SlideShare uma empresa Scribd logo

Android under-siege-security-roundup-q3-2012-en

Комсс Файквэе
Комсс Файквэе

android security

Tecnologia
1 de 18
Baixar para ler offline
3Q 2012 SECURITY ROUNDUP Android Under Siege: Popularity Comes at a Price
Smartphones are to the early 21st century what the PC was to the late 20th century–a universal tool valued for its productivity and fun factor but hated for the problems it can bring. Since smartphones are handheld computers that communicate, the threats they face are both similar and different from the PC challenges many of us are familiar with. Like the PC, many of today’s mobile malware prey upon the unwary. However, the nature of the mobile malware threat is, in some ways, very different. Malware targeting Google’s Android platform increased nearly sixfold in the third quarter of 2012. What had been around 30,000 malicious and potentially dangerous or high-risk Android apps in June increased to almost 175,000 between July and September. This report will examine what led to the increase and what it means for users and developers alike. We’ve seen nearly 175,000 malicious and high-risk Android apps to date and we’re still counting!
Also in this report: • Dangerous zero-day exploits targeting Java and Internet Explorer (IE) were found. The IE vulnerability was used in an advanced persistent threat (APT) campaign. • ZeroAccess malware, sometimes found on peer-to- peer (P2P) sharing sites, were the top infector in the computing public this quarter. The old DOWNAD/ Conficker worm came a close second. • PayPal attracted the most phishermen while Linkedin topped the list of chosen Blackhole Exploit Kit targets. • See that spam? It likely arrived via Saudi Arabia (or India). • Corporations and governments were still viable APT targets. Lurid and Nitro APT campaign improvements were also noted. • Social media threats and privacy concerns lived on. Trend Micro TrendLabsSM continuously monitors the threat landscape to raise security awareness and come up with proactive solutions for home users and organizations alike. All of the figures contained in this report are based on Trend Micro™ Smart Protection Network™ data unless otherwise stated. The Smart Protection Network cloud security infrastructure rapidly and accurately identifies new threats, delivering global threat intelligence to secure data wherever it resides.
The number of malicious Android apps continued to increase. We also saw a significant rise in the number of aggressive mobile adware.1 Though most adware are designed to collect user information, a fine line exists between collecting data for simple advertising and violating one’s privacy. Because they normally collect user information for legitimate purposes, they can serve as an effective means to gather more data than some would want to give out. 1 http://about-threats.trendmicro.com/us/mobilehub/mobilereview/ rpt_mothly_mobile_review_201209_the_growing_problem_of_mobile_ adware.pdf As predicted... Smartphone and tablet platforms, especially Android, will suffer more cybercriminal attacks.
Malicious Android Application Package Files The Obama vs Romney Android app, which served potentially • Still in the early stages of development2 unwanted ads, was downloaded as • Developed by the Luckycat APT campaign attackers many as 1,000 times from Google Play alone. • Can execute commands sent from a remote * http://blog.trendmicro.com/trendlabs- command-and-control (C&C) server and collect device security-intelligence/us-2012-election- information apps-may-lead-to-data-disclosure/ 2 http://blog.trendmicro.com/trendlabs-security-intelligence/defcon-2012- android-malware-in-luckycat-servers/ “While it has been predicted that APT attackers will likely develop the Aggressive Mobile Adware capacity to attack targets via mobile devices, our discovery indicates that • Known for aggressively displaying ads on affected the development of such a capability is devices to generate profit for app developers something they are pursuing.” • Tend to gather personal information without the users’ * http://www.trendmicro.com/cloud-content/us/pdfs/ explicit knowledge or consent security-intelligence/white-papers/wp_adding- android-and-mac-osx-malware-to-the-apt-toolbox.pdf • Significantly contributed to the rise in the number of malicious and high-risk Android apps led by variants that used legitimate ad networks to push malicious ads3 • Some variants of which even pushed ads via notifications4 3 http://blog.trendmicro.com/trendlabs-security-intelligence/more- adware-and-plankton-variants-seen-in-app-stores/ 4 http://blog.trendmicro.com/trendlabs-security-intelligence/164-unique- android-adware-still-online/ “At the end of the day... all mobile apps are essentially web clients; therefore, they are as unsecure as a browser and that’s how you should treat them.” — David Sancho, senior threat researcher * http://blog.trendmicro.com/trendlabs-security- intelligence/apps-as-browsers-can-you-trust-your- mobile-apps/ Fake versions of legitimate Android apps are the most prevalent type of Android malware. This quarter, data stealers like Solar Charge and premium service abusers like Live Wallpapers in China or fake versions of best- selling apps that spread in Russia further raised concerns about the open nature of the Android ecosystem.
* Note that the numbers in this chart are for all time and not just for this quarter.
* Note that the numbers in this chart are for all time and not just for this quarter. Most mobile adware are simply a business model used to pay for an app offered for free or at low costs to users. But we also identified several adware that pose serious privacy-related threats. Apps that access your call history without informing you via an end-user license agreement (EULA) or their user interface (UI) constitute malicious behavior from a security perspective and are detected. Ad networks present a unique challenge though. They connect advertisers to app developers that want to host ads for a fee. Unfortunately, the in-app libraries that ad networks provide sometimes gather more information than developers declare. While in some instances this oversight is unintentional, failure to alert users of data-gathering behavior introduces privacy risks. App developers can either choose to closely examine ad libraries and ask their ad network to modify their code or rely on another ad network. We believe that the value of information stolen from users far outweighs the cost of due diligence on the side of developers and the ad networks that support them. Even worse, we’ve now seen evidence of mobile apps being developed as targeted attack tools. Attackers are no longer just limiting their sights to computers as points of entry into target networks. Android’s popularity has definitely not gone unnoticed. The fact that only 20% of Android device owners use a security app does not help.5 Using a solution that warns you of the potential problems certain apps can cause is one way to protect your data from thieving hands. In the end, you are responsible for the data you keep in your mobile device. Understand the permissions apps seek before giving them access to information that you may not even want to share. 5 http://fearlessweb.trendmicro.com/2012/misc/only-20-of-android-mobile-device- users-have-a-security-app-installed/
