The State of Malware Today - November 2005

Fortinet Reviews Malicious Code Activity During November 2005

This month's highlights:


November, by the numbers:

Top 10 threats caught by Fortinet's FortiGate security appliances in November, 2005:

1 W32/Sober.AD-mm 24.72%
2 W32/Netsky.P-mm 6.73%
3 W32/MyTob.NA-mm 6.50%
4 Adware/BetterInternet 5.26%
5 HTML/Iframe_CID!exploit 3.29%
6 Download/Px 2.82%
7 HTML/MHTRedir.A-exploit 2.17%
8 W32/MyTob.fam-mm 1.62%
9 W32/MyTob.EK-mm 1.52%
10 W32/Zafi.B-mm 1.49%

Top 5 new threats appearing in November 2005:

1 W32/Sober.AD-mm 24.72%
2 W32/MyTob.PD!mm 0.89%
3 W32/MyTob.PI-mm 0.65%
4 W32/Mitglieder.GD!tr 0.26%
5 W32/MyTob.PL-mm 0.22%

Top 10 countries reporting infections in November 2005:

1 United States of America 21.16%
2 Mexico 7.75%
3 Korea, Republic of 7.02%
4 Taiwan, Province of China 5.58%
5 China 4.91%
6 India 4.21%
7 Thailand 3.91%
8 Canada 3.63%
9 Austria 3.29%
10 Italy 3.19%


This Month's Most Striking Trend: The Return of Sober

This month's most striking trend is, of course, the return of Sober, which skyrocketed in the charts with a single variant (caught by Fortinet as W32/Sober.AD-mm, and corresponding to CME-681). No other malware has produced such a staggering outbreak this year. The monthly top 10 ranks it first, accounting for 24% of November's activity, but even that figure does not do it justice.

To really understand how brutal Sober's outbreak was, one must look at the daily evolution of the viral situation:

Figure 1 - Fortinet's FortiGate security appliance statistics for November 2005

According to Fortinet Threat Response Team Leader - EMEA, Guillaume Lovet, "As can be seen in Figure 1, W32/Sober.AD-mm was unleashed on November 21st. Within a few hours, it reached our highest impact level, and soon accounted for three times the activity of all MyTob variants aggregated!"

Another interesting trend visible in Figure 1 is the rise of Adware/BetterInternet, which appears to have been seeded aggressively since November 15th, going so far as to reach a higher impact than the "historic" Netsky.P, drawn here as a reference because it had dominated the top 10 list for the past 1.5 years until this month.

IM Threats Continue Steady Growth

November showed continued steady growth in the emerging segment of instant messaging (IM) threats. While these did not reach peaks comparable to Sober or MyTob, many new variants were discovered targeting MSN, AOL and IRC networks. The most prominent IM threat of the month was a worm, identified by Fortinet as W32/Aimbot.AT-bdr, which spread through AOL Instant Messenger, downloaded adware and installed a rootkit on infected computers.

According to Fortinet Manager of Malicious Code Research, Nick Bilogorskiy, "As the companies behind large IM networks (Yahoo, MSN, AIM) begin efforts to make their protocols interoperable, the potential arises whereby a virus written for one network can jump to another instantly, thus increasing the already rapid spreading speed of IM viruses and their potential damage."

Bilogorskiy continued, "Recent IM security acquisitions of Omnipod by MessageLabs and Frontbridge by Microsoft demonstrate that security vendors are looking to cash in on the corporate concerns regarding IM security by providing an extension to their services."

War of the Worlds: MyTob vs. Sober

This month highlights an interesting difference in virus authors' strategies. As we can see in Figure 1, the MyTob variants' activity follows a relatively flat line, with short, occasional outbreaks that are usually fragmented among several variants (and sometimes called a "rain", "flood" or "wave" of variants).

According to Fortinet Threat Response Team Leader - EMEA, Guillaume Lovet, "This highlights the MyTob variants authors' strategy: they want fine-tuned control of the outbreak's impact, a constant number of active infected systems to serve in their botnets, and as little advertisement as possible for their malware - obviously to avoid attracting the FBI's attention to their illegal, money-motivated activities."

Lovet continued, "On the other hand, the Sober outbreak was brutal, sudden, and ultra-large in size. The success of course had nothing to do with the efficiency of Sober's mailer engine (written in Visual Basic), and little to do with the social engineering strategy it used (the messages posed as an inquiry from the FBI/CIA), and a lot to do with the fact that they were aggressively seeded. Needless to say, being stealthy was obviously not the main preoccupation of Sober's authors."

Now, in terms of functionality, what is the main difference between Sober and MyTob, and how does it relate to the seeding strategies? The short answer is three letters long: bot. Unlike MyTob, Sober is one of the very few mass-mailers that do not embed a bot, and consequently it is not meant to build a financially "juicy" botnet. This probably explains the radically different distribution approaches taken by Sober and MyTob, but says little about the Sober authors' motivations. If not financial, as it seems, they could very well be political: an older variant, Sober.Q, was mass-mailing neo-Nazi propaganda some months ago.

Finally, one interesting feature of Sober, already present in previous variants, is that it queries NTP servers (picked from a hardcoded list) to synchronize its actions. Reverse engineering of this month's variant shows that it was set to download files from hardcoded locations on precise dates. Fortinet's Antivirus Team is closely monitoring those locations.
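As an added example (not Fortinet's code, and not derived from the Sober sample itself), the following Python script shows one defensive use of the NTP detail above: a worm that picks its time source from its own hardcoded list will not use the organisation's sanctioned NTP servers, so a workstation seen querying several unfamiliar servers on UDP/123 within a short window stands out in firewall logs. The log format, the approved server addresses and the sample log lines are all constructed for this example.

```python
"""Hunt for workstations syncing time with NTP servers outside the
organisation's approved set.  Added example (not Fortinet's code): the log
format, APPROVED_NTP and SAMPLE_LOG are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed: the only time sources workstations are expected to use.
APPROVED_NTP = {"10.0.0.5", "10.0.0.6"}

# Constructed firewall log format (hypothetical):
#   <ISO timestamp> ALLOW|DENY proto=<udp|tcp> src=<ip>:<port> dst=<ip>:<port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample lines: two hosts using the approved servers, one host
# walking through three outside servers in quick succession, one host with a
# single stray query, one non-NTP flow, and one malformed line.
SAMPLE_LOG = """\
2005-11-21T09:00:01 ALLOW proto=udp src=10.1.2.30:123 dst=10.0.0.5:123
2005-11-21T09:00:07 ALLOW proto=udp src=10.1.2.31:1034 dst=10.0.0.6:123
2005-11-21T09:01:12 ALLOW proto=udp src=10.1.2.44:1027 dst=192.0.2.10:123
2005-11-21T09:01:13 ALLOW proto=udp src=10.1.2.44:1028 dst=192.0.2.20:123
2005-11-21T09:01:14 ALLOW proto=udp src=10.1.2.44:1029 dst=198.51.100.7:123
2005-11-21T09:02:00 ALLOW proto=tcp src=10.1.2.44:1030 dst=192.0.2.10:80
2005-11-21T09:03:40 ALLOW proto=udp src=10.1.2.51:1040 dst=192.0.2.10:123
this line is not in the expected format and is skipped
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def unapproved_ntp_by_host(log_text, approved=APPROVED_NTP):
    """Map each source IP to the set of unapproved servers it queried on
    UDP/123, together with the first and last time it did so."""
    hosts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "udp" or rec["dport"] != "123":
            continue
        if rec["dst"] in approved:
            continue
        entry = hosts.setdefault(
            rec["src"], {"servers": set(), "first": rec["ts"], "last": rec["ts"]}
        )
        entry["servers"].add(rec["dst"])
        entry["first"] = min(entry["first"], rec["ts"])
        entry["last"] = max(entry["last"], rec["ts"])
    return hosts


def suspicious_hosts(log_text, approved=APPROVED_NTP, min_servers=2):
    """Return {src: sorted unapproved servers} for hosts that contacted at
    least `min_servers` distinct unapproved NTP servers.  A single stray query
    is usually a misconfigured client; a host cycling through several outside
    servers looks like a hardcoded list being tried in turn."""
    found = unapproved_ntp_by_host(log_text, approved)
    return {
        src: sorted(info["servers"])
        for src, info in found.items()
        if len(info["servers"]) >= min_servers
    }


if __name__ == "__main__":
    for src, servers in suspicious_hosts(SAMPLE_LOG).items():
        print(f"{src} queried {len(servers)} unapproved NTP servers: "
              f"{', '.join(servers)}")
```

The `min_servers` threshold is what separates a badly configured client (one stray server) from a host trying a list in turn; lowering it to 1 gives the full inventory of hosts that ever left the approved set, which is the list to feed into a block rule on the egress firewall.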

Sony's DRM: Most People Now Have an Idea of What a Rootkit Is

A few words have to be said about Sony's Digital Rights Management (DRM) case, since it has been all over the news for several weeks and keeps feeding forum discussions.

According to Fortinet Threat Response Team Leader - EMEA, Guillaume Lovet, "The DRM system, present on various records distributed by Sony, installs a rootkit on customers' computers to better control the number of allowed backups for the CD tracks. This dangerously lowers customers' system security by hiding from users all files and processes starting with '$sys$' (without the quotes). Soon, Trojans making use of that nice feature, such as W32/Brepibot!tr, appeared in the wild. Their low number suggests that they may be merely a proof of concept - in which case, they accomplished their goal: proving how disrespectful and dangerous this DRM policy is toward Sony's own customers."

Two additional factors made matters even worse:

  1. Sony's Global Digital Business President Thomas Hesse declared on the radio that "most people don't even know what a rootkit is, so why should they care about it?"
  2. Sony released an uninstaller tool to remove the rootkit, which introduced a vulnerable ActiveX control into users' systems, potentially handing full control to a remote attacker.

As various companies and organizations study the possibility of suing Sony, the industry giant continues to face significant fallout from this issue.
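The cloaking behaviour described above can be checked for directly. The following Python probe is an added example (not Fortinet's or Sony's code): since the page states that the rootkit hides every file and process whose name starts with '$sys$', the probe writes a harmless file with that prefix into a temporary directory, next to a control file with an ordinary name, and asks the normal directory-listing API whether both are still visible. It assumes, as labelled in the code, that a name-filtering hook removes entries from enumeration rather than blocking access to the exact path.

```python
"""Probe for '$sys$' name cloaking.  Added example, not Fortinet's or Sony's
code: the page states the DRM rootkit hides files and processes whose names
start with '$sys$'.  This check writes a harmless file with that prefix and
a plain-named control file, then asks os.listdir() what it can see."""
import os
import tempfile

CLOAK_PREFIX = "$sys$"      # the prefix the page says the rootkit hides


def probe_name_cloaking(prefix=CLOAK_PREFIX, directory=None):
    """Return a dict describing what the directory listing shows.

    'exists_on_disk' - the prefixed file can be reached by its exact path
    'prefix_listed'  - os.listdir() reports the prefixed file
    'control_listed' - os.listdir() reports the plain-named control file
    'cloaked'        - the prefixed file exists but is missing from the
                       listing while the control file is present, i.e. names
                       are being filtered by prefix (the rootkit symptom).
                       A listing that loses both files points to some other
                       problem, not prefix cloaking.
    """
    with tempfile.TemporaryDirectory(dir=directory) as tmp:
        probe_name = prefix + "probe.txt"
        control_name = "control.txt"
        for name in (probe_name, control_name):
            with open(os.path.join(tmp, name), "w") as fh:
                fh.write("cloaking probe\n")

        # Assumption for this example: a name-filtering hook drops entries
        # from enumeration, so the exact path is still reachable via stat().
        exists_on_disk = os.path.isfile(os.path.join(tmp, probe_name))
        listing = set(os.listdir(tmp))
        prefix_listed = probe_name in listing
        control_listed = control_name in listing

        return {
            "exists_on_disk": exists_on_disk,
            "prefix_listed": prefix_listed,
            "control_listed": control_listed,
            "cloaked": exists_on_disk and control_listed and not prefix_listed,
        }


if __name__ == "__main__":
    result = probe_name_cloaking()
    if result["cloaked"]:
        print("CLOAKED: something is hiding names starting with", CLOAK_PREFIX)
    else:
        print("clean: names starting with", CLOAK_PREFIX, "are visible")
    print(result)
```

The prefix is a parameter so the same probe can be pointed at any other cloaking prefix an antivirus vendor reports; the control file matters because it distinguishes prefix-specific hiding from a directory listing that is simply broken.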

AVAR 2005 - The Dark Days Ahead

On November 17th and 18th, the Association of anti-Virus Asia Researchers (AVAR) 2005 conference took place in Tianjin, China. AVAR 2005 strongly highlighted the central role played by botnets as the main vector for every source of profit (spam, phishing, spyware, adware, DDoS blackmail, etc.) for those hackers who have become cybercriminals in today's malware climate.

Another trend pointed out at AVAR 2005 was the non-replicating nature of most malware created today. This follows directly from the first point: now that botnets are well established, cybercriminals can use them to distribute their profitable malware, so the malware itself no longer needs to spread on its own.

According to Fortinet Threat Response Team Leader - EMEA, Guillaume Lovet, "Security experts at the conference stressed that nowadays, large outbreaks are not mainstream anymore - because the main motive for cybercriminals is money. Indeed, to make a reasonable profit without getting too much attention from the police, a few thousand infections is far better than a few million. A couple of days later, the Sober outbreak occurred, but far from invalidating this theory as one may think at first, it confirms it, as our "Sober vs. MyTob" analysis above points out."

Regarding future trends and expected threats, two words were repeatedly heard: Smartphones and terrorists.

Smartphones present roughly the same characteristics as personal computers in terms of "virusability"; the main difference lies in the current volume of devices. Although smartphone volume is still very low compared to the number of PCs, it is expected to grow rapidly, which will undeniably provide cybercriminals with a huge reserve of potential targets.

As for terrorists, Sober's outbreak this month proved that a worldwide outbreak is still possible, and that the recent rarity of such outbreaks is a matter of cybercriminals' strategy. But what will happen when terrorists decide to write a worm aimed at taking down the Internet resources of a specific country, or the whole Internet? Additionally, some studies have shown that as few as a couple of dozen zombies are enough to take down a specific website with a DDoS, and some botnets feature millions of zombies.