The following statistics are compiled from Fortinet's FortiGate network security appliances and intelligence systems for the period November 21st - December 20th, 2009.
Table of Contents:
- Exploits and Intrusion Prevention
- Malware Today
- Spam and Email Threats
- Crawling the Web
- Activity Recap
FortiGuard Labs
Exploits and Intrusion Prevention
Top 10 Attacks & Regions
The Top 10 attack attempts detected for this period follow, ranked by the number of valid attack cases reported. Valid attack cases consist only of threats we have listed as a Threat Outbreak on our FortiGuard Center (RSS feed here). Percentage indicates the portion of activity for which the attack accounted out of the accumulated daily incidents reported during this period. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from medium to critical. Critical issues are outlined in bold. Figure 1a shows a daily record of attack cases reported for this period's Top 5 attacks. Figure 1b below shows the Top 5 regions attacked in comparison to total attack cases reported this period.
| Rank | Vulnerability | Percentage | Severity |
|---|---|---|---|
| 1 | MS.DCERPC.NETAPI32.Buffer.Overflow | 55.6 | Critical |
| 2 | Waledac.Botnet | 8.2 | Critical |
| 3 | AWStats.Rawlog.Plugin.Logfile.Parameter.Input.Validation | 6.1 | High |
| 4 | FTP.USER.Command.Overflow | 4.6 | High |
| 5 | MS.Windows.LSASS.Buffer.Overflow | 4.5 | High |
| 6 | MS.IE7.Deleted.DOM.Object.Access.Memory.Corruption | 3.7 | Critical |
| 7 | SMTP.Auth.Buffer.Overflow | 3.1 | Critical |
| 8 | Apache.Expect.Header.XSS | 2.5 | Medium |
| 9 | Apache.MyFaces.Tomahawk.JSF.Framework.XSS | 2.4 | Medium |
| 10 | FTP.Command.REST.Overflow | 2.3 | High |

Figure 1a: Daily attack case activity for top 5 attacks

Figure 1b: Top 5 regions by number of attack cases
New Vulnerability Coverage
There were a total of 157 vulnerabilities added to FortiGuard IPS coverage this period.
Of these added vulnerabilities, 46 were reported to be actively exploited (29.3%).
Figure 1c breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.
For more information, observe the detailed reports for this period at:

Figure 1c: New vulnerability coverage for this edition, categorized by severity
Malware Today
Top 10 Variants
Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shift indicates the positional change compared to last edition's Top 100 ranking, with "new" marking the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:
| Rank | Malware Variant | Percentage | Top 100 Shift |
|---|---|---|---|
| 1 | W32/PackBredolab.C!tr | 66.5 | new |
| 2 | JS/PackRedir.A!tr.dldr | 6.8 | +17 |
| 3 | JS/Feebs.A@mm | 2.2 | +14 |
| 4 | HTML/Iframe.DN!tr.dldr | 1.7 | +16 |
| 5 | W32/Netsky!similar | 1.0 | +17 |
| 6 | W32/MyDoom.M@mm | 1.0 | +19 |
| 7 | HTML/Iframe_CID!exploit | 0.9 | +16 |
| 8 | W32/Virut.A | 0.8 | +13 |
| 9 | W32/OnlineGames.LYE!tr | 0.6 | +2 |
| 10 | W32/Mytob.C@mm | 0.6 | new |

Figure 2: Activity curve for top five malware variants
Regions & Volume
Top 5 regions for this period, ranked by distinct malware volume reported. Distinct malware volume indicates the number of unique virus names (variants) detected in the given region, as opposed to total malware volume, which indicates the accumulated number of all reported incidents. Total and distinct malware volume trends for the last six reporting periods are also given. Figures 3a-3c below show these statistics:

Figure 3a: Top 5 regions by distinct malware volume

Figure 3b: Six period trend for total malware volume

Figure 3c: Six period trend for distinct malware volume
For more information on daily activity per region, please visit our Virus World Map.
Spam and Email Threats
Spam Rate & Regions
The global spam rate is shown on a daily basis for this edition's period. Spam rate indicates the accumulated email tagged as spam in comparison to total email traffic. The Top 5 spam regions are ranked by received spam in comparison to global spam volume. Statistics are graphed for business working days and shown in Figures 4a-4b below:

Figure 4a: Spam rate compared to global email

Figure 4b: Top 5 spam regions by received spam
Top 3 In The Wild
Top three email threats observed for this period. Top e-mails have been filtered to highlight diverse campaigns by removing duplicates and unsolicited advertisements. This helps focus on scams and malicious intent. Figures 5a-c below illustrate the most popular message tactics used during recent spam campaigns:

Figure 5a: Spam campaign #1

Figure 5b: Spam campaign #2

Figure 5c: Spam campaign #3
Crawling The Web
Threat Traffic & Growth
The following list breaks down the percentage of activity blocked for selected Web categories throughout this period. Percentage indicates how much activity each category accounted for out of the four selected categories. Figure 6a takes a narrower scope, comparing only threat traffic: malware, spyware and phishing. The percentage shown in Figure 6a below indicates how much activity each accounted for out of these three threat categories. Figure 6b highlights the growth (or reduction) of selected web threat activity compared period over period:
| Web Threat Category | Percentage |
|---|---|
| Pornography | 63.2 |
| Malware | 29.3 |
| Spyware | 7.2 |
| Phishing | 0.3 |

Figure 6a: Threat traffic volume break-down

Figure 6b: Threat traffic growth by period
Activity Recap
Overall malware volume returned to pre-October levels this period (Figure 3b), after two months of record activity driven by ZBot, Bredolab and Pushdo/Cutwail. Nonetheless, the Bredolab loader returned to the top spot with a vengeance this period, accounting for a whopping 66.5% of total detected malware activity. Figure 2 has been scaled to highlight other prevalent threat activity, as Bredolab's threat curve over a span of several days completely dwarfed the others. As we have seen time and time again, these attack campaigns typically do not last longer than a couple of days, but can return quickly in mass volume. The seeding engines (largely the Cutwail spamming trojan) behind Bredolab certainly have a lot of horsepower, as we have observed over recent months; so much so that a single Bredolab seeding campaign can manipulate threat landscape volume like a puppet on strings. Of course, sheer volume is not everything, and such a drop should not create a false sense of security. In fact, Figure 3c shows a rise in distinct malware, meaning more unique pieces of malicious code. ZBot attacks continue over the holiday season, through the busiest time of year for online shopping and likely online banking.
ZBot campaigns have leveraged this opportunity as can be observed in Figure 5c -- an email which claims fraudulent activity was detected on the user's Visa card, providing a link to review the transaction in question. While the link appears to be legitimate ("statements.visa.com"), a quick review of the e-mail source can reveal the true link as highlighted in red at the bottom of the image. Following this link would ultimately lead to a host serving up a malicious ZBot binary by using exploits for a drive-by download attack. There was no shortage of bank phishes during the shopping season; Figure 5a shows such a phish for Discover Bank. No theft would be complete without the means to move the funds; Figure 5b shows yet another money mule recruitment campaign, offering a job for a "mystery shopper" which ultimately involves the recipient receiving money orders and transferring funds. Candidates for this job must be aware that their daily activity would require committing a criminal offense.
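The lure in Figure 5c works because the text a mail client displays for a link need not match the link's real destination, which is why the report recommends checking the message source. The following Python is an added example, not code from the report: it parses an HTML message body and flags anchors whose visible text names one host while the href points at another. The sample message is constructed, with a documentation IP address standing in for the hidden destination.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not from the report): the visible link text names
# statements.visa.com while the href actually points at a different host.
SAMPLE_EMAIL = """<html><body>
<p>Unusual activity was detected on your card. Review the transaction at
<a href="http://203.0.113.7/review.php?id=18">https://statements.visa.com/</a></p>
<p>Help: <a href="https://www.example.com/help">www.example.com</a></p>
</body></html>"""

# Visible text that looks like a URL or a bare domain; group 1 is the host part.
HOSTLIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]\S*)?$", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text)))
            self._href = None


def find_link_mismatches(html):
    """Return [(shown_host, real_host)] for anchors whose visible text names a
    host other than the one the href points to. Text that is not a URL or
    domain ("click here") is skipped: it makes no claim that can be compared."""
    parser = AnchorCollector()
    parser.feed(html)
    mismatches = []
    for href, text in parser.anchors:
        m = HOSTLIKE.match(text.strip())
        real = urlparse(href).hostname
        if m and real and m.group(1).lower() != real.lower():
            mismatches.append((m.group(1).lower(), real.lower()))
    return mismatches


if __name__ == "__main__":
    for shown, real in find_link_mismatches(SAMPLE_EMAIL):
        print(f"suspicious link: shows {shown} but goes to {real}")
```

On the sample message the check reports the Visa lure and stays silent on the help link, whose text and destination agree.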
Exploitation of MS08-067 (made infamous by the Conficker worm) remains our most active attack, with Waledac botnet traffic second this period, as listed in our Top 10 Attack list. December was a busy time for zero-days and vulnerabilities: we covered 147 new vulnerabilities and detected nearly 1/3 of those to be actively attacked (Figure 1c). In December, FortiGuard Labs disclosed ten zero-day vulnerabilities that it discovered and responsibly reported to the associated vendors: Microsoft (Indeo Codec & MS Project), Adobe and Cisco. On top of this, attackers continued to find and exploit zero-day vulnerabilities: CVE-2009-4324 (advisory here) was one observed through Adobe Reader/Acrobat and JavaScript, an increasingly common attack vector. Current workarounds include utilizing the JavaScript Blacklist Framework or simply disabling JavaScript functionality. Another zero-day was addressed by Microsoft (Internet Explorer, advisory here) through MS09-072 on December 8th; as always, users should keep their software up to date when patches are released. FortiGuard Labs continues to discover new vulnerabilities and work with partner programs to develop advanced zero-day protection to mitigate threats such as these.
2010: The Perfect Storm
The large spike of activity we observed from September to November 2009 resembled a trend from 2008. As you can see here, we saw a similar pattern in 2008 during the first large wave of Scareware that hit cyber space. Scareware was also a major component detected during this wave in 2009, though overall volume had significantly increased to record levels over 2008. So, what do we know? We know that Scareware has flourished over this time frame, not at all shaken by any take-down attempts: affiliate programs continue to make and pay out money. In December 2009, the Internet Crime Complaint Center (IC3) issued an alert stating that the FBI is aware of an estimated loss (due to Scareware fraud) in excess of $150 million USD. In 2008, a hacker by the name of NeoN posted affiliate program details showing earnings of top affiliates in excess of $150,000 USD in one month for one individual. High profile botnets continue to stay alive: Conficker, Waledac, Pushdo/Cutwail, Virut, Bredolab and of course multiple Zeus/ZBot networks. To stay alive and effective, some are beginning to enhance their malicious code and communications (see our Pushdo analysis here); a ZBot attack was recently observed to leverage database services in the cloud (Amazon RDS). The end result is a widespread, robust and healthy infrastructure available to cyber criminals leading into 2010.
With more digital convergence undoubtedly to occur in 2010 (for example, the US Government backing digital health records and Asia's e-Government initiative), there will be a wealth of opportunity for cyber crime. There is certainly no shortage of targets, from governments and enterprise to end users and thriving social networks. There is also no shortage of infrastructure available to deliver attacks: as outlined above, malicious networks are firmly in place, in addition to a growing array of legitimate services which can be leveraged. Finally, there is no shortage of vehicles through which to execute attacks. In 2009, we saw frequent exploitation of document formats (DOC, PDF, XLS), with many zero-days discovered and attacked in the wild. Crime services and crimeware continue to evolve and adapt, adding to the array of tools and techniques available to cyber criminals and their recruits. For example, CAPTCHAs are becoming less and less effective due to crime services leveraged by botnets like Koobface. For more examples, refer to our blog post on adaptive crime services. With strong seeding engines in place, as observed with Pushdo & Bredolab, already rampant Scareware can now quickly shift to Ransomware in high volume, leaving a potentially damaging trail in place. Digesting all of this, it becomes apparent that we are in for a wild ride in 2010: all the elements are in place for a perfect storm in cyberspace.
Solutions
Customers who use Fortinet’s FortiGuard Subscription Services should already be protected against the threats outlined in this report. Threat activity is compiled by Fortinet's FortiGuard Labs using data gathered from its intelligence systems and FortiGate™ multi-threat security appliances in production worldwide. FortiGuard Subscription Services offer comprehensive security solutions including antivirus, intrusion prevention, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products.