The State of Malware Today - August 2005

Fortinet Reviews Malicious Code Activity During August 2005

This month's highlights:


August, by the numbers:

Top 10 threats caught by Fortinet's FortiGate security appliances in August 2005:

1 W32/Netsky.P-mm 13%
2 W32/MyTob.EK-mm 3%
3 W32/Zafi.B-mm 3%
4 W32/Zafi.D-mm 3%
5 HTML/Ebay-phish 2%
6 W32/MyTob.fam-mm 2%
7 Possible_MyTob.G 2%
8 Possible_Netsky.P 2%
9 W32/Mitglieder.CD.gen-tr 2%
10 Adware/180Solutions 2%

Top 10 countries reporting infections in August 2005:

1 United States of America 17%
2 Korea, Republic of 9%
3 Taiwan, Province of China 8%
4 Chile 6%
5 China 6%
6 Mexico 5%
7 Japan 4%
8 India 4%
9 Thailand 3%
10 Italy 3%


Zotob/MS05-039 flaw - the most significant threat in August

The big hit for this month is obviously Zotob, which, with his fellow worms (Bozori, IRCBot, RBot, Lebreat) exploiting since August 14th the now famous Microsoft PnP MS05-039 flaw, spread all over the news faster than over the Internet itself. Indeed, their aggregated prevalence has never really got over 1% of the global virus activity, because of two major mitigating factors in MS05-039:

  1. It only affects Windows 2000 unpatched machines. Last week Microsoft announced there is a similar flaw in Windows XP too, whereby worms are likely going to exploit Windows XP as well in the near future. However, this Windows XP exploit is not yet confirmed.
  2. The PnP service goes through port 445. Since this port is used for "network neighborhood" connections, it is typically firewalled on the gateway of corporate networks and Internet Service Providers (ISPs).

According to Fortinet Threat Response Team Leader - France, Guillaume Lovet, "Zotob spread all over the news faster than over the Internet itself, and two facts helped hype the buzz. First of all, Zotob infected the media networks of CNN, ABC and the New York Times. Seemingly, it could have got in by plugging laptops into these networks, hence bypassing firewalls and infecting unprotected Windows 2000 boxes from the inside."

Lovet continued, "Secondly, the exploit-oriented nature of Zotob's propagation, which does not require any user interaction, and the fact it appeared "in the wild" less than a week after Microsoft released a patch for the PnP vulnerability, tremendously reminded us of the MsBlaster (Aug 2003) and Sasser (Apr 2004) threats, which caused a reasonable amount of havoc in their time."

Fortinet's Threat Research team noted a true evolution in the motives of authors behind the three infamous mass-mailing worms:

  1. MsBlaster was merely a subtle hint ( "bill gates, stop making money and fix your software" ) paired with a grandiose love poem ("Love you San")
  2. Sasser's writer admitted he created this worm to generate some work for his mother, who worked at a computer security firm
  3. Zotob embeds a bot similar to the one in MyTob, clearly aimed at generating profit, through the rental of the Botnet created for criminal activities (spamming, hosting illegal content, performing ddos...)

Some versions of the Bozori and IRCBot mass-mailing worms attempted to kill Zotob, which is reminiscent of last year's "Virus War" involving Netsky, MyDoom, and Bagle.

Finally, two suspected authors of Zotob and Mytob worms were arrested last week by Moroccan and Turkish authorities.

More information can be found within Fortinet's related advisory: Zotob Advisory


Zero Day Exploit - Msdds.dll

On Aug 17th, FrSIRT released a zero day exploit affecting Microsoft's COM object in Msdds.dll, which potentially leads to a full compromise of victims' computers. Although there are mitigating factors (not all configurations are vulnerable), Fortinet's Threat Response team believes that some worms might resort to this flaw to propagate. More information can be found within Fortinet's related advisory: Msdds Advisory


Web Controlled Botnet - W32/Dumador.DH-tr

Early this month, Fortinet's Threat Response team spotted what seemed to be a typical spyware program with keylogging abilities. Upon analysis, it appeared that this malware was not only a reasonably featured Trojan, but also a spam relay in which instances were organized in a botnet, controlled through a simple and publicly available Web interface. This user-friendly interface would allow anyone knowing its location to perform various actions on all the infected computers at once, which are constantly polling the Web server for a command sequence file.

According to Fortinet Threat Response Team Leader - France, Guillaume Lovet, "The botnet concept is not new, however the ease of use provided by the Web interface with W32/Dumador.DH-tr is somewhat scary. This 'all HTTP' system also has a tremendous advantage over IRC based botnets because while IRC ports are usually firewalled, which prevents bots to "phone home", the HTTP traffic goes through in most cases. In Dumador's case, remote control is still possible even when a 'cache' proxy is enforcing HTTP traffic only out of the corporate network."

If you're feeling brave, you can view some images of the botnet's web interface here, here and here.


eBay mimic - rise of the phish continues

Among our top regular threats HTML/Ebay-phish, the phishing threat that mimics eBay's Website, rose to the 5th most prevalent threat caught this month. Because of HTML/Ebay-phish, phishing attempts reached 3% of total fraudulent and virus-related activity - an unprecedented score.

Detected since July 2005, emails that include HTML/Ebay-phish usually urge users to log into eBay's site, to either confirm or update their profile (e.g. deleting inactive accounts, maintenance, etc.). The links point to a fake "eBay login" Web page hosted on a rogue server which collects the stolen credentials. Since the malicious page perfectly mimics the real one on www.ebay.com, unaware users might not notice the fishy URL in their browser's address bar, and disclose their login/password info.


User protection against Zotob and other evolving threats

In light of the Zotob mass-mailing worm, where the malware was brought in by infected laptops, deploying antivirus/firewall technology at the network edge is not always sufficient. Network security appliances paired with user education, consistent update policies and desktop antivirus software is nowadays mandatory to avoid being trapped by mobile vectors of intrusion (laptops, USB keys, PDAs etc.)

Fortinet's Manager of Antivirus Research Nick Bilogorskiy advises, "To be safe from the emerging lightning-fast network worms, spreading quicker than antivirus patterns are distributed, networks also require proactive methods of threat protection - such as behavioral analysis or well-honed heuristics. Only such methods allow for blocking of new undetected threats, truly providing zero-day protection."


About Fortinet (www.fortinet.com)

Fortinet is the confirmed leader of the Unified Threat Management market. The company's award-winning FortiGateā„¢ series of ASIC-accelerated multi-threat security systems, winner of the 2004 Security Product of the Year Award from Network Computing Magazine and the 2003 Networking Industry Awards Firewall Product of the Year, are the new generation of real-time network protection systems. They detect and eliminate the most damaging, content-based threats from e-mail and Web traffic such as viruses, worms, intrusions, inappropriate Web content and more in real time - without degrading network performance. FortiGate systems are the only security products that are certified five times over by the ICSA (antivirus, firewall, IPSec, SSL, NIDS), and deliver a full range of network-level and application-level services in integrated, easily managed platforms. Named to the Red Herring Top 100 Private Companies, Fortinet is privately held and based in Sunnyvale, California.