
November 2010: Bredolab, Spam drop - Koobface regains control

By Derek Manky | November 24, 2010

Below is an activity recap from our November 2010 Threat Report.

As we move towards the end of the year, activity on the threat landscape certainly has not slowed down. 2010 has been a tremendously successful year in the fight against cyber crime, botnets in particular. Botnet takedowns this year include Mariposa/Butterfly, Pushdo/Cutwail, Zeus/ZBot, Bredolab and, in November, Koobface. At FortiGuard Labs we continue to observe threat activity from all of these botnets despite the efforts to dismantle them. This is simply because other operators have picked up the ball: source code and kits (crimeware) are readily available, so criminals can establish their own botnet using popular code such as Zeus or Bredolab. Nonetheless, there is evidence that prosecution does work, even though new operations continue to arise. The Zeus developers seemed to feel the heat from the many recent arrests in a large-scale Zeus network, and appear to have moved over to the SpyEye development team. SpyEye continues to be developed - see our blog post here.

The most recent impact we have seen was from the Bredolab takedown at the end of October. We saw a large drop in spam (12 percent) after October 25th, the day Dutch authorities dismantled a large Bredolab network by taking more than 140 servers offline. Bredolab was often used to load spam engines such as Cutwail to send affiliate-based spam (i.e. fraudulent pharmaceuticals). The Bredolab botnet must have been large indeed to have such an effect on spam levels, which had dropped by as much as 26 percent a week later.

Koobface, a botnet notorious for spamming social media sites such as Facebook, was taken offline on November 14th when the UK ISP Coreix took down three "mothership" servers. Koobface uses intermediary servers (proxies) to communicate with these mothership servers over HTTP on port 80. We confirmed that on November 14th, when the primary servers were taken offline, the intermediary servers failed to proxy content, effectively crippling the botnet. Unfortunately, we saw communication restored five days later, on November 19th. This is likely because Koobface contains an FTP credential harvesting module: operators may use stolen FTP credentials to hijack web servers for use as intermediaries/proxies. By reconfiguring their intermediary servers to point at new "mothership" servers, the operators seemingly regained control of their botnet.

Most of the entries in this report's malware top 10 were detections of malware packed by a custom packer. Several malware families can therefore fall under one of these generic detections; this is becoming very common as more and more malware developers turn to packers and packing services ("crypters") to evade antivirus detection. As over the past several months, one of the most prominent pieces of malware we observed this report was Sasfis, a simple botnet that operates over standard HTTP on port 80. This activity is reflected in our top 10 attack list, where Sasfis command and control detections rank 3rd. Botnets today ubiquitously use common protocols to communicate with their operators, in an effort to blend in with normal network activity. As an example, FortiGuard Labs recently discovered that the Hiloti botnet was using legitimate DNS queries to report download/installation ("loading") information to its servers.

Other discoveries by FortiGuard Labs include four disclosed vulnerabilities in Adobe Shockwave (FGA-2010-54), Adobe Flash (FGA-2010-56), Microsoft Office PowerPoint (FGA-2010-58) and Apple QuickTime (FGA-2010-61). All four zero-day discoveries were critical remote code execution vulnerabilities. This period, a total of 146 new vulnerabilities were covered, 61 of which (over 40%) were actively exploited in the wild. A zero-day vulnerability in Microsoft Internet Explorer (FGA-2010-55) is still being exploited in the wild as of writing. New and old vulnerabilities will continue to be exploited, so remember to keep all of your patches up to date. Further, an effective IPS solution can help mitigate attacks against both known vulnerabilities and zero-days. Since botnets communicate over common protocols, application control is becoming more important for identifying malicious activity (such as botnet communication) at the application level.

Regardless of the activity between Zeus and SpyEye, legacy Zeus attacks will still continue to occur. On October 10th, - a large affiliate program for pharmaceutical-based spam - was taken offline. While this is to be applauded, the reality is that more affiliate programs exist and we continue to see plenty of spam in circulation. One observed pharmacy spam mail contained a link that pointed to a URL shortener that is offered as a secure service. Cyber criminals are quite brash, and will try to land their code on the most legitimate, trusted websites or services. It is important to look at the link you are about to click on, but even when it is legitimate, it is equally important to have antivirus and intrusion prevention deployed to inspect all traffic once you land on the site. With the shopping season on our doorstep, remember that attacks like Zeus/SpyEye can inject content into the browser (e.g. to phish for credit card details) and steal credentials entered into browser forms, even for secure HTTPS sessions. For more tips on safe online shopping, please see our blog post here.
