Top 10 threats caught by Fortinet's FortiGate security appliances in October 2007. Entries marked (new) are new to the Top 10 this month:

Rank  Malware                        Percentage
  1   HTML/Iframe_CID!exploit             7.83
  2   W32/Netsky!similar                  6.07
  3   Adware/CashOn (new)                 6.01
  4   W32/Netsky.P@mm                     5.54
  5   HTML/Clicker.AC!tr (new)            4.58
  6   W32/ANI07.A!exploit                 4.30
  7   HTML/Obscured!exploit               3.88
  8   W32/Bagle.DY@mm                     3.78
  9   W32/Grew.A!worm                     2.99
 10   W32/MyTob.CJ@mm (new)               2.74
During the month of October, we've seen some new faces appear in the top ten, creating more activity than during the month of September, which had shown little fluctuation. Regarding the three new entries, there are a few observations to be made:
- CashOn claims a narrow third place, remaining prevalent with, once again, 99.70% of its activity sourced from Korea
- MyTob.CJ (also known as MyDoom) surges past fifty-four seedy candidates, surfacing in tenth position, up from last month's sixty-fifth spot due to an eight-fold volume increase from September
- Clicker.AC joins our top ten in fifth position, doubling in volume from last month with high spikes of activity towards the end of October
- Netsky.P still on the radar: Netsky.P and Netsky!similar (inclusive of Netsky.P detection) combined account for the highest volume this month, representing 11.61% of reported activity
- Attack vectors remain open for business: Iframe_CID, ANI07.A, and Obscured exploits are stirred, part of our top ten for the third month in a row
Perhaps in a twisted Halloween spirit, the guys wearing black hats seem to want to hog all the goodies for themselves - a scary proposition considering the success they seem to be enjoying. There was a lot of activity on the mass mailing front this month in comparison to last month, with higher activity from Netsky shown through Netsky.P and Netsky!similar in our top ten. Bagle.DY remained unshaken and steady, holding its eighth position. The Netsky!similar generic detection is inclusive of Netsky.P, and most volume reported this month for Netsky!similar is indeed that of Netsky.P. The accumulated volume of Netsky represented by these two has increased by 17.03% in comparison to last month's, while Bagle.DY was on the uprise with an additional 13.46% reported volume this month. As if an increase of these mailers were not enough, the MyTob.CJ variant made a significant splash, exhibiting over eight times the activity it had in September, ending October on a high note after mild activity during the middle of the month as shown below in Figure 1.

