Upload File

state of malware report [draft] under embargo … · state of malware report [draft] under embargo...

  • Home
  • Documents
  • STATE OF MALWARE REPORT [DRAFT] UNDER EMBARGO … · STATE OF MALWARE REPORT [DRAFT] UNDER EMBARGO UNTIL JANUARY 31, 2017 Executive summary ... • Adware.MoboGenie – 3.99 percent
17
STATE OF MALWARE REPORT [DRAFT] UNDER EMBARGO UNTIL JANUARY 31, 2017 Executive summary In 2016, we finally saw the headlines catch up with the hype. Cyberattacks and cybersecurity, or a lack thereof, grabbed media attention on both the corporate and consumer sides, even becoming a key issue in the US presidential election. In this respect, you could say that everyone, even those who have never logged on, was affected by cyberattacks and hacking in 2016. To get a better idea of just how much the threat landscape evolved in 2016, we examined data taken from nearly 100 million Windows, Mac, and Android devices in over 200 countries during the June-November 2016 time period. These devices were running Malwarebytes cybersecurity solutions in corporate and consumer environments and reported close to a billion malware detections/incidences in the time period. This is real-world data taken from attack events, not conjecture distilled from tangential data points. In addition, we utilize data obtained from our own internal honeypots and collection efforts to identify malware distribution, not only infection. Three key takeaways 1. Spurred by a massive shift in cybercriminal attack methodology, 2016 was the year that reality caught up to the hype. Threat actors ramped up attacks on businesses while engineering ever-more effective malware variants, including ad fraud and ransomware. 2. Cyberattack methodology and the favored malware tools used to commit cybercrime varies distinctly by nation/geography, reflecting increased “personalization” of cybercrime. 3. While a dedicated group of cybercriminals continues to attack enterprise businesses, low-level attacks focused on the consumer are taking greater advantage of the businesses they do snare. Cybercriminals change their methodology: Ransomware In 2016, ransomware made splashy headlines, and for good reason: In ransomware, cybercriminals truly have built themselves a better mousetrap. While traditional malware like banking Trojans, spyware, keyloggers, etc., requires the cybercriminal to oversee multiple steps before revenue is delivered to their bank account, ransomware makes it a seamless, automated

Upload: dinhthien

Post on 27-May-2018

216 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: STATE OF MALWARE REPORT [DRAFT] UNDER EMBARGO … · STATE OF MALWARE REPORT [DRAFT] UNDER EMBARGO UNTIL JANUARY 31, 2017 Executive summary ... • Adware.MoboGenie – 3.99 percent

STATEOFMALWAREREPORT[DRAFT]UNDEREMBARGOUNTILJANUARY31,2017

ExecutivesummaryIn2016,wefinallysawtheheadlinescatchupwiththehype.Cyberattacksandcybersecurity,oralackthereof,grabbedmediaattentiononboththecorporateandconsumersides,evenbecomingakeyissueintheUSpresidentialelection.Inthisrespect,youcouldsaythateveryone,eventhosewhohaveneverloggedon,wasaffectedbycyberattacksandhackingin2016.Togetabetterideaofjusthowmuchthethreatlandscapeevolvedin2016,weexamineddatatakenfromnearly100millionWindows,Mac,andAndroiddevicesinover200countriesduringtheJune-November2016timeperiod.ThesedeviceswererunningMalwarebytescybersecuritysolutionsincorporateandconsumerenvironmentsandreportedclosetoabillionmalwaredetections/incidencesinthetimeperiod.Thisisreal-worlddatatakenfromattackevents,notconjecturedistilledfromtangentialdatapoints.Inaddition,weutilizedataobtainedfromourowninternalhoneypotsandcollectioneffortstoidentifymalwaredistribution,notonlyinfection.Threekeytakeaways

1. Spurredbyamassiveshiftincybercriminalattackmethodology,2016wastheyearthatrealitycaughtuptothehype.Threatactorsrampedupattacksonbusinesseswhileengineeringever-moreeffectivemalwarevariants,includingadfraudandransomware.

2. Cyberattackmethodologyandthefavoredmalwaretoolsusedtocommitcybercrimevariesdistinctlybynation/geography,reflectingincreased“personalization”ofcybercrime.

3. Whileadedicatedgroupofcybercriminalscontinuestoattackenterprisebusinesses,low-levelattacksfocusedontheconsumeraretakinggreateradvantageofthebusinessestheydosnare.

