MessageLabs Intelligence: August 2007 Storm botnet serves-up a diet of fast-flux spam

Transcription

1 Be certain MessageLabs Intelligence: August 2007 Storm botnet serves-up a diet of fast-flux spam Introduction Welcome to the August 2007 edition of the MessageLabs Intelligence monthly report. This report provides the latest threat trends and statistics to keep you informed regarding the ongoing fight against viruses, spam and other unwelcome content. Top line results of this report include: Spam 74.0% in August (an increase of 3% since July) Viruses One in s in August contained malware (a decrease of 0.14% since July) Phishing One in s comprised a phishing attack (a fall of 0.32% since July) Invitation to join the Storm botnet In recent weeks MessageLabs has observed a large increase in s that ostensibly contain links to virtual postcards, and other rouses such as invitations to download beta software, or view videos on the popular YouTube site; however, these are actually being sent from the large Storm botnet, now estimated to comprise around 1.8 million computers worldwide. This culminated in an attack on the 15th August which comprised of approximately 600,000 s in 24 hours. Although the body text and subject lines keep changing, the s always consist of simple text or HTML including a single link to an IP address. That IP address refers to another infected machine within the botnet, which subsequently redirects to a backend server in an attempt to infect the victim with a copy of the Storm trojan code. Each attack seems to utilize a number of different templates for each theme, with the target addresses generating relatively few delivery failures. This indicates that most of the addresses are genuine and have almost certainly been harvested from other infected computers within the botnet. In the case of the Storm s, the backend server automatically re-encodes the malware it is serving-up every half hour to make signaturing difficult for traditional anti-virus vendors, using a technique known as server-side polymorphism. There is no malicious code contained within the itself and the links are constantly changing. Given that any one of the machines in the botnet can perform the redirection, there are around 1.8 million possible permutations. One interesting self-protection mechanism of the botnet is that it monitors the IP addresses of computers that download the trojan code, and if it sees the same addresses downloading multiple copies too many times then it launches a distributed denial of service (DDoS) attack at the addresses. Although it has sometimes been dubbed Storm Worm, it is not technically a worm. It is not a virus in the traditional sense either, and it doesn t use any exploit in order to achieve its goal. Fundamentally, it is a trojan with the purpose of creating a massive botnet through which the Storm writers can send spam in large volumes. Storm has also been called Zhelatin, Peacomm and Nuwar, as well as some other names. MessageLabs 2007

2 Here is an example of a recent mail sent from the Storm botnet: The location of the command & control servers used to manipulate the botnet are safeguarded behind a rapidly changing dynamic DNS technique known as fast-flux, a similar method to the bullet-proof hosting schemes that spammers have often used in the past, making it difficult to locate and take-down their hosting sites and their mail servers. A typical command & control mechanism relies on the availability of key IRC servers that are used to communicate with the bots. If these servers are disrupted then control of the botnet is lost. In effect, the controllers of some of the larger botnets like Storm and Warezov are now using fast-flux techniques. The DNS record of each of the command & control servers is redirected to a number of different IP addresses, sometimes hundreds or thousands of different addresses are used. Each DNS record is created with short Time-To-Live (TTL) entries, and it may be seen from the example below that the TTL is set to a very low number, representing the number of seconds each record should be cached by anyone requesting the address. This prevents the record from being cached for too long and ensures that queries to resolve the IP address of the domain will return a different address as often as possible. Fast-flux also relies on the DNS records for these hosts changing as often as possible, building redundancy into the botnet infrastructure. Hence the address (A) records returned for each request often point to compromized hosts within the botnet itself and are changed every few minutes. In some scenarios the Name Server (NS) records for the DNS servers hosting the domain are also changed frequently, making it almost impossible to distrupt the botnet using traditional practices. 2

3 The example below shows a typical fast-flux domain: $ wildcard.malaga-53.com a ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: ;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;wildcard.malaga-53.com. IN A ;; ANSWER SECTION: wildcard.malaga-53.com. 180 IN A wildcard.malaga-53.com. 180 IN A wildcard.malaga-53.com. 180 IN A wildcard.malaga-53.com. 180 IN A wildcard.malaga-53.com. 180 IN A Low TTL All Dynamic Hosts Often the A records don t actually point directly to the destination site, rather they may lead to a bot that subsequently redirects the victim elsewhere, acting as a proxy for the traffic to the actual destination. Here is another example of an sent via the Storm botnet:

4 Global Trends & Content Analysis MessageLabs Anti-Spam and Anti-Virus Services focus on identifying and averting unwanted communications originating from new and unknown bad sources that are addressed to valid recipients. Skeptic Anti-Spam Protection: In August 2007, the global ratio of spam in traffic from new and unknown bad sources, for which the recipient addresses were deemed valid, was 74.0% (1 in s), an increase of 3.0% on the previous month. Over the first half of 2007 there has been a strong trend showing an increase in the volume of spam, especially in recent months. Assuming this trend will continue, MessageLabs is expecting an increase of between 45% and 55% in spam volumes during September 2007, resulting in a rise of 2-3% in the overall spam-to-mail ratio. Historically, September is a prime month for spam spikes with MessageLabs noting a large increase in the volume of spam traffic during September 2006, especially targeting the Education sector. In recent weeks, the number of spam events has remained fairly static, with a few notable exceptions which consisted largely of 1 or 2 large spam runs on a scale able to affect the monthly average traffic more noticeably, mostly comprising of Casino spam and Wristwatch spam. Spam rate 74.0% Current Trend Outlook % 90% 80% 70% 60% Peak: July % Six Month Avg. 73.6% Last Month 71.0% % The spam rate of 74.0% is actually lower than the true spam figure since MessageLabs Traffic Management enables control of the amount of bandwidth given to absolutely known bad-sources of spam and then throttles those connections, slowing them down to a crawl. To the spammer, it appears they are talking to a very slow modem. In turn, this makes it incredibly painful for spammers attempting to send spam to MessageLabs clients as Traffic Management effectively pushes the spam back to the spammers networks and slows down the ability to send lots of spam. Consequently, many such connections eventually time-out or move on to softer targets. If we look at the amount of spam hitting MessageLabs honey-pots, which are unprotected by comparison, this figure would be much closer to 83.7%, an increase of 0.4% since July. This is largely due to the Traffic Management controls which are able to identify and stop a greater proportion of known spam from known bad sources. For further information, please refer to the section on Traffic Management later in this report. Skeptic Anti-Virus and Trojan Protection: The global ratio of -borne viruses in traffic from new and previously unknown bad sources destined for valid recipients, was 1 in s (1.24%) in August, a decrease of 0.14% since last month. Virus rate 1 in 80.4 Current Trend Outlook 23 1 in in 0 1 in 20 1 in 40 1 in 60 1 in 80 1 in 100 Peak: Apr 04 1 in 10.4 Six Month Avg. 1 in Last Month 1 in in in 140 4

