Threatscape Report - March 2009 Edition

The following statistics are compiled from Fortinet's FortiGate network security appliances and intelligence systems for the period February 21st - March 20th, 2009.

Exploits and Intrusion Prevention

Top 10 Exploitations & Regions

Top 10 exploitation attempts detected for this period, ranked by vulnerability traffic. Percentage indicates the portion of activity the vulnerability accounted for out of all attacks reported in this edition. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from low to critical. Critical issues are outlined in bold:

Rank	Vulnerability	Percentage	Severity
1	Trojan.Storm.Worm.Krackin.Detection	62.6	High
2	SSLv3.SessionID.Overflow	3.1	High
3	Oracle.sys.pbsde.init.Buffer.Overflow	2.2	Medium
4	MS.DCERPC.NETAPI32.Buffer.Overflow	2.0	Critical
5	MS.IIS.Web.Application.SourceCode.Disclosure	2.0	Medium
6	MS.Exchange.Mail.Calender.Buffer.Overflow	1.6	High
7	MS.IE.HTML.Attribute.Buffer.Overflow	1.3	High
8	MS.SMB.DCERPC.SRVSVC.PathCanonicalize.Overflow	1.3	High
9	MS.Windows.NAT.Helper.DNS.Query.DoS	1.0	High
10	MS.CMM.ICC.Profile.Buffer.Overflow	0.8	High

Figure 1a: Top 5 regions by detected exploit attempts

New Vulnerability Coverage

There were a total of 85 vulnerabilities added to FortiGuard IPS coverage this period.
Of these added vulnerabilities, 14 were reported to be actively exploited (16.5%).

Figure 1b breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

For more information, observe the detailed reports for this period at:

Intrusion Prevention - Service Update History

Figure 1b: New vulnerability coverage for this edition, categorized by severity

Malware Today

Top 10 Variants

Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

Rank	Malware Variant	Percentage	Top 100 Shift
1	W32/Virut.A	9.2	+1
2	W32/Netsky!similar	8.3	-1
3	HTML/Iframe.DN!tr.dldr	7.9	+1
4	HTML/Iframe_CID!exploit	7.5	-1
5	Spy/OnLineGames	6.6	-
6	W32/MyTob.FR@mm	3.1	+7
7	W32/MyTob.fam@mm	2.6	-1
8	W32/Delf.AYO!tr	2.5	+8
9	Adware/Bdsearch	1.9	+10
10	W32/Basine.C!tr.dldr	1.6	-1

Figure 2: Activity curve for top five malware variants

Regions & Volume

Top 5 regions for this period, ranked by distinct malware volume reported. Distinct malware volume indicates the amount of unique virus names (variants) that has been detected in the given regions, as opposed to total malware volume, which indicates the accumulated amount of all reported incidents. Total and unique malware volume trends for the last six reporting periods are also given. Figures 3a-3c below show these statistics:

Figure 3a: Top 5 regions by distinct malware volume

Figure 3b: Six period trend for total malware volume

Figure 3c: Six period trend for unique malware volume

For more information on daily activity per region, please visit our Virus World Map.

Spam and Email Threats

Spam Rate & Regions

The global spam rate is shown on a daily basis for this edition's given period. Spam rate indicates the accumulated emails which have been tagged as spam, in comparison to total email traffic. Top 5 spam regions are ranked by received spam in comparison to global spam volume. Statistics are graphed for business working days, and shown in Figures 4a-4b below:

Figure 4a: Spam rate compared to global email

Figure 4b: Top 5 spam regions by received spam

Top 3 In The Wild

Top three email threats observed for this period. Top e-mails have been filtered to highlight diverse campaigns by removing duplicates and unsolicited advertisements. This helps focus on scams and malicious intent; the resulting list is ranked by Figures 5a-c below illustrate the most popular message tactics used during recent spam campaigns:

Figure 5a: Spam campaign #1

Figure 5b: Spam campaign #2

Figure 5c: Spam campaign #3

Crawling The Web

Web Traffic & Growth

The following list breaks down the percentage of activity blocked for selected Web categories throughout this period. Percentage indicates how much activity was accounted for out of the four selected categories. Figure 6a shows a different scope, comparing only threat traffic: Malware, spyware, and phishing. The percentage shown in Figure 6a below indicates how much activity was accounted for out of these three threat categories. Figure 6b highlights the growth (or reduction) of selected web threat activity when compared period over period:

FortiGuard Category	Percentage
Pornography	65.2
Malware	24.4
Spyware	8.7
Phishing	1.7