Cybercriminalschangetheirmethodology:RansomwareIn2016,ransomwaremadesplashyheadlines,andforgoodreason:Inransomware,cybercriminalstrulyhavebuiltthemselvesabettermousetrap.WhiletraditionalmalwarelikebankingTrojans,spyware,keyloggers,etc.,requiresthecybercriminaltooverseemultiplestepsbeforerevenueisdeliveredtotheirbankaccount,ransomwaremakesitaseamless,automated

Page 2: STATE OF MALWARE REPORT [DRAFT] UNDER EMBARGO … · STATE OF MALWARE REPORT [DRAFT] UNDER EMBARGO UNTIL JANUARY 31, 2017 Executive summary ... • Adware.MoboGenie – 3.99 percent

process.Scriptkiddies(hackerswithlittleornocodingskills)canevenbuyturnkeyransomwarekitsknownas“RansomwareasaService”(RaaS)thattakeallthehassleoutofdigitalthievery.Inthefourthquarterof2016alone,wecataloguednearly400variantsofransomware,themajoritycreatedsimplybyanewcriminalgrouptryingtogetapieceofthepie.Thetrendofransomwareisnotnew,however,aswe’vewatcheddistributiongrowthoverthelasttwoyearsandhaveobservedspecificfamiliesthathavemadeittothetopofthecybercrimemarket.

Figure1.January2016Exploit/MalSpamPayloads

Page 3: STATE OF MALWARE REPORT [DRAFT] UNDER EMBARGO … · STATE OF MALWARE REPORT [DRAFT] UNDER EMBARGO UNTIL JANUARY 31, 2017 Executive summary ... • Adware.MoboGenie – 3.99 percent

Figure2.November2016Exploit/MalSpamPayloads

Asyoucanseefromtheabovecharts,ransomwaredistributionbetweenJanuary2016andNovember2016increasedby267percent.Thisisanunprecedenteddominationofthethreatlandscapelikenothingwehaveeverseenbefore.Todelvedeeperintothespreadofransomware,wecanlookatourowndetectionsandtheirgeographicspread:

• Top10countiesimpactedbyransomwareincidents:1. UnitedStates2. Germany3. Italy4. UnitedKingdom5. France6. Australia7. Canada8. Spain9. India10. Austria

• Percentageofransomwareincidentsbycontinent:

Page 4: STATE OF MALWARE REPORT [DRAFT] UNDER EMBARGO … · STATE OF MALWARE REPORT [DRAFT] UNDER EMBARGO UNTIL JANUARY 31, 2017 Executive summary ... • Adware.MoboGenie – 3.99 percent

o Europe 49.26%o NorthAmerica 32.51%o Asia 9.84%o Oceania 3.72%o SouthAmerica 3.67%o Africa 1.00%

Itshouldn’tbeasurprisethattheUnitedStatesisthecountrywiththemostincidentsofransomware,beingoneofthelargestrepresentationsofWesternculture.ManygroupsfromEasternEurope,aswellasacrosstheworld,targetAmericansnotonlybecauseofthewideaccessibilitytotechnology,butalsothemeanstopaytheransomand,possibly,ideologicalviews. However,WesternEuropeisjustasmuchatrisk.OurstatsrevealedEuropetobethecontinentwiththegreatestamountofinfections,withcountrieslikeGermany,Italy,theUKandFrancemakingupthenextfourspotsincountriesimpactedmostbyransomware.Occurrencesofransomwareencountersdiffer,eveninhigh-incidentrateregions.Byvolume:

• 81percentofransomwareattacksagainstbusinessesoccurredinNorthAmerica• 51percentofransomwareattacksagainstconsumersoccurredinEurope

AcountrythatseemstobemissingfromthislistisRussia.Thisisn’tbecauseRussiancitizenshaveafirmgrasponcomputersecurity–thiswillmakemoresenseafterlookingatthetopfamiliesandtheirfunctionality.TopRansomwareFamilies2016In2016,therewerethreemainplayersintheransomwaregame.Oneofthoseplayersdroppedoutoftheraceandtwoothersareconstantlycompetingfordominance.Thesefamiliesare/were:

- TeslaCrypt- Locky- Cerber

Fromthebelowchartyoucanseesomeofthemostprominentfamilieslistedandchartedthroughout2016.

Page 5: STATE OF MALWARE REPORT [DRAFT] UNDER EMBARGO … · STATE OF MALWARE REPORT [DRAFT] UNDER EMBARGO UNTIL JANUARY 31, 2017 Executive summary ... • Adware.MoboGenie – 3.99 percent

Figure3.RansomwareFamilyTrends2016

ThebeginningoftheyearshowedahugespikeintheuseofTeslaCrypt.However,inMayTeslaCryptcloseditsdoorsandreleasedthemasterdecryptionkeyforalltheirvictims.

Figure4.CourtesyofBleepingComputer

WhenTeslaCryptshutdown,itcreatedavacuumthatwasquicklyoccupiedbytwootherrisingfamilies,LockyandCerber.IttookmostofQ3andQ4butthesefamilieshavemanagedtomakeittothesamelevelofdistributionasTeslaCrypthadinMarchandMay.LockyandCerberhavealotincommonasfarasransomwarefamiliesgo.BothfamiliesutilizeRSAlevelencryption,makingthedevelopmentofadecrypterdifficultifnotimpossible.Theybothhavethecapabilitytoencryptfiles“offline”orwithoutneedingtocommunicatewiththeCommandandControl(CnC)serverbeforeinitiatingencryptionoperations,somethingwhichwasoneofthebestmethodsofdefenseintheearlydaysofCryptoLocker.

