The State of Malware Today Fortinet Reviews Malicious Code Activity During May 2005
This month's highlights.
Virus Prevalence in May

This month Fortinet reports a 20% decrease in virus prevalence compared to the month of April. Of the new malicious codes detected by Fortinet in May 2005, approximately 33% were Trojans (including backdoors), 33% were network worms (worms which propagate through the network via exploits, network shares and Instant Messengers), and 2% were mass-mailing worms. Once again Bots accounted for the highest percentage of newly detected codes, representing some 41%.

Changes in trends in newly-detected codes since April

May statistics show a further 3% decrease in the number of Trojans detected (following the 20% decrease observed from March to April). This brings the overall percentage of Trojans detected in May to pre-February levels. The percentage of new mass-mailing worms fell to a mere 2%, the lowest level recorded since the beginning of the year. New variants of known Bots (such as RBot, SdBot, AgoBot...) have been appearing at a constant pace for two months now, representing 41% of all newly discovered threats in May - a further 6% increase since April.

It is interesting to note that the prevalence of these threats in the wild is inversely proportional to the number of distinct threats: although mass-mailing worms represent only 2% of the new threats (there are few variants, compared to Bots), they are the most prevalent, representing over 90% of the actual sightings of malicious code reported around the world. This can be attributed to the fact that Trojans and Bots are usually spammed out but do not spread themselves, unlike worms, which spread rapidly, causing outbreaks and major headaches for network administrators.

Once again the majority of malicious code eliminated by Fortinet FortiGate antivirus firewalls was in the USA (23%), whilst Korea and Mexico share second place far behind, each with some 8% of blocked threats.
Significant threats discovered in May: MyTob resurgence

In addition to the notorious Sober.P outbreak, May also witnessed a serious MyTob resurgence: over 30 variants and minor variants appeared throughout the month - including MyTob.DV, spotted on 26th May (the final day of this month's data collection). Like its predecessors, this one has the ability to spread by mass-mailing itself to email addresses harvested from the infected host, using its own SMTP engine. Unsurprisingly, it also contains advanced Bot features that turn the infected host into a Zombie, ready to connect to its IRC master and receive orders. This IRC server is still the same as it was months ago.

Guillaume Lovet, team leader of the EMEA Threat Response Team at Fortinet, says: "This raises the question as to why firewalls have not been configured to block this rogue server and end the threat definitively. The answer is straightforward: because it is constantly moving. This is an example of malware authors taking advantage of an essential feature of the Internet - the DNS service. Whereas the server name is always the same, the actual Internet address (IP address) that is registered with that name often changes. Zombies (new and old ones) only need to query the DNS service to find out the master's current address. The large number of variants is most likely a strategy of the authors to minimize the impact of antivirus systems on propagation. When a new variant emerges, the antivirus industry may have to create new detection patterns, which leaves a window of opportunity for the malware to spread unaffected."

The payload of MyTob itself features numerous tactics to circumvent antivirus systems. These include blocking access to update sites, stopping potential antivirus processes, and killing code and behaviour analysis processes (such as network sniffers, debuggers, etc.).
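From the defender's side, the moving-server tactic described above leaves a trace in DNS resolver logs: the same queried name keeps resolving to different addresses. The script below is an added example written for this edit (not Fortinet's tooling); it parses constructed sample resolver lines (the hostname, addresses and client IPs are invented placeholders), flags names that resolved to three or more distinct IPs inside a 24-hour window, and lists the internal clients that queried them, which are the hosts worth checking for infection.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample resolver log (not taken from the original report).
# Format: "<ISO timestamp> <client IP> <queried name> <resolved IP>"
SAMPLE_DNS_LOG = """\
2005-05-20T08:00:01 10.0.0.5 irc.example-c2.invalid 203.0.113.10
2005-05-20T08:05:12 10.0.0.7 www.example.com 198.51.100.1
2005-05-20T09:10:44 10.0.0.5 irc.example-c2.invalid 203.0.113.55
2005-05-20T11:30:09 10.0.0.9 irc.example-c2.invalid 192.0.2.77
this line is deliberately malformed and must be skipped
2005-05-20T13:02:50 10.0.0.7 www.example.com 198.51.100.1
2005-05-20T15:45:31 10.0.0.5 irc.example-c2.invalid 203.0.113.120
2005-05-20T17:20:00 10.0.0.9 www.example.com 198.51.100.2
"""


def parse_dns_log(text):
    """Parse log lines into (timestamp, client, name, ip) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue
        records.append((ts, parts[1], parts[2], parts[3]))
    return records


def moving_hosts(records, window=timedelta(hours=24), min_distinct_ips=3):
    """Return {name: sorted distinct IPs} for every name that resolved to at least
    min_distinct_ips different addresses within some sliding window of length `window`."""
    by_name = defaultdict(list)
    for ts, _client, name, ip in records:
        by_name[name].append((ts, ip))
    flagged = {}
    for name, events in by_name.items():
        events.sort()  # chronological, so events[i:] are at or after events[i]
        for i, (start, _ip) in enumerate(events):
            ips = {ip for ts, ip in events[i:] if ts - start <= window}
            if len(ips) >= min_distinct_ips:
                flagged[name] = sorted(ips)
                break
    return flagged


def querying_clients(records, name):
    """Internal clients that looked up `name`: the candidates for a Zombie infection."""
    return sorted({client for _ts, client, n, _ip in records if n == name})
```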
Unfortunately these evasion efforts by MyTob's authors are not in vain, and seem to be driven by financial motivation - it is even possible that the malware authors have been contracted to create this code.

Sober.P - high rate of propagation, then dormant

As mentioned in Fortinet's last virus round-up, the beginning of May was marked by a significant number of reported sightings of Sober.P, a mass-mailer with a cunning social engineering strategy. It adapted the message language to the target domain, and timed its attack with the opening of ticket sales for the FIFA World Cup. So virulent was its propagation that it reached the number one position in Fortinet's top ten reported viruses within 24 hours. However, Sober.P became "dormant" on May 10th, stopping its mass-mailing activities. A careful analysis showed that it went into what can be termed an "update mode", whereby it tried to download updates from various web hosting sites.

Sober.Q - the first political mass-mailer

Sober.Q appeared in the wild during the weekend of May 14th-15th. It is probably the most original mass-mailer seen in a while. Instead of trying to infect systems, it sent a large amount of political propaganda emails, some of which carried (or pointed to) Nazi-oriented content. Its significant prevalence was solely due to the fact that it was downloaded and installed by Sober.P - i.e. it was seeded by Sober.P. This highlights a new and dramatically effective potential use for mass-mailers: not only can they seed lucrative Botnets, but they can also serve as massive propaganda vectors. It now seems that Sober.Q has stopped its activity (as of May 26th) and switched to dormant mode again.

Sober's stealth update

As mentioned above, Sober.P (and later Sober.Q) went into update mode on a given date. Usually such a strategy has limited success, as it is very easy for virus analysts to find out where the malware is about to download its updates, and to warn or block (or both) the target location.
But the author of Sober went one step further. To prevent the above from happening, Sober took the following measures:

1. It does not rely on the internal system date as a reference for its calendar. Instead, it queries a hard-coded list of Network Time Protocol (NTP) servers over the Internet, which are official online "clock" services.
2. It makes it difficult to predict the next download locations by building the actual URLs from the current date, via a complex algorithm. Only the domain part of the URLs is hard-coded...
3. ...But those domains belong to public web-hosting companies, so blocking the whole domains on firewalls is simply not an option.

Advice to computer users remains the same. Guillaume Lovet says, "Always ensure that the latest virus protection and operating system security updates are deployed - and do not click on attachments. The nature of threats reported this month really demonstrates the advantage of integrated security solutions, like Fortinet's FortiGate antivirus firewall system. For example, antivirus software may protect networks against Sober.P, but unless there is also an anti-spam solution in place, it will not protect against the spam from Sober.Q; or from becoming infected by a new network worm using known vulnerabilities to spread (as is always the case), again unless you have an additional Intrusion Prevention System (IPS)."

For more information on the latest security threats, see Fortinet's FortiGuard centre: http://www.fortiguardcenter.com/av.html

About Fortinet (www.fortinet.com)

Fortinet is the pioneer and leader of the Unified Threat Management market. The company's award-winning FortiGate series of ASIC-accelerated antivirus firewalls, winner of the 2004 Security Product of the Year Award from Network Computing Magazine and the 2003 Networking Industry Awards Firewall Product of the Year, are the new generation of real-time network protection systems.
They detect and eliminate the most damaging, content-based threats from e-mail and Web traffic such as viruses, worms, intrusions, inappropriate Web content and more in real time - without degrading network performance. FortiGate systems are the only security products that are quadruple-certified by the ICSA (antivirus, firewall, IPSec, NIDS), and deliver a full range of network-level and application-level services in integrated, easily managed platforms. Named to the Red Herring Top 100 Private Companies, Fortinet is privately held and based in Sunnyvale, California.