The State of Malware Today - January 2007

This month's highlights:

January, by the numbers: top 10 threats caught by Fortinet's FortiGate security appliances in January 2007:

Rank  Name                      Share (%)
 1    HTML/BankFraud.E!phish      10.67
 2    HTML/Volksbanken!phish       8.81
 3    HTML/BankFraud.OD!phish      3.68
 4    W32/BAI!tr.dldr              3.42
 5    W32/Netsky.P@mm              2.75
 6    W32/Bagle.GT@mm              2.72
 7    HTML/Iframe_CID!exploit      2.23
 8    W32/Stration.JQ@mm           1.47
 9    W32/Bagle.DY@mm              1.26
10    W32/Grew.A!worm              0.96

This month's top 10 confirms the trend that began in October 2006, when the Volksbanken phish took hold of Germany: phishing detections are steadily taking over the top positions. This may seem surprising at first, given the "hit-and-run" nature of phishing operations, which usually consist of heavy mailing over a short period (typically less than 12 hours). Such a campaign creates a tremendous peak of activity but does not accumulate enough hits over the whole month to reach the monthly top 10, unlike, say, good old Netsky.P, which always earns a good monthly position thanks to its steady residual activity. So how do phishing detections occupy the first three spots this month? A quick look at sample e-mails caught by these detection patterns gives the answer: spammers use the same strategies as phishers to bypass filters. For instance, the well-known white-on-white technique (text coloured to match the background, so that the filter parses it but the reader never sees it) and other tricks are still used to fool mail filters, because the message still looks sensible to the user's eye. The collusion between spammers and phishers, both in interests (your money) and in organization, no longer needs demonstrating; what is interesting here is the side effect it produces: spam e-mails trigger a significant number of phish detections.
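As an added illustration, not part of the original roundup, here is a small Python check for the white-on-white trick mentioned above: it walks an HTML mail body, tracks the effective foreground and background colour of each element, and separates the text a reader would see from the text only the filter sees. The sample message, the tiny colour-name table, the tag handling and the black-on-white default are all constructed here for the example; a production filter would carry the full CSS colour list and handle stylesheets, not just inline styles and legacy attributes.

```python
import re
from html.parser import HTMLParser

# Minimal named-colour table for the example; real filters carry the full CSS list.
NAMED_COLOURS = {"white": "#ffffff", "black": "#000000"}

# Void elements never get a closing tag, so they must not push a colour context.
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}


def norm_colour(value):
    """Normalise '#FFF', '#ffffff' or 'White' to '#rrggbb'; None if unknown."""
    if value is None:
        return None
    v = value.strip().lower()
    v = NAMED_COLOURS.get(v, v)
    m = re.fullmatch(r"#([0-9a-f]{3}|[0-9a-f]{6})", v)
    if not m:
        return None
    h = m.group(1)
    if len(h) == 3:
        h = "".join(c * 2 for c in h)
    return "#" + h


def parse_style(style):
    """Return (color, background) declared in an inline style attribute."""
    fg = bg = None
    for decl in (style or "").split(";"):
        prop, _, val = decl.partition(":")
        prop = prop.strip().lower()
        if prop == "color":
            fg = norm_colour(val)
        elif prop in ("background", "background-color"):
            bg = norm_colour(val)
    return fg, bg


class HiddenTextFinder(HTMLParser):
    """Split the text of an HTML mail into what the reader sees and what only
    the filter sees (foreground colour equal to the effective background)."""

    def __init__(self):
        super().__init__()
        # Stack of effective (foreground, background) per open element;
        # assume the mail client's default of black on white at the root.
        self.ctx = [("#000000", "#ffffff")]
        self.hidden = []
        self.visible = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        a = dict(attrs)
        fg, bg = self.ctx[-1]
        # Legacy HTML attributes still common in spam templates.
        if tag == "font" and a.get("color"):
            fg = norm_colour(a["color"]) or fg
        if a.get("bgcolor"):
            bg = norm_colour(a["bgcolor"]) or bg
        # Inline CSS overrides the legacy attributes.
        sfg, sbg = parse_style(a.get("style"))
        self.ctx.append((sfg or fg, sbg or bg))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and len(self.ctx) > 1:
            self.ctx.pop()

    def handle_data(self, data):
        text = " ".join(data.split())
        if not text:
            return
        fg, bg = self.ctx[-1]
        (self.hidden if fg == bg else self.visible).append(text)


def scan_mail(html):
    """Return {'visible': [...], 'hidden': [...]} text runs for an HTML body."""
    p = HiddenTextFinder()
    p.feed(html)
    p.close()
    return {"visible": p.visible, "hidden": p.hidden}


# Constructed sample, not a real campaign: a phish-style lure padded with
# innocuous white-on-white words meant to dilute a statistical filter's score.
SAMPLE_MAIL = """\
<html><body bgcolor="#FFFFFF">
<p>Dear customer, please confirm your account details at our secure site.</p>
<font color="white">meeting agenda quarterly report minutes family vacation photos</font>
<p style="color:#fff;">newsletter subscription invoice attached thanks regards</p>
<p style="color:#000000;">Sincerely, The Bank</p>
</body></html>
"""

if __name__ == "__main__":
    result = scan_mail(SAMPLE_MAIL)
    print("visible:", result["visible"])
    print("hidden :", result["hidden"])
```

The useful signal for a filter is not the hidden text itself but the ratio of hidden to visible words: a legitimate newsletter rarely hides whole sentences. Mis-nested tags in real spam can desynchronise the context stack, so a deployed version should resynchronise on structural tags such as body and table rather than trusting every close tag.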
(virus) Writers in the Storm

According to Guillaume Lovet, threat research manager for EMEA, this has not always been the case in the past (owing to the frequent over-hyping of eye-catching but not widely prevalent threats), but this month one could say that the main trend in the media is well reflected by the top 10. Indeed, W32/BAI!tr.dldr, an instance of the infamous "Storm Worm", is the first threat in the list that is neither a phish nor spam-related. Totaling more hits over the month than Netsky.P itself is certainly impressive, but it has been achieved several times in past years (by Stration, Sober or Grew, to name a few). What is entirely new, and truly impressive, is that it did so in one single run, on January 19th:
Figure 1 above clearly shows the steady activity curve of our designated benchmark, Netsky.P, pierced by the steep peak of "the Storm worm". This is, without any doubt, the most aggressive seeding observed in the past two years. In comparison, the new Stration variant seeded this month, Stration.JQ, looks like a minor outbreak, and incidentally went almost unnoticed by the media and the security community, although it showed peaks during which its activity was twice that of Netsky.P:
The social engineering strategy used by "the Storm worm" was utterly basic, but proven: it consisted in timing the initial mass-mailing operation (the "seeding") with a news event. Indeed, Lovet said, as Europe was being hit by violent storms, the worm's authors chose to release their malware by means of e-mails whose subjects would often read "230 dead as storm batters Europe", carrying an attachment named Full Story.exe or Video.exe, among other similarly evocative names. The term "Storm" was therefore particularly apt for naming the malware, while "worm" is highly debatable, since it is really a Trojan. Indeed, besides sending one to three e-mails carrying the malicious attachment, what it does is essentially drop additional components, sometimes after downloading them. To make a long story short: it does not spread by itself yet, and the infected machines are turned into bots able to relay spam e-mails and to receive updates from a list of "peer bots". This last feature makes Storm the first mainstream threat to implement the peer-to-peer botnet strategy. The advantage is obvious: a decentralized command and control channel makes the botnet more robust and resilient, unlike classical botnets, for which closing the central command and control channel (typically an IRC server) effectively shuts down the whole botnet. There is, however, a drawback: someone who reverse engineers the P2P protocol and holds a sample bot could very well use the botnet for his own purposes (the bots would have to authenticate the updates they accept for this to be prevented), and perhaps steal it for good by commanding each bot to replace itself with a classic bot reporting to a central C&C channel, such as an IRC server owned by the hijacker. Back in 2004, we had the "Virus War": Netsky v. Bagle v. MyDoom. Will we have a botnet war in 2007? After the initial, monstrous seeding, there have been smaller daily runs, which we caught under various names depending on the component (Tibs, Agent, Small...), as can be seen in Fig 3 below:
At this point, the malware authors probably use these smaller runs to fine-tune the size of their botnet. New variants are seeded via mail, but also injected into the P2P botnet via HTTP. Each new run lasts several hours, and the seeded files are "server-side polymorphic", that is to say the servers spawn new minor variants at a high pace. This can be observed in this snippet of the output of one of our monitoring tools, watching a Storm worm seed point:

2007-01-24 15:04:46: Fetched file 4192b03d1e687321593b08f062f70286 (W32/Tibs.KB!tr)
2007-01-24 15:18:58: Fetched file 588602df1f6f6eebae6bd08450744fab (W32/Tibs.KB!tr)
2007-01-24 15:34:59: Fetched file a6261d474a02c3b6a5dac8b5cb48c78c (W32/Tibs.KB!tr)
2007-01-24 15:51:07: Fetched file b351d0589cf1cda53f44ae993c8bc812 (W32/Tibs.KB!tr)
[...]
2007-01-25 02:33:34: Fetched file a0434a62ca269581aeccd7885d2de9fb (W32/Tibs.KB!tr)
2007-01-25 02:59:45: Fetched file 57e9428277a9e234483eb7d7ae6d60da (W32/Tibs.KB!tr)
2007-01-25 03:24:46: Fetched file 53445868771ba9f967a35ecf2bbb22fd (W32/Tibs.KB!tr)
2007-01-25 03:51:07: Fetched file 53445868771ba9f967a35ecf2bbb22fd (W32/Tibs.KB!tr)
2007-01-25 04:21:40: Fetched file 53445868771ba9f967a35ecf2bbb22fd (W32/Tibs.KB!tr)
...etc...

Files are designated by their MD5 sums, a 128-bit hash written as 32 hexadecimal characters; two files with different content will, barring a deliberately crafted collision, have different MD5s, so a changed sum means a changed file. As one can see, the file changes roughly every 15 to 25 minutes over about 12 hours (from 15:04:46 on the 24th until the last new sample appears at 03:24:46 on the 25th), after which the MD5 remains constant: the run is over, and the authors are preparing the next big variant. This is server-side polymorphism.

The Missing Link

Since December, our attentive readers might have noticed a missing link in our virus top 10: Adware/BetterInternet. This annoying piece of adware used to head the top 10 in early 2006 and stayed up there all year long, thanks to the large botnet feeding it, as we detailed in a previous roundup. Its activity, however, suddenly stopped in December 2006.
Several hypotheses can be put forward: maybe the bot herder was caught, or simply thought he had made enough money and moved on. Or perhaps the "targeted marketing" (read: adware) company tremendously tightened its policies regarding its affiliates and stopped paying botnet herders for installing its adware on infected machines. No, just kidding.
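Returning to the Storm monitoring output quoted in the section on server-side polymorphism above, the following Python script is an added example, not one of the tools described in this roundup. It parses fetch lines in that format (the line layout is inferred from the snippet and is an assumption), counts distinct MD5s, measures the gap between successive new variants, and reports when the hash stops changing, which is the signal that a polymorphic run has ended. The log text is copied from the snippet, elision marker included, to show that unparseable lines are skipped rather than crashing the parser.

```python
import re
from datetime import datetime
from statistics import median

# The fetch log quoted in the Storm section; the "[...]" elision is kept
# on purpose so that the parser's handling of junk lines is exercised.
STORM_LOG = """\
2007-01-24 15:04:46: Fetched file 4192b03d1e687321593b08f062f70286 (W32/Tibs.KB!tr)
2007-01-24 15:18:58: Fetched file 588602df1f6f6eebae6bd08450744fab (W32/Tibs.KB!tr)
2007-01-24 15:34:59: Fetched file a6261d474a02c3b6a5dac8b5cb48c78c (W32/Tibs.KB!tr)
2007-01-24 15:51:07: Fetched file b351d0589cf1cda53f44ae993c8bc812 (W32/Tibs.KB!tr)
[...]
2007-01-25 02:33:34: Fetched file a0434a62ca269581aeccd7885d2de9fb (W32/Tibs.KB!tr)
2007-01-25 02:59:45: Fetched file 57e9428277a9e234483eb7d7ae6d60da (W32/Tibs.KB!tr)
2007-01-25 03:24:46: Fetched file 53445868771ba9f967a35ecf2bbb22fd (W32/Tibs.KB!tr)
2007-01-25 03:51:07: Fetched file 53445868771ba9f967a35ecf2bbb22fd (W32/Tibs.KB!tr)
2007-01-25 04:21:40: Fetched file 53445868771ba9f967a35ecf2bbb22fd (W32/Tibs.KB!tr)
"""

# Line layout assumed from the snippet: "<date> <time>: Fetched file <md5> (<name>)".
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): Fetched file ([0-9a-f]{32}) \((.+)\)$"
)


def parse_fetch_log(text):
    """Return [(timestamp, md5, detection_name), ...] for well-formed lines only."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                           m.group(2), m.group(3)))
    return events


def summarize_run(events):
    """Characterise one server-side polymorphic run.

    A poll that returns a different MD5 than the previous poll means the
    server spawned a new variant; once consecutive polls keep returning the
    same MD5 the run is over and the seed point is idle."""
    if not events:
        return None
    new_variant_times = [events[0][0]]
    distinct = {events[0][1]}
    constant_since = None
    prev_md5 = events[0][1]
    for ts, md5, _ in events[1:]:
        if md5 != prev_md5:
            new_variant_times.append(ts)
            distinct.add(md5)
            constant_since = None          # churn resumed, reset the idle marker
        elif constant_since is None:
            constant_since = ts            # first poll that repeated the last hash
        prev_md5 = md5
    gaps = [(b - a).total_seconds()
            for a, b in zip(new_variant_times, new_variant_times[1:])]
    return {
        "variants": len(distinct),
        "first_fetch": events[0][0],
        "last_new_variant": new_variant_times[-1],
        "constant_since": constant_since,   # None while the server is still churning
        "median_gap_s": median(gaps) if gaps else None,
        "names": sorted({name for _, _, name in events}),
    }


if __name__ == "__main__":
    s = summarize_run(parse_fetch_log(STORM_LOG))
    print(f"{s['variants']} variants from {s['first_fetch']} to {s['last_new_variant']}, "
          f"median gap {s['median_gap_s']:.0f}s, constant since {s['constant_since']}")
```

Because the elided stretch of the snippet shows up as a single gap of more than ten hours, the median rather than the mean is used as the typical spawn interval; on the quoted lines it comes out at about 20 minutes. The tool dates the end of churn at 03:24:46, the first appearance of the final hash, and the start of the idle stretch at the first repeated fetch, 03:51:07; polling at an interval shorter than the spawn rate is what makes the "constant since" signal reliable.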