Page 6: STATE OF MALWARE REPORT [DRAFT] UNDER EMBARGO … · STATE OF MALWARE REPORT [DRAFT] UNDER EMBARGO UNTIL JANUARY 31, 2017 Executive summary ... • Adware.MoboGenie – 3.99 percent

CerberandLockyalsoidentifytheirvictimsbasedonwhichcountrytheyarelikelytoreside.Forexample,ifavictimresidesinRussia,insteadofinfectingandencryptingthesystem,theydonothingatall.Thisisakeyclueinpossibleattributionofthegroupsbehindthesefamiliesasbeingassociatedwith,ifnotlocatedin,EasternEurope.ItalsorevealswhyRussiaisnotonourlistofthetopmostinfectedcountries,despiteitslargepopulationandaccessibilitytotechnology.ThesefamiliesarenotlimitedtoNorthAmericaeither.CerberandLockyarealsothetopransomwarefamiliescurrentlyplaguingcountrieslikeGermany,makingtheirspreadaworldwidethreat.FromanEnterprisepointofview,ransomwarecybercriminalsconcentratedtheireffortsonenterprisebusinesses,particularlyNorthAmericanenterprises,nodoubtrealizingthatthesecompanieshadthemosttolose,andtheresourcestopay.Infact,ransomwaredetectionsoutnumberedbankingTrojandetectionsinNorthAmericanbusinessesbyaratioof3:1.Globally,12.3percentofenterprisebusinessdetectionswereransomware,comparedtoonly1.8percentontheconsumerside. KovterWhileransomwarehasbeentheprimarilydistributedmalwareof2016,thisisn’ttosaythattherehasn’tbeenshiftsindistributionlevelsfrommonthtomonth.Infact,formultiplepartsoftheyear,adfraudmalware,specificallyKovter,hasbeentheprimarypayload,asseenbelow(thegreenline):

Figure5.Exploit/MalSpamDrops2016

Kovterisoneofthemostadvancedfamiliesofmalwarecurrentlyfoundinthewild.Itsportssophisticatedfunctionalitysuchastheabilitytoinfectthesystemwithoutdroppingafilebutratherbycreatingaspecialregistrykey,makingitdifficulttodetectformanyantivirusvendors.Inaddition,itutilizesrootkitcapabilitiestofurtherhideitspresenceandwillactivelyidentify

Page 7: STATE OF MALWARE REPORT [DRAFT] UNDER EMBARGO … · STATE OF MALWARE REPORT [DRAFT] UNDER EMBARGO UNTIL JANUARY 31, 2017 Executive summary ... • Adware.MoboGenie – 3.99 percent

anddisablesecuritysolutions.WhileKovteritselfisnotnew,firstappearingin2015,ithashistoricallybeenusedasadownloaderforothermalwarefamilies,atooltostealpersonalinformation,abackdoorforattackerstogainaccesstothesystemandevenitsownransomwarefamily.However,in2016weobserveditprimarilybeingusedfor“adfraud”whichisatermusedformalwarethathijacksthesystemandusesittovisitandclickonadvertisementsandwebsitesonlinetocreatemoreclicks/hitsforanadcampaign(knownasclick-jacking)runbyeitherthecriminalsbehindtheKovterdeploymentortheirclients.Inadditiontothenoveluseofthemalware,thedistributionhasalsomadesomechangesover2016.WhilepreviouslyKovterwasprimarilyspreadusingdrivebyexploitsandExploitKits,wesawamassivesurgeinitbeingdistributedthroughmaliciousphishingemailsaswell.Thischangeindistribution,combinedwithaverylargetargetoftheUnitedStates,madeKovteroneofthebiggestthreatsofthislastyearforAmericansmorethananyoneelse:Top5countiesimpactedbyKovterinfections:

