Mobile botnets actually offer a significant advantage over traditional botnets: smartphones are rarely shut down, making the botnet far more reliable since almost all its assets are always available and ready for new instructions. Common tasks performed by botnets include mass spam mail-outs, DDoS attacks and mass spying on personal information, all of them non-demanding actions in terms of performance and easily achieved on smartphones. The MTK botnet, appearing in early 2013, and Opfake, among many others, are proof that mobile botnets are no longer just a playground for cybercriminals, but have become common practice to serve the main purpose: financial profit.
To date we have collected 8,260,509 unique malware installation packs. Note that different installation packs may launch applications with the same features. The difference is in the malware interface and, for instance, the content of the text messages they send out.
90.52% of all detected attempts to exploit vulnerabilities targeted Oracle Java. These vulnerabilities are exploited by drive-by attacks conducted via the Internet, and new Java exploits are now present in lots of exploit packs. More details can be found in our article about Java exploits.
In third place with 2.5% are exploits for Android. Cybercriminals (and sometimes users themselves) use Android vulnerabilities in order to gain root privileges, which grants unlimited abilities to manipulate a system. These vulnerabilities are not used in drive-by attacks, and exploits for them are detected either by the web antivirus, if there was an attempt to download an application containing an exploit, or by the file antivirus when an exploit is found on a device. It was recently reported that the Chrome browser for Nexus 4 and Samsung Galaxy S4 contained a vulnerability which could be used in future exploitation of Android vulnerabilities in drive-by attacks.
The statistics in this section were derived from web antivirus components which protect users when malicious code attempts to download from infected websites. Infected websites might be created by malicious users, or they could also be made up of user-contributed content (such as forums) and legitimate resources that have been hacked.
Compared to last year, there has been a fall in the growth rate of browser-based attacks. The number of neutralized web-based attacks in 2013 is 1.07 times more than in 2012, while in 2012 the corresponding figure was 1.7. The main tool behind browser-based attacks is still the exploit pack, which gives cybercriminals a surefire way of infecting victim computers that do not have a security product installed, or have at least one popular application that is vulnerable (requiring security updates).
*These statistics represent detection verdicts of the web-based antivirus module and were submitted by users of Kaspersky Lab products who consented to share their local data.
**The percentage of unique incidents recorded by web-based antivirus on user computers.
Seven entries in this Top 20 rating were verdicts identifying threats that are blocked during attempted drive-by attacks, which are currently the most common attack method for web-borne malware. They are the heuristic verdicts Trojan.Script.Generic, Trojan.Script.Iframer, Exploit.Script.Blocker, Trojan-Downloader.Script.Generic, Exploit.Java.Generic, Exploit.Script.Generic and the non-heuristic. These verdicts are assigned to scripts that redirect to exploits as well as to the exploits themselves.
The following stats are based on the physical location of the online resources, which were used in attacks, blocked by the antivirus (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host might become a source of one or more web attacks.
In order to determine the geographical source of web-based attacks, a method was used by which domain names are matched up against actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.
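The attribution method described above (host name to IP address, IP address to country, counting each unique host once) as an added worked example. This is illustration code, not part of the original report or of any Kaspersky tooling; the DNS answers, the GeoIP table and the blocked URLs are all constructed stand-ins, and a real pipeline would use live resolution and a GeoIP database in their place.

```python
"""Attribute blocked web-attack sources to countries (added example).

Assumptions: FAKE_DNS and FAKE_GEOIP are constructed stand-ins for a
resolver and a GeoIP database; BLOCKED_URLS is constructed sample data.
"""
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample of URLs blocked by a web antivirus (not real attack data).
BLOCKED_URLS = [
    "http://exploit-kit.example/landing.php?id=1",
    "http://exploit-kit.example/landing.php?id=2",   # same host as above
    "https://c2.example.net:8443/gate",
    "http://redirector.example.org/r?to=1",
    "http://203.0.113.7/payload.exe",                # literal IP, no DNS needed
    "http://unknown-host.example/x",                 # resolver has no record
]

# Constructed stand-in for DNS resolution (host name -> IP address).
FAKE_DNS = {
    "exploit-kit.example": "198.51.100.23",
    "c2.example.net": "192.0.2.45",
    "redirector.example.org": "198.51.100.200",
}

# Constructed GeoIP table (network -> ISO country code); countries are arbitrary.
FAKE_GEOIP = [
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("192.0.2.0/24"), "NL"),
    (ipaddress.ip_network("203.0.113.0/24"), "RU"),
]


def host_of(url):
    """Extract the host part of a blocked URL (scheme, port and path dropped)."""
    return urlsplit(url).hostname


def resolve(host, dns=FAKE_DNS):
    """Return the IP for a host: literal addresses pass through, names go to the resolver."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return dns.get(host)  # None when the resolver has no answer


def country_of(ip, table=FAKE_GEOIP):
    """Longest-match is unnecessary here because the sample networks do not overlap."""
    addr = ipaddress.ip_address(ip)
    for net, cc in table:
        if addr in net:
            return cc
    return None


def attack_sources_by_country(urls, dns=FAKE_DNS, table=FAKE_GEOIP):
    """Count unique hosts per country; return (counts, percentage shares, unresolved hosts).

    A host serving many blocked URLs is counted once, matching the report's
    note that a single host may be the source of several web attacks.
    """
    hosts = {host_of(u) for u in urls}
    counts = Counter()
    unresolved = []
    for h in sorted(hosts):
        ip = resolve(h, dns)
        cc = country_of(ip, table) if ip else None
        if cc is None:
            unresolved.append(h)
        else:
            counts[cc] += 1
    total = sum(counts.values())
    shares = {cc: round(100.0 * n / total, 1) for cc, n in counts.items()} if total else {}
    return counts, shares, unresolved


if __name__ == "__main__":
    counts, shares, unresolved = attack_sources_by_country(BLOCKED_URLS)
    for cc, n in counts.most_common():
        print(f"{cc}: {n} host(s), {shares[cc]}%")
    print("unresolved:", unresolved)
```

Hosts that neither resolve nor fall inside a known network are reported separately rather than silently dropped, so the country shares are computed only over attributed hosts and the size of the unattributed remainder stays visible.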
In 2013 there was little change to the Top 10 rating of leading malware sources compared to 2012. China, which was the traditional leader prior to 2010, dropped out of the top 10 and Vietnam appeared in 8th place. In 2010 the Chinese authorities succeeded in shutting down lots of malicious hosting resources in their part of cyberspace, at the same time hardening their legislation on domain names in the .cn domain zone, which resulted in the reduction of malicious sources in China. In 2010 China was in 3rd place, 6th in 2011, 8th in 2012 and in 2013 it fell to 21st place in the rating.
Countries where users face the highest risk of online infection

In order to assess in which countries users face cyber-threats most often, we calculated how often Kaspersky users encountered detection verdicts on their machines in each country. The resulting data characterizes the risk of infection to which computers are exposed in different countries across the globe, providing an indicator of the aggressiveness of the environment in which computers work in different countries.
2013 saw a new leader emerge, with Azerbaijan finishing in first place with 56.3% of attacked users. Russia, which came top in the previous two years, fell to 4th place with 54.4% (4.1 percentage points less than the previous year).
The USA, Spain, Oman, Sudan, Bangladesh, the Maldives and Turkmenistan dropped out of the TOP 20 list of countries. Among the newcomers are Austria, Germany, Greece, Georgia, Kyrgyzstan, Vietnam and Algeria.
The African countries with a low risk level turned out to have a high or moderate risk of infection by local threats (see below). The Internet in these countries is still not highly developed, so users still rely on a variety of removable media to share data. That is why web attacks threaten so few users there, while malware distributed over removable data carriers is frequently detected on computers.
Local infection statistics for user computers are a critically important indicator. This data points to threats that have penetrated a computer system through something other than the Internet, email, or network ports.
This section of the report contains an analysis of statistics based on data obtained from the on-access scanner and scanning statistics for different disks, including removable media (the on-demand scanner).
These statistics are compiled from malware detection verdicts generated by the on-access and on-demand scanner modules on the computers of those users running Kaspersky Lab products that have consented to submit their statistical data.
* The proportion of individual users on whose computers the antivirus module detected these objects as a percentage of all individual users of Kaspersky Lab products on whose computers a malicious program was detected.
Exploit.Win32.CVE-2010-2568.gen (5th place) and Trojan.WinLNK.Runner.ea (20th place) are the verdicts assigned to malicious LNK files (shortcuts). The LNK files of these families launch other malicious executable files. They are actively used by worms for distribution via USB storage media.
Trojan.Win32.Hosts2.gen is in 18th place. This verdict is assigned to malicious programs that try to change the system's hosts file, redirecting user requests for certain domains to hosts under the attackers' control.
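A defender-side check for the hosts-file tampering just described, as an added example that is not from the report and is not how the Hosts2 verdict itself is implemented. It parses hosts-file text and flags two things: a watched domain (bank, antivirus or update host, from an assumed watch list) mapped to anything other than a loopback or unspecified address, and a name mapped to several different addresses, which often results from repeated tampering. The sample hosts content is constructed.

```python
"""Flag suspicious hosts-file entries (added example, not from the report).

Assumptions: SAMPLE_HOSTS is constructed content, and WATCHED_SUFFIXES is an
arbitrary watch list; a deployment would supply its own domains.
"""
import ipaddress

# Constructed sample hosts file (not a real infection artifact).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example          # benign ad-blocking style entry
0.0.0.0         tracker.example
198.51.100.10   www.mybank.example   # bank name sent to a remote address
198.51.100.10   update.antivirus.example
192.0.2.5       www.mybank.example   # same name mapped a second time
"""

# Domains whose redirection is worth alerting on (assumed watch list).
WATCHED_SUFFIXES = ("mybank.example", "antivirus.example", "update.example")

# Addresses that legitimately appear in hosts files for sinkholing or localhost.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "0.0.0.0/32", "::1/128")]


def parse_hosts(text):
    """Return (ip, hostname, line_no) triples; comments and blank lines are skipped."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address field; the OS would ignore it too
        for name in parts[1:]:  # one address may carry several names
            entries.append((ip, name.lower(), no))
    return entries


def is_local(ip):
    """True for loopback/unspecified addresses; v4/v6 mismatches compare as False."""
    return any(ip in net for net in LOCAL_NETS)


def is_watched(name):
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_suspicious(text):
    """Return a list of findings, each a dict with line, host, ip and reason."""
    entries = parse_hosts(text)
    findings = []
    seen = {}
    for ip, name, no in entries:
        if is_watched(name) and not is_local(ip):
            findings.append({"line": no, "host": name, "ip": str(ip),
                             "reason": "watched domain redirected"})
        seen.setdefault(name, set()).add(str(ip))
    # localhost legitimately has both a v4 and a v6 mapping, so it is exempt.
    for name, ips in seen.items():
        if len(ips) > 1 and name != "localhost":
            findings.append({"line": None, "host": name, "ip": ",".join(sorted(ips)),
                             "reason": "multiple addresses"})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['reason']})")
```

Entries that point a name at 127.0.0.1 or 0.0.0.0 are deliberately not flagged, since ad-blocking lists and sinkhole configurations use exactly that form; the signal of a Hosts-family infection is a sensitive name pointed at a routable address.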
Countries can be divided into categories in terms of local threats. Considering the overall reduction in the level of local infections most probably caused by the decline in the use of flash drives for exchanging information, we have lowered the threshold for the group levels (compared with the statistics for 2012).
In April, we reported a new Flash Player zero-day that we believe was used in watering-hole attacks from a compromised Syrian web site. The site ( ), launched in 2011 by the Syrian Ministry of Justice, was designed to enable citizens to complain about law and order violations. We believe that this attack was developed to target Syrian dissidents complaining about the government.
The attackers removed all the sensitive components on 22 January, two days after our investigation started. Based on the transaction activity, we believe that this represents an infrastructure change rather than a complete shutdown of the operation. Our analysis of the attack indicates that the cybercriminals behind the campaign are highly professional and very active. They have also shown proactive operational security, changing tactics and removing traces when discovered.
When we first found the C2 server, we reported the matter to the bank concerned and to the appropriate law enforcement agencies. We are maintaining our contact with these agencies and continue to investigate the attack.
One of the servers we analyzed contained a long list of victims dating back to April 2012. There were 265 different identifiers on the server, assigned to victims from 139 unique IPs: the geographical distribution of the victims included Georgia, Russia, the USA, the UK, Kazakhstan, India, Belarus, Cyprus, Ukraine and Lithuania.
(2) Reconnaissance. The malware not only steals files with specific extensions, but also harvests passwords, history, network information, address books, information displayed on the screen (screenshots are made every five minutes) and other sensitive data.
One of the more technically advanced parts of the malware relates to data storage. The internal configuration of the malware is encrypted, compressed and serialized as a complicated registry-like structure, which has various record types including strings, integers and internal references.
They are also taking advantage of how easy it is to buy certificates in order to distribute digitally-signed malware. They start by sending messages offering free World Cup tickets, with a link that leads to a banking Trojan:
If the victim clicks on the document, another malicious file is downloaded to their computer, from a hacked server in Ecuador. This is designed to steal passwords for online games, PayPal, file-sharing systems, social networks (including Facebook and Twitter), online bank accounts and more.