This month's highlights:

• Virus activity
• On Adware: a BetterInternet - twice a week!
• February's paradox: Phishing
• The future is now

February, by the numbers:

1	Adware/BetterInternet	10.61%
2	W32/Netsky!similar	8.71%
3	W32/Bagle.DW-mm	8.14%
4	W32/Grew.A!wm	8.05%
5	W32/Bagle.DY-mm	7.52%
6	HTML/Iframe_CID!exploit	6.65%
7	W32/MyTob.fam-mm	2.20%
8	Adware/ZangoSA	1.92%
9	W32/Mytob!similar	1.71%
10	W32/MyDoom.M-mm	1.63%

1	W32/Bagle.DW-mm	8.14 %
2	W32/Bagle.DY-mm	7.52 %
3	W32/Bagle.FJ-mm	1.25 %
4	W32/Bagle.DX-mm	1.25 %
5	W32/Bagle.DZ-mm	1.12 %

Top 10 countries reporting infections in February 2006:

1	United States of America	20.84%
2	Korea, Republic of	8.26%
3	India	7.25%
4	Philippines	5.45%
5	Japan	5.34%
6	Mexico	4.62%
7	Taiwan	4.51%
8	China	3.84%
9	Thailand	3.19%
10	Malaysia	2.91%

Virus Activity

For the very first time, this month's most prevalent threat is an Adware: Adware/BetterInternet accounted for 10% of the total threat activity in February. Since all previous top threats were mass-mailers, Adware/BetterInternet is also the first non-replicative threat to top our charts.

This is certainly impressive and highlights a concerning trend in an Internet connected world where users are overwhelmed with advertisements and spam. It also leads us to conclude that Adware is a growing issue and is beginning to account for a more significant portion of malware activity. And, the strategy pursued by mass-mailing threats has evolved. This is perhaps best illustrated by the fact that while the most prevalent variant of Bagle this month accounted for only 8% of the global activity, all new Bagle variants seen this month accounted for 20% of the global activity.

Bagle: the Valentine's fragmentation bomb

A closer look at the activity of four new Bagle variants over February in Figure 1 (below) reveals the authors strategy: a typical "fragmentation bomb" infection scheme, where authors opt for several reduced and consecutive outbreaks spanning over the whole month rather than one big outbreak. This increases the success rate measured by the number of effected targets and avoids attracting too much media and police crime unit attention.

Figure 1: Top Bagle variants in February 2006

Figure 2 (below), which compares the peaks of February Bagle outbreaks with the peak of non-monetary motivated threat, such as last year's Sober, leads us to conclude that the virus writer took a more cautious yet strategic approach: small-scale outbreaks. Such "hit and run" operations result in remnant activity more or less evenly distributed among a high number of variants. A perfect example would be MyTob, with more than 250 variants, each accounting for a small slice of its aggregated 17% share of the threat activity pie.

Figure 2: Bagle vs Sober

Now, what is in Bagle? The classic features that have made it successful for two years are:

Basic social engineering - in the traditional "your document is attached" style. (with a nice Valentine's poem this month!). This is a mass-mailing engine avoiding AV and security related e-mail addresses and, above all, a powerful counter-measure engine, which literally turns your computer into a sitting duck. AV processes are killed, security is lowered in every possible way, firewalls are disabled, and updates rendered impossible.

Files are then downloaded from a hard-coded list of locations. The strategy is clearly to:

1. Disable defenses
2. Install updates and/or typical spyware/adware .

Interestingly, one of this month's Bagle variants embedded the following poem into its code (which is never displayed):

"In a difficult world
In a nameless time
I want to survive
So, you will be mine!!
-- Bagle Author, 29.04.04, Germany."

I'm not sure whether he's talking to a lady, or to his victim's secure online payment accounts...what do you think?

On Adware: a BetterInternet - twice a week!

Although fragmented attacks have to be taken into account when evaluating Adware impact, this month's top 10's first place obtained by Adware/BetterInternet does represent a growing trend. Figure 3 (below) shows that today, even though the global Adware activity isn't as high as that of mass-mailing worms (mm), it is already above and beyond that of Trojans (tr):

Figure 3: Mass-mailers and trojans vs Adware

However, the impact of various adware attacks is not evenly distributed. BetterInternet accounted for nearly 70% of all spotted adware-related samples, as shown on Figure 4 below:

Figure 4: Top Adware threats

Beyond BetterInternet's domination, there is a striking pattern in the figure: Tremendously sharp peaks of activity appear on every Monday and Thursday of the month. This was also the case in January. To draw a refined hypothesis on the reasons for such a peculiar figure, it is worth taking a moment to look closer at BetterInternet.

