McAfee Labs Threat Report for Q1 2012: Threats Gone Wild

McAfee Labs has just released the McAfee Threats Report, First Quarter 2012, and I’m proud of it. I am cribbing from the intro to this quarter’s report, but it kinda says it all:


“The Greek philosopher Heraclitus, known for his doctrine of change as central to the universe, once wrote that ‘everything flows, nothing stands still.’ The first quarter of 2012 embodies Heraclitus’ doctrine in almost all areas of the threats landscape. Although we observed declines in many areas in the numbers of malware and threats at the end of 2011, this quarter is almost its polar opposite.

PC malware had its busiest quarter in recent history, and mobile malware also increased at a huge rate.

We saw growth in established rootkits as well as the emergence of several new families. Many of the familiar malware we analyze and combat rebounded this quarter, but none more so than password-stealing Trojans. In this edition of the Threats Report we introduce our tracking of new threats such as the ZeroAccess rootkit and signed malware.”


Malicious code is on the rise again. Plain and simple. We are seeing more malware than in the recent past and you can count on that figure to rise in the coming year. In particular, mobile platforms present today’s cybercriminal with an almost irresistible target, specifically Android-based for now, but that can certainly evolve. Some highlights of the report include:


Mobile Malware Explosion


Mobile malware rose sharply during the quarter, with 8,000 total mobile malware samples collected. This large increase was due in part to McAfee Labs’ advancements in the detection and accumulation of mobile malware samples.


Financial profit is one of the main motivators for spreading malware on the Android platform, as identified by McAfee Labs malware researcher Carlos Castillo in a recent blog post. Nearly 7,000 Android threats have been collected and identified through the end of the quarter, a more than 1,200 percent increase compared with the 600 Android samples collected by the end of the last quarter of 2011. Most of these threats stem from third-party app markets, and are typically not found in the official Android market.


Malware Increase in PCs and Macs


By the end of 2011, McAfee Labs had collected more than 75 million malware samples. This quarter had the largest number of PC malware detected in the last four years, bringing the grand total to 83 million malware samples by the end of the period. Major contributors to the total were strong increases in rootkits, a stealth form of malware, as well as password stealers, which reached approximately 1 million new samples this quarter. Email continued to be a medium used for highly targeted attacks, and nearly all targeted attacks began with a spear phish.


By the time the Flashback Trojan began to wreak havoc among Apple Mac users in March, Mac malware had already been growing at a consistent rate. Despite the growth, Mac malware is still significantly less prevalent than PC malware, with approximately 250 new Mac malware samples and approximately 150 new Mac fake antivirus malware samples in this period.


Spam Low, Botnets High


Global spam levels dropped to slightly more than 1 trillion monthly spam messages by the end of March. Decreases were most significant in Brazil, Indonesia, and Russia, while increases in spam were found in China, Germany, Poland, Spain, and the United Kingdom.


Botnet growth increased this quarter, reaching nearly 5 million infections at its highest point. Colombia, Japan, Poland, Spain, and the United States were areas with the largest botnet increase, while Indonesia, Portugal, and South Korea were regions that continued to decline. The most prevalent botnet of the quarter was Cutwail, with more than 2 million new infections.


The McAfee Labs report depicts the price breakdown for a botnet sold on the black market. Citadel, a Zeus variant and financial botnet, will cost a cybercriminal US$2,399 plus $125 for “rent” of a botnet builder and administration panel, with an extra $395 for automatic updates for antivirus evasion. For Darkness, by SVAS/Noncenz, a distributed denial of service botnet, options range from $450 for a minimal package to approximately $1,000 for more advanced offerings.


United States the Primary Source of Cyberattacks


A compromised machine is often used as a proxy for spam, botnets, denial of service, or other types of malicious activity. These machines can be located anywhere in the world, but this quarter many were located in the United States. Based on data collected from the McAfee Global Threat Intelligence™ network, the United States was the primary source of SQL-injection attacks and cross-site scripting attacks, and also had the highest number of victims of both attacks. The United States currently houses the most botnet control servers and is the location of the vast majority of new malicious websites, with an average of 9,000 new bad sites recorded per day.


Download the McAfee Threats Report here.