The following statistics are compiled from Fortinet's FortiGate network security appliances and intelligence systems for the period January 21st - February 20th, 2011.

Table of Contents:

FortiGuard Labs

Exploits and Intrusion Prevention

Top 10 Attacks & Regions

The top 10 attack attempts detected for this period follow, ranked by the number of valid attack cases reported. Valid attack cases are defined as threats we have listed as a Threat Outbreak on our FortiGuard Center (RSS feed here). Percentage indicates the portion of activity for which the attack accounted out of the accumulated daily incidents reported during this period. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from medium to critical. Critical issues are outlined in bold. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the attack's debut in the Top 100. Figure 1a shows a daily record of attack cases reported for this period's Top 5 attacks. Figure 1b below shows the Top 5 regions attacked in comparison to total attack cases reported this period.
RankVulnerabilityPercentageSeverityTop 100 Shift

Figure 1a: Daily attack case activity for top 5 attacks

Figure 1b: Top 5 regions by number of attack cases

New Vulnerability Coverage

There were a total of 81 vulnerabilities added to FortiGuard IPS coverage this period.
Of these added vulnerabilities, 30 were reported to be actively exploited (37.0%).

Figure 1c breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

For more information, observe the detailed reports for this period at:

Figure 1c: New vulnerability coverage for this edition, categorized by severity

Malware Today

Top 10 Variants

Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

RankMalware VariantPercentageTop 100 Shift

Figure 2: Activity curve for top five malware variants

Regions & Volume

Top 5 regions for this period, ranked by distinct malware volume reported. Distinct malware volume indicates the amount of unique virus names (variants) that has been detected in the given regions, as opposed to total malware volume, which indicates the accumulated amount of all reported incidents. Total and distinct malware volume trends for the last six reporting periods are also given. Figures 3a-3b below show these statistics:

Figure 3a: Top 5 regions by distinct malware volume

Figure 3b: Six period trend for distinct malware volume

For more information on daily activity per region, please visit our Virus World Map.

Spam and Email Threats

Spam Rate & Regions

The global spam rate is shown on a daily basis for this edition's given period. Spam rate indicates the accumulated emails which have been tagged as spam, in comparison to total email traffic. Top 5 spam regions are ranked by received spam in comparison to global spam volume. Statistics are graphed for business working days, and shown in Figures 4a-4b below:

Figure 4a: Spam rate compared to global email

Figure 4b: Top 5 spam regions by received spam

Top 3 In The Wild

Top three email threats observed for this period. Top e-mails have been filtered to highlight diverse campaigns by removing duplicates and unsolicited advertisements. This helps focus on scams and malicious intent; the resulting list is ranked by Figures 5a-c below illustrate the most popular message tactics used during recent spam campaigns:

Figure 5a: Spam campaign #1

Figure 5b: Spam campaign #2

Figure 5c: Spam campaign #3

Crawling The Web

Threat Traffic & Growth

The following list breaks down the percentage of activity blocked for selected Web categories throughout this period. Percentage indicates how much activity was accounted for out of the four selected categories. Figure 6a shows a different scope, comparing only threat traffic: Malware, spyware, and phishing. The percentage shown in Figure 6a below indicates how much activity was accounted for out of these three threat categories. Figure 6b highlights the growth (or reduction) of selected web threat activity when compared period over period:

Web Threat CategoryPercentage

Figure 6a: Threat traffic volume break-down

Figure 6b: Threat traffic growth by period

Activity Recap

FortiGuard Labs worked with Cisco (FGA-2011-03), Adobe (FGA-2011-06) and Microsoft (FGA-2011-04) to address and disclose five zero-day vulnerabilities in their products this month. We've been following this responsible disclosure process for years, totaling over 125 zero-day vulnerability discoveries - most of them critical severity, leading to potential remote code execution. The idea of course is to discover, protect against and report software security holes before black hat hackers find and exploit them. For the most part, this works - however, it is not perfect. Sometimes hackers can discover and attack an issue that has already been reported, but not yet fixed by a vendor. We saw this happen with a MS Office Web Component vulnerability back in 2009 (FortiGuard Advisory here). The larger issue is that hackers today still have success attacking vulnerabilities that have been patched, usually for some time. Make sure you have all your patches up to date, and a valid IPS solution in place to help guard against these cases. Speaking of zero-days, Microsoft issued a security advisory late January on an information disclosure vulnerability with IE and MHTML - you can find our FortiGuard advisory here. As of writing, this still remains zero-day - and although no patch is yet available, FortiGuard released the IPS signature "MS.Windows.MHTML.XSS" on February 1st to help mitigate this threat.

There was a new detection in our malware top 10 listing this report, under the name 'Data/SpyeyeCon.fam'. This signature detects encrypted configuration files sent by the SpyEye botnet, which contain updated parameters / tasks so that the botnet may continue day to day operations. SpyEye has been in the spotlight recently as the successor of the Zeus botnet, no doubt incredibly popular crimeware used by many criminal organizations across the globe. Zeus developers made an effort to avoid detection on their configuration files a while back by prepending a junk 20-byte header before the configuration file's data structures. Last year we saw a mobile component of Zeus (Zitmo) emerge. Recently, Zitmo.B has resurfaced with both a Symbian and Windows Mobile version. Likely, we'll see similar ongoing activity by the SpyEye group, like routine obfuscation of their data / command & control transmissions. FortiGuard Labs routinely monitors botnets to stay on top of the latest developments by bots such as SpyEye. For more information on SpyEye and its communication routines, please read our recent blog post by Fortinet's Doug Macdonald. SpyEye developers are also hard at work making their product more efficient in terms of management and automation - the ATS (Automatic Transfer System) feature is one such feature.

In recent reports, we have highlighted flavors of money mule recruitment campaign emails. There appears to be ongoing demand for money mules - Figures 5a and 5b highlight two new emails circulating this month attempting to lure victims into fraudulent jobs, laundering ill-gotten funds. Indeed, after all these years email threats have not dropped off the radar as phishing is very much an active game among attackers. Figure 5c shows a financial phishing email we observed in the labs this month. The email employs a scare tactic, saying that the account has been in violation of policies. In a scenario like this, think twice and attempt to verify the sender of such a note; contact your financial institution directly. Note the highlighted link that points to a rogue domain, not belonging to the financial institution. Always observe such traits before clicking on links. In this case, clicking the link would direct the victim to a landing site located at a data center in Bangkok. This landing site would then redirect the user to a server in China, which proxied content from the legitimate financial site - intercepting login credentials along the way. Of course, once these credentials are obtained it becomes very easy for criminals to launder stolen funds through the likes of anonymous transferring services and money mules.


Customers who use Fortinet's FortiGuard Subscription Services should already be protected against the threats outlined in this report with the appropriate configuration parameters in place. Threat activity is compiled by Fortinet's FortiGuard Labs using data gathered from its intelligence systems and FortiGate™ multi-threat security appliances in production worldwide. FortiGuard Subscription Services offer comprehensive security solutions including antivirus, intrusion prevention, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products.