Across the U.S. the ThreatFire community saw huge numbers of FakeAv variants disappointingly being run on systems, the Vundo ad-popping trojan appearing all over desktops, and Koobface worming its way across social networks. In India, the Sality virus/downloader and varieties of bots attempted to infect systems — when ThreatFire’s community’s statistics are extrapolated out to the 40 million likely computers in that country, we can estimate that  millions of Indian systems were attacked by this virus. In China, we saw gaming password stealing worms continue to spread out across the country, most likely distributed through usb sticks and other removable drives. Hot topics consistently led to blackhat SEO and phony codecs. Socially engineered bulk email schemes delivered attachments that dropped password stealing Zbot and Bredolab downloaders, users were easily convinced that they received invoices from delivery services or social networks were updating their systems. The Conficker hype grew exponentially and is all too slowly whimpering away, while the Waledac threat mutated and began to dry up altogether.

Our PC Tools ThreatFire team finished the year with a bang. The award winning PC Tools’ Internet Security Suite and its ThreatFire Behavioral Intelligence component topped all other suites as champion in the lengthiest, most comprehensive, real-world dynamic-testing malware blocking competition to date. It’s exciting to see AMTSO dynamic testing best practices being adopted and used to better drive testing and scenarios that best evaluate malware attacks that most computer users really can encounter on a daily basis. Nice testing effort and results indeed.

As 2010 arrives, we hope that existing and new ThreatFire/Behavior Guard users around the world look forward to fewer of these threats being realized on their own systems and another year of confidence in their information driven world.

Users should be aware that the same distributors of Adobe Reader attacks are also attacking Foxit Reader, and retrieving the same downloader components via exploitation.

Any new exploitation data would look like this…
Adobe Reader v9 less than 1%
Foxit Reader v2 less than 1%
Adobe Reader v8 48%
Adobe Reader v7 50%

The newest Foxit Reader upgrades can be found here.

Usually, attackers deliver these malcrafted pdf files via malicious websites serving up links to malcrafted pdf files and sometimes send spam with malcrafted pdf email attachments. Even if you do not regularly open pdf files within your browser or open email attachments containing pdf files, if you have installed Adobe Reader, please take a minute to visit the web site and upgrade the software to the latest version.

Here is the variety of attacked Adobe Acrobat Reader versions targeted this year (as of the very beginning of March) and their percent of the pie (rounded numbers here):

Reader v9 less than 1%
Reader v8 48%
Reader v7 50%

So, it may be interesting to catch up on estimating some recent numbers for the ongoing Waledac spam operation. This afternoon’s Waledac spam blasts contained the usual content for this campaign:
1. Discount offer-related subject lines related to and links to ripped coupon themed pages serving up malicious executables
2. Pharma-related subject lines and links to pharmaceutical sites (screenshots above and below)

Subject lines and message content for category 1 (hyperlinks mangled intentionally):
Subject: “I sent you useful thing”
Message:
You probably wish to save your money, look at this
hxxp:(slashslash)greatcouponclub(dot)com(slash)discounts.php

Subject: “Latest sales news and coupons”
I want to suggest this page to you hxxp:(slashslash)thecoupondiscount(dot)com(slash)sales.php

Subject: “We can go through the crisis with it”
It’ll be interesting for you hxxp:(slashslash)greatcouponclub(dot)com(slash)couponslist.php

Subject: “A good way to save money is to use these coupons”
New list with coupons in your city hxxp:(slashslash)greatsalesgroup(dot)com(slash)salelist.php

Subject: “All my friends have already used it”
I sent you useful listing hxxp:(slashslash)smartsalesgroup(dot)com(slash)couponslist.php

Subject: “I’ve already used these coupons”
Cool! You can save your money hxxp:(slashslash)greatsalestax(dor)com(slash)list.php

Subject lines and content for category 2, the pharma spam:
Subject: Get the most of your life!
Helloween sale hxxp:(slashslash)agreeslick(dot)com

Subject: Stimulate better growth
Make your body real TNT, exploding near girls with passion and desire.
hxxp:(slashslash)bestplaceapts(dot)at

Let’s assume that the botnet currently is 30,000-40,000 hosts, with ~30,000 spambots sending out messages every second. Because of fantastic efforts like spamhaus, and the fact that various free mail hosting services have tightened up the sources of email senders that they accept email from, let’s assume that each bot can successfully deliver approximately 1.7 messages per second. With 30,000 bots, that comes to 51,000 messages per second, at a rate of 3,060,000 spam successfully sent every minute (that’s from the bot to the destination smtp server).
Now let’s estimate that 10% of that mail arrives in the users’ inboxes (due to filters and scanners of all sorts). That’s still 306,000 messages getting to users’ inboxes. And 1% of that group may actually buy something or fall for a malicious link? Would it be overestimating to guess that ~3,000 users visit a malicious couponizer page or a phony online pharmaceutical link from a single minute of Waledac spamming?

What does your math look like?

Currently, the service is set up to host 30 customer sites, and since November, the group has taken on a measly seven. For this market, that is not much momentum. At 50 bucks a month for hosting, the group is taking on a petty 350 U.S. dollars for the service. The global recession seems to be hitting every market.

Her first post, “Tunnel Vision“, criticized Microsoft’s claims of insight into the volumes of malware actually running on user systems. She points out that Microsoft asserts ‘Zlob is among the most common type of Trojan downloaded onto Windows machines.” The assertion was based on data collected by Microsoft’s Malicious Software Removal Tool (MSRT). But the MSRT is only programmed to see 111 (as of today’s date) malware families.’
Microsoft frequently implies grand claims of their own strong perpective into (here comes my oh-so-favorite marketing term) the “malware landscape”, based on the reported findings of this MSRT tool, simply because it runs on 400 million systems. She contradicts their ability to make these MSRT-based claims with her own estimates of the tool’s effectiveness:
‘”In other words, Zlob is not “among the most common type of Trojan downloaded onto Windows machines”. Instead, Zlob is among the most common malware detected by the MSRT, which currently detects only about 5% of active malware families.’

On yesterday’s “The Numbers Behind Detection“, she updates that number by extrapolating numbers from a recent straightforward, informative and respectable post from McAfee, humorously shouting “and I say we are detecting between 400,000 and 10,000,000 malware!“:
‘That makes my comments in Tunnel Vision even more pertinent as it effectively drops the MSRT detection percentage from 5% of all families to .03%.’
Tunnel vision? The MSRT tool may be very beneficial to the Windows community at large, but the sight that tool provides is more myopic than anything. Put some glasses on it and send it to class!

On a daily basis, the ThreatFire community provides us with some insight into not only what malware users really are running on their desktops (and not just showing up in their inbox, a P2P directory, or downloaded and not run), but the unfortunate volumes of malware that go undetected by AV scanners when first released into the wild. Even time-worn and sophisticated scanners developed by talented groups have a difficult time detecting and keeping up with the volumes, the changing nature, and the evasive techniques of today’s “cash is king malware” while not bogging down users’ systems. It is often difficult to best classify these changing samples as well for these burdened groups. Keeping on top of those volumes to make sweeping claims about percentages takes a keen vision indeed.