|
Archive for the ‘Malware Estimates’ Category
Tuesday, March 17th, 2009
While Adobe Reader users were urged to upgrade their software in one of our previous posts, Foxit Reader, another free pdf viewer, needs to be actively upgraded as well.
Users should be aware that the same distributors of Adobe Reader attacks are also attacking Foxit Reader, and retrieving the same downloader components via exploitation.
Any new exploitation data would look like this…
Adobe Reader v9 less than 1%
Foxit Reader v2 less than 1%
Adobe Reader v8 48%
Adobe Reader v7 50%
The newest Foxit Reader upgrades can be found here.
Posted in Exploit, Malware Estimates | No Comments »
Wednesday, March 11th, 2009
Pdf readers are commonly used, and so far this year, they have been a highly abused third party plugin. Tens of thousands of malcrafted pdf exploits have been prevented from running by ThreatFire on our community systems so far this year. This information is being presented to encourage our users to upgrade their pdf reader software to the latest version and remind them of the versions available.
Usually, attackers deliver these malcrafted pdf files via malicious websites serving up links to malcrafted pdf files and sometimes send spam with malcrafted pdf email attachments. Even if you do not regularly open pdf files within your browser or open email attachments containing pdf files, if you have installed Adobe Reader, please take a minute to visit the web site and upgrade the software to the latest version.
Here is the variety of attacked Adobe Acrobat Reader versions targeted this year (as of the very beginning of March) and their percent of the pie (rounded numbers here):
Reader v9 less than 1%
Reader v8 48%
Reader v7 50%
This list does not mean that Acrobat Reader 7 is the most vulnerable of the versions. As a matter of fact, the top five subversion info, in order of highest number of incidents, is 8.1.0.137, 7.0.8.218, 7.0.0.0, 7.0.5.172, 8.0.0.456. However, it may tell us that the highest number of users that install ThreatFire continue to use one of the version 7 products and seeing it attacked. If you are using any of the Adobe Reader versions, please upgrade to the latest at their web site.
Some of the most common payloads for the exploits’ shellcode are downloaders. Unfortunately, that leaves the explanation a bit hazy, because by definition, a downloader simply pulls down more software and “loads” it. Well, from our vantage point, most commonly the downloaders fetch and install FakeAV software, otherwise called rogueware. One example that we discussed last year was an Antivirus 360 downloader, which seemed to replace the Antivirus 2009 attacks. Current examples are sites delivering downloaders like hxxp:(slashslash)f-o-r(dot)ms(slash)xrun.tmp We also see a number of banking/identity password stealers delivered via malcrafted pdf files, with Zbot leading the charge, followed by a variety of Hupigon stealers and FakeAV. This morning, we witnessed v9 exploited on multiple users’ desktops by malcrafted pdf files with the shellcode downloading a gaming password stealer from hxxp:(slashslash)202(dot)67(dot)215(dot)110(slash)caonimabi.exe. This link is live and serving malware — DO NOT download and run it. And on a more recent trend, malcrafted pdf files will download more exploit code. For example, malcrafted pdf files generated by the LuckySploit exploit pack will pull down more javascript served at 72(dot)233(dot)79(dot)18(slash)prn(slash), and wreck more havok, installing a rootkit to hide more downloaders installed on the victim system.
So what techniques are employed most frequently in the shellcode?
The shellcode is generally around 215 bytes long, following a lengthy nop sled. UrlDownloadToFile, ShellExecute and WinExec are the most commonly implemented api calls in the malicious pdf based shellcode that we’ve examined.
If you have installed pdf reader software on your system, no matter how often you think that you use them, please be sure to upgrade. It’s useful stuff so it’s ubiquitous, and become a common target of commodity exploit kits.
Posted in Commodity Kit, Exploit, Incident, Malware Estimates, Vulnerability | 1 Comment »
Monday, March 9th, 2009
Spam operations are progressing indeed. Dancho Danchev recently posted insightful images into an active managed spam service.
So, it may be interesting to catch up on estimating some recent numbers for the ongoing Waledac spam operation. This afternoon’s Waledac spam blasts contained the usual content for this campaign:
1. Discount offer-related subject lines related to and links to ripped coupon themed pages serving up malicious executables
2. Pharma-related subject lines and links to pharmaceutical sites (screenshots above and below)
Subject lines and message content for category 1 (hyperlinks mangled intentionally):
Subject: “I sent you useful thing”
Message:
You probably wish to save your money, look at this
hxxp:(slashslash)greatcouponclub(dot)com(slash)discounts.php
Subject: “Latest sales news and coupons”
I want to suggest this page to you hxxp:(slashslash)thecoupondiscount(dot)com(slash)sales.php
Subject: “We can go through the crisis with it”
It’ll be interesting for you hxxp:(slashslash)greatcouponclub(dot)com(slash)couponslist.php
Subject: “A good way to save money is to use these coupons”
New list with coupons in your city hxxp:(slashslash)greatsalesgroup(dot)com(slash)salelist.php
Subject: “All my friends have already used it”
I sent you useful listing hxxp:(slashslash)smartsalesgroup(dot)com(slash)couponslist.php
Subject: “I’ve already used these coupons”
Cool! You can save your money hxxp:(slashslash)greatsalestax(dor)com(slash)list.php
Subject lines and content for category 2, the pharma spam:
Subject: Get the most of your life!
Helloween sale hxxp:(slashslash)agreeslick(dot)com
Subject: Stimulate better growth
Make your body real TNT, exploding near girls with passion and desire.
hxxp:(slashslash)bestplaceapts(dot)at
Let’s assume that the botnet currently is 30,000-40,000 hosts, with ~30,000 spambots sending out messages every second. Because of fantastic efforts like spamhaus, and the fact that various free mail hosting services have tightened up the sources of email senders that they accept email from, let’s assume that each bot can successfully deliver approximately 1.7 messages per second. With 30,000 bots, that comes to 51,000 messages per second, at a rate of 3,060,000 spam successfully sent every minute (that’s from the bot to the destination smtp server).
Now let’s estimate that 10% of that mail arrives in the users’ inboxes (due to filters and scanners of all sorts). That’s still 306,000 messages getting to users’ inboxes. And 1% of that group may actually buy something or fall for a malicious link? Would it be overestimating to guess that ~3,000 users visit a malicious couponizer page or a phony online pharmaceutical link from a single minute of Waledac spamming?
What does your math look like?
Posted in Malware Estimates, Spam, Spamhaus, Waledac | No Comments »
|
|
|
|
