October 2009 Threat Landscape: An epidemic of Scareware, Bredolab and ZBot

By Derek Manky | October 28, 2009

Our October 2009 Threat Landscape Report has been posted, and it highlights some significant movement on the threat landscape. As always, be cautious out there - this month's report underscores the dangerous state of cyberspace (see "Danger, Danger" below).

We hit some milestones this period, with total detected malware volume being at its highest in more than a year. While this volume has been generally increasing over the past six months, it surged significantly towards the end of September leading through October. In fact, detected volume this period was more than four times that of last report. As can be observed in Figure 2 and in our Malware Top 10, the main contributors were all rogue security downloaders. The malware variants W32/Agent.LGE and W32/Bredo.G both set single-day detection records as well, surpassing our previous record set by HTML/Agent.E (a ZBot e-card campaign) in August 2009.

A Flood of Scareware

This was all the result of a complete onslaught of rogue security software. In our last recap, we noted that it was the one-year anniversary of the initial explosion of such fake software ("scareware") in September 2008. Indeed, just one month on from this anniversary we have now witnessed the worst scareware attacks yet. While it's likely coincidence that the peaks of these attacks have come just before Halloween, the danger cannot be ignored. These attacks are coming fast, hard, and frequently. In fact, one may even say it is a pandemic: all of our detection data indicates that these attacks are prevalent worldwide, not to mention the array of campaigns from botnets, tainted advertisements and SEO attacks. Going back to our malware top 10, seven of the ten listed detections point back to scareware. Online gaming trojans were the only variants to stay in our top 10, as both Netsky and Virut succumbed to the floodwaters of scareware. To put this in perspective, this was the first time in a year and a half that Virut, the stubborn and nasty file infector, was pushed out of our top 10. While Virut remains an active threat, its prevalence was simply nowhere near as high as that of rogue security software this month. Look out for it though, as Virut has hybrid capabilities (it can spread through other infections) and may indeed piggyback on high-profile scareware campaigns in the future.

As of writing, all of the scareware variants were actively downloading the same fake security suite, "AntiVirus Pro 2010", which employs a bogus scan engine to scare users into buying a fake solution for their falsely reported problems. The main product used in the high profile scareware attacks of September 2008 was "AntiVirus XP 2008". In December 2008, a US federal court froze the assets of businesses operating out of Kiev, Ukraine, accusing them of selling such false security products, following a complaint from the FTC. It would appear as though this was not enough to stop scareware from continuing to plague cyberspace, with record activity levels being posted to date. This is mainly because of the lucrative amount of money available to participants in these schemes, funded on commission by affiliate programs, meaning many participants are tempted to hop on board.

Danger, Danger

These attacks are very dangerous for several reasons. First, there is the obvious fraud aspect: buy into any of these programs, and you will be left with a worthless product and a lighter wallet. Second, all attacks we have witnessed over the past year, especially those this month, are linked to downloaders. This means that on initial infection, the downloader will contact a remote server to obtain a malicious payload. Since it's a remote server, the content can be dynamic and provide updated copies or further components. Essentially, once a machine is compromised there is no limit to the amount of damage a cyber criminal may do. Third, scareware continues to become more sophisticated while evolving to new targets. Last report, we indicated a potential shift from scareware to ransomware. Indeed, it seems as though this is already happening. While it has not yet happened at large scale, the event could be waiting on the horizon and could happen with haste. The detected scareware variants in our malware top 10 are essentially just downloaders, which exhibited the same behavior when executed: downloading the actual scareware components from remote servers. These components have even been bots, connecting a machine infected with scareware to a botnet. Add destructive techniques (ransomware) and an established infection base into the equation, and this threat becomes quite potent indeed. While all of the scareware related variants we detected this month indeed link to the same fake product (and affiliate program), the attacks may be broken down into two frameworks: scareware downloaders and Bredolab.

Bredolab

Our two main detections for Bredolab this report were W32/Bredo.G (#3) and W32/Bredolab.X (#4). Bredolab is classified as a trojan downloader, and has been very actively involved with scareware. The Bredolab framework connects to its network to seek the latest components it should download. This month, we observed Bredolab downloading AntiVirus Pro 2010 installers. These installers actually used the same framework as the scareware downloaders mentioned below. On top of this, we also found ZBot, a notorious keylogger / information stealer, being downloaded through the Bredolab/AntiVirus Pro 2010 chain. For more information on Zeus and ZBot, please read our analysis here. Bredolab is just one player linked to ZBot, and both have very high detection rates. Thus, Bredolab becomes a dangerous threat: on infection, you now have an information-siphoning trojan and a nasty scareware product, both linking up to different remote control sites. This is an excellent example of the many components often involved with modern threats, and why layered security is the best approach to thwarting them.

Scareware Framework

Our top 10 detections this report for the scareware downloaders are as follows: W32/PackSpam.A (#1), W32/Agent.LGE (#2), W32/FakeAlert.SYY (#5), W32/Krap.AD (#6), and W32/FraudLoad.WSUT (#8). These all used the same framework to connect to freshly registered domains and download AntiVirus 2010 installers. We observed several executables used in attacks this month that contain this framework, ranging in size from 14 to 290 kilobytes. The 290 kilobyte version actually contained the AntiVirus 2010 product within, eliminating the need to download from a remote server in case access was blocked: a fallback mechanism. The domains differed in each executable, hard-coded and frequently updated with new copies; this is very similar to what we observed with Waledac. Therefore, new campaigns will use new executables which point to freshly registered domains. This all seems to be part of an automated process, as the domains are all between 19 and 21 alphanumeric characters using the ".com" top level domain. An affiliate identifier (also hard-coded) is passed through an HTTP request to these domains, which resolve to a server that will send the latest copy of scareware for that affiliate.
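As an added defensive illustration (not code from the report or from Fortinet), the following Python flags proxy-log requests to hosts that fit the domain shape described above: a 19 to 21 character alphanumeric label directly under .com. The log layout, hostnames and the `aff=` query parameter are constructed for the example; legitimate long .com names will also match, so treat hits as leads to combine with domain-age data rather than verdicts.

```python
"""Triage heuristic for the scareware downloader domains described above:
freshly registered .com names whose label is 19 to 21 alphanumeric characters.
Added example, not Fortinet's code; the log lines below are constructed."""
import re
from urllib.parse import urlsplit

# Matches <19-21 alphanumerics>.com; legitimate names of that shape also match,
# so hits are leads for review, not verdicts.
SCAREWARE_LABEL_RE = re.compile(r"^[a-z0-9]{19,21}\.com$")

def is_suspicious_host(host: str) -> bool:
    """True when the registrable part of host fits the observed pattern."""
    labels = host.strip().rstrip(".").lower().split(".")
    if len(labels) < 2:
        return False
    # Check only the last two labels so www.<label>.com is also caught.
    return SCAREWARE_LABEL_RE.match(".".join(labels[-2:])) is not None

def triage_proxy_log(lines):
    """Return (client, host) pairs for requests to suspicious hosts.
    Constructed line layout: <timestamp> <client> <method> <url> <status>."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed or truncated lines
        client, url = fields[1], fields[3]
        host = urlsplit(url).hostname or ""
        if is_suspicious_host(host):
            hits.append((client, host))
    return hits

# Constructed sample log: two downloader-style requests among normal traffic;
# the 22-character name on the last line sits just outside the observed range.
SAMPLE_LOG = [
    "1256712345.123 10.0.0.12 GET http://www.fortinet.com/ 200",
    "1256712346.456 10.0.0.12 GET http://k3j9x7hq2mz8vb4nd5lpa.com/d.php?aff=EXAMPLE 200",
    "1256712347.789 10.0.0.27 GET http://mail.example.org/inbox 200",
    "1256712348.012 10.0.0.31 GET http://z8q1w2e3r4t5y6u7i8o9p.com/setup.exe 200",
    "1256712349.345 10.0.0.44 GET http://thisisareallylonglegit.com/ 200",
]

if __name__ == "__main__":
    for client, host in triage_proxy_log(SAMPLE_LOG):
        print(f"review: {client} -> {host}")
```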

Links to Spam

All three spam campaigns featured in this report link to scareware: fake DHL/UPS invoices, and Conficker.B false alarms. One campaign belongs to Bredolab. The Bredolab variants we observed this report ranged between 20 and 60 kilobytes in size, and all had MS Excel icons in their resource section (displayed to the user as the typical green X). The other two campaigns used different tactics, but very similar executables, both about 44 kilobytes in size. These had a cell phone icon in their resource section. So while Bredolab was using DHL invoices as a social engineering hook, scareware affiliates were using fake Conficker.B infections and UPS invoices.

Bredolab Spam #1

Bredolab - W32/Bredolab.X!tr

Bredolab Spam #2

Scareware downloader - W32/FakeAlert.SYY!tr: Conficker.B scare

Bredolab Spam #3

Scareware downloader - W32/FraudLoad.DFN!tr: Fake UPS invoice, FedEx tracking number

Affiliate programs that pay out cash to distributors (affiliates) once a victim has purchased fraudulent software continue to exist, and have no doubt acted as a catalyst for this increase in activity: for an affiliate, it is quick, easy cash. The fake antivirus software creators typically charge between $40 and $50 USD to purchase a full version of their product: in one such case, 4.5 million orders were observed over a period of 11 months (approximately $180 million USD charged). With the holiday season fast approaching, information stealers and banking trojans such as ZBot are in perfect position to grab cash from unsuspecting victims. To avoid becoming such a victim, a layered security solution is recommended to block attacks at multiple levels. Further, follow simple steps such as identifying the sender before clicking links / attachments from e-mails, blogs, or social networking sites. Remember that PDF and document files can get you infected as well!