After more than six months, zero-day exploits again reared their ugly heads this quarter, proving they haven’t gone out of style.6 Aided by lack of discipline regarding patching for users and the difficulty of doing so for system administrators, exploits continued to wreak havoc. In 2011, we saw 1,822 critical vulnerabilities, which put a lot of organizations and company data at risk.7 Before the year ends, a new OS will come into the picture, which can be another venue for abuse.8 6 http://blog.trendmicro.com/trendlabs-security-intelligence/adobe-zero- day-vulnerability-installs-backdoor-another-targeted-attack/ 7 http://blog.trendmicro.com/trendlabs-security-intelligence/into-the- abyss-of-virtualization-related-threats/ 8 http://www.computerworld.com/s/article/9231076/Adobe_confirms_ Windows_8_users_vulnerable_to_active_Flash_exploits
* Note that the numbers in this chart only show the volume of declared OS/software vulnerabilities. * Based on data available from http://cve.mitre.org/ CVE-2012-4681 CVE-2012-4969 • A Java vulnerability exploited by a malicious • A vulnerability in IE versions 6 to 9 .JAR/.class file, which allowed remote attackers to • The zero-day exploit for which loads malicious .SWF execute commands on vulnerable systems and .HTML files that download and execute PoisonIvy • The zero-day exploit for which runs on all versions of and PlugX variants10 IE, Mozilla Firefox, Opera, Google Chrome, and Safari • A fix tool as well as an out-of-band security patch for • The exploit for which also runs on Macs9 which was released to ensure protection for affected users11 9 http://blog.trendmicro.com/trendlabs-security-intelligence/java- runtime-environment-1-7-zero-day-exploit-delivers-backdoor/ 10 http://blog.trendmicro.com/trendlabs-security-intelligence/new-ie- zero-day-exploit-leads-to-poisonivy/ and http://blog.trendmicro.com/ trendlabs-security-intelligence/plugx-new-tool-for-a-not-so-new- campaign/ 11 http://blog.trendmicro.com/trendlabs-security-intelligence/microsoft- releases-out-of-cycle-patch-for-ie/ Apple disclosed vulnerabilities in applications like Safari, iTunes, and iChat. Though it disclosed more “While some reports have gone on to product vulnerabilities than any other vendor, the data say that the zero-day exploit for in the following chart does not include how severe the CVE-2012-4681 may be used in targeted vulnerabilities reported were. In fact, despite the gap attacks, our analysis showed that this may between the number of recorded vulnerabilities for Apple not be the case… Targeted attacks are known and Microsoft and the former’s increasing market share, for staying under the radar to successfully the latter did suffer blows from the recently reported zero- operate. The domains/IP addresses in this day exploit attacks. attack say the attackers have no intention of staying hidden. — Manuel Gatbunton, threat response engineer * http://blog.trendmicro.com/trendlabs-security- intelligence/java-runtime-environment-1-7-zero- day-exploit-delivers-backdoor/
ZeroAccess malware, which have the ability to patch system files, rose in rank from third place in the second quarter to first place this quarter.12 We recorded more than 900,000 ZeroAccess malware detections to date. Backed by improvements to already-sophisticated cybercrime tools like the Blackhole Exploit Kit, more and more security risks are set to come into play. 12 http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/ reports/rpt-its-big-business-and-its-getting-personal.pdf As predicted… New threat actors will use sophisticated cybercrime tools to achieve their own ends.
ZeroAccess Malware Blackhole Exploit Kit 2.0 • May be hosted on P2P sharing sites, putting throngs of • The development of which download aficionados at risk may have been triggered by the success of the slew of • Has a new infection technique that patches system Blackhole Exploit Kit spam files with its variants runs14 • Loads a malicious .DLL file along with the Adobe Flash • Announced in underground Player installer, allowing the silent execution of the forums and via Pastebin posts malware when Adobe Flash Player runs in September • Accesses C&C servers to download other malicious • Believed to be undergoing beta components and monitor users’ activities13 testing using a different URL 13 http://blog.trendmicro.com/trendlabs-security-intelligence/ format as one of the improvements zaccesssirefef-arrives-with-new-infection-technique/ to evade detection15 14 http://www.trendmicro.com/cloud-content/us/ pdfs/security-intelligence/white-papers/wp_ blackhole-exploit-kit.pdf 15 http://blog.trendmicro.com/trendlabs-security- intelligence/blackhole-2-0-beta-tests-in-the-wild/ * Note that the numbers in this chart refer to the number of times each entity was used in a Blackhole Exploit Kit attack. Blackhole Exploit Kits are web pages designed to try and exploit “The unusual combination (i.e., several vulnerabilities on a visitor’s computer. Once any of the using Blackhole Exploit Kit 1.0 attack exploits runs, the page serves up the end payload, usually a URLs and removing the plugindetect malware. function in scripts) indicates that the authors of Blackhole Exploit Kit 2.0 may still be beta-testing specific features before fully releasing it into the wild.” — Jon Oliver, software architecture director * http://blog.trendmicro.com/trendlabs-security- intelligence/blackhole-2-0-beta-tests-in-the-wild/
* ZeroAccess: 929,015; DOWNAD/Conficker: 604,433; Keygen: 193,700 According to SpamRankings.net, the FESTI botnet uses SaudiNet for spamming activities,16 making Saudi Arabia, a newcomer, the top spam-sending country this quarter. Though Saudi Arabia was the top spam-sending country, that doesn’t mean the spammers live in it. They may just be taking advantage of the fact that Saudi Arabia-hosted IP addresses will not raise red flags as those of countries normally associated with cybercriminal activities as well as the likelihood that more botnets that send out spam exist in the country. 16 http://www.spamrankings.net/about/newandnews.php/
Users end up on malicious sites by clicking links embedded in spam or ads displayed on the sites they visit. Top 10 Malicious URLs Blocked Top 10 Malicious Domains Blocked Malicious URL Blocked Description Malicious Domain Blocked Description trafficconverter.biz:80/4vir/ Distributes malware, Distributes malware, trafficconverter.biz antispyware/loadadv.exe particularly DOWNAD variants particularly DOWNAD variants Distributes malware, Poses security risks for trafficconverter.biz:80/ particularly DOWNAD variants www   unad   o   r .f .c .k compromised systems and/or www   unad   o   r   0  .f .c .k :8 / Poses security risks for networks dynamic    dv    b    earchnq  /a /s /s _ compromised systems and/or Hosts malicious URLs, the popu   tml .h networks deepspacer.com registrant of which is a known deepspacer.com:80/y2x8ms42 spammer Hosts malicious URLs, the fge0otk4yjhmzwu4ztu5y2e4 Engages in the distribution of registrant of which is a known tags.expo9.exponential.com mtfjngewztqxnjmyodczfdmxm malicious software spammer a== Distributes malware and embed.redtube.com tags.expo9.exponential. Trojans through videos Engages in the distribution of com:80/tags/burstmediacom/ dl.baixaki.com.br Distributes malware malicious software audienceselectuk/tags.js Traffic site known for www   rafficholder   om   0  .t .c :8 / Traffic site known for www   rafficholder   om .t .c distributing malware in    n   hp /i .p distributing malware Mistaken for the Trend Micro mattfoll.eu.interia.pl:80/logos. oscex-en.url.trendmicro.co OfficeScan security suite site Distributes Trojans gif address www   uckytime   o   r   0  .l .c .k :8 / mattfoll.eu.interia.pl Distributes Trojans Hosts malware item    ata   hp _d .p www   uckytime   o   r .l .c .k Hosts malware 96.43.128.194:80/click.php Distributes Trojans Hosts adware and pop-ups am10.ru:80/code.php that redirect to phishing sites
