
The State of Malware Today - November 2007



This month's highlights:

November, by the numbers


Top 10 threats caught by Fortinet's FortiGate security appliances in November 2007. Entries marked with * were not in October's top ten (TCent and Bdsearch enter for the first time; Stration.JQ returns after dropping out in June):

Rank  Malware                      Percentage

 1    W32/Netsky!similar               10.87
 2    HTML/Iframe_CID!exploit           8.21
 3    HTML/Clicker.AC!tr                6.60
 4    W32/ANI07.A!exploit               5.14
 5    W32/Stration.JQ@mm *              3.11
 6    W32/MyTob.CJ@mm                   2.42
 7    W32/Bagle.DY@mm                   2.25
 8    W32/Grew.A!worm                   2.09
 9    Adware/TCent *                    1.86
10    Adware/Bdsearch *                 1.71

November brought some new faces to the bottom of our top ten, while one old name re-emerged and the familiar mass mailers continued to hold steady:
  • "Ad-tension": the adware TCent and Bdsearch reach our top ten for the first time, while the pop-up-blocker-bypassing trojan Clicker.AC has strengthened since October
  • Stration.JQ bursts back onto the scene as November closes, having been absent from our top ten since June
  • The Netsky, MyTob and Bagle mass mailers keep pace and remain a strong threat, as discussed in last month's malware report

Enter holiday season 2007


During November we saw an increase in malicious online advertising, not only through the adware TCent and Bdsearch but through Clicker.AC as well, just in time for the holidays. Malware creators try to distribute their work as effectively as possible, and security mechanisms exist to stop them: the volume of unwanted pop-up advertisements that bombard users as they surf prompted browser makers (and security vendors) to build pop-up blocking into their products so that such windows are never displayed. Clicker.AC carries code specifically designed to bypass that pop-up blocking, one of the latest signs of the blending of malware and grayware. A pop-up ad appearing on a machine with pop-up blocking enabled should therefore be an immediate red flag for the user. Fortinet anti-virus detects and blocks Clicker.AC before it can attempt any of its pop-up blocker bypass techniques.

Because of its sheer volume, Clicker.AC showed much sharper fluctuations in activity through November than the adware TCent and Bdsearch did. This most likely reflects a more determined effort to push Clicker.AC because of its market value: once it has slipped past the pop-up blocker, it can display whatever advertising its operators wish. Clicker.AC and Netsky also show clear drops in activity at weekends as corporate machines are shut down (the valleys between the peaks in Figure 1); the same pattern is present, less dramatically, in other threats.

Figure 1: November shows adware on the run while Stration.JQ bursts at month's end



Figure 2: Clicker.AC's code documents its own malicious intent


With adware rising through our top ten in November, we expect such efforts to continue as we enter the even busier commerce window of December. Also apparent, notably in the sharp escalation towards the end of November, is Stration.JQ. The mass mailer Stration has been around for a while, making headlines in 2006. It had been lying low since it dropped off the bottom of our top ten in June this year, and is now back in full swing as the holiday season begins, using yet another social engineering scheme. Its creators are clearly confident in this plan and are making a solid effort to seed Stration.JQ. The mails sent by Stration have three components. The first (see Figure 3 below) is the email body itself: a short social engineering blurb informing the user that instructions for personal account access and authorization have been sent, and that the accompanying module (attached as an executable file) should be saved on the computer for the user's records.


Figure 3: Stration.JQ attached as access.exe, complemented by a social engineering text and PDF document


The email relies on the user's curiosity and exploits it through the second component, the file attachment, which is supposedly an access module but is in fact Stration.JQ in disguise. As a front to support the claim that the mail comes from Bank Trust Corp, a PDF document is attached as the third component. Its contents appear to be random financial figures relating to an invoice, a fee analysis and the like. Figure 4 below shows one such sample in the form of an invoice:


Figure 4: Stration's attached PDF with random financial figures intended to enhance the legitimacy of the mass mail


With a moment's thought, of course, one would deem the mail suspicious, especially given the mailing address of "XYZ Consulting". Nevertheless, a quick glance will entice most users to check out the "authorization module", attached in this case as access.exe, on the assumption that a simple look would not hurt. Unfortunately it does: any user who opens the "authorization module" turns his or her computer over to Stration.
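The three components described above (a short "account access" blurb in the body, an executable "module", and a decoy PDF) are exactly the indicators a mail gateway can check for. The script below is an added example, not Fortinet's detection logic or anything from the FortiGate product: it builds a constructed lure message in the same shape (the sender address, subject and body wording are assumptions, not the real Stration.JQ text), then scans it for executable attachments, executables disguised under a document extension (checked by the "MZ" PE header rather than the file name), decoy documents and lure phrases.

```python
"""Flag Stration-style lure mails: executable "module" + decoy document + short
social-engineering body.  Added example; the message is constructed, not a capture."""
import email
import re
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute directly when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
DOCUMENT_EXTS = {".pdf", ".doc", ".xls", ".rtf"}
# Every PE file starts with the "MZ" DOS header, whatever it is called.
PE_MAGIC = b"MZ"

# Phrases typical of "access / authorization module" lures (assumed list).
LURE_PHRASES = [
    r"\bauthorization\b",
    r"\baccess module\b",
    r"\bsave the attached\b",
    r"\bpersonal account\b",
]


def build_sample_message(exe_name: str = "access.exe") -> bytes:
    """Construct a lure resembling the one described in the text (not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "Bank Trust Corp <support@banktrust.example>"  # assumed address
    msg["To"] = "victim@corp.example"                             # assumed address
    msg["Subject"] = "Your personal account access instructions"  # assumed subject
    msg.set_content(
        "Instructions for personal account access and authorization were sent.\n"
        "Please save the attached access module on your computer for your records."
    )
    # Decoy PDF: a minimal header is enough for the example.
    msg.add_attachment(b"%PDF-1.4\n% invoice, fee analysis ...\n",
                       maintype="application", subtype="pdf", filename="invoice.pdf")
    # The "module": a fake PE stub (MZ header plus filler), not real malware.
    msg.add_attachment(PE_MAGIC + b"\x00" * 62,
                       maintype="application", subtype="octet-stream", filename=exe_name)
    return msg.as_bytes()


def analyze_message(raw: bytes) -> dict:
    """Return the lure indicators found in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"executables": [], "disguised_executables": [],
                "decoy_documents": [], "lure_phrases": []}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in EXECUTABLE_EXTS:
            findings["executables"].append(name)
        elif data.startswith(PE_MAGIC):
            # e.g. "statement.pdf" whose bytes are really a PE file
            findings["disguised_executables"].append(name)
        elif ext in DOCUMENT_EXTS:
            findings["decoy_documents"].append(name)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for pat in LURE_PHRASES:
        if re.search(pat, text, re.IGNORECASE):
            findings["lure_phrases"].append(pat)
    return findings


def is_stration_style_lure(findings: dict) -> bool:
    """Executable (plain or disguised) plus persuasive body text: quarantine."""
    has_exe = bool(findings["executables"] or findings["disguised_executables"])
    return has_exe and len(findings["lure_phrases"]) >= 2


if __name__ == "__main__":
    result = analyze_message(build_sample_message())
    print(result)
    print("quarantine:", is_stration_style_lure(result))
```

The PE-header check is what matters in practice: a gateway that only matches the file extension is defeated the moment the attacker renames access.exe to something that looks like the decoy document, so the content test runs regardless of the name.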

With this in mind, it is essential that users be on full guard for all avenues of attack and fraud, especially social engineering schemes, as we enter what is for many the biggest holiday season of the year. Since its inception in January, when a heavy seeding campaign was blended with mass mail touting headlines about storms in Europe (see our January malware report), the Storm botnet has built up a stronghold of zombie PCs and continues to evolve. New tricks keep appearing, but they still rely on the same device of popular, genuine events to rouse users' interest. The Storm gang demonstrated this again on Halloween with their "dancing skeleton" spam: mails themed around the holiday and carrying links to a malicious website, a legitimate event used to cloak malicious intent. This will most likely happen again, in one form or another, as the busy holiday season gets under way. It also seems that with this latest push of Stration, the gang behind it refuses to lay down their arms to the Storm worm.

'Tis the season to be wary



Cue the music and prepare to deck the firewalls with rules of caution. As November ends we are ramping up for December, which should prove an active month. Stores across the globe have already begun to line their shelves with holiday wares to kick-start the season, and the same mentality carries over online. Trigger-happy fingers will certainly be on the rise this year as people flock to the cyber markets, more than likely in record volumes, and Fortinet security research engineer Derek Manky suspects the same fingers will be just as ready to click on unsolicited emails crafted to intrigue unsuspecting end users.

The serious damage these attacks can cause needs to be emphasized, and sadly it usually is not until it happens to an individual, or worse, a corporation. This was demonstrated recently in September, when a customer database at Salesforce.com was compromised, all because a single employee fell for a targeted phish aimed at the company. The transition from this reactive understanding to a proactive one can be smooth and painless: by understanding the implications of these attacks, and so staying aware and alert while online, users (and ultimately corporations) will significantly reduce their risk. Once this becomes commonplace, it will not take long for the primitive phase of social engineering defence to mature.

Adding more safeguards such as OS and browser security patches, anti-virus, anti-spam and web filtering (or better yet, deploying a UTM system) will further mitigate threats and is essential to users' security. This closes doors to cyber criminals and narrows the attack avenues, leaving end users to be educated on the newer, more sophisticated attacks that are emerging. More effort is being made to make malicious sources appear trustworthy. In the past this was done by hacking legitimate sites to host malicious code. In November, many trusted (and high-traffic) sites were found to be "hosting" Flash advertisements injected with encrypted redirects that forced users to other sites once the ad was displayed. In fact it was DoubleClick's DART advertising program (used by many of these sites) that malware creators targeted, which led to the content being served from many legitimate sites. DoubleClick is currently working on a filtering system to prevent this in future. This further emphasizes the need for threat awareness, not only for end users but also for corporations and their affiliates.