McAfee Q1 Threats Report Reveals Surge in Malware and Drop in Spam

Symbian and Android the most popular mobile malware environments; spam dips due to Rustock takedown

SANTA CLARA, Calif.--()--McAfee today released the McAfee Threats Report: First Quarter 2011 . With six million unique samples of recorded malware, Q1 2011 was the most active first quarter in malware history. The report revealed many of the trends that had a significant impact on the threat landscape, such as the takedown of the Rustock botnet, which resulted in spam remaining at its lowest levels since 2007, and confirmed that mobile malware is the new frontier of cybercrime.

“The Q1 Threats Report indicates that it’s been a busy start to 2011 for cybercriminals,” said Vincent Weafer, senior vice president, McAfee Labs. “Even though this past quarter once again showed that spam has slowed, it doesn’t mean that cybercriminals aren’t actively pursuing alternate avenues. We’re seeing a lot of emerging threats, such as Android malware and new botnets attempting to take over where Rustock left off, that will have a significant impact on the activity we see quarter after quarter.”

Busiest Quarter in History for Malware

With more than six million unique malware samples in Q1, this period far exceeds any first quarter in malware history. February 2011 saw the most new malware samples of the quarter, at approximately 2.75 million samples. Fake anti-virus software had a very active quarter as well, reaching its highest levels in more than a year, totaling 350,000 unique fake-alert samples in March 2011.

Malware Attacks on Android Devices

Malware no longer affects just PCs. As Android devices have grown in popularity, the platform solidified its spot as the second most popular environment for mobile malware behind Symbian OS during the first three months of the year.

A McAfee Labs mobile application security whitepaper, released today in conjunction with this McAfee Threats Report, discusses how most Android devices allow the “side-loading” of apps and are not restricted to getting them from a centralized app store, and there is no centralized place where Google can check all apps for suspicious behavior. (See Downloading from Mobile App Stores Is a Risky Business.) The researcher Lompolo recently found a series of Android applications carrying backdoor Trojans in the Android Market and, with the estimated download rate of tens of thousands to the hundreds of thousands, the number of users who could be affected is significant. In Q1 2011 McAfee Labs found that the most prominent types of Android mobile malware were Android/DrdDream, Android/Drad, Android/SteamyScr.A and Android/Bgyoulu, which affected everything from games to apps to SMS data.

The cybercriminals behind the Zeus crimeware toolkit have also directed attacks toward the mobile platform, creating new versions of Zitmo mobile malware for both Symbian and Windows Mobile systems to steal user bank-account information.

Rustock and Zeus Takedowns Result in Spam Decline

The takedown of the Rustock botnet resulted in the shutoff of major zombies and command structures that caused spam volumes to fall all over the world. Spam, which has been at its lowest levels since 2007 in the past few quarters, significantly dropped once again to less than half of what it was only a year ago—at approximately 1.5 trillion messages per day, outnumbering legitimate email traffic by only a 3:1 ratio.

Although Zeus botnet development has declined, the author has apparently shifted efforts to merging the Zeus source code with the SpyEye botnet, resulting in large-scale threats affecting banking and online transactions. As of March 2011, the most recent SpyEye botnet can thrive on more than 150 modules, such as USB thumb drives, instant messaging and Firefox certificates.

Spam may be at its lowest levels in years, but many botnets are in the position to fill the gap left by the decline of Rustock and Zeus; the competition includes Maazben, Bobaz, Lethic, Cutwail and Grum. There was a strong uptick in new botnet infections toward the end of Q1, most likely due to the reseeding process, where cybercriminals slow down activity in order to spend time rebuilding botnets. The botnet takedowns have resulted in an increase in the price of sending spam on the underground marketplace, showing that the laws of supply and demand also apply to cybercrime.

Popular Lures

Cybercriminals often disguise malicious content by using popular “lures” to trick unsuspecting users. Spam promoting phony or real products was the most popular lure in most global regions. In Russia and South Korea, drug spam was the most popular; and in Australia and China, fake delivery status notifications were among the most popular. Q1 also brought a new trend among “banker” Trojans, malware that steal passwords and other data, that use popular lures in their spam campaigns such as UPS, FedEx, USPS and the IRS.

McAfee Labs saw some significant spikes in malicious web content that corresponded with high-impact news events such as the Japanese earthquake and tsunami and major sporting events, with an average of 8,600 new bad sites per day. In the same vein, within the top 100 results of each of the daily top search terms, nearly 50 percent led to malicious sites, and on average contained more than two malicious links.

For more information on trends related to cybercrime, hacktivism, web threats, vulnerabilities and network attacks, please download a full copy of the McAfee Threats Report: First Quarter 2011 at http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q1-2011.pdf.

About McAfee

McAfee, a wholly owned subsidiary of Intel Corporation (NASDAQ:INTC), is the world's largest dedicated security technology company. McAfee delivers proactive and proven solutions and services that help secure systems, networks, and mobile devices around the world, allowing users to safely connect to the Internet, browse and shop the Web more securely. Backed by its unrivaled Global Threat Intelligence, McAfee creates innovative products that empower home users, businesses, the public sector and service providers by enabling them to prove compliance with regulations, protect data, prevent disruptions, identify vulnerabilities, and continuously monitor and improve their security. McAfee is relentlessly focused on constantly finding new ways to keep our customers safe. http://www.mcafee.com

Photos/Multimedia Gallery Available: http://www.businesswire.com/cgi-bin/mmg.cgi?eid=6744119&lang=en

Contacts

McAfee
Joris Evers, 408-346-3310
joris_evers@mcafee.com
or
H3O Communications
Heather Edell, 415-618-8814
heather@h3ocommunications.com

Contacts

McAfee
Joris Evers, 408-346-3310
joris_evers@mcafee.com
or
H3O Communications
Heather Edell, 415-618-8814
heather@h3ocommunications.com