5 In August the number of s that contained links to malicious code increased by 19%, from 0.5% in July to 19.5%. This means that the proportion of virus activity relating to s that do not contain a malicious attachment, but do contain a link to a site hosting malicious code has increased. This is largely due to the increase in activity around the StormWorm botnet, where the s are crafted to appear as links to virtual postcard sites, but that really contain links to the StormWorm trojan. Phishing: August showed a fall of 0.32% in the proportion of phishing attacks compared with the previous month. One in (0.58%) s comprised some form of phishing attack. Phishing 1 in Current Trend Outlook 23 1 in in 0 1 in in in in in 500 Peak: Jan 07 1 in 93.3 Six Month Avg. 1 in 220 Last Month 1 in in 600 When judged as a proportion of all -borne threats such as viruses and trojans, the quantity of phishing s has fallen by 18.5% since the previous month, now accounting for 46.3% of malicious traffic intercepted in August. Skeptic Web Security Services Version 2.0: MessageLabs Web Security Services version 2.0, built on MessageLabs proprietary technology using Skeptic, enables MessageLabs to take the very latest threat and reputation information from other protocols, such as , and apply that knowledge to web traffic. Web Security Services (Version 2.0) Activity: Policy-Based Filtering Web Viruses and Trojans Potentially Unwanted Programs Advertisements & Popups 45.08% Unclassified 14.88% Streaming Media 10.62% Personals & Dating 5.87% Adult/Sexually Explicit 3.47% Web-based 3.44% Downloads 2.75% Gambling 2.32% Photo Searches 2.15% Chat 1.98% New Malware.n 26.45% Suspicious IFrame.b 12.05% NetSniff 6.12% PWS-LegMir 4.88% VBS/Psyme 4.79% New Malware.aq 4.55% Tool-TFTPD % JS/Downloader-AUD 2.12% Trojan-Downloader.VBS.Small.co 2.05% WinFixer 1.96% PUP-SaveNow 54.35% PUP-GAIN 43.93% PUP-Mirar 0.55% PUP-HotBar 0.41% PUP-ZangoSA 0.33% PUP-WebHancer 0.13% PUP-CoolBar 0.05% PUP-ISTBar 0.05% PUP-HotBar.dr 0.03% PUP-BDSearch 0.03% It can be seen from the chart above that Advertisements & Popups (45.08%) is the most common trigger for policybased filtering applied by MessageLabs for its business clients. This represents a decrease of 4.26% on the previous month. Further analysis shows that 10.8% of the malware intercepted was new in August. Further analysis of the policy-based traffic shows that for small-medium sized businesses (SMB), an average of 21.8 attempted connections per user per month were blocked for Streaming Media sites, compared with 13.5 for largersized organizations. Social networking sites, such as MySpace and Facebook were also attracting a lot of attention this month, classified within Personals & Dating. SMBs were blocking around 5.8 attempted visits per user per month, compared with 6.7 attempts per user per month for larger businesses. Adult-orientated content also poses a greater risk to SMBs as around 6.2 attempted connection per user per month were blocked, compared with 1.1 for larger businesses. For example, in an organization with 100 employees, 620 attempts 5

6 may be expected to be blocked in one month, compared with around 1,100 for a company with 1,000 employess. The Unclassified category identifies new and previously uncategorized sites that potentially need to be prohibited. The Unclassified category affords more confidence when defining new rules. This means that newly detected malicious sites are handled more appropriately until categorized, thereby safeguarding against domain kiting sites which appear and disappear within a 24 to 48 hour timeframe. Such sites may be used for disreputable purposes, such as hosting phishing and spam sites, disseminating information-stealing trojans and other fraudulent activities. MessageLabs found that 78.7% of web viruses and 88.4% of spyware intercepted were classified in the Unclassified category, suggesting that the majority of these interceptions were hosted on web sites that were previously unknown and uncategorized. An average of 1,772 new malicious sites were identified and blocked each day during August. An increase of 783 per day since July. Geographical Breakdown: Based on Targeted Countries Monthly Analysis: By analyzing the geographical dispersal of traffic where possible, MessageLabs compiles data that shows the impact and vulnerability rates of spam and viruses specific to geographies. The charts below reflect impact and ratios for August Spam rate by geography Top 5 Israel 70.7% Hong Kong 64.8% Germany 58.5% United States 58.0% France 51.4% Lowest India Japan 29.5% 23.1% The most significant rise in spam levels was experienced in Israel with an increase of 9.9% in August, closely followed by France with 9.5% and Spain with 9.2%. The top five countries affected in July remains unchanged in August. The majority of countries received an increase in spam, with only Japan and Sweden having a slight decrease in levels of 1.5% and 0.9% respectively. Virus rate by geography Top 5 India 1 in 27.8 Switzerland 1 in 39.2 Germany 1 in 41.5 United Arab Emirates 1 in 42.1 Austria 1 in 45.5 Lowest Sweden Netherlands 1 in in

