After a quiet 2011, where bot masters failed to come up with anything new, 2012 started with a bang, according to the internet security company Kaspersky Lab. For the first time in Q1 2012, cybercriminals used a “fileless” bot to build a zombie-net. Q1 also saw the discovery of a botnet made up of mobile devices with infection numbers similar to typical Windows botnets, and a zombie-net of 700,000 Mac OS X computers.
Among the growing malware problems for Mac computers, there was a rise in the number of targeted attacks against the OS. Users need to be aware of the risk cybercriminals pose in targeting organisations which use both Windows and Mac platforms. In the first quarter of 2012, one case involved cybercriminals using two Trojans – one for Mac and another for Windows – to gain access to confidential records. Depending on which OS was running on the target machine, the appropriate malware was loaded. Both Trojans received commands from a single control centre. To make the initial intrusion into the system, the criminals used an exploit that works in both Windows and Mac OS X environments; a successful attack gave them control over the infected machine.
“Judging by the speed with which new malware is being created for targeted attacks on Mac OS X, it is not that complicated for cybercriminals to develop. Meanwhile, the careless attitude of many Mac users, coupled with a lack of security on their computers, makes Macintosh the weakest link in business security systems,” said Yury Namestnikov, Senior Malware Analyst at Kaspersky Lab, and author of the report.
Duqu authors get back to work
After a four-month break, the authors of Duqu have resurfaced. In Q1 2012 a new Duqu driver with functions similar to previous versions was detected. The difference in the code was negligible; all the changes were aimed at evading detection. The main Duqu module related to the driver has not yet been found.
“We were right in our suppositions: when so much money has been invested in a project, as it was with the development of Duqu and Stuxnet, it is impossible to suddenly just halt that process. Instead, the cybercriminals are persevering – they have changed the code so it avoids detection and will continue to attack,” added Alexander Gostev, Chief Security Expert at Kaspersky Lab.
The first quarter of 2012 was also notable for the successful joint efforts of antivirus companies and law enforcement bodies, who took control of the 110,000-strong Hlux (Kelihos) botnet. These partnerships also managed to shut down control centres of several ZeuS botnets targeting online banking users and arrested several Russian cybercriminals.
The full version of the report ‘IT Threat Evolution: Q1 2012’ is available at: www.securelist.com.
