The report contains what appears to be significant changes. The report includes mention of the FakeAv scams that have plaqued users over the past couple of years. Another friend just brought in a laptop screaming “Your system is infected!” yesterday, most likely due to a banner ad drive-by. At this point, it’s hard to believe that the fraud is not occuring on a large enough scale to quantify the criminal activity.

The report provides list of the most common complaints that the IC3 received in 2009, including spam, identity theft, credit card fraud, and computer damage, all things that an additional layer of protection like ThreatFire effectively helps protect your system against.

Complaints of internet crime, including spam and fraud, should be filed here, in addition to making other appropriate contacts. They can’t report on what is not filed.

The past year showed massive numbers of malware being run on systems across the globe. Behind the malware was an active malware marketplace, often with forums full of services for hire, advice on distributing and maintaining crimeware, and devious ways to hire money-mules.

There is more than meets the eye to these services. Much of the activity was not being discussed in these public forums or was as front and center in the media as the Conficker circus. While bot activity is not new to the party, a recently published study “SBotMiner: Large Scale Search Bot Detection“ brings in the year with a fresh start on identifying and quantifying malicious search bot traffic. The activity is under-studied and significant: the “miner” identified that almost 4% of all query traffic is bot-related (which represents at least hundreds of millions of search queries every couple of months), and that seems to be only the tip of the iceberg. The traffic was collected in Feb and April 2009, the search engine is not specified (google, yahoo!, live, altavista, ask, etc.) and that selection may have impacted the studies’ volumes and results. It is suggested that Live search results were used, so results most likely are much larger when the other engines are considered. The study also includes more forms of bot-based attacker-related traffic, instead of exclusively examining click fraud related bot queries and activity.

The discussion and findings included:

“More importantly, detecting bot-generated search traffic has profound implications for the ongoing arms race of network security. While many bot queries from individual hosts may be legitimate (e.g., academic crawling of specific Web pages), a significant fraction of bot search traffic is associated with malicious attacks at different phases. In addition to the well known click-fraud attacks that can be commonly observed in query logs, attackers also use search engines to find Web sites with vulnerabilities, to harvest email addresses for spamming, or to search well-known blacklists.”

“Attackers are leveraging search engines for exploiting vulnerabilities of Web sites. SBotMiner Identifies 88K searchbot groups searching for various PHP scripts and ASP scripts.”

“Using the entire datasets, SBotMiner detects 8,678 groups searching for PHP scripts in Feb and 79,337 such groups in April; 64 groups searching for ASP scripts in Feb and 301 groups in April. These searches spread all over the world.”

“Initial evidence shows that many of them might be associated with various forms of malicious activities such as phishing attacks, searching for vulnerabilities and spamming targets, or checking blacklists. Interestingly, attacks from different countries and regions do exhibit distinct characteristics, and search bots from countries with high bandwidth Internet access are more likely to be aggressive in submitting more queries.”

“We used sampled query logs collected in two different months and identified 700K bot groups with more than 123 million pageviews involved. The percentage of bot traffic is non-trivial — accounting for 3.8% of total traffic”  

So how might this effect you, dear reader? Well, 2010 already brings with it more publicly available information on the methods being used to harvest information about you, the blackhat Seo that these groups are increasingly relying on and the means in which these groups attempt to identify vulnerable servers to attack and use, in turn, to attack your system. It’s a fine read with some fresh information and an enjoyable way to settle into the New Year.

The first, larger waves we saw in February targeted German users, protected within the ThreatFire community from the menace. As more european banks and countries were hit, we continued to monitor for more of a global presence, as the malware package becomes even more popular among multinational banking cyberthieves. Distribution servers have been appearing on American providers’ networks, the next logical step is to find American banks targeted as well. We will be monitoring the situation closely.

The stealer is being spread by attacking the usual client side vulnerabilities in browsers and third party plugins.

