Detection Rates for Malware in the Wild

Yet another Early Warning Security Event System has been made available to the public, earlier this month. The Malware Threat Center is currently generating automated tracking reports in the following sections :

- Most Aggressive Malware Attack Source and Filters
- Most Effective Malware-Related Snort Signatures
- Most Prolific BotNet Command and Control Servers and Filters
- Most Observed Malware-Related DNS Names
- Most Effective Antivirus Tools Against New Malware Binaries
- Most Aggressively Spreading Malware Binaries

I was particularly interested in the rankings in the "Most Effective Antivirus Tools Against New Malware Binaries" section, especially its emphasis on malware that's currently in the wild. Furthermore, to prove my point, you can see the top 10 list of Anti virus vendors as it were on the 20th, and the top 10 list of anti virus vendors as it were yesterday? Can you find the differences? Grisoft, Avira, Secure Computing and Quick Heal remain on the same
positions, whereas the rest of the vendors are in a different rank, although on the 20th they were exposed to 1030 binaries only, and on the 29th to 1759.

So what? In respect to signatures based malware scanning, every vendor has its 15 minutes of fame, however, as I pointed out two years ago :

"Avoid the signatures hype and start rethinking the concept of malware on demand, open source malware, and the growing trend of malicious software to disable an anti virus scanner, or its ability to actually obtain the latest signatures available."

What has changed? The DIY nature of malware building, the managed undetected binaries as a service coming with the purchase of proprietary malware tools, the fact that malware is tested against all the anti virus vendors and the most popular personal firewalls before it starts participating in a campaign, and is also getting benchmarked and optimized against the objectives set for its lifecycle. Moreover, with malware authors waging tactical warfare on the vendors infrastructure by supplying more malware variants than then can timely analyze, this tactical warfare on behalf of the malicious parties is only going to get more efficient.

Fake Directory Listings Acquiring Traffic to Serve Malware

Malicious parties are known to deliver what the unsuspecting and unaware end user is searching for, by persistently innovating at the infection vector level in order to serve malware or redirect to live exploit URLs in an internal ecosystem that not even a search engine's crawlers would bother crawling. What's the trick in here? Using image files as bites to malware binaries, and acquiring traffic by generating fake directory indexes with hundreds of thousands of popular or segment specific keywords in the filenames, while attempting to trick the impulsive leecher by forcing a direct loading of anything malicious? Creative, at least according to someone who's released such a fake directory listing, and is what looks like planning to come up with an automated approach for doing this.

Inside a non-malicious download.php file :

$file = "sexy.gif"; header("Content-type: application/force-download"); header("Content-Transfer-Encoding: Binary"); header("Content-Disposition: attachment; filename=\"".basename($file)."\""); readfile("$file"); ?>

Spammers, phishers, malware authors, and of course, black hat search engine optimizers, are known to have been using technique for enforcing downloads, loading live exploit URls, or plain simple redirection to a place where the malicious magic happens.

A fake directory listing of images, where the images themselves load image files of the icon to make themselves look like images - trying saying this again, and consider this attack tactic as SEO 1.0, where the 2.0 stage has long embraced GUIs and all-in-one anti-doorway detection techniques for blackhat SEO-ers to take advantage of.

Response Rate for an IM Malware Attack

Remember the MSN Spamming Bot in action? Consider this screenshot not just as a real-example of IM spamming in action, but also, pay attention to the response rate with the number of messages sent, and response in the form of new malware infected hosts joining an IRC channel. Keeping it Simple Stupid to directly spam the binary locations is still surprisingly working, taking Stormy Wormy's last several campaigns, but with the recent spamming of live exploit URls and malware using Google ads as redirector, for instance :

- google.com/pagead/iclk?sa=l&ai=dhobOez&num=57486&adurl=http://mpharm.hr/video_233.php
- google.com/pagead/iclk?sa=l&ai=YQdWjxe&num=81899&adurl=http://www.1-pltnicka.sk/lib_vid.php
- google.com/pagead/iclk?sa=l&ai=MKRCVFW&adurl=//bestsslscripts.com/goog/online-casino-gambling.html
- google.com/pagead/iclk?sa=l&ai=Hydrocodone&num=001&adurl=http://hydrocodone.7-site.info

the response rate for the campaign can change in a minute. Go through a related post on "Statistics from a Malware Embedded Attack" taking another perspective into consideration.