FortiGuard Center

The State of Malware Today - March 2006



Fortinet Reviews Malicious Code Activity In March 2006

This month's highlights:


March, by the numbers:

Top 10 threats caught by Fortinet's FortiGate security appliances in March 2006:

1. W32/Netsky!similar 11.26%
2. Adware/BetterInternet 10.01%
3. HTML/Iframe_CID!exploit 8.38%
4. W32/Grew.A!wm 7.71%
5. W32/Bagle.DY-mm 5.12%
6. HTA/Sitex.A-tr 2.99%
7. W32/MyTob.fam-mm 2.62%
8. W32/Mytob!similar 2.19%
9. W32/Bagle.EG!mm 1.81%
10. Adware/ZangoSA 1.75%

Top 5 new threats appearing in March 2006:

1. W32/Bagle.fam-mm!Sality 0.93%
2. W32/Bagle.EK!mm 0.45%
3. HTML/BankFraud.E!phish 0.31%
4. W32/Bagle.FO!mm 0.29%
5. W32/Sality.I 0.23%

Top 10 countries reporting infections in March 2006:

1. United States of America 19.21%
2. Korea, Republic of 9.14%
3. Taiwan 8.52%
4. India 5.83%
5. Japan 5.76%
6. China 4.93%
7. Mexico 4.12%
8. Thailand 3.47%
9. Malaysia 3.00%
10. Sweden 2.80%

Virus Activity: Netsky, Dead or Alive?

This month's top 10 threats outline new trends on the virus scene that have been progressively growing for several months. Netsky is back on top more than two years after it was discovered. At first glance, this could be perceived as the resurgence of an old dormant virus taking over the scene again, in a raging blow against the bot-loaded worms of today. Guillaume Lovet, Fortinet's threat intelligence and response team leader, has bad news for admirers of old-school worms.

"That's not the case," he said. "Netsky is dead. What we see topping the charts is just some residual activity, irradiating from long forgotten machines that were infected back in the outbreak days."

The only reason for that top 10 reconquista is that today's worms, carrying their lucrative bots, tend to adopt a lower and lower profile to avoid attracting cybercops' attention. The trend is corroborated by this month's figures, as the global activity of mass-mailing worms decreased by nearly 9 percent from February to March.

On importance of Social Engineering: News from a Valentine's couple

The presence in the top 10 of Bagle.EG, a threat discovered in mid-February, while most other February Bagle variants disappeared into the charts' abyss, is certainly food for thought. Indeed, the biggest Bagle outbreak of February was Bagle.DW, but the following figure shows that despite its aggressive seeding, the rate of infection was pretty low:


Figure 1: Top Bagle variants in March 2006

Bagle.DW activity dives to null while Bagle.EG shows some remnants, indicating that a significant number of users did 'click on the attachment.' As one might have already guessed, the essential difference between Bagle.DW and Bagle.EG lies in their social engineering moves: while .DW used typical 'Ok. Your document is attached' lines, .EG took advantage of the date specificity (Valentine's Day), 'heavily resorting to hearts, cheesy poems and bright colors'.


The internet is even 'Better' this month

Last month, we developed the Adware/Betterinternet topic, demonstrating how bot herder(s) make good money via massive installation of the infamous adware on their bot cattle, every Monday and Thursday. This month's figures not only confirm our presumptions, but also highlight something new:

Installation peaks can be observed on every Monday and Thursday of the month, but since the 15th, on every Wednesday as well. The tremendously flat aspect of the curve from Wednesdays to Thursdays further demonstrates that the target installation 'material' (infected machines) is exactly the same from one day to the next.
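The weekday periodicity described above can be checked mechanically on install-count telemetry. The following is an added example, not Fortinet's analysis code: it buckets daily counts by weekday over a window and flags weekdays whose mean stands well above the others, run here on constructed counts for March 2006 (a flat baseline with bursts on the days the report names).

```python
from datetime import date, timedelta
from statistics import median

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def weekday_profile(daily_counts, start, end):
    """Mean daily count per weekday (0=Mon .. 6=Sun) for days in [start, end]."""
    buckets = {d: [] for d in range(7)}
    for day, n in daily_counts.items():
        if start <= day <= end:
            buckets[day.weekday()].append(n)
    return {d: (sum(v) / len(v) if v else 0.0) for d, v in buckets.items()}


def peak_weekdays(daily_counts, start, end, ratio=2.0):
    """Weekday names whose mean exceeds ratio x the median of the other weekdays' means."""
    profile = weekday_profile(daily_counts, start, end)
    peaks = set()
    for d, mean in profile.items():
        others = [m for k, m in profile.items() if k != d]
        if mean > ratio * median(others):
            peaks.add(WEEKDAYS[d])
    return peaks


def constructed_march_2006():
    """Constructed daily install counts (not Fortinet's data): baseline 100/day,
    bursts of 600 on Mondays and Thursdays, and on Wednesdays from the 15th on."""
    counts = {}
    day = date(2006, 3, 1)  # 1 March 2006 was a Wednesday
    while day.month == 3:
        burst = day.weekday() in (0, 3) or (day.weekday() == 2 and day.day >= 15)
        counts[day] = 600 if burst else 100
        day += timedelta(days=1)
    return counts


def demo():
    """Split the month at the 15th so the new Wednesday peak shows up only in the second half."""
    counts = constructed_march_2006()
    before = peak_weekdays(counts, date(2006, 3, 1), date(2006, 3, 14))
    after = peak_weekdays(counts, date(2006, 3, 15), date(2006, 3, 31))
    return before, after
```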

Advances in Phishing: the art of deception

Months pass and the Phishing concern keeps growing. While the raw volume of Phishes was steady from February to March, several innovations were witnessed this month by our Threat Response Team:

Rock-phish kits

The so-called 'rock-phish' kit saves Phishers space and time: one single 'physical' site with multiple DNS names now holds a multitude of Phishing pages, covering a broad range of different banks. Such kits are easily identified by the pattern of their URL, http://[domain name]/r1/[letter], where the letter varies to indicate which fake banking site is displayed; it is usually the first letter of the targeted bank's name. An image is worth a thousand words, so here is a typical rock-phish kit in action:

However, this strategy has a drawback, since multiple domain names must be registered (all resolving to the phishing site hosting the rock-phish kit). One cunning Phisher out there found an 'elegant' solution:

Notice the domain name and the stunning number of banks 'implemented' (above left). This domain has been taken down, which is twice as fortunate, since the stolen data was also stored on the server in a somewhat public fashion (above right).
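The URL pattern and the one-site-many-names layout described above lend themselves to a simple defensive check over links harvested from mail. The following is an added example, not Fortinet's code: it extracts the bank-selector letter from /r1/[letter] paths and groups matching hosts by the address they resolve to, so several domains converging on one IP stand out; the domains, the IP table standing in for DNS and the URLs are all constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# URL shape the report gives for rock-phish kits: http://[domain name]/r1/[letter]
ROCK_PHISH_PATH = re.compile(r"^/r1/([A-Za-z])/?$")


def rock_phish_letter(url):
    """Return the bank-selector letter if url follows the rock-phish pattern, else None."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return None
    match = ROCK_PHISH_PATH.match(parsed.path)
    return match.group(1).lower() if match else None


def find_rock_phish_kits(urls, resolve, min_domains=2):
    """Group pattern-matching URLs by the IP their host resolves to.
    resolve: callable hostname -> IP string (or None), injected so the same check
    can run over a DNS cache, passive-DNS data or a constructed table as here.
    Returns {ip: {"domains": set, "letters": set}} for IPs behind >= min_domains names."""
    kits = defaultdict(lambda: {"domains": set(), "letters": set()})
    for url in urls:
        letter = rock_phish_letter(url)
        if letter is None:
            continue
        host = urlparse(url).hostname.lower()
        ip = resolve(host)
        if ip is None:
            continue
        kits[ip]["domains"].add(host)
        kits[ip]["letters"].add(letter)
    return {ip: v for ip, v in kits.items() if len(v["domains"]) >= min_domains}


# Constructed sample: links pulled from phishing mail, plus a constructed
# hostname -> IP table standing in for DNS (documentation-range addresses).
SAMPLE_URLS = [
    "http://secure-login.example/r1/b",      # selector 'b', kit host
    "http://account-verify.example/r1/C",    # same kit, second domain name
    "http://online-update.example/r1/w/",    # same kit, third domain name
    "http://legit-bank.example/r1/images",   # /r1/ but no single-letter selector
    "http://other-site.example/r1/b",        # matches, but a lone domain
    "not a url",
]
SAMPLE_DNS = {"secure-login.example": "192.0.2.10", "account-verify.example": "192.0.2.10",
              "online-update.example": "192.0.2.10", "legit-bank.example": "198.51.100.5",
              "other-site.example": "203.0.113.7"}


def demo():
    return find_rock_phish_kits(SAMPLE_URLS, SAMPLE_DNS.get)
```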

Reward/Refund phishes

An interesting social engineering strategy that dramatically boosts a Phish success rate is the Reward/Refund lure. The recipe is simple: attract the fish with a $20 bill hanging on your hook and keep your eyes on the sink. For example, see the fake Chase Reward survey screenshot below:

According to Nick Bilogorskiy, Fortinet's manager of malicious code research, "This strategy has been extensively coupled with IRS Phishes this month, in a scam where the phishing email is purporting to be from the IRS." The message requests banking credentials in order to refund victims with a fistful of dollars, following a mistake on the IRS' side.

Fake address bar

It is widely known that thoroughly checking the validity of a (presumed) banking site address in a browser's address bar is an effective means to avoid being hooked like a vulgar fish. For a while, Phishers have looked for means to circumvent this architectural security, which led to the Pharming attacks that we witnessed last year. However, as undetectable as a Pharming scheme can be for the targeted users, it is tremendously difficult to set up for the average Phisher (it involves hacking into an authoritative DNS server). Someone obviously found a less effort-consuming (and way cheaper) solution: the pop-up with integrated fake address bar. The following sequence shows it in action:

Above on the left is the initial page that 'phished' users are driven to. Clicking the link opens the pop-up window above on the right. Notice that in Firefox, with the 'open pop-ups in new tabs' option enabled, the 'real' address of the pop-up page is displayed in the address bar. After a little while, the pop-up contents turn into:

Looks somewhat cheap, but it works well.

When 419 scams meet Phish

So-called '419 scams,' named after the relevant section of the Criminal Code of Nigeria, are scam emails purporting to be from 'someone' in distress in a country at war (often Nigeria). That 'someone' always claims to have an enormous amount of money to get out of the country. Of course, that person offers a significant percentage of that sum (which can reach several million dollars) to whoever may help him or her transfer it via a personal bank account. People falling for that scam soon find themselves having to pay more and more 'service fees' and taxes for the transfer, which is repeatedly delayed, forever. Advanced 419 scams involve talks on the phone with the victim and go as far as inviting them to the country mentioned above, where they are physically bullied.

This month a new breed of threat was reported which combines 419 and Phishing in a horrid scam where victims are asked to open a 'free' account on an online bank linked in the 419 email; as a matter of course, this link leads to a fake banking site. Soon the appealing sum mentioned in the email appears on the online account the targeted user just opened. The victim now just has to transfer the sum to his or her real, legitimate bank account. This, of course, is never going to happen, but classical service fees will be requested to be wired to an 'intermediary bank'.

This is perhaps the most subtle and scariest piece of social engineering advance we have seen for a while.

Ransomware is back: the Cryzip case.

Last year, back in May, a Trojan called W32/GPcoder-tr introduced online extortion, targeting random, average users: this Trojan would encrypt files on the infected user's hard drive with a proprietary algorithm and ransom the decryption key. This month, a similar Trojan appeared, this time using zip encryption libraries to get the job done: W32/Cryzip!tr. This case has been more or less extensively covered by various sites, thus we will focus on the points of particular interest:

  • The Trojan leaves a full-blown HOWTO with detailed instructions for the victim to pay (via e-gold accounts). It features a particularly funny warning:

    '4. Passphrase - this is the most important piece of information connected to any e-gold account. We can not stress enough how important it is that your passphrase is kept safe and secure.'

    Indeed, don't take any chances with your security; otherwise other culprits may steal your gold before we do.

  • The Trojan was downloaded from machines infected by a minor variant of Bagle, compiled for that purpose and seeded in very low numbers. The site serving the Cryzip binary would only respond to a specific User Agent string (meaning one would not be able to download it via a classical browser), hence reducing the risk to 'get caught' and extending its online life span.

  • The password for the zip encryption is hardcoded in the malware, which posed an essential problem to its authors: how to hide it? They chose not to encrypt it, but to use the very common string 'C:\Program Files\Microsoft Visual Studio\VC98' as the password.

    Although this would prevent anyone just extracting strings from the malware from figuring the password out, reverse engineering is quick to reveal the trick.