Prevalence Report

The State of Malware - April 2008 Edition



This edition's highlights: Malware by the numbers

The following malware statistics are based on threats caught by Fortinet's FortiGate security appliances for the period March 21st - April 20th, 2008.

Top Ten Variants

Top ten malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100:
Rank     Malware Variant                  Percentage  Top 100 Shift
1        W32/Netsky!similar               8.6             +1
2        W32/Mutant.CV!tr.dldr            7.2            new
3        HTML/Iframe_CID!exploit          6.0              -
4        W32/Pushdo.EV!tr.dldr            5.6             -3
5        W32/Virut.A                      5.6             +4
6        W32/OnLineGamesEncPK.fam!tr.pws  4.1            +15
7        W32/OnLineGames.SIN!tr.pws       2.6            +31
8        W32/MyTob.BH.fam@mm              2.2             -3
9        W32/Small.FQS!tr.dldr            2.0             +7
10       W32/MyTob.FR@mm                  1.5             -4
With consistent activity from the familiar faces, there was a new theme to this malware edition:
  • Two online gaming trojans blast their way into sixth and seventh place as a result of heavy activity in Asia
  • The Cutwail variant Mutant.CV solidifies its second position with the launch of a campaign on April Fools' Day
  • Pushdo, Virut and MyTob maintain consistent activity and remain prevalent threats
Top Five Families

Malware variant activity for this edition has been grouped into family and sorted with the major families listed below. Percentage indicates the portion of activity accumulated by the family out of all threats reported in this edition. Top 10 shifts indicate positional changes compared to last edition's Top 10 ranking, with "new" highlighting the malware family's debut in the top ten:
Rank     Malware Family                    Percentage  Top 10 Shift
1        Netsky                            13.8             -
2        MyTob                              8.5            +1
3        Cutwail                            7.2           new
4        Virut                              6.0             -
5        Pushdo                             5.9            -3
Activity for the Netsky and MyTob families has deflated slightly on the threatscape compared to last edition. However, MyTob remains a prevalent threat, claiming second spot this edition by climbing one rank. The mass mailing family Cutwail (aka Pandex/Mutant) has claimed third place, showing heavy activity. Cutwail is known to be a downloaded component of the Pushdo botnet, which continues a vibrant campaign and sits in fifth place of all malware family activity.

Activity recap

Similar to Pushdo's mass mailing distribution campaign, which we wrote about in our last edition, Mutant.CV was seen spreading in April through screen saver attachments. This malware uses the same enticing lures as Pushdo (celebrities and pornographic material). The attachment is a small zip archive containing an executable with a ".scr" extension. The footprint is noticeably smaller, at roughly 11 kilobytes uncompressed. Figure 1 below shows an email carrying Mutant.CV making the rounds in April 2008:


Figure 1: Mutant.CV posing to be pornographic screen savers


Looking at activity for this edition, we can see that Mutant.CV and Pushdo share identical mass mailing engine traits, presenting distinct peaks and valleys. Most of the activity for this variant picked up at the beginning of April. In contrast, activity for the two online gaming trojans present in our top ten was more or less consistent on a daily basis, as can be seen from start to finish of the indicated time period in Figure 2 below:


Figure 2: Mutant.CV, OnLineGames.SIN and OnLineGamesEncPK.fam activity for this edition


Online gaming trojans heat up in Asia

In this edition, trojans have shown a surge in activity as a result of the growing popularity of online gaming. These trojans are designed to harvest passwords and account credentials for popular games played online; the accounts are routinely sold for cold hard cash. Online gaming has no doubt become a huge, growing market, estimated in 2007 to represent between 3.5 and 4.5 billion Euro[1]. Asia is clearly no exception to this trend; a recent report[2] states that Asia currently accounts for 50% of worldwide online gaming revenue. Given its large user base, this market is becoming a popular target for cyber crime. As a general rule, high-profile sites are used for everything from malware distribution to 'spamvertisement' because they offer a broad user base. The same concept applies to online gaming, and we are witnessing an increase in activity in this area. The revenue forecast for the online gaming market is healthy, so the likelihood of such trojans disappearing anytime soon is next to nil. Flashy advertisements are common in this industry, and such advertisements and themes would make excellent hooks for future social engineering ploys, from malware infection to phishing schemes. Spam is now appearing on social networking sites; will it make its way to virtual communities in the online gaming world?

It seems to be a recurring theme of global scale. No matter in which area you reside, similar ploys are put into place when it comes to luring unsuspecting victims into executing malicious code. Much like Pushdo / Cutwail, mass emails circulating in Asia carrying the OnLineGamesEncPK.fam payload use the same theme. What is unique about this specific attack is that it is localized, targeted at an Asian audience using the traditional Chinese language. Figure 3a below shows a fresh email circulated in April 2008 which carries this payload:


Figure 3a: OnLineGamesEncPK.fam using localized social engineering tactics in the traditional Chinese language


The subject of this email suggests that the recipient take a look at a girl who is supposed to be the sender's wife[3]. The text body is rather odd, describing a woman in Chinese. It mostly serves to pique curiosity so that the end user opens the attachment, which presumably contains pictures. Of course, executing the attachment results in an OnLineGamesEncPK.fam infection if the user does not have adequate anti-virus protection. The subject and body of the campaign used in April seem slightly different from the one we saw in the past two months. Previously, this trojan used a social engineering hook leveraging celebrities and provocative photos. The subject was "2008 Ya Tou Hot Photos", with the body stating "2008 Ya Tou Super Hot Photos, can't believe. Hei Se Hui Ya Tou Hot Photos, Hurry Up"[3]. Hei Se Hui is a popular entertainment show in Taiwan on 'Channel V', and Ya Tou is a Taiwanese actress. Figure 3b below shows this:


Figure 3b: Previous campaigns with OnLineGamesEncPK.fam using similar localized social engineering ploys


This attack certainly generated a lot of activity, as shown in our top ten this edition. "Localization tactics were employed in an attack concentrated in Taiwan by using the traditional Chinese language, as well as Taiwanese female celebrity pictures, in the execution hook," observed Fortinet security researcher Derek Manky. The vast majority of the activity observed for OnLineGamesEncPK.fam was in Taiwan, with Japan a distant second, as seen in Figure 4a below:


Figure 4a: This edition's geographic activity for OnLineGamesEncPK.fam


The other prevalent gaming trojan was OnLineGames.SIN, which jumped 31 spots in our Top 100 ranking from last edition. This variant had dominant activity in China, followed by Japan and Hong Kong as a distant second and third respectively. Figure 4b below shows this trend:


Figure 4b: This edition's geographic activity for OnLineGames.SIN


The attachments distributed with OnLineGamesEncPK.fam arrive in a zip archive containing a self-extracting executable. When this executable is launched, files are dropped into a temporary folder. The first dropped file is another self-extracting PE executable, which in turn drops and executes another PE file compressed with an unidentified run-time packer. This second file then launches a command shell which drops and executes a batch file. Interestingly, the batch file was observed to change the system date to April 28, 2008. After all this occurs, the parent executable in the original zip archive drops part of its payload: a JPG image file. This is then displayed to the user and produces the image seen below in Figure 5:


Figure 5: Can I interest you in an online gaming trojan infection?


The obvious point here is to show the user what was promised: pictures. Of course, this is just bait to reduce suspicion; the malicious code has already executed in the background and the OnLineGamesEncPK.fam infection has occurred.
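Both campaigns discussed in this edition arrive as a zip attachment wrapping an executable: Mutant.CV as a tiny ".scr" file, OnLineGamesEncPK.fam as a self-extracting executable that carries a second stage and the bait JPG. The following is an added example of the kind of mail-gateway triage a defender can run on such attachments; it is not Fortinet or FortiGate code. The executable-extension list, the 64 KB "small dropper" threshold, and the self-extracting heuristic (an archive signature appearing in the body of a PE file) are this example's own assumptions, and the sample archives are constructed stand-ins with synthetic PE headers, not the real samples.

```python
"""Attachment triage for the zip-wrapped executables described above.
Added example with constructed inputs, not Fortinet/FortiGate code."""
import io
import os
import struct
import zipfile

# Extensions Windows runs as programs although users rarely read them as such.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}

# Archive signatures that, when found in the body of a PE file, suggest a
# self-extracting stub with an appended archive (heuristic of this example).
SFX_MARKERS = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar", b"7z\xbc\xaf\x27\x1c": "7z"}

SMALL_SIZE = 64 * 1024  # assumption: covers tiny droppers such as the ~11 KB Mutant.CV


def is_pe(data: bytes) -> bool:
    """True if the bytes carry a DOS 'MZ' stub whose e_lfanew points at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sfx_payload_type(data: bytes):
    """Name the archive type appended to a PE, or None if it does not look like an SFX."""
    if not is_pe(data):
        return None
    for magic, name in SFX_MARKERS.items():
        if data.find(magic, 0x40) != -1:  # look past the DOS header
            return name
    return None


def triage_zip(blob: bytes) -> list:
    """Inspect every member of a zip attachment and collect suspicious traits."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            ext = os.path.splitext(info.filename)[1].lower()
            flags = []
            if ext in EXECUTABLE_EXTS:
                flags.append("executable-extension")
            if is_pe(data):
                flags.append("pe-header")
                if ext not in EXECUTABLE_EXTS:
                    flags.append("pe-with-misleading-extension")
            sfx = sfx_payload_type(data)
            if sfx:
                flags.append("self-extracting:" + sfx)
            if data[:4] == b"PK\x03\x04":
                flags.append("nested-archive")
            if flags and info.file_size < SMALL_SIZE:
                flags.append("small-size")
            findings.append({"name": info.filename, "size": info.file_size, "flags": flags})
    return findings


def verdict(findings: list) -> str:
    """Gateway policy: any flagged member is enough to quarantine the message."""
    return "block" if any(f["flags"] for f in findings) else "allow"


def build_fake_pe(overlay: bytes = b"") -> bytes:
    """Construct a minimal MZ/PE header (not a runnable program) for testing."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr) + overlay


def _zip_of(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_archives() -> dict:
    """Constructed attachments modelled on the two campaigns; not the real samples."""
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 100
    return {
        # Mutant.CV style: one tiny .scr that is really a PE
        "screensaver": _zip_of({"hot_video.scr": build_fake_pe(b"\x00" * 10_000)}),
        # OnLineGamesEncPK style: an SFX executable carrying a second stage and the bait image
        "photos": _zip_of({"photos.exe": build_fake_pe(
            _zip_of({"stage2.exe": build_fake_pe(), "bait.jpg": jpeg}))}),
        # benign control: a plain picture
        "benign": _zip_of({"holiday.jpg": jpeg}),
    }


if __name__ == "__main__":
    for label, blob in build_sample_archives().items():
        print(label, verdict(triage_zip(blob)), triage_zip(blob))
```

The self-extracting check is deliberately coarse: it only asks whether an archive signature occurs anywhere after the DOS header, so a legitimate installer with embedded resources can trip it. At a gateway that is an acceptable trade, since the executable-extension and PE-header checks alone already justify quarantine for attachments like these.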

OnLineGames.SIN, on the other hand, is typically distributed as an executable packed with the run-time compressor UPack. This is not a new concept at all, but run-time packers are still used frequently with most malware today in an effort to evade anti-virus detection. This variant drops an executable in the main Windows directory and registers it to run at startup. It also drops a DLL (Dynamic Link Library) and injects it into the memory of the Explorer process.
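The two infection chains above (the nested self-extracting droppers running from a temporary folder and a batch file resetting the system date for OnLineGamesEncPK.fam; an executable dropped into the Windows directory, registered at startup, and a DLL injected into Explorer for OnLineGames.SIN) are behaviours that endpoint telemetry can catch even when the packer defeats signatures. The following is an added example of behavioural rules over such telemetry; it is not FortiGate detection logic. The event schema (process, file_write, reg_set, time_change, remote_thread), the rule names, and the sample events are constructed for this example, and file names such as "svchost32.exe" are placeholders rather than the real dropped file names, which this edition does not give.

```python
"""Behavioural rules for the dropper and persistence traits described above.
Added example with constructed telemetry, not FortiGate detection logic; event
field names, rule names and dropped-file names are this example's own."""
import ntpath

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"


def in_temp(path: str) -> bool:
    return "\\temp\\" in path.lower()


def in_windows_dir(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\")


def in_system32(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\system32\\")


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def detect(events: list) -> list:
    """Return (rule, pid) alerts for the behaviours the two trojans exhibit."""
    alerts = []
    procs = {e["pid"]: e for e in events if e["type"] == "process"}

    # R1: nested droppers, a temp-folder executable spawned by another temp-folder executable
    for p in procs.values():
        parent = procs.get(p["ppid"])
        if parent and in_temp(p["image"]) and in_temp(parent["image"]):
            alerts.append(("nested-temp-dropper", p["pid"]))

    # R2: system time changed by a command shell (the batch file) instead of the time service
    for e in events:
        src = procs.get(e.get("pid"))
        if e["type"] == "time_change" and src and image_name(src["image"]) == "cmd.exe":
            alerts.append(("shell-changed-system-time", e["pid"]))

    # R3: executable written into the Windows directory, then referenced by a Run key value
    dropped = {e["target"].lower() for e in events
               if e["type"] == "file_write" and in_windows_dir(e["target"])
               and e["target"].lower().endswith(".exe")}
    for e in events:
        if (e["type"] == "reg_set" and e["key"].lower().startswith(RUN_KEY.lower())
                and e["value"].lower() in dropped):
            alerts.append(("run-key-persistence", e["pid"]))

    # R4: thread created inside explorer.exe by a process that is not a System32 binary
    for e in events:
        src = procs.get(e.get("pid"))
        if (e["type"] == "remote_thread" and src
                and image_name(e["target_image"]) == "explorer.exe"
                and not in_system32(src["image"])):
            alerts.append(("explorer-injection", e["pid"]))
    return alerts


def sample_events() -> list:
    """Constructed telemetry: chain A mirrors OnLineGamesEncPK.fam, chain B mirrors
    OnLineGames.SIN, followed by benign activity that must not alert."""
    tmp = r"C:\Users\u\AppData\Local\Temp"
    return [
        {"type": "process", "pid": 1, "ppid": 0, "image": r"C:\Windows\explorer.exe"},
        # chain A: zip -> SFX -> SFX in temp -> packed PE in temp -> cmd.exe running a batch file
        {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Users\u\Desktop\photos.exe"},
        {"type": "process", "pid": 101, "ppid": 100, "image": tmp + r"\stage1.exe"},
        {"type": "process", "pid": 102, "ppid": 101, "image": tmp + r"\stage2.exe"},
        {"type": "process", "pid": 103, "ppid": 102, "image": r"C:\Windows\System32\cmd.exe",
         "cmdline": "cmd /c " + tmp + r"\run.bat"},
        {"type": "time_change", "pid": 103, "new_time": "2008-04-28T00:00:00"},
        # chain B: packed downloader drops an exe into the Windows directory, registers it, injects
        {"type": "process", "pid": 200, "ppid": 1, "image": r"C:\Users\u\Downloads\game.exe"},
        {"type": "file_write", "pid": 200, "target": r"C:\Windows\svchost32.exe"},  # placeholder name
        {"type": "reg_set", "pid": 200, "key": RUN_KEY, "name": "svchost32",
         "value": r"C:\Windows\svchost32.exe"},
        {"type": "process", "pid": 201, "ppid": 200, "image": r"C:\Windows\svchost32.exe"},
        {"type": "file_write", "pid": 201, "target": r"C:\Windows\helper.dll"},
        {"type": "remote_thread", "pid": 201, "target_image": r"C:\Windows\explorer.exe"},
        # benign: the time service adjusting the clock, an installer adding a Run entry
        {"type": "process", "pid": 300, "ppid": 1, "image": r"C:\Windows\System32\svchost.exe"},
        {"type": "time_change", "pid": 300, "new_time": "2008-04-20T12:00:01"},
        {"type": "reg_set", "pid": 300, "key": RUN_KEY, "name": "Updater",
         "value": r"C:\Program Files\Vendor\updater.exe"},
    ]


if __name__ == "__main__":
    for rule, pid in detect(sample_events()):
        print(rule, pid)
```

Each rule keys on something the packer cannot hide: the parent/child relationship of processes running from a temporary folder, which process changed the clock, the pairing of a file write in the Windows directory with a Run key pointing at it, and a remote thread landing in Explorer. The benign events at the end show the noise the rules are meant to ignore, namely the time service adjusting the clock and a normal installer adding a startup entry for a file it did not drop into the Windows directory.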

To summarize, both variants show significantly higher activity than in the last edition, highlighting the increasing prevalence of online gaming trojans. Taiwan and China were the areas with concentrated activity, while Japan showed activity for both of the discussed variants.

References:

Disclaimer:

Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. More specific information is available on request from Fortinet. Please note that Fortinet's product information does not constitute or contain any guarantee, warranty or legally binding representation, unless expressly identified as such in a duly signed writing.

About Fortinet ( www.fortinet.com ):

Fortinet is the pioneer and leading provider of ASIC-accelerated unified threat management, or UTM, security systems, which are used by enterprises and service providers to increase their security while reducing total operating costs. Fortinet solutions were built from the ground up to integrate multiple levels of security protection, including firewall, antivirus, intrusion prevention, VPN, spyware prevention and anti-spam, designed to help customers protect against network and content level threats. Leveraging a custom ASIC and unified interface, Fortinet solutions offer advanced security functionality that scales from remote office to chassis-based solutions with integrated management and reporting. Fortinet solutions have won multiple awards around the world and are the only security products that are certified in six programs by ICSA Labs (Firewall, Antivirus, IPSec, SSL, Network IPS, and Anti-Spyware). Fortinet is privately held and based in Sunnyvale, California.