, and therefore provide a powerful way for attackers to access and use the targeted computer without the owner being aware of it. Due to the way rootkits are used and installed, they are notoriously difficult to remove. Rootkits today are usually not used to gain elevated access, but are instead used to mask Malware payloads more effectively.

Figure 13: Amount of Identified Rootkits (Q2 2014)

There was only one rootkit worth mentioning during the second quarter, the Rootkit.13610. Distribution started on the 11th and was last seen on the 16th of April. A total of 7,321 new members were identified.

In the first quarter, we saw a slight drop in rootkits. This drop continued in the second quarter.

3.5. Trojans

Trojans are by far the biggest category of Malware. With more than 9.1 million new unique samples in the second quarter of this year, they amounted to 43 percent of the total.

Figure 14: Amount of Identified Trojans (Q2 2014)

Of all the Trojan families, we will only discuss the top three. In third place, we find Trojan.Inject.ARJ, with 155,000 different samples distributed over 14 days; its best day was on the 11th of June with almost 36,000. Second place is Trojan.Generic.11210422 with 349,000 files spread over 71 days; its best day was on the 12th of May. Without doubt, the most distributed Trojan family is Trojan.Agent.BDMJ: in 16 days we counted nearly half a million new samples.

AV-Identifier              Total Amount  First Seen  Last Seen  Best Day  Amount Best Day  Days Seen
Trojan.Agent.BDMJ               469,414    15-06-14   30-06-14  17-06-14           48,125         16
Trojan.Generic.11210422         348,686    17-04-14   30-06-14  12-05-14           69,553         71
Trojan.Inject.ARJ               155,608    06-06-14   26-06-14  11-06-14           35,763         14

The slight increase in Trojan use in the first quarter continued during the second quarter.

3.6. Worms

In roughly 1.4 million new files, we identified worm traces and functionalities. The first spike above 60,000 is primarily caused by 44,000 samples of Win32.Worm.P2p.Picsys.C. On the 27th of April, Worm.Generic.389275, Win32.Worm.P2p.Picsys.C and Win32.Worm.P2p.Picsys.B accounted for 51,000 samples. The last spike, on the last day of May, was again caused by Win32.Worm.P2p.Picsys.C; on this day we saw 84,000 files.

Figure 15: Amount of Identified Worms (Q2 2014)

AV-Identifier              Total Amount  First Seen  Last Seen  Best Day  Amount Best Day  Days Seen
Worm.Generic.508508              23,615    17-05-14   17-05-14  17-05-14           23,615          1
Worm.Generic.389275              25,477    27-04-14   27-04-14  27-04-14           25,477          1
Win32.Worm.P2p.Picsys.C         414,002    02-04-14   30-06-14  31-05-14           83,897         90

During the first quarter, the trend for worms was downward. In the second quarter, it stabilised again.

3.7. Others

After grouping the adware, backdoors/botnets, exploits, rootkits and worms, we are still left with 3.4 million identified malicious files. This is 33 percent of the total detected by the Anti-Virus programs.

Figure 16: Amount of Identified Other Malware (Q2 2014)

We could fill many pages with graphs conveying the large number of malicious files detected. We would, however, like to share two graphs concerning 64-bit Malware.

Figure 17: Amount of Identified 64-bit Malware

A closer look at the 35,000 identified 64-bit Malware reveals that, besides a handful of samples of Backdoor.Win64.Winnti.B and Win64.Abul.A, we only saw members of the Win64.Expiro family.

Figure 18: 64-bit Malware Q2 2014

Recently, an anti-virus laboratory discovered an interesting new modification of a file virus known as Expiro which targets 64-bit files for infection. However, the body of this versatile new modification is surprising because it is fully cross-platform, able to infect 32-bit and 64-bit files (also, 64-bit files can be infected by an infected 32-bit file). The virus aims to maximise profit and infects executable files on local, removable and network drives.

As for the payload, this Malware installs extensions for the Google Chrome and Mozilla Firefox browsers. The Malware also steals stored certificates and passwords from Internet Explorer, Microsoft Outlook and from the FTP client FileZilla. Browser extensions are used to redirect the user to a malicious URL, as well as to hijack confidential information, such as account credentials or online banking information. The virus disables some services on the compromised computer, including Windows Defender and Windows Security Center, and can also terminate processes.

4. Geolocation

We can see where the hotspots are located by plotting the Command & Control (C&C) servers with the most traffic and connections on a map.

Over the past few months, a number of Malware families targeting Point of Sale (POS) systems got some media attention. First there was DexterPOS (first image below), then there was its sister, AlinaPOS (second image below) and more recently there was JackPOS (third image below).

