The state of malware – August 2008 edition

Fortinet announced the top 10 most reported high-risk threats for August 2008. Malware W32/Multidr.JD!tr and HTML/Agent.HFZ!phish, disguised as the security software AntiVirus XP 2008 and XP Security Center respectively, claimed the top two positions in Fortinet’s Top 10 with nearly 20 percent of the month’s reported activity.

W32/Multidr.JD was especially prolific with a one-day attack in late August that dislodged pesky mass mailer Netsky from its persistent No. 1 position. HTML/Agent.HFZ!phish arrived in users’ in-boxes as a purported UPS email with rogue XP Security Center attached, claiming to be an important document.

Following are the Top Ten individual threats and Top Five threat families in August. Top 100 shifts indicate positional changes compared to July’s Top 100 ranking, with “new” representing the malware’s debut in the Top 100.

Top Ten Individual Threats

Top Five Families

There was plenty of activity this month, with heavy activity coming from new and emerging faces. Last edition, we talked about traffic generators and discussed JS/Redirector.CA. Activity in this area has continued through HTML/Iframe.DN and JS/Iframe.DR, with the latter moving up one position. Since Web-borne attacks are frequent on today’s threatscape and often involve hijacking and redirecting traffic through such Iframes, we will likely see this trend continue. Quite often the traffic is redirected to websites serving exploits built from ready-made kits (MPack, GPack, etc.). It is the combination of such generators and exploit kits that makes an attack effective, and this should highlight the importance of keeping all software (especially Web browsers) up to date with the latest patches.

In October of 2007, we discussed the HTML/Iframe_CID exploit and the dominance it has had throughout the years. This is largely thanks to the success of Netsky.P, which utilizes this exploit. Nearly a year later, HTML/Iframe_CID is still very active, showing up in ninth position this edition. Although on the rise again compared to last edition, volume for this exploit (again linked to Netsky.P) has steadily dropped over time, as predicted in our October 2007 report. Current activity is roughly one fourth of the volume reported in October 2007. For seven straight months now, W32/Virut.A has shown heavy and consistent activity by ranking within the top five variants. The file infector still managed to hold this trend, though it was bumped down a couple of ranks by the tremendous activity of W32/Multidr.JD and HTML/Agent.HFZ. Finally, not seen in the official top ten, Spy/OnLineGames ranked a solid eleventh place as significant malicious activity targeted at the online gaming community continues. Turkey, the USA and China, in that order, were the regions of heaviest activity. Figure 1 below shows the activity curve for several variants in this edition:
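The two Iframe-related observations above (traffic generators that redirect browsers to exploit-kit hosts, and the long-lived HTML/Iframe_CID mail exploit) share one indicator: an `<iframe>` the user is not meant to see. The following scanner is an added example written for this page, not Fortinet code and not taken from any of the named samples. It parses HTML with Python's standard `html.parser`, collects every iframe, and flags the traits a traffic generator typically shows: a `src` pointing off-site, zero or one-pixel dimensions, or CSS that hides the frame. The detection name HTML/Iframe_CID suggests an iframe whose `src` is a `cid:` URI, i.e. a reference to an attachment in the same MIME message; the scanner flags that pattern too, on the assumption that this is what the name denotes. The two HTML documents and the hostnames in them are constructed for the example.

```python
"""Flag hidden or off-site iframes, the common shape of an Iframe traffic generator.

Added example, not code from the report or from any of the samples it names.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# CSS fragments (whitespace removed, lowercased) that make a frame invisible.
HIDDEN_STYLE_TOKENS = ("visibility:hidden", "display:none")


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # HTMLParser lowercases attribute names; values may be None.
            self.iframes.append({name: (value or "") for name, value in attrs})


def _is_tiny(size):
    """True for sizes such as "0", "1", "0px" that hide the frame."""
    cleaned = size.strip().lower().rstrip("px").strip()
    try:
        return float(cleaned) <= 1
    except ValueError:
        return False  # missing or non-numeric size: not a hiding trick by itself


def classify_iframe(attrs, page_host):
    """Return a list of reasons the iframe looks like a traffic generator.

    page_host is the host the document was served from (or "" for a mail body),
    used to decide whether the frame's src is off-site.
    """
    reasons = []
    src = attrs.get("src", "").strip()
    parts = urlsplit(src)
    if parts.scheme.lower() == "cid":
        # Assumption: this is the pattern the HTML/Iframe_CID name refers to.
        reasons.append("cid: src (references a MIME attachment)")
    elif parts.hostname and page_host and parts.hostname != page_host:
        reasons.append(f"off-site src {parts.hostname}")
    if _is_tiny(attrs.get("width", "")) or _is_tiny(attrs.get("height", "")):
        reasons.append("zero/1px dimensions")
    style = attrs.get("style", "").replace(" ", "").lower()
    if any(token in style for token in HIDDEN_STYLE_TOKENS):
        reasons.append("hidden via CSS")
    return reasons


def scan_html(html, page_host):
    """Return [(src, reasons), ...] for every suspicious iframe in html."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        reasons = classify_iframe(attrs, page_host)
        if reasons:
            findings.append((attrs.get("src", ""), reasons))
    return findings


# Constructed sample inputs (hostnames are placeholders, not real infrastructure).
SAMPLE_PAGE = """<html><body>
<p>Welcome</p>
<iframe src="http://legit.example/widget" width="300" height="200"></iframe>
<iframe src="http://bad.example/in.php" width="0" height="0"
        style="visibility: hidden"></iframe>
</body></html>"""

SAMPLE_MAIL_BODY = """<html><body>
<iframe src="cid:part1.abcdef@localhost" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for label, doc, host in (("web page", SAMPLE_PAGE, "legit.example"),
                             ("mail body", SAMPLE_MAIL_BODY, "")):
        for src, reasons in scan_html(doc, host):
            print(f"{label}: iframe src={src!r}: {', '.join(reasons)}")
```

The visible 300x200 widget frame on the constructed page produces no finding; the zero-size, CSS-hidden frame pointing at another host is reported with all three reasons, and the mail body's `cid:` frame is reported on the attachment reference and its size. In practice this check belongs at a mail or Web gateway, and a hit should be treated as a pointer to the exploit-kit host, which is the part of the chain worth blocking.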

The most dominant activity this edition lay in first and second place, both tied to rogue security applications, observed Fortinet security researcher Derek Manky. In one day alone, W32/Multidr.JD managed to capture first place for the entire period. Not since February 2007, when the infamous Storm botnet (Tibs) emerged, has such an intense campaign been observed. The two rogue security applications in our top ten, XP Security Center and AntiVirus XP 2008, are linked to W32/Multidr.JD, W32/Agent.HKR, HTML/Agent.HFZ and W32/Agent.HFZ. While similar, XP Security Center (W32/Agent.HKR and Agent.HFZ) was active mostly in the USA, Japan and Canada, whereas AntiVirus XP 2008 showed activity in the USA, Lithuania and Mexico. Interestingly, two very similar social engineering campaigns involving programs posing as Word documents (used with XP Security Center) share a similar geographic distribution. The seeding campaign of the emerging W32/Agent.KG showed the most activity in Japan, Canada and the USA. HTML/Agent.HFZ (XP Security Center) was using a UPS phishing email in late July 2008. Figure 2 below shows activity for these variants:
