The State of Malware Today - December 2007

This month's highlights:
Top 10 threats caught by Fortinet's FortiGate security appliances in December 2007. Entries in bold are new to the top ten this month:

Rank  Malware                  Percentage
1     W32/Netsky!similar       11.05
2     HTML/Iframe_CID!exploit  8.47
3     W32/MyTob.FR@mm          3.40
4     W32/Lovgate.X2@mm        2.90
5     W32/ANI07.A!exploit      2.82
6     W32/Bagle.DY@mm          2.57
7     W32/Zafi.D@mm            2.20
8     W32/Istbar.PK!tr.dldr    1.93
9     Adware/Bdsearch          1.83
10    Adware/TCent             1.80

December brought in four new entries to our top ten, most of them wrapped in spam and delivered under the mail tree. Here are the highlights of this holiday season:
Threat and Spam Wrap-Up, 2008 Predictions

I. Threat Landscape

This year, malicious web pages have become a major infection vector. They have an obvious advantage over traditional vectors such as email: they do not require any user interaction. Users only need to visit a malicious page with a vulnerable browser to become infected (the "drive-by install" scenario). Statistics extracted from live MPack servers in May 2007, during one of the noisiest (though perhaps not the largest) mass-injection attacks of the year, show an Infection Rate (IR) of over 12%, i.e. 12% of the users visiting the malicious page are successfully infected. This is despite MPack not embedding any exploit for unpatched browser vulnerabilities. Traffic is driven to the malicious web servers either by mass compromise (usually by breaking into a web-hosting company's server), by search engine result poisoning (usually by interlinking a massive number of keyword-stuffed pages that respond differently to Google's crawlers and to regular users, serving the malicious content only to the latter), or by a combination of both (example: http://tacit.livejournal.com/226180.html).

In conclusion, compare the IR of drive-by installs (12%+) with the click-through rate that social engineering artists achieve in getting a user to open an infected email attachment (one out of several tens of thousands), and add the fact that web traffic is scarcely scanned compared to email, which is heavily scanned by security products: malicious web pages will quickly take a bigger place in the threat landscape in 2008 and beyond. Some believe this is already the case: ENISA's position paper on botnets states that malicious web pages account for 60% of all bot-related infections (see http://www.enisa.europa.eu/pages/02_01_press_2007_11_27_botnets.html).

Our pieces of advice:
II. Spam Landscape

The spam landscape is also evolving. The Web 2.0 concept is characterized by our data moving away from the traditional desktop towards online applications. So is spam. Today, because users are so used to seeing spam in their mailboxes, and because anti-spam solutions are now ubiquitous, the click-through rate (CTR) for email-based spam has fallen to dramatically low levels (sometimes as low as 1 out of several million emails sent). Therefore, while email-based spam will not become extinct in the near future, spam on other platforms has started to flourish. In 2007, spam runs were spotted on MySpace, YouTube, and popular blogs (for more information, please refer to the white paper "Menace 2 the wires: advances in the business models of cyber criminals", presented by Guillaume Lovet at the 2007 Virus Bulletin Conference). As a matter of fact, every web platform that displays user input, which is one of the main traits defining Web 2.0, is a potential target and can therefore be expected to be invaded by spam.

Merry Christmas: Fluxing All The Way

As forewarned in our previous malware report, the cyber criminals were out in full force throughout the busy December season. The Grinch was the name, and picking the pockets of unsuspecting consumers was the game. Online consumers were flocking to their computers in a joyous holiday spending mood as online shopping sales reached record numbers. Meanwhile, cyber criminals took advantage of this busy online season and employed every scheme they could, complete with social engineering, to ruin the festive spirit. For the Storm gang, all was silent until the night before Christmas. As predicted, the social engineering storm leveraged the holiday spirit with a "Merry Christmas" spam just before Christmas Day.
Links were sent out to the website http://merrychristmas{removed}.com, which featured scantily clad women enticing the user to follow a link that would ultimately lead to the Storm infection. That domain is part of an active fast flux network, which uses mechanics similar to those of the fast flux network described in more detail below. Since then, the Fortinet Global Threat Response team has monitored a new wave of Storm spam that capitalizes on New Year's celebrations, using links that point to a server-side polymorphic Storm executable. This campaign also uses a Storm domain hosted on a fast flux network. In fact, two additional fast flux Storm networks have since emerged, with greeting card themes in the domain names themselves.

Pharmacy phishers were also out in the depths of December, sending out Christmas and New Year's cheer from their illegitimate websites. Social engineering and a professional-looking website hosted on a double fast flux botnet meant that more consumers were at risk of being scammed when attempting to purchase pharmaceuticals online. Blogs and spammed mail with holiday themes were sent out with links pointing to the pharmacy's botnet army. Throughout December, the Fortinet Global Security Research team has monitored fast flux networks belonging to a pharmacy scam operating under the name "Canadian Pharmacy". Across these networks, over 7,700 zombies worldwide have been discovered hosting the pharmacy's website operations, using thousands of domains. Elaborate spam and a carefully crafted corporate image enhance their social engineering hook. A detailed, in-depth look at the Canadian Pharmacy operation can be read here from Fortinet.

Disclaimer: Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. More specific information is available on request from Fortinet.
Please note that Fortinet's product information does not constitute or contain any guarantee, warranty or legally binding representation, unless expressly identified as such in a duly signed writing.

About Fortinet (www.fortinet.com): Fortinet is the pioneer and leading provider of ASIC-accelerated unified threat management, or UTM, security systems, which are used by enterprises and service providers to increase their security while reducing total operating costs. Fortinet solutions were built from the ground up to integrate multiple levels of security protection (including firewall, antivirus, intrusion prevention, VPN, spyware prevention and anti-spam), designed to help customers protect against network and content level threats. Leveraging a custom ASIC and unified interface, Fortinet solutions offer advanced security functionality that scales from remote office to chassis-based solutions with integrated management and reporting. Fortinet solutions have won multiple awards around the world and are the only security products that are certified in six programs by ICSA Labs (Firewall, Antivirus, IPSec, SSL, Network IPS, and Anti-Spyware). Fortinet is privately held and based in Sunnyvale, California.
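The Storm and "Canadian Pharmacy" campaigns described in the holiday section above both rely on fast flux (and, for the pharmacy, double fast flux) hosting. The following is an added example, not code from the report or from Fortinet, of the kind of resolver-log heuristic a defender can use to spot that pattern: a domain whose A records churn across many unrelated networks with short TTLs, and whose own name servers churn the same way. Every name, address and threshold in it is a constructed assumption.

```python
# Constructed sample of resolver log entries: (queried name, record type, answer, TTL seconds).
# They mimic repeated lookups of a holiday-greeting lure domain over a few minutes, an NS host
# that itself cycles addresses (double flux), and an ordinary two-server site for contrast.
# All names and addresses are invented (RFC 5737 documentation ranges), not real indicators.
SAMPLE_LOG = [
    ("newyear-greeting.example", "A", "203.0.113.10", 120),
    ("newyear-greeting.example", "A", "198.51.100.77", 120),
    ("newyear-greeting.example", "A", "192.0.2.200", 120),
    ("newyear-greeting.example", "A", "203.0.113.99", 90),
    ("newyear-greeting.example", "A", "198.51.100.5", 90),
    ("newyear-greeting.example", "A", "192.0.2.33", 60),
    ("newyear-greeting.example", "NS", "ns1.newyear-greeting.example", 300),
    ("ns1.newyear-greeting.example", "A", "203.0.113.41", 120),
    ("ns1.newyear-greeting.example", "A", "198.51.100.8", 120),
    ("ns1.newyear-greeting.example", "A", "192.0.2.150", 120),
    ("shop.example", "A", "192.0.2.10", 3600),
    ("shop.example", "A", "192.0.2.11", 3600),
    ("shop.example", "NS", "ns.shop.example", 86400),
    ("ns.shop.example", "A", "192.0.2.53", 86400),
]

def _a_records(log, name):
    return [(ip, ttl) for qname, rtype, ip, ttl in log if qname == name and rtype == "A"]

def flux_features(log, domain):
    """Summarise the A records seen for `domain` and for its NS hosts."""
    recs = _a_records(log, domain)
    ips = {ip for ip, _ in recs}
    nets16 = {".".join(ip.split(".")[:2]) for ip in ips}   # crude /16 diversity proxy
    ns_hosts = [v for q, r, v, _ in log if q == domain and r == "NS"]
    ns_ips = {ip for h in ns_hosts for ip, _ in _a_records(log, h)}
    return {
        "unique_ips": len(ips),
        "unique_16": len(nets16),
        "min_ttl": min((ttl for _, ttl in recs), default=None),
        "ns_unique_ips": len(ns_ips),
    }

def classify(log, domain, min_ips=5, min_nets=3, max_ttl=600, ns_min_ips=3):
    """Heuristic (thresholds are assumptions; tune them on your own resolver data):
    many IPs spread over many networks with short TTLs -> fast flux;
    the domain's NS hosts showing the same churn -> double flux."""
    f = flux_features(log, domain)
    fluxy = (f["unique_ips"] >= min_ips and f["unique_16"] >= min_nets
             and f["min_ttl"] is not None and f["min_ttl"] <= max_ttl)
    if not fluxy:
        return "normal"
    return "double-flux" if f["ns_unique_ips"] >= ns_min_ips else "fast-flux"
```

On real data the /16 proxy should be replaced by an ASN lookup, and the log should be windowed over time so that legitimate round-robin or CDN-backed sites (stable networks, long TTLs) are not flagged.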