Security Response

Symantec Intelligence Quarterly April - June, 2011

Introduction

This report discusses notable aspects of malicious activity that Symantec observed from April 1 to June 30, 2011. It also includes a timeline of notable events for the period, as well as two additional articles on noteworthy security threats: the Qakbot worm and MACDefender rogue security software.

Symantec has established some of the most comprehensive sources of Internet threat data in the world with the Symantec™ Global Intelligence Network. More than 240,000 sensors in over 200 countries and territories monitor attack activity through a combination of Symantec products and services such as Symantec DeepSight™ Threat Management System, Symantec™ Managed Security Services, Norton™ consumer products, and third-party data sources.

Symantec also gathers malicious code intelligence from more than 133 million client, server, and gateway systems that have deployed its antivirus products. Additionally, the Symantec distributed honeypot network collects data from around the globe, capturing previously unseen threats and attacks and providing valuable insight into attack methods.

In addition, Symantec maintains one of the world’s most comprehensive vulnerability databases, currently consisting of more than 40,000 recorded vulnerabilities (spanning more than two decades) affecting more than 105,000 technologies from more than 14,000 vendors. Symantec also facilitates the BugTraq™ mailing list, one of the most popular forums for the disclosure and discussion of vulnerabilities on the Internet, which has approximately 24,000 subscribers who contribute, receive, and discuss vulnerability research on a daily basis.

Contents
Introduction ...... 1
Highlights ...... 2
Metrics ...... 2
Timeline ...... 11
Articles ...... 12

Symantec Intelligence Quarterly: April-June, 2011 Security Response

Spam and phishing data is captured through a variety of sources including: the Symantec probe network, a system of more than 5 million decoy accounts; MessageLabs™ Intelligence, a respected source of data and analysis for messaging security issues, trends and statistics; and other Symantec technologies. Over 8 billion email messages (as well as over 1 billion Web requests) are processed each day across 16 data centers. Symantec also gathers phishing information through an extensive antifraud community of enterprises, security vendors, and over 50 million consumers.

These resources give Symantec security analysts unparalleled sources of data with which to identify, analyze, and provide informed commentary on emerging trends in attacks, malicious code activity, phishing, and spam.

An important note about these statistics

The Symantec Global Intelligence Network uses automated systems to map the IP addresses of the attacking systems to identify the country in which they are located. However, because attackers frequently use compromised systems situated around the world to launch attacks remotely, the location of the attacking systems may differ from the location of the attacker.

Highlights

• Approximately 166 million unique malicious code threats were observed this quarter.
• The takedown of two major botnets, Rustock and Coreflood, had a major effect on global malicious activity numbers and rankings, particularly for the United States and Germany, which both dropped significantly in several malicious activity rankings.
• The average number of Web-based attacks per day in this quarter was 138,000.
• Variants of the Ramnit virus rose to prominence during this quarter, fueling a rise in malicious activity rankings for India and Indonesia, where the virus is especially active.

Metrics

Total Unique Malicious Code Threats

Background

Symantec analyzes unique samples of new and existing malicious code variants to determine which threat types and attack vectors are being employed in the most prevalent threats. The number of unique malicious code threats observed in a specific period can provide insight into the overall variance of activity in the threat landscape.

Methodology

Symantec assesses the number of unique malicious code threats that are observed during a reporting period. Malicious code threats are counted as unique from each other when the code is generated using different parameters. The parameters may change depending on the preferences and requirements of the attacker generating them. For example, when an attacker defines which IP address the malicious code should report to after a successful installation, the malicious code will be unique from that which uses a different IP address. There are a multitude of parameters possible, including port numbers, command-and-control (C&C) IPs, activation dates, and specific files to download after installation, to name a few. These numbers are based in part on telemetry data of opt-in participants; therefore, they may not be directly synonymous with the overall number of variants active during the period.
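The methodology above counts every build that differs only in its embedded parameters as a separate threat. The following added example (not Symantec's code and not the report's data) shows the difference between that count and a count that first strips the per-build configuration: a toy binary layout with a "CFG1" marker, an IPv4 C&C address, a port and a campaign tag, and a constructed corpus of five builds from two code bases. The layout, the marker and the samples are all assumptions made for this example.

```python
"""Added example (not Symantec's code): count malicious samples two ways.

A botnet builder typically embeds a small per-build configuration (C&C
address, port, campaign tag) into an otherwise identical binary. Counting
distinct file hashes then counts every build as a new "unique threat";
stripping the configuration region before hashing collapses those builds
back to their code base. The binary layout, the config format and the
samples below are all constructed for this example.
"""
import hashlib
import struct

CONFIG_MAGIC = b"CFG1"          # hypothetical marker preceding the embedded config
CONFIG_LEN = 4 + 4 + 2 + 8       # magic + IPv4 + port + 8-byte campaign tag


def build_sample(code: bytes, c2_ip: str, port: int, tag: bytes) -> bytes:
    """Construct a toy 'binary': code body with a config blob appended."""
    ip_bytes = bytes(int(o) for o in c2_ip.split("."))
    cfg = CONFIG_MAGIC + ip_bytes + struct.pack(">H", port) + tag.ljust(8, b"\0")[:8]
    return code + cfg


def extract_config(sample: bytes):
    """Locate the config blob and decode C&C IP, port and tag; None if absent."""
    idx = sample.find(CONFIG_MAGIC)
    if idx < 0 or len(sample) - idx < CONFIG_LEN:
        return None
    blob = sample[idx:idx + CONFIG_LEN]
    ip = ".".join(str(b) for b in blob[4:8])
    (port,) = struct.unpack(">H", blob[8:10])
    tag = blob[10:18].rstrip(b"\0").decode("ascii", "replace")
    return {"c2_ip": ip, "port": port, "tag": tag}


def normalized_hash(sample: bytes) -> str:
    """SHA-256 of the sample with its config region zeroed out."""
    idx = sample.find(CONFIG_MAGIC)
    if idx >= 0:
        sample = sample[:idx] + b"\0" * CONFIG_LEN + sample[idx + CONFIG_LEN:]
    return hashlib.sha256(sample).hexdigest()


def count_unique(samples):
    """Return (unique file hashes, unique code bases after config stripping)."""
    by_hash = {hashlib.sha256(s).hexdigest() for s in samples}
    by_code = {normalized_hash(s) for s in samples}
    return len(by_hash), len(by_code)


# Constructed corpus: two code bases, several builds each with different C&C parameters.
FAMILY_A = b"\x4d\x5a" + b"A" * 64      # toy code bodies, not real malware
FAMILY_B = b"\x4d\x5a" + b"B" * 64
SAMPLES = [
    build_sample(FAMILY_A, "203.0.113.10", 8080, b"camp1"),
    build_sample(FAMILY_A, "203.0.113.11", 8080, b"camp1"),
    build_sample(FAMILY_A, "203.0.113.12", 443, b"camp2"),
    build_sample(FAMILY_B, "198.51.100.5", 80, b"x"),
    build_sample(FAMILY_B, "198.51.100.5", 81, b"x"),
]

if __name__ == "__main__":
    hashes, code_bases = count_unique(SAMPLES)
    print(f"{len(SAMPLES)} samples -> {hashes} unique hashes, {code_bases} code bases")
    for s in SAMPLES:
        print(extract_config(s))
```

Five builds yield five distinct hashes but only two code bases, which is why a botnet pushing rebuilt binaries from many servers inflates the unique-threat count, and why that count falls when the botnet is taken down. Real families do not mark their configuration this conveniently; in practice the config region is located with a family-specific extractor, and the same normalization is then applied.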


Data

Figure 1 Unique malicious code threats (chart: unique malicious code variants, in millions, by month for April, May, and June)

Observations By the numbers: Approximately 166 million unique malicious code threats were observed this quarter. The drop in unique malicious code threats observed in May and June may indicate that less malicious code was being generated from different sources than in April.

Targeted attacks influence variant numbers: A drop in observed malicious code threats from one month to the next may indicate that attackers are focusing their resources on launching a campaign of targeted attacks, or working to increase their attack resources (e.g., amassing bots) to better facilitate the gathering of sensitive information from which they can profit. For example, the RSA security breach that compromised the company’s SecurID products this past March (of which there are nearly 300 million users) opened an avenue for targeted attacks on RSA customers. As expected, attackers reportedly then used the stolen SecurID data in targeted attacks.
• What the RSA breach means for you (FAQ)
• Data stolen in RSA breach used to target defense contractor

The role of botnets: The lower number of unique malicious code threats in May and June may also be related to the Rustock and Coreflood takedowns earlier in the year (which are discussed further in “Malicious Activity by Source,” below). Malicious code distributed through botnet attacks can contain slightly different code from server to server as parameters change. Therefore, when large botnets are removed from the threat landscape, the number of varying code threats will also subsequently decrease.


Malicious Activity by Source

Background

Malicious activity usually affects computers that are connected to high-speed broadband Internet because these connections are attractive targets for attackers. Broadband connections provide larger bandwidth capacities than other connection types, faster speeds, the potential of constantly connected systems, and typically more stable connections. Symantec categorizes malicious activities as follows:
• Malicious code: This includes viruses, worms, and Trojans that are covertly inserted into programs. The purposes of malicious code include destroying data, running destructive or intrusive programs, stealing sensitive information, or compromising the security or integrity of a victim’s computer data.
• Spam zombies: These are compromised systems that are remotely controlled and used to send large volumes of junk or unsolicited emails. These emails can be used to deliver malicious code and phishing attempts.
• Phishing hosts: A phishing host is a computer that provides website services for the purpose of attempting to illegally gather sensitive, personal and financial information while pretending that the request is from a trusted, well-known organization. These websites are designed to mimic the sites of legitimate businesses.
• Bot-infected computers: These are compromised computers that are being controlled remotely by attackers. Typically, the remote attacker controls a large number of compromised computers over a single, reliable channel in a bot network (botnet), which is then used to launch coordinated attacks.
• Network attack origins: This measures the originating sources of attacks from the Internet. For example, attacks can target SQL protocols or buffer overflow vulnerabilities.
• Web-based attack origins: These are sources of attacks that are delivered via the Web or through HTTP on other systems. Typically, legitimate websites are compromised and used to attack unsuspecting visitors.
Methodology

This metric assesses the sources from which the largest amount of malicious activity originates. To determine malicious activity by source, Symantec has compiled geographical data on numerous malicious activities, including malicious code reports, spam zombies, phishing hosts, bot-infected computers, and network and Web-based attack origins.

The proportion of each activity originating in each source is determined, and the mean of those percentages across all of the activities is calculated for each source. This average is the proportion of overall malicious activity attributed to the source, and the rankings are determined by ordering sources by that mean.

Data

Figure 2 Malicious activity by source, overall

Rank  Source          Percentage
1     United States   22%
2     China           11%
3     Brazil          6%
4     India           6%
5     Taiwan          4%
6     Russia          4%
7     Germany         3%
8     Indonesia       3%
9     Italy           3%
10    United Kingdom  3%


Figure 3 Malicious code by source

Rank  Source          Percentage
1     India           15%
2     United States   13%
3     Indonesia       11%
4     China           5%
5     United Kingdom  4%
6     Vietnam         4%
7     Egypt           4%
8     Bangladesh      3%
9     Brazil          3%
10    Russia          2%

Figure 4 Spam zombies by source

Rank  Source          Percentage
1     Brazil          14%
2     India           13%
3     Russia          9%
4     Vietnam         7%
5     Ukraine         5%
6     Indonesia       4%
7     Pakistan        3%
8     Romania         2%
9     Taiwan          2%
10    Argentina       2%

Figure 5 Phishing hosts by source

Rank  Source          Percentage
1     United States   51%
2     Germany         6%
3     United Kingdom  5%
4     Canada          3%
5     China           3%
6     Colombia        3%
7     France          3%
8     Russia          3%
9     Netherlands     2%
10    Brazil          2%


Figure 6 Bots by source

Rank  Source          Percentage
1     Taiwan          17%
2     Brazil          13%
3     United States   10%
4     Italy           9%
5     Hungary         7%
6     China           7%
7     Poland          6%
8     Germany         5%
9     Japan           5%
10    Argentina       3%

Figure 7 Network attack origins by source

Rank  Source          Percentage
1     China           36%
2     United States   14%
3     Russia          4%
4     Brazil          4%
5     Italy           3%
6     United Kingdom  3%
7     India           3%
8     Taiwan          2%
9     Canada          2%
10    Japan           2%

Figure 8 Web-based attack origins by source

Rank  Source          Percentage
1     United States   44%
2     China           13%
3     South Korea     5%
4     Germany         4%
5     United Kingdom  3%
6     Japan           3%
7     Netherlands     2%
8     Russia          2%
9     France          2%
10    Canada          2%


Observations

Big botnets, big impact: Nearly all of the malicious activity that occurs in the threat landscape, aside from most targeted attacks, is automated using botnets. The large botnet shutdowns in 2011 have resulted in lower overall volumes in the second quarter of 2011 for all malicious activities related to botnets, such as spam zombies and phishing hosts. Notable decreases to numerous types of malicious activity usually result immediately after the infrastructure of a significantly large botnet is crippled or its C&C center is eliminated. This is because its bots are effectively isolated and unable to receive new instructions.

Rustock takedown: The Rustock botnet has been one of the most prominent botnets in recent years. The latest Symantec Threat Report notes that Rustock accounted for 36 percent of all spam globally in 2010, including over 60 percent of all spam in August and October. Legal action taken at the end of the first quarter of 2011, based in part on trademark abuse in spam, was used to seize Rustock’s C&C servers and cut off its communication with its related bots. The result of the operation was a significant decrease in Rustock-related malicious activity that, combined with other botnet takedowns, has resulted in noticeable decreases in overall malicious activity from botnets during this quarter. This is especially true in the United States, where the majority of Rustock bots had been located.
• Symantec Internet Security Threat Report, Volume 16: “Malicious Activity by Source”
• Taking down botnets: Microsoft and the Rustock botnet
• How Operation b107 decapitated the Rustock botnet

U.S. and German zombies disappear: Typically, the United States and Germany rank in the top 10 for spam zombies. For example, in 2010, the two ranked second and third, respectively, behind only Brazil. However, during this reporting period they ranked only 15th and 22nd, respectively. This may indicate that a significant percentage of the spam zombies in those countries were related to the Rustock and Coreflood botnets. While these two botnets did control zombies in other countries, it may be that there is a more diverse distribution of other botnets controlling zombies elsewhere globally than in the United States and Germany. This would result in a less noticeable impact to overall numbers elsewhere in the world following the shutdowns.
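The ranking methodology described under "Malicious Activity by Source" (the mean of a source's percentage across the activity categories) and the observation above that one takedown moved two countries down the spam-zombie ranking can be reproduced together. The following is an added example, not Symantec's code; the country shares, the four-country list and the "OTHER" bucket that absorbs the remainder of each category are constructed for the example and are not the report's figures.

```python
"""Added example (not Symantec's code): the 'malicious activity by source'
ranking as a mean of per-activity percentages, and how removing one
botnet's bots from the spam-zombie category alone moves a country's rank.

The country shares below are constructed for this example and are not the
report's figures; 'OTHER' absorbs the remainder so every category sums to 100.
"""


def validate(shares):
    """Each activity's percentages must sum to 100 (within rounding)."""
    for activity, by_country in shares.items():
        total = sum(by_country.values())
        if abs(total - 100.0) > 0.5:
            raise ValueError(f"{activity} sums to {total}, not 100")


def rank_sources(shares):
    """Mean of a country's percentage across activities, ranked descending.

    A country absent from an activity contributes 0% for it: that is its
    share of that activity, not a missing value."""
    validate(shares)
    countries = {c for by_country in shares.values() for c in by_country}
    means = {c: sum(shares[a].get(c, 0.0) for a in shares) / len(shares)
             for c in countries if c != "OTHER"}
    return sorted(means.items(), key=lambda kv: (-kv[1], kv[0]))


def remove_zombies(shares, country, removed_units):
    """Model a takedown: drop `removed_units` (in percent-of-category units)
    of `country`'s spam zombies and renormalize that category to 100."""
    zombies = dict(shares["spam_zombies"])
    zombies[country] = max(0.0, zombies.get(country, 0.0) - removed_units)
    total = sum(zombies.values())
    zombies = {c: v * 100.0 / total for c, v in zombies.items()}
    return {**shares, "spam_zombies": zombies}


# Constructed shares (percent of each activity attributed to each source).
SHARES = {
    "malicious_code":  {"US": 13, "Brazil": 3, "Germany": 2, "India": 5, "OTHER": 77},
    "spam_zombies":    {"US": 12, "Brazil": 14, "Germany": 8, "India": 13, "OTHER": 53},
    "phishing_hosts":  {"US": 51, "Brazil": 2, "Germany": 6, "OTHER": 41},
    "bots":            {"US": 10, "Brazil": 13, "Germany": 5, "OTHER": 72},
    "network_attacks": {"US": 14, "Brazil": 4, "Germany": 1, "India": 3, "OTHER": 78},
    "web_attacks":     {"US": 44, "Brazil": 1, "Germany": 4, "India": 1, "OTHER": 50},
}

if __name__ == "__main__":
    print("before takedown:", rank_sources(SHARES))
    after = remove_zombies(SHARES, "Germany", 7)
    print("after removing most German zombies:", rank_sources(after))
```

Two properties of the metric show up in the output. Every category is weighted equally, so a source that is dominant in one category (as the United States is for phishing hosts and Web-based attack origins) ranks highly even if it is modest elsewhere. And because each category is a share of a whole, a takedown that removes one country's zombies raises every other country's spam-zombie percentage through renormalization, so a rank change in one country also moves its neighbours in the table.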

Coreflood botnet targeted: In April 2011, the FBI was able to debilitate the Coreflood botnet after being granted a temporary court order that allowed it to replace known Coreflood C&C servers with servers that it controlled. As a result, each time a Coreflood bot contacted an agency-controlled server for instructions, that server would note the IP address of the bot and instruct it to stop operating. This disabled the bot until the next reboot of the compromised computer. Using the logged IP addresses, the FBI then worked with various ISPs to notify users that their computers were compromised and assisted them in the removal of the malicious code.
• FBI vs. Coreflood botnet

India and Indonesia rise in malicious code rankings: Both India and Indonesia ranked higher for malicious code during this reporting period than in 2010. India ranked first this quarter, compared to second during 2010. Indonesia ranked third this quarter, compared to 11th in 2010. One reason for their increases is that the current top three malicious code families (Ramnit, Sality.AE, and Bamital) are very prominent in these two countries. While India’s ranking may be due, in part, to decreases observed in the United States (primarily due to the botnet shutdowns noted above), Indonesia’s rank is mainly due to the overwhelming prominence of three samples: Ramnit, Ramnit.B, and Bamital. In this quarter, these three samples each accounted for more than four times the number of reported potential infections in Indonesia than the next highest sample, with Bamital alone accounting for the majority, by a considerable margin.
• Read more about Bamital
• Read more about Ramnit
• Read more about Ramnit.B
• Read more about Sality.AE


Web-based Attack Prevalence

Background

The circumstances and implications of Web-based attacks vary widely. They may have specific targets or they may be widespread attacks of opportunity that exploit current events, zero-day vulnerabilities, or recent vulnerabilities against which some users are not yet protected. While some major attacks garner significant attention, examining Web-based attacks overall provides insight into the threat landscape and how attack patterns may be shifting. Moreover, analysis of the underlying trend can provide insight into potential shifts in Web-based attack usage and can help determine the likelihood of Web-based attacks increasing in the future.

Methodology

This metric assesses changes to the prevalence of Web-based attack activity by comparing the average number of attacks per day in each month. The averages are based on telemetry data of opt-in participants and, therefore, may not be directly synonymous with overall activity levels or fluctuations that occurred as a whole. However, underlying trends observed in the sample data provide a reasonable representation of overall activity trends.

Data

Figure 9 Web-based attack prevalence (chart: average number of Web-based attacks per day, by month for April, May, and June)

Observations

Ebb and flow: Although the average number of Web-based attacks per day declined during this reporting period, the difference remains within typical fluctuation levels that can occur in the threat landscape. While the data provides an overview of changes within the period, what might appear as potentially large changes in the three months may not be indicative of the trends that are observable over longer year-over-year periods.

Browser specific attacks: Browser detection is a standard step in Web-based attacks. It allows the attack code to launch only the exploit code that has a chance of successfully compromising a potential victim’s browser. If the user’s browser is not vulnerable to one of the attacker’s exploits, then an attack might not be launched at all. This can influence fluctuations in Web-based attacks when new browsers are released. Until vulnerabilities in the software are discovered and exploited, there may be fewer attacks directed at users of the new browser. This may explain some of the decrease observed in June, which coincides with the release of Mozilla Firefox 5. (Firefox is estimated to currently have approximately 20 percent of the market share for Internet browsers.)


Top Malicious Code Samples

Background

Symantec analyzes new and existing malicious code samples to determine which threat types and attack vectors are being employed in the most prevalent threats. This information also allows administrators and users to gain familiarity with threats that attackers may favor in their exploits. Insight into emerging threat development trends can help bolster security measures and mitigate future attacks.

Methodology

This metric assesses the top malicious code samples detected in the current reporting quarter. To determine this, Symantec ranks each malicious code sample based on the volume of potential infections reported during the period. The top 10 malicious code samples are analyzed for this metric.

Data

Figure 10 Top malicious code samples

Rank  Name          Propagation mechanisms                            Impacts/Features
1     Ramnit        Removable drives/executables                      Infects executable files
2     Sality.AE     Removable drives/executables                      Removes security applications and services and downloads files from remote addresses
3     Bamital       N/A                                               Modifies Internet search results to include advertisement URLs
4     Ramnit.B      Removable drives/executables/remote vulnerability Infects executable files and allows remote access
5     Downadup.B    P2P/CIFS/remote vulnerability                     Disables security applications and Windows Update, downloads and installs additional threats
6     .CF           Executables                                       Downloads additional threats, infects executables and allows remote access
7     Almanahe.B    CIFS/mapped drives/removable drives/executables   Infects executable files, ends security related processes and installs additional threats
8     SillyFDC.BDP  CIFS/removable drives/remote vulnerability        Downloads additional threats and sends fake DHCP packets to hijack DNS configurations
9     SillyFDC      Removable drives                                  Downloads additional threats
10    Mabezat.B     SMTP/CIFS/removable drives                        Encrypts and infects files

Observations The Ramnit and Ramnit.B viruses: Ramnit was first discovered in January 2010 and became one of the top 10 malicious code families that year, as discussed in the latest Symantec Internet Security Threat Report. The report also notes that Sality.AE has been a top-ranking sample for several years—by a significant margin in 2010, in particular. The rise in prominence of Ramnit over Sality in the first two quarters of 2011—with Ramnit.B close behind—is a clear indicator of the effectiveness of the Ramnit family.

First discovered in November 2010, Ramnit.B is functionally similar to its predecessor. Ramnit.B, though, has extended its ability to propagate by exploiting the same vulnerability that was exploited by Stuxnet: the “Microsoft Windows shortcut ‘LNK/PIF’ files automatic file execution vulnerability.” Ramnit.B also installs a backdoor on compromised computers, allowing remote access for attackers.
• Read more about Ramnit
• Read more about Ramnit.B


• Read more about Sality.AE
• Symantec Internet Security Threat Report, Volume 16: Malicious code families
• Microsoft Windows shortcut ‘LNK/PIF’ files automatic file execution vulnerability

The SillyFDC.BDP worm: SillyFDC has been a prominent malicious code family since it was discovered in 2007. In March 2011, the variant SillyFDC.BDP was detected, and it has quickly become one of the top 10 reported samples, rising to rank eighth in this quarter.

While able to propagate like other SillyFDC variants by copying itself to removable drives, SillyFDC.BDP can also copy itself to network shares. As with Ramnit.B, it also exploits the “Microsoft Windows shortcut ‘LNK/PIF’ files automatic file execution vulnerability.” It also exploits the “Microsoft Windows Server service RPC handling remote code execution vulnerability.”

Once installed on a compromised computer, the worm will download and install additional threats. One of the threats is known to be the Tidserv worm, which subsequently sets up a backdoor. SillyFDC.BDP also sets up its own DHCP server and hijacks the DNS configurations of computers on the same network that attempt to renew their IP addresses.
• Read more about SillyFDC
• Read more about SillyFDC.BDP
• Read more about Tidserv
• Microsoft Windows Server service RPC handling remote code execution vulnerability
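The rogue-DHCP behaviour attributed to SillyFDC.BDP above is visible on the wire: a host that is not the site's DHCP server answers DHCPDISCOVER/REQUEST with an OFFER or ACK whose DNS-server option points at itself or at an attacker-chosen resolver. The following added example (not from the report and not Symantec's code) parses the options field of a DHCP lease and flags an untrusted server identifier or an unexpected DNS server. The option codes are from RFC 2132; the packets, the trusted-server list and the DNS allow-list are constructed for the example.

```python
"""Added example (not from the report): parse the options field of a DHCP
OFFER/ACK and flag a rogue server or a hijacked DNS setting, the behaviour
attributed to SillyFDC.BDP above. DHCP option codes (53 message type,
54 server identifier, 6 DNS servers, 255 end) are from RFC 2132; the
packets and the trusted-server lists are constructed for this example.
"""
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_PAD, OPT_END = 6, 53, 54, 0, 255
MSG_TYPES = {2: "OFFER", 5: "ACK"}


def build_options(msg_type: int, server_id: str, dns_servers) -> bytes:
    """Construct a DHCP options field (cookie + TLVs) for the sample packets."""
    out = bytearray(MAGIC_COOKIE)
    out += bytes([OPT_MSG_TYPE, 1, msg_type])
    out += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    dns = b"".join(ipaddress.IPv4Address(d).packed for d in dns_servers)
    out += bytes([OPT_DNS, len(dns)]) + dns
    out += bytes([OPT_END])
    return bytes(out)


def parse_options(options: bytes) -> dict:
    """Decode the TLV options after the magic cookie into {code: raw value}.
    Stops at END; tolerates PAD bytes; rejects a truncated option."""
    if not options.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    i, result = len(MAGIC_COOKIE), {}
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        result[code] = value
        i += 2 + length
    return result


def audit_lease(options: bytes, trusted_servers, trusted_dns):
    """Return a list of findings; an empty list means the lease looks legitimate."""
    opts = parse_options(options)
    findings = []
    msg = MSG_TYPES.get((opts.get(OPT_MSG_TYPE) or b"\0")[0])
    if msg is None:
        return findings                      # only OFFER/ACK carry a lease
    server = str(ipaddress.IPv4Address(opts.get(OPT_SERVER_ID, b"\0\0\0\0")))
    if server not in trusted_servers:
        findings.append(f"{msg} from untrusted DHCP server {server}")
    dns_raw = opts.get(OPT_DNS, b"")
    for off in range(0, len(dns_raw) - len(dns_raw) % 4, 4):
        dns = str(ipaddress.IPv4Address(dns_raw[off:off + 4]))
        if dns not in trusted_dns:
            findings.append(f"{msg} from {server} sets DNS server {dns}")
    return findings


# Constructed network policy and sample leases.
TRUSTED_SERVERS = {"192.168.1.1"}
TRUSTED_DNS = {"192.168.1.1", "192.168.1.2"}
LEGIT = build_options(2, "192.168.1.1", ["192.168.1.1", "192.168.1.2"])
ROGUE = build_options(2, "192.168.1.77", ["192.168.1.77"])   # infected peer answering renewals
POISONED_ACK = build_options(5, "192.168.1.1", ["192.168.1.1", "203.0.113.53"])

if __name__ == "__main__":
    for name, pkt in [("legit", LEGIT), ("rogue", ROGUE), ("poisoned", POISONED_ACK)]:
        print(name, audit_lease(pkt, TRUSTED_SERVERS, TRUSTED_DNS) or "ok")
```

The third sample matters in practice: a rogue server can copy the legitimate server identifier, so checking the DNS option against an allow-list is the check that survives spoofing, and the sending host's MAC address (in the Ethernet frame, not in the options) is the field to pivot on when hunting for the infected machine. Switch-side DHCP snooping gives the same protection without a monitor.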


Timeline

Figure 11 Notable events in the threat landscape: April-June, 2011

April
12  Operation Adeona: FBI kneecaps Coreflood botnet by replacing known C&C servers with their own.
21  Major Fraud Verdict: Rogelio Hackett Jr. gets 10 years and is fined $500K for trafficking 676,000 stolen credit cards (that generated over $36M in fraudulent transactions).
26  PlayStation Breach: Sony PlayStation network breached. Over 77M accounts stolen. Data quickly appears in underground economy.
26  “Stars” Attacks: Iran claims to be again targeted, this time by “Stars” worm.

May
2   Death of Osama bin Laden: Osama bin Laden killing fuels a mountain of spam, phishing and malware campaigns, including clickjacking scams on social networking sites.
2   Second Sony Breach: Sony Online Entertainment network breached. Nearly 25M users exposed.
12  U.S. Cyberspace Policy Review: White House moves to standardize national data breach reporting and increase penalties for convicted cybercriminals, including mandatory sentences.
26  EU Cookie Laws in effect: Regulations come into effect requiring user permission before delivering cookies. Fines up to 500K Euros for not complying.

June
8   Citigroup Breach: Over 360K Citigroup customers’ personal information exposed, including names, account numbers, and contact info.
10  “Anonymous” Arrests: Spanish authorities arrest three alleged members of Anonymous hacker organization. Three days later in Turkey, authorities arrest an additional 32 alleged members.
10  Sega Breach: Sega database breached, exposing email addresses, birthdates, and encrypted passwords for 1.3M users.
10  FBI Raids Scareware Scammers: FBI coordinates global raid, seizing 5 bank accounts and 40 computers hosting scareware. Targets assets of two groups believed to have made over $72 million from scareware scams.

Also this quarter
Major Events Exploited: Japan tsunami, New Zealand earthquake, and British royal wedding exploited in spam, phishing, and malware campaigns.


Articles

Qakbot: Not Nearly as Funny as it Sounds

Overview

W32.Qakbot, usually pronounced “kwak-bot”, is a worm whose primary purpose is to steal online banking account information from compromised computers. While attacks targeting sensitive data continue to be prevalent in today’s threat landscape, Qakbot has proven to be a particularly sophisticated example.

Qakbot was first discovered in May 2009; a surge of infections occurred in the second quarter of 2011, due primarily to the release of several new variants in April (figure 12). Although Qakbot infections were reported worldwide during this latest surge, the majority of them affected systems in the United States (figure 13). This is because the main targets of Qakbot are the customers of U.S. banks.

Figure 12 Qakbot infections by day

(chart: Qakbot infections per day, 0 to 250,000, by date from April through June 2011)

Figure 13 Qakbot infections by country

Rank  Source                Percentage
1     United States         91%
2     India                 2%
3     United Kingdom        1%
4     China                 1%
5     Australia             1%
6     Indonesia             < 1%
7     Russia                < 1%
8     St. Kitts and Nevis   < 1%
9     Spain                 < 1%
10    Canada                < 1%


Qakbot’s main method of propagation is through network shares and removable drives. Once on a compromised computer, it downloads additional files, opens a backdoor, and steals information. The worm also contains functionality to allow it to hide its presence.

One distinguishing feature of Qakbot is that it spreads slowly and stealthily in order to keep users from being alerted to its presence or activities. This has contributed to its longevity and persistence. Other factors that have contributed to its longevity are the numerous variants of the worm that have been released since its initial discovery and its ability to automatically update itself. The self-updating functionality of Qakbot enables it to elude or otherwise counter an array of mitigation efforts. One recent example of a major Qakbot attack occurred on the network of the UK National Health Service. In the attack, Qakbot managed to infect over 1,100 separate computers that were spread across multiple subnets within the organization’s network before it was discovered.

Motivations and Targets

As with most malware being developed today, the main purpose of Qakbot is to harvest financial data from victims’ computers. Qakbot was designed to steal information much like a keylogging Trojan is able to. Once present on a compromised system, Qakbot seeks out a range of information such as authentication cookies (including Adobe® Flash® local shared objects), FTP and IRC login credentials, and logins for email accounts.

In general, malware that targets cookies does so because cookies are used to store text information that is associated with users’ activities on websites. Depending on how they have set up their permissions, users often need to enter their information into a website only once; then, for as long as the cookie remains valid, the website will show relevant content upon future visits. For example, if a user selects a “remember me” button when logging in to a Web-based email site, the associated cookie will not expire until it is manually deleted. This means that, if a user closes the browser without logging out from the session, the cookie may keep the session active. This would cause the user’s account to remain accessible if the site is revisited from the same computer before the session timed out. (Most sites will end a session if there is no activity from the user after a set period.) Although this is a convenient feature, it can be a security issue if the user is accessing his or her account from a shared computer.

Qakbot is also programmed to steal the authentication cookies that some websites use to identify users in order to provide them with secure access. This enables the attacker to then impersonate the victim on the site that initially delivered the cookie (online banking site, Webmail, etc.). This is because the stolen cookies are afforded the same authenticity as legitimate ones. In addition, Qakbot has the ability to delete a site’s authentication cookies from compromised computers, thus forcing victims to re-enter their credentials when returning to that site. Qakbot then harvests the credentials using its keystroke logger when the victims re-type the usernames and passwords.

It is worth noting that, because cookies may contain personal information, a recent EU privacy directive will require website owners to gain explicit permission from users in the European Union prior to setting cookies that are not strictly necessary on their systems. (For example, a cookie that is used to remember the contents of a user’s shopping cart for the duration of his or her session is considered necessary, whereas a cookie that is used to remember visiting unsecured, publicly available pages is not.) This directive was introduced to address concerns regarding users’ privacy when visiting websites, because many users may not be aware of the personal information collected by these cookies.

One important aspect of Qakbot is that it is able to steal login information for certain online banking websites and can relay session authentication tokens to its C&C server. This allows an attacker to shadow a particular online bank- ing session and perform transactions from a victim’s account without the victim’s knowledge. Moreover, because the attacker can act concurrently with the user, the attacker can circumvent many of the security features found on banking websites, such as session validity measures. For example, many banking websites will automatically terminate a user’s session after a specific period without any activity. This measure is applied in case the user has forgotten to sign out, thereby restricting access to the next person who uses the computer. Qakbot lets the attacker maintain the session as active and prevents the bank’s site from ending it.

In addition, Qakbot is able to alter how a page is displayed to a victim in order to hide certain elements, such as “sign out” buttons. Without this type of visual clue, the user may instead simply close the browser instance without actually logging out from the banking session. The attacker could then keep the session active and gain unhindered access to the user’s accounts.
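The two paragraphs above describe why an inactivity timeout does not protect a session that an attacker is shadowing: the attacker's own requests keep the idle clock fresh, and hiding the sign-out button ensures the victim never ends it. The following added example (illustrative server-side code, not from the report and not any bank's implementation) models a session store under three policies and replays a stolen token against each; the timeouts, addresses and request cadence are constructed for the example.

```python
"""Added example (not from the report; illustrative server-side code, not any
bank's): why an idle timeout alone does not stop the session shadowing
described above, and what does. An attacker replaying the stolen token keeps
the idle clock fresh, so the session never expires; an absolute lifetime
bounds the exposure, and binding the session to the client that created it
rejects the replay outright (with the caveat that mobile and proxied users
change addresses). Times are in seconds; all scenario values are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional
import secrets


@dataclass
class Session:
    user: str
    client_ip: str
    created: float
    last_seen: float


@dataclass
class SessionStore:
    idle_timeout: float
    absolute_timeout: Optional[float] = None  # None: no absolute bound (the weak setting)
    bind_client: bool = False                 # reject a token presented from another address
    sessions: dict = field(default_factory=dict)

    def login(self, user: str, client_ip: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, client_ip, now, now)
        return token

    def touch(self, token: str, client_ip: str, now: float) -> bool:
        """Validate a request carrying `token`; True if the session is still live."""
        s = self.sessions.get(token)
        if s is None:
            return False
        expired = (now - s.last_seen > self.idle_timeout) or (
            self.absolute_timeout is not None and now - s.created > self.absolute_timeout)
        if expired:
            del self.sessions[token]
            return False
        if self.bind_client and client_ip != s.client_ip:
            # Token replayed from elsewhere: do not refresh; treat as a hijack signal.
            return False
        s.last_seen = now
        return True


def shadow_session(store: SessionStore, attacker_ip: str, interval: float, horizon: float):
    """Attacker replays the token every `interval` seconds for `horizon` seconds
    after the victim's last real request. Returns seconds until the store
    first refuses the token, or None if it survived the whole horizon."""
    token = store.login("victim", "203.0.113.7", now=0.0)
    store.touch(token, "203.0.113.7", now=60.0)       # one genuine request
    t = 60.0
    while t < 60.0 + horizon:
        t += interval
        if not store.touch(token, attacker_ip, now=t):
            return t - 60.0
    return None


IDLE = 10 * 60          # 10 minute inactivity timeout
DAY = 24 * 3600

if __name__ == "__main__":
    weak = SessionStore(idle_timeout=IDLE)
    bounded = SessionStore(idle_timeout=IDLE, absolute_timeout=8 * 3600)
    bound = SessionStore(idle_timeout=IDLE, absolute_timeout=8 * 3600, bind_client=True)
    for name, store in [("idle only", weak), ("absolute lifetime", bounded), ("client binding", bound)]:
        print(name, "->", shadow_session(store, "198.51.100.9", interval=5 * 60, horizon=DAY))
```

With the idle-only policy the replayed token is still valid after a full day; the absolute lifetime ends it at the eight-hour mark regardless of activity; client binding refuses the first replayed request. Binding to the source address is the coarsest form of that check and breaks for users behind changing NAT or mobile carriers, so production systems usually bind to a combination of attributes and re-authenticate before money moves rather than trusting the session token alone.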


A review of the banks targeted by Qakbot indicates that they are all located in the United States. This likely indicates that the authors of the worm are familiar with U.S. banking institutions and that the customers of these banks are the attackers’ main targets. Although the number of people doing their banking online is increasing worldwide, it has become especially popular in the United States. For example, a recent survey showed that 36 percent of bank customers preferred to do their banking online versus using an ATM or seeing a teller. This provides a target-rich environment from which to steal financial information and funds.

Attack Methods

The Qakbot worm tries to infect computers by attempting to exploit vulnerabilities on a user’s system when the user visits a compromised website or when the user unwittingly clicks on a malicious link (found in spam, social networking site scams, etc.). Some of the vulnerabilities exploited in a Qakbot attack include “Microsoft® Internet Explorer® ADODB.Stream Object File Installation Weakness” and “Apple® QuickTime® RTSP URI Remote Buffer Overflow.” Once a compromise occurs, the worm and its files are downloaded onto the computer without any further interaction required from the user, thereby infecting it.

Once it is on an infected computer, Qakbot opens a backdoor in order to create an entry point into the system to facilitate remote access. From then on, the attacker can proceed to search for and steal sensitive information. Qakbot also contains rootkit functionality that it uses to hide its presence on the system. This enables Qakbot to alter system processes using hooks to hide files, processes, registry keys, and network connections from the system itself. In addition, Qakbot is able to block access to security vendor websites by checking for URLs that contain keywords related to these sites, and then returning an invalid IP address when the browser performs a DNS lookup. This tactic is likely used by attackers to hinder the user from accessing information on security vendor sites that would explain how to remove the Qakbot worm.
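The DNS tampering described above (security vendor domains answered with an invalid address) is something a host can check for itself, because a real vendor website never resolves to loopback, unspecified, private or documentation address space. The following is an added example written for this page, not code from Symantec or the report. The `.example` domains on the watch-list and the "observed" answers are constructed; in live use `resolve_all()` asks the system resolver, which is the path the worm is described as interfering with.

```python
"""Flag security vendor domains whose DNS answers cannot be real web servers.

Added example, not code from the report. The watch-list domains and the
sample answers are constructed; resolve_all() performs live lookups.
"""
import ipaddress
import socket

# Assumed watch-list: sites a user would visit for removal instructions.
WATCHED_DOMAINS = ["www.vendor-a.example", "www.vendor-b.example", "www.vendor-c.example"]


def classify_answer(addr):
    """Return None if addr could be a real public host, else the reason it cannot."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "not an IP address"
    if ip.is_unspecified:
        return "unspecified address"
    if ip.is_loopback:
        return "loopback address"
    if ip.is_private:
        return "private or documentation range"
    if not ip.is_global:
        return "non-global address"
    return None


def audit(resolutions):
    """resolutions: {domain: [answers]} -> {domain: reason} for suspicious domains.

    A domain is suspicious when it gets no answer at all or when every answer
    it gets is unusable; one good answer among several is left alone.
    """
    suspicious = {}
    for domain, answers in resolutions.items():
        if not answers:
            suspicious[domain] = "no answer"
            continue
        reasons = [classify_answer(a) for a in answers]
        if all(reasons):
            suspicious[domain] = "; ".join(sorted(set(reasons)))
    return suspicious


def resolve_all(domains):
    """Live resolution through the system resolver (the path being tampered with)."""
    out = {}
    for d in domains:
        try:
            out[d] = sorted({ai[4][0] for ai in socket.getaddrinfo(d, 80)})
        except socket.gaierror:
            out[d] = []
    return out


# Constructed sample answers: one bogus loopback answer of the kind the report
# describes, one ordinary public unicast address, one domain with no answer.
SAMPLE_RESOLUTIONS = {
    "www.vendor-a.example": ["127.0.0.1"],
    "www.vendor-b.example": ["93.184.216.34"],
    "www.vendor-c.example": [],
}

if __name__ == "__main__":
    for domain, reason in audit(SAMPLE_RESOLUTIONS).items():
        print(f"SUSPICIOUS {domain}: {reason}")
```

Because the worm hooks the infected system, a check run from that system can itself be lied to; the same function applied to answers collected by a resolver log or a second, clean host is the more trustworthy use.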

Qakbot’s primary C&C communication method is through HTTP, while a secondary FTP channel is used by the worm for uploading and downloading files. Qakbot is programmed to upload all stolen information to C&C servers controlled by the attacker. One technique that attackers use to elude detection is to frequently shift to different servers. Symantec monitored a number of the FTP servers and observed over 4 GB of stolen information uploaded in two weeks. (Four gigabytes of data can contain more than 100,000 credit card numbers, expiry dates, and cardholder names.) The stolen data included online banking information, credit card information, social network credentials, Internet mail credentials, and Internet search histories.

Propagation

Qakbot spreads and infects other systems through three primary channels:
• Network-share drives
• Removable drives
• Infected Web pages hosted on compromised FTP servers

Network-share drives: Qakbot can infect all accessible network resources—including all users on a network that the compromised computer is on—by copying a version of itself onto the network and starting a remote service that accesses it.

Removable drives: The worm can copy itself onto removable drives using a random filename. It then creates an .inf file for itself on the removable drive. This will result in Qakbot automatically executing when the removable drive is connected to another computer—thereby infecting it.
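The removable-drive channel leaves a file that is easy to inspect: an autorun.inf whose launch entry points at an executable on the same drive. The following is an added example written for this page, not code from Symantec or the report. It takes the drive root as a path (on Windows that would be something like `E:\`), and the sample drive it builds in a temporary directory, including the random-looking executable name, is constructed.

```python
"""Report autorun.inf files on removable media that launch an executable.

Added example, not code from the report. The sample drive image is
constructed in a temporary directory; inspect_autorun() works on any path.
"""
import configparser
import os
import tempfile

# Entries under [autorun] that cause something to run on insertion.
LAUNCH_KEYS = ("open", "shellexecute")


def inspect_autorun(drive_root):
    """Describe the autorun risk of a drive root.

    Returns {"present": bool, "launches": [(key, command)], "target_exists": [bool]}.
    """
    path = os.path.join(drive_root, "autorun.inf")
    result = {"present": os.path.isfile(path), "launches": [], "target_exists": []}
    if not result["present"]:
        return result
    # .inf files are INI-like; interpolation off, strict off (duplicates occur).
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    with open(path, encoding="utf-8", errors="replace") as fh:
        cp.read_file(fh)
    # Section names are case-sensitive to configparser but not to Windows.
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return result
    for key in LAUNCH_KEYS:  # option names are lower-cased by configparser
        if cp.has_option(section, key):
            cmd = cp.get(section, key).strip()
            result["launches"].append((key, cmd))
            exe = cmd.split()[0].strip('"') if cmd else ""
            result["target_exists"].append(os.path.isfile(os.path.join(drive_root, exe)))
    return result


def make_sample_drive(infected=True):
    """Build a constructed removable-drive image for the demonstration."""
    root = tempfile.mkdtemp(prefix="usb_")
    if infected:
        with open(os.path.join(root, "qz7d2k.exe"), "wb") as fh:
            fh.write(b"MZ placeholder bytes, not a real binary")
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write("[AutoRun]\nopen=qz7d2k.exe\nicon=qz7d2k.exe,0\n")
    return root


if __name__ == "__main__":
    print(inspect_autorun(make_sample_drive()))
```

A present autorun.inf is not by itself malicious (many vendor drives carry one), so the useful signal is the combination reported here: a launch entry, its target actually present on the drive, and, in practice, that target being an executable nobody recognises.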

Infected Web pages: Qakbot uses stolen FTP credentials to gain access to servers that host Web pages. It modifies Web pages hosted on those FTP servers by adding extra code to the pages so that a drive-by download of Qakbot is initiated when a user visits the site using a vulnerable browser. In order to gain access to FTP servers, Qakbot communicates with its C&C server, which in turn sends the worm a list of previously stolen FTP addresses and credentials, as well as HTML code to inject into the Web pages.
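A site owner whose FTP credentials were stolen will not see the modification in any log of their own, so detection falls to the content itself: pages that no longer match the deployed baseline, and script or iframe tags that pull from hosts the site never used. The following is an added example written for this page, not code from Symantec or the report. It assumes the owner keeps a SHA-256 per page from the known-good deployment and an allow-list of hosts the site legitimately loads from; the HTML samples and the `.example` hostnames are constructed.

```python
"""Detect unauthorized additions to hosted web pages.

Added example, not code from the report. Assumes a per-page SHA-256 baseline
from the known-good deployment and an allow-list of legitimate source hosts.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class InjectionScanner(HTMLParser):
    """Collect script/iframe tags loading from foreign hosts, and hidden iframes."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = dict(attrs)
        src = a.get("src")
        if src:
            host = urlparse(src).hostname  # None for relative (same-origin) URLs
            if host and host.lower() not in self.allowed_hosts:
                self.findings.append(f"{tag} loads from foreign host {host}")
        if tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            if any(m in style for m in ("display:none", "width:0", "height:0")):
                self.findings.append("hidden iframe")


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def check_page(name, html, baseline, allowed_hosts):
    """Return findings for one page: baseline drift plus suspicious tags."""
    findings = []
    expected = baseline.get(name)
    if expected is None:
        findings.append("no baseline for page")
    elif sha256_hex(html) != expected:
        findings.append("content differs from baseline")
    scanner = InjectionScanner(allowed_hosts)
    scanner.feed(html)
    findings.extend(scanner.findings)
    return findings


# Constructed samples: the deployed page, and the same page after an injected
# hidden iframe of the kind a drive-by download would use.
CLEAN_HTML = '<html><head><script src="/js/app.js"></script></head><body>Hi</body></html>'
TAMPERED_HTML = CLEAN_HTML.replace(
    "</body>",
    '<iframe src="http://bad-host.example/land" style="display:none;width:0;height:0"></iframe></body>',
)
BASELINE = {"index.html": sha256_hex(CLEAN_HTML)}
ALLOWED_HOSTS = ["www.site.example"]

if __name__ == "__main__":
    for label, html in (("clean", CLEAN_HTML), ("tampered", TAMPERED_HTML)):
        print(label, check_page("index.html", html, BASELINE, ALLOWED_HOSTS))
```

The hash comparison catches any change, including ones the tag scanner does not know about; the tag scanner explains the change and still works on pages that never had a baseline. Rotating the FTP credentials and moving to SFTP removes the access the worm was using, but the pages already modified have to be found and restored separately, which is what this check is for.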

Self-Updating Variants

One of the main reasons for the longevity of the Qakbot worm is its ability to self-update and download new versions of itself. The update process can either be instigated by the attacker or automatically executed by the worm itself as part of its initialization routine. Qakbot uses two process commands to update itself, “instwd” and “update”:
• Instwd: With the “instwd” command, the worm sends a query to its C&C server to check for newer versions of itself. The server will then send a newer version of the Qakbot executable if one is available, which is saved as a random filename in the ‘temp’ directory of the victim’s computer.
• Update: With the “update” command, the C&C server directs the worm to a URL from which it can receive instructions on downloading custom updates for a compromised computer or common updates for all compromised computers. The instructions can include URLs of other files to download (including updates to Qakbot itself) as well as additional commands to execute.

Such customized updates and the ability to hide files within a computer make it difficult for victims to remove Qakbot from their systems. As such, the best protection from Qakbot is to prevent the initial infection.

Protection and Mitigation

Attackers have become increasingly motivated by profit and are attracted by the proliferation of malicious code designed to steal personal information. The increasing popularity of using the Web for a range of daily activities, including sensitive financial transactions, makes it likely that users will continue to be subject to more threats of this nature. Successful compromises can result in substantial financial losses; therefore, it is critical that you protect your computer from malicious code attacks. This is true for both individual users as well as companies.

Users and administrators should ensure they are doing everything possible to reduce exposure to Qakbot and other malicious threats by employing a modern Internet security solution consisting of multiple layers of protection technologies. Relying on antivirus alone to detect malware is no longer sufficient. For example, threats such as Web-attack toolkits can simultaneously exploit up to 25 different vulnerabilities using a wide range of attack vectors such as drive-by downloads. Moreover, many attacks employ self-updating, polymorphic exploits that can undermine positive identification by antivirus applications.

In 2010, Symantec protection technologies blocked more than 3 billion attacks—approximately 48 percent of which were blocked using network-based protection technologies such as an intrusion prevention system (IPS) and browser protection. These solutions can prevent initial infection vectors of Qakbot and are an effective layer of protection that some users may not be using beyond having an antivirus solution in place. For more details on these solutions, please see the Symantec Endpoint Protection Best Practices.

To reduce the chances of being infected by Qakbot, Symantec advises implementing the following recommendations:
• Qakbot infects enterprises via Web-attack toolkits exploiting vulnerabilities in software applications against which IPS provides protection. Enabling IPS in Symantec Endpoint Protection (SEP) can prevent the initial infection.
• Use IPS “post-infection” signatures in SEP for IPS-enabled systems to detect infected systems and prevent them from updating and infecting other systems.
• Learn about Qakbot. For example, Symantec has a detailed family write-up on W32.Qakbot. The article describes the worm and includes comprehensive prevention mechanisms and how to remove Qakbot if your computer is infected (this includes the Symantec W32.Qakbot Permission Reset Tool).

For additional information on Qakbot, please see the Symantec whitepaper, W32.Qakbot in Detail.

Page 15 Symantec Intelligence Quarterly: April-June, 2011 Security Response

MACDefender: Not Protecting Macs at All

Overview

In early May 2011, new rogue security software called MACDefender emerged that affected computers running the Apple Mac OS® X operating system. In a likely bid to defy subsequent protective measures, other variants soon followed; these include MacProtector, MacSecurity, and MacGuard.

By May 23, 2011, there were an estimated 60,000 to 125,000 computers infected with MACDefender and its subsequent rebranded variants. This Trojan acts like a typical rogue security software program; because of this, it has been compared to rogue applications such as MacSweeper and iMunizator (both of which are discussed in the Symantec Report on Rogue Security Software.)

Rogue security software programs have been in existence for years, primarily affecting Windows-based platforms. Symantec defines rogue security software as a type of misleading application that purports to be legitimate security software, such as an antivirus scanner or registry cleaner, but which actually provides a user with little or no protection and that, in some cases, can actually facilitate the installation of malicious code that it claims that it protects against. To lure users into downloading and installing these malicious programs, rogue security software programs often report false or exaggerated system security threats on the computer.

Motivations and Targets

Although malicious code targeting Mac computers is not new, the recent surge in threats may indicate that the Mac computer market has reached a point that attackers believe they can effectively exploit Mac users. For example, although PCs still make up the majority of computers being sold, vendor shipments of Apple computers have grown by almost 19 percent since 2010.

As with the majority of malware being developed and released, the primary motivation of misleading applications is profit. The creators and distributors of rogue security software scams try to trick users into believing that these programs are legitimate and valid so that the victims will download them and then pay to “enable installation.” For example, MACDefender is usually offered to potential victims for $99 (USD). Recently, a Russian online payment processing company (that has previously profited from other rogue security software scams) has been allegedly linked to MACDefender.

Attack Methods

Attackers most often use fear tactics to lure victims into installing and purchasing these programs. Such tactics include social engineering ploys through false pop-up warnings and advertisements on legitimate websites. MACDefender follows this norm while also using search engine optimization (SEO) poisoning so that malicious links to it get ranked higher in certain Web searches.

MACDefender is also propagated using compromised image searches. In this technique, when users conduct certain image searches, if they click on a malicious image that has been seeded into results via SEO poisoning, they will be redirected to a website for the rogue security software. The SEO poisoning is accomplished by compromising websites (by injecting them with malicious scripts) that will then load images from a third-party site controlled by the attackers. Once the images are indexed by search engine bots, they will appear higher in search results. Attackers count on users being more likely to trust that the images are legitimate if they appear high up in search results and if they appear on legitimate sites alongside otherwise innocuous images and page content.

Once a user clicks on a malicious link, his or her system is checked by the scareware to verify that the user is running OS X. Upon validation, a Java-based script is launched that simulates a scan of the computer. The script inevitably reports that the user’s computer contains malware. If the user falls for the scam and downloads the “solution” (i.e., the rogue security software), and the “open safe files after downloading” option is enabled in the user’s Safari® browser, the rogue application will prompt the user to enter an administrator password to allow the program to be installed. (Safari is the default browser for Mac computers.) Since “open safe files after downloading” is the default setting for Safari, it is likely that most people will have this function enabled—especially considering the historical lack of Web-based threats targeting Mac computers.


MACDefender and its variants also propagate via fake links posted onto social networking sites. Attackers are likely attracted by the target-rich environment presented by these sites. A recent survey suggested that 47 percent of adults in the United States have profiles on at least one social networking site—an increase of almost 80 percent from 2008—and nearly half of those with profiles checked them on a daily basis.

Figure 14: MACDefender false security warning of infection

In the “fake link” ploy, a link to a video is posted on the user’s page using a friend’s account that has already been compromised by MACDefender. The scam link uses a sensational headline to entice the user to click it. If clicked, the link directs the victim to a website with pornographic video footage. Another window is then launched that features MACDefender and informs the victim that his or her computer has been infected with malicious code. In addition, by clicking on the scam link, the victim will unwittingly recommend the link to all of his or her friends. Clicking the link also results in it being posted on the victim’s profile page. Designed to increase the viral spread of the scam, this technique is known as clickjacking, whereby a Web page is modified to show a set of “dummy” links that actually mask links to other destinations. These social networking ploys rely on the likelihood that users will trust a posting from a networked friend. The same survey cited earlier also discovered that a large percentage of frequent social network users are far more likely to believe that most people can be trusted, compared to other Internet users.

Once present on a Mac computer, MACDefender will launch each time the computer is rebooted. To elude discovery, it prevents an icon of the program from appearing in the dock, which would make it more difficult for the user to detect its presence. (On a Mac computer, the dock is a bar of icon shortcuts of active programs that usually sits on the side or bottom of the user’s screen. As with the task bar on a PC, it is meant to provide easy access to currently open and frequently used applications.)

Figure 15: MACDefender registration pop-up

To bilk the victim, MACDefender prompts the user to purchase a subscription following a false scan of the computer and alerts directed at the user regarding the (nonexistent) threats found on the system (figure 15). If the user does not agree to purchase a subscription, the application will then start to display pornographic websites at random. Due to the professional appearance of the program and similarities to legitimate security software, many victims may not realize that it is a scam.


Despite a security update issued by Apple to mitigate this threat, the authors of MACDefender apparently anticipated the company’s probable response; within eight hours of the update, they released the MacGuard variant that bypassed the update to block MACDefender. The MacGuard variant assumes that most Mac computer users are operating with administrator rights to their computers—which is the default setting. In this scenario, any user operating with an administrator account can, without a password, install software into the applications folder. Because of this, the MacGuard variant will download as “avSetup.pkg” into the “Applications” folder (versus the default “Downloads” folder). Prior to this variant, MACDefender required users to enter an administrator password in order to complete the installation of the application. With MacGuard, if the browser’s option to open “safe” files after download is selected, the package automatically installs without requiring the user to enter an administrator password. The program will then call to a remote IP address as part of its setup routine in order to download and install MacGuard. This likely indicates that the creators of the rogue security software monitor security updates in order to continually adapt and improve their threats.

Protection and Mitigation

Historically, malicious code and scam authors have targeted Windows-based systems because of their dominant market share. With the increasing market share of Apple computers, however, it may be the case that more malicious code authors and attackers will be attracted to the Mac OS X platform. As a result, Mac OS X users may see more malicious code and scams targeted at them as cybercriminals attempt to test the success of exploiting this user base for profitability.
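Two of the conditions the MacGuard variant relies on, the Safari “open safe files after downloading” setting described earlier and an installer package sitting in an Applications folder, can both be audited from a script. The following is an added example written for this page, not code from Symantec, Apple or the report. It reads the Safari preference through the macOS `defaults` tool (domain `com.apple.Safari`, key `AutoOpenSafeDownloads`) when that tool is present, and otherwise skips the live read; the interpretation rule (a missing key means the default, which the report states is “enabled”) and the folder paths to scan are assumptions, and the sample Applications folder is constructed.

```python
"""Audit the Safari auto-open setting and look for .pkg files in Applications.

Added example, not code from Symantec or Apple. The live preference read
only happens where the macOS `defaults` tool exists; everything else runs
anywhere. Folder paths and the interpretation of a missing key are assumptions.
"""
import os
import shutil
import subprocess
import tempfile

# Conventional application folders (assumed); MacGuard is described as
# dropping avSetup.pkg into the Applications folder rather than Downloads.
APPLICATION_FOLDERS = ["/Applications", os.path.expanduser("~/Applications")]


def interpret_auto_open(raw):
    """Map `defaults read` output to a finding.

    '0' means the option is off. Anything else, including a missing key (empty
    string), is treated as the default, which the report says is 'enabled'.
    """
    value = (raw or "").strip()
    if value == "0":
        return "ok: Safari does not open 'safe' downloads automatically"
    return "risk: Safari opens 'safe' downloads automatically (default setting)"


def read_safari_auto_open():
    """Return the raw preference value, '' if the key is unset, None off macOS."""
    if shutil.which("defaults") is None:
        return None
    proc = subprocess.run(
        ["defaults", "read", "com.apple.Safari", "AutoOpenSafeDownloads"],
        capture_output=True, text=True,
    )
    return proc.stdout if proc.returncode == 0 else ""


def find_packages(folders):
    """List installer packages (.pkg/.mpkg) sitting directly in the given folders."""
    hits = []
    for folder in folders:
        if not os.path.isdir(folder):
            continue
        for name in os.listdir(folder):
            if name.lower().endswith((".pkg", ".mpkg")):
                hits.append(os.path.join(folder, name))
    return sorted(hits)


def make_sample_folder():
    """Constructed stand-in for an Applications folder, for the demonstration."""
    root = tempfile.mkdtemp(prefix="Applications_")
    open(os.path.join(root, "avSetup.pkg"), "w").close()  # filename named in the report
    open(os.path.join(root, "SomeApp.app"), "w").close()  # placeholder for an app bundle
    return root


if __name__ == "__main__":
    raw = read_safari_auto_open()
    print(interpret_auto_open(raw) if raw is not None else "Safari check skipped (not macOS)")
    for hit in find_packages(APPLICATION_FOLDERS + [make_sample_folder()]):
        print("installer package found:", hit)
```

An installer package in an Applications folder is unusual enough to be worth a look but not proof of anything; the point of the audit is that both conditions are cheap to fix (turn the Safari option off, remove the stray package, use a standard rather than administrator account for daily work), and fixing them removes what the variant depends on.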

The exploitation of automatic installation is a relatively old tactic for malware. Windows users have been dealing with this for years, to the point that it has been mitigated significantly by default security features in Windows-based applications. Due to the relative rarity of threats to Mac computers, though, users have had comparatively little exposure to such threats. As a result, they may take fewer preventative measures, such as not deploying antivirus software.

To limit exposure to MACDefender and its variants, administrators and users on Mac OS X systems should take a number of precautions:
• Administrators should employ defense-in-depth strategies and deploy the most up-to-date antivirus software and a firewall.
• To protect against potential rogue security software scam activity, organizations should educate their end users about these scams. They should keep their employees notified of the latest scams and how to avoid falling victim to them. Organizations should also provide a means to report suspected malicious rogue security software websites.
• Organizations can minimize the effect of malicious activity and hence minimize the effect on day-to-day operations by creating and enforcing policies that identify and restrict applications that can access the network.
• Be careful when installing programs from an unknown source because these programs may contain malicious code.
• Be cautious when clicking on links within social networking sites or emails, especially if they are about recent news topics and have catchy titles or descriptions such as “You have to see this!” or “OMG, this is a great video!” Be suspicious of these postings even if they are from trusted friends because attackers may have compromised a friend’s account.
• Beware of pop-up displays and banner advertisements that mimic legitimate displays or that try to promote security products.
• Do not accept or open suspicious error displays from within a Web browser; these are often methods used by rogue security software scams to lure users into downloading and installing a fake product.
• Only purchase security software from reputable and trusted sources and only download applications directly from the vendor’s website or legitimate partners.


Any technical information that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation.

NO WARRANTY. The technical information is being delivered to you as is and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained herein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice.

Credits

Marc Fossi, Executive Editor
Manager, Development
Security Technology and Response

Eric Johnson, Editor
Security Technology and Response

Trevor Mack, Editor
Security Technology and Response

Téo Adams, Threat Analyst
Security Technology and Response

Joseph Blackbird, Threat Analyst
Security Technology and Response

Mo King Low, Threat Analyst
Security Technology and Response

About Symantec

Symantec is a global leader in providing security, storage and systems management solutions to help businesses and consumers secure and manage their information. Headquartered in Mountain View, Calif., Symantec has operations in more than 40 countries. More information is available at www.symantec.com.

For specific country offices and contact numbers, please visit our Web site. For product information in the U.S., call toll-free 1 (800) 745 6054.

Symantec Corporation World Headquarters
350 Ellis Street
Mountain View, CA 94043 USA
+1 (650) 527-8000
www.symantec.com

Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.