
Tag: Argentina

Driverless race cars dodge stray dog in Argentina—but one wipes out...

Roborace brought two DevBots to Buenos Aires for a demonstration run.

The fastest man in electric racing talks cars, tracks, and the...

We interview DS Virgin Racing's Sam Bird ahead of this weekend's race in Argentina.

Fake news peddlers and muckrakers risk “sickness of coprophilia,” says Pope

Fake news hawkers have copped a sizeable telling off from Pope Francis, who has compared the phenomenon of spreading scandalous and false stories online to coprophilia—an abnormal fascination with poop.

The Pope's pop at phony folk who run fake news stories on the Web—published mostly to stir up bizarre and frenzied smears against politicians and other public figures—sits at the extreme end of clickbait and, for many commentators, it left a skid-mark over the recent US election.

"I believe that the media should be very clear, very transparent, and not fall prey—without offence, please—to the sickness of coprophilia, which is always wanting to communicate scandal, to communicate ugly things, even though they may be true," he told Belgian Catholic weekly newspaper Tertio. "And since people have a tendency towards the sickness of coprophagia, it can do great harm."

The Oxford English Dictionary describes coprophilia as an "Abnormal interest and pleasure in faeces and defecation," while the word coprophagia refers to people who eat faecal matter.

He said that it was sinful to circulate fake news, adding it was "probably the greatest damage that the media can do." He described the spread of misinformation as deeply harmful because "opinion is guided in one direction, neglecting the other part of the truth."

He also warned—in a nod to the so-called "right to be forgotten" debate—against the use of slander to smear politicians that "can be used as a means of defamation," adding: "in defamation, we leak a document, as we say in Argentina, 'Se hace un carpetazo'—and we uncover something that is true, but already in the past, and which has already been paid for with a jail sentence, with a fine, or whatever. There is no right to this. This is a sin and it is harmful."

The Pope's pungent words on fake news and coprophilia can be read in full on the Vatican's website, which has published a transcript of his interview with Tertio.

This post originated on Ars Technica UK

IT threat evolution Q3 2016. Statistics

Statistics

All the statistics used in this report were obtained using Kaspersky Security Network (KSN), a distributed antivirus network that works with various anti-malware protection components. The data was collected from KSN users who agreed to provide it. Millions of Kaspersky Lab product users from 213 countries and territories worldwide participate in this global exchange of information about malicious activity.

Q3 figures

- According to KSN data, Kaspersky Lab solutions detected and repelled 171,802,109 malicious attacks from online resources located in 190 countries all over the world.
- 45,169,524 unique URLs were recognized as malicious by web antivirus components.
- Kaspersky Lab’s web antivirus detected 12,657,673 unique malicious objects: scripts, exploits, executable files, etc.
- Attempted infections by malware that aims to steal money via online access to bank accounts were registered on 1,198,264 user computers.
- Crypto ransomware attacks were blocked on 821,865 computers of unique users.
- Kaspersky Lab’s file antivirus detected a total of 116,469,744 unique malicious and potentially unwanted objects.
- Kaspersky Lab mobile security products detected: 1,520,931 malicious installation packages; 30,167 mobile banker Trojans (installation packages); 37,150 mobile ransomware Trojans (installation packages).

Mobile threats

Q3 events

Pokémon GO: popular with users and hackers

One of the most significant events of the third quarter was the release of Pokémon GO. Of course, cybercriminals could not ignore such a popular new product and tried to exploit the game for their own purposes. This was primarily done by adding malicious code to the original app and spreading malicious versions via third-party stores. This method was used, for example, to spread Trojan-Banker.AndroidOS.Tordow, which exploits vulnerabilities in the system to obtain root access to a device.
With root access, this Trojan protects itself from being deleted, and it can also steal saved passwords from browsers.

But perhaps the most notable case of Pokémon GO’s popularity being used to infect mobile devices involved fraudsters publishing a guide for the game in the official Google Play store. The app turned out to be an advertising Trojan capable of gaining root access to a device by exploiting vulnerabilities in the system. We later came across two more modifications of this Trojan, which were added to Google Play under the guise of different apps. According to Google Play data, one of them, imitating an equalizer, was installed between 100,000 and 500,000 times.

Figure: Trojan.AndroidOS.Ztorg.ad in the official Google Play store

Interestingly, one of the methods used by the cybercriminals to promote the Trojan was a company that pays users for the installation of advertising apps.

Figure: Screenshot of the app that prompts the user to install the Trojan for 5 cents

According to this company’s rules, it doesn’t work with users whose devices have root access. The users may be looking to earn some money, but they end up with an infected device and don’t actually receive any money, because after infection the device gains root access.

Ad with a Trojan

The most popular mobile Trojan in the third quarter of 2016 was Trojan-Banker.AndroidOS.Svpeng.q. During the quarter, the number of users attacked by it grew almost eightfold. Over 97% of users attacked by Svpeng were located in Russia. The attackers managed to make the Trojan so popular by advertising it via Google AdSense – one of the most popular advertising networks on the Russian Internet. Many popular sites use it to display targeted advertising. Anyone can pay to register their ad on the network, and that was exactly what the attackers did. Along with the advert, however, they added the AdSense Trojan. When a user visited the page with the advert, Svpeng was downloaded to their device.

Bypassing protection mechanisms in Android 6

In our report for the second quarter of 2016 we mentioned the Trojan-Banker.AndroidOS.Asacub family that can bypass several system controls. Of special note this quarter is the Trojan-Banker.AndroidOS.Gugi family that has learned to bypass the security mechanisms introduced in Android 6 by tricking the user. The Trojan first requests rights to overlay other applications, and then uses those rights to trick the user into giving it privileges to work with text messages and to make calls.

Trojan ransomware in the Google Play store

In the third quarter, we registered the propagation of Trojan-Ransom.AndroidOS.Pletor.d, a mobile ransomware program, via Google Play. The Trojan imitated an app for servicing devices, including deleting unnecessary data, speeding up device performance and even antivirus protection.

Figure: Trojan-Ransom.AndroidOS.Pletor.d in Google Play

The Trojan checks which country the device is located in, and if it is not Russia or Ukraine, it requests administrator rights and calls the command server. Earlier versions of this Trojan encrypted user data, but this modification doesn’t possess such functionality. Instead, the Trojan blocks operation of the device by opening a window that covers all other open windows and demanding a ransom to unblock it.

Mobile threat statistics

In Q3 2016, Kaspersky Lab detected 1,520,931 malicious installation packages, which is 2.3 times fewer than in the previous quarter.

Figure: Number of detected malicious installation packages (Q4 2015 – Q1 2016)

Distribution of mobile malware by type

Figure: Distribution of new mobile malware by type (Q2 2016 and Q3 2016)

In Q3 2016, RiskTool software, or legitimate applications that are potentially dangerous to users, topped the rating of malicious objects detected for mobile devices. Their share continued to grow from 45.1% in Q2 to 55.8% this quarter.
Due to the large number of RiskTool programs and the considerable increase in their overall share of the total flow of detected objects, the proportion of almost all other types of malicious programs decreased, even where the actual number of detected programs increased compared to the previous quarter.

The most affected was Trojan-Ransom – its share decreased from 5.72% to 2.37%. This was caused by a decline in activity by the Trojan-Ransom.AndroidOS.Fusob family (covered in more detail below). At the same time, we registered a slight growth in the share of Trojan-Bankers – from 1.88% to 1.98%.

TOP 20 mobile malware programs

Please note that this rating of malicious programs does not include potentially dangerous or unwanted programs such as RiskTool or adware.

| | Name | % of attacked users* |
|---|---|---|
| 1 | DangerousObject.Multi.Generic | 78.46 |
| 2 | Trojan-Banker.AndroidOS.Svpeng.q | 11.45 |
| 3 | Trojan.AndroidOS.Ztorg.t | 8.03 |
| 4 | Backdoor.AndroidOS.Ztorg.c | 7.24 |
| 5 | Backdoor.AndroidOS.Ztorg.a | 6.55 |
| 6 | Trojan-Dropper.AndroidOS.Agent.dm | 4.91 |
| 7 | Trojan.AndroidOS.Hiddad.v | 4.55 |
| 8 | Trojan.AndroidOS.Agent.gm | 4.25 |
| 9 | Trojan-Dropper.AndroidOS.Agent.cv | 3.67 |
| 10 | Trojan.AndroidOS.Ztorg.aa | 3.61 |
| 11 | Trojan-Banker.AndroidOS.Svpeng.r | 3.44 |
| 12 | Trojan.AndroidOS.Ztorg.pac | 3.31 |
| 13 | Trojan.AndroidOS.Iop.c | 3.27 |
| 14 | Trojan.AndroidOS.Muetan.b | 3.17 |
| 15 | Trojan.AndroidOS.Vdloader.a | 3.14 |
| 16 | Trojan-Dropper.AndroidOS.Triada.s | 2.80 |
| 17 | Trojan.AndroidOS.Muetan.a | 2.77 |
| 18 | Trojan.AndroidOS.Triada.pac | 2.75 |
| 19 | Trojan-Dropper.AndroidOS.Triada.d | 2.73 |
| 20 | Trojan.AndroidOS.Agent.eb | 2.63 |

* Percentage of unique users attacked by the malware in question, relative to all users of Kaspersky Lab’s mobile security product that were attacked.

First place is occupied by DangerousObject.Multi.Generic (78.46%), the verdict used for malicious programs detected using cloud technologies.
Cloud technologies work when the antivirus database contains neither the signatures nor heuristics to detect a malicious program, but the cloud of the antivirus company already contains information about the object. This is basically how the very latest malware is detected.

In Q3 2016, 17 Trojans that use advertising as their main means of monetization (highlighted in blue in the table) made it into the TOP 20. Their goal is to deliver as many adverts as possible to the user, employing various methods, including the installation of new adware. These Trojans may use superuser privileges to conceal themselves in the system application folder, from which it will be very difficult to delete them.

With root access on the device, Trojans can do many different things without the user being aware, such as installing apps from Google Play, including paid apps.

