This month’s highlights

November, by the numbers

Top 10 threats caught by Fortinet’s FortiGate security appliances in November 2006:

Rank  Name                      %
1     HTML/Volksbanken!phish    8.92
2     HTML/BankFraud.E!phish    6.84
3     W32/Netsky.P@mm           2.89
4     Adware/BetterInternet     2.6
5     HTML/Iframe_CID!exploit   2.56
6     W32/Stration.DU@mm        2.22
7     W32/Bagle.DY@mm           2.05
8     W32/Stration.DS@mm        1.75
9     W32/Grew.A!worm           1.75
10    HTML/BankFraud.OD!phish   1.68

November’s top 10 offers a neat picture of the current malware situation: massive phish runs, Netsky.P@mm refusing to die, Adware/BetterInternet representing the botnet-supported adware family (see our previous study here), and two old-schoolers: Bagle and Grew. As a matter of course, however, the rock star of the month is, again, Stration.

Stration, Next episode: Runs and Variants

Indeed, the worm with the plan has kept fueling discussions in the AV world (and in the security-oriented world in general). So, the “plan” was really… to make some bucks (sigh of un-surprise). Some Stration variants indeed downloaded spam-oriented Trojans and started to relay medical spam (Viagra and the like) in high volumes. Here is our monthly Stration top 10:
Rank  Name                   % of all Strations this month
1     W32/Stration.DU@mm     42.2079
2     W32/Stration.DS@mm     33.2702
3     W32/Stration.GK@mm     7.8586
4     W32/Stration.FR@mm     3.7544
5     W32/Stration.FN!tr     3.3115
6     W32/Stration.BS@mm     2.3891
7     W32/Stration.EV!tr     1.9967
8     W32/Stration.FF@mm     1.1812
9     W32/Stration.EV@mm     1.0843
10    W32/Stration!tr.dldr   0.5021

No less than 70 active variants were seen this month by Fortinet’s monitoring structure. This number, however, is hard to pin down: it varies widely among vendors and depends heavily on the “generic-ness” of their respective signatures. According to Guillaume Lovet, threat response team leader for EMEA, Stration is most likely generated by a polymorphic engine (although it does NOT carry this engine, and therefore does not morph upon every replication), so rather than variants, we may talk about “runs”. Better than words, a graphic should help clear the case (figure 1):
About eight runs are observable on this figure, symbolized by sharp peaks. Each run, for the Stration authors, consists of making a new copy of Stration available on one or several of its “update URLs” (that is to say, URLs from which previous variants try to download additional components). Then, over a period of six to 48 hours, a new “repacked” version of the malware is released there every hour. It takes one or more detection patterns (aka signatures) to catch all those variants, hence the “Russian dolls” visual effect sometimes produced by the colored peaks of figure 1. As an example, here are the logs of one of our monitoring tools, following the evolution of a Stration run and making the one-hour repack time obvious:
Mon Nov 27 16:38:15 2006 : A new file with md5 sum a024e87212218a4a89fb44ade3eb1d9d was uploaded but is already caught as W32/Stration.DS@mm

Other vendors may need more or fewer signatures than that to catch a whole run, once again highlighting the challenge of determining the number of variants (and their names). A last interesting fact that can be observed on figure 1 is that the two patterns engineered to catch the runs of Nov. 1 and Nov. 2, called W32/Stration.DU@mm and W32/Stration.DS@mm, later caught most of the Nov. 26/27 and Nov. 20 runs, respectively. In pure bragging terms, this means that for those two last runs, Fortinet’s response time was 0 days, 0 hours, 0 minutes, 0 seconds.
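As an added example (not part of the original report or of Fortinet’s tooling), the following script parses lines in the monitoring-tool format quoted above, splits the uploads into runs wherever the feed goes quiet for more than a few hours, and reports, per run, the number of distinct samples, the median repack interval and the patterns that caught them. The log lines it works on are constructed, with fake md5 sums; only the line format comes from the report.

```python
import re
from datetime import datetime
from statistics import median

# Line format of the monitoring tool as quoted in the report; anything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : A new file with md5 sum "
    r"(?P<md5>[0-9a-f]{32}) was uploaded but is already caught as (?P<sig>\S+)$"
)

# Constructed sample log (not from the report): fake md5 sums, two runs a week apart,
# one repack per hour, each run covered by patterns written for earlier runs.
SAMPLE_LOG = """\
Mon Nov 20 09:12:00 2006 : A new file with md5 sum 000000000000000000000000000000a1 was uploaded but is already caught as W32/Stration.DS@mm
Mon Nov 20 10:12:00 2006 : A new file with md5 sum 000000000000000000000000000000a2 was uploaded but is already caught as W32/Stration.DS@mm
Mon Nov 20 11:12:00 2006 : A new file with md5 sum 000000000000000000000000000000a3 was uploaded but is already caught as W32/Stration.DS@mm
Sun Nov 26 22:38:15 2006 : A new file with md5 sum 000000000000000000000000000000b1 was uploaded but is already caught as W32/Stration.DU@mm
Sun Nov 26 23:38:15 2006 : A new file with md5 sum 000000000000000000000000000000b2 was uploaded but is already caught as W32/Stration.DU@mm
Mon Nov 27 00:38:15 2006 : A new file with md5 sum 000000000000000000000000000000b3 was uploaded but is already caught as W32/Stration.GK@mm
Mon Nov 27 01:40:10 2006 : A new file with md5 sum 000000000000000000000000000000b4 was uploaded but is already caught as W32/Stration.DU@mm
"""

def parse_log(text):
    """Return (timestamp, md5, signature) tuples, oldest first; unparseable lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            events.append((ts, m["md5"], m["sig"]))
    return sorted(events)

def split_runs(events, gap_hours=6):
    """Group uploads into runs: a silence longer than gap_hours starts a new run."""
    runs = []
    for ev in events:
        if runs and (ev[0] - runs[-1][-1][0]).total_seconds() <= gap_hours * 3600:
            runs[-1].append(ev)
        else:
            runs.append([ev])
    return runs

def summarize_run(run):
    """Distinct samples, median repack interval in minutes, and the patterns that caught them."""
    gaps = [(b[0] - a[0]).total_seconds() / 60 for a, b in zip(run, run[1:])]
    return {"start": run[0][0].isoformat(), "samples": len({e[1] for e in run}),
            "median_gap_min": round(median(gaps), 1) if gaps else None,
            "signatures": sorted({e[2] for e in run})}

def run_report(text=SAMPLE_LOG, gap_hours=6):
    """One summary dict per run found in the log text."""
    return [summarize_run(r) for r in split_runs(parse_log(text), gap_hours)]
```

A median interval close to 60 minutes within a run, with a single pattern covering every sample, is the signal the report describes: a new repack every hour, already caught by an existing signature.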
The Phisher Worm scavenges MySpace

Hackers have once again created an exact replica of a MySpace log-in page in order to collect personal user details. All users have to do is click on a seemingly innocuous bulletin (figure 2 above) that a trusted friend posts, asking them to check out a hilarious video, and voilà, they find themselves asked to log in again by “MySpace”, something that happens all the time on the site due to bugs. The only clue is the URL; the graphics, the revolving ads, and so on are exactly the same as on the real MySpace login page (see figure 3 below).
The modus operandi of these hackers is largely unknown; however, we can make a pretty good guess about the following:
So, what we have is a creeping phish (a phish that spreads automatically, using worm-like features) harvesting thousands to millions of MySpace accounts. As a matter of course, we immediately blacklisted this site through the web content filtering feature of our FortiGate systems, so all of our users were protected from accessing it.

Vocal phish revealed

Earlier this month, some of our honeypots received the following email:

    Subject: CreditCardDebtFree Overnight
    X-Mailer: Microsoft Outlook Express 6.00.2800.1158

    Our attorneys have discovered a loop hole in the banking laws. Using this discovery we have been successful at totally eliminating peoples CreditCardDebt with out them paying another dime. We GuaranteeThat we can do this for you. Contact us at: Inquiries: (314) 414-4*

    Then, to the amazement of the Frenchmen, Rob shot into the air fifty feet or so, from which elevation he overlooked a pretty garden in the rear of the President’s mansion. The place was protected from ordinary intrusion by high walls, but Rob descended within the enclosure and walked up to a man who was writing at a small table placed under the spreading branches of a large tree

The trailing text (after the phone number) is, of course, just meant to fool the antispam cognitive filters. This obviously looks like a scam, and more precisely a phishing attempt directing potential victims not to a rogue site but to a voice mailbox (this has often been hyped as “vishing”). Although similar attempts have been reported in the past, for the sake of the experiment, we recorded this one. You may download the .mp3 here and listen to the four-minute conning speech. The voice of the “lady” is particularly irritating, but it is safe to do so, as it is not going to infect your ears (although we did not go as far as testing for the presence of subliminal messages). In a nutshell, it asks you to leave your name, number, and email address if you want to magically wipe out your credit card debts.
The message goes as far as demanding ALL contact phone numbers, stating that they cannot help consumers without a phone number and that emails will not be returned. If a number is left, we can safely assume that the consumer will receive a call back asking for more financial details, potentially to avoid any email tracing. This scam is particularly obnoxious in the sense that it targets people with significant debts, and hence sometimes already in despair, who are the most likely to make this sort of call. In the future, it may become a necessity to blacklist such VoIP boxes at the gateway level, as we do with phishing sites.