Figure 1: Mass mailer activity for the month of October 2007
By establishing a top ten position and surpassing Bagle.DY in some periods, the MyTob.CJ variant was clearly added as a third major mass mailing source this month. Currently on the uprise, it looks like MyTob.CJ will remain in strong position along with Netsky.P and Bagle.DY as we enter November. As can be observed in Figure 1, almost half way through the month there was an inverse effect between Netsky.P and Netsky!similar. As previously stated, this is simply due to the fact that Netsky!similar is inclusive of Netsky.P variants and should be regarded as such. Collectively, they both dominate Figure 1's skyline (see W32/Netsky.P (Accumulated)). In June this year, we discussed the trend of mass mailers diminishing each month throughout 2007. The harsh reality is that even though we are seeing a general decrease of these mailers, they still account for a large portion of our top ten and remain prevalent with monthly activity. Furthermore, there are always windows of high risk opening when spikes of distribution occur, as demonstrated this month with MyTob.CJ.
After discussing the impact of mass mailing this month, let's now look at the exploits, which have remained in our top ten for the last three months. As with the previously discussed mass mailers, there are three exploits which have been making waves. While Iframe_CID has been dominant in the wild for years, and ANI07.A for several months, Obscured is relatively new to the scene. It is in the last three months that these three have consistently appeared on our radar.
The exposure of exploits such as Iframe_CID will expand with time. In turn, antivirus firms have more time to analyze the "tools of the trade", so to speak, and provide adequate detection for the exploit. Vendors will usually issue a security patch for the product that the exploit targets within a short timeframe; however, it will take a while to propagate that patch to the wide end-user audience, all interconnected through the Internet. Many new PCs are being bought by end-users, who get connected in a plug-and-play fashion to the Internet. Those PCs may be instantly compromised if proper antivirus definitions are not applied immediately. It is after this timeframe, when adequate detection exists on many machines with antivirus support (shipped with stock definitions that provide these detections), and service packs / security patches have been globally spread, that the shelf life heads towards expiration. Thus, virus writers will throw the aged exploit off of their shelf of malware in favor of newer exploit flavours. These exploits differ from a virus, which can be distributed in many shapes and disguises, using new evasion techniques that allow it to obtain a longer, if not eternal, life. Due to this limiting factor, the value of these exploits on the cybercrime market is no doubt high.
So, how long is the shelf life of one of these exploits? There are many factors which determine this, as previously mentioned; any change in these factors could extend or reduce this shelf life. We will use the popular Iframe_CID as an example, which in these statistics refers to a single virus utilizing the Iframe exploit and not the Iframe exploit as a whole. The Fortinet Global Security Research Team statistics show first recorded activity of such malware in August of 2005. The highest activity level ever observed was just one month after, in September of 2005. At the end of last month, activity was at only 22.89% of its highest volume recorded two years ago, and at even lower levels this October as it keeps diminishing. Actually, using this example, there is a steady decline in activity nearly every month since September of 2005 (a portion of this, the 2007 annum, may be seen in Figure 2 below). Given the figures observed in that timeframe, in another half a year it should be reduced to insignificant activity. Interestingly, as exhibited in Figure 2, you can see that as the emerging exploits rise, the once dominant exploit plummets. Not only is this an indication of an aging exploit, it also portrays the act of malware writers tossing out the rotting exploit and utilizing the fresh ones. Thus, we can say that the shelf life of this particular example was about two years: not a concrete number by any means, but a generalization from this example. Even though this example leads our top ten in terms of volume, the new exploits shown below in Figure 2 are being favored, exhibiting growth and being used more frequently as they look to overtake the aging one quite soon. It suffices to say that this does not mean the exploit is no longer a threat: the threat still actively exists, as clearly indicated, and must be secured against by all possible means.

Figure 2: Exploit activity by month for the year of 2007 to the end of last month
As shown in Figure 2, Obscured is the freshest out of the three in terms of shelf life and is showing a sharp rise in activity; this was outlined in last month's report as well. We may not see it or ANI07.A reach volume as high as Iframe_CID in its prime, although we will most likely see it surpass ANI07.A as it ages.
Many people are digging deep to uncover new exploits to flip for profit, financially motivated by cybercriminals, who will shell out serious cash. With more motivation to discover attack vectors, we are witnessing the rise of new exploits - we also continue to experience threatening activity from the mass mailing department, cautioned Fortinet security research engineer Derek Manky. The best treat any user can reward themselves with, especially in this Halloween season, is to heed this caveat by only viewing emails and opening links/attachments with a whitelist mentality - that is ones which are expected and deemed to be trusted after a bit of thought. Also, they can reduce the risk of being compromised through the aforementioned exploits by ensuring they have applied all of the latest operating system, browser, and application security updates. Finally, they should have antivirus scanning in place as an essential safeguard to mitigate these threats.
When confronted with a Social Networking Site Worm (aka Phisher Worm), whose intent is clearly to harvest as many social networking site (such as MySpace) accounts as possible, some users are left wondering: "But what is the freaking point?" As a matter of fact, while the information sitting in the hidden parts of MySpace accounts (for example, in the Inbox) may sometimes be of some use to industrial spies, blackmailers or child predators, most of the time the underlying goal is simply to make money by spraying spam over social networking sites, a strategy that could fairly be buzzified "Spam 2.0". This was demonstrated a while ago by Fortinet's Global Security Research Team in a post titled "Spam Moves to MySpace", and the economics behind it were addressed by Guillaume Lovet in his presentation at the VirusBulletin conference 2007 in Vienna. Here is an excerpt of the paper, presenting an economic simulation of the Spam 2.0 business model:
For a business-minded cybercriminal, what is the point gathering thousands of myspace account credentials?
Actually, spam emails have become so common in our mailboxes that their click-through rate fell down to unimpressive values, sometimes as low as 1 click out of 100,000 e-mails sent; spammers therefore tend to look for new spam supports.
Enter MySpace, with more than 106 million accounts (as of September 2006), each account bearing a "comments" section. Comments are messages left by "friends" (i.e. people who either requested or approved friendship with you). Each comment is directly displayed on the recipient’s main page and can be seen by all visitors browsing the profile (unless comment approval is requested).
MySpace comments are therefore an appealing new medium for spammers. However, spamming MySpace accounts is way more difficult than spamming mailboxes:
- One must be someone’s friend to send him/her a message, involving manual steps to build a friend network;
- Each comment can be tracked back in case of abuse, resulting in banning.
Therefore, the most straightforward way to spray spam all over MySpace is.... to steal existing accounts (or hijack active user sessions) and post on behalf of the impersonated users.
Figure 3 below shows an ad posted by a "friend" of this account, posing as a legitimate comment and enticing the reader to "click here" - which of course, in this case, gets redirected to an adult site (third comment):

