In their regular quarterly report the experts at Kaspersky Lab examined the changes to the IT-threat landscape throughout Q3 2012. Of particular note were high-profile cyber-espionage investigations, changes to the geography of threats, and a shake-up of the top 10 vulnerabilities.
An average of eight different vulnerabilities were detected on each vulnerable computer. The two most frequently used vulnerabilities were in Oracle Java products found on 35% and 21.7% of affected computers respectively. The top 10 also includes five Adobe products, two Apple products – QuickTime player and iTunes – and the popular Nullsoft Winamp media player. The automatic updates mechanism introduced into recent versions of the Windows OS means Microsoft products no longer feature in the top 10.
The most significant incidents of the quarter were related to activity by the Madi, Gauss and Flame malware. The Madi campaign of penetrating computer systems went on for almost a year and targeted the infrastructure of engineering firms, government organisations, banks and universities in the Middle East. The malicious components were distributed via attacks that were based on a set of well-known, unsophisticated technologies. Despite the simplicity of the technology, the cybercriminals managed to keep their victims under close surveillance for extended periods of time.
The more sophisticated Gauss malware, classified as a ‘cyber-weapon’ by experts, was discovered in the course of an investigation initiated by the International Telecommunication Union (ITU) after the discovery of the Flame malware. Essentially, Gauss is a nation-state sponsored “banking” Trojan. In addition to its other spyware payload, it is aimed at stealing a variety of information about online banking systems of infected PC users in the Middle East. Gauss secretly forwards to administration servers passwords, inserted or saved in the browser, cookie files and configuration details of the infected system. Gauss is based on the Flame platform and shares some features with Flame, such as routines for infecting USB drives.
Kaspersky Lab experts were also able to gain new information on Flame command-and-control (C&C) servers. The C&C code supports three communication protocols. It handles requests from four malicious programmes, codenamed by the authors as SP, SPE, FL and IP. Of these four malicious programmes, only two are known at this time: Flame and SPE (a.k.a. miniFlame).
Threat geography also saw interesting changes. There was a new leader among countries hosting malicious content, with Russia (23.2%) overtaking the USA (20.3%).
In Q2, the top 20 countries where the risk of computer infection via the Internet was highest consisted exclusively of countries from the former Soviet Union, Africa and South-East Asia. In Q3 it also included two South European countries: Italy (36.5%) and Spain (37.4%). Russia was replaced by Tajikistan as the most dangerous place to surf the Web, with 61.1% of users in the Central Asian country encountering antivirus detections when online.
The full version of the report “IT Threat Evolution: Q3 2012” is available at securelist.com