Malware taking a bite out of Apple security

• Mac and mobile viruses make their impact
• Duqu is back, modded to avoid detection

 
 
AFTER a quiet 2011, where botmasters failed to come up with anything new, 2012 started with a bang, Kaspersky Lab’s antivirus experts said in their quarterly malware report for Q1.
 
In the first quarter of this year, for the first time, cybercriminals used a “fileless” bot to build a zombie-net, where computers are infected with a virus that allows them to be remotely controlled.
 
The Kaspersky Lab experts said there was also the discovery of a mobile network with infection numbers similar to typical Windows botnets, and a zombie-net of 700,000 Mac OS X computers. A botnet is made up of compromised computers which are connected to the Internet.
 
“Among the growing malware problems for Macs, we saw the rise of targeted attacks against this operating system (OS),” Kaspersky Lab said in a statement.
 
“Users need to be alert to the risk of cybercriminals targeting organizations which use both Windows and Mac platforms. In the first quarter of 2012, one case involved cybercriminals using two Trojans – one for Mac and another for Windows – to gain access to confidential records.
 
“Depending on which OS was running on the target machine, the appropriate malware was loaded. Both Trojans got their commands from a single control center. To make the initial intrusion into the system, the criminals used an exploit that works in both Windows and Mac OS X environments; a successful attack gave them control over the infected machine,” the company said.
 
After a four-month break the authors of the Duqu worm got back to work; in the first quarter of 2012, a new Duqu driver with functions similar to previous versions was detected.
 
Duqu is a computer worm – or a piece of standalone malicious software that replicates itself in order to spread to other computers – that was discovered last September and thought to be related to the Stuxnet worm.
 
The difference in the code was negligible; all the changes were aimed at evading detection, Kaspersky Lab said. The main Duqu module related to the driver has not yet been found.
 
“We were right in our suppositions: when so much money has been invested in a project, as it was with the development of Duqu and Stuxnet, it is impossible to suddenly just halt that process,” said Alexander Gostev, chief security expert at the company.
 
“Instead, the cybercriminals are persevering as usual – they have changed the code so it avoids detection and will continue to attack,” he added.
 
The first quarter of 2012 was also notable for the successful joint efforts of antivirus companies and law enforcement bodies: they took over control of the 110,000-strong Hlux (Kelihos) botnet, shut down control centers of several ZeuS botnets targeting online banking users and arrested several Russian cybercriminals.
 
The full version of the report ‘IT Threat Evolution: Q1 2012’ is available at: http://www.securelist.com/.