Figure 3: The third comment is a spam
A closer look at the spam-ish comment, on Figure 4 below, reveals that it makes heavy use of social engineering:
- Note how the message mimics the actual MySpace layout: a catchy picture plus the "online now" indicator right below (meaning there is someone behind the screen). This indicator is a copy of MySpace’s one (which normally sits below the sender’s image, on the left of the comment).
- Please delight yourself with the cunning comment. Social engineering artists have long understood that lust and vanity are very exploitable human flaws... This is a perfect demonstration.

Figure 4: Social Engineering, advanced course
Now, whenever someone clicks on that link, the spammer gets rewarded by the adult site. Depending on the affiliate program, the rates per click vary significantly, but if we consider that $0.01 per click is the minimum possible rate on most programs, and that certain Google AdWords cost up to $80 per click to advertisers [1], it is reasonable to assume a rate of $0.05 per click for your average porn site, although some adult-related affiliate programs generally advertise higher rates. As a side note, business-wise, it makes sense for a site to spend $0.10 per click if its conversion ratio (i.e. the percentage of visitors actually buying something) is 1% and its average profit per buy is $30.
As an example, let us consider a spammer who, thanks to a Social Worm, silently "owns" a mere 6,000 accounts. It is generally accepted that on average, users have about 75 friends on social networking sites (that is to say, an owned account can post comments similar to the spam depicted on Figure 4 to 75 accounts) [2]. However, since friend lists may overlap, let us assume that this pool of 6,000 accounts allows the spammer to reach 60,000 individual accounts. MySpace having close to 1.5 billion page views per day [3] and probably about 50 million active users [4], the average number of page views per account per day is 30.
Thus:
- The 60,000 ads posted will be viewed 1,800,000 times, daily
- Assuming a click-through rate of 5% (that is to say out of 100 persons viewing the page, 5 will click on the spam comment - which is probably far under reality, given the particularly refined social engineering speech and the profile of MySpace surfers), this leads us to 90,000 daily clicks
- 90,000 daily clicks means a raw profit of $4,500, daily, assuming a rather low reward of $0.05 per click
- This corresponds to $135,000, monthly
As a matter of course, this quantification is debatable: how many individual accounts can be spammed from a given number of stolen accounts is unclear, due to friend-list overlap. So is the click-through rate sustainability over time, which widely depends on how fast each page's individual viewers are renewed (i.e., among the 30 daily page views, how many of them haven't seen the ad during a previous visit already); moreover the number of page views includes viewing other sections than the front page (e.g. the pictures section), etc. Still, this gives a good idea of the amplitude and profitability such business models can reach, especially with a higher number of stolen accounts (6,000 being relatively small, after all).
[1] http://www.cwire.org/highest-paying-search-terms/
[2] Harris Interactive poll: "Friendship in the Age of Social Networking Websites"
[3] http://www.comscore.com/press/release.asp?press=1145
[4] http://forevergeek.com/articles/debunking_the_myspace_myth_of_100_millio...