FortiGuard Center

The State of Malware Today - July 2007





This month's highlights:

July, by the numbers

Top 10 threats caught by Fortinet's FortiGate security appliances in July 2007:
	Rank   Malware                    Percentage
	 1.    W32/Netsky.P@mm               9.52%
	 2.    HTML/Iframe_CID!exploit       8.42%
	 3.    W32/Bagle.DY@mm               4.71%
	 4.    W32/Dialer.PZ!tr              3.62%
	 5.    W32/Grew.A!worm               3.09%
	 6.    W32/ANI07.A!exploit           2.88%
	 7.    W32/Netsky!similar            2.66%
	 8.    W32/Bagle.GT@mm               2.53%
	 9.    W32/Sober.AA@mm               2.30%
	10.    W32/Virut.fam                 2.27%

Trends spotted in this month's Top 10 malware include:
  • An increase in the breadth of detection lowered the Top 10 percentages overall.
  • Last month, Netsky.P was catching up to Bagle.DY; it has now surpassed it, with just about double Bagle.DY's percentage.
  • ANI07.A is still holding on despite a patch having been released, which means it is either still effective or not being sufficiently cleaned off public Web sites.
  • The email-based Iframe_CID exploit has moved higher than usual, perhaps owing some of its success to Netsky.P's mass-mailer component and to its own recent rise in activity.

Good old traditions: the summer postcard

Let's face it, postcards are out, e-cards are in. Cheaper, uglier, effortless to send, and above all, perfectly fit to carry the modern, digital anthrax: computer viruses. The 21st century in a nutshell.

As a matter of fact, for the last several years virus writers have been resorting to rogue e-cards -- posing as legitimate ones from well-known sites -- to spread and seed their malware around the holidays (such as Christmas or Valentine's Day) every year. According to Guillaume Lovet, manager of the FortiGuard Global Security Research Team, this summer the "Storm Worm" (aka W32/Tibs) crew decided to broaden their infamous peer-to-peer botnet via this well-known strategy. Their e-cards have been rough and simple, and barely implemented any social engineering strategy at all:

Figure 1: A social engineering pitch that all but says "click me to get infected"

As is often the case in such situations, the gang compensated for this low-quality social engineering work with heavily aggressive seeding. Waves of e-cards seemed to literally flood users' mailboxes on an almost daily basis, as can be observed in figure 3 below:

Figure 2: Your daily fix of e-card

As can be seen on Figure 2, rather than embedding the virus straight away inside the malicious email, the gang chose to load it with a link pointing back to zombie machines of the P2P botnet (in plain words: possibly your own box), each running a lightweight HTTP server ready to distribute the piece of malware to whomever asks for it.

This is most likely not done in an effort to gracefully reduce the load on mail servers around the world, but rather to bypass antivirus filters. Although this strategy is anything but new (Bagle used to implement it more than three years ago), it probably still has its share of efficiency. Indeed, HTTP traffic is less likely to be filtered than SMTP traffic: because the constraints are tighter (on-the-fly, real-time scanning versus scanning mails that sit quietly on a server before they get delivered), HTTP antivirus filters are far less ubiquitous than email AV scanning is. This may change with the rise of UTM appliances, Lovet said.
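As an added example (not code or data from the FortiGuard report), here is a small mail-side triage script for the kind of lure described above: it pulls every link out of a raw message and flags links whose host is a bare IP address or whose path ends in an executable name. Both heuristics are assumptions of this example rather than anything the report states, and the sample message is constructed.

```python
import re
from email import message_from_string
from ipaddress import ip_address
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat")

# Constructed sample lure: an e-card notice whose "card" is a link to a
# host rather than an attachment. 192.0.2.17 is a documentation address.
SAMPLE_MAIL = """From: cards@example.invalid
To: user@example.invalid
Subject: You have received a postcard
Content-Type: text/plain; charset=utf-8

A friend has sent you a summer postcard.
To view it, open the link below:
http://192.0.2.17/postcard.exe
"""

def extract_links(raw_mail):
    """Return every http(s) URL found in the text parts of a raw message."""
    msg = message_from_string(raw_mail)
    links = []
    for part in msg.walk():  # walk() yields the message itself when not multipart
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            text = payload.decode(part.get_content_charset() or "utf-8", "replace")
            links += [u.rstrip(".,;)") for u in URL_RE.findall(text)]
    return links

def link_findings(url):
    """Heuristics (assumptions of this example) that make a lure link suspicious."""
    findings = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    try:
        ip_address(host)  # a raw IP points at a machine, not at a card site
        findings.append("bare-ip-host")
    except ValueError:
        pass
    if parsed.path.lower().endswith(EXEC_EXT):
        findings.append("executable-download")
    return findings

def triage(raw_mail):
    """Map each link in the message to the heuristics it triggers."""
    return {url: link_findings(url) for url in extract_links(raw_mail)}

if __name__ == "__main__":
    for url, why in triage(SAMPLE_MAIL).items():
        print(url, why or "clean")
```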

And the target is: your web browser

Actually, the only innovation in that whole malicious e-card storm lies in the following: should you, by mistake or intentionally, request the index page rather than pasting the full malicious link into your browser (or clicking on it, if HTML is enabled in your mail client), the Web server (which, according to Lovet, happily vampirizes the resources of the infected box it silently sits on) would serve you a load of malicious JavaScript. Detected as JS/Agent.KD and variants, these scripts attempt classical browser exploitation techniques in order to ram more Trojans onto your hard drive. Trendy.

Indeed, a look back at recent events such as the MPack "drive-by-install" case, where malicious IFrames silently redirected hundreds of thousands of visitors of legitimate -- but hacked -- websites to a page full of malicious scripts, seems to highlight browser exploitation as the new "big thing" among virus writers. Figures tend to confirm this: since January, the share of exploits in malicious activity has almost doubled, reaching 5 percent of global malware activity in July.

Furthermore, since it appeared three months ago, the detection patterns aimed at blocking the infamous ANI exploit (MS07-017) have been producing enough hits to keep it steadily in our malware Top 10. Contrary to old, historic mass-mailers such as Netsky.P, whose activity varies heavily over the week (practically halved on week-ends, when old infected corporate boxes are shut down), W32/ANI07.A!exploit produces steady, solid activity throughout the month, as can be seen on Figure 4. This essentially means that malicious sites serving this exploit are being actively browsed, while most old-worm activity is ineffective and radiates from abandoned machines.

Figure 3: Old Skool worm Vs New Skool browser exploit

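The weekday/week-end argument above can be checked on raw daily hit counts. The following is an added example, not FortiGuard's code or telemetry: it builds constructed daily counts for the two signatures over July 2007 and computes each one's week-end-to-weekday ratio; the 0.75 threshold and the jitter are assumptions of the example.

```python
from datetime import date, timedelta
from statistics import mean

START = date(2007, 7, 1)  # 1 July 2007 was a Sunday
DAYS = [START + timedelta(days=i) for i in range(31)]

def constructed_series(weekday_hits, weekend_hits):
    """Illustrative daily hit counts for one signature (not real telemetry).
    A small deterministic jitter keeps the series from being perfectly flat."""
    return {d: (weekend_hits if d.weekday() >= 5 else weekday_hits) + 20 * (i % 4)
            for i, d in enumerate(DAYS)}

# Constructed sample: a mass-mailer that halves on week-ends versus a
# browser exploit whose hits stay level through the month.
SAMPLE = {
    "W32/Netsky.P@mm": constructed_series(1000, 500),
    "W32/ANI07.A!exploit": constructed_series(300, 290),
}

def weekend_ratio(series):
    """Mean week-end hits divided by mean weekday hits for one signature."""
    weekend = [n for d, n in series.items() if d.weekday() >= 5]
    weekday = [n for d, n in series.items() if d.weekday() < 5]
    return mean(weekend) / mean(weekday)

def classify(series, threshold=0.75):
    """Label a signature's pattern by its week-end dip (threshold is an assumption).
    Returns (label, ratio)."""
    ratio = weekend_ratio(series)
    if ratio < threshold:
        return "weekly-cycle: likely abandoned corporate boxes", ratio
    return "steady: likely actively browsed", ratio

if __name__ == "__main__":
    for name, series in SAMPLE.items():
        label, ratio = classify(series)
        print(f"{name:22s} week-end/weekday = {ratio:.2f}  {label}")
```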
The slight shift toward browser exploitation partly lies in the fact that it bypasses any form of user interaction (besides dragging him/her to the malicious page, which is fairly easy when the page in question sits on a trusted site that was hacked into), hence rendering user education useless (some may argue that this has always been the case, but we are moving from a mere "they'll never learn" to a more refined "they'll never need it" here). But that is not all: as we enter the Web 2.0 era, most of our data and applications are shifting from the desktop to online places. The web browser is our gateway to those, and therefore becomes absolutely central; some even compare browsers to the next operating-system core (when OSes run online, that is).

With that in mind, it is not surprising that Web browsers are becoming targets of choice for malware writers, and for the cyber criminals using the aforementioned writers' off-the-shelf tools (as a reminder, MPack is sold for $700 on Web forums).

Now, how much trust do you have in your own browser? How exploitable is it? If you run an outdated Internet Explorer, the answer is: outrageously, and it could already be too late for you anyway without a massive overhaul. If, on the other hand, you run a perfectly up-to-date Opera on Linux, the answer is: barely -- not to say not at all. For all the cases in between, placing efficient network-based antivirus filters between you (or your users) and the Internet will certainly help: surfing clean pipes cannot be bad.