The State of Malware Today - August 2007





This month's highlights:

August, by the numbers


Top 10 threats caught by Fortinet's FortiGate security appliances in August 2007:
Rank        Malware                        Percentage

1            W32/Dloader.K!tr                10.17 %
2            W32/Netsky.P@mm                  9.53 %
3            HTML/Iframe_CID!exploit          7.84 %
4            Adware/CashOn                    6.68 %
5            W32/Dialer.PZ!tr                 4.29 %
6            W32/ANI07.A!exploit              4.00 %
7            HTML/Obscured!exploit            3.70 %
8            W32/Grew.A!worm                  3.42 %
9            W32/Bagle.DY@mm                  3.28 %
10           W32/Virut.fam                    2.88 %

In review, we have several newcomers who have established notable positions in this August's top ten:
  • Dloader.K!tr (aka Small) rockets to the top of the list, ahead of Netsky.P, with over 89% of volume observed in Korea.
  • Cashing in with CashOn: The adware installed via a toolbar plugin for a Korean website seems to be indeed generating a lot of business.
  • Obscured!Exploit is starting to gain momentum, and made it to the top ten for the first time - its activity has increased by 20% since July 2007, and by 75% since June 2007.

There are also some names which have shown persistence, remaining prevalent throughout August:
  • Dialer.PZ remains active, targeting the same geographic locales as discussed in Fortinet's May Malware Report; production waves are still consistent although volume has dropped significantly (around 80%) in comparison to May.
  • As detailed in last month's report, ANI07.A refuses to slip and holds a strong grip on its top ten position.

Korea in the spotlight - Dloader.K!tr and CashOn



Two of our top ten entries this month are of particular interest not only because of their high volume, but also because of where they come from. On further investigation, both Dloader.K!tr and CashOn turn out to originate predominantly from a single country: Korea. Figures 1a/1b, shown below, compare their distributions by geography.


Figure 1a: Dloader.K!tr reported volume for August 2007, categorized by country (Korea and Other)


Figure 1b: CashOn reported volume for August 2007, categorized by country (Korea and Other)


Dloader.K!tr displays large spikes of activity, which is characteristic of a large botnet-driven install. The strong fluctuation of hits occurs in Korea, as can be observed in the graphs shown above. Interestingly, the minor part of its activity (outside of Korea, categorized as Other) does not fluctuate nearly as much as the major part does, suggesting that the source of this distribution campaign resides in Korea itself. There has been a tremendous increase in activity for Dloader.K!tr since last month, growing at a rate of over 82% and reaching nearly 1.25 million hits. At this rate, and with the highest volume coming at the end of the month, we will certainly be hearing more about this malware in September. Also growing furiously in Korea this month was CashOn (not to mention the victims' tempers), the toolbar-plugin-based adware. It too displayed an increase of 80% in activity, reaching over three quarters of a million hits. As noted by Fortinet security research engineer Derek Manky, the geographies and the growth rates in activity appear to be consistent between the two threats. Is this merely a coincidence, or is there more to this than meets the eye?

An interesting trend shown by CashOn is that throughout the first half of the month, activity was confined to Korea and remained steady, with no distribution spikes. Then CashOn caught on: within two days its volume in Korea grew four-fold, while activity outside Korea began. There may have been a need to drive distribution at a more aggressive pace, and perhaps an effort was made to try another, or an additional, method to spread the adware in haste. Could Dloader.K!tr possibly be one of those mediums? Comparing the spikes of Dloader.K!tr and CashOn towards the end of August, there is definitely a parallel trend, with distribution spikes apparently falling on Mondays and Thursdays of the month. Again, in both cases, we are entering another peak as Thursday approaches. Many questions are raised, and there will be more to come on these emerging entries - stay tuned for September's malware report.
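The spike comparison described above can be made mechanical. The following is an added example, not code from the Fortinet report: it takes two constructed daily hit series (the numbers are invented and only mimic the shape described, not Fortinet's real figures), flags spike days against a median baseline, reports the weekday of each spike, and computes the overlap between the two threats' spike days and a month-over-month growth rate.

```python
from datetime import date, timedelta
from statistics import median

# Constructed daily hit counts (not Fortinet's figures): two weeks starting
# Monday 2007-08-13, with Dloader.K!tr spiking first and CashOn following.
START = date(2007, 8, 13)
DLOADER = [20, 22, 21, 88, 23, 18, 20, 90, 24, 22, 85, 21, 19, 20]
CASHON = [10, 12, 11, 11, 12, 11, 10, 48, 12, 11, 45, 12, 10, 11]
WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday",
            "Friday", "Saturday", "Sunday"]


def spike_days(counts, start=START, factor=2.5):
    """Days whose hit count exceeds `factor` times the series median.

    The median is robust to the spikes themselves, so a handful of
    botnet-driven push days does not drag the baseline upward.
    """
    threshold = factor * median(counts)
    return [start + timedelta(days=i)
            for i, n in enumerate(counts) if n > threshold]


def weekday_names(days):
    """Weekday of each spike, to check the Monday/Thursday pattern."""
    return [WEEKDAYS[d.weekday()] for d in days]


def shared_spike_days(a, b, start=START, factor=2.5):
    """Dates on which both series spike; a large overlap relative to each
    series' own spike count is the parallel trend the report describes."""
    return sorted(set(spike_days(a, start, factor))
                  & set(spike_days(b, start, factor)))


def growth_rate(previous, current):
    """Month-over-month growth in percent (e.g. 400 -> 728 hits is 82%)."""
    return (current - previous) * 100 / previous


if __name__ == "__main__":
    for name, series in (("Dloader.K!tr", DLOADER), ("CashOn", CASHON)):
        days = spike_days(series)
        print(name, [d.isoformat() for d in days], weekday_names(days))
    shared = shared_spike_days(DLOADER, CASHON)
    print("shared spike days:", [d.isoformat() for d in shared])
```

With the constructed input, Dloader.K!tr spikes on Thursday, Monday and Thursday while CashOn only joins on the last two, which is the lagging-then-parallel pattern the report points out.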

Web Traffic: Rush Hour


Online advertising has become ubiquitous. Sites providing content or functionality for free, from search engines to pornographic galleries, are loaded with ads that are part of their core business model. But today, ads and spam can be found in abundance in less expected places, such as the comment sections of blogs, community sites, forums, etc. In the end, very few sites escape the ad tsunami.

It goes without saying that the reason behind this phenomenon is money; however, the scale of it is not always well understood. Indeed, today, one single click on one of the most valued Google AdWords (usually "loan", "insurance quote" and the like) costs the word's highest bidder close to $70. This example involving the most valued ads served by the search engine giant illustrates the current situation very well: for website owners, huge amounts of money can be made with ad programs. And the more traffic a website generates, the higher the profits are.

In such a context, methods to drive traffic to one's site are, unsurprisingly, sometimes ethically questionable - not to say plainly illegal. Fortinet's Global Research Team ran into such a borderline site this month. The site poses as an "MSN messenger scanner": it prompts the user to enter his/her messenger login and password, and promises to use that information to determine whether other messenger contacts have blocked or deleted the user from their contact list. Like all similarly fashioned tools, this is of course a lure. However, the announced side effect (renaming the user's handle to the website URL, in order to "promote it" in exchange for the service) does happen.


Figure 2: Typical lure. Note the ads above, and on the right side


Interestingly, the site claims that it does not store users' login/password information. Perhaps they really don't, perhaps they do. The main point here is that, in order to drive traffic to their website, they resort to a typical social, worm-like strategy: by replacing the handle of the users they deceived with the site's URL, they aim to drive these users' contacts to the site too, who, once renamed in turn, will attract more users. Users equal traffic, and traffic equals money. It's as simple as that.


Figure 3: Is your info safe?


As is often the case, the terms and conditions section is used as some sort of universal umbrella backup, in case a deceived user would attempt court action: "[the site] will not be responsible for the incorrect, inappropriate or illegal use of and the lack of veracity, integrity, updating and accuracy of the information that its Internet pages contain or the results provided by them".

It is worth noting that, while such ID-theft schemes share common characteristics with phishing schemes, they differ from them on one fundamental point: they do not consist of tricking the victim into believing they are somewhere they actually aren't (usually, a legitimate bank site), but rather into believing they will get a service they actually won't. Effectively, this difference yields two points:

1. Because there is no actual infringement, and thanks to their unique terms and conditions, service-luring sites are more robust than phishing sites, and less likely to be shut down. While a typical phishing site has an online life expectancy of about three days, the service-luring site addressed above was registered three months ago, and translated into 20 languages already.

2. While it is difficult to come up with a simple and effective set of rules (let alone a single gold rule) that, if followed, would prevent any potential victim from falling for a phishing scam, a gold rule to avoid becoming the victim of a service-luring ID-theft scheme is easy to verbalize: "Never give out any login credentials to an online service, regardless of the reason for the request".


Figure 4: The page, including the graphics and images, exists in 20 different languages. This is the Japanese version.


Confusion 2.0, or how to counter-educate users


Unfortunately, the robustness of this gold rule has lately been called into question, not by service-luring sites but by supposedly important, respectable sites behaving like your average illiterate scammer. Take facebook.com. With its multi-million user base and its top US college founders, Facebook is undeniably one of the social networking heavyweights, and, as such, tends to be trusted a priori by its users and by everyone else. Now, what happens when one registers a new Facebook account?


Figure 5: All Your Accounts Are Belong To Us


The website prompts the user to give an email address and its password in order to get registered on Facebook. Not only is this maneuver similar to the one used by service-luring sites, but it also counter-educates users, enticing them to give out information they should not give and that could be misused. Honestly, would you give your house keys to the salesperson who sold you a mobile phone, so that he can go through your address book and see whether contacts can be added to your new phone while you are not there?

As for the "Facebook won't email anyone without your permission" statement, it does seem to hold in light of quick testing, but it would require extensive testing to verify this in the long run. Similarly, the "we won't store your email or password" assertion is basically impossible to prove (right or wrong), so one could doubt it. And even if the intent behind storing this information is not inherently bad, such a database could always fall into the wrong hands. It should be remembered that the majority of stolen credit card numbers traded over IRC daily come from hacked e-store databases.

In the short run, similarly to the service-luring site example described above, the aim is to recruit new members to increase the site's traffic, and thus its value. Indeed, after finding the "friends" in your mail contacts that are already registered on Facebook, as announced in the form depicted in Figure 5, another window pops up:


Figure 6: Recruiting process


The checkboxes are checked by default, and it takes just one click on the "invite to join" button to get all your contacts invited to the social networking site. In a nutshell: the traffic-ramping strategy employed by Facebook (and others) is just one click away from that of service-luring scam sites. There is of course one major difference: contrary to the latter, they do provide a service. Yet, to our minds, while it perfectly justifies the ads, providing a free service shouldn't justify counter-educating and manipulating users.