Threat Landscape Report - October 2008 Edition

The following statistics are compiled from Fortinet's FortiGate network security appliances and intelligence systems for the period September 21st - October 20th, 2008.

Table of Contents:

FortiGuard Global Threat Research
Exploits and Intrusion Prevention

Top 10 Exploitations

Top 10 exploitation attempts detected for this period, ranked by vulnerability traffic. Percentage indicates the portion of activity the vulnerability accounted for out of all attacks reported in this edition. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from low to critical. Critical issues are outlined in bold:
Rank     Vulnerability                             Percentage          Severity
1        Trojan.Storm.Worm.Krackin.Detection       39.7                  High
2        Worm.Slammer                              34.6                  High
3        PhpInclude.Worm.B                          5.5                  High
4        invalid_length                             1.7                  Low
5        TCP.Bad.Flags                              1.1                  Critical
6        SSH.Brute.Forcer                           1.0                  Low
7        invalid_encoding                           0.8                  Low
8        large_fragsize                             0.8                  High
9        Danmec.Asprox.SQL.Injection                0.7                  High
10       chunk_overflow                             0.4                  Critical

New Vulnerability Coverage

There were a total of 66 vulnerabilities added to FortiGuard IPS coverage this period.
Of these added vulnerabilities, 18 were reported to be actively exploited.

Figure 1 breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

For more information, see the detailed reports for this period at:

Figure 1: New vulnerability coverage for this edition, categorized by severity
Malware Today

Top 10 Variants

Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

Rank     Malware Variant                  Percentage  Top 100 Shift
1        W32/Agent.AGGP!tr.dldr           23.6          new
2        W32/FakeAlert.D!tr.dldr          10.6          new
3        W32/Inject.GZW!tr.bdr            9.4           -2
4        W32/Autorun.PNL!worm             4.7           new
5        W32/Agent.XGG!tr                 4.1           new
6        W32/Virut.A                      3.2           +1
7        W32/Goldun.AZL!tr.spy            3.0           new
8        W32/FakeAlert.D!tr               2.9           new
9        W32/Netsky!similar               2.7           -4
10       W32/Agent.AHVM!tr.dldr           2.4           new

Figure 2: Activity curve for top five malware variants


Regions & Volume

Top 5 regions for this period, ranked by distinct malware volume reported. Distinct malware volume indicates the number of unique virus names (variants) that have been detected in the given regions, as opposed to total malware volume, which indicates the accumulated number of all reported incidents. Six month trends are also given up to the last calendar day of the most recently completed month. Figures 3a-3c below show these statistics:


Figure 3a: Top 5 regions by distinct malware volume

Figure 3b: Six month trend for total malware volume

Figure 3c: Six month trend for unique malware volume

For more information on daily activity per region, please visit our Virus World Map.

Circulating Spam

Spam Rate

The global spam rate is shown on a daily basis for this edition's given period. Spam rate indicates the accumulated number of emails tagged as spam, in comparison to total email traffic. Statistics are graphed for business working days, and shown in Figure 4 below:


Figure 4: Spam rate compared to global email


Top 3 In The Wild

Top 3 spam e-mails observed for this period, ranked by reported volume. Figures 5a-c below illustrate the most popular message tactics used during recent spam campaigns:


Figure 5a: Most circulated spam

Figure 5b: 2nd most circulated spam

Figure 5c: 3rd most circulated spam


Crawling The Web

Web Threat Traffic

Selected Web categories for this period, ranked by traffic volume. Percentage indicates the web traffic volume the respective category accounted for throughout this period, compared to total web traffic categorized. Figure 6 below shows the distribution of malware, spyware, and phishing traffic for this period to reflect the distribution of web threats.

FortiGuard Category                Percentage
Pornography                        71.3
Malware                            14.5
Spyware                            10.8
Phishing                            3.5

Figure 6: Threat traffic volume break-down


Activity Recap

This month we break out an exciting new format to reflect on a vast threat landscape that is continuously shifting. In antivirus, the top 10 prevalent variants were almost purely related to rogue security software (aka "scareware"). Only W32/Goldun.AZL, W32/Netsky and W32/Virut managed to stay in the list despite strong activity from rogue security malware. W32/Netsky came in at 9th position, barely clinging onto a seemingly infinite reign in our top 10. W32/Virut.A continues to have a surprisingly strong grip, landing in a top six position for eight consecutive months despite all of the rogue activity. The threat landscape is changing, triggered by a dramatic shift last month thanks to rogue variants that continue to plague cyberspace. Fortinet security researcher Derek Manky observed this in last month's War of the Rogues analysis. This shift is highlighted in Figure 3b, as total malware volume has been on the rise since July 2008 after a long and steady fall in activity. While malware volume has recently been on a sharp rise, the number of detected variants in the wild (Figure 3c) has declined. This means we are seeing more aggressive seeding for these variants, in part due to the reasons mentioned above.

In the ancient world of spam, one still needs to exercise extreme caution when browsing his or her inbox. Take Figure 5b for example, our second most circulated spam seen in this edition. The email employs fear mongering at its best, using perhaps one of the hottest current topics (the financial crisis) in order to lure the victim into clicking on a link with the promise of a better future. On top of unsolicited commercial emails (spam), what may seem like an innocent email can take you to a malicious place; this is exactly the cautious mentality that should be in place when opening electronic mail. We always recommend that you "think before you link", as there are many scams, exploits and pieces of malware lurking around the corner.

Of the 66 vulnerabilities added this edition, 18 of them, or roughly 27 percent, were reported to be actively exploited. Old exploits are still commonly used to launch attacks, leveraging holes in software that people have not bothered to patch on their machines. While this is bad enough, even fresh ones are being actively pursued. This should serve as a reminder that updating all software with patches on a daily basis is an essential practice for thwarting threats, layered with a trusted intrusion prevention system.

Solutions

Customers who use Fortinet’s FortiGuard Subscription Services should already be protected against the threats outlined in this report. Threat activity is compiled by Fortinet's FortiGuard Global Security Research Team using data gathered from its intelligence systems and FortiGate™ multi-threat security appliances in production worldwide. FortiGuard Subscription Services offer comprehensive security solutions including antivirus, intrusion prevention, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products.