Threat Summaries


2011 Threat Summary



2011 saw rapid growth and significant shifts in the global smartphone market, with Google’s Android and Apple’s iOS dominating the battle between mobile operating systems. Malware threats continued to proliferate on the Android platform throughout the year.

Despite the increasing visibility and media attention on mobile malware, desktop machines remain the most targeted devices, and desktop PC-based malware remains the most prevalent threat. This year also saw the rise of three major forces in online threats – online criminals, hacktivists and nation-states.

In terms of malware development, the most significant milestone in 2011 is the discovery of Duqu, successor to 2010’s Stuxnet. Also of interest is a rash of malware on the Mac OS X platform in the later months of the year.


Emergence of major players

Organized criminals continue to use online attacks as money-making activities, mainly by using malicious programs or online scams to infect computers, target bank accounts or hijack online transactions. According to Mikko Hypponen, F-Secure’s Chief Research Officer, “[today], it’s more likely for any of us to become a victim of crime online than here in the real world. And it’s very obvious that it’s only going to get worse. In the future, the majority of crime will be online.”

2011 was the year when ‘hacktivism’ – as performed by the amorphous Anonymous collective and its counterparts – also proved capable of organizing significant off-line political protests. Unlike previous outbreaks of online activism, these groups were able to move beyond attacks against government or commercial databases to successfully organizing multiple real-world protests.   

Nation-states have also become heavily implicated or suspected actors in a number of online attacks, in particular sophisticated, targeted campaigns against perceived ‘dissidents’, ‘rogue nations’ or even simple corporate espionage.

These trends are presented in more detail in Hypponen’s presentations, in various public forums:


Duqu follows in Stuxnet’s footsteps

In purely technical terms, the most interesting development of 2011 is the appearance of Duqu, which surfaced almost one year after its predecessor, Stuxnet, was discovered.

Given the strong code similarities between the two pieces of malware, there is a strong probability that both were created by the same party. The similarities extend to the use of stolen certificates to sign their driver files, though the details of the certificates differ.

According to Mikko Hypponen, F-Secure’s Chief Research Officer, “unlike Stuxnet, [Duqu] does not target automation or PLC gear. Instead, it's used for reconnaissance. Duqu collects various types of information from infected systems for a future attack. It's possible we'll eventually see a new attack based on the information gathered by Duqu.”

Though speculation is rampant about the origins and intentions of this new malware, like Stuxnet before it, no one has claimed responsibility for Duqu.


Windows 7 overtakes XP

2011 is the year when Windows 7 finally overtook Windows XP[1] as the leading desktop operating system (OS), with 40.5% of the global web market. Despite its decline, however, Windows XP remains one of the most common operating systems installed worldwide at 38.5% market share, particularly among home users, and as such continues to be the favored target for online criminals.

Sean Sullivan, Security Advisor at F-Secure, says: “People seem to be adding new systems without necessarily abandoning their old XP machines, which is great news for online criminals, as XP continues to be their favorite target.”

As its increased market share makes Windows 7 a more attractive target for attackers, 2012 is likely to see the development of threats aimed at that platform.


OS X Lion gains market share and malware

Desktop OS market share figures also shifted to reflect the release of Mac OS X Lion in July, which rapidly gained over 16% of the Mac user base in the US[4]. For the first time, Mac OS X machines topped 6% of the worldwide desktop market, and just over 13% in the US[5].

Perhaps not coincidentally, the latter half of 2011 also saw the emergence of a number of new threats on the OS X platform, including the Revir and Flashback trojans, the Tsunami IRC bot and DevilRobber backdoor.

Of particular technical interest are the Flashback trojans, which include a routine that aborts execution if an active virtualization environment is found on the machine. According to the Labs analysts, this behavior is “a common anti-research technique used within the Windows ecosystem, but not yet so in Mac's. It appears that Mac malware authors are anticipating that researchers will begin to use virtualized environments during analysis, and are taking steps to hamper such efforts.”

While we have seen more threats on the Mac platform this year than at any time prior, overall it appears that the most recent run of malware has been ‘testing the waters’, as these threats mostly used attack strategies, techniques or even code that have previously proven successful on other platforms.

No threats on this platform have successfully monetized their operations so far, with the possible exception of DevilRobber.A, which took the most direct money-making route by using infected computers to mine the digital Bitcoin currency.


Steve Jobs passes away

The death of Apple founder and former CEO Steve Jobs in 2011 presents a challenge for Apple, as it must now find a way to continue its incredible record of innovations without the charismatic figurehead many saw as both its driving force and ultimate arbiter. 

