November 2009 Threat Landscape: Pushdo/Cutwail king, Sasfis emerges, iPhone under fire

by Derek Manky
December 2, 2009 at 12:38 pm

We have put up our November 2009 Threat Landscape Report, which shows movement in the annual malware records set for 2009. Malware continued to be distributed at peak volume this period, building on a surge that began in September 2009. Last report, Bredolab and Scareware were the main occupants of our malware top 10 listing and were setting records in daily detected volume. Now a battle of the bots has ensued, with Pushdo / Cutwail firmly taking the reins. In the latest development, we observed a Pushdo variant attempting to remove “grpconv.exe”, a binary associated with Bredolab. Malicious code has been seen removing rival threats before (Netsky vs. MyDoom, Storm vs. Stration). The Pushdo botnet is known to download the Cutwail trojan, among other components. Two variants of the Cutwail trojan accounted for over 30% of total malware activity this report, ranked #1 and #2 in our top ten listing. Cutwail did this in tremendous volume, nearly doubling the daily records set by Bredolab and Scareware last report. This activity was a large contributor to the sharp rise in total volume we have observed over the last three months.

The Cutwail seeding campaigns were largely observed during the first week of November and used simple social engineering: emails with the subject “Hello Darling” and Cutwail attached as “photos.zip”. Other campaigns posed as UPS/DHL invoices, similar to Bredolab. Once installed, Cutwail mass-mails whatever spam templates it receives. In November, we observed templates advertising pirated software for sale, typically between $60 and $230 USD. Cutwail is also known to frequently send pharmacy spam such as Canadian Pharmacy, which, like Scareware, is profitable because of affiliate programs with high payouts.
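The lure pattern above (a friendly subject, a zip attachment, an executable inside) is something a mail gateway can check for without any signature. The following is an added example written for this post, not code from the report or from FortiGuard: it builds a constructed message modelled on the “Hello Darling” / photos.zip lure, opens the zip attachment in memory, and flags members with an executable extension, a double extension, or a PE header, while treating password-protected members as unscannable. The sample addresses, the executable-extension list and the verdict labels are assumptions; only the subject lure comes from the report.

```python
import email
import email.policy
import io
import os
import zipfile
from email.message import EmailMessage

# Extensions Windows will run on double-click (assumed list, extend as needed).
# The name is attacker-controlled, so the member's first bytes are checked too.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Subject fragment from the November campaign described in the post, matched
# case-insensitively as a substring; add the UPS/DHL invoice subjects seen at
# your own gateway.
KNOWN_LURES = ("hello darling",)


def inspect_zip(data: bytes) -> list:
    """Return one finding per suspicious member of an in-memory zip archive."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["attachment presented as .zip is not a valid zip archive"]
    findings = []
    with zf:
        for info in zf.infolist():
            name = info.filename
            ext = os.path.splitext(name.lower())[1]
            if info.flag_bits & 0x1:
                # Encrypted member: cannot be scanned, which is itself a signal.
                findings.append(f"{name}: encrypted member, contents not scannable")
                continue
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append(f"{name}: executable extension {ext}")
                if name.lower().count(".") >= 2:
                    findings.append(f"{name}: double extension disguises executable")
            with zf.open(info) as member:
                if member.read(2) == b"MZ":
                    findings.append(f"{name}: PE (MZ) header")
    return findings


def triage_message(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and report lure subject plus zip findings."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    subject = str(msg["Subject"] or "")
    subject_lure = any(lure in subject.lower() for lure in KNOWN_LURES)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        # Trust the bytes (zip local-file header magic), not only the name.
        if payload.startswith(b"PK\x03\x04") or filename.lower().endswith(".zip"):
            findings.extend(f"{filename}: {f}" for f in inspect_zip(payload))
    if findings:
        verdict = "quarantine"
    elif subject_lure:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"subject": subject, "subject_lure": subject_lure,
            "findings": findings, "verdict": verdict}


def _message_with_zip(subject: str, member_name: str, member_bytes: bytes) -> bytes:
    """Build a constructed test message carrying one zip attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, member_bytes)
    msg = EmailMessage()
    msg["From"] = "darling@example.net"   # assumed sender
    msg["To"] = "victim@example.com"      # assumed recipient
    msg["Subject"] = subject
    msg.set_content("Here are the photos I promised you.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="photos.zip")
    return msg.as_bytes()


def build_sample_message() -> bytes:
    """Constructed lure: an MZ stub stands in for the trojan (not a real capture)."""
    return _message_with_zip("Hello Darling", "photos.jpg.exe", b"MZ" + b"\x00" * 62)


def build_clean_message() -> bytes:
    """Constructed benign message: a zip holding a text file."""
    return _message_with_zip("Meeting notes", "notes.txt", b"agenda for monday")


if __name__ == "__main__":
    for raw in (build_sample_message(), build_clean_message()):
        print(triage_message(raw))
```

The PE-header check matters more than the extension list: a member named photos.jpg.exe is obvious, but a renamed executable is not, and the first two bytes survive any renaming. Encrypted archives are reported rather than silently passed, since that is the usual way to defeat exactly this kind of inspection.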

ZBot and Scareware remained highly active alongside Pushdo / Cutwail. ZBot spam campaigns continued to take different approaches: one was a two-stage attack that first phishes for Facebook credentials and then attempts to install a malicious ZBot binary; another targeted Verizon Wireless customers, trying to get recipients to install a “tool” that is in fact ZBot. In addition, at least three distinct spam campaigns were observed seeding a new trojan downloader (downloaders are also known as “loaders”): Sasfis. Sasfis detection was very high this period, with variants landing in our malware top 10 at #3 and #10. The three observed campaigns used the subjects ‘Payment request from’, ‘Mailbox has been deactivated’ and ‘Facebook updated account agreement’, all with “.zip” attachments containing the trojan. Once running, the loader reports to its controller over HTTP by posting information such as a unique bot identifier (similar to Bredolab), then waits for instructions to download updates and further malicious components. We continue to monitor this prevalent threat.
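A loader that posts a fixed bot identifier to its controller and then waits for instructions leaves a regular check-in pattern in web proxy logs, and that pattern can be hunted without knowing the malware's protocol. The example below is added here and is not code from the report or from FortiGuard, and it does not claim to reproduce Sasfis's actual traffic: it parses a constructed proxy log (the line format, IP addresses, URL and identifier value are all invented), groups POST requests by client and destination, and flags pairs whose inter-request intervals are near-constant and whose query carries the same identifier on every check-in. The response-size column is kept because a check-in that suddenly returns a much larger body is a hint that an instruction or update was delivered.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log (not a real capture): timestamp, client, method, URL,
# status, response bytes. Host 10.0.0.5 checks in every ~10 minutes with a
# fixed id; host 10.0.0.9 is ordinary browsing.
SAMPLE_LOG = """\
2009-11-12T10:00:00 10.0.0.5 POST http://198.51.100.7/report.php?id=0a1b2c3d 200 312
2009-11-12T10:00:04 10.0.0.5 GET http://www.example.com/ 200 5120
2009-11-12T10:10:01 10.0.0.5 POST http://198.51.100.7/report.php?id=0a1b2c3d 200 298
2009-11-12T10:20:00 10.0.0.5 POST http://198.51.100.7/report.php?id=0a1b2c3d 200 310
2009-11-12T10:30:02 10.0.0.5 POST http://198.51.100.7/report.php?id=0a1b2c3d 200 305
2009-11-12T10:40:00 10.0.0.5 POST http://198.51.100.7/report.php?id=0a1b2c3d 200 4096
2009-11-12T10:03:15 10.0.0.9 POST http://www.example.com/login 302 120
2009-11-12T10:31:40 10.0.0.9 POST http://www.example.com/comment 200 800
2009-11-12T11:02:05 10.0.0.9 POST http://www.example.com/comment 200 640
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\d+)$")


def parse_log(text: str) -> list:
    """Turn the constructed log format into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, url, status, size = m.groups()
        parts = urlsplit(url)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "method": method,
            "host": parts.hostname,
            "path": parts.path,
            "query": parse_qs(parts.query),
            "status": int(status),
            "size": int(size),
        })
    return events


def find_beacons(events: list, min_posts: int = 4, max_jitter: float = 0.2) -> list:
    """Flag (client, host, path) pairs whose POSTs arrive at near-constant intervals.

    max_jitter is the allowed coefficient of variation (stdev / mean) of the gaps;
    0.2 tolerates the small randomisation many loaders add. Both thresholds are
    assumed starting points, not values from the report.
    """
    by_key = defaultdict(list)
    for e in events:
        if e["method"] == "POST":
            by_key[(e["client"], e["host"], e["path"])].append(e)

    hits = []
    for (client, host, path), evs in by_key.items():
        if len(evs) < min_posts:
            continue
        evs.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter > max_jitter:
            continue
        # A query parameter re-sent unchanged on every check-in is the
        # "unique bot identifier" pattern; browsers rarely behave this way.
        stable_ids = {k: v[0] for k, v in evs[0]["query"].items()
                      if all(e["query"].get(k) == v for e in evs)}
        hits.append({
            "client": client, "host": host, "path": path,
            "count": len(evs),
            "mean_interval_s": round(mean, 1),
            "jitter": round(jitter, 3),
            "stable_ids": stable_ids,
            "max_response_bytes": max(e["size"] for e in evs),
        })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(hit)
```

On real proxy data the same grouping works, but the thresholds need tuning per environment: software updaters and chat clients also beacon, so the stable-identifier and destination (newly seen host, bare IP, no referrer) signals are what separate a loader check-in from legitimate polling.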

In terms of reported attack cases, Adobe.Products.SWF.Remote.Code.Execution moved into third place this month, while MS08-067, notoriously exploited by Conficker, remained in first. Flash and ActionScript are constantly targeted to exploit systems, with techniques such as run-time packers for Flash content being used to evade detection. New developments on the threat landscape this period include an out-of-band patch for Adobe Shockwave (APSB09-16), a zero-day vulnerability in Internet Explorer (CVE-2009-3762), a Windows 7 denial of service, and a new worm targeting jailbroken iPhones. November was very active for iPhones, with four new attacks exploiting a misconfiguration of OpenSSH on jailbroken devices: malware holding Dutch iPhones for ransom ($7 USD), a tool stealing SMS messages and contacts (HackerTool/iPhoneStealer), a worm that changes the background image, and another that tries to steal banking credentials (iPhoneOS/Eeki). All of these areas will likely continue to develop, so be safe out there: keep all software up to date, deploy a current intrusion prevention system to guard against vulnerabilities and zero-days, and if you own a jailbroken iPhone with OpenSSH installed, change the root password now.

FortiGuard Labs continues to monitor threats to provide up to date detection, while actively discovering zero-day flaws to provide true zero-day protection.

Additional thanks to Fortinet’s Kyle Yang and Axelle Apvrille for their contributions to the report.

Author bio: Derek Manky contributes to security research and development while acting as a bridge to the public forum on results and findings. He coordinates research team efforts and manages responsible disclosure efforts between Fortinet and other vendors.