7 Although India still remains the most affected country for virus activity, the levels of attack decreased by 1.69% in August, the most significant decrease of all countries. The greatest increase across all geographies in August occurred in Spain, where activity rose by 0.09%. Further details may be found in the appendices at the end of this report. Vertical Industry Breakdown Monthly Analysis: By analyzing the market distribution of traffic where possible, MessageLabs compiles data that shows the impact and vulnerability rates of spam and viruses specific to major industry sectors. The charts below reflect impacts and ratios for August Spam rate by vertical Virus rate by vertical Agriculture 66.9% Education 1 in 42.6 Telecoms 64.6% Chem/Pharm 1 in 46.4 Top 5 Education Manufacturing 58.1% 57.0% Top 5 Retail Wholesale 1 in in 62.1 Marketing/Media 53.1% Accom/Catering 1 in 63.7 Lowest Building/Cons Finance 31.7% 30.5% Lowest Telecoms Agriculture 1 in in The greatest increase in spam activity across all industry sectors during August was observed in the Telecoms vertical, where spam rose by 22.3% since July and repositioned this vertical as the second most spammed sector. All other verticals in the top five received an increase in spam of between 0.1% and 4.3%. The largest decrease was noted for the Business Support Services vertical, which fell by 6.2%. Education moves to the top of the table in August despite a fall in virus activity of 0.18%. The greatest rise in virus activity during August occurred in the Accommodation & Catering vertical, where levels increased by 0.22% since July. The greatest decrease noted was for the Chemical & Pharmaceutical sector, where levels fell by 0.54%. Further details may be found in the appendices at the end of this report. 7

8 Traffic Management (Protocol Level) Traffic Management continues to reduce the overall message volume through techniques operating at the protocol level. Unwanted senders are identified and connections to the mail server are slowed using features embedded in the TCP protocol. Incoming volumes of known spam are significantly slowed, while legitimate is expedited. In August, MessageLabs processed an average of 2.32 billion SMTP connections per day, at a rate of 1.3 messages per connection; of which 86.4% were throttled back as a result of traffic management protocol controls for traffic that was unequivocally malicious or unwanted. The remainder of these connections is subsequently processed by MessageLabs Connection Management controls and Skeptic. Connection Management Connection Management is particularly effective in stopping directory harvest, brute force and denial of service attacks, where unwanted senders send high volumes of messages to force spam into an organization or disrupt business communications. Connection Management works at the SMTP level using techniques that verify legitimate connections to the mail server. It is comprised of the following: SMTP Validation: Identifies unwanted originating from known spam-and virus-sending sources, where the source can unequivocally be identified as an open proxy or a botnet, and rejects the connection accordingly. In August, an average of 49.2% of inbound messages was intercepted from botnets and other known malicious sources and rejected as a consequence. Registered User Address Validation: Reduces the overall volume of s for registered domains by discarding connections for which the recipients are identified as invalid or non-existent. In August, an average of 5.2% of recipient addresses was identified as invalid. These were attempted directory attacks on domains that were prevented as a result. Summary The table below details the current impact of traffic and connection management techniques on unwanted volume being measured by MessageLabs Intelligence. Without these additional multiple layers of defense, spam traffic destined for MessageLabs clients in August would otherwise account for around 83.7% of global traffic, an increase of 0.3% on the previous month. Traffic Management SMTP Validation User Validation Region (protocol control) (behaviour analysis ) (directory attacks) USA 87.9% 49.2% 4.7% UK 85.3% 41.4% 4.9% Europe 82.7% 40.6% 7.2% Asia Pacific 69.9% 42.3% 0.7% Worldwide 86.4% 49.2% 5.2% Effects of Traffic Management Techniques MessageLabs is a leading provider of integrated messaging and web security services, with over 15,000 clients ranging from small business to the Fortune 500 located in more than 80 countries. MessageLabs provides a range of managed security services to protect, control, encrypt and archive communications across , Web and Instant Messaging. These services are delivered by MessageLabs globally distributed infrastructure and supported 24/7 by security experts. This provides a convenient and cost-effective solution for managing and reducing risk and providing certainty in the exchange of business information. For more information, please visit For further information on MessageLabs Intelligence, please visit and register to receive regular alerts and reports. NB: All figures mentioned in this report were correct at the time of going to press. 8

