Threat Report H2 2012
Protecting the irreplaceable | www.f-secure.com

F-Secure Labs: Protection around the clock

At the F-Secure Response Labs in Helsinki, Finland, and Kuala Lumpur, Malaysia, security experts work around the clock to ensure our customers are protected from the latest online threats. At any given moment, F-Secure Response Labs staff is on top of the worldwide security situation, ensuring that sudden virus and malware outbreaks are dealt with promptly and effectively. Response Labs' work is assisted by a host of automatic systems that track worldwide threat occurrences in real time, collecting and analyzing hundreds of thousands of data samples per day. Criminals who make use of viruses and malware to profit from these attacks are constantly at work on new threats. This situation demands around-the-clock vigilance on our part to ensure that our customers are protected.

Foreword
Mikko Hyppönen, Chief Research Officer

Today, the most common way of getting hit by malware is by browsing the Web. It hasn't always been this way. Years ago, floppy disks were the main malware vector. Then sharing of executable files. Then e-mail attachments. But for the past five years, the Web has been the main source of malware.

The Web is the problem largely because of exploit kits. Kits such as BlackHole, Cool Exploit, Eleanore, Incognito, Yes or Crimepack automate the process of infecting computers via exploits.

There is no exploit without a vulnerability. Ultimately, vulnerabilities are just bugs, that is, programming errors. We have bugs because programs are written by human beings, and human beings make mistakes. Software bugs have been a problem for as long as we have had programmable computers—and they are not going to disappear.

Bugs were not very critical until access to the Internet became widespread. Before, you could have been working on a word processor and opened a corrupted document file, and as a result, your word processor would have crashed. Even if annoying, such a crash would not have been too big of a deal. You might have lost any unsaved work in open documents, but that would have been it.

However, things changed as soon as the Internet entered the picture. Suddenly, bugs that used to be just a nuisance could be used to take over your computer. Yet even the most serious vulnerabilities are worthless to the attacker if they get patched. Therefore, the most valuable exploits target vulnerabilities that are not known to the vendor behind the exploited product. This means that the vendor cannot fix the bug and issue a security patch to close the hole.

If a security patch is available and the vulnerability starts to get exploited by attackers five days after the patch came out, the users have had five days to react. If there is no patch available, the users have no time at all to secure themselves; literally, zero days. This is where the term 'Zero Day Vulnerability' comes from: users are vulnerable even if they have applied all possible patches.

One of the key security mechanisms continues to be patching. Make sure all your systems are always fully up to date. This drastically reduces the risk of getting infected. But for Zero Day vulnerabilities, there are no patches available. However, antivirus products can help against even them. We're in a constant race against the attackers. And this race isn't going to be over any time soon.

Executive Summary

Three things visibly stand out in this past half year: botnets (with special reference to ZeroAccess), exploits (particularly against the Java development platform) and banking trojans (Zeus).

ZeroAccess was easily the most prevalent botnet we saw in 2012, with infections most visible in France, the United States and Sweden.
It is also one of the most actively developed and perhaps the most profitable botnet of last year. In this report, we go through the distribution methods and payment schemes of ZeroAccess's 'affiliate program', as well as its two main profit-generating activities: click fraud and Bitcoin mining. Aside from ZeroAccess, other notable botnets of 2012 are Zeus, Carberp, Dorkbot and SpamSoldier (a mobile botnet).

Java was the main target for most of the exploit-based attacks we saw during the past half year. This is aptly demonstrated in the statistics for the top 10 most prevalent detections recorded by our cloud lookup systems, in which the combined total of detections for the Java-specific CVE-2012-4681 and CVE-2012-5076 vulnerabilities and the Majava generic detections, which also identify samples that exploit Java-related vulnerabilities, account for one third of the samples identified during this period. Exploit kits play a big role in this prevalence. In addition, exploits against other programs such as the PDF document reader (CVE-2010-0188) or Windows TrueType font (CVE-2011-3402) made notable impacts in H2 2012, as detailed further in this report.

With regard to banking trojans, a botnet known as Zeus—which is also the name of the malware used to infect users' machines—is the main story for 2012. Analysis of the geography of Zeus's infection distribution highlights the United States, Italy and Germany as the most affected countries. In addition to its banking-trojan capabilities, the Zeus malware also functions as a backdoor, allowing it to be directly controlled from the botnet's command and control (C&C) servers. An examination of the different sets of backdoor commands used by Zeus derivatives (known as Citadel and Ice IX) gives more detail of what other malicious actions this malware can perform.
In terms of online security, we look at the more ambiguous side of the ever-growing popularity of website hosting, and how its increasingly affordable and user-friendly nature also makes it well suited to supporting malware hosting and malvertising. We also take a look at multi-platform attacks, in which a coordinated attack campaign is launched against multiple platforms (both desktop and mobile), often with multiple malware. And finally, on the mobile scene, the Android and Symbian platforms continue to be the main focus of threats, accounting for 79% and 19%, respectively, of all new mobile malware variants identified in 2012.

