- Category: March - April 2010
For those who think that spam is no longer a problem, think again: Fortinet’s February 2010 Threatscape report showed strong spam activity, with one particular campaign accounting for more than half of the total volume of malware detected during the period.
In just a two-day run, HTML/Goldun.AXT dominated both spam and overall threat levels, approaching record numbers, and drove the surge in ransomware. A number of other spam campaigns also helped push ransomware onto the radar this period, distributing a variant known as ‘Security Tool.’ Beyond these high spam rates, active exploitation of new vulnerabilities also remained high, with 39 percent of new vulnerabilities seen being exploited in the wild.
Key threat activities for the month of February include:
Ransomware’s Reality: Turning Fortinet’s 2010 prediction into fact, ransomware spread widely this period through a variety of spam campaigns. Most notable was the chart-topping malware variant, HTML/Goldun.AXT, which disseminates a binary malware file that downloads the ‘Security Tool’ ransomware; once executed, it locks up applications until a ‘cleaning’ tool is purchased to restore the computer. While this campaign accounts for the majority of the activity detected this period, Security Tool was also distributed through SEO (search-engine poisoning) attacks.
The HTML/Goldun campaign brings a new ransomware tactic to the table and ups the ante for monetary gain, but the campaign itself isn’t new: the first waves were seen in late 2008, alongside the first flood of scareware to hit cyberspace. This is a good example of how tried and true attack techniques and social engineering are recycled into later attacks, and of why layered security helps against these variants. Spam detection, for instance, can catch old and current campaign templates even when they carry new virus binaries; as a separate layer, antivirus guards against the malicious binaries even when the spam templates change, so a miss in one layer does not leave the user unprotected.
In this report, Fortinet observed multiple, varying spam campaigns for Security Tool. So who is behind these campaigns? The engine driving these record-breaking spam runs is none other than Cutwail, a botnet spam engine. Some of the more prevalent Cutwail-driven campaigns distribute scareware and ransomware, which is popular because of the high profits available to cyber criminals. Cutwail has grown, says Fortinet, because its scareware campaigns have proven effective and profitable. Cutwail also spams out botnet binaries (‘seeding campaigns’) and other advertisements, which indicates that it is hired out as a spamming service (crime as a service) to multiple cyber criminals; it is therefore unlikely that a single individual or group is behind these campaigns. With record spam levels and Cutwail operating in parallel with Webwail, its web-spamming counterpart, there is no doubt we will see more troublesome activity from this pair in the future.
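As an added illustration of the layered approach described above (example code written for this article, not Fortinet’s detection logic or anything from the Goldun campaign itself), the following script runs two independent checks over one e-mail: a content layer that inspects an HTML attachment for a redirect to an executable download, and a binary layer that inspects executable attachments by file magic and a SHA-256 blocklist. The message, the HTML template and the ‘MZ’ stand-in binary are all constructed here; the regex and the hash set are deliberately simplified stand-ins for a spam-content engine and an antivirus signature set.

```python
"""Layered detection over a spam message: an HTML-attachment layer and a
binary-attachment layer, each able to flag the message on its own.
Added example; every sample below is constructed, not a real campaign capture."""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# Hypothetical campaign template: HTML that bounces the reader to a download.
REDIRECT_HTML = (
    "<html><head><meta http-equiv='refresh' "
    "content=\"0;url=http://example.invalid/setup.exe\"></head>"
    "<body>Loading your invoice...</body></html>"
)
# Constructed stand-in for a malicious PE: a DOS 'MZ' header plus filler.
FAKE_BINARY = b"MZ" + b"\x00" * 62 + b"dropper-stand-in"

# Content layer: crude signs of an HTML lure that forwards to an executable.
REDIRECT_RE = re.compile(r"http-equiv\s*=\s*['\"]?refresh|window\.location|\.exe\b", re.I)
# Binary layer: file magic for Windows PE (MZ) and ELF executables.
EXEC_MAGIC = (b"MZ", b"\x7fELF")


def build_sample_message(html=None, binary=None) -> bytes:
    """Assemble a constructed multipart message (plain body + optional attachments)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please open the attached invoice.")
    if html is not None:
        msg.add_attachment(html, subtype="html", filename="invoice.html")
    if binary is not None:
        msg.add_attachment(binary, maintype="application",
                           subtype="octet-stream", filename="invoice.exe")
    return msg.as_bytes()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def analyze(raw: bytes, known_bad: set) -> dict:
    """Run both layers over a raw RFC 822 message and return per-layer hits plus a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {"html_redirect": False, "executable_attachment": False, "known_bad_binary": False}
    for part in msg.iter_attachments():
        content = part.get_content()          # str for text/*, bytes otherwise
        if part.get_content_type() == "text/html" and REDIRECT_RE.search(content):
            hits["html_redirect"] = True      # content layer: lure template recognised
        elif isinstance(content, bytes):
            if content.startswith(EXEC_MAGIC):
                hits["executable_attachment"] = True   # binary layer: executable by magic
            if sha256(content) in known_bad:
                hits["known_bad_binary"] = True        # binary layer: signature match
    flagged = any(hits.values())
    hits["verdict"] = "block" if flagged else "allow"
    return hits


if __name__ == "__main__":
    blocklist = {sha256(FAKE_BINARY)}
    # Same lure template, repacked binary with an unknown hash: the content layer still fires.
    print(analyze(build_sample_message(REDIRECT_HTML, FAKE_BINARY + b"!"), blocklist))
    # New template, known binary: the binary layer still fires.
    print(analyze(build_sample_message("<html><body>Hi</body></html>", FAKE_BINARY), blocklist))
```

The two `print` cases are the point of the exercise: when the spammer changes the binary, the template check still catches the message, and when the template changes, the hash check still catches the binary. A real deployment would replace the regex with a spam engine and the hash set with a signature feed, but the independence of the layers is what makes the combination robust.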
Job Vacancies -- Cutwail Hired: Spam this period came in different shapes and sizes, but one thing is for sure: it came in record numbers. The culprit behind the mass distribution was, once again, Cutwail.
Buzus and Botnets Go Berserk: While ransomware took the prize in this period’s Threatscape report, the Buzus spam Trojan and various botnets, including the infamous Bredolab, Gumblar and Sasfis, still created a stir across Fortinet’s Top 10 Malware list. One newcomer to the top 10 attack list was the Sun Java vulnerability CVE-2009-3867, triggered by a malicious Java applet when a user visits a malicious website, proving once again that the platform is a quick and easy target for such campaigns.
“What we observed this month is that while spamming campaigns may change over time and methods of execution reworked a bit, the tried and true techniques that have proven successful in the past continue to thrive,” notes Derek Manky, project manager, cyber security and threat research, Fortinet. “Spam will continue to come in new flavors, with either old binaries under a different package or a new binary code under a similar guise; and new tools, like crime-as-a-service, will continue to support the growing distribution. This gives us another reason to support a layered security approach as an imperative for getting in front of the next wave.”
By Shanti Anne Morais