Kindsight Blog

Today, we released new features for Kindsight Mobile Security to expand the protection mobile operators can offer their subscribers. Mobile operators can now alert users of suspicious apps that would be missed by device-only security apps, block infected devices from communicating with attackers’ command-and-control (C&C) servers, and help the subscriber locate missing phones and remotely lock or wipe data from stolen phones. 

Today, we released the Kindsight Security Labs Malware Report for Q2 2012. The quarterly report reveals statistics and security trends for malware infections in home networks and mobile devices, including Flashback, ZeroAccess and DNSChanger. Because Kindsight is embedded within service provider networks, the Security Labs team has unparalleled insight into malicious network communications traffic.

We have been investigating the appearance of a new variation of the ZeroAccess/Sirefef bot. In February, we published a detailed analysis of the network behavior of this bot and the encrypted p2p protocol that it uses to communicate with its peers. The main purpose of this botnet is to distribute malware responsible for ad-click fraud.

Download the Malware Analysis Report - New C&C Protocol for ZeroAccess/Sirefef.

The traffic generated by the ad-click fraud is 0.1MBits/second when averaged out. For the infected consumer, this adds up to 32GBytes per month which it is the equivalent of downloading 45 full length movies. For the service provider, the impact on their network depends on the number of infected subscribers. The observed infection rate in mid-June was about 0.8%. This means that at any instant this bot alone is consuming 800MBits/sec of bandwidth for every 1M users on the network.

Despite months of warning, hundreds of thousands of users could try to go online in July only to find that they can no longer connect to the Internet. The reason is that, on July 9, the FBI will decommission the DNS servers that it began to operate after it shut down an Estonian hacker ring in November 2011.

The takedown of the DNSChanger botnet, which consisted of over four million infected computers worldwide, in November 2011 was easily the biggest to date. However, computers that have not removed DNSChanger and reconfigured their DNS setting before July 9 will no longer be able to connect to the Internet.

DNSChanger is not the result of a single malware infection. The Kindsight Security Labs Q1 2012 Malware Report revealed that malware related to DNSChanger was the most prevalent infection with 1 in 400 households affected. Further analysis found that 1 in 625 households were still visiting the rogue DNS servers in early June and will lose Internet connectivity on July 9.