FortiGuard Center

The State of Malware Today - June 2007





This month's highlights:

June, by the numbers

Top 10 threats caught by Fortinet's FortiGate security appliances in June 2007:
	Rank        Malware                    Percentage
	 1           W32/Dialer.PZ!tr           13.43%
	 2           W32/Bagle.DY@mm            10.05%
	 3           W32/Netsky.P@mm             7.11%
	 4           HTML/Iframe_CID!exploit     5.90%
	 5           W32/ANI07.A!exploit         3.52%
	 6           W32/Grew.A!worm             3.50%
	 7           W32/Bagle.GT@mm             2.43%
	 8           W32/Sober.AA@mm             1.98%
	 9           W32/Stration.JQ@mm          1.89%
	10           W32/Sality.Q                1.75%

This month's Top 10 malware primarily consists of the same familiar faces, with only a few new visitors:
  • Dialer.PZ continues to reign supreme over other mass mailers this month, with the Bagle.DY and Netsky.P mass-mailers continuing to hold second and third respectively.
  • The Top 10 remains fairly consistent, with Grew.A, Bagle.GT, Sober.AA, Stration.JQ and ANI07.A keeping similar relative positions.
  • New to the top ten is Sality.Q coming in at the bottom to fill the void left by the departure of the BankFraud.E phishing attack from the Top 10.
  • ANI07.A, an exploit in an animated cursor, is notable this month since the vulnerability was patched and it is the only exploit on the list that is neither a worm nor related to a worm. For an exploit such as ANI07.A to place so high on the chart, malicious attackers have been making use of popular web sites (such as social networking sites, blog sites, and photo hosting sites) to upload a specially crafted animated cursor that triggers a buffer overflow on a vulnerable machine. In turn, this can run arbitrary code and be used as a springboard for other malicious activities.

W32/Dialer.PZ!tr Packing for a Cruel Summer


Once again, the bot-embedded dialer takes the reins, besting W32/Bagle.DY@mm and Netsky.P@mm. Last month we discussed the life cycle of W32/Dialer.PZ!tr, which spanned dynamic design, assembly-line manufacturing and intelligent statistics reporting through to geographic deployment strategy and payload. W32/Dialer.PZ!tr kicked off June exactly where it left off last month, streaming primarily across Mexico and the USA at a torrential pace thanks to the continued aggressive distribution campaign (see Figure 1). These seasoned malware creators seem to have been inspired by the prospects of an infectious North American summer, and as a result have been busy packing. Rest assured, they are not packing their bags to leave for a summer vacation -- they have merely wrapped their malicious creation in a package which they hope will not be inspected by the cyber sentries while it crosses virtual borders.

Derek Manky, Fortinet security research engineer, reported that the malware creators had changed a component in their assembly-line process by packing W32/Dialer.PZ!tr with a new variation of the popular run-time packer UPX. The first recorded sample stamped by the malware creators using this new packer was created on June 21st 2007, more precisely at 5:35 p.m. -- just in time for the Summer Solstice. Since then, it has been out with the old and in with the new, as the previous packages have completely stopped being assembled and distributed. It is clear that the malware creators have taken steps to refine and protect their product. Now over two months in the wild and showing a rising volume trend, it can be assumed that the distributors intend to maintain operations throughout the summer. With this in mind, as well as the dynamic design and potential for future expansion explained in last month's roundup, there is a good chance we will not see the sun set on this dialer in the near future.
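An added defender-side example, not part of Fortinet's report: a Python heuristic that flags a PE as possibly packed by looking for UPX section names and high section entropy, the two signs a repacked sample like the one described above would show. The 7.0-bit threshold and the minimal PE produced by `build_sample_pe` are constructed for illustration only.

```python
import math
import struct
from collections import Counter

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}  # names stock UPX gives its sections

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; compressed or encrypted data sits near 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_sections(pe: bytes):
    """Yield (name, raw_bytes) for every section header in a PE image."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    for i in range(nsections):
        hdr = pe[table + 40 * i:table + 40 * (i + 1)]
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        yield hdr[:8].rstrip(b"\0"), pe[raw_ptr:raw_ptr + raw_size]

def packer_indicators(pe: bytes, threshold: float = 7.0) -> list[str]:
    """Reasons the file looks packed; an empty list means no indicator fired.
    A renamed UPX build defeats the name check, so section entropy is checked too."""
    reasons = []
    for name, data in pe_sections(pe):
        label = name.decode(errors="replace") or "?"
        if name in UPX_SECTION_NAMES:
            reasons.append(f"section {label} carries a UPX section name")
        if data and shannon_entropy(data) > threshold:
            reasons.append(f"section {label} entropy above {threshold}")
    return reasons

def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE32 for testing (hypothetical layout, not a real binary)."""
    e_lfanew, opt_size = 0x40, 224  # optional header is left zeroed; the parser skips it
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    ptr = e_lfanew + 24 + opt_size + 40 * len(sections)  # first section's raw data offset
    table, body = b"", b""
    for name, data in sections:
        table += name.ljust(8, b"\0") + struct.pack("<IIII", len(data), 0x1000, len(data), ptr)
        table += b"\0" * 16  # relocation/line-number fields and Characteristics, unused here
        body, ptr = body + data, ptr + len(data)
    return dos + coff + b"\0" * opt_size + table + body
```

The output is a triage hint, not a verdict: legitimate installers and compressed resources also score high on entropy, so the indicators should feed a review queue rather than a block rule.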


Figure 1: W32/Dialer.PZ!tr activity for June 2007

Diminishing Email Worm


While Trojans, spyware, exploits, worms (IM, Linux, Mobile, Win32) and scripts continue to pose a threat to Internet users, the number of in-the-wild email worms (or mass mailers) appears to have been diminishing by five percent each month since the beginning of this year. This decreasing pattern was also seen in the number of detections (see Figure 2 below showing the month-by-month detection statistics of each type of malware). As can be observed, some of the malware types have shown similar declining patterns but nothing like the 25 percent decrease with email worms.


Figure 2: Malware Type detection per month


According to Bryan Lu, project manager for the Fortinet Global Security Research Team, a few of the possible reasons why the email worm is diminishing include:

  • Malicious attackers have shifted their medium. With targeted attacks seemingly on the rise, one attack on a corporate network is perhaps equivalent to 1,000 home users.
  • Increased end-user awareness. As more people become aware of the threat, they are less likely to fall for the social engineering aspect of the malicious email (such as "Attached is the executive document for your reference. Here is the password: 2045."). Since most email worms are designed to entice the user to open the executable attachment, the only thought left to ponder is "should I open this attachment or not?"
  • Companies have increased their budget on deploying threat mitigation solutions to protect their investment. The increase in deployed threat mitigation solutions reduces the attack surface.

Instant Messages or Instant Threats?


Earlier this month, a vulnerability in Yahoo! Messenger's WebCam ActiveX control was discovered. Using this vulnerability, a malicious attacker can create a specially crafted HTML page with a script that instantiates the WebCam ActiveX control and overflows its buffer. Since its discovery, there have been very few incidents of this exploit. This low incidence is most likely explained by the small share of Yahoo! Messenger users compared to MSN Messenger. This threat is currently detected with intrusion prevention as "Yahoo.Messenger.Webcam.Upload.Viewer.ActiveX.Buffer.Overflow" and with antivirus as "JS/Yahoo.A!exploit."

Moving on to instant messenger threats, one particular IM worm has stood out since March. With fewer than 10 variants of IM worms in the wild, compared to several hundred variants of email worms, Mytob.FJ has shown considerable activity. Most IM worms stay below a thousand detections each per month, but as Figure 3 below shows, Mytob.FJ differs:


Figure 3: Detection Statistics of Mytob.FJ