It’s worth noting that the Trojans from the Ztorg family, which occupied four places in the TOP 20, are often distributed via the official Google Play store. Since the end of 2015, we have registered more than 10 such cases (including a fake guide for Pokémon GO). Several times the Trojan notched up over 100,000 installations, and on one occasion it was installed more than 500,000 times.

Figure: Trojan.AndroidOS.Ztorg.ad masquerading as a guide for Pokémon GO in Google Play

The ranking also included two representatives of the Trojan-Banker.AndroidOS.Svpeng mobile banker family. As we mentioned above, Svpeng.q became the most popular malware in the third quarter of 2016. This was down to the Trojan being distributed via the AdSense advertising network, which is used by a large number of sites on the Russian segment of the Internet.

The geography of mobile threats

Figure: The geography of attempted mobile malware infections in Q3 2016 (percentage of all users attacked)

TOP 10 countries attacked by mobile malware (ranked by percentage of users attacked)

| | Country* | % of users attacked** |
|---|---|---|
| 1 | Bangladesh | 35.57 |
| 2 | Nepal | 31.54 |
| 3 | Iran | 31.38 |
| 4 | China | 26.95 |
| 5 | Pakistan | 26.83 |
| 6 | Indonesia | 26.33 |
| 7 | India | 24.35 |
| 8 | Nigeria | 22.88 |
| 9 | Algeria | 21.82 |
| 10 | The Philippines | 21.67 |

* We eliminated countries from this rating where the number of users of Kaspersky Lab’s mobile security product is relatively low (under 10,000).
** Percentage of unique users attacked in each country relative to all users of Kaspersky Lab’s mobile security product in the country.

Bangladesh topped the rating, with almost 36% of users there encountering a mobile threat at least once during the quarter. China, which came first in this rating two quarters in a row, dropped to fourth place.

The most popular mobile malware in all the countries of this rating (except China) was the same – advertising Trojans that mostly belonged to the Ztorg, Iop, Hiddad and Triada families. A significant proportion of attacks in China also involved advertising Trojans, but the majority of users there encountered Trojans from the Backdoor.AndroidOS.GinMaster and Backdoor.AndroidOS.Fakengry families.

Russia (12.1%) came 24th in this rating, France (6.7%) 52nd, the US (5.3%) 63rd, Italy (5.1%) 65th, Germany (4.9%) 68th, and the United Kingdom (4.7%) 71st.

The situation in Germany and Italy has improved significantly: in the previous quarter, 8.5% and 6.2% of users in those countries respectively were attacked. This was due to a decline in activity by the Fusob family of mobile ransomware.

The safest countries were Austria (3.3%), Croatia (3.1%) and Japan (1.7%).

Mobile banking Trojans

Over the reporting period, we detected 30,167 installation packages for mobile banking Trojans, which is 1.1 times as many as in Q2.

Figure: Number of installation packages for mobile banking Trojans detected by Kaspersky Lab solutions (Q4 2015 – Q3 2016)

Trojan-Banker.AndroidOS.Svpeng became the most popular mobile banking Trojan in Q3 due to its active distribution via the advertising network AdSense. More than half the users that encountered mobile banking Trojans in the third quarter faced Trojan-Banker.AndroidOS.Svpeng.q. It was constantly increasing the rate at which it spread – in September the number of users attacked by the Trojan was almost eight times greater than in June.

Figure: The number of unique users attacked by the Trojan-Banker.AndroidOS.Svpeng banking Trojan family (June-September 2016)

Over 97% of attacked users were in Russia. This family of mobile banking Trojans uses phishing windows to steal credit card data and logins and passwords from online banking accounts. In addition, fraudsters steal money via SMS services, including mobile banking.

Figure: Geography of mobile banking threats in Q3 2016 (percentage of all users attacked)

TOP 10 countries attacked by mobile banker Trojans (ranked by percentage of users attacked)

| | Country* | % of users attacked** |
|---|---|---|
| 1 | Russia | 3.12 |
| 2 | Australia | 1.42 |
| 3 | Ukraine | 0.95 |
| 4 | Uzbekistan | 0.60 |
| 5 | Tajikistan | 0.56 |
| 6 | Kazakhstan | 0.51 |
| 7 | China | 0.49 |
| 8 | Latvia | 0.47 |
| 9 | Russia | 0.41 |
| 10 | Belarus | 0.37 |

* We eliminated countries from this rating where the number of users of Kaspersky Lab’s mobile security product is relatively low (under 10,000).
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all users of Kaspersky Lab’s mobile security product in the country.

In Q3 2016, first place was occupied by Russia (3.12%) where the proportion of users that encountered mobile banker Trojans almost doubled from the previous quarter. In second place again was Australia (1.42%), where the Trojan-Banker.AndroidOS.Acecard and Trojan-Banker.AndroidOS.Marcher families were the most popular threats.
The most widely distributed mobile banking Trojans in Q3 were representatives of the Svpeng, Faketoken, Regon, Asacub, Gugi and Grapereh families. In particular, the third quarter saw the Trojan-Banker.AndroidOS.Gugi family learn how to bypass protection mechanisms in Android by tricking users.

Mobile Ransomware

In Q3 2016, we detected 37,150 mobile Trojan-Ransomware installation packages.

Figure: Number of mobile Trojan-Ransomware installation packages detected by Kaspersky Lab (Q4 2015 – Q3 2016)

The sharp rise in the number of mobile Trojan-Ransomware installation packages in Q1 and Q2 of 2016 was caused by the active proliferation of the Trojan-Ransom.AndroidOS.Fusob family of Trojans. In the first quarter of 2016, this family accounted for 96% of users attacked by mobile ransomware; in Q2 it accounted for 85%. Its share in Q3 was 73%.

Figure: Number of users attacked by the Trojan-Ransom.AndroidOS.Fusob family, January-September 2016

The highest number of users attacked by the mobile Trojan-Ransomware family was registered in March 2016. Since then the number of attacked users has been decreasing, especially in Germany.

Despite this, Trojan-Ransom.AndroidOS.Fusob.h remained the most popular mobile Trojan-Ransomware in the third quarter, accounting for nearly 53% of users attacked by mobile ransomware. Once run, the Trojan requests administrator privileges, collects information about the device, including GPS coordinates and call history, and uploads the data to a malicious server. After that, it may receive a command to block the device.

Figure: Geography of mobile Trojan-Ransomware in Q3 2016 (percentage of all users attacked)

TOP 10 countries attacked by mobile Trojan-Ransomware (ranked by percentage of users attacked)

| | Country* | % of users attacked** |
|---|---|---|
| 1 | Canada | 0.95 |
| 2 | USA | 0.94 |
| 3 | Kazakhstan | 0.71 |
| 4 | Germany | 0.63 |
| 5 | UK | 0.61 |
| 6 | Mexico | 0.58 |
| 7 | Australia | 0.57 |
| 8 | Spain | 0.54 |
| 9 | Italy | 0.53 |
| 10 | Switzerland | 0.51 |

* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is relatively low (under 10,000).
** Percentage of unique users in each country attacked by mobile Trojan-Ransomware, relative to all users of Kaspersky Lab’s mobile security product in the country.

In all the TOP 10 countries apart from Kazakhstan, the most popular Trojan-Ransom family was Fusob. In the US, the Trojan-Ransom.AndroidOS.Svpeng family was also popular. This Trojan family emerged in 2014 as a modification of the Trojan-Banker.AndroidOS.Svpeng family. These Trojans demand a ransom of $100-$500 from victims to unblock their devices.

In Kazakhstan, the main threat to users originated from representatives of the Small mobile Trojan-Ransom family. This is a fairly simple ransomware program that blocks the operation of a device by overlaying all the windows with its own and demanding $10 to remove it.

Vulnerable apps exploited by cybercriminals

In Q3 2016, the Neutrino exploit kit departed the cybercriminal market, following in the wake of Angler and Nuclear which also left the market in the previous quarter.

RIG and Magnitude remain active. RIG was especially prominent – it has quickly filled the vacant niche on the exploit kit market.
This is the overall picture for the use of exploits this quarter:

Figure: Distribution of exploits used in attacks by the type of application attacked, Q3 2016

Exploits for different browsers and their components (45%) once again topped the rating, although their share decreased by 3 percentage points. They are followed by exploits for Android OS vulnerabilities (19%), whose share fell 5 p.p. in the third quarter. Exploits for Microsoft Office rounded off the top three. Their contribution actually saw an increase from 14% to 16% in Q3.

Exploits for Adobe Flash Player remained popular. In fact, their share more than doubled from 6% to 13%. This was caused by the aforementioned RIG exploit kit: its use in several campaigns saw the share of SWF exploits increase dramatically.

Online threats (Web-based attacks)

The statistics in this section were derived from web antivirus components that protect users from attempts to download malicious objects from a malicious/infected website. Malicious websites are created deliberately by malicious users; infected sites include those with user-contributed content (such as forums), as well as compromised legitimate resources.

In the third quarter of 2016, Kaspersky Lab’s web antivirus detected 12,657,673 unique malicious objects (scripts, exploits, executable files, etc.) and 45,169,524 unique URLs were recognized as malicious by web antivirus components. Kaspersky Lab solutions detected and repelled 171,802,109 malicious attacks from online resources located in 190 countries all over the world.

Online threats in the banking sector

These statistics are based on detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.

Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on 1,198,264 computers in Q3 2016.
The number of users attacked by financial malware increased by 5.8% from the previous quarter (1,132,031). The third quarter is traditionally holiday season for many users of online banking services in Europe, which means the number of online payments made by these users increases during this period. This inevitably sees an increase in financial risks.

Figure: Number of users attacked by financial malware, Q3 2016

In Q3, the activity of financial threats grew month on month.

Geography of attacks

To evaluate and compare the risk of being infected by banking Trojans worldwide, we calculate the percentage of Kaspersky Lab product users in the country who encountered this type of threat during the reporting period, relative to all users of our products in that country.

