This month's highlights:
March, by the numbers:
Top 10 threats caught by Fortinet's FortiGate security appliances in March 2006:
Rank | Threat | Share
1 | W32/Netsky!similar | 11.26%
2 | Adware/BetterInternet | 10.01%
3 | HTML/Iframe_CID!exploit | 8.38%
4 | W32/Grew.A!wm | 7.71%
5 | W32/Bagle.DY-mm | 5.12%
6 | HTA/Sitex.A-tr | 2.99%
7 | W32/MyTob.fam-mm | 2.62%
8 | W32/Mytob!similar | 2.19%
9 | W32/Bagle.EG!mm | 1.81%
10 | Adware/ZangoSA | 1.75%
Top 5 new threats appearing in March 2006:
Rank | Threat | Share
1 | W32/Bagle.fam-mm!Sality | 0.93%
2 | W32/Bagle.EK!mm | 0.45%
3 | HTML/BankFraud.E!phish | 0.31%
4 | W32/Bagle.FO!mm | 0.29%
5 | W32/Sality.I | 0.23%
Top 10 countries reporting infections in March 2006:
Rank | Country | Share
1 | United States of America | 19.21%
2 | Korea, Republic of | 9.14%
3 | Taiwan | 8.52%
4 | India | 5.83%
5 | Japan | 5.76%
6 | China | 4.93%
7 | Mexico | 4.12%
8 | Thailand | 3.47%
9 | Malaysia | 3.00%
10 | Sweden | 2.80%
Virus Activity: Netsky, Dead or Alive?
This month's top 10 threats outline new trends on the virus scene that have been progressively growing for several months. Netsky is back on top more than two years after it was discovered. At first thought, this could be perceived as the resurgence of an old dormant virus taking over the scene again, in a raging blow against the bot-loaded worms of today. Guillaume Lovet, Fortinet's threat intelligence and response team leader, has bad news for admirers of old-school worms.
"That's not the case," he said. "Netsky is dead. What we see topping the charts is just some residual activity, irradiating from long forgotten machines that were infected back in the outbreak days."
The only reason for that top 10 reconquista is that today's worms, carrying their lucrative bots, tend to adopt a lower and lower profile to avoid attracting cybercops' attention. The trend is corroborated by this month's figures, as the global activity of mass-mailing worms decreased by nearly 9 percent from February to March.
On the importance of Social Engineering: News from a Valentine's couple
The presence in the top 10 of Bagle.EG, a threat discovered in mid-February, while most other February Bagle variants disappeared in the charts abyss, is certainly food for thought. Indeed, the biggest Bagle outbreak of February was Bagle.DW, but the following figure shows that despite its aggressive seeding, the rate of infection was pretty low:
Figure 1: Top Bagle variants in March 2006
Bagle.DW activity dives to null while Bagle.EG shows some remnants, indicating that a significant number of users did 'click on the attachment.' As one might have already guessed, the essential difference between Bagle.DW and Bagle.EG lies in their social engineering moves: while .DW used typical 'Ok. Your document is attached' lines, .EG took advantage of the date specificity (Valentine's Day), 'heavily resorting to hearts, cheesy poems and bright colors'.
The internet is even 'Better' this month
Last month, we developed the Adware/Betterinternet topic, demonstrating how Bot Herder(s) make good money via massive installation of the infamous adware on their Bots cattle, every Monday and Thursday. This month's figures not only confirm our presumptions, but also highlight something new:

Installation peaks can be observed on every Monday and Thursday of the month, and since the 15th on every Wednesday as well. The tremendously flat aspect of the curve from Wednesdays to Thursdays further demonstrates that the target installation 'material' (infected machines) is rigorously the same from one day to the next.
Advances in Phishing: the art of deception
Months pass and the Phishing concern keeps growing. While the raw volume of Phishes was steady from February to March, several innovations were witnessed this month by our Threat Response Team:
Rock-phish kits
The so-called 'rock-phish' kit saves Phishers space and time: one single 'physical' site with multiple DNS names now holds a multitude of Phishing pages, covering a broad range of different banks. Such kits are easily identified by the pattern of their URL: http://[domain name]/r1/[letter], where the letter indicates which fake banking site is displayed; it is usually the first letter of the targeted bank's name. An image is worth a thousand words, so here is a typical rock-phish kit in action:
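The URL pattern above is a simple thing to hunt for in web proxy logs. The following is an added example, not code from the original report or from Fortinet: it matches requests against the /r1/[letter] pattern and flags hosts serving several distinct bank letters, which is exactly the multi-bank signature of a single kit. The log format and all hostnames are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Rock-phish kit path pattern from the report: /r1/<single letter>, optional trailing slash.
ROCK_PHISH_RE = re.compile(r"^/r1/([A-Za-z])/?$")

# Constructed sample proxy log (not real data): "<timestamp> <client> <url>"
SAMPLE_LOG = """\
2006-03-07T10:01:12 10.0.0.5 http://example-bank.test/login
2006-03-07T10:02:40 10.0.0.9 http://kit-host.test/r1/b
2006-03-07T10:02:55 10.0.0.9 http://kit-host.test/r1/c
2006-03-07T10:03:10 10.0.0.11 http://other-name.test/r1/b
2006-03-07T10:04:02 10.0.0.12 http://kit-host.test/r1/h/
2006-03-07T10:05:30 10.0.0.13 http://news.test/r1/bank-promo
"""


def rock_phish_letter(url):
    """Return the bank letter if the URL path matches the rock-phish pattern, else None."""
    match = ROCK_PHISH_RE.match(urlparse(url).path)
    return match.group(1).lower() if match else None


def suspicious_hosts(log_text, min_letters=2):
    """Map host -> sorted bank letters, keeping hosts that serve at least min_letters of them.

    One site hosting several /r1/<letter> pages is the kit's signature, so a host
    with several distinct letters is a stronger indicator than a single hit.
    """
    letters = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than crash the sweep
        url = parts[2]
        letter = rock_phish_letter(url)
        if letter:
            letters[urlparse(url).hostname].add(letter)
    return {host: sorted(found) for host, found in letters.items() if len(found) >= min_letters}
```

Because the report notes that one kit sits behind many registered domain names, resolving flagged hostnames and grouping by IP address will usually merge several of them into a single site.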
However, this strategy has a drawback, since multiple domain names must be registered (all resolving to the phishing site hosting the rock-phish kit). One cunning Phisher out there found an 'elegant' solution:

Notice the domain name and the stunning number of banks 'implemented' (above left). This domain has been taken down, which is twice as fortunate, since the stolen data was also stored on the server in a somewhat public fashion (above right).
Reward/Refund phishes
An interesting social engineering strategy that dramatically boosts a Phish success rate is the Reward/Refund lure. The recipe is simple: attract the fish with a $20 bill hanging on your hook and keep your eyes on the sink. For example, see the fake Chase Reward survey screenshot below:

According to Nick Bilogorskiy, Fortinet's manager of malicious code research, "This strategy has been extensively coupled with IRS Phishes this month, in a scam where the phishing email is purporting to be from the IRS." The message requests banking credentials in order to refund victims with a fistful of dollars, following a mistake on the IRS' side.
Fake address bar
It is widely known that thoroughly checking the validity of a (presumed) banking site address in a browser's address bar is an effective means to avoid being hooked like a vulgar fish. For a while, Phishers have looked for means to circumvent this architectural security, which led to the Pharming attacks that we witnessed last year. However, as undetectable as a Pharming scheme can be for the targeted users, it is tremendously difficult to set up for the average Phisher (it involves hacking into an authoritative DNS server). Someone obviously found a less effort-consuming (and way cheaper) solution: the pop-up with integrated fake address bar. The following sequence shows it in action:

Above on the left is the initial page that 'phished' users are driven to. Clicking the link opens the pop-up window above on the right. Notice that in Firefox, with the 'open pop-ups in new tabs' option enabled, the 'real' address of the pop-up page is displayed in the address bar. After a little while, the pop-up contents turn into:

Looks somewhat cheap, but it works well.
When 419 scams meet Phish
So-called '419 scams,' named after the relevant section of the Criminal Code of Nigeria, are scam emails purporting to be from 'someone' in distress in a country at war (often Nigeria). That 'someone' always claims to have an enormous amount of money to get out of the country. Of course, that person offers a significant percentage of that sum (which can reach several million dollars) to whoever may help him or her transfer it via a personal bank account. People falling for that scam soon find themselves having to pay more and more 'service fees' and taxes for the transfer, which is repeatedly delayed, forever. Advanced 419 scams involve talks on the phone with the victim and go as far as inviting them to the country mentioned above, where they are physically bullied.
This month a new breed of threat was reported which combines 419 and Phishing in a horrid scam where victims are asked to open a 'free' account on an online bank linked in the 419 email; as a matter of course, this link leads to a fake banking site. Soon the appealing sum mentioned in the email appears on the online account the targeted user just opened. The victim now just has to transfer the sum to his or her real, legitimate bank account. This, of course, is never going to happen, but the classic service fees will be requested to be wired to an 'intermediary bank'.
This is perhaps the most subtle and scariest piece of social engineering advance we have seen for a while.
Ransomware is back: the Cryzip case.
Last year, back in May, a Trojan called W32/GPcoder-tr introduced online extortion targeting random, average users: this Trojan would encrypt files on the infected user's hard drive with a proprietary algorithm and hold the decryption key for ransom. This month, a similar Trojan appeared, this time using zip encryption libraries to get the job done: W32/Cryzip!tr. This case has been more or less extensively covered by various sites, thus we will focus on the points of particular interest:
'4. Passphrase: this is the most important piece of information connected to any e-gold account. We can not stress enough how important it is that your passphrase is kept safe and secure.'
Indeed, don't take any chances with your security; otherwise other culprits may steal your gold before we do.
Although this would prevent anyone from simply extracting strings from the malware to figure out the password, reverse engineering quickly reveals the trick.