Figure 6a: Threat traffic volume break-down

Figure 6b: Threat traffic growth by period

Activity Recap

For the third straight period, no new malware variants have gone on breakout runs to land in our top ten position. The most significant increases in activity were with W32/MyTob.FR, W32/Delf.AYO and Adware/Bdsearch. However, the most notable variant is the one reigning in pole position: W32/Virut.A. Virut.A has consistently been in our top ten, frequently in our top five, for one year solid now. This edition, it has taken over Netsky and finally landed in our top spot; the first time any Virut variant has managed to do so, observed Derek Manky, Project Manager, Cyber Security & Threat Research for Fortinet. Indeed, a possible contributor to Virut's achievement may be its hybrid nature - for further details, read here. W32/Basine.C has now appeared in our malware listing for four consecutive months, nearly five as it ranked a formidable 11th position in November, 2008. This trojan downloader appears to be very similar to W32/Delf.AYO; they both open up a file filled with random garbage called 'Message' with notepad, a notable characteristic of the MyDoom family. While these two variants appear to have different behaviour, it is another example of how modern malware / blended threats are built on existing infrastructure: MyDoom source code has been available for some time, and certainly has been recompiled into other malicious code. Of course, there are plenty of other examples: tools, such as exploit kits, are often sold as resource packs to would-be-hackers. Both Basine.C and Delf.AYO were observed to be propagated through the same e-mail campaign, as seen in Figure 5c in the left-most window. They arrive purporting to be an e-Card through a file attachment named "postcard.zip".

The other mail shown in the right-most window of Figure 5c highlights yet another example of infrastructure use. As you can see, both mails are very similar as they both leverage a legitimate name (Hallmark) to enhance their social engineering attack. While Basine/Delf were actually attached to the first mail, the second mail uses a different approach through links pointing to an executable on a compromised server, also disguised as an e-Card. The second mail campaign was distributing variants of the Zapchast family. These campaigns were likely pushed out through the same botnet, or at the very least used the same base template for their spam. Basine.C/Delf.AYO were visible on execution through the notepad message, while this postcard campaign with Zapchast was visible through an image popping up of Mt. Rainier (seen also in the bottom right of Figure 5c - a famous landmark in Washington state, USA). Other notable spam campaigns this period include Figure 5a, serving up an attached ZBot trojan disguised as an e-Ticket from Delta Airlines. Figure 5b shows an increasing trend: Location Based Services. While this is a general term that is making its way into the mobile market, localized attack strategies have certainly been on the rise. Typically this is done through geoIP services, for example, malware may exhibit different behavior based off what region it is in - variants of Conficker download geoIP information. Figure 5b is in fact linked to the Canadian Pharmacy gang, targeted to Japanese viewers, providing the usual link to one of its entities through a large pool of domains / IP's. The second example of such a localized attack came from Waledac this period, as spam was customized for the recipients. The email campaign from Waledac featured a link to sites with fake Reuters headlines, citing explosions in certain regions, those regions being close in proximity to the recipient. Of course those sites were also hosting Waledac variants for download. This method certainly helps achieve a higher level of social engineering. Always be aware of what links you will follow when you click, especially with such unsolicited mail.

Conficker activity remains strong, with the MS08-067 exploit leveraged by Conficker maintaining its 4th place rank in our Top 10 exploitation list this period. A new Conficker variant has surfaced, detected by Fortinet as W32/Conficker.C!worm. Notable changes include the domain generation algorithm, which has been expanded to generate 50,000 domains from which 500 are queried on a less frequent basis. A new time bomb has been included: April 1st, 2009. Once this time bomb hits, Conficker will start actively querying the aforementioned domains. On top of attempting to kill security processes, it also blocks web traffic to certain domains, including Fortinet. Additionally, it will block security updates such as Windows updater - effectively killing a good portion of patch management practices. Thus, it is a stark reminder to employ an aggressive patch management strategy on top of a valid, layered security solution to mitigate such malware. We are continuing to monitor this threat. Another noticeable exploit that surfaced in our Top 10 exploit list this period sits in third position: a buffer overflow with Oracle. This exploit hints at SQL injection attacks, another indication that such attacks continue to be quite prevalent.

China moved into 5th spot in terms of regional exploit activity (Figure 1a), while Taiwan did the same in terms of regional malware activity (Figure 3a). Web threat traffic saw an increase with malware, up to 24.4% this period from 20.8% last period. Finally, global spam rates dropped slightly yet remain at a consistent level - this is nothing to cheer about. While rates may not be in excess, the sophistication and danger of spam continues to climb; localized attacks are an example of this.

Solutions

Customers who use Fortinet’s FortiGuard Subscription Services should already be protected against the threats outlined in this report. Threat activity is compiled by Fortinet's FortiGuard Global Security Research Team using data gathered from its intelligence systems and FortiGate™ multi-threat security appliances in production worldwide. FortiGuard Subscription Services offer comprehensive security solutions including antivirus, intrusion prevention, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products.