• UnitedStates 68.64%• Germany 2.58%• Canada 1.65%• France 1.34%• Italy 1.30%

TheimportanceofKovterbeingusedinthisfashionliesinthesamereasonransomwarehastakenoff;itprovidesasourceofdirectprofitfortheattackers.Ratherthansellingpassworddumps,creditcardinformationandsocialmediaaccountstoothercriminals,havingthevictimeitherpaytogettheirimportantfilesbackORutilizingthemtodefraudtheadvertisingindustryarebothviablemethodsofprofitingoffusersdirectly.Thismethodisalsoamassiveclueintothemindsetofthemoderncybercriminalwheretheattacksfocusmoreontheuserandlessonthetechnology.Wewilldiscussthatmorelater.Cybercriminalschangetheirmethodology:AdwareandTechSupportScamsSidesteppingfromadfraudtoadware,weobservedamassivesurgeintheamountwedetectedin2016.Theterm“adware”identifiesaformofmalicioussoftwarethatdisplaysunwantedadvertising,andcancompriseseveralnoxiousmalwaresubspecies,includingPotentiallyUnwantedPrograms(PUPs),browserlockers,andspyware.Inrecentyears,adwarehasgrownmoreaggressiveandintrusive,withVonteeraadwareevendisablingantivirusandanti-malwaresoftwareonthecomputeritinfects.Somevariantsfakeacomputerfailure(BlueScreenofDeath)tospuracalltoashadytechsupportfirmthatwillfixtheuser’scomputerforafee.Thisbehaviorslidesadwareclosertoitsshadiermalwarecousins.

Page 8: STATE OF MALWARE REPORT [DRAFT] UNDER EMBARGO … · STATE OF MALWARE REPORT [DRAFT] UNDER EMBARGO UNTIL JANUARY 31, 2017 Executive summary ... • Adware.MoboGenie – 3.99 percent

Figure6.FakeBSOD

Wefoundadwaretobeanequalopportunityoffenderin2016,posingasignificantproblemfromconsumersandbusinessesalike.Infact,ofthesixcategoriesofmalwarewereviewedforthisstudy,adwarerepresentedthelargestthreatbyvolume.Seventy-eightpercentofthemalwaredetectedonbusinessendpointswasadware.Infact,thisthreatissowidespreadthatweevenfoundsystemsinfectedwithitinAntarctica!CosttoBusiness:MoreAdwareWhileadedicatedgroupofcybercriminalscontinuestolaunchtargetedattacksagainsttheenterprise(especiallyusingransomwareasapayload),businessesareimpactedthemost,byvolume,bylow-level(i.e.lesssophisticated)adwareattacks.Infact,77percentofallthreatsenterprisesseegloballyareadware.Coststobusinesses:

• WhileadwareisclassifiedasaPotentiallyUnwantedProgram(PUP),andthereforenotconsideredasmuchofathreatasransomwareistobusinesses,itcanstillrepresentasignificantcosttotheenterprisetoremediatetheinfectionorre-imagethemachine.

• Adwarealsocreatesdowntimeforemployees,whomayexperienceslowercomputersandpop-upadsthatdistractusersfromproductivity.

Thetopadwarevariantsimpactingtheenterpriseinclude:

• Adware.PremierOpinion–8.86percentoftotaldetections• Adware.MoboGenie–3.99percentoftotaldetections• Adware.Agent–2.07percentoftotaldetections

Whyarelow-levelattacksbeingseenatsuchhighrates?Attacksthatprimarilyfocusontheconsumeraretakinggreateradvantageofbusinessestheyensnare.Ownersoflow-levelcampaignsarepayingmoreattentiontowhomtheyinfect.Iftheyfindtheyareinfectingabusiness,they’llchangethegamebyraisingthepriceofransomwareorlookinglaterallywithin

Page 9: STATE OF MALWARE REPORT [DRAFT] UNDER EMBARGO … · STATE OF MALWARE REPORT [DRAFT] UNDER EMBARGO UNTIL JANUARY 31, 2017 Executive summary ... • Adware.MoboGenie – 3.99 percent

theorganizationfordataofmorevalue.Cybercriminalsaretryingtomaximizetheimpactofthebusinessinfectionstheydoget.Cybercriminalschangetheirmethodology:BotnetsBotnets(anetworkofprivatecomputersinfectedwithmalicioussoftwareandusedtosendspam)havebeenoneofthemostcommonlydevelopedmechanismsfordeployingmalwareforthelast10years.Thisisduetotheirsmallsize,abilitytohideandabilitytoexecuteaninnumerableamountofoperationsdependingonwhatitisdevelopedfor.Thisyear,wesawanewuseforbotnets,tocompromiseandinfecttheInternetofThings(IoT)atermusedfrequentlytodescribeinterconnecteddevicesthataren’tnecessarilyfullyfledgedcomputers.Forexample,athermostatthatallowsitsusertochangethetemperaturefromacrossthecountry,ahomesecuritycamerathatallowstheownertoviewtheirhomeremotely,andevensomebabymonitorsallfallintotheIoTcategory.LateSeptemberamassiveattackusedtheMiraibotnettocompromisemanyIoTdevicesandhomerouters,withalltheinfecteddevicestakingordersfromasinglesource.Onceassemblingthearmyofbots,theattackerusedwhatisreferredtoasaDDoS(DistributedDenialofService)attacktobringdowncertainwebsites,notably“KrebsonSecurity”.Amonthlater,Miraiwasusedtoattackoneofthebackbonesoftheinternet,Dyn,andindoingsopreventedmillionsofusersfromaccessingpopularsiteslikeTwitter,RedditandNetflix.ThistypeofmalwareiseasyenoughtoevadesimplybyupdatingsecuritypatchesforIoTdevicesandusingnon-standardconfigurations.Forexample,creatingcustompasswordandadministratorloginsandremovingwhatcomesdefault.OneofthekeyfeaturesofMiraiwasnotonlyscanningtheinternetforconnecteddevices,butalsoutilizinganinternaldatabaseofdefaultusernameandpasswordstogainaccesstothedevices.ApartfromMirai,2016wasnotagreatyearforbotnets,atleastnotintheUnitedStates.However,AsiaandEuropedealtwithanincreaseinvariantsdevelopedfrompopularfamilies.Forexample,theKelihosbotnet,grew785percentinJulyand960percentinOctober,whileIRCBotgrew667percentinAugustandQbotgrew261percentinNovember.

