The following statistics are compiled from Fortinet's FortiGate network security appliances and intelligence systems for the period October 21st - November 20th, 2010.
Table of Contents:
- Exploits and Intrusion Prevention
- Malware Today
- Spam and Email Threats
- Crawling the Web
- Activity Recap
FortiGuard Labs
Exploits and Intrusion Prevention
Top 10 Attacks & Regions
The top 10 attack attempts detected for this period follow, ranked by the number of valid attack cases reported. Valid attack cases are defined as threats we have listed as a Threat Outbreak on our FortiGuard Center (RSS feed here). Percentage indicates the portion of activity for which the attack accounted out of the accumulated daily incidents reported during this period. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from medium to critical. Critical issues are outlined in bold. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the attack's debut in the Top 100. Figure 1a shows a daily record of attack cases reported for this period's Top 5 attacks. Figure 1b below shows the Top 5 regions attacked in comparison to total attack cases reported this period.
| Rank | Vulnerability | Percentage | Severity | Top 100 Shift |
| 1 | MS.DCERPC.NETAPI32.Buffer.Overflow | 43.0 | critical | - |
| 2 | MS.IE.Userdata.Behavior.Code.Execution | 21.0 | critical | +1 |
| 3 | Sasfis.Botnet | 9.3 | high | +1 |
| 4 | FTP.USER.Command.Overflow | 8.4 | high | +4 |
| 5 | MS.Windows.LSASS.Buffer.Overflow | 7.5 | high | +1 |
| 6 | AWStats.Rawlog.Plugin.Logfile.Parameter.Input.Validation | 7.3 | high | +1 |
| 7 | Apache.Expect.Header.XSS | 6.6 | medium | -2 |
| 8 | MS.Content.Management.Server.Code.Execution | 3.2 | critical | - |
| 9 | FreeType.CFF.Jailbreak.Apple.Device.Buffer.Overflow | 2.9 | high | - |
| 10 | SMTP.Auth.Buffer.Overflow | 2.7 | critical | +4 |

Figure 1a: Daily attack case activity for top 5 attacks
Figure 1b: Top 5 regions by number of attack cases
New Vulnerability Coverage
There were a total of 146 vulnerabilities added to FortiGuard IPS coverage this period.
Of these added vulnerabilities, 61 were reported to be actively exploited (41.8%).
Figure 1c breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.
For more information, observe the detailed reports for this period at:
Figure 1c: New vulnerability coverage for this edition, categorized by severity
Malware Today
Top 10 Variants
Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:
| Rank | Malware Variant | Percentage | Top 100 Shift |
| 1 | W32/Krypt.D!tr.dldr | 47.6 | 3 |
| 2 | HTML/Iframe.DN!tr.dldr | 16.1 | new |
| 3 | W32/Injector.fam!tr | 6.3 | new |
| 4 | W32/Kriz.3863 | 4.6 | new |
| 5 | W32/Netsky.P@mm | 1.3 | 3 |
| 6 | W32/Refroso.JUA!tr | 1.0 | new |
| 7 | Adware/PlatriumSA | 0.6 | 14 |
| 8 | W32/Katusha.N!tr | 0.3 | new |
| 9 | JS/HtmlProt!tr | 0.3 | 1 |
| 10 | W32/Openconnection.F542!tr | 0.3 | new |
Figure 2: Activity curve for top five malware variants
Regions & Volume
Top 5 regions for this period, ranked by distinct malware volume reported. Distinct malware volume is the number of unique virus names (variants) detected in a given region, as opposed to total malware volume, which is the accumulated number of all reported incidents. Total and distinct malware volume trends for the last six reporting periods are also given. Figures 3a-3c below show these statistics:

Figure 3a: Top 5 regions by distinct malware volume
Figure 3b: Six period trend for total malware volume
Figure 3c: Six period trend for distinct malware volume
For more information on daily activity per region, please visit our Virus World Map.
Spam and Email Threats
Spam Rate & Regions
The global spam rate is shown on a daily basis for this edition's period. Spam rate is the share of accumulated email tagged as spam relative to total email traffic. The Top 5 spam regions are ranked by received spam as a proportion of global spam volume. Statistics are graphed for business working days and shown in Figures 4a-4b below:

Figure 4a: Spam rate compared to global email
Figure 4b: Top 5 spam regions by received spam
Top 3 In The Wild
Top three email threats observed for this period. Top e-mails have been filtered to highlight diverse campaigns by removing duplicates and unsolicited advertisements. This helps focus on scams and malicious intent; the resulting list is ranked in Figures 5a-c below, which illustrate the most popular message tactics used during recent spam campaigns:

Figure 5a: Spam campaign #1
Figure 5b: Spam campaign #2
Figure 5c: Spam campaign #3
Crawling The Web
Threat Traffic & Growth
The following list breaks down the percentage of activity blocked for selected Web categories throughout this period. Percentage indicates how much activity each category accounted for out of the four selected categories. Figure 6a shows a narrower scope, comparing only threat traffic: malware, spyware, and phishing. The percentage shown in Figure 6a below indicates how much activity each accounted for out of these three threat categories. Figure 6b highlights the growth (or reduction) of selected web threat activity compared period over period:
| Web Threat Category | Percentage |
| Pornography | 65.7 |
| Malware | 29.2 |
| Spyware | 2.9 |
| Phishing | 2.2 |
Figure 6a: Threat traffic volume break-down
Figure 6b: Threat traffic growth by period
Activity Recap
As we move towards the end of the year, activity on the Threat Landscape certainly has not slowed down. 2010 has been a tremendously successful year in the fight against cyber crime, in particular botnets. Botnet takedowns this year include Mariposa/Butterfly, Pushdo/Cutwail, Zeus/ZBot, Bredolab, and in November: Koobface. At FortiGuard Labs, we continue to observe threat activity from all of these botnets despite efforts to dismantle them. This is simply because other operators have picked up the ball: source code and kits (crimeware) are readily available, so criminals can establish their own botnet using popular code like Zeus or Bredolab. Nonetheless, there is evidence that prosecution does work, even though new operations continue to arise. Zeus developers seem to have felt the heat from the many recent arrests in a large-scale Zeus network, and have hopped onto the SpyEye development team. SpyEye continues to be developed; see our blog post here. The most recent impact we have seen was with the Bredolab takedown at the end of October. Figure 4a shows a large drop in spam (12 percent) after October 25th, the day Dutch authorities dismantled a large Bredolab network by taking more than 140 servers offline. Bredolab was often used to load spam engines like Cutwail to send affiliate-based spam (i.e. fraudulent pharmaceuticals). The scale of this Bredolab botnet must have been large indeed to have such an impact on spam levels, which dropped as much as 26 percent a week later.
Koobface, a botnet notorious for spamming social media sites like Facebook, was taken offline on November 14th when UK ISP Coreix took down 3 "mothership" servers. Koobface uses intermediary servers (proxies) to communicate with these mothership servers over HTTP on port 80. We confirmed that on November 14th, when the primary servers were taken offline, the intermediary servers failed to proxy content, effectively crippling the botnet. Unfortunately, we saw communication restored five days later, on November 19th. This is likely because Koobface contains an FTP credential harvesting module: operators may use stolen FTP credentials to hijack web servers for use as intermediaries/proxies. By reconfiguring their intermediary servers to point at new "mothership" servers, the operators seemingly regained control of their botnet.
Most of the malware top 10 detections in this report were of malware packed by a custom packer. Thus, several malware families can fall within these generic detections; this is becoming very common as more and more malware developers turn to packers and packing services ("crypters") to avoid antivirus detection. As over the past several months, one of the most prominent pieces of malware we observed this report was Sasfis, a simple botnet which operates over standard HTTP on port 80. This activity is reflected in our top 10 attack list, with Sasfis command and control detections ranking 3rd. Botnets today ubiquitously use common protocols to communicate with their operators, in an effort to blend in with normal network activity. As an example, FortiGuard Labs recently discovered the Hiloti botnet was using legitimate DNS queries to report download/installation ("loading") information to its servers.
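The point that botnets report over ordinary protocols such as DNS is one a defender can check for in resolver or firewall query logs. The following is an added example, not FortiGuard code, and it does not reproduce Hiloti's actual encoding: it assumes a plain-text log of timestamp, client, query type and query name (the lines below are constructed and use reserved names), groups queries by client and registered domain, and scores each group on the number of unique high-entropy subdomains and on how regularly the queries are spaced.

```python
"""Flag DNS query streams that look like a covert reporting channel.

Added example (not FortiGuard code). The log format, the domain names and the
thresholds are assumptions; the hex-label encoding is constructed for the
example and is not a claim about Hiloti's real protocol.
"""
import math
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log lines: "<ISO timestamp> <client IP> <qtype> <qname>".
# 10.0.0.12 makes ordinary lookups plus a 30-second stream of random-looking
# labels under example-cdn.test; 10.0.0.40 only makes ordinary lookups.
SAMPLE_LOG = """\
2010-11-05T10:00:01 10.0.0.12 A www.example.com
2010-11-05T10:00:03 10.0.0.12 A mail.example.com
2010-11-05T10:00:05 10.0.0.12 A 5f3a9c1d0b7e4862.report.example-cdn.test
2010-11-05T10:00:35 10.0.0.12 A 9e2b7c4d1a6f0358.report.example-cdn.test
2010-11-05T10:01:05 10.0.0.12 A 0c8d4e1f7b2a9365.report.example-cdn.test
2010-11-05T10:01:35 10.0.0.12 A 3a7f2e9c6b1d8504.report.example-cdn.test
2010-11-05T10:02:05 10.0.0.12 A b4e1d9a6c3f70825.report.example-cdn.test
2010-11-05T10:02:35 10.0.0.12 A d7c2a5f8e1b90346.report.example-cdn.test
2010-11-05T10:00:09 10.0.0.40 A www.example.com
2010-11-05T10:00:10 10.0.0.40 A cdn.example.com
2010-11-05T10:00:11 10.0.0.40 A static.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(label):
    """Bits per character of a DNS label; 16 distinct characters give 4.0."""
    if not label:
        return 0.0
    n = len(label)
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Assumption: the last two labels. Production code should use the public suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Parse log lines into (timestamp, client, qtype, qname); malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qtype, qname = m.groups()
        records.append((datetime.fromisoformat(ts), client, qtype, qname.lower().rstrip(".")))
    return records


def profile_queries(records):
    """Group by (client, registered domain) and collect the features scored below."""
    stats = defaultdict(lambda: {"times": [], "subdomains": set(), "entropies": []})
    for ts, client, _qtype, qname in records:
        dom = registered_domain(qname)
        s = stats[(client, dom)]
        s["times"].append(ts)
        if qname != dom:
            sub = qname[: -len(dom) - 1]  # strip ".<registered domain>"
            s["subdomains"].add(sub)
            # The leftmost label is where encoded data would sit in this scheme.
            s["entropies"].append(shannon_entropy(sub.split(".")[0]))
    return stats


def flag_suspicious(stats, min_unique=5, min_entropy=3.5, max_cv=0.1):
    """Return (client, domain, reasons) for groups that match either heuristic."""
    hits = []
    for (client, dom), s in stats.items():
        reasons = []
        if len(s["subdomains"]) >= min_unique:
            mean_ent = statistics.mean(s["entropies"])
            if mean_ent >= min_entropy:
                reasons.append("%d unique subdomains, mean label entropy %.2f bits"
                               % (len(s["subdomains"]), mean_ent))
        times = sorted(s["times"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) >= 4:  # need a few intervals before judging regularity
            mean_gap = statistics.mean(gaps)
            cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else 0.0
            if cv <= max_cv:
                reasons.append("%d queries spaced every %.0fs (cv %.2f)"
                               % (len(times), mean_gap, cv))
        if reasons:
            hits.append((client, dom, reasons))
    return hits


if __name__ == "__main__":
    for client, dom, reasons in flag_suspicious(profile_queries(parse_log(SAMPLE_LOG))):
        print(client, dom, "; ".join(reasons))
```

The thresholds are assumptions to tune against a local baseline. Legitimate software (update checkers, monitoring agents) also queries on a fixed schedule, so the spacing test and the entropy test are reported as separate reasons rather than folded into one verdict; a group that trips both is the one worth looking at first.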
Other discoveries by FortiGuard Labs include four disclosed vulnerabilities in Adobe Shockwave (FGA-2010-54), Adobe Flash (FGA-2010-56), Microsoft Office PowerPoint (FGA-2010-58), and Apple QuickTime (FGA-2010-61). All four zero-day discoveries were critical remote code execution vulnerabilities. This period, a total of 146 new vulnerabilities were covered, 61 of which were actively exploited in the wild (over 40%). A zero-day vulnerability in Microsoft Internet Explorer (FGA-2010-55) is still being exploited in the wild as of writing. New and old vulnerabilities will continue to be exploited, so remember to keep all of your patches up to date. Further, a sound IPS solution can help mitigate attacks against both known vulnerabilities and zero-days. As malicious traffic increasingly rides on common protocols, application control is becoming more important for identifying malicious activity at the application level (such as botnet communication).
Regardless of the activity between Zeus and SpyEye, legacy Zeus attacks will still continue to occur. Figure 5a shows such an attack that was circulating through email this period, socially engineered to look like a tax notice from the federal government; the real link is highlighted in red. On October 10th, Spamit.com, a large affiliate program for pharmaceutical-based spam, was taken offline. While this is to be applauded, the reality is that more affiliate programs exist and we continue to see lots of spam in circulation. Figure 5b is nothing terribly new; it shows an example of one of many templates for pharmacy spam. The interesting part here was that the link sent out pointed to a URL shortener that is offered as a secure service. Cyber criminals are quite brash, and will try to land their code on the most legitimate, trusted websites or services. It is important to observe the link you are about to click on, but when it is legitimate, it is equally important to have antivirus and intrusion prevention deployed to inspect all traffic once landing on the site. With the shopping season on our doorstep, remember that attacks like Zeus/SpyEye can inject content into the browser (to phish for credit cards, etc.) and steal credentials through browser forms, even for secure sessions like HTTPS. For more tips on safe online shopping, please see our blog post here.
Solutions
Customers who use Fortinet's FortiGuard Subscription Services should already be protected against the threats outlined in this report with the appropriate configuration parameters in place. Threat activity is compiled by Fortinet's FortiGuard Labs using data gathered from its intelligence systems and FortiGate™ multi-threat security appliances in production worldwide. FortiGuard Subscription Services offer comprehensive security solutions including antivirus, intrusion prevention, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products.