Malware in August: One Year After the First Android Malware Emerged, & the Clones of Zeus

09 Sep 2011
Virus News

Out-of-the-box activity

Malware and Bitcoin. As of late August, Kaspersky Lab’s analysts detected 35 unique malicious programs that targeted the Bitcoin system in one way or another. Realizing that their potential earnings largely depend on the number of computers they have access to, the cybercriminals have moved from stealing Bitcoin wallets to using Twitter and P2P network-based botnets. Cybercriminals have resorted to this measure to counter the antivirus companies that may block the operation of a single botnet C&C server if no alternate servers exist in the malicious network. For example, a bot would send a request to a Twitter account, which provides commands that are left there by the botnet owner — i.e., where the Bitcoin-generating program is downloaded, along with instructions for which Bitcoin pools to work with. The use of Twitter as a botnet command center is not new; although this is the first time it has been used with the Bitcoin system.

In August, Kaspersky Lab also discovered that one of the largest botnets conceals actual accounts as they can be deleted by server owners who take a proactive stance against unlawful mining programs. To achieve this, the botnet owners had to create a special proxy server that interacts with infected computers, and their requests are then transferred to an unknown Bitcoin pool. It is not possible to identify the specific pools that the botnet works with and thus block the fraudulent accounts. In this situation, the only means of intercepting such criminal activity is to gain full access to one of the proxy servers.

Ice IX: the illegitimate child of ZeuS. Almost a year after the original code of the most wide-spread threat targeting online banking users was leaked, Trojan ZeuS (Trojan-Spy.Win32.Zbot), Russian-speaking cybercriminals created its clone which became quite popular among fraudsters this summer. The new variant which emerged in the spring was dubbed Ice IX by its creator and sells for US $600-1,800. One of Ice IX’s most remarkable innovations is the altered botnet control web module which allows cybercriminals to use legitimate hosting services instead of costly bulletproof servers maintained by the cybercriminal community. This difference is meant to keep hosting costs down for Ice IX owners. The appearance of Ice IX indicates that we should soon expect the emergence of new “illegitimate children” of ZeuS and an even greater number of attacks against the users of online banking services.

Remote-access worm. The new network worm Morto is interesting in that it does not exploit vulnerabilities in order to self-replicate. Furthermore, it spreads via the Windows RDP service that provides remote access to a Windows desktop – a method which has not been seen before. Essentially, the worm attempts to find the access password. Provisional estimates indicate that tens of thousands of computers throughout the globe may currently be infected with this worm.

Attacks against individual users: mobile threats.

In early August 2010, the first-ever malicious program for the Android operating system was detected: the SMS Trojan FakePlayer. Today, threats designed for Android represent approximately 23% of the overall number of detected threats targeting mobile platforms.

top20_september_en.png
The distribution of malicious programs targeting mobile platforms, by operating system

Excluding the J2ME platform, 85% of the total number of smartphone threats detected during August 2010 targeted the Android system.

In August, the Nickspy Trojan stood out among the multitude of threats targeting mobile platforms. Its distinguishing characteristics include an ability to collect information about the phone’s GPS coordinates and any calls that are made from the device. It can also record all the conversations that the infected device’s owner has. The audio files are then uploaded to a remote server managed by the malicious owner.

Attacks against the networks of corporations and major organizations

August saw a number of really high-profile hack attacks. The victims of hacktivists included the Italian cyber police, a number of companies cooperating with law enforcement agencies in the US, and the military contractor Vanguard, who works under contract to the US Department of Defense. However, these hack attacks were hardly surprising against the backdrop of this year’s events.

Nevertheless, the IT community was shaken by a news item from McAfee about their detection of what was potentially the largest cyber-attack in history, lasting over five years and targeting numerous organizations around the world, from the US Department of Defense, to the Sports Committee of Vietnam. The attack was dubbed Shady Rat. All would have been well and good, but the malicious user-run server that was allegedly “detected by researchers” had in fact already been known to the experts at many other antivirus companies for several months. Moreover, at the time of the article’s publication the server was still up and running and all of the information that McAfee used in its report had already been made public. What is more, the long sought-after spyware that had allegedly been used in the most complex and largest attack in history had already been detected by many antivirus programs using simple heuristics. In addition to these and other factors, the McAfee incident gives rise to many other questions, which were asked publically, including by Kaspersky Lab’s experts.

“Our studies have confirmed that Shady Rat was not the longest-running or the largest, nor even the most sophisticated attack in history”, comments Alexander Gostev, Chief Security Expert at Kaspersky Lab. “Moreover, we believe that it is unacceptable to publish information about any attacks without a full description of all of the components and technologies used, since these incomplete reports do not allow experts to make all possible efforts to protect their own resources.”

© 1997 – 2014 Kaspersky Lab

All Rights Reserved. Industry-leading Antivirus Software