APTs upped the ante with the addition of malicious Android application package (APK) files, the file format used to distribute and install application software and middleware in Android OSs, as possible attack tools.17 Attackers, particularly those behind the Luckycat campaign, are adapting to the evolving threat landscape by developing malicious APK files as additions to their existing toolkits. Campaigns like Lurid and Nitro underwent operational changes, apart from using zero-day instead of older and more widely available exploits for attacks this quarter. 17 http://blog.trendmicro.com/trendlabs-security-intelligence/defcon-2012- android-malware-in-luckycat-servers/ As predicted… More hacker groups will pose a bigger threat to organizations that protect highly sensitive data.
Enfal Malware Nitro Campaign • Infected 874 computers in 33 countries after • Used the Java zero-day prominently figuring in Lurid campaign attacks18 exploit to enter target networks • Known for communicating with specific servers that give potential attackers access to and even full control • Attacks related to which over infected systems continued even after the campaign’s exposure in 201123 • Have been used in targeted attacks against government departments in Vietnam, Russia, and • Proof that APT attackers also Mongolia as far back as 200619 use zero-day exploits though not as often as more readily 18 http://blog.trendmicro.com/trendlabs-security-intelligence/modified- available ones to get into target enfal-variants-compromised-874-systems/ 19 http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/ networks white-papers/wp_dissecting-lurid-apt.pdf 23 http://blog.trendmicro.com/trendlabs-security- intelligence/the-nitro-campaign-and-java-zero-day/ PlugX • A remote access Trojan (RAT) associated with PoisonIvy malware, which are commonly used in targeted attacks20 • Reportedly targets government organizations in various parts of Asia • Arrives as an attachment to spear-phishing emails21 • Exploits CVE-2010-3333, which was abused by a few APT campaigns like Luckycat and Taidoor22 20 http://blog.trendmicro.com/trendlabs-security-intelligence/plugx-new- tool-for-a-not-so-new-campaign/ 21 http://blog.trendmicro.com/trendlabs-security-intelligence/unplugging- plugx-capabilities/ 22 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3333; http:// www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white- papers/wp_luckycat_redux.pdf; and http://www.trendmicro.com/cloud- content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_ campaign.pdf Most APT campaigns target organizations in the corporate/government sector because these handle more sensitive data than any other kind of organization.24 “Campaigns like Nitro don’t ‘come back,’ because they 24 http://www.trendmicro.com/cloud-content/us/pdfs/business/white- papers/wp_apt-primer.pdf don’t go away. The Nitro attackers continued to be active after their activities were documented in 2011.” — Nart Villeneuve, senior threat researcher * http://blog.trendmicro.com/trendlabs-security- intelligence/the-nitro-campaign-and-java-zero- day/
Despite the fact that billions of people use various social media sites, related privacy issues remain. We found that only 50% of Facebook users check their privacy settings every 2–3 months. They aren’t likely to change their settings that often though.25 And so survey scams live on because the payoff—getting tons of personal data from users—is something the bad guys can’t pass up on.26 25 http://blog.trendmicro.com/trendlabs-security-intelligence/infographic- public-or-private-the-risks-of-posting-in-social-networks/ 26 http://blog.trendmicro.com/trendlabs-security-intelligence/threats-get- trickier-with-versatility-and-social-engineering/ As predicted… The new generation of young social networkers is more likely to reveal personal data to other parties such as in social networking sites.
Tumblr Survey Scams Fake WhatsApp for Facebook • Trick users into giving out personal information via the • Seen circulating via Facebook fake TumViewer web app notifications and posts touting pages contacts liked • Also come in the guise of work-from-home job posts for those in search of additional income27 • When associated links are clicked, lead users to a page 27 http://blog.trendmicro.com/trendlabs-security-intelligence/tumviewer- that requires them to give the and-online-income-survey-scams-hit-tumblr/ fake app certain permissions28 28 http://blog.trendmicro.com/trendlabs- security-intelligence/scam-disguised-as- whatsapp-for-facebook/ * http://blog.trendmicro.com/trendlabs-security-intelligence/the-risks-of-posting-in-social-networks “Familiarize yourself with both the privacy settings and the security policies of any social and professional networking site you use. If you’re not happy with them, stop using the sites.” — Rik Ferguson, director of security research and communications * http://countermeasures.trendmicro.eu/safer-social- networking/
TREND MICRO™ TRENDLABSSM Trend Micro Incorporated, a global cloud security leader, TrendLabs is a multinational research, development, and support creates a world safe for exchanging digital information with its center with an extensive regional presence committed to Internet content security and threat management solutions for 24 x 7 threat surveillance, attack prevention, and timely and businesses and consumers. A pioneer in server security with seamless solutions delivery. With more than 1,000 threat experts over 20 years experience, we deliver top-ranked client, server, and support engineers deployed round-the-clock in labs located and cloud-based security that fits our customers’ and partners’ around the globe, TrendLabs enables Trend Micro to continuously needs; stops new threats faster; and protects data in physical, monitor the threat landscape across the globe; deliver real-time virtualized, and cloud environments. Powered by the Trend data to detect, to preempt, and to eliminate threats; research on Micro™ Smart Protection Network™ infrastructure, our industry- and analyze technologies to combat new threats; respond in real leading cloud-computing security technology, products and time to targeted threats; and help customers worldwide minimize services stop threats where they emerge, on the Internet, and damage, reduce costs, and ensure business continuity. are supported by 1,000+ threat intelligence experts around the globe. For additional information, visit www.trendmicro.com. ©2012 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

