Recent reports from Panda Security, Trend Micro, Websense, Verizon, Sophos, Symantec, Group-IB and Bit9 have shed light on the current state of malware, phishing, and other attack methods.
From the rise of Trojans and ransomware to the functionality of Android malware, these reports provide an insight into the current state of the ever-changing threat landscape.
Key findings include the following: almost all malware infections are now the result of installation or injection by a remote attacker, smaller organizations are increasingly being hit with targeted attacks, ransomware is expanding from a focus on Russia to target a wide range of countries, and two thirds of security professionals expect their organizations to be hit by a cyber attack within the next six months. For details, and for many more findings, read on.
NEW MALWARE STRAINS IN Q1 2012, BY TYPE:
According to Panda Security's PandaLabs Q1 2012 Report [PDF file], six million new malware samples were created in the first quarter of 2012. During that time period, Trojans represented 80.77 percent of all new malware, up from 73 percent of all malware in 2011. Worms comprised 9.3 percent of samples, up from 8 percent in 2011, while viruses made up 6.43 percent of samples, down from 14.25 percent in 2011.
MALWARE INFECTIONS BY TYPE IN Q1 2012:
Panda Security's PandaLabs Q1 2012 Report [PDF file] found that Trojans caused 66.3 percent of all infections, followed by worms at 8.39 percent and viruses at 7.9 percent. The researchers highlight the fact that worms only caused 8.39 percent of infections despite accounting for 9.3 percent of all new malware, which is notable because worms usually cause more infections thanks to their ability to propagate automatically. "This demonstrates that massive worm epidemics have become a thing of the past, and have been replaced by a silent Trojan invasion," they write.
MOST MALWARE INFECTED COUNTRIES IN Q1 2012:
According to Panda Security’s PandaLabs Q1 2012 Report [PDF file], 35.51 percent of PCs are infected in the average country. China has the most infections, with 54.25 of PCs infected, followed by Taiwan and Turkey. Nine of the 10 least infected countries are in Europe – the only non-European country in the top 10 list is Japan. Sweden is the least infected country, with a record-setting infection rate of less than 20 percent of computers.
THE RISE OF RANSOMWARE:
Trend Micro's TrendLabs Q1 2012 Security Roundup Report [PDF file] states that ransomware, which holds systems and/or files hostage unless victims pay a fee, was previously concentrated in Russia but now targets a wide range of other countries. "The growth of ransomware outside of Russia may be attributed to the growing difficulties associated with payment methods and fake anti-virus," Trend Micro threat response engineer Roland Dela Paz wrote in a blog post. "[Fake anti-virus] as a business is composed of an economic ecosystem that involves ring leaders, developers, middle men (affiliate networks), advertisers, etc. Because of these challenges, some criminal groups involved with [fake anti-virus] may seek alternative underground businesses such as the ransomware business, thereby making the ransomware market expand and flourish."
MALWARE COMING FROM TRUSTED LOCATIONS:
According to the Websense 2012 Threat Report, malware redirects, malware hosting, and phishing are increasingly occurring in "trusted locations" such as the U.S. and Canada. "Almost no organization is going to block U.S. domains (the Web experience for users would be impacted too severely)," the authors write. "So it makes sense for cybercriminals to leverage these 'trusted' Web locations."
MALWARE INFECTION VECTORS:
According to Verizon's 2012 Data Breach Investigations Report [PDF file], the most common malware infection vector has long been installation or injection by a remote attacker. While just over half of attackers used this vector in 2009, fully 95 percent used it last year. "Its popularity as an infection vector likely stems both from the attacker's desire to remain in control after gaining access to a system, and its use in high-volume automated attacks against remote access services," the report states.
According to Verizon's 2012 Data Breach Investigations Report [PDF file], the three most common functions of malware are logging keystrokes and other forms of user input, sending data to external locations, and backdoors. "It is important to note that none of these functionalities are mutually exclusive and it's common for a single piece of malware to feature several components," the report states. Data exfiltration proved far less common in Verizon's 2012 report than in the previous year, dropping from 79 percent in the 2011 report to 43 percent in the 2012 report.
MALWARE ON MACS:
Sophos recently analyzed a snapshot of 100,000 of the millions of Mac computers that run the company's free anti-virus software and found that one in five machines was carrying Windows malware, while one in 36 (2.7 percent) of Mac were found to be carrying Mac OS X malware. While the latter case would certainly be more troublesome for the user, Macs that are carrying Windows malware can easily spread it to other computers. Some of the malware that Sophos detected dates back to 2007, and would have been easily detected by any anti-virus software. "Cybercriminals view Macs as a soft target, because their owners don't typically run anti-virus software and are thought to have a higher level of disposable income than the typical Windows user," Sophos senior technology consultant Graham Cluley said in a statement. "Mac users must protect their computers now or risk making the malware problem on Macs as big as the problem on PCs."