• Percentageofbotnetsbycontinent:o Asia 53.97%o Europe 13.21%o NorthAmerica 11.03%o SouthAmerica 5.79%o Africa 3.81%o Oceania 0.45%

Asitturnsout,Germanydealtwithaseriousbotnetproblem.Thecountrysawa550percent

Page 10: STATE OF MALWARE REPORT [DRAFT] UNDER EMBARGO … · STATE OF MALWARE REPORT [DRAFT] UNDER EMBARGO UNTIL JANUARY 31, 2017 Executive summary ... • Adware.MoboGenie – 3.99 percent

increaseintheamountofbotnetdetectionsfrom2015to2016. Cybercriminalschangetheirmethodology:MalwareDistributionOneofthebiggestchangesintermsofdistributionin2016wastheuseofattachedscriptstophishinge-mails.ThesescriptsusuallyresideinsideofaZIPfileandonceopenedandlaunched,wouldreachouttoaremoteservertodownloadandinstallmalicioussoftwareonthesystem.

Figure7.MaliciousphishingemailwithZIPfileattached

Anothermethodthatbecamepopularagainin2016includedtheuseofmacroscriptsinsideofMicrosoftOfficedocuments(.docx,.xlsx,etc.)whichwouldexecuteoncetheuseropensthedocumentandenabledmacros.Utilizingsophisticatedsocialengineeringtactics,theattackerscoaxedtheuserintoenablingthesefeatures,whichwouldalsodownloadandexecutemalwareonthesystem.

Page 11: STATE OF MALWARE REPORT [DRAFT] UNDER EMBARGO … · STATE OF MALWARE REPORT [DRAFT] UNDER EMBARGO UNTIL JANUARY 31, 2017 Executive summary ... • Adware.MoboGenie – 3.99 percent

Figure8.MaliciousWordDocumentusingsocialengineeringtogettheusertoenablemacros

Inadditiontothechangesinwhatwasattachedorhowmalwarewasinstalledonthesystemthroughphishingattacks,therewasamassiveincreaseoftheuseofthismethodoverexploitkitsinJune.Thereasonforthisisbecauseoneofthemajorexploitkitsof2015andtheearlypartof2016,Angler,shutdownitsoperations.Anglerwastheexploitkittopdogforquiteawhileandevennow,morethansixmonthslater,therehasyettobeanexploitkitthathasrisentoitssamelevelofusebycybercriminals.However,RIGexploitkitismakingarapidascensiontotaketheplaceofAnglerandwearelikelytoseemorefromthiskitin2017.ThemajorityofexploitsusedbyRIGareprimarilypre-existingexploitsagainstpatchedvulnerabilitiesforInternetExplorer,FlashandSilverlight,whichreinforcestheimportancetokeepyoursoftwareuptodate.Inaddition,muchoftheactivityhasbeentargetingthegeographicareaaroundKorea,TaiwanandSingapore.Thisdistributiontrendislikelygoingtochangesoon,butinthemeantime,utilizinganomalousbehavioractivitymonitorsaswellasheuristicdetectionenginesshouldprotectusersfromtheseattacksandthepayloadstheydrop.Educationisalsoanimportantfactorwhendealing

Page 12: STATE OF MALWARE REPORT [DRAFT] UNDER EMBARGO … · STATE OF MALWARE REPORT [DRAFT] UNDER EMBARGO UNTIL JANUARY 31, 2017 Executive summary ... • Adware.MoboGenie – 3.99 percent

withphishing.Inanenterpriseenvironment,refreshingyouremployeesonhowtorecognizeaphishingattackwouldbeidealtocombatthisthreat.Cybercriminalschangetheirmethodology:AndroidmalwareOverthelastfewyears,themobilethreatlandscapehasn’tchangedmuch.MobilemalwarecreatorsareprimarilystillplayingcatchupbyattemptingtoduplicatemaliciousfunctionalityfoundinmodernWindowsdesktopmalware,whichcanbedifficultwhenitcomestotheAndroidoperatingsystem.However,anotabletrendin2016wastheincreaseduseofrandomizationutilizedbythemalwareauthorsinanattempttoevadedetectionfrommobilesecurityengines.Thishasresultedinaseriousincreaseintheamountofmobilemalwarebeingdetected.Infact,morethanhalf(53.1percent)ofallconsumerthreatsdetectedaroundtheworldin2016wereAndroidmalware,includingmobileransomware.

