FortiGuard Center

The State of Malware Today - September 2007
This month's highlights:

September, by the numbers


Top 10 threats caught by Fortinet's FortiGate security appliances in September 2007:

Rank   Malware                      Percentage
1      Adware/CashOn                13.86
2      W32/Netsky.P@mm               9.85
3      HTML/Iframe_CID!exploit       7.30
4      W32/ANI07.A!exploit           5.04
5      HTML/Obscured!exploit         5.02
6      W32/Dialer.PZ!tr              2.55
7      W32/Grew.A!worm               2.49
8      W32/Bagle.DY@mm               2.30
9      W32/Virut.fam                 2.06
10     W32/Dloader.K!tr              1.98

This month, the script kiddies have gone back to school, but the activity we have seen is no different from the usual and emerging threats observed throughout the summer. So, no new strains or variants, but there are some notable points worth mentioning this month:
  • CashOn leaps to the top rank from last month's fourth place: the adware toolbar plugin has churned last month's wake into consuming waves, with reported volume nearly doubling compared to August.
  • Total monthly malware volume has cooled down by 7.87% since August as fall rolls in.
  • HTML/Obscured!exploit continues to expand in volume at a reduced pace and remains in the top ten for the second consecutive month, with activity up nearly 10% since August.

CashOn cheques further into the Korean market


Let's have a closer look at the adware toolbar CashOn. September proved to be a month of marketing, as there seems to have been a significant push to, once again, seed Korea with the browser-hijacking plugin. As Figure 1 shows, the pattern of peaks and valleys discussed in our August roundup persists throughout September, with 99.80% of CashOn's total volume being reported in Korea. It is interesting to note, however, that the adware activity tapered off during the last week of the month.


Figure 1: CashOn activity for the month of September 2007



Distribution peaks can be seen primarily on Mondays and Wednesdays this month, with an emphasis on the former. The dominant seeding of CashOn suggests that there may have been more players behind this distribution campaign, possibly foreshadowing the surfacing of another related variant or strain (most likely based in Korea as well). "There has been consistent, phenomenal growth with CashOn: since its recorded inception in May 2007, the e-commerce driven browser plugin has wreaked havoc, plaguing Korean cyberspace by surging to extraordinary activity levels," noted Fortinet security research engineer Derek Manky. In a span of merely two months, activity has increased nearly tenfold, achieving a 90% growth rate, as can be observed in Figure 2a below. Figure 2b displays prominent distribution spikes of activity that have been occurring on a daily basis since May 2007. The tremendous daily growth observed during this relatively short timeframe highlights the evolution of the malignant technological engine behind CashOn's money train.
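The three statistics this roundup is built on (a signature's percentage share of the month's detections, the month-over-month change in total volume, and the weekdays on which a signature's seeding peaks) computed in Python over a handful of constructed detection records. This is an added example, not FortiGuard's own tooling or log format; the record layout and every count in it are assumptions.

```python
"""Roundup statistics as in the report above, over constructed records (added example)."""
from collections import Counter, defaultdict
from datetime import date

# Constructed sample records: (date, signature name, sightings). A real
# roundup aggregates millions of events; these rows only exercise the math.
RECORDS = [
    (date(2007, 8, 27), "Adware/CashOn", 400),          # Monday
    (date(2007, 8, 29), "Adware/CashOn", 300),          # Wednesday
    (date(2007, 8, 30), "W32/Netsky.P@mm", 250),
    (date(2007, 9, 3), "Adware/CashOn", 900),           # Monday
    (date(2007, 9, 4), "Adware/CashOn", 200),           # Tuesday
    (date(2007, 9, 5), "Adware/CashOn", 700),           # Wednesday
    (date(2007, 9, 6), "W32/Netsky.P@mm", 300),
    (date(2007, 9, 7), "HTML/Obscured!exploit", 100),
]
WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday",
            "Friday", "Saturday", "Sunday"]

def monthly_volume(records, year, month):
    """Total sightings across all signatures in the given month."""
    return sum(n for d, _, n in records if (d.year, d.month) == (year, month))

def top_signatures(records, year, month, limit=10):
    """Top-N table: each signature's percentage share of the month's total,
    rounded to two decimals like the table above."""
    by_sig = Counter()
    for d, sig, n in records:
        if (d.year, d.month) == (year, month):
            by_sig[sig] += n
    total = sum(by_sig.values())
    return [(sig, round(100.0 * n / total, 2)) for sig, n in by_sig.most_common(limit)]

def month_over_month_change(records, prev, cur):
    """Percentage change in total volume from month prev to month cur
    (each given as (year, month)); negative means volume cooled down."""
    before = monthly_volume(records, *prev)
    after = monthly_volume(records, *cur)
    return round(100.0 * (after - before) / before, 2)

def weekday_peaks(records, signature, year, month, top=2):
    """Weekdays carrying the most sightings of one signature: this is how
    seeding-day patterns such as the Monday/Wednesday peaks are spotted."""
    by_day = defaultdict(int)
    for d, sig, n in records:
        if sig == signature and (d.year, d.month) == (year, month):
            by_day[d.weekday()] += n
    ranked = sorted(by_day.items(), key=lambda kv: kv[1], reverse=True)
    return [WEEKDAYS[wd] for wd, _ in ranked[:top]]
```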


Figure 2a: CashOn reported volume on a monthly basis, starting from May 1st, 2007




Figure 2b: CashOn reported volume on a daily basis, starting from May 1st, 2007



As suggested by the heavy seeding, there are most likely many layers of players in this market. The CashOn website resides in the Korean (.kr) top-level domain and acts as a gateway to various other shopping networks also based in Korea. As a means to feed the seed, a first visit to CashOn's website shows various networks neatly displayed with an overall network price-indexing delta. As seen in Figure 3, some of these networks are selected to showcase common, low-ticket items (approximately $3-$20 USD) for millions of hungry eyes, guided largely by the CashOn toolbar plugin. The shopping network links all target a Korean locale and, of course, maintain stateful information so that the shopping gateway site, CashOn, gets all the credit that is due. One can assume that this business model has been built around a specific target audience because of the financial outlook of a thriving e-commerce market riddled with adware. In order to profit from this market, there is a need for exposure, which requires an effective (not to mention devious) seeding strategy. Given Figures 2a and 2b above, this strategy has clearly been refactored over time in an effort to optimize returns on any dirty investments that were made. Given the significant emerging activity and the related affiliates present on the displayed website, one can be assured that this operation is of substantial scale and not the result of a basement e-commerce startup.


Figure 3: Initial content displayed to CashOn's main index gateway




Figure 4: A search query executed with the CashOn toolbar - the installed plugin is highlighted in red



These affordable wares displayed in Figure 3 are basic items, mostly clothing. This is typical advertising, and it works perfectly for CashOn as it grabs the viewers' attention and capitalizes on various areas of choice (in this case the shopping networks shown in Figure 3). It does not take much imagination to estimate the potential stash harvested by this cash cow, which seems to refuse to leave Korea for greener pastures, to coin a phrase.