Prevalence Report

The State of Malware - May 2008 Edition



This edition's highlights: Malware by the numbers

The following malware statistics are based on threats caught by Fortinet's FortiGate security appliances for the period April 21st - May 20th, 2008.

Top Ten Variants

Top ten malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100:
Rank  Malware Variant                   Percentage  Top 100 Shift
1     W32/Netsky!similar                8.18        -
2     Adware/Vapsup                     8.17        +42
3     HTML/Iframe_CID!exploit           6.25        -
4     W32/Virut.A                       5.05        +1
5     W32/Pushu.EV@mm                   3.49        new
6     W32/OnLineGamesEncPK.fam!tr.pws   2.35        -
7     HTML/Iframe.DN!tr.dldr            1.99        +7
8     W32/MyTob.BH.fam@mm               1.99        -
9     W32/OnLineGames.ADRE!tr.pws       1.72        new
10    W32/Zafi.E@mm                     1.65        +8
While looking at this edition's top ten list, there are some notable points to highlight:
  • Adware/Vapsup is extremely prevalent, jumping 42 spots to sit neck-and-neck with Netsky
  • Online gaming trojan activity continues in Asia, still concentrated in Taiwan and China
  • An Iframe injection campaign runs strong through Iframe.DN, pointing to servers in Korea
  • Virut.A remains in the top five for a third consecutive month, showing real longevity
Top Five Families

Malware variants' activity for this edition has been grouped into families and sorted as shown below. Percentage indicates the portion of activity accumulated by the family out of all threats reported in this edition. Top 10 shifts indicate positional changes compared to last edition's Top 10 ranking, with "new" highlighting the malware family's debut in the top ten:
Rank  Malware Family   Percentage  Top 10 Shift
1     Netsky           14.0        -
2     MyTob             8.0        -
3     Virut             5.5        +1
4     Pushdo            3.7        +1
5     MyDoom            2.5        +1
The main point to note in family activity this month is reduced Cutwail activity (see our last report), which bumps Virut, Pushdo and MyDoom up one position each. For the second month in a row, MyTob holds a strong second position and refuses to fade.

Activity recap

As described in our last threat report, online gaming Trojan activity remains consistent, with OnLineGamesEncPK.fam holding sixth position and generating the majority of its activity from Taiwan. The new variant OnLineGames.ADRE surfaced this edition, with dominant activity in China, just as OnLineGames.SIN did last edition. More impressive is the file infector Virut.A, still showing heavy activity and ranking fourth this edition, which places it in the top five for three consecutive months. On top of its file-infecting capability (something not frequently seen nowadays), Virut.A connects to an IRC command and control channel and awaits further instructions from a remote attacker or bot herder.

Iframe.DN flew onto the radar this edition thanks to what looks like an SQL injection campaign. At least two compromised sites were verified, one of them a high-profile entertainment site with a server based in Seoul, Korea. This site has since been cleaned and no longer carries the malicious Iframe; however, as Figure 1 below shows, the campaign continues through other sites:


Figure 1: Vapsup, Iframe.DN and Zafi.E activity this edition with Vapsup


The malicious frame injected by Iframe.DN pointed to several servers on the same class C (/24) subnet, also residing behind an Internet Service Provider in Seoul, Korea. The link pointed to a file named "help.htm" on these servers; the file no longer exists, as these servers have since been cleaned up as well. The servers appear to host legitimate web content and were most likely compromised to host the aforementioned file as part of the campaign. As Figure 1 above shows, Iframe.DN activity drops during the weekend and peaks on weekdays. Zafi.E, whose activity interleaves with Iframe.DN's, is a mass mailer that also attacks antivirus software by killing its processes. Fortinet protects against this threat. The obvious threat in Figure 1 is Vapsup, soaring high above the others, with the majority of its activity between April 29th and May 10th and tapering off towards the end of this reporting period.
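The campaign described above is easiest to catch on the content itself: an <iframe> that points off-site, usually sized or styled to be invisible, tacked onto otherwise legitimate pages. The Python script below is an added example, not code from this report or from Fortinet. It scans HTML for such frames and groups the hosts they reference by /24, so that infrastructure clustered on one subnet, as seen in this campaign, stands out. The sample page and the 203.0.113.0/24 addresses (RFC 5737 documentation range) are constructed for the example; only the "help.htm" file name comes from the report. Treating zero-size or display:none frames as suspicious is general drive-by triage practice, not something the report states about Iframe.DN.

```python
"""Find injected <iframe> tags of the kind behind HTML/Iframe.DN: frames that
point off-site and/or are sized to be invisible.  Added example; the sample
page and the 203.0.113.0/24 hosts (RFC 5737 documentation range) are
constructed, only the "help.htm" file name comes from the report."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lowercases tag and attribute names
            self.iframes.append({k: (v or "") for k, v in attrs})


def is_hidden(attrs):
    """Zero-size or invisible frames are the usual drive-by shape."""
    width = attrs.get("width", "").strip().lower().removesuffix("px")
    height = attrs.get("height", "").strip().lower().removesuffix("px")
    style = attrs.get("style", "").replace(" ", "").lower()
    return (width == "0" or height == "0" or "display:none" in style
            or "visibility:hidden" in style)


def suspicious_iframes(html, site_host):
    """Return the frames that load off-site content or are hidden."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or site_host  # relative src stays on-site
        offsite = host != site_host and not host.endswith("." + site_host)
        hidden = is_hidden(attrs)
        if offsite or hidden:
            findings.append({"src": src, "host": host,
                             "offsite": offsite, "hidden": hidden})
    return findings


def group_by_subnet(findings, prefix=24):
    """Group referenced hosts by network so one compromised /24 stands out."""
    groups = {}
    for f in findings:
        try:
            net = str(ipaddress.ip_network(f"{f['host']}/{prefix}", strict=False))
        except ValueError:
            net = f["host"]  # a hostname rather than an IP literal
        groups.setdefault(net, []).append(f["src"])
    return groups


# Constructed sample: one legitimate embed plus two injected frames.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="/player/embed.html" width="400" height="300"></iframe>
<p>Latest news...</p>
<iframe src="http://203.0.113.7/help.htm" width=0 height=0></iframe>
</body></html>
<iframe src="http://203.0.113.9/help.htm" style="display: none"></iframe>
"""

if __name__ == "__main__":
    hits = suspicious_iframes(SAMPLE_HTML, "www.example.com")
    for h in hits:
        print(f"{h['host']:<16} offsite={h['offsite']} hidden={h['hidden']} {h['src']}")
    for net, srcs in group_by_subnet(hits).items():
        print(f"{net}: {len(srcs)} frame(s)")
```

Point it at saved copies of pages (or at proxy-captured responses) and the site's own hostname; frames from subdomains of the site are treated as on-site, so a CDN embed does not fire, while a frame on a foreign host or a zero-size frame does. Grouping by /24 is what turns a handful of individual hits into the "several servers behind one ISP" picture described above.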

Heads up for Vapsup

This adware is particularly nasty because of the number of other components involved in its bag of tricks, nearly all of them rogue antivirus scanners. Vapsup arrives packaged with the Nullsoft Scriptable Install System (NSIS). Upon execution, several components are dropped onto the host system, including four dynamic link library (DLL) files. One of these DLLs is a search toolbar plugin; another is a browser helper object (BHO). Browser helper objects are plugins for Internet Explorer that are loaded into every browser process and can control navigation, which is how the browser gets hijacked. Figure 2 below shows the toolbar plugin highlighted in red, with the BHO at work hijacking navigation.


Figure 2: Vapsup's Browser Helper Object component at work, with Toolbar component highlighted in red


When the user attempts to navigate to any page, the BHO intervenes and displays the social engineering hook shown in Figure 2 above. This message is displayed regardless of the security settings on the victim's machine. More tricks are played if you click "Continue to this website": OK/Cancel dialog boxes appear to reconfirm the user's intent, and the question in the dialog is swapped at random so that clicking OK does not always reflect what the user wants. For instance, the first question will be "Continue browsing unprotected?" while the next time it will ask "Do you want real time protection?"; clicking OK has opposite effects for these two questions, a clear-cut attempt at further trickery. The other two DLL files are registered under the Windows "ShellServiceObjectDelayLoad" registry key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad), which means the main Windows shell (explorer.exe) loads them automatically at startup. Further, the explorer shell is respawned with these DLL files when Vapsup executes, which makes them immediately resident in process memory.
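The two autostart locations just described, ShellServiceObjectDelayLoad and the Browser Helper Objects key, are where a responder should look first on a machine showing these symptoms. The Python script below is an added example, not code from this report or from Fortinet. It triages an offline registry export (REGEDIT5 text as written by `reg export HKLM\SOFTWARE hklm.reg`) taken from a suspect host: it lists every ShellServiceObjectDelayLoad value and every Browser Helper Objects subkey, resolves each CLSID to its DLL through CLSID\{...}\InprocServer32, and flags entries that are not in a small baseline or whose DLL lives outside system32. The sample export, the {A1B2C3D4-...} CLSIDs and the DLL names are constructed for the example; the baseline CLSIDs are the SSODL entries of a clean Windows XP install and should be verified against your own build before use.

```python
"""Offline triage of the two autostart points Vapsup uses, over a REGEDIT5
export (`reg export HKLM\\SOFTWARE hklm.reg`) from a suspect host:
  * ShellServiceObjectDelayLoad (SSODL): value name -> CLSID, loaded by explorer.exe
  * Explorer\\Browser Helper Objects: one subkey per CLSID, loaded by every iexplore.exe
Added example; sample export, {A1B2C3D4-...} CLSIDs and DLL names are constructed."""
import re
import sys

SSODL = r"hkey_local_machine\software\microsoft\windows\currentversion\shellserviceobjectdelayload"
BHO = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects"
# HKCR\CLSID is a merged view of the HKLM and HKCU Classes keys, so look in all three.
CLSID_ROOTS = (r"hkey_classes_root", r"hkey_local_machine\software\classes",
               r"hkey_current_user\software\classes")
# SSODL entries of a clean Windows XP install; verify against your own baseline.
KNOWN_SSODL = {
    "{e6fb5e20-de35-11cf-9c87-00aa005127ed}",  # WebCheck         -> webcheck.dll
    "{7849596a-48ea-486e-8937-a2a3009f31a9}",  # PostBootReminder -> shell32.dll
    "{35cec8a3-2be6-11d2-8773-92e220524153}",  # SysTray          -> stobject.dll
    "{fbeb8a05-beee-4442-804e-409d6c4515e9}",  # CDBurn           -> shell32.dll
}


def parse_reg_export(text):
    """Parse REGEDIT5 text into {key path (lowercased): {value name: data}}.
    String data is unescaped; dword:/hex: data is kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and current is not None:
            name = "(default)" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = re.sub(r"\\(.)", r"\1", data[1:-1])  # \\ -> \ and \" -> "
            keys[current][name] = data
    return keys


def resolve_clsid(keys, clsid):
    """Return the DLL registered as InprocServer32 for this CLSID, or None."""
    for root in CLSID_ROOTS:
        entry = keys.get(f"{root}\\clsid\\{clsid.lower()}\\inprocserver32", {})
        if "(default)" in entry:
            return entry["(default)"]
    return None


def in_system_dir(path):
    """True for DLLs under the Windows system directory."""
    p = path.lower().replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")
    return p.startswith("c:\\windows\\system32\\")


def audit(keys):
    """Return (location, name, clsid, dll, reasons) for every entry worth a look."""
    findings = []
    for name, clsid in keys.get(SSODL, {}).items():
        dll, reasons = resolve_clsid(keys, clsid), []
        known = clsid.lower() in KNOWN_SSODL
        if not known:
            reasons.append("CLSID not in SSODL baseline")
        if dll is None:
            if not known:
                reasons.append("no InprocServer32 in export")
        elif not in_system_dir(dll):
            reasons.append("DLL outside system32")  # also catches a hijacked baseline CLSID
        if reasons:
            findings.append(("SSODL", name, clsid, dll, reasons))
    prefix = BHO + "\\"
    for key, values in keys.items():  # every BHO gets listed; there is no safe baseline
        if key.startswith(prefix) and key.count("\\") == prefix.count("\\"):
            clsid = key[len(prefix):]
            dll = resolve_clsid(keys, clsid)
            reasons = ["BHO loads into every IE process; verify the publisher"]
            if dll is None:
                reasons.append("no InprocServer32 in export")
            findings.append(("BHO", values.get("(default)") or "(unnamed)", clsid, dll, reasons))
    return findings


# Constructed sample export: two stock SSODL entries, one added by the adware, one BHO.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"updprot"="{A1B2C3D4-0000-4000-8000-000000000001}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A1B2C3D4-0000-4000-8000-000000000002}]
"NoExplorer"=dword:00000001

[HKEY_CLASSES_ROOT\CLSID\{A1B2C3D4-0000-4000-8000-000000000001}\InprocServer32]
@="C:\\Documents and Settings\\user\\Local Settings\\Temp\\updprot.dll"

[HKEY_CLASSES_ROOT\CLSID\{A1B2C3D4-0000-4000-8000-000000000002}\InprocServer32]
@="C:\\WINDOWS\\system32\\nsbrowser.dll"
"""

if __name__ == "__main__":
    # reg export writes UTF-16; with no argument the built-in sample is used.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for loc, name, clsid, dll, reasons in audit(parse_reg_export(text)):
        print(f"[{loc}] {name} {clsid} -> {dll}: {'; '.join(reasons)}")
```

Exporting HKLM\SOFTWARE in one go brings both CurrentVersion and Classes\CLSID into the same file, which is what lets the CLSID resolution work offline; add an export of the user's HKCU\SOFTWARE if per-user CLSID registrations are suspected, since explorer.exe and iexplore.exe consult HKCU\Software\Classes before HKLM. Because the check on the DLL path runs even for baseline CLSIDs, a CLSID that has been re-pointed at an attacker's DLL is reported too, not just a newly added value.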


Figure 3: "Click here to get full advanced real-time protection and continue browsing"


If you do follow the recommended "protection" in Figure 2 or the dialog boxes mentioned above, the product shown in Figure 3 is displayed. What makes this even worse is the previously mentioned memory-resident DLLs: even if the user does not open the browser, a pop-up for the product "AntiVirus 2008 Pro" appears, showing a fake scan in progress. It is interesting to note that the domain used for this rogue scanner resolves to the same server as the product shown in Figure 3, a server located in Russia. As if this were not enough, Vapsup will eventually hijack the user's desktop to show the active wallpaper in Figure 4 below:


Figure 4: Vapsup ultimately leading to a desktop hijack through further downloads/installs


Using Windows Active Desktop, a link "Download Privacy Protection Software Now" is placed on the desktop. Following the link leads to the same "AntiVirus 2008 Pro" product advertised through the pop-up described above. Part of the message is correct: your privacy (not to mention sanity) is indeed in danger, thanks to the Vapsup infection. Also note the "Error Cleaner", "Privacy Protector" and "Spyware & Malware Protection" icons for downloaded components, which have been placed on the user's desktop without consent. This is just the beginning, as shortly afterwards a frenzy of pop-ups is displayed through Internet Explorer, as shown in Figure 5 below:


Figure 5: A mess of rogue scanners and affiliates


These rogue scanner sites can also be used to push further malware such as Trojans. It should be noted that for every one of these products, an affiliate ID is passed in so that the referrer (the adware) can be tracked for payouts. In the first case, shown in Figure 3, the affiliate ID passed in is "Browser Blocker", obviously the given name for the BHO behaviour shown in Figure 2. Affiliate programs and payouts are a driving factor behind adware such as Vapsup. Judging from the threat prevalence indicated by Vapsup activity over the last two months, those payouts would be exceptionally large, noted Derek Manky, security researcher for the FortiGuard Global Security Research Team.

All of the rogue scanner domains were hosted in various locations using different affiliate templates, suggesting that more than one entity was involved in the affiliate payouts. Most of these domains resolved to servers running Nginx, the popular Russian-developed web server frequently used with botnets. The domains were also mostly registered through the same USA-based registrar and used "PrivacyProtect.org", a service that fills in anonymous registrant information during the domain creation process.

Solutions

Customers who use Fortinet’s FortiGuard Subscription Services are already protected against the threats outlined in this report. Threat activity is compiled by Fortinet's FortiGuard Global Security Research Team using data gathered from its intelligence systems and FortiGate™ multi-threat security appliances in production worldwide. FortiGuard Subscription Services offer comprehensive security solutions including antivirus, intrusion prevention, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products.