The Trend Micro Quarterly Roundup reports present key security highlights and developing trends in the current threat landscape.
In This Issue
Trend Micro researchers and analysts were instrumental in uncovering various cybercriminal operations this quarter. In an effort to aid law enforcement authorities, they uncovered some popular FAKEAV affiliate networks and a particular SpyEye operation, which may bring authorities one step closer to catching the perpetrators. Similar to the previous quarters, in the past three months, we witnessed an increase in the Android malware volume, more enhancements to notorious crimeware toolkits such as ZeuS and SpyEye, as well as the proliferation of survey scams in social media. As in the previous months, cybercriminals continued to employ very enticing social engineering tactics to lure targets. Unlike in the past half of the year, however, mass compromises seemingly decreased in number, most probably due to the shift to launching targeted attacks, particularly against large enterprises and government institutions.
A more detailed discussion of the LURID Downloader attacks can be found in the Trend Micro research paper, The Lurid Downloader. The data breaches and highly targeted attacks mentioned above show that the threat landscape is indeed changing. Cybercriminals are narrowing their choice of targets, whether by region, as in the South Korea data breaches, or by industry, as in the LURID Downloader attacks.
Vulnerability Exploits
osCommerce Mass Compromise
The exploitation of various vulnerabilities in the osCommerce software led to a mass compromise in July. An estimated 90,000 Web pages were injected with an iframe that pointed to malicious sites hosting an exploit kit. Several e-commerce websites fell prey to the attack. According to a Trend Micro threat response engineer, the malware used in this attack, TROJ_JORIK.BRU, gathered the information it needed and then immediately deleted itself from infected systems to evade detection. To resolve the vulnerabilities exploited in the attack, osCommerce's developers strongly advised the owners of sites that use their software to update to the latest version and to check their sites for signs of code injection.
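The advice above ends with "check their sites for signs of code injection". The script below is an added example of such a check, not code from the report or from the osCommerce project: it parses a page's HTML, collects every iframe, and flags those that point off-site or are hidden from the visitor (zero size or CSS-hidden), which is the footprint of the kind of injected iframe the attack used. The host names, the sample page and the function names are constructed for the example.

```python
"""Flag injected iframes in HTML (added example, not Trend Micro's or osCommerce's code).

A site owner runs this over saved copies of their pages. Any iframe whose
src points to a host that is neither the site itself nor an explicitly
allowed partner, or that is sized 0x0 / hidden by CSS, is reported with
its line number so it can be inspected and removed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# CSS fragments commonly used to keep an injected frame out of sight.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeCollector(HTMLParser):
    """Collects every <iframe> start tag together with the line it sits on."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            line, _offset = self.getpos()  # 1-based line number in the input
            self.iframes.append({"line": line, "attrs": dict(attrs)})


def _is_tiny(value):
    """True for width/height values such as 0, 1, '0px' or '1px'."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


def find_suspicious_iframes(html, site_host, allowed_hosts=()):
    """Return a list of findings for iframes that are off-site and/or hidden.

    site_host:     the host the page legitimately belongs to (constructed here).
    allowed_hosts: extra hosts the site is allowed to frame, e.g. a payment provider.
    """
    parser = IframeCollector()
    parser.feed(html)
    trusted = {site_host.lower(), *[h.lower() for h in allowed_hosts]}
    findings = []
    for frame in parser.iframes:
        attrs = frame["attrs"]
        src = attrs.get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        # A relative src frames the same site; an absolute src to an unknown host is off-site.
        if host and host not in trusted:
            reasons.append("off-site src: " + host)
        if _is_tiny(attrs.get("width")) and _is_tiny(attrs.get("height")):
            reasons.append("zero-size frame")
        if HIDDEN_STYLE.search(attrs.get("style") or ""):
            reasons.append("hidden by CSS")
        if reasons:
            findings.append({"line": frame["line"], "src": src, "reasons": reasons})
    return findings


# Constructed sample: a shop page with one legitimate payment frame and an
# injected, invisible frame appended after </html>, where injections often land.
SAMPLE_PAGE = """<html><body>
<h1>Shop</h1>
<iframe src="https://pay.example-psp.test/checkout" width="600" height="400"></iframe>
</body></html>
<iframe src="http://malicious.example.test/in.php" width="0" height="0" style="display:none"></iframe>
"""

if __name__ == "__main__":
    hits = find_suspicious_iframes(SAMPLE_PAGE, "shop.example.test", ["pay.example-psp.test"])
    for hit in hits:
        print("line %d: %s -> %s" % (hit["line"], hit["src"], ", ".join(hit["reasons"])))
```

Run over the constructed page, the legitimate payment frame passes because its host is on the allow list, while the appended frame is reported on line 5 with all three reasons. The allow list is deliberately explicit: an iframe to any host the owner did not knowingly add is worth a look even when it is visible.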
Vulnerability Statistics
From being the top vendor in terms of reported vulnerabilities in products in the second quarter, Microsoft dropped to third place this quarter. Google ousted last quarter's top vendor after several reports of existing vulnerabilities in Chrome. Note, however, that none of the vulnerabilities in Chrome were as severe as some of those found in Microsoft products. The increase in the number of attacks targeting Chrome may primarily be due to the browser's increasing usage and popularity. The speed at which Chrome is developed, which limits the amount of time for internal and external bug testing prior to product release, may have something to do with Google's rise in ranking as well. The number of reported vulnerabilities in Oracle products also rose, most probably due to the vendor's acquisition of Sun Microsystems and its Java products. The fact that Oracle's codebase is rather large and complicated to maintain may have also contributed to the rise in the number of exploitable bugs in its products, causing it to climb from fifth place in the second quarter to second place this quarter.

2Q 2011 Number of Reported Vulnerabilities by Vendor
Rank  Vendor      Reported Vulnerabilities
1     Microsoft   96
2     Google      65
3     Adobe       62
4     HP          57
5     Oracle      50
6     IBM         48
7     Mozilla     38
8     Linux       31
9     Cisco       30
10    Sun         29
Source: http://cve.mitre.org/

3Q 2011 Number of Reported Vulnerabilities by Vendor
Rank  Vendor      Reported Vulnerabilities
1     Google      82
2     Oracle      63
3     Microsoft   58
4     Apple       49
5     Adobe       43
6     IBM         39
7     Mozilla     39
8     Opera       36
9     HP          25
10    Cisco       20
Source: http://cve.mitre.org/
In the second quarter, we observed a continuous drop in the number of exploitable bugs from April to June. This quarter, meanwhile, the number of exploitable bugs intermittently rose and fell from month to month.

2Q 2011 Number of Reported Vulnerabilities by Month
Month      Reported Vulnerabilities
April      312
May        295
June       294

3Q 2011 Number of Reported Vulnerabilities by Month
Month      Reported Vulnerabilities
July       307
August     294
September  389
Mobile Attacks
Third-Generation DroidDreamLight Variant
Trend Micro threat analysts came across a new DroidDreamLight variant with enhanced capabilities and routines. Disguised as battery-monitoring or task-listing tools, or as apps that let users see the list of permissions installed apps use, copies of this new Android malware littered a Chinese third-party app store. This particular variant, which Trend Micro now detects as ANDROIDOS_DORDRAE.N, had the ability to obtain call logs, text messages, contact details, Google account details, and other information saved on infected devices. Apart from having additional data theft routines, this new variant's code also featured other changes, one of which allowed it to update its configuration file. Like previous variants, this malware sends stolen data to a specific URL.
Spam Statistics
As in the previous quarter, India and South Korea continued to be part of the top 3 spam-sending countries. Surprisingly, however, the United States, which commonly takes the top spot, was not on the top 10 spam-sending countries list. As the top spam-sending countries are also the most spambot-infected ones, the United States' drop in ranking possibly indicates a lower infection level. This may be a result of the botnet takedowns that occurred in the last few months.
The top 3 spam languages this quarter remained the same as in the two previous quarters: English, German, and Russian.
For a more comprehensive discussion of the current state of the spam landscape, check out Spam in Today's Business World.
Malware Statistics
As in the previous quarters, WORM_DOWNAD.AD and CRCK_KEYGEN (a serial key generator) remained the top 2 malware. It is interesting to note that although the URLs that DOWNAD/Conficker uses to call home have long been dead, a DOWNAD variant continued to rank first in the top malware list. This may, however, say less about system protection against malware than about setting and enforcing good security policies. Meanwhile, HKTL_KEYGEN (a hacking tool) ousted ADW_SAHAGENT (an adware) from the top 3 spot and out of this quarter's top 5.

Rank  Malware Detection Name
1     WORM_DOWNAD.AD
2     CRCK_KEYGEN
3     HKTL_KEYGEN
4     PE_SALITY.RL
5     HKTL_ULTRASURF
Table 4. Top 5 malware in 3Q 2011
Top 10 malicious domains, ranked (domain names did not survive this copy; descriptions by rank)
1.  Distributes malware
2.  Distributes malware, particularly DOWNAD variants
3.  Distributes malware, particularly DOWNAD variants
4.  Included in the list of domains associated with the proliferation of pirated applications, Android malware, and rogue antivirus software as well as with other malicious activities
5.  Contacts various servers to download and aggressively display pop-up ads
6.  Distributes TDSS and ZBOT malware
7.  Distributes malware
8.  Contacts various servers to download and aggressively display pop-up ads
9.  Distributes malware, particularly DOWNAD variants
10. Distributes malware
Top 10 malicious domains, ranked (only one domain name, serw.clicksor.com, survived this copy; descriptions by rank)
1.  Distributes malware
2.  Distributes malware, particularly DOWNAD variants
3.  Included in the list of domains associated with the proliferation of pirated applications, Android malware, and rogue antivirus software as well as with other malicious activities
4.  Contacts various servers to download and aggressively display pop-up ads
5.  Distributes malware
6.  Distributes TDSS and ZBOT malware
7.  Downloads malware
8.  Distributes malware
9.  Distributes malware
10. Contacts various servers to download and aggressively display pop-up ads
TREND MICRO
Trend Micro Incorporated is a pioneer in secure content and threat management. Founded in 1988, Trend Micro provides individuals and organizations of all sizes with award-winning security software, hardware, and services. With headquarters in Tokyo and operations in more than 30 countries, Trend Micro solutions are sold through corporate and value-added resellers and service providers worldwide. For additional information and evaluation copies of Trend Micro products and services, visit our website at www.trendmicro.com.
TRENDLABS
TrendLabs is Trend Micro's global network of research, development, and support centers committed to 24 x 7 threat surveillance, attack prevention, and timely and seamless solutions delivery.
© 2011 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.