Page 1: Motive_Security_Labs_Malware_Report_1H2015

Motive Security Labs Malware Report – H1 2015

Motive Security Labs Malware Report – H1 2015, Alcatel-Lucent

Table of contents

Introduction (p. 3)
  2015 first half highlights (p. 3)
Malware in mobile networks (p. 4)
  Mobile network infection rate (p. 4)
  Infections by device type (p. 4)
  Android malware samples continue growth in 2015 (p. 6)
  Top Android malware (p. 6)
  Examples of mobile threats (p. 7)
Malware in fixed residential networks (p. 10)
  Top 20 residential network infections (p. 10)
  Top 20 high-threat-level infections (p. 11)
  Top 20 most prolific threats (p. 12)
2015 so far (p. 12)
  Stagefright (p. 12)
  Encrypted command and control (p. 13)
  Scanning, DDoS and NAT (p. 13)
  New adware (p. 14)
  Mobile spyware (p. 15)
Summary and conclusion (p. 15)
Terminology and definitions (p. 16)
About Motive Security Labs (p. 16)


Introduction

The “Motive Security Labs H1 2015 Malware Report” examines general trends and statistics for malware infections in devices connected through mobile and fixed networks. The data is aggregated across the networks where the Motive Security Guardian network-based malware detection solution is deployed. The solution runs in major mobile and fixed networks around the world, covering over 100 million devices.

2015 first half highlights

Mobile

• The mobile infection rate declined to 0.50% in Q1 due to a reduction in infections on devices running the Android™ operating system (Android), and then rose to 0.75% at the end of Q2 due to a noticeable increase in adware infections on PCs running the Microsoft Windows® operating system (Windows/PCs).

• 80% of infections on the mobile network are attributable to Windows/PCs connected via dongles, mobile Wi-Fi® hotspots or tethered through phones.

• Mobile spyware is definitely on the increase. Ten of the entries on the top 25 mobile infection list are mobile spyware: apps used to spy on the phone’s owner by tracking the phone’s location, monitoring incoming and outgoing calls and text messages, monitoring email and tracking the victim’s web browsing.

Residential

• The overall monthly infection rate in residential fixed broadband networks averaged 14.4%, up slightly from 2014. The increase is mostly attributable to an increase in moderate-threat-level adware infections.

• The infection rate for high-level threats such as bots, rootkits, keyloggers and banking Trojans increased to 6.3% from 5% in 2014.

80% of mobile infections are on Windows PCs

14% of homes are infected with malware

10 of the top 25 smartphone infections are spyware


Malware in mobile networks

In the first half of 2015 the overall mobile infection rate continued its upward trend, although not smoothly: it dipped in Q1 before rising again in Q2 (see Figure 1). The number of Android malware samples continued to grow significantly, but not at the exponential rates seen in 2013.

Mobile network infection rate

Figure 1 shows the percentage of infected mobile devices observed on a monthly basis since December 2012. The data is averaged across actual mobile deployments.

Figure 1. Mobile infection rate since December 2012 (chart; y-axis: mobile infection rate, 0.4% to 0.8%; x-axis: October 2012 to July 2015; not reproduced).

After two years of growth, the infection rate for mobile devices actually dropped from 0.68% in January 2015 to 0.50% in April. It then rebounded to close the first half of 2015 at 0.75% at the end of June. A number of factors contributed, but the major ones were a reduction in Android infections in the early part of the year followed by an increase in Windows/PC infections in Q2.

Infections by device type

Figure 2 shows the percentage of infections by device type. Most people are surprised to find such a high proportion of Windows/PC devices involved. These Windows/PCs are connected to the mobile network via dongles and mobile Wi-Fi devices, or simply tethered through smartphones, and they are responsible for a large share of the malware infections observed. Windows is still the favorite of hardcore professional cybercriminals, who have a huge investment in the Windows malware ecosystem; as the mobile network becomes the access network of choice for many Windows/PCs, the malware moves with them. In June 2015 Windows/PCs were responsible for about 80% of the malware infections detected on the mobile network.

Figure 2. Infected device types from 2013 to 2015 (chart; monthly share of infections, 0 to 100%, for Android and Windows, January 2013 to June 2015; not reproduced).


Between 2013 and 2014 the contributions to the infection rate in the mobile network were roughly 50/50 between Android and Windows/PCs. This changed significantly in 2015. At the end of Q2, 80% of infections observed on the mobile network were from Windows/PCs connected via dongles, mobile Wi-Fi hotspots or tethered through phones, and Android devices made up 20%. Other smartphones (iPhone, BlackBerry, Windows Mobile, etc.) made up less than 1% of the infections observed. The iPhone and BlackBerry have a more controlled app distribution environment and are thus less of a target.

Two factors contributed to this change. In Q1 the actual number of Android infections declined. This was followed by a significant increase in Windows/PC adware infections in Q2.

Currently most Android malware is distributed as “Trojanized” apps, and Android is the easiest target for this because of its open app environment. Specifically, the following Android issues have been observed:

• Android apps can be downloaded from third-party app stores and web sites.

• Android does not require the certificates used to sign apps to chain to any trusted authority.

¬ Android apps are usually self-signed, so the signing certificate cannot be traced to the developer.

¬ It is easy to take an Android app, inject code into it and re-sign it with a new key. The re-signed copy cannot be installed as an update over the original (Android rejects updates whose signer differs), but it installs without objection as a fresh app from a third-party store, which is how Trojanized copies spread.

Another way to look at the data is to show the contribution of each device type to the infection rate itself, as in Figure 3.

Figure 3. Contribution to infection rate by device type (chart; y-axis: infection rate, 0.0% to 0.8%; x-axis: October 2012 to July 2015; series: Android, Windows, Total; not reproduced).

This clearly shows the reduction in Android infections in Q1 and the increase in Windows/PC infections in Q2.

The Android reduction is probably due to efforts by Google to eliminate malware from Google Play and to the introduction of the Verify Apps feature on Android. Most Android malware is distributed as Trojanized apps downloaded and installed from Google Play and third-party app stores, so eliminating malware from the store and verifying apps at install time can have a major impact on the infection rate. Verify Apps was introduced in Android 4.2 (Jelly Bean) and is now available on close to 80% of deployed devices. It is activated by default, but the user does have to consent to the service running the first time they side-load an app.


The increase in Windows/PC infections can be attributed to more people using their phone’s data connection to provide Internet access for their other devices. Most of these infections are due to a resurgence of moderate-threat-level adware bundled with games and free software.

Android malware samples continue growth in 2015

An indicator of Android malware growth is the increase in the number of samples in our malware database. Figure 4 shows the numbers since June 2012.

Figure 4. Mobile malware samples since June 2012 (chart; y-axis: number of samples, 0 to 300,000; x-axis: July 2012 to July 2015; not reproduced).

The number of Android malware samples more than doubled in the first half of 2015.

Top Android malware

Table 1 shows the top 25 Android malware infections detected in H1 2015 in the networks where the Motive solution is deployed. The PREVIOUS column gives each entry’s rank in the H2 2014 report.

Table 1. Top 25 Android malware detected in H1 2015

NAME                              LEVEL      %       PREVIOUS
Android.MobileSpyware.Kasandra    High       31.30   New
Android.Adware.Uapush.A           Moderate   28.82   1
Android.Trojan.SmsTracker         High       22.36   3
Android.MobileSpyware.Gappusin    High       2.86    New
Android.MobileSpyware.SpyMob.a    High       2.05    5
Android.Trojan.FakeFlash          High       1.46    7
Android.MobileSpyware.CellSpy     High       0.98    New
Android.MobileSpyware.Tekwon.A    High       0.87    16
Android.Trojan.Wapsx              High       0.86    8
Android.Bot.Notcompatible         High       0.77    6
Android.Trojan.SMSreg.gc          High       0.74    41
Android.MobileSpyware.Phonerec    High       0.55    15
Android.Trojan.Qdplugin           High       0.54    10
Android.ScareWare.SLocker.A       High       0.52    New
Android.MobileSpyware.GinMaste    High       0.47    9
Android.MobileSpyware.Spyoo.C     High       0.39    27
Android.Backdoor.Agent.bz         High       0.34    New
Android.Downloader.Stew.a         High       0.29    New
Android.MobileSpyware.FakeDoc     High       0.28    21
Android.ScareWare.Koler.C         High       0.26    13
Android.Adware.Kuguo.A            Moderate   0.22    18
Android.Backdoor.Advulna          High       0.21    14
Android.MobileSpyware.SpyBubbl    High       0.2     13
Android.Backdoor.Opfake.a         High       0.17    34
Android.Trojan.Cajino             High       0.15    New

Cybercriminals are quick to take advantage of opportunities unique to the mobile ecosystem. Ten of the top 25 are in the mobile spyware category: apps used to spy on the phone’s owner by tracking the phone’s location and monitoring incoming and outgoing calls and text messages, functions that are unique to the mobile environment. Similarly, the SMS Trojans that make their living by sending text messages to premium SMS numbers are unique to the mobile space; two of the top 25 fall into this category.

However, there is also a cross-over from the traditional Windows/PC malware space. For example, the top 25 includes:

• A variety of scare-ware apps that try to extort money by claiming to have encrypted the phone’s data

• Identity theft apps that steal personal information from the device

• Malicious adware that uses personal information without consent to provide annoying targeted ads

• A web proxy app that allows hackers to anonymously browse the web through an infected phone (at the owner’s expense)

Examples of mobile threats

Kasandra.B is a high-threat-level Android remote-access Trojan (RAT). It is packaged to look like Kaspersky’s Security for Mobile, but actually gives the attacker unrestricted access to sensitive data on the device: Short Message Service (SMS) messages, contact lists, call logs, browser history (including banking credentials) and GPS location data. It stores the collected data in an “adaptive multi-rate file on the SD card” for later upload to a remote command and control (C&C) server. It is also known as SandroRAT.

Figure 5. Kasandra.B summary. Name: Android.MobileSpyware.Kasandra.B; Signature state: Active; Type: MobileSpyware; Class: Cybercrime; Level: High. (Charts of signature hits and infections, 16 May to 1 August 2015, and an infection map; not reproduced.)


Uapush.A is an Android adware Trojan with a moderate threat level; it also sends SMS messages and steals personal information from the compromised device. Its web-based C&C site is located in China.

Figure 6. Uapush.A summary. Name: Android.Adware.Uapush.A; Signature state: Active; Type: Adware; Class: Spyware; Level: Moderate. (Charts of signature hits and infections, 16 May to 1 August 2015, and an infection map; not reproduced.)

SMSTracker is an Android spyphone app that provides a complete remote phone tracking and monitoring system for Android phones. It allows the attacker to remotely track and monitor all SMS and Multimedia Messaging Service (MMS) messages, voice calls, GPS locations and browser history. It is also known as Android.Monitor.Gizmo.A.

Figure 7. SMSTracker summary. Name: Android.MobileSpyware.SMSTracker; Signature ID: 2807732; Signature state: Active; Type: Mobile Spyware; Class: Identity Theft; Level: High. (Charts of signature hits and infections, 16 May to 1 August 2015, and an infection map; not reproduced.)

SpyMob.A is a commercial monitoring tool that collects SMS messages, the contact list, the call log and the GPS location of a targeted device. These details are uploaded to Spy2Mobile servers and can be viewed by logging in to the user’s account at Spy2Mobile.com. For more details on its capabilities and features, see http://spytomobile.com/en.


Figure 8. SpyMob.A summary. Name: Android.MobileSpyware.SpyMob.A; Signature state: Active; Type: MobileSpyware; Class: Cybercrime; Level: High. (Charts of signature hits and infections, 16 May to 1 August 2015, and an infection map; not reproduced.)

NotCompatible is an Android bot that uses the infected phone to provide anonymous proxy web browsing services. This can consume large amounts of bandwidth and airtime, as the phone serves as a proxy for illicit web browsing activity. The C&C is located in Germany and the Netherlands. The C&C protocol is the same as that of a Windows-based web proxy bot.

Figure 9. NotCompatible summary. Name: Android.Bot.NotCompatible; Signature state: Active; Type: Bot; Class: Cybercrime; Level: High. (Charts of signature hits and infections, 16 May to 1 August 2015, and an infection map; not reproduced.)

Koler is an Android scareware Trojan that claims to have encrypted all the data on the phone and demands a ransom to restore it. The victims are usually visitors to pornographic web sites, who are duped into downloading and installing a “premium access video player.” The malware’s lock screen is customized according to the location of the phone.

Figure 10. Koler summary. Name: Android.Scareware.Koler; Signature state: Active; Type: Scareware; Class: Cybercrime; Level: High. (Charts of signature hits and infections, 16 May to 1 August 2015, and an infection map labelled ANDROID.SCAREWARE.KOLER.C; not reproduced.)


Malware in fixed residential networks

In 2014 the infection rate in residential networks rose significantly, as can be seen in Figure 11. However, the increase was almost entirely due to moderate-threat-level adware infections. This dropped off somewhat in the first half of 2015, while high-threat-level infections remained fairly level.

Figure 11. Residential infection rate (chart; quarterly, 2012 Q1 to 2015 Q2; y-axis: residential infection rate, 0% to 20%; series: Total, High, Moderate; not reproduced).

In Q1 2015, 15.7% of residences had some sort of malware infection. Of these, 6.6% had a high-threat-level infection and 10.8% had a moderate infection (a home can have both, so the two figures overlap). In Q2 2015 the overall infection rate dropped to 13.1%, with 6.0% high-threat-level infections and 8.8% moderate.

Top 20 residential network infections

Table 2 shows the top home network infections detected in Motive deployments. The results are aggregated, and the order is based on the number of infections detected over the six-month period of this report.

Table 2. Top 20 home network infections

NAME                              THREAT LEVEL   %      PREVIOUS
Win32.Adware.PullUpdate           Moderate       8.33   20
Win32.Trojan.Poweliks.A           High           6.41   New
Win32.Adware.BrowseFox.G          Moderate       6.07   6
Win32.Adware.ShopperPro.AR        Moderate       5.71   29
Win32.AdWare.AddLyrics.T          Moderate       5.58   4
Win32.Adware.MarketScore          Moderate       5.29   12
Win32.Adware.Wysotot              Moderate       4.74   2
Win32.Adware.iBryte               Moderate       4.33   1
Win32.Adware.Eorezo               Moderate       3.74   3
Win32.Downloader.Obvod.K          High           3.37   35
Win32.Adware.Megasearch           Moderate       2.68   8
Win32.Downloader.WinOptimizer     High           2.42   New
Win32.Adware.OptimizerPro         Moderate       2.4    22
Win32.Bot.ZeroAccess2             High           1.65   15
Win32.Adware.Bundlore             Moderate       1.62   17
Win32.Trojan.Bunitu.B             High           1.37   27
Win32.Adware.InstallMonetizer     Moderate       1.36   19
Win32.Trackware.Binder            High           1.28   9
Android.MobileSpyware.Kasandra    High           1.16   New
Win32.ScareWare.Crowti.A          High           1.06   New

In 2015 moderate-threat-level adware continued to dominate: of the top 20 threats in the first half of 2015, 12 are adware. The activity of high-threat-level bots has declined somewhat, with the exception of bots associated with DDoS, which has remained the same. It could be that cybercriminals now find it more cost effective to rent cloud-based computing power for spam and phishing activity.

Top 20 high-threat-level infections

Table 3 shows the top 20 high-threat-level malware infections, the kind that lead to identity theft, cybercrime or other online attacks.

Table 3. Top 20 high-threat-level infections

NAME                               %       PREVIOUS
Win32.Trojan.Poweliks.A            18.7    35
Win32.Downloader.Obvod.K           9.84    12
Win32.Downloader.WinOptimizer      7.05    New
Win32.Bot.ZeroAccess2              4.82    3
Win32.Trojan.Bunitu.B              3.99    7
Android.MobileSpyware.Kasandra     3.38    New
Win32.ScareWare.Crowti.A           3.1     New
Win32.Trojan.Malagent              3.03    8
Win32.Downloader.Banload.AUN       1.6     19
Win32.Trojan.Comine.M              1.33    36
Win32.Trojan.Pesut.A               1.21    44
Win32.Trojan.Usinec.A              1.14    37
Win32.Trojan.Googost.A             1.13    84
Win32.Trojan.Zeprox.A              1.1     55
Win32.Trojan.Clicker               1.1     20
Win32.Downloader.DownloadAssis     1.1     25
Indep.Bot.DNSAmplification         1.07    1
Win32.Trojan.CI.A                  0.96    5
Win32.Downloader.Ramnit.J          0.94    47
Win32.Worm.Koobface.gen.B          0.84    10

The top 20 list contains the usual suspects from previous reports: bots, downloaders, banking Trojans and password stealers.


Top 20 most prolific threats

Figure 12 shows the 20 most prolific malware infections found on the Internet. The order is based on the number of distinct samples captured from the Internet at large. A large number of distinct samples indicates that distribution is extensive and that the malware author is making a serious attempt to evade detection by antivirus products; the polymorphic file infectors that dominate the list (Virut, Sality, Ramnit) produce a new sample with every file they infect.

Figure 12. Most prolific malware (bar chart; share of distinct samples captured, 0% to 9%; chart not reproduced). In descending order:

Worm:Win32/Allaple.A
Worm:Win32/Soltern.L
Virus:Win32/Elkern.B
Worm:Win32/Vobfus.EK
Trojan:Win32/Beaugrit.gen!AAA
Virus:Win32/Nabucur.D
SoftwareBundler:Win32/InstalleRex
Virus:Win32/Ramnit.A
Virus:Win32/Virut.BN
Virus:Win32/Sality.AT
Virus:Win32/Virut.BR
TrojanDownloader:Win32/Upatre.AA
Virus:Win32/Parite.B
Virus:Win32/Mikcer.B
Virus:Win32/Expiro.CD
TrojanSpy:Win32/Lydra.gen!A
Virus:Win32/Virut.EPO
TrojanDownloader:Win32/Upatre
TrojanDownloader:Win32/Tugspay.A
Virus:Win32/Virut.BO

2015 so far

Stagefright

Stagefright was the major story at the end of Q2 2015. It is a series of vulnerabilities in libstagefright, Android’s media playback library, that let an attacker run code on the phone by simply sending it an MMS message with a specially crafted media attachment. The default messaging apps retrieve MMS content automatically and the media framework parses the attachment to generate a preview, so the device can be compromised without any interaction from the user. So far there is no known malware in the wild that exploits these vulnerabilities, but a proof-of-concept exploit that achieved remote code execution on the phone was demonstrated at the Black Hat USA conference in August 2015. Google has pointed out that Android’s built-in address space layout randomization (ASLR) will make the bugs difficult to exploit reliably. Whether that holds up in practice remains to be seen.

What is remarkable about Stagefright is the sheer number of potentially affected mobile devices, estimated at close to 1 billion. The scale of the exposure is unprecedented in the mobile device landscape, but the really worrying part is that the attacker can compromise the phone simply by sending it an MMS message: the victim installs nothing, which sidesteps the app-install checks that on-device security solutions rely on.

Patches are available, but the real question is how to get them deployed. One positive aspect of Stagefright is that it has forced Google, the Android phone manufacturers and the mobile carriers to take a serious look at how to improve the delivery of security patches to devices in the field. Updates are now available for Google’s Nexus line, and Samsung, HTC, LG, Sony and Motorola all have updates available. An interim mitigation is to disable automatic retrieval of MMS messages in the messaging app (Messenger and Hangouts both offer an auto-retrieve setting). This removes the zero-click delivery path but not the underlying parser bugs, which remain reachable through any other route that feeds a crafted media file to the framework, such as a web page or a downloaded video.


Stagefright is not the only Android vulnerability discovered in 2015; security researchers have been busy this year. Researchers at MWR found a flaw in the Google Admin app that could be used by a malicious app to “break into the app’s sandbox environment and read its files.” Trend Micro reported another vulnerability in the media server that can be used in a similar manner to Stagefright. IBM researchers demonstrated an Android deserialization flaw that allows code execution in the system server process.

Despite the reduction in Android infections in the first half of 2015, vulnerabilities like Stagefright remind us that a major infection event is always a possibility. We have also noticed that smartphone malware is becoming more sophisticated in both its C&C and its persistence on the device. For the first time we recently witnessed Android malware that was able to survive a factory reset.

Encrypted command and control

Motive Security Guardian detects malware infections by looking for known C&C exchanges in network traffic. So how can malware be detected if the C&C traffic is encrypted? The question has become more pressing because over the past year the use of Secure Sockets Layer (SSL, now TLS) encryption for web applications has increased significantly, and the assumption is that as more legitimate apps move to SSL, so will malware C&C.

So we reviewed some statistics from our malware analysis lab. Only 2.6% of active malware families used encrypted C&C protocols, and most of those could still be detected by inspecting the traffic. Encrypted C&C can often be identified by characteristics of the initial handshake between the bot and its controller, key exchanges, file downloads, exploit attempts and scanning activity: specific packet content, port numbers, packet lengths and packet sequences. In some cases identifying the bot is very easy. For example:

• Malware that uses its own home-grown cryptography is usually the easiest to detect, because fixed keys produce fixed binary content, and it often uses specific ports or an easily recognizable key exchange sequence.

• Malware that spreads by means of a network vulnerability can be detected from its use of that vulnerability, which cannot be encrypted.

• Malware that generates other network activity, such as DDoS, spam or scanning, can be identified by that activity even though the C&C is encrypted.

Malware that uses standard cryptography such as SSL/TLS is harder, but in these cases we can often use the certificate exchange, which is done in clear text, to identify the malware. (With TLS 1.2 and earlier the server’s certificate is sent in the clear; TLS 1.3 encrypts it, which leaves the ClientHello, with its server name indication and cipher-suite list, as the main cleartext signal.) Where this is not possible, we can often accurately identify the malware using IP or Domain Name System (DNS) blacklists.

In the first half of this year we have analyzed network traffic from 332 unique malware families. We were unable to develop detection rules for only four of them because of encryption.
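The handshake-inspection approach described above, as an added example that is not part of the report or of the Motive Security Guardian product: a small Python parser for the cleartext TLS ClientHello that extracts the server name indication (SNI) and the cipher-suite and extension lists, computes the JA3 fingerprint (the md5 of those fields, a published convention), and matches both against lab-derived indicators. The blacklisted host name, the “known bad” fingerprint, the sample hellos and the `no-sni` heuristic are all constructed or assumed for this example; in practice the ClientHello is taken from the first client packet of each new TLS flow.

```python
"""Added example, not from the Motive report: fingerprint a TLS ClientHello from the
cleartext part of the handshake to flag encrypted C&C. The sample hellos, the
blacklisted name and the 'known bad' fingerprint are all constructed here."""
import hashlib
import struct

BAD_SNI = {"update-check.example-c2.net"}   # hypothetical blacklist entry
BAD_JA3 = set()                              # filled from the lab sample below
GREASE = {v | (v << 8) for v in range(0x0a, 0x100, 0x10)}   # 0x0a0a, 0x1a1a, ... 0xfafa


def u16(buf, pos):
    return struct.unpack(">H", buf[pos:pos + 2])[0]


def parse_client_hello(record):
    """Parse one TLS record carrying a ClientHello; raise ValueError otherwise."""
    if len(record) < 5 or record[0] != 0x16:            # record type: handshake
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + u16(record, 3)]
    if len(body) < 4 or body[0] != 0x01:                # handshake type: ClientHello
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    version = u16(hello, 0)
    pos = 2 + 32                                         # skip version and client random
    pos += 1 + hello[pos]                                # session id
    cs_len = u16(hello, pos)
    pos += 2
    ciphers = [u16(hello, i) for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                                # compression methods
    info = {"version": version, "ciphers": ciphers, "extensions": [],
            "sni": None, "groups": [], "ec_point_formats": []}
    if pos + 2 > len(hello):                             # no extensions at all
        return info
    end = pos + 2 + u16(hello, pos)
    pos += 2
    while pos + 4 <= end:
        etype, elen = u16(hello, pos), u16(hello, pos + 2)
        data = hello[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        info["extensions"].append(etype)
        if etype == 0 and len(data) >= 5:                # server_name: list len, type, name len, name
            info["sni"] = data[5:5 + u16(data, 3)].decode("ascii", "replace")
        elif etype == 10 and len(data) >= 2:             # supported_groups
            info["groups"] = [u16(data, i) for i in range(2, 2 + u16(data, 0), 2)]
        elif etype == 11 and len(data) >= 1:             # ec_point_formats
            info["ec_point_formats"] = list(data[1:1 + data[0]])
    return info


def ja3(info):
    """JA3 fingerprint: md5 of 'version,ciphers,extensions,groups,formats' without GREASE."""
    def field(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    parts = [str(info["version"]), field(info["ciphers"]), field(info["extensions"]),
             field(info["groups"]), field(info["ec_point_formats"])]
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def classify(record):
    """Detection reasons that fire for one ClientHello; an empty list means clean."""
    info = parse_client_hello(record)
    reasons = []
    if info["sni"] in BAD_SNI:
        reasons.append("sni-blacklist")
    if ja3(info) in BAD_JA3:
        reasons.append("ja3-match")
    if info["sni"] is None:
        reasons.append("no-sni")        # home-grown TLS stacks in bots often omit SNI
    return reasons


def build_client_hello(sni, ciphers, groups=(0x001d, 0x0017)):
    """Construct a minimal, well-formed TLS 1.2 ClientHello (sample data only)."""
    exts = b""
    if sni is not None:
        name = sni.encode()
        sn = struct.pack(">HBH", len(name) + 3, 0, len(name)) + name
        exts += struct.pack(">HH", 0, len(sn)) + sn
    grp = struct.pack(">H", 2 * len(groups)) + b"".join(struct.pack(">H", g) for g in groups)
    exts += struct.pack(">HH", 10, len(grp)) + grp
    exts += struct.pack(">HH", 11, 2) + b"\x01\x00"
    body = (struct.pack(">H", 0x0303) + b"\x11" * 32 + b"\x00"
            + struct.pack(">H", 2 * len(ciphers))
            + b"".join(struct.pack(">H", c) for c in ciphers)
            + b"\x01\x00" + struct.pack(">H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


# Constructed samples: a browser-like hello, and a hypothetical bot that pins a single
# cipher suite and talks to the blacklisted name. Its JA3 is learned here the way the
# report describes learning signatures in the malware analysis lab.
BROWSER_HELLO = build_client_hello("www.example.org", [0x1301, 0x1302, 0xc02b, 0xc02f, 0x009c])
BOT_HELLO = build_client_hello("update-check.example-c2.net", [0x002f])
BAD_JA3.add(ja3(parse_client_hello(BOT_HELLO)))
```

Because the SNI and cipher list are sent before any key is exchanged, this works for every TLS version and never requires breaking the encryption. The trade-off is that a bot using a stock TLS library with a browser-like configuration and an innocuous-looking SNI is indistinguishable from ordinary traffic at this layer, which is where the IP and DNS blacklists mentioned in the text take over.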

Scanning, DDoS and NAT

A lot of scanning is taking place on the Internet, most of it by cybercriminals (or security researchers) looking for vulnerable hosts. In mobile networks this has an unexpected side effect. When a mobile device establishes a data connection it is assigned an IP address and given connectivity to the Internet. Although the Internet connection remains logically established, the radio connection to the local cell is typically timed out after 10 to 20 seconds of inactivity and the device is moved to an idle state. If someone on the Internet then sends an IP packet to the idle device, the radio connection must be re-established through a mechanism called paging before the packet can be delivered, and paging uses significant radio resources. Since most devices are idle at any given moment, a scan across an IP subnet can trigger a “paging storm” and overload the limited radio resources of the cells involved.


We commonly see scans looking for hosts that will participate (unwillingly) in DDoS amplification attacks, for both DNS and Network Time Protocol (NTP) amplification. For example, it is quite common in mobile networks to find mobile Wi-Fi hotspots that act as recursive DNS servers and can be leveraged in a DNS DDoS attack. Here the mobile operator suffers twice: the scanning causes paging storms, and the DDoS attack itself puts huge stress on the carrier’s DNS infrastructure.

Neither the scanning nor the amplification problem arises when network address translation (NAT) is used, because unsolicited inbound packets have no translation entry and are dropped before they reach a device. Since many mobile carriers use NAT, they are not currently exposed. That protection is incidental, however: if they migrate to Internet-accessible IPv6 addresses their mobile devices become reachable from the Internet, and the same default-deny for unsolicited inbound traffic has to be enforced deliberately with stateful filtering at the network edge, or scanning and DDoS activity will reach the devices.
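The two effects this section describes can be checked from flow records collected at the mobile core’s Internet edge. The script below is an added example and not part of the report: it flags external sources that touch many distinct subscriber addresses on one port within a short window (each distinct idle destination is one paging event), and subscriber hosts that answer DNS or NTP for many external clients with a large response-to-request byte ratio (the open-resolver amplification case). The subscriber prefixes, the thresholds and the flow records are all constructed assumptions; an IPv6 prefix is included because, as the text notes, that is the point at which devices become directly reachable.

```python
"""Added example, not from the Motive report: a flow-log check for the two problems
this section describes, inbound scans that page idle devices and subscriber hosts
that answer DNS/NTP for the whole Internet. Records are constructed NetFlow-style
tuples (timestamp, src, dst, proto, sport, dport, bytes, packets); the subscriber
prefixes and all thresholds are assumptions."""
import ipaddress
from collections import defaultdict

SUBSCRIBER_NETS = [ipaddress.ip_network("10.64.0.0/16"),        # assumed IPv4 pool (behind NAT)
                   ipaddress.ip_network("2001:db8:4000::/40")]  # assumed public IPv6 pool
SCAN_DISTINCT_DSTS = 50      # distinct idle devices one source may page per window
SCAN_WINDOW_SECONDS = 60
AMP_SERVICES = {53: "dns", 123: "ntp"}
AMP_MIN_CLIENTS = 20         # distinct external clients served by one subscriber host
AMP_MIN_RATIO = 10.0         # response bytes / request bytes


def is_subscriber(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SUBSCRIBER_NETS)


def find_scans(flows):
    """Inbound scans: one external source reaching many distinct subscriber addresses on
    one destination port inside the window. Each distinct idle destination costs a
    paging cycle, so the distinct-destination count is the paging load of the scan."""
    buckets = defaultdict(set)                       # (src, dport, window) -> {dst}
    for ts, src, dst, proto, sport, dport, nbytes, pkts in flows:
        if is_subscriber(src) or not is_subscriber(dst):
            continue
        buckets[(src, dport, ts // SCAN_WINDOW_SECONDS)].add(dst)
    return [{"src": src, "dport": dport, "window": w, "paged_devices": len(dsts)}
            for (src, dport, w), dsts in sorted(buckets.items())
            if len(dsts) >= SCAN_DISTINCT_DSTS]


def find_amplifiers(flows):
    """Subscriber hosts answering DNS/NTP for many external clients with a large
    response/request byte ratio, i.e. open resolvers usable for amplification."""
    req_bytes, rsp_bytes = defaultdict(int), defaultdict(int)   # (host, service) -> bytes
    clients = defaultdict(set)                                  # (host, service) -> {src}
    for ts, src, dst, proto, sport, dport, nbytes, pkts in flows:
        if proto != "udp":
            continue
        if dport in AMP_SERVICES and is_subscriber(dst) and not is_subscriber(src):
            key = (dst, AMP_SERVICES[dport])                    # query into the subscriber
            req_bytes[key] += nbytes
            clients[key].add(src)
        elif sport in AMP_SERVICES and is_subscriber(src) and not is_subscriber(dst):
            rsp_bytes[(src, AMP_SERVICES[sport])] += nbytes     # answer out to the Internet
    hits = []
    for key in sorted(clients):
        ratio = rsp_bytes[key] / req_bytes[key] if req_bytes[key] else float("inf")
        if len(clients[key]) >= AMP_MIN_CLIENTS and ratio >= AMP_MIN_RATIO:
            hits.append({"host": key[0], "service": key[1],
                         "clients": len(clients[key]), "amplification": round(ratio, 1)})
    return hits


def constructed_flows():
    """Synthetic records: one external host sweeping 80 IPv4 subscribers on TCP/23,
    another sweeping 60 IPv6 subscribers on TCP/22, a subscriber hotspot answering DNS
    for 25 spoofed external sources with 3200-byte replies, and benign HTTPS browsing."""
    flows = []
    for i in range(1, 81):
        flows.append((1000 + i % 10, "203.0.113.7", f"10.64.5.{i}", "tcp", 40000 + i, 23, 60, 1))
    for i in range(1, 61):
        flows.append((1100 + i % 10, "2001:db8:ffff::1", f"2001:db8:4000::{i:x}", "tcp", 41000 + i, 22, 60, 1))
    for i in range(1, 26):
        victim = f"198.51.100.{i}"
        flows.append((2000 + i, victim, "10.64.9.20", "udp", 53000 + i, 53, 64, 1))
        flows.append((2000 + i, "10.64.9.20", victim, "udp", 53, 53000 + i, 3200, 3))
    for i in range(1, 11):
        flows.append((3000 + i, f"10.64.2.{i}", "93.184.216.34", "tcp", 50000 + i, 443, 900, 8))
    return flows
```

On a NAT’d IPv4 pool the scan detector never fires for flows captured inside the translator, because unsolicited inbound packets are dropped at the NAT before they become flows; run it on the public side of the translator, or on the IPv6 pool, to see the exposure the text warns about.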

New adware

Adware has definitely been on the increase in 2015, and the ads themselves are becoming more sinister. One of interest is BetterSurf, a moderate-threat-level Windows adware. It arrives with software bundlers that offer free applications or games. When installed, it adds a plugin to the Internet Explorer, Firefox and Chrome browsers that injects pop-up ads into web pages. So far it looks like regular, run-of-the-mill adware; however, the ads themselves are dangerous.

Many are phishing attempts that redirect the browser to web sites that try to install additional unwanted applications on the infected device. Some of the ads are full-screen pop-ups designed to look like instructions from Microsoft asking the user to download and install the latest security patch. One pop-up looked like a “blue screen” error with instructions to call a 1-800 number for technical support. Callers reach a “help desk” that immediately asks for remote access to the computer and then charges exorbitant rates for bogus technical support for non-existent problems. A screen shot is shown in Figure 13.

Figure 13. Example of BetterSurf adware infection (screen shot; not reproduced).


Mobile spyware

In the mobile space the use of commercial spyphone apps has really taken off. These apps allow the operator to track the movements of the phone’s owner, their phone calls, text messages, e-mails and browsing habits. Often they are used for reasonable purposes, such as keeping track of one’s children, but there are far more sinister uses for this type of application.

The modern smartphone is also the perfect platform for cyber-espionage. First, it can be used simply as a tool with which the owner (the spy) photographs, films, records audio, scans networks and sends the results straight over the air to a safe site for analysis. Second, in a “bring your own device” (BYOD) context it makes a perfect target for advanced persistent threat (APT) attacks. A smartphone infected with professional mobile spyware allows the attacker to:

• Monitor the victim’s location

• Monitor phone calls and text messages

• Monitor e-mail and contacts

• Access data on the phone

• Take pictures and video

• Record conversations

• Scan and probe the local corporate network

• Exfiltrate data through the air, bypassing corporate firewalls

Summary and conclusion

On the fixed residential side, the overall malware infection rate rose to 15.7% in Q1 and then dropped to 13.1% in Q2. The biggest factor in these changes was moderate-threat-level adware. The infection rate for high-threat-level infections increased in 2015. Currently 6% of homes monitored by Motive Security Guardian are infected with a high-threat-level variety of malware such as bots, rootkits or banking Trojans.

On the mobile front, infection levels rose to 0.75% in Q2 2015 from 0.68% in December 2014. However, the increase was due to infections on Windows PCs and laptops connected to the mobile network via phones, dongles and mobile Wi-Fi hotspots. Android infection rates actually fell in 2015. Less than 1% of the infections are from other devices such as iPhones, BlackBerry smartphones and Windows Phones. The number of Android malware samples in our database more than doubled in the first half of 2015.

Despite the reduction in Android infections in the first half of 2015, vulnerabilities like Stagefright remind us that a major infection event is always possible. We have also noticed that smartphone malware is becoming more sophisticated in both its C&C and its persistence on the device. For the first time we recently witnessed Android malware that was able to survive a factory reset.

In terms of malware trends, on the mobile side we have seen an increase in mobile spyware that tracks the victim’s calls, text messages and location. On the residential side, we have seen a significant increase in adware, with 14 of the top 20 residential infections falling in that category.


Terminology and definitions

This section defines some of the terminology used in the report.

Advanced persistent threat (APT): A targeted cyber-attack launched against a company or government department by professional hackers using state-of-the-art tools, usually with information theft as the main motivation.

Infection vector: The mechanism used to infect a computer or network device. For example, in computers running the Windows operating system, the most popular infection vector is a web-based exploit kit, whereas on the Android phone it is a Trojanized application.

Bot: An infected computer that is part of a botnet. A botnet is a network of infected computers that are controlled remotely via the Internet by cyber-criminals. Botnets are used for sending spam email, ad-click fraud, DDoS attacks, distributing additional malware, Bitcoin mining and a variety of other purposes.

Rootkit: A malware component that compromises the computer’s operating system software for the purposes of concealing the malware from antivirus and other detection technologies.

Trojan: Computer program or application that looks fine on the surface, but actually contains malware hidden inside. From the term Trojan Horse.

High/moderate threat level: We split malware into high and moderate threat levels. High is any threat that does damage, steals personal information or steals money. A moderate threat is one that does no serious damage, but will be perceived by most as annoying and disruptive.

Ad-click fraud: Advertisers pay money, typically a few cents, when someone clicks on a web-based advertisement. Ad-click fraud occurs when someone uses software to fake these ad clicks and collects money from the advertisers for the fake clicks. Typically the ad-click software is packaged as malware and distributed through a botnet that is controlled by cyber-criminals who make money from the ad-click fraud.

Bitcoin mining: Bitcoins are a form of virtual cyber-currency that can be created through complex arithmetic calculations that take a lot of computing power to perform. The process of executing these calculations to generate new Bitcoins is referred to as Bitcoin mining. Cyber-criminals use large botnets to efficiently generate new Bitcoins.

www.alcatel-lucent.com Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners. The information presented is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein. Copyright © 2015 Alcatel-Lucent. All rights reserved. PR1508013821EN (September)

About Motive Security Labs

Motive Security Labs focuses on the behavior of malware communications to develop network detection rules that specifically and positively detect current threats. This approach enables the detection of malware in the service provider’s network, and the signatures developed form the foundation of the Motive Security Guardian product suite.

To accurately detect that a user is infected, our detection rule set looks for network behavior that provides unequivocal evidence of infection coming from the user’s computer. This includes:

• Malware command and control (C&C) communications

• Backdoor connections

• Attempts to infect others (for example, exploits)

• Excessive e-mail

• Denial of Service (DoS) and hacking activity
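As an added illustration, and not Motive's own rule set or code, here is a small Python detector that runs over constructed flow records and flags two of the behaviours listed above: C&C communication recognised by near-constant connection intervals (beaconing), and excessive e-mail recognised by outbound SMTP connection volume. The hosts, addresses, thresholds and record format are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample flow records, not report data: (time_s, src, dst, dst_port)
FLOWS = [
    # 10.0.0.5 contacts one external host at near-constant intervals (C&C-like)
    *[(t, "10.0.0.5", "203.0.113.7", 443) for t in (0, 299, 601, 898, 1202)],
    # 10.0.0.9 opens 60 outbound SMTP connections within a minute (spam bot-like)
    *[(10 + i, "10.0.0.9", f"198.51.100.{i}", 25) for i in range(60)],
    # 10.0.0.2 browses normally: few connections at irregular times
    *[(t, "10.0.0.2", "93.184.216.34", 443) for t in (5, 47, 1000, 1003)],
]

def find_beaconing(flows, min_hits=4, max_cv=0.1):  # C&C heartbeat check
    per_key = defaultdict(list)
    for ts, src, dst, port in flows:
        per_key[(src, dst, port)].append(ts)
    hits = []
    for (src, dst, port), times in per_key.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # a coefficient of variation near 0 means timer-driven, not human, traffic
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            hits.append((src, dst, port, len(times), round(mean, 1)))
    return hits

def find_excessive_smtp(flows, window_s=3600, threshold=50):  # excessive e-mail check
    per_src = defaultdict(list)
    for ts, src, _dst, port in flows:
        if port == 25:
            per_src[src].append(ts)
    hits = []
    for src, times in per_src.items():
        times.sort()
        best = lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] >= window_s:  # slide the window start
                lo += 1
            best = max(best, hi - lo + 1)  # most SMTP connections in any window
        if best >= threshold:
            hits.append((src, best))
    return hits

def classify(flows):  # map each source host to the indicators it triggered
    verdict = defaultdict(list)
    for src, dst, port, n, gap in find_beaconing(flows):
        verdict[src].append(f"C&C beaconing to {dst}:{port} ({n} hits, ~{gap}s)")
    for src, n in find_excessive_smtp(flows):
        verdict[src].append(f"excessive e-mail: {n} outbound SMTP connections")
    return dict(verdict)
```

The normal host 10.0.0.2 reaches the minimum hit count but its irregular gaps keep it below the beaconing threshold, so only the two infected hosts are reported.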

Four main activities support our signature development and verification process:

1. Monitor information sources from major security vendors and maintain a database of currently active threats

2. Collect malware samples (>10,000/day), classify and correlate them against the threat database

3. Execute samples matching the top threats in a sandbox environment and compare against our current signature set

4. Conduct a detailed analysis of the malware’s behavior and build a new signature if a sample fails to trigger an existing one

As an active member of the security community, Motive Security Labs also shares this research by publishing a list of home network infections and the top emerging threats on the Internet — and this report .