The following statistics are compiled from Fortinet's FortiGate network security appliances and intelligence systems for the period January 21st - February 20th, 2010.
Table of Contents:
- Exploits and Intrusion Prevention
- Malware Today
- Spam and Email Threats
- Crawling the Web
- Activity Recap
FortiGuard Labs
Exploits and Intrusion Prevention
Top 10 Attacks & Regions
The top 10 attack attempts detected for this period follow, ranked by the number of valid attack cases reported. Valid attack cases are defined as threats we have listed as a Threat Outbreak on our FortiGuard Center (RSS feed here). Percentage indicates the portion of activity for which the attack accounted out of the accumulated daily incidents reported during this period. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from medium to critical. Critical issues are outlined in bold. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the attack's debut in the Top 100. Figure 1a shows a daily record of attack cases reported for this period's Top 5 attacks. Figure 1b below shows the Top 5 regions attacked in comparison to total attack cases reported this period.
| Rank | Vulnerability | Percentage | Severity | Top 100 Shift |
|---|---|---|---|---|
| 1 | Gumblar.Botnet | 26.5 | Critical | - |
| 2 | MS.DCERPC.NETAPI32.Buffer.Overflow | 22.8 | Critical | - |
| 3 | MS.IE.Event.Invalid.Pointer.Memory.Corruption | 15.3 | Critical | +1 |
| 4 | Waledac.Botnet | 9.0 | Critical | -1 |
| 5 | Sun.Java.HsbParser.GetSoundBank.Stack.Buffer.Overflow | 8.0 | Critical | new |
| 6 | FTP.USER.Command.Overflow | 6.6 | High | +1 |
| 7 | AWStats.Rawlog.Plugin.Logfile.Parameter.Input.Validation | 6.0 | High | +3 |
| 8 | Apache.Expect.Header.XSS | 5.6 | Medium | - |
| 9 | MS.Content.Management.Server.Code.Execution | 4.7 | Critical | +3 |
| 10 | RoundCube.Webmail.Pregreplace.Code.Execution | 4.1 | High | +3 |

Figure 1a: Daily attack case activity for top 5 attacks

Figure 1b: Top 5 regions by number of attack cases
New Vulnerability Coverage
There were a total of 117 vulnerabilities added to FortiGuard IPS coverage this period.
Of these added vulnerabilities, 45 were reported to be actively exploited (38.5%).
Figure 1c breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.
For more information, observe the detailed reports for this period at:

Figure 1c: New vulnerability coverage for this edition, categorized by severity
Malware Today
Top 10 Variants
Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:
| Rank | Malware Variant | Percentage | Top 100 Shift |
|---|---|---|---|
| 1 | HTML/Goldun.AXT | 58.4 | new |
| 2 | W32/AutoRun.BBC!worm | 4.7 | +1 |
| 3 | W32/Bredolab.KTE!tr | 4.6 | new |
| 4 | JS/PackRedir.A!tr.dldr | 2.3 | - |
| 5 | W32/Sasfis.C!tr.dldr | 2.2 | new |
| 6 | HTML/Iframe.DN!tr.dldr | 2.1 | -1 |
| 7 | W32/Sasfis.DFN!tr | 1.4 | new |
| 8 | W32/PackAntiEm.A!tr | 1.3 | new |
| 9 | W32/Netsky!similar | 1.1 | -2 |
| 10 | JS/Feebs.A@mm | 1.1 | +13 |

Figure 2: Activity curve for top five malware variants
Regions & Volume
Top 5 regions for this period, ranked by distinct malware volume reported. Distinct malware volume indicates the number of unique virus names (variants) detected in the given region, as opposed to total malware volume, which indicates the accumulated number of all reported incidents. Total and distinct malware volume trends for the last six reporting periods are also given. Figures 3a-3c below show these statistics:

Figure 3a: Top 5 regions by distinct malware volume

Figure 3b: Six period trend for total malware volume

Figure 3c: Six period trend for distinct malware volume

For more information on daily activity per region, please visit our Virus World Map.
Spam and Email Threats
Spam Rate & Regions
The global spam rate is shown on a daily basis for this edition's given period. Spam rate is the share of total email traffic that has been tagged as spam. Top 5 spam regions are ranked by received spam in comparison to global spam volume. Statistics are graphed for business working days, and shown in Figures 4a-4b below:

Figure 4a: Spam rate compared to global email

Figure 4b: Top 5 spam regions by received spam
Top 3 In The Wild
The top three email threats observed for this period. Top emails have been filtered to highlight diverse campaigns by removing duplicates and unsolicited advertisements, which helps focus on scams and malicious intent. Figures 5a-c below illustrate the most popular message tactics used during recent spam campaigns:

Figure 5a: Spam campaign #1

Figure 5b: Spam campaign #2

Figure 5c: Spam campaign #3
Crawling The Web
Threat Traffic & Growth
The following list breaks down the percentage of activity blocked for selected Web categories throughout this period. Percentage indicates how much activity each category accounted for out of the four selected categories. Figure 6a uses a different scope, comparing only threat traffic: malware, spyware, and phishing. The percentage shown in Figure 6a below indicates how much activity each accounted for out of these three threat categories. Figure 6b highlights the growth (or reduction) of selected web threat activity when compared period over period:
| Web Threat Category | Percentage |
|---|---|
| Pornography | 63.6 |
| Malware | 30.6 |
| Spyware | 5.5 |
| Phishing | 0.3 |

Figure 6a: Threat traffic volume break-down

Figure 6b: Threat traffic growth by period
Activity Recap
There were many flavors of threats observed during this period, though most were overshadowed by a campaign that accounted for more than half of our total malware detection - in just two days. Figure 2 shows the massive spam run that we observed on February 8th and 9th, detected as HTML/Goldun.AXT, our number one threat in this report. Over these two days the daily detected volume for these malicious emails was very close to record levels. This spam campaign delivered a malware binary using the filename "report.zip" which, when executed, would download rogue antivirus software. In fact, this malware downloaded the ransomware "Security Tool" - an upgraded version of "Total Security," a scareware suite that ran rampant in 2009. Once executed, Security Tool will actually lock out applications and force the user into buying a cleansing tool that will restore the use of their computer. If this is not done, no applications, other than Internet Explorer (required to visit their payment portal), can be launched. One of our 2010 threat predictions was the rise of ransomware - it seems as though this has now become a harsh reality, given the flood of volume we witnessed with this one particular ransomware campaign. And this is just one example - we have seen Security Tool distributed through SEO attacks and beyond.
Figure 5a shows the email that was used for the HTML/Goldun.AXT campaign. It may look familiar, because we saw this campaign quite some time ago in late 2008, during the first large flood of scareware that hit cyberspace. Here is the example email outlined in our November 2008 Threat Landscape Report. At that time, the very same spam template was delivering the Goldun trojan; now, this spam is used to spread the FakeAV downloader that installs the Security Tool ransomware. This is a great example of how tried and true attack techniques / social engineering can be recycled into future attacks, and how layered security really helps mitigate against these variants. For example, spam detection in this case can help mitigate against old and current attacks being used with new virus binaries; as another layer, antivirus helps guard against the malicious binaries even if the spam campaigns change. In this report, we witnessed multiple, varying spam campaigns for Security Tool. Figures 5b and 5c show two of these. So, who is behind these attack campaigns? We know that the engine driving these record-breaking spam runs is none other than Cutwail (see our in-depth analysis here for more info on this spam botnet). Some of the more prevalent spam campaigns driven by Cutwail distribute scareware / ransomware; it is popular because of the high amounts of profit available to cyber criminals. We have seen Cutwail grow because it has proven to be effective and successful with its scareware campaigns. Cutwail will also spam out botnet binaries ("seeding campaigns") and other advertisements, which indicates Cutwail is likely hired out as a spamming service (Crime as a Service) for multiple cyber criminals. Thus, it is likely not just one individual and/or group behind these campaigns. With record levels and Cutwail operating in parallel with Webwail - its web spamming counterpart - there's no doubt we will see much more troublesome activity from this pair in the future.
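The layered-security point above (a spam-template layer that survives swapped binaries, and an antivirus layer that survives swapped lure text) is easy to see in a toy two-layer mail filter. The following is an added example written for this page, not Fortinet's code or any FortiGuard detection logic; the lure pattern, the "known-bad" hash, and the three sample messages are all constructed for the demo, and only the "report.zip" filename comes from the report.

```python
"""Toy two-layer mail filter: spam-template detection plus hash-based antivirus.
Added example, not Fortinet's code; every signature and message is constructed."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Mail:
    subject: str
    body: str
    attachments: Dict[str, bytes] = field(default_factory=dict)  # filename -> content


# Layer 1: spam template signatures. The pattern is hypothetical and targets the
# message tactic (lure wording plus an archive attachment), not the payload,
# so it still fires when a campaign ships a brand-new binary.
SPAM_LURES = [
    re.compile(r"\b(?:your|the) (?:report|statement|invoice) (?:is|has been) attached\b", re.I),
]
ARCHIVE_EXT = (".zip", ".rar")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Layer 2: antivirus by content hash. The entry is constructed for the demo and
# identifies the binary no matter which lure text carried it.
KNOWN_BAD_HASHES = {
    sha256(b"MZ\x90\x00constructed-sample-downloader-v1"): "W32/Sample.A!tr.dldr",
}


def spam_layer(mail: Mail) -> Optional[str]:
    """Flag a message whose wording matches a known lure and that carries an archive."""
    text = f"{mail.subject}\n{mail.body}"
    has_archive = any(name.lower().endswith(ARCHIVE_EXT) for name in mail.attachments)
    if has_archive and any(p.search(text) for p in SPAM_LURES):
        return "spam-template"
    return None


def av_layer(mail: Mail) -> Optional[str]:
    """Flag a message carrying an attachment whose hash is on the known-bad list."""
    for data in mail.attachments.values():
        name = KNOWN_BAD_HASHES.get(sha256(data))
        if name:
            return f"av:{name}"
    return None


def inspect(mail: Mail) -> List[str]:
    """Run both layers; a hit from either one is enough to block the message."""
    return [verdict for verdict in (spam_layer(mail), av_layer(mail)) if verdict]


# Constructed sample messages covering the two recycling cases from the report.
OLD_TEMPLATE_NEW_BINARY = Mail(  # familiar lure, unknown payload: spam layer catches it
    subject="Your report is attached",
    body="Please open the attached file.",
    attachments={"report.zip": b"MZ\x90\x00constructed-sample-downloader-v2-unknown"},
)
NEW_TEMPLATE_KNOWN_BINARY = Mail(  # unfamiliar lure, known payload: AV layer catches it
    subject="Photos from the party",
    body="See attached!",
    attachments={"photos.zip": b"MZ\x90\x00constructed-sample-downloader-v1"},
)
BENIGN = Mail(subject="Lunch?", body="Noon at the usual place.")

if __name__ == "__main__":
    for label, mail in [
        ("old template / new binary", OLD_TEMPLATE_NEW_BINARY),
        ("new template / known binary", NEW_TEMPLATE_KNOWN_BINARY),
        ("benign", BENIGN),
    ]:
        print(f"{label}: {inspect(mail) or ['clean']}")
```

Each sample message is caught by exactly one layer, which is the whole argument for keeping both: a filter built only on the lure text misses the second message, and a filter built only on binary hashes misses the first.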
Apart from ransomware, our malware top 10 this period was riddled with many other active threats including, in second place, the Buzus spam trojan, followed in respective order by the Bredolab, Gumblar and Sasfis botnets. This is further emphasized in our attack top ten list, with Gumblar.Botnet traffic taking position as our number one detected malicious network chatter. While these threats remain the main players, many individual botnets still thrive, such as Kneber - discussed here in our blog. Perhaps most interesting in our attack list is the addition of the fifth-ranked attack, Sun.Java.HsbParser.GetSoundBank.Stack.Buffer.Overflow (CVE-2009-3867), a vulnerability in Sun Java which can be triggered through a malicious Java Applet by visiting a malicious website. We have confirmed that the majority of these detections come from Metasploit setups, no doubt a favorite attack platform for a quick-and-easy campaign. Overall, active exploits for new vulnerabilities remained high this period, with 39% of newly covered vulnerabilities being attacked in the wild (Figure 1c). Apart from these, zero-days continue to be an issue: we saw the release of two out-of-band patches by Adobe (Feb 11 and Feb 16), as well as a breaking zero-day for Oracle. As we always remind, stay up to date with patches when they are released, while keeping mitigating solutions in place such as antivirus and intrusion prevention.
Solutions
Customers who use Fortinet’s FortiGuard Subscription Services should already be protected against the threats outlined in this report. Threat activity is compiled by Fortinet's FortiGuard Labs using data gathered from its intelligence systems and FortiGate™ multi-threat security appliances in production worldwide. FortiGuard Subscription Services offer comprehensive security solutions including antivirus, intrusion prevention, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products.