Fortinet Reviews Malicious Code Activity In October 2006
This month, the Fortinet Research team uncovers new threats and dissects cybercrooks' intentions, delivering insights on the freshest scams around.
This month's highlights:
- Stration: Tricking its Way to the Top
- MySpace Gives Way to "Their" Space
- VolksBanken Phish: Taking a Hold of Germany
October, by the numbers:
Top 10 threats caught by Fortinet's FortiGate security appliances in October 2006:
Rank  Name                     %
 1    Adware/BetterInternet    6.32%
 2    HTML/Volksbanken!phish   6.31%
 3    W32/Netsky.P@mm          6.01%
 4    HTML/Iframe_CID!exploit  5.15%
 5    W32/Bagle.DY@mm          4.55%
 6    W32/BagleZip.GL@mm       3.28%
 7    W32/Stration.DS@mm       3.23%
 8    W32/Grew.A!worm          2.89%
 9    W32/WMF!exploit          2.86%
10    W32/Istbar.PK!tr.dldr    2.94%
This month, a few new faces in the Top 10 threats created a big change in the world of malware. The three new Stration variants hit especially hard -- Stration.DR, Stration.DT and Stration.DS, which is still making its way up the Top 10. Mass mailers account for 44 percent of this month's threats, and the Stration variants alone account for 16 percent of those mass mailer detections. Meanwhile, phishing has increased dramatically, by 45 percent, with the outbreak of HTML/VolksBanken!phish, discovered in late September.
The distribution of detections is shown in the following diagram:
Fig 1: Malware Distribution for October 2006
Looking at the statistics on these four new threats, one could easily say that the Internet has been getting even more dangerous:
Fig 2: Stration vs Volksbanken Phish
Stration: Tricking its Way to the Top
The internet has been a hotbed of danger since its inception. In terms of specific threats, the eye-catching Adware/BetterInternet scam has been around since 2004. The adware, as we all know, preys on unsuspecting internet users and serves them a stream of invasive, demographically targeted advertisements. This threat has been riding high on top threat lists ever since it was discovered - and shows no sign of giving up.
Unlike the adware, W32/Netsky is a mass mailer, but it too first appeared in 2004. The threat forces its way into email inboxes with an executable attachment that, once run, harvests email addresses so the worm can continue to propagate. "Netsky has always been a bit like interest on a credit card; if you don't rid yourself of your debt all at once, the interest payments will cause you to lose more money in the end," said Bryan Lu, virus researcher for Fortinet. For that reason, security vendors have had to take a tough stand against all variations of Netsky.
After a couple of years of come-and-go threats, a third threat that seems determined to stick around has surfaced. Stration, which Fortinet first reported on in September, has only been circulating for three months. However, as the figure below shows, its detection rate is comparable to that of both BetterInternet and Netsky, and in some cases is even higher. Stration is a trickster by default, as its long-term motive is still something of a mystery. Each time a user is fooled into opening an email attachment, that person's infected computer can send an average of 10 e-mails per round. For example, when Stration.DT was first discovered on Oct. 26, it was detected only in the U.S., with fewer than 10 detections; now, only five days later, there have been detections in up to 100 countries, according to Lu.
Fig 3: Stration, Netsky and BetterInternet
MySpace Gives Way to "Their" Space
Earlier this month, a social engineering campaign hit the road, spamming e-mails claiming to be from Myspace.com administrators. A recent blog post from a well-known U.S. journalist claims that one third of the U.S. population is registered on MySpace. If this statistic is accurate, imagine what percentage of the world's population is on MySpace. Now take that a step further, and consider the wealth of opportunity this presents to hackers - they are certainly considering it when they develop these social engineering threats.
With this latest attack, the spam email floods mailboxes in the hope of attracting some of these millions of MySpace users. It lures people in by offering full album downloads for only $2 - a steal compared to other paid music services - and the hackers then walk away with the victims' banking information.
"Once the gang gets your financial information, your space is now their space; or more accurately, your money is their money," said Lu. "In cases like these, oftentimes hackers make use of banking information by ordering products online and having them delivered to countries where there is no law in place to prosecute them. The only reliable protection from such threats is a strong network defense - and user education about social engineering."
Fig 4: MySpace Music Phishing Site
Although Fortinet reported on this threat, and has been protecting its users from this site, since September 2006, the phishing site is still up. Also interesting to note, according to Lu, is that the phishing site has not been updated at all: the same "Top Downloads" and "Best Sellers" that were on the site in early October are still there. This shows that the social engineers have been successful in driving new floods of MySpace users into their traps.
VolksBanken Phish: Taking a Hold of Germany
VolksBanken!phish, which originated in Germany, is going back to its roots. Earlier this month, 50 percent of these detections were found in Germany, with the remainder tracked in the U.S. Now, just a few weeks later, more than 80 percent of the detections have been found in Germany.
Fig 5: VolksBanken Phish October 2006
"As we know, phishing sites are everywhere," said Lu. "However, hackers are becoming smarter in the way that they target certain demographics so that their threats might bear more fruit."
The phishing threat arrives by email with an embedded image that tells the Volksbanken customer to click a link in order to update their online banking information. As Fortinet reported when this threat was first detected, it at one point surpassed the infamous W32/Netsky mass mailer. The threat also leverages a "white on white" text approach, though with slightly darker text, to try to bypass spam-blocking technologies.
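The "white on white" filler described above is something a mail filter can score for directly. The following is an added example, not Fortinet's own detection logic: it walks an HTML mail body with Python's html.parser, tracks the effective text colour from `color` attributes and inline `color:` styles, and reports text whose WCAG contrast against an assumed white background falls below a threshold. The sample message is constructed for this example and is not the actual Volksbanken mail.

```python
import re
from html.parser import HTMLParser

STYLE_COLOR_RE = re.compile(r'(?<![-\w])color\s*:\s*(#[0-9a-fA-F]{6})')  # skips background-color
VOID_TAGS = {'br', 'img', 'hr', 'meta', 'input', 'area', 'link'}        # never get an end tag

def hex_to_rgb(color):  # '#rrggbb' -> (r, g, b); None for anything else
    m = re.search(r'#([0-9a-fA-F]{6})', color or '')
    return tuple(int(m.group(1)[i:i + 2], 16) for i in (0, 2, 4)) if m else None

def contrast_ratio(fg, bg):  # WCAG contrast ratio of two RGB triples; 1.0 = identical
    def lum(rgb):
        lin = [c / 12.92 if c <= 0.03928 else ((c + 0.055) / 1.055) ** 2.4 for c in (v / 255 for v in rgb)]
        return 0.2126 * lin[0] + 0.7152 * lin[1] + 0.0722 * lin[2]
    hi, lo = sorted((lum(fg), lum(bg)), reverse=True)
    return (hi + 0.05) / (lo + 0.05)

class HiddenTextScanner(HTMLParser):
    def __init__(self, threshold):
        super().__init__()
        self.bg, self.threshold = (255, 255, 255), threshold  # white page background assumed
        self.stack = [(0, 0, 0)]            # effective text colour, default black
        self.hidden, self.visible = [], []  # text runs, split by contrast against self.bg
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        m = STYLE_COLOR_RE.search(a.get('style') or '')
        color = hex_to_rgb(a.get('color')) or (hex_to_rgb(m.group(1)) if m else None)
        if tag not in VOID_TAGS:
            self.stack.append(color or self.stack[-1])   # inherit when no colour is set
    def handle_endtag(self, tag):
        if len(self.stack) > 1: self.stack.pop()
    def handle_data(self, data):
        if text := data.strip():
            low = contrast_ratio(self.stack[-1], self.bg) < self.threshold
            (self.hidden if low else self.visible).append(text)

def scan_hidden_text(html, threshold=1.5):
    """Return (fraction of characters that are near-invisible, list of hidden snippets)."""
    p = HiddenTextScanner(threshold)
    p.feed(html)
    hidden_n, total_n = sum(map(len, p.hidden)), sum(map(len, p.hidden + p.visible))
    return (hidden_n / total_n if total_n else 0.0), p.hidden

# Constructed sample in the shape the report describes (not a real phishing mail): an image
# asking the reader to follow a link, plus filler text coloured almost like the background.
SAMPLE_HTML = """<html><body><p><a href="http://example.invalid/update"><img src="cid:notice.gif"></a></p>
<p style="color:#f8f8f8">quarterly harvest meadow lantern sunrise ledger violin orchard</p>
<font color="#fafafa">paper river candle window</font>
<p style="background-color:#ffffff; color:#000000">Regards</p>
</body></html>"""
```

A high hidden-text fraction combined with a near-empty visible body is the signal to score; the threshold of 1.5 is an assumption and should be tuned against legitimate mail.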