Windows Malware Annual Report 2015
Windows Malware Annual Report 2015 and Prognosis 2016
February 2016
Copyright RedSocks B.V. © 2014-2016. All Rights Reserved.

Table of Contents
1. Introduction
2. Summary
2.1. Data Breaches and Security News
     Cybercriminals use these WEAK PASSWORDS to exfiltrate stolen data
     The EU General Data Protection Regulation is now law!
3. Methodology
3.1. Collecting Malware
3.2. Processing Malware
3.3. Detecting Malware
3.4. Classifying Malware
4. Trends
4.1. Adware
4.2. Backdoors
4.3. Exploits
4.4. Rootkits
4.4. Trojans
4.5. Worms
4.6. 64-Bit Malware
4.7. Others
5. Geolocation
6. Final Word and Prognoses 2016
Appendix A: The Numbers

1. Introduction
This is the second Windows Malware Year report from the RedSocks Malware Research Lab. RedSocks is a 100 percent Dutch company specializing in malware detection. Our product, the RedSocks Malware Threat Defender, is a network appliance that analyses digital traffic flows in real time, based on algorithms and lists of malicious indicators. This critical information is compiled by the RedSocks Malware Intelligence Team (RSMIT). The team consists of specialists whose job it is to identify and analyse new threats and trends on the Internet and to translate our analyses into state-of-the-art malware detection capabilities.
With this report we hope to give the reader a deeper insight into the trends we see in the malware we process, looking at the data collected during 2015 and our prognoses for 2016. At RedSocks we analyse large numbers of malicious files on a daily basis, so we can only cover a few topics briefly in this annual report.
Protecting your data from Internet-based threats is not an easy task, and relying solely on protection from Anti-Virus companies - no matter how established their brand - is not enough. Comprehensive protection requires an entirely new approach.

2. Summary
The overall detection by Anti-Virus software in 2015 was only 65.73 percent.
In 2015, over 101 million new and unique malicious files were processed in the RedSocks Malware Labs. Compared with 2014, that is an increase of 116 percent. The overall detection by Anti-Virus software was only 65.73 percent, which is a small decrease of 1.78 percent when compared to the overall detection of 2014.
Please note that identification rates can change based on the samples chosen, the scanning engines used, and the time of scanning.
In 2015, a total of 8.3 million unique files were identified as Adware - a decrease of 19 percent when compared with 2014. The number of unique files identified as backdoor in 2015 was 601 thousand, a 52 percent decrease when compared to the number of backdoor files found in 2014. The Anti-Virus software identified 30,982 exploits and 67,496 rootkits in 2015. The identified exploits decreased by 12 percent, and the rootkits increased by 145 percent when compared to the amounts from 2014. A total of just under 13.7 million Trojan files were found in 2015 - a decrease of 53 percent when compared with 2014.
Looking at the new and unique malicious files, most were worms. Over 15.1 million worm files were identified in 2015, a 321 percent increase when compared with 2014. Grouped together, all other malicious files - such as flooders, hacktools, spoofers, spyware, viruses, etc. - added up to 18.4 million unique malicious files, a decrease of 20 percent when compared to the number of files found in 2014.
Within the top 10 countries hosting C&C servers, there was little change in 2015. As in 2014, the United States is still leading, followed by the Russian Federation. China took third place in 2015 from Germany. The sum of the top 10 hosting countries dropped by 24 percent when compared with 2014. The Netherlands hosted a total of 1,916 active C&C servers in 2015, a drop of 4 percent when compared with 2014. Within the top 10 countries, The Netherlands dropped from 6th place in 2014 to 7th place in 2015.
116% - In 2015, with an average of 277,797 new malicious files per day, the total number of samples processed was 101.4 million, an increase of 116 percent compared to 2014.
25% - Comparing the number of active C&C servers of the top 10 countries with 2014, a decrease of 25 percent is visible.
The top 10 countries together were responsible for 27,683 active C&C servers.
10.98% - In 2015, the average detection by antivirus engines was only 54.39 percent. This is a drop of 10.98 percent when compared with the 65.37 percent on average of 2014.

2.1. Data Breaches and Security News

Cybercriminals use these WEAK PASSWORDS to exfiltrate stolen data
The art of hacking has become extremely simple in the last couple of years. In the past 10 years, hundreds of new remote administration tool builders were released to the public.
[Figure 01: Wolf Rat V2.1 Control Center]
The hacking (cybercrime) community took the code of Remote Administration Tools and made sure that these tools would stay alive without the official developer: the community continued to work on RATs and, as a result, we are still seeing RATs.
“But once the art of hacking becomes more simplified, more people will be able to perform hacking attempts.”
Top 10 C&C passwords
In order to get some insight into the password hygiene of cybercriminals, we analysed 17,373 binaries for this blog post. From those binaries, we were able to create the following top 10 chart of the C&C passwords most used by cybercriminals.
[Figure 02: Top 10 RAT C&C Passwords Used By Cybercriminals - in chart order: abcd1234, admin, 123456, mypass, cybergate, 1234, 12345, @client, $321$, 123456789]
(Source: http://redsocks.nl/blog-2/cybercriminals-use-these-weak-passwords-to-ex-filtrate-stolen-data/)

