April 2010 Threat Landscape: Patched MS Zero-Day Still Active, Demand for Money Mules
May 3, 2010 at 1:15 pm
Our latest Threat Landscape Report is up, and for the second time in a row, MS.IE.Userdata.Behavior.Code.Execution (CVE-2010-0806) remained our second-most detected malicious network activity. Thankfully, this was patched out of band by Microsoft on March 30th via MS10-018. However, we detected the most significant in-the-wild activity for this threat prior to the patch – while the vulnerability was still a zero-day (a window of at least 21 days). In fact, as of writing, one of the malicious domains attacking this vulnerability still remains active, serving exploit code. We observed one attack that installed the infamous spy trojan Gh0st RAT, a full-featured remote administration tool that can also stream webcam video and audio feeds. FortiGuard Labs also disclosed four vulnerabilities that we reported to Adobe and Microsoft in the Visio and Reader / Acrobat products. Patches were issued for these this month; please see our bulletins (FGA-2010-17, FGA-2010-18) for more information. Be careful out there, and remember to keep all your software — especially web browsers and the operating system itself — up to date with available patches, on top of running an intrusion prevention system.
While the Gumblar botnet led the way, Sasfis botnet activity also increased during this reporting period, landing in fourth spot for detected malicious network activity (Figure 1a). This was further backed by two Sasfis botnet binaries in our antivirus Top 10 listing. Sasfis, much like Bredolab, is a botnet loader that simply reports statistics and retrieves/executes files upon check-in. Unlike its counterpart Bredolab, however, Sasfis is somewhat newer and does not employ any encryption: all communications are sent over plain, unencrypted HTTP. Nonetheless, it remains aggressive in spreading and typically loads banking trojans among other malicious files. For more information on Sasfis, please see our technical analysis here. Detected virus activity this month primarily belonged to Scareware and Ransomware. This is no surprise, as Scareware has been consistently prevalent since September 2008, with Ransomware making headway in 2010, thanks to incentives from affiliate-backed programs that pay out when victims purchase the fake products.
We continue to observe the Cutwail spambot, which has been active for years, sending various spam campaigns for its customers. The spam sent by Cutwail this month typically included malicious links to eCard zip binaries, or emails with the binaries themselves attached. This period we saw three spam campaigns that all share one purpose, advertised by two companies (“us-consalt.com” and “web-projects-us.com”) using very similar techniques / templates. Under the hood, they are money mule recruitment campaigns. Money mules are essentially money laundering vehicles utilized by cyber criminals to handle and transfer illicit funds: the mule receives a commission for performing the transfer. These transfers are done in batches, typically <= $10,000 USD. Money mule positions are typically crafted as legitimate-sounding jobs, such as accounts receivable positions. Here is another example of such a campaign from our December 2009 Threat Landscape Report. As cyber criminals expand their horizons and make more cash, there has been a direct increase in demand for money mules. One of our 2010 predictions (the rise of Ransomware) has already become a reality, and we are clearly seeing more movement on another one (more money mule positions available) as more campaigns like these emerge. Remember, if something seems too good to be true, it generally is. To underscore this note, please see our recent analysis on the Anatomy of an Inland Revenue Phishing Expedition.