Cyber security analysts and specialists alike have noticed a significant downward trend in the number of infections being reported. This doesn’t mean that the crimeware bosses have packed up shop and gone legit. There are many contributing factors to the current number of infections. Reviewing the logs of many of the largest security solution providers, and examining the underground marketplace and open sources, several apparent factors leading towards this downward trend emerge.
To understand where the malware trends come from you first need to understand the main sources of malware. Over the last 5 years malware has primarily been delivered through exploit kits. An exploit kit is used by crimeware perpetrators to exploit victim machines and then load malware. Typically a legitimate website is hacked, usually through a stored XSS vulnerability or through SQL injection; once compromised, the hostile actors inject an <iframe> that links to the exploit kit’s landing page. The user has no idea what is happening; they are browsing the site just as normal while the exploit kit is activated in the background. After the browser hits the landing page, the kit typically checks the plugins running on the client machine (Java, Flash, Silverlight, etc.) and compares the versions of these plugins to those it has exploits for. If all client plugins are current and up to date and the kit does not host a 0-day exploit for one of them, it stops the process.
If the exploit kit has no exploit in its inventory for any of the plugin versions running on the host it stops the exploit kit process; it does this so that researchers cannot land on the page intentionally and gain information about what the kit is exploiting and what it is delivering. After it finds a vulnerable plugin the client is directed to download a file (.jar for Java, .swf for Flash, .eot for IE fonts and .pdf for Adobe); inside those files is the exploit code that compromises the system.
Once the client downloads the exploit kit’s exploit package for the vulnerability, the kit exploits it (unless IPS or AV stops it), and after exploiting the client it makes the client request a malicious payload, an executable for whatever type of malware the campaign is installing.
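As an added example (not from the original post), this is the kind of detection logic a proxy or IPS operator could run over web logs to spot the chain just described: a cross-site Referer into a landing page, a plugin file (.jar/.swf/.eot/.pdf) from that landing host, then an executable payload. The log format, hostnames and sample lines are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed log format: "<client> <method> <url> <referer> <content-type>",
# with '-' for an empty Referer. Real proxy logs need their own parser.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
EXPLOIT_EXT = (".jar", ".swf", ".eot", ".pdf")  # plugin exploit files named above
PAYLOAD_TYPES = {"application/x-msdownload", "application/octet-stream"}  # .exe payloads

# Constructed sample: 10.0.0.5 follows the full chain, 10.0.0.9 does not
SAMPLE_LOG = [
    "10.0.0.5 GET http://news.example.com/index.html - text/html",
    "10.0.0.5 GET http://cdn-stats.example.net/in.php?id=7 http://news.example.com/index.html text/html",
    "10.0.0.5 GET http://cdn-stats.example.net/x/app.jar http://cdn-stats.example.net/in.php?id=7 application/java-archive",
    "10.0.0.5 GET http://cdn-stats.example.net/x/load.php?f=1 http://cdn-stats.example.net/in.php?id=7 application/x-msdownload",
    "10.0.0.9 GET http://news.example.com/index.html - text/html",
    "10.0.0.9 GET http://news.example.com/css/site.css http://news.example.com/index.html text/css",
]

def host(url):
    return urlparse(url).hostname or ""

def find_chains(lines):
    """Return {client: [(landing_host, exploit_url, payload_url), ...]} for
    clients whose requests follow landing page -> plugin file -> executable."""
    per_client = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            client, _method, url, referer, ctype = m.groups()
            per_client[client].append((url, referer, ctype))
    hits = {}
    for client, reqs in per_client.items():
        # Hosts reached via a cross-site Referer (how an injected <iframe> lands on the kit; CDNs too, filtered below)
        landing = {host(u) for u, r, _ in reqs if r != "-" and host(r) != host(u)}
        for i, (url, _, _) in enumerate(reqs):
            path = urlparse(url).path.lower()
            if host(url) in landing and path.endswith(EXPLOIT_EXT):
                for p_url, _, p_type in reqs[i + 1:]:
                    if p_type in PAYLOAD_TYPES or p_url.lower().endswith(".exe"):
                        hits.setdefault(client, []).append((host(url), url, p_url))
                        break
    return hits

if __name__ == "__main__":
    for client, chains in find_chains(SAMPLE_LOG).items():
        for landing_host, exploit_url, payload_url in chains:
            print(f"{client}: {landing_host} served {exploit_url} then {payload_url}")
```

A legitimate site loading a .swf from a CDN followed by an unrelated download can still trip the heuristic, so treat a hit as a lead for the analyst, not a verdict.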
The next most common medium for delivering malware is spam e-mail: the malware is delivered directly as an attachment, as a Word document with a macro that downloads an executable, or as a link within the e-mail that, if a user clicks it, results in the execution of the malware.
Major Influencing Factors Reducing Malware Infections:
- The first contributing factor we can thank the Russian authorities for: they arrested the creator of the Blackhole Exploit Kit and Cool Exploit Kit, two of the most prevalent exploit kits of all time. This immediately resulted in a 27% decline in malware infections.
- Next, several of the largest malware botnets from 2010 to 2015 were shut down by law enforcement agencies: ZeroAccess, ZeuS, Kuluoz and several FakeAV and ransomware family variants. This accounts for another 33% drop in malware, which already cuts the number of infections in half.
- User awareness has also helped significantly; virtually everyone has some type of anti-virus software installed on their computer, and Microsoft has built a Malware Defender application into Windows.
- Users are thinking twice before opening e-mail attachments and clicking links in e-mails from senders they do not trust.
- E-mail spam filtering is at an all-time high, blocking most attachments matching malware criteria.
- Microsoft developed and has implemented a solution known as the Enhanced Mitigation Experience Toolkit (EMET), a utility that helps prevent vulnerabilities in software from being successfully exploited. EMET achieves this by using security mitigation technologies, and it has helped block even 0-day attacks from succeeding.
- Crimeware syndicates have realized that the reward is no longer worth the risk; many malware groups such as Mevade, TDL, Torbot and a myriad of click fraud malware families have switched their infrastructure over to porn. There is far less risk involved and they seem to be doing well in this arena.
- Other groups have shifted into the PUP and adware arena, which allows them to operate in the United States: instead of installing malicious software that makes users’ machines click ads, mine bitcoins or hold their systems for ransom, they install toolbars and internet pop-ups bundled in third-party software, which shields them from the FBI and law enforcement.
- Specific browsers have also taken a stance against malware; for instance, Firefox disabled the use of Flash within the browser while 0-day infections were suspected to be circulating, and Google Chrome uses the Google search engine bot to find links to possibly malicious software and presents a block page that stops visitors from entering the site.
- New malware is still constantly being written; the medium is changing, however, into the smartphone realm. More and more malware samples are showing up on Android devices and iOS phones. These phones typically do not have much, if any, built-in malware defense, making them an easy target for malware writers.
- Small, medium and large companies are now employing third-party IPS solutions to help protect employees and their businesses from infection; FireEye, Palo Alto and Barracuda Networks are some of the key driving forces helping to eliminate the threat before it can enter their networks.
There are still a few active campaigns ongoing; we went from having 20+ active exploit kits to a handful. Exploit kits you should be aware of that are very active are Angler, RIG, Nuclear and Neutrino, and they have been delivering mostly ransomware variants such as CryptoWall, AlphaCrypt and CryptoLocker, which are types of malware that encrypt your data and hold it for ransom, demanding a payment for your data to be released. Crypto* variants are reported to be earning $10,000+ a day from their campaigns, so until they are shut down they pose a significant threat.

A few other still popular and observed malware threats are Bedep and other click fraud based malware variants. If infected you will basically be blasted with ads that they want you to click on to earn revenue; some will install clickjacking software that takes your legitimate Google search and redirects it to an ad page they control. There are a few FakeAV variants still floating around, such as Trapwot, which will make your computer appear to be infected and send you to a link to download their fake anti-virus solution.
Make sure you are keeping your AV signatures up to date, don’t open attachments from someone you don’t know, don’t click links in e-mail from a person or company you don’t know, and make sure you install the latest Flash and Java updates as they become available. Taking these simple precautions will virtually eliminate your chances of becoming a victim of these attackers.