Fraudload.OR virus tops Fortinet's latest Threat Landscape report

Fraudload.OR, which typically poses as fake antivirus software but can also download other trojans and malware onto an infected system, accounted for more than one-third of new malware infections during the month.

“The virus typically spreads through botnets. The reason it is so popular is that it is fake antivirus software….It is a proven business model that continues to work. They make a lot of money off of it”, Derek Manky, senior security strategist at Fortinet, told Infosecurity.

Law enforcement has been cracking down on fake antivirus software, though. The US district attorney recently froze $15 million in bank accounts belonging to a fake antivirus operator, according to Fortinet.

Also topping the Fortinet attack charts last month was MS.IE.CSS.Self.Reference.Remote.Code.Execution. This vulnerability affects Internet Explorer 8 and earlier versions and is triggered by viewing a webpage that hosts a malicious CSS style sheet.

“If you don’t have the latest version of Internet Explorer, all it takes is to go to a website that attacks this particular vulnerability. This is drive-by download. As soon as you go to a malicious website, it would attack this vulnerability and start sending attack code to the system. This is the way hackers work to penetrate and get inside systems”, Manky said.

The June report detected a rise in spam after a three-month decline in spam volumes following the takedown of some major botnets. Spam rates were down as much as 15% for the three months before they began to rise again on June 17, according to the report.

“Overall year-over-year the spam rates are down”, Manky related. “About mid-June we saw the spam rates jump again….The good news is that rates are lower than they were a year ago. The bad news is we are seeing an increase because new threats are making headway and gaining some traction”, he added.

The latest botnet is called TDL version 4. “This is pretty nasty. It’s a rootkit infector. It digs itself into your operating system. So it has kernel-level privileges. Basically it has full-blown control over your whole system. A lot of infections don’t have that….This can access anything it wants to. It can hide activities. It can kill processes and send out stolen information”, Manky explained. The TDL4 botnet is able to infect the latest versions of operating systems, such as Windows 7, as well as 64-bit versions of Windows, he added.

At the same time, there have been aggressive efforts by US authorities to take down major botnets, such as Coreflood and Rustock. “Because of that proactive response – this is really a cyberwar with the criminals – we have seen some success with the rates dropping a bit”, Manky said.