Recomendados

Rp data breach-investigations-report-2013-en_xg
Rp data breach-investigations-report-2013-en_xgRp data breach-investigations-report-2013-en_xg
Rp data breach-investigations-report-2013-en_xgКомсс Файквэе
 
Joomla! XSS Vulnerabilities by Riyaz Walikar
Joomla! XSS Vulnerabilities by Riyaz WalikarJoomla! XSS Vulnerabilities by Riyaz Walikar
Joomla! XSS Vulnerabilities by Riyaz Walikarn|u - The Open Security Community
 
t r
t rt r
t relectronicmingle01
 
OWASP Top 10 2007 for JavaEE
OWASP Top 10 2007 for JavaEE OWASP Top 10 2007 for JavaEE
OWASP Top 10 2007 for JavaEE Magno Logan
 
عرض محاضرة كيفية انشاء المطاعم لرؤوس الاموال الناشئة والمبتدئة
عرض محاضرة كيفية انشاء المطاعم لرؤوس الاموال الناشئة والمبتدئةعرض محاضرة كيفية انشاء المطاعم لرؤوس الاموال الناشئة والمبتدئة
عرض محاضرة كيفية انشاء المطاعم لرؤوس الاموال الناشئة والمبتدئةMazen AlDarrab
 
Segurinfo2014 Santiago Cavanna
Segurinfo2014 Santiago CavannaSegurinfo2014 Santiago Cavanna
Segurinfo2014 Santiago CavannaSantiago Cavanna
 
VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE
VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTUREVULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE
VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURENurul Haszeli Ahmad
 
Ksb 2013 ru
Ksb 2013 ruKsb 2013 ru
Ksb 2013 ruКомсс Файквэе
 

Recomendados

Rp data breach-investigations-report-2013-en_xg
Rp data breach-investigations-report-2013-en_xgRp data breach-investigations-report-2013-en_xg
Rp data breach-investigations-report-2013-en_xgКомсс Файквэе
 
Joomla! XSS Vulnerabilities by Riyaz Walikar
Joomla! XSS Vulnerabilities by Riyaz WalikarJoomla! XSS Vulnerabilities by Riyaz Walikar
Joomla! XSS Vulnerabilities by Riyaz Walikarn|u - The Open Security Community
 
t r
t rt r
t relectronicmingle01
 
OWASP Top 10 2007 for JavaEE
OWASP Top 10 2007 for JavaEE OWASP Top 10 2007 for JavaEE
OWASP Top 10 2007 for JavaEE Magno Logan
 
عرض محاضرة كيفية انشاء المطاعم لرؤوس الاموال الناشئة والمبتدئة
عرض محاضرة كيفية انشاء المطاعم لرؤوس الاموال الناشئة والمبتدئةعرض محاضرة كيفية انشاء المطاعم لرؤوس الاموال الناشئة والمبتدئة
عرض محاضرة كيفية انشاء المطاعم لرؤوس الاموال الناشئة والمبتدئةMazen AlDarrab
 
Segurinfo2014 Santiago Cavanna
Segurinfo2014 Santiago CavannaSegurinfo2014 Santiago Cavanna
Segurinfo2014 Santiago CavannaSantiago Cavanna
 
VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE
VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTUREVULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE
VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURENurul Haszeli Ahmad
 
Ksb 2013 ru
Ksb 2013 ruKsb 2013 ru
Ksb 2013 ruКомсс Файквэе
 
Rp quarterly-threat-q3-2013
Rp quarterly-threat-q3-2013Rp quarterly-threat-q3-2013
Rp quarterly-threat-q3-2013Комсс Файквэе
 
Apwg trends report_q2_2013
Apwg trends report_q2_2013Apwg trends report_q2_2013
Apwg trends report_q2_2013Комсс Файквэе
 
Mobile threat report_q3_2013
Mobile threat report_q3_2013Mobile threat report_q3_2013
Mobile threat report_q3_2013Комсс Файквэе
 
Scimp paper
Scimp paperScimp paper
Scimp paperКомсс Файквэе
 
Ey giss-under-cyber-attack
Ey giss-under-cyber-attackEy giss-under-cyber-attack
Ey giss-under-cyber-attackКомсс Файквэе
 
Hta t07-did-you-read-the-news-http-request-hijacking
Hta t07-did-you-read-the-news-http-request-hijackingHta t07-did-you-read-the-news-http-request-hijacking
Hta t07-did-you-read-the-news-http-request-hijackingКомсс Файквэе
 
Analitika web 2012_positive_technologies
Analitika web 2012_positive_technologiesAnalitika web 2012_positive_technologies
Analitika web 2012_positive_technologiesКомсс Файквэе
 
B istr main-report_v18_2012_21291018.en-us
B istr main-report_v18_2012_21291018.en-usB istr main-report_v18_2012_21291018.en-us
B istr main-report_v18_2012_21291018.en-usКомсс Файквэе
 
Threat report h1_2013
Threat report h1_2013Threat report h1_2013
Threat report h1_2013Комсс Файквэе
 
B intelligence report-08-2013.en-us
B intelligence report-08-2013.en-usB intelligence report-08-2013.en-us
B intelligence report-08-2013.en-usКомсс Файквэе
 
