
Threat Landscape Report - August 2010 Edition

The following statistics are compiled from Fortinet's FortiGate network security appliances and intelligence systems for the period July 21st - August 20th, 2010.

FortiGuard Labs

Exploits and Intrusion Prevention



Top 10 Attacks & Regions



The top 10 attack attempts detected for this period follow, ranked by the number of valid attack cases reported. Valid attack cases are defined as threats we have listed as a Threat Outbreak on our FortiGuard Center (RSS feed here). Percentage indicates the portion of activity for which the attack accounted out of the accumulated daily incidents reported during this period. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from medium to critical. Critical issues are outlined in bold. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the attack's debut in the Top 100. Figure 1a shows a daily record of attack cases reported for this period's Top 5 attacks. Figure 1b below shows the Top 5 regions attacked in comparison to total attack cases reported this period.
Rank  Vulnerability                                                Percentage  Severity  Top 100 Shift
1     MS.Windows.Help.Center.Protocol.Malformed.Escape.Sequence    30.4        Critical  +3
2     MS.DCERPC.NETAPI32.Buffer.Overflow                           24.6        Critical  +1
3     MS.IE.Userdata.Behavior.Code.Execution                       20.9        Critical  -1
4     SMTP.Auth.Buffer.Overflow                                    10.0        Critical  +1
5     FTP.USER.Command.Overflow                                     6.8        High      +3
6     AWStats.Rawlog.Plugin.Logfile.Parameter.Input.Validation      6.5        High      +3
7     Apache.Expect.Header.XSS                                      6.5        Medium    -1
8     MS.Content.Management.Server.Code.Execution                   4.6        Critical  +4
9     Sasfis.Botnet                                                 3.9        High      +2
10    MS.Windows.LSASS.Buffer.Overflow                              2.6        High      +7



Figure 1a: Daily attack case activity for top 5 attacks

Figure 1b: Top 5 regions by number of attack cases


New Vulnerability Coverage



There were a total of 114 vulnerabilities added to FortiGuard IPS coverage this period.
Of these added vulnerabilities, 28 were reported to be actively exploited (24.6%).

Figure 1c breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

For more information, see the detailed reports for this period at:

Figure 1c: New vulnerability coverage for this edition, categorized by severity

Malware Today

Top 10 Variants



Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

Rank  Malware Variant             Percentage  Top 100 Shift
1     W32/FakeAlert.LU!tr         37.3        new
2     HTML/Iframe.DN!tr.dldr       7.5        new
3     W32/FakeAlert.DLR!tr         6.0        new
4     W32/Agent.BHU!tr             4.0        new
5     W32/Zbot.AB21!tr             2.8        new
6     W32/Agent.BFAD!tr.dldr       1.7        new
7     W32/FakeAlert.LKJ!tr         1.1        new
8     JS/ObRedirect.A!tr           1.0        -6
9     W32/FraudPack.C!tr.dldr      0.9        new
10    W32/FraudPack.D!tr.dldr      0.9        new

Figure 2: Activity curve for top five malware variants


Regions & Volume



Top 5 regions for this period, ranked by distinct malware volume reported. Distinct malware volume is the number of unique virus names (variants) detected in a given region, as opposed to total malware volume, which is the accumulated count of all reported incidents. Total and distinct malware volume trends for the last six reporting periods are also given. Figures 3a-3c below show these statistics:


Figure 3a: Top 5 regions by distinct malware volume

Figure 3b: Six period trend for total malware volume

Figure 3c: Six period trend for distinct malware volume

For more information on daily activity per region, please visit our Virus World Map.


Spam and Email Threats

Spam Rate & Regions



The global spam rate is shown on a daily basis for this edition's period. Spam rate is the share of total email traffic that was tagged as spam. The Top 5 spam regions are ranked by spam received as a share of global spam volume. Statistics are graphed for business working days and shown in Figures 4a-4b below:


Figure 4a: Spam rate compared to global email

Figure 4b: Top 5 spam regions by received spam


Top 3 In The Wild



Top three email threats observed for this period. Top e-mails have been filtered to highlight diverse campaigns by removing duplicates and unsolicited advertisements. This helps focus on scams and malicious intent; the resulting list is ranked by Figures 5a-c below illustrate the most popular message tactics used during recent spam campaigns:


Figure 5a: Spam campaign #1

Figure 5b: Spam campaign #2

Figure 5c: Spam campaign #3



Crawling The Web



Threat Traffic & Growth



The following list breaks down the percentage of activity blocked for selected Web categories throughout this period. Percentage indicates how much activity was accounted for out of the four selected categories. Figure 6a shows a different scope, comparing only threat traffic: Malware, spyware, and phishing. The percentage shown in Figure 6a below indicates how much activity was accounted for out of these three threat categories. Figure 6b highlights the growth (or reduction) of selected web threat activity when compared period over period:

Web Threat Category  Percentage
Pornography          67.2
Malware              29.2
Spyware               3.1
Phishing              0.5



Figure 6a: Threat traffic volume break-down

Figure 6b: Threat traffic growth by period



Activity Recap



In March 2010, we saw some elevated activity for ransomware: malware which locks out applications and data on a user's PC, demanding a ransom before restoring access. TotalSecurity was one such ransomware variant circulating then, and has been quite prevalent again this report. This infection has been in business for at least eight months, and appears to be still going strong. Our #1 malware detection this report was a TotalSecurity loader (W32/FakeAlert.LU) which was most active on August 8. Once executed, this "product" will gain control of the infected machine and lock out applications. When a user tries to launch any application (except for a web browser), a dialog box will pop up informing the user that the particular application they are trying to launch is infected and cannot execute. Of course, this is the whole ploy - the user is allowed to open the product page (through HTTP), where they may purchase a cleaning solution to reverse the TotalSecurity ransomware infection.

The developers of this ransomware are indeed hard at work creating code to keep their business alive. One indicator we observed this report was that the ransomware application had gone server-side polymorphic. This technique is typically seen with botnets (such as Waledac), and has been picked up by the developers of TotalSecurity. Initial infections typically start with an e-mail (Figures 5a, 5b) that has an attachment. As you can see from our highlighted spam e-mails, the templates and social engineering techniques are quite different yet contain the same ransomware loader. Once the loader is executed, it will connect to a server to download the ransomware product. This is where server-side polymorphism kicks in: the loader connects to the same server and requests the same file, yet downloads different code, as the file changes on an hourly basis. The ransomware product and its function stay the same, yet the code changes in an effort to avoid detection. This is an example of how relying purely on antivirus is not a silver-bullet approach to protecting systems from infection - since it is the same website / URI, web content filtering can also assist in identifying the malicious site's intent, while antispam can help flag the infectious e-mails in the first place.
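The point above is that a server-side polymorphic loader defeats per-sample signatures but leaves a stable indicator at the network layer: the same URI keeps returning bodies with different hashes. The following is an added illustration, not Fortinet's or FortiGuard's code, of how a proxy or web-filtering log could be mined for that pattern. The log format, hostnames, client addresses and hash values are all constructed for the example; the time window and the distinct-hash threshold are tunable assumptions chosen so that a page that legitimately changes once a day stays below the bar while an hourly-rotating payload clears it.

```python
"""Flag URIs that serve different file contents on repeated requests.

Added example (not Fortinet's code). Server-side polymorphism shows up in
egress/proxy logs as the *same* URL returning payloads with *different*
hashes over a short period, which a content-filtering layer can flag
regardless of whether antivirus recognises any individual sample.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (hypothetical format and values):
# timestamp  client  method  url  status  hash-of-response-body
SAMPLE_LOG = """\
2010-08-08T09:01:12 10.0.0.5 GET http://updates.example-bad.test/load.php 200 1111aaaa
2010-08-08T09:07:44 10.0.0.9 GET http://updates.example-bad.test/load.php 200 1111aaaa
2010-08-08T10:15:03 10.0.0.5 GET http://updates.example-bad.test/load.php 200 2222bbbb
2010-08-08T11:20:31 10.0.0.7 GET http://updates.example-bad.test/load.php 200 3333cccc
2010-08-08T09:02:00 10.0.0.5 GET http://cdn.example.test/static/logo.png 200 9999ffff
2010-08-08T12:30:00 10.0.0.8 GET http://cdn.example.test/static/logo.png 200 9999ffff
2010-08-08T09:05:00 10.0.0.6 GET http://news.example.test/index.html 200 4444dddd
2010-08-09T09:05:00 10.0.0.6 GET http://news.example.test/index.html 200 5555eeee
"""


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, client, method, url, status, digest = line.split()
    return datetime.fromisoformat(ts), client, method, url, int(status), digest


def find_polymorphic_urls(log_text, window_hours=6, min_distinct=3):
    """Return {url: sorted distinct hashes} for every URL that served at least
    ``min_distinct`` different response bodies within any ``window_hours``
    span. Only successful GETs are considered, since those are the fetches
    that actually delivered a payload to a client."""
    observations = defaultdict(list)  # url -> [(timestamp, digest), ...]
    for raw in log_text.strip().splitlines():
        ts, _client, method, url, status, digest = parse_line(raw)
        if method == "GET" and status == 200:
            observations[url].append((ts, digest))

    hits = {}
    for url, obs in observations.items():
        obs.sort()  # chronological, so each window can start at obs[i]
        for i, (start, _) in enumerate(obs):
            in_window = {
                d for t, d in obs[i:]
                if (t - start).total_seconds() <= window_hours * 3600
            }
            if len(in_window) >= min_distinct:
                hits[url] = sorted({d for _, d in obs})
                break
    return hits


if __name__ == "__main__":
    for url, digests in find_polymorphic_urls(SAMPLE_LOG).items():
        print(f"{url}: {len(digests)} distinct bodies -> {digests}")
```

In the sample the loader URL is flagged after three different bodies inside about two hours, while the static image (one hash) and the news page (two hashes a day apart) are not. In production the hash column would come from a proxy that records response digests, and the thresholds would be tuned against the organisation's normal content churn.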

The other notable infection floating around this month was ZBot, a do-it-yourself botnet kit that likely needs no introduction due to its high profile nature. Most of the ZBot variants we detect are different in nature, since they can each be configured to run their own botnets and target any information they desire. As an example this month, ZBot variants were noted to target US Military personnel. For more information on Zeus/ZBot, see our descriptive write-up here. Since it's such a popular underground product, Zeus/ZBot continues to be developed in new versions with new features for future malicious use.

As previously mentioned, two of our highlighted spam campaigns were linked to malware prevalent in our top 10 listings. Figures 5a and 5b show two emails claiming to have document attachments. In fact, they are zip archives with executables inside - clicking either one will lead to ransomware infection. A third infectious e-mail dug up a news headline over a year old about the Air France 447 crash that claimed hundreds of lives off the coast of Brazil. The e-mail claimed to have new photos of this crash - again, an attached zip file with an executable inside. These properties should be immediate red flags to any user when opening such e-mails.
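The "red flags" named above (an attachment that claims to be a document or photos but is a zip archive holding an executable) can be checked mechanically at a mail gateway before a user ever sees the message. The code below is an added example, not Fortinet's or any product's implementation: it inspects attachment bytes in memory, opens zip archives without fully inflating their members, and reports each suspicious property. The extension lists, the sample archives and the member names inside them are constructed for the example.

```python
"""Red-flag checks for e-mail attachments that claim to be documents or photos.

Added example (not Fortinet's code). The campaigns described above arrive as
zip archives with an executable inside; this routine reports the properties a
mail gateway or user-facing warning would act on.
"""
import io
import zipfile

# Constructed lists: extensions that run directly on Windows, and extensions
# that a lure typically imitates ("Invoice.doc.exe", "Photos.jpg.exe").
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")
DOCUMENT_EXTENSIONS = (".doc", ".docx", ".pdf", ".xls", ".jpg", ".jpeg", ".png")
ZIP_MAGIC = b"PK\x03\x04"
PE_MAGIC = b"MZ"


def _is_executable_name(name):
    return name.lower().endswith(EXECUTABLE_EXTENSIONS)


def _masquerades_as_document(name):
    """True for double extensions such as report.doc.exe."""
    stem = name.lower().rsplit(".", 1)[0]
    return _is_executable_name(name) and stem.endswith(DOCUMENT_EXTENSIONS)


def inspect_attachment(filename, data):
    """Return a list of red-flag descriptions for one attachment (empty = none)."""
    flags = []
    if _is_executable_name(filename):
        flags.append(f"{filename}: executable sent as an attachment")
    if data[:2] == PE_MAGIC and not _is_executable_name(filename):
        flags.append(f"{filename}: PE header under a non-executable name")
    if data[:4] == ZIP_MAGIC:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member = info.filename
                    # Read only two bytes: enough to spot a PE file without
                    # inflating a possibly huge (zip-bomb) member.
                    with zf.open(info) as fh:
                        head = fh.read(2)
                    if _is_executable_name(member) or head == PE_MAGIC:
                        flags.append(f"{filename}: archive contains executable '{member}'")
                    if _masquerades_as_document(member):
                        flags.append(
                            f"{filename}: '{member}' uses a double extension to look like a document")
        except zipfile.BadZipFile:
            flags.append(f"{filename}: zip signature but unreadable archive")
    return flags


def build_sample_zip(member_name, member_bytes):
    """Construct a zip archive in memory (test fixture, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, member_bytes)
    return buf.getvalue()


# Constructed fixtures: a lure archive holding a fake "document" executable
# (just an MZ header and padding, not a real program) and a benign archive.
LURE_ZIP = build_sample_zip("Invoice_Aug2010.doc.exe", PE_MAGIC + b"\x00" * 62)
CLEAN_ZIP = build_sample_zip("notes.txt", b"meeting notes")

if __name__ == "__main__":
    for name, blob in (("Invoice.zip", LURE_ZIP), ("notes.zip", CLEAN_ZIP)):
        print(name, inspect_attachment(name, blob) or ["no red flags"])
```

The member check deliberately looks at both the name and the first two bytes, so renaming a PE file to `photo.jpg` inside the archive does not hide it, and reading only two bytes per member keeps the check cheap and safe against oversized archives.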

The attacks on the recent Windows Help Center vulnerability continued, propelling this threat to pole position in our top 10 attack list. The attack (CVE-2010-1885) is detected by FortiGuard Labs as 'MS.Windows.Help.Center.Protocol.Malformed.Escape.Sequence'. Figure 1a shows that there was an exceptionally large spike in activity on this vulnerability on August 8th and 9th. As mentioned last report, exploitation of this attack can be rather potent since the vulnerability is not web browser specific.


Solutions



Customers who use Fortinet's FortiGuard Subscription Services should already be protected against the threats outlined in this report. Threat activity is compiled by Fortinet's FortiGuard Labs using data gathered from its intelligence systems and FortiGate™ multi-threat security appliances in production worldwide. FortiGuard Subscription Services offer comprehensive security solutions including antivirus, intrusion prevention, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products.