The State of Malware Today - February 2007

This month's highlights:

February, by the numbers

Top 10 threats caught by Fortinet's FortiGate security appliances in February 2007:

Rank  Threat                    Percentage
1     HTML/BankFraud.E!phish    7.97
2     HTML/Volksbanken!phish    6.96
3     HTML/BankFraud.OD!phish   3.91
4     W32/Tibs.gen              3.91
5     W32/Netsky.P@mm           2.61
6     HTML/Iframe_CID!exploit   2.32
7     W32/Zhelatin.DE@mm        2.31
8     W32/Bagle.GT@mm           1.77
9     W32/Grew.A!worm           1.24
10    W32/Sality.Q              1.03

For a change, this month's top 10 shows some stability, in line with January. The first places are still firmly occupied by our phish detections, but as we detailed in January, the alert reader will have noticed that a certain amount of spam accounts for those phish detections. Surprising as it may seem, that is not the case for HTML/Volksbanken!phish: while BankFraud.OD and BankFraud.E are deliberately "loose" detections that catch obfuscated content aimed at fooling Bayesian filters, regardless of the content itself, HTML/Volksbanken!phish is a detection pattern strictly dedicated to stopping phishing emails targeting the German "Volk" bank. That considered, the volume and steadiness of this phishing operation are absolutely impressive, as can be observed on figure 1 below. The phishers have probably long disappeared into cyberspace, without even bothering to stop the mailing engines running on the infected computers they control.

As for Tibs (aka the Storm Worm), it continues to hit the world's mailboxes hard (or at least the unprotected ones), in successive waves. No fewer than 36 different variants were seen active this month, although a single one (corresponding to the Feb. 8 run, see figure 1 below) accounted for nearly 60 percent of all Tibs-related detections.
The Tibs run of Feb. 8 might seem impressive, but compared to Netsky.P's residual activity (which stays constant over time and can be used as a good benchmark to evaluate the impact of malware runs), it turns out to be a tad lower than the Jan. 19 run (as can be seen on that figure). For the sake of argument, if the top Tibs runs keep shrinking at this pace (about 10 percent each month), its activity will come down to Netsky.P's level in about 22 months.

Spam: Fighting a Losing Battle? Maybe not...

The overwhelming prevalence of Stration (aka Warezov) and Tibs (aka Storm Worm) is not without consequences. A very observable one is the increase in spam volume that has been occurring since the end of 2006. Indeed, Stration and Tibs are purely meant to build large botnets, more or less centralized (Stration's net consists of syndicated smaller traditional IRC botnets, while Tibs implements a peer-to-peer botnet; see last month's roundup for more details), used to generate and relay spam (stocks, drugs, porn, etc.). Reducing the number of infected machines would therefore effectively tackle the spam problem (at least in the proportions it has taken today). The problem is that the number of infected machines is, on the contrary, growing every day. The reasons for that are manifold, but the consequence is that we are left trying to cope with massive amounts of spam. This raises the following question: what can antispam filters do? I can already hear sarcastic remarks such as "considering the current contents of my mailbox, apparently nothing"; however, the problem is complex and the battle is not lost...

First of all, consider the following fact: most if not all spam emails today try to hide their actual content within heading or trailing text excerpted from online books (often the Bible), in order to fool Bayesian filters. Figure 2 below shows an example of porn-related spam:
Due to its explicit nature, the text attempting to entice the user to visit the spam site has been blurred, for the sake of our young readers. Nonetheless, the heading and trailing texts can be observed (this is not always the case; see "the white on white technique"). Not only is the actual spam text embedded in heading and/or trailing text, it is also obfuscated further, as a second stage. This can be done at a purely textual level (for instance, in the blurred content of figure 2 above, "Dark-haired beauty" is spelled "Dark Huaired Bxeauty") or by rendering it as a JPEG or GIF image. An interesting and somewhat new example of such an image is displayed in figure 3 below:
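The padding trick described above is easiest to understand by running it against a small filter. The block below is an added example, not code from the roundup or from Fortinet: a minimal Bayesian filter in the style of Paul Graham's "A Plan for Spam", trained on constructed spam and ham corpora. It shows that wrapping a spam line in book-style text drives the score down when the filter has only ever seen such text in ham, and that retraining with padded spam samples (so the padding words become neutral evidence) restores detection. All messages and corpora are constructed for the demonstration.

```python
"""Added example (not from the Fortinet roundup): a minimal Bayesian spam
filter used to show the effect of padding spam with innocuous book text, and
why retraining on padded samples restores detection. All messages below are
constructed for the demonstration."""
import math
import re
from collections import Counter

# Constructed training corpora.
SPAM_DOCS = [
    "buy cheap pills online now",
    "cheap pills discount online",
    "hot stock pick buy now",
    "discount online pharmacy pills",
]
HAM_DOCS = [
    "the lord said unto him and he went forth",
    "and it came to pass that he said unto them",
    "meeting notes for the project tomorrow",
    "and the people went forth unto the land",
]
# Spam samples that already carry the padding trick, used for retraining.
PADDED_SPAM_DOCS = [
    "and the lord said unto them buy cheap pills online",
    "and he went forth unto the land hot stock pick now",
]

BARE_SPAM = "buy cheap pills online"
PADDED_SPAM = "and the lord said unto him go forth " + BARE_SPAM
HAM_MESSAGE = "meeting notes for tomorrow"


def tokenize(text):
    """Set of lowercase word tokens; each token counts once per document."""
    return set(re.findall(r"[a-z']+", text.lower()))


def train(spam_docs, ham_docs):
    """Per-token spam probability from document frequencies, clamped to
    [0.01, 0.99] so that no single token is ever treated as absolute proof."""
    spam_df, ham_df = Counter(), Counter()
    for doc in spam_docs:
        spam_df.update(tokenize(doc))
    for doc in ham_docs:
        ham_df.update(tokenize(doc))
    probs = {}
    for tok in set(spam_df) | set(ham_df):
        s = spam_df[tok] / len(spam_docs)
        h = ham_df[tok] / len(ham_docs)
        probs[tok] = min(0.99, max(0.01, s / (s + h)))
    return probs


def spam_probability(text, probs):
    """Naive-Bayes combination of the known tokens' probabilities, done in
    log space to avoid underflow. Tokens never seen in training are ignored."""
    ps = [probs[t] for t in tokenize(text) if t in probs]
    if not ps:
        return 0.5
    log_spam = sum(math.log(p) for p in ps)
    log_ham = sum(math.log(1.0 - p) for p in ps)
    diff = log_ham - log_spam
    if diff > 700:          # guard math.exp against overflow
        return 0.0
    return 1.0 / (1.0 + math.exp(diff))


def demo():
    """Return the scores discussed in the lead-in."""
    naive = train(SPAM_DOCS, HAM_DOCS)
    retrained = train(SPAM_DOCS + PADDED_SPAM_DOCS, HAM_DOCS)
    return {
        "bare_spam": spam_probability(BARE_SPAM, naive),
        "padded_spam_naive": spam_probability(PADDED_SPAM, naive),
        "padded_spam_retrained": spam_probability(PADDED_SPAM, retrained),
        "ham": spam_probability(HAM_MESSAGE, naive),
    }


if __name__ == "__main__":
    for name, score in demo().items():
        print(f"{name:24s} {score:.6f}")
```

With the naive corpus, every padding word is ham-only and scores 0.01, so seven of them outweigh the four 0.99 spam words and the padded message scores as ham. After the two padded spam samples are added to training, the same words sit near 0.3 and no longer cancel the spam evidence, which is why filters kept up once they were trained on the padded spam they actually received.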
In this instance of image-based spam, the heavy graphical noise added to the image obviously serves another purpose than simply scrambling the file checksum (changing a single pixel would have been enough for that); it does seem that these spammers are afraid that spam filters run character recognition routines to extract the textual content from the image. Given the very professional nature of spammers (the spam "industry" drains billions of USD each year), the fact that spammers have started to obfuscate the semantic content of their bulk emails to the point that it has become barely intelligible to the end user suggests the two points below:

1. When the semantic content (i.e., the actual "spamish" text) can be extracted from the mail, antispam filters do work.

2. In the challenge that consists of obfuscating semantic content in such a way that a machine cannot extract it while it still makes sense to a human, spammers are losing ground.

Point two should not be too surprising: while the structure and connections of the human brain are stable (and have been for about 30,000 years), artificial intelligence progresses at a relatively fast pace.

As a final note on the topic, content analysis is not the only means of blocking spam. Analyzing the envelope rather than the content of the letters is a strategy frequently implemented in antispam filtering systems; for instance, it may consist of confronting the incoming IP address with real-time block lists or reputation systems. Although such approaches are often purely reactive, hence leaving windows of opportunity for rogue IP addresses to spread their spam, they can also help reduce the amount of bulk mail reaching end users' mailboxes.
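The envelope-level check mentioned in the last paragraph, as an added example that is not part of the roundup or of any Fortinet product: confronting the connecting SMTP client's IP address with a DNS-based block list (DNSBL). The query convention is the standard one (reverse the address octets, or the 32 hex nibbles for IPv6, append the list's zone, and treat an A record inside 127.0.0.0/8 as "listed"). The zone name dnsbl.example, the listed addresses and the resolver stub are constructed so the example runs offline; a real deployment would call the resolver instead of the stub.

```python
"""Added example (not from the Fortinet roundup): an SMTP connection policy
backed by a DNS-based block list. The zone 'dnsbl.example', its contents and
the resolver stub are constructed so the code runs without network access."""
import ipaddress

# DNSBLs answer with an address in 127.0.0.0/8 when the queried IP is listed.
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: reversed octets (IPv4) or reversed hex
    nibbles (IPv6) followed by the list's zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))   # 32 nibbles
    return ".".join(reversed(labels)) + "." + zone


# Constructed zone contents for the hypothetical list 'dnsbl.example'.
STUB_ZONE = {
    "44.2.0.192.dnsbl.example": ["127.0.0.2"],
    "100.2.0.192.dnsbl.example": ["127.0.0.4", "127.0.0.10"],
}


def stub_resolver(name):
    """Stands in for a DNS A lookup; an empty list plays the role of NXDOMAIN."""
    return STUB_ZONE.get(name, [])


def failing_resolver(name):
    """Models a resolver outage, to exercise the fail-open path below."""
    raise OSError("DNS timeout")


def dnsbl_lookup(ip, zone, resolve=stub_resolver):
    """Return the list's return codes for ip; an empty list means not listed."""
    answers = resolve(dnsbl_query_name(ip, zone))
    return [a for a in answers if ipaddress.ip_address(a) in LISTED_RANGE]


def smtp_connection_policy(ip, zone="dnsbl.example", resolve=stub_resolver):
    """Decide what to do with an inbound SMTP connection from ip.
    Lookup failures fail open: a broken resolver must not stop all mail,
    it should only lose the protection the list provides until DNS recovers."""
    try:
        codes = dnsbl_lookup(ip, zone, resolve)
    except OSError as exc:
        return {"verdict": "accept", "reason": f"lookup error: {exc}", "codes": []}
    if codes:
        return {"verdict": "reject", "reason": "listed", "codes": codes}
    return {"verdict": "accept", "reason": "not listed", "codes": []}


if __name__ == "__main__":
    for client in ("192.0.2.44", "192.0.2.100", "203.0.113.9"):
        print(client, smtp_connection_policy(client))
    print("2001:db8::1", dnsbl_query_name("2001:db8::1", "dnsbl.example"))
```

The fail-open choice is the practical counterpart of the "purely reactive" caveat above: a list only helps while it is reachable and current, so the policy degrades to plain acceptance rather than blocking all inbound mail when the lookup itself fails, and the reason field is kept so the outage shows up in the logs.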