- Security Center
- English ▾
Lavasoft Security Bulletin 2012
The outgoing year has revealed several trends in threat detection by the Lavasoft Lab. Among them are well designed backdoors, Vundo, Diacam, Carberp, Shiz, Nrgbot and ZeroAccess that are successfully acting so far according to our ratings and used to maintain corresponding botnets. Some of them contain rootkit components which help steal confidential information without the user’s knowledge or consent. The backdoors often penetrate the user’s system via drive-by attacks where recently discovered vulnerabilities in Java, Adobe Acrobat/Reader, Flash Player are exploited, using additional layers of obfuscation to help avoid detection by antivirus applications. When exploits are neutralized after applying security patches to the vulnerable software, cyber criminals try to exploit "human vulnerabilities" using social engineering techniques (spam, phishing) like this.
1. Top20 Malware in 2012
|Position||Ad-Aware detection||% of all threats|
Top20 blocked malware
The fact that the top spots in themalware prevalence ratings are occupied by the well-known old ones: Virus.Win32.Sality, Email-Worm.Win32.Brontok.a, can be explained by a peculiarity of Virus/Worm malware propagation.
In fact, the real trend is the appearance of many new versions of backdoors used to develop botnets. Among the most interesting examples we can highlight are the following backdoor families with live C&C servers.
2. Botnet Families
Botnets harness the power of millions of infected computers all over the world which can be called upon whenever their owners decide to organize DDoS, phishing, spam and other types of cyber-attacks. The backdoors within botnets also act as spyware, stealing confidential data and sending it to the C&C server. To hide themselves, many backdoors possess rootkit/bootkit functionality as well as anti-antivirus and anti-debugging techniques to prevent their components from being detected and removed from a computer system. Here are the most popular botnet families for 2012.
Trojan-Downloader.Win32.Vundo is a Trojan DLL which is injected into a system process and proceeds to download other malicious programs from the Internet to the infected PC without user’s knowledge or consent. It attempts to disguise itself as "Symantec Shared Component Scanner Stub".
Trojan.Win32.VB.qms/Trojan.Win32.Diacam is a Trojan program designed to steal confidential data as well as provide remote access to the computer without user’s knowledge or consent. The Trojan can collect cached passwords in Mozilla Firefox/Opera/Chrome/Chromium/Internet Explorer, accounts and mail server settings in MS Outlook/Mozilla Thunderbird, data within Mozilla SeaMonkey and IM accounts from Pidgin/MSN. It also performs typical bot activity: acting as a proxy server, downloading and launching executable files, key-logging, capturing desktop screenshots, etc.
Trojan.Win32.Carberp (version 1 and version 2) is a spyware designed to steal confidential data. The latest versions are equipped with bootkit technologies to take control over a system. Being undetected they can intercept online banking information in network traffic and counteract installed antiviruses. Moreover, a spy-in-the-mobile module exists that can intercept one-time passwords sent by online banking services.
Backdoor.Win32.Shiz is a Trojan spyware designed to provide the intruder remote access to the infected PC and steal confidential data. Shiz injects its DLL to "explorer.exe" and sets up hooks to control network traffic and encrypted/decrypted data. It blocks access to antivirus websites and contains anti-debugging protection. As a backdoor, Shiz provides the intruder a remote access via the VNC protocol. The backdoor steals internet banking credentials and even e-tokens connected to the infected PC.
Nrgbot is a Trojan-spy program designed to steal confidential data. The backdoor installs hooks to intercept the network traffic of system processes when using popular online services such as YouTube, Facebook, Gmail, Yahoo, Twitter and internet payment systems. It blocks access to antivirus websites as well. Moreover, to protect itself, the worm checks its file integrity. In case of any modifications it wipes out the first 63 sectors of any hard drive including MBR and prompts the message:
Virus.Win32.Xpaj.A possesses bootkit, virus and backdoor features. It modifies MBR to be executed when the PC is turned on. The original MBR, malicious body and additional encrypted data are stored on the last drive sectors.
