The State of Malware Today - January 2008

This month's highlights: January, by the numbers

Top 10 threats caught by Fortinet's FortiGate security appliances in January 2008. Entries in bold are new to the top ten this month:
Rank   Malware                        Percentage
1      W32/Netsky!similar             10.91
2      HTML/Iframe_CID!exploit         7.91
3      W32/Small.FQS!tr.dldr           5.87
4      W32/Pushu.BYC!tr                2.83
5      W32/MyTob.FR@mm                 2.53
6      W32/Pushdo.DGH!tr               2.53
7      W32/MalFormedani.C              2.49
8      Adware/Agent                    2.47
9      W32/Bagle.DY@mm                 2.24
10     W32/MyTob.BH.fam@mm             2.09
January rings in the new year with new entries surfacing in our top ten, replacing many from December:
  • Tainted love: Small.FQS (aka Storm) launches a Valentine's Day campaign, claiming a solid third place in our top ten in just one day
  • Aware of Adware: Agent takes over the eighth position, generating much activity toward the end of the month as last month's Bdsearch and TCent fall off the chart
  • Trojans Pushu.BYC and Pushdo.DGH (both belonging to the Pushdo family) push aggressive, high volumes of "eCards" in January
  • MyTob++: Another MyTob variant joins the top ten this month, as the mass-mailing MyTob family picks up steam

Pushing infectious eCards

An age-old trick does not warrant extinction, it would seem, as the powers behind the Pushdo Trojan jumped into full swing during January, handing out eCards to all. This is a tactic that we have seen time and time again. While Storm had gone phishing and was busy sending out Valentine's notes, Pushdo stepped up to the plate and made several efforts to distribute itself, masked as an eCard attachment. The social engineering scheme used in the emails (see Figures 1a/1b below) was quite simple: it proclaimed that an eCard had been sent and advised recipients to check the attachment. Yes, all users should indeed be checking their attachments; however, they should also be checking for malware, and not executing any deliveries inside.


Figure 1a: Pushu.BYC attached, posing as an "eCard" attachment



Figure 1b: Pushdo.DGH attached as an "eCard", with similarities to Pushu.BYC


As you can see, they were a little behind when using the message "Merry Christmas!", clearly sent with a "better late than never" mentality. Figure 1a shows this message with a time-stamp of January 13, 2008. The two variants of Pushdo (much the same as shown in the above figures) combined to form January's threatscape (see Figure 2 below) alongside Storm. If a user is fooled into executing the attachment, Windows will temporarily display a "please wait" icon as Pushdo begins its infection routine, chewing up system resources. This includes contacting a control server via HTTP to obtain data and dropping a rootkit that hides the process when viewing running system processes. In both variants, a connection is also established to the control server on TCP port 2581 to await further instruction. It should be noted that most legitimate eCards come in the form of a link to the eCard-hosting site using a unique ID; they do not come as attachments. As a friendly reminder, before following any links sent by a third party, we highly recommend that users "think before they link" and carefully examine the location to which they are about to travel.


Figure 2: Pushdo, Storm and Agent activity since late December 2007


Observing Figure 2 above, we can see that Storm gained its top ten ranking in a single day during a Valentine's Day campaign on January 16th. This was done in much the same fashion as one year ago during its birth -- although on a lesser scale, statistically speaking, in terms of volume.

Weathering a year-long Storm

Since when do zombies have hearts? There was more than one storm brewing in January, with multiple attacks seen throughout the month. The most noticeable of these was a full-hearted bombardment of spam pointing to a zombie belonging to the Storm botnet. These premature emails arrived mid-January, flooding the inboxes of what they hoped were unsuspecting recipients. Storm was at it again, leveraging Valentine's Day to work its way into the hearts (aka operating systems) of personal computers worldwide. The initial emails sent out by the Storm network were very simple, containing a link using an IP address which ultimately led to Storm infection. On following the link, the user would be led via HTTP to a page using a themed click-me, a social engineering tactic (see Figure 3 below) for which Storm has become notorious.


Figure 3: "Your infection should begin shortly": Embracing Storm


It is interesting to note that whoever launched this campaign was using a direct IP address to point to the Web site's malicious launchpad, and not a domain name. Storm is a diverse botnet which uses fast flux methodologies (see our analysis on Canadian Pharmacy for fast flux examples). The IP may have been an experiment or merely slapped in to get the job done, further highlighting the hit-and-run nature of this attack. Either way, it did not leverage Storm's mesh network by using several fast flux domains -- something witnessed in the past. The campaign was most likely intended to be effective within a short time-frame, as shown by the large volume observed on a single day.
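The two lure patterns described above (Pushdo's executable "eCard" attachment, and Storm's link to a bare IP address rather than a domain) can both be caught by a simple mail-triage check. This is an added example, not Fortinet's code; the message samples, the `EXECUTABLE_EXTS` list and the `192.0.2.10` / `example.invalid` addresses are constructed for illustration.

```python
import re
from email import message_from_string
from ipaddress import ip_address
from urllib.parse import urlparse

# A legitimate eCard is a link to the hosting site, never a program to run.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def host_is_bare_ip(url: str) -> bool:
    """True when the link's host is a literal IP address, not a domain name."""
    try:
        ip_address(urlparse(url).hostname or "")
    except ValueError:
        return False
    return True

def triage_ecard_mail(raw: str) -> list[str]:
    """Return the reasons a message looks like an eCard lure (empty = nothing flagged)."""
    reasons = []
    for part in message_from_string(raw).walk():
        name = part.get_filename()
        if name and name.lower().endswith(EXECUTABLE_EXTS):
            reasons.append(f"executable attachment {name!r} presented as an eCard")
        if part.get_content_type() == "text/plain":  # leaf part, so decode=True yields bytes
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            reasons += [f"link to bare IP address {urlparse(u).hostname}"
                        for u in URL_RE.findall(body) if host_is_bare_ip(u)]
    return reasons

# Constructed samples modelled on the lures described above, not real captured mail.
PUSHDO_STYLE = """\
Subject: You have received an eCard
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Merry Christmas! Your eCard is in the attachment, open it to view.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="ecard.exe"

--b1--
"""
STORM_STYLE = """\
Subject: Be my Valentine

I found this for you: http://192.0.2.10/ or http://ecards.example.invalid/view?id=42
"""
```

The domain-based link in the second sample is deliberately left unflagged, so the check separates the bare-IP lure from the way legitimate eCard sites deliver a card.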

Apart from this campaign, there was plenty of additional activity from the Storm botnet this month. The activity was quite diverse, which further reinforces the suggestion that the botnet is being rented out for other operations. One of these operations observed was phishing -- a first for Storm, as posted in our advisory here. "With a robust mesh network, a strong engine and scores of zombies, the botnet has become prime real estate in the digital underground," observed Derek Manky, security research engineer for the FortiGuard Global Security Research Team.

Our team will continue to monitor activity from these and emerging threats, while providing consumers with the latest protection and insight.

Disclaimer:

Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. More specific information is available on request from Fortinet. Please note that Fortinet's product information does not constitute or contain any guarantee, warranty or legally binding representation, unless expressly identified as such in a duly signed writing.

About Fortinet ( www.fortinet.com ):

Fortinet is the pioneer and leading provider of ASIC-accelerated unified threat management, or UTM, security systems, which are used by enterprises and service providers to increase their security while reducing total operating costs. Fortinet solutions were built from the ground up to integrate multiple levels of security protection--including firewall, antivirus, intrusion prevention, VPN, spyware prevention and anti-spam -- designed to help customers protect against network and content level threats. Leveraging a custom ASIC and unified interface, Fortinet solutions offer advanced security functionality that scales from remote office to chassis-based solutions with integrated management and reporting. Fortinet solutions have won multiple awards around the world and are the only security products that are certified in six programs by ICSA Labs: (Firewall, Antivirus, IPSec, SSL, Network IPS, and Anti-Spyware). Fortinet is privately held and based in Sunnyvale, California.