Threat Research

September 2009 Threat Landscape: Bredolab/ZBot recruit zombies; zero-days and money mules active

By Derek Manky | September 24, 2009

Our monthly Threat Landscape report is out for September, discussing many threats including Bredolab, scareware, and ZBot. For distribution through email, Bredolab chose fake invoices from DHL/UPS, while ZBot disguised its malicious links (all under the European Union ccTLD "EU") as a tax scare from the IRS. Of course, no report would be complete without highlighting email scams and breaking vulnerabilities, as summarized below:

The Bredolab botnet continued aggressively this period with the rise of W32/Bredo.G, which began on September 17th and continues past September 20th as of writing. This variant is part of the Bredolab family, a trojan downloader that has been notoriously linked to rogue security software. Such fraudulent software has become ubiquitous: it is sold under a multitude of labels and spread by many actors through many channels. Some recent examples of scareware distribution include an IRC bot pushing download commands (blog post here), various black hat SEO campaigns (blog post here), automated Twitter accounts, and malicious advertisements (NYTimes announcement here). Another example is the Bredolab variant in Figure 5c, a mass mailing campaign that uses a tried-and-true tactic: fake invoices, this one supposedly from DHL. The latest wave of these attacks began on August 31st; opening any of these attachments will enlist your machine into a network of zombies within the Bredolab/Gumblar botnet. This botnet first emerged in early 2009, and has also been known to seed attacks through PDF and SWF (Adobe Reader/Flash) files served from compromised websites. FortiGuard detects these attacks as JS/PackRedir.A!tr and JS/Redir.MR!tr. JS/PackRedir.A has been in our top five detected viruses since June 2009, indicating the prevalence of such attacks.

September marks one year since we first saw an explosion of scareware hit cyberspace, in then-record volume. Indeed, one year later we are still seeing the continued distribution of scareware through the variety of options available to cyber criminals. No doubt this has been a profitable model whose operators still find, and will continue to find, innovative ways to exploit end users. It is likely that these attacks will only diminish once scareware becomes too high profile and easily recognizable to end users as a scam, similar to the decreasing click-through rates for spam today. However, this will in turn lead to further attacks as cyber criminals explore other ways to exploit an end user's pocketbook: perhaps more forceful ways, such as ransomware. Ransomware attacks encrypt documents and other personal information, with decryption available as a service -- for a not-so-reasonable fee, of course.

During this period we saw the disclosure of two unpatched remote code execution vulnerabilities in Microsoft products: the IIS FTP Service (CVE-2009-3023) and Server Message Block version 2 (SMB2, CVE-2009-3103). As of writing, we have detected low but steadily increasing exploit activity for the latter. We have also continued to see an increase in exploit activity for Adobe Reader / Flash (CVE-2009-1862) this period. Our team continues to closely monitor all breaking threats, including these critical vulnerabilities. There is an interim fix available from Microsoft for the SMB2 flaw. FortiGuard IPS blocks exploit attempts ahead of vendor patches, which is especially important for zero-days, when no patches are readily available to deploy.

ZBot, the do-it-yourself botnet, was seen distributed through a mass mailing attack disguised as a tax scare from the IRS. ZBot has become a widespread issue due to the availability of its crimeware kit, Zeus. In August 2009 we detected record activity levels for some ZBot variants, following notable surges in June 2009. Of course, these emails were not from the IRS, which is easily identified by examining the link. The link text includes the email recipient's name as an identifier, an effort to enhance the legitimacy of the link. An age-old trick is deployed within the link: (a legitimate domain) is used as a subdomain label of a domain that resolves to a malicious server, so the trusted name appears at the start of the hostname while the registrable domain is attacker-controlled. These attacks started on September 9th and continue as of writing. More interestingly, all domains we observed in the attack were registered under the ccTLD "EU" (European Union), using various registrars including Namebay SAM and Ascio Technologies Inc. The registrars seem to be responsive, as many of the domains have been taken down -- verified by a quick search on EURid. Despite the takedown process, new domains are being registered frequently, in what appears to be automated fashion: every domain consists of 6 seemingly random alphanumeric characters. Registrar-level filtering against such automated registrations would be a good step towards proactive mitigation. As an example, all domains followed this format: "", where x is frequently changed/registered. As in many cases, a quick look at such a link can prevent infection by a nasty trojan set to steal your credentials.
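The "quick look at the link" above can be automated. The following is an added example (not code from the original post or from FortiGuard) that checks a URL for the two tells described: a trusted name that appears only as a subdomain label rather than as the registrable domain, and a registrable domain that is six random-looking alphanumeric characters under .eu. It also catches the related userinfo trick (`http://trusted.name@evil.example/`). The sample links and the six-character .eu domains in them are constructed for the example, and `registrable_domain()` is a deliberate simplification that takes the last two host labels, which is adequate for .eu but would need the Public Suffix List for TLDs with second-level public suffixes.

```python
"""Heuristic check for the IRS-lure link pattern: trusted name as a subdomain
label under a throwaway six-character .eu domain.  Added example, not code
from the original report."""
import re
from urllib.parse import urlsplit

# Constructed sample links (hypothetical domains).  The first two mimic the
# lure pattern; the third is what a genuine IRS link looks like.
SAMPLE_LINKS = [
    "http://irs.gov.k3p9qz.eu/refund/John.Smith",
    "http://www.irs.gov@h8a2mn.eu/refund",
    "https://www.irs.gov/refund",
]

# Names the lure tries to impersonate.  Extend for other brands as needed.
TRUSTED = ("irs.gov",)

# The campaign's domain shape: exactly six alphanumerics directly under .eu.
SIX_CHAR_EU = re.compile(r"^[a-z0-9]{6}\.eu$")


def registrable_domain(host: str) -> str:
    """Return the last two labels of the host (simplification: .eu has no
    public second-level suffixes; a general tool would use the PSL)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse(url: str, trusted=TRUSTED) -> dict:
    """Parse one URL and list the reasons it looks like the lure, if any."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()  # hostname drops userinfo and port
    reg = registrable_domain(host)
    findings = []

    # http://irs.gov@evil.eu/ : the name before '@' is userinfo, not a host.
    if parts.username is not None:
        findings.append("userinfo before host: " + parts.username)

    # Trusted name present in the host, but it is not the registrable domain
    # and the host is not a genuine subdomain of it (e.g. www.irs.gov).
    for name in trusted:
        if name in host and reg != name and not host.endswith("." + name):
            findings.append(f"{name} appears only as a subdomain of {reg}")

    if SIX_CHAR_EU.match(reg):
        findings.append("six-character alphanumeric .eu domain: " + reg)

    return {"url": url, "host": host, "registrable": reg, "findings": findings}


def suspicious(url: str) -> bool:
    """True when any heuristic fires."""
    return bool(analyse(url)["findings"])


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        result = analyse(link)
        verdict = "SUSPICIOUS" if result["findings"] else "ok"
        print(f"{verdict:10} {link}")
        for reason in result["findings"]:
            print("           -", reason)
```

The registrable-domain comparison is the heart of it: a link is only as trustworthy as the part of the hostname the registrant actually controls, which is the rightmost labels, not the leftmost ones the eye reads first. The six-character rule is specific to this campaign and is the kind of signature that the text suggests a registrar could apply at registration time.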

Figure 1: Financial Assistant at Global Shipping Agency

Further highlighting innovative scams, we saw yet another money mule recruitment scheme in the form of "Global Shipping Agency". The linked website looks very professional, with a template ripped from a legitimate site (see image above). The job position advertised in the email was for a "Customer Service Financial Assistant". From the job responsibilities on the website (highlighted in red above): "Professionally processes customer payments, using his bank account ( or bank account set up especially for the company needs).". It seems that all that is otherwise required is a high school diploma. Please be very wary of any such get-rich-quick schemes, especially when they involve accepting or forwarding payments through your own bank account; the "assistant" is laundering stolen funds. These scams come in many flavors -- we discussed one last report with "Honeywell International". We even saw continued spam from Stration, a mass mailer that was in its prime back in 2007. The mail comes with the subject "Mail server report" and an attachment "" claiming to be an update for worm elimination -- nothing more than a copy of the worm itself.

Virut and online gaming trojans remain very prevalent, as has been the case all year. While total detected malware dropped in volume this period, the unique count of variants (distinct pieces of malicious code) remained at the high level built up over previous months. Our global detected spam rate this period was at its highest at the end of the reporting cycle, aided by the campaigns mentioned above. New to our regional spam list was the Netherlands, landing in 5th position for overall received spam volume. MS.DCERPC.NETAPI32.Buffer.Overflow, best known as Conficker/MS08-067, remained at the top of our detected exploit list, while exploitation of newly covered vulnerabilities remained high (42.6% of detected exploit activity). The share of detected exploits that target new vulnerabilities has been creeping higher since May 2009, indicating more attacks and proof-of-concept code being developed for fresh vulnerabilities.
