The following statistics are compiled from Fortinet's FortiGate network security appliances and intelligence systems for the period November 21st - December 20th, 2010.
Table of Contents:
- Exploits and Intrusion Prevention
- Malware Today
- Spam and Email Threats
- Crawling the Web
- Activity Recap

FortiGuard Labs
Exploits and Intrusion Prevention
Top 10 Attacks & Regions
The top 10 attack attempts detected for this period follow, ranked by the number of valid attack cases reported. Valid attack cases are defined as threats we have listed as a Threat Outbreak on our FortiGuard Center (RSS feed here). Percentage indicates the portion of activity for which the attack accounted out of the accumulated daily incidents reported during this period. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from medium to critical. Critical issues are outlined in bold. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the attack's debut in the Top 100. Figure 1a shows a daily record of attack cases reported for this period's Top 5 attacks. Figure 1b below shows the Top 5 regions attacked in comparison to total attack cases reported this period.
| Rank | Vulnerability | Percentage | Severity | Top 100 Shift |
|---|---|---|---|---|
| 1 | **MS.DCERPC.NETAPI32.Buffer.Overflow** | 47.5 | critical | - |
| 2 | Hiloti.Botnet | 14.3 | high | new |
| 3 | **MS.IE.Userdata.Behavior.Code.Execution** | 9.6 | critical | -1 |
| 4 | AWStats.Rawlog.Plugin.Logfile.Parameter.Input.Validation | 8.7 | high | +2 |
| 5 | MS.Windows.LSASS.Buffer.Overflow | 6.7 | high | - |
| 6 | FTP.USER.Command.Overflow | 6.3 | high | -2 |
| 7 | Apache.Expect.Header.XSS | 6.2 | medium | - |
| 8 | Sasfis.Botnet | 4.3 | high | -5 |
| 9 | FreeType.CFF.Jailbreak.Apple.Device.Buffer.Overflow | 2.4 | high | - |
| 10 | **MS.Content.Management.Server.Code.Execution** | 2.4 | critical | -2 |

Figure 1a: Daily attack case activity for top 5 attacks

Figure 1b: Top 5 regions by number of attack cases
New Vulnerability Coverage
There were a total of 111 vulnerabilities added to FortiGuard IPS coverage this period.
Of these added vulnerabilities, 46 were reported to be actively exploited (41.4%).
Figure 1c breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.
For more information, observe the detailed reports for this period at:

Figure 1c: New vulnerability coverage for this edition, categorized by severity
Malware Today
Top 10 Variants
Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:
| Rank | Malware Variant | Percentage | Top 100 Shift |
|---|---|---|---|
| 1 | W32/Buzus.011E!tr | 30.3 | new |
| 2 | HTML/Iframe.DN!tr.dldr | 11.4 | - |
| 3 | W32/Kriz.3863 | 4.1 | +1 |
| 4 | W32/Injector.fam!tr | 3.4 | -1 |
| 5 | W32/Netsky.P@mm | 1.9 | - |
| 6 | JS/Feebs.A@mm | 1.5 | new |
| 7 | Java/Openconnection.F7E8!tr | 1.4 | +20 |
| 8 | W32/VB.WL!tr | 1.1 | -2 |
| 9 | W32/SillyFDC.G!tr | 1.0 | -1 |
| 10 | W32/Krap.AO!tr | 1.0 | new |

Figure 2: Activity curve for top five malware variants
Regions & Volume
Top 5 regions for this period, ranked by distinct malware volume reported. Distinct malware volume is the number of unique virus names (variants) detected in the given region, as opposed to total malware volume, which is the accumulated number of all reported incidents. Total and distinct malware volume trends for the last six reporting periods are also given. Figures 3a-3b below show these statistics:

Figure 3a: Top 5 regions by distinct malware volume

Figure 3b: Six period trend for distinct malware volume
For more information on daily activity per region, please visit our Virus World Map.
Spam and Email Threats
Spam Rate & Regions
The global spam rate is shown on a daily basis for this edition's given period. Spam rate indicates the accumulated emails which have been tagged as spam, in comparison to total email traffic. Top 5 spam regions are ranked by received spam in comparison to global spam volume. Statistics are graphed for business working days, and shown in Figures 4a-4b below:

Figure 4a: Spam rate compared to global email

Figure 4b: Top 5 spam regions by received spam
Top 3 In The Wild
Top three email threats observed for this period. Top e-mails have been filtered to highlight diverse campaigns by removing duplicates and unsolicited advertisements. This helps focus on scams and malicious intent; the resulting list is ranked by Figures 5a-c below illustrate the most popular message tactics used during recent spam campaigns:

Figure 5a: Spam campaign #1

Figure 5b: Spam campaign #2

Figure 5c: Spam campaign #3
Crawling The Web
Threat Traffic & Growth
The following list breaks down the percentage of activity blocked for selected Web categories throughout this period. Percentage indicates how much activity was accounted for out of the four selected categories. Figure 6a shows a different scope, comparing only threat traffic: Malware, spyware, and phishing. The percentage shown in Figure 6a below indicates how much activity was accounted for out of these three threat categories. Figure 6b highlights the growth (or reduction) of selected web threat activity when compared period over period:
| Web Threat Category | Percentage |
|---|---|
| Pornography | 55.6 |
| Malware | 40.3 |
| Spyware | 2.1 |
| Phishing | 2.0 |

Figure 6a: Threat traffic volume break-down

Figure 6b: Threat traffic growth by period
Activity Recap
As we enter the holiday season, spam rates continue to drop after the sharp decline that followed Bredolab's takedown in October/November 2010. Figure 4a outlines global spam rates throughout December, on average 7% lower than November and about 19% lower than the peak before Bredolab's takedown in October. This is welcome news, since the impact has been noticeable and has now lasted for two months. Spam rates decline simply because the volume of spam declines, and that volume is driven mostly by spam-spewing botnets and mass mailers. This should not create a false sense of security, however; there are still plenty of threats lurking in email today. Cleverly engineered spam with malicious attachments or intentions can be far more damaging than ineffective bulk spam. We have previously mentioned the ongoing demand for money mules to transfer ill-gotten funds, and have often featured such recruitment emails in our monthly reports. This month was particularly interesting, as a wide variety of campaigns targeted different regions. Figure 5b shows one such email, sent to a Hong Kong (.hk) address, seeking "local representatives" for Singapore, Hong Kong, Taiwan, Thailand and the Philippines who have a "reasonably long relations history with local banks". Figure 5c shows another email targeting Australian (.au) addresses for an "online sales administrator" position. The contact addresses for these campaigns were linked to the same operator. In fact, we saw several other campaigns using a variety of contact domain names, including cv-eur.com, asia-sitezen.com and australia-resume.com. All three were registered to a Russian contact through the same registrar, and all contact addresses for worldwide recruitment used Google mail hosting. This is an excellent example of how cyber criminals diversify the distribution of their funds, using banks and mules in various regions.
Apart from money mule emails, we also saw the Buzus trojan distributed through mass emails posing as Hallmark e-cards, just in time for the holiday season. Figure 5a shows an example of the campaign email. Once the attachment is opened, the system begins sending out more mail like this and is infected with the Hiloti botnet. This is no coincidence, as Hiloti botnet traffic was #2 on our Top 10 Attack list this report. We have seen Hiloti distributed through many different botnets because Hiloti employs a pay-per-install affiliate program: in other words, its operators pay other botnet operators to install the Hiloti bot, which lets them grow their botnet faster by outsourcing distribution. Hiloti is particularly innovative in that it uses DNS as a communication channel, watermarking its report information into DNS traffic to its servers. This is done to evade detection, since it appears to be normal, legitimate DNS traffic. You can read more about Hiloti here.
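The DNS-as-reporting-channel behaviour described above is something a defender can hunt for in resolver logs, even without knowing the bot's encoding. The following is an added example, not Fortinet's detection logic and not based on Hiloti's actual query format (which this report does not describe): it scores the leftmost DNS label of each query by length and character entropy over constructed log lines and flags clients that send many such queries under one parent domain. The log line format, thresholds and sample values are assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log (assumed format: "<epoch> <client> <qname> <qtype>").
# Not real Hiloti traffic; the 10.0.0.31 lines mimic data carried in hostnames.
SAMPLE_LOG = """\
1292284800 10.0.0.12 www.example.com A
1292284801 10.0.0.12 mail.example.com MX
1292284802 10.0.0.31 a9f3c1e7b2d4f6a8c0e1.update.example.net A
1292284803 10.0.0.31 0b7e2d9c4f1a6e3b8d5c.update.example.net A
1292284804 10.0.0.31 6c1d8e2f9a4b7c0d3e5f.update.example.net A
1292284805 10.0.0.31 3e5f7a9b1c2d4e6f8a0b.update.example.net A
1292284806 10.0.0.12 cdn.example.com A
"""

LOG_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname):
    """Crude 'last two labels' approximation of the registered domain (no PSL)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def find_dns_channel_suspects(log_text, min_queries=3, entropy_threshold=3.5, label_len=16):
    """Return sorted (client, domain) pairs whose queries look like data smuggled in
    hostnames: many distinct, long, high-entropy leftmost labels under one domain."""
    labels_seen = defaultdict(set)  # (client, domain) -> distinct leftmost labels
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        _ts, client, qname, _qtype = m.groups()
        first = qname.split(".")[0]
        if len(first) >= label_len and shannon_entropy(first) >= entropy_threshold:
            labels_seen[(client, registered_domain(qname))].add(first)
    return sorted(k for k, labels in labels_seen.items() if len(labels) >= min_queries)


if __name__ == "__main__":
    for client, domain in find_dns_channel_suspects(SAMPLE_LOG):
        print(f"suspect DNS channel: client={client} parent domain={domain}")
```

Ordinary hostnames such as www or cdn never reach the threshold, so the benign client 10.0.0.12 is not reported; tune the thresholds against your own baseline, since CDNs and some anti-spam lookups also produce long labels.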
There were three arbitrary code execution vulnerability discoveries made by FortiGuard Labs this report in Microsoft and Apple products.
FGA-2010-65 describes a MS Windows Kernel vulnerability which may allow execution in privileged (Ring0) context.
FGA-2010-64 is yet another DLL loading vulnerability which affects multiple products within the Windows 7 operating system.
FGA-2010-62 outlines an integer overflow vulnerability in Apple QuickTime, which can lead to infection simply by viewing a specially crafted QuickTime movie file. FortiGuard Labs continues to discover software vulnerabilities on an ongoing basis, reporting them responsibly to vendors so that these security holes can be closed for end users. For most of these discoveries, we roll out our own IPS protection in advance, based on our proof of concept and research. Patch management and FortiGuard IPS help protect proactively against software vulnerabilities like these.
As we conclude 2010, there was certainly no lack of activity on the threat scene. Perhaps most visible was the recent Wikileaks DDoS attack against various entities that were blamed for crippling Wikileaks.org operations. DDoS attacks are an old technique and simply aim to cripple resources such as web servers, typically by overloading them with too many requests. To accomplish this, many DDoS attacks are launched by botnets, either rented out or commanded at will by their operators; in fact, DDoS services are offered for hire on various underground forums. The interesting part about the Wikileaks campaign was that the main engine used to launch the DDoS, the Low Orbit Ion Cannon, was in effect a voluntary botnet. It is available on Sourceforge, allowing anyone to configure the software to join cyber protest campaigns like Wikileaks' Operation Payback. Regardless of the motivation, DDoS attacks have occurred, can occur and will occur. Fortinet detects the Low Orbit Ion Cannon DDoS tool as "HackerTool/MSIL_Loic"; you will need to have grayware detection enabled. Some defense strategies are also offered on our blog.
Solutions
Customers who use Fortinet's FortiGuard Subscription Services should already be protected against the threats outlined in this report with the appropriate configuration parameters in place. Threat activity is compiled by Fortinet's FortiGuard Labs using data gathered from its intelligence systems and FortiGate™ multi-threat security appliances in production worldwide. FortiGuard Subscription Services offer comprehensive security solutions including antivirus, intrusion prevention, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products.