There was much activity to recap on our May 2009 Threat Landscape report, now available through Fortinet’s FortiGuard Center. During this month-long period from late April to May, there were many items to highlight:

Threats were on the increase in all areas, with a flurry of activity coming from malware. Last report we discussed the consistent activity from Virut and online gaming trojans, as well as the real money trading business to which cybercriminals flock: gold farming, account harvesting, etc. There were three gaming trojan variants present then, with W32/Dropper.PTD leading the pack in second position just behind W32/Virut.A. This report, W32/Dropper.PTD accounted for a whopping 34.5% of total detected malware activity, easily claiming the top of our charts. This variant is an online gaming trojan which was recently observed to sniff credentials from targeted servers linked to “Zhu Xian”, a popular MMORPG developed by Perfect World. First launched in China in 2007, the game has since expanded through licensing agreements to markets in Malaysia, Singapore, Vietnam and Thailand (2008). Cybercriminals have indeed followed this market movement: our intelligence systems indicated a heavy activity rate in China this period for W32/Dropper.PTD, with Thailand (one of the expanded regions) positioned right behind in second place. A closed beta test was just announced for “Zhu Xian” in North America, with a planned release under the name “Jade Dynasty”. A similar threat movement may hit North America in the near future as such popular games from Asia (where online gaming threats are currently the most prevalent) expand to growing North American markets.

Not only did W32/Virut.A continue the strong activity we have witnessed over the past year, but a new and improved variant, W32/Virut.E, also shot up into tenth position in our top ten this period. Virut is a parasitic file infector that contains botnet capabilities and has been seen to infect and spread through other worms. W32/Virut.E exhibits much the same behaviour as the ‘A’ variant, but is refactored to be more efficient and robust. Watch out for this, as Virut, with its hybrid capabilities, can come in many shapes and through many vectors. Meanwhile, Waledac continued to build its malicious network, as one of the many variants belonging to this family showed up in our malware top 10.

China maintained its lead in detected malware activity over the USA for two consecutive periods, helped by online gaming threats; overall, malware volume increased +66% from last report while distinct variants stayed virtually the same with a +1% increase. For period-over-period web threat growth, Pornography declined -31% from last report while both the Malware and Spyware categories were on the rise (19% and 7% respectively) – see Figure 6b in our report. One of the higher profile web attacks this month was Gumblar, which used JS/Redir.MR to hit drive-by download points (first served on the domain Gumblar.cn) that served up malicious PDF and SWF files. This, combined with the rise in exploits we witnessed this period, is an important reminder to keep all of your software patched and up to date to help thwart such attacks.

New vulnerabilities and active exploits were at their highest reported rates so far this year. Out of 140 newly covered vulnerabilities this period, 46.4% were reported to be actively exploited, well up from last report (31.3%). The most active exploit overall this period was the notorious MS08-067 vulnerability, first made infamous through Conficker. This exploit (MS.DCERPC.NETAPI32.Buffer.Overflow), which targets a vulnerability in Microsoft’s Server service through RPC, has climbed its way to the top of our ranks because of its success: Conficker was the first to incorporate it, and recently other malware, such as the Neeris worm, has been following suit.

Spam levels were highest at the beginning of May, but have generally increased overall from last report. The Canadian Pharmacy gang has been more aggressive with its location-based services, as many spam mails containing links to its sites were spotted localized in German. We previously showed a similar example for Canadian Pharmacy in Russian. They are currently pushing TamiFlu as one of their main “products”, hoping to draw potential victims to their wares through current events and the recent swine flu.

Author bio: Derek Manky is FortiGuard Labs' senior security strategist and contributes to security research and development, while also acting as a bridge to the public forum on results and findings. He coordinates research team efforts and manages responsible disclosure, and industry collaboration efforts between Fortinet and other vendors.