Xpaj MBR modification can be identified using the "ARCH" signature.
Backdoor.Win32.Kelihos is designed to steal confidential data as well as send targeted spam emails, provide DDoS attacks and act as a proxy server. The backdoor spreads itself through removable drives exploiting a vulnerability in LNK files (CVE-2010-2568).
Backdoor.Win32.Kelihos sends spam messages
Trojan.Win32.Zbot provides the attacker with unauthorized remote access to the infected machine. It detects the current system locale and if it is Russian/Ukrainian, Zbot finishes its work with no destructive activities. As a bot it can perform the following actions: updating, counteracting antiviruses, steal confidential information from network traffic, key-logging, etc.
Win32.Backdoor.Zaccess is backdoor with advanced rootkit functionality. It infects randomly selected drivers from the "%SystemRoot%\system32\drivers" folder. After that it injects its code to the user-mode processes. ZeroAccess makes additional modifications in kernel objects to hide the infected driver. Moreover it can work on 64-bit versions of Windows not being revealed by PatchGuard. The backdoor obtains instructions from C&C server to download other malicious programs like fake antiviruses, click fraud applications, black SEO plugins.
Based on common bot behavior, we have observed the following malware trend features.
- The most popular protocols used for communication with C&C are HTTP (Xpaj, Shiz, Carberp, Kelihos, Vundo, Zaccess) and IRC (Nrgbot). Sometimes traffic between the bot and the server is encrypted (Shiz, Carberp).
- The majority of backdoors/worms use polymorphic encryption to avoid detection of malicious copies. You can read more about detecting polymorphic malware.
- Bootkit/rootkit technologies are employed to deeply embed malware in the system allowing for the ability to intercept confidential information through network traffic.
- Counteracting antivirus software and blocking security websites is a commonly observed function.
- The main focus is on online banking and Internet payment systems.
- The ability to spread via removable drives using autorun scripts and lnk files.
- Using randomly generated names for installed malware files.
- Generating C&C domain names using special algorithm (Shiz, Zaccess).
Drive-by attacks continue to be the most popular way to penetrate systems. To avoid detection by antiviruses, the exploits used in such attacks are heavily obfuscated, sometimes even multiple times. Some of the exploits have been used as a part of malware propagation modules (e.g. LNK exploit has been utilized by Stuxnet worm).
For instance, since the 2007 vulnerability exploitation in LNK files which appeared in Stuxnet, Trojans taking advantage of this exploit have grown in numbers. Now it can be found in many popular malware such as Stuxnet and Flame. The exploit is separated within the special families Worm.LNK.Autorun and Trojan.LNK.Autostart. We noticed a significant increase in number of detected samples during April, 2012.
Detection rates of Worm.LNK.Autorun and Trojan.LNK.Autostart families
We also should mention Blackhole Exploit Kit – a standalone set of exploits that vastly increases the likelihood of a successful infection when running in users’ Internet browser. We noticed that the exploit kit has been continuously updated during the year with the addition of new exploits for Java, Adobe Reader, Adobe Acrobat and Flash Player to the pack. The multiple levels of obfuscation help to protect exploit kit against detection by AV.
Zero detection ratio shows the efficiency of new exploit kit obfuscation
4. 0-Day Vulnerabilities
The most significant 0-day vulnerability of the year was found in Internet Explorer and fixed by Microsoft on Friday 21st October with Security Update MS012-063 a week later.
The vulnerabilities can allow for the remote execution of arbitrary code when a user opens a malicious html page in Internet Explorer versions 6-9. Before the security patch, Microsoft published "Fix it KB2757760" – a special configuration tool that blocks known exploits on user’s computers. The attack scheme was reasonably simple as described by AlienVault Labs.