Figure9.AndroidRansomware

Interestingly,Brazil,Indonesia,PhilippinesandMexicomadethetop10countriesformobilemalwaredetections.However,mobilemalwareiswidelydispersed,withthefourtopregionsgettingsimilarsharesofmobilemalwaredissemination.Only15percentagepointsseparatethe

Page 13: STATE OF MALWARE REPORT [DRAFT] UNDER EMBARGO … · STATE OF MALWARE REPORT [DRAFT] UNDER EMBARGO UNTIL JANUARY 31, 2017 Executive summary ... • Adware.MoboGenie – 3.99 percent

topregion,Europe(31percentofmobilemalware)fromthefourth-highestregion,SouthAmerica(15percentofmobilemalware).Thebrightsideis,whiletherearemoremobilemalwarevariantscurrentlyinthewildthaneverbefore,mostofthemareonlyfoundonthirdpartyappstores.So,thebestadvicetoavoidthisthreatwouldbetosticktotrustedsourcesliketheGooglePlayStore,utilizemobilesecuritysoftwaretonotonlydetectmobilemalwarebutalsoaudityourcurrentsecurityconfigurationandidentifyappsthatareaskingforafewtoomanypermissions.Malwareattacksvarybynations/geographyOurdatashowedregionaldifferencesinthemalwareusedandtheattackmethodology.Unsurprisingly,US-targetedandEuropean-targetedattackswerehighlydifferentiated:

• TheUSrecordedthemostmalwaredetections,andleadsallcountriesinthedetectionsofeverycategorycharted,exceptbankingTrojans.(Turkeyleads)

• RansomwareisamoresignificantthreatinNorthAmericaandEuropewhilebankingTrojansaremoreprevalentinSouthAmericaandAsia.

• AsianbusinessesseetwiceasmanybankingTrojansasransomwaredetections.• Brazil,Thailand,VietnamandTurkeyallmadethetop10countriesforbankingTrojan

incidents.• However,whenlookingatcontinents,ratherthancountries,Europehadthemost

numberofmalwaredetections.(mostsheernumberofdetections)• Amongthemalwarecategoriesexaminedinthisreport,Europeingeneralisthemost

malware-riddencontinent,andsaw20percentmoreinfectionsthanNorthAmericaand17timesmorethanOceania.

• Europeleadsallcontinentsinransomware–49percentofransomwaredetectionswerefromEurope-baseddevices.

• EuropeleadsallcontinentsinAndroidmalware—31percentofAndroidmalwaredetectionswerefromEurope-baseddevices.

• Europeleadsallcontinentsinadware—37percentofadwaredetectionswerefromEurope-baseddevices.

Europeanmalware:SetsSightsonFrance,UKandSpain

• ThecountrieshithardestbymalwareinEuropeareFrance,theUKandSpain—althoughtheVaticanCitysawthesteepestrisewitha1,200percentincreaseinallmalwarevariantsduringthetimeperiod!

• TheUnitedKingdomwasthesecondmosttargetedcountryinEuropeforalltypesofmalwarebehindFrance.Inthesix-monthperiod,theUKsawalmosttwiceasmanyincidentsasRussia.

• Germanyisthesecond-mostimpactedcountrybyransomware,followingtheUS,supportingthetheorythatmalwareauthorsuseGermanyasatestinggroundfortheirwaresbeforewiderdistribution.

• Meanwhile,Russiawasdisproportionatelyunder-impactedbyransomware,butremains

Page 14: STATE OF MALWARE REPORT [DRAFT] UNDER EMBARGO … · STATE OF MALWARE REPORT [DRAFT] UNDER EMBARGO UNTIL JANUARY 31, 2017 Executive summary ... • Adware.MoboGenie – 3.99 percent

themostpopulartargetforbankingTrojans–thoughstillahuge41percentbehindTurkey,whichwasthehardesthit.