Dtl 2013 q2_home.1.2
Dtl 2013 q2_home.1.2Dtl 2013 q2_home.1.2
Dtl 2013 q2_home.1.2Комсс Файквэе
 
Rp quarterly-threat-q1-2012
Rp quarterly-threat-q1-2012Rp quarterly-threat-q1-2012
Rp quarterly-threat-q1-2012Комсс Файквэе
 
Kaspersky lab av_test_whitelist_test_report
Kaspersky lab av_test_whitelist_test_reportKaspersky lab av_test_whitelist_test_report
Kaspersky lab av_test_whitelist_test_reportКомсс Файквэе
 
The modern-malware-review-march-2013
The modern-malware-review-march-2013 The modern-malware-review-march-2013
The modern-malware-review-march-2013 Комсс Файквэе
 
Dtl 2012 kl-app_ctl1.2
Dtl 2012 kl-app_ctl1.2Dtl 2012 kl-app_ctl1.2
Dtl 2012 kl-app_ctl1.2Комсс Файквэе
 
Panda labs annual-report-2012
Panda labs annual-report-2012Panda labs annual-report-2012
Panda labs annual-report-2012Комсс Файквэе
 
H02 syllabus
H02 syllabusH02 syllabus
H02 syllabusКомсс Файквэе
 
Course reader-title
Course reader-titleCourse reader-title
Course reader-titleКомсс Файквэе
 
Rp threat-predictions-2013
Rp threat-predictions-2013Rp threat-predictions-2013
Rp threat-predictions-2013Комсс Файквэе
 
2012 browser phishing
2012 browser phishing2012 browser phishing
2012 browser phishingКомсс Файквэе
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 

Mais conteúdo relacionado

Mais de Комсс Файквэе

Hta t07-did-you-read-the-news-http-request-hijacking
Hta t07-did-you-read-the-news-http-request-hijackingHta t07-did-you-read-the-news-http-request-hijacking
Hta t07-did-you-read-the-news-http-request-hijackingКомсс Файквэе
 

Mais de Комсс Файквэе (20)

Rp quarterly-threat-q3-2013
Rp quarterly-threat-q3-2013Rp quarterly-threat-q3-2013
Rp quarterly-threat-q3-2013
 
Apwg trends report_q2_2013
Apwg trends report_q2_2013Apwg trends report_q2_2013
Apwg trends report_q2_2013
 
Mobile threat report_q3_2013
Mobile threat report_q3_2013Mobile threat report_q3_2013
Mobile threat report_q3_2013
 
Scimp paper
Scimp paperScimp paper
Scimp paper
 
Ey giss-under-cyber-attack
Ey giss-under-cyber-attackEy giss-under-cyber-attack
Ey giss-under-cyber-attack
 
Hta t07-did-you-read-the-news-http-request-hijacking
Hta t07-did-you-read-the-news-http-request-hijackingHta t07-did-you-read-the-news-http-request-hijacking
Hta t07-did-you-read-the-news-http-request-hijacking
 
Analitika web 2012_positive_technologies
Analitika web 2012_positive_technologiesAnalitika web 2012_positive_technologies
Analitika web 2012_positive_technologies
 
B istr main-report_v18_2012_21291018.en-us
B istr main-report_v18_2012_21291018.en-usB istr main-report_v18_2012_21291018.en-us
B istr main-report_v18_2012_21291018.en-us
 
Threat report h1_2013
Threat report h1_2013Threat report h1_2013
Threat report h1_2013
 
B intelligence report-08-2013.en-us
B intelligence report-08-2013.en-usB intelligence report-08-2013.en-us
B intelligence report-08-2013.en-us
 
Dtl 2013 q2_home.1.2
Dtl 2013 q2_home.1.2Dtl 2013 q2_home.1.2
Dtl 2013 q2_home.1.2
 
Rp quarterly-threat-q1-2012
Rp quarterly-threat-q1-2012Rp quarterly-threat-q1-2012
Rp quarterly-threat-q1-2012
 
Kaspersky lab av_test_whitelist_test_report
Kaspersky lab av_test_whitelist_test_reportKaspersky lab av_test_whitelist_test_report
Kaspersky lab av_test_whitelist_test_report
 
The modern-malware-review-march-2013
The modern-malware-review-march-2013 The modern-malware-review-march-2013
The modern-malware-review-march-2013
 
Dtl 2012 kl-app_ctl1.2
Dtl 2012 kl-app_ctl1.2Dtl 2012 kl-app_ctl1.2
Dtl 2012 kl-app_ctl1.2
 
Panda labs annual-report-2012
Panda labs annual-report-2012Panda labs annual-report-2012
Panda labs annual-report-2012
 
H02 syllabus
H02 syllabusH02 syllabus
H02 syllabus
 
Course reader-title
Course reader-titleCourse reader-title
Course reader-title
 
Rp threat-predictions-2013
Rp threat-predictions-2013Rp threat-predictions-2013
Rp threat-predictions-2013
 
2012 browser phishing
2012 browser phishing2012 browser phishing
2012 browser phishing
 

Último

Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 

Último (20)

Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 

Android under-siege-security-roundup-q3-2012-en

  • 1. 3Q 2012 SECURITY ROUNDUP Android Under Siege: Popularity Comes at a Price
  • 2. Smartphones are to the early 21st century what the PC was to the late 20th century–a universal tool valued for its productivity and fun factor but hated for the problems it can bring. Since smartphones are handheld computers that communicate, the threats they face are both similar and different from the PC challenges many of us are familiar with. Like the PC, many of today’s mobile malware prey upon the unwary. However, the nature of the mobile malware threat is, in some ways, very different. Malware targeting Google’s Android platform increased nearly sixfold in the third quarter of 2012. What had been around 30,000 malicious and potentially dangerous or high-risk Android apps in June increased to almost 175,000 between July and September. This report will examine what led to the increase and what it means for users and developers alike. We’ve seen nearly 175,000 malicious and high-risk Android apps to date and we’re still counting!
  • 3. Also in this report: • Dangerous zero-day exploits targeting Java and Internet Explorer (IE) were found. The IE vulnerability was used in an advanced persistent threat (APT) campaign. • ZeroAccess malware, sometimes found on peer-to- peer (P2P) sharing sites, were the top infector in the computing public this quarter. The old DOWNAD/ Conficker worm came a close second. • PayPal attracted the most phishermen while Linkedin topped the list of chosen Blackhole Exploit Kit targets. • See that spam? It likely arrived via Saudi Arabia (or India). • Corporations and governments were still viable APT targets. Lurid and Nitro APT campaign improvements were also noted. • Social media threats and privacy concerns lived on. Trend Micro TrendLabsSM continuously monitors the threat landscape to raise security awareness and come up with proactive solutions for home users and organizations alike. All of the figures contained in this report are based on Trend Micro™ Smart Protection Network™ data unless otherwise stated. The Smart Protection Network cloud security infrastructure rapidly and accurately identifies new threats, delivering global threat intelligence to secure data wherever it resides.
  • 4. The number of malicious Android apps continued to increase. We also saw a significant rise in the number of aggressive mobile adware.1 Though most adware are designed to collect user information, a fine line exists between collecting data for simple advertising and violating one’s privacy. Because they normally collect user information for legitimate purposes, they can serve as an effective means to gather more data than some would want to give out. 1 http://about-threats.trendmicro.com/us/mobilehub/mobilereview/ rpt_mothly_mobile_review_201209_the_growing_problem_of_mobile_ adware.pdf As predicted... Smartphone and tablet platforms, especially Android, will suffer more cybercriminal attacks.
  • 5. Malicious Android Application Package Files The Obama vs Romney Android app, which served potentially • Still in the early stages of development2 unwanted ads, was downloaded as • Developed by the Luckycat APT campaign attackers many as 1,000 times from Google Play alone. • Can execute commands sent from a remote * http://blog.trendmicro.com/trendlabs- command-and-control (C&C) server and collect device security-intelligence/us-2012-election- information apps-may-lead-to-data-disclosure/ 2 http://blog.trendmicro.com/trendlabs-security-intelligence/defcon-2012- android-malware-in-luckycat-servers/ “While it has been predicted that APT attackers will likely develop the Aggressive Mobile Adware capacity to attack targets via mobile devices, our discovery indicates that • Known for aggressively displaying ads on affected the development of such a capability is devices to generate profit for app developers something they are pursuing.” • Tend to gather personal information without the users’ * http://www.trendmicro.com/cloud-content/us/pdfs/ explicit knowledge or consent security-intelligence/white-papers/wp_adding- android-and-mac-osx-malware-to-the-apt-toolbox.pdf • Significantly contributed to the rise in the number of malicious and high-risk Android apps led by variants that used legitimate ad networks to push malicious ads3 • Some variants of which even pushed ads via notifications4 3 http://blog.trendmicro.com/trendlabs-security-intelligence/more- adware-and-plankton-variants-seen-in-app-stores/ 4 http://blog.trendmicro.com/trendlabs-security-intelligence/164-unique- android-adware-still-online/ “At the end of the day... all mobile apps are essentially web clients; therefore, they are as unsecure as a browser and that’s how you should treat them.” — David Sancho, senior threat researcher * http://blog.trendmicro.com/trendlabs-security- intelligence/apps-as-browsers-can-you-trust-your- mobile-apps/ Fake versions of legitimate Android apps are the most prevalent type of Android malware. This quarter, data stealers like Solar Charge and premium service abusers like Live Wallpapers in China or fake versions of best- selling apps that spread in Russia further raised concerns about the open nature of the Android ecosystem.
  • 6. * Note that the numbers in this chart are for all time and not just for this quarter.
  • 7. * Note that the numbers in this chart are for all time and not just for this quarter. Most mobile adware are simply a business model used to pay for an app offered for free or at low costs to users. But we also identified several adware that pose serious privacy-related threats. Apps that access your call history without informing you via an end-user license agreement (EULA) or their user interface (UI) constitute malicious behavior from a security perspective and are detected. Ad networks present a unique challenge though. They connect advertisers to app developers that want to host ads for a fee. Unfortunately, the in-app libraries that ad networks provide sometimes gather more information than developers declare. While in some instances this oversight is unintentional, failure to alert users of data-gathering behavior introduces privacy risks. App developers can either choose to closely examine ad libraries and ask their ad network to modify their code or rely on another ad network. We believe that the value of information stolen from users far outweighs the cost of due diligence on the side of developers and the ad networks that support them. Even worse, we’ve now seen evidence of mobile apps being developed as targeted attack tools. Attackers are no longer just limiting their sights to computers as points of entry into target networks. Android’s popularity has definitely not gone unnoticed. The fact that only 20% of Android device owners use a security app does not help.5 Using a solution that warns you of the potential problems certain apps can cause is one way to protect your data from thieving hands. In the end, you are responsible for the data you keep in your mobile device. Understand the permissions apps seek before giving them access to information that you may not even want to share. 5 http://fearlessweb.trendmicro.com/2012/misc/only-20-of-android-mobile-device- users-have-a-security-app-installed/
