‘Do-it-Yourself’ Botnet Kits Gain Momentum

Fortinet released its August 2010 Threat Landscape report showing some interesting changes and shifts from previous months, with an interesting trend in “Do-It-Yourself” Botnet Kits gaining momentum and becoming a serious threat.

A highly detected infection in August came from variants of ZeuS/ZBot, mainly as a result of do-it-yourself ZBot botnet kits that provide malware creators with the tools required to build and administer their own botnet. These botnet kits are by no means new to the market, but they have gained serious momentum recently. The kits even include an easy-to-use control panel application to maintain and update the botnet and to retrieve the captured information. A configurable builder tool lets the operator create the executables used to infect victims’ computers.

These ZeuS/ZBot trojans are typically spread via spam and black hat SEO poisoning. The messages appear to come from legitimate sources and ask recipients to click on a link; the link installs the malware, which then sits silently, waiting for users to enter their credentials on particular sites such as an online banking site. As SecurityWeek noted earlier this month, ZeuS variants had been discovered that target U.S. military personnel.

In addition to the ZeuS/ZBot threat, another notable attack in August was the Windows Help Center vulnerability, which made it to the top position in Fortinet’s Top 10 attack list. The attack (CVE-2010-1885) experienced an exceptionally large spike in activity earlier in August. Exploitation of this vulnerability can be rather potent because it is NOT Web browser-specific.

Additionally, Fortinet research showed the ransomware variant TotalSecurity making its biggest comeback since March. Ransomware is malware, usually disguised as fake anti-virus software, that locks applications and data on a user’s PC and then demands a ransom for restored access. The TotalSecurity loader (W32/FakeAlert.LU) was the no. 1 malware detected this month by Fortinet’s FortiGuard Labs.

“One indicator we observed this month was that the Ransomware application had gone server-side polymorphic, which means that the loader will connect to a single server and request a single file, but the code changes on an hourly basis in order to avoid detection,” said Derek Manky, project manager, cyber security and threat research, Fortinet. “This is a technique typically seen with botnets, such as Waledac, and has been picked up by the developers of TotalSecurity. This is another example of how relying purely on antivirus is not a silver-bullet approach to protecting systems from infection.”
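The server-side polymorphism Manky describes has a defender-visible signature: one URL keeps serving a file whose hash differs from fetch to fetch, which is exactly what a signature-based scanner cannot keep up with. The script below is an added example, not code from the article or from Fortinet, showing how proxy or sandbox download records (timestamp, client, URL, SHA-256 of the response body) can be scanned for that pattern. The log lines, hostnames and digests are constructed for illustration; the thresholds are assumptions to tune against your own traffic.

```python
"""Flag URLs whose served payload hash keeps changing between fetches.

Added example (not from the SecurityWeek article or Fortinet's report).
A loader that "connects to a single server and requests a single file"
whose code changes hourly shows up in download logs as one URL with many
distinct content hashes over a short span.  A legitimately versioned
installer, by contrast, yields the same hash for many fetches in a row.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records: timestamp, client IP, URL, sha256 of body.
# The hostnames use the reserved .invalid TLD and the digests are fake.
SAMPLE_LOG = """\
2010-08-03T09:05:00Z 10.0.0.12 http://loader.example.invalid/update.exe aaa111
2010-08-03T10:07:00Z 10.0.0.15 http://loader.example.invalid/update.exe bbb222
2010-08-03T11:02:00Z 10.0.0.12 http://loader.example.invalid/update.exe ccc333
2010-08-03T12:11:00Z 10.0.0.20 http://loader.example.invalid/update.exe ddd444
2010-08-03T09:30:00Z 10.0.0.12 http://vendor.example.invalid/setup.msi eee555
2010-08-03T10:30:00Z 10.0.0.15 http://vendor.example.invalid/setup.msi eee555
2010-08-03T11:30:00Z 10.0.0.20 http://vendor.example.invalid/setup.msi eee555
2010-08-03T12:30:00Z 10.0.0.12 http://vendor.example.invalid/setup.msi eee555
"""


def parse_log(text):
    """Parse whitespace-separated download records into tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, url, digest = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((when, client, url, digest))
    return records


def find_polymorphic_urls(records, min_fetches=3, min_distinct=3):
    """Return {url: stats} for URLs served with many distinct hashes.

    min_fetches / min_distinct are assumed thresholds: a URL must have been
    fetched at least min_fetches times and returned at least min_distinct
    different digests before it is reported.
    """
    by_url = defaultdict(list)
    for when, _client, url, digest in records:
        by_url[url].append((when, digest))

    findings = {}
    for url, fetches in by_url.items():
        if len(fetches) < min_fetches:
            continue
        fetches.sort()
        digests = {d for _, d in fetches}
        if len(digests) < min_distinct:
            continue
        span_hours = (fetches[-1][0] - fetches[0][0]).total_seconds() / 3600
        findings[url] = {
            "fetches": len(fetches),
            "distinct_hashes": len(digests),
            "span_hours": round(span_hours, 2),
        }
    return findings


if __name__ == "__main__":
    for url, stats in find_polymorphic_urls(parse_log(SAMPLE_LOG)).items():
        print(f"{url}: {stats['distinct_hashes']} hashes over "
              f"{stats['fetches']} fetches in {stats['span_hours']} h")
```

In the constructed sample the loader URL is reported (four fetches, four different digests in just over three hours) while the vendor installer, fetched just as often but always identical, is not. The check is a heuristic, not a verdict: legitimate content that is rebuilt per request (signed-on-the-fly packages, dynamically generated archives) will also trip it, so the output is a triage list that pairs naturally with the sandbox or reputation checks the quoted passage argues must complement antivirus.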

FortiGuard Labs compiled threat statistics and trends for August based on data collected from FortiGate network security appliances and intelligence systems in production worldwide.
