Total detected malware volume continued its climbing trend this period, posting the highest levels detected to date this year. On top of this steep incline, evident since March 2009, the number of distinct variants (malicious pieces of code) has also continued to increase gradually. Several malware attack waves were evident this period, most notably on the 24th of July, when a huge surge of ZBot activity occurred through HTML/Agent.E!tr. In fact, this particular campaign posted record detection levels for a single-day run, surpassing that of the Sober worm in January 2006, the Storm worm in January 2007, and rogue security software in September 2008. The variant flooded on July 24th was HTML/Agent.E, which is in fact a ZBot variant attached to a MIME sample (email). This email seeding campaign once again – as we reported in June this year – used a simple eCard social engineering hook. While record activity was detected that day, it was not quite enough to gain first position in our malware top 10, as the online gaming trojan W32/OnlineGames.BBR held first place for the third consecutive month. Another ZBot variant made our top 10 this month: W32/Kryptik.E. Bredolab (a trojan detected as W32/Bredloab.AI!tr and HTML/Agent.Q!tr) continued to be distributed through DHL invoice email campaigns. Fake package deliveries, with purported invoice attachments, continue to be a favored hook that we have seen for well over a year now. DHL, FedEx and UPS are all names that attackers have used in an attempt to lure potential victims.

Apart from these two spam campaigns, which carried dangerous attachments, we saw considerable volume from a classic moneymule scheme in the form of a (fake) job advertisement for Honeywell International. While the text is for the most part professionally written, the scam trades on a legitimate company name in order to entice victims looking for some easy cash. Reading further, the job description in “Accounts Receivable” involves forwarding 90% of received funds to a branch office while keeping the remaining 10% as commission. In reality, cyber criminals often need a way to move money, and the moneymule is a favored way to do so. Global spam rates remained relatively consistent this period, and regional activity was more evenly distributed, with the USA, Japan and France accounting for similar shares. New to the regional spam volume this period was Israel, coming in fifth place for received spam volume in this report. Phishing was the web threat category that experienced the highest growth in volume compared to last period.

In another ongoing trend which we have frequently discussed, new software vulnerabilities continue to be disclosed and exploited at a growing pace. This period, a whopping 168 new vulnerabilities were covered, 60 of which were detected to be attacked in the wild – a formidable exploit rate of 35%. This is up from 27 of 89 new vulnerabilities reported to be attacked last report (30%). Most concerning this month is that a large portion of these attacked vulnerabilities are rated as critical, often indicating the possibility of remote code execution; in other words, an easy way for an attacker to infiltrate your system(s). On August 11th, we released an advisory for a vulnerability in Microsoft Office Web Components (MS09-043), for which we have detected consistent exploit activity in the wild. For more information about this vulnerability, please read our blog post. This period, we have also detected consistent attacks in the wild against Adobe Reader / Flash (APSA09-03). Our official advisory can be found here, including detection of trojans dropped through these attacks. Be sure to patch your systems, as we continue to detect ongoing attacks.

Author bio: Derek Manky is FortiGuard Labs' senior security strategist and contributes to security research and development, while also acting as a bridge to the public forum on results and findings. He coordinates research team efforts and manages responsible disclosure, and industry collaboration efforts between Fortinet and other vendors.