McAfee Threat Report: 2013 Q1 (McAfee Labs)


McAfee Labs

Contents (only partly recoverable): Citadel (p. 4); Web (p. 15); URL (p. 19); DSN (p. 27); McAfee Labs (p. 35)

Summary

[Summary text not recovered. Keywords, in order: McAfee Labs, 2013 Q1; Facebook, Koobface; MBR; Citadel; Android OS, 30%; total samples roughly 128 million (appears as "1 2,800", i.e. 1.28 hundred million); Koobface; MBR; McAfee Global Threat Intelligence: IP, iframe, Java; Web, URL, 12%; 9,000; December 2012; EU, European Cybercrime Centre; DoS.]

Citadel

[Text not recovered. Keywords: Citadel, a Zeus derivative; 2012; McAfee Labs white paper "Inside the World of the Citadel Trojan" [1]; "Poetry Group"; McAfee Labs, 2013.]

Mobile malware

[Text not recovered. Keywords: zoo, 50,926 (2013); 28%; 2011; 792; 100; APK; Android; McAfee Labs.]

[Chart: samples in the zoo by year, 2004 to 2013; y-axis 0 to 60,000.]

[Text not recovered. Keywords: Android/Ssucl.A (SMS; Dropbox; Google; autorun.inf; PC); Android/Chuli.A (SMS); Android/Smsilence.A (SMS).]

[Chart: new mobile malware by platform (Android, Symbian, Java ME, Others), quarterly 2011Q1 to 2013Q1; y-axis 0 to 18,000.]

[Text not recovered. Keywords: Android/Fakejoboffer.A; Android/Fksite.A (mTAN); total samples in the McAfee Labs zoo roughly 128 million (appears as "1 2,800").]

[Chart: total malware samples in the zoo, monthly, April 2012 to March 2013; y-axis 0 to 140,000,000.]

[Chart: quarterly series, 2010Q1 to 2013Q1; y-axis 0 to 16,000,000.]

[Text not recovered.]

[Chart: quarterly series, 2010Q1 to 2013Q1; y-axis 0 to 400,000.]

[Chart: Koutodoor, quarterly 2010Q1 to 2013Q1; y-axis 0 to 200,000.]

[Text not recovered. Keywords: USB; 170; Facebook; Koobface; 2009.]

[Chart: TDSS, quarterly 2010Q1 to 2013Q1; y-axis 0 to 300,000.]

[Chart: ZeroAccess, quarterly 2010Q1 to 2013Q1; y-axis 0 to 250,000.]

[Chart: AutoRun, quarterly 2010Q1 to 2013Q1; y-axis 0 to 1,800,000.]

[Chart: AV, quarterly 2010Q1 to 2013Q1; y-axis 0 to 1,400,000.]

[Chart: Koobface, quarterly 2010Q1 to 2013Q1; y-axis 0 to 120,000.]

[Text not recovered.]

[Chart: quarterly series, 2010Q1 to 2013Q1; y-axis 0 to 1,800,000.]

[Chart: monthly series, 2012 through early 2013; y-axis 0 to 3,000,000.]

[Chart: quarterly series, 2011Q3 to 2013Q1; y-axis 0 to 1,200,000.]

[Text not recovered. Keywords: Mac; PC; MBR; mebroot, Tidserv, Cidox, Shamoon.]

[Chart: Mac, quarterly 2010Q1 to 2013Q1; y-axis 0 to 800.]

[Chart: MBR, quarterly 2010Q1 to 2013Q1; y-axis 0 to 900,000.]

[Text not recovered. Keywords: 25; Citadel; Lyposit.]

[Chart: quarterly series, 2010Q1 to 2013Q1; y-axis 0 to 300,000.]

Network threats

[Text not recovered. Keywords: McAfee Global Threat Intelligence; SQL injection as the leading network attack; Web; SQL.]

Web threats

[Text not recovered. Keywords: 35%; PDF; 11%; Web; IP; URL; McAfee Labs; URL 6,430; 12%; URL 2,770; 6%.]

[Text not recovered. Keywords: 47; 260; URL; 2012; URL 94%, 2.5%, 1.8%.]

[Chart: URLs, quarterly 2012Q2 to 2013Q1; y-axis 0 to 16,000,000; five URL series, legend not recovered.]


[Text not recovered. Keywords: URL 50%.]

[Chart: URLs, quarterly 2012Q2 to 2013Q1; y-axis 0 to 160,000.]

[Text not recovered. Keywords: 80%, 5%, 3%.]

Organizations most targeted by phishing URLs, as listed:
United States: Amazon; Blizzard Entertainment; eBay; Internal Revenue Service; J.P. Morgan Chase; PayPal; Wells Fargo
United Kingdom: Barclays; HM Revenue & Customs; HSBC; Lloyds TSB; Natwest; Royal Bank of Scotland
Brazil: Banco Bradesco; Banco do Brasil; Banco Itau
Italy: Intesa Sanpaolo; Posteitaliane; UniCredit
Australia: ANZ (Australia and New Zealand Banking Group); Westpac Bank

[Text not recovered. Keywords: URL; Web; footnotes 3, 4, 5; MPG.]

Spam

[Text not recovered. Keywords: 2012; 7; 10; 2011; 5; increases of 540%, 150%, 41%, 58%, 54%, 53% (countries not recovered).]

[Charts: per-country monthly series, April 2012 to March 2013; y-axis scales 0 to 30,000,000, 0 to 70,000,000, 0 to 12,000,000 and 0 to 18,000,000.]

[Chart: monthly series, April 2012 to March 2013; scale 0 to 2.0 (units not recovered).]

[Charts: further per-country monthly series, April 2012 to March 2013; y-axis scales from 0 to 2,000,000 up to 0 to 70,000,000.]

[Text not recovered. Keywords: 2012; 5; 2011; 4; 1; 3.]

[Charts: per-country monthly series, April 2012 to March 2013; y-axis scales from 0 to 7,000,000 up to 0 to 250,000,000.]

Spam botnets

[Text not recovered. Keywords: Waledac, Lethic, Kelihos, Slenfbot, Cutwail, Festi.]

[Chart: monthly series, January 2012 to March 2013; series Cutwail, Festi, Slenfbot, Kelihos, Maazben; y-axis 0 to 2,500,000.]

[Text not recovered. Keywords: increases of 420%, 270%, 160%, 145%, 60%, 50% (countries not recovered).]

[Charts: per-country monthly series, April 2012 to March 2013; y-axis scales from 0 to 25,000 up to 0 to 600,000.]

[Text not recovered. Keywords: 5; Cutwail; Festi.]

[Charts: botnet breakdown by country; legends list Darkmailer, Cutwail, Festi, Slenfbot, and Cutwail, Darkmailer2, Festi, Kelihos, Maazben, Slenfbot.]

Spam categories

[Text not recovered. Keywords: DSN (delivery status notification) spam, footnote 1; ISP; IP; pump-and-dump stock spam; DSN.]

Exploit kits

Vulnerabilities picked up by exploit kits this quarter:

CVE-2013-0422 (CButton): Oracle Java Runtime Environment, setSecurityManager() sandbox escape. Kits: Blackhole, Nuclear, Cool, Sakura, Sweet Orange.
CVE-2013-0431 (MBeanInstantiator): Oracle Java SE Java Runtime Environment, JMX. Kits: Blackhole, Nuclear, Cool, Sakura, Styx, Sweet Orange.
CVE-2013-0437: Oracle Java SE Java Runtime Environment, 2D component.
CVE-2013-0634: Adobe Flash Player, malformed regular expressions. Kits: Gong Da, Fiesta.
CVE-2013-1493: Oracle Java JVM Process. Kits: Styx.

Exploit Pack Vulnerabilities

Gong Da 1.3 [3] (January): CVE-2011-3544 (Java Rhino); CVE-2012-0507 (Java Atomic); CVE-2012-1535; CVE-2012-1723 (Java Applet Field); CVE-2012-1889 (MS XML Core); CVE-2012-4681 (Java Gondvv); CVE-2012-5076 (JAX-WS); CVE-2013-0422 (CButton)

Gong Da 1.4 [4] (February): same as Gong Da 1.3 with two exceptions: CVE-2012-1535 removed, CVE-2013-0634 added

WhiteHole [5] (January): CVE-2011-3544 (Java Rhino); CVE-2012-1723 (Java Applet Field); CVE-2012-4681 (Java Gondvv); CVE-2012-5076 (JAX-WS); CVE-2013-0422 (CButton)

Neutrino [6] (March): CVE-2012-1723 (Java Applet Field); CVE-2013-0431

Cybercrime

[Text not recovered. Keywords: Vector Bot; 1,000; Liberty Reserve.]

Namtar Bot 1.0 (built on Zeus 2.0.8.9): 1,500. Optional modules (currency not recovered):
DDoS: 350
Socks: 120
HOSTS File Modifier: 50
Backconnect Socks: 380
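The HOSTS File Modifier module priced above does one thing: it writes hosts-file entries so that banking hostnames resolve to attacker infrastructure (or so that security-update hosts resolve to loopback and silently stop working). The check below is an added example written for this page, not McAfee code and not anything from the report. The watch-list domains, the hypothetical AV host update.example-av.test and the sample hosts file are constructed; the 198.51.100.x addresses come from the TEST-NET-2 documentation range.

```python
"""Spot hosts-file hijacking of the kind a bot's "HOSTS File Modifier" module performs.

Added example; not McAfee code. The watch list and the sample hosts file are
constructed for illustration, and update.example-av.test is a hypothetical host.
"""
import ipaddress

# Assumption: domains a banking-fraud operator would redirect. A hosts entry for any
# of these should never exist on an ordinary endpoint. Constructed list.
WATCHLIST = frozenset({
    "paypal.com", "wellsfargo.com", "chase.com", "hsbc.co.uk", "barclays.co.uk",
    "update.example-av.test",   # hypothetical AV update host, shows the sinkhole case
})

# Targets that legitimately appear in a hosts file: loopback and the 0.0.0.0
# "blackhole" used by ad/malware blocklists. Anything else is a real redirect.
LOCAL_NETS = tuple(ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "0.0.0.0/32"))


def parse_hosts(text):
    """Yield (address, hostname, line_no) for every mapping in a hosts file.

    Handles full-line and trailing '#' comments, several names per line and a
    trailing dot on names. Lines whose first token is not an IP address are skipped.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield addr, name.lower().rstrip("."), line_no


def is_local(addr):
    """True for loopback / blackhole targets: these block a name, they do not redirect it."""
    return any(addr in net for net in LOCAL_NETS)


def in_watchlist(name, watchlist):
    """Exact or subdomain match (www.paypal.com matches paypal.com)."""
    return any(name == d or name.endswith("." + d) for d in watchlist)


def find_hijacks(text, watchlist=WATCHLIST):
    """Classify every mapping and return the suspicious ones.

    kind == "redirected": watch-listed name sent to a non-local address (credential theft).
    kind == "sinkholed":  watch-listed name sent to loopback/0.0.0.0 (e.g. AV updates blocked).
    kind == "unlisted":   any other name sent to a non-local address; needs a human look,
                          a corporate intranet entry being the usual benign cause.
    """
    findings = []
    for addr, name, line_no in parse_hosts(text):
        local = is_local(addr)
        if in_watchlist(name, watchlist):
            kind = "sinkholed" if local else "redirected"
        elif not local:
            kind = "unlisted"
        else:
            continue  # ordinary localhost-style entry
        findings.append({"line": line_no, "host": name, "ip": str(addr), "kind": kind})
    return findings


# Constructed sample: a Windows-style hosts file with three bot-added lines and one
# benign intranet entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
127.0.0.1       localhost
::1             localhost
198.51.100.23   www.paypal.com paypal.com   # added by bot: banking redirect
198.51.100.23   online.wellsfargo.com
127.0.0.1       update.example-av.test       # added by bot: block AV updates
10.0.0.5        intranet.corp.example        # benign, but worth confirming
"""

if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS):
        print(f"line {f['line']:>3}  {f['kind']:<10} {f['host']} -> {f['ip']}")
```

Feed it the contents of /etc/hosts or C:\Windows\System32\drivers\etc\hosts; "redirected" hits are the high-confidence indicator, "sinkholed" hits against security domains point at update blocking, and "unlisted" entries need someone to confirm the intranet explanation.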

Group-IB (CERT-GIB): Dump Memory Grabber, malware targeting POS systems and ATMs to collect Track 1 and Track 2 card data; reported victims include Chase, Capital One, Citibank and Union Bank of California [7]; price 2,000.

[Text not recovered. Keywords: vSkimmer [8]; Windows, Windows 8; 3; 2012; 6,000; Web; 600.]

The EU's European Cybercrime Centre (EC3) opened on 11 January [9]; cooperation with the FBI. [Remaining text not recovered.]

January: FBI arrest [10] (keywords: 3; 24; 200); Brian Krebs reported the arrest of the alleged Zeus botmaster "bx1" [11].

January: FBI charges in the Gozi case [12] (keywords: 3; 100; NASA; 4; Gozi).

February: EC3 "Operation Ransom" [13] (keywords: 1; 100; 11; 27; December 2012; UAE; 10; 6; 2; 2).

March: EC3 dismantles a card-fraud network [14] (keywords: 2; 15,000; 7).

March: Slovenian police action [15] (keywords: 5; 2012; 25; 200).

March: EC3 (keywords: 44; "Pandra Storm"; 400; 82; 44; 16; 36,000).

Hacktivism

McAfee Labs white paper on hacktivism [16]. January: a "We the People" petition asked the White House to recognize DDoS as a legal form of protest [17]; it needed 25,000 signatures and collected about 6,000 [18].

January: Anonymous, "Operation Last Resort": credentials of more than 4,000 US bank executives (COOs, VPs) were posted on a .gov website, Pastebin, Twitter and Facebook [19].

#OpIsrael (Anonymous, from November 2012): website defacements and DDoS; February: Excel file leak; RedHack; Sektor 404; DoS.

Tal Pavel cautioned against taking claimed hacks of the Mossad website at face value [20] (keywords: Web; 2).

Self-styled "cyber armies" (McAfee Labs):
3xp1r3 Cyber Army: January; more than 600 websites defaced [21]
Afghan Cyber Army: January; 34 websites defaced [22]
Alarakai Cyber Army: [23]
Armenian Cyber Army: 1915; February; websites [24]
Bangladesh Cyber Army: [25]
Brazilian Cyber Army: February; websites [26]
Indian Cyber Army: Pakistan Cyber Army; 2012; Anonymous
Iranian Cyber Army: [27]; March; websites [28]
Muslim Liberation Army: 2012; websites; February; 25 websites [29]
Pakistan Cyber Army: February; websites [30]
Philippine Cyber Army: March; 175 websites [31]; Anonymous
Syrian Electronic Army: active since June 2011 [32]; February: AFP Twitter account hijacked [33]; March [34]
Tunisian Cyber Army: March; #opBlackSummer; websites [35]; Al-Qaeda Electronic Cyber Army
Turkey Cyber Army: Facebook

Reporters Without Borders World Press Freedom Index (January; 179 countries) [36]. [Text not recovered. Keywords: 100; 13; 9; 138; 176.]

  • www.mcafee.com/jp


References

[1] http://www.mcafee.com/us/resources/white-papers/wp-citadel-trojan.pdf
[2] http://home.mcafee.com/virusinfo/global-virus-map
[3] http://eromang.zataz.com/2013/01/13/gong-da-gondad-exploit-pack-add-java-cve-2013-0422-support/
[4] http://eromang.zataz.com/2012/12/02/cool-exploit-kit-remove-support-of-java-cve-2012-1723/
[5] http://malware.dontneedcoffee.com/2013/02/briefly-wave-whitehole-exploit-kit-hello.html
[6] http://malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html
[7] http://www.securityweek.com/exclusive-new-malware-targeting-pos-systems-atms-hits-major-us-banks
[8] https://blogs.mcafee.com/mcafee-labs/vskimmer-botnet-targets-credit-card-payment-terminals
[9] http://europa.eu/rapid/press-release_IP-13-13_en.htm
[10] http://www.security-faqs.com/alleged-algerian-bank-hacker-arrested-by-fbi-in-thailand.html
[11] http://krebsonsecurity.com/2013/01/police-arrest-alleged-zeus-botmaster-bx1/
[12] http://www.justice.gov/usao/nys/pressreleases/January13/GoziVirusPR.php
[13] https://www.europol.europa.eu/content/police-dismantle-prolific-ransomware-cybercriminal-network
[14] https://www.europol.europa.eu/content/international-network-line-card-fraudsters-dismantled-newsletter
[15] http://www.cert.si/obvestila/obvestilo/article/slovenian-police-cracks-down-on-a-gang-netting-almost-2-million-EUR-from-companies-via-e-banking-hac.html
[16] Page 32, http://www.mcafee.com/us/resources/white-papers/wp-hacktivism.pdf
[17] http://news.cnet.com/8301-1009_3-57563188-83/anonymous-petitions-u.s-to-see-ddos-attacks-as-legal-protest/
[18] http://njtoday.net/2013/02/06/petition-to-have-white-house-recognize-ddos-as-legitimate-protest-unlikely-to-draw-response/
[19] http://www.zdnet.com/anonymous-posts-over-4000-u-s-bank-executive-credentials-7000010740/
[20] http://www.timesofisrael.com/dont-believe-hack-claims-against-mossads-website-expert-says/
[21] http://news.softpedia.com/news/Over-600-Indian-Websites-Defaced-by-3xp1r3-Cyber-Army-Hacker-318967.shtml
[22] http://www.thehackerspost.com/2013/01/34-pakistan-sites-hacked-defaced-by.html
[23] http://www.cyber-expertz.net/2013/01/68-italy-sites-include-3-govt-hacked-by.html
[24] http://www.armenews.com/article.php3?id_article=87754
[25] http://news.softpedia.com/news/Bangladesh-Cyber-Army-Attacks-Indian-Sites-in-Memory-of-15-Year-Old-Girl-Video-319234.shtml
[26] http://www.ehackingnews.com/2013/02/sierra-leone-police-website-hacked-by.html
[27] http://www.popsci.com/technology/article/2013-03/how-iran-censors-internet-infographic
[28] http://www.innsalzach24.de/innsalzach/waldkraiburg/waldkraiburg/waldkraiburg-homepage-realschule-ziel-eines-hacker-angriffs-innsalzach24-2783344.html
[29] http://www.thehackerspost.com/2013/02/israeli-server-hacked-by-hitcher-from.html
[30] http://hackread.com/bangalore-city-police-website-hacked-defaced-by-pakistan-cyber-army/
[31] http://www.malaysia-chronicle.com/index.php?option=com_k2&view=item&id=64242:sabah-crisis-sparks-cyberwar&Itemid=2
[32] http://www.npr.org/2011/09/25/140746510/pro-assad-army-wages-cyberwar-in-syria
[33] http://www.esecurityplanet.com/hackers/afp-twitter-feed-hacked-by-syrian-electronic-army.html
[34] http://www.globalpost.com/dispatches/globalpost-blogs/the-grid/syria-rebel-hackers-syrian-electronic-army-anonymous-support
[35] http://hackread.com/tunisian-cyber-army-founds-xss-vulnerability-on-pentagon-website/
[36] http://fr.rsf.org/IMG/pdf/classement_2013_gb-bd.pdf

McAfee, McAfee Labs and McAfee Global Threat Intelligence are trademarks of McAfee, Inc. Copyright 2013 McAfee, Inc. All Rights Reserved. MCARPT-1306-MC

About McAfee Labs: McAfee's threat research team (500 researchers in 30 countries), drawing on McAfee Global Threat Intelligence data across web and other threat vectors. www.mcafee.com/labs

About McAfee: McAfee, a wholly owned subsidiary of Intel Corporation (NASDAQ: INTC), delivers Security Connected and Global Threat Intelligence. http://www.mcafee.com/jp/ ; Japanese-language security publications: http://www.mcafee.com/japan/security/publication.asp