January 2010 Threat Landscape : Aurora comes to light, Botnets shine, Christmas greetings from Buzus
Detected malware volume this period returned to levels before October 2009, when a large surge of Scareware hit cyberspace - no doubt fueled by other prominent threats such as Bredolab. While activity levels have dropped, Bredolab continued its reign this period with variants in the top two spots - together accounting for over 40% of total detected malware volume. This activity continued to happen in large spikes for generally a period of just one day as Bredolab seeded. Even worse, Bredolab is gearing up with a new web mailing engine that will allow it to spam through accounts such as Hotmail and GMail. This will allow an already established threat to seed (distribute itself, and other malicious bits) even more effectively. Distinct malware volume doubled from last report after holding a steady but slowly increasing trend for the past year. We detected more unique pieces of malicious code this period than ever before, most dominantly in the USA. Though the USA had significantly more unique attacks, Japan was number one this period when it came to pure detected volume -- most notably with Bredolab. Threats such as Zeus/ZBot are distributed as kits, easily recycled into new code/attacks - which contributes to a rise in the unique pieces of malicious code and attacks in cyberspace. This will likely continue to increase, as this trend has held true for well over a year.
New to the malware top ten this report was Buzus, offering some competition to Bredolab. Buzus had two variants present in our listing, in sixth and third position (detected as W32/AutoRun.BBC!worm). Unlike Bredolab, which seeds on-demand in campaigns, Buzus continuously spreads in mass mail fashion through its own SMTP engine. We saw Buzus seeding through a purported Christmas greeting card from 123greetings.com, attached as a zip file typically over 300KB. Buzus isn't brand new -- it has been around since 2008. In 2009, we observed it being downloaded through a bot via IRC commands. However, its appearance in our top ten indicates it has enjoyed success over those years.
by.ru zelnet.ru unl.pl evonet.ro h12.ru com.ru 50webs.com
There were also plain IP addresses. The use of free web hosting for malicious links is a favorite trend that is likely to continue due to the availability of such services (see above), and the fact that private domains may become harder to register. Customised bots such as Bredolab/Webwail can be programmed to automatically register such domains. In December 2009 the CNNIC introduced tougher policies which requires paper-based registration forms for domain registration, hindering cyber criminals from registering many new Chinese top level domains for their attacks. It will be interesting to see how other ccTLD authorities and ICANN follows. The other spam run used a different social engineering tactic. The email, a series of conversations talking about gambling techniques, appears to accidently land in a users inbox. The conversation talks of an algorithm to win quick cash through online gambling -- the social engineering tactic here is to intrigue the user thinking they stumbled upon this "secret" email, follow the link and start gambling to win cash. The website pushes an executable we detect as "Misc/CasOnline".