July 2009 Threat Landscape : Active zero-days, Yxes upgrades, Web threats continue to grow

By Derek Manky | July 27, 2009

Many threat trends have continued as we head into August 2009. I have highlighted notable items below from our July 2009 Threat Landscape report, which can be found on Fortinet's FortiGuard Center.

Mobile threat development continues: In July we saw the emergence of SymbOS/Yxes.E and SymbOS/Yxes.F, the latest variants of Yxes, which we first reported on in February. For further details, check out this blog post, which is well worth the read: in particular, Yxes' serving of dynamic content via JSP shows the first steps cyber criminals are taking to address a market that is largely fragmented across multiple platforms. This matters because malicious binaries are typically written for a single target (i.e. Windows, OS X). On traditional desktops those targets are few; in the mobile market they are growing and diversifying. Dynamically choosing which malware package to serve, as Yxes does, is a technique that helps attackers work around this fragmentation and hints at what is to come in this area in the near future.

Virut posts record levels while online gaming trojans flood cyberspace: W32/OnlineGames.BBR held and built heavily on its first-place position from the last report, accounting for 43 percent of total detected malware activity. Much of this latest attack's volume came from July 5th onward, with a peak on July 8th. The campaign continues and shows very frequent activity on a daily basis. Besides that, the regular faces of W32/Virut.A and JS/PackRedir built on their activity from our last report period. In fact, detected activity for W32/Virut.A climbed to record levels this period, underscoring that this behemoth has become a dominant threat, particularly in Asia. New to this report's top ten is W32/FakeAlert.EI, another rogue antivirus ("scareware") trojan. Scareware fraud remains vastly popular in the digital underground and is now quite diversified since we first reported on heavy attack waves nearly one year ago, in August 2008.

Two in-the-wild exploits were making waves this period. One is the highly discussed MS ActiveX Video control vulnerability (CVE-2008-0015, FortiGuard Advisory here), first patched on July 14th by Microsoft through MS09-032. Exploit activity for this vulnerability was frequent throughout the month but remained relatively low in volume, with the most prevalent activity detected in Korea, China and Japan. As of writing, the second vulnerability, MS Office Web Components (CVE-2009-1136, FortiGuard Advisory here), remains unpatched (zero-day), also with relatively low detection rates and leading activity in China, India and Japan. Nonetheless, it bears repeating that any successful exploit can cause significant damage, and exploits against the latter kind (zero-days) tend to be more successful since patches are not readily available. FortiGuard IPS detects and blocks malicious activity for both of these attacks, as noted in their respective advisories above. The FortiGuard Global Security Research team first spotted public exploit code for this second vulnerability on July 11th and immediately reported the findings.

Canadian Pharmacy assaults Google Groups, Tinypic: This month we witnessed a flood of eCard spam continuing from last month, using various techniques, a majority of which ultimately lead victims to Canadian Pharmacy's domains. These domains, automatically registered by combining two dictionary words as described in our January 2008 write-up, continue to be registered well over two years after the process began. Canadian Pharmacy's success, fueled by an affiliate sponsorship model, invites many cyber criminals to advertise the fraudulent pharmaceuticals and drive traffic to those domains on their behalf. The net result lands rather large chunks of change in the pockets of both the Canadian Pharmacy gang and its affiliates. This period, the eCard spam primarily used direct links, Google Groups and the photo sharing service Tinypic.
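The two-dictionary-word registration pattern described above lends itself to a simple triage heuristic for newly seen domains. The following is an added example, not code from the original post or from FortiGuard; the word list and sample domains are constructed for the demo, and a real deployment would load a full dictionary and use the result as one scoring signal rather than a verdict, since legitimate names also split into two words.

```python
# Flag domains whose registrable label is exactly two dictionary words joined
# together, the registration pattern attributed to the Canadian Pharmacy gang.
# DICTIONARY is a constructed stand-in for a full word list.
DICTIONARY = {
    "secure", "health", "pill", "world", "best", "meds", "store",
    "fortinet", "example", "green", "apple", "cloud", "tab",
}

def split_two_words(label, dictionary=DICTIONARY):
    """Return (w1, w2) if label is exactly two dictionary words joined, else None.

    Only splits where both halves are at least two characters are tried.
    """
    for i in range(2, len(label) - 1):
        left, right = label[:i], label[i:]
        if left in dictionary and right in dictionary:
            return left, right
    return None

def registrable_label(domain):
    """Crudely take the second-level label, ignoring subdomains and the TLD.

    A real implementation should use the public suffix list so that names
    such as example.co.uk are handled correctly.
    """
    parts = domain.lower().strip(".").split(".")
    if len(parts) < 2:
        return None
    return parts[-2]

def score_domains(domains):
    """Return [(domain, (word1, word2)), ...] for every domain matching the pattern."""
    flagged = []
    for domain in domains:
        label = registrable_label(domain)
        if label and label.isalpha():
            pair = split_two_words(label)
            if pair:
                flagged.append((domain, pair))
    return flagged

# Constructed sample feed; greenapple.com illustrates a benign false positive.
SAMPLE_DOMAINS = [
    "securehealth.com", "updates.fortinet.com", "bestmeds.net",
    "www.pillworld.org", "greenapple.com", "fortinet",
]

if __name__ == "__main__":
    for domain, (w1, w2) in score_domains(SAMPLE_DOMAINS):
        print(f"{domain}: {w1} + {w2}")
```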

While the automatic redirection used by the Google Groups campaign is not new, Tinypic is quite interesting as another example of how spam keeps spreading to emerging platforms. Traditional email spam has not gone away, but we have predicted and reported on many spam attacks through new "Web 2.0" platforms such as social networking sites. To help evade detection, cyber criminals have in the past used services such as Tinyurl to obfuscate their malicious URLs; Tinypic is a similar, more recent example of how legitimate service providers are commonly used to piggyback malicious resources. Regardless of the image, or what the link appears to be, always check where a hyperlink will actually take you and exercise due care. Finally, the Waledac gang was at it once again with another typical spam campaign, this time on July 4th, just in time for the USA's Independence Day. In terms of overall activity, spam rates continue to hold at high levels, while Japan jumped ahead of the USA into 2nd position for spam volume this period.