Fortinet Reviews Malicious Code Activity In August 2006

This month, the Fortinet Research team uncovers new threats and dissects cybercrooks' intentions, delivering insights on the freshest scams around.

This month's highlights:

August, by the numbers: Top 10 threats caught by Fortinet's FortiGate security appliances in August 2006:
Virus-wise, August has not been a busy month: global virus activity fell to remarkable levels of quietness, continuing July's trend. Symptomatically, throughout August the number of "hot" updates (i.e. detection patterns that cannot wait for the regular daily update to be released) pushed by Fortinet's Threat Response Team could be counted on the fingers of one hand, whereas May and June saw hot-update rates approaching one per day on average. The constant reduction in the number of big outbreaks (due to virus writers' ever-growing will to stay low under the radar), which we have been noticing for more than a year, cannot account for such a difference. This leads us to the following conclusions:

1. It seems that malware authors are on vacation right now, and they did not bring their laptops to the beach along with their swimsuits.
2. Malware authors are mostly located in the northern hemisphere (those in the southern hemisphere are not on vacation, and should they go to the beach in swimsuits, they'd end up frozen).

A closer look at the global malware activity allows us to highlight another typical summer-like figure:
W32/Netsky.P@mm
+--------+--------+--------+
| Month  | Rank   | %      |
+--------+--------+--------+
| May    | 1      | 11.13  |
| June   | 1      | 11.53  |
| July   | 1      | 10.42  |
| August | 3      | 7.56   |
+--------+--------+--------+

W32/Grew.A!worm
+--------+--------+--------+
| Month  | Rank   | %      |
+--------+--------+--------+
| May    | 3      | 9.15   |
| June   | 4      | 8.18   |
| July   | 4      | 6.32   |
| August | 6      | 5.01   |
+--------+--------+--------+

W32/Bagle.DY@mm
+--------+--------+--------+
| Month  | Rank   | %      |
+--------+--------+--------+
| May    | 4      | 8.97   |
| June   | 3      | 9.08   |
| July   | 3      | 6.92   |
| August | 5      | 6.08   |
+--------+--------+--------+
The activity of historic worms that no longer cause outbreaks (also called worm remanence) goes down during summer. Why? People with outdated, infected machines, which are responsible for most of this activity, go to the beach too, and turn off their computers.

For a while, spammers have been facing a dilemma: for a spam campaign to succeed, bulk emails must be sent in tremendously high volumes, but the more often an email is sent, the more likely it is to be "learned" by cognitive antispam filters. To solve the problem, spammers are appending "hidden", randomly generated sentences to their bulk material, in an attempt to make spam emails always look the same to users and different from one another to spam filters (hence defeating the learning process of cognitive filters), according to Julien Lemaitre, virus analyst at Fortinet. There are various ways to make the trailing "anti-antispam" text invisible, but one of the most popular currently seems to be the "white on white" strategy: spam emails are sent in HTML format, the background is set to white, and the trailing text is set to white as well. The trailing garbage can easily be observed by highlighting it with the mouse, as shown below:
Highlighting the white text at the bottom displays the trailing anti-antispam load:
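The "white on white" trick can be checked for mechanically rather than by highlighting with the mouse. The following is an added example (not Fortinet's filter code): it walks an HTML body, keeps track of the foreground and background colour in effect for each text run, and reports runs whose foreground equals the background. It assumes a white default page background (as in most mail clients) and the sample messages are constructed for this example; the excerpt used as "salt" is a public-domain passage standing in for the book excerpts the report mentions.

```python
"""Detect 'white on white' hidden text in an HTML e-mail body.

Added example, not Fortinet code. Assumption: the client's default
background is white. Sample messages are constructed.
"""
import re
from html.parser import HTMLParser

# minimal colour normalisation: names, #rgb, #rrggbb and rgb(r,g,b)
NAMED = {"white": "#ffffff", "black": "#000000"}
VOID_TAGS = {"br", "hr", "img", "meta", "link", "input"}


def norm_colour(value):
    """Map the common spellings of a colour onto #rrggbb (None if unset)."""
    if not value:
        return None
    c = value.strip().lower().replace(" ", "")
    c = NAMED.get(c, c)
    m = re.fullmatch(r"rgb\((\d+),(\d+),(\d+)\)", c)
    if m:
        return "#%02x%02x%02x" % tuple(min(255, int(x)) for x in m.groups())
    if re.fullmatch(r"#[0-9a-f]{3}", c):
        return "#" + "".join(ch * 2 for ch in c[1:])
    return c


def style_prop(style, prop):
    """Pull one property out of an inline style attribute, e.g. color:#fff."""
    if not style:
        return None
    m = re.search(r"(?:^|;)\s*" + prop + r"\s*:\s*([^;]+)", style, re.I)
    return m.group(1).strip() if m else None


class HiddenTextFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        # stack of (tag, foreground, background); root assumes a white page
        self.stack = [("", None, "white")]
        self.visible = []
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        _, fg, bg = self.stack[-1]
        style = a.get("style") or ""
        # <font color>, <body bgcolor> and inline CSS can all change colours
        fg = a.get("color") or style_prop(style, "color") or fg
        bg = (a.get("bgcolor") or style_prop(style, "background-color")
              or style_prop(style, "background") or bg)
        if tag not in VOID_TAGS:
            self.stack.append((tag, fg, bg))

    def handle_endtag(self, tag):
        # pop back to the matching open tag; tolerates unclosed inner tags
        for i in range(len(self.stack) - 1, 0, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                return

    def handle_data(self, data):
        text = data.strip()
        if not text:
            return
        _, fg, bg = self.stack[-1]
        fg, bg = norm_colour(fg), norm_colour(bg)
        (self.hidden if fg is not None and fg == bg else self.visible).append(text)


def find_hidden_text(html):
    """Return (visible_runs, hidden_runs) for an HTML body."""
    p = HiddenTextFinder()
    p.feed(html)
    p.close()
    return p.visible, p.hidden


def looks_salted(html, min_hidden_words=20):
    """True when enough invisible words are present to suggest filter salting."""
    _, hidden = find_hidden_text(html)
    return sum(len(run.split()) for run in hidden) >= min_hidden_words


# constructed sample: a visible pitch, then a public-domain excerpt in white on white
SALTED_SPAM = """<html><body bgcolor="white">
<p>Limited offer, reply today!</p>
<p><font color="white">It was the best of times, it was the worst of times,
it was the age of wisdom, it was the age of foolishness, it was the epoch of
belief, it was the epoch of incredulity, it was the season of Light, it was
the season of Darkness.</font></p>
</body></html>"""

# constructed sample: white text on a dark banner is legitimately visible
NEWSLETTER = """<html><body>
<div style="background-color:#336699"><span style="color:#fff">Monthly update</span></div>
<p>Release notes are attached.</p>
</body></html>"""

if __name__ == "__main__":
    for name, body in (("salted spam", SALTED_SPAM), ("newsletter", NEWSLETTER)):
        visible, hidden = find_hidden_text(body)
        print(name, "visible:", visible, "hidden:", hidden, "salted:", looks_salted(body))
```

The word threshold in `looks_salted` is a tuning knob: a signature in a corporate colour on a matching banner can legitimately produce a few "hidden" words, whereas a paragraph-sized run of invisible text has no honest use in a commercial mailing.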
It has to be noted that spammers not only infringe laws and ethics about unsolicited commercial emails, but possibly some copyrights as well, since the trailing text is often made of book excerpts, according to Guillaume Lovet, Fortinet's threat intelligence and response team leader for EMEA. As a matter of fact, this strategy is not quite new, but this month it ramped up to unprecedented proportions: since June, the volume of emails using this strategy (whether for phishing or spamming purposes) caught by our appliances has more than doubled; if those were to be included in the malware top ten, they would top it hands down, totaling 23 percent of the global activity.

While mom and dad are away on summer vacation, it seems they've left little junior at home with the password to the computer. This month we saw a resurgence of old-school mass-mailing activity that some might say comes from young, novice hackers. Yet while its heritage is simple and understated, it is sadly still very effective. According to Bryan Lu, virus researcher for Fortinet, end users are falling prey to email attacks using the basic statement "Mail transaction failed." The subject merely reads "Status." Some might say, "curiosity is the last layer of defense that keeps a computer user from getting infected." Corporate users, especially, are falling victim to mass mailings claiming failed delivery, because of the urgency of production and customer service matters. The graph below shows how one company dealt with W32/Stration.C@mm when one user became interested in opening the attachment of a similar-looking undelivered email:
W32/Stration.C@mm is a level two mass-mailer virus that downloads a Trojan detected as W32/Agent.WC!tr. This same Trojan is used by another variant of Stration, W32/Stration.I@mm. A second company detected 1,800 strains of this latest variant. Fifty percent of these emails were opened and executed, thus downloading the Trojan.
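A mail gateway can separate this lure from a genuine bounce without any signature for the attachment. The following is an added example, not Fortinet's detection logic: it scores a raw message on the indicators the report names (the one-word subject "Status", the sentence "Mail transaction failed", and an attachment the reader is expected to open) and subtracts points when the message has the structure a real mail server uses for a delivery status notification (multipart/report with a message/delivery-status part, per RFC 3462). The list of risky attachment extensions and the score threshold are assumptions of this example, and both sample messages are constructed.

```python
"""Score an inbound message as a fake 'delivery failure' lure.

Added example, not Fortinet's detection logic. RISKY_EXTENSIONS and the
threshold are assumptions; the sample messages are constructed.
"""
import email
from email import policy
from email.message import EmailMessage

LURE_SUBJECTS = {"status"}
LURE_PHRASES = ("mail transaction failed",)
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".zip")  # assumption


def fake_bounce_score(raw):
    """Return (score, reasons); higher means more likely a mass-mailer lure."""
    msg = email.message_from_string(raw, policy=policy.default)
    score, reasons = 0, []

    subject = (msg.get("Subject") or "").strip().lower()
    if subject in LURE_SUBJECTS:
        score += 1
        reasons.append("one-word generic subject")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    if any(p in text for p in LURE_PHRASES):
        score += 1
        reasons.append("bounce wording in body")

    # a genuine DSN is multipart/report carrying a message/delivery-status part;
    # a user-facing lure rarely bothers to imitate that structure
    if msg.get_content_type() == "multipart/report":
        score -= 2
        reasons.append("genuine DSN structure")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_maintype() == "application" or name.endswith(RISKY_EXTENSIONS):
            score += 2
            reasons.append("runnable attachment %r" % name)
    return score, reasons


def is_fake_bounce(raw, threshold=3):
    """Verdict helper; the threshold is a tuning assumption."""
    return fake_bounce_score(raw)[0] >= threshold


def _constructed_lure():
    # constructed: the shape of the mailing described in the report
    m = EmailMessage()
    m["From"] = "postmaster@example.invalid"   # placeholder sender
    m["To"] = "user@example.invalid"
    m["Subject"] = "Status"
    m.set_content("Mail transaction failed.")
    m.add_attachment(b"constructed attachment bytes, not a real executable",
                     maintype="application", subtype="octet-stream",
                     filename="message.zip")
    return m.as_string()


LURE = _constructed_lure()

# constructed: what a real server-generated bounce looks like on the wire
REAL_DSN = """\
From: MAILER-DAEMON@example.invalid
To: user@example.invalid
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Mail transaction failed: the recipient address does not exist.

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example.invalid
Action: failed
Status: 5.1.1

--b1--
"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("real DSN", REAL_DSN)):
        print(label, fake_bounce_score(raw), "fake:", is_fake_bounce(raw))
```

Note that the real bounce above also contains the words "Mail transaction failed", so the wording alone is a weak signal; it is the combination of a generic subject, bounce wording, and a runnable attachment in a message that is not structured as a DSN that separates the lure, and an attachment-blocking policy on the gateway removes the user's "curiosity" from the equation entirely.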
Overall, even with the slow summer, hackers are still finding a way to do their dirty work on the machines of many users who did not escape to the coast.