SpyEye botnet activity surges

Fortinet announced its February 2011 Threat Landscape report, which details five zero-day vulnerabilities found in Cisco (FGA-2011-03), Adobe (FGA-2011-06) and Microsoft (FGA-2011-04) products.

Microsoft also issued a zero-day security advisory regarding an information disclosure vulnerability with Internet Explorer and MHTML, making it possible under certain conditions for attackers to inject a client-side script in the response of a Web request run in the context of the victim’s Internet Explorer.

The script could spoof content, disclose information or take any action that the user could take on the affected Web site on behalf of the targeted user.

SpyEye botnet activity surges

The SpyEye Botnet entered the Threat Landscape Report’s Top 10 Malware listing for the first time this month, signaling a possible shift of criminal organizations around the world that had previously employed the Zeus botnet.

Historically, Zeus developers have made efforts to avoid detection and analysis on their configuration files by prepending garbage (red herrings) before data structures.

Last year, FortiGuard Labs analyzed an emerging mobile component of Zeus, known as Zitmo, and recently noted that Zitmo.B has resurfaced with both a Symbian and a Windows Mobile version that were actively in the wild.

“We’re likely to see similar ongoing activity by the SpyEye group, such as routine obfuscation of their data and command and control transmissions,” said Derek Manky, senior security strategist at Fortinet. “SpyEye developers are also working to make their product more efficient in terms of management and automation, which is evidenced by the bot’s new Automatic Transfer System.”

New credit card phishing email

A new credit card phishing email employs a scare tactic that says the account has been “in violation of policies.” In the example discovered, the highlighted link pointed to a rogue domain that did not belong to the card vendor; however, the page streamed authentic content from the card vendor’s site.

“Always observe these types of traits before clicking on links,” Manky said. “In this case, clicking the link would direct the victim to a landing site located at a datacenter in Bangkok. This landing site would then redirect the user to a server in China, which borrowed content from the legitimate credit card site using a proxy. This man-in-the-middle setup allowed the attackers to easily intercept login credentials along the way.”

Once these credentials are obtained, it becomes very easy for criminals to launder stolen funds through the likes of anonymous transferring services and money mules.
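As an added example, not part of the Fortinet report or this article: a small Python check for the link trait Manky describes, flagging anchors in an email body whose href host is outside the card vendor's domain, and noting when the visible text still names the vendor. The email body and all domains are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a "policy violation" notice whose visible link text names the
# card vendor while the href points at another host. All domains are hypothetical.
SAMPLE_EMAIL_HTML = """
<p>Your account has been found in violation of our policies.</p>
<p>Please <a href="http://cardvendor-example.com.secure-login.example.net/verify">
verify your account at cardvendor-example.com</a> within 24 hours.</p>
<p>Or visit <a href="https://www.cardvendor-example.com/help">our help center</a>.</p>
"""

VENDOR_DOMAIN = "cardvendor-example.com"  # the brand the email claims to come from


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_belongs_to(host, domain):
    """True only if host is the domain itself or a real subdomain of it,
    so 'cardvendor-example.com.evil.example' does not pass."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def suspicious_links(html, vendor_domain):
    """Return links whose host is outside vendor_domain, with a flag showing
    whether the visible text still claims to be the vendor."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        host = urlsplit(href).hostname or ""
        if not host_belongs_to(host, vendor_domain):
            flagged.append({"href": href, "host": host,
                            "text_claims_vendor": vendor_domain.lower() in text.lower()})
    return flagged
```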