Figure: Geography of banking malware attacks in Q3 2016 (percentage of attacked users)

TOP 10 countries by percentage of attacked users

| | Country* | % of attacked users** |
|---|---|---|
| 1 | Russia | 4.20 |
| 2 | Sri Lanka | 3.48 |
| 3 | Brazil | 2.86 |
| 4 | Turkey | 2.77 |
| 5 | Cambodia | 2.59 |
| 6 | Ukraine | 1.90 |
| 7 | Venezuela | 1.90 |
| 8 | Vietnam | 1.86 |
| 9 | Argentina | 1.86 |
| 10 | Uzbekistan | 1.77 |

These statistics are based on detection verdicts returned by the antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
* We excluded those countries in which the number of Kaspersky Lab product users is relatively small (under 10,000).
** Unique users whose computers have been targeted by banking Trojan attacks as a percentage of all unique users of Kaspersky Lab products in the country.

In the third quarter of 2016, Russia had the highest proportion of users attacked by banking Trojans. Representatives of the Trojan-Banker ZeuS (Zbot) family, which leads the way in terms of the number of attacked users worldwide, were especially active in Russia. This is unsurprising since Russian cybercriminals are allegedly behind the development of this malware.
They know the specifics of Russia’s online banking systems as well as the mentality of Russian users and take them into consideration when developing their malware. In Russia, the Gozi banking Trojan continues to proliferate. It displayed a burst of activity in the previous quarter after its developers joined forces with the creators of the Nymaim Trojan. Russia also topped the TOP 10 countries with the highest proportion of users attacked by mobile bankers.

Sri Lanka, a favorite destination with tourists, was a newcomer to the rating, going straight in at second. Financial threats were encountered by 3.48% of users in the country. Among them are likely to be foreigners who arrived in the country on holiday and used online banking services to make payments. The most active representatives of banking malware in the region were those from the Fsysna banker family. This family has previously been noted for attacks targeting customers of Latin American banks.

Brazil rounds off the top three for the second quarter in a row. In Q2, we forecast a surge of financial threat activity in Latin America and specifically in Brazil because of this summer’s Olympic Games. However, the increase in the proportion of users attacked in Brazil was negligible: in the third quarter, 2.86% of users in Brazil encountered financial threats compared to 2.63% in Q2. At the same time, users in Argentina were subjected to a surge in malicious attacks, and as a result, the country ranked ninth.

The holiday season affected almost all countries in the TOP 10. In Russia, Ukraine and Uzbekistan, people traditionally have vacations at this time of the year, while other countries (Sri Lanka, Brazil, Turkey, Cambodia, etc.) are considered popular tourist destinations. Tourists tend to be active users of online banking systems, which in turn attracts cybercriminals and their banking malware.
The share of banking Trojan victims in Italy was 0.60%, in Spain it was 0.61%, while in Germany and the UAE the figures were 1.21% and 1.14% respectively.

The TOP 10 banking malware families

The table below shows the TOP 10 malware families used in Q3 2016 to attack online banking users (as a percentage of users attacked):

| | Name* | % of attacked users** |
|---|---|---|
| 1 | Trojan-Spy.Win32.Zbot | 34.58 |
| 2 | Trojan.Win32.Qhost/Trojan.BAT.Qhost | 9.48 |
| 3 | Trojan.Win32.Fsysna | 9.467 |
| 4 | Trojan-Banker.Win32.Gozi | 8.98 |
| 5 | Trojan.Win32.Nymaim | 8.32 |
| 6 | Trojan-Banker.Win32.Shiotob | 5.29 |
| 7 | Trojan-Banker.Win32.ChePro | 3.77 |
| 8 | Trojan-Banker.Win32.BestaFera | 3.31 |
| 9 | Trojan-Banker.Win32.Banbra | 2.79 |
| 10 | Trojan.Win32.Neurevt | 1.79 |

* The detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by the malware in question as a percentage of all users attacked by financial malware.

The undisputed leader of the rating is Trojan-Spy.Win32.Zbot. Its source codes have been publicly available since a leak and are now widely exploited as an easy-to-use tool for stealing user payment data. Unsurprisingly, this malware consistently tops this rating – cybercriminals regularly enhance the family with new modifications compiled on the basis of the source code and containing minor differences from the original.

The family of Qhost Trojans (verdicts Trojan.Win32.Qhost and Trojan.BAT.Qhost) came second. The functionality of this family’s malicious programs is relatively simple: the Trojan modifies the content of the hosts file (a special text file that maps domain names to the network addresses of nodes) and as soon as specific resources are visited, the Trojan’s malicious components are loaded to an infected workstation and used to steal payment information.
The Trojan adds a number of records to the hosts file preventing the user’s browser from connecting to web-based apps and resources of popular antivirus vendors.

The Q3 rating also includes a new malware representative that has already demonstrated its capabilities in Sri Lanka – the Trojan.Win32.Fsysna family of banking Trojans. Members of this family, in addition to stealing payment data from infected workstations, are also used by cybercriminals to distribute spam. The Trojan uses an infected machine to redirect spam messages from the command center to a mail server. Some representatives of this family also possess Trojan cryptor functionality. Fsysna is kind of a ‘Swiss army knife’ used by cybercriminals to steal money.

Q3 2016 saw a decline in the activity of the notorious financial threat Trojan-Spy.Win32.Lurk: the number of users attacked by this malware fell by 7.1%. Lurk was not included in the TOP 10 banking malware families, but it still poses a threat to users of online banking systems. The cybercriminal group behind this financial threat has been arrested (something we wrote about in a separate article), so we expect to see a further decrease in activity by this banking Trojan next quarter.

Ransomware Trojans

Cryptors are currently one of the biggest threats to users and companies. These malicious programs are becoming more and more popular in the cybercriminal world because they are capable of generating large profits for their owners.

A total of 21 new cryptor families and 32,091 new modifications were detected in Q3. We also added several existing cryptor families to our virus collection.

The number of new cryptor families added to our virus collection is slightly less than in the second quarter (25), but the number of newly created modifications increased 3.5 times compared to the previous quarter.

Figure: The number of newly created cryptor modifications, Q1 – Q3 2016

Malware writers are constantly trying to improve their creations.
New ways to infect computers are always being sought, especially for attacks on companies, which cybercriminals see as far more profitable than attacks on standard users.

Remote launching of cryptors by cybercriminals

We are increasingly seeing incidents where cybercriminals crack passwords to gain remote access to a victim’s system (usually an organization) and infect a compromised machine with Trojan ransomware. Examples of this in Q3 were Dcryptor and Xpan.

Dcryptor/Mamba

Trojan-Ransom.Win32.Dcryptor is known on the Internet under the pseudonym ‘Mamba’. Infection is carried out manually. The fraudsters brute-force the passwords for remote access to the victim machine and run the Trojan, passing on the password for encryption as a command line argument.

During infection, the Trojan uses the legitimate DiskCryptor utility. As a result, it’s not just individual files on network drives that are infected but entire hard drive sectors on the local machine. System boot is blocked: once the computer is started, a message appears on the screen demanding a ransom and displaying an email address for communicating with the attackers.

This Trojan reminds us of the notorious Petya/Mischa Trojan and continues the growing trend of cybercriminals looking for new ways to block access to data.

Xpan/TeamXRat ransomware

Trojan-Ransom.Win32.Xpan is yet another example of ransomware that is launched after attackers remotely penetrate a system. This Trojan is distributed by Brazilian cybercriminals. They brute-force the RDP password (the standard protocol for remote access to Windows computers) and infect the compromised system using the Xpan Trojan that encrypts files and displays a ransom demand.

Ransomware in scripting languages

Another trend that has attracted our attention is the growing number of cryptors written in scripting languages.
In the third quarter of 2016, we came across several new families written in Python:

- HolyCrypt (Trojan-Ransom.Python.Holy)
- CryPy (Trojan-Ransom.Python.Kpyna)
- Trojan-Ransom.Python.Agent

Another example that emerged in June was Stampado (Trojan-Ransom.Win32.Stampa) written in AutoIt, the automation language.

The number of users attacked by ransomware

In Q3 2016, 821,865 unique KSN users were attacked by cryptors – that is 2.6 times more than the previous quarter.

Figure: Number of unique users attacked by Trojan-Ransom cryptor malware (Q3 2016)

The largest contribution was made by representatives of the Trojan-Downloader.JS.Cryptoload family. These Trojan downloaders, written in JavaScript, were designed to download and install representatives of different cryptor families in the system.

Figure: Geography of Trojan-Ransom attacks in Q3 2016 (percentage of attacked users)

Top 10 countries attacked by cryptors

| | Country* | % of users attacked by cryptors** |
|---|---|---|
| 1 | Japan | 4.83 |
| 2 | Croatia | 3.71 |
| 3 | Korea | 3.36 |
| 4 | Tunisia | 3.22 |
| 5 | Bulgaria | 3.20 |
| 6 | Hong Kong | 3.14 |
| 7 | Taiwan | 3.03 |
| 8 | Argentina | 2.65 |
| 9 | Maldives | 2.63 |
| 10 | Australia | 2.56 |

* We excluded those countries where the number of Kaspersky Lab product users is relatively small (under 10,000).
** Unique users whose computers have been targeted by ransomware as a percentage of all unique users of Kaspersky Lab products in the country.

As in the previous quarter, Japan topped this rating.

Newcomers to this Top 10 were Tunisia, Hong Kong, Argentina, and Australia, with Italy, Djibouti, Luxembourg, and the Netherlands all making way.
Top 10 most widespread cryptor families

Rank | Name | Verdict* | % of attacked users**
1 | CTB-Locker | Trojan-Ransom.Win32.Onion / Trojan-Ransom.NSIS.Onion | 28.34
2 | Locky | Trojan-Ransom.Win32.Locky | 9.60
3 | CryptXXX | Trojan-Ransom.Win32.CryptXXX | 8.95
4 | TeslaCrypt | Trojan-Ransom.Win32.Bitman | 1.44
5 | Shade | Trojan-Ransom.Win32.Shade | 1.10
6 | Cryakl | Trojan-Ransom.Win32.Cryakl | 0.82
7 | Cryrar/ACCDFISA | Trojan-Ransom.Win32.Cryrar | 0.73
8 | Cerber | Trojan-Ransom.Win32.Zerber | 0.59
9 | CryptoWall | Trojan-Ransom.Win32.Cryptodef | 0.58
10 | Crysis | Trojan-Ransom.Win32.Crusis | 0.51

* These statistics are based on detection verdicts received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by a specific Trojan-Ransom family as a percentage of all users of Kaspersky Lab products attacked by Trojan-Ransom malware.

