Threat Research

June 2010 Threat Report: World cup meets malicious javascript, Sasfis seeding

By Derek Manky | June 28, 2010

While plenty of new malware variants entered our top ten listing this report, many of them belonged to the Sasfis botnet. Sasfis, which has recently been competing in volume with the Pushdo botnet, was very active this month. We observed Sasfis loading a spambot component that was used heavily to send out binary copies of itself in an aggressive seeding campaign. Sasfis' socially engineered emails fell into two distinct themes: one with fake UPS invoice attachments (filename: "UPS_Invoice_{date}.zip"), the other disguised as a fees statement (filename: ""). Much like the Pushdo and Bredolab botnets, Sasfis is a loader; the spambot agent is only one of several components it downloads (in our observations, typically four or five).

After being relatively quiet this period, the Pushdo botnet has, as of writing, jumped out of the bushes with a direct ambush on an investment website in the form of a global DDoS attack. Pushdo clearly still has power left in its ranks: the website is currently unresponsive. Taken together, it is business as usual for these malicious networks, which launch routine seeding campaigns to build on their infection base. As we have seen in the past and continue to see today, the operators behind these loaders are not shy and will use that power on demand without remorse. This typically happens in waves, with individual attacks or spam campaigns launched from the infected base.

Speaking of attacks in waves, on June 7th we saw a hit-and-run attack exploiting CVE-2010-0249 (which we detect as MS.IE.Event.Invalid.Pointer.Memory.Corruption). This attack first surfaced, in terms of visibility, in January 2010, when it was used in the infamous Aurora attacks to plant spy trojans on targeted major corporations. It has since laid low, last appearing in our top 10 in February's report. This is another example of how vulnerabilities are still targeted months (even years) after they are patched, and yet another reminder to keep patch management practices in place, backed by a current IPS solution, to guard against both new and old attacks. We covered over 200 new vulnerabilities this period, nearly double the number in the last report: software vulnerabilities continue to be disclosed at a growing rate, and each one is ultimately available to attackers for malicious use. FortiGuard Labs discovered four vulnerabilities in Adobe Flash and Microsoft Excel; these were disclosed and patched this period. For more information see our advisories for Adobe and Microsoft. By discovering such vulnerabilities in advance (before a patch is available), FortiGuard can provide proactive detection through IPS.

For malware, the only detection that topped the aforementioned botnet binaries was JS/Redir.BK, obfuscated JavaScript code that surged in activity on June 12th and 13th. The JavaScript redirected users to various (legitimate) domains hosting an injected HTML page named "z.htm". In our observations, the code was circulated as an HTML attachment in spam emails using various themes. In one attack, the HTML containing the malicious JavaScript was attached as the file "open.htm" in an email urging the user to update their MS Outlook client. Interestingly, we saw the exact same email also circulating with a FakeAV binary attachment, once again proving that spam templates are often recycled across attacks. Another prevalent email was socially engineered around the FIFA World Cup, a "bad news" message carrying the same malicious JavaScript in a file named "news.html". Yet another variation used Facebook passwords as a theme, with the malicious HTML file attached as "facebook_newpass.html".

There is no doubt that JavaScript is one of the most popular languages used in attacks today. It appears in a growing number of poisoned document attacks (PDF in particular), typically to set up heap sprays. It is also used to launch exploits, and it is popular as a browser redirector to malicious sites, since the code can be obfuscated so that the destination is far harder to see than in the plain IFrame-based attacks of the past. While it is not always feasible to disable JavaScript, consider policies around the use and execution of scripts, especially within document files. Of course, we recommend antivirus to mitigate such JavaScript-based attacks at all layers (web, email, etc.).