The EU General Data Protection Regulation is now law!
The EU’s General Data Protection Regulation (GDPR) has achieved final approval after a long two-year process.
With the final draft clearing up a few ambiguities and loose ends, many are calling it a ‘milestone of the digital age.’ Here are a few key points regarding the GDPR:
• A company can be fined up to 2% for not having its records in order (article 28), not notifying the supervising authority and data subject about a breach (articles 31, 32), or not conducting impact assessments (article 33). More serious infringements can be fined up to 4% of annual revenue.
• The EU GDPR rules apply to both controllers and processors, that is, also to “the cloud”, so cloud providers are not off the hook when it comes to GDPR enforcement.
Data Protection Officers
You will likely need a Data Protection Officer (DPO) according to article 35. If the core activities of your company involve “systematic monitoring of data subjects on a larger scale”, or large-scale processing of ‘special categories’ of data - racial or ethnic origin, political opinions, religious or philosophical beliefs, biometric data, health or sex life, or sexual orientation - then you are required to have a DPO.
Data Breach Notification
Article 31 tells us that controllers are required to notify the appropriate supervisory authority of a personal data breach within 72 hours (at the latest) of learning about the exposure if it results in a risk to the consumer. But even if the exposure is not serious, the company still has to keep records of it internally.
Rapid incident response and remediation
The guidelines, which have now been published, stipulate that incidents must be reported within three working days of becoming aware of them.
With the RedSocks Malicious Threat Detector (MTD) network solution, which analyses digital traffic flows in real time, malicious traffic is detected in real time, helping your organization:
• To simplify data breach reporting
• To put in place a data breach notification procedure
• To create compliance statements for annual business reports
• To set up and undertake regular compliance audits
• And to store your data forensically sound for up to 36 months
For more information contact us at sales@redsocks.nl.
(Source: http://redsocks.nl/news/the-eu-general-data-protection-regulation-is-now-law/)

3. Methodology

3.1. Collecting Malware
At the RedSocks Malware Research Labs, we track large numbers of malware from our globally distributed honeypots, honey-clients, spam-nets, and various botnet monitoring sensors. Due to the distribution of our honeypots, we are able to automatically collect and process new malicious samples from across the globe. We also exchange large quantities of malicious files with the Anti-Virus industry.
[Figure 03: Storage in GBs Needed 2015 vs. 2014 (chart title: Space in GBs to Store Only the New Samples 2015 vs. 2014)]
In 2015, we needed 51.2 Terabytes of disk space to store only the new and unique malicious samples. This is an increase of 124 percent when compared with 2014.
[Figure 04: Unique New Malicious Files 2015 vs. 2014]
As figure 04 shows, over 101 million new and unique malicious files were collected and processed in 2015. This is 14.2 million more files - an increase of 116 percent - when compared with 2014. With just over 11.3 million new malicious files, May was the busiest month of 2015.

3.2. Processing Malware
Working with malware is what we love to do.
In 2015, on average, 278,000 new malicious files arrived at our automated malware collecting machines every day. This is a slight increase on the 239,000 of 2014. All samples were renamed according to their hash calculation. We then checked whether that particular piece of malware had already been processed.

3.3. Detecting Malware
At RedSocks Malware Labs we use an in-house classification system for grouping malware. We have classified over 300 types, for which we have created detailed statistics. Once multiple antivirus scanners (in ‘paranoid’ mode) have performed their on-demand scan, we know which malware was detected by them and, perhaps more importantly, which was not. Figure 05 shows the percentage detected per month for 2015 in green and the missed samples in red.
[Figure 05: Detection by Anti-Virus Engines 2015 (chart title: Detection by Anti-Virus Software 2015; months January to December on the x-axis, 0% to 100% on the y-axis)]
In 2015, the average detection by anti-virus engines was only 54.39 percent. This is a drop of 10.98 percent when compared with the 65.37 percent on average of 2014. A stunning 45.5 million new malicious files were not detected by Anti-Virus Software in 2015.

3.4. Classifying Malware
We categorise malware according to its primary feature. In 2015, malware was grouped as follows; Table 01 lists the sub-types under each of the six main categories:

Backdoors: Backdoors, Bot-Trojans
Exploits: ADODB, HTML, Java, JS, Linux, MSExcel, MSPPoint, MSWord, OSX, PDF, Script, SWF, Win32, Win64
Rootkits: (no sub-types listed)
Trojans: (D)DoS Trojans, Banking Trojans, Batch Trojans, FakeAV, GameThief Trojans, Generic Trojans, IRC Trojans, Java Trojans, LNK Trojans, Packed Trojans, Password Stealing Trojans, Proxy Trojans, Ransom Trojans, Rogue Trojans, Script Trojans, SMS Trojans, Spy Trojans, Trojan Clickers, Trojan Dialers, Trojan Downloaders, Trojan Droppers, Trojan Flooders, Trojan Mailfinder, Trojan Notifiers, Trojan RATs, WinREG Trojans
Worms: Email-Worms, Generic Worms, IM-Worms, IRC-Worms, Net-Worms, P2P-Worms, Packed Worms, Script Worms
Others: Adware, (D)DoS Tools, AV Tools, Constructors, DOS based, Encrypted Malware, Flooders, Fraud Tools, Generic Malware, Hack Tools, Macro based Malware, Heuristic, Monitors, Nukers, Porn-Dialers, Porn-Downloaders, Porn-Tools, PSW-Tools, PUPs, RemoteAdmin, Riskware, Spammers, Spoofers, SpyTools, Spyware, Suspicious, Viruses
Table 01: Malware Categories 2015
The ‘Others’ category consists of malicious samples that do not fit in any of the six main categories. See appendix A for the numbers by month and category.

4. Trends
Discovering malware-propagation trends starts with an analysis of the raw data behind the collection and processing of malware. From October to December, RedSocks Malware Research Labs identified the following trends by malware category.

4.1. Adware
The number of new malicious files identified as Adware has been dropping since it reached 1.6 million in November 2014.
[Figure 06: Files Identified as Adware 2015 vs. 2014]
In figure 07 we can see the distribution of Adware in 2015.
[Figure 07: Distribution of Adware 2015]
The total of new files identified as Adware is 8.3 million for 2015, a decrease of nearly 16 percent when compared with 2014.

4.2. Backdoors
In 2015, over 601,000 unique files were identified either as having been infected with a backdoor, or as having backdoor functions. This is a decrease of 52 percent when compared with the 1.3 million of 2014.
[Figure 08: Files Identified as Backdoor 2015 vs. 2014]
In figure 09, we see that the number of new files identified as backdoor, or as having bot functions, forms a wave between 27,000 and 70,000 unique samples.
[Figure 09: Distribution of Backdoors 2015]
Wabot.a was first reported on March 14, 2014. In 2015 it was by far the most seen backdoor. When the backdoor is executed, it creates two files in the %System% directory: an executable copy of itself and a text file containing ASCII art. It adds an auto-start entry to the registry. The backdoor renames itself to that file and adds random data to the end of itself so that it matches the file's length.

Top 10 Backdoor Families 2015
Family                            Amount
Backdoor.Win32.Wabot.a            87,292
Backdoor.Win32.Generic            55,594
Backdoor.Win32.Poison.dyvj        39,664
Backdoor.Win32.Allaple.a          26,934
Backdoor.Win32.DarkKomet.xyk      19,542
Backdoor.Win32.Plite.bhrm         19,361
Backdoor.Win32.Padodor.gen        13,630
Backdoor.Win32.Agent.dele         12,701
Backdoor.Win32.Udr.a               9,121
Backdoor.Win32.Spammy.gf           7,768
Table 02: Top 10 Backdoor Families 2015

4.3. Exploits
Exploits are used for attacking computer systems, especially by taking advantage of a particular vulnerability. In 2015, 30,982 unique files were identified as exploit. This is a decrease of 12 percent when compared to 2014.
[Figure 10: Files Identified as Exploits 2015 vs. 2014]
[Figure 11: Distribution of Exploits 2015]
In figure 11, we can see that the exploits identified in June peak at a surprising 8,327 new examples.
Looking closer we see that, by far, the most identified exploits take advantage of vulnerabilities in Adobe’s PDF Reader.

Top 10 Exploit Families 2015
Family                            Amount
Exploit.PDF.Generic               17,875
Exploit.Script.Generic             2,817
Exploit:W32/Kakara.A               1,316
Exploit:W32/CVE-2010-0188.C        1,186
Exploit.JS.Pdfka.fhg               1,144
Exploit.PDF-JS.Gen                 1,129
Exploit.JS.PDF.EE                    909
Exploit.CVE-2009-0927.Gen            876
Exploit.JS.Pdfka.fmg                 730
Exploit.JS.Pdfka.fkc                 683
Table 03: Top 10 Exploit Families 2015

4.4. Rootkits
A rootkit is a type of software designed to hide the fact that an operating system has been compromised. This can be done in various ways, such as replacing vital executables or introducing a new kernel module. Rootkits allow malware to hide in plain sight. Rootkits themselves are not harmful; they are simply used to hide malware, bots, and worms.
[Figure 12: Files Identified as Rootkit 2015 vs. 2014]
The total number of identified rootkits in 2015 was 67,496, a 145 percent increase when compared with 2014.
[Figure 13: Distribution of Rootkits 2015]
Agent.egxj was the most seen rootkit of 2015. The malware is normally compressed with UPX and used to hide other malware. Like other rootkits, Agent.egxj is not able to spread and multiply by itself.

