Threat Report H2 2012




Protecting the irreplaceable | www.f-secure.com

F-Secure Labs

At the F-Secure Response Labs in Helsinki, Finland, and Kuala Lumpur, Malaysia, security experts work around the clock to ensure our customers are protected from the latest online threats.

At any given moment, F-Secure Response Labs staff is on top of the worldwide security situation, ensuring that sudden virus and malware outbreaks are dealt with promptly and effectively.

Protection around the clock

Response Labs' work is assisted by a host of automatic systems that track worldwide threat occurrences in real time, collecting and analyzing hundreds of thousands of data samples per day. Criminals who make use of viruses and malware to profit from these attacks are constantly at work on new threats. This situation demands around-the-clock vigilance on our part to ensure that our customers are protected.
Foreword

Today, the most common way of getting hit by malware is by browsing the Web. It hasn't always been this way. Years ago, floppy disks were the main malware vector. Then sharing of executable files. Then e-mail attachments. But for the past five years, the Web has been the main source of malware.

The Web is the problem largely because of Exploit Kits. Kits such as BlackHole, Cool Exploit, Eleanore, Incognito, Yes or Crimepack automate the process of infecting computers via exploits.

There is no exploit without a vulnerability. Ultimately, vulnerabilities are just bugs, that is, programming errors. We have bugs because programs are written by human beings, and human beings make mistakes. Software bugs have been a problem for as long as we have had programmable computers—and they are not going to disappear.

Bugs were not very critical until access to the Internet became widespread. Before, you could have been working on a word processor and opening a corrupted document file, and as a result, your word processor would have crashed. Even if annoying, such a crash would not have been too big of a deal. You might have lost any unsaved work in open documents, but that would have been it.

However, things changed as soon as the Internet entered the picture. Suddenly, bugs that used to be just a nuisance could be used to take over your computer.

Yet, even the most serious vulnerabilities are worthless for the attacker if they get patched. Therefore, the most valuable exploits target vulnerabilities that are not known to the vendor behind the exploited product. This means that the vendor cannot fix the bug and issue a security patch to close the hole.

If a security patch is available and the vulnerability starts to get exploited by the attackers five days after the patch came out, the users have had five days to react. If there is no patch available, the users have no time at all to secure themselves; literally, zero days. This is where the term 'Zero Day Vulnerability' comes from: users are vulnerable, even if they have applied all possible patches.

One of the key security mechanisms continues to be patching. Make sure all your systems are always fully up-to-date. This drastically reduces the risk of getting infected. But for Zero Day vulnerabilities, there are no patches available. However, antivirus products can help against even them.

We're in a constant race against the attackers. And this race isn't going to be over any time soon.

Mikko Hyppönen
Chief Research Officer




FOREWORD                                                                                                               3
Executive Summary

Three things visibly stand out in this past half year: botnets (with special reference to ZeroAccess), exploits (particularly against the Java development platform) and banking trojans (Zeus).

ZeroAccess was easily the most prevalent botnet we saw in 2012, with infections most visible in France, the United States and Sweden. It is also one of the most actively developed and perhaps the most profitable botnet of last year. In this report, we go through the distribution methods and payment schemes of ZeroAccess's 'affiliate program', as well as its two main profit-generating activities: click fraud and BitCoin mining. Aside from ZeroAccess, other notable botnets of 2012 are Zeus, Carberp, Dorkbot and SpamSoldier (a mobile botnet).

Java was the main target for most of the exploit-based attacks we saw during the past half year. This is aptly demonstrated in the statistics for the top 10 most prevalent detections recorded by our cloud lookup systems, in which the combined total of detections for the Java-specific CVE-2012-4681 and CVE-2012-5076 vulnerabilities and the Majava generic detections, which also identify samples that exploit Java-related vulnerabilities, account for one third of the samples identified during this period. Exploit kits play a big role in this prevalence. In addition, exploits against other programs such as the PDF document reader (CVE-2010-0188) or Windows TrueType font (CVE-2011-3402) made notable impacts in H2 2012, as detailed further in this report.

With regards to banking trojans, a botnet known as Zeus—which is also the name for the malware used to infect the users' machines—is the main story for 2012. Analysis of the geography of Zeus's infection distribution highlights the United States, Italy and Germany as the most affected countries. In addition to its banking-trojan capabilities, the Zeus malware also functions as a backdoor, allowing it to be directly controlled from the botnet's command and control (C&C) servers. An examination of the different sets of backdoor commands used by Zeus derivatives (known as Citadel and Ice IX) gives more detail of what other malicious actions this malware can perform.

In terms of online security, we look at the more ambiguous side of the ever-growing popularity
of website hosting, and how its increasingly affordable and user-friendly nature also makes it
well suited to supporting malware hosting and malvertising.

We also take a look at multi-platform attacks, in which a coordinated attack campaign is
launched against multiple platforms (both desktop and mobile), often with multiple malware.

And finally on the mobile scene, the Android and Symbian platforms continue to be the main
focus of threats, accounting for 79% and 19%, respectively, of all new mobile malware variants
identified in 2012.




Contents

This Threat Report highlights trends and new developments seen in the malware threat landscape by analysts in F-Secure Labs during the second half of 2012. Also included are case studies covering selected noteworthy, highly-prevalent threats from this period.

Foreword                    3
Executive Summary           4
Contents                    5
Incidents Calendar          6
In Review                   7
Of Note                    10
    The Password           11
    Corporate Espionage    12
Case Studies               14
    Bots                   15
    ZeroAccess             17
    Zeus                   21
    Exploits               25
    Web                    28
    Multi-Platform Attacks 32
    Mobile                 35
Sources                    38

Contributing authors: Broderick Aquilino, Karmina Aquino, Christine Bejerasco, Edilberto Cajucom, Su Gim Goh, Alia Hilyati, Timo Hirvonen, Mikko Hypponen, Sarah Jamaludin, Jarno Niemela, Mikko Suominen, Chin Yick Low, Sean Sullivan, Marko Thure, Juha Ylipekkala




Incidents Calendar

H2 2012 incidents calendar (July-December)*

The original is a timeline graphic that places each incident under a month (Jul, Aug, Sept, Oct, Nov, Dec) and colour-codes it by category: Online, In the news, PC threats, Mobile threats, Hacktivism & espionage. The incidents shown:

- FBI support for DNSChanger ended
- Multi-platform Intel/OS X backdoor found
- Commercial multi-platform surveillance tools found
- Iran-targeted malware reported
- Indian government email accounts hacked
- Gauss threat targeted the London Olympics
- Blackhole updated faster than flaws patched
- Java update closed 3 vulnerabilities
- Matt Honan 'hack' highlighted flaws in account systems
- Huawei controversy in US Congress
- Out-of-band Patch Friday
- Imuler.B backdoor found on OS X
- Malware signed with Adobe certificate
- Samsung TouchWiz exploit reported
- ITU Telecom World '12 raised Internet/government concerns
- Syrian Internet, mobile connections cut off
- Berlin police warned of Android banking trojans
- Cool Exploit kit rivalling Blackhole
- New Mac Revir threat found
- New Linux rootkit found
- Dexter malware hit point of sales (POS)
- Australian hospital's records ransomed
- Mac threat found on Dalai Lama-related website
- One rogue ad hits Finnish web traffic
- Eurograbber attack on European banks reported
- Samsung Exynos exploit reported

*Sources: See page 38.




In Review
changes in the threat landscape
Unlike the first half of 2012, the second half of the year saw no major malware outbreaks
on any platform. Instead, a handful of incidents took place during this time period, most of
which were notable as indications of how inventive the attackers have been in finding ways
to compromise a user’s machine, data or money. These incidents included the hack into the
Wired Matt Honan’s Gmail and Apple accounts, which exposed loopholes in those account
systems; the Adobe-certified malware episode, in which attackers went to the extent of
stealing Adobe’s digital certificate in order to sign malware used in targeted attacks; and the
Eurograbber attack, in which a variant of the Zeus crimeware was reportedly used to steal
money from various corporations and banks in Europe.

An interesting development in 2012 has been the increasing public awareness of cyber-security
and the various implications of being vulnerable to attack over a borderless Internet. News
reports of alleged online or malware-based attacks against Iranian facilities drew attention
to state-sponsored cyber-attacks. A conference gathering the various telecommunications
entities to discuss basic infrastructure issues raised concerns about Internet governance, and
the role of governments in it. The past year also saw US politicians, not generally considered
the most tech-savvy of users, raise concerns over perceived reliance on IT solutions for
sensitive government systems being provided by foreign corporations seen as potentially
unreliable. Though it is probably a positive development that more people are becoming
exposed to topics that have long been considered irrelevant or academic, only time will tell
what will result from the increased awareness.

Rather than a single major event, perhaps the most noteworthy aspect of H2 2012 is the way
that the various trends we saw emerging in the first two quarters of the year have continued to
grow apace—that is, the growth of botnets, the ‘standardization’ of vulnerability exploitation
and the increasing ‘establishment’ of exploit kits.

When it comes to botnets, the news has been mixed at best. The last few years have seen
concerted efforts by players from different fields—telecommunications, information security
and even government organizations—to take down or at least hamper the activities of various
botnets, which have compromised millions of users' computers and been used to perform
such activities as monetary fraud and online hacking. These combined efforts resulted in
totally shuttering, or at least seriously hampering, major botnets such as Rustock, Zeus and
DNSChanger.

Unfortunately, despite these commendable efforts, the botnets have been regularly
resurrecting, often with new strategies or mechanisms for garnering profit. In addition,
the operators running these botnets have been aggressively marketing their 'products' to
other hackers and malware distributors. Their efforts include offering affiliate programs with
attractive 'pay-per-installation' rates and 'rent-a-botnet' schemes that allow attackers to use
the combined power of the infected hosts to perform attacks or other nefarious activities.
These sophisticated business tactics have garnered significant returns. In some cases, such as
ZeroAccess, the reborn botnets have grown to count millions of infected hosts. See the case
studies Bots (pg. 15), ZeroAccess (pg. 17) and Zeus (pg. 21) for more information on botnets.

Another change we saw last year was the increasing use of vulnerability exploitation, often
in tandem with established social engineering tactics. Unlike previous years, when most of
the infections we saw involved trojans, 2012 was definitely the year of the exploit, as exploit-related
detections accounted for approximately 28% of all detections F-Secure's cloud lookup
systems saw in H2 2012. In addition, malware designed to exploit vulnerabilities related to the
Java development platform made up about 68% of all exploit-related detections recorded by
our systems in the second half of last year.

Top 10 detections in H2 2012, with share of the top 10 and top countries*

Detection        Share   Top countries (others follow)
ZeroAccess        27%    FR, US, SE, DK
Majava            26%    US, FR, FI, SE
Downadup          11%    BR, FR, MY, IT
BlackHole          9%    FR, FI, SE, NL
CVE-2012-4681      6%    US, SE, FR, DE
CVE-2011-3402      6%    FR, SE, NL, FI
CVE-2010-0188      6%    FR, SE, FI, NL
CVE-2012-5076      3%    FI, US, FR, SE
PDF Exploits       3%    FI, FR, SE, DE
Sinowal            3%    NL, SE, FI

*Based on statistics from F-Secure's cloud lookup systems from July to December 2012.

If we look at the list of Top 10 Detections (above) seen by our cloud lookup systems in
H2 2012 in more detail, two detections which specifically identify samples exploiting
the Java-specific CVE-2012-4681 and CVE-2012-5076 vulnerabilities alone account for
9% of the malware identified by the top 10 detections. In addition, the Majava generic
detections, which identify samples that exploit known vulnerabilities, including the
Java-specific CVE-2012-0507 and CVE-2012-1723 vulnerabilities, account for another
26% of the top 10 detections, as well as having the dubious honor of being the second
most common detection overall reported by our backend systems. The sheer volume
of Java-related detections indicates both the widespread popularity of that platform
and its susceptibility to the malicious inventiveness of malware authors.

Interestingly enough, when considering exploit attacks in general, though we saw
attacks exploiting numerous vulnerabilities in multiple platforms and programs in
2012, the vast majority of the cases were related to only four vulnerabilities—CVE-2011-3402
and CVE-2010-0188, which are Windows-related vulnerabilities, and the
previously mentioned Java vulnerabilities, CVE-2012-4681 and CVE-2012-5076. All of
these vulnerabilities, incidentally, have already had security patches released by their
relevant vendors.




This skewed preference in attack targeting can be directly attributed to the popular usage of
exploit kits such as Blackhole and Cool Exploit, which have incorporated the exploits for these
vulnerabilities, in some cases faster than the vendors were able to patch them. It's perhaps not
too surprising then that BlackHole-related detections account for 9% of all samples detected
by the top 10 detections of H2 2012. For more information on these exploits, see the Exploits
case study on page 25.

And as a closing note, a quick look at our detection statistics for Mac indicates that even
though Windows machines continue to be the main target for attacks, the Mac platform
is increasingly coming in for a share of unwanted attention. Apart from the major Flashback
outbreak in early 2012, we saw a slow but steady increase in malware on the Mac platform,
as we detected 121 new, unique variants in all of 2012, the majority of them backdoors. By
contrast, in 2011, we recorded only 59 new unique variants discovered on that platform.




Mac malware by type, Jan - Dec 2012 (total: 121 variants*)

Backdoor   85%
Trojan      7%
Rogue       4%
Others      4%

*The total is counted based on unique variants detected from Jan to Dec 2012, rather than total file count. Riskware and repackaged installers are not counted; multi-component malware are only counted once.




Of Note

The Password          11
Corporate Espionage   12
The Password

Dead man walking

Computer passwords are something like fifty years old. And until a little over twenty years ago, they were very often a shared resource where multiple people used the same password (or set of passwords) for access to computer systems. The use of individual passwords was actually something of an innovation at the time.

Then came the World Wide Web, and with it, the ever growing need for more and more account passwords. As time has passed and our online lives have grown, it is now not at all uncommon for people to have dozens of passwords to keep track of. And what's worse is that all of those passwords should be "strong" passwords and people shouldn't reuse them between accounts. It's too much!

The second half of 2012 provided more than enough evidence to demonstrate the problem of passwords. Hacks, breaches, database dumps—these are terms that average individuals (not just techies) are now familiar with. With today's processing power, passwords that are strong enough to withstand brute force attacks are too difficult for the human brain to remember.

Even if the passwords are strong, our systems of authenticating account resets are flawed. A strong password is useless if social engineering tactics can be used to reset those passwords.

The password is dead and we all know it. But unfortunately, its successor has yet to turn up. So what's to be done in the meantime? Triage.

•	Use a password manager such as KeePass or Password Safe
•	Kill old accounts that you no longer use
•	Untangle cross-linked accounts
•	Consider using a "secret" email address for account maintenance
•	Be careful about what you share on social media. If you share, don't rely on personal information for your account password resets
•	Use two-factor authentication options if available

Determine which accounts are your critical points of failure, and make sure they are all well defended. Two factor authentication is good, but even that is not a bulletproof solution. It is important to use every option available.

For example, Google's Gmail allows users to create their own security question for password resets. There is absolutely no reason why this question needs to be based on reality. It can just as easily be another "password". One which is written down and stored safely at home, where only you have access to it.

And if you are a parent of teenage children… you really should have "the talk" with them about their use of passwords. The habits they form now will have a big impact on their future online lives.

Hopefully, one day soon, a true successor will rise to take the password's place and we will all be able to let the password die a dignified death. Unfortunately, we are more likely to experience fits and starts towards a new solution. Prepare yourself now, 2013 isn't going to be kind for those who are unprepared.

Recommended Reading

•	Hacked: passwords have failed and it's time for something new[1]
	Matt Honan discusses the account hack that disrupted his digital life and its implications for online security
•	Google declares war on the password[2]
	Find out more about Google's experiment with device-based account authentication

SOURCES
[1] Wired; Matt Honan; Hacked: passwords have failed and it's time for something new; published 17 Jan 2013;
http://www.wired.co.uk/magazine/archive/2013/01/features/hacked?page=all
[2] Wired; Robert McMillan; Google declares war on the password; published 18 Jan 2013;
http://www.wired.com/wiredenterprise/2013/01/google-password/


Corporate espionage: rise of the 'watering hole' attack

In Q4 2012, we watched the nature of corporate espionage attacks change. Before, almost all recorded corporate espionage cases were based on using specially crafted documents containing exploits and a malware payload. Now, spies have started to leverage vulnerabilities in web browsers and browser plugins to achieve their aims in so-called 'watering hole' attacks.

'Watering hole' attacks are called such because instead of compromising a random website and infecting anyone who happens to visit the site, the attackers are more discriminating in both the users being targeted and the site used as the infection vector. The attackers specifically attack a site which is commonly used by employees of the actual target organization. When these employees visit the compromised site, their browser or computer is then attacked, typically by exploiting a vulnerability that allows trojans or backdoors to be installed on the machine. From that point on, the installed malware becomes the gateway for attackers to reach their real target: the internal network and/or communications of the compromised employee's company.

Numerous examples of corporate espionage attacks have been reported in the F-Secure Weblog over the years, many of them involving poisoned e-mail file attachments sent directly to the targeted organizations.

These attacks contrast sharply with the most recent case of a watering hole attack—the 21st December 2012 compromise of the Council of Foreign Relations (CFR) website[1]. In this attack, the website was injected with a previously unknown exploit that affected versions 6, 7 and 8 of the Internet Explorer (IE) web browser. Compromising the website itself was not the attacker's final objective; it was merely a conduit to infect the website's visitors, which naturally include members of the CFR itself. And considering that the CFR counts among its members both current and former US political elite and the founders of multinational companies, the list of potential targets is very interesting.

"Cross-referencing this list [of known attack domains] against Alexa.com's list of the 1 million most common domains showed that 99.6% of these potential C&C sites were outside of Alexa's top domains."

The rise of web-based attacks in corporate espionage raises two points: first, this trend means that any corporation with an online presence that serves such potentially 'interesting' targets may be at risk of unwittingly serving as an attack conduit; and secondly, obviously, such organizations must now find a way to mitigate such a risk, in order to protect themselves and their clients.

Figure 1: Screenshots of an e-mail and malicious file attachment used in a targeted attack
How a 'watering hole' attack works

(Diagram in the original: the attacker plants an exploit kit on a website (www) used by the targeted organization; an employee's visit to that site results in a compromised computer; the attacker then gains access to the compromised computer.)
For companies with online resources that may be vulnerable to 'watering hole' attacks, it is very important to invest
in web and server security. Performing regular audits to verify that your web server is serving only what it should is
also highly recommended.

Defending against watering hole attacks does not require anything new that should not already be in place to protect
against more mundane web attacks which target zero day vulnerabilities, thereby circumventing detection-based security
coverage. A corporate security suite with behavioral based detection should of course be a part of the protection
solution, as it can still provide a measure of protection by actively looking for and red-flagging suspicious behavior,
rather than relying statically on known features to identify a malicious file.

But when we consider dealing with advanced and persistent attackers, one layer of protection is not enough. At a
minimum, corporate users should use Microsoft's free Enhanced Mitigation Experience Toolkit (EMET) to harden their
system's memory handling for client applications such as web browsers, web browser plugins and document readers.

A second, very effective method of ruining the spy's day is to use DNS whitelisting in the company's DNS server so that
only specific, approved public sites can be accessed from the user's machine. This precaution directly interferes with
the spy's ability to communicate with its installed trojan(s), as well as helping to prevent information stolen from
the machine being sent out to the attacker's command and control (CC) server.

Done right, this method also has the advantage of not interfering with the way most users work or browse the Internet.
At F-Secure, we maintain a list of known attack domains potentially associated with corporate espionage.
Cross-referencing this list against Alexa.com's list of the 1 million most common domains showed that 99.6% of these
potential CC sites were outside of Alexa's top domains.

So if your organization is in possession of information that might be interesting to other companies, we recommend a
custom DNS whitelisting solution that is relaxed enough to allow your users to work, but still strict enough to block
unknown domains. And while attackers can use CC channels that are trickier to block, such as Twitter or Facebook, this
simple precaution does make it more difficult for attackers to operate.

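The allowlist policy described above, written out as an added example (this is not F-Secure's code and not part of the original report). It applies a DNS allowlist to a handful of constructed resolver queries, refusing anything that is not an approved domain or a subdomain of one, and then runs the same kind of cross-reference the report did between a list of suspect CC domains and a popularity list. Every domain name, query and list below is made up for the example; the "last two labels are the registrable domain" rule is a simplifying assumption (a real deployment would consult the public suffix list).

```python
# Added example, not F-Secure's code: a DNS allowlist policy of the kind the
# text recommends, run over constructed resolver queries, and the same
# top-domains cross-reference applied to a constructed list of suspect
# command-and-control domains. All domain names below are made up.
from collections import Counter


def normalize(name: str) -> str:
    return name.strip().lower().rstrip(".")


def registrable(name: str) -> str:
    """Collapse a host name to its registrable domain.
    Assumption: the last two labels are enough (no public-suffix list)."""
    labels = normalize(name).split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else normalize(name)


class DnsAllowlist:
    """Permit a query only if the name is an approved domain or a subdomain
    of one. A lookalike such as evil-examplecorp.com does not match
    examplecorp.com because matching is done per label, not by substring.
    Refused names are counted: they are the implant's failed C2 lookups."""

    def __init__(self, approved):
        self.approved = {normalize(d) for d in approved}
        self.refused = Counter()

    def permits(self, qname: str) -> bool:
        labels = normalize(qname).split(".")
        for i in range(len(labels)):          # try a.b.c, then b.c, then c
            if ".".join(labels[i:]) in self.approved:
                return True
        self.refused[normalize(qname)] += 1
        return False


def apply_policy(policy: DnsAllowlist, queries):
    """queries: (source_ip, qname) pairs -> (source_ip, qname, verdict)."""
    return [(src, q, "ALLOW" if policy.permits(q) else "REFUSE") for src, q in queries]


def outside_top_list(suspect_domains, top_domains):
    """Share of suspect C2 domains whose registrable domain is absent from a
    popularity list (the report's Alexa cross-check), plus those domains."""
    top = {registrable(d) for d in top_domains}
    outside = [d for d in suspect_domains if registrable(d) not in top]
    return len(outside) / len(suspect_domains), outside


# Constructed data: an approved-sites list and five resolver queries, two of
# them from a host whose implant is trying to reach its operator.
APPROVED_SITES = ["examplecorp.com", "google.com", "microsoft.com", "twitter.com"]
SAMPLE_QUERIES = [
    ("10.1.2.3", "www.examplecorp.com"),
    ("10.1.2.3", "mail.google.com"),
    ("10.1.2.7", "update.cdn-telemetry.example"),  # beacon to an unknown domain
    ("10.1.2.7", "evil-examplecorp.com"),           # lookalike, not a subdomain
    ("10.1.2.9", "static.twitter.com"),             # allowed, hence usable as C2
]
SUSPECT_C2 = ["update.cdn-telemetry.example", "evil-examplecorp.com", "files.google.com"]
TOP_DOMAINS = ["google.com", "facebook.com", "twitter.com", "examplecorp.com"]

if __name__ == "__main__":
    policy = DnsAllowlist(APPROVED_SITES)
    for src, q, verdict in apply_policy(policy, SAMPLE_QUERIES):
        print(f"{src:<10} {q:<32} {verdict}")
    share, names = outside_top_list(SUSPECT_C2, TOP_DOMAINS)
    print(f"{share:.1%} of suspect C2 domains are outside the top list: {names}")
```

Two things worth noting from the output: the refused-name counter is exactly the material a security team wants forwarded, since a workstation repeatedly asking for a name nobody approved is the beacon the text describes; and the query for static.twitter.com is allowed, which is the caveat the text raises about CC channels hosted on approved sites.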





Case Studies

Bots ........................ 15
ZeroAccess .................. 17
Zeus ........................ 21
Exploits .................... 25
Web ......................... 28
Multi-platform attacks ...... 32
Mobile ...................... 35
Bots: the world of bots in 2012

In the last few years, various parties have made concerted efforts to take down or hamstring the operation of botnets,
which were costing millions of users control of their machines, their data and/or their money. In 2012, however, we saw
the resurrection of many of these botnets, often in a more aggressive form and with new malicious products, updated
'packaging' or marketing and distribution strategies, and more efficient money-making mechanisms.



ZeroAccess

Of all the botnets we saw this year, definitely the fastest growing one was ZeroAccess, which racked up millions of
infections globally in 2012, with up to 140,000 unique IPs in the US and Europe, as seen on the infection map [1].

The actual malware that turns a user's computer into a bot is typically served by malicious sites which the user is
tricked into visiting. The malicious site contains an exploit kit, usually Blackhole, which targets vulnerabilities on
the user's machine while they're visiting the site. Once the machine is compromised, the kit drops the malware, which
then turns the computer into a ZeroAccess bot.

The bot then retrieves a new list of advertisements from ZeroAccess's command and control (CC) server every day. The
ZeroAccess botnet reportedly clicks 140 million ads a day. As this is essentially click fraud, it has been estimated
that the botnet is costing legitimate online advertisers up to USD 900,000 a day in lost revenue. Click fraud has been
on the rise, as online advertisement vendors realistically have no reliable way to differentiate between a legitimate
click and a fraudulent one.

Another revenue source for ZeroAccess is its ability to mine for Bitcoin, a virtual currency that is managed in a
peer-to-peer (P2P) infrastructure. Bitcoin miners harness the computational power of the bots to perform complex
calculations to find the next block that verifies Bitcoin transactions; under the rules agreed within the peer-to-peer
network, finding a block is rewarded with new bitcoins, which can be converted to cash. More than half of the botnet is
dedicated to mining Bitcoin for profit. Further details of ZeroAccess's profit-generating activities can be found in
the case study on page 17.

Figure 1: Google Earth map of ZeroAccess infections in the US [1]. Red markers indicate an infected unique IP address
or cluster of IP addresses.

Zeus

Moving on, Zeus (and its rival cum partner, SpyEye) are perhaps still the most talked about banking trojans in 2012.
Zeus has been referred to as "the God of Do-it-Yourself botnets". Despite various takedown efforts, as of the end of
December 2012 the ZeuS Tracker project had seen almost 900 ZeuS CC servers around the world. This number may not be
truly reflective of the botnet's size, as the latest version of Zeus includes a peer-to-peer protocol that maintains
communication within the botnet itself, allowing a bot to fetch configuration files and updates from other infected
hosts in the botnet. This feature was dubbed "Gameover" and removes the need for a centralized CC infrastructure,
making it harder for security researchers to track the botnet.

Apart from the introduction of the Gameover feature, the main change with Zeus has been tweaks done to make the malware
more user-friendly, in effect making it an attractive resource even for wannabe attackers with low technical
capabilities. With its fancy control and administration panel, well documented manual and a builder, Zeus allows both
amateur and expert attackers to craft, design and build executables to infect victim computers in a very short amount
of time.

Citadel, the third derivative of Zeus, sets itself apart by enabling a more rapid deployment of new features and
customization through an enhanced user interface, again with the aim of helping novice hackers get in the game of
deploying their crimeware. This "dynamic config" functionality allows botmasters to create web injections on the fly, a
vital ability in today's online crime landscape as bots are also taken down quickly. The most important feature for
Citadel, however, is the availability of a "Customer Relationship Management" system through the use of a social
network platform to support reporting and fixing bugs. This kit is definitely professional grade, and we expect to see
a continuous rise in infections by Citadel in the near future.

Carberp

Following the success of Zeus and SpyEye, Carberp is most notable for making a comeback with a tweaked product and
'marketing' approach. First appearing in 2011 as a regular data-stealing banking malware, Carberp's spread was
temporarily hampered by a takedown effort from Russian agencies in early 2012. Unfortunately, in December this botnet
was discovered to have resurrected with a new ability to infect a computer's boot record, a component that launches
even before the main operating system (OS) starts, making any malware in the boot record harder to detect and remove.

Carberp's authors or operators also changed the way the malware was distributed in order to attract more usage from
other malware distributors. Carberp was previously only available as a standalone malware through private underground
marketplaces. Since its resurrection, Carberp has pursued a new "malware-as-a-service" model that allows users to lease
use of the botnet itself for prices ranging from USD 2,000 up to USD 10,000 a month. In addition, the buyer is offered
a choice of botnet configurations. The priciest format includes the bootkit functionality, which has boosted its market
price to about USD 40,000. Though the prices may seem steep, this rental scheme appears to be particularly attractive
to less tech-savvy users who simply want a means to an end, that is, to install more trojans on more victim machines.

Carberp has also spread to the mobile platform in the form of man-in-the-mobile attacks. For a Carberp-in-the-mobile
(CitMo) attack to work, the user must have both a mobile app and a computer infected with the desktop version of the
Carberp malware. Once the mobile app is installed, it is able to intercept SMS messages containing mTANs (mobile
Transaction Authorization Numbers), which are sent by banks as an authentication measure used to validate online
transactions performed by the user. The intercepted mTAN is then forwarded to a remote server, from which it is later
retrieved and used by the Carberp trojan installed on the same user's computer in order to gain access to the user's
banking account.

The Carberp-infected mobile app is distributed on the Android platform, with most of the targeted users being customers
of European and Russian banks. As online banking continues to rise in many countries, making such online transactions
attractive targets for cybercriminals, banking-related botnets such as Carberp are expected to continue growing in
2013.

DorkBot

Then there is DorkBot, which was discovered spreading through Skype in October 2012. The malware steals user accounts
and passwords for Facebook, Twitter, Netflix and various Instant Messaging (IM) channels. From an infected social
networking account, DorkBot sent out images to the user's contacts list asking the contacts if the attached image was
their profile pic. Falling for this cliched social engineering tactic resulted in an executable installing a backdoor
and the DorkBot worm on the user's machine, which was then enrolled in a botnet.

Unlike the previously mentioned botnets, DorkBot makes its profit through ransom, literally by locking down the
victim's computer, allegedly for the presence of 'illegal content' such as pornography or pirated music. It then
demands a 'fine' of $200 to be paid within 48 hours, failing which the victims would be 'reported to a government
enforcement agency' for further prosecution. DorkBot is also capable of making more money out of its infected hosts by
using their combined power to perpetrate click fraud, which incidentally creates an attractive revenue source for the
authors.

Mobile botnets

And finally, though it is still at an embryonic stage in comparison, we are also seeing botnets operating on the mobile
platform, specifically Android. These mobile botnets do exactly what botnets did when they first appeared on computers,
that is, generate spam.

The SpamSoldier malware sends SMS messages to a hundred Android devices (in the US) at a time. The sender has no idea
of this activity, as the sent SMS messages are deleted immediately once sent, making the sky-high phone bills that
result an unpleasant surprise. These spam messages may also contain social engineering content, including links that
lead to other malware, therefore compounding the malicious effect of these spambots.




SOURCE
[1] F-Secure Weblog; Sean Sullivan; The United States of ZeroAccess; published 20 Sept. 2012;
http://www.f-secure.com/weblog/archives/00002430.html


ZeroAccess: the most profitable botnet malware in the wild

ZeroAccess is one of today's most notable botnets. It was first discovered by researchers back in 2010, when it drew a
lot of attention for its capability of terminating all processes related to security tools, including those belonging
to anti-virus products. When too many researchers focused on this self-protection capability, however, ZeroAccess's
author decided to drop the feature and focus more on improving its custom peer-to-peer (P2P) network protocol, which is
unique to ZeroAccess. After the change[1], ZeroAccess became easier to spot by anti-virus products, yet it continued to
spread like wildfire around the world due to the improved P2P technique[2]. This success can be largely attributed to
its affiliate program.



Affiliate program: ZeroAccess success story

Affiliate programs are a well-known marketing strategy and are widely used by many e-commerce websites[3]. Essentially,
a business owner with an e-commerce site to promote commissions other site owners to help drive customers to it (and
hopefully eventually make a purchase). The website owners are then compensated for providing these customer leads.

Figure 1: A botnet operator seeking partners in an underground forum

Adopting this concept, ZeroAccess's author or operator(s) has managed to distribute the program to a large number of
machines with the help of its enlisted partners.

The ZeroAccess gang advertises the malware installer in Russian underground forums, actively looking for distributor
partners. Their objective is to seek other cybercriminals who are more capable of distributing the malware and can do
so more efficiently.

The malware distributors generally consist of experienced affiliates, each of them employing their own methods of
distributing the ZeroAccess installers, in order to fulfill the recruiter's requirements.

The most popular distribution methods we've seen involve exploit kits, spam e-mails, trojan-downloaders, and seeding
fake media files on P2P file-sharing services and on video sites, though the specific details in each case depend on
the distributor handling the operations.

The variety of distribution schemes and methods used by the numerous affiliates has contributed to the volume of
trojan-dropper variants detected by antivirus products every day, all driven by the same motive, which is to collect an
attractive revenue share from the gang.

Methods used by ZeroAccess distributors

  Distribution method                Description
  Downloader trojan                  Dropping a downloader trojan onto a machine, which proceeds to download and
                                     install the botnet
  Exploit kit                        Using an exploit kit (e.g., Blackhole) in a drive-by-download attack
  Fake media file, keygen or crack   Hosting infected files on P2P file sharing services under enticing names, such as
                                     'microsoft.office.2010.vl.editi.keygen.exe'
  P2P file sharing service           Abusing a P2P file sharing website to host the ZeroAccess installer
  Spam email                         Sending spam emails containing an attachment or a link that could enable further
                                     exploitation




ZeroAccess botnet affiliate program structure

[Figure: the ZeroAccess botnet operator recruits Distributor A, B, C ... n through an underground forum; the
distributors reach victims via exploit kits, spam emails, downloader trojans and the P2P network; the victims earn the
operator $$$ through click fraud and Bitcoin mining]
The partners are compensated based on a Pay-Per-Install (PPI) service scheme[4] and the rate differs depending on the
geographical location of the machine on which the malware was successfully installed. A successful installation in the
United States will net the highest payout, with the gang willing to pay USD 500 per 1,000 installations in that
location.

Figure 2: Proof of payments made by recruiter

Given the rate of pay, it is no surprise that ZeroAccess is widespread in the US alone[5]. After the US, the commission
rates sorted from highest to lowest are Australia, Canada, Great Britain, and others. Some distributors even post
screenshots of the payment they've received in underground forums to show the reliability of their recruiter.

The ZeroAccess gang can afford to pay such high incentives to its recruits because the army of bots created by the
affiliates' efforts is able to generate even more revenue in return.

Once the malware is successfully installed on the victim machines, ZeroAccess will begin downloading and installing
additional malware onto the machines, which will generate profit for the botnet operators through click fraud and
Bitcoin mining operations.

Botnet operators prefer the click fraud payload because, since 2006 [6], it has been a proven way to generate income
from pay-per-click (PPC) or cost-per-click advertising.




Bitcoin mining has too many constraints. For instance, the success of generating a bitcoin depends on the difficulty
level of the target specified in the Bitcoin network and might even require some luck[7]. Furthermore, the victim's
machine needs decent CPU power, preferably with GPU or FPGA hardware, to mine in a reasonable amount of time[8]. Even
with a large number of bots, the difficulty of solving Bitcoin blocks hinders the Bitcoin mining operation from
performing as well as click fraud, which only requires the victims to have an internet connection and a web browser.

Despite the difficulties in Bitcoin mining, the fact that the ZeroAccess botnet was modified to drop its problematic
self-protection feature and introduce Bitcoin mining operations indicates that ZeroAccess's operators are very
ambitious to keep the botnet growing and are not afraid of taking risks.

ZeroAccess infections, top countries, by percentage (%): US 35%, Japan 8%, India 6%, Canada 5%, Romania 5%, Italy 5%,
Others 38%
*Based on statistics gathered from national ASN-registered networks.

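What "the difficulty level of the target" means in practice, as an added example (this is not F-Secure's code and not ZeroAccess's miner): the compact 4-byte 'bits' field from a block header is expanded into the 256-bit target, the difficulty and expected hash count are derived from it, and a brute-force nonce search is run over a constructed toy header. The toy target (0x1F00FFFF) is many orders of magnitude easier than the real network's, so the search finishes in a fraction of a second on one CPU; the expected_hashes() figure for the real difficulty-1 target shows why an unaided CPU bot is a poor miner. The header fields are constructed sample values, not from any real chain.

```python
# Added example, not F-Secure's or ZeroAccess's code: Bitcoin compact target
# decoding, difficulty, expected work, and a brute-force nonce search over a
# constructed toy header. Header inputs below are made up for the example.
import hashlib
import struct


def decode_compact_target(bits: int) -> int:
    """Expand the 4-byte compact 'bits' field into the 256-bit target.
    Layout 0xEEMMMMMM: EE is the byte length of the target, MMMMMM its top
    three bytes. Bit 23 of the mantissa is a sign bit and never valid here."""
    exponent = bits >> 24
    mantissa = bits & 0x007FFFFF
    if bits & 0x00800000:
        raise ValueError("negative target is not a valid mining target")
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


# Difficulty-1 target, the one Bitcoin's genesis block was mined against.
MAX_TARGET = decode_compact_target(0x1D00FFFF)


def difficulty(bits: int) -> float:
    """How many times harder than difficulty 1 a block at these bits is."""
    return MAX_TARGET / decode_compact_target(bits)


def expected_hashes(bits: int) -> float:
    """Mean number of header hashes a miner needs to find one block."""
    return 2 ** 256 / (decode_compact_target(bits) + 1)


def block_header(version, prev_hash, merkle_root, timestamp, bits, nonce) -> bytes:
    """80-byte header in Bitcoin's wire layout. The two 32-byte hashes are
    expected already in internal (little-endian) byte order."""
    return (struct.pack("<I", version) + prev_hash + merkle_root
            + struct.pack("<III", timestamp, bits, nonce))


def header_hash(header: bytes) -> int:
    """Double SHA-256, read as a little-endian 256-bit integer, which is how
    Bitcoin compares it against the target."""
    digest = hashlib.sha256(hashlib.sha256(header).digest()).digest()
    return int.from_bytes(digest, "little")


def mine(version, prev_hash, merkle_root, timestamp, bits, max_nonce=2 ** 32):
    """Try nonces until the header hash is at or below the target.
    Returns (nonce, hash), or None if the nonce space is exhausted."""
    target = decode_compact_target(bits)
    for nonce in range(max_nonce):
        h = header_hash(block_header(version, prev_hash, merkle_root, timestamp, bits, nonce))
        if h <= target:
            return nonce, h
    return None


# Constructed inputs for a toy block, not from any real chain.
TOY_PREV_HASH = bytes(32)
TOY_MERKLE_ROOT = hashlib.sha256(b"constructed sample transactions").digest()
TOY_TIMESTAMP = 1356998400  # 2013-01-01T00:00:00Z
TOY_BITS = 0x1F00FFFF       # about 65,536 hashes on average: tractable on one CPU

if __name__ == "__main__":
    print("difficulty of 0x1B0404CB: %.2f" % difficulty(0x1B0404CB))
    print("expected hashes at real difficulty 1: %.3e" % expected_hashes(0x1D00FFFF))
    print("expected hashes at toy difficulty:    %.3e" % expected_hashes(TOY_BITS))
    nonce, h = mine(2, TOY_PREV_HASH, TOY_MERKLE_ROOT, TOY_TIMESTAMP, TOY_BITS)
    print("toy block found at nonce %d, hash %064x" % (nonce, h))
```

The ratio between the two expected_hashes() values is the "difficulty factor" the text refers to: the real network's difficulty-1 target already demands about 4.3 billion hashes per block, and actual difficulty in 2012 was far above 1, so each bot contributes a vanishingly small chance of a reward while click fraud pays out on every infected browser.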



Conclusion

Given ZeroAccess's current success as a huge, fully functional profit-generating 'machine', it's unlikely that we'll
see it going away anytime soon. The ZeroAccess malware, which poses the most direct threat to the users, will continue
to exist as a hidden danger on malicious or boobytrapped websites. The affiliate program that encourages the spread of
malware will continue to attract more cybercriminals due to the botnet operators' established reputation for reliably
paying its affiliates and adjusting commission rates to maintain their attractiveness. And finally, the criminal
organizations behind the botnet have demonstrated that they're willing to experiment and modify their 'product' in
order to increase their ability to make money. As such, we expect the ZeroAccess botnet to grow and evolve, with new
features or feature updates being introduced in the near future.

ZeroAccess's profit-generating activities, by percentage (%): click fraud 83%, Bitcoin mining 17%




Sources
[1] F-Secure Weblog; Threat Research; ZeroAccess’s Way of Self-Deletion; published 13 June 2012;
http://www.f-secure.com/weblog/archives/00002385.html
[2] F-Secure Weblog; Sean Sullivan; ZeroAccess: We’re Gonna Need a Bigger Planet; published 17 September 2012;
http://www.f-secure.com/weblog/archives/00002428.html
[3] Wikipedia; Affiliate Marketing;
http://en.wikipedia.org/wiki/Affiliate_marketing
[4] Wikipedia; Compensation Methods;
http://en.wikipedia.org/wiki/Compensation_methods#Pay-per-install_.28PPI.29
[5] F-Secure Weblog; Sean Sullivan; The United States of ZeroAccess, published 20 September 2012;
http://www.f-secure.com/weblog/archives/00002430.html
[6] MSNBC; Associated Press; Google settles advertising suit for $90 million; published 8 March 2006;
http://www.msnbc.msn.com/id/11734026/#.ULiDyN2sHvA
[7] Bitcoin Wiki; Target;
http://en.bitcoin.it/wiki/Target
[8] Wikipedia; Bitcoin;
http://en.wikipedia.org/wiki/Bitcoin


ZeroAccess infections in the USA, Japan, and Europe*

[Figure: infection maps of the USA, Europe and Japan]

*Red markers indicate an infected unique IP address or cluster of IP addresses.


Zeus: robbing banks in modern times

Zeus makes up a significant portion of banking trojans; it compromises millions of computers around the world and
causes millions of dollars in losses to its victims. In a typical operation, Zeus modifies a targeted webpage to
collect valuable information, for example by adding a part that requests potential victims to enter additional login
details or personal information when they visit the webpage. The information is later used to access the victims'
online accounts and to perform unauthorized transactions.


P2P Zeus geography
Of all derivatives and variants, the peer-to-peer (P2P) version                  Web-Injection Targets by country
is particularly special because it is private and forms only one
large botnet. Other derivatives usually consist of numerous
yet smaller botnets, each run by someone who has purchased
                                                                                    88
a version of Zeus. From late August to mid-November 2012,
we monitored the P2P bots and tracked the websites that
they had targeted to compromise with web injections. The
targeted sites were defined by a configuration data that the
                                                                                                                                                      47
bots received from other infected machines, and is stored in
encrypted form to the Windows registry.
[Chart: number of targeted websites by country: USA (88), Canada (23), then Italy, Poland, Saudi Arabia, UAE, Germany and the rest of the world]

The configuration data revealed that a total of 644 unique URLs were targeted for web-injections during the monitoring period, with a special focus on sites based in North America. Not all of these URLs included a domain name: sometimes only the path is used to identify a targeted website, and many domains were reached by several different URLs using different paths. After excluding URLs with missing domain names and duplicate domains, 243 unique domains were left. In summary, the targeted websites can be categorized into the following types:

•	Personal online banking
•	Corporate online banking (mainly for North American small businesses)
•	Investment and online trading sites
•	Credit card services
•	Extremely popular global websites (e.g. Amazon, eBay, Facebook, etc.)

When it comes to the number of machines infected with P2P Zeus, the US leads the pack, followed by Italy. This number was based on 5395 random samples analyzed between July and November. After the US and Italy, no other country in the subsequent positions really stands out from the pack, as the difference in the number of infections varies only slightly.
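Returning to the web-inject target list above: the reduction from 644 URL masks to 243 unique domains is mechanical once the masks are parsed, but the two pitfalls the report names (path-only masks with no domain at all, and several masks pointing at one domain) have to be handled explicitly or the count is wrong. The block below is an added example written for this edit, not F-Secure's tooling and not code from any bot. It assumes the webinjects.txt layout known from the leaked Zeus 2 source (set_url <mask> <flags> entries, with data_before/data_inject/data_after ... data_end payload blocks; ';' comment lines are an assumption) and runs over a constructed configuration.

```python
"""Reduce a Zeus-style webinjects target list to unique domains.

Added example for this report, not F-Secure's tooling. It assumes the
public webinjects.txt keywords from the leaked Zeus 2 source
(set_url <mask> <flags>, data_before/data_inject/data_after ... data_end);
';' comment lines are an assumption. SAMPLE_CONFIG is constructed, not a
real bot configuration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class InjectTarget:
    mask: str            # URL mask exactly as written after set_url
    flags: str           # request-type flags (e.g. GP) as written
    host: Optional[str]  # normalised host, or None for a path-only mask


def normalise_host(mask: str) -> Optional[str]:
    """Return the host part of a URL mask, normalised for de-duplication.

    Masks such as '*/ebanking/login.aspx*' carry no domain (the bot matches
    on path only) and yield None. Leading '*.' wildcard labels and 'www.'
    are stripped so that '*.bank.example' and 'www.bank.example' collapse
    onto the same domain.
    """
    rest = mask.split("://", 1)[1] if "://" in mask else mask
    host = rest.split("/", 1)[0].split(":", 1)[0].lower()  # drop path, port
    while host.startswith("*."):
        host = host[2:]
    if host.startswith("www."):
        host = host[4:]
    host = host.strip("*")
    return host or None


def parse_set_urls(config_text: str) -> List[InjectTarget]:
    """Collect every set_url entry, skipping data_* ... data_end blocks so
    that HTML/JS payload lines are never mistaken for directives."""
    targets: List[InjectTarget] = []
    in_block = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if in_block:
            in_block = line != "data_end"   # leave the block on data_end
            continue
        if line in ("data_before", "data_inject", "data_after"):
            in_block = True
            continue
        if line.startswith("set_url"):
            parts = line.split()
            mask = parts[1] if len(parts) > 1 else ""
            flags = " ".join(parts[2:])
            targets.append(InjectTarget(mask, flags, normalise_host(mask)))
    return targets


def unique_domains(targets: List[InjectTarget]) -> List[str]:
    """The report's reduction: drop masks without a domain, de-duplicate."""
    return sorted({t.host for t in targets if t.host})


# Constructed sample configuration (not taken from any real bot).
SAMPLE_CONFIG = """
; web-inject targets, constructed for illustration
set_url https://www.bank-a.example/* GP
data_before
<input type="password"*
data_end
data_inject
<label>ATM PIN</label><input name="atmpin">
data_end
data_after
data_end
set_url https://*.bank-a.example/online/* GP
set_url http://bank-b.example/login* P
set_url */ebanking/login.aspx* GP
set_url https://trading.example.ca/* G
set_url bank-b.example/transfer* GP
"""

if __name__ == "__main__":
    found = parse_set_urls(SAMPLE_CONFIG)
    print(len(found), "set_url entries,",
          sum(t.host is None for t in found), "path-only")
    print(unique_domains(found))
```

On the constructed input the six masks reduce to three domains, with one path-only mask discarded; the same two rules are what take the report's 644 URLs down to 243 domains. Note that a path-only mask still injects into every site whose path matches, so discarding it from the domain count does not mean it is harmless.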

Geographically, North America is the primary focal point of the P2P Zeus botnet, which targeted 88 US-based and 23 Canadian-based websites. Several European countries were also hot targets for web-injection. In the configuration data, entries involving Italian websites were actively added, removed or changed; throughout the changes, Italy remained one of the favourite targeted countries. Poland started to creep into one of the top spots when 15 Polish sites were added to the targeted list in September and October, when there had been none listed in August. A real surprise from the findings is the number of targeted Middle Eastern banks as compared to the number of infections in the same area.

Top-10 countries with the most P2P Zeus infections

country        unique IPs    % of all IPs
USA            1809          33.53%
Italy           439           8.14%
Germany         205           3.80%
Georgia         203           3.76%
Mexico          179           3.32%
Canada          168           3.11%
India           167           3.10%
Brazil          143           2.65%
Romania         133           2.47%
Taiwan          110           2.04%

Every month, the US and Italy were consistently positioned at the top in terms of infection numbers. When Polish sites started to become targets, the number of infections in Poland more than doubled, but this number only accounted for two percent of the total even at its highest point in November.

[Chart: percentages (%) of infected IPs per month, July to November, for USA, Italy, Georgia, Germany, Canada, India, Mexico, Taiwan and Poland]

Earlier this year, Dell SecureWorks Counter Threat Unit[3] was able to connect to approximately 100,000 P2P Zeus bots. Using this number as a minimum botnet size, we can say that the most affected Internet Service Providers (ISPs) could have several thousand P2P Zeus infections on their customers' machines.

New backdoor commands in Zeus derivatives

Zeus capability is not limited to serving as a banking trojan. Since its first release, it has always contained some backdoor features that are controlled by simple scripts issued by the botnet owner. These scripts are delivered to infected machines through command and control (C&C) servers.

Different derivatives (i.e. Citadel, Ice IX and P2P) that popped up after the original Zeus 2 source code was leaked online have received drastically different commands since then. These commands provide a good indication of the development pace of each derivative. Citadel leads with 20 new commands, while Ice IX received only one, making it the closest version to the leaked version 2.0.8.9. For Citadel and Ice IX, the earliest date listed in each respective table is also the date when we ran into the first sample of the derivative. For the P2P variant, however, we received the first sample on 3rd September 2011 but only saw the first changes to the backdoor commands six months later.

The tables below list all new commands that are callable. Some of these may not implement any action, and we did not track possible changes in the behavior of each command. Please note that the dates used in the tables are based on when we first received a sample with that particular command rather than when the Zeus author rolled out the change.

Callable commands in the Zeus botnet

P2P variant
Commands                    First seen
fs_find_by_keywords **      2012-03-30
fs_find_add_keywords        2012-04-09
fs_find_execute             2012-04-09
fs_pack_path                2012-05-24
ddos_address                2012-05-24
ddos_execute                2012-05-24
ddos_type                   2012-05-24
ddos_url                    2012-05-24

** fs_find_by_keywords was a short-lived command in the P2P variant; it was last seen in a sample received on 3rd April 2012.

Citadel
Commands                    First seen
dns_filter_add              2011-12-10
dns_filter_remove           2011-12-10
url_open                    2012-02-12
module_download_disable     2012-05-07
module_download_enable      2012-05-07
module_execute_disable      2012-05-07
module_execute_enable       2012-05-07
info_get_antivirus          2012-05-07
info_get_firewall           2012-05-07
info_get_software           2012-05-07
ddos_start                  2012-07-03
Citadel (continued)
Commands                    First seen
ddos_stop                   2012-07-03
close_browsers              2012-09-11
webinjects_update           2012-09-11
download_file               2012-09-11
search_file                 2012-09-11
tokenspy_update             2012-09-11
upload_file                 2012-09-11
tokenspy_disable            2012-10-06
bot_transfer                2012-10-06

Ice IX
Commands                    First seen
bot_update_exe              2011-11-03

Besides being used as a banking trojan, some Zeus botnets may now also be used to perform distributed denial of service (DDoS) attacks on targeted websites, where interested parties can rent a botnet from the controller for a fee. As can be seen from the new backdoor commands, both the Citadel and the P2P versions received DDoS features during the summer, but the reason behind the P2P feature update may be different. According to Dell SecureWorks Counter Threat Unit[3], the crew running the P2P variant used DDoS attacks to prevent victims of the banking trojan from accessing their online banking accounts until the fraudulent transactions had been completed. Thus the reason for the DDoS feature update may have been to stop renting the third-party botnet the gang had been using to conduct attacks between November 2011 and summer 2012.

Zeus 2 Timeline of Notable Events

01.04.2010   Birth of Zeus 2.0.0.0
xx.10.2010   SpyEye author received Zeus source code[1]
xx.04.2011   Earliest known date of Ice IX debut[2]
xx.05.2011   Zeus 2.0.8.9 source code leaked online
xx.08.2011   First public sale of Ice IX on the internet
03.09.2011   Earliest P2P Zeus variant identified by FS Labs
05.09.2011   First P2P Zeus backup domain registered
03.11.2011   Earliest Ice IX sample identified by FS Labs
xx.11.2011   P2P gang started incorporating DDoS attacks in their operations[3]
xx.12.2011   First date of Citadel identification[4]
10.12.2011   Earliest Citadel sample seen by FS Labs
30.03.2012   First change made to P2P Zeus backdoor commands
07.05.2012   Citadel received backdoor commands to control additional modules
14.05.2012   A custom Zeus 2 variant that includes ransomware features found
24.05.2012   DDoS feature added to P2P Zeus
03.07.2012   DDoS feature added to Citadel
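One practical use of the command tables above is triage: if an unpacked sample or a memory dump of a Zeus 2 derivative exposes its backdoor command names as plain strings, the set of names present identifies the branch (the three tables share no names) and, since a build cannot predate the first sample that carried its newest command, bounds how old it can be. The block below is an added example, not F-Secure code: the command names and first-seen dates are copied from the tables above, the assumption that the names are visible as ASCII or UTF-16LE strings is the analyst's (a packed sample will simply not match), and the two blobs at the end are constructed stand-ins for real samples.

```python
"""Attribute an unpacked Zeus 2 derivative from its backdoor command names.

Added example for this report, not F-Secure code. The command names and
first-seen dates are the ones tabulated in the report. Assumption: the
sample has been unpacked (or dumped from memory) so that the names are
present as plain ASCII or UTF-16LE strings. P2P_BLOB and CITADEL_BLOB
are constructed, not real samples.
"""
import re
from typing import Dict, Optional

# family -> {command: date F-Secure first received a sample carrying it}
COMMANDS: Dict[str, Dict[str, str]] = {
    "P2P": {
        "fs_find_by_keywords": "2012-03-30",
        "fs_find_add_keywords": "2012-04-09",
        "fs_find_execute": "2012-04-09",
        "fs_pack_path": "2012-05-24",
        "ddos_address": "2012-05-24",
        "ddos_execute": "2012-05-24",
        "ddos_type": "2012-05-24",
        "ddos_url": "2012-05-24",
    },
    "Citadel": {
        "dns_filter_add": "2011-12-10",
        "dns_filter_remove": "2011-12-10",
        "url_open": "2012-02-12",
        "module_download_disable": "2012-05-07",
        "module_download_enable": "2012-05-07",
        "module_execute_disable": "2012-05-07",
        "module_execute_enable": "2012-05-07",
        "info_get_antivirus": "2012-05-07",
        "info_get_firewall": "2012-05-07",
        "info_get_software": "2012-05-07",
        "ddos_start": "2012-07-03",
        "ddos_stop": "2012-07-03",
        "close_browsers": "2012-09-11",
        "webinjects_update": "2012-09-11",
        "download_file": "2012-09-11",
        "search_file": "2012-09-11",
        "tokenspy_update": "2012-09-11",
        "upload_file": "2012-09-11",
        "tokenspy_disable": "2012-10-06",
        "bot_transfer": "2012-10-06",
    },
    "Ice IX": {
        "bot_update_exe": "2011-11-03",
    },
}


def has_string(blob: bytes, name: str) -> bool:
    """True if the command name occurs as a whole word, ASCII or UTF-16LE.

    The word-boundary lookarounds stop 'ddos_url' from matching inside an
    unrelated longer identifier.
    """
    ascii_pat = (rb"(?<![0-9A-Za-z_])" + re.escape(name.encode())
                 + rb"(?![0-9A-Za-z_])")
    if re.search(ascii_pat, blob):
        return True
    return name.encode("utf-16-le") in blob


def fingerprint(blob: bytes) -> Optional[dict]:
    """Pick the family with the most command hits and bound its build date."""
    hits = {fam: sorted(c for c in cmds if has_string(blob, c))
            for fam, cmds in COMMANDS.items()}
    family = max(hits, key=lambda f: len(hits[f]))
    if not hits[family]:
        return None                      # no known command name at all
    found = hits[family]
    # The newest command present gives a lower bound on the build date:
    # the sample cannot be older than the first sample that carried it.
    not_before = max(COMMANDS[family][c] for c in found)
    return {
        "family": family,
        "commands": found,
        "not_before": not_before,
        "ddos_capable": any(c.startswith("ddos_") for c in found),
    }


# Constructed blobs standing in for unpacked samples (not real malware).
P2P_BLOB = (b"MZ\x90\x00\x03\x00filler\x00fs_pack_path\x00ddos_address\x00"
            b"ddos_execute\x00ddos_type\x00ddos_url\x00more filler\x00")
CITADEL_BLOB = (b"\x00url_open\x00" + "dns_filter_add".encode("utf-16-le")
                + b"\x00\x00" + "info_get_antivirus".encode("utf-16-le")
                + b"\x00\x00")

if __name__ == "__main__":
    for label, blob in (("p2p", P2P_BLOB), ("citadel", CITADEL_BLOB)):
        print(label, fingerprint(blob))
```

The date is only a floor: a Citadel build that carries dns_filter_add but none of the May 2012 module commands may still be newer than 2012-05-07 if it was simply built without them, and the report itself warns that its dates are sample-receipt dates rather than release dates. Treat the result as a triage hint to be confirmed by configuration decryption, not as attribution on its own.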



SOURCES

[1] KrebsonSecurity; Brian Krebs; SpyEye v. ZeuS Rivalry Ends in Quiet Merger; published 24 Oct 2010; http://krebsonsecurity.com/2010/10/spyeye-v-zeus-rivalry-ends-in-quiet-merger/
[2] RSA FraudAction Research Labs; New Trojan Ice IX Written Over Zeus' Ruins; published 24 Aug 2011; http://blogs.rsa.com/rsafarl/new-trojan-ice-ix-written-over-zeus-ruins/
[3] Dell SecureWorks; Brett Stone-Gross; The Lifecycle of Peer-to-Peer (Gameover) ZeuS; published 23 Jul 2012; http://www.secureworks.com/cyber-threat-intelligence/threats/The_Lifecycle_of_Peer_to_Peer_Gameover_ZeuS/
[4] Seculert Blog; Citadel - An Open-Source Malware Project; published 8 Feb 2012; http://blog.seculert.com/2012/02/citadel-open-source-malware-project.html

The complete infographic can be viewed at http://bit.ly/How2RobBanks
Exploits

In 2012, we saw the exploitation of known vulnerabilities in a popular program or the operating system become one of the most popular, if not the most popular, techniques used by malware distributors, hackers and attackers to gain access to or control of a user's machine.

From the normal user's perspective, the most likely scenario in which they will encounter an attempted exploit of a vulnerability on their machine is visiting a malicious or compromised website. Though some attacks continue to use tried-and-true social engineering tactics, which require an element of deception and are relatively easy for an alert user to spot ("Click this link for free stuff!" or "Download this codec to view this tantalizing video!"), in more sophisticated attacks users are unlikely to see any overt sign that an attack has taken place at all; instead, their machine is quickly and silently compromised during the short period it was exposed to the malicious or compromised website.

In some cases, the attack is tailored specifically to target a particular set of users. Targeted user groups are typically either the users of specific banks (making the attack a case of monetary theft) or users employed by a specific company or in a specific field (essentially corporate or political espionage; see the Corporate Espionage case study on page 12). These targeted attacks are hardly new; we have seen cases of spear phishing come and go over the years. The main change we have seen in the last few years is that rather than depending on the user to download an infected attachment or enter sensitive data into a malicious page masquerading as a legitimate portal, the attacks now make use of exploits and/or exploit kits to directly compromise the user's machine, without needing any further action from the user beyond loading the page.

In 2012, we saw a wide range of exploits being used to target known vulnerabilities, but surprisingly, statistics from F-Secure's cloud lookup systems indicate that in most countries the majority of exploits detected were related to only four vulnerabilities, all reported within the last two years and designated with official Common Vulnerabilities and Exposures (CVE) identifiers. The preference for targeting these four vulnerabilities may be related to the fact that some of the most popular exploit kits of today, particularly BlackHole and Cool Exploit, have incorporated exploits for these vulnerabilities into their capabilities. Ironically, most of these vulnerabilities have already had security updates or patches released by the relevant software vendors. Two other Java-specific vulnerabilities, though nowhere near as frequently targeted as the first four, also saw enough attacks to be worth noting.

Top Targeted Vulnerabilities in 2012

These then are the most commonly targeted CVE vulnerabilities of 2012:

CVE-2011-3402
A vulnerability in the TrueType font parsing engine used in the kernel drivers of various Microsoft Windows operating system versions (including XP, Windows Vista and Windows 7) allows remote attackers to run arbitrary code on a user's machine. The attack uses a Word document or web page containing specially crafted malicious font data. More information on this vulnerability can be found on the infographic on page 27.

CVE-2010-0188
A vulnerability in Adobe Reader and various versions of Adobe Acrobat allows attackers to use a specially crafted PDF document to force the application to crash, causing a denial of service. According to reports, the attack document is also able to drop a malicious file onto the compromised system, which then connects to a remote site for further instructions.

CVE-2012-4681
Vulnerabilities in the Java Runtime Environment (JRE) running in web browsers allow attackers to use a specially crafted applet to run arbitrary code on the compromised machine. Users are most commonly exposed to the malicious applet when they are directed (either through social engineering or poisoned search results) to a malicious webpage hosting the attack applet.

CVE-2012-5076
A vulnerability in the JRE component of Oracle Java SE 7 Update 7 and earlier allows attackers to use a specially crafted applet to run arbitrary code on the compromised machine, usually to download additional malicious files onto it.

CVE-2012-0507
A vulnerability in the AtomicReferenceArray class of various versions of Oracle Java allows attackers to essentially breach the 'sandbox', the contained environment of the Java installation, permitting the attacker to perform malicious actions on the affected machine.

CVE-2012-1723
A vulnerability in the Java HotSpot VM in the JRE component of various versions of Oracle Java allows attackers to essentially breach the 'sandbox', the contained environment of the Java installation, permitting the attacker to perform malicious actions on the affected machine.



Most Targeted CVE Vulnerabilities, Top 10 Countries, H2 2012

These were the top 10 countries that saw the most exploits targeting known CVE vulnerabilities in H2 2012, ranked by Exploit Prevalence, which is calculated as the count of CVE-related detections reported per 1,000 users in the country for that time period. For example, during H2 2012, our systems recorded a CVE-related exploit detection for 139 of every 1,000 users in the Netherlands. Also listed are the top 4 CVE vulnerabilities targeted in each country, as well as their relative percentage of all CVE-related detections from that country.

Country       Exploit      Top 4 targeted CVEs (% of the country's CVE-related detections)
              Prevalence
Netherlands   139          CVE-2011-3402 39%   CVE-2010-0188 32%   CVE-2012-4681 17%   CVE-2012-5076  9%
Belgium       121          CVE-2011-3402 36%   CVE-2010-0188 35%   CVE-2012-4681 16%   CVE-2012-5076 11%
Sweden        102          CVE-2011-3402 31%   CVE-2010-0188 29%   CVE-2012-4681 29%   CVE-2012-5076  9%
Italy          88          CVE-2010-0188 38%   CVE-2012-4681 29%   CVE-2011-3402 22%   CVE-2012-5076  8%
US             87          CVE-2012-4681 47%   CVE-2012-5076 25%   CVE-2011-3402 16%   CVE-2010-0188  9%
Germany        78          CVE-2012-4681 32%   CVE-2010-0188 26%   CVE-2011-3402 22%   CVE-2012-5076 15%
France         69          CVE-2011-3402 32%   CVE-2010-0188 28%   CVE-2012-4681 24%   CVE-2012-5076 13%
UK             67          CVE-2011-3402 30%   CVE-2012-4681 28%   CVE-2010-0188 28%   CVE-2012-5076 11%
Poland         61          CVE-2010-0188 35%   CVE-2012-5076 24%   CVE-2011-3402 21%   CVE-2012-4681 16%
Finland        45          CVE-2010-0188 33%   CVE-2012-5076 25%   CVE-2011-3402 21%   CVE-2012-4681 17%
CVE-2011-3402: Most Exploited Users, Top 15 Countries

Calculated as the count of CVE-2011-3402-related detections per 1,000 users in the country, as seen by F-Secure's cloud lookup systems in H2 2012. For example, in Belgium, 72 out of every 1,000 users reported seeing a CVE-2011-3402-related detection in the second half of the year.

[Map, values as labelled: Belgium 72, Netherlands 56, Switzerland 40, Sweden 34, Greece 27, Austria 25, France 25, UK 21, Italy 21, Czech Republic 19, Germany 17, USA 16, Spain 15, Poland 13, Denmark 11]

First reported in 2011, the identifier CVE-2011-3402 refers to a vulnerability in the Windows operating system component that handles TrueType fonts. The exploit was first used in the Duqu malware, which only targeted specific organizations in certain countries. Shortly afterwards, an exploit taking advantage of this vulnerability to, among other things, install malware onto the affected system became public. In October 2012, the exploit was added to the Cool Exploit kit, and shortly after to 5 other kits as well. It quickly became one of the most common exploits seen by normal computer users in H2 2012.

The Cool (kit) factor
In H2 2012, most of the malicious sites we saw with the CVE-2011-3402 exploit were using the Cool Exploit kit to attack unsuspecting site visitors. [Pie chart: Cool 87%, others 11%, Blackhole 2%]

The Euro zone
60 percent of malicious sites hosting kits with the CVE-2011-3402 exploit were registered to just 2 countries: France and Germany. [Pie chart: France 34%, Germany 26%; smaller slices for Ukraine, Russia, USA and UK]

The greatest hits
Despite being relatively new, of all CVE-related hits logged by F-Secure's cloud lookup systems in H2 2012, CVE-2011-3402-related detections were the second most frequent. [Bar chart, most to least frequent: CVE-2012-4681, CVE-2011-3402, CVE-2010-0188, CVE-2012-5076, CVE-2012-0507; scale label 135 000]
Threat Report H2 2012
Threat Report H2 2012
Threat Report H2 2012
Threat Report H2 2012
Threat Report H2 2012
Threat Report H2 2012
Threat Report H2 2012
Threat Report H2 2012
Threat Report H2 2012
Threat Report H2 2012
Threat Report H2 2012
Threat Report H2 2012
Threat Report H2 2012

Weitere ähnliche Inhalte

Was ist angesagt?

Buyers Guide to Endpoint Protection Platforms
Buyers Guide to Endpoint Protection PlatformsBuyers Guide to Endpoint Protection Platforms
Buyers Guide to Endpoint Protection PlatformsFindWhitePapers
 
Mobile security hakin9_Revista
Mobile security hakin9_RevistaMobile security hakin9_Revista
Mobile security hakin9_Revistathe_ro0t
 
The state of privacy and data security compliance
The state of privacy and data security complianceThe state of privacy and data security compliance
The state of privacy and data security complianceFindWhitePapers
 
IBM MobileFrist Protect - Guerir la Mobilephobie des RSSI
IBM MobileFrist Protect - Guerir la Mobilephobie des RSSIIBM MobileFrist Protect - Guerir la Mobilephobie des RSSI
IBM MobileFrist Protect - Guerir la Mobilephobie des RSSIAGILLY
 
Is your data at risk? Why physical security is insufficient for laptop computers
Is your data at risk? Why physical security is insufficient for laptop computersIs your data at risk? Why physical security is insufficient for laptop computers
Is your data at risk? Why physical security is insufficient for laptop computersFindWhitePapers
 
Mobile threat-report-mid-year-2018 en-us-1.0
Mobile threat-report-mid-year-2018 en-us-1.0Mobile threat-report-mid-year-2018 en-us-1.0
Mobile threat-report-mid-year-2018 en-us-1.0mobileironmarketing
 
How to tell if that pop-up window is offering you a rogue anti-malware product
How to tell if that pop-up window is offering you a rogue anti-malware productHow to tell if that pop-up window is offering you a rogue anti-malware product
How to tell if that pop-up window is offering you a rogue anti-malware productGFI Software
 
Cscu module 02 securing operating systems
Cscu module 02 securing operating systemsCscu module 02 securing operating systems
Cscu module 02 securing operating systemsSejahtera Affif
 
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...ESET Middle East
 
2010-05 Real Business, Real Threats! Don't be an Unsuspecting Target
2010-05 Real Business, Real Threats!  Don't be an Unsuspecting Target 2010-05 Real Business, Real Threats!  Don't be an Unsuspecting Target
2010-05 Real Business, Real Threats! Don't be an Unsuspecting Target Raleigh ISSA
 
Social engineering
Social engineeringSocial engineering
Social engineeringBola Oduyale
 
White Paper: Is Your Network Safe Behind Just a Firewall?
White Paper: Is Your Network Safe Behind Just a Firewall?White Paper: Is Your Network Safe Behind Just a Firewall?
White Paper: Is Your Network Safe Behind Just a Firewall?Windstream Enterprise
 
Design of Indonesia Malware Attack Monitoring Center - Charles Lim
Design of Indonesia Malware Attack Monitoring Center - Charles LimDesign of Indonesia Malware Attack Monitoring Center - Charles Lim
Design of Indonesia Malware Attack Monitoring Center - Charles Limidsecconf
 
Dan Guido SOURCE Boston 2011
Dan Guido SOURCE Boston 2011Dan Guido SOURCE Boston 2011
Dan Guido SOURCE Boston 2011Source Conference
 

Was ist angesagt? (20)

Buyers Guide to Endpoint Protection Platforms
Buyers Guide to Endpoint Protection PlatformsBuyers Guide to Endpoint Protection Platforms
Buyers Guide to Endpoint Protection Platforms
 
Hakin9 05 2013
Hakin9 05 2013Hakin9 05 2013
Hakin9 05 2013
 
Mobile security hakin9_Revista
Mobile security hakin9_RevistaMobile security hakin9_Revista
Mobile security hakin9_Revista
 
The state of privacy and data security compliance
The state of privacy and data security complianceThe state of privacy and data security compliance
The state of privacy and data security compliance
 
IBM MobileFrist Protect - Guerir la Mobilephobie des RSSI
IBM MobileFrist Protect - Guerir la Mobilephobie des RSSIIBM MobileFrist Protect - Guerir la Mobilephobie des RSSI
IBM MobileFrist Protect - Guerir la Mobilephobie des RSSI
 
Privacy, Security
Privacy, SecurityPrivacy, Security
Privacy, Security
 
Is your data at risk? Why physical security is insufficient for laptop computers
Is your data at risk? Why physical security is insufficient for laptop computersIs your data at risk? Why physical security is insufficient for laptop computers
Is your data at risk? Why physical security is insufficient for laptop computers
 
Mobile threat-report-mid-year-2018 en-us-1.0
Mobile threat-report-mid-year-2018 en-us-1.0Mobile threat-report-mid-year-2018 en-us-1.0
Mobile threat-report-mid-year-2018 en-us-1.0
 
Hacking 10 2010
Hacking 10 2010Hacking 10 2010
Hacking 10 2010
 
How to tell if that pop-up window is offering you a rogue anti-malware product
How to tell if that pop-up window is offering you a rogue anti-malware productHow to tell if that pop-up window is offering you a rogue anti-malware product
How to tell if that pop-up window is offering you a rogue anti-malware product
 
Info sec 12 v1 2
Info sec 12 v1 2Info sec 12 v1 2
Info sec 12 v1 2
 
Cscu module 02 securing operating systems
Cscu module 02 securing operating systemsCscu module 02 securing operating systems
Cscu module 02 securing operating systems
 
csxnewsletter
csxnewslettercsxnewsletter
csxnewsletter
 
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp...
 
Spo2 w22
Spo2 w22Spo2 w22
Spo2 w22
 
2010-05 Real Business, Real Threats! Don't be an Unsuspecting Target
2010-05 Real Business, Real Threats!  Don't be an Unsuspecting Target 2010-05 Real Business, Real Threats!  Don't be an Unsuspecting Target
2010-05 Real Business, Real Threats! Don't be an Unsuspecting Target
 
Social engineering
Social engineeringSocial engineering
Social engineering
 
White Paper: Is Your Network Safe Behind Just a Firewall?
White Paper: Is Your Network Safe Behind Just a Firewall?White Paper: Is Your Network Safe Behind Just a Firewall?
White Paper: Is Your Network Safe Behind Just a Firewall?
 
Design of Indonesia Malware Attack Monitoring Center - Charles Lim
Design of Indonesia Malware Attack Monitoring Center - Charles LimDesign of Indonesia Malware Attack Monitoring Center - Charles Lim
Design of Indonesia Malware Attack Monitoring Center - Charles Lim
 
Dan Guido SOURCE Boston 2011
Dan Guido SOURCE Boston 2011Dan Guido SOURCE Boston 2011
Dan Guido SOURCE Boston 2011
 

Ähnlich wie Threat Report H2 2012

Bitdefender - Solution Paper - Active Threat Control
Bitdefender - Solution Paper - Active Threat ControlBitdefender - Solution Paper - Active Threat Control
Bitdefender - Solution Paper - Active Threat ControlJose Lopez
 
IBM X-Force Threat Intelligence Quarterly Q4 2015
IBM X-Force Threat Intelligence Quarterly Q4 2015IBM X-Force Threat Intelligence Quarterly Q4 2015
IBM X-Force Threat Intelligence Quarterly Q4 2015Andreanne Clarke
 
Sophos security-threat-report-2014-na
Sophos security-threat-report-2014-naSophos security-threat-report-2014-na
Sophos security-threat-report-2014-naAndreas Hiller
 
Network Insights of Dyre and Dridex Trojan Bankers
Network Insights of Dyre and Dridex Trojan BankersNetwork Insights of Dyre and Dridex Trojan Bankers
Network Insights of Dyre and Dridex Trojan BankersBlueliv
 
Problems With Battling Malware Have Been Discussed, Moving...
Problems With Battling Malware Have Been Discussed, Moving...Problems With Battling Malware Have Been Discussed, Moving...
Problems With Battling Malware Have Been Discussed, Moving...Deb Birch
 
Kaspersky North American Virus Analyst Summit
Kaspersky North American Virus Analyst SummitKaspersky North American Virus Analyst Summit
Kaspersky North American Virus Analyst SummitPR Americas
 
PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018
PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018
PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018Panda Security
 
Scansafe Annual Global Threat Report 2009
Scansafe Annual Global Threat Report 2009Scansafe Annual Global Threat Report 2009
Scansafe Annual Global Threat Report 2009Kim Jensen
 
rovide 34 paragraphs that define how the IT security landscape has evo.docx
rovide 34 paragraphs that define how the IT security landscape has evo.docxrovide 34 paragraphs that define how the IT security landscape has evo.docx
rovide 34 paragraphs that define how the IT security landscape has evo.docxacarolyn
 
Identifying, Monitoring, and Reporting Malware
Identifying, Monitoring, and Reporting MalwareIdentifying, Monitoring, and Reporting Malware
Identifying, Monitoring, and Reporting MalwareTeodoro Cipresso
 
Stop Watering Holes, Spear-Phishing and Drive-by Downloads
Stop Watering Holes, Spear-Phishing and Drive-by DownloadsStop Watering Holes, Spear-Phishing and Drive-by Downloads
Stop Watering Holes, Spear-Phishing and Drive-by DownloadsInvincea, Inc.
 
Panda Adaptive Defense 360 - Cyber Extortion Guide
Panda Adaptive Defense 360 - Cyber Extortion GuidePanda Adaptive Defense 360 - Cyber Extortion Guide
Panda Adaptive Defense 360 - Cyber Extortion GuidePanda Security
 
Protecting Against the New Wave of Malware
Protecting Against the New Wave of MalwareProtecting Against the New Wave of Malware
Protecting Against the New Wave of MalwareGFI Software
 

Ähnlich wie Threat Report H2 2012 (20)

Threat report h1_2013
Threat report h1_2013Threat report h1_2013
Threat report h1_2013
 
Rp quarterly-threat-q1-2012
Rp quarterly-threat-q1-2012Rp quarterly-threat-q1-2012
Rp quarterly-threat-q1-2012
 
Bitdefender - Solution Paper - Active Threat Control
Bitdefender - Solution Paper - Active Threat ControlBitdefender - Solution Paper - Active Threat Control
Bitdefender - Solution Paper - Active Threat Control
 
AVG Threat Report Q4 2012
AVG Threat Report Q4 2012AVG Threat Report Q4 2012
AVG Threat Report Q4 2012
 
IBM X-Force Threat Intelligence Quarterly Q4 2015
IBM X-Force Threat Intelligence Quarterly Q4 2015IBM X-Force Threat Intelligence Quarterly Q4 2015
IBM X-Force Threat Intelligence Quarterly Q4 2015
 
Sophos security-threat-report-2014-na
Sophos security-threat-report-2014-naSophos security-threat-report-2014-na
Sophos security-threat-report-2014-na
 
Network Insights of Dyre and Dridex Trojan Bankers
Network Insights of Dyre and Dridex Trojan BankersNetwork Insights of Dyre and Dridex Trojan Bankers
Network Insights of Dyre and Dridex Trojan Bankers
 
Problems With Battling Malware Have Been Discussed, Moving...
Problems With Battling Malware Have Been Discussed, Moving...Problems With Battling Malware Have Been Discussed, Moving...
Problems With Battling Malware Have Been Discussed, Moving...
 
Kaspersky North American Virus Analyst Summit
Kaspersky North American Virus Analyst SummitKaspersky North American Virus Analyst Summit
Kaspersky North American Virus Analyst Summit
 
Rp threat-predictions-2013
Rp threat-predictions-2013Rp threat-predictions-2013
Rp threat-predictions-2013
 
PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018
PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018
PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018
 
virus
virusvirus
virus
 
Scansafe Annual Global Threat Report 2009
Scansafe Annual Global Threat Report 2009Scansafe Annual Global Threat Report 2009
Scansafe Annual Global Threat Report 2009
 
rovide 34 paragraphs that define how the IT security landscape has evo.docx
rovide 34 paragraphs that define how the IT security landscape has evo.docxrovide 34 paragraphs that define how the IT security landscape has evo.docx
rovide 34 paragraphs that define how the IT security landscape has evo.docx
 
Network monitoring white paper
Network monitoring white paperNetwork monitoring white paper
Network monitoring white paper
 
Identifying, Monitoring, and Reporting Malware
Identifying, Monitoring, and Reporting MalwareIdentifying, Monitoring, and Reporting Malware
Identifying, Monitoring, and Reporting Malware
 
CTI Report
CTI ReportCTI Report
CTI Report
 
Stop Watering Holes, Spear-Phishing and Drive-by Downloads
Stop Watering Holes, Spear-Phishing and Drive-by DownloadsStop Watering Holes, Spear-Phishing and Drive-by Downloads
Stop Watering Holes, Spear-Phishing and Drive-by Downloads
 
Panda Adaptive Defense 360 - Cyber Extortion Guide
Panda Adaptive Defense 360 - Cyber Extortion GuidePanda Adaptive Defense 360 - Cyber Extortion Guide
Panda Adaptive Defense 360 - Cyber Extortion Guide
 
Protecting Against the New Wave of Malware
Protecting Against the New Wave of MalwareProtecting Against the New Wave of Malware
Protecting Against the New Wave of Malware
 

Mehr von F-Secure Corporation

How do you predict the threat landscape?
How do you predict the threat landscape?How do you predict the threat landscape?
How do you predict the threat landscape?F-Secure Corporation
 
Got hacked? It’s too late to run now!
Got hacked? It’s too late to run now!Got hacked? It’s too late to run now!
Got hacked? It’s too late to run now!F-Secure Corporation
 
The Real Costs of SIEM vs. Managed Security Service
The Real Costs of SIEM vs. Managed Security ServiceThe Real Costs of SIEM vs. Managed Security Service
The Real Costs of SIEM vs. Managed Security ServiceF-Secure Corporation
 
Security A to Z: Glossary of the most important terms
Security A to Z: Glossary of the most important termsSecurity A to Z: Glossary of the most important terms
Security A to Z: Glossary of the most important termsF-Secure Corporation
 
Les attaques menées depuis la France dans le cyber espace
Les attaques menées depuis la France dans le cyber espace Les attaques menées depuis la France dans le cyber espace
Les attaques menées depuis la France dans le cyber espace F-Secure Corporation
 
Les attaques menées depuis la France dans le cyber espace
Les attaques menées depuis la France dans le cyber espaceLes attaques menées depuis la France dans le cyber espace
Les attaques menées depuis la France dans le cyber espaceF-Secure Corporation
 
Cyber security webinar 6 - How to build systems that resist attacks?
Cyber security webinar 6 - How to build systems that resist attacks?Cyber security webinar 6 - How to build systems that resist attacks?
Cyber security webinar 6 - How to build systems that resist attacks?F-Secure Corporation
 
Defending Servers - Cyber security webinar part 3
Defending Servers - Cyber security webinar part 3Defending Servers - Cyber security webinar part 3
Defending Servers - Cyber security webinar part 3F-Secure Corporation
 
Defending Workstations - Cyber security webinar part 2
Defending Workstations - Cyber security webinar part 2Defending Workstations - Cyber security webinar part 2
Defending Workstations - Cyber security webinar part 2F-Secure Corporation
 
Cyber security webinar part 1 - Threat Landscape
Cyber security webinar part 1 - Threat LandscapeCyber security webinar part 1 - Threat Landscape
Cyber security webinar part 1 - Threat LandscapeF-Secure Corporation
 
F secure Radar vulnerability scanning and management
F secure Radar vulnerability scanning and managementF secure Radar vulnerability scanning and management
F secure Radar vulnerability scanning and managementF-Secure Corporation
 
F-Secure Policy Manager - onsite security management with superior control
F-Secure Policy Manager - onsite security management with superior controlF-Secure Policy Manager - onsite security management with superior control
F-Secure Policy Manager - onsite security management with superior controlF-Secure Corporation
 
Best business protection for windows
Best business protection for windowsBest business protection for windows
Best business protection for windowsF-Secure Corporation
 
Six things to take into account when choosing cloud solutions
Six things to take into account when choosing cloud solutionsSix things to take into account when choosing cloud solutions
Six things to take into account when choosing cloud solutionsF-Secure Corporation
 
Small and midsize business security is big business
Small and midsize business security is big businessSmall and midsize business security is big business
Small and midsize business security is big businessF-Secure Corporation
 
大きなビジネスを生み出す中小中堅企業
大きなビジネスを生み出す中小中堅企業大きなビジネスを生み出す中小中堅企業
大きなビジネスを生み出す中小中堅企業F-Secure Corporation
 
Why should you care about government surveillance?
Why should you care about government surveillance?Why should you care about government surveillance?
Why should you care about government surveillance?F-Secure Corporation
 
Arbeta var du vill- eBook om modern mobilitet
Arbeta var du vill- eBook om modern mobilitetArbeta var du vill- eBook om modern mobilitet
Arbeta var du vill- eBook om modern mobilitetF-Secure Corporation
 

Mehr von F-Secure Corporation (20)

Post-mortem of a data breach
Post-mortem of a data breachPost-mortem of a data breach
Post-mortem of a data breach
 
How do you predict the threat landscape?
How do you predict the threat landscape?How do you predict the threat landscape?
How do you predict the threat landscape?
 
Got hacked? It’s too late to run now!
Got hacked? It’s too late to run now!Got hacked? It’s too late to run now!
Got hacked? It’s too late to run now!
 
The Real Costs of SIEM vs. Managed Security Service
The Real Costs of SIEM vs. Managed Security ServiceThe Real Costs of SIEM vs. Managed Security Service
The Real Costs of SIEM vs. Managed Security Service
 
Security A to Z: Glossary of the most important terms
Security A to Z: Glossary of the most important termsSecurity A to Z: Glossary of the most important terms
Security A to Z: Glossary of the most important terms
 
Les attaques menées depuis la France dans le cyber espace
Les attaques menées depuis la France dans le cyber espace Les attaques menées depuis la France dans le cyber espace
Les attaques menées depuis la France dans le cyber espace
 
Les attaques menées depuis la France dans le cyber espace
Les attaques menées depuis la France dans le cyber espaceLes attaques menées depuis la France dans le cyber espace
Les attaques menées depuis la France dans le cyber espace
 
Cyber security webinar 6 - How to build systems that resist attacks?
Cyber security webinar 6 - How to build systems that resist attacks?Cyber security webinar 6 - How to build systems that resist attacks?
Cyber security webinar 6 - How to build systems that resist attacks?
 
Defending Servers - Cyber security webinar part 3
Defending Servers - Cyber security webinar part 3Defending Servers - Cyber security webinar part 3
Defending Servers - Cyber security webinar part 3
 
Defending Workstations - Cyber security webinar part 2
Defending Workstations - Cyber security webinar part 2Defending Workstations - Cyber security webinar part 2
Defending Workstations - Cyber security webinar part 2
 
Cyber security webinar part 1 - Threat Landscape
Cyber security webinar part 1 - Threat LandscapeCyber security webinar part 1 - Threat Landscape
Cyber security webinar part 1 - Threat Landscape
 
F secure Radar vulnerability scanning and management
F secure Radar vulnerability scanning and managementF secure Radar vulnerability scanning and management
F secure Radar vulnerability scanning and management
 
F-Secure Policy Manager - onsite security management with superior control
F-Secure Policy Manager - onsite security management with superior controlF-Secure Policy Manager - onsite security management with superior control
F-Secure Policy Manager - onsite security management with superior control
 
The State of the Net in India
The State of the Net in IndiaThe State of the Net in India
The State of the Net in India
 
Best business protection for windows
Best business protection for windowsBest business protection for windows
Best business protection for windows
 
Six things to take into account when choosing cloud solutions
Six things to take into account when choosing cloud solutionsSix things to take into account when choosing cloud solutions
Six things to take into account when choosing cloud solutions
 
Small and midsize business security is big business
Small and midsize business security is big businessSmall and midsize business security is big business
Small and midsize business security is big business
 
大きなビジネスを生み出す中小中堅企業
大きなビジネスを生み出す中小中堅企業大きなビジネスを生み出す中小中堅企業
大きなビジネスを生み出す中小中堅企業
 
Why should you care about government surveillance?
Why should you care about government surveillance?Why should you care about government surveillance?
Why should you care about government surveillance?
 
Arbeta var du vill- eBook om modern mobilitet
Arbeta var du vill- eBook om modern mobilitetArbeta var du vill- eBook om modern mobilitet
Arbeta var du vill- eBook om modern mobilitet
 

Kürzlich hochgeladen

Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 

Kürzlich hochgeladen (20)

Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx

Threat Report H2 2012

  • 3. foreword (continued)
There is no exploit without a vulnerability. Ultimately, vulnerabilities are just bugs, that is, programming errors. We have bugs because programs are written by human beings, and human beings make mistakes. Software bugs have been a problem for as long as we have had programmable computers—and they are not going to disappear.

Bugs were not very critical until access to the Internet became widespread. Before, you could have been working on a word processor and opening a corrupted document file, and as a result, your word processor would have crashed. Even if annoying, such a crash would not have been too big of a deal. You might have lost any unsaved work in open documents, but that would have been it. However, things changed as soon as the Internet entered the picture. Suddenly, bugs that used to be just a nuisance could be used to take over your computer.

Yet, even the most serious vulnerabilities are worthless for the attacker if they get patched. Therefore, the most valuable exploits are targeting vulnerabilities that are not known to the vendor behind the exploited product. This means that the vendor cannot fix the bug and issue a security patch to close the hole.

If a security patch is available and the vulnerability starts to get exploited by the attackers five days after the patch came out, the users have had five days to react. If there is no patch available, the users have no time at all to secure themselves; literally, zero days. This is where the term ‘Zero Day Vulnerability’ comes from: users are vulnerable, even if they have applied all possible patches.

One of the key security mechanisms continues to be patching. Make sure all your systems are always fully up-to-date. This drastically reduces the risk of getting infected. But for Zero Day vulnerabilities, there are no patches available. However, antivirus products can help against even them. We’re in a constant race against the attackers. And this race isn’t going to be over any time soon.

Mikko Hyppönen, Chief Research Officer
  • 4. Executive Summary
Three things visibly stand out in this past half year: botnets (with special reference to ZeroAccess), exploits (particularly against the Java development platform) and banking trojans (Zeus).

ZeroAccess was easily the most prevalent botnet we saw in 2012, with infections most visible in France, the United States and Sweden. It is also one of the most actively developed and perhaps the most profitable botnet of last year. In this report, we go through the distribution methods and payment schemes of ZeroAccess’s ‘affiliate program’, as well as its two main profit-generating activities: click fraud and Bitcoin mining. Aside from ZeroAccess, other notable botnets of 2012 are Zeus, Carberp, Dorkbot and SpamSoldier (a mobile botnet).

Java was the main target for most of the exploit-based attacks we saw during the past half year. This is aptly demonstrated in the statistics for the top 10 most prevalent detections recorded by our cloud lookup systems, in which the combined total of detections for the Java-specific CVE-2012-4681 and CVE-2012-5076 vulnerabilities and the Majava generic detections, which also identify samples that exploit Java-related vulnerabilities, account for one third of the samples identified during this period. Exploit kits play a big role in this prevalence. In addition, exploits against other programs such as the PDF document reader (CVE-2010-0188) or Windows TrueType font (CVE-2011-3402) made notable impacts in H2 2012, as detailed further in this report.

With regard to banking trojans, a botnet known as Zeus—which is also the name of the malware used to infect users’ machines—is the main story for 2012. Analysis of the geography of Zeus’s infection distribution highlights the United States, Italy and Germany as the most affected countries. In addition to its banking-trojan capabilities, the Zeus malware also functions as a backdoor, allowing it to be directly controlled from the botnet’s command and control (C&C) servers. An examination of the different sets of backdoor commands used by Zeus derivatives (known as Citadel and Ice IX) gives more detail of what other malicious actions this malware can perform.

In terms of online security, we look at the more ambiguous side of the ever-growing popularity of website hosting, and how its increasingly affordable and user-friendly nature also makes it well suited to supporting malware hosting and malvertising. We also take a look at multi-platform attacks, in which a coordinated attack campaign is launched against multiple platforms (both desktop and mobile), often with multiple malware.

And finally on the mobile scene, the Android and Symbian platforms continue to be the main focus of threats, accounting for 79% and 19%, respectively, of all new mobile malware variants identified in 2012.
  • 5. Contents
This Threat Report highlights trends and new developments seen in the malware threat landscape by analysts in F-Secure Labs during the second half of 2012. Also included are case studies covering selected noteworthy, highly-prevalent threats from this period.

Contributing authors: Broderick Aquilino, Karmina Aquino, Christine Bejerasco, Edilberto Cajucom, Su Gim Goh, Alia Hilyati, Timo Hirvonen, Mikko Hypponen, Sarah Jamaludin, Jarno Niemela, Mikko Suominen, Chin Yick Low, Sean Sullivan, Marko Thure, Juha Ylipekkala

Foreword 3
Executive Summary 4
Contents 5
Incidents Calendar 6
In Review 7
Of Note 10
    The Password 11
    Corporate Espionage 12
Case Studies 14
    Bots 15
    ZeroAccess 17
    Zeus 21
    Exploits 25
    Web 28
    Multi-Platform Attacks 32
    Mobile 35
Sources 38
  • 6. Incidents Calendar H2 2012 (July-December)*
Entries from the calendar graphic, July through December:
- FBI support for DNSChanger ended
- Out-of-band Patch Friday
- Syrian Internet, mobile connections cut off
- Imuler.B backdoor found on OS X
- Multi-platform Intel/OS X backdoor found
- Malware signed with Adobe certificate
- Berlin police warned of Android banking trojans
- Commercial multi-platform surveillance tools found
- Samsung TouchWiz exploit
- Cool Exploit kit reported rivalling Blackhole
- Iran-targeted malware reported
- New Mac Revir threat found
- Indian government email accounts hacked
- New Linux rootkit found
- Gauss threat targeted the London Olympics
- Dexter malware hit point of sales (POS)
- Huawei controversy in US Congress
- ITU Telecom World ‘12 raised Internet/government concerns
- Australian hospital’s records ransomed
- Blackhole updated faster than flaws patched
- Java update closed 3 vulnerabilities
- Mac threat found on Dalai Lama-related website
- Matt Honan ‘hack’ highlighted flaws in accounts systems
- One rogue ad hits Finnish web traffic
- Eurograbber attack on European banks reported
- Samsung Exynos exploit reported
Categories: Online espionage, In the news, PC threats, Mobile threats, Hacktivism.
*Sources: See page 38.
  • 7. In Review: changes in the threat landscape
Unlike the first half of 2012, the second half of the year saw no major malware outbreaks on any platform. Instead, a handful of incidents took place during this time period, most of which were notable as indications of how inventive the attackers have been in finding ways to compromise a user’s machine, data or money. These incidents included the hack into the Gmail and Apple accounts of Wired’s Matt Honan, which exposed loopholes in those account systems; the Adobe-certified malware episode, in which attackers went to the extent of stealing Adobe’s digital certificate in order to sign malware used in targeted attacks; and the Eurograbber attack, in which a variant of the Zeus crimeware was reportedly used to steal money from various corporations and banks in Europe.

An interesting development in 2012 has been the increasing public awareness of cyber-security and the various implications of being vulnerable to attack over a borderless Internet. News reports of alleged online or malware-based attacks against Iranian facilities drew attention to state-sponsored cyber-attacks. A conference gathering the various telecommunications entities to discuss basic infrastructure issues raised concerns about Internet governance, and the role of governments in it. The past year also saw US politicians, not generally considered the most tech-savvy of users, raise concerns over perceived reliance on IT solutions for sensitive government systems being provided by foreign corporations seen as potentially unreliable. Though it is probably a positive development that more people are becoming exposed to topics that have long been considered irrelevant or academic, only time will tell what will result from the increased awareness.

Rather than a single major event, perhaps the most noteworthy aspect of H2 2012 is the way that the various trends we saw emerging in the first two quarters of the year have continued to grow apace—that is, the growth of botnets, the ‘standardization’ of vulnerability exploitation and the increasing ‘establishment’ of exploit kits.

When it comes to botnets, the news has been mixed at best. The last few years have seen concerted efforts by players from different fields—telecommunications, information security and even government organizations—to take down or at least hamper the activities of various botnets, which have compromised millions of users’ computers and been used to perform such activities as monetary fraud and online hacking. These combined efforts resulted in totally shuttering, or at least seriously hampering, major botnets such as Rustock, Zeus and DNSChanger. Unfortunately, despite these commendable efforts, the botnets have been regularly resurrecting, often with new strategies or mechanisms for garnering profit. In addition, the operators running these botnets have been aggressively marketing their ‘products’ to other hackers and malware distributors. Their efforts include offering affiliate programs with attractive ‘pay-per-installation’ rates and ‘rent-a-botnet’ schemes that allow attackers to use the combined power of the infected hosts to perform attacks or other nefarious activities. These sophisticated business tactics have garnered significant returns. In some cases, such as ZeroAccess, the reborn botnets have grown to count millions of infected hosts. See the case studies Bots (pg. 15), ZeroAccess (pg. 17) and Zeus (pg. 21) for more information on botnets.

Another change we saw last year was the increasing use of vulnerability exploitation, often in tandem with established social engineering tactics.
Unlike previous years, when most of the infections we saw involved trojans, 2012 was definitely the year of the exploit, as exploit-related detections accounted for approximately 28% of all detections F-Secure’s cloud lookup systems saw in H2 2012. In addition, malware designed to exploit vulnerabilities related to the Java development platform made up about 68% of all exploit-related detections recorded by our systems in the second half of last year.
  • 8. Top 10 detections in H2 2012, top countries*
Detection       Share   Top countries
ZeroAccess      27%     FR, US, SE, DK, others
Majava          26%     US, FR, FI, SE, others
Downadup        11%     BR, FR, MY, IT, others
BlackHole        9%     FR, FI, SE, NL, others
CVE-2012-4681    6%     US, SE, FR, DE, others
CVE-2011-3402    6%     FR, SE, NL, FI, others
CVE-2010-0188    6%     FR, SE, FI, NL, others
CVE-2012-5076    3%     FI, US, FR, SE, others
PDF Exploits     3%     FI, FR, SE, DE, others
Sinowal          3%     NL, SE, FI, others
*Based on statistics from F-Secure’s cloud lookup systems from July to December 2012.

If we look at the list of Top 10 Detections (above) seen by our cloud lookup systems in H2 2012 in more detail, two detections which specifically identify samples exploiting the Java-specific CVE-2012-4681 and CVE-2012-5076 vulnerabilities alone account for 9% of the malware identified by the top 10 detections. In addition, the Majava generic detections, which identify samples that exploit known vulnerabilities, including the Java-specific CVE-2012-0507 and CVE-2012-1723 vulnerabilities, account for another 26% of the top 10 detections, as well as having the dubious honor of being the second most common detection overall reported by our backend systems. The sheer volume of Java-related detections indicates both the widespread popularity of that platform and its susceptibility to the malicious inventiveness of malware authors.

Interestingly enough, when considering exploit attacks in general, though we saw attacks exploiting numerous vulnerabilities in multiple platforms and programs in 2012, the vast majority of the cases were related to only four vulnerabilities—CVE-2011-3402 and CVE-2010-0188, which are Windows-related vulnerabilities, and the previously mentioned Java vulnerabilities, CVE-2012-4681 and CVE-2012-5076. All of these vulnerabilities, incidentally, have already had security patches released by their relevant vendors.
  • 9. This skewed preference in attack targeting can be directly attributed to the popular usage of exploit kits such as Blackhole and Cool Exploit, which have incorporated the exploits for these vulnerabilities, in some cases faster than the vendors were able to patch them. It’s perhaps not too surprising then that BlackHole-related detections account for 9% of all samples detected by the top 10 detections of H2 2012. For more information on these exploits, see the Exploits case study on page 25.

And as a closing note, a quick look at our detection statistics for Mac indicates that even though Windows machines continue to be the main target for attacks, the Mac platform is increasingly coming in for a share of unwanted attention. Apart from the major Flashback outbreak in early 2012, we saw a slow but steady increase in malware on the Mac platform, as we detected 121 new, unique variants in all of 2012, the majority of them backdoors. By contrast, in 2011, we recorded only 59 new unique variants discovered on that platform.

Mac malware by type, Jan to Dec 2012 (total = 121 variants*): Backdoor 85%, Trojan 7%, Rogue 4%, Others 4%.
*The total is counted based on unique variants detected from Jan to Dec 2012, rather than total file count. Riskware and repackaged installers are not counted; multi-component malware are only counted once.
  • 10. Of Note: The Password (11), Corporate Espionage (12)
  • 11. The Password: dead man walking
Computer passwords are something like fifty years old. And until a little over twenty years ago, they were very often a shared resource where multiple people used the same password (or set of passwords) for access to computer systems. The use of individual passwords was actually something of an innovation at the time.

Then came the World Wide Web, and with it, the ever growing need for more and more account passwords. As time has passed and our online lives have grown, it is now not at all uncommon for people to have dozens of passwords to keep track of. And what’s worse is that all of those passwords should be “strong” passwords and people shouldn’t reuse them between accounts. It’s too much!

The second half of 2012 provided more than enough evidence to demonstrate the problem of passwords. Hacks, breaches, database dumps—these are terms that average individuals (not just techies) are now familiar with. With today’s processing power, passwords that are strong enough to withstand brute force attacks are too difficult for the human brain to remember.

Even if the passwords are strong, our systems of authenticating account resets are flawed. A strong password is useless if social engineering tactics can be used to reset those passwords. The password is dead and we all know it. But unfortunately, its successor has yet to turn up. So what’s to be done in the meantime? Triage.
• Use a password manager such as KeePass or Password Safe
• Kill old accounts that you no longer use
• Untangle cross-linked accounts
• Consider using a “secret” email address for account maintenance
• Be careful about what you share on social media. If you share, don’t rely on personal information for your account password resets
• Use two-factor authentication options if available

Determine which accounts are your critical points of failure, and make sure they are all well defended. Two-factor authentication is good, but even that is not a bulletproof solution. It is important to use every option available.

For example, Google’s Gmail allows users to create their own security question for password resets. There is absolutely no reason why this question needs to be based on reality. It can just as easily be another “password”, one which is written down and stored safely at home, where only you have access to it.

And if you are a parent of teenage children… you really should have “the talk” with them about their use of passwords. The habits they form now will have a big impact on their future online lives.

Hopefully, one day soon, a true successor will rise to take the password’s place and we will all be able to let the password die a dignified death. Unfortunately, we are more likely to experience fits and starts towards a new solution. Prepare yourself now; 2013 isn’t going to be kind for those who are unprepared.

Recommended Reading
• Hacked: passwords have failed and it’s time for something new[1]: Matt Honan discusses the account hack that disrupted his digital life and its implications for online security
• Google declares war on the password[2]: Find out more about Google’s experiment with device-based account authentication

SOURCES
[1] Wired; Matt Honan; Hacked: passwords have failed and it’s time for something new; published 17 Jan 2013; http://www.wired.co.uk/magazine/archive/2013/01/features/hacked?page=all
[2] Wired; Robert McMillan; Google declares war on the password; published 18 Jan 2013; http://www.wired.com/wiredenterprise/2013/01/google-password/
  • 12. Corporate espionage: rise of the ‘watering hole’ attack
In Q4 2012, we watched the nature of corporate espionage attacks change. Before, almost all recorded corporate espionage cases were based on using specially crafted documents containing exploits and a malware payload. Now, spies have started to leverage vulnerabilities in web browsers and browser plugins to achieve their aims in so-called ‘watering hole’ attacks.

‘Watering hole’ attacks are called such because instead of compromising a random website and infecting anyone who happens to visit the site, the attackers are more discriminating in both the users being targeted and the site used as the infection vector. The attackers specifically attack a site which is commonly used by employees of the actual target organization. When these employees visit the compromised site, their browser or computer is then attacked, typically by exploiting a vulnerability that allows trojans or backdoors to be installed on the machine. From that point on, the installed malware becomes the gateway for attackers to reach their real target: the internal network and/or communications of the compromised employee’s company.

Figure 1: Screenshots of an e-mail and malicious file attachment used in a targeted attack

Numerous examples of corporate espionage attacks have been reported in the F-Secure Weblog over the years, many of them involving poisoned e-mail file attachments sent directly to the targeted organizations.

These attacks contrast sharply with the most recent case of a watering hole attack—the 21st December 2012 compromise of the Council of Foreign Relations (CFR) website[1]. In this attack, the website was injected with a previously unknown exploit that affected versions 6, 7 and 8 of the Internet Explorer (IE) web browser. Compromising the website itself was not the attacker’s final objective; it was merely used as a conduit to infect the website’s visitors, which naturally include members of the CFR itself. And considering that CFR counts among its members both current and former US political elite and the founders of multinational companies, the list of potential targets is very interesting.

The rise of web-based attacks in corporate espionage raises two points: first, this trend means that any corporation with an online presence that serves such potentially ‘interesting’ targets may be at risk of unwittingly serving as an attack conduit; and secondly, obviously, such organizations must now find a way to mitigate such a risk, in order to protect themselves and their clients.
  • 13. Figure: How a ‘watering hole’ attack works (the attacker compromises a website used by the targeted organization and plants an exploit kit; an employee’s computer is compromised when visiting it, and the attacker gains access to the compromised computer).

For companies with online resources that may be vulnerable to ‘watering hole’ attacks, it is very important to invest in web and server security. Performing regular audits to verify that your web server is serving only what it should is also highly recommended.

Defending against watering hole attacks does not require anything new that should not already be in place to protect against more mundane web attacks which target zero day vulnerabilities, thereby circumventing detection-based security coverage. A corporate security suite with behavioral based detection should of course be a part of the protection solution, as it can still provide a measure of protection by actively looking for and red-flagging suspicious behavior, rather than static reliance on known features to identify a malicious file.

But when we consider dealing with advanced and persistent attackers, one layer of protection is not enough. At a minimum, corporate users should use Microsoft’s free Exploit Mitigation Toolkit (EMET) to harden their system’s memory handling for client applications such as web browsers, web browser plugins and document readers.

A second, very effective method of ruining the spy’s day is to use DNS whitelisting in the company‘s DNS server so that only specific, approved public sites can be accessed on the user’s machine. This precaution directly interferes with the spy’s ability to communicate with its installed trojan(s), as well as helping to prevent information stolen from the machine being sent out to the attacker’s command and control (C&C) server.

Done right, this method also has the advantage of not interfering with the way most users work or browse the Internet. At F-Secure, we maintain a list of known attack domains potentially associated with corporate espionage. Cross-referencing this list against Alexa.com’s list of 1 million most common domains showed that 99.6% of these potential C&C sites were outside of Alexa’s top domains.

So if your organization is in possession of information that might be interesting to other companies, we recommend a custom DNS whitelisting solution that is relaxed enough to allow your users to work, but still strict enough to block unknown domains. And while attackers can use C&C channels that are trickier to block, such as Twitter or Facebook, this simple precaution does make it more difficult for attackers to operate.

SOURCE
[1] The Washington Free Beacon; Chinese Hackers Suspected in Cyber Attack on Council on Foreign Relations; published 27 Dec. 2012; http://freebeacon.com/chinese-hackers-suspected-in-cyberattack-on-council-on-foreign-relations/
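As an added example (not code from the F-Secure report), the following Python models the DNS whitelisting recommended above: a resolver policy that allows only approved public domains and their subdomains, blocks and records everything else, and cross-references the blocked names against a popular-domains list the way the report does with its attack-domain list. The allowlist, the "top domains" list, the DNS query log and all `.example` names are constructed sample data, and the function names are this example's own.

```python
"""
Added example (not from the F-Secure report): a minimal model of the DNS
whitelisting the report recommends for companies worried about 'watering
hole' espionage. Only approved public domains (and their subdomains)
resolve; every other query is blocked and logged, and the blocked names are
cross-referenced against a popular-domains list. All domains, log lines and
the 'top domains' list below are constructed sample data.
"""
from collections import Counter

# Constructed approved-domain list (what the company's DNS server may resolve).
ALLOWLIST = {"example.com", "corp-mail.example", "suppliers.example.net"}

# Constructed stand-in for a 'top 1 million domains' list.
TOP_DOMAINS = {"example.com", "popular-news.example", "search.example"}

# Constructed DNS query log, one query per line: "<time> <client-ip> <qname> <qtype>".
SAMPLE_LOG = """\
2012-12-21T09:00:01 10.0.0.12 www.example.com A
2012-12-21T09:00:05 10.0.0.12 webmail.corp-mail.example A
2012-12-21T09:01:10 10.0.0.33 cdn.popular-news.example A
2012-12-21T09:01:12 10.0.0.33 update.unlisted-host-placeholder.example A
2012-12-21T09:02:00 10.0.0.12 suppliers.example.net.lookalike-placeholder.example A
2012-12-21T09:02:30 10.0.0.45 portal.suppliers.example.net A
"""


def normalize(qname: str) -> str:
    """Lower-case the name and strip the trailing dot DNS names often carry."""
    return qname.lower().rstrip(".")


def is_allowed(qname: str, allowlist=ALLOWLIST) -> bool:
    """
    Exact match or a subdomain of an allowlisted name. The check walks label
    boundaries, so 'suppliers.example.net.lookalike...' does NOT match
    'suppliers.example.net' merely because it contains that string.
    """
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in allowlist for i in range(len(labels)))


def parse_log(text: str):
    """Yield (client, qname) from the constructed log lines; skip malformed ones."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qname, _qtype = parts
        yield client, normalize(qname)


def registrable(name: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain."""
    return ".".join(name.split(".")[-2:])


def apply_policy(log_text: str, allowlist=ALLOWLIST, top=TOP_DOMAINS):
    """
    Apply the allowlist to every logged query. Returns the allowed and blocked
    queries, the distinct blocked registrable domains, which of those fall
    outside the popular-domains list, and a per-client count of blocked queries
    (a machine repeatedly asking for unknown domains is worth a closer look).
    """
    allowed, blocked = [], []
    for client, qname in parse_log(log_text):
        (allowed if is_allowed(qname, allowlist) else blocked).append((client, qname))
    blocked_domains = {registrable(q) for _, q in blocked}
    return {
        "allowed": allowed,
        "blocked": blocked,
        "blocked_domains": blocked_domains,
        "outside_top": {d for d in blocked_domains if d not in top},
        "clients_blocked": Counter(c for c, _ in blocked),
    }


if __name__ == "__main__":
    result = apply_policy(SAMPLE_LOG)
    for client, qname in result["blocked"]:
        print(f"BLOCKED {client} -> {qname}")
    print(f"{len(result['outside_top'])} of {len(result['blocked_domains'])} "
          "blocked domains are outside the top-domains list")
```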
  • 15. Bots: the world of bots in 2012
In the last few years, various parties have made concerted efforts to take down or hamstring the operation of botnets, which were costing millions of users control of their machines, their data and/or their money. In 2012 however, we saw the resurrection of many of these botnets, often in a more aggressive form and with new malicious products, updated ‘packaging’ or marketing and distribution strategies and more efficient money-making mechanisms.

ZeroAccess
Of all the botnets we saw this year, definitely the fastest growing one was ZeroAccess, which racked up millions of infections globally in 2012, with up to 140,000 unique IPs in the US and Europe, as seen on the infection map at right [27]. The actual malware that turns a user’s computer into a bot is typically served by malicious sites which the user is tricked into visiting. The malicious site contains an exploit kit, usually Blackhole, which targets vulnerabilities on the user’s machine while they’re visiting the site. Once the machine is compromised, the kit drops the malware, which then turns the computer into a ZeroAccess bot.

Figure 1: Google Earth map of ZeroAccess infections in the US [1]. Red markers indicate an infected unique IP address or cluster of IP addresses.

The bot then retrieves a new list of advertisements from ZeroAccess’s command and control (C&C) server every day. The ZeroAccess botnet reportedly clicks 140 million ads a day. As this is essentially click fraud, it has been estimated that the botnet is costing up to USD 900,000 of daily revenue loss to legitimate online advertisers. Click fraud has been on the rise as the online advertisement vendors realistically have no way to differentiate between a legitimate click and a fraudulent one.

Another revenue source for ZeroAccess is its ability to mine for Bitcoin, a virtual currency that is managed in a peer-to-peer (P2P) infrastructure. Bitcoin miners harness the computational power from the bots to perform complex calculations to find a missing block to verify Bitcoin transactions, which rewards them with more Bitcoin currency as agreed within the same peer-to-peer network, and these can be converted to cash. More than half of the botnet is dedicated to mining Bitcoin for profit. Further details of ZeroAccess’s profit-generating activities can be found in the case study on page 17.

Zeus
Moving on, Zeus (and its rival cum partner, SpyEye) are perhaps still the most talked about banking trojans in 2012. Zeus has been referred to as “the God of Do-it-Yourself botnets”. Despite various takedown efforts, as of the end of December 2012, the ZeuS Tracker project has seen almost 900 ZeuS C&C servers around the world. This number may not be truly reflective of the botnet’s size, as the latest version of Zeus includes a peer-to-peer protocol that maintains communication within the botnet itself, allowing a bot to fetch configuration files and updates from other infected hosts in the botnet. This feature was dubbed “Gameover” and removes the need for a centralized C&C infrastructure, making it harder for security researchers to track the botnet.

Apart from the introduction of the Gameover feature, the main change with Zeus has been tweaks done to make the malware more user-friendly, in effect making it an attractive resource even for wannabe attackers with low technical capabilities. With its fancy control and administration panel, well documented manual and a builder, Zeus allows both amateur and expert attackers to craft, design and build executables to infect the victim computers in a very short amount of time. Citadel, the third derivative of Zeus, sets itself apart by enabling a more rapid deployment of new features and customization through an enhanced user interface, again with the aim of helping novice hackers get in the game of deploying their crimeware. This “dynamic config” functionality allows botmasters to create web injections on the fly, a vital ability in today’s online crime landscape as bots are also taken down quickly.
  • 16. The most important feature for Citadel however is the availability of a “Customer Relationship Management” system through the use of a social network platform to support reporting and fixing bugs. This kit is definitely professional grade, and we expect to see a continuous rise in infections by Citadel in the near future.

Carberp
Following the success of Zeus and SpyEye, Carberp is most notable for making a comeback with a tweaked product and ‘marketing’ approach. First appearing in 2011 as a regular data-stealing banking malware, Carberp’s spread was temporarily hampered by a takedown effort from Russian agencies in early 2012. Unfortunately, in December this botnet was discovered to have resurrected with a new ability to infect a computer’s boot record, a component that launches even before the main operating system (OS) starts, making any malware in the boot record harder to detect and remove.

Carberp’s authors or operators also changed the way the malware was distributed in order to attract more usage from other malware distributors. Carberp was previously only available as a standalone malware through private underground marketplaces. Since its resurrection, Carberp has pursued a new “malware-as-a-service” model that allows users to lease use of the botnet itself for prices ranging from USD 2000 to up to USD 10,000 a month. In addition, the buyer is offered a choice of botnet configurations. The priciest format includes the bootkit functionality, which has boosted its market price to about USD 40,000. Though the prices may seem steep, this rental scheme appears to be particularly attractive to less tech-savvy users who simply want a means to an end - that is, to install more trojans on more victim machines.

Carberp has also spread to the mobile platform in the form of man-in-the-mobile attacks. For a Carberp-in-the-mobile (CitMo) attack to work, the user must have both a mobile app and a computer infected with the desktop version of the Carberp malware. Once the mobile app is installed, it is able to intercept SMS messages containing mTANs (mobile Transaction Authorization Numbers), which are sent by banks as an authentication measure used to validate online transactions performed by the user. The intercepted mTAN is then forwarded to a remote server, from which it is later retrieved and used by the Carberp trojan installed on the same user’s computer in order to gain access to the user’s banking account.

The Carberp-infected mobile app is distributed on the Android platform, with most of the targeted users being customers of European and Russian banks. As online banking continues to rise in many countries, making such online transactions attractive targets to cybercriminals, banking-related botnets such as Carberp are expected to continue growing in 2013.

DorkBot
Then there is DorkBot, which was discovered spreading through Skype in October 2012. The malware steals user accounts and passwords from Facebook, Twitter, Netflix and various Instant Messaging (IM) channels. From an infected social networking account, DorkBot sent out images to the users’ contacts list asking the contacts if the attached image was their profile pic. Falling for this clichéd social engineering tactic resulted in an executable installing a backdoor and the DorkBot worm on the user’s machine, which was then enrolled in a botnet.

Unlike previously mentioned botnets, DorkBot makes its profit through ransom—literally by locking down the victim’s computer, allegedly for the presence of ‘illegal content’ such as pornography or pirated music. It then demands a ‘fine’ of $200 to be paid within 48 hours, failing which the victims would be ‘reported to a government enforcement agency’ for further prosecution. DorkBot is also capable of making more money out of its infected hosts by using their combined power to perpetrate click fraud, which incidentally creates an attractive revenue source for the authors.

Mobile botnets
And finally, though it is still at an embryonic stage in comparison, we are also seeing botnets operating on the mobile platform, specifically Android. These mobile botnets do exactly what botnets did when they first appeared on computers - that is, generate spam. The SpamSoldier malware sends SMS messages to a hundred Android devices (in the US) at a time. The sender has no idea of this activity, as the sent SMS messages are deleted immediately once sent, making the sky high phone bills that result an unpleasant surprise. These spam messages may also contain social engineering content, including links that lead to other malware, therefore compounding the malicious effect of these spambots.

SOURCE
[1] F-Secure Weblog; Sean Sullivan; The United States of ZeroAccess; published 20 Sept. 2012; http://www.f-secure.com/weblog/archives/00002430.html
ZeroAccess: the most profitable botnet malware in the wild

ZeroAccess is one of today’s most notable botnets. It was first discovered by researchers back in 2010, when it drew a lot of attention for its capability for terminating all processes related to security tools, including those belonging to anti-virus products. When too many researchers focused on this self-protection capability however, ZeroAccess’ author decided to drop the feature and focus more on improving its custom peer-to-peer (P2P) network protocol, which is unique to ZeroAccess. After the change[1], ZeroAccess became easier to spot by anti-virus products, yet it continued to spread like wildfire around the world due to the improved P2P technique[2]. This success can be largely attributed to its affiliate program.

Affiliate program: ZeroAccess success story

Affiliate programs are a well-known marketing strategy and are widely used by many e-commerce websites[3]. Essentially, a business owner with an e-commerce site to promote commissions other site owners to help drive customers to it (and hopefully eventually make a purchase). The website owners are then compensated for providing these customer leads.

Adopting this concept, ZeroAccess’s author or operator(s) has managed to distribute the program to a large number of machines with the help of its enlisted partners.

The ZeroAccess gang advertises the malware installer in Russian underground forums, actively looking for distributor partners. Their objective is to seek other cybercriminals who are more capable in distributing the malware and do so more efficiently.

The malware distributors generally consist of experienced affiliates, each of them employing their own methods of distributing the ZeroAccess installers, in order to fulfill the recruiter’s requirements.

The most popular distribution methods we’ve seen involve exploit kits, spam e-mails, trojan-downloaders, and seeding fake media files on P2P file-sharing services and on video sites, though the specific details in each case depend on the distributor handling the operations.

The variety of distribution schemes and methods used by the numerous affiliates have contributed to the volume of trojan-dropper variants detected by antivirus products every day. All are driven by the same motive, which is to collect an attractive revenue share from the gang.

Figure 1: A botnet operator seeking partners in an underground forum

Methods used by ZeroAccess distributors

Distribution method: Description
Downloader trojan: Dropping a downloader trojan onto a machine, which proceeds to download and install the botnet
Exploit kit: Using an exploit kit (e.g., Blackhole) in a drive-by-download attack
Fake media file or keygen or crack: Hosting infected files in P2P file sharing services using enticing names, such as ‘microsoft.office.2010.vl.editi.keygen.exe’
P2P file sharing service: Abusing a P2P file sharing website to host the ZeroAccess installer
Spam email: Sending spam emails containing an attachment or a link that could enable further exploitation

ZeroAccess 17
[Figure: ZeroAccess botnet affiliate program structure. The ZeroAccess botnet operator recruits Distributors A, B, C ... n through an underground forum; the distributors reach victims via exploit kits, spam emails and downloader trojans; the infected machines join the ZeroAccess P2P network, which earns the operator money ($$$) through Bitcoin mining and click fraud.]

The partners are compensated based on a Pay-Per-Install (PPI) service scheme[4] and the rate differs depending on the geographical location of the machine on which the malware was successfully installed. A successful installation in the United States will net the highest payout, with the gang willing to pay USD 500 per 1,000 installations in that location.

The ZeroAccess gang can afford to pay such high incentives to its recruits because the army of bots created by the affiliates’ efforts is able to generate even more revenue in return. Once the malware is successfully installed on the victim machines, ZeroAccess will begin downloading and installing additional malware onto the machines, which will generate profit for the botnet operators through click fraud and Bitcoin mining operations.

Botnet operators prefer the click fraud payload because since 2006[6], it has been a proven way to generate income from pay-per-click (PPC) or cost-per-click advertising.

Given the rate of pay, it is no surprise that ZeroAccess is widespread in the US alone[5]. After the US, the commission rates sorted from highest to lowest are Australia, Canada, Great Britain, and others. Some distributors even post screenshots of the payment they’ve received in underground forums to show the reliability of their recruiter.

Figure 2: Proof of payments made by recruiter

ZeroAccess 18
[Chart: ZeroAccess infections, top countries by percentage (%): US 35%, Japan 8%, India 6%, Canada 5%, Romania 5%, Italy 5%, Others 38%. *Based on statistics gathered from national ASN-registered networks.]

Bitcoin mining has too many constraints. For instance, the success of generating a bitcoin depends on the difficulty level of the target specified in the Bitcoin network and might even require some luck[7]. Furthermore, the victim’s machine needs to run on decent CPU power, preferably with GPU or FPGA hardware, in a reasonable amount of time[8]. Even with a large number of bots, the difficulty factors in solving Bitcoin blocks hinder the Bitcoin mining operation from performing as well as click fraud, which only requires the victims to have an internet connection and a web browser.

Despite the difficulties in Bitcoin mining, the fact that the ZeroAccess botnet was modified to drop its problematic self-protection feature and introduce the Bitcoin mining operations indicates that ZeroAccess’s operators are very ambitious to keep the botnet growing and are not afraid of taking risks.

[Chart: ZeroAccess’s profit-generating activities, by percentage (%): Click fraud 83%, Bitcoin mining 17%.]

Conclusion

Given ZeroAccess’s current success as a huge, fully functional profit-generating ‘machine’, it’s unlikely that we’ll see it going away anytime soon. The ZeroAccess malware - which poses the most direct threat to the users - will continue to exist as a hidden danger on malicious or booby-trapped websites. The affiliate program that encourages the spread of malware will continue to attract more cybercriminals due to the botnet operators’ established reputation for reliably paying its affiliates and adjusting commission rates to maintain their attractiveness. And finally, the criminal organizations behind the botnet have demonstrated that they’re willing to experiment and modify their ‘product’ in order to increase their ability to make money. As such, we expect the ZeroAccess botnet to grow and evolve, with new features or feature updates being introduced in the near future.

Sources
[1] F-Secure Weblog; Threat Research; ZeroAccess’s Way of Self-Deletion; published 13 June 2012; http://www.f-secure.com/weblog/archives/00002385.html
[2] F-Secure Weblog; Sean Sullivan; ZeroAccess: We’re Gonna Need a Bigger Planet; published 17 September 2012; http://www.f-secure.com/weblog/archives/00002428.html
[3] Wikipedia; Affiliate Marketing; http://en.wikipedia.org/wiki/Affiliate_marketing
[4] Wikipedia; Compensation Methods; http://en.wikipedia.org/wiki/Compensation_methods#Pay-per-install_.28PPI.29
[5] F-Secure Weblog; Sean Sullivan; The United States of ZeroAccess; published 20 September 2012; http://www.f-secure.com/weblog/archives/00002430.html
[6] MSNBC; Associated Press; Google settles advertising suit for $90 million; published 8 March 2006; http://www.msnbc.msn.com/id/11734026/#.ULiDyN2sHvA
[7] Bitcoin Wiki; Target; http://en.bitcoin.it/wiki/Target
[8] Wikipedia; Bitcoin; http://en.wikipedia.org/wiki/Bitcoin

ZeroAccess 19
[Map: ZeroAccess infections in the USA, Japan, and Europe*. *Red markers indicate an infected unique IP address or cluster of IP addresses.]

ZeroAccess 20
Zeus: robbing banks in modern times

Zeus makes up a significant portion of banking trojans; it compromises millions of computers around the world and causes millions of dollars in losses to its victims. In a typical operation, Zeus modifies a targeted webpage to collect valuable information, for example by adding a part that requests potential victims to enter additional login details or personal information when they visit the webpage. The information is later used to access the victims’ online account and to perform unauthorized transactions.

P2P Zeus geography

Of all derivatives and variants, the peer-to-peer (P2P) version is particularly special because it is private and forms only one large botnet. Other derivatives usually consist of numerous yet smaller botnets, each run by someone who has purchased a version of Zeus. From late August to mid-November 2012, we monitored the P2P bots and tracked the websites that they had targeted to compromise with web injections. The targeted sites were defined by configuration data that the bots received from other infected machines, which is stored in encrypted form in the Windows registry.

The configuration data revealed that a total of 644 unique URLs were targeted for web-injections during the monitoring period, with a special focus on sites based in North America. Not all of these URLs included the domain names. Sometimes, only the path is used for identifying a targeted website. And many domains had several different URLs leading to them, using different paths. After excluding URLs with missing domain names and duplicate domains, a total of 243 unique domains were left.

In summary, the targeted websites can be categorized into the following types:
• Personal online banking
• Corporate online banking (mainly for North American small businesses)
• Investment and online trading sites
• Credit card services
• Extremely popular global websites (e.g. Amazon, eBay, Facebook, etc.)

Geographically, North America is the primary focal point of the P2P Zeus botnet, where it targeted 88 US-based websites and 23 Canadian-based websites. Several European countries were also hot targets for web-injection. In the configuration data, entries involving Italian websites were actively added, removed or changed; throughout the changes, Italy still remains as one of the favorite targeted countries. Poland started to creep into one of the top spots when 15 Polish sites were added to the targeted list in September and October when there were none listed in August. A real surprise from the findings is the number of targeted Middle Eastern banks as compared to the number of infections in the same area.

[Chart: Web-injection targets by country: USA 88, Canada 23, Italy 18, Poland 15, Saudi Arabia 14, UAE 11, Germany 10, Rest of the world 47.]

When it comes to the number of machines infected with P2P Zeus, the US leads the pack followed by Italy. This number was based on 5395 random samples analyzed between July and November. After the US and Italy, no other countries in the subsequent positions really stand out from the pack as the difference in the number of infections varies only slightly.

Top-10 countries with the most P2P Zeus infections

Country      Unique IPs   % of all IPs
USA          1809         33.53%
Italy        439          8.14%
Germany      205          3.80%
Georgia      203          3.76%
Mexico       179          3.32%
Canada       168          3.11%
India        167          3.10%
Brazil       143          2.65%
Romania      133          2.47%
Taiwan       110          2.04%

Zeus 21
Every month, the US and Italy were consistently positioned at the top in terms of infection numbers. When Polish sites started to become targets, the number of infections in Poland more than doubled, but this number only accounted for two percent of the total amount even at its highest point in November.

[Chart: Percentages (%) of infected IPs per month, July to November 2012, for USA, Italy, Georgia, Germany, Canada, India, Mexico, Taiwan and Poland; y-axis 10% to 80%.]

Earlier this year, Dell SecureWorks Counter Threat Unit[3] was able to connect to approximately 100,000 P2P Zeus bots. Using this number as a minimum botnet size, we can say that the most affected Internet Service Providers (ISPs) could have several thousand P2P Zeus infections on their customers’ machines.

New backdoor commands in Zeus derivatives

Zeus capability is not limited to serving as a banking trojan only. Since the beginning of its release, it has always contained some backdoor features that are controlled by simple scripts as ordered by the botnet owner. These scripts are delivered to infected machines through command and control (CC) servers.

Different derivatives (i.e. Citadel, Ice IX, and P2P) that popped up after the original Zeus 2 source code was leaked online have received drastically different commands since then. These commands provide a good indication of the development pace of each derivative. Citadel leads with 20 new commands while Ice IX only received one, making it the closest version to the leaked version 2.0.8.9. For Citadel and Ice IX, the earliest date listed on each respective table was also the date when we ran into the first sample of the derivative. For the P2P variant however, we received the first sample on 3rd September 2011 but only saw the first changes to the backdoor commands six months later.

The tables below list all new commands that are callable. Some of these may not implement any action and we did not track any possible changes in the behavior of each command. Please take note that the dates used in the tables were based on when we first received the sample with that particular command rather than when the Zeus author rolled out the changes.

Callable commands in the Zeus botnet

P2P Variant
Command                  First seen
fs_find_by_keywords **   2012-03-30
fs_find_add_keywords     2012-04-09
fs_find_execute          2012-04-09
fs_pack_path             2012-05-24
ddos_address             2012-05-24
ddos_execute             2012-05-24
ddos_type                2012-05-24
ddos_url                 2012-05-24
** fs_find_by_keywords was a short-lived command in the P2P variant; it was last seen in a sample received on 3rd April 2012.

Citadel
Command                  First seen
dns_filter_add           2011-12-10
dns_filter_remove        2011-12-10
url_open                 2012-02-12
module_download_disable  2012-05-07
module_download_enable   2012-05-07
module_execute_disable   2012-05-07
module_execute_enable    2012-05-07
info_get_antivirus       2012-05-07
info_get_firewall        2012-05-07
info_get_software        2012-05-07
ddos_start               2012-07-03

Zeus 22
Citadel (continued)
Command                  First seen
ddos_stop                2012-07-03
close_browsers           2012-09-11
webinjects_update        2012-09-11
download_file            2012-09-11
search_file              2012-09-11
tokenspy_update          2012-09-11
upload_file              2012-09-11
tokenspy_disable         2012-10-06
bot_transfer             2012-10-06

Ice IX
Command                  First seen
bot_update_exe           2011-11-03

Besides being used as a banking trojan, some Zeus botnets may now also be used to perform distributed denial of service (DDoS) attacks on targeted websites, where interested parties can rent a botnet from the controller for certain fees. As can be seen from the new backdoor commands, both the Citadel and the P2P versions received the DDoS features during the summer, but the reason behind the P2P feature update may be different. According to Dell SecureWorks Counter Threat Unit[3], the crew running the P2P variant used DDoS attacks to prevent victims of banking trojans from accessing their online banking accounts until the fraudulent transactions had been completed. Thus the reason for the DDoS feature update may be to stop having to rent a third-party botnet kit that the gang had been using to conduct attacks that took place between November 2011 and summer 2012.

Zeus 2 Timeline of Notable Events

01.04.2010  Birth of Zeus 2.0.0.0
xx.10.2010  SpyEye author received Zeus source code[1]
xx.04.2011  Earliest known date of Ice IX debut[2]
xx.05.2011  Zeus 2.0.8.9 source code leaked online
xx.08.2011  First public sale of Ice IX on the internet
03.09.2011  Earliest P2P Zeus variant identified by FS Labs
05.09.2011  First P2P Zeus backup domain registered
03.11.2011  Earliest Ice IX sample identified by FS Labs
xx.11.2011  P2P gang started incorporating DDoS attacks in their operations[3]
xx.12.2011  First date of Citadel identification[4]
10.12.2011  Earliest Citadel sample seen by FS Labs
30.03.2012  First change made to P2P Zeus backdoor commands
07.05.2012  Citadel received backdoor commands to control additional modules
14.05.2012  A custom Zeus 2 variant that includes ransomware features found
24.05.2012  DDoS feature added to P2P Zeus
03.07.2012  DDoS feature added to Citadel

SOURCES
[1] KrebsonSecurity; Brian Krebs; SpyEye v. ZeuS Rivalry Ends in Quiet Merger; published 24 Oct 2010; http://krebsonsecurity.com/2010/10/spyeye-v-zeus-rivalry-ends-in-quiet-merger/
[2] RSA FraudAction Research Labs; New Trojan Ice IX Written Over Zeus’ Ruins; published 24 Aug 2011; http://blogs.rsa.com/rsafarl/new-trojan-ice-ix-written-over-zeus-ruins/
[3] Dell SecureWorks; Brett Stone-Gross; The Lifecycle of Peer-to-Peer (Gameover) ZeuS; published 23 Jul 2012; http://www.secureworks.com/cyber-threat-intelligence/threats/The_Lifecycle_of_Peer_to_Peer_Gameover_ZeuS/
[4] Seculert Blog; Citadel - An Open-Source Malware Project; published 8 Feb 2012; http://blog.seculert.com/2012/02/citadel-open-source-malware-project.html

Zeus 23
The complete infographic can be viewed at http://bit.ly/How2RobBanks
Exploits: Top Targeted Vulnerabilities in 2012

In 2012, we saw the exploitation of known vulnerabilities in a popular program or the operating system become one of the most popular, if not the most popular, technique used by malware distributors, hackers and attackers in order to gain access to or control of a user’s machine.

From the normal user’s perspective, the most likely scenario in which they are likely to encounter an attempted vulnerability exploit of their machine is through visiting a malicious or compromised website. Though some attacks continue to use tried-and-true social engineering tactics, which require an element of deception and are relatively easy for an alert user to spot (“Click this link for free stuff!” or “Download this codec to view this tantalizing video!”), in more sophisticated attacks users are unlikely to see any overt signs that an attack has taken place at all; instead, their machine is quickly and silently compromised during the short period it was exposed to the malicious or compromised website.

In some cases, the attack is tailored specifically to target a particular set of users. Targeted user groups are typically either the users of specific banks (making the attack a case of monetary theft) or users employed by a specific company or in a specific field (essentially corporate or political espionage, see the Corporate Espionage case study on page 12). These targeted attacks are hardly new—we’ve seen cases of spear phishing come and go over the years. The main change that we’ve seen in the last few years is that rather than depending on the user to download an infected attachment or enter sensitive data into a malicious page masquerading as a legitimate portal, the attacks now make use of exploits and/or exploit kits to directly compromise the user’s machine, without needing any action from the user.

In 2012, we saw a wide range of exploits being used to target known vulnerabilities, but surprisingly, statistics from F-Secure’s cloud lookup systems indicate that in most countries, the majority of exploits detected were related to only four vulnerabilities, all reported within the last two years and designated with official Common Vulnerabilities and Exposures (CVE) identifiers. The preference for targeting these four vulnerabilities may be related to the fact that some of the most popular exploit kits of today, particularly BlackHole and Cool Exploit, have incorporated the exploits targeting these vulnerabilities into their capabilities. Ironically, most of these vulnerabilities have already had security updates or patches released by the relevant software vendors. Two other Java-specific vulnerabilities, though nowhere near as frequently targeted as the first four, also saw enough attacks to be worth noting.

These then are the most commonly targeted CVE vulnerabilities of 2012:

CVE-2011-3402
A vulnerability in the TrueType font parsing engine used in the kernel drivers of various Microsoft Windows operating system versions (including XP, Windows Vista and Windows 7) allows remote attackers to run arbitrary code on a user’s machine. The attack uses a Word document or web page containing specially crafted malicious font data. More information on this vulnerability can be found on the infographic on page 27.

CVE-2010-0188
A vulnerability in Adobe Reader and various versions of Adobe Acrobat allows attackers to use a specially crafted PDF document to force the application to crash, causing a denial of service. According to reports, the attack document is also able to drop a malicious file onto the compromised system, which then connects to a remote site for further instructions.

CVE-2012-4681
Vulnerabilities in the Java Runtime Environment (JRE) running in web browsers allow attackers to use a specially crafted applet to run arbitrary code on the compromised machine. Users are most commonly exposed to the malicious applet when they are directed (either through social engineering or poisoned search results) to a malicious webpage hosting the applet.

CVE-2012-5076
A vulnerability in the JRE component of Oracle Java SE 7 Update 7 and earlier allows attackers to use a specially crafted applet to run arbitrary code on the compromised machine, usually to download additional malicious files onto it.

CVE-2012-0507
A vulnerability in the AtomicReferenceArray of various versions of Oracle Java allows attackers to essentially breach the ‘sandbox’ or contained environment of the Java installation, permitting the attacker to perform malicious actions on the affected machine.

CVE-2012-1723
A vulnerability in the Java HotSpot VM in the JRE component of various versions of Oracle Java allows attackers to essentially breach the ‘sandbox’ or contained environment of the Java installation, permitting the attacker to perform malicious actions on the affected machine.

Exploits 25
Infographic: Most Targeted CVE Vulnerabilities, Top 10 Countries for H2 2012

These were the top 10 countries that saw the most exploits targeting known CVE vulnerabilities in H2 2012, ranked by Exploit Prevalence, which is calculated as the count of CVE-related detections reported per 1,000 users in the country for that time period. For example, during H2 2012, our systems recorded a CVE-related exploit detection for 139 of every 1,000 users in the Netherlands. Also listed are the top 4 CVE vulnerabilities targeted in each country, as well as their relative percentage of all CVE-related detections from that country.

Country       Exploit Prevalence   Top 4 CVE vulnerabilities (% of CVE-related detections)
Netherlands   139                  2011-3402: 39%, 2010-0188: 32%, 2012-4681: 17%, 2012-5076: 9%
Belgium       121                  2011-3402: 36%, 2010-0188: 35%, 2012-4681: 16%, 2012-5076: 11%
Sweden        102                  2011-3402: 31%, 2010-0188: 29%, 2012-4681: 29%, 2012-5076: 9%
Italy         88                   2010-0188: 38%, 2012-4681: 29%, 2011-3402: 22%, 2012-5076: 8%
US            87                   2012-4681: 47%, 2012-5076: 25%, 2011-3402: 16%, 2010-0188: 9%
Germany       78                   2012-4681: 32%, 2010-0188: 26%, 2011-3402: 22%, 2012-5076: 15%
France        69                   2011-3402: 32%, 2010-0188: 28%, 2012-4681: 24%, 2012-5076: 13%
UK            67                   2011-3402: 30%, 2012-4681: 28%, 2010-0188: 28%, 2012-5076: 11%
Poland        61                   2010-0188: 35%, 2012-5076: 24%, 2011-3402: 21%, 2012-4681: 16%
Finland       45                   2010-0188: 33%, 2012-5076: 25%, 2011-3402: 21%, 2012-4681: 17%

Infographic 26
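The Exploit Prevalence metric defined above (CVE-related detections per 1,000 users, plus each CVE’s share of a country’s detections) is straightforward to reproduce from detection telemetry. The following is an added example, not code from the report or from F-Secure; the detection records and per-country user populations are constructed sample data, and country codes, function names and the rounding rules are assumptions.

```python
"""Exploit Prevalence and per-CVE shares, as defined in the infographic:
prevalence = CVE-related detections per 1,000 users in a country over the
period; share = a CVE's fraction of that country's CVE-related detections."""
from collections import Counter, defaultdict

# Constructed sample telemetry: (country, user_id, cve) for each detection a
# cloud lookup system recorded. A single user may report several detections.
SAMPLE_DETECTIONS = [
    ("NL", "nl-u01", "CVE-2011-3402"), ("NL", "nl-u02", "CVE-2011-3402"),
    ("NL", "nl-u03", "CVE-2011-3402"), ("NL", "nl-u04", "CVE-2010-0188"),
    ("NL", "nl-u05", "CVE-2010-0188"), ("NL", "nl-u06", "CVE-2012-4681"),
    ("NL", "nl-u06", "CVE-2012-5076"),
    ("FI", "fi-u01", "CVE-2010-0188"), ("FI", "fi-u02", "CVE-2010-0188"),
    ("FI", "fi-u03", "CVE-2012-5076"), ("FI", "fi-u04", "CVE-2011-3402"),
    ("US", "us-u01", "CVE-2012-4681"), ("US", "us-u02", "CVE-2012-4681"),
    ("US", "us-u03", "CVE-2012-4681"), ("US", "us-u04", "CVE-2012-4681"),
    ("US", "us-u05", "CVE-2012-5076"), ("US", "us-u06", "CVE-2012-5076"),
    ("US", "us-u07", "CVE-2011-3402"), ("US", "us-u08", "CVE-2010-0188"),
    ("US", "us-u09", "CVE-2012-0507"),
]

# Constructed user population per country, the "per 1,000 users" base.
SAMPLE_USERS = {"NL": 50, "FI": 100, "US": 200}


def exploit_prevalence(detections, users_per_country):
    """Return {country: CVE-related detections per 1,000 users}, rounded to
    an integer. Countries with no recorded users are skipped rather than
    dividing by zero; countries with users but no detections score 0."""
    counts = Counter(country for country, _, _ in detections)
    return {
        country: round(counts[country] * 1000 / users)
        for country, users in users_per_country.items()
        if users > 0
    }


def cve_shares(detections, top_n=4):
    """Return {country: [(cve, percent), ...]} for the top_n CVEs by share of
    that country's CVE-related detections. Ties are broken by CVE id so the
    ordering is deterministic; fewer than top_n entries are returned when a
    country saw fewer distinct CVEs."""
    per_country = defaultdict(Counter)
    for country, _, cve in detections:
        per_country[country][cve] += 1
    shares = {}
    for country, counter in per_country.items():
        total = sum(counter.values())
        ranked = sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))
        shares[country] = [
            (cve, round(100 * n / total)) for cve, n in ranked[:top_n]
        ]
    return shares


def rank_countries(detections, users_per_country):
    """Countries ordered by Exploit Prevalence, highest first (ties by code)."""
    prevalence = exploit_prevalence(detections, users_per_country)
    return sorted(prevalence, key=lambda c: (-prevalence[c], c))


if __name__ == "__main__":
    prevalence = exploit_prevalence(SAMPLE_DETECTIONS, SAMPLE_USERS)
    shares = cve_shares(SAMPLE_DETECTIONS)
    for country in rank_countries(SAMPLE_DETECTIONS, SAMPLE_USERS):
        top = ", ".join(f"{cve}: {pct}%" for cve, pct in shares.get(country, []))
        print(f"{country}: prevalence {prevalence[country]} -> {top}")
```

Note that prevalence counts detections, not distinct users, so one noisy machine reporting repeatedly raises a country’s figure; de-duplicating on user_id first gives a "users affected" view instead.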
Infographic: CVE-2011-3402

[Map: Most Exploited Users, Top 15 Countries. Calculated as the count of CVE-2011-3402-related detections per 1,000 users in the country, as seen by F-Secure’s cloud lookup systems in H2 2012. For example, in Belgium, 72 out of every 1,000 users reported seeing a CVE-2011-3402-related detection in the second half of the year. Countries shown: Belgium, Sweden, Netherlands, UK, Denmark, USA, Poland, Germany, Czech Republic, Austria, France, Greece, Switzerland, Spain, Italy.]

CVE-2011-3402

First reported in 2011, the term CVE-2011-3402 refers to a vulnerability in the Windows operating system component that handles TrueType fonts. Shortly afterwards, an exploit became public that took advantage of this vulnerability to, among other things, install malware onto the affected system. The exploit was first used in the Duqu malware, which only targeted specific organizations in certain countries. In October 2012, the exploit was added to the Cool Exploit kit, and shortly after to 5 other kits as well. It quickly became one of the most common exploits seen by normal computer users in H2 2012.

The Cool (kit) factor

In H2 2012, most of the malicious sites we saw with the CVE-2011-3402 exploit were using the Cool Exploit kit to attack unsuspecting site visitors.

[Chart: exploit kits hosting the CVE-2011-3402 exploit: Cool 87%, Blackhole 11%, Others 2%.]

The Euro zone

60 percent of malicious sites hosting kits with the CVE-2011-3402 exploit were registered to just 2 countries: France and Germany.

[Chart: countries of registration for sites hosting the CVE-2011-3402 exploit: Germany 34%, France 26%; the remainder is split among Ukraine, Russia, USA and UK.]

The greatest hits

Despite being relatively new, of all CVE-related hits logged by F-Secure’s cloud lookup systems in H2 2012, CVE-2011-3402-related detections were the second most frequent.

[Chart: CVE-related hits in H2 2012, ranked from most to least frequent: CVE-2012-4681, CVE-2011-3402, CVE-2010-0188, CVE-2012-5076, CVE-2012-0507.]

Infographic 27