Prevalence Report

Threat Landscape Report - January 2009 Edition

The following statistics are compiled from Fortinet's FortiGate network security appliances and intelligence systems for the period December 21st, 2008 - January 20th, 2009.

Exploits and Intrusion Prevention

Top 10 Exploitations

Top 10 exploitation attempts detected for this period, ranked by vulnerability traffic. Percentage indicates the portion of activity the vulnerability accounted for out of all attacks reported in this edition. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from low to critical. Critical issues are outlined in bold:

Rank	Vulnerability	Percentage	Severity
1	Trojan.Storm.Worm.Krackin.Detection	44.1	High
2	Danmec.Asprox.SQL.Injection	5.3	High
3	MS.SQL.Server.Insert.Statements.Privilege.Elevation	3.8	High
4	MS.Network.Share.Provider.Unchecked.Buffer.DoS	3.6	High
5	MS.IIS.Web.Application.SourceCode.Disclosure	2.9	Medium
6	TCP.PORT0	2.7	Low
7	SSLv3.SessionID.Overflow	2.4	High
8	HTTP.Server.Localhost.Request.Source.Code.Disclosure	1.5	High
9	MS.DCERPC.NETAPI32.Buffer.Overflow	1.3	Critical
10	MS.SMB.DCERPC.SRVSVC.PathCanonicalize.Overflow	1.0	High

New Vulnerability Coverage

There were a total of 43 vulnerabilities added to FortiGuard IPS coverage this period.
Of these added vulnerabilities, 13 were reported to be actively exploited (30.2%).

Figure 1 breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

For more information, observe the detailed reports for this period at:

Intrusion Prevention - Service Update History

Figure 1: New vulnerability coverage for this edition, categorized by severity

Malware Today

Top 10 Variants

Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

Rank	Malware Variant	Percentage	Top 100 Shift
1	Spy/OnLineGames	8.8	+2
2	W32/Netsky!similar	8.2	-
3	W32/Virut.A	7.4	+3
4	HTML/Iframe.DN!tr.dldr	7.1	+1
5	HTML/Iframe_CID!exploit	6.9	-1
6	W32/Dropper.VEM!tr	5.4	+94
7	W32/MyTob.BH.fam@mm	3.7	+3
8	W32/Small.AACQ!tr.dldr	2.6	-1
9	W32/MyTob.AQ@mm	2.1	+6
10	W32/Basine.C!tr.dldr	1.9	-2

Figure 2: Activity curve for top five malware variants

Regions & Volume

Top 5 regions for this period, ranked by distinct malware volume reported. Distinct malware volume indicates the amount of unique virus names (variants) that has been detected in the given regions, as opposed to total malware volume, which indicates the accumulated amount of all reported incidents. Six month trends are also given up to the last calendar day of the most recently completed month. Figures 3a-3c below show these statistics:

Figure 3a: Top 5 regions by distinct malware volume

Figure 3b: Six month trend for total malware volume

Figure 3c: Six month trend for unique malware volume

For more information on daily activity per region, please visit our Virus World Map.

Spam and Email Threats

Spam Rate

The global spam rate is shown on a daily basis for this edition's given period. Spam rate indicates the accumulated emails which have been tagged as spam, in comparison to total email traffic. Statistics are graphed for business working days, and shown in Figure 4 below:

Figure 4: Spam rate compared to global email

Top 3 In The Wild

Top three email threats observed for this period. Top e-mails have been filtered to highlight diverse campaigns by removing duplicates and unsolicited advertisements. This helps focus on scams and malicious intent; the resulting list is ranked by Figures 5a-c below illustrate the most popular message tactics used during recent spam campaigns:

Figure 5a: Spam campaign #1

Figure 5b: Spam campaign #2

Figure 5c: Spam campaign #3

Crawling The Web

Web Traffic

The following list breaks down the percentage of activity blocked for selected Web categories throughout this period. Percentage indicates how much activity was accounted for out of the four selected categories. Figure 6 shows a different scope, comparing only threat traffic: Malware, spyware, and phishing. The percentage shown in Figure 6 below indicates how much activity was accounted for out of these three threat categories.

FortiGuard Category	Percentage
Pornography	68.3
Malware	19.3
Spyware	8.6
Phishing	3.8

Figure 6: Threat traffic volume break-down

Activity Recap

Last period we saw a large increase in activity for online gaming trojans with Spy/OnLineGames - it had jumped over 75 positions in our antivirus Top 100. This period, frequent activity continued to be recorded as Spy/OnLineGames claimed first place with 8.8% of detected malware activity. Not to be alone, this online gaming trojan detection was accompanied by a friend this period: W32/Dropper.VEM!tr. W32/Dropper.VEM, yet another online gaming trojan, achieved a similar performance that Spy/OnLineGames did last period, jumping 94 spots in the ranks to land in sixth position. While online gaming trojans have been generating waves of activity since early 2008, recent activity has increased notably - further solidifying our 2009 forecasts of malicious activity in this area. Total malware volume for December 2008 deflated to July 2008 levels, marking the end of a six month wave of activity spearheaded by rogue security spyware mainly in September 2008.

This does not mean we are out of the water; as an example, a relatively new botnet is making headlines, known as Waledac. Figure 5a shows one email campaign that was used in connection with this malware. The social engineering aspect of the campaign was focused on Barack Obama, and was very simple. It supplied a link to a url (that included Obama's name) which, when visited, appeared to be the official Barack Obama campaign site. Obviously, it was not - this was purely part of the social engineering hook. The mail body (see Figure 5a) contained various blocks of small text followed by a link, such as "Obama is not ready to be a president", and "Barack Obama has gone". The email subjects also varied widely, some of them included "What is going on with our Country?", "It is unbelievable!", and "Have you heard these news?". The linked site hosted an executable, that when downloaded, turned out to be a variant of Waledac (detected by Fortinet as W32/MalPackKrypt.A!tr). This should be yet another reminder that, while the campaigns and social engineering twists are very dynamic, core protection against this remains the same: proper webfiltering, antivirus, intrusion prevention and antispam will go a long way thwarting such an attack.

Spam rates have clawed their way back to levels consistent before the November 2008 McColo ISP takedown, which temporarily reduced global spam rates. Other notable emails this period (Figures 5b/5c) included diploma schemes that go hand-in-hand with the economic crisis (note Figure 5b's "New salary structure" subject). While there are some legitimate diploma / education services available online, quite often these schemes lead to the same result: a diploma which bears (false) credentials that will be inevitably disregarded.

Exploitation of the MS08-067 security bulletin (detected by Fortinet IPS as "MS.DCERPC.NETAPI32.Buffer.Overflow") surged towards the end of December 2008 and continued throughout January 2009, landing in ninth position in this period's Top 10 Exploitations list. For more information, please see the official FortiGuard advisory. The highest recorded exploit activity for this vulnerability was on January 14th, 2009. The FortiGuard Global Security Research Team is monitoring this activity closely. While malicious activity remains high for this vulnerability, adequate security measures such as patch management and having a valid IPS solution in place is recommended. The number of active exploits for new vulnerabilities rose to 30.2 percent this period, up from 26.2 percent last period.

Solutions

Customers who use Fortinet’s FortiGuard Subscription Services should already be protected against the threats outlined in this report. Threat activity is compiled by Fortinet's FortiGuard Global Security Research Team using data gathered from its intelligence systems and FortiGate™ multi-threat security appliances in production worldwide. FortiGuard Subscription Services offer comprehensive security solutions including antivirus, intrusion prevention, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products.