Top 10 Rootkit Families 2015
Family                            Amount
Rootkit.Win32.Agent.egxj          18,370
Rootkit.Win32.Agent.diuy           5,544
Rootkit.Win32.Lapka.an             4,858
Rootkit.Win32.Agent.ehck           3,581
Rootkit.Win32.Plite.pvb            2,933
Rootkit.Win32.Small.bse            2,016
Rootkit.Win32.Small.vkd            1,913
Rootkit.Win32.Agent.dqkh           1,738
Rootkit.Win32.Agent.dqnx             981
Rootkit.Win32.Small.bsf              978
Table 04: Top 10 Rootkit Families 2015

4.4. Trojans
With almost 13.7 million new unique samples in 2015, trojans are no longer the biggest category of malware. On average 37,000 new files per day were identified as trojan in 2015. This is a drop of 53 percent when compared with the number of trojans from 2014.
[Figure 14: Files Identified as Trojan 2015 vs. 2014]
In figure 15 we see the distribution of all the different types of trojans in 2015.
[Figure 15: Distribution of Trojans 2015]
We want to share six of the many trojan subcategories with you. These are the Banking Trojans, Trojan Downloaders, Trojan Droppers, Password Stealing Trojans, Ransom Trojans, and the Spy Trojans.
[Figure 16: Distribution of Banking Trojans 2015]
A total of 82,101 unique files were identified as Banking Trojan in 2015. In May a stunning 26,954 Banking Trojans were identified. With 28,058 unique files, the Banbra.bjyk Banking Trojan was the most common in this subcategory in 2015.

Top 10 Banking Trojans 2015
Family                            Amount
Trojan-Banker.Win32.Banbra.bjyk   28,058
Trojan-Banker.Win32.ChePro.ink     2,364
Trojan-Banker.Win32.Lohmys.a       2,107
Trojan-Banker.Win32.Metel.cai      1,229
Trojan-Banker.Win32.Banker.etk       953
Trojan-Banker.Win32.Dyre.dl          505
Trojan-Banker.Win32.Bancos.u         482
Trojan-Banker.Win32.Bancos.ha        414
Trojan-Banker.Win32.Banz.qdn         349
Trojan-Banker.Win32.Banker.azm       342
Table 05: Top 10 Banking Trojans 2015
[Figure 17: Distribution of Trojan Downloaders 2015]
On average 2,728 unique samples per day were identified as Trojan Downloader in 2015. In total 995,616 unique samples were classified as Trojan Downloader.
In August, we saw almost 205,000 Trojan Downloaders. Table 06 lists the top 10 Trojan Downloader families, and table 07 the top 10 Trojan Droppers.

Top 10 Trojan Downloaders 2015
Family                                 Amount
Trojan-Downloader.Win32.Klevate.j      44,071
Trojan-Downloader.Win32.Agent.hfxr     42,625
Trojan-Downloader.Win32.Upatre.dfv     32,823
Trojan-Downloader.Win32.Generic        29,501
Trojan-Downloader.Win32.Adload.hkrf    23,912
Trojan-Downloader.Win32.Small.jzm      16,128
Trojan-Downloader.Win32.Adload.icjy    14,905
Trojan-Downloader.Win32.Adload.cfms    13,714
Trojan-Downloader:Win32.Upatre.I       13,592
Trojan-Downloader:Win32.Upatre.D       12,576
Table 06: Top 10 Trojan Downloaders 2015

Top 10 Trojan Droppers 2015
Family                                 Amount
Trojan-Dropper.Win32.Dinwod.unm       343,412
Trojan-Dropper.Win32.VB.canh           33,588
Trojan-Dropper.Win32.Agent.bjpedi      12,581
Trojan-Dropper.Win32.Agent.sbcy        10,224
Trojan-Dropper.Win32.Injector.ltsy      9,763
Trojan-Dropper.Win32.Agent.jkob         8,764
Trojan-Dropper.Win32.Injector.hxbu      8,639
Trojan-Dropper.Win32.Agent.peok         7,623
Trojan-Dropper.Win32.Agent.jkoa         7,050
Trojan-Dropper.Win32.Daws.awfy          5,612
Table 07: Top 10 Trojan Droppers 2015
[Figure 18: Distribution of Trojan Droppers 2015]
In 2015, a total of 1,135,946 samples were identified as Trojan Dropper. Most Trojan Droppers were intercepted in May (275,390). With 343,412 unique samples, Dinwod.unm was by far the most common Trojan Dropper of 2015.
[Figure 19: Distribution of Trojan PWS 2015 (chart title: Distribution of Password Stealing Trojans 2015)]
Password Stealing Trojans were identified in 366,949 unique samples in 2015. During August we identified an incredible 92,901 unique malicious files as Password Stealing Trojans.
With 33,145 unique samples, the OnLineGames.bomg malware family was by far the most common Password Stealing Trojan of 2015.