One of the most interesting threads of commonality between these samples is the command and control (C&C) structure used between them. Using a C&C communication channel for data exfiltration, while previously rare, has become more and more common in POS Malware.

Figure 19: DexterPOS C&C (Map)

Figure 21: AlinaPOS C&C (Map)

Figure 20: JackPOS C&C (Map)

During the first quarter of 2014, there were only minor changes at the top of the C&C landscape. Below are the top 10 countries from the first quarter of 2014.

Top 10 Countries Hosting C&C

January                    February                   March
United States       1129   United States       1196   United States       1596
Russian Federation   472   Russian Federation   473   Russian Federation   424
Germany              282   United Kingdom       262   United Kingdom       261
United Kingdom       234   Germany              256   China                249
China                224   China                247   Germany              240
Turkey               196   Ukraine              201   Iran                 179
Iran                 191   Iran                 170   Turkey               179
Ukraine              160   Turkey               150   Netherlands          147
Korea                134   Korea                129   Ukraine              132
Netherlands          125   Netherlands          116   Korea                128

In the second quarter, the United States still led, followed by the Russian Federation. Germany dropped during the first quarter, but held third place during the second quarter.

Top 10 Countries Hosting C&C

April                      May                        June
United States       1274   United States       1203   United States       1128
Russian Federation   453   Russian Federation   474   Russian Federation   490
Germany              289   Germany              236   Germany              257
China                226   United Kingdom       206   United Kingdom       200
United Kingdom       213   China                172   The Netherlands      184
Iran                 185   The Netherlands      166   China                182
Turkey               142   Turkey               138   Turkey               133
The Netherlands      137   Korea                123   Korea                126
Korea                130   Ukraine              110   Iran                 118
Ukraine              118   France and Sweden    107   Ukraine              113

5. Final Word

In the second quarter of 2014, the total number of new malicious files processed per month changed from 7.1 million in April, to 6.8 million in May, and up to 7.2 million in June. The average sample size in May was 3 percent smaller than in April. Moreover, in June, the average sample was even 9 percent smaller than in May.

The overall detection by Anti-Virus software is comparable with the first quarter. In April, 24 percent of threats were not detected, in May 25 percent and in June 20 percent. Altogether, around 8.6 million malicious files were not detected during the second quarter.

By grouping and classifying the identified Malware, we detected a decrease of popularity in 5 of the 7 main Malware categories during the second quarter. These five categories are Adware, Backdoors/Botnets, Exploits, Rootkits and Worms. The remaining two categories, Trojans and Others, increased.

The most distributed Malware families per main category per month are:

Category           Family                              Total number Q2
Adware             DomaIQ                                      655,690
Backdoors/Botnets  Bot.158614                                   49,932
Exploit            PDF-JS.Gen                                    1,248
Rootkits           Rootkit.13610                                 7,321
Trojans            Agent.BDMJ                                  469,414
Worms              Picsys.C                                    414,002
Others             Generic.Malware.FP!dldPk!.A3F6BED5          169,884

Within the top 10 of countries hosting C&C servers, the United States led the second quarter of 2014, followed by the Russian Federation and Germany. In March and April, China held the fourth place. In May and June, China dropped two places. While in March the United Kingdom could be found in third place, in April it dropped to fifth place. Nevertheless, in May, the United Kingdom climbed up to fourth place and stayed there. The Netherlands is found at 8th place at the end of quarter one. In May, it climbed to 6th place and ended at 5th place in June.

We hope that you enjoyed our second Malware Trend Report of this year and that it may provide you with insight into the trends we have seen during the second quarter of 2014. We continue to innovate, so please check back with us for our next trend report for the 3rd quarter of 2014.

Questions, comments and requests can be directed towards the RedSocks Malware Research Labs.

G.J.Vroon
Anti-Malware Behavioural Researcher
RedSocks B.V.
W: www.redsocks.nl
T: +31 (0) 55 36 61 396
E: info@redsocks.nl

