Report: Bandwidth-Burning Malware Among Biggest Consumer Threats

A new malware report indicates Android malware samples grew three-fold last quarter and that one in every 140 devices connected to mobile networks was infected at some point.

Closer to home, about 14 percent of household networks were hit by malware this spring, with a 50 percent increase in high-level bots, Trojans and backdoors, according to the Q2 2012 Malware Report from Kindsight Security Labs.

Among the biggest threats to consumers was the ZeroAccess botnet, which grew to more than 1.2 million super nodes resulting in ad-click fraud that at one point burned through bandwidth equivalent to 45 monthly movie downloads per subscriber.

“In recent months, we’ve seen the ZeroAccess botnet update its command and control protocol and grow to infect more computers while connecting to over one million computers globally,” Kevin McNamee, a security architect and director for Kindsight Security Labs said in a statement. “The concern with ZeroAccess is that it is using the subscriber’s bandwidth maliciously which will cost them money as they exceed bandwidth caps. And, once the computer is compromised, it can also spread additional malware or launch new attacks.”

The Mountain View, Calif. company’s findings are based on malicious network communications traffic detected at the service provider level.

During the three-month period, the top home network infections as ranked by Kindsight security researchers were Hijacker.MyWebSearchToolbar, Spyware.SCN-ToolBar, Hijacker.StartPage.KS, Adware.GameVance and Mac.Bot.Flashback.K/I. The Mac Flashback bot finished at the top of all high-level threats for the quarter, staying in the No. 1 spot for four weeks in a row in April.

Next in ranking were the ZeroAccess botnet and NineBall/Gumblar. DNSChanger, which received a lot of doomsday-like publicity as the deadline approached for shutting down the substitute DNS servers that had kept infected users online, ranked eighth on the list.

The ZeroAccess/Sirefef bot earlier this year modified its command-and-control protocol to evade detection and quietly distribute click-fraud malware. By the end of June, Kindsight researchers found 3,321 infected computers on the networks they monitor actively communicating with more than 1.2 million Internet peers, nearly 2.5 times the count at the same point in the previous quarter. India (18 percent) and the United States (10 percent) accounted for the largest shares of infected peers.

“The traffic generated by the ad-click fraud can burn through your bandwidth cap. We have been following a number of bots such as ZeroAccess whose primary function is ad-click fraud. These bots receive instructions from a controller directing them to click on ads on specific web sites. The web site owner gets paid by the advertiser on a per click basis usually through the intermediary of an ad network. The advertisers and ad network operator have a number of safeguards in place to protect against click fraud,” the report said.

“The bot tries to circumvent these by simulating normal human browsing behavior. This involves using a relatively low click rate and responding to redirects, cookies and scripting as would a regular browser. Despite this low profile, the bot operates 24 hour a day, seven days a week, so the bandwidth utilization for all that browsing adds up over time.”
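As an added illustration (not code from the article or from Kindsight), the following Python script sketches the kind of provider-side check that separates the pattern the report describes from a human browser: it reads constructed proxy-style log lines (timestamp, client, host, bytes), keeps only requests to an assumed set of ad-network hostnames, and flags a client that is active in nearly every hour of the day at a low, steady click rate, then projects the monthly bandwidth that rate implies. The hostnames, thresholds, byte sizes and log format are all assumptions made for the example.

```python
"""Flag hosts whose ad-click traffic looks like a round-the-clock click bot.

Added example, not part of the Kindsight report or the article. It encodes
the two traits the report attributes to ZeroAccess-style click bots: a
low, human-like click rate (to slip past ad-network fraud checks) combined
with activity in every hour of the day, so the bandwidth adds up over a
billing month. Hostnames, thresholds and the log format are assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta

AD_HOSTS = {"ads.example-network.net", "click.example-adserver.com"}  # assumed
MIN_ACTIVE_HOURS = 22      # hours of the day with clicks; humans have idle hours (assumed)
MAX_CLICKS_PER_HOUR = 10   # "relatively low click rate" (assumed threshold)
BYTES_PER_CLICK = 350_000  # assumed cost of one ad click incl. redirects/scripts


def make_sample_log(days=2):
    """Constructed sample log: one 'ISO-timestamp client host bytes' line per request."""
    lines = []
    start = datetime(2012, 6, 1)
    for day in range(days):
        for hour in range(24):
            base = start + timedelta(days=day, hours=hour)
            # 10.0.0.7: a person browsing between 08:00 and 22:00, bursty at lunch/evening
            if 8 <= hour <= 22:
                for i in range(4 if hour in (12, 20) else 1):
                    ts = base + timedelta(minutes=5 * i)
                    lines.append(f"{ts.isoformat()} 10.0.0.7 ads.example-network.net 120000")
            # 10.0.0.9: a bot clicking three ads every hour, around the clock
            for i in range(3):
                ts = base + timedelta(minutes=17 * i)
                lines.append(f"{ts.isoformat()} 10.0.0.9 click.example-adserver.com {BYTES_PER_CLICK}")
    return lines


def parse_line(line):
    """Split one log line into (datetime, client, host, bytes)."""
    ts, client, host, nbytes = line.split()
    return datetime.fromisoformat(ts), client, host, int(nbytes)


def profile_clients(lines):
    """Per client: hours of day seen, clicks per calendar hour, bytes, first/last timestamp."""
    stats = {}
    for line in lines:
        ts, client, host, nbytes = parse_line(line)
        if host not in AD_HOSTS:
            continue  # only ad-network traffic counts as a "click"
        s = stats.setdefault(client, {"hours": set(), "per_hour": Counter(),
                                      "bytes": 0, "first": ts, "last": ts})
        s["hours"].add(ts.hour)
        s["per_hour"][ts.replace(minute=0, second=0, microsecond=0)] += 1
        s["bytes"] += nbytes
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
    return stats


def projected_monthly_bytes(s):
    """Extrapolate the observed byte rate to a 30-day month."""
    span_hours = max((s["last"] - s["first"]).total_seconds() / 3600, 1.0)
    return s["bytes"] / span_hours * 24 * 30


def flag_click_bots(lines):
    """Return {client: details} for clients that click ads all day at a low rate."""
    flagged = {}
    for client, s in profile_clients(lines).items():
        active_hours = len(s["hours"])
        peak = max(s["per_hour"].values())
        # Low rate alone is what a human looks like; low rate in (nearly) every
        # hour of the day, day after day, is the bot's tell.
        if active_hours >= MIN_ACTIVE_HOURS and peak <= MAX_CLICKS_PER_HOUR:
            flagged[client] = {
                "active_hours": active_hours,
                "peak_clicks_per_hour": peak,
                "projected_monthly_mb": round(projected_monthly_bytes(s) / 1e6),
            }
    return flagged


if __name__ == "__main__":
    for client, details in flag_click_bots(make_sample_log()).items():
        print(client, details)
```

The human client never trips the rule because its clicks stop overnight; the bot is caught on coverage, not volume, which is the point of the low-and-slow behaviour the report describes. In production the hour-of-day set should be accumulated over several days and the ad-host list drawn from the ad networks actually seen in the provider's traffic.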

On the mobile front, most malware involved “trojanized” apps that steal information about the phone or send SMS messages. However, a banking Trojan that intercepts access tokens and two spyware applications also made the Top 20 list.

Researchers noted that Apple took a second hit to its security reputation with the “Find and Call” malware that targeted both iPhone and Android devices.

“First Flashback infected the Mac and now it appears that an iPhone app called ‘Find and Call’ uploads the user’s contact list to a remote server. The server then sends e-mail and text-message spam to the victim’s contacts. The messages are in Russian and encourage the recipient to download the app,” the researchers said.

The app has since been removed from Apple’s App Store.
