This month’s highlights:
November, by the numbers:
Top 10 threats caught by Fortinet’s FortiGate security appliances in November 2006:
Rank  Name                        %
1     HTML/Volksbanken!phish      8.92
2     HTML/BankFraud.E!phish      6.84
3     W32/Netsky.P@mm             2.89
4     Adware/BetterInternet       2.60
5     HTML/Iframe_CID!exploit     2.56
6     W32/Stration.DU@mm          2.22
7     W32/Bagle.DY@mm             2.05
8     W32/Stration.DS@mm          1.75
9     W32/Grew.A!worm             1.75
10    HTML/BankFraud.OD!phish     1.68
November’s top 10 offers a neat picture of the current malware situation: massive phish runs, Netsky.P@mm refusing to die, Adware/BetterInternet representing the botnet-supported adware family (see our previous study), and two old-schoolers: Bagle and Grew.
As a matter of course, however, the rock star of the month is, again, Stration.
Stration, Next episode: Runs and Variants
Indeed, the worm with a plan has kept fueling discussions in the AV world (and in the security world in general). So, the “plan” was really… to make some bucks (sigh of un-surprise). Some Stration variants did download spam-oriented Trojans and started relaying medical spam (Viagra and the like…) in high volumes.
Here is our monthly Stration top 10:
Rank  Name                     % of all Strations this month
1     W32/Stration.DU@mm       42.2079
2     W32/Stration.DS@mm       33.2702
3     W32/Stration.GK@mm        7.8586
4     W32/Stration.FR@mm        3.7544
5     W32/Stration.FN!tr        3.3115
6     W32/Stration.BS@mm        2.3891
7     W32/Stration.EV!tr        1.9967
8     W32/Stration.FF@mm        1.1812
9     W32/Stration.EV@mm        1.0843
10    W32/Stration!tr.dldr      0.5021
No fewer than 70 active variants were seen this month by Fortinet’s monitoring infrastructure. This number, however, is hard to pin down: it varies widely among vendors and depends heavily on how generic their respective signatures are.
According to Guillaume Lovet, threat response team leader for EMEA, Stration is most likely generated by a polymorphic engine (although it does NOT carry this engine, so it does not morph on every replication), so rather than variants we may talk about “runs”. Better than words, a graph should help make the case clear:
figure 1: Stration runs
About eight runs are observable in this figure, each appearing as a sharp peak. For the Stration authors, each run consists of making a new copy of Stration available on one or several of its “update URLs” (that is, the URLs from which previous variants try to download additional components). Then, for six to 48 hours, a new “repacked” version of the malware is released there every hour.
It takes one or more detection patterns (aka signatures) to catch all those variants, hence the “Russian dolls” visual effect sometimes produced by the colored peaks of figure 1.
As an example, here are the logs of one of our monitoring tools following the evolution of a Stration run, which make the one-hour repack interval obvious:
Mon Nov 27 16:38:15 2006 : A new file with md5 sum a024e87212218a4a89fb44ade3eb1d9d was uploaded but is already caught as W32/Stration.DS@mm
Mon Nov 27 17:40:34 2006 : A new file with md5 sum e10a630cbdb7d86e1478ea4275fbd62f was uploaded but is already caught as W32/Stration.DS@mm
Mon Nov 27 20:47:18 2006 : A new file with md5 sum 5c82b19225f0569e5be70683b084d7dd was uploaded but is already caught as W32/Stration.DS@mm
Mon Nov 27 21:39:54 2006 : A new file with md5 sum 05a26ccd8680c30addb8952ab2ab9bd2 was uploaded but is already caught as W32/Stration.DS@mm
Mon Nov 27 22:41:13 2006 : A new file with md5 sum 93d5a951b8e2b8bacbd73807f90acb3b was uploaded but is already caught as W32/Stration.DS@mm
Mon Nov 27 23:42:25 2006 : A new file with md5 sum 82f2719505aeb49526d0912533ec7f88 was uploaded but is already caught as W32/Stration.DS@mm
Tue Nov 28 00:43:54 2006 : A new file with md5 sum f8b57e1ece3a60e3fb3ada7e17b0eadc was uploaded but is already caught as W32/Stration.DS@mm
Tue Nov 28 01:45:15 2006 : A new file with md5 sum 49bfc71411e05b5855c0ecc4c506640c was uploaded but is already caught as W32/Stration.DS@mm
Tue Nov 28 02:46:26 2006 : A new file with md5 sum f3b8027f971ec8d28a3a6930e8ef5e7e was uploaded but is already caught as W32/Stration.DS@mm
Tue Nov 28 03:47:33 2006 : A new file with md5 sum 81b5893352a392b35913ee71d932fa7b was uploaded but is already caught as W32/Stration.DS@mm
Tue Nov 28 04:40:09 2006 : A new file with md5 sum fd3e7f4d99231d9853321b4b32187358 was uploaded but is already caught as W32/Stration.DS@mm
Tue Nov 28 05:41:24 2006 : A new file with md5 sum f1d3dbec4836ae4bc69df05bc95d0077 was uploaded but is already caught as W32/Stration.DS@mm
Tue Nov 28 06:42:31 2006 : A new file with md5 sum 234a44c5a79c82339658c314d28ea9cf was uploaded but is already caught as W32/Stration.DS@mm
Other vendors may need more or fewer signatures than that to catch a whole run, once again highlighting the difficulty of determining the number of variants (and their names).
A last interesting fact observable in figure 1 is that the two patterns engineered to catch the runs of Nov. 1 and Nov. 2, called W32/Stration.DU@mm and W32/Stration.DS@mm, later caught most of the Nov. 26/27 and Nov. 20 runs, respectively.
In pure bragging terms, this means that for those two last runs, Fortinet’s response time was 0 days, 0 hours, 0 minutes, 0 seconds.
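To make the repack cadence measurable rather than eyeballed, here is an added example (our own illustration, not the monitoring tool’s code) that parses the log lines above into events and reports the gap between consecutive uploads; it assumes the line format is exactly as printed above and feeds in seven of those lines.

```python
import re
from datetime import datetime
from statistics import median

# Seven lines quoted from the monitoring log excerpt above (page data, not constructed).
LOG = """\
Mon Nov 27 16:38:15 2006 : A new file with md5 sum a024e87212218a4a89fb44ade3eb1d9d was uploaded but is already caught as W32/Stration.DS@mm
Mon Nov 27 17:40:34 2006 : A new file with md5 sum e10a630cbdb7d86e1478ea4275fbd62f was uploaded but is already caught as W32/Stration.DS@mm
Mon Nov 27 20:47:18 2006 : A new file with md5 sum 5c82b19225f0569e5be70683b084d7dd was uploaded but is already caught as W32/Stration.DS@mm
Mon Nov 27 21:39:54 2006 : A new file with md5 sum 05a26ccd8680c30addb8952ab2ab9bd2 was uploaded but is already caught as W32/Stration.DS@mm
Mon Nov 27 22:41:13 2006 : A new file with md5 sum 93d5a951b8e2b8bacbd73807f90acb3b was uploaded but is already caught as W32/Stration.DS@mm
Mon Nov 27 23:42:25 2006 : A new file with md5 sum 82f2719505aeb49526d0912533ec7f88 was uploaded but is already caught as W32/Stration.DS@mm
Tue Nov 28 00:43:54 2006 : A new file with md5 sum f8b57e1ece3a60e3fb3ada7e17b0eadc was uploaded but is already caught as W32/Stration.DS@mm
"""

# Line format of the monitoring tool as it appears on the page (assumed stable).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : A new file with md5 sum "
    r"(?P<md5>[0-9a-f]{32}) was uploaded but is already caught as (?P<sig>\S+)$"
)

def parse_log(text):
    """Return events sorted by time as (timestamp, md5, signature); unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            events.append((ts, m["md5"], m["sig"]))
    return sorted(events)

def gaps_minutes(events):
    """Whole minutes between consecutive uploads; a monitoring hole shows up as one large gap."""
    return [round((b[0] - a[0]).total_seconds() / 60) for a, b in zip(events, events[1:])]

def summarize_run(events, lo=45, hi=75):
    """Cadence summary; 'hourly_share' is the fraction of gaps inside the [lo, hi] minute window."""
    gaps = gaps_minutes(events)
    hourly = sum(1 for g in gaps if lo <= g <= hi)
    return {
        "samples": len(events),
        "unique_md5": len({e[1] for e in events}),   # every repack carries a fresh hash...
        "signatures": {e[2] for e in events},        # ...yet one pattern catches them all
        "median_gap_min": median(gaps) if gaps else None,
        "hourly_share": hourly / len(gaps) if gaps else 0.0,
    }

EVENTS = parse_log(LOG)
```

On these seven lines the median gap is 61 minutes, and five of the six gaps fall in the hourly window; the 187-minute outlier between 17:40 and 20:47 is the one hole in the excerpt.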
The Phisher Worm scavenges MySpace
figure 2: rogue bulletin
Hackers have once again created an exact replica of the MySpace log-in page in order to capture users’ personal details. All users have to do is click on a seemingly innocuous bulletin (figure 2 above), posted by a trusted friend, asking them to check out a hilarious video, and voila, they find themselves asked to log in again by “MySpace”, something that happens all the time on the site due to bugs. The only clue is the URL; the graphics, the rotating ads, and so on are exactly the same as on the real MySpace login page (see figure 3 below).
figure 3: rogue site mimicking the MySpace login page
The modus operandi of these hackers is largely unknown; however, we can make a pretty good guess about the following:
So, what we have is a creeping phish (a phish that spreads automatically, using worm-like features) harvesting thousands to millions of MySpace accounts. As a matter of course, we immediately blacklisted this site through the web content filtering feature of our FortiGate systems, so all of our users were protected from accessing it.
Vocal phish revealed
Earlier this month, some of our honeypots received the following email:
Subject: CreditCardDebtFree Overnight
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
Our attorneys have discovered a loop hole in the banking laws. Using this discovery we have been successful at totally eliminating peoples CreditCardDebt with out them paying another dime. We GuaranteeThat we can do this for you.
Contact us at: Inquiries: (314) 414-4*
Then, to the amazement of the Frenchmen, Rob shot into the air fifty feet or so, from which elevation he overlooked a pretty garden in the rear of the President’s mansion. The place was protected from ordinary intrusion by high walls, but Rob descended within the enclosure and walked up to a man who was writing at a small table placed under the spreading branches of a large tree
The trailing text (after the phone number) is, of course, just meant to fool the antispam cognitive filters.
This obviously looks like a scam, and more precisely a phishing attempt that directs potential victims not to a rogue site but to a voice mailbox (this has often been hyped as “vishing”). Although similar attempts have been reported in the past, for the sake of the experiment we recorded this one.
You may download the .mp3 here and listen to the four-minute conning speech. The voice of the “lady” is particularly irritating, but it is safe to do so, as it is not going to infect your ears (although we did not go as far as testing for the presence of subliminal messages).
In a nutshell, it asks you to leave your name, number and email address if you want to magically wipe out your credit card debts. The message goes as far as demanding ALL contact phone numbers, stating that they cannot help consumers without a phone number and that emails will not be returned. If a number is left, we can safely assume that the consumer will receive a call back asking for more financial details, potentially to avoid any email tracing.
This scam is particularly obnoxious in that it targets people with significant debts, who are hence sometimes already in despair and most likely to make this sort of call.
In the future, it may become a necessity to blacklist such VoIP boxes at the gateway level, as we do with phishing sites.