April Threat Landscape Report: Waledac, Online Gaming and Virut
April 28, 2009 at 10:36 am
Our April 2009 Threat Landscape Report is now available, recapping a month of threat activity spanning exploits, malware, and spam. Here are some key movements from the report, along with comments:
Waledac is one of the most active malware families to be on the lookout for. This period, we saw a fifth campaign hit since the beginning of this year, serving up malicious variants disguised as SMS spying software. With frequent campaigns, heavy server-side polymorphism, binaries packed with fluctuating seed lists (portions of its network), and peer-to-peer HTTP communication through fast-fluxed zombies, it is no wonder this malicious network has been so resilient. Waledac, like many blended threats, is multi-functional, with the ability to receive and spew custom spam templates, launch denial of service attacks, and download further components. It was also spotted on Conficker’s network, which, in concert with its own various campaigns, has further helped this family gain momentum.
Four new variants landed in our malware top 10 this period, two of them online gaming trojans. Next to Virut, the three most prevalent threats were gaming trojans, with a fourth variant narrowly missing a ranking in our top 10. Collectively, these threats formed a significant portion of our detected activity. The lucrative marketplace created through online gaming has certainly attracted cyber crime with haste, as we have reported over the past year. Real money trading (RMT) is now an estimated $2 billion USD annual market that is surrounded by illegitimate practices, fueled by threats like the ones you see in third and fourth position in our malware top ten this period.
W32/Virut.A is still king of the hill in our malware top 10, claiming first position for the second month in a row and building on a year-long run within the top ten. This virulent file infector has a rather consistent daily activity rate, similar to mass mailers – indeed, this could be due to self-distribution via mass mailers through its hybrid effect. As we anticipated, no significant activity occurred with Conficker.C on the much hyped April 1st date; however, soon after, Conficker.C’s newly established peer-to-peer network became active.
Exploit activity with MS.DCERPC.NETAPI32.Buffer.Overflow (MS08-067) picked up once again during the first week of April, returning to February levels after a significant drop in March. The drop was due to Conficker.C variants ceasing exploit activity, while the subsequent increase can be linked to several factors outside of Conficker. Most notably, a different malware family was observed exploiting the same vulnerability during this period. This is not too surprising, as vulnerabilities are very much a shared resource that is leveraged for years after disclosure. Over 31% of new vulnerabilities this period (96 in total) were reported to be actively exploited; 36 of the new vulnerabilities were rated as ‘Critical’, marking a year high, up from 30 last period.