CTB-Locker once again occupied first place in Q3. The top three also included the now infamous Locky and CryptXXX. Despite the fact that the owners of TeslaCrypt disabled their servers and posted a master key to decrypt files back in May 2016, it continues to make it into our rating (although its contribution dropped by 5.8 times in Q3).

Crysis

Crysis (verdict Trojan-Ransom.Win32.Crusis) was a newcomer to the TOP 10 in Q3. This Trojan was first detected in February 2016 and since then has undergone several code modifications.

Interestingly, the list of email addresses used for ransom demands by the distributors of Crysis partly matches the list associated with the Cryakl and Aura Trojans. Analysis of the executable files from these families, however, shows that they do not share the same code. It appears that these malicious programs are spread via a partner scheme, and because some distributors are distributing several different Trojans simultaneously they are using the same email address to communicate their ransom demands to the victims.
Polyglot/MarsJoke

This Trojan appeared in August 2016 (we recently published a detailed analysis of Polyglot/MarsJoke). It is not included in the TOP 10, but it does have one interesting feature: the authors have tried to imitate the well-known CTB-Locker, which tops the rating for the second quarter in a row. Both the external and internal design of this piece of malware is very similar to the “original”, but the cybercriminals made a mistake that allows files to be decrypted without paying a ransom.

Top 10 countries where online resources are seeded with malware

The following statistics are based on the physical location of the online resources used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks.

In order to determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q3 2016, Kaspersky Lab solutions blocked 171,802,109 attacks launched from web resources located in 190 countries around the world. 45,169,524 unique URLs were recognized as malicious by web antivirus components.

83% of notifications about blocked web attacks were triggered by attacks coming from web resources located in 10 countries.

Figure: Distribution of web attack sources by country, Q3 2016

The US (33.51%) remained top of this rating in Q3. Russia (9%) dropped from second to fourth, while Germany came second with a share of 10.5%. Canada left the Top 10, with Cyprus a newcomer in ninth place (1.24%).
Countries where users faced the greatest risk of online infection

In order to assess the risk of online infection faced by users in different countries, we calculated the percentage of Kaspersky Lab users in each country who encountered detection verdicts on their machines during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers work in different countries.

In Q3 2016, 30,167 #mobile #banking Trojans were detected by @kaspersky mobile security products #KLreport

Please note that starting this quarter, this rating only includes attacks by malicious programs that fall under the Malware class. The rating does not include web antivirus module detections of potentially dangerous or unwanted programs such as RiskTool or adware.

Rank | Country* | % of users attacked**
1 | Slovenia | 30.02
2 | Bulgaria | 29.49
3 | Armenia | 29.30
4 | Italy | 29.21
5 | Ukraine | 28.18
6 | Spain | 28.15
7 | Brazil | 27.83
8 | Belarus | 27.06
9 | Algeria | 26.95
10 | Qatar | 26.42
11 | Greece | 26.10
12 | Portugal | 26.08
13 | Russia | 25.87
14 | France | 25.44
15 | Kazakhstan | 25.26
16 | Azerbaijan | 25.05
17 | United Arab Emirates | 24.97
18 | Vietnam | 24.73
19 | China | 24.19
20 | Albania | 23.23

These statistics are based on detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.

* These calculations excluded countries where the number of Kaspersky Lab users is relatively small (under 10,000 users).
** Unique users whose computers have been targeted by Malware-class attacks as a percentage of all unique users of Kaspersky Lab products in the country.

On average, 20.2% of computers connected to the Internet globally were subjected to at least one Malware-class web attack during the quarter.
Figure: Geography of malicious web attacks in Q3 2016 (ranked by percentage of users attacked)

The countries with the safest online surfing environments included Croatia (14.21%), the UK (14.19%), Singapore (13.78%), the US (13.45%), Norway (13.07%), Czech Republic (12.80%), South Africa (11.98%), Sweden (10.96%), Korea (10.61%), the Netherlands (9.95%), Japan (9.78%).

Local threats

Local infection statistics for user computers are a very important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.).

Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.

In Q3 2016, Kaspersky Lab’s file antivirus detected 116,469,744 unique malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky Lab product users on whose computers the file antivirus was triggered during the quarter. These statistics reflect the level of personal computer infection in different countries.

In Q3 2016, @kaspersky #mobile security products detected 37,150 mobile #ransomware Trojans #KLreport

Please note that starting this quarter, the rating of malicious programs only includes Malware-class attacks. The rating does not include web antivirus module detections of potentially dangerous or unwanted programs such as RiskTool or adware.
Rank | Country* | % of users attacked**
1 | Vietnam | 52.07
2 | Afghanistan | 52.00
3 | Yemen | 51.32
4 | Somalia | 50.78
5 | Ethiopia | 50.50
6 | Uzbekistan | 50.15
7 | Rwanda | 50.14
8 | Laos | 49.27
9 | Venezuela | 49.27
10 | Philippines | 47.69
11 | Nepal | 47.01
12 | Djibouti | 46.49
13 | Burundi | 46.17
14 | Syria | 45.97
15 | Bangladesh | 45.48
16 | Cambodia | 44.51
17 | Indonesia | 43.31
18 | Tajikistan | 43.01
19 | Mozambique | 42.98
20 | Myanmar | 42.85

These statistics are based on detection verdicts returned by on-access and on-demand antivirus modules, received from users of Kaspersky Lab products who have consented to provide their statistical data. The data include detections of malicious programs located on users’ computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives.

* These calculations exclude countries where the number of Kaspersky Lab users is relatively small (under 10,000 users).
** The percentage of unique users in the country with computers that blocked Malware-class local threats as a percentage of all unique users of Kaspersky Lab products.

An average of 22.9% of computers globally faced at least one Malware-class local threat during the third quarter.

The safest countries in terms of local infection risks were: Spain (14.68%), Singapore (13.86%), Italy (13.30%), Finland (10.94%), Norway (10.86%), France (10.81%), Australia (10.77%), Czech Republic (9.89%), Croatia (9.70%), Ireland (9.62%), Germany (9.16%), the UK (9.09%), Canada (8.92%), Sweden (8.32%), the USA (8.08%), Denmark (6.53%), and Japan (6.53%).

Trump's 'extreme' anti-terrorism vetting may be H-1B nightmare

Donald Trump’s call for "extreme vetting" of visa applications, as well as the temporary suspension of immigration from certain countries, would raise fees and add delays for anyone seeking a visa, including H-1B visas, immigration experts said.

In particular, a plan by Trump, the Republican presidential candidate, to stop issuing visas -- at least temporarily -- "from some of the most dangerous and volatile regions of the world" may make it difficult for a significant number of people to get visas.

Data assembled by Computerworld through a Freedom of Information Act request shows foreign workers come from all corners of the world, including "dangerous and volatile regions." Trump outlined his immigration enforcement plan in a speech Monday.

In 2014, the U.S. approved more than 370,000 H-1B applications. Some were new entries, and others were for previously approved workers who were either renewing or updating their status.

Of that number, 2,234 of the H-1B visa holders were from Pakistan, a country that might appear on a Trump list. Another 1,102 approved visa holders were from Iran. There were 658 H-1B visa holders from Egypt, and 256 were from Syria.