Page 15: STATE OF MALWARE REPORT [DRAFT] UNDER EMBARGO … · STATE OF MALWARE REPORT [DRAFT] UNDER EMBARGO UNTIL JANUARY 31, 2017 Executive summary ... • Adware.MoboGenie – 3.99 percent

2017PredictionsRansomwareLookingbackatthelastyearandthetrends,shiftsandtakeoverconcerningransomware,wehaveafewpredictionsaboutwhatwearelikelytoseein2017.Itispossiblethatwiththemajorplayerstakingthemainstageattheendoftheyear,weareunlikelytoseemany,ifany,advancedfamiliesenterthemarketandrisetothesamelevelasCerberandLocky.Thistrendwillcontinuefrom2016wherenearly60percentoftheransomwarevariantsdetectedinthelastsixmonthswerelessthanone-year-old,furtherdrivinghomethefactthatmostransomwareinexistencetodayisdevelopedbynewcomerstotheransomwareindustry.Morethanlikely,wewillcontinuetoobserveunsophisticatedfamiliesemergetomakeaprofitfromamateurcybercriminalsandinturn,thesefamilieswilllikelymakeitpossibletodevelopdecryptorstoassistthevictimsofthemalware.Unfortunately,aswith2016,thesesmallerfamiliesarelessdistributedandsometimesnotevenseeninthewild.So,whiledecryptordevelopmentwillbehelpfultosomevictims,manyofthosewithencryptedfilesareleftwithlimitedoptions.TheonefunctionalitythatmightmakeagreaterimpactwithsmallerfamiliesistheabilitytomodifytheMasterBootRecord(MBR)whichisaparamountpartofasystembeingabletobootintoitsoperatingsystem.Oncemodified,thesystemwillbootintoalockscreensetupbythemalware,demandingpaymenttonotonlydecryptfilesbutalsorestoreaccesstothemainoperatingsystem.

Figure10.PetyaLockscreen

Page 16: STATE OF MALWARE REPORT [DRAFT] UNDER EMBARGO … · STATE OF MALWARE REPORT [DRAFT] UNDER EMBARGO UNTIL JANUARY 31, 2017 Executive summary ... • Adware.MoboGenie – 3.99 percent

MBRransomwarehasbeenobservedthroughout2016withfamilieslikePetyaandGoldenEye,howeverthisfunctionalityhasyettobecomepartofthefeaturesofferedbyCerberorLocky.Theadditionofthisfunctionalityreducedtheoptionsforavictimtobasically“PayorWipe.”Inotherwords,giveintothecriminalsdemandsorcompletelywipethesystemandstartfresh,losingeverything.MalwareDistributionOvertheyears,wehaveobservedonlyonestabletruthofthemalwaredevelopmentanddistributionworld-distributionthroughe-mail.Asmentionedpreviously,phishingattacksincludingmaliciousattachmentshadabigcomebackinthesecondhalfoftheyear.However,wepredictthatexploitkits(RIGspecifically)arelikelytobecomethestandardfordistributionofmalwareagainintheverynearfuture.TheinitialsignofanewseasonforexploitkitdominationtypicallyalignswiththecreationofZero-Dayexploits,orcodethattargetsvulnerabilitiesforwhichthereisnopatchcurrentlyavailabletoprotecttheuser.OnceyouhearaboutanewFlashorInternetExplorerexploit,expectdrive-byexploitsandmalvertisingtogetmoreattentionshortlyafter.However,asbefore,wewillnotseemaliciousphishingattacksdisappear.Duetothenewdevelopmentsinthedownloadandinstallationofmalwareoriginatingfromphishingemails,aswellastheuseofmacroscriptsinOfficedocuments,thismethodofattackwillcontinueatsteadylevelsthroughouttherestoftheyear,likelywithincreasedsophistication.PotentiallyUnwantedProgramsWeprimarilycoveredAdwareasbeingoneofthelargestdetectedthreatsof2016.However,thetermPotentiallyUnwantedPrograms(PUP)spansnumeroustypesofsoftwarefromtoolbarstoregistrycleanersand,asmoreandmoresecuritycompanieshavestartedtodetectthisformofsoftware,theactorsbehinditsdevelopmentanddistributionhavemodifiedtheirmethodstoensurethegreatestamountofexposure.ThesemethodsincludemodifyingtheirsoftwarejustenoughtoslidebythecriteriamanysecuritysoftwarecompaniescreateforclassifyingPUPs,workingtogetherwithTechSupportScamorganizationstoshareuserbases,changingthenameoftheirproductsandcompaniesandotheractivitieswhicharemoreakintomalwareauthorsthan‘legitimate’companies.Wecanexpectthesedevelopmentstocontinueinto2017,likelywithsophisticatedPUPsbecomingmoreaggressive.InternetofThingsTheIoTisafantasticsignofourfuturerealityandassuchisbeingdeveloped,adoptedandanalyzedheavilybyusers,securitypersonnelandcompanies.However,thesurgeofnew

Page 17: STATE OF MALWARE REPORT [DRAFT] UNDER EMBARGO … · STATE OF MALWARE REPORT [DRAFT] UNDER EMBARGO UNTIL JANUARY 31, 2017 Executive summary ... • Adware.MoboGenie – 3.99 percent

developmentswithlackofconcernforsecurityhasresultedinbotnetslikeMiraibeingabletotakedownabackboneoftheinternet.Itisimperativethat,asacommunity,weencouragedevelopersofIoTdevicestospendthetimenecessaryinmakingsurethesedevicesarenotonlysafeandfunctional,butalsosecureenoughtonotbeusedfornefariouspurposes.Despitewhattheindustrydecidestodo,becomemoresecureorignoreitaltogether,thedoorshavebeenopenedbymalwarelikeMiraifornewmalwaredevelopmentandattackstrategiesutilizedbycybercriminalstostealpersonalinformation,reducepersonalsafetyandcreateliteralrobotarmiesin2017.


