|
Archive for the ‘Malware Estimates’ Category
Thursday, December 31st, 2009
Just before we pop corks at the arrival of 2010 and the passing of 2009, let’s take a quick look at the second half of 2009.
Across the U.S. the ThreatFire community saw huge numbers of FakeAv variants disappointingly being run on systems, the Vundo ad-popping trojan appearing all over desktops, and Koobface worming its way across social networks. In India, the Sality virus/downloader and varieties of bots attempted to infect systems — when ThreatFire’s community’s statistics are extrapolated out to the 40 million likely computers in that country, we can estimate that millions of Indian systems were attacked by this virus. In China, we saw gaming password stealing worms continue to spread out across the country, most likely distributed through usb sticks and other removable drives. Hot topics consistently led to blackhat SEO and phony codecs. Socially engineered bulk email schemes delivered attachments that dropped password stealing Zbot and Bredolab downloaders, users were easily convinced that they received invoices from delivery services or social networks were updating their systems. The Conficker hype grew exponentially and is all too slowly whimpering away, while the Waledac threat mutated and began to dry up altogether.
Our PC Tools ThreatFire team finished the year with a bang. The award winning PC Tools’ Internet Security Suite and its ThreatFire Behavioral Intelligence component topped all other suites as champion in the lengthiest, most comprehensive, real-world dynamic-testing malware blocking competition to date. It’s exciting to see AMTSO dynamic testing best practices being adopted and used to better drive testing and scenarios that best evaluate malware attacks that most computer users really can encounter on a daily basis. Nice testing effort and results indeed.
As 2010 arrives, we hope that existing and new ThreatFire/Behavior Guard users around the world look forward to fewer of these threats being realized on their own systems and another year of confidence in their information driven world.
Posted in AMTSO, Bot, Bredolab, Crimeware, FakeAlert, Koobface, Malware Estimates, Password stealing, Rogueware, Sality, Social Engineering, Vundo, Waledac, ZBot | No Comments »
Tuesday, March 17th, 2009
While Adobe Reader users were urged to upgrade their software in one of our previous posts, Foxit Reader, another free pdf viewer, needs to be actively upgraded as well.
Users should be aware that the same distributors of Adobe Reader attacks are also attacking Foxit Reader, and retrieving the same downloader components via exploitation.
Any new exploitation data would look like this…
Adobe Reader v9 less than 1%
Foxit Reader v2 less than 1%
Adobe Reader v8 48%
Adobe Reader v7 50%
The newest Foxit Reader upgrades can be found here.
Posted in Exploit, Malware Estimates | No Comments »
Wednesday, March 11th, 2009
Pdf readers are commonly used, and so far this year, they have been a highly abused third party plugin. Tens of thousands of malcrafted pdf exploits have been prevented from running by ThreatFire on our community systems so far this year. This information is being presented to encourage our users to upgrade their pdf reader software to the latest version and remind them of the versions available.
Usually, attackers deliver these malcrafted pdf files via malicious websites serving up links to malcrafted pdf files and sometimes send spam with malcrafted pdf email attachments. Even if you do not regularly open pdf files within your browser or open email attachments containing pdf files, if you have installed Adobe Reader, please take a minute to visit the web site and upgrade the software to the latest version.
Here is the variety of attacked Adobe Acrobat Reader versions targeted this year (as of the very beginning of March) and their percent of the pie (rounded numbers here):
Reader v9 less than 1%
Reader v8 48%
Reader v7 50%
This list does not mean that Acrobat Reader 7 is the most vulnerable of the versions. As a matter of fact, the top five subversion info, in order of highest number of incidents, is 8.1.0.137, 7.0.8.218, 7.0.0.0, 7.0.5.172, 8.0.0.456. However, it may tell us that the highest number of users that install ThreatFire continue to use one of the version 7 products and seeing it attacked. If you are using any of the Adobe Reader versions, please upgrade to the latest at their web site.
Some of the most common payloads for the exploits’ shellcode are downloaders. Unfortunately, that leaves the explanation a bit hazy, because by definition, a downloader simply pulls down more software and “loads” it. Well, from our vantage point, most commonly the downloaders fetch and install FakeAV software, otherwise called rogueware. One example that we discussed last year was an Antivirus 360 downloader, which seemed to replace the Antivirus 2009 attacks. Current examples are sites delivering downloaders like hxxp:(slashslash)f-o-r(dot)ms(slash)xrun.tmp We also see a number of banking/identity password stealers delivered via malcrafted pdf files, with Zbot leading the charge, followed by a variety of Hupigon stealers and FakeAV. This morning, we witnessed v9 exploited on multiple users’ desktops by malcrafted pdf files with the shellcode downloading a gaming password stealer from hxxp:(slashslash)202(dot)67(dot)215(dot)110(slash)caonimabi.exe. This link is live and serving malware — DO NOT download and run it. And on a more recent trend, malcrafted pdf files will download more exploit code. For example, malcrafted pdf files generated by the LuckySploit exploit pack will pull down more javascript served at 72(dot)233(dot)79(dot)18(slash)prn(slash), and wreck more havok, installing a rootkit to hide more downloaders installed on the victim system.
So what techniques are employed most frequently in the shellcode?
The shellcode is generally around 215 bytes long, following a lengthy nop sled. UrlDownloadToFile, ShellExecute and WinExec are the most commonly implemented api calls in the malicious pdf based shellcode that we’ve examined.
If you have installed pdf reader software on your system, no matter how often you think that you use them, please be sure to upgrade. It’s useful stuff so it’s ubiquitous, and become a common target of commodity exploit kits.
Posted in Commodity Kit, Exploit, Incident, Malware Estimates, Vulnerability | 1 Comment »
|
|
|
|