Table 09: Top 10 Password Stealing Trojans 2015

Family                                 Amount
Trojan-PSW.Win32.OnLineGames.bomg      33,145
Trojan-PSW.Win32.OnLineGames2.nf       13,659
Trojan-PSW.Win32.OnLineGames.tcou      12,087
Trojan-PSW.Win32.QQPass.cosb            8,709
Trojan-PSW.Win32.OnLineGames.tavh       6,683
Trojan-PSW.Win32.OnLineGames.bomh       6,267
Trojan-PSW.Win32.OnLineGames.bomf       6,264
Trojan-PSW.Win32.Makuha.bxs             5,407
Trojan-PSW.Win32.Tepfer.gen             4,539
Trojan-PSW.Win32.Magania.dpvu           4,112

Table 08: Top 10 Ransom Trojans 2015

Family                                     Amount
Trojan-Ransom.Win32.Blocker.mgn            33,676
Trojan-Ransom.Win32.Agent.ife              28,888
Trojan-Ransom.Win32.Crypmodadv.fe           6,424
Trojan-Ransom.Win32.Blocker.pxa             5,918
Trojan-Ransom.Win32.PornoAsset.cphk         5,014
Trojan-Ransom.Win32.Blocker.frrr            4,395
Trojan-Ransom.Win32.Foreign.mvgc            1,748
Trojan-Ransom.Win32.Cidox.aajq              1,730
Trojan-Ransom.Win32.Cryptodef.zv            1,587
Trojan-Ransom.Win32.PornoBlocker.bbeo       1,545

Figure 20: Distribution of Ransom Trojans 2015

210,106 unique samples were identified in 2015 as Ransom Trojan, of which a stunning 70,245 samples were identified in March. The Blocker.mgn family was, with 33,676 samples, by far the most common Ransom Trojan of 2015.

Figure 21: Distribution of Spy Trojans 2015

Looking at the Spy Trojans, 654,743 unique samples were identified in 2015. In table 10 we can see that Lydra.aamt and Agent.cpyi, with 182,691 and 77,505 samples respectively, were the most common Spy Trojans of 2015. By far the most Spy Trojans were identified in April: 141,671.

Table 10: Top 10 Spy Trojan Families 2015

Family                            Amount
Trojan-Spy.Win32.Lydra.aamt      182,691
Trojan-Spy.Win32.Agent.cpyi       77,505
Trojan-Spy.Win32.Agent.cvbc       15,995
Trojan-Spy.Win32.Zbot.sjqo        12,814
Trojan-Spy.Win32.Zbot.rmwh        10,013
Trojan-Spy.Win32.Zbot.sjyj         9,791
Trojan-Spy.Win32.Zbot.qntr         9,302
Trojan-Spy.Win32.Agent.btsm        8,508
Trojan-Spy.Win32.Zbot.side         7,836
Trojan-Spy.Win32.Zbot.txpe         7,240

4.5. Worms

We identified worm traces and functionalities in more than 15.1 million new files – a stunning increase of 321 percent when compared to the 4.7 million worms of 2014.

Figure 22: Files Identified as Worm 2015

Figure 23: Distribution of Worms 2015

In figure 22, we see that from July the number of identified worms increases rapidly. In December the number of identified worms was a stunning 3.1 million. In table 11, we can see that the most common worm is Allaple.e. Allaple.e is a network worm that was first reported back in 2008. It spreads by replicating across existing network shares with weak passwords; Allaple.e uses brute force to get access to the network shares. It makes modifications to the system settings and the registry, which may cause the system to perform slower than usual. Allaple.e is a computer threat that should be taken seriously.

Table 11: Top 10 Worm Families 2015

Family                          Amount
Net-Worm.Win32.Allaple.e    12,457,172
P2P-Worm.Win32.Sytro.o       1,538,081
Net-Worm.Win32.Allaple.b       737,100
Net-Worm.Win32.Allaple.a       304,254
Worm.Win32.VBNA.alxm           249,145
P2P-Worm.Win32.Sytro.j         184,614
Email-Worm.Win32.Runouce.b     115,501
P2P-Worm.Win32.Picsys.c         72,119
P2P-Worm.Win32.Sytro.k          61,395
Worm:W32/Palevo.DZ              56,100
Figure 24: Distribution of the Allaple.e Net-Worm 2015 (daily counts, 19/02/2015 to 24/12/2015)

4.6. 64-Bit Malware

Malware designed to run on Windows 64-bit was identified in nearly 242,000 new malicious samples in 2015, a decrease of 25 percent when compared with 2014.

Figure 25: Files Identified with 64-Bit Malware 2015 vs. 2014

In figure 24, we see that in September 62,910 samples were identified with 64-bit malware.

Figure 26: Distribution of 64-Bit Malware 2015

A closer look at all the 64-bit malicious files reveals that 50.72 percent are viruses. Second, with 31.29 percent, is the adware, followed by the tools with 14.52 percent. Only 1.5 percent were trojans. In table 12, we can see the top 10 64-bit malware families of 2015.

