Report Shows Rise in Collaborative, Targeted Cyber Attacks

Malware Family Integration Across Botnets at Higher-Than-Normal Volumes. Bredolab Botnet Still Alive
There has been a significant increase in the number of collaborative attacks that make use of well-timed and carefully crafted targeted techniques, according to Symantec’s February 2011 MessageLabs Intelligence Report, which was released today. As February began, the attacks increased in number and multiple malware families were used aggressively to conduct simultaneous attacks via shared propagation techniques, signaling the likelihood of a common origin for these infected emails.

Interestingly, Symantec notes that the malicious code used in the different waves of attack also shared some common techniques. It seems these ongoing attacks alternate between what historically have been different malware families. For example, one day would be dedicated to propagating mainly Zeus (aka Zbot) variants, while another day was dedicated to distributing SpyEye variants. Not long ago, when SpyEye was installed, it sometimes contained a “Kill Zeus” capability. Interestingly, the two sides seem to have changed course: towards the end of October 2010, the developers of the SpyEye and Zeus bot code showed signs of a merger, as reported by Brian Krebs. By February 10, these attacks had multiplied further and were being propagated simultaneously, with each malware family using its own polymorphic packer to further evade traditional antivirus detection.

In February, 1 in 290.1 emails (0.345%) was malicious, making February among the most prolific time periods both in terms of simultaneous attacks and malware family integration across Zeus (aka Zbot), Bredolab and SpyEye. The report also notes that in February there were at least 40 variants of malware associated with the Bredolab Trojan, accounting for at least 10.3 percent of email-borne malware coming through MessageLabs. These latest findings reveal that, contrary to recent beliefs, Bredolab is not dead, and techniques previously associated with Bredolab malware have now become more common among other major malware families.

“It seems these ongoing attacks alternate between what historically have been different malware families,” said MessageLabs Intelligence Senior Analyst, Paul Wood. “For example, one day would be dedicated to propagating mainly Zeus (aka Zbot) variants, while another day was dedicated to distributing SpyEye variants. By February 10, these attacks had multiplied further and were being propagated simultaneously with each malware family using its own polymorphic packer to further evade traditional antivirus detection.”

Although the vast majority of attacks were related to Zeus and SpyEye, many of the attacks share commonalities with the well-known Bredolab Trojan, indicating that some of the features associated with Bredolab were being used by Zeus and SpyEye. All of these attacks made use of a ZIP archive attachment that contained an executable comprising the malware code. In February, 1.5% of malware blocked comprised ZIP archive attachments, and further analysis revealed that 79.2% of this was connected with the latest wave of Bredolab, Zeus and SpyEye attacks.
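The delivery pattern described above, a ZIP attachment wrapping a Windows executable, is straightforward to check for at a mail gateway. The following is an added example written for this page, not code from SecurityWeek, Symantec or MessageLabs: it parses an email, opens each ZIP attachment and flags members that are executables either by file extension or by the DOS/PE “MZ” header (which catches a renamed executable). The sample messages it builds are constructed inline with placeholder addresses; the member content is only a fake two-byte header, not a real binary.

```python
# Added example (not from the SecurityWeek article or the MessageLabs report):
# a mail-gateway style check that flags ZIP attachments carrying executables,
# the delivery pattern the report describes for the Zeus/SpyEye/Bredolab waves.
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Two signals are used: an executable-looking member name, and the 'MZ' magic
# that opens every DOS/PE executable (so a renamed .exe is still caught).
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".dll")
PE_MAGIC = b"MZ"


def executable_members(zip_bytes):
    """Return names of ZIP members that look like Windows executables.

    Encrypted members cannot be read, so they are judged on name alone;
    a corrupt archive yields an empty list (a gateway may quarantine those too).
    """
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                name = info.filename.lower()
                try:
                    with zf.open(info) as member:
                        head = member.read(2)
                except (RuntimeError, zipfile.BadZipFile):
                    head = b""  # e.g. password-protected member
                if name.endswith(EXECUTABLE_SUFFIXES) or head == PE_MAGIC:
                    found.append(info.filename)
    except zipfile.BadZipFile:
        return []
    return found


def scan_message(raw_message):
    """Return a list of (attachment filename, [executable members]) findings."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if not payload:
            continue
        # Treat as a ZIP if the declared type, the filename or the magic says so.
        is_zip = (
            part.get_content_type() in ("application/zip", "application/x-zip-compressed")
            or (part.get_filename() or "").lower().endswith(".zip")
            or payload[:2] == b"PK"
        )
        if not is_zip:
            continue
        members = executable_members(payload)
        if members:
            findings.append((part.get_filename(), members))
    return findings


def build_sample_message(member_name, member_bytes):
    """Constructed sample: an email with one ZIP attachment wrapping member_bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, member_bytes)
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # placeholder address
    msg["To"] = "recipient@example.invalid"     # placeholder address
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached document.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    # A fake 'MZ' header is enough to exercise the check; no real executable is used.
    suspicious = build_sample_message("invoice.pdf.exe", b"MZ" + b"\x00" * 62)
    renamed = build_sample_message("report.doc", b"MZ\x90\x00")
    benign = build_sample_message("notes.txt", b"Thanks for your order.\n")
    print(scan_message(suspicious))  # [('invoice.zip', ['invoice.pdf.exe'])]
    print(scan_message(renamed))     # [('invoice.zip', ['report.doc'])]
    print(scan_message(benign))      # []
```

The extension list is deliberately short; a production gateway would also look at nested archives and at the executable's own structure, but the two signals here are enough to show why “executable inside a ZIP” is a cheap, high-value filter for the campaign the report describes.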

“During the first two weeks of February, MessageLabs Intelligence identified at least four different polymorphic engines in use by these server-side packers being used to change the code structure of the Zeus, Bredolab and SpyEye malware and to increase the number of variants of each,” Wood said. “Considering the technical difficulty of maintaining this number of polymorphic engines and that each evolves quickly to generate such a large number of variants across these three families, this is one of the first times that MessageLabs Intelligence has identified malware collaborating on a technical level to this degree and volume.”

Over the past year, malicious executable files have increased in frequency, as have PDF files, which remain the most popular file format for malware distribution.

PDFs now account for a larger proportion of the document file types used as attack vectors. In 2009, approximately 52.6 percent of targeted attacks used PDF exploits, compared with 65 percent in 2010, an increase of 12.4 percent. Despite a downturn this month, if the trend were to continue as it has over the past year, 76 percent of targeted malware could be used for PDF-based attacks by mid-2011.

“PDF-based targeted attacks are here to stay, and are predicted to worsen as malware authors continue to innovate in the delivery, construction and obfuscation of the techniques necessary for this type of malware,” Wood said.

Other Report Highlights:

Spam: In February 2011, the global ratio of spam in email traffic from new and previously unknown bad sources was 81.3 percent (1 in 1.23 emails), an increase of 2.7 percentage points since January.

Viruses: The global ratio of email-borne viruses in email traffic from new and previously unknown bad sources was one in 290.1 emails (0.345 percent) in February, an increase of 0.07 percentage points since January. In February, 63.5 percent of email-borne malware contained links to malicious websites, a decrease of 1.6 percentage points since January.

Endpoint Threats: Threats against endpoint devices such as laptops, PCs and servers may penetrate an organization in a number of ways, including drive-by attacks from compromised websites, Trojan horses, and worms that spread by copying themselves to removable drives. Analysis of the most frequently blocked malware for the last month revealed that the Sality.AE virus was the most prevalent. Sality.AE spreads by infecting executable files and attempts to download potentially malicious files from the Internet.

Phishing: In February, phishing activity was 1 in 216.7 emails (0.462 percent), an increase of 0.22 percentage points since January.

Web security: Analysis of web security activity shows that 38.9 percent of malicious domains blocked were new in February, a decrease of 2.2 percentage points since January. Additionally, 20.3 percent of all web-based malware blocked was new in February, a decrease of 2.2 percentage points since last month. MessageLabs Intelligence also identified an average of 4,098 new web sites per day harboring malware and other potentially unwanted programs such as spyware and adware, a decrease of 13.7 percent since January.

Geographical Trends:

• China became the most spammed country in February, with a spam rate of 86.2 percent.

• In the US and Canada, 81.4 percent of email was spam. Spam levels in the UK were 81.1 percent.

• In The Netherlands, spam accounted for 82.2 percent of email traffic, while spam levels reached 81.2 percent in Germany, 81.7 percent in Denmark and 81.0 percent in Australia.

• Spam levels in Hong Kong reached 82.8 percent and 80.4 percent in Singapore. Spam levels in Japan were 78.5 percent. In South Africa, spam accounted for 81.6 percent of email traffic.

• South Africa remained the most targeted by email-borne malware with 1 in 81.8 emails blocked as malicious in February.

• In the UK, 1 in 139.0 emails contained malware. In the US, virus levels were 1 in 713.6, and 1 in 328.8 for Canada. In Germany, virus levels reached 1 in 393.1, 1 in 451.1 in Denmark and 1 in 910.4 for The Netherlands.

• In Australia, 1 in 365.8 emails were malicious, 1 in 455.3 for Hong Kong and 1 in 1,331.0 for Japan, compared with 1 in 828.9 for Singapore and 1 in 457.0 for China.

Vertical Trends:

• In February, the most spammed industry sector continued to be the Automotive sector, with a spam rate of 84.3 percent.

• Spam levels for the Education sector were 82.6 percent, 81.7 percent for the Chemical & Pharmaceutical sector, 81.4 percent for IT Services, 80.8 percent for Retail, 80.1 percent for Public Sector and 80.2 percent for Finance.

• In February, Government/Public Sector remained the most targeted industry for malware with 1 in 41.1 emails being blocked as malicious.

• Virus levels for the Chemical & Pharmaceutical sector were 1 in 458.3, 1 in 394.4 for the IT Services sector, 1 in 514.3 for Retail, 1 in 137.2 for Education and 1 in 436.9 for Finance.

The February 2011 MessageLabs Intelligence Report provides greater detail on all of the trends and figures noted above, as well as more detailed geographical and vertical trends. The full report is available here.