The State of Malware - February 2008 Edition

This month's highlights: Malware by the numbers

Top 10 threats caught by Fortinet's FortiGate security appliances for the period ending February 2008. Percentage is each entry's share of total detections. The Top 100 Shift column gives the positional change compared to last edition's Top 100 ranking (a bare "-" means no change, "+n" moved up n places, "-n" moved down n places), with "new" highlighting the malware's debut in the Top 100:

Rank  Malware Variant            Percentage  Top 100 Shift
 1    W32/Netsky!similar         12.0        -
 2    HTML/Iframe_CID!exploit     8.0        -
 3    W32/Small.FQS!tr.dldr       4.5        -
 4    Adware/Agent                3.8        +4
 5    W32/Grew.A!worm             3.0        +8
 6    W32/Pushdo!tr               3.3        new
 7    W32/MyDoom.N@mm             2.6        new
 8    W32/Bagle.DY@mm             2.3        +1
 9    W32/MyTob.fam@mm            2.2        +10
10    W32/MyTob.FR@mm             2.1        -5

This month primarily showed shuffling of positions, while also introducing two new entries, W32/Pushdo!tr and W32/MyDoom.N@mm, to the Top Ten:
Family Matters

We have frequently reported on activity from MyTob, MyDoom and Pushdo variants in the past. While portions of these families have surfaced in our reports in the form of dominant variants, there is a bigger picture to be painted in terms of family activity. Other active and well-known families showcased in our top ten include the infamous Netsky, Bagle and Storm.

The first Pushdo spike shown in Figure 1 below was a mass-mailing campaign with the malicious Pushdo executable attached as a zip archive. Simple social engineering was used: the body of the email enticed the user to open the zip attachment (commonly named "video.zip"), which claimed to be a pornographic video of various male and female celebrities. This was a twist on the e-card Pushdo activity we reported on in our last roundup. Pushdo's second run happened on February 17th-18th, but was not as prominent as the first.

While Pushdo spread aggressively on two well-defined dates, MyTob and MyDoom both exhibited consistent activity throughout the period, with drops on the weekend -- not surprising for mass mailers. The same pattern holds for Bagle and Netsky. Figure 1 below shows family activity over the period, with all variants grouped into their respective malware families:

[Figure 1: Family activity for Bagle, MyDoom, MyTob, Netsky, and Pushdo]

The MyTob activity seen this month is linked to the self-proclaimed Hellbot gang through the unique identifier "H-E-L-L-B-O-T-P-O-L-Y-M-O-R-P-H" embedded in the MyTob.FR malware (seen in this edition's Top Ten). Hellbot is a trojan dropped by MyTob; it has family roots in RBot, whose source code has been widely available to the public. MyTob.FR dropped this trojan and executed it as the file "hellmsn.exe", launched by the process "taskgmr.exe".
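The grouping behind Figure 1 and the family ranking table later in this edition is mechanical: each signature name is split into platform, family, variant and tags, and shares are summed per family. The script below is an added example (not Fortinet's own tooling) that does that for the Top 10 on this page and also reproduces the Top 100 Shift column. The name grammar is inferred from the names on the page, not from a published Fortinet specification; the previous-edition positions are constructed so that they yield the shift column shown above, since the real January ranking is not reproduced here; and the choice of which catch-all names to keep unmerged is an assumption modelled on how the family table treats HTML/Iframe_CID!exploit.

```python
"""Group Fortinet-style signature names into malware families and
re-rank by family share (added example, not Fortinet's own code)."""
import re
from collections import defaultdict

# Constructed input: the Top 10 table on this page (percentage of total
# detections, period ending February 2008). The full Top 100 from which the
# page's family table was built is not reproduced here.
TOP_TEN = [
    ("W32/Netsky!similar", 12.0),
    ("HTML/Iframe_CID!exploit", 8.0),
    ("W32/Small.FQS!tr.dldr", 4.5),
    ("Adware/Agent", 3.8),
    ("W32/Grew.A!worm", 3.0),
    ("W32/Pushdo!tr", 3.3),
    ("W32/MyDoom.N@mm", 2.6),
    ("W32/Bagle.DY@mm", 2.3),
    ("W32/MyTob.fam@mm", 2.2),
    ("W32/MyTob.FR@mm", 2.1),
]

# Constructed previous-edition positions, chosen so that they reproduce the
# "Top 100 Shift" column on this page; the real January ranking is not shown.
# Names absent here are treated as debuts ("new").
PREVIOUS_RANK = {
    "W32/Netsky!similar": 1,
    "HTML/Iframe_CID!exploit": 2,
    "W32/Small.FQS!tr.dldr": 3,
    "W32/MyTob.FR@mm": 5,
    "Adware/Agent": 8,
    "W32/Bagle.DY@mm": 9,
    "W32/Grew.A!worm": 13,
    "W32/MyTob.fam@mm": 19,
}

# Name shape inferred from the names on the page (not a published grammar):
#   <platform>/<family>[.<variant>][!<tag>[.<tag>...]][@<vector>]
NAME_RE = re.compile(
    r"^(?P<platform>[^/]+)/"
    r"(?P<family>[^.!@]+)"
    r"(?:\.(?P<variant>[^!@]+))?"
    r"(?:!(?P<tags>[^@]+))?"
    r"(?:@(?P<vector>\w+))?$"
)

# Assumption: these catch-all names carry no family identity, so they are kept
# as full signature names rather than merged, as the page's family table does
# for HTML/Iframe_CID!exploit.
GENERIC_FAMILIES = {"Small", "Iframe_CID"}


def parse_name(name):
    """Split a signature name into platform/family/variant/tags/vector."""
    m = NAME_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised signature name: {name!r}")
    return m.groupdict()


def family_key(name):
    """Merge key: the family, or the full name for generic catch-alls."""
    family = parse_name(name)["family"]
    return name if family in GENERIC_FAMILIES else family


def aggregate_by_family(entries):
    """Sum shares per family key; return [(key, share)] by descending share.

    Shares are rounded to one decimal only after summing, so a family made of
    many small variants is not lost to per-row rounding."""
    totals = defaultdict(float)
    for name, share in entries:
        totals[family_key(name)] += share
    return sorted(((k, round(v, 1)) for k, v in totals.items()),
                  key=lambda kv: (-kv[1], kv[0]))


def shift_label(name, current_rank, previous_rank=PREVIOUS_RANK):
    """'-' unchanged, '+n'/'-n' moved up/down n places, 'new' for a debut."""
    if name not in previous_rank:
        return "new"
    delta = previous_rank[name] - current_rank   # positive means moved up
    return "-" if delta == 0 else f"{delta:+d}"


def shift_column(entries=TOP_TEN):
    """[(rank, name, shift)] for a ranking list; top of the list is rank 1."""
    return [(rank, name, shift_label(name, rank))
            for rank, (name, _) in enumerate(entries, start=1)]


if __name__ == "__main__":
    for rank, name, shift in shift_column():
        print(f"{rank:2d} {name:28s} {shift}")
    print()
    for rank, (key, share) in enumerate(aggregate_by_family(TOP_TEN), 1):
        print(f"{rank:2d} {key:28s} {share:5.1f}")
```

Run over only the Top 10, MyTob's two variants already merge to 4.3 percent, fourth place, ahead of Adware/Agent; the page's 12.2 percent comes from the rest of the Top 100, which is why the family table ranks differ from what this subset produces.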
Several copies of the MyTob.FR variant were also placed around the PC under enticing filenames such as "funny_pic.exe" to increase the chance of execution, in typical MyTob fashion. In addition, MyTob.FR tries to kill running antivirus processes -- users of Fortinet's FortiClient are not affected by this. Figure 2 below shows the composition of this period's threatscape, comparing the volume of the main malware families for this edition:

[Figure 2: Family volume for the period ending February 2008]

MyTob activity this period exceeded that of Pushdo, Bagle, Storm, Grew, and even its predecessor MyDoom. Second only to Netsky's 19 percent share, MyTob accounted for 12 percent of this period's total detections, observed Fortinet security research engineer Derek Manky. MyTob's success is no doubt backed by its authors having obtained an already proven infection routine through MyDoom/RBot. By tailoring this code into the creation now controlled by the Hellbot gang, MyTob has managed to supersede much of MyDoom, as Figure 1 and Figure 2 above clearly show.

Below is a ranking of these families after their variants have been grouped, merged with our original top ten:

Rank  Malware Family             Percentage
 1    Netsky                     18.6
 2    MyTob                      12.2
 3    HTML/Iframe_CID!exploit     8.0
 4    Pushdo                      5.0
 5    Storm                       4.9
 6    MyDoom                      4.7
 7    Bagle                       3.9
 8    Agent                       3.8
 9    Grew                        3.4
10    W32/Istbar.PK!tr.dldr       2.1

As the table shows, family matters. Grew, fifth place in our original top ten, drops to ninth. MyTob and Pushdo both surpass Storm from its original third place ranking.

Disclaimer: Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. More specific information is available on request from Fortinet.
Please note that Fortinet's product information does not constitute or contain any guarantee, warranty or legally binding representation, unless expressly identified as such in a duly signed writing.

About Fortinet ( www.fortinet.com ): Fortinet is the pioneer and leading provider of ASIC-accelerated unified threat management, or UTM, security systems, which are used by enterprises and service providers to increase their security while reducing total operating costs. Fortinet solutions were built from the ground up to integrate multiple levels of security protection -- including firewall, antivirus, intrusion prevention, VPN, spyware prevention and anti-spam -- designed to help customers protect against network and content level threats. Leveraging a custom ASIC and unified interface, Fortinet solutions offer advanced security functionality that scales from remote office to chassis-based solutions with integrated management and reporting. Fortinet solutions have won multiple awards around the world and are the only security products that are certified in six programs by ICSA Labs (Firewall, Antivirus, IPSec, SSL, Network IPS, and Anti-Spyware). Fortinet is privately held and based in Sunnyvale, California.