BetterInternet - now officially called BestOffers - is a typical "behavioral marketing" company. The key role of which is to provide a central point of meeting for three essential audiences: advertisers, partners, and users. Philosophically, there is nothing wrong with such a concept. Users may choose to install free software with the drawback of having advertisements displayed from time to time rather than ad-free expansive software (much like when one is watching TV shows on freely available channels). Advertisers are ready to pay for having their ads displayed in such software, which are in turn distributed by partners, who are paid by BetterInternet based on the number of installations originating from them.

This "partner" component is the rotten part of the fruit. It is public knowledge in the botnet community that the main source of revenue for Botnet herders today comes from adware/spyware installations they initiate on their herd of compromised computers, which yields "partner" payment from Adware companies. Now as a matter of course, most adware companies clearly state on their websites how ethical and honest partners must be in order to take part in their partner programs. For instance, BetterInternet has the following guideline page for partners: http://www.bestoffersnetworks.com/partners/guidelines.php

Despite guidelines like this, when looking at Figure 4, the regularity of peaks, both in "height" and frequency indicates that some Botnet owner somewhere initiated a massive installation procedure of the adware each Monday and Thursday in February. In between those days, the adware component is most likely wiped off the infected computer, so that next install generates the same impact again.

The question is: Are adware companies with a partner program really abused by Botnet herders? Or do they passively allow this activity because in the end the only victims are really users, while everyone else in the loop profits from the situation?

February's paradox: Phishing

Though phishing attacks increased in sophistication this month - with, for instance, the apparition of the first phishing site to make use of an SSL certificate - the global phishing activity dropped from 3% of the total threat activity in January to 0.5% in February. This is largely due to a significant drop in the volume of phishing threats targeting Ebay.

The future is now

It is interesting to note that this month, several of the "Future Trends" predictions outlined in "Fortinet Reviews Malware Activity in 2005" became real. These include:

• A new instance of a "moderately" focused attack, with two new variants of W32/Brepibot!bdr. While previous outbreaks targeted universities, this month's attack targeted various companies, including AV companies. The virus counts were kept very low (less than 0.003% of the global activity).

• The First MacOS worms, called OSX/Leap.A!worm and OSX/Inqtana.A!worm. These attacks are still in proof of concept stage, carrying non-destructive and non-profit oriented payloads, and the moderate share of MacOS systems didn't allow for a significant outbreak. Though, it denotes a diversification of virus authors' skills, which could be a concern should they target more widely-used universal platforms such as .NET or Java.

• The first "crossover" virus, able to leap from Microsoft Windows PocketPC systems to Desktop Windows systems. Discovered by mobileav.org, this is something Fortinet began anticipating back in March 2005, when commwarrior first appeared. Below is an excerpt from our "Fortinet Reviews Malware Activity in March 2005" report: "The next step we can expect is a hybrid virus that is able to spread via both MMS and mail, since smartphones usually have integrated e-mail clients. Further, as the border between computers and phones is becoming thinner and thinner, it makes sense to expect the emergence of malwares that are able to get across it (java anyone?), spreading indifferently from phones to computers or vice-versa. Such a cross platform worm with mass mailing and mass MMS-ing capabilities would surely cause havoc at some point..."

• One of the first profit-oriented mobile threats (called Redbrowser.A), which conducts premium number calls abuse. We have been saying for a while that such threats are soon expected to become mainstream, given the huge financial potential behind them, and we saw evidence of this in February.

• Cyberterrorist strikes: February also saw a large number of .dk sites being defaced, in retaliation for the controversial cartoons of the Muslim's Prophet recently published in the Danish press. Although the message left by the defacers was at times very threatening, the damage done was in fact minor - merely erasing the index page of the victims' websites. However, this indicates that the Internet can simultaneously serve as both an outlet for political, ideological and propagandist actions as well as a perfect vector for attack, as was the case last year with Sober.