Contents

This threat report highlights trends and new developments seen in the malware threat landscape by analysts in F-Secure Labs during the second half of 2012. Also included are case studies covering selected noteworthy, highly prevalent threats from this period.

Foreword 3
Executive Summary 4
Contents 5
Incidents Calendar 6
In Review 7
Of Note 10
  The Password 11
  Corporate Espionage 12
Case Studies 14
  Bots 15
  ZeroAccess 17
  Zeus 21
  Exploits 25
  Web 28
  Multi-Platform Attacks 32
  Mobile 35
Sources 38

Contributing authors: Broderick Aquilino, Karmina Aquino, Christine Bejerasco, Edilberto Cajucom, Su Gim Goh, Alia Hilyati, Timo Hirvonen, Mikko Hyppönen, Sarah Jamaludin, Jarno Niemelä, Mikko Suominen, Chin Yick Low, Sean Sullivan, Marko Thure, Juha Ylipekkala.

Incidents Calendar

H2 2012 incidents calendar (July-December). The original is a month-by-month chart (Jul, Aug, Sept, Oct, Nov, Dec) whose entries are grouped as in the news, PC threats, mobile threats, and hacktivism & espionage; the month placement of each entry is not preserved here. Sources: see page 38.

- FBI support for DNSChanger ended
- Out-of-band Patch Friday
- Syrian Internet and mobile connections cut off
- Imuler.B backdoor found on OS X
- Multi-platform Intel/OS X backdoor found
- Malware signed with Adobe certificate
- Berlin police warned of Android banking trojans
- Commercial multi-platform surveillance tools found
- Samsung TouchWiz exploit
- Cool Exploit kit reported rivalling Blackhole
- Iran-targeted malware reported
- New Mac Revir threat found
- Indian government email accounts hacked
- New Linux rootkit found
- Gauss threat
- Threats targeted the London Olympics
- Dexter malware hit point of sales (POS)
- Huawei controversy in US Congress
- Australian hospital's records ransomed
- ITU Telecom World '12 raised Internet/government concerns
- Blackhole updated faster than flaws patched
- Java update closed 3 vulnerabilities
- Mac threat found on Dalai Lama-related website
- Matt Honan 'hack' highlighted flaws in accounts systems
- One rogue ad hits Finnish web traffic
- Eurograbber attack on European banks reported
- Samsung Exynos exploit reported online

In Review

Changes in the threat landscape

Unlike the first half of 2012, the second half of the year saw no major malware outbreaks on any platform. Instead, a handful of incidents took place during this period, most of which were notable as indications of how inventive attackers have been in finding ways to compromise a user's machine, data or money. These incidents included the hack into Wired writer Matt Honan's Gmail and Apple accounts, which exposed loopholes in those account systems; the Adobe-certified malware episode, in which attackers went to the extent of stealing Adobe's digital certificate in order to sign malware used in targeted attacks; and the Eurograbber attack, in which a variant of the Zeus crimeware was reportedly used to steal money from various corporations and banks in Europe.

An interesting development in 2012 has been the increasing public awareness of cyber-security and the various implications of being vulnerable to attack over a borderless Internet. News reports of alleged online or malware-based attacks against Iranian facilities drew attention to state-sponsored cyber-attacks. A conference gathering the various telecommunications entities to discuss basic infrastructure issues raised concerns about Internet governance, and the role of governments in it.
The past year also saw US politicians, not generally considered the most tech-savvy of users, raise concerns over the perceived reliance of sensitive government systems on IT solutions provided by foreign corporations seen as potentially unreliable. Though it is probably a positive development that more people are becoming exposed to topics that have long been considered irrelevant or academic, only time will tell what will result from the increased awareness.

Rather than a single major event, perhaps the most noteworthy aspect of H2 2012 is the way that the various trends we saw emerging in the first two quarters of the year have continued to grow apace—that is, the growth of botnets, the 'standardization' of vulnerability exploitation and the increasing 'establishment' of exploit kits.

