13 September 2011 | Categories: news


Kaspersky Lab, a developer of secure content and threat management solutions, has released its malware report for August, covering malicious activity detected on the computers of Kaspersky Lab product users and on the internet.

Malware and Bitcoin

As of late August, Kaspersky Lab’s analysts had detected 35 unique malicious programs that targeted the Bitcoin system in one way or another. Bitcoin is a decentralised, peer-to-peer network used to track and verify transactions.

This term refers to the actual network, to the digital currency implementation with which users transact over the network, as well as to the client software via which users access the network and conduct their transactions.

Realising that their potential earnings depend largely on the number of PCs they control, cybercriminals have moved on from stealing Bitcoin wallets to mining with botnets, and are now using Twitter and P2P networks to control those botnets.

They have resorted to this measure because a botnet that depends on a single C&C server, with no alternate servers in the malicious network, can be shut down as soon as antivirus companies have that server blocked. With the Twitter scheme, for example, a bot sends a request to a Twitter account on which the botnet owner has left commands: where to download the Bitcoin-generating program from, and which Bitcoin pools to work with.

The use of Twitter as a botnet command centre is not new, although this is the first time it has been used with the Bitcoin system.

In August, Kaspersky Lab also discovered that one of the largest botnets conceals the mining-pool accounts it uses, since pool operators who take a proactive stance against unlawful mining programs delete such accounts. To achieve this, the botnet owners had to set up a special proxy server: infected PCs talk only to the proxy, which forwards their requests to an unknown Bitcoin pool.

It is not possible to identify the specific pools that the botnet works with and thus block the fraudulent accounts. In this situation, the only means of intercepting such criminal activity is to gain full access to one of the proxy servers.

Ice IX: the illegitimate child of ZeuS

Almost a year after the source code of ZeuS (Trojan-Spy.Win32.Zbot), the most widespread threat targeting online banking users, was leaked, Russian-speaking cybercriminals created a clone of it, which became quite popular among fraudsters this summer. The new variant, which emerged in the spring, was dubbed Ice IX by its creator and sells for $600-1800 (around R4444-R13 332).

One of Ice IX’s most remarkable innovations is the altered botnet control web module, which allows cybercriminals to use legitimate hosting services, instead of costly bulletproof servers maintained by the cybercriminal community. This difference is meant to keep hosting costs down for Ice IX owners. The appearance of Ice IX indicates that we should soon expect the emergence of new “illegitimate children” of ZeuS and an even greater number of attacks against the users of online banking services.

Remote-access worm

The new network worm Morto is interesting in that it does not exploit any vulnerability in order to self-replicate. Instead, it spreads via the Windows RDP service that provides remote access to a Windows desktop, a method which has not been seen in a worm before: it simply tries to guess the password of the remote-access account and logs in once it succeeds. Provisional estimates indicate that tens of thousands of PCs around the globe may currently be infected with this worm.
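Because Morto relies on guessing RDP passwords rather than on an exploit, the trace it leaves is a burst of failed RemoteInteractive logons (Event ID 4625, logon type 10) from one source, followed by a successful one (4624) if a guess worked. The script below, an added example and not code from Kaspersky Lab or from the report, runs that detection logic over a handful of constructed event records; the flattened one-record-per-line layout and field names are an assumption made for the example, not a Windows format, so the regular expression would need adjusting for a real log export.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one flattened record per line, roughly what an export of
# Windows Security events looks like after a log shipper has normalised it.
# The field names and layout are an assumption for this example, not a
# Windows format. 4625 = failed logon, 4624 = successful logon,
# LogonType=10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = """\
2011-08-28T02:14:01 4625 LogonType=10 Account=Administrator Source=10.0.5.23 Status=0xC000006D
2011-08-28T02:14:03 4625 LogonType=10 Account=Administrator Source=10.0.5.23 Status=0xC000006D
2011-08-28T02:14:05 4625 LogonType=10 Account=administrator Source=10.0.5.23 Status=0xC000006D
2011-08-28T02:14:07 4625 LogonType=3 Account=backup Source=10.0.5.23 Status=0xC000006D
2011-08-28T02:14:09 4625 LogonType=10 Account=admin Source=10.0.5.23 Status=0xC000006D
2011-08-28T02:14:11 4625 LogonType=10 Account=admin Source=10.0.5.23 Status=0xC000006D
2011-08-28T02:14:13 4625 LogonType=10 Account=Administrator Source=10.0.5.23 Status=0xC000006D
2011-08-28T02:14:20 4624 LogonType=10 Account=Administrator Source=10.0.5.23 Status=0x0
2011-08-28T09:30:00 4625 LogonType=10 Account=jsmith Source=10.0.7.8 Status=0xC000006D
2011-08-28T09:30:15 4625 LogonType=10 Account=jsmith Source=10.0.7.8 Status=0xC000006D
2011-08-28T09:30:40 4624 LogonType=10 Account=jsmith Source=10.0.7.8 Status=0x0
"""

RECORD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<eid>4624|4625) LogonType=(?P<ltype>\d+) "
    r"Account=(?P<acct>\S+) Source=(?P<src>\S+)"
)


def parse_events(text):
    """Parse the flattened records into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "eid": int(m["eid"]),
            "ltype": int(m["ltype"]),
            "acct": m["acct"].lower(),  # Windows account names are case-insensitive
            "src": m["src"],
        })
    return events


def detect_rdp_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source hosts with >= threshold failed RDP logons inside a sliding window.

    Only logon type 10 (RemoteInteractive) is counted, so network (type 3) or
    local failures from the same host do not inflate the count. A successful
    type-10 logon from the same source after the burst is reported separately:
    that is the pattern of a guess that worked, i.e. a probable infection.
    """
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["ltype"] == 10:
            by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e["eid"] == 4625]
        # Sliding window: for each failure, count the failures in [t, t + window).
        best_start, best_count = None, 0
        for i, e in enumerate(failures):
            count = sum(1 for f in failures[i:] if f["ts"] - e["ts"] < window)
            if count > best_count:
                best_start, best_count = e["ts"], count
        if best_count < threshold:
            continue
        burst_end = max(f["ts"] for f in failures
                        if best_start <= f["ts"] < best_start + window)
        success_after = any(e["eid"] == 4624 and e["ts"] > burst_end for e in evs)
        findings[src] = {
            "failed_logons": best_count,
            "accounts_tried": sorted({f["acct"] for f in failures}),
            "success_after_burst": success_after,
        }
    return findings


if __name__ == "__main__":
    for src, f in detect_rdp_guessing(parse_events(SAMPLE_EVENTS)).items():
        verdict = "probable compromise" if f["success_after_burst"] else "guessing in progress"
        print(f"{src}: {f['failed_logons']} failed RDP logons against "
              f"{f['accounts_tried']}: {verdict}")
```

With the sample data, 10.0.5.23 is reported (six failures against two spellings of the administrator account, then a success), while the two typos from 10.0.7.8 stay below the threshold. The threshold and window are the knobs to tune against your own baseline of legitimate failed logons; a worm that throttles its attempts will need a longer window.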

Attacks against individual users: mobile threats

In early August 2010, the first-ever malicious program for Google’s Android mobile operating system was detected, the SMS Trojan FakePlayer. Today, threats designed for Android represent approximately 23% of the overall number of detected threats targeting mobile platforms.

Excluding the J2ME platform, 85% of the smartphone threats detected during August targeted the Android system.

In August, the Nickspy Trojan stood out among the multitude of threats targeting mobile platforms. Its distinguishing characteristics include the ability to collect the phone’s GPS coordinates and information about any calls made from the device. It can also record the conversations of the infected device’s owner; the audio files are then uploaded to a remote server controlled by the attackers.

Attacks against the networks of corporations and major organisations

August saw a number of high-profile hack attacks. The victims of hacktivists included the Italian cyber police, a number of companies cooperating with law enforcement agencies in the US, and the military contractor Vanguard, which works under contract to the US Department of Defense (DoD). Against the backdrop of this year’s events, however, these attacks were hardly surprising.

Nevertheless, the IT community was shaken by a news item from McAfee about their detection of what was potentially the largest cyber-attack in history, lasting over five years and targeting numerous organisations around the world, from the US DoD, to the Sports Committee of Vietnam.

The attack was dubbed Shady RAT. All would have been well and good, but the attackers’ command server that was allegedly “detected by researchers” had in fact already been known to the experts at many other antivirus companies for several months.

Moreover, at the time the article was published the server was still up and running, and all of the information McAfee used in its report had already been made public. What is more, the spyware that had allegedly been used in the most complex and largest attack in history was already being detected by many antivirus programs using simple heuristics.

These and other factors raised many further questions about the McAfee report, which were asked publicly, including by Kaspersky Lab’s experts.

“Our studies have confirmed that Shady Rat was not the longest-running or the largest, nor even the most sophisticated attack in history”, comments Alexander Gostev, chief security expert at Kaspersky Lab.

“Moreover, we believe that it is unacceptable to publish information about any attacks without a full description of all of the components and technologies used, since these incomplete reports do not allow experts to make all possible efforts to protect their own resources.”

In related news Kaspersky Lab also recently announced a collaboration with Emerging Threats Pro, which the company explained will ultimately result in better protection for computer users.