Appendix A: Detecting Malware

             April                                 May                                June
Day      Files/day    Detected  Undetected   Files/day    Detected  Undetected   Files/day    Detected  Undetected
1          303,836     243,528      60,308     209,678     149,424      60,254     150,218     130,277      19,941
2          206,379     132,474      73,905     226,630     185,716      40,914     208,646     128,795      79,851
3          187,347     124,013      63,334     241,424     205,390      36,034     180,994     152,614      28,381
4          164,975     118,181      46,794     229,673     187,352      42,321     222,468     183,512      38,955
5          197,311     142,265      55,046     269,297     212,392      56,905     207,632     167,915      39,717
6          192,520     128,935      63,585     242,726     203,072      39,654     158,068     127,851      30,216
7          181,543     136,531      45,012     228,126     181,430      46,696     173,208     146,423      26,785
8          230,819     177,300      53,519     187,989     133,670      54,319     236,853     182,761      54,092
9          264,205     199,836      64,369     281,090     227,697      53,393     240,029     186,247      53,781
10         236,485     189,691      46,794     334,772     243,087      91,685     226,261     181,629      44,632
11         173,878     113,332      60,546     259,127     171,625      87,502     223,672     180,618      43,054
12         253,272     195,098      58,174     292,671     242,357      50,314     279,510     224,506      55,004
13         222,354     144,882      77,472     331,838     180,788     151,050     246,975     195,697      51,277
14         222,375     180,051      42,324     139,203      96,594      42,609     282,227     216,106      66,121
15          88,168      65,819      22,349     267,702     181,625      86,077     277,196     234,424      42,772
16         188,121     136,240      51,881     212,650     161,992      50,658     344,929     273,047      71,882
17         203,327     156,737      46,590     283,848     215,615      68,233     324,388     240,160      84,228
18         190,938     145,172      45,766     218,070     159,739      58,331     247,620     181,094      66,525
19         260,778     197,877      62,901     183,855     124,076      59,779     261,151     205,919      55,232
20         399,379     310,589      88,790     126,511      82,669      43,842     399,491     297,408     102,083
21         222,511     178,447      44,064      94,432      73,421      21,011     175,625     151,225      24,400
22         361,175     293,055      68,120     123,639      90,488      33,151     303,142     212,224      90,919
23         230,291     166,411      63,880     130,790     101,808      28,982     181,138     135,215      45,923
24         209,830     151,434      58,396     201,459     132,524      68,935     265,431     212,512      52,918
25         375,978     299,751      76,227     261,062     214,568      46,494     191,110     145,441      45,668
26         270,859     223,209      47,650     159,790      99,017      60,773     159,533     136,835      22,698
27         222,139     179,716      42,423     183,464     127,021      56,443     182,478     151,947      30,531
28         376,348     316,664      59,684     175,736     131,654      44,082     220,917     187,855      33,062
29         244,349     198,000      46,349     188,515     157,135      31,380     345,254     310,107      35,147
30         220,068     176,596      43,472     266,027     199,199      66,828     269,689     227,605      42,084
31                                             214,894     184,965      29,929
Totals   7,101,558   5,421,834   1,679,724   6,766,688   5,058,110   1,708,578   7,185,850   5,707,969   1,477,881

Appendix B: Classifying Malware

April

Day        Adware  Backdoors   Exploits   Rootkits    Trojans      Worms      Other
1          62,898      6,179         24         59    123,182      8,439    103,056
2          71,748      1,412         13         40     91,411      7,206     34,549
3          62,841      2,200         51         96     82,173      4,671     35,315
4          41,215      1,257         50         50     83,703      2,712     35,990
5          45,000      5,574        103         87     83,271     10,736     52,539
6          63,740     15,331         22         58     53,062     10,291     50,016
7          33,303     19,045         21         42     77,171     13,430     38,529
8          25,136     11,736         95         88     97,949     28,201     67,614
9          32,097     32,669        412        989    132,936      5,298     59,805
10         24,987     27,238        165        780    119,206      5,811     58,298
11         31,677     11,549        161        409     66,877      9,652     53,552
12         44,251     11,024        184      4,662    107,630     12,787     72,734
13         27,573     11,610         92      6,776     88,821     17,364     70,119
14         31,252      6,647         57        467    107,893      7,853     68,207
15          9,566      1,735         36         12     47,382      4,562     24,875
16         17,201      3,004         62        186    105,002      9,323     53,343
17         32,739      3,239        105         53     91,061     11,676     64,454
18         26,084      2,012         39         23     57,156     64,733     40,892
19         49,165      7,238         29         95     91,034     18,735     94,481
20         57,075      9,685         96        506    154,938     15,467    161,612
21         30,440      3,490        105        333     61,032      8,549    118,564
22         42,876     12,106        188        154    128,816     20,154    156,881
23         72,172      2,657        215        119     76,973      7,153     71,002
24         57,982      4,833        151        230     76,249      7,277     63,109
25         66,273      7,329         74        457    188,702     21,924     91,218
26         47,630      3,046        172          7    109,276     34,258     76,470
27         32,698      2,646        124        114     96,286     37,070     53,202
28         27,974      8,538        127        580    131,900     99,473    107,756
29         13,330      3,357         22        142     72,163     38,616    116,719
30         34,835      4,698        163         64     75,383     10,637     94,287
Totals  1,215,758    243,084      3,158     17,678  2,878,638    554,058  2,189,188