Country of Birth for H-1B Visa Holders

Country | Frequency
INDIA | 262,730
CHINA | 29,936
CANADA | 7,653
PHILIPPINES | 6,055
KOREA, SOUTH | 5,024
UNITED KINGDOM | 3,822
MEXICO | 3,216
TAIWAN | 2,785
FRANCE | 2,570
JAPAN | 2,268
PAKISTAN | 2,234
NEPAL | 1,997
GERMANY | 1,895
TURKEY | 1,850
BRAZIL | 1,831
ITALY | 1,497
COLOMBIA | 1,491
RUSSIA | 1,461
VENEZUELA | 1,432
SPAIN | 1,329
IRAN | 1,102
NIGERIA | 1,015
ISRAEL | 949
IRELAND | 932
KOREA | 813
UKRAINE | 795
ARGENTINA | 778
MALAYSIA | 771
SINGAPORE | 755
VIETNAM | 695
EGYPT | 658
ROMANIA | 648
BANGLADESH | 647
INDONESIA | 637
SRI LANKA | 608
PERU | 583
POLAND | 576
AUSTRALIA | 564
GREECE | 556
SOUTH AFRICA | 547
HONG KONG | 503
BULGARIA | 477
THAILAND | 476
LEBANON | 462
JAMAICA | 461
KENYA | 437
NETHERLANDS | 432
JORDAN | 415
CHILE | 395
SWEDEN | 374
NEW ZEALAND | 353
GHANA | 341
TRINIDAD AND TOBAGO | 333
ECUADOR | 302
SYRIA | 256
PORTUGAL | 253
SWITZERLAND | 249
BELGIUM | 238
DOMINICAN REPUBLIC | 231
SAUDI ARABIA | 205
ZIMBABWE | 205
HUNGARY | 203
Spain | 189
AUSTRIA | 179
UNKNOWN | 179
DENMARK | 174
HONDURAS | 171
COSTA RICA | 165
UNITED ARAB EMIRATES | 155
BOLIVIA | 150
CZECH REPUBLIC | 149
GUATEMALA | 149
EL SALVADOR | 147
SERBIA AND MONTENEGRO | 142
KUWAIT | 141
MOROCCO | 138
ETHIOPIA | 133
CAMEROON | 126
FINLAND | 125
BAHAMAS | 123
MOLDOVA | 111
KAZAKHSTAN | 108
SLOVAK REPUBLIC | 103
CROATIA | 102
NORWAY | 102
ARMENIA | 101
UZBEKISTAN | 101
PANAMA | 99
URUGUAY | 94
ALBANIA | 88
UGANDA | 88
USSR | 87
Serbia | 86
LIBYA | 84
MONGOLIA | 83
TANZANIA | 83
BURMA | 76
NIGER | 74
LITHUANIA | 70
GEORGIA | 66
GRENADA | 58
SENEGAL | 58
BARBADOS | 57
MACEDONIA | 56
LATVIA | 54
AZERBAIJAN | 52
BOSNIA-HERZEGOVINA | 51
CYPRUS | 51
ST. LUCIA | 51
IRAQ | 50
SLOVENIA | 50
BELIZE | 48
ICELAND | 47
ZAMBIA | 47
GUYANA | 45
NICARAGUA | 45
PARAGUAY | 45
BAHRAIN | 43
TUNISIA | 43
ALGERIA | 42
MAURITIUS | 42
DOMINICA | 40
USA | 39
ESTONIA | 35
KYRGYZSTAN | 34
HAITI | 30
RWANDA | 28
BURKINA FASO | 26
MACAU | 25
TURKMENISTAN | 25
CAMBODIA | 24
COTE D'IVOIRE | 24
TAJIKISTAN | 24
CONGO | 22
ST. KITTS-NEVIS | 22
SUDAN | 22
MALAWI | 21
OMAN | 21
ST. VINCENT/GRENADINES | 21
MALI | 20
ANTIGUA-BARBUDA | 19
BOTSWANA | 18
IVORY COAST | 18
BERMUDA | 17
BENIN | 16
AFGHANISTAN | 15
Kosovo | 15
QATAR | 15
LUXEMBOURG | 13
MADAGASCAR | 13
Montenegro | 13
YEMEN-SANAA | 13
TOGO | 12
SIERRA LEONE | 11
YUGOSLAVIA | 11
GABON | 10
GAMBIA | 10
NORTHERN IRELAND | 10
MALTA | 8
NAMIBIA | 8
SURINAME | 8
SWAZILAND | 8
BHUTAN | 7
FIJI | 7
FRENCH POLYNESIA | 7
MOZAMBIQUE | 7
BURUNDI | 6
CUBA | 6
GUINEA | 6
LIBERIA | 6
BRUNEI | 5
NETHERLANDS ANTILLES | 5
ARUBA | 4
ERITREA | 4
KIRIBATI | 4
LESOTHO | 4
MALDIVES | 4
MAURITANIA | 4
ANGOLA | 3
CAPE VERDE | 3
CHAD | 3
DEMOCRATIC REPUBLIC OF CONGO | 3
SEYCHELLES | 3
UNITED STATES | 3
ANGUILLA | 2
LAOS | 2
SOMALIA | 2
ARABIAN PENINSULA | 1
CAYMAN ISLANDS | 1
DJIBOUTI | 1
GERMANY, WEST | 1
GIBRALTAR | 1
GUINEA-BISSAU | 1
MARTINIQUE | 1
MONACO | 1
REUNION | 1
Samoa | 1
SAO TOME AND PRINCIPE | 1
ST. VINCENT-GRENADINES | 1
STATELESS | 1
TONGA | 1
TURKS AND CAICOS ISLANDS | 1
VANUATU | 1

Source: USCIS data for approved applications in fiscal year 2014

Trump's plan to admit only people "who share our values and respect our people" didn't indicate how it would be applied.
It also didn't say whether all visa holders -- visitor, H-1B and green card -- would be subject to an ideological litmus test. And what is the correct answer to such a question about American values?

"If you ask people born in this country what is an American ideology, I'm not quite sure that we would come out with one answer," said Jessica Lavariega-Monforti, a professor and chair of the political science department at Pace University in New York.

"The immigration system, as it currently stands, could not process additional vetting without creating backlogs and increasing wait times for applicants. At the same time, it is unclear how these policy changes would increase safety against a terrorist attack," said Lavariega-Monforti.

John Lawit, an immigration attorney in Irving, Texas, said the U.S. already has a vetting process that begins as soon as someone applies for a tourist visa. There are different levels of threat, such as being a citizen of Syria, that trigger a much higher level of vetting, he said.

"There is a huge financial commitment that must be made in terms of human resources in order to carry on such a vetting program, and a huge, huge increase in fees," Lawit said.

Requiring oaths of some kind is "a lot of posturing with very little substance," he added, and is ineffective in improving security.

Lawit said he once assisted H-1B workers who were employed in non-classified jobs at the Sandia and Los Alamos National Laboratories. The processing time for security checks could run months. That's an example of extreme vetting, while "extraordinary detailed security investigations are conducted," he said.

This story, "Trump's 'extreme' anti-terrorism vetting may be H-1B nightmare" was originally published by Computerworld.

IT threat evolution in Q2 2016. Statistics

All the statistics used in this report were obtained using Kaspersky Security Network (KSN), a distributed antivirus network that works with various anti-malware protection components. The data was collected from KSN users who agreed to provide it. Millions of Kaspersky Lab product users from 213 countries and territories worldwide participate in this global exchange of information about malicious activity.
Q1 figures

- According to KSN data, Kaspersky Lab solutions detected and repelled 171,895,830 malicious attacks from online resources located in 191 countries all over the world.
- 54,539,948 unique URLs were recognized as malicious by web antivirus components.
- Kaspersky Lab’s web antivirus detected 16,119,489 unique malicious objects: scripts, exploits, executable files, etc.
- Attempted infections by malware that aims to steal money via online access to bank accounts were registered on 1,132,031 user computers.
- Crypto ransomware attacks were blocked on 311,590 computers of unique users.
- Kaspersky Lab’s file antivirus detected a total of 249,619,379 unique malicious and potentially unwanted objects.
- Kaspersky Lab mobile security products detected:
  - 3,626,458 malicious installation packages;
  - 27,403 mobile banker Trojans (installation packages);
  - 83,048 mobile ransomware Trojans (installation packages).

Mobile threats

In Q2 2016, Kaspersky Lab detected 3,626,458 malicious installation packages – 1.7 times more than in the previous quarter.

Figure: Number of detected malicious installation packages (Q3 2015 – Q2 2016)

Distribution of mobile malware by type

As of this quarter, we will calculate the distribution of mobile malware by type based on the number of detected malicious installation packages rather than modifications, as was the case in earlier reports.

Figure: Distribution of new mobile malware by type (Q1 2016 and Q2 2016)

In Q2 2016, RiskTool software, or legal applications that are potentially dangerous to users, topped the ranking of detected malicious objects for mobile devices. Their share increased from 31.6% in Q1 to 45.1% this quarter.

Adware occupies second place. The share of these programs fell 1.4 p.p. compared to the previous quarter, and accounted for 14.2%.

The share of SMS Trojans fell from 18.5% to 10.8%, pushing this category of malicious programs down from second to third place in the ranking. Trojan-SMS.AndroidOS.Agent.qu and Trojan-SMS.AndroidOS.Agent.f accounted for most of the detected SMS Trojans, with both accounting for approximately 30% of all malicious files in this category.

The Trojan-Dropper share also fell – from 14.5% in Q1 to 9.2%. Trojan-Dropper.AndroidOS.Agent.v led the way: we detected more than 50,000 installation packages related to this Trojan.

TOP 20 mobile malware programs

Please note that this ranking of malicious programs does not include potentially dangerous or unwanted programs such as RiskTool or adware.

Rank | Name | % of attacked users*
1 | DangerousObject.Multi.Generic | 80.87
2 | Trojan.AndroidOS.Iop.c | 11.38
3 | Trojan.AndroidOS.Agent.gm | 7.71
4 | Trojan-Ransom.AndroidOS.Fusob.h | 6.59
5 | Backdoor.AndroidOS.Ztorg.a | 5.79
6 | Backdoor.AndroidOS.Ztorg.c | 4.84
7 | Trojan-Ransom.AndroidOS.Fusob.pac | 4.41
8 | Trojan.AndroidOS.Iop.t | 4.37
9 | Trojan-Dropper.AndroidOS.Gorpo.b | 4.3
10 | Trojan.AndroidOS.Ztorg.a | 4.30
11 | Trojan.AndroidOS.Ztorg.i | 4.25
12 | Trojan.AndroidOS.Iop.ag | 4.00
13 | Trojan-Dropper.AndroidOS.Triada.d | 3.10
14 | Trojan-Dropper.AndroidOS.Rootnik.f | 3.07
15 | Trojan.AndroidOS.Hiddad.v | 3.03
16 | Trojan-Dropper.AndroidOS.Rootnik.h | 2.94
17 | Trojan.AndroidOS.Iop.o | 2.91
18 | Trojan.AndroidOS.Rootnik.ab | 2.91
19 | Trojan.AndroidOS.Triada.e | 2.85
20 | Trojan-SMS.AndroidOS.Podec.a | 2.83

* Percentage of unique users attacked by the malware in question, relative to all users of Kaspersky Lab’s mobile security product that were attacked.

First place is occupied by DangerousObject.Multi.Generic (80.87%), the classification used for malicious programs detected by cloud technologies. Cloud technologies work when the antivirus database contains neither the signatures nor heuristics to detect a malicious program, but the cloud of the antivirus company already contains information about the object. This is basically how the very latest malware is detected.

As in the previous quarter, 16 Trojans that use advertising as their main means of monetization (highlighted in blue in the table) made it into the TOP 20. Their goal is to deliver as many adverts as possible to the user, employing various methods, including the installation of new adware. These Trojans may use superuser privileges to conceal themselves in the system application folder, from which it will be very difficult to delete them.

Trojan.AndroidOS.Iop.c (11.38%) moved from third to second in the TOP 20 and became the single most popular malicious program of the quarter. Over the reporting period we detected this Trojan in 180 countries, but the majority of attacked users were in Russia, India and Algeria. Iop.c can exploit a variety of vulnerabilities in the system to gain superuser privileges. The main method of monetization is displaying advertising and installing (usually secretly) various programs on the user’s device, including other malicious programs.