The SWF file (Moh2010.swf) that runs the attack contains shell-code to download a backdoor, 111.exe, stored on a compromised server – it is detected by Ad-Aware as Trojan.Generic.BT and by Microsoft as Backdoor:Win32/Poison.BR. You can find more information about the backdoor in our Malware Encyclopedia.
The AlienVault researchers assume that Chinese hacker WHG was behind this attack. He seems to be also related to the "The Network Crack Program Hacker" (NCPH) group.
5. Written in Visual Basic
According to statistics of autumn 2012, we saw an increase in VB malware.
VB samples detected by Lavasoft Sep-Oct 2012
We can see that VB malware has raised based on our internal detection engines from 3% in September to 7% in October 2012. If we consider the most widespread VB families according to AV companies’ detection rates, we notice the same trend:
VB samples detected by other antiviruses Sep-Oct 2012
According to Avast detections of our collection, we can see that the amount of samples flagged as being written in VB increased from 6% in September to 8% in October 2012.The possible reasons of such growth are explained in the whitepaper "Visual Basic Platform is Becoming Increasingly Popular among Malware Writers".
6. Cyberwar in the Middle East
As discussed in previous Security Bulletins, during 2012, there were several instances of Middle East countries being attacked by the malware chain Stuxnet/Duqu/Flame/Gauss. The project was initiated by G. Bush in 2006 and was called "Olympic Games"
The first Stuxnet worm was designed to damage Iran’s nuclear enrichment facilities successfully reaching its goal by taking out 1 000 of the 5 000 centrifuges for some period of time.
Stuxnet’s descendant – Duqu - is a spyware designed to provide a backdoor channel to an infected computer. After its detection in September 2011 the attackers wiped out all C&C servers to remove any footprints.
Flame and Gauss are considered next generation Trojans designed to steal confidential information and monitor user’s activity. Moreover, they can propagate in local networks using removable drives.
In April 2012 the Trojan Wiper attacked Iran. The assumed payload was intended to destroy sensitive data on a computer system. The biggest oil terminal in Iran had to stop operation due to the deletion of company information by Wiper. No samples have been caught so far which can be explained by well-designed self-removal feature.
In July 2012 Kaspersky Lab and Seculert discovered another malicious program called Mahdi. The main purpose of Mahdi is to monitor users’ activity, particularly those visiting US government websites and social networking services: Facebook, Google, Yahoo!, Gmail, Myspace, MSN Messenger, and the Russian vkontakte. The interesting part is a propagation mechanism based on social engineering techniques. It is spread by means of a PowerPoint Slide Show with attractive images and songs. The PPS contains a special code to start downloading the spyware.
F-Secure published a letter in July from an anonymous scientist working at the Atomic Energy Organization of Iran (AEOI). He noticed that Iranian nuclear systems were attacked by yet another worm. An interesting fact is that infected machines were playing AC/DC "Thunderstruck" song at midnight.
The most recently discovered threat was a Persian Trojan called Narilam described by Symantec in the middle of November. This Trojan has no any relation to the "Olympic Games" project but still provides a targeted attack on the products of Tarrah System, a company based in Iran - the payload deletes and modifies corporate databases. After revealing the sabotage, Tarrah System put a message on a website warning users to make a backup of all databases.
Among the huge variety of Trojan-Ransoms, mostly originating in former Soviet Union countries (Russia, Ukraine), we would like to highlight a particular family spread in EU and US called Nertra.
The Nertra Trojan (Trojan.Win32.Ransom.jc) has numerous modifications of itself translated into every European language.
All these examples show a window which blocks the user’s computer system, supposedly due to the violation of EU/US laws by accessing child pornography, for instance. The victim is solicited to pay administrative fees - $200 using e-payment services. In the picture you will notice the insignia of popular antiviruses, FBI and local police to make the scam more believable.
