FortiGuard Center

The State of Malware Today - April 2007



This month's highlights:

April, by the numbers:

Top 10 threats caught by Fortinet's FortiGate security appliances in April 2007:

Rank  Malware                      %
  1   HTML/BankFraud.E!phish       10.68
  2   HTML/Phishbank.BGU!phish      5.57
  3   W32/Stration.JQ@mm            2.28
  4   W32/Bagle.DY@mm               2.01
  5   W32/Netsky.P@mm               1.95
  6   HTML/Iframe_CID!exploit       1.67
  7   W32/Grew.A!worm               1.17
  8   Adware/Solutions180           1.03
  9   W32/Bagle.GT@mm               1
 10   W32/ANI07.A!exploit           0.94

This month's top 10 is particularly interesting, raising no less than four remarkable points:

  • Phishing is back: last month, detections of HTML/Volksbanken!phish had dropped to 21st place, with BankFraud.E ranking 25th and BankFraud.OD 32nd; April sees phishing detections return to the top, with the generic BankFraud.E and Phishbank.BGU detections together totaling more than 16% of global hits on FortiGate appliances worldwide. Overall, phishing detections have increased by 13.72 percentage points (from 3.72% to 17.44% of all detections) since last month.

  • Adware/Solutions180's revival is confirmed: 10th last month, the infamous piece of adware now ranks 8th. A look at figure 1 below, however, clearly shows an absence of the activity peaks that are characteristic of large botnets being used to plant spyware/adware, as we demonstrated in a previous report.


    Figure 1: Adware/Solutions180 activity curve is reasonably steady

    This figure should be compared with the activity curve of the late, botnet-powered Adware/BetterInternet, as pictured in February 2006 in figure 2 below:



    Figure 2: Adware/BetterInternet activity curve exhibits peaks of installation on every Monday and Thursday of the Month


  • Stration upsurge: a Stration variant, W32/Stration.JQ@mm, was seeded so heavily this month that it took 3rd place in our top 10. A look at its activity over the month, below, shows that the majority of detection hits were gathered on a single (black) day: April 19th.

    Figure 3: Stration variant of the Month

  • Last, but not least: W32/ANI07.A!exploit closes our top 10 this month. The infamous flaw (aka MS07-017) has been steadily exploited throughout the month, and overall represents 1% of April's global malware activity, which is a tremendously high score for a mainly web-based exploit. The thought that some users out there are still surfing the web unpatched is chilling indeed.

Up the skirt, under the radar

An interesting email hit our honeypots this month, riding the wave of media fuss around yet another pop superstar caught by the paparazzi while conspicuously lacking any underwear. Viewed in a typical email client, the email looked like this (minus the blurred parts):



Figure 5: Guess who's who


That is to say, a simple image (which had already appeared on numerous celebrity gossip blogs). Notice that clicking on the image leads you to a suspicious site. Up to that point, this is Social Engineering 101: celebrity gossip and nudity are two ingredients of a generally very effective social engineering brew, aimed at bringing people where you want them to go (in this case, to a pornographic site's registration page). The email's HTML source, however, is more interesting, as shown in figure 6 below:



Figure 6: Up-source


Essentially, the spammers behind this dangerous operation (children may run into a mailbox containing this, whether it is an adult's mailbox or their own) buried the image link deep inside decoy text, in order to stay under the antispam filters' radar. The text is taken from newsgroups and public internet forums, ranging from photography forums to computer newsgroups, in different languages, in an attempt to give the produced mail a truly "human" touch (at least in the eyes of Bayesian antispam filters). Then, in order to hide the decoy text from targeted users and avoid distracting their attention from the picture, the text parts are embedded in HTML comments or "style" tags.

According to Guillaume Lovet, Fortinet Global Security Research Team manager, this strategy, though undeniably interesting, has several flaws. First of all, an intelligent antispam system will not feed its Bayesian filters with text that is obviously not displayed in user interfaces (HTML comments and style parameters typically aren't). Further, computing the ratio of non-displayed content to displayed content would yield an unusually high value, leaving few doubts about the true "spammish" nature of the email... Finer filters may even notice that few people write emails containing more than 3,000 characters and mixing different languages.
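The three checks described above (feed the Bayesian filter only rendered text, compare hidden to rendered text, and flag oversized bodies), as an added example that is not part of the original report or of Fortinet's filters. The sample mail is constructed here to mimic the structure in figure 6: an image link surrounded by forum text hidden in a style tag and HTML comments.

```python
from html.parser import HTMLParser


class RenderedTextSplitter(HTMLParser):
    """Separate text a mail client renders from text it never displays
    (HTML comments and the contents of <style>/<script> elements)."""

    def __init__(self):
        super().__init__()
        self.visible, self.hidden = [], []
        self._hidden_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("style", "script"):
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in ("style", "script") and self._hidden_depth:
            self._hidden_depth -= 1

    def handle_data(self, data):
        (self.hidden if self._hidden_depth else self.visible).append(data)

    def handle_comment(self, data):          # comments are never rendered
        self.hidden.append(data)


def split_rendered_text(html):
    """Return (visible, hidden) text; only 'visible' belongs in a Bayesian filter."""
    p = RenderedTextSplitter()
    p.feed(html)
    p.close()
    join = lambda parts: " ".join(s.strip() for s in parts if s.strip())
    return join(p.visible), join(p.hidden)


def decoy_text_score(html, ratio_threshold=5.0, size_threshold=3000):
    """Flag a body whose hidden text dwarfs its rendered text, or whose
    total text exceeds what people normally type into an email."""
    visible, hidden = split_rendered_text(html)
    ratio = len(hidden) / max(len(visible), 1)   # picture-only body -> divide by 1
    return ratio >= ratio_threshold or len(visible) + len(hidden) > size_threshold


# Constructed sample: image link plus multilingual forum decoy text that is not rendered.
SAMPLE_SPAM = """<html><head><style>
Which lens would you recommend for low-light shots? The 50mm hunts a lot indoors.
</style></head><body>
<!-- Ich habe das gleiche Problem mit dem Treiber, neu installieren hilft nicht -->
<a href="http://example.invalid/signup"><img src="cid:pic01"></a>
<!-- Re: power supply fan noise. Mine does the same since the firmware update -->
</body></html>"""
SAMPLE_LEGIT = "<html><body><p>Hi, see the attached photo from the trip.</p></body></html>"
```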

At the other extreme of Ockham's razor, we also captured a small quantity of these "pump and dump" stock spams:




Figure 7: Light is right


The mail body is minimalist, to say the least. Those spammers likely bet that, since cognitive filters today are mainly trained to stop image-based spam armored with heavy decoy text, such short messages would look utterly human to the filters' cognitive components, at least during a short but exploitable window of opportunity. An interesting approach.


Cheap polymorphism and high stakes

This month, the Tibs virus (a.k.a. "the Storm Worm") entered a new stage. After occupying the front of the stage since its noisy appearance on the malware scene a few months ago, the server-side polymorphic virus has started to use an old (and seemingly forgotten until now) social engineering strategy: it arrives attached to malicious emails as a password-protected, and therefore encrypted, zip archive. The email's body, of course, contains the social-engineering pitch characteristic of previous Tibs variants ("your account is sending infected emails, blah blah, please run this to clean things up. Best Regards, Your Dear Admin"), plus a picture containing the password for the protected archive, so that AV filters cannot parse the password, extract the archive and scan its contents.

As mentioned above, this is nothing new: early versions of Bagle resorted to the same trick some three years ago. But back then, the goal was merely to re-use an old variant without actually modifying it, while still getting it past signature-based AV filters for a little while. According to Lovet, that strategy naturally faded out when we entered the packers era, since repacking an old variant served the same goal without the hassle of bundling images and complex social engineering pitches.

So, why does it surface again all of a sudden? Our guess is that the Tibs authors, who heavily resorted to server-side polymorphism before, realized they could use this strategy to implement very cheap (to achieve) and very effective server-side polymorphism: only one variant is used throughout the whole process, and instead of being tweaked and repacked with various underground packers that most of the AV industry flags as suspicious (or simply blocks without caring about the packed content), it is just regularly re-zipped with a different password, producing totally different archives on a regular basis. Of course, automated extraction of these archives is made particularly difficult for AV filters by embedding the password in an image.
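A gateway-side consequence of the trick described above: an encrypted archive cannot be scanned, so the only reliable signal left is the archive metadata itself. The check below, an added example that is not Fortinet's code or detection logic, reads the ZIP central directory, flags entries carrying the "encrypted" general-purpose flag, and applies a policy verdict; the encrypted sample archive and the member names are constructed here (the ciphertext is a stand-in, nothing is decrypted).

```python
import io
import struct
import zipfile
import zlib

# Constructed policy list of member extensions a gateway refuses to pass unscanned.
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def build_encrypted_zip_sample(name: bytes, body: bytes) -> bytes:
    """Constructed sample: minimal ZIP with one 'stored' entry whose general-purpose
    flag bit 0 (encrypted) is set. 'body' only stands in for ciphertext."""
    crc, n = zlib.crc32(body) & 0xFFFFFFFF, len(body)
    flags, method, mtime, mdate = 0x0001, 0, 0, 0x21          # 1980-01-01
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method,
                        mtime, mdate, crc, n, n, len(name), 0) + name + body
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                          method, mtime, mdate, crc, n, n, len(name),
                          0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1,
                       len(central), len(local), 0)
    return local + central + eocd


def build_plain_zip(name: str, body: bytes) -> bytes:
    """Unencrypted comparison archive built with the standard library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, body)
    return buf.getvalue()


def encrypted_members(archive: bytes):
    """Names of entries the AV engine cannot open without the password,
    read from the central directory only (no extraction attempted)."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [zi.filename for zi in zf.infolist() if zi.flag_bits & 0x1]


def gateway_verdict(archive: bytes) -> str:
    enc = encrypted_members(archive)
    if not enc:
        return "scan"          # plain archive: hand it to the AV engine
    if any(n.lower().endswith(EXECUTABLE_EXT) for n in enc):
        return "quarantine"    # encrypted executable nobody can inspect
    return "hold"              # encrypted data file: review or bounce per policy
```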

Those password-protected archived variants, which we detect as W32/PkTibs.fam!tr, made up 45% of all Tibs detections this month, mainly due to one isolated seeding operation that occurred on April 11th, as can be seen in figure 8 below:



Figure 8: PkTibs vs Tibs