In Q2 2016, @kaspersky repelled 172M malicious attacks via online resources located in 191 countries #KLreport #Infosec

Representatives of the Trojan-Ransom.AndroidOS.Fusob ransomware family claimed fourth and seventh places. These Trojans demand a ransom of $100-200 from victims to unblock their devices. Attacks using this Trojan were registered in over 120 countries worldwide in Q2, with a substantial number of victims located in Germany and the US.

Trojan-SMS.AndroidOS.Podec.a (2.83%) has now spent over a year in the mobile malware TOP 20, although it is starting to lose ground. It used to be ever-present in the TOP 5 mobile threats, but for the second quarter in a row it has only made it into the bottom half of the ranking. Its functionality has remained practically unchanged; its main means of monetization is to subscribe users to paid services.

The geography of mobile threats

Figure: The geography of attempted mobile malware infections in Q2 2016 (percentage of all users attacked)

TOP 10 countries attacked by mobile malware (ranked by percentage of users attacked)

Rank | Country* | % of users attacked**
1 | China | 36.31
2 | Bangladesh | 32.66
3 | Nepal | 30.61
4 | Uzbekistan | 22.43
5 | Algeria | 22.16
6 | Nigeria | 21.84
7 | India | 21.64
8 | Indonesia | 21.35
9 | Pakistan | 19.49
10 | Iran | 19.19

* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000.
** Percentage of unique users attacked in each country relative to all users of Kaspersky Lab’s mobile security product in the country.

China topped the ranking, with more than 36% of users there encountering a mobile threat at least once during the quarter.

China also came first in this ranking in Q1 2016.

In all the countries of this ranking, except China, the most popular mobile malware was the same – advertising Trojans that appeared in the TOP 20 mobile malware, and AdWare. The most popular malicious program was Trojan.AndroidOS.Iop.c. In China, a significant proportion of attacks also involved advertising Trojans, but the majority of users there encountered the Backdoor.AndroidOS.GinMaster and Backdoor.AndroidOS.Fakengry families, while Trojan.AndroidOS.Iop.c only occupied sixteenth place.

Russia (10.4%) was 26th in this ranking, Germany (8.5%) 38th, Italy (6.2%) 49th, and France (5.9%) 52nd. The US (5.0%) came 59th and the UK (4.6%) 64th.

The safest countries were Austria (3.6%), Sweden (2.9%) and Japan (1.7%).

Mobile banking Trojans

As of this quarter, we will calculate the distribution of mobile malware by type based on the number of detected malicious installation packages rather than modifications, as was the case in earlier reports. Over the reporting period, we detected 27,403 mobile Trojans, which is 1.2 times less than in Q1.

Figure: Number of mobile banking Trojans detected by Kaspersky Lab solutions (Q3 2015 – Q2 2016)

The TOP 5 most popular mobile banking Trojans in Q2 consisted of representatives from just two families – Trojan-Banker.AndroidOS.Asacub and Trojan-Banker.AndroidOS.Svpeng.

Trojan-Banker.AndroidOS.Asacub.i was the most popular mobile banking Trojan of the quarter. It uses different methods to trick users and bypass system constraints. In Q1 we identified a modification of this mobile Trojan that overlaid the regular system window requesting device administrator privileges with its own window containing buttons. The Trojan thereby conceals the fact that it is gaining elevated privileges in the system from the user, and tricks the user into approving these privileges. In Q2, we detected a modification that requested the user’s permission to become the main SMS application.

Figure: Dialog window of Trojan-Banker.AndroidOS.Asacub.i asking for the user’s approval to become the main SMS application

This allows the Trojan to bypass the system constraints introduced in Android 4.4, and to hide incoming SMSs from the user (as a rule, it hides messages from banks and payment systems). In order to make users save this malicious program in the settings as the main SMS application, the Trojan authors had to, among other things, implement a messenger interface.

Figure: The Trojan-Banker.AndroidOS.Asacub.i interface used to create and send messages

Asacub is actively distributed via SMS spam.

Russia and Germany lead in terms of the number of users attacked by mobile banking Trojans:

Figure: Geography of mobile banking threats in Q2 2016 (percentage of all users attacked)

The number of attacked users depends on the overall number of users within each individual country.

To assess the risk of a mobile banker Trojan infection in each country, and to compare it across countries, we created a country ranking according to the percentage of users attacked by mobile banker Trojans.

TOP 10 countries attacked by mobile banker Trojans (ranked by percentage of users attacked)

Rank | Country* | % of users attacked**
1 | Russia | 1.51
2 | Australia | 0.73
3 | Uzbekistan | 0.45
4 | Korea | 0.35
5 | China | 0.34
6 | Ukraine | 0.33
7 | Denmark | 0.28
8 | Germany | 0.24
9 | Turkey | 0.23
10 | Kyrgyzstan | 0.17

* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000.
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all users of Kaspersky Lab’s mobile security product in the country.

In Q2 2016, first place was occupied by Russia (1.51%) where the majority of affected users encountered the Trojan-Banker.AndroidOS.Asacub, Trojan-Banker.AndroidOS.Svpeng and Trojan-Banker.AndroidOS.Faketoken families of mobile banker Trojans. China, last quarter’s leader, fell to fifth place this quarter. In second place again was Australia where the Trojan-Banker.AndroidOS.Acecard family was replaced by the Trojan-Banker.AndroidOS.Marcher family as the most popular threat.

Banking Trojans were especially popular with attackers in Russia and Australia. The percentage of users attacked by this malware in the two countries relative to all attacked users accounted for 14%.

Mobile Trojan-Ransomware

As of this quarter, we will calculate the distribution of mobile malware by type based on the number of detected malicious installation packages rather than modifications, as was the case in earlier reports.

In Q2 2016, we detected 83,048 mobile Trojan-Ransomware installation packages, which is about the same number as the previous quarter and seven times more than in Q4 2015.

Figure: Number of mobile Trojan-Ransomware installation packages detected by Kaspersky Lab (Q3 2015 – Q2 2016)

The sharp rise in the number of mobile Trojan-Ransomware installation packages in 2016 was caused by the active proliferation of the Trojan-Ransom.AndroidOS.Fusob family of Trojans. In the first quarter of 2016, this family accounted for 96% of users attacked by mobile ransomware. In Q2 its share was 85%.

In Q2 2016, 54.5M unique malicious URLs were recognized by @kaspersky web antivirus components #KLreport #IT

Trojan-Ransom.AndroidOS.Fusob.h became the most popular mobile Trojan-Ransomware in the second quarter – it accounted for nearly 60% of users attacked by mobile ransomware. Once run, the Trojan requests administrator privileges, collects information about the device, including the GPS coordinates and call history, and downloads the data to a malicious server. After that, it may get a command to block the device.

In the second quarter we registered a growth in the number of installation packages related to Trojan-Ransom.AndroidOS.Congur.b: their share grew from 0.8% to 8.8%. This Trojan, targeting Chinese-speaking users, changes the system password (PIN), or sets one if no password was set earlier, thus making it impossible to use the device. The notification containing the ransom demand is displayed on the screen of the blocked device.

Germany, the US and Russia had the highest number of users attacked by Trojan-Ransomware this quarter:

Figure: Geography of mobile Trojan-Ransomware in Q2 2016 (percentage of all users attacked)

To assess the risk of a mobile banker Trojan infection in each country, and to compare it across countries, we created a country ranking according to the percentage of users attacked by mobile Trojan-Ransomware.

TOP 10 countries attacked by mobile Trojan-Ransomware (ranked by percentage of users attacked)

Rank | Country* | % of users attacked**
1 | Canada | 2.01
2 | Germany | 1.89
3 | US | 1.66
4 | Switzerland | 1.63
5 | Mexico | 1.55
6 | UK | 1.51
7 | Denmark | 1.35
8 | Italy | 1.35
9 | Kazakhstan | 1.35
10 | Netherlands | 1.15

* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000.
** Percentage of unique users in each country attacked by mobile Trojan-Ransomware, relative to all users of Kaspersky Lab’s mobile security product in the country.

In all the countries of the TOP 10, except for Kazakhstan, the most popular Trojan-Ransom family was Fusob. In the US, the Trojan-Ransom.AndroidOS.Svpeng family was also popular. These Trojans demand a ransom of $100-500 from victims to unblock their devices.

In Kazakhstan and Uzbekistan, the main threat to users originated from representatives of the Small mobile Trojan-Ransom family. This is a fairly simple ransomware program that blocks operation of a device by overlaying all the windows on the device with its own window and demanding $10 to unblock it.

Vulnerable applications exploited by cybercriminals

In Q2 2016, exploits for Adobe Flash Player remained popular. During the reporting period two new vulnerabilities were discovered in this software:

- CVE-2016-4117
- CVE-2016-4171

An exploit for CVE-2016-4117 was added to the Magnitude and Neutrino exploit kits.

The CVE-2016-4171 vulnerability was used by the ScarCruft group to carry out targeted attacks. We wrote a more detailed account of this group’s activities in a blog published in mid-June. In Q2 2016, @kaspersky web #antivirus detected 16,119,489 unique malicious objects #KLreport #netsec Tweet The main event this quarter was the demise of the long-term market leaders – the Angler and Nuclear exploit kits.

Angler’s departure resulted in market players shifting to other kits to distribute malware.
In particular, we registered a dramatic growth in the popularity of the Neutrino exploit kit. This is how the overall picture for the use of exploits in the second quarter looks: Distribution of exploits used in attacks by the type of application attacked, Q2 2016 The chart shows that despite the exit of the market leaders the breakdown of exploits was almost unchanged from the previous quarter: the proportion of exploits for Microsoft Office (14%) and Java (7%) fell by 1 p.p., while the share for Android grew 2 p.p. and reached 24%.

This suggests that demand for exploit kits has been spread among the remaining players: RIG, Magnitude and Neutrino.

