This month's highlights: Malware by the numbers

The following malware statistics are based on threats caught by Fortinet's FortiGate security appliances for the period February 21st - March 20th, 2008.

Top Ten Variants

Top ten malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100:
Rank     Malware Variant                  Percentage  Top 100 Shift
1        W32/Pushdo.EV!tr.dldr             13.5         new
2        W32/Netsky!similar                 9.5          -1
3        HTML/Iframe_CID!exploit            6.5          -1
4        W32/Virut.A                        4.3         +29
5        W32/MyTob.BH.fam@mm                1.9          +7
6        W32/MyTob.FR@mm                    1.9          +4
7        W32/Bagle.DY@mm                    1.7          +1
8        W32/Mydoom.N@mm                    1.6          -1
9        W32/MyTob.fam@mm                   1.5           -
10       W32/Istbar.PK!tr.dldr              1.5          +1
This edition, two variants stand out with large surges in activity. The other variants remained in the rat race to unseat Netsky:
  • Pushdo.EV activity soars to easily claim top spot, launching attacks every Sunday while gaining strength
  • The parasitic infector Virut.A launches into fourth position from its 29th place in the last edition of this report, establishing Command & Control
  • MyTob and MyDoom continue consistent activity with four variants present in our top ten
Top Five Families

Malware variant activity for this edition has been grouped by family and sorted, with the major families listed below. Percentage indicates the portion of activity accumulated by the family out of all threats reported in this edition. Top 10 shifts indicate positional changes compared to last edition's Top 10 ranking, with "new" highlighting the malware family's debut in the top ten:
Rank     Malware Family                    Percentage  Top 10 Shift
1        Netsky                            14.5            -
2        Pushdo                            13.7           +1
3        MyTob                              9.5           -1
4        Virut                              4.7           +6
5        MyDoom                             3.6            -
When it comes to family, Netsky remains king of the hill. But for how long? Pushdo settled into a narrow second place this edition, nearly edging out infamous Netsky in prevalence. Virut jumped into fourth place thanks to heavy activity from Virut.A. MyTob and MyDoom family activity had lower rates than reported in last month's edition, yet still remain prevalent threats.

Threat Prevalence

Prevalent malware types for this edition have been ranked below. Percentage indicates the portion of categorized activity out of all threat types reported in this edition.
Rank     Malware Type                      Percentage
1        Mass Mailer                       39.0  
2        Trojan                            32.2
3        Exploit                            7.5
4        Spyware                            5.0
5        Mobile                             0.3
Mass mailers continue to be a favorite seeding mechanism for attacks, despite falling click-through rates and increasingly sophisticated spam filtering. Trojan downloaders, usually affiliated with botnets, are increasingly common as well. Blended threats could potentially be classified in multiple categories; however, we count each one once, under the most serious component it contains.

Pushdo gaining ground

In January, we showed a run in which Pushdo had been using several variants. Two months later, Pushdo continues its run and seems to be gaining momentum, this time using only one variant. The impressive run occurred over the span of a month, with the vast majority of activity occurring every Sunday. Up to their old tricks, the gang behind Pushdo still chooses to use simple social engineering ploys to entice a user into giving his or her PC to the Pushdo botnet. In January it was a late Christmas eCard run, now they are piggybacking on a well-known name to enhance their success. The message claims that an animated card has been attached from a random female name, containing nude photographs. The card attachment purports to be from Adult FriendFinder, a site which claims to have over 20 million members. The latest tactic used by Pushdo.EV can be seen below in Figure 1:

Figure 1: Pushdo.EV leveraging Adult FriendFinder

It is important to stress again that eCards are typically not attachments, and that a user should never open such attachments from unsolicited emails. Typical errors such as the spelling mistake in "Helo" and the mismatch between the Subject and the footer (the footer reads "Adult Sex Finder") should further arouse suspicion. Affiliate programs are common with such networks, but in this case no links to Adult FriendFinder are provided. The gang is merely using the branded name for leverage, in an effort to capitalize on a very large member base.

Once the attachment is opened, Pushdo.EV cycles through various IP addresses in an attempt to establish an HTTP session over which it downloads a rootkit component. Pushdo.EV attempts to connect to several IP addresses to download this component, most of them based in Houston, Texas, and Tampa, Fla. The rootkit component consists of a driver that is loaded by a "svchost.exe" process, which is hidden from Task Manager's process enumeration to reduce the chances of process termination. This component then serves two main purposes. The first task is to cycle through various hard-coded (ultimately dynamic, since the component is downloaded remotely by Pushdo.EV) SMTP servers, which may be used for mass mailing further copies. The second task is to establish a connection to a Command & Control server on port 2581. The component has mass mailing capabilities, and it appears that the engine is used on demand, as can be observed in Figure 2 below:

Figure 2: Distribution Strategies, Pushdo and Virut

With some moderate activity the day before and after, the dominant spikes displayed by Pushdo.EV occur each and every Sunday, spanning four weeks. This activity is up nearly twofold from January, signifying the increasing threat and power harnessed by the Pushdo botnet, noted Fortinet security research engineer Derek Manky. Virut.A generated much of its activity consistently over the four-week span. Virut.A attempts to pass as a legitimate process at first glance, executing under names such as "spooIsv.exe", "logon.exe" and "winlogon.exe". Once executed, Virut.A attempts to establish contact with several C&C servers using ports 1863, 5190, 10324, and 65520. It is also a parasitic file infector, attaching copies of itself to other executables while it remains resident in memory, further spreading the virus on the end user's local PC.
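As an added defender-side example (not from this report and not Fortinet's code), the script below turns the indicators in the two paragraphs above into checks run over sample data: outbound flows to the Pushdo.EV C&C port (2581) and the Virut.A C&C ports (1863, 5190, 10324, 65520), a per-weekday count that makes the Sunday pattern visible, and a look-alike test for process names such as "spooIsv.exe" (capital I in place of lowercase l). The log line format, the IP addresses (documentation ranges), the process list and the port-to-family labels are all constructed assumptions; the report itself gives only the ports and names.

```python
"""Indicator checks built from the Pushdo.EV / Virut.A behaviours the report
describes. All log lines and process names here are constructed samples."""
import re
from collections import Counter
from datetime import datetime

# Ports named in the report, labelled with the family that uses them
# (assumption: the labels are ours, the report lists only the ports).
C2_PORTS = {
    2581: "Pushdo.EV C&C",
    1863: "Virut.A C&C",
    5190: "Virut.A C&C",
    10324: "Virut.A C&C",
    65520: "Virut.A C&C",
}

# Legitimate Windows process names that malware likes to imitate.
SYSTEM_PROCESSES = {"spoolsv.exe", "svchost.exe", "winlogon.exe", "lsass.exe", "csrss.exe"}

# Characters that look alike in common UI fonts; "I" for "l" is the trick in "spooIsv.exe".
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o", "O": "o"})

# Constructed firewall log format: "<date> <time> <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log: 2008-03-09 and 2008-03-16 are Sundays, 2008-03-10 a Monday.
SAMPLE_LOG = """\
2008-03-09 03:12:40 TCP 10.0.0.5:49152 -> 203.0.113.7:80
2008-03-09 03:12:44 TCP 10.0.0.5:49153 -> 203.0.113.7:2581
2008-03-09 03:15:02 TCP 10.0.0.5:49154 -> 198.51.100.4:25
2008-03-10 09:00:13 TCP 10.0.0.8:50001 -> 203.0.113.22:65520
2008-03-16 02:58:31 TCP 10.0.0.5:49160 -> 203.0.113.7:2581
garbage line that should be ignored
"""

# Constructed process list as a host agent might report it.
SAMPLE_PROCESSES = ["svchost.exe", "spooIsv.exe", "logon.exe", "winlogon.exe", "svch0st.exe"]


def flag_c2_connections(lines):
    """Return (timestamp, dst, dport, label) for each flow to a known C&C port."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # lines that do not match the expected format are skipped
        dport = int(m.group("dport"))
        if dport in C2_PORTS:
            hits.append((m.group("ts"), m.group("dst"), dport, C2_PORTS[dport]))
    return hits


def hits_by_weekday(hits):
    """Count flagged flows per weekday name; the report says Pushdo.EV spikes every Sunday."""
    counter = Counter()
    for ts, _dst, _port, _label in hits:
        counter[datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").strftime("%A")] += 1
    return dict(counter)


def lookalike_process_names(names):
    """Return names that equal a system process name once confusable characters are
    normalised, but are not spelled exactly like it (e.g. "spooIsv.exe")."""
    flagged = []
    for name in names:
        normalised = name.translate(CONFUSABLES).lower()
        if normalised in SYSTEM_PROCESSES and name.lower() not in SYSTEM_PROCESSES:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    hits = flag_c2_connections(SAMPLE_LOG.splitlines())
    for hit in hits:
        print("C&C candidate:", hit)
    print("flagged flows by weekday:", hits_by_weekday(hits))
    print("look-alike process names:", lookalike_process_names(SAMPLE_PROCESSES))
```

Two caveats a practitioner would apply before alerting on this: ports 1863 and 5190 are also the standard MSN Messenger and AIM ports, so a destination-port match alone needs corroboration (destination reputation, or the originating process on the host); and a name list cannot catch "logon.exe" or an impostor that is really named "winlogon.exe", which is why the usual host-side check is the image path (a "winlogon.exe" running from outside the system directory) rather than the name.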

Disclaimer:

Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. More specific information is available on request from Fortinet. Please note that Fortinet's product information does not constitute or contain any guarantee, warranty or legally binding representation, unless expressly identified as such in a duly signed writing.

About Fortinet ( www.fortinet.com ):

Fortinet is the pioneer and leading provider of ASIC-accelerated unified threat management, or UTM, security systems, which are used by enterprises and service providers to increase their security while reducing total operating costs. Fortinet solutions were built from the ground up to integrate multiple levels of security protection, including firewall, antivirus, intrusion prevention, VPN, spyware prevention and anti-spam, designed to help customers protect against network and content level threats. Leveraging a custom ASIC and unified interface, Fortinet solutions offer advanced security functionality that scales from remote office to chassis-based solutions with integrated management and reporting. Fortinet solutions have won multiple awards around the world and are the only security products that are certified in six programs by ICSA Labs (Firewall, Antivirus, IPSec, SSL, Network IPS, and Anti-Spyware). Fortinet is privately held and based in Sunnyvale, California.