  • 8. After more than six months, zero-day exploits again reared their ugly heads this quarter, proving they haven’t gone out of style.6 Aided by lack of discipline regarding patching for users and the difficulty of doing so for system administrators, exploits continued to wreak havoc. In 2011, we saw 1,822 critical vulnerabilities, which put a lot of organizations and company data at risk.7 Before the year ends, a new OS will come into the picture, which can be another venue for abuse.8 6 http://blog.trendmicro.com/trendlabs-security-intelligence/adobe-zero- day-vulnerability-installs-backdoor-another-targeted-attack/ 7 http://blog.trendmicro.com/trendlabs-security-intelligence/into-the- abyss-of-virtualization-related-threats/ 8 http://www.computerworld.com/s/article/9231076/Adobe_confirms_ Windows_8_users_vulnerable_to_active_Flash_exploits
  • 9. * Note that the numbers in this chart only show the volume of declared OS/software vulnerabilities. * Based on data available from http://cve.mitre.org/ CVE-2012-4681 CVE-2012-4969 • A Java vulnerability exploited by a malicious • A vulnerability in IE versions 6 to 9 .JAR/.class file, which allowed remote attackers to • The zero-day exploit for which loads malicious .SWF execute commands on vulnerable systems and .HTML files that download and execute PoisonIvy • The zero-day exploit for which runs on all versions of and PlugX variants10 IE, Mozilla Firefox, Opera, Google Chrome, and Safari • A fix tool as well as an out-of-band security patch for • The exploit for which also runs on Macs9 which was released to ensure protection for affected users11 9 http://blog.trendmicro.com/trendlabs-security-intelligence/java- runtime-environment-1-7-zero-day-exploit-delivers-backdoor/ 10 http://blog.trendmicro.com/trendlabs-security-intelligence/new-ie- zero-day-exploit-leads-to-poisonivy/ and http://blog.trendmicro.com/ trendlabs-security-intelligence/plugx-new-tool-for-a-not-so-new- campaign/ 11 http://blog.trendmicro.com/trendlabs-security-intelligence/microsoft- releases-out-of-cycle-patch-for-ie/ Apple disclosed vulnerabilities in applications like Safari, iTunes, and iChat. Though it disclosed more “While some reports have gone on to product vulnerabilities than any other vendor, the data say that the zero-day exploit for in the following chart does not include how severe the CVE-2012-4681 may be used in targeted vulnerabilities reported were. In fact, despite the gap attacks, our analysis showed that this may between the number of recorded vulnerabilities for Apple not be the case… Targeted attacks are known and Microsoft and the former’s increasing market share, for staying under the radar to successfully the latter did suffer blows from the recently reported zero- operate. The domains/IP addresses in this day exploit attacks. attack say the attackers have no intention of staying hidden. — Manuel Gatbunton, threat response engineer * http://blog.trendmicro.com/trendlabs-security- intelligence/java-runtime-environment-1-7-zero- day-exploit-delivers-backdoor/
  • 10. ZeroAccess malware, which have the ability to patch system files, rose in rank from third place in the second quarter to first place this quarter.12 We recorded more than 900,000 ZeroAccess malware detections to date. Backed by improvements to already-sophisticated cybercrime tools like the Blackhole Exploit Kit, more and more security risks are set to come into play. 12 http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/ reports/rpt-its-big-business-and-its-getting-personal.pdf As predicted… New threat actors will use sophisticated cybercrime tools to achieve their own ends.
  • 11. ZeroAccess Malware Blackhole Exploit Kit 2.0 • May be hosted on P2P sharing sites, putting throngs of • The development of which download aficionados at risk may have been triggered by the success of the slew of • Has a new infection technique that patches system Blackhole Exploit Kit spam files with its variants runs14 • Loads a malicious .DLL file along with the Adobe Flash • Announced in underground Player installer, allowing the silent execution of the forums and via Pastebin posts malware when Adobe Flash Player runs in September • Accesses C&C servers to download other malicious • Believed to be undergoing beta components and monitor users’ activities13 testing using a different URL 13 http://blog.trendmicro.com/trendlabs-security-intelligence/ format as one of the improvements zaccesssirefef-arrives-with-new-infection-technique/ to evade detection15 14 http://www.trendmicro.com/cloud-content/us/ pdfs/security-intelligence/white-papers/wp_ blackhole-exploit-kit.pdf 15 http://blog.trendmicro.com/trendlabs-security- intelligence/blackhole-2-0-beta-tests-in-the-wild/ * Note that the numbers in this chart refer to the number of times each entity was used in a Blackhole Exploit Kit attack. Blackhole Exploit Kits are web pages designed to try and exploit “The unusual combination (i.e., several vulnerabilities on a visitor’s computer. Once any of the using Blackhole Exploit Kit 1.0 attack exploits runs, the page serves up the end payload, usually a URLs and removing the plugindetect malware. function in scripts) indicates that the authors of Blackhole Exploit Kit 2.0 may still be beta-testing specific features before fully releasing it into the wild.” — Jon Oliver, software architecture director * http://blog.trendmicro.com/trendlabs-security- intelligence/blackhole-2-0-beta-tests-in-the-wild/
  • 12. * ZeroAccess: 929,015; DOWNAD/Conficker: 604,433; Keygen: 193,700 According to SpamRankings.net, the FESTI botnet uses SaudiNet for spamming activities,16 making Saudi Arabia, a newcomer, the top spam-sending country this quarter. Though Saudi Arabia was the top spam-sending country, that doesn’t mean the spammers live in it. They may just be taking advantage of the fact that Saudi Arabia-hosted IP addresses will not raise red flags as those of countries normally associated with cybercriminal activities as well as the likelihood that more botnets that send out spam exist in the country. 16 http://www.spamrankings.net/about/newandnews.php/
  • 13. Users end up on malicious sites by clicking links embedded in spam or ads displayed on the sites they visit. Top 10 Malicious URLs Blocked Top 10 Malicious Domains Blocked Malicious URL Blocked Description Malicious Domain Blocked Description trafficconverter.biz:80/4vir/ Distributes malware, Distributes malware, trafficconverter.biz antispyware/loadadv.exe particularly DOWNAD variants particularly DOWNAD variants Distributes malware, Poses security risks for trafficconverter.biz:80/ particularly DOWNAD variants www   unad   o   r .f .c .k compromised systems and/or www   unad   o   r   0  .f .c .k :8 / Poses security risks for networks dynamic    dv    b    earchnq  /a /s /s _ compromised systems and/or Hosts malicious URLs, the popu   tml .h networks deepspacer.com registrant of which is a known deepspacer.com:80/y2x8ms42 spammer Hosts malicious URLs, the fge0otk4yjhmzwu4ztu5y2e4 Engages in the distribution of registrant of which is a known tags.expo9.exponential.com mtfjngewztqxnjmyodczfdmxm malicious software spammer a== Distributes malware and embed.redtube.com tags.expo9.exponential. Trojans through videos Engages in the distribution of com:80/tags/burstmediacom/ dl.baixaki.com.br Distributes malware malicious software audienceselectuk/tags.js Traffic site known for www   rafficholder   om   0  .t .c :8 / Traffic site known for www   rafficholder   om .t .c distributing malware in    n   hp /i .p distributing malware Mistaken for the Trend Micro mattfoll.eu.interia.pl:80/logos. oscex-en.url.trendmicro.co OfficeScan security suite site Distributes Trojans gif address www   uckytime   o   r   0  .l .c .k :8 / mattfoll.eu.interia.pl Distributes Trojans Hosts malware item    ata   hp _d .p www   uckytime   o   r .l .c .k Hosts malware 96.43.128.194:80/click.php Distributes Trojans Hosts adware and pop-ups am10.ru:80/code.php that redirect to phishing sites
