Mobile Malware, Fake AV, Web Threats Dominated Q1 2011: McAfee

Cyber-criminals kicked off 2011 with a bang: more than six million unique malware samples, along with a surge in fake antivirus and mobile malware attacks.

Cyber-criminals were busy during the first quarter of 2011, with more unique malware samples in circulation than in any previous first quarter, McAfee said.

Attacks surged in the first quarter of 2011: researchers counted six million unique malware samples, McAfee said in its first-quarter Threats Report, released June 1. February alone accounted for 2.75 million new malware samples, McAfee found. The report specifically highlighted mobile malware as the "new frontier of cyber-crime."

Criminals are actively pursuing alternate attack vectors, said Vincent Weafer, senior vice president of McAfee Labs. For example, McAfee researchers found that the most recent version of the SpyEye banking Trojan can "thrive" on more than 150 different plug-in "modules," including ones that target USB thumb drives, instant messaging clients and Firefox certificate stores.

Mobile devices are increasingly targeted by attackers, the report found. Google's Android mobile operating system became the second most-targeted mobile platform, behind Symbian, which accounted for nearly three-quarters of all mobile malware, according to the report.

McAfee Labs also released a white paper, "Downloading from Mobile App Stores is Risky Business," which focuses on the rise of mobile malware and the security risks of mobile app stores, especially alternative third-party markets. Because users can download and install apps from sources other than the official Android Market, there is no central clearinghouse where Google can vet every Android app, the white paper notes.

Google pulled apps infected with the DroidDream malware from the Android Market in March, and did so again a few days ago when DroidDream Light was discovered in more than 20 apps. DroidDream carries two exploits, Exploit/LVedu and Exploit/DiutesEx, which were originally circulated as rooting tools that let users gain root access to their own devices. McAfee Labs also highlighted Android/Drad in its white paper; it, too, is distributed through maliciously modified apps. Drad listens for commands from a central server and can download additional software, although "it stops short of being a full-fledged mobile botnet," McAfee Labs said.

The criminals behind the Zeus crimeware toolkit have also targeted mobile devices, creating new versions of the Zitmo (Zeus-in-the-mobile) malware for both Symbian and Windows Mobile to steal users' bank account information, according to McAfee.

While PC malware often relies on known software and operating system vulnerabilities to trigger drive-by downloads that infect machines visiting specially crafted or compromised Websites, most mobile malware to date has required user interaction, such as installing a trojanized app, the researchers wrote. "In the near future mobile exploits will certainly allow automatic malware installation," McAfee said.

The company noted that fake antivirus scams were also prolific during the quarter, with 350,000 unique fake-alert samples detected in March 2011 alone. The recent spate of rogue scareware for Mac OS X hit in May, too late to be included in McAfee's report.

Although month-to-month figures had not shown a dramatic decline in spam traffic, the March takedown of the Rustock botnet did significantly reduce the volume of Internet spam. Spam fell to 2007 levels, about 1.5 trillion messages per day, during the quarter, McAfee said. However, spam still outnumbers legitimate email by a ratio of three to one, and plenty of other botnets, such as Maazben, Bobax, Lethic, Cutwail and Grum, are poised to "fill the gap."

Even with the decline in overall spam volume, cyber-criminals still rely on popular "lures" to trick users into opening malicious attachments or clicking on dangerous links. Product spam, whether for phony or real goods, was the most common lure, with drug spam leading in Russia and South Korea and fake delivery status notifications leading in Australia and China. Zeus Trojans and other banking malware were also spread through spam messages purporting to come from UPS, FedEx, the United States Postal Service and the Internal Revenue Service.

McAfee Labs also saw significant spikes in malicious Web content coinciding with the Japanese earthquake and tsunami. An average of 8,600 new malicious sites appeared per day in the first quarter, and nearly half of the top 100 results for the day's most popular search terms led to malicious sites.