FortiGuard Center

The State of Malware Today - March 2007



This month's highlights:

March, by the numbers:

Top 10 threats caught by Fortinet's FortiGate security appliances in March 2007:

Rank  Malware                     %
1     W32/Netsky.P@mm             4.62
2     W32/Bagle.DY@mm             4.44
3     HTML/Iframe_CID!exploit     3.93
4     W32/Grew.A!worm             2.87
5     W32/Bagle.GT@mm             2.47
6     HTML/BankFraud.BGU!phish    2.23
7     W32/Sality.Q                1.93
8     W32/Istbar.PK!tr.dldr       1.63
9     W32/Everda!tr               1.56
10    Adware/Solutions180         1.31

This month there have been a couple of new entrants into the top ten threat list.

In phishing, a new bank has been added to the long list of financial institutions targeted by phishers. A widespread phishing attempt against Branch Banking and Trust Company (BB&T) generated almost 1 million hits over two days. The attempts against other financial institutions have subsided for the time being:

Rank  Malware                     %
21    HTML/Volksbanken!phish      0.7
25    HTML/BankFraud.E!phish      0.51
32    HTML/BankFraud.OD!phish     0.42

The Top 10 threats list welcomed back the 180Solutions adware, perhaps timed with the start of spring break, a time when more home users can spend time on social networking sites that are chock full of online ads. Detections of this adware almost tripled in the U.S., and the same rate of increase was seen in Canada and Mexico. According to Bryan Lu, FortiGuard project manager and researcher, web advertisers continue to use adware to track people's browsing activities. There is a direct correlation between the increase in browsing activity, the statistics on the types of links followed, and the revenue generated for web advertisers.

Also on the list this month is an odd duck in the top ten: a rootkit. The Everda rootkit is used to hide file and registry information by patching the kernel service descriptor table. As with any emerging rootkit technology, Everda can cause issues for host-based antivirus or antispyware software, since rootkits are harder to detect once installed.

The big three mass-mailers, Netsky, Bagle and Mytob, continue to batter the cyber community in an effort to claim more victims. As always, each wave contains new variants of these mass-mailers.



Phisher Worm 2.0

Back in November, the Fortinet Global Security Research Team discovered a phisher worm that was scouring the ultra-popular community and networking site MySpace.com. The idea behind the phisher worm was rather simple, and a nice taste test of the new threats a Web 2.0-enabled site could unwittingly promote.

Basically, the phisher worm would pop up in MySpace users' mailboxes in the form of a message whose text enticed the user to click on a link pointing to a seemingly funny video. Of course, the link directed novice users to a phishing site mimicking the MySpace login page rather than to the advertised video. Anyone entering his or her credentials into that rogue login page, hoping to see the video next, would have their account details stolen, and those credentials would then be used for spamming purposes, as detailed in December's report. But that was not all: a server-side program on the rogue server would also distribute the initial message (carrying the rogue link) to all the contacts of the freshly phished user, effectively propagating the phisher worm throughout the community.

This month, the Fortinet Global Security Research Team discovered a new instance of the phisher worm, resorting to a tremendously enhanced propagation strategy, and playing a pretty cunning mind trick to improve its phishing ratio. Let us detail its modus operandi...

According to Guillaume Lovet, threat research team manager, infected profiles look normal at first sight, but carefully observing the address in the browser's status bar reveals an anomaly: while this address normally changes as the mouse pointer moves over different links, in this instance it remains the same wherever on the page the mouse cursor is. This can be observed in Figure 1 below (the status bar is highlighted in red):


Fig. 1: Infected profile - the whole page points to the same link

Though this is surprising behavior, a look at the link the page points to reveals that it resides on myspace.com. Can we conclude that it cannot be a phishing attempt? Certainly not: the link is a redirector. Upon clicking it, MySpace.com redirects users to the URL passed as the "redirect" argument (far right in the status bar on Fig. 1 above). Let us do what the malicious setup wants us to do and follow the link:


Fig. 2: Rogue Server Phishing Page

Unsurprisingly, we ended up on a fake login page sitting on a rogue server. The domain name is particularly interesting, as it attempts to trick the targeted user into thinking he's on a genuine myspace.com page:

vvvvw.nrryspace.com

Or, when inserting spaces between characters:

v v v v w . n r r y s p a c e . c o m

The cyber thieves cunningly used four "v"s instead of two "w"s in "www" in order to get the targeted user's eye accustomed to a larger font, increasing the chances that the combination of "n", "r" and "r" mentally reads as a large "m". This domain was registered on January 19th, 2007. No contact info is directly available, since the culprit registered it via an anonymizing service.
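As an added illustration, not code from the report, here is a Python check that collapses the two visual tricks described above ("vv" read as "w", "nrr" read as "m") before comparing a hostname with the genuine domain, so a status-bar link can be flagged as a look-alike. The extra confusable pairs and the two-label registrable-domain rule are assumptions.

```python
from urllib.parse import urlsplit

LEGIT_DOMAIN = "myspace.com"  # the genuine site named in the report

# Character runs that read as another letter in a proportional font, longest first.
# "vv" -> "w" and "nrr" -> "m" are the tricks behind vvvvw.nrryspace.com; the other
# pairs are common additions and are assumptions, not from the report.
CONFUSABLES = [("nrr", "m"), ("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

def skeleton(host: str) -> str:
    """Collapse confusable runs so a look-alike host compares equal to its target."""
    s = host.lower()
    for run, canonical in CONFUSABLES:
        s = s.replace(run, canonical)
    return s

def registrable(host: str) -> str:
    """Last two labels of a hostname (assumption: a two-label suffix rule suffices here)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify_host(host: str, legit: str = LEGIT_DOMAIN) -> str:
    """'legitimate' for the genuine domain and its subdomains, 'lookalike' when
    only the confusable skeleton matches, 'unrelated' otherwise."""
    host = host.lower().rstrip(".")
    if host == legit or host.endswith("." + legit):
        return "legitimate"
    if skeleton(registrable(host)) == skeleton(legit):
        return "lookalike"
    return "unrelated"

def classify_url(url: str, legit: str = LEGIT_DOMAIN) -> str:
    """Classify the host part of a URL, e.g. the target shown in the status bar."""
    return classify_host(urlsplit(url).hostname or "", legit)
```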

Of course, whoever enters his credentials on that phishing page will find his account infected in the same way as the one in Figure 1 above. Granted, the culprits now hold the credentials of the targeted users, but one may still wonder how the hackers behind this scheme made the whole page clickable. The answer can be found in the HTML source of the infected page, which contains the following tags in the "about me" section:





Essentially, these tags display an image whose size is 950x1000 pixels (hence covering the whole page!) and whose source is a transparent GIF sitting at http://x.myspace.com/images/clear.gif. The image is, you guessed it, clickable, and sends users to nrryspace.com via a MySpace.com open redirector.

In a nutshell: the hackers (or rather, the program sitting on the rogue server) cover the page of each infected user with a clickable transparent image in order to infect more users (who will in turn infect more users; this is a worm). Injecting this malicious code is made possible because MySpace allows users to embed HTML in various parts of their pages. This is a Web 2.0-ish feature, and partly why MySpace became so popular.
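As an added example, not code from the report or from MySpace, here is a Python scanner a site operator could run over user-supplied profile HTML: it flags an anchor wrapping an image large enough to blanket the page and resolves where a trusted-site redirector in that anchor forwards. The redirector path, the area threshold and the helper names are assumptions; the sample markup is constructed from the report's description.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

TRUSTED_HOST = "myspace.com"  # the trusted site named in the report
MIN_OVERLAY_AREA = 600 * 600  # pixel area taken to blanket a profile (threshold is an assumption)

def _trusted(host):
    return host == TRUSTED_HOST or host.endswith("." + TRUSTED_HOST)

def _px(value):  # '950' or '950px' -> 950; 0 when the attribute is absent or malformed
    try:
        return int(str(value or "0").lower().rstrip("px"))
    except ValueError:
        return 0

def redirect_target(href):
    """If href is a redirector on the trusted site, return the off-site host it forwards to."""
    parts = urlsplit(href or "")
    if not _trusted((parts.hostname or "").lower()):
        return None
    for target in parse_qs(parts.query).get("redirect", []):  # parameter name from the report
        dest = (urlsplit(target).hostname or "").lower()
        if dest and not _trusted(dest):
            return dest
    return None

class OverlayFinder(HTMLParser):
    """Records <a><img></a> pairs whose image is big enough to act as a whole-page click trap."""
    def __init__(self):
        super().__init__()
        self.href, self.findings = None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self.href = a.get("href")
        elif tag == "img" and self.href:
            area = _px(a.get("width")) * _px(a.get("height"))
            if area >= MIN_OVERLAY_AREA:
                self.findings.append({"href": self.href, "src": a.get("src"), "area": area,
                                      "redirects_to": redirect_target(self.href)})
    def handle_endtag(self, tag):
        if tag == "a":
            self.href = None

def find_click_traps(html):  # every oversized clickable image in a block of profile HTML
    parser = OverlayFinder()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: image URL, size and rogue host are from the report; REDIRECTOR_PATH is a placeholder.
SAMPLE_PROFILE = ('<a href="http://www.myspace.com/REDIRECTOR_PATH?redirect=http://vvvvw.nrryspace.com/">'
                  '<img src="http://x.myspace.com/images/clear.gif" width="950" height="1000"></a>')
```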

Because it resorts to a blend of malicious strategies, including tricky user-provided HTML, phishing, automation, redirectors and mind tricks, this threat may effectively be called a best-of-breed piece of malicious setup. It is worth noting that the notion of "malware" is stretched here, since one part of the malicious code sits in the form of malevolent HTML on the infected users' pages, while the other parts (the phishing page and the engine in charge of posting the malicious HTML to the phished users' pages) sit on the rogue server, and part of the threat lies in the domain name registration phase.

This phisher worm potentially has a bigger impact than the one we previously described, since the phishing page is accessible not only to "friends" of the infected users but to anyone visiting a public profile. Although the rogue site detailed above is currently down, users should still remain cautious while surfing and clicking on social networking sites, as the hackers may be leveraging trusted Web 2.0 sites to connect to other rogue sites.