This class of software is well known and provides an easy way to monetize botnets by tricking users into buying fake antivirus programs. The design of some fake antiviruses can even compete with the top10 antiviruses and have even simply copied the interfaces of popular AV solutions in an effort to fool a user. You can find more examples of them in our Rogue Gallery.
9. FlashFake Botnet for Mac OSX
FlashFake Trojan, created in 2011, revealed the extent of the Mac OSX security problem in 2012 by infecting more than 700 000 Mac computers. The Trojan used several Java vulnerabilities and spread using social engineering techniques – users were offered a fake Adobe Flash Player update. Despite the fact that Oracle had already patched the vulnerability, the patch was not delivered to Mac OSX users by Apple immediately. It was the biggest Mac epidemic so far.
10. Passwords Leakages in 2012
In June, LinkedIn confirmed that around 6.5 million hashed user passwords had been stolen. It was not a big deal to restore actual passwords by hackers. The hashes had been generated using SHA1 algorithm, which could be easily cracked by ordinary graphical processor. Read the news.
Hot on the heels of the LinkedIn password breach, dating site, eHarmony, reported that "a small fraction" (about 1.5 million) of their user base had also been affected. Like LinkedIn, eHarmony reset the compromised account's passwords and sent notification explaining how to reset them. You can read more about it here.
In July, the hacker team D33Ds Co published a text file containing 453 491 emails with user passwords. Among them are more than 138000 Yahoo accounts. In case of Yahoo, the hackers also revealed that despite all security measures the passwords were stored in database unencrypted. Read the news.
The Dropbox online service was also hacked in 2012. After the breach, the Dropbox CTO claimed: “This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again.” It is believed, that after such cases the companies running cloud services will provide more efforts to secure theirs users against the hackers next year.
11. New Incomings to the Lab in 2012
Let’s review and consider information on the number of unique files with the same detection name in 2012.
|Position||Ad-Aware detection||% of all threats|
New malicious programs entered the Top 20
12. Top20 Potentially Unwanted Programs in 2012
Below are the Top20 Potentially Unwanted Programs blocked by Ad-Aware on user’s PCs. These are advertising software, browser toolbars, search engines and other programs which change browser start pages and other system settings.
|Position||Ad-Aware detection||% of all threats|
Top20 PUPs detected on user’s PC
13. Operating Systems During 2012
Infections by OS in 2012
14. Geography of Infections During 2012
Malware upload geography shows that the United States is the biggest contributor of malware samples which is to be expected given the number of Lavasoft customers in North America.
Infections by country of origin
15. Trends for 2013
We are expecting the following threats and attacks in 2013:
1) The growth of already existing botnets that will use drive-by attacks to penetrate users’ unpatched computers not being protected by antivirus. The botnet backdoors will continue using passive methods of protection: traffic encryption and polymorphism.
2) The Mac OSX platform will continue to attract hackers due to low security protection and delayed releases of security patches by Apple.
3) Among mobile platforms, the Android platform will continue to be the most attacked next year because of the lack of software verification on apps uploaded to the Android market, which is becoming the popular place to spread fake antiviruses and rogue banking tools (Carberp-in-the-Mobile).
4) The use of cyberweapons by governments and special services is becoming a trend as there are no regulations in this area.
5) Attacks to critical infrastructure objects and government institutions as a manifestation of "Hacktivism" aimed to promote political ends by means of hacking activity will continue.
6) Targeted attacks with specially designed spyware are becoming a means of competitive activity all over the world. Some of them even may cause damage to companies’ confidential data.
7) Attacks on the most popular cloud services. Based on 2012 experiences, cloud service providers must pay more attention to security issues to keep users’ data safe.
8) Trojan-Ransoms on behalf of "FBI" and "police" mentioned by the Trojans will still be "finding guilty" users for downloading "prohibited content" by blocking computers until victims pay, so called, "administrative fees".
9) Exploit Kits will continue protecting themselves with evasive obfuscation techniques for hidden penetration to users’ systems.
Share this post: Twitter Facebook