by RSS Derek Manky  |  Jan 27, 2010  |  Filed in: Security Research

There was no shortage of threat news this month, most notably the highly publicized attacks, codenamed "Aurora", on select corporations including Google. The official CVE identifier for the vulnerability used in this attack is CVE-2010-0249; Fortinet's detection is "MS.IE.Event.Invalid.Pointer.Memory.Corruption". For more information, please see our advisory and blog post. Details on these attacks, which went through a zero-day Internet Explorer flaw, came out in mid-to-late January: in just a couple of days this detection rocketed into fourth place in our top ten attack listing for the entire month, in close company with Waledac and Gumblar/Bredolab C&C detections. Gumblar, which has often been observed to drop the Bredolab loader, typically starts an infection through malicious websites hosting obfuscated JavaScript code. MS08-067 exploit traffic (used by Conficker) remains in second position, meaning our top three attack detections are related to botnet propagation and C&C traffic. Our top six detected attacks are rated 'Critical', a rating typically associated with remote code execution. On top of this, another Adobe Reader PDF exploit (Adobe.Reader.Printf.Buffer.Overflow) climbed into our top ten listing. There are many PDF exploits active in the wild, most of which use malicious JavaScript code. Adobe software, like Microsoft's, is a popular target for attackers; stay up to date with the latest bulletins (see Fortinet's here from January 19th, 2010). There is definitely much malicious network traffic out there, so this should be yet another (continuous) reminder to keep your patches up to date and to monitor and guard against malicious traffic with a valid IPS solution.
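Because most of the PDF exploits mentioned above carry their payload as embedded JavaScript, a quick triage check for a suspicious PDF is to look at the document structure rather than the rendering: is there a /JavaScript or /JS object, is it wired to an automatic trigger such as /OpenAction or /AA, and does the script call into an API like util.printf? The scanner below is an added example written for this post and is not Fortinet's detection logic; the three PDFs it scans are constructed inline, not real samples. It inflates FlateDecode streams and undoes #xx hex escapes in names before matching, since droppers use both to hide the keywords from naive string searches.

```python
import re
import zlib

# Object-level indicators a triage scanner looks for in a PDF. Presence is a
# reason to look closer, not proof of an exploit: legitimate forms use /JS too.
INDICATORS = {
    b"/JavaScript": "JavaScript action dictionary",
    b"/JS": "script body, inline or as a stream reference",
    b"/OpenAction": "action executed when the document is opened",
    b"/AA": "additional actions (page open, form events)",
    b"/Launch": "launch action (runs an external program)",
    b"util.printf": "call into the util.printf API",
}

# PDF names may be written with #xx hex escapes (/Java#53cript == /JavaScript).
NAME_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def inflate_streams(data: bytes) -> bytes:
    """Return the file plus the inflated body of every stream zlib can decompress."""
    inflated = []
    for m in STREAM.finditer(data):
        try:
            inflated.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not FlateDecode, or a filter chain this scanner does not handle
    return data + b"\n" + b"\n".join(inflated)


def normalize_names(data: bytes) -> bytes:
    """Undo #xx escapes so hidden names match the plain indicator strings."""
    return NAME_HEX.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Count each indicator. Streams are inflated before names are normalized,
    so the hex-escape pass never corrupts still-compressed bytes."""
    text = normalize_names(inflate_streams(data))
    return {k.decode(): text.count(k) for k in INDICATORS if k in text}


def is_suspicious(found: dict) -> bool:
    """Script present, and either fired automatically or calling util.printf."""
    has_script = "/JavaScript" in found or "/JS" in found
    auto_trigger = "/OpenAction" in found or "/AA" in found
    return has_script and (auto_trigger or "util.printf" in found)


# Constructed samples (not real malware). SAMPLE_HEX hides the action name with
# a hex escape; build_flate_sample() puts the script in a FlateDecode stream.
SAMPLE_HEX = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /Java#53cript /JS (var s = util.printf("%d", 1);) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

BENIGN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def build_flate_sample() -> bytes:
    """Constructed PDF whose script body lives in a compressed stream object."""
    body = zlib.compress(b'var s = util.printf("%d", 1);')
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
        b"4 0 obj << /S /JavaScript /JS 5 0 R >> endobj\n"
        b"5 0 obj << /Length " + str(len(body)).encode() + b" /Filter /FlateDecode >>\n"
        b"stream\n" + body + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    for label, pdf in (("hex-escaped", SAMPLE_HEX), ("flate", build_flate_sample()), ("benign", BENIGN)):
        found = scan_pdf(pdf)
        print(label, "SUSPICIOUS" if is_suspicious(found) else "clean", found)
```

This is a first-pass filter, not a verdict: a flagged file still needs the script extracted and read, and a clean result only means none of these particular indicators were visible (other filter chains, object streams and encrypted documents are out of scope here).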

Detected malware volume this period returned to the levels seen before October 2009, when a large surge of scareware hit cyberspace, no doubt fueled by other prominent threats such as Bredolab. While activity levels have dropped, Bredolab continued its reign this period with variants in the top two spots, together accounting for over 40% of total detected malware volume. This activity continued to arrive in large spikes, generally lasting just one day, as Bredolab seeded. Even worse, Bredolab is gearing up with a new web mailing engine that will allow it to spam through webmail accounts such as Hotmail and Gmail. This will allow an already established threat to seed (distribute itself and other malicious bits) even more effectively. Distinct malware volume doubled from last report after holding a steady but slowly increasing trend for the past year. We detected more unique pieces of malicious code this period than ever before, most dominantly in the USA. Though the USA had significantly more unique malware, Japan was number one this period in pure detected volume, most notably with Bredolab. Threats such as Zeus/ZBot are distributed as kits that are easily recycled into new code and attacks, which contributes to the rise in unique pieces of malicious code and attacks in cyberspace. This will likely continue to increase, as the trend has held true for well over a year.

New to the malware top ten this report was Buzus, offering some competition to Bredolab. Buzus had two variants in our listing, in third and sixth position (detected as W32/AutoRun.BBC!worm). Unlike Bredolab, which seeds on demand in campaigns, Buzus spreads continuously in mass-mail fashion through its own SMTP engine. We saw Buzus seeding through a purported Christmas greeting card, attached as a zip file typically over 300KB. Buzus isn't brand new; it has been around since 2008. In 2009, we observed it being downloaded by a bot via IRC commands. Its appearance in our top ten indicates it has enjoyed success over those years.

Apart from Buzus spam, we noticed two other interesting campaigns. One came in the form of a simple message with a link, always with the subject "It's you?". This spam run began on December 1st and continues as of writing. The links changed frequently, each leading to a site that redirected the browser to a second domain, most of which were under the ".cn" top level domain. Some of the first-hop domains also included obfuscated JavaScript code, another popular tactic used by a frequent visitor to our top ten, "JS/PackRedir.A!tr.dldr". The first-hop domains included in the spam emails were mostly free web hosting service providers; here is a list of the ones we observed being used:

There were also plain IP addresses. The use of free web hosting for malicious links is a favorite trend that is likely to continue, due to the availability of such services (see above) and the fact that private domains may become harder to register. Customised bots such as Bredolab/Webwail can be programmed to register such domains automatically. In December 2009, CNNIC introduced tougher policies that require paper-based registration forms for domain registration, hindering cyber criminals from registering many new Chinese top level domains for their attacks. It will be interesting to see whether other ccTLD authorities and ICANN follow. The other spam run used a different social engineering tactic. The email, a series of conversations about gambling techniques, appears to have accidentally landed in the user's inbox. The conversation talks of an algorithm to win quick cash through online gambling; the social engineering tactic here is to intrigue users into thinking they have stumbled upon this "secret" email, follow the link and start gambling to win cash. The website pushes an executable we detect as "Misc/CasOnline".
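The "It's you?" chain described above (first hop on free hosting, sometimes with obfuscated script, second hop on a .cn domain or a bare IP address) can be analysed statically without letting a browser follow it. The script below is an added example for this post, not Fortinet's tooling: it peels JavaScript unescape() layers off a page, collects meta-refresh and location-based redirect targets in document order, and classifies each hop by host type and TLD. The two pages it inspects are constructed here for illustration, and the free hosting provider names are placeholders standing in for the list observed in the campaign.

```python
import html
import re
import urllib.parse

# Assumed placeholder list of free hosting providers; substitute the ones you
# observe in your own spam feed.
FREE_HOSTING = ("free-host.example", "pages.example")

META_REFRESH = re.compile(
    r'<meta[^>]*http-equiv=["\']?refresh["\']?[^>]*content=["\']\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.I,
)
JS_ASSIGN = re.compile(
    r'(?:window|document|top|self)?\.?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)
JS_CALL = re.compile(r'location\.(?:replace|assign)\(\s*["\']([^"\']+)["\']\s*\)', re.I)
UNESCAPE_CALL = re.compile(r'unescape\(\s*["\']([^"\']*)["\']\s*\)', re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def decode_unescape(page: str) -> str:
    """Replace each JavaScript unescape("...") call with its decoded text,
    repeating until no call is left so nested layers are peeled off too."""
    def _decode(m):
        # JavaScript's unescape() also understands %uXXXX, which unquote() does not.
        s = re.sub(r"%u([0-9A-Fa-f]{4})", lambda h: chr(int(h.group(1), 16)), m.group(1))
        return urllib.parse.unquote(s)
    prev = None
    while prev != page:
        prev, page = page, UNESCAPE_CALL.sub(_decode, page)
    return page


def extract_redirects(page: str) -> list:
    """Return the redirect targets found in a page, deduplicated, in document order."""
    text = decode_unescape(html.unescape(page))
    hits = []
    for rx in (META_REFRESH, JS_ASSIGN, JS_CALL):
        hits += [(m.start(), m.group(1)) for m in rx.finditer(text)]
    return list(dict.fromkeys(url for _, url in sorted(hits)))


def classify_url(url: str) -> dict:
    """Host type and TLD of one hop: bare IP, free hosting provider, or other."""
    host = (urllib.parse.urlsplit(url).hostname or "").lower()
    is_ip = bool(IPV4.fullmatch(host))
    return {
        "host": host,
        "is_ip": is_ip,
        "tld": "" if is_ip else host.rsplit(".", 1)[-1],
        "free_hosting": any(host == p or host.endswith("." + p) for p in FREE_HOSTING),
    }


def analyse(page: str) -> list:
    """Classification of every hop a page would send the browser to."""
    return [classify_url(u) for u in extract_redirects(page)]


# Constructed page standing in for a first hop: a meta refresh to another free
# hosting page, plus an obfuscated script that sends the browser to a .cn domain.
HOP1 = """<html><head>
<meta http-equiv="refresh" content="0; url=http://user123.free-host.example/go.php">
</head><body>
<script>document.write(unescape("%3Cscript%3Ewindow.location.href%3D%22http%3A%2F%2Fbad.example.cn%2Fin.php%22%3C%2Fscript%3E"));</script>
</body></html>"""

# Constructed second hop using a plain IP address and location.replace().
HOP2 = '<script>location.replace("http://203.0.113.7/land.php");</script>'

if __name__ == "__main__":
    for page in (HOP1, HOP2):
        for hop in analyse(page):
            print(hop)
```

The static approach deliberately stops at string-level obfuscation; a packer that builds the target URL from arithmetic or from the DOM will not be resolved here and is a cue to move the page into an instrumented browser instead.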
