February 2010 Threat Landscape: Ransomware Rampant, Fueled by Cutwail
March 8, 2010 at 4:27 pm
There were many flavors of threats observed during this period, though most were overshadowed by a campaign that accounted for more than half of our total malware detections (detected as HTML/Goldun.AXT) – in just two days. Over these two days the daily detected volume of these malicious emails came very close to record levels. This spam campaign delivered a malware binary using the filename “report.zip” which, when executed, downloaded rogue antivirus software. Specifically, this downloader installed the ransomware “Security Tool” – an upgraded version of “Total Security,” a scareware suite that ran rampant in 2009. Once executed, Security Tool actually locks out applications and forces the user into buying a “cleansing” tool that will restore the use of their computer. Until this is done, no application other than Internet Explorer (required to visit the payment portal) can be launched. One of our 2010 threat predictions was the rise of ransomware – it seems this has now become a harsh reality, given the flood of volume we witnessed with this one particular ransomware campaign. And this is just one example – we have seen Security Tool distributed through SEO attacks and beyond.
The email used for the HTML/Goldun.AXT campaign may look familiar, because we saw this same campaign quite some time ago, in late 2008, during the first large flood of scareware to hit cyberspace. Here is the example email outlined in our November 2008 Threat Landscape Report. At that time, the very same spam template was delivering the Goldun trojan; now, this spam is used to spread the FakeAV downloader that installs the Security Tool ransomware. This is a great example of how tried and true attack techniques and social engineering can be recycled into future attacks, and of how layered security really helps mitigate these variants. For example, spam detection in this case can help mitigate old and current attacks being reused with new virus binaries; as another layer, antivirus helps guard against the malicious binaries even if the spam campaigns change. In this report, we witnessed multiple, varying spam campaigns for Security Tool. So, who is behind these attack campaigns? We know that the engine driving these record-breaking spam runs is none other than Cutwail (see our in-depth analysis here for more info on this spam botnet). Some of the more prevalent spam campaigns driven by Cutwail distribute scareware / ransomware; it is popular because of the high profits available to cyber criminals. We have seen Cutwail grow because it has proven effective and successful with its scareware campaigns. Cutwail will also spam out botnet binaries (“seeding campaigns”) and other advertisements, which indicates Cutwail is likely hired out as a spamming service (Crime as a Service) to multiple cyber criminals. Thus, it is likely not just one individual and/or group behind these campaigns. With record levels and Cutwail operating in parallel with Webwail – its web spamming counterpart – there is no doubt we will see much more troublesome activity from this pair in the future.
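The two layers described above, a spam-filter rule keyed on the recycled message template and content inspection of the attached binary, as an added Python example that is not part of this report or its authors' products. It parses a raw message, checks the subject against a template rule, and opens any zip attachment to see whether a member is a Windows executable (by extension or by its MZ header). The subject pattern and the sample messages are constructed placeholders, since the post does not quote the campaign text; the three cases in the `__main__` block show that the template rule alone misses a re-templated run, the attachment check alone misses a benign-looking mail, and the two together cover both.

```python
"""Layered mail check: a spam-template rule plus attachment inspection.

Constructed illustration of the layered-defence point. The template
pattern and sample messages are placeholders, not the real Goldun.AXT
spam text, which the report does not quote.
"""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Layer 1 (spam filter): a rule keyed on the recycled message template.
# Constructed placeholder pattern; the real campaign text is not reproduced.
TEMPLATE_RULE = re.compile(r"^your report is ready", re.IGNORECASE)

# Layer 2 (content inspection): what counts as an executable inside a zip.
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
PE_MAGIC = b"MZ"  # DOS/PE header that Windows executables start with


def zip_has_executable(zip_bytes):
    """Return names of archive members that look executable (extension or PE header)."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                name = info.filename
                try:
                    with zf.open(info) as fh:
                        head = fh.read(2)  # only the magic bytes are needed
                except RuntimeError:
                    # Password-protected member: cannot be scanned, so flag it.
                    hits.append(name + " (encrypted)")
                    continue
                if name.lower().endswith(EXEC_EXTENSIONS) or head == PE_MAGIC:
                    hits.append(name)
    except zipfile.BadZipFile:
        hits.append("(unparseable archive)")
    return hits


def analyse(raw_message):
    """Run both layers over a raw RFC 5322 message and report which fired."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    verdict = {"template": False, "executables": []}
    if TEMPLATE_RULE.search(msg.get("Subject", "")):
        verdict["template"] = True
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        # Inspect anything that is a zip by name or by its "PK" signature.
        if name.endswith(".zip") or payload[:2] == b"PK":
            verdict["executables"].extend(zip_has_executable(payload))
    return verdict


def build_sample(subject, member_name, member_bytes):
    """Constructed test message carrying a single-member report.zip attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, member_bytes)
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg.set_content("Please see the attached report.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="report.zip")
    return msg.as_bytes()


# Constructed stand-in for a Windows binary: PE magic followed by padding.
FAKE_PE = PE_MAGIC + b"\x90" * 62

if __name__ == "__main__":
    # Old template, new binary: both layers fire.
    print(analyse(build_sample("Your report is ready", "report.exe", FAKE_PE)))
    # New template, same binary: only content inspection fires.
    print(analyse(build_sample("Invoice for February", "report.exe", FAKE_PE)))
    # Old template, harmless text: only the spam rule fires.
    print(analyse(build_sample("Your report is ready", "report.txt", b"nothing here")))
```

The MZ check matters because a renamed executable (say `report.dat`) would slip past an extension-only rule, and an encrypted member is flagged rather than silently skipped, since a scanner that cannot look inside should not return a clean verdict.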
Apart from ransomware, our malware top 10 this period was riddled with many other active threats including, in second place, the Buzus spam trojan, followed in order by the Bredolab, Gumblar and Sasfis botnets. This is further emphasized in our attack top ten list, with Gumblar.Botnet traffic taking position as our number one detected malicious network chatter. While these threats remain the main players, many individual botnets still thrive, such as Kneber – discussed here in our blog. Perhaps most interesting in our attack list is the addition of the fifth-ranked attack, Sun.Java.HsbParser.GetSoundBank.Stack.Buffer.Overflow (CVE-2009-3867), a vulnerability in Sun Java which can be triggered through a malicious Java applet when visiting a malicious website. We have confirmed that the majority of these detections come from Metasploit setups, no doubt a favorite attack platform for a quick-and-easy campaign. Overall, active exploits for new vulnerabilities remained high this period, with 39% of newly covered vulnerabilities being attacked in the wild (Figure 1c). Apart from these, zero-days continue to be an issue: we saw the release of two out-of-band patches by Adobe (Feb 11 and Feb 16), as well as a breaking zero-day for Oracle. As always, we remind you to stay up to date with patches when they are released, while keeping mitigating solutions in place such as antivirus and intrusion prevention.