The latter was the undisputed leader this quarter in terms of the number of attempts to download malware. Online threats (Web-based attacks) The statistics in this section were derived from web antivirus components that protect users from attempts to download malicious objects from a malicious/infected website. Malicious websites are created deliberately by malicious users; infected sites include those with user-contributed content (such as forums), as well as compromised legitimate resources. In the second quarter of 2016, Kaspersky Lab’s web antivirus detected 16,119,489 unique malicious objects: scripts, exploits, executable files, etc. 54,539,948 unique URLs were recognized as malicious by web antivirus components. Online threats in the banking sector These statistics are based on the detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data. Number of users attacked by malware targeting finances< Due to the constant emergence of new representatives of banking Trojans and functional changes in existing banking Trojans, in the second quarter of 2016 we have significantly updated the list of verdicts classed as banking risks.

This means the number of financial malware victims has changed significantly compared to the data published in previous quarters.

As a comparison, we have recalculated the statistics for the previous quarter, taking into account all the malware from the updated list.
Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on 1,132,031 computers in Q2 2016.

The quarter saw an increase in financial malware activity: the figure for Q2 is 15.6% higher than that for the previous quarter (979,607).

[Figure: Number of users attacked by malware targeting finances, Q2 2016]

Geography of attack

To evaluate and compare the risk of being infected by banking Trojans worldwide, we calculate the percentage of Kaspersky Lab product users who encountered this type of threat during the reporting period in the country, relative to all users of our products in the country.

[Figure: Geography of banking malware attacks in Q2 2016 (percentage of attacked users)]

TOP 10 countries by percentage of attacked users

Country* | % of attacked users**
1 Turkey | 3.45
2 Russia | 2.92
3 Brazil | 2.63
4 Pakistan | 2.60
5 Venezuela | 1.66
6 Tunisia | 1.62
7 Japan | 1.61
8 Singapore | 1.58
9 Libya | 1.57
10 Argentina | 1.48

These statistics are based on the detection verdicts returned by the antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
* We excluded those countries in which the number of Kaspersky Lab product users is relatively small (less than 10,000).
** Unique users whose computers have been targeted by banking Trojan attacks as a percentage of all unique users of Kaspersky Lab products in the country.

The highest percentage of Kaspersky Lab users attacked by banking Trojans was in Turkey. One of the reasons for the growth in financial threats there was a burst of activity by the Gozi banking Trojan whose developers have joined forces with the creators of the Nymaim Trojan. In Russia, 2.92% of users encountered a banking Trojan at least once in Q2, placing it second in this ranking. Brazil rounds off the top three.

We expect a surge in financial threats in Latin America in the next quarter due to the Olympic Games in Brazil.

This event is just too tempting for cybercriminals to ignore – they regularly use the theme of major sporting events in their attacks to lure potential victims.

The top five countries where users were least affected by banking Trojans were Canada (0.33%), the US (0.4%), the UK (0.4%), France (0.43%) and the Netherlands (0.5%). The percentage of banking Trojan victims in Italy was 0.62%, in Spain it was 0.83%, while in Germany the figure was 1.03%.

The TOP 10 banking malware families

The table below shows the top 10 malware families most commonly used in Q2 2016 to attack online banking users (as a percentage of users attacked):

Name* | Percentage of users attacked**
1 Trojan-Spy.Win32.Zbot | 15.72
2 Trojan-Banker.Win32.Gozi | 3.28
3 Trojan.Win32.Qhost | 2.35
4 Trojan-Banker.Win32.Shiotob | 2.27
5 Trojan-Banker.Win32.BestaFera | 2.12
6 Trojan.Win32.Nymaim | 1.98
7 Trojan-Banker.Win32.ChePro | 1.90
8 Trojan-Banker.Win32.Banbra | 1.77
9 Trojan.Win32.Neurevt | 0.67
10 Backdoor.Win32.Shiz | 0.66

* The detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by the malware in question as a percentage of all users attacked by financial malware.

Trojan-Spy.Win32.Zbot in first place is a permanent fixture in the leading positions of this ranking, and it is no coincidence: the source code of this Trojan became publicly available back in 2012.

This has resulted in the emergence of new banking Trojans that have adopted fragments of the Zbot code.

The second quarter of 2016 saw a surge in malicious activity by Trojan.Win32.Nymaim. As a result, this Trojan made it into the top 10 for the first time, going straight in at sixth place. Nymaim was initially designed to block access to valuable data and then demand a ransom (ransomware) to unblock it, but the latest version now also includes banking Trojan functionality for stealing financial information. This can be explained by the fact that the creators of Nymaim and Gozi (which also appears in the Q2 TOP 10 financial risks) have joined forces. Nymaim’s source code now includes fragments of Gozi code that provide attackers with remote access to infected computers.

A permanent resident in this ranking and one of the reasons financial threats are so prominent in Brazil is the Trojan-Banker.Win32.ChePro family.

This banking malware lets cybercriminals take screenshots, register keystrokes, and read the contents of the clipboard, i.e., it possesses functionality capable of attacking almost any online banking system. Criminals are trying to implement new techniques to avoid detection for as long as possible. Some of the Trojans from this family use geolocation or ask for the time zone and the Windows version from the system in order to infect users in a particular region.

Yet another newcomer to the top 10 most active financial threats in Q2 was the Trojan.Win32.Neurevt family. Representatives of this family were first discovered in 2013 and are used by cybercriminals not only to steal user payment data in online banking systems but also to send out spam (some versions, for example, sent spam messages on Skype) and implement DDoS attacks (with the addition of functionality capable of performing the Slowloris HTTP flooding scenario).

Ransomware Trojans

The overall number of cryptor modifications in our virus collection to date is approximately 26,000.

A total of 28 new cryptor families and 9,296 new modifications were detected in Q2. The following graph shows the rise in the number of newly created cryptor modifications over the last two quarters.

[Figure: Number of Trojan-Ransom cryptor modifications (Q1 2016 vs Q2 2016)]

Some of the more high-profile or unusual Trojans detected in Q2 2016 are listed below:

CryptXXX (Trojan-Ransom.Win32.CryptXXX)

This cryptor has been widely distributed via exploit kits since April 2016. Its earlier versions contained gaps in the file encryption algorithm which allowed Kaspersky Lab to release a utility to decrypt them. Unfortunately, the attackers have made adjustments to subsequent versions, making it impossible to decrypt the files affected by later CryptXXX modifications.

ZCryptor (Trojan-Ransom.MSIL.Zcryptor)

This malware combines cryptor functionality and a worm distribution method. Trojan ransomware does not usually include tools for self-propagation, and ZCryptor just happens to be an exception to this rule. Like a classic worm, while infecting, it creates copies of its body on removable media and generates the autorun.inf file to implement the automatic launch of its executable file once the media is connected to another system (if, of course, autorun is not disabled).

RAA (Trojan-Ransom.JS.RaaCrypt)

Sometimes we come across cryptors that differ from their peers in terms of functionality, and sometimes an unusual implementation will catch the attention of an analyst. In the case of RAA, the choice of programming language was curious: it was written entirely in JavaScript. The whole body of the program was included in a single .js file delivered to the victim as an attachment in a spam message. When run, it displays a fake error message, and in the meantime, encrypts the user’s files.

Bart (Trojan-Ransom.Win32.Bart)

This cryptor puts the victim’s files in password-protected ZIP archives, and it creates the passwords using the Diffie-Hellman algorithm on an elliptic curve. The design of the ransom note and the payment site is an exact copy of that used by the notorious Locky.

Satana (Trojan-Ransom.Win32.Satan)

This is a combination of MBR blocker and file cryptor, probably inspired by similar functionality in the notorious Petya + Mischa Trojans. Satana, unlike Petya, does not encrypt the MFT; in fact, its MBR module is obviously incomplete because the process of checking the password entered by the victim results in nothing more than a continuous cycle.

Below is a fragment of the code demonstrating this.

The number of users attacked by ransomware

[Figure: Number of users attacked by Trojan-Ransom cryptor malware (Q2 2016)]

In Q2 2016, 311,590 unique users were attacked by cryptors, which is 16% less than the previous quarter.

Approximately 21% of those attacked were in the corporate sector.

It is important to keep in mind that the real number of incidents is several times higher: the statistics reflect only the results of signature-based and heuristic detections, while in most cases Kaspersky Lab products detect encryption Trojans based on behavior recognition models and issue the Generic verdict, which does not distinguish the type of malicious software.

Top 10 countries attacked by cryptors

Country* | % of users attacked by cryptors**
1 Japan | 2.40
2 Italy | 1.50
3 Djibouti | 1.46
4 Luxembourg | 1.36
5 Bulgaria | 1.34
6 Croatia | 1.25
7 Maldives | 1.22
8 Korea | 1.21
9 Netherlands | 1.15
10 Taiwan | 1.04

* We excluded those countries where the number of Kaspersky Lab product users is relatively small (less than 10,000).
** Unique users whose computers have been targeted by ransomware as a percentage of all unique users of Kaspersky Lab products in the country.

In Q2, half of the top 10 were European countries – one less than the previous quarter. Japan, which came ninth in Q1, topped the ranking of countries attacked by cryptors with 2.40%: the most widespread cryptor families in the country were Teslacrypt, Locky and Cryakl. Newcomers to this ranking were Djibouti (1.46%), Korea (1.21%) and Taiwan (1.04%).

Top 10 most widespread cryptor families

Name | Verdict* | Percentage of users**
1 CTB-Locker | Trojan-Ransom.Win32.Onion/Trojan-Ransom.NSIS.Onion | 14.59
2 Teslacrypt | Trojan-Ransom.Win32.Bitman | 8.36
3 Locky | Trojan-Ransom.Win32.Locky | 3.34
4 Shade | Trojan-Ransom.Win32.Shade | 2.14
5 Cryrar/ACCDFISA | Trojan-Ransom.Win32.Cryrar | 2.02
6 Cryptowall | Trojan-Ransom.Win32.Cryptodef | 1.98
7 Cryakl | Trojan-Ransom.Win32.Cryakl | 1.93
8 Cerber | Trojan-Ransom.Win32.Zerber | 1.53
9 Scatter | Trojan-Ransom.BAT.Scatter/Trojan-Downloader.JS.Scatter/Trojan-Dropper.JS.Scatter/Trojan-Ransom.Win32.Scatter | 1.39
10 Rakhni | Trojan-Ransom.Win32.Rakhni/Trojan-Downloader.Win32.Rakhni | 1.13

* These statistics are based on detection verdicts received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by a specific Trojan-Ransom family as a percentage of all users of Kaspersky Lab products attacked by Trojan-Ransom malware.