May

Day        Adware  Backdoors   Exploits   Rootkits    Trojans      Worms      Other
1          50,326      6,632         49         49     64,940     17,141     70,541
2          27,599      6,258         81         74     91,340     19,682     81,595
3          29,486      6,086        374         88     81,537     18,445    105,409
4          24,936      8,539        148         89     94,239     18,160     83,563
5          29,631     11,170        161        161     84,610     21,884    121,679
6          18,362      5,727        378        256     99,340     22,017     96,647
7          33,558      3,972        128         37     79,361     12,858     98,213
8          30,133      2,479         43         90     83,409     10,826     61,009
9          33,601      1,848         21         21    150,941     22,071     72,585
10         69,602      2,935         18        109    190,408      7,750     63,951
11         39,337      1,383          0         49    158,597      2,502     57,260
12         39,064      1,512          0        158    164,737      6,666     80,534
13         62,546      3,805        255        141    150,537     12,956    101,598
14         22,974      1,289         16         59     69,585      2,984     42,296
15         36,874      1,965         49         40    153,432      6,220     69,121
16         33,872      1,437         67         48     92,252      5,160     79,813
17         39,675      2,213        124         83    134,846      6,821    100,086
18         35,434      1,490        135         48     76,854      5,276     98,833
19         32,924      1,824        197         33     66,612      7,035     75,231
20         24,521        902         28          9     38,542      2,691     59,818
21         13,401        842         31         63     45,233      2,235     32,626
22         14,598        935        173         42     53,644      7,371     46,874
23         12,611      1,729        151         28     48,756      7,965     59,549
24         25,672      1,947         37         21     63,254     13,688     96,841
25         39,172      2,833         99        132     92,006      6,062    120,757
26         18,864      1,021         30         50     83,723      2,232     53,870
27         26,303      2,433        221         38     82,005      5,887     66,577
28         23,213        762         37         66     72,249     11,676     67,734
29         31,026      1,364        291         90     67,881     13,793     74,070
30         25,290      4,482         81        150    113,455     41,582     80,987
31         21,611        391          0         10     60,422    102,167     30,294
Totals    966,216     92,205      3,423      2,332  2,908,747    443,803  2,349,961

June

Day        Adware  Backdoors   Exploits   Rootkits    Trojans      Worms      Other
1          16,098      1,156          0         37     64,859      6,800     61,268
2          24,298      2,293          0         81    113,226      8,993     59,756
3          25,457      2,435         43         87     81,118     12,797     59,057
4          25,896      3,897         57         57    100,230     17,294     75,037
5          31,946      2,328         36         72     88,630     16,052     68,569
6          23,879      1,492         41         20     67,959      7,560     57,116
7          34,315      1,899         47         58     74,729      3,751     58,408
8          33,960      2,230        237         59    110,610     17,164     72,593
9          31,293     12,364         28         56     88,227     17,850     90,211
10         28,724      1,388          9         35    107,444     10,272     78,390
11         34,558        635         10         20    135,284      6,011     47,153
12         46,722      4,915         69        104    138,676     10,740     78,283
13         39,768      2,570         17         33    116,974      7,819     79,793
14         44,395      4,310        127         81     95,731     15,669    121,914
15         47,126      3,968        118        188    114,168     14,146     97,482
16         41,545      2,253        100         90    183,746     26,181     91,015
17         38,460      2,114         64         48    177,195     20,698     85,809
18         27,438        980         31         46    155,087     11,200     52,839
19         24,121      1,321         55        424     50,852     18,120    166,259
20         47,902      1,675         32        530    197,429     32,772    119,151
21         23,054      1,009          6         67     98,306     13,374     39,809
22         28,757      1,115         90        487    160,612     15,737     96,344
23         21,585        795         43         86     86,984      8,455     63,190
24         40,242      1,782         42        241    111,798     11,339     99,987
25         18,983      1,322         26         19     95,963     12,381     62,415
26         17,743        994          8         67     79,080      7,004     54,637
27         20,340      1,122         33         90    109,227      7,261     44,405
28         23,358      1,036         12         58    126,548      6,820     63,084
29         20,314        900         20        108    105,243     13,259    205,412
30         24,743      1,928        139        196    126,117     16,278    127,097
Totals    907,020     68,226      1,540      3,545  3,362,052    393,797  2,476,483

REDSOCKS

RedSocks is a Dutch company specialised in malware detection. RedSocks supplies RedSocks malware threat defender as a network appliance. This innovative appliance analyses digital traffic flows in real time based on the algorithms and lists of malicious indicators compiled by the RedSocks Malware Intelligence Team. This team consists of specialists in identifying new threats on the internet and translating them into state-of-the-art malware detection.

Boogschutterstraat 9C, 7324 AE Apeldoorn, The Netherlands
Tel +31 (0)55 36 61 396
E-mail info@redsocks.nl
Website www.redsocks.nl