Table 12: Top 10 64-Bit Malware Families 2015

Family                         Amount
Win64.Expiro.Gen.3             48,076
AdWare.Win64.Agent.ar          27,795
Win64.Expiro.Gen.2             27,751
NetTool.Win64.NetFilter.k      25,207
Win64.Expiro.A                 14,094
Win64.Expiro.Gen.4             10,445
NetTool.Win64.NetFilter.l       7,388
Virus.Win64.Expiro.e            6,275
AdWare.Win64.Agent.j            5,386
Virus.Win64.Expiro.f            3,227

4.7. Others

After the backdoors, exploits, rootkits, trojans, worms, and the 64-bit malware, we are still left with 18.4 million identified malicious files. This is a decrease of 20 percent when compared with 2014.

Figure 27: Files Identified as Other Malware 2015 vs. 2014

Figure 28: Distribution of Other Malware 2015

Within the category Other Malware, we find Macro-based malware. Macro-based malware was identified in 52,968 new malicious samples in 2015.

Figure 29: Files Identified as Macro-based Malware 2015

Figure 28 shows the distribution of Macro-based malware per month for 2015. Most Macro-based malware was identified in February (9,398). September was, with 8,550 samples, second. During the last quarter of 2015, Macro-based malware declined rapidly in popularity. In table 7, we see that Macro-based malware is primarily targeting Microsoft Excel and Word.

Table 13: Top 10 Macro-based Malware 2015 (Top 10 Macro Families Q4-2015)

Family                                  Amount
Virus.MSExcel.Agent.f                   14,247
Virus.MSWord.Marker.kn                   4,505
Virus.MSExcel.Sic.f                      2,508
Trojan-Downloader.MSWord.Agent.oa        1,865
Virus.MSExcel.Laroux.jm                  1,700
Virus.MSWord.Xaler.g                     1,642
Trojan-Dropper.MSWord.Agent.jj           1,511
Virus.MSExcel.Laroux.zc                  1,360
Virus.MSExcel.Laroux.cs                  1,299
Virus.MSExcel.NetSnak.a                  1,289

5. Geolocation

When we compare the amounts of active C&C servers of the top 10 countries with 2014, a decrease of 25 percent is visible. The top 10 countries together were responsible for 27,683 active C&C servers.

Figure 30: Top 10 C&C Hosting Countries 2015 vs. 2014 (1)

In April and in August the number of active C&C servers dropped dramatically. This is a direct effect of the multi-national effort by Microsoft, the FBI, and security companies to disrupt various large botnets.
Figure 29 gives a closer look at the top C&C-hosting countries in 2015 and 2014.

Figure 31: Top 10 C&C Hosting Countries 2015 vs. 2014 (2)

Like in 2014, the United States still led the pack (8,626), followed by the Russian Federation (4,444). Germany could be found in 3rd place in 2014. In 2015 the 3rd place is for China (2,559).

Table 14: Top 10 Countries Hosting C&C 2015 vs. 2014

2015                           2014
United States        8,626     United States        13,512
Russian Federation   4,444     Russian Federation    5,736
China                2,595     Germany               3,242
Germany              2,463     United Kingdom        3,016
United Kingdom       2,069     China                 2,293
Ukraine              1,927     The Netherlands       1,992
The Netherlands      1,916     Ukraine               1,772
France               1,397     Turkey                1,509
Korea                  983     Korea                 1,235
Canada                 357     Iran                    843

The Netherlands, as a hosting country for C&C servers, dropped one place and ended up 7th in 2015. In figure 30, we can see the number of active C&C servers per month for The Netherlands.

Figure 32: Active C&C Servers in The Netherlands 2015

The multi-national clean-up in April and August also had a direct impact on the number of C&C servers hosted in The Netherlands.

6. Final Word and Prognoses 2016

Without a decent working crystal ball, we cannot predict the future. We can make a few prognoses for 2016 based on the data we have collected, processed, and analysed in 2015.
In 2015, with an average of 277,797 new malicious files per day, the total number of samples processed was 101.4 million, an increase of 116 percent compared with the amount of new malicious files from 2014.

Table 15: Identified Malware per Category 2015 vs. 2014

Category     Total 2015   % of Total Identified   Compared with 2014
Adware        8,265,109   14.78%                   +0.06%
Backdoors       601,319    1.08%                   -0.81%
Exploits         30,982    0.06%                   +0.00%
Rootkits         67,496    0.12%                   +0.05%
Trojans      13,684,161   24.47%                  -19.23%
Worms        15,131,085   27.05%                  +19.99%
Others       18,382,908   32.45%                   -0.07%

For 2016 a 120 percent increase is expected, bringing the amount of new malicious files to ~125 million. For 2016 we can make the following prognoses:

• Adware numbers have been dropping in 2015, but we expect to see them grow to ~10 million in 2016.
• The amount of backdoors, botnets, and C&C servers has been going up and down. They drop after clean-up operations, but pop up elsewhere in the same or slightly modified versions. C&C servers will remain the most used method for cybercriminals to control large international networks of infected clients.
• The hunt for exploits is on. Large companies, like Microsoft and Google, spy agencies, and security researchers all over the world are looking for bugs to exploit, and so will the cybercriminals. Exploits decreased 12 percent in 2015, but are expected to increase to 40,000 for 2016.
• Rootkits have increased 145 percent in 2015. If this trend continues, we might reach 100,000 new rootkit samples in 2016.
• In 2014, ~43 percent of the new malicious files we analysed were trojans. In 2015, only 25 percent of all the new malicious files were identified as trojan. For 2016, we expect the amount of new trojans to stabilise around 15 million.
• During 2014, cybercriminals gained interest in worms as tools for financial gain. Of all the new malware we have seen in 2015, around 15 million were worms. If this trend continues, we might see ~50 million worms in 2016, but we don't think so. A more realistic estimate would be 20 to 25 million.
• The amount of 64-bit malware dropped by 25 percent in 2015. Because cybercriminals don't really need 64-bit versions of their malware, it is hard to say if this is going to be a trend or not. For 2016 we expect around 400,000 new and unique 64-bit samples.

2016 will be a year with many small and large data breaches, new exploits and vulnerabilities, and international spying and hacking. Cybercriminals will use mobile malware and, via BYOD, infect, hack, and spy on your work. The growing popularity of cloud storage, and in particular the home-based clouds, will be exploited by cybercriminals for their own usage and get infected with ransomware. In 2016 more ransomware will infect additional smart devices like smart TVs, smartwatches, etc.

The RedSocks Malware Intelligence Team has formulated five predictions for the year ahead. These predictions conclude that in 2016, cyber security threats will become the new normal, yet security efforts and behaviours – of both businesses and consumers – will fail to catch up.

Hybrid threats using cyber-attacks as a battering ram will continue to rise. Cyber-attacks are increasingly being used as part of a bigger plan. Concepts and techniques from the commercial hacker industry (aimed at gaining financial advantage) will increasingly be incorporated into nation-sponsored and targeted cyber-attacks. Critical environments and supervisory control and data acquisition (SCADA) systems will continue to be targeted. Since they target operational capabilities within power plants, factories and refineries, SCADA attacks tend to be political in nature. Well-known examples of such attacks are Shamoon hitting companies in the oil and gas industry, such as Saudi Aramco, and Stuxnet, sabotaging the Iranian nuclear program.
Harmful hardware will play a growing role in the risk and strength of cyber-attacks. Why? First, the chance of acquiring hardware components with a backdoor is high. And as Edward Snowden revealed, western countries are no stranger to using this tactic. Second, hardware is cheap as chips. This means it could cost as little as €9,000 to build a 1,000-core machine capable of wreaking exponential havoc.

Virtualized environments – Cyber security on a shoestring will leave companies virtually exposed. Virtualized environments are complex and create new network layers. According to Gartner, the hypervisor layer is particularly vulnerable to attack because of the privileged position it holds in the stack. As organizations move to virtualized environments, security needs to be designed in from the outset to deliver effective protection. The increase in system complexity, driven by developments such as virtualization, IoT and mobile, is still not being matched with an increase in security effort or budget. Both remain minimal.

Mobile payments will become increasingly attractive to cyber criminals. The growth of mobile payment platforms is currently overwhelming. Banks' investment in security for new mobile platforms doesn't (yet) match this growth. Traditional banking tools such as ATMs and bank/credit cards are increasingly difficult to hack or copy. However, with mobile payments on the rise, criminals' interest will gravitate towards these new forms of digital (mobile) payments.

Hacktivism will spread substantially. Generation Z (those aged between 5 and 19) is coming of age in the aftermath of the great recession and the era of the war on terrorism. Hacktivism, their means of rebellion, will rise significantly. Recent attacks on Ziggo in the Netherlands and TalkTalk in the UK have shown that these teenagers do not shy away from paralyzing large parts of national networks.
All generations will be confronted by more fake social media profiles, which criminal organizations are using to educate followers for criminal activities (grooming).

On a larger scale, hacktivism will continue to be used by nations as a strategy to intimidate or retaliate. Russia, the ISIS Cyber Caliphate and China are examples of nations or states that are typically associated with this type of attack. A good example of this is the recent Pawn Storm attack on the Dutch Safety Board following publication of its detailed report on the MH17 incident on October 13, 2015.

Cybercrime investigations in 2016 must be robust. Citizens and businesses alike must assume responsibility for their own security. Public sector cyber security levels should also be raised, with government institutions and businesses having access to threat assessments and advanced knowledge about how to reduce vulnerabilities.

Special attention to the public sector is warranted. Public servants working with IT, which is almost all of them, must understand how important they are in the current cyber security arena and step up to the plate. With its sheer scale and reach, the public sector can, and should, become a formidable force in the defence against and defeat of all but the most persistent adversarial actors and cyber threats. It is, after all, the largest organized group that represents a nation.

RedSocks Malware Intelligence Team (Niels Groeneveld, Pepijn Janssen, Adrianus Warmenhoven, Rickey Gevers, and Reza Rafati).

We hope that you have enjoyed our fourth Malware Trend Report of 2015, and that it provided you with insight into the trends we have seen during this quarter of 2015. We continue to innovate, so please check back with us for our next quarterly trend report, which will also include mobile threats. Questions, comments, and requests can be directed to the RedSocks Malware Research Labs.

