McAfee Labs Threats Report: Third Quarter 2013 Summary

Executive Summary

McAfee® Labs Threats Report: Third Quarter 2013

Although summer can be a relatively slow season for cybercriminal activity (even the bad guys need a break occasionally), the third quarter of 2013 proved that the number and sophistication of new threats did not “take the summer off.” New PC malware sample growth this quarter was relatively steady, with 20 million new samples added to the McAfee “zoo,” bringing the total to more than 170 million. The Android malware zoo grew by nearly 700,000 samples to a total of 2.8 million. Four main trends demonstrated the ongoing need for vigilance on the part of both enterprises and individuals to protect sensitive data.

• Attacks on the Android mobile operating system increased by more than 30%, driven at least partially by exploits aimed at Android’s well-documented “master key” vulnerability, which lets an attacker modify a legitimately signed app package without invalidating its signature, so the signature check that would otherwise reject the tampered app is bypassed.

• Growth in the appearance of “signed” malware continues to call into question the validity of many of the digital certificates now in use and raises the question of how enterprises and individuals can tell the difference between a trustworthy certificate and a stolen or fraudulently issued one.

• Global spam volume increased 125%.

• Cybercriminals’ use of new virtual currencies, both to execute illegal transactions and to launder the profits of online and offline criminal activity, is enabling new and previously unseen levels of criminal activity on what is now known as the Deep Web.

Mobile Malware

Attacks aimed at the Android platform continued their relentless march, with nearly 700,000 new Android malware samples cataloged this quarter. In 2012, Android malware spiked in the fourth quarter; we will see whether history repeats itself in 2013. McAfee Labs researchers identified one entirely new family of Android malware, Exploit/MasterKey.A, which allows an attacker to bypass the digital signature validation of apps. Because this validation is a key component of the Android security model, this is indeed a worrying development. McAfee Labs researchers also found a new class of Android malware that, once installed, downloads a second-stage payload without the user’s knowledge.

[Chart: New Android Malware per quarter, Q2 2011 to Q3 2013; y-axis 0 to 1,000,000 samples]
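The master key bug that Exploit/MasterKey.A relies on is a disagreement between two parsers of the same APK: the package carries two ZIP entries with the same name, the signature verifier hashes one copy, and the installer loads the other. The Python script below is an added example, not code from the McAfee report. It builds a small APK-like ZIP in memory (the file names and payload bytes are constructed), walks the central directory by hand so that duplicate names are not collapsed the way a name-keyed ZIP library collapses them, and reports every name that appears more than once together with what a first-match reader and a last-match reader would each get back.

```python
import io
import struct
import warnings
import zipfile
from collections import defaultdict

# Constructed test payloads: an APK is a ZIP archive, so a small one is built in memory.
BENIGN_DEX = b"benign classes.dex"
TROJAN_DEX = b"trojanized classes.dex"

EOCD_SIG = b"PK\x05\x06"   # end of central directory
CDIR_SIG = b"PK\x01\x02"   # central directory file header
LOCAL_SIG = b"PK\x03\x04"  # local file header


def build_apk(duplicate: bool) -> bytes:
    """Build a minimal APK-like ZIP. With duplicate=True the archive carries two
    records named classes.dex, the shape the master key exploit depends on."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns on duplicate names but writes both records
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", BENIGN_DEX)
            if duplicate:
                zf.writestr("classes.dex", TROJAN_DEX)
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


def central_directory(data: bytes):
    """Yield (name, local_header_offset) for every central-directory record,
    including duplicates that a name-keyed lookup such as ZipFile.read() would hide."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD: sig, disk, cd_disk, entries_on_disk, entries_total, cd_size, cd_offset, comment_len
    _, _, _, _, entries, _, cd_offset, _ = struct.unpack_from("<4sHHHHIIH", data, eocd)
    pos = cd_offset
    for _ in range(entries):
        if data[pos:pos + 4] != CDIR_SIG:
            raise ValueError(f"bad central-directory record at offset {pos}")
        # 46-byte fixed header: sig; 6 shorts (versions, flags, method, time, date);
        # 3 longs (crc, csize, usize); 5 shorts (nlen, xlen, clen, disk, iattr); 2 longs (eattr, lho)
        fields = struct.unpack_from("<4s6H3I5H2I", data, pos)
        nlen, xlen, clen, lho = fields[10], fields[11], fields[12], fields[16]
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8")
        yield name, lho
        pos += 46 + nlen + xlen + clen


def read_stored_entry(data: bytes, lho: int) -> bytes:
    """Return the payload of a STORED (uncompressed) entry given its local header offset."""
    if data[lho:lho + 4] != LOCAL_SIG:
        raise ValueError(f"bad local file header at offset {lho}")
    # 30-byte local header: sig; 5 shorts (version, flags, method, time, date);
    # 3 longs (crc, csize, usize); 2 shorts (nlen, xlen)
    fields = struct.unpack_from("<4s5H3I2H", data, lho)
    method, usize, nlen, xlen = fields[3], fields[8], fields[9], fields[10]
    if method != 0:
        raise ValueError("only STORED entries are handled in this example")
    start = lho + 30 + nlen + xlen
    return data[start:start + usize]


def duplicate_entries(data: bytes) -> dict:
    """Map each entry name that occurs more than once to its local header offsets, in archive order."""
    offsets = defaultdict(list)
    for name, lho in central_directory(data):
        offsets[name].append(lho)
    return {name: offs for name, offs in offsets.items() if len(offs) > 1}


def is_master_key_candidate(data: bytes) -> bool:
    """Any duplicated entry name is enough to quarantine the package for inspection."""
    return bool(duplicate_entries(data))


if __name__ == "__main__":
    apk = build_apk(duplicate=True)
    for name, offs in duplicate_entries(apk).items():
        first = read_stored_entry(apk, offs[0])
        last = read_stored_entry(apk, offs[-1])
        print(f"{name}: {len(offs)} records; first-match reads {first!r}, last-match reads {last!r}")
```

A scanner that relies on a library's name-keyed lookup sees only one of the two records, which is precisely the disagreement the exploit abuses; walking the central directory record by record is the check that stays honest, and a package with any repeated name should be rejected before its signature is even considered.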

Signed Malware

Historically, many enterprises have configured their firewalls and other perimeter defenses with a rule that passes a binary when it is digitally “signed,” on the belief that a binary signed with a certificate from a known Certificate Authority (CA) is legitimate. Unfortunately, the cybercriminal community is fully aware of this and now signs an ever-increasing fraction of its malicious payloads using either stolen certificates or certificates sourced from rogue CA vendors. McAfee Labs has been documenting the growth of digitally signed malware for some time. The technique continues to grow in popularity because it is a relatively easy way to circumvent one of the most common binary-filtering controls. The observed increase in signed malware this quarter was nearly 50%. McAfee Labs reported in October that the share of malware that is digitally signed rose from 1.3% in 2010 to 5.3% in 2013. Although this may seem like a small change, it means that more than 5 million digitally signed malware samples are in circulation. On the mobile front the trend is even more pronounced: the share of signed malware among known Android-based samples has risen from essentially zero to nearly 25% in the last three years. McAfee Labs reported at the Focus 2013 conference that although many rogue digital certificates are in use, the cybercriminal community does appear to have favorites. We have identified a handful of rogue certificates that have each been used to sign more than 1,000 separate malicious binaries, and another dozen that have each been used to sign at least 500. Time will tell whether this concentration of certificates at the “top” of the pyramid allows security practitioners to block and isolate malicious payloads.

[Chart: New Malicious Signed Binaries per quarter, Q3 2011 to Q3 2013; y-axis 0 to 1,800,000]
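Turning the observations above into a rule, as an added example that is not from the report: the historical “signed, therefore allowed” policy is scored against one that treats the signature only as a precondition and additionally blocks certificates known to have signed many malicious samples, rejects signing times outside the certificate's validity window, and allows only pinned publisher thumbprints. The sample corpus, the certificate subjects and thumbprints, and the hotlist threshold (scaled down from the 500 and 1,000 per-certificate counts in the report) are all constructed.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set


@dataclass(frozen=True)
class Signer:
    """Leaf code-signing certificate as observed on a binary (constructed values)."""
    thumbprint: str         # hex SHA-1 of the DER certificate, the usual pinning key
    subject: str
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class Binary:
    sha256: str
    signer: Optional[Signer]
    signed_at: Optional[datetime]   # signing time from the countersignature, if present
    malicious: bool                 # sandbox/AV verdict, used only to score the policies


# Constructed certificates: a legitimate vendor, a stolen certificate, and an expired one.
VENDOR = Signer("a1" * 20, "CN=Contoso Software", datetime(2012, 1, 1), datetime(2015, 1, 1))
STOLEN = Signer("b2" * 20, "CN=Northwind Tools", datetime(2012, 6, 1), datetime(2014, 6, 1))
EXPIRED = Signer("c3" * 20, "CN=Fabrikam Drivers", datetime(2009, 1, 1), datetime(2011, 1, 1))

# Constructed corpus: five malicious binaries signed with the stolen certificate, one signed
# with the expired certificate after its expiry, one genuine vendor release, two unsigned files.
CORPUS: List[Binary] = (
    [Binary(f"{i:064x}", STOLEN, datetime(2013, 8, 1 + i), True) for i in range(5)]
    + [Binary("e" * 64, EXPIRED, datetime(2013, 9, 3), True)]
    + [Binary("f" * 64, VENDOR, datetime(2013, 7, 15), False)]
    + [Binary("1" * 64, None, None, True), Binary("2" * 64, None, None, False)]
)
ALLOWLIST: Set[str] = {VENDOR.thumbprint}   # publishers the enterprise has explicitly pinned


def build_hotlist(corpus: List[Binary], min_samples: int) -> Set[str]:
    """Thumbprints that signed at least min_samples known-malicious binaries.
    The report counts >1,000 and >=500 per certificate; the threshold is scaled for the toy corpus."""
    counts = Counter(b.signer.thumbprint for b in corpus if b.malicious and b.signer)
    return {tp for tp, n in counts.items() if n >= min_samples}


def naive_policy(b: Binary, **_) -> str:
    """The historical perimeter rule: any signed binary passes."""
    return "allow" if b.signer else "inspect"


def pinned_policy(b: Binary, allowlist: Set[str], hotlist: Set[str]) -> str:
    """Signed is only a precondition. Abused certificates are blocked even if pinned,
    a signing time outside the validity window is treated as untrusted, and only
    pinned publishers are allowed; everything else goes to inspection."""
    if b.signer is None:
        return "inspect"
    if b.signer.thumbprint in hotlist:
        return "block"
    if b.signed_at is None or not (b.signer.not_before <= b.signed_at <= b.signer.not_after):
        return "inspect"
    if b.signer.thumbprint in allowlist:
        return "allow"
    return "inspect"


def malicious_allowed(policy, corpus: List[Binary], **kw) -> int:
    """Number of known-malicious binaries the policy would have let through."""
    return sum(1 for b in corpus if b.malicious and policy(b, **kw) == "allow")


def run(threshold: int = 3) -> dict:
    hotlist = build_hotlist(CORPUS, threshold)
    return {
        "hotlist": sorted(hotlist),
        "naive_allowed": malicious_allowed(naive_policy, CORPUS),
        "pinned_allowed": malicious_allowed(pinned_policy, CORPUS, allowlist=ALLOWLIST, hotlist=hotlist),
    }


if __name__ == "__main__":
    print(run())
```

The hotlist is checked before the allowlist on purpose: a pinned publisher whose certificate has been stolen is exactly the case where the pin must be overridden. The validity-window check is deliberately conservative; a signature carrying a trusted timestamp can legitimately outlive the certificate, so in production that branch should consult the countersignature rather than the bare signing time.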


Spam Spikes

After years of decline and relatively flat growth over the last year, global spam spiked in the third quarter of 2013; most of the spike occurred in the last four weeks of the quarter. For the quarter, global spam volume increased 125%. McAfee Labs researchers believe much of this spike is driven by legitimate marketing firms purchasing and using mailing lists sourced from less-than-reputable suppliers. Known as “snowshoe spammers” or affiliate marketers, these firms sell their services to legitimate consumer brands but then use whatever lists and techniques they can to maximize distribution and response rates. These high-volume campaigns generally do not carry malware, but it is nearly impossible for recipients to tell the difference.

[Chart: Global Spam Volume, in Trillions of Messages, monthly from October 2012 to September 2013; y-axis 0 to 5.0]
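The “snowshoe” label refers to spreading a campaign's sending volume thinly across many IP addresses and networks so that no single source trips a volume-based reputation threshold. The Python script below is an added example rather than anything from the report: it parses constructed SMTP receive-log lines (the log format is hypothetical, not any particular MTA's) and flags sender domains whose messages arrive from many distinct /24 networks with no single host carrying a large share of the volume.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed receive-log lines in a hypothetical "timestamp client=IP from=<address>" format.
LOG_LINES: List[str] = (
    # snowshoe pattern: one sender domain trickles two messages from each of twelve unrelated /24s
    [f"2013-09-{12 + i % 5:02d}T10:{i:02d}:00Z client=198.18.{i}.5 from=<offers{j}@cheap-deals.example>"
     for i in range(12) for j in range(2)]
    # conventional bulk mail: one domain, two hosts in a single /24, high per-host volume
    + [f"2013-09-12T11:{i:02d}:00Z client=203.0.113.{10 + i % 2} from=<news@retailer.example>"
       for i in range(30)]
    # a one-off message from a corporate host
    + ["2013-09-12T12:00:00Z client=192.0.2.9 from=<alice@corp.example>"]
)

LINE_RE = re.compile(r"client=(?P<ip>\d+\.\d+\.\d+\.\d+) from=<[^@>]+@(?P<domain>[^>]+)>")


def sender_stats(lines: List[str]) -> Dict[str, dict]:
    """Per sender domain: message count, distinct hosts, distinct /24 networks,
    and the share of the domain's mail carried by its busiest host."""
    per_ip: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # lines that do not match the constructed format are ignored
        per_ip[m["domain"]][m["ip"]] += 1
    stats = {}
    for domain, ips in per_ip.items():
        total = sum(ips.values())
        nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips}
        stats[domain] = {
            "messages": total,
            "hosts": len(ips),
            "networks": len(nets),
            "max_host_share": max(ips.values()) / total,
        }
    return stats


def snowshoe_domains(lines: List[str], min_networks: int = 8, max_host_share: float = 0.25) -> List[str]:
    """Domains spread thinly over many /24s: at least min_networks networks and no host
    sending more than max_host_share of the domain's total. Thresholds are assumptions."""
    stats = sender_stats(lines)
    return sorted(
        domain for domain, s in stats.items()
        if s["networks"] >= min_networks and s["max_host_share"] <= max_host_share
    )


if __name__ == "__main__":
    for domain, s in sender_stats(LOG_LINES).items():
        print(f"{domain}: {s}")
    print("snowshoe candidates:", snowshoe_domains(LOG_LINES))
```

Per-IP rate limits and IP reputation miss this pattern by construction, which is why the aggregation key here is the sender domain rather than the connecting host; the same grouping applies equally to the domain in the From header, the DKIM signing domain, or a tracking URL host, whichever the campaign keeps constant.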

Virtual Currencies

One of the hottest “cyber-topics” of the last twelve months is the emergence of a class of virtual currencies whose value is not tied to traditional currencies (dollars, euros, yen, etc.). Yankee Group estimates that the so-called virtual currencies market grew to US$47.5 billion in 2012. These new virtual currencies serve a number of useful purposes, enabling users to buy and sell goods and services online without some of the constraints imposed by normal credit/debit cards or the complexities associated with electronic funds transfers. They have the added benefit that transactions can be executed anonymously. It is this anonymity that has drawn the interest of the cybercriminal community, as it allows them to offer illicit goods and services for sale in transactions that would normally be visible to law enforcement. It also offers a uniquely effective way to “launder” the profits of both online and offline criminal activity. McAfee Labs’ recent report, Digital Laundry: An analysis of online currencies, and their use in cybercrime,¹ examines how virtual currencies enable the cybercriminal community to offer drugs, weapons, and other illegal goods and services online. The report also details how virtual currency exchanges enable the criminal community to launder huge sums of ill-gotten gains.


The emergence of virtual currencies and their inherent anonymity has also led to the development of a number of “Deep Web” marketplace sites that specialize in the retail distribution of illegal products and services.

The largest of these sites was Silk Road, which was closed by law enforcement officials on October 1. The site was primarily known as a drug market, but goods were available in more than 200 categories, including other illegal services such as hacking ATMs. Although the closure of Silk Road was a major victory for law enforcement, many of these Deep Web marketplaces operate globally, of which BlackMarket Reloaded is just one. This issue will not go away any time soon. A copy of the full report can be found here: http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q3-2013.pdf.

¹ http://www.mcafee.com/us/resources/white-papers/wp-digital-laundry.pdf

McAfee and the McAfee logo are registered trademarks or trademarks of McAfee or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright © 2013 McAfee, Inc. 60653exs_qtr-q3_1113_fnl_ETMG