When it comes to botnets, the news has been mixed at best. The last few years have seen concerted efforts by players from different fields—telecommunications, information security and even government organizations—to take down or at least hamper the activities of various botnets, which have compromised millions of users' computers and been used to perform such activities as monetary fraud and online hacking. These combined efforts resulted in totally shuttering, or at least seriously hampering, major botnets such as Rustock, Zeus and DNSChanger. Unfortunately, despite these commendable efforts, the botnets have been regularly resurrecting, often with new strategies or mechanisms for garnering profit. In addition, the operators running these botnets have been aggressively marketing their 'products' to other hackers and malware distributors. Their efforts include offering affiliate programs with attractive 'pay-per-installation' rates and 'rent-a-botnet' schemes that allow attackers to use the combined power of the infected hosts to perform attacks or other nefarious activities. These sophisticated business tactics have garnered significant returns.
In some cases, such as ZeroAccess, the reborn botnets have grown to count millions of infected hosts. See the case studies Bots (pg. 15), ZeroAccess (pg. 17) and Zeus (pg. 21) for more information on botnets.

Another change we saw last year was the increasing use of vulnerability exploitation, often in tandem with established social engineering tactics. Unlike previous years, when most of the infections we saw involved trojans, 2012 was definitely the year of the exploit, as exploit-related detections accounted for approximately 28% of all detections F-Secure's cloud lookup systems saw in H2 2012. In addition, malware designed to exploit vulnerabilities related to the Java development platform made up about 68% of all exploit-related detections recorded by our systems in the second half of last year.

Top 10 detections in H2 2012, and top countries*

Detection        Share   Top countries
ZeroAccess       27%     FR, US, SE, DK, others
Majava           26%     US, FR, FI, SE, others
Downadup         11%     BR, FR, MY, IT, others
Blackhole         9%     FR, FI, SE, NL, others
CVE-2012-4681     6%     US, SE, FR, DE, others
CVE-2011-3402     6%     FR, SE, NL, FI, others
CVE-2010-0188     6%     FR, SE, FI, NL, others
CVE-2012-5076     3%     FI, US, FR, SE, others
PDF exploits      3%     FI, FR, SE, DE, others
Sinowal           3%     NL, SE, FI, others

*Based on statistics from F-Secure's cloud lookup systems from July to December 2012. Share is each detection's percentage of the samples identified by the top 10 detections; the countries listed are those where each detection was most prevalent.

If we look at the list of Top 10 Detections (above) seen by our cloud lookup systems in H2 2012 in more detail, the two detections which specifically identify samples exploiting the Java-specific CVE-2012-4681 and CVE-2012-5076 vulnerabilities alone account for 9% of the malware identified by the top 10 detections. In addition, the Majava generic detections, which identify samples that exploit known vulnerabilities, including the Java-specific CVE-2012-0507 and CVE-2012-1723 vulnerabilities, account for another 26% of the top 10 detections, as well as having the dubious honor of being the second most common detection overall reported by our backend systems.

The sheer volume of Java-related detections indicates both the widespread popularity of that platform and its susceptibility to the malicious inventiveness of malware authors. Interestingly enough, when considering exploit attacks in general, though we saw attacks exploiting numerous vulnerabilities in multiple platforms and programs in 2012, the vast majority of the cases were related to only four vulnerabilities—CVE-2011-3402 and CVE-2010-0188, which are Windows-related vulnerabilities, and the previously mentioned Java vulnerabilities, CVE-2012-4681 and CVE-2012-5076. All of these vulnerabilities, incidentally, have already had security patches released by their relevant vendors.

This skewed preference in attack targeting can be directly attributed to the popular usage of exploit kits such as Blackhole and Cool Exploit, which have incorporated the exploits for these vulnerabilities, in some cases faster than the vendors were able to patch them. It's perhaps not too surprising then that BlackHole-related detections account for 9% of all samples detected by the top 10 detections of H2 2012. For more information on these exploits, see the Exploits case study on page 25.

And as a closing note, a quick look at our detection statistics for Mac indicates that even though Windows machines continue to be the main target for attacks, the Mac platform is increasingly coming in for a share of unwanted attention. Apart from the major Flashback outbreak in early 2012, we saw a slow but steady increase in malware on the Mac platform, as we detected 121 new, unique variants in all of 2012, the majority of them backdoors. By contrast, in 2011, we recorded only 59 new unique variants discovered on that platform.

Mac malware by type, Jan - Dec 2012 (total = 121 variants*)

Backdoor   85%
Trojan      7%
Rogue       4%
Others      4%

*The total is counted based on unique variants detected from Jan to Dec 2012, rather than total file count. Riskware and repackaged installers are not counted; multi-component malware is only counted once.

Of Note

The Password 11
Corporate Espionage 12