Fortinet Reviews Malicious Code Activity In January 2006
This month's highlights: January, by the numbers.

Top 10 threats caught by Fortinet's FortiGate security appliances in January 2006:
Top 10 countries reporting infections in January 2006:
Fortinet Statistics - January 2006

"It's worth mentioning that after a careful analysis of the code, we do not believe Sober will ever go back to a spreading phase," said Guillaume Lovet, Threat Response Team Leader at Fortinet. "However, the worm's authors - who have extensively proved that they were able to produce tremendously large outbreaks in the past - could very well seed new variants of the infamous 'propaganda' worm."

Another interesting figure this month was the BetterInternet adware activity profile. As this is not a worm, its activity is solely due to manual downloads and seedings. The figure above shows peaks of activity on the 12th, 16th, 19th, 23rd and 26th. This reflects the fact that the crew behind that adware seeds it via a script scheduled to run every Monday and Thursday.

This month's figures clearly show a rise in the Grew worm (aka Kama Sutra, Nyxem, MyWife, Kasper...), which appeared on Monday the 16th. Within two days, this worm, which has a high media profile, reached its highest peak of activity. According to Julien Lemaitre, virus analyst at Fortinet, "The brand new Grew worm is, by and large, what we could call an old-fashioned threat. With its aggressive seeding and its highly destructive payload, it really looks like a legacy from the early days, when virus authors would write malware for fun or glory, and not for making bucks."

"Within several days, Grew indeed infected hundreds of thousands of computer systems all over the world. Its payload is not set to spy on the infected users. It does not embed a bot, a proxy or a backdoor, nor does it display ads. Instead, it is set to damage files with specific extensions on the infected computer, on the 3rd of every month," Lovet added. The vulnerable file extensions are:
In a nutshell, Grew goes against the grain: a timed destructive payload and no commercial motive. The only two large outbreaks we have seen in months, Sober and Grew, are worms whose underlying motive is not to generate profit. "This is consistent with our thought that cybercriminals wanting to make money adopt a 'low-profile' attitude, and try to make as little fuss as possible," continued Lemaitre. "The fact that various bot herders and phishers were arrested lately clearly indicates that high financial damage and/or media coverage almost always lead straight to court."

This month saw many variants of the Feebs worm emerging - on average, almost one per day. Although none of them got anywhere near the prevalence of a top worm such as Grew or other elders like Netsky and MyTob, Feebs has many interesting aspects. Among other features (rootkit, P2P propagation, reporting via ICQ, on-the-fly injection into emails sent by the infected user), this worm uses JavaScript as its propagation vector. The worm body lies in an encoded string inside a JavaScript embedded in an .hta document. Whenever the document runs, the JavaScript decrypts the worm body and executes it. The .hta document is then regenerated and mass-mailed by the worm engine. This yields two main issues:
However, it would not be much of a challenge to make those scripts truly polymorphic. "The bottom line is that it could become a serious challenge to AV companies relying on pattern-based signatures and binary emulators, whenever someone starts to seed it aggressively along with implementing some advanced polymorphism in the JavaScript generation," concluded Lovet.
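As an added defender-side illustration (not Fortinet's code and not part of this report), the following heuristic scores an .hta document for the structure described above rather than for a byte pattern: a script block carrying one very long, high-entropy string literal next to a decode-and-execute call. The two sample documents, the thresholds and the decoder name `decodeBody` are constructed assumptions.

```python
import base64
import math
import re
from collections import Counter

# Heuristic thresholds (assumptions chosen for this example, not tuned on real data).
MIN_LITERAL_LEN = 256      # a carried body is far longer than ordinary UI strings
MIN_ENTROPY_BITS = 4.5     # encoded/encrypted text is near-uniform; plain script is not
EXEC_SINK = re.compile(r"\b(eval|execScript|Function)\s*\(")
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
STRING_LITERAL = re.compile(r'"[^"\n]*"|\'[^\'\n]*\'')


def shannon_entropy(text: str) -> float:
    """Bits per character of the string's symbol distribution."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def analyze_hta(document: str) -> dict:
    """Structural score: survives re-encoding of the payload and renamed variables,
    which a fixed byte signature on the generated script would not."""
    scripts = SCRIPT_BLOCK.findall(document)
    literals = [lit[1:-1] for s in scripts for lit in STRING_LITERAL.findall(s)]
    longest = max(literals, key=len, default="")
    entropy = shannon_entropy(longest)
    has_sink = any(EXEC_SINK.search(s) for s in scripts)
    score = int((len(longest) >= MIN_LITERAL_LEN) + (entropy >= MIN_ENTROPY_BITS) + has_sink)
    return {"longest_literal": len(longest), "entropy": round(entropy, 2),
            "exec_sink": has_sink, "score": score, "suspicious": score >= 2}


# Constructed sample documents (assumptions; neither is a real Feebs sample).
BENIGN_HTA = """<html><head><title>Inventory</title>
<script language="JScript">
function show() { document.getElementById("out").innerText = "Ready"; }
</script></head><body onload="show()"><div id="out"></div></body></html>"""

# Base64 of the bytes 0..255 stands in for an encoded body; decodeBody is hypothetical.
FILLER = base64.b64encode(bytes(range(256))).decode()
SUSPICIOUS_HTA = (
    '<html><head><script language="JScript">\n'
    f'var s = "{FILLER}";\n'
    "eval(decodeBody(s));\n"
    "</script></head><body></body></html>"
)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_HTA), ("suspicious", SUSPICIOUS_HTA)):
        print(name, analyze_hta(doc))
```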