As on countless previous occasions when a celebrity passed away, the event triggered a wave of spam and SEO poisoning attacks capitalizing on users looking for news.



In 2011, tablets became firmly established as a must-have item for businesses and schools as well as personal use, which in turn has driven interest in both the consumer device and application development for it. Apple’s iOS blazed the trail in this field and still holds the title of the most sought-after platform, for users and developers alike (iPad 2 currently claims 68.3% of the global market)[2].

That lead is predicted to hold through most of next year, and most likely even the year beyond, though the December 2011 launch of the highly anticipated Android 4.0 OS version (Ice Cream Sandwich or ICS) is likely to drive more shifts in market share in 2012.

The new Android OS release promises to solve or mitigate a range of concerns that have so far stymied app development for tablets using that platform. If the new release proves popular with users, Android would finally become a compelling alternative for app developers, who have thus far mostly preferred to work within Apple’s more streamlined development environment.

Other competitors in the tablet OS space have been struggling to keep up with the two giants and have had a hard year, with HP’s webOS ending 2011 in limbo as all related hardware development is halted, Microsoft’s Windows 7 yet to gain significant traction and Blackberry’s Playbook essentially taking a distant third place in the competition for market share. Looking forward to 2012, the development of Windows 8 and its new ‘Metro’ UI for tablets is the only new entrant into this market.

Despite the significant growth in tablet usage, malware targeting this device type has not yet been discovered. Though standard online or browser-based attacks – phishing, spam, click-jacking, social networking worms, etc. – are still viable, these are not actually tablet-specific.


Shifts in the mobile market

2011 also saw Android emerge as the most popular smartphone platform, with 52.5% of the global market at the end of Q3, followed by Symbian (16.9%) and iOS (15%)[3].  The rapid change in market share between the mobile platforms is also closely tied with another phenomenon – growth in smartphone ownership, particularly outside developed markets such as the United States and Europe.  

Even though changes in market share currently favor Android, major developments expected in 2012 may tip the scales again. Most significant among these changes is Nokia’s partnership with Microsoft to put Windows Phone 7 as the native OS on its smartphones. It therefore seems likely users will migrate from Symbian to either one of the current competitors or to Windows Phone 7, leading to more shifting in market share.

Following the announcement of the partnership, and the sharp drop of interest in Symbian app development that resulted, the eventual demise of Symbian seems likely, and with it that of Symbian malware, which has traditionally accounted for the most numerous mobile threats. Whether a drop in malware activity on Symbian simply means more malicious attention being transferred to iOS or Android – or even to Windows Phone 7 – remains to be seen.


Mobile malware development

Growth in smartphone ownership has been particularly strong in Russia and China, and in the last two years, we have seen growth in mobile threats specifically targeted to users in these two markets, including premium-SMS trojans, spyware and grayware (apps that skirt the boundaries of legitimate usage).

Mobile developments in these two countries are particularly significant because a number of circumstances specific to Russia and China – including, among other factors, huge domestic audiences, relatively strong levels of technical expertise and uneven law enforcement – have made them ‘development hotbeds’ for mobile malware.

The most prevalent mobile threats we’ve seen targeting users in these two markets have been premium-SMS trojans. In most cases, these threats have exploited country-specific or even network-specific issues in order to monetize their operations. As such, these threats have been strongly localized and have had little impact on users beyond their borders or network coverage areas.

It is, however, likely that an enterprising criminal will eventually develop and distribute a ‘kit’ or utility program that would allow attackers outside these countries to run similar operations, targeted to users in their own geographical region.

Though not an absolute certainty, such a development has strong historical precedent, as we’ve already seen a number of other attack patterns (spam floods, Distributed Denial of Service attacks, worm outbreaks, etc.) similarly evolve from a manually-run operation requiring technical expertise into automated attacks launched using a simple kit that requires minimal skill.



1. StatCounter: Windows 7 overtakes XP globally for first time in October; http://gs.statcounter.com/press

2. IDC: Media Tablet and eReader Markets Beat Second Quarter Targets, Forecast Increased for 2011, According to IDC

3. Gartner: Gartner Says Sales of Mobile Devices Grew 5.6 Percent in Third Quarter of 2011; Smartphone Sales Increased 42 Percent; http://www.gartner.com/it/page.jsp?id=1848514

4. Mikey Campbell, Apple Insider: OS X Lion growth stagnates at 16% Mac market share

5. Chris Smith, Apple Insider: Mac OS X install base grows to over 6% worldwide, 13% in the US

