FortiGuard Center

The State of Malware - August 2008 Edition



This edition's highlights: Malware by the numbers

The following malware statistics are based on threats caught by Fortinet's FortiGate security appliances for the period July 21st - August 20th, 2008.

Top Ten Variants

Top ten malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100:
Rank     Malware Variant                  Percentage  Top 100 Shift
1        W32/Multidr.JD!tr                10.02          new
2        HTML/Agent.HFZ!phish             8.15           new
3        W32/Netsky!similar               5.95           -2
4        JS/Agent.WMA!tr.dldr             5.9            new
5        W32/Virut.A                      4.65           -3
6        JS/Iframe.DR                     4.19           +1
7        W32/Agent.KG!tr                  3.36           new
8        HTML/Iframe.DN!tr.dldr           2.59           -3
9        HTML/Iframe_CID!exploit          2.12           +17
10       W32/Agent.HKR!tr                 1.98           new 
Many new variants exploded onto the scene this month, a majority of them trojan downloaders:
  • Rogue security application threats W32/Multidr.JD (a trojan dropper) and HTML/Agent.HFZ (a phishing page) rocketed past W32/Netsky into first and second place
  • Virut.A refuses to back down, having sat in the top five for seven consecutive months
  • The Mytob and Pushdo mass mailers slid out of the top ten, but remain relevant
  • Iframe traffic redirectors remain strong as seen in the last edition
Top Five Families

Malware variants' activity for this edition has been grouped into families and sorted as shown below. Percentage indicates the portion of activity accumulated by the family out of all threats reported in this edition. Top 10 shifts indicate positional changes compared to last edition's Top 10 ranking, with "new" highlighting the malware family's debut in the top ten:
Rank     Malware Family                    Percentage  Top 10 Shift
1        Netsky                            9.5             +1
2        OnlineGames                       7.7             -1
3        MyTob                             5.8             -
4        Virut                             5.4             -
5        Pushdo                            3.0             -
There was not much movement in terms of family activity this edition, with only Netsky and OnlineGames swapping positions. While no individual variant of OnlineGames was present in our top ten variants, collectively this family of online gaming trojans remains strong.

Activity recap

There was plenty of activity this month, much of it coming from new and emerging faces. Last edition, we talked about traffic generators and discussed JS/Redirector.CA. Activity in this area has continued through HTML/Iframe.DN and JS/Iframe.DR, the latter moving up one position. Since Web-borne attacks are frequent on today's threat landscape and often involve hijacking and redirecting traffic through such Iframes, we will likely see this trend continue. Quite often the traffic is redirected to websites serving exploits through ready-made kits (MPack, GPack, etc.). The combination of such generators and exploit kits makes an attack effective, which underlines the importance of keeping all software (especially Web browsers) up to date with the latest patches.
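The injected-Iframe redirectors described above share a small set of tells: an iframe pointing at a host other than the page's own, made invisible with 0/1-pixel dimensions, a hidden style, a hidden parent element, or off-screen positioning, and in many 2008-era injectors written out at runtime with document.write(unescape('%3Ciframe...')) so the tag never appears literally in the page source. The following Python script is an added example for this edition, not Fortinet's detection logic or any FortiGuard signature: it audits a page for hidden, off-site iframes and also decodes and scans the document.write/unescape payloads. The sample page, its host names (all under the reserved .invalid TLD) and the auditor's helper names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Constructed sample of an injected page (not a real capture): one legitimate
# same-site iframe, two injected hidden iframes, and a JS injector that
# writes a third one out via document.write(unescape(...)).
SAMPLE_HTML = """<html><body>
<h1>Welcome to our shop</h1>
<iframe src="https://www.example.com/help/faq.html" width="600" height="400"></iframe>
<iframe src="http://bad-redirector.invalid/in.cgi?3" width="0" height="0" frameborder="0"></iframe>
<div style="display:none"><iframe src="http://kit-host.invalid/index.php"></iframe></div>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fsecond-stage.invalid%2Fload.php%22%20width%3D1%20height%3D1%20style%3D%22visibility%3Ahidden%22%3E%3C%2Fiframe%3E'));</script>
</body></html>"""

VOID_TAGS = {"br", "img", "input", "meta", "link", "hr", "area", "base",
             "col", "embed", "source", "wbr"}
# Styles that hide an element or push it off-screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px", re.I)
# document.write(unescape('...')) with either quote style; group 2 is the payload.
DOC_WRITE_UNESCAPE = re.compile(
    r"document\.write\s*\(\s*unescape\s*\(\s*(['\"])(.*?)\1\s*\)\s*\)", re.I | re.S)


def js_unescape(s):
    """Decode what JavaScript's unescape() would: %uXXXX first, then %XX."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)


def _tiny(value):
    """True for the 0/1-pixel width or height typical of injected iframes."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class IframeAuditor(HTMLParser):
    """Flags iframes that are both hidden and point at a host other than the page's."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.stack = []        # (tag, hidden_by_style) for each open element
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden_here = bool(HIDDEN_STYLE.search(a.get("style") or ""))
        if tag == "iframe":
            inherited = any(hidden for _, hidden in self.stack)   # inside a hidden parent
            hidden = (hidden_here or inherited
                      or _tiny(a.get("width")) or _tiny(a.get("height")))
            src = a.get("src") or ""
            host = (urlparse(src).hostname or "").lower()
            external = bool(host) and host != self.page_host
            if hidden and external:
                self.findings.append({"src": src, "host": host,
                                      "reason": "hidden iframe to external host"})
        if tag not in VOID_TAGS:
            self.stack.append((tag, hidden_here))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerate sloppy nesting.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def audit_page(html, page_host):
    """Scan the raw HTML, then anything written out via document.write(unescape(...))."""
    auditor = IframeAuditor(page_host)
    auditor.feed(html)
    findings = list(auditor.findings)
    for _quote, payload in DOC_WRITE_UNESCAPE.findall(html):
        sub = IframeAuditor(page_host)
        sub.feed(js_unescape(payload))
        for f in sub.findings:
            f["reason"] += " (decoded from document.write/unescape)"
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in audit_page(SAMPLE_HTML, "www.example.com"):
        print(f"{f['host']:28} {f['reason']}  <- {f['src']}")
```

Run against the constructed sample with the page host set to www.example.com, the legitimate FAQ iframe passes while the three injected ones are reported, including the one that only exists after decoding the unescape() payload. The same-host test is deliberately strict; a site that legitimately frames a second domain would need that domain added to an allow list.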

In October 2007, we discussed the HTML/Iframe_CID exploit and its dominance over the years, largely thanks to the success of Netsky.P, which utilizes this exploit. Nearly a year later, HTML/Iframe_CID is still very active, showing up in ninth position this edition. Although on the rise again compared to last edition, volume for this exploit (again linked to Netsky.P) has steadily dropped over time, as predicted in our October 2007 report: current activity is roughly one fourth of the volume reported in October 2007. For seven straight months now, W32/Virut.A has shown heavy and consistent activity by ranking within the top five variants. The file infector held this trend again, though it was pushed down three positions by the tremendous activity of W32/Multidr.JD and HTML/Agent.HFZ. Finally, just outside the official top ten, Spy/OnLineGames ranked a solid eleventh as significant malicious activity targeting the online gaming community continues. Turkey, the USA and China, in that order, were the regions of heaviest activity. Figure 1 below shows the activity curve for several variants in this edition:


Figure 1: Iframes and trojan downloaders vs. W32/Virut.A


The most dominant activity this edition lay in first and second place, both tied to rogue security applications, observed Fortinet security researcher Derek Manky. The volume seen on a single day was enough to secure W32/Multidr.JD first place for the entire reporting period. Not since February 2007, when the infamous Storm botnet (Tibs) emerged, has such an intense campaign been observed. The two rogue security applications behind our top ten entries, XP Security Center and AntiVirus XP 2008, are linked to W32/Multidr.JD, W32/Agent.HKR, HTML/Agent.HFZ and W32/Agent.HFZ. While similar, XP Security Center (W32/Agent.HKR and Agent.HFZ) was active mostly in the USA, Japan and Canada, whereas AntiVirus XP 2008 showed activity in the USA, Lithuania and Mexico. Interestingly, two very similar social engineering campaigns involving programs posing as Word documents (used with XP Security Center) share a similar geographic footprint. The seeding campaign of the emerging W32/Agent.KG showed the most activity in Japan, Canada and the USA. HTML/Agent.HFZ (XP Security Center) was spread through a UPS-themed phishing email in late July 2008. Figure 2 below shows activity for these variants:


Figure 2: Rogue security application activity, along with emerging W32/Agent.KG


For a detailed report on this activity and the related rogue security applications, please see Fortinet's "War Of The Rogues" analysis.

Solutions

Customers who use Fortinet’s FortiGuard Subscription Services should already be protected against the threats outlined in this report. Threat activity is compiled by Fortinet's FortiGuard Global Security Research Team using data gathered from its intelligence systems and FortiGate™ multi-threat security appliances in production worldwide. FortiGuard Subscription Services offer comprehensive security solutions including antivirus, intrusion prevention, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products.