malware analysis

Today Kindsight released the Kindsight Security Labs Malware Report for Q4 2012. The report reveals the latest research from Kindsight on security threats to home and mobile networks, including a small decline in home network infections and an increase in mobile network infections. This report also marks the first time that Kindsight has released annual metrics from its security research.

Today, we released the Kindsight Security Labs Malware Report for Q3 2012. The quarterly report reveals statistics and security trends for malware infections in home networks and mobile devices, including ZeroAccess, TDSS/Alureon family (also known as TDL-4), ad-click fraud and mobile adware. Because Kindsight is embedded within service provider networks, the Security Labs team has unparalleled insight into malicious network communications traffic.

Today, we released the Kindsight Security Labs Malware Report for Q2 2012. The quarterly report reveals statistics and security trends for malware infections in home networks and mobile devices, including Flashback, ZeroAccess and DNSChanger. Because Kindsight is embedded within service provider networks, the Security Labs team has unparalleled insight into malicious network communications traffic.

The Warp Trojan demonstrates a bold new method by which malware writers are forcing computers to visit their exploit sites on the Internet and recruit those systems into their army of compromised machines. Warp does this by becoming a network middleman, arranging for all local network traffic to flow through it, and then injecting a malicious URL into any passing web traffic.

This Trojan is particularly stealthy in that the injected HTML code is not obvious to the recipient of the compromised web page and should it be discovered, one would more likely conclude that the web-server itself was compromised, not that the flow of network traffic between the computers has been “Warped”. Finding the true source of that URL injection, the middle-man, on a larger network requires a network sniffer and the ability to identify the offending machine by its MAC address.

We have been investigating the appearance of a new variation of the ZeroAccess/Sirefef bot. In February, we published a detailed analysis of the network behavior of this bot and the encrypted p2p protocol that it uses to communicate with its peers. The main purpose of this botnet is to distribute malware responsible for ad-click fraud.

Download the Malware Analysis Report - New C&C Protocol for ZeroAccess/Sirefef.

The traffic generated by the ad-click fraud is 0.1MBits/second when averaged out. For the infected consumer, this adds up to 32GBytes per month which it is the equivalent of downloading 45 full length movies. For the service provider, the impact on their network depends on the number of infected subscribers. The observed infection rate in mid-June was about 0.8%. This means that at any instant this bot alone is consuming 800MBits/sec of bandwidth for every 1M users on the network.

Today, we released the Kindsight Security Labs Malware Report for Q1 2012. This quarterly report reveals statistics and security trends for malware infections in home networks and mobile devices. Kindsight Security Labs brings a unique perspective to the space because we detect threats in the network by looking for communications from subscribers’ infected devices to cybercriminal servers.

Late last year, we noticed an encrypted p2p command and control protocol used by malware identified as ZeroAccess, Sirefef, Vobfus and many of other names. The use of this protocol, with slight variations, has been seen in a variety of seemingly unrelated malware samples in our lab, indicating fairly common usage of this component in a number of different malware bundles.

The scale of the infection was quite large. In November, we started to see a significant number of infections. For example, in one network on a single day, we saw 313 infected computers out of a population of 150K. This indicates that roughly one in every 500 computers is infected with some variant of malware that is using this command and control protocol.

As many of us do, before blindly purging Spam folders, you scan for senders that may have been dumped there inadvertently by the Spam filters. Other than a larger amount of emails that are unreadable for a number of reasons, you don’t notice anything unusual.

But wait, what’s this email from the New York State Department of Transportation - “I am in arrears and that I should follow the embedded link to resolve issues.” Since you were in New York State just weeks before, you pause but click on the link in the email anyway.

DO NOT FOLLOW THESE NEXT STEPS. They are for illustration only.

Thankfully, anti-virus software, in this case AVG, was running and up-to-date on the test laptop because…

Wham-o! The Blackhole Exploit. This email is not from the New York State Department but it’s a phishing attack and AVG detected and blocked the malware.

But what would happen if anti-virus software is not running?

This may not actually be malware but instead is just a badly written app that uses dubious techniques to access information and leaves the phone in a compromised state but you can never be sure what the intention was these days.

The Trojan attempts to root the phone without the user’s knowledge, changes file permissions to allow world-write access to some system files and sends information about the phone to Google Analytics. Once the damage is done the user will require root access to undo the access permission changes that were made.

When started the app admits it will not work on 2.3 and prompts the user to press the “Recovery” button.

Along with Zeus, the SpyEye Banking Trojan has been one of the more sophisticated banking Trojans during the past year. To combat this increasing fraud, some banks send a one-time code to their customer’s mobile phone that must be entered in addition to the username and password. SpyEye has now added Andriod malware, called Spitmo, to its toolkit in order to steal this one time passcode.

Initially the only evidence of infection is a “System” app in the “Downloaded”