
Threat Landscape Report - May 2010 Edition

The following statistics are compiled from Fortinet's FortiGate network security appliances and intelligence systems for the period April 21st - May 20th, 2010.


FortiGuard Labs

Exploits and Intrusion Prevention



Top 10 Attacks & Regions



The top 10 attack attempts detected for this period follow, ranked by the number of valid attack cases reported. Valid attack cases are defined as threats we have listed as a Threat Outbreak on our FortiGuard Center (also published as an RSS feed). Percentage indicates the portion of activity the attack accounted for out of the accumulated daily incidents reported during this period. Severity indicates the general risk factor involved in exploiting the vulnerability, rated from medium to critical. Top 100 shift indicates the positional change compared to last edition's Top 100 ranking, with "new" marking the attack's debut in the Top 100 and "-" meaning no change. Figure 1a shows a daily record of attack cases reported for this period's Top 5 attacks. Figure 1b shows the Top 5 regions attacked in comparison to total attack cases reported this period.

Rank | Vulnerability                                      | Percentage | Severity | Top 100 Shift
-----|----------------------------------------------------|------------|----------|--------------
1    | Java.Deployment.Toolkit.Launch.Method.Access       | 62.5       | Critical | new
2    | MS.IE.Userdata.Behavior.Code.Execution             | 16.3       | Critical | -
3    | MS.DCERPC.NETAPI32.Buffer.Overflow                 | 12.5       | Critical | -
4    | Gumblar.Botnet                                     | 11.8       | Critical | -3
5    | Sasfis.Botnet                                      | 4.2        | High     | -1
6    | AWStats.Rawlog.Plugin.Logfile.Parameter.Input.Validation | 3.6  | High     | -
7    | Apache.Expect.Header.XSS                           | 3.6        | Medium   | -
8    | FTP.USER.Command.Overflow                          | 3.5        | High     | -3
9    | SMTP.Auth.Buffer.Overflow                          | 3.2        | Critical | -1
10   | MS.Content.Management.Server.Code.Execution        | 1.8        | Critical | -1



Figure 1a: Daily attack case activity for top 5 attacks

Figure 1b: Top 5 regions by number of attack cases


New Vulnerability Coverage



There were a total of 102 vulnerabilities added to FortiGuard IPS coverage this period.
Of these added vulnerabilities, 33 were reported to be actively exploited (32.4%).

Figure 1c breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

For more information, see the detailed reports for this period at:

Figure 1c: New vulnerability coverage for this edition, categorized by severity

Malware Today

Top 10 Variants



Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

Rank | Malware Variant             | Percentage | Top 100 Shift
-----|-----------------------------|------------|--------------
1    | W32/Pushdo.RD!tr.dldr       | 12.6       | new
2    | PDF/Pidief.BV!exploit       | 9.9        | new
3    | HTML/Iframe.DN!tr.dldr      | 7.7        | +1
4    | W32/Fakealert.TUI!tr        | 5.3        | -2
5    | W32/AutoRun.BBC!worm        | 4.7        | +1
6    | W32/CMultiLoader.A!tr.dldr  | 4.7        | new
7    | JS/PackRedir.A!tr.dldr      | 4.1        | +40
8    | W32/FakeAV.LKM!tr           | 3.4        | new
9    | W32/Sasfis.6C84!tr          | 2.6        | new
10   | W32/Virut.A                 | 1.9        | +2

Figure 2: Activity curve for top five malware variants


Regions & Volume



Top 5 regions for this period, ranked by distinct malware volume reported. Distinct malware volume is the number of unique virus names (variants) detected in the given region, as opposed to total malware volume, which is the accumulated count of all reported incidents. Total and distinct malware volume trends for the last six reporting periods are also given. Figures 3a-3c below show these statistics:


Figure 3a: Top 5 regions by distinct malware volume

Figure 3b: Six period trend for total malware volume

Figure 3c: Six period trend for distinct malware volume

For more information on daily activity per region, please visit our Virus World Map.


Spam and Email Threats

Spam Rate & Regions



The global spam rate is shown on a daily basis for this edition's period. Spam rate is the share of total email traffic that was tagged as spam. The Top 5 spam regions are ranked by received spam as a share of global spam volume. Statistics are graphed for business working days and shown in Figures 4a-4b below:


Figure 4a: Spam rate compared to global email

Figure 4b: Top 5 spam regions by received spam


Top 3 In The Wild



Top three email threats observed for this period. Top e-mails have been filtered to highlight diverse campaigns by removing duplicates and unsolicited advertisements, which keeps the focus on scams and malicious intent. Figures 5a-c below illustrate the most popular message tactics used during recent spam campaigns:


Figure 5a: Spam campaign #1

Figure 5b: Spam campaign #2

Figure 5c: Spam campaign #3



Crawling The Web



Threat Traffic & Growth



The following table breaks down the percentage of activity blocked for selected Web categories throughout this period. Percentage indicates how much activity each category accounted for out of the four selected categories. Figure 6a takes a narrower scope, comparing only threat traffic (malware, spyware and phishing); the percentage shown there indicates how much activity each accounted for out of these three threat categories. Figure 6b highlights the growth (or reduction) of selected web threat activity compared period over period:

Web Threat Category | Percentage
--------------------|-----------
Pornography         | 61.1
Malware             | 29.5
Spyware             | 5.3
Phishing            | 4.1



Figure 6a: Threat traffic volume break-down

Figure 6b: Threat traffic growth by period



Activity Recap



Over the past year we have frequently discussed the rise of PDF-based attacks: exploits that target software vulnerabilities and drop malware when a malicious document is read. Such documents are favored in targeted attacks, since documents go hand-in-hand with social engineering. In late April 2010, however, we saw a new PDF exploit circulated in high volume through an ongoing spam campaign. The vulnerability, first blogged about by Didier Stevens on March 29, 2010, is CVE-2010-1240, and the malicious documents exploiting it are detected by Fortinet as PDF/Pidief.BV!exploit. At the time of writing no patch exists, but Adobe has recommended mitigation on its blog (disabling "Allow opening of non-PDF file attachments with external applications" under Edit > Preferences > Trust Manager in Adobe Reader). On top of this, we recommend layered controls such as intrusion prevention and antivirus. Figure 2 shows attack activity for PDF/Pidief.BV, which ranked #2 for overall malware activity this report. This attack is somewhat unusual among PDF attacks in that it is not a memory-corruption exploit: it abuses the PDF /Launch action, which Reader supports by design, and it requires user interaction (the reader must click the "Open" button when prompted by a dialog box). Unfortunately, users tend to be click-happy with such dialog boxes; read such messages carefully when they appear. In the case of PDF/Pidief.BV, clicking Open first executes some VBScript and then drops a malicious botnet loader binary, compromising the system. For detailed information on this specific PDF attack, see our FortiGuard virus encyclopedia entry.
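As an added example (not code from this report or from Fortinet), the following Python scanner flags the /Launch action that PDF/Pidief.BV relies on. It decodes PDF name hex escapes and inflates FlateDecode streams before matching, because both are common ways to hide the action from a plain byte search for "/Launch". The sample PDFs and every function name below are constructed for this example; the fixtures contain a harmless cmd.exe parameter and are not real malware.

```python
import re
import zlib

# ---- Constructed fixtures (test data for this example, not real samples) ----
# Minimal PDF whose document-open action is a /Launch that runs cmd.exe,
# the pattern CVE-2010-1240 abuses. The /P parameters here are harmless.
SAMPLE_LAUNCH_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /Launch /Win << /F (cmd.exe) /P (/c echo constructed-test) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Same action, but the name is written with a PDF hex escape (#61 = 'a'),
# which defeats a naive search for the literal bytes "/Launch".
SAMPLE_OBFUSCATED_PDF = SAMPLE_LAUNCH_PDF.replace(b"/Launch", b"/L#61unch")

# A document with no action at all.
SAMPLE_CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def build_flate_sample():
    """Constructed fixture: the same /Launch action hidden inside a
    FlateDecode stream, which a grep over the raw file would miss."""
    obj = (b"4 0 obj << /Type /Action /S /Launch /Win "
           b"<< /F (cmd.exe) /P (/c echo constructed-test) >> >> endobj")
    packed = zlib.compress(obj)
    return (b"%PDF-1.5\n"
            b"1 0 obj << /Type /Catalog /OpenAction 4 0 R >> endobj\n"
            b"5 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
            + str(len(packed)).encode() + b" >>\nstream\n" + packed
            + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")


# ---- Scanner ----
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")
OPENACTION_RE = re.compile(rb"/(OpenAction|AA)\b")   # actions that fire without a click
WIN_F_RE = re.compile(rb"/F\s*\(([^)]*)\)")          # program to launch
WIN_P_RE = re.compile(rb"/P\s*\(([^)]*)\)")          # its command-line parameters


def normalize_names(data):
    """Decode PDF name hex escapes so /L#61unch reads as /Launch.
    Applied to the whole body for simplicity; '#' is rare outside names."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data):
    """Return the inflated body of every stream that zlib can decode.
    Truncated streams yield whatever prefix inflates; others are skipped."""
    out = []
    for m in STREAM_RE.finditer(data):
        raw = m.group(1)
        try:
            out.append(zlib.decompress(raw))
        except zlib.error:
            try:
                partial = zlib.decompressobj().decompress(raw)
            except zlib.error:
                continue
            if partial:
                out.append(partial)
    return out


def extract_launch_targets(body):
    """Return (program, parameters) for each /Launch action in `body`.
    Strings are read up to the first ')' (escaped parens are not handled)."""
    hits = []
    for m in LAUNCH_RE.finditer(body):
        end = body.find(b"endobj", m.end())
        window = body[m.start(): end if end != -1 else m.start() + 2048]
        f = WIN_F_RE.search(window)
        p = WIN_P_RE.search(window)
        hits.append((f.group(1) if f else b"", p.group(1) if p else b""))
    return hits


def scan_pdf(data):
    """Scan raw PDF bytes plus every inflatable stream for /Launch actions."""
    bodies = [normalize_names(data)]
    bodies += [normalize_names(s) for s in inflate_streams(data)]
    launches = []
    for body in bodies:
        launches.extend(extract_launch_targets(body))
    auto = any(OPENACTION_RE.search(b) for b in bodies)
    return {"launch_actions": launches,
            "auto_triggered": auto,
            "verdict": "suspicious" if launches else "clean"}


if __name__ == "__main__":
    for name, doc in [("launch", SAMPLE_LAUNCH_PDF), ("obfuscated", SAMPLE_OBFUSCATED_PDF),
                      ("flate", build_flate_sample()), ("clean", SAMPLE_CLEAN_PDF)]:
        print(name, scan_pdf(doc))
```

Any /Launch action is worth a look in a mail gateway context, but the combination reported here (a /Launch reached from /OpenAction, with cmd.exe as the program) is exactly the click-to-execute chain described above, and the /P parameters captured by the scanner are where the VBScript dropper in PDF/Pidief.BV lives.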

Turning to spam campaigns, Figures 5a-c show three prevalent attacks delivered through traditional e-mail. The campaigns in Figures 5a and 5c use completely different social engineering tactics, yet link to the same setup.zip file, distributing the Sasfis botnet through Google Groups (highlighted in red in Figure 5c). Interestingly, the "settings for your mailbox have changed" theme of Figure 5a was also used in the PDF/Pidief.BV attack described above, which shows the breadth of malware that spambots such as Cutwail continue to pump out for their customers. Figure 5b shows a different spam attack using a familiar theme (eCards). As always, be wary when following links, even ones such as Google Groups that may appear legitimate; Google has been actively removing such malicious pages.

Botnet activity remained strong this report, with Gumblar and Sasfis in our Top 10 Attack list and Sasfis also in our Top 10 Malware list. Though the main players such as Pushdo, Cutwail, and Sasfis remain in the game, newer botnets continue to emerge. We first saw the CMultiLoader botnet in the wild on April 8th, 2010; a variant, W32/CMultiLoader.A, landed in 6th spot in our Top 10 Malware list this report. The Katusha botnet, which Fortinet detects as W32/Katusha.1824!tr, just missed the Top 10 this report, ranking #11. These are examples of up-and-coming botnets that are making waves. Total detected malware volume for this report has remained fairly consistent since the beginning of the year, though distinct detections (Figure 3c) continue to rise. This indicates more variants of malware in circulation as malware authors continue to pack, encrypt and morph their binaries.

Finally, exploit activity for MS.IE.Userdata.Behavior.Code.Execution (CVE-2010-0806) remained strong, but paled in comparison to Java.Deployment.Toolkit.Launch.Method.Access (CVE-2010-1423), which accounted for over 60% of total attack case activity this report. The vulnerability lies in the Java Deployment Toolkit browser plug-in (exposed as an ActiveX control in Internet Explorer), whose launch method passes attacker-controlled arguments to Java Web Start and so allows remote code execution from a web page. Oracle's Java Runtime Environment 1.6.0_20 (JRE 6 Update 20) addresses this vulnerability. Apart from the USA and Japan, most activity on this exploit was detected in Turkey, Mexico and India. MS.IE.Userdata.Behavior.Code.Execution, exploited drive-by through Internet Explorer, was patched by Microsoft in MS10-018 on March 30, 2010. Once again, ensure all patches are up to date and run a security solution such as intrusion prevention and antivirus to mitigate prevalent threats such as these.


Solutions



Customers who use Fortinet’s FortiGuard Subscription Services should already be protected against the threats outlined in this report. Threat activity is compiled by Fortinet's FortiGuard Labs using data gathered from its intelligence systems and FortiGate™ multi-threat security appliances in production worldwide. FortiGuard Subscription Services offer comprehensive security solutions including antivirus, intrusion prevention, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products.