EMAIL-BORNE MALWARE WORLDWIDE:
According to the Symantec Intelligence Report [PDF file] for February 2012, the global ratio of email-borne viruses in e-mail traffic was one in 274 e-mails, or 0.37 percent in February, up 0.3 percent since January. In February, the report states, 27.4 percent of email-borne malware contained links to malicious Web sites, a decrease of 1.6 percent from January. Luxembourg had the highest rate of malicious e-mail activity in February, with one in every 63.9 e-mails identified as malicious – in the U.S., the rate was one in every 436.5 e-mails. The most targeted industry in February was the public sector, with one in 71.2 e-mails blocked as malicious. Education was the second most targeted vertical, with one in 124.1 e-mails containing malicious content.
GLOBAL GROWTH OF PHISHING:
The Symantec Intelligence Report [PDF file] for February 2012 states that the global phishing rate increased in February by 0.01 percent, with one in 358.1 e-mails (0.28 percent) comprising some form of phishing attack. The Netherlands was the country most targeted by phishing attacks in February, with one in 152.8 e-mails identified as phishing. In the U.S., the rate was one in 753.5. The industry most targeted by phishing attacks in February was the public sector, with one in 84.1 e-mails comprising a phishing attack. Small to medium sized businesses with 1-250 employees were the most targeted, with one in 265.7 e-mails comprising a phishing attacks, while large enterprises with more than 2,500 employees saw one in 361.9 e-mails containing a phishing attack.
SMALLER ORGANIZATIONS BEING TARGETED:
Symantec’s Internet Security Threat Report, Volume 17 [PDF file] notes that targeted attacks aren't just a source of concern for larger companies – more than half of all targeted attacks in 2011 were directed at organizations with fewer than 2,500 employees, and fully 17.8 percent were directed at organizations with fewer than 250 employees. The company notes that smaller organizations may be targeted as a stepping stone because they're in the supply chain or partner ecosystem of a larger, more well defended company. Similarly, while 42 percent of the targeted users are high-level executives, senior managers and people in research and development, the majority of targets don't themselves have access to confidential information – instead, they’re targeted as a way of getting a foot in the door of a target company.
Verizon's 2012 Data Breach Investigations Report [PDF file] breaks down the leading methods of hacking into two groups: authentication attacks (stealing, brute forcing, or guessing of credentials) and technical attacks that bypass or break authentication altogether (e.g. SQL injection or backdoors). According to the report, there are few clear distinctions between the methods used to target small companies and those used to target larger ones. "Larger companies do seem to be more adept at warding off the easier-to-prevent attacks; however, approximately 98 percent of all records breached via stolen credentials occurred in larger organizations," the report states.
MOBILE ATTACK FUNCTIONALITY:
According to Symantec's Internet Security Threat Report, Volume 17 [PDF file], three factors are required for a major increase in mobile malware to occur: a widespread platform, readily accessible development tools, and sufficient attacker motivation. The first of those factors was recently fulfilled with Android's rapid growth in popularity. Symantec reports that more than half of all Android threats collect device data or track user activities, and almost a quarter of the mobile threats identified in 2011 were designed to send content. A popular way for mobile malware writers to make money is by sending premium SMS messages from infected devices, a technique that was used by 18 percent of all mobile threats identified in 2011. Still, mobile malware does much more than just send SMS – several attacks have been identified that track a victim's location via GPS and steal personal information from the victim's device.
THE RUSSIAN CYBERCRIME MARKET:
Russian cybercrime investigation and computer forensics firm Group-IB recently released a report entitled State and Trends of the Russian Digital Crime Market 2011 [PDF file], which estimates the financial performance of the entire global cybercrime market in 2011 at $12.5 billion, and the Russian share of that market at $2.3 billion. Russian-speaking cybercriminals, both in and outside of Russia itself, hold more than a third of the global cybercrime market, with estimated earnings of $4.5 billion. Key areas of growth, Group-IB reports, include online banking fraud and DDoS attacks. "The number of DDoS attacks in 2011 has grown as compared to previous periods," the report states. "The main targets were usually online stores and other representatives of the online business sphere. It should be noted, however, that the average strength of attacks in 2011, as compared to 2010, has weakened, with botnets typically numbering no more than 10,000 nodes used for attacking."
FEAR OF A CYBER ATTACK:
According to the 2012 Bit9 Cyber Security Research Report, a survey of 1,861 IT and security professionals worldwide found that almost two thirds of those surveyed expect their companies to be targeted by a cyber attack in the next six months. Those who work at larger organizations with more than 500 employees are much more concerned that those who work at smaller companies. And while most than half of the respondents in every market segment anticipate an attack, almost three quarters of government security professionals do so. The majority of respondents blame those fears on an increase in the number of hackers, rather than media hype or any perceived security weaknesses.
Jeff Goldman is a freelance journalist based in Los Angeles. He can be reached at email@example.com.