The State of Malware Today - September 2006

Fortinet Reviews Malicious Code Activity In September 2006

This month, the Fortinet Research team uncovers new threats and dissects cybercrooks' intentions, delivering insights on the freshest scams around.

This month's highlights:

September, by the numbers

Top 10 threats caught by Fortinet's FortiGate security appliances in September 2006:

Rank  Name                     Share
 1    Adware/BetterInternet    4.61%
 2    W32/Netsky.P@mm          4.53%
 3    HTML/Iframe_CID!exploit  3.82%
 4    W32/Bagle.DY@mm          2.97%
 5    W32/Grew.A!worm          2.64%
 6    W32/WMF!exploit          2.58%
 7    W32/BagleZip.GL@mm       2.40%
 8    W32/Istbar.PK!tr.dldr    1.83%
 9    W32/BagleZip.GM@mm       1.50%
10    W32/Bagz.E@mm            1.24%

This month, the classical figure bears an oddity: while the new Microsoft Internet Explorer 0-day exploit, W32/MS06.XMLNS (aka MS06-055, or just the VML exploit, because the flaw lies in the way Microsoft Windows processes Vector Markup Language), has been making news all month, it is the old W32/WMF!exploit (aka MS05-053) that suddenly enters the top 10. Examination of how W32/WMF!exploit activity evolved in September reveals irregularly spaced yet very sharp and distinct peaks, indicating probable manually triggered seedings. The volume is impressive: as the graph below shows, it sometimes even surpassed the remnant activity of the historic Netsky.P, which we traditionally take as a benchmark to evaluate a modern threat's impact.
Fig. 1: W32/WMF!exploit vs. Netsky

W32/WMF!exploit is a generic detection that blocks malicious images regardless of the payload they carry, hence it is hard to understand the underlying goal of such large-scale seedings. As of writing, the Fortinet Threat Response Team is investigating the case.

Stration: The Worm with the Plan

While overplayed lines such as "long gone are the days of world-wide outbreaks and mass-mailer carnages" have been heard often these last few months, September was truly deluged by the storm of variants that the authors of Stration unleashed on the internet. And Stration is precisely a mass-mailer, according to Guillaume Lovet, Fortinet threat response team leader for EMEA.

Since the end of August, no less than 58 variants of Stration were spotted by the Fortinet Threat Response Team: that makes an average of two new variants a day! In September alone, 35 variants were spotted in the wild. Most of them held a very low prevalence, and most of the activity originated from three specific variants: W32/Stration.T@mm (19 percent of all Stration activity this month), W32/Stration.AC@mm (23 percent) and W32/Stration.AT@mm (27 percent).

As is the case with most storms of variants, all were seeded in a hit-and-run fashion: the authors slightly modify the source, compile it, submit the binary to online (or home-brewed) cross-scanners, and tweak the binary until it goes undetected by all AV vendors. They then seed it, and the outbreak dies by itself once AV updates with proper detection patterns are issued and applied by regular users: time to iterate to the next variant. While this classical scheme has been heavily used in the past by MyTob and other bot-loaded mass-mailers, allowing bot herders to fine-tune the size of their botnet (not too small, but not too big either, so as not to attract too much attention to their herd of cash cows), the strategy of the Stration authors is different.
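The two activity shapes discussed above, the sharp isolated WMF peaks read as manual seedings and the steady Stration build-up, can be told apart with simple per-signature checks on daily detection counts. This is an added illustration, not Fortinet's code or data: the counts, the signature names' day-by-day values, and the thresholds are constructed for the example.

```python
from statistics import median

# Constructed daily detection counts for three signatures over 14 days.
# Illustrative numbers only, not Fortinet telemetry.
DAILY_HITS = {
    "W32/Netsky.P@mm":   [40, 42, 39, 41, 40, 43, 38, 41, 40, 42, 39, 40, 41, 40],
    "W32/WMF!exploit":   [ 2,  1, 60,  3,  2,  2, 95,  4,  1,  2,  3, 70,  2,  1],
    "W32/Stration.T@mm": [ 1,  2,  3,  5,  8, 12, 18, 25, 33, 40, 48, 55, 60, 66],
}

def share_ranking(hits):
    """Rank signatures by share of all detections, as in the monthly top-10 table."""
    total = sum(sum(v) for v in hits.values())
    shares = [(name, round(100.0 * sum(v) / total, 2)) for name, v in hits.items()]
    return sorted(shares, key=lambda t: t[1], reverse=True)

def seeding_peaks(series, factor=5.0):
    """Days whose count is an isolated spike: at least `factor` x the series median
    and higher than both neighbours. Sharp, irregularly spaced peaks of this kind
    are what the text reads as manually triggered seedings."""
    floor = max(median(series), 1) * factor
    peaks = []
    for i, c in enumerate(series):
        prev_ = series[i - 1] if i > 0 else 0
        next_ = series[i + 1] if i + 1 < len(series) else 0
        if c >= floor and c > prev_ and c > next_:
            peaks.append(i)
    return peaks

def is_building_up(series, min_rise_ratio=0.8, min_growth=3.0):
    """True when a series rises on most days and ends well above where it began:
    the staircase of one variant seeding the next, not a hit-and-run spike."""
    steps = list(zip(series, series[1:]))
    rises = sum(1 for a, b in steps if b > a)
    return rises / len(steps) >= min_rise_ratio and series[-1] >= min_growth * series[0]

def days_above_benchmark(series, benchmark):
    """Days on which a threat out-volumes the benchmark (Netsky.P in the text)."""
    return [i for i, (s, b) in enumerate(zip(series, benchmark)) if s > b]

if __name__ == "__main__":
    bench = DAILY_HITS["W32/Netsky.P@mm"]
    for name, share in share_ranking(DAILY_HITS):
        s = DAILY_HITS[name]
        print(f"{name:20s} {share:6.2f}%  peaks={seeding_peaks(s)} "
              f"build-up={is_building_up(s)} above-benchmark={days_above_benchmark(s, bench)}")
```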
Each variant does what a typical mass-mailer does (that is, harvests e-mail addresses on the infected box and mails itself to those), and downloads additional code from the web. It appeared that in most cases this "additional code" was the code of the next variant. According to Lovet, upon each variant iteration, the Stration authors used the previously infected pool of computers to seed the next variant, hence creating a build-up effect, as can easily be observed on the following figure, where we plotted the activity of the three main variants:
Fig. 2: Stration building up

Having started with relatively low volumes, the Stration-infected network is patiently growing bigger, and its impact may soon reach that of our traditional benchmark:
Fig. 3: Stration vs. Netsky

Now, the goal pursued by the gang behind Stration is, as of writing, unknown. How long will the building phase last? What will happen when that building phase is over? Will they use the network to launch a large-scale attack? Or "just" plant spyware/adware/banker Trojans on each single infected machine? If that is their ultimate goal, why wait? It would have been easy to fetch both the code of the next variant and a good load of stealth Trojans. Perhaps they were thinking about keeping the infected machines as lean as possible, so as not to slow down the seeding process? The Fortinet Threat Response Team is closely monitoring the situation. As a matter of course, AV detection patterns for each known variant are live on Fortinet FortiGate appliances, and the locations from which Stration variants fetch (or will fetch) their updates are blacklisted by the FortiGate's Web content filtering module as a preventive measure.

On a final note, it is interesting that the propagation e-mails sent out by Stration use a social engineering strategy close to what we referred to as "a perversion of user awareness campaigns" in a previous roundup:

    Mail server report.
    Our firewall determined the e-mails containing worm copies are being sent from your computer.
    Nowadays it happens from many computers, because this is a new virus type (Network Worms).
    Using the new bug in the Windows, these viruses infect the computer unnoticeably. After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses
    Please install updates for worm elimination and your computer restoring.
    Best regards, Customers support service

The awkward English may raise a smile or two, but it is worrying to see how user awareness campaigns, which are often thought of as the only really effective solution against virus infections and phishing, are being used to manipulate potential victims by virus writers and phishers alike.
The VML exploit: Window Dressing or just Smoke and Mirrors?

As we pointed out in the first paragraph above, the so-called "zero-day" VML flaw, officially nicknamed MS06-055, got tremendous media attention this month. For those who missed it, this is essentially a flaw in Internet Explorer's handling of some obscure XML tags that can be embedded in Web pages, potentially leading to full compromise of the host machine. Translation: anyone visiting a malicious web page could get silently infected by loads of Trojans, spyware, adware, keyloggers and the like.

This triggered a sort of panic move within the security community, which foresaw heaps of malicious Web sites popping up (technically, the exploiters' strategy being to redirect unfortunate users from "lure" sites to central "agent" sites serving the malicious code, via an invisible IFrame on the lure site) and being heavily advertised by large-scale spamming campaigns, driving millions of users into the culprits' trap. While Microsoft stuck to official statements claiming that the threat prevalence was minor, a group of famous security researchers nicknamed ZERT (for Zero-day Emergency Response Team) released an unofficial patch. This, and the media momentum, finally pushed Microsoft into releasing a special patch outside its traditional monthly release cycle.

With W32/MS06.XMLNS!exploit accounting for about 0.008 percent of the global malicious activity since it was unveiled on Sept. 19, one can indeed deem its impact "low", not to say "very very low". Does such a miserable prevalence have to do with the fact that users were particularly cautious and avoided malicious sites like the plague? Unlikely. Was it because no one is using Internet Explorer anymore (other browsers were immune to the attack)? Every browser market-share study proves otherwise. Was it because the situation had been widely exaggerated and over-hyped? To a certain extent, probably.
But nothing proves that, had Microsoft's official patch release not been brought forward, things would not have got a lot worse. Preventing is always better than healing. Especially in the case of, say, rootkitted banking Trojans reporting stolen American online banking credentials to servers located in Korea, belonging to a Ukrainian gang living in Lithuania, and paid with virtual money sitting in offshore accounts in Saint Kitts & Nevis, Lovet said.