
Q3 2012 Security Vendor Threat Report Roundup

Now that September has come and gone, many security firms are publishing their Q3 reports, loaded with malware and cybercrime trends and statistics.

Earlier this month, SecurityWeek covered Microsoft’s most recent Security Intelligence Report (SIR). The report warned that key generators used to crack Windows installations, and the jump in the number of downloads of them, were linked to an increase in the number of infections seen by Microsoft.

The SIR also mentioned insecure supply chains, in which malware had been preinstalled on computers sold at retail. The most notable example of preinstalled malware is Nitol, which spreads via USB drives, attachable storage, and open network shares. Microsoft took down the Nitol botnet in September and released some interesting findings from the investigation on Wednesday.

According to the numbers, from January to October of this year China was the number one source of Nitol infections, with nearly 32% of all instances. After China, the U.S. (18.5%), Taiwan (16.8%), Thailand (11.62%), and Korea rounded out the top five. After the takedown, Microsoft added Nitol to its Malicious Software Removal Tool (MSRT), and the number of infections plummeted.

The MSRT was also responsible for removing nearly one million infections of Onescan, a Korean rogue anti-virus application. Sality, Darkbot, Medfos, and Zeus were the other infections detected by the MSRT in the week after it shipped with October’s security updates.

Sticking to malware, AVG reported that the Blackhole Exploit Kit accounts for 63% of the criminal malware market and 75% of the toolkit market. The versatile kit lets criminals assemble attack campaigns on the fly, and it is responsible for the majority of the drive-by downloads observed online.

“Blackhole is a sophisticated and powerful exploit kit, mainly because it is polymorphic and its code is heavily obfuscated to evade detection by anti-virus solutions. The rapid update capabilities of the kit have also made it challenging for traditional antivirus vendors to track, which are the main reasons it has a high success rate,” said Yuval Ben-Itzhak, Chief Technology Officer at AVG Technologies.

Android malware, highlighted in our earlier report with data from Trend Micro, was also covered by Commtouch in its Q3 report. Commtouch illustrates Android's growing appeal to attackers with a look at a July attack that targeted Google's OS exclusively.

The July Android attack used compromised email accounts to send simple one-link emails. Commtouch notes that this scheme has been used in the past to distribute links to spam products or to drive-by malware downloads; in this case the malware URLs only worked when visited from Android devices.
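Device-targeted links of the kind Commtouch describes can be checked by fetching the same URL with several User-Agent strings and comparing what each profile receives: a link that returns an APK to Android and a "not found" page to everyone else is cloaking. The script below is an added example written for this roundup, not Commtouch's tooling or data; the User-Agent strings, the `fake_fetch` responses and the example URL are constructed for illustration.

```python
"""Detect User-Agent cloaking: fetch one URL under several device profiles
and compare the responses. Added example; not part of the original article."""
import hashlib
import urllib.request
from typing import Callable, Dict, NamedTuple


class Response(NamedTuple):
    status: int
    content_type: str
    body: bytes


# Illustrative User-Agent strings for the device profiles we want to compare
# (constructed for this example; any set of UAs will do).
PROFILES: Dict[str, str] = {
    "android": ("Mozilla/5.0 (Linux; U; Android 4.0.4; en-us; Nexus S) "
                "AppleWebKit/534.30 Mobile Safari/534.30"),
    "iphone": ("Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) "
               "AppleWebKit/536.26 Mobile/10A403 Safari/8536.25"),
    "desktop": ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.4 "
                "Chrome/22.0.1229.94 Safari/537.4"),
}

# Content types that indicate a binary payload rather than a web page.
PAYLOAD_TYPES = {
    "application/vnd.android.package-archive",
    "application/octet-stream",
}


def fingerprint(resp: Response):
    """Reduce a response to (status, content type, short body hash)."""
    digest = hashlib.sha256(resp.body).hexdigest()[:16]
    return (resp.status, resp.content_type, digest)


def detect_cloaking(url: str, fetch: Callable[[str, str], Response],
                    profiles: Dict[str, str] = PROFILES) -> dict:
    """Fetch `url` once per profile and flag it if the profiles disagree.

    `cloaked` is True when at least two profiles get different responses;
    `payload_profiles` lists the profiles that were handed a binary payload.
    """
    results = {name: fingerprint(fetch(url, ua)) for name, ua in profiles.items()}
    distinct = set(results.values())
    payload_profiles = sorted(n for n, fp in results.items() if fp[1] in PAYLOAD_TYPES)
    return {
        "cloaked": len(distinct) > 1,
        "payload_profiles": payload_profiles,
        "results": results,
    }


def live_fetch(url: str, user_agent: str, timeout: float = 10.0) -> Response:
    """Real fetch with a spoofed User-Agent (not called by the offline demo).
    Run this only against URLs you are authorised to probe, from an isolated host."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return Response(r.status, r.headers.get_content_type(), r.read(1 << 20))
    except urllib.error.HTTPError as e:
        return Response(e.code, e.headers.get_content_type(), e.read(1 << 20))


def fake_fetch(url: str, user_agent: str) -> Response:
    """Constructed stand-in for a cloaked malware URL: Android gets an APK,
    every other client gets a 404 page. Not real captured traffic."""
    if "Android" in user_agent:
        return Response(200, "application/vnd.android.package-archive",
                        b"PK\x03\x04constructed-fake-apk")
    return Response(404, "text/html", b"<html><body>Not Found</body></html>")


def demo() -> dict:
    """Offline demonstration against the constructed fetch function."""
    return detect_cloaking("http://example.invalid/track", fake_fetch)


if __name__ == "__main__":
    verdict = demo()
    print("cloaked:", verdict["cloaked"])
    print("payload served to:", verdict["payload_profiles"])
    for name, fp in verdict["results"].items():
        print(f"  {name:8s} status={fp[0]} type={fp[1]} body={fp[2]}")
```

Swap `fake_fetch` for `live_fetch` to run the check against a real link from a sandboxed analysis host; the comparison logic is the same, and a benign site that serves the same page to every profile comes back with `cloaked` False.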

Speaking of spam, Commtouch's Q3 2012 breakdown:

87 billion - The average number of daily spam/phishing emails sent

74 percent - Percent of all email that was spam

1.9 billion - The average number of daily emails sent with attached malware

Education - The Web site category most likely to contain malware

Pharmacy ads - The most popular spam topic, representing 41.2 percent of all spam

India - The country with the most zombies (bots that send spam messages)

Commtouch’s findings align with those of anti-spam vendor Eleven, which said that one in ten emails spoofing popular brands such as Amazon or LinkedIn contained a malicious URL. That 1:10 ratio is an 80% increase over the figure recorded in August.

Numbers from Moscow-based Kaspersky Lab's September 2012 Spam report were in line with what Commtouch reported. According to Kaspersky's numbers, the percentage of spam in overall email averaged 72.5 percent. Kaspersky also said that the percentage of phishing emails increased threefold compared to August. In September, malicious files were found in 3.4% of all emails, a decrease of 0.5 percentage points from the previous month, Kaspersky said.

In its report for September 2012, threat researchers from GFI Software noted a number of cybercrime campaigns directed at users of social networking sites including direct message spam on Twitter, and a fake Pinterest application.

GFI also echoed the Android malware woes, noting malicious Android apps including a fake "Results for the Olympics" app that sends premium-rate text messages from a victim's phone. GFI also said that mobile gamers were targeted with a fake Android version of the popular video game Grand Theft Auto: Vice City, loaded with a Boxer Trojan disguised as a Flash Player.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.