First place in Q2 was occupied by the CTB-Locker (Trojan-Ransom.Win32/NSIS.Onion) family.
In second place was the TeslaCrypt family represented by one verdict: Trojan-Ransom.Win32.Bitman. The Trojan-Ransom.JS.Cryptoload verdict, which in the past downloaded malware and was associated with TeslaCrypt, is no longer characteristic of this family only. TeslaCrypt was earlier a major contributor to the statistics, but fortunately ceased to exist in May 2016 – the owners disabled their servers and posted a master key to decrypt files.

Cerber and Cryrar are the only changes to this ranking compared to the previous quarter.

The Cerber cryptor spreads via spam and exploit kits.

The cryptor’s site on the Tor network is translated into lots of languages. Cerber’s special features include the following:

- It explores the infected system meticulously: it checks for the presence of an antivirus, checks whether it is running under a virtual machine (Parallels, VMware, QEMU, VirtualBox) or Wine, and checks for utilities from various researchers and analysts (it does this by searching for certain processes and files on the disk drive); it even has a blacklist of system drive serial numbers.
- It checks the keyboard layout and the IP address of the infected system. If it detects that the machine is located in a CIS country, it stops infecting it.
- It attempts to bypass antivirus protection by terminating its processes, interrupting services and deleting files.
- In addition to notifying users about encryption in the form of TXT and HTML files, as is the case with other families, it also runs the VBS script which reproduces the following voice message: “Attention! Attention! Attention! Your documents, photos, databases and other important files have been encrypted!”

The Cryrar cryptor, also known as the Anti Cyber Crime Department of Federal Internet Security Agency (ACCDFISA), Anti-Child Porn Spam Protection, etc., first appeared back in 2012. It has the distinctive feature of placing the victim’s files in password-protected self-extracting RAR archives. According to KSN statistics, it shows no signs of conceding its position to newer rivals.

Top 10 countries where online resources are seeded with malware

The following statistics are based on the physical location of the online resources that were used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.).

Any unique host could be the source of one or more web attacks. In order to determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q2 2016, Kaspersky Lab solutions blocked 171,895,830 attacks launched from web resources located in 191 countries around the world. 54,539,948 unique URLs were recognized as malicious by web antivirus components.

81% of notifications about blocked web attacks were triggered by attacks coming from web resources located in 10 countries.

[Figure: Distribution of web attack sources by country, Q2 2016]

The US (35.44%) returned to the top of this ranking in the second quarter. Russia (10.28%) moved up one place to second. The previous quarter’s leader, the Netherlands, dropped to fourth place after its share fell by 17.7 percentage points. Germany completed the Top 3 with a share of 8.9%. Bulgaria left the Top 10, while Canada was a newcomer in ninth place with 0.96%.

Countries where users faced the greatest risk of online infection

In order to assess the risk of online infection faced by users in different countries, we calculated the percentage of Kaspersky Lab users in each country who encountered detection verdicts on their machines during the quarter.

The resulting data provides an indication of the aggressiveness of the environment in which computers work in different countries.

Country* | % of unique users attacked**
1 Azerbaijan | 32.10
2 Russia | 30.80
3 China | 29.35
4 Slovenia | 27.54
5 Ukraine | 27.46
6 Kazakhstan | 27.03
7 Vietnam | 26.02
8 Algeria | 25.63
9 Armenia | 25.09
10 Belarus | 24.60
11 Brazil | 24.05
12 France | 22.45
13 Moldova | 22.34
14 Kyrgyzstan | 22.13
15 Bulgaria | 22.06
16 Italy | 21.68
17 Chile | 21.56
18 Qatar | 20.10
19 India | 20.00
20 Portugal | 19.84

These statistics are based on the detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
* These calculations excluded countries where the number of Kaspersky Lab users is relatively small (fewer than 10,000 users).
** Unique users whose computers have been targeted by web attacks as a percentage of all unique users of Kaspersky Lab products in the country.

In Q2, Azerbaijan moved up from fourth to first place and became the new leader of this ranking with 32.1%. Russia (30.8%) dropped from first to second, while Kazakhstan (27.03%) fell from second to sixth place.

Since the previous quarter, Spain, Lithuania, Croatia and Turkey have all left the TOP 20. The newcomers to this ranking were Bulgaria (22.06%), Chile (21.56%), Qatar (20.10%) and Portugal (19.84%).

The countries with the safest online surfing environments included Canada (15%), Romania (14.6%), Belgium (13.7%), Mexico (13.2%), the US (12.8%), Switzerland (12.4%), New Zealand (12.1%), Czech Republic (12%), Argentina (9.9%), Japan (9.5%), the Netherlands (8.3%), Sweden (8.2%) and Germany (8%).

On average, 19.4% of computers connected to the Internet globally were subjected to at least one web attack during the three months.

This is a fall of 1.8 p.p. compared to Q1 2016.

Local threats

Local infection statistics for user computers are a very important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.).

Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.

In Q2 2016, Kaspersky Lab’s file antivirus detected 249,619,379 unique malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection

For each of the countries, we calculated the percentage of Kaspersky Lab product users on whose computers the file antivirus was triggered during the quarter. These statistics reflect the level of personal computer infection in different countries.

Top 20 countries with the highest levels of computer infection

Country* | % of unique users**
1 Somalia | 65.80
2 Vietnam | 63.33
3 Tajikistan | 62.00
4 Russia | 61.56
5 Kyrgyzstan | 60.80
6 Bangladesh | 60.19
7 Afghanistan | 60.00
8 Armenia | 59.74
9 Ukraine | 59.67
10 Nepal | 59.66
11 Ethiopia | 59.63
12 Laos | 58.43
13 Kazakhstan | 57.72
14 Rwanda | 57.33
15 Djibouti | 56.07
16 Yemen | 55.98
17 Venezuela | 55.76
18 Algeria | 55.58
19 Cambodia | 55.56
20 Iraq | 55.55

These statistics are based on the detection verdicts returned by on-access and on-demand antivirus modules, received from users of Kaspersky Lab products who have consented to provide their statistical data. The data include detections of malicious programs located on users’ computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives.
* These calculations exclude countries where the number of Kaspersky Lab users is relatively small (fewer than 10,000 users).
** The percentage of unique users in the country with computers that blocked local threats as a percentage of all unique users of Kaspersky Lab products.

Somalia remained the leader of this ranking in Q2 2016 with 65.8%. Yemen (55.98%) fell from second to sixteenth place, while Vietnam (63.33%) jumped from eighth to second. Tajikistan (62%) rounded off the TOP 3. Russia moved up one place from fifth to fourth, although the figure for that country declined by 2.62 percentage points to 61.56%.

Newcomers to this ranking are Djibouti in fifteenth place (56.07%), Venezuela in seventeenth (55.76%), and Cambodia in nineteenth (55.56%).

The safest countries in terms of local infection risks were Croatia (29%), Singapore (28.4%), Germany (28.1%), Norway (27.6%), the US (27.1%), Switzerland (26.3%), Japan (22.1%), Denmark (21.4%) and Sweden (21.3%).

An average of 43.3% of computers globally faced at least one local threat during Q2 2016, which is 1.2 p.p. less than in the previous quarter.

Guilt by ASN: Compiler’s bad memory bug could sting mobes, cell...

Telco, embedded systems may inherit remote vulns

A vulnerability in a widely used ASN.1 compiler isn't a good thing: it means a bunch of downstream systems – including mobile phones and cell towers – will inherit the bug.

And an ASN.1 bug is what the Sadosky Foundation in Argentina has turned up, in Objective Systems' software.

The Argentinean research foundation says Objective's ASN1C compiler for C/C++ version 7.0.0 (other builds are probably affected) generates code that suffers from heap memory corruption.

This could be potentially exploited to run malware on machines and devices that run the vulnerable compiler output or interfere with their operation.

We're in fairly arcane territory here, so Vulture South will beg your patience.

ASN.1 (it stands for Abstract Syntax Notation) is a standard, rather than a programming language. Among other things, LDAP, H.323, Kerberos, SS7 and the Simple Network Management Protocol (SNMP) use it to describe their data interchange.

ASN compilers relieve the developer from having to learn the complicated notation themselves, by automating code production: in other words, rather than writing software that handles ASN data, you use a tool like Objective's ASN1C compiler to generate the source code you need to process ASN-encoded information for your application. You then build that machine-written code, and ship it.

That makes a bug in the compiler a serious issue even if, as the Sadosky Foundation's detailed advisory says, it's hard to assess just how big the issue might be right now.

The compiler-generated code that controls your mobile phone's radio – the baseband component – and the network providing your phone signal and connectivity may be buggy as a result of this toolchain weakness. Those bugs, exploitable via data thrown at them over the airwaves, will end up built into critical gear and no one will realize there are security holes present – until now.

“The vulnerability could be triggered remotely without any authentication in scenarios where the vulnerable code receives and processes ASN.1 encoded data from untrusted sources, these may include communications between mobile devices and telecommunication network infrastructure nodes, communications between nodes in a carrier's network or across carrier boundaries, or communication between mutually untrusted endpoints in a data network,” the advisory states.

“Due to the fact that the bugs are located in the core runtime support library, it is hard to assess its exploitability in all scenarios but it is safe to assume that it would lead [to] attacker controlled memory corruption.”

Objective has issued an interim release, ASN1C 7.0.1, and says the patch will be incorporated in the upcoming 7.0.2 release.

And, of course, any programmer using the compiler will have to check whether their software inherits the bug from the toolchain, and push out their own patches. Which then have to be included in shipping products.

And that's where it'll get messy.

US CERT is due to publish an advisory detailing the known vulnerable systems and software.