
Threat Landscape Report - January 2010 Edition

The following statistics are compiled from Fortinet's FortiGate network security appliances and intelligence systems for the period December 21st, 2009 - January 20th, 2010.

FortiGuard Labs

Exploits and Intrusion Prevention



Top 10 Attacks & Regions



The Top 10 attack attempts detected for this period follow, ranked by the number of valid attack cases reported. Valid attack cases consist only of threats we have listed as a Threat Outbreak on our FortiGuard Center (an RSS feed of these is available there). Percentage indicates the portion of activity for which the attack accounted out of the accumulated daily incidents reported during this period. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from medium to critical. Critical issues are outlined in bold. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the attack's debut in the Top 100. Figure 1a shows a daily record of attack cases reported for this period's Top 5 attacks. Figure 1b below shows the Top 5 regions attacked in comparison to total attack cases reported this period.

Rank | Vulnerability                                            | Percentage | Severity | Top 100 Shift
1    | Gumblar.Botnet                                           | 31.3       | Critical | new
2    | MS.DCERPC.NETAPI32.Buffer.Overflow                       | 24.3       | Critical | -1
3    | Waledac.Botnet                                           | 7.6        | Critical | -1
4    | MS.IE.Event.Invalid.Pointer.Memory.Corruption            | 7.4        | Critical | new
5    | Adobe.Products.SWF.Remote.Code.Execution                 | 6.9        | Critical | +6
6    | MS.IE7.Deleted.DOM.Object.Access.Memory.Corruption       | 6.5        | Critical | -
7    | FTP.USER.Command.Overflow                                | 6.1        | High     | -3
8    | Apache.Expect.Header.XSS                                 | 6.0        | Medium   | -
9    | Adobe.Reader.Printf.Buffer.Overflow                      | 5.8        | Critical | +10
10   | AWStats.Rawlog.Plugin.Logfile.Parameter.Input.Validation | 5.8        | High     | -7



Figure 1a: Daily attack case activity for top 5 attacks

Figure 1b: Top 5 regions by number of attack cases


New Vulnerability Coverage



There were a total of 150 vulnerabilities added to FortiGuard IPS coverage this period.
Of these added vulnerabilities, 34 were reported to be actively exploited (22.7%).

Figure 1c breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

For more information, see the detailed reports for this period at:

Figure 1c: New vulnerability coverage for this edition, categorized by severity

Malware Today

Top 10 Variants



Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

Rank | Malware Variant          | Percentage | Top 100 Shift
1    | W32/PackBredolab.C!tr    | 25.8       | -
2    | W32/PackBredolab.D!tr    | 14.7       | new
3    | W32/AutoRun.BBC!worm     | 12.7       | new
4    | JS/PackRedir.A!tr.dldr   | 3.4        | -2
5    | HTML/Iframe.DN!tr.dldr   | 3.3        | -1
6    | W32/Buzus.CVCZ!tr        | 2.1        | new
7    | W32/Netsky!similar       | 1.6        | -1
8    | HTML/Iframe_CID!exploit  | 1.5        | -1
9    | W32/Bredo.A              | 1.2        | +21
10   | W32/Mydoom.N@mm          | 1.1        | +1

Figure 2: Activity curve for top five malware variants


Regions & Volume



Top 5 regions for this period, ranked by distinct malware volume reported. Distinct malware volume is the number of unique virus names (variants) detected in the given region, as opposed to total malware volume, which is the accumulated count of all reported incidents. Total and distinct malware volume trends for the last six reporting periods are also given. Figures 3a-3c below show these statistics:


Figure 3a: Top 5 regions by distinct malware volume

Figure 3b: Six period trend for total malware volume

Figure 3c: Six period trend for distinct malware volume

For more information on daily activity per region, please visit our Virus World Map.


Spam and Email Threats

Spam Rate & Regions



The global spam rate is shown on a daily basis for this edition's period. Spam rate is the accumulated volume of emails tagged as spam, compared to total email traffic. The Top 5 spam regions are ranked by received spam as a share of global spam volume. Statistics are graphed for business working days and shown in Figures 4a-4b below:


Figure 4a: Spam rate compared to global email

Figure 4b: Top 5 spam regions by received spam


Top 3 In The Wild



Top three email threats observed for this period. Top e-mails have been filtered to highlight diverse campaigns by removing duplicates and unsolicited advertisements. This helps focus on scams and malicious intent; the resulting list is ranked by

Figures 5a-c below illustrate the most popular message tactics used during recent spam campaigns:


Figure 5a: Spam campaign #1

Figure 5b: Spam campaign #2

Figure 5c: Spam campaign #3



Crawling The Web



Threat Traffic & Growth



The following list breaks down the percentage of activity blocked for selected Web categories throughout this period. Percentage indicates how much activity was accounted for out of the four selected categories. Figure 6a shows a different scope, comparing only threat traffic: malware, spyware, and phishing. The percentage shown in Figure 6a below indicates how much activity was accounted for out of these three threat categories. Figure 6b highlights the growth (or reduction) of selected web threat activity when compared period over period:

Web Threat Category | Percentage
Pornography         | 63.2
Malware             | 29.3
Spyware             | 7.2
Phishing            | 0.3



Figure 6a: Threat traffic volume break-down

Figure 6b: Threat traffic growth by period



Activity Recap



There was no shortage of threat news this month, most notably with the highly publicized attacks - codenamed "Aurora" - on select corporations, including Google. The official CVE identifier for this attack was CVE-2010-0249, with Fortinet's detection being "MS.IE.Event.Invalid.Pointer.Memory.Corruption." For more information, please see our advisory and blog post. Details on these attacks through a zero-day Internet Explorer flaw came out in mid-to-late January. In just a couple of days, this detection rocketed into fourth place on our top ten attack listing for the entire month - in close company with Waledac and Gumblar/Bredolab C&C detections. Gumblar, which has often been observed to drop the Bredolab loader, typically starts an infection through malicious websites hosting obfuscated JavaScript code. MS08-067 exploit traffic (used by Conficker) remains in second position, meaning our top three attack detections are related to botnet propagation and C&C traffic. Our top six detected attacks are rated as 'Critical,' a rating typically associated with remote code execution. On top of this, another Adobe Reader PDF exploit (Adobe.Reader.Printf.Buffer.Overflow) climbed into our top ten listing. There are many PDF exploits active in the wild, most of which use malicious JavaScript code. Adobe software, like Microsoft's, is a popular target for attackers - so it is important to stay up to date with the latest bulletins (see Fortinet's from January 19th, 2010). There is a great deal of malicious network traffic out there, so this should be yet another (constant) reminder to keep your patches up to date and to monitor and guard against malicious traffic with a valid IPS solution.

Detected malware volume this period returned to levels seen before October 2009, when a large surge of scareware hit cyberspace - no doubt fueled by other prominent threats such as Bredolab. While activity levels have dropped, Bredolab continued its reign this period with variants in the top two spots - together accounting for more than 40% of total detected malware volume. As can be seen in Figure 2, this activity continued to happen in large spikes, generally lasting just one day, as Bredolab seeded. Even worse, Bredolab is gearing up with a new web mailing engine that will allow it to spam through accounts such as Hotmail and Gmail. This will allow an already established threat to seed (distribute itself and other malicious bits) even more effectively. Distinct malware volume doubled from the last report after holding a steady but slowly increasing trend for the past year (Figure 3c). We detected more unique pieces of malicious code this period than ever before, most dominantly in the USA (Figure 3a). Though the U.S. had significantly more unique attacks, Japan was number one this period when it came to pure detected volume -- most notably with Bredolab. Threats such as Zeus/ZBot are distributed as kits, easily recycled into new code and attacks - which contributes to a rise in the number of unique pieces of malicious code and attacks in cyberspace. This will likely continue to increase, as the trend has held true for well over a year.

New to the malware top ten this report was Buzus, offering some competition to Bredolab. Buzus had two variants present in our listing, in sixth and third position (the latter detected as W32/AutoRun.BBC!worm). Unlike Bredolab, which seeds on demand in campaigns, Buzus spreads in mass-mail fashion through its own SMTP engine -- as demonstrated by a continuous wave of activity in Figure 2. We saw Buzus seeding through a purported Christmas greeting card from 123greetings.com, attached as a zip file typically over 300 KB (Figure 5a). Buzus isn't brand new; it has been around since 2008. In 2009, we observed it being downloaded through a bot via IRC commands. However, its appearance in our top ten indicates it has been busy over the years as it builds towards success.

Apart from Buzus spam, we noticed two other interesting campaigns. One came in the form of a simple message with a link, always with the subject "It's you?" (Figure 5b). This spam run began on December 1st and continues as of writing. The links changed frequently, each leading to a site that redirected the browser to a second domain - most of which were under the ".cn" top-level domain. Some of the first domains also included obfuscated JavaScript code - another popular tactic used by a frequent visitor to our top ten: "JS/PackRedir.A!tr.dldr." The first domains included in the spam emails were mostly those of free web hosting service providers. Here is a list of the ones we observed to be used:

  • by.ru
  • zelnet.ru
  • unl.pl
  • evonet.ro
  • h12.ru
  • com.ru
  • 50webs.com
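As an added example (not code from Fortinet's report or products), the following Python script shows how a mail gateway filter could flag messages from the "It's you?" run using the two indicators the report gives: the constant subject line and a first-hop link under one of the free hosting providers listed above. The sample messages and the hostnames under those providers are constructed for the example; the provider list reflects this report's period and would need maintaining.

```python
import re
from urllib.parse import urlparse

# Free web-hosting providers the report lists as the first hop of the
# "It's you?" campaign. A host equal to one of these, or a subdomain of
# one, counts as a match.
FIRST_HOP_HOSTS = ("by.ru", "zelnet.ru", "unl.pl", "evonet.ro",
                   "h12.ru", "com.ru", "50webs.com")
CAMPAIGN_SUBJECT = "it's you?"   # subject line used by every message in the run
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_matches(host, suffixes):
    """True if host equals one of the suffixes or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def link_hosts(body):
    """Return the hostname of every http(s) URL found in a message body."""
    hosts = []
    for url in URL_RE.findall(body):
        parsed = urlparse(url.rstrip(".,;)"))   # drop trailing punctuation
        if parsed.hostname:
            hosts.append(parsed.hostname)      # urlparse lowercases hostnames
    return hosts


def classify(subject, body):
    """Score one message against the two indicators from the report.

    verdict is 'campaign' when the subject matches AND a link points at a
    listed host, 'suspicious' when only one indicator matches, else 'clean'.
    """
    subject_hit = subject.strip().lower() == CAMPAIGN_SUBJECT
    host_hits = [h for h in link_hosts(body) if host_matches(h, FIRST_HOP_HOSTS)]
    if subject_hit and host_hits:
        verdict = "campaign"
    elif subject_hit or host_hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"subject_hit": subject_hit, "host_hits": host_hits, "verdict": verdict}


# Constructed sample messages (not real captures); the hostnames under the
# listed providers are placeholders.
SAMPLE_MESSAGES = [
    {"id": 1, "subject": "It's you?",   "body": "look http://photo-album.by.ru/see.html"},
    {"id": 2, "subject": "Re: meeting", "body": "Slides: https://intranet.example.com/deck.pdf"},
    {"id": 3, "subject": "it's you?",   "body": "check this http://pics.example.net/1.htm"},
    {"id": 4, "subject": "Weekend",     "body": "my page http://Me.50WEBS.COM/index.html."},
]


def scan(messages):
    """Classify every message; returns {message id: verdict}."""
    return {m["id"]: classify(m["subject"], m["body"])["verdict"] for m in messages}


if __name__ == "__main__":
    for msg_id, verdict in scan(SAMPLE_MESSAGES).items():
        print(msg_id, verdict)
```

The subject check alone is weak (legitimate mail can share it), and the hosting providers are shared with many legitimate users, so the script treats either indicator on its own as only "suspicious"; a production filter would combine this with the redirect-chain and JavaScript observations the report describes rather than block on the domain list alone.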

The other spam run (Figure 5c) used a different social engineering tactic. The email, a series of conversations about gambling techniques, appears to have accidentally landed in the user's inbox. The conversation talks of an algorithm to win quick cash through online gambling -- the social engineering tactic here is to trick users into thinking they stumbled upon this "secret" email, enticing them to follow the link and start gambling to win cash. The website pushes an executable we detect as "Misc/CasOnline."


Solutions



Customers who use Fortinet’s FortiGuard Subscription Services should already be protected against the threats outlined in this report. Threat activity is compiled by Fortinet's FortiGuard Labs using data gathered from its intelligence systems and FortiGate™ multi-threat security appliances in production worldwide. FortiGuard Subscription Services offer comprehensive security solutions including antivirus, intrusion prevention, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products.