With six million unique samples of recorded malware, Q1 2011 was the most active first quarter in malware history, according to McAfee.
The report revealed many of the trends that had a significant impact on the threat landscape, such as the takedown of the Rustock botnet, which resulted in spam remaining at its lowest levels since 2007, and confirmed that mobile malware is the new frontier of cybercrime.
February 2011 saw the most new malware samples of the quarter, at approximately 2.75 million samples. Fake anti-virus software had a very active quarter as well, reaching its highest levels in more than a year, totaling 350,000 unique fake-alert samples in March 2011.
Malware attacks on Android devices
Malware no longer affects just PCs. As Android devices have grown in popularity, the platform solidified its spot as the second most popular environment for mobile malware behind Symbian OS during the first three months of the year.
A McAfee Labs mobile application security whitepaper, released today in conjunction with this McAfee Threats Report, discusses how most Android devices allow the “side-loading” of apps and are not restricted to getting them from a centralized app store, and there is no centralized place where Google can check all apps for suspicious behavior. (See Downloading from Mobile App Stores Is a Risky Business.)
The researcher Lompolo recently found a series of Android applications carrying backdoor Trojans in the Android Market and, with the estimated download rate of tens of thousands to the hundreds of thousands, the number of users who could be affected is significant. In Q1 2011 McAfee Labs found that the most prominent types of Android mobile malware were Android/DrdDream, Android/Drad, Android/SteamyScr.A and Android/Bgyoulu, which affected everything from games to apps to SMS data.
The cybercriminals behind the Zeus crimeware toolkit have also directed attacks toward the mobile platform, creating new versions of Zitmo mobile malware for both Symbian and Windows Mobile systems to steal user bank-account information.
Rustock and Zeus takedowns result in spam decline
The takedown of the Rustock botnet resulted in the shutoff of major zombies and command structures that caused spam volumes to fall all over the world.
Spam, which has been at its lowest levels since 2007 in the past few quarters, significantly dropped once again to less than half of what it was only a year ago—at approximately 1.5 trillion messages per day, outnumbering legitimate email traffic by only a 3:1 ratio.
Although Zeus botnet development has declined, the author has apparently shifted efforts to merging the Zeus source code with the SpyEye botnet, resulting in large-scale threats affecting banking and online transactions. As of March 2011, the most recent SpyEye botnet can thrive on more than 150 modules, such as USB thumb drives, instant messaging and Firefox certificates.
Spam may be at its lowest levels in years, but many botnets are in the position to fill the gap left by the decline of Rustock and Zeus; the competition includes Maazben, Bobaz, Lethic, Cutwail and Grum.
There was a strong uptick in new botnet infections toward the end of Q1, most likely due to the reseeding process, where cybercriminals slow down activity in order to spend time rebuilding botnets. The botnet takedowns have resulted in an increase in the price of sending spam on the underground marketplace, showing that the laws of supply and demand also apply to cybercrime.
Cybercriminals often disguise malicious content by using popular “lures” to trick unsuspecting users. Spam promoting phony or real products was the most popular lure in most global regions. In Russia and South Korea, drug spam was the most popular; and in Australia and China, fake delivery status notifications were among the most popular.
Q1 also brought a new trend among “banker” Trojans, malware that steal passwords and other data, that use popular lures in their spam campaigns such as UPS, FedEx, USPS and the IRS.
McAfee Labs saw some significant spikes in malicious web content that corresponded with high-impact news events such as the Japanese earthquake and tsunami and major sporting events, with an average of 8,600 new bad sites per day.
In the same vein, within the top 100 results of each of the daily top search terms, nearly 50 percent led to malicious sites, and on average contained more than two malicious links.