Our April 2009 Threat Landscape Report is now available, recapping a month of threat activity from exploits and malware, to spam. Here are some key movements from the report along with comments:

Waledac is one of the most active malware families to be on the lookout for. This period, we saw a fifth campaign hit since the beginning of this year, serving up malicious variants disguised as SMS spying software. With frequent campaigns, heavy server side polymorphism, binaries packed with fluctuating seed lists (portions of its network), and peer to peer HTTP communication through fast fluxed zombies, it is no wonder this malicious network has been so resilient. Waledac, like many blended threats, is multi-functional with the ability to receive and spew custom spam templates, launch denial of service attacks, and download further components. It was also spotted on Conficker’s network, which, in concert with its own various campaigns, has further helped this family gain momentum.

Four new variants landed in our malware top 10 this period, two of them online gaming trojans. Next to Virut, the three most prevalent threats were gaming trojans with a fourth variant narrowly missing a ranking in our top 10. Collectively, these threats formed a significant portion of our detected activity. The lucrative marketplace created through online gaming certainly has attracted cyber crime with haste, as we have reported over the past year. Real money trading (RMT) is now an estimated $2 billion USD annual market, that is surrounded by illegitimate practices, fueled by threats like the ones you see present in third and fourth position in our malware top ten this period.

W32/Virut.A is still king of the hill in our malware top 10, claiming first position for the second month in a row, building on a year-long run within the top ten. This virulent file infector has a rather consistent daily activity rate, similar to mass mailers – indeed this could be due to self-distribution via mass mailers through its hybrid effect. As we anticipated, no significant activity occurred with Conficker.C on the much hyped April 1st date: however, soon after Conficker.C’s newly established peer to peer network became active.

Exploit activity with MS.DCERPC.NETAPI32.Buffer.Overflow (MS08-067) picked up once again during the first week of April, returning to February levels after a significant drop in March. The drop was due to Conficker.C variants ceasing exploit activity, while the subsequent increase can be linked to several factors outside of Conficker. Most notably, a different malware family was observed to exploit the same vulnerability during this period. This is not too surprising, as vulnerabilities are very much a shared resource that are leveraged for years after disclosure. Over 31% of new vulnerabilities this period (96 in total) were reported to be actively exploited: 36 of the new vulnerabilities were rated as ‘Critical’, marking a year high, up from 30 last period.

With February’s Threat Landscape Report out, it’s time to highlight some of the most interesting movement happening from late January 2009 to now:

New vulnerabilities (NVC) were up nearly three fold, with 117 posted in comparison to 43 from January’s edition; 25.6% of these new vulnerabilities were detected to be actively exploited. Two new high-profile zero-day exploits (CVE-2009-0238 and CVE-2009-0658) affecting MS Excel (XLS) and Adobe Reader (PDF) have since been disclosed. Given these facts, and Conficker’s success, there is no better time than now to underscore patch management and effective security to battle these threats.

Conficker is still running strong. Our systems showed exploitation of the well known MS08-067 vulnerability displayed the highest recorded activity to date on February 14th, 2009. As of writing, volume levels are still quite high; a new variant has been discovered in the wild that allows malicious payload transfers through a backdoor port opened on an infected machine – without relying on the domain generation algorithm. Since the algorithm that generates the list of domains Conficker contacts to download code has been reversed/put in the spotlight, this latest functionality can be seen as a counter move by Conficker’s authors.

Waledac, a relatively new botnet in town, went on a long run using a Valentine’s Day campaign to dupe users into downloading a malicious executable which was, to no surprise, a copy of the Waledac trojan. The campaign used a variety of domain/sub domain names, safe-haven registrars, and fast flux. As a result, the domains are still resolving to malicious servers hosting the sites and executables. Sadly, this proves how durable and effective such campaigns can still be using not-so-new methodologies such as fast flux. As of writing, the campaign is still alive but is using a different theme dubbed as the ‘Couponizer’. This social engineering hook offers online “coupons” to the victim. One thing we noticed with Waledac is that, aside from coming in the usual shifting variants (server side polymorphic), the served malicious executable’s filename shifted frequently as well. Names such as ‘reader.exe’, ‘start.exe’, and ‘lovekit.exe’ were used.

Movement on the mobile front: After new variants of Flocker surfaced in January, targeting accounts with Indonesian operators, we reported on Yxes.A in February — the latest and greatest SymbianOS threat — aka “Sexy View”. While mobile threats are certainly low profile in terms of prevalence (compared to non-mobile threats), this is an area to keep a close eye on. The biggest threat posed by SymbOS/Yxes.A is its ground-breaking propagation function; with the capability to spread through SMS by providing malicious URLs, a bridge is created from mobile telecommunications to the the Internet as we know it. In turn, this opens up a range of possibilities, effectively allowing the authors more control over their creation. With more control and functionality added, Yxes.A proved that we may not be far away from a mobile botnet.

Spam levels remained consistent after crawling back from a sharp decrease late 2008 thanks, largely in part, to the McColo take-down in November 2008.  Phishing and scam emails are popular as ever in play with the economic crisis, as our spam traps harvested loan and job scams showing up in localized languages to various regions.