9 Appendices Appendix I: Spam Rate by Geography (August 2007) August July Change Australia 36.9% 33.1% 3.8% Austria 45.0% 42.1% 2.9% Belgium 51.4% 42.9% 8.5% Canada 50.3% 41.4% 8.9% China 50.4% 49.8% 0.6% France 58.0% 48.5% 9.5% Germany 58.5% 54.9% 3.6% Hong Kong 64.8% 59.7% 5.1% India 32.9% 27.7% 5.2% Ireland 50.0% 45.0% 5.0% Israel 70.7% 60.8% 9.9% Italy 36.7% 30.8% 5.9% Japan 23.1% 24.6% -1.5% Netherlands 33.6% 32.4% 1.2% Singapore 44.0% 37.7% 6.3% Spain 41.3% 32.1% 9.2% Sweden 29.5% 30.4% -0.9% Switzerland 43.1% 37.9% 5.2% United Arab Emirates 38.2% 35.2% 3.0% United Kingdom 41.4% 39.8% 1.6% United States 50.5% 50.5% 0.0% 9

10 Appendix II: Virus Rate by Geography (August 2007) August July Change Australia 0.54% 0.74% -0.20% Austria 2.20% 2.21% -0.01% Belgium 0.51% 0.48% 0.03% Canada 1.41% 1.39% 0.02% China 1.65% 2.26% -0.61% France 1.79% 1.89% -0.10% Germany 2.41% 2.90% -0.49% Hong Kong 2.15% 2.70% -0.55% India 3.60% 5.29% -1.69% Ireland 1.28% 1.71% -0.43% Israel 1.30% 1.30% 0.00% Italy 1.83% 1.87% -0.04% Japan 0.90% 0.83% 0.07% Netherlands 0.13% 0.51% -0.38% Singapore 2.00% 2.17% -0.17% Spain 1.26% 1.17% 0.09% Sweden 0.26% 0.25% 0.01% Switzerland 2.55% 3.11% -0.56% United Arab Emirates 2.38% 3.12% -0.74% United Kingdom 1.14% 1.26% -0.12% United States 1.18% 1.51% -0.33% 10

11 Appendix III: Spam Rate by Vertical (August 2007) August July Change Accom/Catering 41.4% 38.1% 3.3% Agriculture 66.9% 66.8% 0.1% Building/Cons 31.7% 31.6% 0.1% Business Support Services 36.7% 42.9% -6.2% Chem/Pharm 47.8% 42.5% 5.3% Education 58.1% 53.8% 4.3% Estate Agents 34.1% 31.8% 2.3% Finance 30.5% 29.3% 1.2% General Services 41.7% 34.3% 7.4% Gov/Public Sector 39.1% 39.9% -0.8% Health Care 45.7% 49.1% -3.4% IT Services 49.8% 48.7% 1.1% Manufacturing 57.0% 57.1% -0.1% Marketing/Media 53.1% 50.9% 2.2% Mineral/Fuel 38.0% 38.9% -0.9% Non-Profit 46.1% 44.2% 1.9% Prof Services 43.7% 41.0% 2.7% Recreation 39.2% 37.9% 1.3% Retail 42.8% 42.2% 0.6% Telecoms 64.6% 42.3% 22.3% Transport /Util 40.8% 39.0% 1.8% Wholesale 51.4% 46.3% 5.1% 11

12 Appendix IV: Virus Rate by Vertical (August 2007) August July Change Accom/Catering 1.57% 1.35% 0.22% Agriculture 0.27% 0.33% -0.06% Building/Cons 0.82% 0.82% 0.00% Business Support Services 0.58% 0.50% 0.08% Chem/Pharm 2.16% 2.70% -0.54% Education 2.35% 2.53% -0.18% Estate Agents 1.09% 0.99% 0.10% Finance 0.88% 0.88% 0.00% General Services 0.77% 0.96% -0.19% Gov/Public Sector 0.97% 0.83% 0.14% Health Care 1.06% 1.25% -0.19% IT Services 1.33% 1.58% -0.25% Manufacturing 1.29% 1.47% -0.18% Marketing/Media 1.19% 1.43% -0.24% Mineral/Fuel 1.16% 1.33% -0.17% Non-Profit 1.05% 1.04% 0.01% Prof Services 1.53% 1.70% -0.17% Recreation 0.90% 1.04% -0.14% Retail 1.72% 1.95% -0.23% Telecoms 0.41% 0.29% 0.12% Transport /Util 1.01% 1.20% -0.19% Wholesale 1.61% 1.62% -0.01% 12