RedSocks B.V.
W: www.redsocks.nl
T: +31 (0) 55 36 61 396
E: info@redsocks.nl
G.J. Vroon, Anti-Malware Behavioural Researcher

Appendix A: The Numbers

Disk space (GB), new samples and detected samples per month, 2015 vs. 2014

Month         Diskspace 2015  Diskspace 2014  New Samples 2015  New Samples 2014  Detected 2015  Detected 2014
January                4,706           3,016         6,961,880         6,958,809      2,779,828      4,617,329
February               4,308           2,731         5,989,640         5,177,386      2,464,672      3,383,198
March                  4,104           3,272         7,031,834         8,206,419      2,816,098      6,153,370
April                  4,284           3,348         7,770,861         7,101,558      3,084,641      5,421,834
May                    4,878           3,071        11,315,818         6,766,688      6,989,419      5,058,110
June                   3,809           2,956         8,794,698         7,185,853      5,027,612      5,707,969
July                   3,798           3,949         7,893,833         8,679,055      3,601,974      6,600,384
August                 4,262           3,647         8,919,549         7,370,594      5,358,500      5,741,453
September              3,281           3,549         9,471,431         6,580,583      6,115,967      5,339,496
October                5,179           3,616         9,317,916         7,233,993      6,457,363      6,235,241
November               4,352           3,969         8,628,175         8,150,025      5,317,162      6,826,556
December               4,216           4,087         9,300,184         7,788,370      5,917,462      5,705,904
Grand Total           51,177          41,211       101,395,819        87,199,333     55,930,698     66,790,844

Adware, Backdoors and Exploits per month, 2015 vs. 2014

Month         Adware 2015  Adware 2014  Backdoors 2015  Backdoors 2014  Exploits 2015  Exploits 2014
January           535,462      304,819          63,626         114,006          3,338          2,156
February          407,114      310,829          26,501          62,443          2,237          5,316
March              12,813      574,776          56,181         187,311          2,112          4,497
April                 574      909,793          40,398         184,083            345          2,409
May               785,173      712,782          65,356          70,316          1,559          2,598
June              689,028      720,297          46,843          54,097          8,327          1,222
July              811,100      865,256          50,483          39,407          1,086          1,835
August          1,326,380      902,668          59,404          94,489          4,626          1,647
September       1,196,560      742,090          70,197         117,540          5,429          2,094
October         1,095,267    1,036,728          59,081         102,062            610          1,628
November          690,082    1,646,837          31,962         136,043            160          4,329
December          715,556    1,100,656          31,287         100,514          1,153          5,298
Grand Total     8,265,109    9,827,531         601,319       1,262,311         30,982         35,029

Rootkits, Trojans and Worms per month, 2015 vs. 2014

Month         Rootkits 2015  Rootkits 2014  Trojans 2015  Trojans 2014  Worms 2015  Worms 2014
January               2,725          2,289     1,592,039     2,253,204      85,573     243,197
February              1,193          1,456     1,007,195     1,445,814     138,671     211,503
March                 4,524          2,248     1,460,899     2,969,842     126,303     185,658
April                 8,478         17,678     1,018,494     2,195,606     132,813     432,775
May                  12,287          1,769     2,204,454     2,161,105   1,435,055     348,065
June                  2,538          2,775       793,623     2,659,318   2,461,350     311,519
July                  2,496          3,301     1,015,408     2,354,007     417,760     772,820
August               24,138          5,969     1,195,820     2,494,340     573,818     306,350
September             2,178          1,052     1,398,650     2,001,113   1,563,707     392,367
October               3,530          2,480     1,033,545     2,579,294   2,245,907     408,064
November                867          1,928       479,176     3,618,789   2,817,724     622,495
December              2,542          3,493       484,858     2,450,271   3,132,404     482,449
Grand Total          67,496         46,438    13,684,161    29,182,703  15,131,085   4,717,262

Other Malware per month, 2015 vs. 2014

Month         Other Malware 2015  Other Malware 2014
January                  650,679           1,697,658
February                 939,040           1,345,834
March                  1,174,735           2,229,039
April                  1,883,539           1,684,339
May                    2,485,535           1,761,475
June                   1,025,903           1,981,372
July                   1,303,641           2,563,757
August                 2,174,314           1,935,990
September              1,879,246           2,083,236
October                2,019,423           2,104,987
November               1,297,191           2,119,592
December               1,549,662           1,563,220
Grand Total           18,382,908          23,070,499

REDSOCKS

RedSocks is a cyber-security company specialised in malware detection. RedSocks supplies RedSocks Malicious Threat Detection (MTD) as a hardware or a virtual network appliance. This innovative appliance analyses digital traffic flows in real time based on the algorithms and lists of malicious indicators compiled by the RedSocks Malware Intelligence Team. This team consists of specialists in identifying new threats on the internet and translating them into state-of-the-art malware detection.

www.redsocks.eu