Rise of Ransomware driven by Bredolab and Pushdo Botnets
Ransomware threats dominate the latest Fortinet March 2010 Threatscape report, with nine of the detections in the malware top ten list resulting in either scareware or ransomware infesting victims’ PCs.
Fortinet observed the primary drivers behind these threats to be two of the most notorious botnet ‘loaders’ — Bredolab and Pushdo. Another finding is the ‘aggressive’ entrance of a new zero-day threat in FortiGuard’s top ten attack list, MS.IE.Userdata.Behavior.Code.Execution, which accounted for 25 per cent of the detected activity last month (March), the company reports.
Key threat activities for the month of March 2010 include:
- SMS-based Ransomware High Activity: A new ransomware threat – W32/DigiPog.EP – appeared in Fortinet’s top ten malware list. DigiPog is a Russian-language SMS blocker: it locks the system and aggressively kills off popular applications such as Internet Explorer and Firefox until an appropriate code is entered into a field presented to the user. To obtain the code, the user must send an SMS message to the number provided and receives a code in return. Upon execution, DigiPog registers the user’s MAC address with its server. It is the first time that SMS-based ransomware has entered Fortinet’s top ten list, showing that the rise of ransomware is well under way.
- Botnets - the competition gets tough: While the infamous Bredolab and Pushdo botnets can be identified behind the strong ransomware activity this month, a challenger has also been particularly active: Sasfis, another botnet loader, moved up eight positions in Fortinet’s Top 100 attack list, landing in fifth position just behind Gumblar and Conficker network activity. Sasfis is just the latest example of simplified botnets, which are used heavily for malicious business services (so-called ‘crime as a service’).
- Zero-day attack forces in: A new zero-day threat aggressively entered FortiGuard’s top ten attack list: MS.IE.Userdata.Behavior.Code.Execution (CVE-2010-0806, FortiGuard Advisory 2010-14).
This exploit triggers a vulnerability in Internet Explorer that makes remote code execution possible through a drive-by download (no user interaction required). Accounting for one quarter of the detected activity in March, this exploit was ranked number two in our top ten attacks for the month, and it remains very active, predominantly in Japan, Korea, and the US.
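The DigiPog item above describes a lock-screen behaviour that is easy to spot in endpoint telemetry: one process repeatedly terminating browsers so the victim cannot close the lock window or look for help. The following detector is an added example written for this page, not code from Fortinet or from the Threatscape report. It runs a sliding-window count of browser terminations per actor process over constructed process-event log lines; the line layout (timestamp, actor, action, target), the process names used as actors, and the allowlist are all assumptions chosen for the example.

```python
"""Heuristic detector for 'browser killer' lock-screen behaviour in process telemetry.

Added example (not from the original report). The log lines below are constructed,
and the field layout `ts actor=... action=... target=...` is an assumed schema,
not a real EDR format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Applications the report says the SMS blocker kills to keep the victim locked out.
BROWSER_PROCS = {"iexplore.exe", "firefox.exe"}

# Assumed allowlist of processes that legitimately end browsers (user-driven kills).
ALLOWLISTED_ACTORS = {"taskmgr.exe", "explorer.exe"}

WINDOW = timedelta(seconds=60)   # sliding window per actor
THRESHOLD = 3                    # browser kills inside WINDOW that trigger an alert

# Constructed sample telemetry: 'unknown_dropper.exe' kills the browser every time
# the user relaunches it, while taskmgr kills are user-driven and updater.exe kills once.
SAMPLE_LOG = """\
2010-03-05T10:00:01 actor=explorer.exe action=start target=iexplore.exe
2010-03-05T10:00:04 actor=unknown_dropper.exe action=terminate target=iexplore.exe
2010-03-05T10:00:05 actor=explorer.exe action=start target=firefox.exe
2010-03-05T10:00:06 actor=unknown_dropper.exe action=terminate target=firefox.exe
2010-03-05T10:00:09 actor=explorer.exe action=start target=iexplore.exe
2010-03-05T10:00:10 actor=unknown_dropper.exe action=terminate target=iexplore.exe
2010-03-05T10:05:00 actor=taskmgr.exe action=terminate target=firefox.exe
2010-03-05T10:05:02 actor=taskmgr.exe action=terminate target=firefox.exe
2010-03-05T10:05:03 actor=taskmgr.exe action=terminate target=firefox.exe
2010-03-05T11:00:00 actor=updater.exe action=terminate target=iexplore.exe
"""


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime under 'ts'."""
    ts_str, *kv = line.split()
    fields = dict(part.split("=", 1) for part in kv)
    fields["ts"] = datetime.fromisoformat(ts_str)
    return fields


def detect_browser_killers(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {actor: timestamp} for every non-allowlisted actor that terminated
    a browser process at least `threshold` times within any `window`-long span.
    The timestamp is the event at which the threshold was first crossed."""
    recent = defaultdict(deque)   # actor -> timestamps of its recent browser kills
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["action"] != "terminate" or ev["target"].lower() not in BROWSER_PROCS:
            continue
        actor = ev["actor"].lower()
        if actor in ALLOWLISTED_ACTORS:
            continue
        q = recent[actor]
        q.append(ev["ts"])
        # Drop kills that fell out of the sliding window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and actor not in alerts:
            alerts[actor] = ev["ts"]
    return alerts


if __name__ == "__main__":
    for actor, when in detect_browser_killers(SAMPLE_LOG).items():
        print(f"ALERT {when.isoformat()} {actor}: repeated browser terminations")
```

The allowlist is what keeps this from firing on a user closing browsers from Task Manager; in a real deployment it would be paired with the parent-process and signing information the endpoint agent provides, and a hit would be correlated with other lock-screen indicators (a new full-screen window, persistence entries) before being escalated.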