
Threat Landscape Report - April 2009 Edition

The following statistics are compiled from Fortinet's FortiGate network security appliances and intelligence systems for the period March 21st - April 20th, 2009.

FortiGuard Global Threat Research

Exploits and Intrusion Prevention



Top 10 Exploitations & Regions



Top 10 exploitation attempts detected for this period, ranked by vulnerability traffic. Percentage indicates the portion of activity the vulnerability accounted for out of all attacks reported in this edition. Severity indicates the general risk factor involved with exploitation of the vulnerability, rated from low to critical; critical issues are identified in the Severity column:

Rank  Vulnerability                                       Percentage  Severity
1     SSLv3.SessionID.Overflow                            9.3         High
2     SMS.SQL.Server.Empty.Password                       8.4         High
3     MS.DCERPC.NETAPI32.Buffer.Overflow                  5.5         Critical
4     MS.SMB.DCERPC.SRVSVC.PathCanonicalize.Overflow      4.6         High
5     MS.IE.HTML.Attribute.Buffer.Overflow                4.0         High
6     MS.Windows.NAT.Helper.DNS.Query.DoS                 3.7         High
7     MS.Windows.ASN.1.Bitstring.Overflow                 1.4         High
8     FTP.Bounce.Attack                                   1.2         High
9     LPD.Command.Buffer.Overflow                         1.0         High
10    Oracle.sys.pbsde.init.Buffer.Overflow               0.9         Medium



Figure 1a: Top 5 regions by detected exploit attempts


New Vulnerability Coverage



There were a total of 96 vulnerabilities added to FortiGuard IPS coverage this period.
Of these added vulnerabilities, 30 were reported to be actively exploited (31.3%).

Figure 1b breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

For more information, see the detailed reports for this period at:

Figure 1b: New vulnerability coverage for this edition, categorized by severity

Malware Today

Top 10 Variants



Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 Shift indicates the positional change compared to last edition's Top 100 ranking ("-" for no change), with "new" marking the variant's debut in the Top 100. Figure 2 below shows the detected volume for the Top 5 variants:

Rank  Malware Variant                 Percentage  Top 100 Shift
1     W32/Virut.A                     8.2         -
2     W32/Dropper.PTD!tr              6.2         new
3     W32/OnlineGames.MIG!tr.pws      5.7         new
4     Spy/OnLineGames                 5.6         +1
5     W32/Agent.JNR!tr                4.8         new
6     HTML/Iframe.DN!tr.dldr          4.8         -3
7     W32/Netsky!similar              4.2         -5
8     HTML/Iframe_CID!exploit         3.8         -4
9     Adware/AdClicker                3.0         new
10    W32/MyTob.fam@mm                2.8         -3

Figure 2: Activity curve for top five malware variants


Regions & Volume



Top 5 regions for this period, ranked by distinct malware volume reported. Distinct malware volume is the number of unique virus names (variants) detected in a given region, as opposed to total malware volume, which is the accumulated number of all reported incidents. Total and distinct malware volume trends for the last six reporting periods are also given. Figures 3a-3c below show these statistics:


Figure 3a: Top 5 regions by distinct malware volume

Figure 3b: Six period trend for total malware volume

Figure 3c: Six period trend for unique malware volume

For more information on daily activity per region, please visit our Virus World Map.
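The ranking columns used in the malware Top 10 above (percentage of all detections, Top 100 shift with "new" for a debut) and the distinction between total and distinct malware volume per region are easy to get subtly wrong when reproduced from raw sensor data. The following is an added example, not Fortinet code; the detection records, region names and previous-period totals are constructed for illustration and do not reproduce the report's figures.

```python
from collections import Counter

# Constructed sample data (not report data): each tuple is
# (region, malware variant, number of detections reported from that region).
CURRENT_SPEC = [
    ("China", "W32/Virut.A", 25),
    ("USA", "W32/Virut.A", 15),
    ("China", "W32/Dropper.PTD!tr", 30),
    ("China", "Spy/OnLineGames", 20),
    ("USA", "W32/Netsky!similar", 10),
]
# One (region, variant) record per detection event, as a sensor feed delivers them.
CURRENT_RECORDS = [(r, v) for r, v, n in CURRENT_SPEC for _ in range(n)]

# Constructed per-variant totals for the previous reporting period.
PREVIOUS_COUNTS = Counter({
    "W32/Virut.A": 50,
    "W32/Netsky!similar": 30,
    "W32/Agent.JNR!tr": 25,
    "Spy/OnLineGames": 20,
})


def variant_counts(records):
    """Total detections per variant across all regions."""
    return Counter(variant for _, variant in records)


def rank_with_shift(current, previous, top_n=10, top_k=100):
    """Rank variants by share of all detections and mark movement against the
    previous period's Top `top_k`: 'new' = absent from that list,
    '-' = unchanged position, '+n' / '-n' = moved up / down n places."""
    def ordered(counts):
        # Ties are broken by name so the ranking is deterministic.
        return [name for name, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]

    total = sum(current.values())
    prev_pos = {name: i for i, name in enumerate(ordered(previous)[:top_k], start=1)}
    table = []
    for pos, name in enumerate(ordered(current)[:top_n], start=1):
        pct = round(100.0 * current[name] / total, 1)
        if name not in prev_pos:
            shift = "new"
        else:
            delta = prev_pos[name] - pos  # positive means the variant climbed
            shift = "-" if delta == 0 else f"{delta:+d}"
        table.append((pos, name, pct, shift))
    return table


def region_volumes(records):
    """Per region: (total malware volume, distinct malware volume).
    Total counts every incident; distinct counts unique variant names."""
    total, distinct = Counter(), {}
    for region, variant in records:
        total[region] += 1
        distinct.setdefault(region, set()).add(variant)
    return {r: (total[r], len(distinct[r])) for r in total}


if __name__ == "__main__":
    for row in rank_with_shift(variant_counts(CURRENT_RECORDS), PREVIOUS_COUNTS):
        print("%-4d %-24s %5.1f  %s" % row)
    print(region_volumes(CURRENT_RECORDS))
```

Note that a region with few incidents can still lead the distinct-volume ranking if those incidents span many variants, which is why the report gives both measures.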


Spam and Email Threats

Spam Rate & Regions



The global spam rate is shown on a daily basis for this edition's period. Spam rate is the share of all email traffic that was tagged as spam. Top 5 spam regions are ranked by received spam as a share of global spam volume. Statistics are graphed for business working days and shown in Figures 4a-4b below:


Figure 4a: Spam rate compared to global email

Figure 4b: Top 5 spam regions by received spam


Top 3 In The Wild



Top three email threats observed for this period. Top emails have been filtered to highlight diverse campaigns by removing duplicates and unsolicited advertisements, which keeps the focus on scams and malicious intent. Figures 5a-5c below illustrate the most popular message tactics used during recent spam campaigns:


Figure 5a: Spam campaign #1

Figure 5b: Spam campaign #2

Figure 5c: Spam campaign #3



Crawling The Web



Web Traffic & Growth



The following list breaks down the percentage of activity blocked for selected Web categories throughout this period. Percentage indicates how much activity each category accounted for out of the four selected categories. Figure 6a shows a different scope, comparing only threat traffic: malware, spyware and phishing; its percentages are out of these three threat categories. Figure 6b highlights the growth (or reduction) of selected web threat activity period over period:

FortiGuard Category  Percentage
Pornography          71.3
Malware              18.9
Spyware              8.2
Phishing             1.6



Figure 6a: Threat traffic volume break-down

Figure 6b: Threat traffic growth by period



Activity Recap



After three months of shifting variants within our malware Top 10, there was considerable action to report this period. Four new variants entered the picture, while W32/Virut.A maintained its dominance in first position for the second straight month. Amongst the new variants were online gaming and adware threats. In fact, three entries in our malware Top 10 (ranked #2 through #4) were linked to online gaming trojans, and a fourth trojan just missed the list in eleventh position. Needless to say, these threats have formed a significant portion of malware activity. The lucrative marketplace created through online gaming has attracted cyber crime with haste, as we have reported over the past year. Real money trading (RMT) is now an estimated $2 billion USD annual market surrounded by illegitimate practices, fueled by threats like the ones in third and fourth position in our malware Top 10 this period.

For distinct malware volume this period, China leap-frogged over Japan and the USA (Figure 3a) with a 44.86% global share, up from 24.17% last period. This is partly thanks to the increased presence of the aforementioned gaming threats, which have a heavy influence in Asia, following market share as we reported one year ago. Worldwide (Figures 3b/3c), both total and distinct malware volume increased this period, marking the highest levels we have detected this year.

While Conficker.C sat idle on the much anticipated April 1st time-bomb date incorporated into its code, its peer-to-peer network became active the week after, when new code was injected. Prior to this, we saw a considerable drop in MS08-067 exploit activity, since the latest Conficker.C variant had stopped attacking this vulnerability. However, new code exploiting this now infamous security hole surfaced through both Conficker and another malware family. As a result, exploit activity for MS08-067 picked up again towards the end of April. Our detection for this exploit, MS.DCERPC.NETAPI32.Buffer.Overflow, landed in third position in our Top 10 exploitation list. This combination of activity is likely to continue, especially as new threats are created that hope to piggyback on the success of Conficker's first attack vehicle.

The Waledac gang was at it once again, hosting yet another campaign serving up its variants disguised as SMS mobile spying software. Figure 5a shows a sample of the simple, malicious email spewed out from their botnet. This is turning out to be a monthly event, as it is the fifth major campaign we have witnessed from Waledac this year. Once again, they ripped off a legitimate website's template to enhance the social engineering effect. Nothing new there, as we saw this copy-paste practice with their previous 'Couponizer' theme and Obama campaign. This is one network to watch out for, since it is very active and employs heavy server-side polymorphism. Ensure you have an effective antivirus and web filtering solution in place. Waledac is built on an effective peer-to-peer network of proxies that use HTTP communication and a variety of domains built on fast flux. In other words, they aren't going away any time soon, especially considering Waledac variants were recently spotted on Conficker's massive network of zombies.
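Because Waledac fronts its HTTP proxies with fast-flux domains, the domains themselves are a useful detection handle: the same name resolves to a churning set of addresses across unrelated networks with short TTLs, whereas a stable site keeps one address and a CDN rotates addresses within its own ranges. The following is an added example, not Fortinet code; the resolver log, domain names and thresholds are constructed for illustration and are assumptions, not Waledac indicators.

```python
import ipaddress
from collections import defaultdict

# Constructed resolver log (not real data), one resolution per line:
# "<epoch> <qname> <ttl> <answer_ip>".  Addresses are from the RFC 5737
# documentation ranges.
RESOLVER_LOG = """\
1240000000 sms-spy-update.example. 120 203.0.113.10
1240000180 sms-spy-update.example. 120 198.51.100.77
1240000360 sms-spy-update.example. 90 192.0.2.45
1240000540 sms-spy-update.example. 120 203.0.113.200
1240000720 sms-spy-update.example. 60 198.51.100.9
1240000900 sms-spy-update.example. 120 192.0.2.130
1240000000 www.example. 3600 192.0.2.1
1240003600 www.example. 3600 192.0.2.1
1240007200 www.example. 3600 192.0.2.1
1240000000 cdn.example. 60 203.0.113.1
1240000060 cdn.example. 60 203.0.113.2
1240000120 cdn.example. 60 203.0.113.3
1240000180 cdn.example. 60 203.0.113.4
1240000240 cdn.example. 60 203.0.113.5
"""


def parse_log(text):
    """Parse the constructed log format into (epoch, qname, ttl, ip) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, qname, ttl, ip = line.split()
        rows.append((int(ts), qname.lower(), int(ttl), ipaddress.ip_address(ip)))
    return rows


def domain_profiles(rows):
    """Aggregate per qname: distinct answer IPs, distinct /16 networks
    (a crude stand-in for network diversity), observed TTLs and sample count."""
    prof = defaultdict(lambda: {"ips": set(), "nets": set(), "ttls": [], "n": 0})
    for _, qname, ttl, ip in rows:
        p = prof[qname]
        p["ips"].add(ip)
        p["nets"].add(ipaddress.ip_network(f"{ip}/16", strict=False))
        p["ttls"].append(ttl)
        p["n"] += 1
    return prof


def flux_score(profile, min_ips=5, max_ttl=300, min_nets=3):
    """Count how many fast-flux indicators fire for one domain profile.
    Thresholds are assumptions chosen for this example, not published values."""
    reasons = []
    if len(profile["ips"]) >= min_ips:
        reasons.append("many distinct addresses")
    if min(profile["ttls"]) <= max_ttl:
        reasons.append("short TTL")
    if len(profile["nets"]) >= min_nets:
        reasons.append("addresses spread across unrelated networks")
    return len(reasons), reasons


def find_fast_flux(text):
    """Return the sorted list of domains on which all three indicators fire."""
    profiles = domain_profiles(parse_log(text))
    return sorted(q for q, p in profiles.items() if flux_score(p)[0] == 3)


if __name__ == "__main__":
    for qname, p in domain_profiles(parse_log(RESOLVER_LOG)).items():
        print(qname, flux_score(p))
    print("fast-flux candidates:", find_fast_flux(RESOLVER_LOG))
```

The CDN-style domain in the sample trips two of the three indicators (many addresses, short TTL); requiring address spread across unrelated networks is what keeps it out of the candidate list, and in production the /16 heuristic would be replaced by ASN lookups.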

Other notable spam this month includes a Nigerian 419 scam social-engineered to appear to come from Hong Kong (Figure 5b), and a template rip-off of Men's Health magazine courtesy of the Canadian Pharmacy gang (Figure 5c). All of the links in the latter email lead to the Canadian Pharmacy network, and certainly not to Men's Health. Yet another attempt to leverage a legitimate name; be careful out there. Web threat traffic generally increased this period, with phishing sites growing more than spyware (Figure 6b).


Solutions



Customers who use Fortinet’s FortiGuard Subscription Services should already be protected against the threats outlined in this report. Threat activity is compiled by Fortinet's FortiGuard Global Security Research Team using data gathered from its intelligence systems and FortiGate™ multi-threat security appliances in production worldwide. FortiGuard Subscription Services offer comprehensive security solutions including antivirus, intrusion prevention, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products.