The State of Malware Today - September 2005

Fortinet Reviews Malicious Code Activity During September 2005

This month's highlights:

• Bagle/Mitglieder - The Most Significant Threat in September
• Rise of Spyware - Top Ten Threats in September Highlight a Striking Trend
• Phishing Attempts Take Advantage of Hurricane Katrina
• Most Unique Outbreak for the Past Several Months
• Trojan Masquerading as Security Patch Install Update from Microsoft

September, by the numbers:

Top 10 countries reporting infections in September 2005:

Bagle/Mitglieder - The Most Significant Threat in September

The week starting on Monday, September 19, essentially consisted of an absolute Mitglieder (aka "Bagle downloader") Trojan frenzy, with several variants hitting the scene every day. As Trojans, Mitglieders don't replicate by themselves. They were mostly sent out very aggressively with the intent for users to download a copy of Bagle - and appear to have been sent more aggressively than any Trojan previously.

According to Fortinet Threat Response Team Leader - EMEA, Guillaume Lovet, "The high frequency of new variant releases, which correspond to slight modifications in the code before packing, may indicate that authors tried to challenge antivirus vendors - much like MyTob authors did back in May of this year. This obviously failed, as most vendors responded quickly with generic signatures - and above all because to my knowledge, Bagle copies haven't ever been available for download. Proof is that the first Bagle variant to appear in Fortinet's virus activity top 100 list is down around 50th place, with less than 1% of the global activity."

For more information on Bagle/Mitglieder, please visit the related advisory in Fortinet's FortiGuard Center: Bagle.CJ

Rise of Spyware - Top Ten Threats in September Highlight a Striking Trend

Whereas, historically, Fortinet's monthly top 10 threats list has been a list of the most active mass-mailing worms, nearly half of September's top 10 threats are not worms. In addition to HTML/Ebay-phish and Adware/180Solutions, the September top 10 threats list now features two additional spyware threats: ZangoSA, a so called "browser helper object," which spies on users' browsing habits, and the one year old Download/Px, a shady installer, which silently downloads and runs an impressive list of spyware.

How can simple spyware, which unlike worms do NOT replicate (let alone embed a mass-mailing engine), kick several well-implanted mass-mailers such as Zafis or MyTobs out of the top 10?

Let's consider the three main ways to get infected by spyware:

• 1. A user visits a malicious Webpage with an unpatched browser (usually following a link in a malicious email)
• 2. A user clicks the attachment in a malicious email
• 3. A resident virus is instructed to install spyware on the infected host

Phishing Attempts Take Advantage of Hurricane Katrina

Unfortunately, as more proof that greed sometimes doesn't stop before suffering, numerous phishing attempts taking advantage of Hurricane Katrina related events were reported in September. These phishing emails urge users to log into malicious Websites posing as charities and prompting users to donate relief funds. This follows the numerous scams that made use of other major catastrophes such as the Tsunami or the London Underground attacks, and precedes those, which will most likely appear in regards to Hurricane Rita's related events (several domain names have been registered already, such as "HURRICANE-RITA-RELIEF.net" or "RITA-DONATIONS.com").

According to Fortinet Threat Response Team Leader - EMEA, Guillaume Lovet, "It's sad to say, but experience proves that whenever an important event is hitting the news, and the more it generates commiseration and donations, the more phishing attempts pop up in response - so be cautious. Additionally, to secure against phishing sites, Fortinet highly recommends using a Web filtering service that blacklists malicious sites used for phishing attacks, in addition to a complete security strategy for Internet gateways and host systems."

US-CERT strongly recommends that all users reference the Federal Emergency Management Agency (FEMA) Website for a list of legitimate charities to securely donate to their charity of choice. http://www.fema.gov/news/newsrelease.fema?id=18473

Most Unique Outbreak for the Past Several Months

September quite possibly could have produced the most unique outbreak of the past few months. Emails in German, mimicking the eBay look and feel and claiming to originate from ebay.de, were heavily spammed with an attached file named "Ebay rechnung.pdf.exe." While the "click the attachment" social engineering payload was everything but original, the file was a lot more surprising. Either the file was a small non-malicious application implementing a very basic cipher/decipher operation (Caesar's cipher...), or it was a downloader (W32/Agent.UF-dldr) that would first retrieve a text file containing the following data:

jvvr8--ig***-`caiwr,gzg
jvvr8--hmntcf,***,gzg
jvvr8--qkvc`mp,amo-***-20,gzg
jvvr8--qxc`cfcnokic***mpi-q{q,vzv
jvvr8--uuu,`qcvpclq,***-nmeq-3nm,gzg

This data looks like URLs encoded by a simple shift-cipher, and indeed, it is. Using the small application mentioned above, this data translates to the below locations where the malware would download copies of a P2P Worm called W32/Goldun.A-net (as a second step in its infection process.):

http://keraker.hu/***.exe
http://jolvad.hu/***.exe
http://sitabor.com/***/***/***.exe
http://szabadalmikamara.hu/***/***.txt
http://www.bsatrans.com/***/***/***.exe

According to Fortinet Threat Response Team Leader - EMEA, Guillaume Lovet, "The benefits of downloading a file, which in turn contains a list of locations (vs. reaching those locations directly) are unclear. Most likely, the authors thought that since the file was meaningless plain text, Web hosting companies hosting it would not take it offline, despite complaints from threat researchers. That way, sites hosting the actual malware could be shut down - authors would just relocate samples elsewhere and change the ciphered locations list."

User Trojan Masquerading as Security Patch Install Update from Microsoft

Malicious emails claiming to be from Microsoft, and urging users to install the attached security patch - which is actually a casual Trojan - continue to be distributed in September. This time around it's called W32/Zapchast.F-tr, and follows in the footsteps of many other threats that thrived on the same type of social engineering: W32/Swen.A, W32/Sober.D, W32/Dumaru, W32/MyDoom.AD and W32/Pandem.B to name a few.

About Fortinet (www.fortinet.com)

Fortinet is the confirmed leader of the Unified Threat Management market. The company's award-winning FortiGate™ series of ASIC-accelerated multi-threat security systems, winner of the 2004 Security Product of the Year Award from Network Computing Magazine and the 2003 Networking Industry Awards Firewall Product of the Year, are the new generation of real-time network protection systems. They detect and eliminate the most damaging, content-based threats from e-mail and Web traffic such as viruses, worms, intrusions, inappropriate Web content and more in real time - without degrading network performance. FortiGate systems are the only security products that are certified five times over by the ICSA (antivirus, firewall, IPSec, SSL, NIDS), and deliver a full range of network-level and application-level services in integrated, easily managed platforms. Named to the Red Herring Top 100 Private Companies, Fortinet is privately held and based in Sunnyvale, California.