Fortinet Reviews Malicious Code Activity During October 2005
This month's highlights:
October, by the numbers: Most Reported Malware in October, 2005:
Top 10 countries:
MyTob.NA and MyTob.MY - The Most Successful Outbreaks in a While

In October, Fortinet observed pervasive outbreaks of the MyTob mass-mailing virus variants. Fortinet tracked MyTob.NA entering the chart directly as the third most prevalent threat, with 3% of the global virus activity. This highlights the success of this mass-mailing virus outbreak, along with one of its close siblings, MyTob.MY, which accounted for 2% of the global virus activity. Fortinet also found that over the second half of October (both threats appeared around the 15th), the two MyTob variants together accounted for more than 10% of the global virus activity, making MyTob the most successful outbreak in a while. To understand why MyTob was so successful, let's go back to basics. Three factors mark an outbreak's success:
In the case of MyTob, the outbreak's success obviously lies in point 3 above. As an example, let's look at email samples sent by MyTob.NA and MyTob.MY, as received by the hypothetical user john.doe@fortinet.com:
**************************************************
Dear user john.doe,
It has come to our attention that your Fortinet User Profile ( x ) records are out of date. For further details see the attached document.
Thank you for using Fortinet!
+++ Attachment: No Virus (Clean)
*******************************
Dear Fortinet Member,
Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service. If you choose to ignore our request, you leave us no choice but to cancel your membership.
Virtually yours,
+++ Attachment: No Virus found
******************************
Dear user john.doe,
You have successfully updated the password of your Fortinet account. If you did not authorize this change or if you need assistance with your account, please contact Fortinet customer service at: register@fortinet.com
Thank you for using Fortinet!
*******************************

For more information on the MyTob variants, please visit Fortinet's related advisory within its FortiGuard Center: http://www.fortiguardcenter.com/mytob_advisory2.html

MyTob variants appeared to be raining in October, with more than 20 variants or minor variants hitting the scene this month. We have observed similar "storms" (with MyTob or other malware) in the past, and all seem to have the same purpose: increasing the opportunity window (per point 1 above) by fragmenting it. According to Fortinet Threat Response Team Leader - EMEA, Guillaume Lovet, "Indeed, malware authors are aware that once detection is out for their critter, the outbreak is virtually over. In order to build a large pool of infected computers (i.e., a botnet), they therefore start to seed a repacked, undetected variant with similar functionalities as soon as the previous one is caught by antivirus definitions. The global opportunity window for such an attack is then the sum of the windows of each variant."
Sober.R: "Your Polymorph Powers are Weak, Old Man"

This month saw another approach to enlarging the "opportunity window", with Sober.R. Rather than going for a variant storm, its authors chose polymorphic code, in order to make the threat analysts' task more difficult and delay the release of definitions. However, the weak polymorphic scheme, with the first 8921 bytes static and the rest random appended garbage, resulted in a spectacular failure of the outbreak: a signature anchored on the static portion detects every variant regardless of what is appended. Since it appeared in the wild, Sober.R has accounted for far less than 1% of the global virus activity. This, however, raises a concern: what if malware authors again invest in developing complex, highly polymorphic engines, as they did back in the old DOS days? According to Fortinet Threat Response Team Leader - EMEA, Guillaume Lovet, "32-bit emulators haven't reached an acceptable level of performance to be effectively used in detecting that type of code, hence antivirus vendors will have to resort to their ability to see through obfuscation layers. This can be done, of course, but in some cases it's pretty tricky; as a consequence, a malware implementing an advanced polymorphic/metamorphic engine may benefit from a particularly wide opportunity window. If coupled with an effective spreading routine, the resulting outbreak could be quite spectacular."

Botnets & Spyware: Money Makes the World Go Round

September statistics indicated a significant rise in spyware activity. This trend was confirmed in October. Most malware threats that appear today can be split into two categories: bots and spyware. Bots take aim at increasing the number of computers controlled by cybercriminals (botnets). Spyware threats are usually seeded by the botnets to make money for the cybercriminals. More and more virus writers and botnet owners are realizing that distribution of spyware is a very lucrative and simple activity.
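The Sober.R section above makes a point worth seeing in code: appending random garbage after a fixed body is not real polymorphism, because any signature anchored on the static bytes still matches, while a scheme that re-encodes the body itself does defeat such a signature. The following Python is an added example, not code from the original report or from Fortinet. The only figure taken from the report is the 8921-byte static prefix; the sample body, the number of variants, the garbage lengths and the XOR re-encoding are all constructed for illustration, and a hash over the static prefix stands in for the byte-pattern signature an analyst would actually write.

```python
import hashlib
import random

# The report states Sober.R's first 8921 bytes were static and the rest was
# random appended garbage. Only that number is taken from the report; every
# other value in this file is constructed for the demonstration.
STATIC_PREFIX_LEN = 8921


def make_static_body(seed: bytes = b"constructed stand-in body") -> bytes:
    """Constructed, deterministic stand-in for the unchanging part of a sample.

    This is NOT Sober.R code. SHA-256 output is used only as a cheap source of
    reproducible, non-repeating bytes of the required length.
    """
    out = bytearray()
    counter = 0
    while len(out) < STATIC_PREFIX_LEN:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:STATIC_PREFIX_LEN])


def prefix_signature(sample: bytes, length: int = STATIC_PREFIX_LEN) -> str:
    """Signature anchored on the first `length` bytes only.

    Models what an analyst extracts once the trailer is recognised as junk.
    """
    return hashlib.sha256(sample[:length]).hexdigest()


def whole_file_signature(sample: bytes) -> str:
    """Naive whole-file hash, i.e. what a plain hash blacklist would store."""
    return hashlib.sha256(sample).hexdigest()


def append_garbage(body: bytes, n_bytes: int, rng: random.Random) -> bytes:
    """Model the Sober.R scheme: the same body followed by n random bytes."""
    return body + rng.randbytes(n_bytes)


def xor_reencode(body: bytes, key: int) -> bytes:
    """Model the stronger scheme the report worries about: every byte of the
    body differs per variant. A real engine would also emit a decryptor stub;
    that is omitted since only the signature-matching behaviour matters here.
    """
    return bytes(b ^ key for b in body)


def is_detected(sample: bytes, known_prefix_sig: str) -> bool:
    """Detection using the static-prefix signature."""
    return prefix_signature(sample) == known_prefix_sig


def run_demo(n_variants: int = 5, seed: int = 2005) -> dict:
    """Generate both kinds of variant and report how each signature type fares."""
    rng = random.Random(seed)                # fixed seed: the run is reproducible
    body = make_static_body()
    prefix_sig = prefix_signature(body)      # taken from the first captured sample
    full_sig = whole_file_signature(body)

    garbage_variants = [append_garbage(body, rng.randint(1, 4096), rng)
                        for _ in range(n_variants)]
    reencoded = xor_reencode(body, 0x5A)     # constructed key, any non-zero value works

    return {
        "garbage_variants": n_variants,
        # Appended garbage never touches the first 8921 bytes, so every variant matches.
        "garbage_prefix_hits": sum(is_detected(v, prefix_sig) for v in garbage_variants),
        # The whole-file hash changes with each variant, so a hash blacklist misses them all.
        "garbage_full_hash_hits": sum(whole_file_signature(v) == full_sig
                                      for v in garbage_variants),
        # Re-encoding the body itself defeats the static-prefix signature.
        "reencoded_prefix_hit": is_detected(reencoded, prefix_sig),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The contrast between `garbage_full_hash_hits` and `garbage_prefix_hits` is the practical lesson: a detection keyed on the whole file is defeated by a single appended byte, whereas one anchored on the bytes the author could not change is not. The `reencoded_prefix_hit` result is the report's concern in miniature: once the body itself changes per variant, a static signature no longer works and detection must look through the encoding layer, for example by emulating or unpacking the decryptor stub that a real engine would prepend.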
Below is a screenshot of a typical thread one may find in underground forums:
"Zombie networks," controlled remotely by cybercriminals, have become today's most serious threat. According to Fortinet Manager of Malicious Code Research, Nick Bilogorskiy, "Botnets are used to seed new worms, send spam and phishing email, steal confidential data and user identities, and plant spyware. In October, spam activity decreased as more Internet Service Providers (ISPs) are now blocking port 25 to prevent 'zombies' from relaying spam, so it's only logical that 'bot herders' will direct their botnets (which sometimes reach the size of 1.5 million PCs) to more fruitful activities. Expect spyware distribution to become the primary money-maker for bot owners, followed closely by stealing online banking information."

Large botnets can shut down any online business through a denial-of-service attack, so blackmailing online banks, payment service agencies and online auction sites could also prove effective. In addition to downloading spyware to already infected, enslaved machines, some worms are starting to directly embed spyware features within their code, and this seems to be only the beginning. To protect against such malware, a comprehensive security approach that includes proactive detection through heuristics technology as well as fast signature updates for reactive protection is recommended. Good disinfection tools also go a long way towards minimizing the damage caused by an outbreak.