McAfee recently released the “McAfee Threats Report: First Quarter 2011.” With six million unique samples of recorded malware, Q1 2011 was the most active first quarter in malware history. The report revealed many of the trends that had a significant impact on the threat landscape, such as the takedown of the Rustock botnet, which resulted in spam remaining at its lowest levels since 2007, and confirmed that mobile malware is the new frontier of cybercrime.
“The Q1 Threats Report indicates that it’s been a busy start to 2011 for cybercriminals,” said Vincent Weafer, senior vice president of McAfee Labs. “Even though this past quarter once again showed that spam has slowed, it doesn’t mean that cybercriminals aren’t actively pursuing alternate avenues. We’re seeing a lot of emerging threats, such as Android malware and new botnets attempting to take over where Rustock left off, that will have a significant impact on the activity we see quarter after quarter.”
With more than six million unique malware samples in Q1, this period far exceeds any first quarter in malware history. February 2011 saw the most new malware samples of the quarter, at approximately 2.75 million. Fake anti-virus software had a very active quarter as well, reaching its highest levels in more than a year, totaling 350,000 unique fake-alert samples in March 2011.
Malware no longer affects just PCs. As Android devices have grown in popularity, the platform solidified its spot as the second most popular environment for mobile malware behind Symbian OS during the first three months of the year.
A McAfee Labs mobile application security whitepaper, released in conjunction with the “McAfee Threats Report,” discusses how most Android devices allow the “side-loading” of apps and are not restricted to getting them from a centralized app store, and there is no centralized place where Google can check all apps for suspicious behavior. (See “Downloading from Mobile App Stores Is a Risky Business.”) The researcher Lompolo recently found a series of Android applications carrying backdoor Trojans in the Android Market, and with estimated download rates ranging from tens of thousands to hundreds of thousands, the number of users who could be affected is significant. In Q1 2011 McAfee Labs found that the most prominent types of Android mobile malware were Android/DrdDream, Android/Drad, Android/StemySCR.A and Android/Bgyoulu, which affected everything from games to apps to SMS data.
The cybercriminals behind the Zeus crimeware toolkit have also directed attacks toward the mobile platform, creating new versions of Zitmo mobile malware for both Symbian and Windows Mobile systems to steal user bank-account information.
The takedown of the Rustock botnet resulted in the shutoff of major zombies and command structures that caused spam volumes to fall all over the world. Spam, which has been at its lowest levels since 2007 in the past few quarters, significantly dropped once again to less than half of what it was only a year ago — at approximately 1.5 trillion messages per day, outnumbering legitimate email traffic by only a 3:1 ratio.
Although Zeus botnet development has declined, the author has apparently shifted efforts to merging the Zeus source code with the SpyEye botnet, resulting in large-scale threats affecting banking and online transactions. As of March 2011, the most recent SpyEye botnet can thrive on more than 150 modules, such as USB thumb drives, instant messaging and Firefox certificates.
Spam may be at its lowest levels in years, but many botnets are in the position to fill the gap left by the decline of Rustock and Zeus; the competition includes Maazben, Bobaz, Lethic, Cutwail and Grum. There was a strong uptick in new botnet infections toward the end of Q1, most likely due to the reseeding process, where cyber criminals slow down activity in order to spend time rebuilding botnets. The botnet takedowns have resulted in an increase in the price of sending spam on the underground marketplace, showing the laws of supply and demand also apply to cybercrime.
Cyber criminals often disguise malicious content by using popular “lures” to trick unsuspecting users. Spam promoting phony or real products was the most popular lure in most global regions. In Russia and South Korea, drug spam was the most popular; in Australia and China, fake delivery status notifications were among the most popular. Q1 also brought a new trend among “banker” Trojans (malware that steals passwords and other data): their spam campaigns now use popular lures such as UPS, FedEx, USPS and the IRS.
McAfee Labs saw some significant spikes in malicious web content that corresponded with high-impact news events such as the Japanese earthquake and tsunami and major sporting events, with an average of 8,600 new bad sites per day. In the same vein, within the top 100 results of each of the daily top search terms, nearly 50 percent led to malicious sites, and on average contained more than two malicious links.