Kaspersky Lab, a leading developer of secure content and threat management solutions, has published its annual report on the evolution of malware threats in 2010.
The year 2010 was certainly the year for vulnerabilities and online attacks. The average number of new malicious programs detected in one month remained around the same as in 2009, while there was even a decline in the activities of some types of threats. Stabilization in the flow of malicious activity was noted by Kaspersky Lab in last year’s annual report, and the reasons behind this leveling off are the same: a decrease in the activities of a number of Trojans, particularly those targeting online games, and more proactive efforts on the part of law enforcement agencies, antivirus developers and telecom companies in combating criminal services and cybercriminal groups.
At the same time, the number of online attacks skyrocketed. Over the course of the year, Kaspersky Security Network’s distributed monitoring and rapid response system recorded over 580 million web-based attacks against users’ computers — nearly 8 times more than the number of online attacks recorded in 2009. This sharp surge is related to the prevalence of exploits that allow hackers to infect website visitors’ computers without them noticing, using drive-by download technology. A single malicious program can penetrate a user's computer via dozens of vulnerabilities in browsers and other applications used to process web content, which has led to a proportionate increase in the number of online attacks.
In 2010, the total number of online attacks logged by Kaspersky Lab online antivirus products, and local virus incidents logged on user computers, exceeded 1.9 billion. Attacks launched via web browsers represented over 30% of this indicator, that’s over 500 million attacks. Browsers became the primary route for infecting users’ computers with malware and there is no reason to expect that to change in the near future.
According to Kaspersky Lab, P2P networks are the second most commonly used channel for spreading threats. Cybercriminals are also actively using popular social networks such as Facebook, VKontakte, Twitter and others. The rapid spread of malicious code is aided by the numerous vulnerabilities in these sites, which means the number of social network-based attacks will continue to grow.
Although new malicious programs appeared in 2010 at the same rate as in 2009, their complexity and functionality — and thus the threat they pose to users — increased. Some of the most complex threats used new technologies to penetrate the 64-bit platform, and many others propagated using the zero-day vulnerabilities. Examples of the most sophisticated threats include the Mariposa, ZeuS, Bredolab, TDSS, Koobface, Sinowal and Black Energy 2.0 botnets, each of which brought together millions of infected computers and the TDSS backdoor, which infects the MBR and launches destructive activity even before the OS boots up. The Stuxnet worm represents today’s technological peak in virus writing. This malicious program simultaneously uses several vulnerabilities in the Microsoft Windows operating system, bypasses system verification using legitimate digital certificates (that have since been revoked), and attempts to control programmable logic controllers and the frequency converters involved in critical engineering processes.
Malicious programs similar to Stuxnet could be used in targeted attacks against specific companies. The increased number of targeted attacks was another trend noted in 2010. Examples include some very narrowly-focused cyber attacks, such as Aurora, which was launched in order to steal user information and source code from software projects of several major companies, including Google and Adobe. It is possible that now, programs like Stuxnet will be more frequently included in the arsenals of some companies and secret services.
In the past year, the first malicious programs targeting iPhone and Android were detected. Thankfully, no incidents using such threats to the iPhone took place. However, cybercriminals have developed several Proofs of Concepts that could be used in the future. This signals the high probability of an increase in mobile threats.
In 2010, the Kaspersky Security Network cloud system helped detect 510 different software vulnerabilities on users’ computers. These vulnerabilities were most often found in the products of four major developers: Microsoft, Adobe, Oracle and ACDSee. In 2009, the leading position in terms of the number of vulnerabilities was held by Microsoft, in 2010 the situation changed, with Microsoft and Adobe sharing first place. The development of automatic updates for Microsoft products has led to a situation whereby users have started to update their Microsoft products more often and subsequently, vulnerabilities are patched. This has forced cybercriminals to search out ‘loopholes’ in other programs. Nearly one-half of the Top 20 most common vulnerabilities were identified prior to 2010, which means that vulnerabilities on users’ computers have been left unpatched for a long time, even after their respective patches have been released. Kaspersky Lab expects that in the future, software vulnerabilities will remain the primary means of launching attacks. Furthermore, the variety of the vulnerabilities exploited by malicious users and the speed with which they are starting to use them for destructive purposes are steadily on the rise.
In reviewing the risk of infection associated with any threat, it is noteworthy that users’ computers are the most vulnerable to infection in Iraq, Oman, Russia, Belarus and the US. It is in these countries that Kaspersky Lab programs logged the highest numbers of detections. The safest countries in terms of infection are Germany, Japan, Luxembourg, Austria and Norway.
The detection of threats that have already penetrated users’ systems gives us a picture of the computer infection level of any given country. The dubious honor of leading positions in this category was shared by developing countries in Asia and Africa in 2010, due to the rapid pace at which Internet access is becoming available, combined with low levels of computer literacy among the users in those regions. The countries with the lowest percentage of infected computers in 2010 were Japan, Germany, Luxembourg, Austria and Switzerland.