Internet Security Threat Report Government 2013
p. 101
Symantec Corporation
Internet Security Threat Report 2013 :: Volume 18
MALICIOUS CODE TRENDS
Commentary
• Ramnit again beat Sality to become the most prevalent malicious code family in 2012. Having also ranked first in 2011, Ramnit was the top malicious code family by volume of potential infections in 2012. Samples of the Ramnit family were responsible for significantly more potential infections (15.4 percent) than the second-ranked malicious code family in 2012, Sality (7.6 percent). First discovered in 2010, W32.Ramnit has been a prominent feature of the threat landscape since then, often switching places with Sality during the year as the two families jockey for first position. Ramnit spreads by encrypting itself and appending the result to DLL, EXE, and HTML files. It can also spread by copying itself to the recycle bin folder on removable drives and creating an AUTORUN.INF file, so that the malware is potentially executed automatically when the infected USB device is attached to another computer. The reliable simplicity of spreading via USB devices and other removable media makes families such as Ramnit and Sality (as well as SillyFDC and others) effective vehicles for installing additional malicious code on computers.
• The Sality family of malware, ranked second, remains attractive to attackers because it uses polymorphic code that can hamper signature-based detection. Sality is also capable of disabling security services on affected computers. Together, these two factors may give attackers a higher rate of successful installations. Sality propagates by infecting executable files and by copying itself to removable drives such as USB devices; like Ramnit, it relies on AUTORUN.INF to potentially execute when those drives are accessed.
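The AUTORUN.INF abuse described for Ramnit and Sality can be checked for directly on a mounted drive. The Python scanner below is an added example written for this edition, not code from the report or from Symantec. The three autorun.inf samples it carries are constructed for illustration: the SID-style folder name and vshost.exe are invented, not identifiers taken from a real sample. It parses the file as leniently as Windows does, lists every directive that would run code, and flags payloads launched from a recycle-bin style folder, hijacked Explorer verbs, and junk padding between directives. One caveat: since Microsoft's February 2011 update KB971029, Windows no longer honours AUTORUN.INF on non-optical removable media, so on a patched system such a file is evidence that the stick has been infected rather than a working infection vector.

```python
import re

# Directives in [autorun] that run a program directly, plus the shell\<verb>\command
# keys that hijack the drive's Open/Explore/AutoPlay verbs in Explorer.
LAUNCH_KEYS = {"open", "shellexecute"}
VERB_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")
EXEC_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js")
# Folders that worm-dropped payloads are typically parked in on a USB stick.
HIDING_DIRS = ("recycler", "recycled", "$recycle.bin", "system volume information")
KEYVAL_RE = re.compile(r"^([^=;\[\]]+?)\s*=\s*(.*)$")
JUNK_THRESHOLD = 3  # this many non-directive lines between directives looks like padding


def parse_autorun(text: str) -> tuple[dict, int]:
    """Leniently parse autorun.inf: ({lower-cased key: value}, junk_line_count).

    Windows tolerates garbage between directives, and worm-dropped files exploit
    that with random padding lines to trip up naive scanners, so such lines are
    counted as a signal rather than treated as a parse error.
    """
    directives, junk, section = {}, 0, None
    for raw in text.splitlines():
        line = raw.strip("\x00 \t\r")
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        m = KEYVAL_RE.match(line)
        if m and section == "autorun":
            directives[m.group(1).strip().lower()] = m.group(2).strip()
        else:
            junk += 1
    return directives, junk


def _first_token(value: str) -> str:
    """Extract the program path from a command value (quoted path or first word)."""
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def launch_targets(directives: dict) -> dict:
    """Map every code-running directive to the (lower-cased) path it would execute."""
    targets = {}
    for key, value in directives.items():
        if key in LAUNCH_KEYS or VERB_COMMAND_RE.match(key):
            path = _first_token(value).lower()
            if path:
                targets[key] = path
    return targets


def assess_autorun(text: str) -> dict:
    """Classify an autorun.inf as clean, review (launches code) or suspicious."""
    directives, junk = parse_autorun(text)
    targets = launch_targets(directives)
    reasons = []
    for key, path in targets.items():
        folders = path.replace("/", "\\").split("\\")[:-1]
        if any(f in HIDING_DIRS for f in folders):
            reasons.append(f"{key} runs a payload out of a hiding folder: {path}")
        if VERB_COMMAND_RE.match(key) and path.endswith(EXEC_EXTS):
            reasons.append(f"{key} hijacks an Explorer verb to run {path}")
    if junk >= JUNK_THRESHOLD:
        reasons.append(f"{junk} junk lines interleaved with directives (padding/obfuscation)")
    verdict = "suspicious" if reasons else ("review" if targets else "clean")
    return {"verdict": verdict, "targets": targets, "reasons": reasons, "junk_lines": junk}


# Constructed samples (not real dropped files). The first mimics the layout the
# worm families above leave on removable media: payload under RECYCLER, Explorer
# verbs hijacked, Windows' own folder icon so the drive looks ordinary.
WORM_STYLE_INF = r"""[autorun]
;kqh7b1
open=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\vshost.exe
zLg0aXpQ
shell\open\command=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\vshost.exe
pQ4mk
shell\explore\command=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\vshost.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
w8nR2t
UseAutoPlay=1
"""
LABEL_ONLY_INF = "[autorun]\nlabel=Backup Disk\nicon=disk.ico\n"
INSTALLER_INF = "[autorun]\nopen=setup.exe\nicon=setup.exe,0\n"

if __name__ == "__main__":
    for name, inf in (("worm-style", WORM_STYLE_INF), ("label-only", LABEL_ONLY_INF),
                      ("installer", INSTALLER_INF)):
        result = assess_autorun(inf)
        print(f"{name}: {result['verdict']}")
        for reason in result["reasons"]:
            print("   ", reason)
```

An installer disc that simply sets open=setup.exe is reported as "review" rather than "suspicious": any autorun that launches code from removable media deserves a look, but the hard indicators are the hiding folder, the hijacked verbs and the padding.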
• Downadup gains a bit of momentum: Downadup (a.k.a. Conficker) was the third-ranked malicious code family by volume of potential infections in 2012, up from fourth in 2011. Downadup propagates by exploiting vulnerabilities in order to copy itself to network shares. Downadup was estimated to have infected slightly more than 2 million PCs worldwide at the end of 2012,¹ compared with approximately 3 million at the end of 2011.
• Overall in 2012, 1 in 281.8 emails was identified as malicious, compared with 1 in 238.8 in 2011. 22.5 percent of email-borne malware consisted of hyperlinks referencing malicious code hosted elsewhere, rather than malware carried as an attachment to the email. This figure was 39.1 percent in 2010, an indication that cybercriminals are attempting to circumvent security countermeasures by changing the vector of attacks from purely email to the Web.
• In 2012, 12.6 percent of malicious code detected was identified and blocked using generic detection technology. Many new viruses and Trojans are based on earlier versions, where code has been copied or altered to create a new strain, or variant. Often these variants are created with toolkits, and hundreds of thousands of variants can be generated from the same piece of malware. This has become a popular tactic to evade signature-based detection, since each variant would traditionally need its own signature to be correctly identified and blocked. By deploying techniques such as heuristic analysis and generic detection, it is possible to correctly identify and block many variants of the same malware family, as well as to identify new forms of malicious code that seek to exploit certain vulnerabilities and can therefore be identified generically.
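To make the point about variants concrete, the Python example below is added here; it is not Symantec's detection technology and not code from the report. It emulates a toolkit that rebuilds the same malware with a fresh XOR key and random junk before and after it, then compares a per-sample hash signature with a generic byte pattern in which the changing byte is wildcarded. The decryptor stub, the payload text and the pattern are all constructed for the example.

```python
import hashlib
import random

# Constructed x86 XOR-decryptor stub standing in for a family's invariant code:
#   pushad; mov esi,[esp+24h]; mov edi,[esp+28h]; mov ecx,[esp+2Ch]
#   L: mov al,[esi]; xor al,KEY; mov [edi],al; inc esi; inc edi; loop L; popad; ret
# A toolkit re-keys it per build (the imm8 after opcode 34h), so that one byte varies.
STUB_TEMPLATE = bytes.fromhex(
    "60 8b 74 24 24 8b 7c 24 28 8b 4c 24 2c 8a 06 34 00 88 07 46 47 e2 f6 61 c3")
KEY_OFFSET = 16
PLAINTEXT_PAYLOAD = b"constructed stage-two payload: drop.exe and persist"


def parse_pattern(text: str) -> list:
    """'34 ?? 88' -> [0x34, None, 0x88]; None is a one-byte wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


# The generic signature: the stub with the re-keyed byte wildcarded, matched at
# any offset so that junk prepended by the toolkit does not matter.
GENERIC_PATTERN = parse_pattern(
    "60 8b 74 24 24 8b 7c 24 28 8b 4c 24 2c 8a 06 34 ?? 88 07 46 47 e2 f6 61 c3")


def find_pattern(data: bytes, pattern: list) -> int:
    """Return the first offset at which the wildcard pattern matches, or -1."""
    n = len(pattern)
    for i in range(len(data) - n + 1):
        if all(p is None or data[i + j] == p for j, p in enumerate(pattern)):
            return i
    return -1


def make_variant(seed: int) -> bytes:
    """Emulate a toolkit build: fresh key, fresh junk prefix/suffix, re-encrypted payload."""
    rng = random.Random(seed)
    key = (seed * 37 + 11) % 255 + 1              # distinct, non-zero key per seed
    stub = bytearray(STUB_TEMPLATE)
    stub[KEY_OFFSET] = key
    prefix = rng.randbytes(rng.randrange(0, 64))  # shifts every offset in the file
    suffix = rng.randbytes(rng.randrange(0, 64))
    body = bytes(b ^ key for b in PLAINTEXT_PAYLOAD)
    return prefix + bytes(stub) + body + suffix


def exact_signature(sample: bytes) -> str:
    """Per-sample signature of the traditional kind: a hash of the whole file."""
    return hashlib.sha256(sample).hexdigest()


def detection_comparison(n_variants: int) -> dict:
    """Exact-hash signature written for the first sample vs. the generic pattern."""
    variants = [make_variant(i) for i in range(n_variants)]
    exact_db = {exact_signature(variants[0])}
    exact_hits = sum(exact_signature(v) in exact_db for v in variants)
    generic_hits = sum(find_pattern(v, GENERIC_PATTERN) >= 0 for v in variants)
    return {"variants": n_variants, "exact_hits": exact_hits, "generic_hits": generic_hits}


if __name__ == "__main__":
    print(detection_comparison(50))
```

The hash database catches exactly the one sample it was written for, while the single wildcard pattern catches every rebuild. Production generic detection layers emulation and structural heuristics on top of patterns like this, since a toolkit can just as easily re-order or re-encode the stub itself.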
• Exploit/SpoofBBB was the most frequently blocked malware in email traffic by Symantec.cloud in 2012, with Trojan.Bredolab taking the second position.
• Trojan.JS.Iframe.AOX was the most frequently blocked malicious activity in Web traffic filtered by Symantec.cloud in 2012. The detection is triggered by HTML files that contain hidden IFRAME elements, together with JavaScript code, that attempt to perform malicious actions on the computer; for example, when a user visits a compromised Web page, the code quietly redirects the browser to a malicious URL while the visible page is still loading.
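As an added example of the kind of check a Web-traffic filter applies to this pattern (not Symantec.cloud's own detection logic, and not code from the report), the Python scanner below parses a page, collects iframes both from the static HTML and from simple document.write-style injection in inline scripts, and reports those that are hidden and point at a host other than the page's own. The sample page, its hostnames (reserved example.* names) and the obfuscated script are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Ways an iframe is kept out of sight: off-screen or invisible CSS, the hidden
# attribute, or a frame no bigger than a pixel (checked in hiding_reasons).
HIDDEN_STYLE_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px", re.I)
STRING_CONCAT_RE = re.compile(r"""['"]\s*\+\s*['"]""")   # '<ifr' + 'ame'  ->  <iframe
IFRAME_TAG_RE = re.compile(r"<iframe\b[^>]*>", re.I)


class IframeCollector(HTMLParser):
    """Collects <iframe> attribute dicts and the text of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.iframes, self.scripts, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def _pixels(value: str):
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def hiding_reasons(attrs: dict) -> list:
    """Why this iframe would not be visible to the user, if at all."""
    reasons = []
    for dim in ("width", "height"):
        px = _pixels(attrs.get(dim, ""))
        if px is not None and px <= 1:
            reasons.append(f"{dim}={px}")
    if HIDDEN_STYLE_RE.search(attrs.get("style", "")):
        reasons.append("hidden by style")
    if "hidden" in attrs:
        reasons.append("hidden attribute")
    return reasons


def iframes_written_by_script(script_text: str) -> list:
    """Undo the simplest obfuscations (string splitting, %XX escapes) and pull out
    iframes that document.write-style code would inject at load time."""
    text = unquote(STRING_CONCAT_RE.sub("", script_text)).replace('\\"', '"')
    found = []
    for tag in IFRAME_TAG_RE.findall(text):
        p = IframeCollector()
        p.feed(tag)
        found.extend(p.iframes)
    return found


def scan_html(html: str, page_host: str) -> list:
    """Return hidden iframes whose src points off the page's own host."""
    parser = IframeCollector()
    parser.feed(html)
    candidates = [("static", a) for a in parser.iframes]
    candidates += [("script", a) for a in iframes_written_by_script("".join(parser.scripts))]
    hits = []
    for origin, attrs in candidates:
        host = (urlparse(attrs.get("src", "")).hostname or "").lower()
        reasons = hiding_reasons(attrs)
        if reasons and host and host != page_host.lower():
            hits.append({"source": origin, "host": host, "src": attrs["src"], "reasons": reasons})
    return hits


# Constructed page: one legitimate frame, two injected hidden frames, and one
# written by a split-string document.write in an inline script.
SAMPLE_PAGE = """<html><body>
<iframe src="https://www.example.com/widget" width="300" height="150"></iframe>
<iframe src="http://stats.example.net/counter.php" width="0" height="0" frameborder="0"></iframe>
<iframe style="visibility:hidden;position:absolute;left:-5000px" src="http://x7.example.org/in.cgi?3"></iframe>
<script>
document.write('<ifr' + 'ame src="http://drop.example.org/load.php" width=1 height=1 style="display:none"></ifr' + 'ame>');
</script>
</body></html>"""

if __name__ == "__main__":
    for hit in scan_html(SAMPLE_PAGE, "www.example.com"):
        print(hit)
```

This catches the plain form of the injection. Heavier obfuscation of the kind drive-by kits use (eval/unescape/fromCharCode chains, packed scripts) needs script emulation rather than string clean-up, which is why a static rule like this is only one layer of a Web filter.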
• Stuxnet in 2012: Despite being developed for a very specific type of target, the number of reports of potential Stuxnet infections observed by Symantec in 2012 placed the worm at a rank beyond 30 among malicious code families, compared with 18 in 2011. The Stuxnet worm generated a significant amount of attention in 2010 because it was the first malicious code designed specifically to attack Programmable Logic Controller (PLC) based industrial control systems.² Notably, Stuxnet was the first malicious code family that could directly affect the physical world, and it demonstrated the feasibility of malicious code causing potentially dramatic physical destruction.