The State of Malware - September 2008 Edition

This edition's highlights:

There was a vast change in this report's threatscape, highlighted by a run of many new variants.

The following malware statistics are based on threats caught by Fortinet's FortiGate security appliances for the period August 21st - September 20th, 2008.

Top Ten Variants

Top ten malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100:

| Rank | Malware Variant | Percentage | Top 100 Shift |
|---|---|---|---|
| 1 | W32/Inject.GZW!tr.bdr | 38.1 | new |
| 2 | W32/Inject.GZV!tr.bdr | 6.7 | new |
| 3 | W32/Multidr.JD!tr | 4.3 | -2 |
| 4 | W32/Delf.BFC!tr.dldr | 3.6 | new |
| 5 | W32/Netsky!similar | 2.2 | -2 |
| 6 | W32/Goldun.AXT!tr.spy | 2.1 | new |
| 7 | W32/Virut.A | 2.0 | -2 |
| 8 | HTML/Iframe_CID!exploit | 2.0 | +1 |
| 9 | W32/Dloadr.BQY!tr | 2.0 | new |
| 10 | W32/Crypt.MV!tr | 1.6 | new |

Malware variants' activity for this edition has been grouped into families and sorted as shown below. Percentage indicates the portion of activity accumulated by the family out of all threats reported in this edition. Top 10 shifts indicate positional changes compared to last edition's Top 10 ranking, with "new" highlighting the malware family's debut in the top ten:

| Rank | Malware Family | Percentage | Top 10 Shift |
|---|---|---|---|
| 1 | RogueSecurity | 61.5 | new |
| 2 | Netsky | 3.5 | -1 |
| 3 | Goldun | 3.5 | new |
| 4 | Virut | 2.5 | - |
| 5 | OnlineGames | 2.0 | -3 |

The rogue security application family (RogueSecurity) was added this month, and the accumulated results for all of its variants were astounding: 61.5% of total reported malware belonged to the RogueSecurity family. The sheer volume of the top four variants this period no doubt contributed to a good part of this figure, with many other variants filling in the rest. Two main rogue applications composed this family (see our rogue analysis for more details): AntiVirus XP 2008 took the cake with 55.5% of the 61.5% reported family activity, while XP Security Center accounted for the remaining 6.0%.

Activity recap

There was a vast change in the threatscape this period, highlighted by the arrival of new variants in our top ten. Last report, we showed the influx of activity associated with W32/Multidr.JD towards the end of the period. This activity continued throughout the beginning of this period, shifting to W32/Delf.BFC before moving on to other variants. While this activity was concerning enough, the cyber criminals behind this campaign decided to kick it up a notch. Halfway through the reported period, the already heavy rogue security activity exploded: W32/Inject.GZW began flooding cyberspace in volumes we have not previously reported.
Figure 1 below shows this surge of activity overshadowing W32/Netsky:

Figure 1: Top six variant activity for this report period, fueled by rogue security trojans

Back in January/February of 2007, Storm made a couple of single-day runs with comparable activity. This has not occurred since, and the biggest difference here is the accumulated volume: W32/Inject.GZW maintained these extreme levels for at least six days, not to mention the other variants. All of the variants shown in Figure 1 above were associated with the rogue security application AntiVirus XP 2008. This campaign has been ongoing for a while, and has recently been underscored by this flood of activity. All servers observed hosting web content for this product were using a limited fast flux model: a small pool of IPs was being switched out on a frequent basis, as Fortinet security researcher Derek Manky noted. These hosts all ran the popular Nginx web server, and supported other rogue products such as AntiMalware 2009 through virtual domains.

While these rogue applications were certainly the focus of this period, other malware should not go unnoticed. W32/Virut.A remains very consistent and prevalent. In addition, a new keylogger popped up onto the radar, with most of the activity associated with W32/Goldun.AXT. Figure 2 below shows activity for this new family, as well as accumulated activity for the RogueSecurity and Netsky families:

Figure 2: Family activity for this report, dominated by RogueSecurity

Fortinet's FortiGuard Global Security Research Team will continue to monitor these emerging trends and threats. Users should prepare for another month of activity from the RogueSecurity family, and always be aware of these scams.

Solutions

Customers who use Fortinet’s FortiGuard Subscription Services should already be protected against the threats outlined in this report.
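The "limited fast flux" pattern described above (a small pool of IPs rotated frequently, rather than the hundreds of addresses seen in classic fast flux) is something a defender can surface from repeated DNS lookups. The following is an added example, not Fortinet's code or data: the hostnames and addresses are constructed, and the thresholds are illustrative assumptions.

```python
"""Heuristic for spotting the "limited fast flux" hosting pattern from repeated
A-record lookups. Added example; the samples below are constructed, not observed."""
from collections import defaultdict

# Constructed lookup samples: (hostname, seconds since first lookup, A records returned)
SAMPLES = [
    ("rogue-example.test", 0,    ("198.51.100.10", "198.51.100.11")),
    ("rogue-example.test", 300,  ("198.51.100.12", "198.51.100.11")),
    ("rogue-example.test", 600,  ("198.51.100.10", "198.51.100.13")),
    ("rogue-example.test", 900,  ("198.51.100.12", "198.51.100.14")),
    ("rogue-example.test", 1200, ("198.51.100.13", "198.51.100.10")),
    ("static-example.test", 0,    ("203.0.113.5",)),
    ("static-example.test", 300,  ("203.0.113.5",)),
    ("static-example.test", 600,  ("203.0.113.5",)),
    ("static-example.test", 900,  ("203.0.113.5",)),
    ("static-example.test", 1200, ("203.0.113.5",)),
]


def flux_profile(samples):
    """Per hostname: size of the IP pool seen over all lookups and the fraction of
    consecutive lookups whose A-record set changed (the rotation rate)."""
    by_host = defaultdict(list)
    for host, ts, ips in samples:
        by_host[host].append((ts, frozenset(ips)))
    profile = {}
    for host, rows in by_host.items():
        rows.sort()                      # order by lookup time
        sets = [s for _, s in rows]
        pool = len(frozenset().union(*sets))
        changes = sum(1 for a, b in zip(sets, sets[1:]) if a != b)
        rate = changes / (len(sets) - 1) if len(sets) > 1 else 0.0
        profile[host] = {"pool_size": pool, "change_rate": rate, "lookups": len(sets)}
    return profile


def classify(profile, min_lookups=4, change_threshold=0.5, small_pool=16):
    """Label each host. Thresholds are assumptions for illustration:
    a small pool that still rotates on most lookups is the pattern the report describes."""
    labels = {}
    for host, p in profile.items():
        if p["lookups"] < min_lookups:
            labels[host] = "insufficient-data"
        elif p["pool_size"] > small_pool:
            labels[host] = "classic-flux"
        elif p["change_rate"] >= change_threshold:
            labels[host] = "limited-flux"
        else:
            labels[host] = "stable"
    return labels
```

Note that a legitimate round-robin or CDN host can also rotate answers, so a "limited-flux" label is a lead for analyst review, not a verdict on its own.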
Threat activity is compiled by Fortinet's FortiGuard Global Security Research Team using data gathered from its intelligence systems and FortiGate™ multi-threat security appliances in production worldwide. FortiGuard Subscription Services offer comprehensive security solutions including antivirus, intrusion prevention, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products.