  • 14. APTs upped the ante with the addition of malicious Android application package (APK) files, the file format used to distribute and install application software and middleware in Android OSs, as possible attack tools.17 Attackers, particularly those behind the Luckycat campaign, are adapting to the evolving threat landscape by developing malicious APK files as additions to their existing toolkits. Campaigns like Lurid and Nitro underwent operational changes, apart from using zero-day instead of older and more widely available exploits for attacks this quarter. 17 http://blog.trendmicro.com/trendlabs-security-intelligence/defcon-2012- android-malware-in-luckycat-servers/ As predicted… More hacker groups will pose a bigger threat to organizations that protect highly sensitive data.
  • 15. Enfal Malware Nitro Campaign • Infected 874 computers in 33 countries after • Used the Java zero-day prominently figuring in Lurid campaign attacks18 exploit to enter target networks • Known for communicating with specific servers that give potential attackers access to and even full control • Attacks related to which over infected systems continued even after the campaign’s exposure in 201123 • Have been used in targeted attacks against government departments in Vietnam, Russia, and • Proof that APT attackers also Mongolia as far back as 200619 use zero-day exploits though not as often as more readily 18 http://blog.trendmicro.com/trendlabs-security-intelligence/modified- available ones to get into target enfal-variants-compromised-874-systems/ 19 http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/ networks white-papers/wp_dissecting-lurid-apt.pdf 23 http://blog.trendmicro.com/trendlabs-security- intelligence/the-nitro-campaign-and-java-zero-day/ PlugX • A remote access Trojan (RAT) associated with PoisonIvy malware, which are commonly used in targeted attacks20 • Reportedly targets government organizations in various parts of Asia • Arrives as an attachment to spear-phishing emails21 • Exploits CVE-2010-3333, which was abused by a few APT campaigns like Luckycat and Taidoor22 20 http://blog.trendmicro.com/trendlabs-security-intelligence/plugx-new- tool-for-a-not-so-new-campaign/ 21 http://blog.trendmicro.com/trendlabs-security-intelligence/unplugging- plugx-capabilities/ 22 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3333; http:// www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white- papers/wp_luckycat_redux.pdf; and http://www.trendmicro.com/cloud- content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_ campaign.pdf Most APT campaigns target organizations in the corporate/government sector because these handle more sensitive data than any other kind of organization.24 “Campaigns like Nitro don’t ‘come back,’ because they 24 http://www.trendmicro.com/cloud-content/us/pdfs/business/white- papers/wp_apt-primer.pdf don’t go away. The Nitro attackers continued to be active after their activities were documented in 2011.” — Nart Villeneuve, senior threat researcher * http://blog.trendmicro.com/trendlabs-security- intelligence/the-nitro-campaign-and-java-zero- day/
  • 16. Despite the fact that billions of people use various social media sites, related privacy issues remain. We found that only 50% of Facebook users check their privacy settings every 2–3 months. They aren’t likely to change their settings that often though.25 And so survey scams live on because the payoff—getting tons of personal data from users—is something the bad guys can’t pass up on.26 25 http://blog.trendmicro.com/trendlabs-security-intelligence/infographic- public-or-private-the-risks-of-posting-in-social-networks/ 26 http://blog.trendmicro.com/trendlabs-security-intelligence/threats-get- trickier-with-versatility-and-social-engineering/ As predicted… The new generation of young social networkers is more likely to reveal personal data to other parties such as in social networking sites.
  • 17. Tumblr Survey Scams Fake WhatsApp for Facebook • Trick users into giving out personal information via the • Seen circulating via Facebook fake TumViewer web app notifications and posts touting pages contacts liked • Also come in the guise of work-from-home job posts for those in search of additional income27 • When associated links are clicked, lead users to a page 27 http://blog.trendmicro.com/trendlabs-security-intelligence/tumviewer- that requires them to give the and-online-income-survey-scams-hit-tumblr/ fake app certain permissions28 28 http://blog.trendmicro.com/trendlabs- security-intelligence/scam-disguised-as- whatsapp-for-facebook/ * http://blog.trendmicro.com/trendlabs-security-intelligence/the-risks-of-posting-in-social-networks “Familiarize yourself with both the privacy settings and the security policies of any social and professional networking site you use. If you’re not happy with them, stop using the sites.” — Rik Ferguson, director of security research and communications * http://countermeasures.trendmicro.eu/safer-social- networking/
  • 18. TREND MICRO™ TRENDLABSSM Trend Micro Incorporated, a global cloud security leader, TrendLabs is a multinational research, development, and support creates a world safe for exchanging digital information with its center with an extensive regional presence committed to Internet content security and threat management solutions for 24 x 7 threat surveillance, attack prevention, and timely and businesses and consumers. A pioneer in server security with seamless solutions delivery. With more than 1,000 threat experts over 20 years experience, we deliver top-ranked client, server, and support engineers deployed round-the-clock in labs located and cloud-based security that fits our customers’ and partners’ around the globe, TrendLabs enables Trend Micro to continuously needs; stops new threats faster; and protects data in physical, monitor the threat landscape across the globe; deliver real-time virtualized, and cloud environments. Powered by the Trend data to detect, to preempt, and to eliminate threats; research on Micro™ Smart Protection Network™ infrastructure, our industry- and analyze technologies to combat new threats; respond in real leading cloud-computing security technology, products and time to targeted threats; and help customers worldwide minimize services stop threats where they emerge, on the Internet, and damage, reduce costs, and ensure business continuity. are supported by 1,000+ threat intelligence experts around the globe. For additional information, visit www.trendmicro.com. ©2012 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.