Where has all the Malware gone?
2015 has been a year of sustained decline in malware infections, and a few significant factors account for most of that drop. The heyday of exploit kits and Java 0-days appears to be over; activity is at its lowest point since 2010. Exploit kits such as Blackhole, Cool Exploit Kit, Fiesta, Sweet Orange, Popads and Styx have all been effectively eliminated. The author of the most successful and prevalent exploit kits of all time (Blackhole and Cool Exploit Kit), known as Paunch, was arrested in October 2013 by Russian agents, and that arrest marked the start of what now looks like a fading industry. Exploit kits accounted for 76% of all malware infections from 2011 to 2013, with Java being the most common infection vector, followed by Flash, PDF, Silverlight and Internet Explorer vulnerabilities.
The most common and profitable malware threats from 2010 to 2013 were TDL, ZeroAccess, ZeuS and FakeAV. The ZeroAccess group was reported to have been earning as much as $20 million a month at its peak until it was finally shut down and dismantled by the FBI with help from other worldwide agencies and independent security firms. Gameover ZeuS was a banking trojan that the FBI was able to destroy; however, the malware's source code was leaked and many variants have been created since. Those campaigns have trailed off because defenders have been able to predict the output of the variants' domain generation algorithms and sinkhole many of the generated domains before the bots had a chance to do any damage or "call home" with user banking credentials. The TDL group seems to have gotten out while it was ahead, without anyone being locked up. TDL can be considered one of the most successful malware threats of all time. It has been rumored that the group left the game after earning as much as $175 million, with most of its holdings in bitcoin, making the money virtually untouchable. FakeAV campaigns come and go but have not been sustained like some of their predecessors.
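The sinkholing described above works because a domain generation algorithm produces names that look nothing like legitimate ones, and the same property lets a defender spot DGA traffic in DNS logs before any sinkhole exists. The following is an added example, not code from the original post: it parses a few constructed DNS query log lines and scores each queried domain on length, character entropy, vowel ratio and digit use. The log format, the score thresholds and the hypothetical hostnames are all assumptions made for the example.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (not real traffic): "<timestamp> <client-ip> <qname>"
SAMPLE_DNS_LOG = """\
2015-11-02T10:01:12Z 10.0.0.15 www.example.com
2015-11-02T10:01:13Z 10.0.0.15 mail.google.com
2015-11-02T10:01:15Z 10.0.0.22 xk3jq9vbz7wplmtr.com
2015-11-02T10:01:16Z 10.0.0.22 qzv8mlpt2rkxjwyd.net
2015-11-02T10:01:17Z 10.0.0.22 bhgtykwqrmzlpxvn.biz
2015-11-02T10:01:20Z 10.0.0.31 cdn.cloudflare.com
"""

# Assumed log layout: three whitespace-separated fields per line.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)$")
VOWELS = set("aeiou")


def shannon_entropy(s):
    """Bits of entropy per character of s (higher = more random-looking)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_label(qname):
    """Naive second-level label, e.g. 'example' for 'www.example.com'.
    (No public-suffix handling; 'foo.co.uk' would return 'co'.)"""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(label):
    """Heuristic DGA-likeness score; thresholds are assumptions for this example."""
    if not label:
        return 0.0
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    score = 0.0
    if len(label) >= 12:              # long labels are common in generated names
        score += 1.0
    if shannon_entropy(label) >= 3.5:  # near-uniform character distribution
        score += 1.0
    if vowel_ratio < 0.2:             # pronounceable words carry more vowels
        score += 1.0
    if digit_ratio > 0:               # digits mixed into the label
        score += 0.5
    return score


def parse_dns_log(text):
    """Yield (client, qname) tuples, skipping lines that do not match the layout."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group("client"), m.group("qname")


def flag_dga_candidates(text, threshold=2.5):
    """Return [(client, qname, score)] for queries scoring at or above threshold."""
    flagged = []
    for client, qname in parse_dns_log(text):
        score = dga_score(registered_label(qname))
        if score >= threshold:
            flagged.append((client, qname, score))
    return flagged


def clients_by_flag_count(text, threshold=2.5):
    """Count flagged queries per client; a burst from one host is the usual DGA signal."""
    counts = Counter(client for client, _, _ in flag_dga_candidates(text, threshold))
    return dict(counts)


if __name__ == "__main__":
    for client, qname, score in flag_dga_candidates(SAMPLE_DNS_LOG):
        print(f"{client} {qname} score={score}")
    print(clients_by_flag_count(SAMPLE_DNS_LOG))
```

On the constructed log the three random-looking queries from 10.0.0.22 score 3.0 or higher while the ordinary hostnames score 0, so the per-client count isolates the suspicious host. In production the single-domain score would be tuned against a list of known-good domains and combined with NXDOMAIN rates, since a bot cycling through unregistered generated names produces a burst of failed lookups that legitimate hosts do not.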
Since the days of Paunch, many exploit kits have come and gone. 2015 marked the age of Angler Exploit Kit, Neutrino and Nuclear, which delivered ransomware variants such as CryptoWall, AlphaCrypt and CryptoLocker. These encrypt the data on a user's hard drive and hold it for ransom, typically around $200; a surprising number of infected users pay, and most variants actually decrypt and return the data once they do. Interestingly, the crimeware bosses are protecting the integrity of their brand by returning data, in the hope that word will spread and more infected users will pay up. The most common type of malware being delivered is monetized through click fraud, which loads ads on an infected user's computer in the hope that constant exposure will generate significant revenue. Poweliks, a click fraud variant, was rumored to have been earning over $10,000 a day from ad clicking.
As of October 2015, open source reports indicate that the Angler Exploit Kit group has been dismantled and shut down, and only limited sightings of other exploit kits have appeared on and off. The most common infection vector of 2015 has been social engineering in the form of spam e-mail. Kuluoz was the most widely delivered malware family until it too was shut down in early 2015.
Most of the remaining malware infrastructure has moved on from malware and switched to safer methods of revenue generation. A large portion of the IP ranges are now hosting porn sites and sending out spam e-mails.
Will another crimeboss family take over the malware industry? Who knows what 2016 holds. Increased user awareness and a surge in cyber security companies have led many businesses to deploy IDS/IPS systems, HBSS and anti-virus solutions, and to focus on patch management, which has left fewer vulnerable applications exposed online to be exploited. On Windows, Microsoft has also pushed out a product that has helped blunt the success of exploitation attempts, the Enhanced Mitigation Experience Toolkit (EMET), a utility that helps prevent vulnerabilities in software from being successfully exploited. EMET achieves this by applying security mitigation technologies to the protected processes.
The new trends and malware campaigns are focusing on smartphones and tablets, which are typically very exposed at this time. The next generation of smartphones will most likely counter this by including anti-virus and other protections built in and enabled by default. Who knows what the future holds.