The State of Malware Today - December 2006

This month’s highlights:

December, by the numbers:

Top 10 threats caught by Fortinet’s FortiGate security appliances in December 2006:

Rank  Name                        Share
  1   HTML/BankFraud.E!phish      15%
  2   HTML/Volksbanken!phish      15%
  3   W32/Netsky.P@mm              6%
  4   HTML/BankFraud.OD!phish      6%
  5   HTML/Iframe_CID!exploit      5%
  6   W32/Bagle.GT@mm              4%
  7   W32/Stration.DS@mm           4%
  8   W32/Bagle.DY@mm              3%
  9   W32/Grew.A!worm              2%
 10   W32/Istbar.PK!tr.dldr        2%


December’s top 10 is filled with eight familiar old timers, notably BankFraud, Grew.A, Netsky and Stration. The one new entrant this month is Bagle.GT, a notable mass-mailer discovered on Dec. 3. With 70 percent of its detections seen in Korea this month, the threat points to either an epidemic in that region or its point of origin. Interestingly, where Netsky.P uses an iframe exploit to execute its attachment automatically, Bagle.GT delivers the attachment’s password as an image, to make the recipient believe the message was intentionally sent to them (see figure 2).


Figure 1: Bagle.GT and Netsky.P


Figure 2: Sample email of Bagle.GT

Matrix Overload

Malware continues to threaten the internet, mainly for financial gain. Nevertheless, with a share of computer users away for the gift-giving season, this month’s detections of threats that depend on user intervention (instant messaging worms, macro viruses, mass-mailers, network worms, spyware and Trojans) went down by 20 percent.

In spite of this, the number of detected threats came close to 50 million, 30 percent of which were phishing emails; the volume of phishing emails has doubled over the past three months. The internet is plainly crowded with mass-mailers and phishing emails, but the less conspicuous file-infector virus has been gaining momentum while everyone is busy clearing up their email inboxes. The recent increase in file-infector viruses is alarming because of the motives that may lie behind it; one suspected motive is a contest for supremacy over who can deliver the best-crafted virus.


Spam moves to MySpace

Last month, our monthly roundup addressed MySpace credentials phishing (see The Phisher Worm Scavenges MySpace). We suggested that the scavenged addresses could then be used for email spamming campaigns.

It turns out that subsequent spam can also target MySpace accounts themselves directly.

Because spam emails have become so common in our mailboxes, they have been losing some of their impact, thus it is actually not surprising that spammers are looking for new ways to catch people’s attention.

Enter MySpace, with more than 106 million accounts (as of September 2006). Owners of active accounts often check out new "comments" left by their friends.

Comments are messages left by people who either requested or approved friendship with you, i.e., by someone relatively known or trusted. Each comment is directly displayed on the recipient’s page and can be seen by all visitors browsing the profile (unless comment approval is requested).

MySpace comments are therefore a perfect new medium for spammers to reach people.

However, spamming MySpace accounts is way more difficult than spamming mailboxes:

  • you must be someone’s friend to send him/her a message, involving manual steps to build a friend network;
  • each comment can be tracked back in case of abuse, resulting in banning.

The most straightforward way to spam over MySpace, then, is to steal existing accounts and post from there.

We have spotted this technique "in the wild" on several accounts. It is sometimes very obvious, as can be seen on the screenshot below:


fig 1. Obvious MySpace spam comment

But spammers may also come disguised. The next screenshot shows an ad posted by a "friend" of the band who owns the account, enticing the reader to "click here", only to be redirected to an adult site (third comment):


fig 2. The third comment is a spam

A closer look at the spam comment reveals that it makes heavy use of social engineering:
1. Note how the message mimics the actual MySpace layout: a catchy picture with the "online now" indicator right below it (suggesting there is someone behind the screen). This indicator is a copy of MySpace’s own, which normally sits below the sender’s image, on the left of the comment.
2. Delight yourself with the cunning comment. Social engineering artists have long understood that lust and vanity are very exploitable human flaws... This is a perfect demonstration.


fig 3. Social Engineering, advanced course

We have verified the senders to be real accounts, not dedicated to advertising (they are personal profiles). Both are German, which probably means they were phished during an attack targeted at .de emails. Stolen credentials were then used to post spam comments to the accounts’ friends, including highly visited profiles:


fig 4. Spammed profiles


To Phish or not to Phish, that is the question

It has been widely said that only user awareness could, if not put an end to phishing, at least mitigate it. Among the pieces of advice commonly given is "Never go to your online bank site from a link; type the URL into your browser’s address bar instead". Although this would not save you from a pharming attack, it is a very good piece of advice. However, some online banks are not willing to do much to back it up:


fig 5: Smells Phish?

This looks like a notification email from SunTrust Mortgage, but we quickly notice that all the links lead not to suntrustmortgage.com but to the same login page on carenet.fnfismd.com, which would raise the "phishing attempt" red flag in any educated user’s mind.

Well, actually... it is not. It happens to be a legitimate notification email from SunTrust.

We received this email from a customer asking whether it was a phish. We were about to reply that it was, and to blacklist the linked website, for obvious reasons:

  • it entices the recipient to log in to their online bank account through several identical links within the email
  • the URL looks like a phish (an unknown domain name followed by folders with the bank’s name inside)
  • the login page mimics the bank’s graphic identity


fig 6: Left: suspicious login page. Right: the real suntrustmortgage.com.

However, we looked up the legitimate suntrustmortgage.com login page to compare it with the one linked from the email: we clicked the "logon to my account" button... and were redirected to carenet.fnfismd.com, the same URL as in the email. So it wasn’t a phish, as SunTrust customer service later confirmed.
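The red flags listed above (repeated identical login links, a foreign domain with the bank's name in the path, a look-alike login page) can be turned into an automated triage heuristic, with the lesson of the SunTrust case built in: a link to a host outside the bank's domain is a signal, not a verdict, because banks do outsource login portals. The following is an added example written for this page, not code from the Fortinet report. Only the domains suntrustmortgage.com and carenet.fnfismd.com come from the text; the email bodies, the path /suntrustmortgage/login and the registrable-domain helper (which would use the Public Suffix List in production) are constructed assumptions.

```python
"""Static triage of a bank notification email: is it shaped like a phish?

Added example, not from the Fortinet report. It checks the two red flags
that can be tested without fetching anything (repeated identical login links,
a link whose registrable domain is not the bank's but whose path carries the
bank's name) and treats a foreign host as "suspicious" only until it has been
verified, e.g. by the bank's customer service, and added to an allowlist.
"""
import re
from collections import Counter
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

# Constructed sample modelled on the case in the text: every link points at a
# third-party host, with the bank's name in the path (path is an assumption).
SAMPLE = b"""From: notifications@suntrustmortgage.com
To: customer@example.com
Subject: Your monthly statement is available
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your statement is ready.</p>
<p><a href="https://carenet.fnfismd.com/suntrustmortgage/login">Log in to view</a></p>
<p><a href="https://carenet.fnfismd.com/suntrustmortgage/login">Log in to view</a></p>
<p><a href="https://carenet.fnfismd.com/suntrustmortgage/login">Log in to view</a></p>
</body></html>
"""

# Constructed counter-example: a single link that stays on the bank's domain.
CLEAN = b"""From: notifications@suntrustmortgage.com
To: customer@example.com
Subject: Your monthly statement is available
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p><a href="https://www.suntrustmortgage.com/login">Log in</a></p></body></html>
"""


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Assumption: good enough for .com hosts;
    production code would consult the Public Suffix List (co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def extract_links(msg) -> list[str]:
    """Collect href targets from every text/html part of the message."""
    links = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            links.extend(HREF_RE.findall(part.get_content()))
    return links


def triage(raw: bytes, bank_domain: str, verified_hosts: frozenset[str]) -> dict:
    """Return a verdict plus the flags that led to it.

    verified_hosts: third-party login hosts already confirmed legitimate."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    links = extract_links(msg)
    flags = []
    if any(n >= 2 for n in Counter(links).values()):
        flags.append("repeated identical login link")
    bank_name = bank_domain.split(".")[0]
    foreign = set()
    for url in set(links):
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https"):
            continue  # mailto:, javascript: etc. are out of scope here
        host = parsed.hostname or ""
        if registrable_domain(host) == bank_domain:
            continue
        foreign.add(host)
        if bank_name in parsed.path.lower():
            flags.append(f"bank name in path of foreign host {host}")
    unverified = sorted(h for h in foreign if h not in verified_hosts)
    if unverified:
        flags.append("link to unverified foreign host(s): " + ", ".join(unverified))
    if unverified:
        verdict = "suspicious"
    elif foreign:
        verdict = "verified-third-party"
    else:
        verdict = "clean"
    return {"verdict": verdict, "flags": flags, "foreign_hosts": sorted(foreign)}


if __name__ == "__main__":
    print(triage(SAMPLE, "suntrustmortgage.com", frozenset()))
    print(triage(SAMPLE, "suntrustmortgage.com", frozenset({"carenet.fnfismd.com"})))
    print(triage(CLEAN, "suntrustmortgage.com", frozenset()))
```

Run once with an empty allowlist, the SunTrust-style message comes back "suspicious" with all three flags, which is exactly the call the analysts in the text were about to make; after the host is confirmed and added to verified_hosts, the verdict becomes "verified-third-party" while the structural flags remain visible, so the email is still worth a second look but no longer gets blacklisted.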