The month of February saw the most new malware samples of the quarter, at approximately 2.75 million. Fake anti-virus software had a very active quarter as well, reaching its highest levels in more than a year, totaling 350,000 unique fake-alert samples in March, according to McAfee Threats Report: First Quarter 2011.
McAfee Labs saw a significant spike in malicious web content corresponding to news events such as the Japanese earthquake and tsunami, as well as major sporting events, with an average of 8,600 new bad websites per day.
At the same time, spam dropped to its lowest levels since 2007, as a result of the takedown of the Rustock and Zeus botnets, the report said. The level of spam dropped to less than half of what it was a year ago - to 1.5 trillion messages per day, outnumbering legitimate email traffic by a three to one ratio.
“There has been a lot of cooperation between governments and other authorities to shut those things down. There is a lot more momentum in that direction, which has reduced the amount of overall spam”, said Adam Wosotowsky, principal engineer at McAfee Labs.
The report noted the author of Zeus is merging the Zeus source code with the rival SpyEye botnet, resulting in increased threats to banking and online transactions. As of March 2011, “the most recent SpyEye botnet can thrive on more than 150 modules, such as USB thumb drives, instant messaging and Firefox certificates”, McAfee said.
While overall spam levels have declined, the number of botnets has increased, with entrants Maazben, Bobaz, Lethic, Cutwail, and Grum stepping up to fill in gaps left by Rostock and Zeus. This was demonstrated by a strong increase in new botnet infections near the end of the quarter, due to the reseeding process where cybercriminals slow down activity in order to spend time rebuilding botnets.
“What has been reduced is the counterfeit pharmaceutical spam. We still see the same level or increase in phishing attacks and malware. This indicates to me that even though the botnets have lost a lot of their structure through takedowns, they are focusing on starting that up again”, Wosotowsky told Infosecurity.
Cybercriminals are using lures to trick consumers into clicking on spam, with spam promoting phony or real products as the most popular lure in most regions. According to McAfee, Russia and South Korea were the most popular places for drug spam, while Australia and China were popular countries for fake delivery status notifications.
The Android smartphone has become the second most popular platform for mobile malware behind the Symbian operating system used in Nokia phones, according to the report.
“There has been evolution of botnets using mobile malware. There is more sophisticated command and control between different websites, where cybercriminals are able to upload new information or download commands to the smartphone. Criminals are getting better at making money off of the phone through mobile banking applications, for example”, Wosotowsky said.
Released in conjunction with the quarterly security report, a McAfee Labs mobile application security white paper examines vulnerabilities in mobile applications, such as how most Android devices allow the “side-loading” of apps. Users are not restricted to getting apps from a centralized app store, and there is no centralized place where Google can check all apps for suspicious behavior, the white paper observed.
In the first quarter of 2011, McAfee Labs found that the most prominent types of Android mobile malware were Android/DrdDream, Android/Drad, Android/StemySCR.A and AndroidBgyoulu.
The cybercriminals behind the Zeus crimeware toolkit have also directed attacks toward the mobile platform, creating new versions of Zitmo mobile malware for both Symbian and Windows Mobile systems to steal user bank-account information, McAfee Labs noted.