Malware in Q3-2010: 600 Million Attempted Infections, Stuxnet, Stolen Certificates and Exploits

17 Dec 2010
Virus News

During the third quarter of 2010, Kaspersky Lab’s products blocked over 600 million attempts to infect users’ computers with malicious and unwanted programs. This is a 10% increase on the second quarter’s figure. Of the total number of blocked objects, over 534 million were malicious programs.

The Stuxnet epidemic received the most attention during the third quarter and confirms the theory that malware is rapidly becoming more sophisticated. An analysis of the worm has shown that it was designed to change the logic within programmable logic controllers (PLCs) embedded in the inverters used to control the rotation speed of electric motors. These PLCs control very high-speed motors with a limited range of applications, such as centrifuges. Stuxnet is the most complex piece of malware yet to appear in the cybercriminals’ arsenal, and the epidemic marked the beginning of the era of attacks on industrial targets. Stuxnet is also unique in that it uses as many as four zero-day Windows vulnerabilities at the same time in order to infiltrate victim computers, and it has a rootkit component signed with certificates stolen from the integrated circuit manufacturers Realtek Semiconductors and JMicron.

Digital certificates and signatures are one of the pillars upon which cybersecurity rests. A digital signature plays an important role in certifying the trustworthiness of the file it is incorporated into. However, several cases were recorded in 2010 in which cybercriminals obtained digital certificates quite legally, just like any other software developer. In one instance, a group of cybercriminals received a certificate for ‘Software with which to remotely operate a computer without a GUI’, which is, in essence, a backdoor. The creators of adware, riskware and Rogue AVs frequently use stolen certificates to prevent their malware from being detected. Beyond the Stuxnet case, stealing certificates is one of the prime functions of Zbot (aka Zeus), a very widespread Trojan. “Judging by what we are seeing today, the problem of stolen certificates may become even more significant in 2011,” according to Yury Namestnikov, author of the report ‘IT Threat Evolution for Q3-2010’.
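The paragraph above makes a point that is easy to miss: a signature that verifies proves only that whoever held the private key signed those exact bytes. If the key was stolen (as in the Stuxnet case) or the certificate was issued to a criminal who applied for it legally, the signature still verifies, and the decision to trust the file has to come from a separate policy (approved publishers, revocation). The following Go program is an added illustration of that distinction, not code from Kaspersky Lab or the report; it substitutes Ed25519 key pairs for X.509 code-signing certificates, identifies signers by a hash of their public key in place of a certificate thumbprint, and uses constructed publisher names and file contents.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SignedFile models a signed binary: the bytes, the detached signature and the
// signer's public key (real code signing carries the key inside an X.509
// certificate; certificate parsing is omitted in this illustration).
type SignedFile struct {
	Content   []byte
	Signature []byte
	Signer    ed25519.PublicKey
}

// Fingerprint identifies a signer by the SHA-256 of its public key, the way a
// certificate thumbprint identifies a code-signing certificate.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// NewSigner generates a fresh Ed25519 key pair, standing in for a publisher's
// code-signing certificate and private key.
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignFile signs content. Anyone holding priv can do this, which is exactly why
// a stolen key yields signatures that verify perfectly.
func SignFile(priv ed25519.PrivateKey, content []byte) SignedFile {
	return SignedFile{
		Content:   content,
		Signature: ed25519.Sign(priv, content),
		Signer:    priv.Public().(ed25519.PublicKey),
	}
}

var (
	ErrBadSignature  = errors.New("signature does not verify: file altered or forged")
	ErrRevokedSigner = errors.New("signature valid but signer has been revoked")
	ErrUnknownSigner = errors.New("signature valid but signer is not an approved publisher")
)

// TrustPolicy is the defender-side rule set applied after the cryptographic
// check: an allowlist of approved publishers and a set of revoked signers.
type TrustPolicy struct {
	Allowed map[string]string // fingerprint -> publisher name
	Revoked map[string]bool   // fingerprints whose keys are known to be compromised
}

// Check verifies the signature and then applies the policy, so that "verifies"
// and "trusted" stay distinct. It returns the publisher name only on success.
func (p TrustPolicy) Check(f SignedFile) (string, error) {
	if !ed25519.Verify(f.Signer, f.Content, f.Signature) {
		return "", ErrBadSignature
	}
	fp := Fingerprint(f.Signer)
	if p.Revoked[fp] {
		return "", ErrRevokedSigner
	}
	name, ok := p.Allowed[fp]
	if !ok {
		return "", ErrUnknownSigner
	}
	return name, nil
}

func main() {
	vendorPub, vendorPriv := NewSigner() // legitimate hardware vendor (constructed)
	_, criminalPriv := NewSigner()       // certificate issued to a criminal (constructed)
	policy := TrustPolicy{
		Allowed: map[string]string{Fingerprint(vendorPub): "Example Vendor (constructed)"},
		Revoked: map[string]bool{},
	}
	report := func(label string, f SignedFile) {
		if name, err := policy.Check(f); err != nil {
			fmt.Printf("%-32s rejected: %v\n", label, err)
		} else {
			fmt.Printf("%-32s accepted, publisher %q\n", label, name)
		}
	}
	driver := []byte("constructed driver image")
	report("vendor-signed driver", SignFile(vendorPriv, driver))
	report("signed with criminal's own cert", SignFile(criminalPriv, driver))
	tampered := SignFile(vendorPriv, driver)
	tampered.Content = append([]byte("X"), tampered.Content[1:]...)
	report("tampered after signing", tampered)
	// A stolen vendor key verifies and is allowlisted: only revocation catches it.
	stolen := SignFile(vendorPriv, []byte("constructed rootkit"))
	report("rootkit signed with stolen key", stolen)
	policy.Revoked[Fingerprint(vendorPub)] = true
	report("same file after revocation", stolen)
}
```

The fourth case is the one the report warns about: the rootkit signed with the stolen key is accepted until the signer is revoked, so signature validity alone is not a detection criterion, and revocation lists must actually reach the endpoints that enforce the policy.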

Exploiting vulnerabilities remains, as before, highly popular with the cybercriminal fraternity. Four new vulnerabilities emerged in the quarterly ranking of the most commonly exploited vulnerabilities: two in Adobe Flash Player products, one in Adobe Reader and one in Microsoft Office. Additionally, the Top-10 included three vulnerabilities discovered in 2009 and one discovered in 2008. This statistic shows that some users have not updated their software for years. All of the vulnerabilities listed in the Top-10 allow cybercriminals to take full control of the target system.

According to Kaspersky Lab’s experts, the number of virus incidents involving malicious files bearing certificates will increase dramatically in the near future. More worryingly still, sophisticated malware capable of running on 64-bit platforms will also increase. It is also certain that cybercriminals will take advantage of newly discovered vulnerabilities ever more quickly.

“The third quarter’s events demonstrate that we are currently on the threshold of a new era in the evolution of cybercrime,” said Yury Namestnikov. “The concept of mass infection, as seen with the Klez, Mydoom, Sasser and Kido worms, is going to give way to precision strikes.”

The full version of the report is available at: www.securelist.com/en.