Malware monetization settles into four main vectors

Fortinet's FortiGuard threat landscape research for the period of October 1 to December 31, 2012 identified Simda.B, FakeAlert.D, Ransom.BE78 and Zbot.ANQ as the Big Four in terms of monetization approaches.

Simda.B is a sophisticated malware that poses as a Flash update in order to trick users into granting their full installation rights. Once installed, the malware steals the user's passwords, allowing cybercriminals to infiltrate a victim's email and social networking accounts to spread spam or malware, access website administrative accounts for hosting malicious sites and siphon money from online payment system accounts.

FakeAlert.D is no less crafty. The fake anti-virus malware notifies users via a convincing-looking pop-up window that their computer has been infected with viruses, and that, for a fee, the fake anti-virus software will remove the viruses from the victim's computer.

The Ransom.BE78 ransomware bug prevents users from accessing their personal data. Typically the infection either prevents a user's machine from booting or encrypts data on the victim's machine and then demands payment for the key to decrypt it, Fortinet explained.

The Zbot.ANQ Trojan is the client-side component of a version of the infamous Zeus crime kit. It intercepts a user's online bank login attempts and then uses social engineering to trick them into installing a mobile component of the malware on their smartphones. Once the mobile element is in place, cybercriminals can then intercept bank confirmation SMS messages and subsequently transfer funds to a money mule's account.

"While methods of monetizing malware have evolved over the years, cybercriminals today seem to be more open and confrontational in their demands for money — for faster returns," said Guillaume Lovet, senior manager of FortiGuard Labs' Threat Response Team, in a statement. "Now it's not just about silently swiping passwords, it's also about bullying infected users into paying."

Adding insult to mobile injury, FortiGuard also detected a surge in the distribution of the Android Plankton ad kit. Plankton serves unwanted advertisements in the user's status bar, tracks the user's International Mobile Equipment Identity (IMEI) number and drops icons on the device's desktop. However, in a twist, the firm found that there appears to be a rise of ad kits that are directly inspired by Plankton and have approached the same elevated activity level Plankton was operating at three months ago, while Plankton itself is dropping off.

"The ad kits we've monitored suggest that Plankton's authors are trying to dodge detection," said Lovet. "Either that, or competing ad kit developers are trying to take a piece of the lucrative adware cake. Either way, the level of activity we're seeing with ad kits today suggests that Android users are highly targeted and thus should be especially vigilant when downloading apps to their smartphones."

Meanwhile, in the third quarter of 2012, FortiGuard Labs detected high activity levels of ZmEu, a tool that was developed by Romanian hackers to scan web servers running vulnerable versions of the MySQL administration software phpMyAdmin in order to take control of those servers. Since September, the activity level has risen ninefold before finally leveling off in December, FortiGuard said.
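One way an administrator can check their own Apache access logs for the kind of phpMyAdmin probing described above. This is an added example, not code from the FortiGuard report or from Fortinet: it parses combined-format log lines, flags requests for phpMyAdmin's setup script under any directory alias, groups the hits by source address, and separately counts any probe that did not receive a 404, since a success response on setup.php means the script is genuinely reachable and the finding is more urgent than a mere scan. The "ZmEu" User-Agent and the "w00tw00t" request path used as extra indicators are signatures commonly reported for this scanner; they are assumptions here, not details taken from the article, and the log lines themselves are constructed.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format log lines (not real traffic).
# The "ZmEu" User-Agent and the "w00tw00t" path are assumed signatures
# based on commonly reported scanner behaviour, not taken from the article.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Dec/2012:03:14:07 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 512 "-" "ZmEu"
203.0.113.7 - - [12/Dec/2012:03:14:07 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 512 "-" "ZmEu"
203.0.113.7 - - [12/Dec/2012:03:14:08 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 512 "-" "ZmEu"
203.0.113.7 - - [12/Dec/2012:03:14:08 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 512 "-" "ZmEu"
198.51.100.20 - - [12/Dec/2012:03:15:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Dec/2012:03:15:02 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The setup script is what the scanner looks for, whatever alias phpMyAdmin lives under.
SETUP_PROBE_RE = re.compile(r"/scripts/setup\.php$", re.IGNORECASE)


def parse_line(line):
    """Return a dict of the log fields, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_pma_probe(entry):
    """True if the request targets phpMyAdmin's setup script or carries an assumed scanner signature."""
    path = entry["path"].lower()
    return (
        SETUP_PROBE_RE.search(path) is not None
        or "w00tw00t" in path
        or "zmeu" in entry["ua"].lower()
    )


def summarize_probes(log_text, threshold=3):
    """Group probe hits by source IP and keep sources at or above the threshold.

    'non_404' counts probes that got anything other than 404: a 200 on
    setup.php means the script is exposed, not merely being looked for.
    """
    per_ip = defaultdict(lambda: {"count": 0, "paths": set(), "non_404": 0})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not is_pma_probe(entry):
            continue
        rec = per_ip[entry["ip"]]
        rec["count"] += 1
        rec["paths"].add(entry["path"])
        if entry["status"] != "404":
            rec["non_404"] += 1
    return {ip: rec for ip, rec in per_ip.items() if rec["count"] >= threshold}


if __name__ == "__main__":
    for ip, rec in summarize_probes(SAMPLE_LOG).items():
        severity = "EXPOSED" if rec["non_404"] else "scanned"
        print(f"{ip}: {rec['count']} probes, {len(rec['paths'])} distinct paths, {severity}")
```

The threshold keeps a single stray request from raising an alert; a handful of setup.php requests under different aliases from one address within a couple of seconds is the pattern worth acting on. A normal login to /phpmyadmin/index.php from a browser User-Agent is deliberately not flagged.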

"This activity spike suggests a heightened interest by hacktivist groups to facilitate various protests and activist movements around the world," said Lovet. "We expect such scanning activity to remain high as hacktivists pursue an ever-increasing number of causes and publicize their successes."