In today’s threat landscape, distributing malware and developing malware are two different worlds. Both require a different set of skills in order to work and in order to achieve their separate goals.
For example, in my blog post Get gamed and rue the day..., I described a bot-controlled worm in which the code fragment suggested that it belonged to an offensive development called “Andromeda”. This story about the Gamarue worm is a good example of the differences between the distribution and the development of malware.
As a worm, Gamarue has the ability to spread through local network drives (The strange case of Gamarue propagation has the latest information about how it spreads). However, despite this ability, this threat was actually first discovered as a payload that had been delivered through an attack via a social networking site. During an attack, a user’s browser is redirected to a malicious server that performs multiple browser-based exploit attacks.
We generally think it is malware development that requires the greater level of technical skill and sophistication - but it is worth noting that malware distribution plays an equally important role in determining the success of an attack. For cybercriminals, like the perpetrators of the Gamarue worm, it is distribution that determines and even maximizes a malware’s profitability (for example, pay-per-install monetization).
The latest Microsoft Security Intelligence Report (SIRv14), reveals that the Blacole exploit kit was the most commonly detected exploit family in the second half of 2012. The term "exploit kit" refers to a malicious toolkit, packaged in such a way as to simplify or make it easy for anyone to carry out an attack. The high prevalence of Blacole correlates to all the vulnerabilities it uses to gain entry to an operating system.
Take note - Blacole is just one of a number of exploit kits being used. Other kits include Exploit:JS/Coolex.A, the “Cool” exploit kit, and Exploit:JS/DonxRef.A, the “Gong Da” exploit kit, just to name two.
And the story doesn’t end there. Malware such as the Gamarue family wouldn’t be able to spread to millions of machines without directing victims to Exploit servers (used for drive-by download attacks) – and the fastest way to get this victim traffic is through leveraging the web to create a distribution vector.
The main idea behind malware distribution is to steal legitimate or trusted traffic. One way to do this is for an attacker to find a vulnerability or weakness within a web server and plant a small, seemingly benign code. This code allows an attacker to control and hijack some of that server’s legitimate traffic. The detection we use to for such an attack, Trojan:JS/IframeRef, has become the most common detection. This trojan actually refers to a mass iframe injection attack, and signatures are added as-encountered on a daily basis.
Additionally, some Trojan:JS/IframeRef detections may also refer to an actual malicious domain that can be delivered through email and social networking sites.
The “Home and enterprise threats” section of the SIRv14 provides an interesting insight into the different ways attackers target both enterprise and home users. What’s interesting here is that Trojan:JS/IframeRef is in the number one spot in the list of top-10 families detected on domain-joined computers (these are computers in the enterprise environment that belong to an Active Directory Domain Service domain).
A specific variant detection, to which most of these findings are attributed, was first introduced in April last year. It was found to be associated with malicious traffic redirections and forwarding to deliberately-generated typo-squatted domains. This kind of behavior is often associated with criminal activities that frequently register hundreds, if not thousands of short-lived or disposable domains that are commonly observed in scam sites, spam and phishing emails. Overall, this detection intends to warn of untrusted traffic, which can also be leveraged for drive-by-download attacks (for example, 0-day threats).
In January this year, two specific Trojan:JS/IframeRef detections were moved into a new family name, and are now referred to as Trojan:JS/Seedabutor.A and Trojan:JS/Seedabutor.B. By renaming these specific IframeRef variants to Seedabutor, we will be able to track specific strains with more granular detail. This contributes to our research to better serve you with protection against infection vector from the web.
It’s best to consider having multiple protections enabled. Web browser protection, such as the Internet Explorer SmartScreen Filter provides additional help.
SmartScreen Filter helps combat these threats with a set of sophisticated tools:
Anti-phishing protection—to screen threats from imposter websites seeking to acquire personal information such as user names, passwords, and billing data
Application Reputation—to remove all unnecessary warnings for well-known files, and show severe warnings for high-risk downloads
Anti-malware protection—to help prevent potentially harmful software from infiltrating your computer.
There is more information about browser security on our Enterprise Security Best Practices page.
Our increasing reliance on the Internet and our interconnectivity can be targeted by attackers looking to syphon traffic to distribute malware. These threats constantly challenge our understanding, and the latest Microsoft Security Intelligence Report offers valuable insight.
Methusela Cebrian Ferrer