Prevalence Report

Threat Landscape Report - February 2009 Edition



The following statistics are compiled from Fortinet's FortiGate network security appliances and intelligence systems for the period January 21st - February 20th, 2009.



FortiGuard Global Threat Research

Exploits and Intrusion Prevention



Top 10 Exploitations & Regions



Top 10 exploitation attempts detected for this period, ranked by vulnerability traffic. Percentage indicates the portion of activity the vulnerability accounted for out of all attacks reported in this edition. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from low to critical. Critical issues are marked as such in the Severity column:
Rank  Vulnerability                                       Percentage  Severity
----  --------------------------------------------------  ----------  --------
1     Trojan.Storm.Worm.Krackin.Detection                 62.7        High
2     MS.IIS.Web.Application.SourceCode.Disclosure        3.0         Medium
3     SSLv3.SessionID.Overflow                            2.2         High
4     MS.DCERPC.NETAPI32.Buffer.Overflow                  2.0         Critical
5     MS.Exchange.Mail.Calender.Buffer.Overflow           1.5         High
6     SSH.Client.Buffer.Overflow                          1.2         High
7     MS.SMB.DCERPC.SRVSVC.PathCanonicalize.Overflow      1.2         High
8     MS.IE.HTML.Attribute.Buffer.Overflow                1.1         High
9     MS.Windows.NAT.Helper.DNS.Query.DoS                 0.9         High
10    Squid.NTLM.Authentication.Buffer.Overflow           0.5         Critical



Figure 1a: Top 5 regions by detected exploit attempts


New Vulnerability Coverage



There were a total of 117 vulnerabilities added to FortiGuard IPS coverage this period.
Of these added vulnerabilities, 30 were reported to be actively exploited (25.6%).

Figure 1b breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

For more information, see the detailed reports for this period at:

Figure 1b: New vulnerability coverage for this edition, categorized by severity

Malware Today



Top 10 Variants



Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

Rank  Malware Variant              Percentage  Top 100 Shift
----  ---------------------------  ----------  -------------
1     W32/Netsky!similar           9.3         +1
2     W32/Virut.A                  7.8         +1
3     HTML/Iframe_CID!exploit      7.8         +2
4     HTML/Iframe.DN!tr.dldr       6.3         -
5     Spy/OnLineGames              6.0         -4
6     W32/MyTob.fam@mm             3.5         +5
7     W32/MyTob.BH.fam@mm          2.5         -
8     W32/PWS.Y!tr                 2.2         +29
9     W32/Basine.C!tr.dldr         2.1         +1
10    W32/MyTob.AQ@mm              2.0         -1

Figure 2: Activity curve for top five malware variants


Regions & Volume



Top 5 regions for this period, ranked by distinct malware volume reported. Distinct malware volume indicates the number of unique virus names (variants) detected in the given region, as opposed to total malware volume, which indicates the accumulated number of all reported incidents. Total and unique malware volume trends for the last six reporting periods are also given. Figures 3a-3c below show these statistics:


Figure 3a: Top 5 regions by distinct malware volume

Figure 3b: Six period trend for total malware volume

Figure 3c: Six period trend for unique malware volume

For more information on daily activity per region, please visit our Virus World Map.


Spam and Email Threats



Spam Rate & Regions



The global spam rate is shown on a daily basis for this edition's given period. Spam rate indicates the proportion of emails tagged as spam relative to total email traffic. Top 5 spam regions are ranked by received spam in comparison to global spam volume. Statistics are graphed for business working days, and shown in Figures 4a-4b below:


Figure 4a: Spam rate compared to global email

Figure 4b: Top 5 spam regions by received spam


Top 3 In The Wild



Top three email threats observed for this period. Top e-mails have been filtered to highlight diverse campaigns by removing duplicates and unsolicited advertisements. This helps focus on scams and malicious intent. Figures 5a-c below illustrate the most popular message tactics used during recent spam campaigns:


Figure 5a: Spam campaign #1

Figure 5b: Spam campaign #2

Figure 5c: Spam campaign #3



Crawling The Web



Web Traffic & Growth



The following list breaks down the percentage of activity blocked for selected Web categories throughout this period. Percentage indicates how much activity was accounted for out of the four selected categories. Figure 6a shows a different scope, comparing only threat traffic: Malware, spyware, and phishing. The percentage shown in Figure 6a below indicates how much activity was accounted for out of these three threat categories. Figure 6b highlights the growth (or reduction) of selected web threat activity when compared period over period:

FortiGuard Category  Percentage
-------------------  ----------
Pornography          68.5
Malware              20.8
Spyware              8.6
Phishing             2.2



Figure 6a: Threat traffic volume break-down

Figure 6b: Threat traffic growth by period



Activity Recap



There are some new items featured in Fortinet's threat report, which will be discussed throughout this recap. Six month malware volume trends (Figures 3b/3c) are now grouped by period rather than month. Regional activity is now displayed for both antispam and IPS in Figures 1a/4b, and individual growth rates for selected Web traffic categories are now shown in Figure 6b.

Regional indicators for detected intrusion attempts this edition show India leading the pack (Figure 1a), accounting for over one quarter of detected global activity. For new vulnerability coverage, the active exploit rate was down to 25.6% from 30.2% last period. However, the number of newly reported vulnerabilities increased nearly three-fold, with 117 this period compared to 43 last period. Conficker, exploiting the well-known MS08-067 vulnerability, is still running wild: the highest recorded activity to date was on February 14th, 2009, nearly four months after a patch became available. New zero-days with the potential to become high profile surfaced in February, exploitation of old vulnerabilities (as in the case of MS08-067) remains very prevalent, and newly reported vulnerabilities are on the rise. Amidst a dwindling economy, there is certainly no shortage of material for cyber criminals to leverage. This should serve as a stark reminder to employ firm patch management guidelines along with a valid IPS solution to help block this very active threat vector.

Malware activity stayed fairly similar to last report - no new variants were introduced into the Top 10 for the second straight month. W32/Virut.A, securing second place this edition, has managed to stay extremely persistent in our Top 10 since early 2008. Online gaming threats through Spy/OnLineGames dropped from first place last period, but still remain very active. The most significant jump was with W32/PWS.Y, a variant of the Zapchast trojan family, landing in eighth spot. Perhaps the most intriguing malware campaign this edition was Waledac, which spread using a vast array of variants through a Valentine's Day theme. First detected in January, Waledac's campaign ran strong throughout February, primarily using its mass mailing engine. The mail, seen in Figure 5a, was simple - entice the user into following a link to an eCard for Valentine's Day. Upon visiting the site, a link would be presented to the user in which he/she would seemingly download the card, which of course was a malicious executable (Waledac). The campaign, which is still active as of writing after evading take-down for over a month, uses fast flux and a variety of domains and sub-domains. The administrators of the malicious site frequently change the downloaded executable's filename, using names such as "love.exe", "lovekit.exe", etc. Since Valentine's Day, they have changed the theme of their site to offer online coupons, branded as the 'Couponizer'. Another interesting piece of malware popped up on the other side of the spectrum, this time in the mobile realm. Fortinet reported on SymbOS/Yxes.A in February, a new mobile worm that propagates through SMS and malicious HTTP links. Read our advisory here for more details.
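The recap notes that the Waledac eCard campaign survived take-down for over a month by using fast flux across a variety of domains and sub-domains. The script below is an added example, not code from the report or from Fortinet, showing how a defender can surface that pattern in passive DNS or resolver logs: a domain whose answers rotate through many addresses in many different /24 prefixes at low TTL looks very different from an internal host (one stable address, long TTL) or from a legitimate CDN (low TTL but a single prefix). The log lines, domain names and thresholds are constructed for illustration; the addresses come from the documentation ranges.

```python
"""Flag domains whose DNS answers churn the way fast-flux hosting does.

Constructed sample records (not data from the report). Each line is
<timestamp> <query name> <answer IP> <TTL seconds>, the fields a resolver
or passive-DNS sensor typically logs for an A record answer.
"""
from collections import defaultdict
from typing import Dict, List

SAMPLE_LOG = """\
# constructed sample, documentation address ranges only
2009-02-10T08:00:01 valentine-card.example 203.0.113.10  300
2009-02-10T08:05:11 valentine-card.example 198.51.100.7  300
2009-02-10T08:10:22 valentine-card.example 192.0.2.55    300
2009-02-10T08:15:40 valentine-card.example 203.0.113.99  300
2009-02-10T08:20:03 valentine-card.example 198.51.100.120 300
2009-02-10T08:25:44 valentine-card.example 192.0.2.201   300
2009-02-10T08:00:05 intranet.example       10.0.0.5      86400
2009-02-10T09:00:05 intranet.example       10.0.0.5      86400
2009-02-10T08:02:00 cdn.example            203.0.113.20  60
2009-02-10T08:12:00 cdn.example            203.0.113.21  60
"""


def parse_log(text: str) -> List[dict]:
    """Turn the whitespace-separated log into records; skip blanks/comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, qname, ip, ttl = line.split()
        records.append({"ts": ts, "qname": qname.lower().rstrip("."),
                        "ip": ip, "ttl": int(ttl)})
    return records


def summarize(records: List[dict]) -> Dict[str, dict]:
    """Per domain: distinct answer IPs, distinct /24 prefixes, largest TTL seen."""
    summary: Dict[str, dict] = defaultdict(
        lambda: {"ips": set(), "prefixes": set(), "max_ttl": 0, "answers": 0})
    for r in records:
        s = summary[r["qname"]]
        s["ips"].add(r["ip"])
        # /24 prefix is a cheap stand-in for "different network"; an ASN
        # lookup would be stronger but needs external data.
        s["prefixes"].add(".".join(r["ip"].split(".")[:3]))
        s["max_ttl"] = max(s["max_ttl"], r["ttl"])
        s["answers"] += 1
    return dict(summary)


def flag_fast_flux(summary: Dict[str, dict], min_ips: int = 5,
                   min_prefixes: int = 3, max_ttl: int = 600) -> List[str]:
    """Return domains matching all three fast-flux indicators, sorted.

    Thresholds are illustrative assumptions; tune them to the observation
    window. Requiring many prefixes keeps ordinary low-TTL CDN names out.
    """
    flagged = []
    for qname, s in summary.items():
        if (len(s["ips"]) >= min_ips and len(s["prefixes"]) >= min_prefixes
                and s["max_ttl"] <= max_ttl):
            flagged.append(qname)
    return sorted(flagged)


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for qname in flag_fast_flux(summary):
        s = summary[qname]
        print(f"{qname}: {len(s['ips'])} IPs across {len(s['prefixes'])} /24s, "
              f"TTL <= {s['max_ttl']}s over {s['answers']} answers")
```

Run on the constructed sample, only valentine-card.example is reported; cdn.example has a TTL just as low but every answer sits in one prefix, which is why the check needs more than the TTL alone. A flagged name is a candidate for blocking in the web filter the report recommends, after review.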

Spam rates peaked around 55%, down a bit from last period but nowhere near the lows we saw in late 2008. This is now the second period in which spam rates have returned to the stable volumes of the past, certainly not a welcome fact as we battle the latest spam-spewing botnets. Figure 4b shows the USA as the heaviest spammed region, with Canada landing in 5th spot, accounting for 5.3% of global spam activity. Apart from Waledac's eCard spam campaign, scam emails riding on the economic crisis continue to roll in. Figure 5b shows an email offering to reduce credit card debt, and provides a link to a suspected phishing site (now inactive). This is certainly a tactic which has spread across the globe: Figure 5c, in German, features a subject line which translates in English to "Need a job?". The body of the email, also in German, offers a job position as a Finance Manager, whose duty is to process transactions of valued customers - mainly handling the transfer of funds. The email claims that they (the employer) will send details for these transfers, and that the salary of the position is $2,000 monthly, with a commission of 5% of the total value of each transfer. This is a classic money mule position, and certainly highlights the danger of victims falling prey to such schemes during a recessional climate; "as legitimate jobs are cut, illegitimate ones are created in this context," notes Derek Manky, Project Manager, Cyber Security & Threat Research for Fortinet.

Selected Web traffic remained mostly consistent with last period's figures, while all categories showed a negative growth rate for this period ending February 2009 (Figure 6b). This is the second period featuring such a reduction, following the busy holiday season in which these categories grew significantly in activity throughout November/December 2008. Not surprisingly, Phishing led the pack in terms of period over period growth for December 2008, when credit card numbers were sure to be flying around in high volume. Apart from the selected threats shown in Figures 6a/6b, it should be noted that a valid web filtering solution will also help block access to malicious sites controlled by campaigns such as Waledac's (Figure 5a).


Solutions



Customers who use Fortinet’s FortiGuard Subscription Services should already be protected against the threats outlined in this report. Threat activity is compiled by Fortinet's FortiGuard Global Security Research Team using data gathered from its intelligence systems and FortiGate™ multi-threat security appliances in production worldwide. FortiGuard Subscription Services offer comprehensive security solutions including antivirus, intrusion prevention, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products.