Brontok is a mass mailing worm that isn’t mentioned all that often anymore, being out-amplified by sensations like Conficker/Downadup/Kido, but its many variants continue to show up all over the world. For the past month, our ThreatFire users in Mexico and Brazil have been most protected from these Brontok variants, being run and ThreatFire-prevented on desktops in high numbers.
The compromised hosts used to be abused as DDoS bots, attacking sites around the world in what was unconfirmed as hacktivism or blackmailing attempts. Now, however, the worm travels without a head in the sunniest tropics — the major provider (unwittingly at the time) hosting Brontok’s configuration files have long ago taken down Brontok-accessed command-and-control server accounts.

The FTC’s complaint from December calls this stuff scareware, also called “rogueware”. It’s amazing how many users really fell for and continue to fall for this stuff, and then cannot get their money back. According to the complaint:
“Unaware of the Defendants’ trickery, more than one million consumers have purchased the Defendants’ software products to cure their computers of the non-existent problems “detected” by the Defendants’ fake scans…
Although some consumers later realize they have been defrauded by Defendants and attempt to seek refunds, Defendants routinely delay, obstruct and refuse to honor such requests.”

A recent perusal through prices offered various services shows that a user can obtain a private spambot kit for just under $5000, an exploit kit for another ~$400 complete with the newest pdf, flash, and browser exploits (Internet Explorer, Firefox, and Opera covered here), subscribe to an AV-detection/evasion service for under $100/month, and subscribe to an email address harvesting service that boasts almost a billion verified private addresses all for a low price of under $100 per 1 million sorted addresses. These marketplaces are currently very active.
The technologies being peddled are slowly adapting as the defenses in the field change, with promises of multi-platform effectiveness (XP, Vista, etc) in feature lists and pro-active/heuristic detection functionality addressed by evasion services.
Based on a walk through the market like this one, it’s easy to predict that client side attacks, delivering spambots and DdoSbots will continue with high levels of activity, regardless of the recession.

Please take a minute to update your third party plugins. The latest Adobe Reader can be found at the Adobe web site.

A visit to this page results in multiple client side exploits, delivered by multiple redirected web pages, which TF prevents. ThreatFire also stops the attacking executable file as Trojan.Waledac.

The attackers make it obvious what web site they are attempting to mimic in their social engineering scheme. The entire HTML header for the attacking web page on the malicious site was ripped directly from 123greetings.com, a popular ecard site. Here is some of the header from the malicious web page:
Title: New Year Cards, Free New Year eCards, Greeting Cards
meta name =”keywords” content=”new year cards,free new year ecards,greeting cards,greetings,wishes for the new year,free e cards for new year,christmas and new year wishes,free new year greetings,free ecards for new year”
meta name=”description” content=”2009 is here! Fill your heart with new hopes, reach out for new opportunities and celebrate the New Year! Reach out to your friends, family,…”

Keep in mind that the legitimate www.123greetings.com site appears to send out ecards as Flash videos, and not as “postcard.exe” files.

Update (1/5/2008): Waledac variant card.exe continues to be distributed — we’re seeing hxxp://direct christmas gift.com as an offending server up and running with the same card store front.

We’ve been seeing more reports and ThreatFire preventions of the malware delivered along with a somewhat common email-based social engineering scheme. The Zbot variant is attached to an official sounding warning from the worldwide delivery group UPS. The file currently in circulation has a name somewhat like “Exl6512721.ZIP”, and the contents of the email looks something like this text:

“Sorry, we were not able to deliver postal package you sent on November the 25th in time because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office.
If you do not receive package in ten days you will have to pay 36$ per day.

Your UPS Support Team “

The Zbot variant attempts to steal banking information and passwords from unsuspecting users, and this one sends the information off to a waiting server in russia. Fortunately, at this time, the servers are down.
You can see here that ThreatExpert now decodes the config files delivered with this nastiness. The post includes a list of financial institutions commonly being targeted.

As always, exercise caution when opening unusual emails and especially when opening attachments.