Reversing malware analysis training part8 malware memory forensics

Ch 12: Covert Malware Launching - samsclass.info · Practical Malware Analysis Ch 12: Covert Malware Launching Last revised: 4-10-17. Hiding Malware • Malware used to be visible

Android Malware Exposed-Evolution of Android Malware

MALWARES MALWARE REVIEWED ISE DE Malware Reviewed · MALWARES There are public reports about spreading of malware named as ServHelper malware. It is a backdoor malware used by attacker

Using optimization algorithms for malware deobfuscationsigurnost.zemris.fer.hr/ns/malware/2010_spasojevic/Diplomski_Spasojevic.pdf · Using optimization algorithms for malware deobfuscation

Reversing & malware analysis training part 8 malware memory forensics

Reversing malware analysis trainingpart9 advanced malware analysis

Reversing & malware analysis training part 9 advanced malware analysis

Intrusion Detection and Malware Analysis - Malware collection134.2.173.140/lehre/ws10/ids-malware/12-malware-collection.pdf · Intrusion Detection and Malware Analysis Malware collection

Malware Nilgün Kablan. Malware …………………………………….…….……………………………………………… Geschichte der Malware ……………….…………………………………………………

Advanced Malware Analysis Training Session 7 - Malware Memory Forensics

Windows Malware Firewall: Remove Windows Malware Firewall

Chapter 8 Malware - FTMS · – Boot virus – Logic Bomb virus – Directory virus – Resident virus. CSCA0101 Computing Basics 8 Malware Types of Malware ... Malware Types of Malware

Analisis dan Deteksi Malware Menggunakan Metode Malware

Malware & Anti-Malware

Intrusion Detection and Malware Analysis - Malware collection

Mobile Malware Network View - Black Hat · Mobile Malware Network View ... ... Windows Malware impacts mobile

Threat Bulletin Fileless Malware The Stealth Attacker · Threat Bulletin See. Control. Secure. Fileless Malware - The Stealth Attacker Fileless malware (FM), aka “non-malware”,

Metamorphic Malware 1 Metamorphic Malware Research

Advanced malware analysis training session6 malware sandbox analysis

THE EVOLUTION OF MALWARE & FUTURE MALWARE MITIGATION

Malware Analysis Analysis.pdf · Definisi Malware Analysis • What is a malware? • Malware (malicious software) ... Malware Sinkronisasi Token • Pelaku: Zeus Banking Trojan •

Malware and anti-malware (fun with Trojans) - Z. …z.cliffe.schreuders.org/edu/FS/Malware and anti-malware... · 2014-04-02 · Malware and anti-malware (fun with Trojans) ... with

Malware Detection with Malware Images using …cosc.canterbury.ac.nz/research/reports/HonsReps/2018/...Malware Detection with Malware Images using Deep Learning Techniques by Ke HE

La primera será malwarebytes anti-malware. Un vez ... · Malwarebytes Anti-Malware Malware ANTI-MALWARE Registros Lista de ignorados Configuración Más herramientas Escáner Protección

Malware, Malware y más Malware ¿Cómo me puedo proteger? “Dijo el cliente web”

Malware Analysis and Antivirus Technologies: Kernel Malware & A Look at Malware … · 2011-08-16 · Malware Analysis and Antivirus Technologies: Kernel Malware & A Look at Malware

Malware Analysis Without Looking At Assembly Codegauss.ececs.uc.edu/Courses/c5155/pdf/malware-analysis.pdf · 2015. 11. 20. · Malware Analysis Malware typically employs encryption:

1 Automated malware audit service Automatischer Malware Audit

Malware Analysis Workshop June 5, 2012 - CCDCOE · Malware Analysis Workshop June 5, 2012 ... •Malware Analysis methods ... •Some malware doesnt run in Norman Sandbox

Fileprint analysis for Malware Detectionwl318/papers/wormpaper2005.pdfWORMS 2005 Columbia IDS Lab June 19, 2005 1 Review Draft Fileprint analysis for Malware Detection Columbia University

Evaluating Open Source Malware Sandboxes with Linux malware

Malware - Northern Kentucky University · Malware detection. 2. Theory of malware. 3. ... target backdoors and worm flaws. ... Malware factories . are software and processes to

Malware and Anti-Malware Seminar by Benny Czarny

DRAFT 6 - Anti-Malware Testing Standards Organization · ©Anti-Malware Testing Standards Organization, Inc., ... opaque or unfair testing can create misleading results and ... NSS