Prevalence Report

Threat Landscape Report - November 2008 Edition



The following statistics are compiled from Fortinet's FortiGate network security appliances and intelligence systems for the period October 21st - November 20th, 2008.

Table of Contents:

FortiGuard Global Threat Research
Exploits and Intrusion Prevention

Top 10 Exploitations

Top 10 exploitation attempts detected for this period, ranked by vulnerability traffic. Percentage indicates the portion of activity the vulnerability accounted for out of all attacks reported in this edition. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from low to critical. Critical issues are outlined in bold:
Rank     Vulnerability                                  Percentage          Severity
1        Trojan.Storm.Worm.Krackin.Detection             36.9                 High
2        Worm.Slammer                                    23.2                 High
3        IE.IFRAME.BufferOverflow.I                       0.5                 High
4        MS.IIS.Web.Application.SourceCode.Disclosure     0.4                 Medium
5        MS.Exchange.Mail.Calender.Buffer.Overflow        0.4                 High
6        TCP.PORT0                                        0.3                 Low
7        MS.IE.HTML.Attribute.Buffer.Overflow             0.3                 High
8        MS.GDIPlus.JPEG.Buffer.Overflow                  0.3                 Critical
9        SSH.Client.Buffer.Overflow                       0.3                 High
10       Mambo.Function.Path.Validation                   0.3                 Medium    

New Vulnerability Coverage

There were a total of 81 vulnerabilities added to FortiGuard IPS coverage this period.
Of these added vulnerabilities, 25 were reported to be actively exploited.

Figure 1 breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

For more information, see the detailed reports for this period at:

Figure 1: New vulnerability coverage for this edition, categorized by severity
Malware Today

Top 10 Variants

Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

Rank     Malware Variant                  Percentage  Top 100 Shift
1        W32/FakeAlert.D!tr.dldr           16.8            +1
2        W32/Goldun.RV!tr.spy               8.8            new
3        HTML/Goldun.AXT                    6.9            +34
4        W32/Goldun.RW!tr.spy               6.1            new
5        W32/Zbot.FQL!tr.spy                5.6            new
6        W32/ZBot.MG!tr.spy                 4.1            new
7        W32/Netsky!similar                 3.7            +2
8        HTML/Iframe_CID!exploit            3.2            +3
9        W32/Virut.A                        3.1            -3
10       HTML/Iframe.DN!tr.dldr             2.9            +3

Figure 2: Activity curve for top five malware variants


Regions & Volume

Top 5 regions for this period, ranked by distinct malware volume reported. Distinct malware volume is the number of unique virus names (variants) detected in a given region, as opposed to total malware volume, which is the accumulated number of all reported incidents. Six month trends are also given up to the last calendar day of the most recently completed month. Figures 3a-3c below show these statistics:


Figure 3a: Top 5 regions by distinct malware volume

Figure 3b: Six month trend for total malware volume

Figure 3c: Six month trend for unique malware volume

For more information on daily activity per region, please visit our Virus World Map.

Circulating Spam

Spam Rate

The global spam rate is shown on a daily basis for this edition's period. Spam rate is the proportion of e-mails tagged as spam out of total e-mail traffic. Statistics are graphed for business working days, and shown in Figure 4 below:


Figure 4: Spam rate compared to global email
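The two measures defined in this report (the daily spam rate above, and distinct versus total malware volume per region from the Regions & Volume section), together with a check for the kind of day-over-day step change in spam rate that the Activity Recap discusses, computed from a constructed gateway log. This is an added example and not Fortinet code or data: the log format, the `mail`/`av` record types and the region names are invented for illustration, and the drop threshold (a day whose rate is at most half the previous day's) is an assumed value.

```python
from collections import defaultdict

# Constructed sample gateway log (not Fortinet data). Two record types:
#   <date> <region> mail <spam|ham>     one line per e-mail classified
#   <date> <region> av <variant-name>   one line per malware detection
# One malformed line is included to show that the parser skips it.
SAMPLE_LOG = """\
2008-11-11 NA mail spam
2008-11-11 NA mail spam
2008-11-11 NA mail spam
2008-11-11 EMEA mail spam
2008-11-11 EMEA mail ham
2008-11-12 NA mail spam
2008-11-12 NA mail ham
2008-11-12 EMEA mail ham
2008-11-12 EMEA mail ham
2008-11-13 NA mail spam
2008-11-13 NA mail ham
2008-11-13 EMEA mail spam
2008-11-13 EMEA mail ham
2008-11-13 EMEA mail ham
2008-11-13 garbage
2008-11-11 NA av W32/FakeAlert.D!tr.dldr
2008-11-11 NA av W32/FakeAlert.D!tr.dldr
2008-11-12 NA av W32/FakeAlert.D!tr.dldr
2008-11-12 NA av W32/Goldun.RV!tr.spy
2008-11-12 EMEA av W32/Goldun.RV!tr.spy
2008-11-13 EMEA av W32/Goldun.RW!tr.spy
2008-11-13 EMEA av W32/Zbot.FQL!tr.spy
"""


def parse_log(text):
    """Return (date, region, kind, value) tuples; blank or malformed lines
    are skipped rather than raised on, so one bad line cannot stop a run."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] not in ("mail", "av"):
            continue
        records.append(tuple(parts))
    return records


def daily_spam_rate(records):
    """Spam rate per day: e-mails tagged spam over all e-mails that day."""
    spam = defaultdict(int)
    total = defaultdict(int)
    for day, _region, kind, value in records:
        if kind != "mail":
            continue
        total[day] += 1
        if value == "spam":
            spam[day] += 1
    return {day: spam[day] / total[day] for day in sorted(total)}


def detect_rate_drops(rates, factor=0.5):
    """Flag days whose spam rate fell to <= factor of the previous day's rate,
    the step change a botnet take-down produces. Returns (day, before, after)."""
    days = sorted(rates)
    drops = []
    for prev, cur in zip(days, days[1:]):
        if rates[prev] > 0 and rates[cur] <= factor * rates[prev]:
            drops.append((cur, rates[prev], rates[cur]))
    return drops


def malware_volume_by_region(records):
    """Per region: total volume (every detection) and distinct volume
    (unique variant names), the two measures the report distinguishes."""
    total = defaultdict(int)
    names = defaultdict(set)
    for _day, region, kind, value in records:
        if kind != "av":
            continue
        total[region] += 1
        names[region].add(value)
    return {r: {"total": total[r], "distinct": len(names[r])} for r in total}


def top_regions(volumes, n=5):
    """Rank regions by distinct volume, ties broken by total volume."""
    key = lambda r: (volumes[r]["distinct"], volumes[r]["total"])
    return sorted(volumes, key=key, reverse=True)[:n]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    rates = daily_spam_rate(recs)
    for day, rate in rates.items():
        print(f"{day}: spam rate {rate:.0%}")
    for day, before, after in detect_rate_drops(rates):
        print(f"sharp drop on {day}: {before:.0%} -> {after:.0%}")
    vols = malware_volume_by_region(recs)
    for region in top_regions(vols):
        print(f"{region}: {vols[region]}")
```

Note that a region with many detections of a single variant (NA above, dominated by one FakeAlert variant) ranks below a region with fewer detections spread over more variants, which is exactly the difference between total and distinct volume that figures 3b and 3c are meant to separate.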


Top 3 In The Wild

Top three spam e-mails observed for this period. Top e-mails have been filtered to highlight diverse campaigns by removing duplicates and unsolicited advertisements. This helps focus on scams and malicious intent; the resulting list is ranked by Figures 5a-c below illustrate the most popular message tactics used during recent spam campaigns:


Figure 5a: Spam campaign #1

Figure 5b: Spam campaign #2

Figure 5c: Spam campaign #3


Crawling The Web

Web Traffic

The following list breaks down the percentage of activity blocked for selected Web categories throughout this period. Percentage indicates how much activity each category accounted for out of the four selected categories. Figure 6 shows a different scope, comparing only threat traffic (malware, spyware and phishing); the percentage shown in Figure 6 indicates how much activity each accounted for out of these three threat categories.

FortiGuard Category                Percentage
Pornography                        64.5
Malware                            21.0
Spyware                            11.9
Phishing                            2.6

Figure 6: Threat traffic volume break-down


Activity Recap

There were various changes in the threat report worth noting this period. In our last report, we discussed how malware volume had been on the rise since July 2008, bloated largely by rogue security software distributed at an aggressive pace. A drop in total malware volume was recorded during October (figure 3b), corresponding to a decrease in this "scareware" distribution. Rogue security trojans accounted for approximately 65 percent of total malware reported in September 2008. That number dropped to 30 percent in October 2008, and is on pace to be significantly lower by the end of November 2008. The influence this scareware has on the threat landscape is therefore quite visible (figure 3b): total malware volume for this period (November) has deflated compared with October, making for a two-month decline from September's apex. While the rogue security trojan W32/FakeAlert.D!tr.dldr easily took top spot in our top 10 (accounting for 16.8 percent of total activity), its activity was short lived: it dropped off the radar by October 25, 2008 (figure 2). In the same figure we can see the fall of scareware followed by the rise of the Goldun family, which accounted for three positions in our top five. This family of keyloggers has been persistently making its way into our top 10 since September 2008, and will likely be here to stay as we enter the holiday season. Both families use different rootkits that conceal their activity and kill processes that might interfere with their operation (such as antivirus software).

The most dramatic shift on the threat report came from our spam statistics (figure 4). A sharp drop in activity can clearly be seen on November 12, as spam rates fell to nearly a third of total global email. The drop is largely thanks to the recent take-down of an ISP (McColo) which was hosting command and control servers for spam-spewing botnets. While spam rates have already begun to rise as these botnets recover, this action certainly shook the threat landscape and was welcome in the fight against cyber crime. Spam is still leveraged by cyber criminals as a vehicle to distribute their tainted goods, as can be seen in figures 5a-5c. All three e-mails contained malicious attachments, using different social engineering tactics (the most convincing being figure 5c). All three of these campaigns were used to distribute the Goldun family: the variant W32/Goldun.RW (number 4 in our top ten) was found as an attachment in all three e-mails. The interesting part here is that the top-spot rogue security trojan W32/FakeAlert.D was also found as an attachment in one of figure 5b's e-mails: the same simple social engineering lure (not too convincing, since it refers to Mrs. Jolie as 'him'), the same subject, different malware families. This shared spam vehicle (read: botnet) certainly helped boost both variants into our malware top 5. This is an excellent example of how today's underground infrastructure is used as an engine by various campaigns and organisations, and another likely indicator that services such as spam-spewing botnets are being rented out. Malware levels declined after McColo's take-down, most notably fake security software and scareware (figure 2).

Scare tactics have been quite effective recently, both in the form of scareware and of spam alerts such as the one seen in figure 5c. This e-mail intends to alarm the user that they have been monitored and are under suspension due to illegal activities. Naturally, end-users' curiosity will be piqued as they open the attachment that contains details of these accusations, ultimately ending in infection, warned Fortinet security researcher Derek Manky. Always be cautious of attachments, and verify the integrity of the message before proceeding. On the web, the most notable increase came from malware, which accounted for 21 percent of categorized threat activity. This was up from 14.5 percent last report and will likely see more activity in the coming months given the favoured trend of web-borne infections. Finally, active exploitation of new vulnerabilities for this period (figure 1) was also on the rise, increasing from 27 percent last report to 31 percent (25 out of 81 vulnerabilities). More critical vulnerabilities were added this period than last; another reminder to keep all software and browsers up to date with the latest available patches.

Solutions

Customers who use Fortinet’s FortiGuard Subscription Services should already be protected against the threats outlined in this report. Threat activity is compiled by Fortinet's FortiGuard Global Security Research Team using data gathered from its intelligence systems and FortiGate™ multi-threat security appliances in production worldwide. FortiGuard Subscription Services offer comprehensive security solutions including antivirus, intrusion prevention, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products.