Threat Research

February Threat Landscape - Exploits, Conficker, Waledac and Sexy View

By Derek Manky | February 27, 2009

With February's Threat Landscape Report out, it's time to highlight some of the most interesting movement happening from late January 2009 to now:

New vulnerabilities (NVC) were up nearly three fold, with 117 posted in comparison to 43 from January's edition; 25.6% of these new vulnerabilities were detected to be actively exploited. Two new high-profile zero-day exploits (CVE-2009-0238 and CVE-2009-0658) affecting MS Excel (XLS) and Adobe Reader (PDF) have since been disclosed. Given these facts, and Conficker's success, there is no better time than now to underscore patch management and effective security to battle these threats.

Conficker is still running strong. Our systems showed exploitation of the well known MS08-067 vulnerability displayed the highest recorded activity to date on February 14th, 2009. As of writing, volume levels are still quite high; a new variant has been discovered in the wild that allows malicious payload transfers through a backdoor port opened on an infected machine - without relying on the domain generation algorithm. Since the algorithm that generates the list of domains Conficker contacts to download code has been reversed/put in the spotlight, this latest functionality can be seen as a counter move by Conficker's authors.

Waledac, a relatively new botnet in town, went on a long run using a Valentine's Day campaign to dupe users into downloading a malicious executable which was, to no surprise, a copy of the Waledac trojan. The campaign used a variety of domain/sub domain names, safe-haven registrars, and fast flux. As a result, the domains are still resolving to malicious servers hosting the sites and executables. Sadly, this proves how durable and effective such campaigns can still be using not-so-new methodologies such as fast flux. As of writing, the campaign is still alive but is using a different theme dubbed as the 'Couponizer'. This social engineering hook offers online "coupons" to the victim. One thing we noticed with Waledac is that, aside from coming in the usual shifting variants (server side polymorphic), the served malicious executable's filename shifted frequently as well. Names such as 'reader.exe', 'start.exe', and 'lovekit.exe' were used.

Movement on the mobile front: After new variants of Flocker surfaced in January, targeting accounts with Indonesian operators, we reported on Yxes.A in February -- the latest and greatest SymbianOS threat -- aka "Sexy View". While mobile threats are certainly low profile in terms of prevalence (compared to non-mobile threats), this is an area to keep a close eye on. The biggest threat posed by SymbOS/Yxes.A is its ground-breaking propagation function; with the capability to spread through SMS by providing malicious URLs, a bridge is created from mobile telecommunications to the the Internet as we know it. In turn, this opens up a range of possibilities, effectively allowing the authors more control over their creation. With more control and functionality added, Yxes.A proved that we may not be far away from a mobile botnet.

Spam levels remained consistent after crawling back from a sharp decrease late 2008 thanks, largely in part, to the McColo take-down in November 2008. Phishing and scam emails are popular as ever in play with the economic crisis, as our spam traps harvested loan and job scams showing up in localized languages to various regions.

Join the Discussion