Threat Research

December 2010: Mule recruitments diversify, Hiloti spreads with postcards

By Derek Manky | January 06, 2011

The last threat report for 2010 is up on our FortiGuard Center. Below is a recap from the report:

As we enter the holiday season, spam rates continue to drop after a sharp decline following Bredolab's takedown in October/November 2010. Global spam rates throughout December were, on average, 7% lower than in November and about 19% lower than the peak before Bredolab's takedown in October. This is welcome news, since the impact has now been noticeable for two months. The decline is simply a matter of volume, most of which comes from spam-spewing botnets and mass mailers. This should not create a false sense of security, however; there are still plenty of threats lurking in email today. Cleverly engineered spam with malicious attachments or intentions can be far more damaging than ineffective bulk spam.

We have previously mentioned the ongoing demand for money mules to transfer ill-gotten funds, and have often featured such recruitment emails in our monthly reports. This month was particularly interesting, as a wide variety of campaigns targeted different regions. One email, sent to a Hong Kong (.hk) address, sought "local representatives" for Singapore, Hong Kong, Taiwan, Thailand, and the Philippines who have a "reasonably long relations history with local banks". Another email targeted Australian (.au) addresses for an "online sales administrator" position. The contact addresses for these campaigns were linked to the same operator. In fact, we saw several other campaigns using a variety of contact domain names. All three of these domains were registered to a Russian contact through the same registrar, and all contact addresses for worldwide recruitment used Google mail hosting. This is an excellent example of how cyber criminals are diversifying the distribution of their funds, using banks and mules in various regions.

Apart from money mule emails, we also saw the Buzus trojan being distributed through mass emails posing as Hallmark e-cards, just in time for the holiday season. Once the attachment is opened, the system begins sending out more of the same mail and is then infected with the Hiloti botnet. This is no coincidence, as Hiloti botnet traffic was #2 on our Top 10 Attack list this report. We have seen Hiloti distributed through many different botnets because Hiloti runs a pay-per-install affiliate program. In other words, the Hiloti operators pay other botnet operators to install Hiloti's bot on machines they already control. This, of course, allows them to grow their botnet more quickly by outsourcing. Hiloti is particularly innovative, as it uses DNS as a communication channel, watermarking its report information into the DNS queries sent to its servers. This is done to evade detection, since the traffic looks like normal, legitimate DNS traffic. You can read more about Hiloti here.
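Bots that report over DNS, as described above, tend to leave a tell in resolver logs: many distinct, long, random-looking leftmost labels under one parent zone. The following added example (not Fortinet's detection logic and not Hiloti's actual encoding) scores constructed resolver log lines on label length and Shannon entropy and flags zones that collect many such unique labels; the log format and thresholds are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample resolver log lines (not real traffic): "<client ip> <queried name>"
SAMPLE_QUERIES = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.7 a9f3k2q8z1x7c4v6b2n5m8.rpt.example.net
10.0.0.7 q7w2e5r8t1y4u9i3o6p0a2.rpt.example.net
10.0.0.7 z3x8c1v6b9n2m5q8w1e4r7.rpt.example.net
10.0.0.7 m4n8b2v6c1x5z9q3w7e2r6.rpt.example.net
10.0.0.9 cdn.example.org
"""

def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a DNS label (0.0 for a single repeated character)."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parent_zone(qname: str, levels: int = 2) -> str:
    """Crude registered-domain approximation: the last `levels` labels of the name."""
    return ".".join(qname.rstrip(".").split(".")[-levels:])

def find_dns_channels(log_text: str, min_label_len: int = 16,
                      min_entropy: float = 3.5, min_unique: int = 3) -> dict:
    """Return {parent_zone: number_of_distinct_suspicious_labels} for zones that
    receive at least `min_unique` distinct long, high-entropy leftmost labels.
    Encoded report data shows up as exactly that pattern; ordinary hostnames do not."""
    suspicious = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines rather than failing the whole run
        qname = parts[1].lower()
        leftmost = qname.split(".")[0]
        if len(leftmost) >= min_label_len and shannon_entropy(leftmost) >= min_entropy:
            suspicious[parent_zone(qname)].add(leftmost)
    return {zone: len(labels) for zone, labels in suspicious.items()
            if len(labels) >= min_unique}

if __name__ == "__main__":
    print(find_dns_channels(SAMPLE_QUERIES))  # {'example.net': 4}
```

A real deployment would use a public-suffix list instead of the two-label zone approximation and baseline per-zone query volume, since CDNs and some legitimate services also generate long unique labels.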

FortiGuard Labs disclosed three arbitrary code execution vulnerabilities in Microsoft and Apple products this report. FGA-2010-65 describes an MS Windows Kernel vulnerability which may allow execution in privileged (Ring0) context. FGA-2010-64 is yet another DLL loading vulnerability, affecting multiple products within the Windows 7 operating system. FGA-2010-62 outlines an integer overflow vulnerability in Apple QuickTime, which can lead to infection simply by viewing a specially crafted QuickTime movie file. FortiGuard Labs continues to discover software vulnerabilities on an ongoing basis, reporting them responsibly to vendors so that these security holes can be closed for end users. For most of these discoveries, we roll out our own IPS protection in advance, based on our proof of concept and research. Patch management and FortiGuard IPS together help protect against software vulnerabilities like these proactively.

As we conclude 2010, there was certainly no lack of activity on the threat scene. Perhaps most visible were the recent Wikileaks-related DDoS attacks against various entities, intended to cripple their operations. DDoS attacks are an old technique and simply aim to exhaust resources such as web servers, typically by overloading them with too many requests. To accomplish this, many DDoS attacks are launched by botnets, either rented out or commanded at will by their operators; in fact, DDoS services are offered for hire on various underground forums. The interesting part about the Wikileaks campaign was that the main engine used to launch the DDoS, the Low Orbit Ion Cannon, was in effect a voluntary botnet. It is available on Sourceforge, allowing anyone to configure the software to join cyber protest campaigns like Operation Payback. Regardless of the motivation, DDoS attacks have occurred, can occur and will occur. Fortinet detects the Low Orbit Ion Cannon DDoS tool as "HackerTool/MSIL_Loic"; you will need to have grayware detection enabled. Some defense strategies are also offered on our blog.
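The request floods described above are visible in web server access logs as clients issuing many requests per second, often for the same path. The following added example (not Fortinet's or LOIC's code) parses constructed common-log-format lines and flags source IPs whose request count in any sliding window exceeds a threshold; the log lines, window size and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log lines in common log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [08/Dec/2010:14:00:01 +0000] "GET / HTTP/1.1" 200 1024
203.0.113.10 - - [08/Dec/2010:14:00:01 +0000] "GET / HTTP/1.1" 200 1024
203.0.113.10 - - [08/Dec/2010:14:00:02 +0000] "GET / HTTP/1.1" 200 1024
203.0.113.10 - - [08/Dec/2010:14:00:02 +0000] "GET / HTTP/1.1" 200 1024
203.0.113.10 - - [08/Dec/2010:14:00:03 +0000] "GET / HTTP/1.1" 200 1024
203.0.113.10 - - [08/Dec/2010:14:00:04 +0000] "GET / HTTP/1.1" 200 1024
198.51.100.7 - - [08/Dec/2010:14:00:02 +0000] "GET /index.html HTTP/1.1" 200 2048
198.51.100.7 - - [08/Dec/2010:14:00:09 +0000] "GET /about.html HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')

def parse_line(line: str):
    """Return (client_ip, timestamp, path) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, _status, _size = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path

def find_flooders(log_text: str, window_seconds: int = 5, threshold: int = 5) -> dict:
    """Return {ip: (peak_requests_in_any_window, distinct_paths)} for clients whose
    request count within a sliding window of `window_seconds` reaches `threshold`.
    A high peak with very few distinct paths is the signature of a simple GET flood."""
    times_by_ip, paths_by_ip = defaultdict(list), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ip, when, path = rec
            times_by_ip[ip].append(when)
            paths_by_ip[ip].add(path)
    flagged = {}
    for ip, times in times_by_ip.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):  # advance window start until it fits
            while (times[end] - times[start]).total_seconds() >= window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = (peak, len(paths_by_ip[ip]))
    return flagged

if __name__ == "__main__":
    print(find_flooders(SAMPLE_LOG))  # {'203.0.113.10': (6, 1)}
```

Per-IP rate checks catch individual participants; a distributed campaign spreads the same load over many sources, so production detection also tracks the aggregate request rate per path and per server.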
