
SERT Q4 2013 Threat Intelligence Report on threat landscape evolution

The security firm Solutionary has published its SERT Q4 2013 Threat Intelligence Report, an overview of the overall threat landscape.

The security firm Solutionary recently published its SERT Q4 2013 Threat Intelligence Report, which provides an overview of the overall threat landscape. The document is the result of research conducted over the last three months, correlating events across devices for Solutionary clients globally.

In Q4, Solutionary's SERT focused its analysis on the most active malware distribution channels. Its research team collected a large number of samples from more than 12,000 registrars and 22,000 ISPs and evaluated the detection rate of 40 anti-virus engines.

The malware binaries show many similarities. The bad news is that none of them was detected by the more than 40 anti-virus engines; cyber criminals use them to drop further malicious payloads on victims, and more than half of the malware found was being distributed through HTML web pages.

The principal highlights are:

  • Nearly all the binaries were 94% or better in similarity based on fuzzy hashing, a process that compares files to each other instead of against a known signature.
  • All binaries were self-extracting archive files.
  • None of the binaries were detected as malicious by the more than 40 anti-virus engines tested.
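To illustrate why fuzzy hashing clusters near-identical droppers that a signature or cryptographic hash would miss, here is an added example (not from the report or from Solutionary) implementing a simplified context-triggered piecewise hash and a similarity score over two constructed sample "binaries"; the block size, window size and sample bytes are assumptions, and real tools such as ssdeep pick the block size adaptively.

```python
import hashlib
import random

BLOCK_SIZE = 16          # assumed fixed trigger modulus (ssdeep chooses it per file)
WINDOW = 7               # bytes covered by the rolling hash
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
FNV_OFFSET, FNV_PRIME = 0x811C9DC5, 0x01000193


def fuzzy_hash(data: bytes, block_size: int = BLOCK_SIZE) -> str:
    """Simplified CTPH: a rolling hash over the last WINDOW bytes decides where
    a block ends; each block contributes one character derived from its FNV-1a hash.
    A local change therefore alters only the characters of the blocks it touches."""
    sig, chunk = [], FNV_OFFSET
    for i, byte in enumerate(data):
        chunk = ((chunk ^ byte) * FNV_PRIME) & 0xFFFFFFFF
        rolling = sum(data[max(0, i - WINDOW + 1):i + 1])
        if rolling % block_size == block_size - 1:      # context-triggered boundary
            sig.append(ALPHABET[chunk & 63])
            chunk = FNV_OFFSET
    sig.append(ALPHABET[chunk & 63])                     # trailing partial block
    return "".join(sig)


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(h1: str, h2: str) -> int:
    """0..100 score: 100 means identical signatures, as in the report's 94% threshold."""
    n = max(len(h1), len(h2))
    return 100 if n == 0 else round(100 * (1 - levenshtein(h1, h2) / n))


def compare(a: bytes, b: bytes) -> dict:
    """Exact-match (SHA-256) versus fuzzy comparison of two samples."""
    return {"sha256_match": hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
            "fuzzy_similarity": similarity(fuzzy_hash(a), fuzzy_hash(b))}


# Constructed samples: A is a stand-in binary, B is A with 8 bytes patched
# (a repacked variant), C is an unrelated file of the same size.
_rng = random.Random(2013)
SAMPLE_A = bytes(_rng.getrandbits(8) for _ in range(2048))
SAMPLE_B = SAMPLE_A[:1000] + bytes(x ^ 0xFF for x in SAMPLE_A[1000:1008]) + SAMPLE_A[1008:]
SAMPLE_C = bytes(_rng.getrandbits(8) for _ in range(2048))
```

For A and B the SHA-256 digests differ while the fuzzy score stays well above 90, whereas A and C score far lower; this is the behaviour that lets a defender group repacked droppers into one family.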

Cloud computing is one of the paradigms most appreciated by marketers and the IT industry: everything has to converge in the cloud, and cyber criminals have noticed. Criminal gangs increasingly use hosting providers such as Amazon and GoDaddy to conduct illicit activities.

The result is disturbing: 44% of all cloud-based malware distribution is located in the US, and the giants Amazon and GoDaddy were the most popular providers for hosting malware.

“Now we have to maintain our focus not only on the most dangerous parts of the web but also on the parts we expect to be more trustworthy,” said Rob Kraus, director of research in Solutionary’s Security Engineering Research Team.

Cloud services are mainly abused for malware distribution because cloud infrastructures are easy to manage, scalable and cost-effective.

Malware authors are using the large, trusted cloud hosting platforms to serve malware rapidly, avoiding detection and geographic blacklisting through repeated changes of IP addresses and domain names.

According to the SERT Q4 2013 Threat Intelligence Report, malware authors are distributing malicious code from cloud services run by Amazon, GoDaddy and Google; the technique is effective and has caused millions of infections all over the world. Amazon and GoDaddy are at the top of the chart, with 16 percent and 14 percent shares respectively.

Cloud-based hosting services let malware distributors evade detection because they can repeatedly change IP addresses and domain names.

The SERT Q4 2013 Threat Intelligence Report revealed that the majority of the top malware sites are domains commonly associated with Potentially Unwanted Applications (PUA).

In summary, the key figures of the SERT Q4 2013 Threat Intelligence Report are:

  • The United States hosts 4.6 times more malware than the next leading country.
  • Malware samples gathered in Q4 were not detected by any of the more than 40 anti-virus engines tested.
  • 58% of the malicious files obtained were identified as HTML files; 26% were directly executable.
  • Many malware developers and distributors are utilizing social engineering tactics, including the use of trusted keywords and services, to evade detection and increase potential infection counts.
  • A single malicious domain was spread across 20 countries, 67 providers and 199 unique IPs to evade detection.
  • OVH and Amazon web hosting services were used to distribute high volumes of DomaIQ adware.
  • Cloud hosters and service providers need to do more to prevent malicious use of their services.

The SERT Q4 2013 Threat Intelligence Report closes with a series of simple and useful recommendations for Internet Service Providers (ISPs). The document also includes a specific section on server vulnerabilities: a growing number of cyber attacks target cloud hosting servers, so it is crucial to have a clear idea of the principal cyber threats and how to mitigate the risk of exposure.

Pierluigi Paganini

(Security Affairs – SERT Q4 2013, Security)
