Q1 Malware Skyrockets, Spam Levels Decline: McAfee Report
The first quarter of 2011 was the most active in history for malware, with a sharp increase in malware boosted by the explosion of malicious code written for Symbian and Android platforms, according to a McAfee report.
These and other findings were included in McAfee’s Threats Report: First Quarter 2011, which examined the most salient malware threats, phishing attacks and spam during the last three months.
Specifically, the report found that malware experienced a sharp rise, with six million new unique samples, making for the most active first quarter in malware history.
However, the rise in mobile malware contrasted sharply with a significant decrease in spam, which fell to its lowest levels since 2007, primarily resulting from the takedown of the Rostock botnet in March.
’The Q1 Threats Report indicates that it’s been a busy start to 2011 for cybercriminals,’ said Vincent Weafer, senior vice president of McAfee Labs, in a statement. ’Even though this past quarter once again showed that spam has slowed, it doesn’t mean that cyber criminals aren’t actively pursuing alternate avenues. We’re seeing a lot of emerging threats, such as Android malware and new botnets attempting to take over where Rustock left off, that will have a significant impact on the activity we see quarter after quarter.’
In particular, February experienced the biggest spike in malware, with around 2.75 million new samples.
Of the unique samples of malware, fake antivirus appeared prominently, reaching its highest levels in more than a year, totaling 350,000 unique pieces in March.
The rise in malware was attributed to, in part, a growth of mobile malware congruent with the increasing popularity of mobile platforms such as Symbian and Android.
In a whitepaper, ’Mobile Apps Stores Is a Risky Business,’ McAfee researchers said that most Android devices allow side-loading, which is not restricted to one centralized app store, and seriously limits Google’s ability to effectively screen the apps for malware. In Q1, McAfee researchers found that the most prominent types of malware included Android/DrdDream, Android/Drad, Android/Steamyscr.A and Android/Bgyoulu, which were transmitted via mobile online games as well as SMS data.
In addition, McAfee researchers found that cyber criminals also directed attacks utilizing the Zeus botnet toward the mobile platform, with new versions of Zitmo mobile malware for both Symbian and Windows Mobile, designed to steal bank account information, the study found.
However, the rise in mobile malware was tempered with a sharp decline in spam, stemming from the takedown of the Rustock botnet last March. Zeus botnet activity also slowed, however the bot’s authors merged source code with that of SpyEye, in an effort to create large-scale attacks on banking and other major online retail sites.
The disintegration of both Rustock and Zeus was reflected in spam levels bottoming out during the first quarter of 2011 to 1.5 trillion messages per day -- less than half of what it was a year ago.
During Q1, lures for spam varied by region. As expected, high-profile sporting and news events, such as Japan’s earthquake and tsunami, were popular hooks, resulting in an average of 8,600 new malicious sites per day. As usual, product spam, whether phony or real, was the most popular lure throughout the world. A new spam trend also distributed banking Trojans, designed to steal passwords and financial data, along with standard subject line lures such as UPS, FedEx, USPS and the IRS.
Next: New Botnets Replace Rustock, Zeus
However, while spam was on the decline, a crop of new and existing botnets have emerged on the security front to take their place, including Maazben, Bobaz, Lethic, Cutwail and Grum, the report found.
Other trends included a search term abuse, manifesting in SEO poisoning attacks that move up the ranks of search pages on sites such as Google and Bing.
In addition, client side attacks are on the rise, as hackers continue to exploit vulnerabilities in Adobe applications with SQL injection.