Prevalence Report

The State of Malware - July 2008 Edition



This edition's highlights: Malware by the numbers

The following malware statistics are based on threats caught by Fortinet's FortiGate security appliances for the period June 21st - July 20th, 2008.

Top Ten Variants

Top ten malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100:
Rank     Malware Variant                  Percentage  Top 100 Shift
1        W32/Netsky!similar               10.39          -
2        W32/Virut.A                      7.03           +1
3        Pushdo!tr                        6.01           new
4        W32/Agent.TPF!tr.dldr            4.78           new
5        HTML/Iframe.DN!tr.dldr           4.51           +3
6        W32/MyTob.FR@mm                  3.75           +3
7        JS/Iframe.DR                     3.6            new
8        W32/OnLineGames.fam!tr.pws       3.53           -4
9        W32/Mdrop.BTV!tr                 2.7            new
10       JS/Redirector.CA!tr              2.32           new
Some variants are back in numbers, while many new faces come into play this edition:
  • Virut.A continues its impressive run with increased activity and lands in second place, keeping its six-month placement in the top five
  • Pushdo is back on the radar this month after briefly dropping in activity
  • Two new JavaScript variants, Iframe.DR and Redirector.CA, take hold of seventh and tenth positions, respectively
  • Heavy online gaming trojan activity continues in Taiwan and Japan through OnLineGames.fam!tr.pws
Top Five Families

Malware variants' activity for this edition has been grouped into families and sorted as shown below. Percentage indicates the portion of activity accumulated by the family out of all threats reported in this edition. Top 10 shifts indicate positional changes compared to last edition's Top 10 ranking, with "new" highlighting the malware family's debut in the top ten:
Rank     Malware Family                    Percentage  Top 10 Shift
1        OnlineGames                       18.8            -
2        Netsky                            16.7            -
3        MyTob                              9.9            -
4        Virut                              7.8            -
5        Pushdo                             6.1            +6
There wasn't much shifting this month in terms of positioning, although there are a couple of points to note. The OnlineGames family, highlighted by its account stealing trojan capabilities, still holds first place yet drops in activity over 15 percent compared to last edition. Pushdo makes its way back into the top five after briefly dropping in activity last report.

Activity recap

This edition brought in some new faces, two of them being JavaScript samples. Looking at our top ten, we see three samples which are dedicated to traffic generation (Iframe.DN, Iframe.DR, and Redirector.CA). This is not surprising at all: cyber criminals are constantly trying to drive traffic to sites in the most efficient way possible. IFrames are typically injected into a Web site (e.g. via SQL injection) as tags meant to redirect an end user's browser to a (usually) malicious source. A lot of the time, there is financial motivation behind this: in the digital underground, traffic means money. Figure 1 below shows the activity curve for these three traffic generators:


Figure 1: Traffic directors for our July 2008 edition
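The injected-iframe pattern described above is something a site owner can check for on their own pages. The following scanner is an added example, not code from the Fortinet report: it walks an HTML document and reports iframes whose source is off-site and/or whose size or inline style keeps them invisible, which is the combination an injected redirector typically shows. The sample page, the host names and the "0 or 1 pixel" threshold are all constructed for the demonstration.

```python
"""
Added example (not code from the Fortinet report): a scanner that walks an HTML
page and reports <iframe> elements that look like injected redirectors, i.e.
frames whose source is off-site and/or whose size or style hides them from the
viewer. The sample page, host names and thresholds below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style patterns commonly used to keep a frame out of sight.
_HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lower-cases tag and attribute names
            self.iframes.append({name: (value or "") for name, value in attrs})


def _tiny(value):
    """True for width/height values of 0 or 1 (px): a frame nobody can see."""
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


def scan_iframes(html, site_host):
    """Return findings for iframes that point off-site and/or are hidden.

    severity 'high'   = off-site source AND hidden (the injection pattern)
    severity 'review' = only one of the two conditions holds
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        off_site = bool(host) and host != site_host.lower()
        hidden = (_tiny(attrs.get("width", "")) and _tiny(attrs.get("height", ""))) \
            or bool(_HIDDEN_STYLE.search(attrs.get("style", "")))
        if off_site or hidden:
            findings.append({
                "src": src,
                "host": host,
                "off_site": off_site,
                "hidden": hidden,
                "severity": "high" if (off_site and hidden) else "review",
            })
    return findings


# Constructed sample page: one legitimate same-site frame, one hidden off-site
# frame of the injected kind, and one visible third-party widget.
SAMPLE_HTML = """
<html><body>
<h1>Site news</h1>
<iframe src="https://www.example-site.test/player" width="640" height="360"></iframe>
<p>Welcome back.</p>
<iframe src="http://redirector.example.invalid/in.php?id=7f3a" width="1" height="1"
        style="visibility:hidden"></iframe>
<iframe src="https://partner.example.test/widget" width="300" height="250"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_iframes(SAMPLE_HTML, "www.example-site.test"):
        print(f["severity"], f["host"], f["src"])
```

Running the block against the constructed page reports the hidden off-site frame as "high" and the visible partner widget as "review"; the same-site player is not reported. A scanner like this is only a first pass: obfuscated JavaScript that writes the iframe at load time (as the Redirector.CA sample below does with its links) will not show up in static HTML, so it complements rather than replaces checking the rendered page.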


While Iframe.DN shows a steady activity curve, Redirector.CA made its way into the top ten with two bursts of activity. Iframe.DR, on the other hand, only began activity halfway through this edition and is still showing prevalence. Let's have a look at Redirector.CA and the behavior it exhibited this edition. The JavaScript sample contains functions to decrypt strings and URL addresses while randomizing this output to the end user. The sample generates a blog, with some comments thrown in to give it a genuine look. What looks to be the initial post is actually dynamic: each time the page is loaded, different links and subject headers are presented. Figure 2 below shows a snapshot of the generated page in question:


Figure 2: JS/Redirector.CA!tr at work, randomizing affiliate links


The links (blocked in red) are dynamic, and change each time the page is refreshed. The one thing that remains static is the insurance theme, as all links seemingly point to insurance sites. Clicking on the link does not directly take you to the promised site. Once clicked, a series of hops occur. Two servers (both located in the USA with this sample) are visited, both running Nginx 0.5.37, accessing a PHP page with a unique query ID (the randomized link that the user clicked on). These two servers then end up hopping the user's browser to a third server running Apache. This third server (also in the USA) in turn redirects the user to the actual insurance page, passing in a unique affiliate identifier. The user's browser is redirected through HTTP 302 response codes, each of which points the browser to a new URL. This seems to be a campaign designed to generate traffic to affiliate marketing programs, passing through intermediate tracking servers. As can be seen in Figure 1 above, the two bursts of activity show this campaign in action: servers are infected with this code, and then cleaned up.
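The hop chain just described is easiest to understand when it is walked step by step. The tracer below is an added example, not code from the Fortinet report: it follows HTTP 302 Location headers the way a browser would, resolving relative locations, stopping on loops or runaway chains, and summarising which hosts and server software were crossed and what query parameters the final URL carries. Responses are served from a constructed lookup table rather than the network, so the host names (hop1/hop2/hop3/insurance.example.test), paths, query ids, the "aff" parameter and the flagging thresholds are all assumptions made for the demonstration; only the Nginx 0.5.37 and Apache server banners echo the report.

```python
"""
Added example (not code from the Fortinet report): an offline tracer for the
kind of multi-server HTTP 302 chain described above. Responses come from a
constructed lookup table rather than the network, so the hosts, paths, query
ids and Server headers are all made up; the flagging thresholds are assumptions.
"""
from urllib.parse import parse_qs, urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 10  # assumption: stop here rather than follow an endless chain

# Constructed responses: url -> (status, headers). Unknown URLs return a 200 page.
RESPONSES = {
    "http://hop1.example.test/in.php?q=a1b2c3":
        (302, {"Server": "nginx/0.5.37", "Location": "/go.php?q=a1b2c3"}),
    "http://hop1.example.test/go.php?q=a1b2c3":
        (302, {"Server": "nginx/0.5.37", "Location": "http://hop2.example.test/r.php?q=a1b2c3"}),
    "http://hop2.example.test/r.php?q=a1b2c3":
        (302, {"Server": "nginx/0.5.37", "Location": "http://hop3.example.test/t.php?q=a1b2c3"}),
    "http://hop3.example.test/t.php?q=a1b2c3":
        (302, {"Server": "Apache", "Location": "http://insurance.example.test/quote?aff=AFF-0042"}),
}


def fetch(url):
    """Stand-in for an HTTP GET that never touches the network."""
    return RESPONSES.get(url, (200, {"Server": "Apache"}))


def trace_redirects(start_url, fetch=fetch, max_hops=MAX_HOPS):
    """Follow Location headers the way a browser would and summarise the chain.

    Relative Location values are resolved against the current URL; the walk
    stops at the first non-redirect, at a revisited URL (loop) or at max_hops.
    """
    hops, seen, url, truncated = [], set(), start_url, False
    while True:
        status, headers = fetch(url)
        hops.append({"url": url, "host": urlparse(url).hostname or "",
                     "status": status, "server": headers.get("Server", "")})
        seen.add(url)
        if status not in REDIRECT_CODES or "Location" not in headers:
            break
        url = urljoin(url, headers["Location"])
        if url in seen or len(hops) >= max_hops:
            truncated = True  # loop or runaway chain: stop without fetching more
            break
    hosts = []
    for hop in hops:
        if hop["host"] not in hosts:
            hosts.append(hop["host"])
    redirects = sum(1 for hop in hops if hop["status"] in REDIRECT_CODES)
    final_url = hops[-1]["url"]
    return {
        "hops": hops,
        "final_url": final_url,
        "distinct_hosts": hosts,
        "redirect_count": redirects,
        "server_software": sorted({hop["server"] for hop in hops if hop["server"]}),
        "final_query_keys": sorted(parse_qs(urlparse(final_url).query)),
        "truncated": truncated,
        # assumption: two or more redirects spanning three or more hosts is the
        # intermediate-tracking-server pattern worth a closer look
        "flagged": redirects >= 2 and len(hosts) >= 3,
    }


if __name__ == "__main__":
    report = trace_redirects("http://hop1.example.test/in.php?q=a1b2c3")
    for hop in report["hops"]:
        print(hop["status"], hop["host"], hop["server"], hop["url"])
    print("flagged:", report["flagged"], "final:", report["final_url"])
```

On the constructed table the walk crosses four hosts with four 302s before landing on the "insurance" page whose query string carries the affiliate parameter, and the chain is flagged. Because fetching is injected as a parameter, the same function can be pointed at a real HTTP client in an isolated analysis environment, or at proxy logs replayed as a lookup table, without changing the chain logic.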

Apart from this, familiar names still filled the top ten charts this edition: Pushdo, MyTob and Virut. There was a new name in the mix, Mdrop.BTV, which actually appears to be yet another variant of Pushdo. The rhythmic activity spikes of these two further confirm this (see Figure 3, red and white curves). While Pushdo goes on weekly aggressive mailing campaigns, MyTob and Virut seem to show more consistent curves at lower volume. Figure 3 below shows this:


Figure 3: The usual faces still posing a threat in the wild


The fact of the matter is, all of these remain in our top ten and are prevalent, thus highlighting a concern to anybody with an internet connection. Thankfully, these threats are blocked already. With the recent DNS vulnerability disclosure, and strong activity with traffic redirectors, all users should pay close attention to where they are traveling. Think before clicking that link, observe domain names and ensure all latest patches are in place to guard against system compromise.

Solutions

Customers who use Fortinet’s FortiGuard Subscription Services are already protected against the threats outlined in this report. Threat activity is compiled by Fortinet's FortiGuard Global Security Research Team using data gathered from its intelligence systems and FortiGate™ multi-threat security appliances in production worldwide. FortiGuard Subscription Services offer comprehensive security solutions including antivirus, intrusion prevention, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products.