Threats evolution in Q1, 2014: distressing but expectable

The first quarter of 2014 has passed, so Kaspersky Lab’s researchers have released their quarterly report on IT threat evolution for the first three months of 2014. It’s quite an

The first quarter of 2014 has passed, so Kaspersky Lab’s researchers have released their quarterly report on IT threat evolution for the first three months of 2014. It’s quite an expansive doc with many figures and diagrams, showing the turmoil of the threat landscape these days.

Indeed there is a lot going on. The first part of the study is dedicated to ATPs, like Icefog and its Java counterpart; The Mask – an advanced and vast cyber-espionage campaign of unknown origins; then there is Turla (aka Snake or Uroburos), which has been linked to a notorious Agent.btz malware, active since 2007. It looks like Red October, Flame, Gauss and miniFlame have some similarities to Agent.btz – is it one big family?

“So far, all we know is that all of these malicious programs share some points of similarity,” the study says. “It’s clear that Agent.btz was a source of inspiration for those who developed the other malware. But we’re not able to say for sure if it was the same people behind all these threats.”

Well, of course in these cases it’s always a, ‘whodunnit’, but the people behind these APTs are good at covering their tracks. What is even more important is the fact that the cyberwar from science fiction of the past is here now, and it’s here to stay.

What really caught our attention in the last study is the recent developments regarding TOR (The Onion Router) and Bitcoin.

Tor is software designed to allow its users to remain anonymous when accessing the Internet. It has been around for some time, but for many years was used mainly by experts and enthusiasts. Due to a growing concern over privacy, use of the Tor network has spiked in recent months: Tor has become a helpful solution for those who, for whatever reason, fear the surveillance and the leakage of confidential information.

Kaspersky Lab experts expect that encrypted anonymous networks may become mainstream in the near future: the topic of privacy is very hot these days, so even ordinary users are looking for the tools to prevent eavesdropping (which is actually good!).

On the darker side, criminals are equally concerned about their privacy, anonymity and stealth. From our experts’ recent investigations, it’s become clear that Tor is also very attractive to cybercriminals: of course, they value the anonymity too. Now there’s a flourishing underground market on the Tor network and illegal activity is in full swing.

“It all started with the notorious Silk Road market and has evolved into dozens of specialist markets – for drugs, arms and, of course, malware,” the study says.

The development of the black market on Tor has coincided with the emergence of the anonymous crypto-currency, Bitcoin, which is now commonly used in the cyber underground. Its rate of exchange has skyrocketed since the end of last year ($1,300 per one Bitcoin) so it attracts a huge interest from cybercriminals, which has already become a problem for all Web users (even those who had never heard about Bitcoins before). There is a growing number of malware whose purpose is to steal or ‘mine’ Bitcoins abusing other people’s PC or even mobile devices.


Last February Mt.Gox, one of the biggest Bitcoin exchanges, went down with a bang (reportedly after a hack that led to the loss of 744,408 Bitcoins – worth around $350 million at that point), and exchange rates dropped. Still, Bitcoin-mining and Bitcoin-stealing malware is around.

Now, let’s highlight a few other important areas of the study.

– According to Kaspersky Security Network data, Kaspersky Lab products blocked a total of 1,131,000 866 malicious attacks on computers and mobile devices in the first quarter of 2014.

– In the first quarter of 2014, a Trojan targeting iOS was detected. This malicious program is a plug-in for Cydia Substrate, a widely used framework for rooted/hacked devices.

– The percentage of threats targeting Android exceeded 99% of all mobile malware. It’s not going to change any time soon either. Detections over the past three months included more than 1.25 million installation packages, over 110 thousands new malicious programs for mobile devices and over 1,000 new mobile banking Trojans. The number of banking malware has nearly doubled in Q1 of 2014, which is a very distressing, but equally expected development.

– Banking Trojans are most active in Russia: in Q1 over 88% of attacks involving this malware took place there.

– 39% of web attacks neutralized by Kaspersky Lab products were carried out using malicious web resources located in the US and Russia.

– Russia is the most malware-attacked country in the world (48,90% of all attacks), with India a distant second.

Full text of the report is available here.


Home smart home

Chances are your home already contains a few smart components. But can you make them even smarter so as to reap yet more benefits from them?