Threatscape Report - August 2009 Edition

The following statistics are compiled from Fortinet's FortiGate network security appliances and intelligence systems for the period July 21st - August 20th, 2009.

Table of Contents:


FortiGuard Global Threat Research

Exploits and Intrusion Prevention



Top 10 Exploitations & Regions



Top 10 exploitation attempts detected for this period, ranked by vulnerability traffic. Percentage indicates the portion of activity the vulnerability accounted for out of all attacks reported in this edition. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from low to critical. Critical issues are outlined in bold:
Rank  Vulnerability                                    Percentage  Severity
1     MS.DCERPC.NETAPI32.Buffer.Overflow               13.3        Critical
2     HTTP.URI.Overflow                                9.0         Critical
3     MS.SMB.DCERPC.SRVSVC.PathCanonicalize.Overflow   5.9         High
4     MS.Windows.ASN.1.Bitstring.Overflow              3.9         High
5     FTP.USER.Command.Overflow                        2.3         High
6     MS.IE.HTML.Attribute.Buffer.Overflow             1.5         High
7     PNG.Image.Integer.Overflow                       1.4         Critical
8     FTP.Bounce.Attack                                1.3         High
9     HTTP.Host.Header.Buffer.Overflow                 1.1         Medium
10    Danmec.Asprox.SQL.Injection                      1.0         High



Figure 1a: Top 5 regions by detected exploit attempts


New Vulnerability Coverage



There were a total of 168 vulnerabilities added to FortiGuard IPS coverage this period.
Of these added vulnerabilities, 60 were reported to be actively exploited (35.7%).

Figure 1b breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

For more information, see the detailed reports for this period at:

Figure 1b: New vulnerability coverage for this edition, categorized by severity

Malware Today



Top 10 Variants



Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

Rank  Malware Variant             Percentage  Top 100 Shift
1     W32/OnlineGames.BBR!tr      29.0        -
2     HTML/Agent.E!tr             24.6        new
3     W32/Kryptik.E!tr            5.8         new
4     W32/Virut.A                 2.9         -2
5     JS/PackRedir.A!tr.dldr      2.6         -2
6     HTML/Iframe.DN!tr.dldr      2.2         -1
7     Adware/AdClicker            2.2         -
8     W32/Netsky!similar          1.7         -2
9     HTML/Iframe_CID!exploit     1.5         -1
10    HTML/Agent.Q!tr             1.3         new

Figure 2: Activity curve for top five malware variants


Regions & Volume



Top 5 regions for this period, ranked by distinct malware volume reported. Distinct malware volume indicates the number of unique virus names (variants) that have been detected in the given regions, as opposed to total malware volume, which indicates the accumulated count of all reported incidents. Total and unique malware volume trends for the last six reporting periods are also given. Figures 3a-3c below show these statistics:


Figure 3a: Top 5 regions by distinct malware volume

Figure 3b: Six period trend for total malware volume

Figure 3c: Six period trend for unique malware volume

For more information on daily activity per region, please visit our Virus World Map.


Spam and Email Threats



Spam Rate & Regions



The global spam rate is shown on a daily basis for this edition's given period. Spam rate indicates the accumulated emails which have been tagged as spam, in comparison to total email traffic. Top 5 spam regions are ranked by received spam in comparison to global spam volume. Statistics are graphed for business working days, and shown in Figures 4a-4b below:


Figure 4a: Spam rate compared to global email

Figure 4b: Top 5 spam regions by received spam


Top 3 In The Wild



Top three email threats observed for this period. Top e-mails have been filtered to highlight diverse campaigns by removing duplicates and unsolicited advertisements. This helps focus on scams and malicious intent; the resulting list is ranked by Figures 5a-c below illustrate the most popular message tactics used during recent spam campaigns:


Figure 5a: Spam campaign #1

Figure 5b: Spam campaign #2

Figure 5c: Spam campaign #3



Crawling The Web



Threat Traffic & Growth



The following list breaks down the percentage of activity blocked for selected Web categories throughout this period. Percentage indicates how much activity was accounted for out of the four selected categories. Figure 6a shows a different scope, comparing only threat traffic: Malware, spyware, and phishing. The percentage shown in Figure 6a below indicates how much activity was accounted for out of these three threat categories. Figure 6b highlights the growth (or reduction) of selected web threat activity when compared period over period:

Web Threat Category   Percentage
Pornography           57.0
Malware               33.3
Spyware               5.3
Phishing              4.4



Figure 6a: Threat traffic volume break-down

Figure 6b: Threat traffic growth by period



Activity Recap



Total detected malware volume continued its climbing trend this period, as can be seen in Figure 3b. On top of this steep incline, evident since March 2009, the number of distinct variants (malicious pieces of code) has also continued to increase gradually, as shown in Figure 3c. Several malware attack waves were evident this period, most notably on the 24th of July, when a huge surge of ZBot activity occurred. In fact, this particular campaign posted record detection levels for a single-day run, surpassing the Sober worm in January 2006, the Storm worm in January 2007, and rogue security software in September 2008. The variant flooded on this day, as seen in Figure 2, was HTML/Agent.E: in fact a ZBot variant attached to a MIME sample (email). This email seeding campaign once again used a simple eCard social engineering hook, as we reported in June this year. Figure 5a shows the described email with the attached ZBot variant, detected as HTML/Agent.E. While record activity was detected that day, it was not quite enough to gain first position in our malware top 10, as the online gaming trojan W32/OnlineGames.BBR continued to hold first place for the third consecutive month. Another ZBot variant made our top 10 this month: W32/Kryptik.E. Adware continued to be distributed through DHL invoice campaigns, as can be observed with the Bredolab trojan (detected as W32/Bredolab.AI!tr and HTML/Agent.Q!tr) in Figure 5c.

Apart from these two spam campaigns, which carried dangerous attachments, Figure 5b shows a classic money mule scheme in the form of a (fake) job advertisement for Honeywell International. While the text is for the most part professionally written, the scam plays on a legitimate name in order to entice victims looking for some easy cash. Reading further, and as highlighted in red in Figure 5b, the job description in "Accounts Receivable" involves forwarding 90% of funds to a branch office, whilst keeping the remaining 10 percent as commission. In reality, cyber criminals often need a way to transfer money, and the money mule is a favored way to do so. Global spam rates remained relatively consistent this period, and regional activity was smoothed, with the USA, Japan and France accounting for a similar share. New to the regional spam volume this period was Israel, as can be seen in Figure 4b. Phishing was the web threat category that experienced the highest growth in volume compared to last period (Figure 6b).

In another ongoing trend which we have frequently discussed, new software vulnerabilities continue to be disclosed and exploited at a growing pace. This period, a whopping 168 new vulnerabilities were covered, 60 of which were detected to be attacked in the wild - a formidable exploit rate of 35%. This is up from 27 of 89 new vulnerabilities reported to be attacked last report (30%). Most concerning this month, as Figure 1b shows, is that a large portion of these attacked vulnerabilities are rated as critical, often indicating the possibility of remote code execution. In other words, an easy way for an attacker to infiltrate your system(s). On August 11th, we released an advisory for a vulnerability in Microsoft Office Web Components (MS09-043), for which we have detected consistent exploit activity in the wild. For more information about this vulnerability, please read our blog post. This period, we have also detected consistent attacks in the wild against Adobe Reader / Flash (APSA09-03). Our official advisory can be found here, including detection of trojans dropped through these attacks. Be sure to patch your systems, as we continue to detect ongoing attacks.


Solutions



Customers who use Fortinet’s FortiGuard Subscription Services should already be protected against the threats outlined in this report. Threat activity is compiled by Fortinet's FortiGuard Global Security Research Team using data gathered from its intelligence systems and FortiGate™ multi-threat security appliances in production worldwide. FortiGuard Subscription Services offer comprehensive security solutions including antivirus, intrusion prevention, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products.