Threatscape Report - October 2009 Edition

The following statistics are compiled from Fortinet's FortiGate network security appliances and intelligence systems for the period September 21st - October 20th, 2009.


FortiGuard Labs

Exploits and Intrusion Prevention



Top 10 Exploitations & Regions



The Top 10 exploitation attempts detected for this period follow, ranked by the number of valid attack cases reported. Valid attack cases consist only of threats we have listed as a Threat Outbreak on our FortiGuard Center (RSS feed here). Percentage indicates the portion of activity for which the attack accounted out of all cases reported this period. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from medium to critical. Figure 1a below shows the Top 5 regions attacked in comparison to total attack cases reported this period. Critical issues are marked in the Severity column.

Rank | Vulnerability | Percentage | Severity
1 | MS.DCERPC.NETAPI32.Buffer.Overflow | 29.0 | Critical
2 | FTP.USER.Command.Overflow | 24.4 | High
3 | MS.IE7.Deleted.DOM.Object.Access.Memory.Corruption | 21.3 | Critical
4 | Adobe.Products.SWF.Remote.Code.Execution | 8.4 | Critical
5 | Apache.Expect.Header.XSS | 8.1 | Medium
6 | AWStats.Rawlog.Plugin.Logfile.Parameter.Input.Validation | 7.6 | High
7 | MS.Content.Management.Server.Code.Execution | 6.7 | Critical
8 | RoundCube.Webmail.Pregreplace.Code.Execution | 5.3 | High
9 | MS.DirectX.MsVidCtl.ActiveX.Control.Access | 3.2 | Critical
10 | Apache.MyFaces.Tomahawk.JSF.Framework.XSS | 3.0 | Medium



Figure 1a: Top 5 regions by number of attack cases


New Vulnerability Coverage



There were a total of 104 vulnerabilities added to FortiGuard IPS coverage this period.
Of these added vulnerabilities, 29 were reported to be actively exploited (27.9%).

Figure 1b breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

For more information, observe the detailed reports for this period at:

Figure 1b: New vulnerability coverage for this edition, categorized by severity

Malware Today



Top 10 Variants



Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

Rank | Malware Variant | Percentage | Top 100 Shift
1 | W32/PackSpam.A!worm | 20.1 | new
2 | W32/Agent.LGE!tr | 16.9 | new
3 | W32/Bredolab.X!tr | 11.4 | new
4 | W32/Bredo.G!tr | 8.2 | -2
5 | W32/FakeAlert.SYY!tr.dldr | 7.9 | new
6 | W32/Krap.AD!tr | 6.6 | new
7 | W32/OnlineGames.BBR!tr | 3.8 | -6
8 | W32/FraudLoad.WSUT!tr.dldr | 1.7 | new
9 | W32/Agent.FM!tr | 1.6 | new
10 | W32/OnlineGames.BWA!tr.pws | 1.2 | new

Figure 2: Activity curve for top five malware variants


Regions & Volume



Top 5 regions for this period, ranked by distinct malware volume reported. Distinct malware volume indicates the number of unique virus names (variants) that have been detected in the given regions, as opposed to total malware volume, which indicates the accumulated number of all reported incidents. Total and distinct malware volume trends for the last six reporting periods are also given. Figures 3a-3c below show these statistics:


Figure 3a: Top 5 regions by distinct malware volume

Figure 3b: Six period trend for total malware volume

Figure 3c: Six period trend for distinct malware volume

For more information on daily activity per region, please visit our Virus World Map.


Spam and Email Threats



Spam Rate & Regions



The global spam rate is shown on a daily basis for this edition's given period. Spam rate indicates the share of total email traffic that has been tagged as spam. Top 5 spam regions are ranked by received spam in comparison to global spam volume. Statistics are graphed for business working days, and shown in Figures 4a-4b below:


Figure 4a: Spam rate compared to global email

Figure 4b: Top 5 spam regions by received spam


Top 3 In The Wild



Top three email threats observed for this period. Top e-mails have been filtered to highlight diverse campaigns by removing duplicates and unsolicited advertisements, which helps focus on scams and malicious intent. Figures 5a-c below illustrate the most popular message tactics used during recent spam campaigns:


Figure 5a: Spam campaign #1

Figure 5b: Spam campaign #2

Figure 5c: Spam campaign #3



Crawling The Web



Threat Traffic & Growth



The following list breaks down the percentage of activity blocked for selected Web categories throughout this period. Percentage indicates how much activity was accounted for out of the four selected categories. Figure 6a shows a different scope, comparing only threat traffic: Malware, spyware, and phishing. The percentage shown in Figure 6a below indicates how much activity was accounted for out of these three threat categories. Figure 6b highlights the growth (or reduction) of selected web threat activity when compared period over period:

Web Threat Category | Percentage
Pornography | 60.2
Malware | 30.5
Spyware | 5.3
Phishing | 4.1



Figure 6a: Threat traffic volume break-down

Figure 6b: Threat traffic growth by period



Activity Recap



We hit some milestones this period, with total detected malware volume being at its highest in more than a year. While this volume has been generally increasing over the past six months, it surged significantly towards the end of September leading through October. In fact, detected volume this period was more than four times that of the last report. As can be observed in Figure 2 and in our Malware Top 10, the main contributors were rogue security downloaders. The malware variants W32/Agent.LGE and W32/Bredo.G both set single-day detection records as well, surpassing our previous record set by HTML/Agent.E (a ZBot e-card campaign) in August 2009.

A Flood of Scareware
These milestones were all the result of a complete onslaught of rogue security software. In our last recap, we noted that it was the one-year anniversary of the initial explosion of such fake software ("scareware") in September 2008. Indeed, just one month on from this anniversary we have now witnessed the worst scareware attacks yet. While it's likely coincidence that the peaks of these attacks have come just before Halloween, the danger cannot be ignored. These attacks are coming fast, hard and frequently. In fact, one may even say it is a pandemic: all of our detection data indicates that these attacks are prevalent worldwide. In addition, there is a wide array of campaigns, ranging from botnets and tainted advertisements to SEO attacks. Going back to our malware top 10, seven of the ten listed detections point back to scareware. Online gaming trojans were the only other variants to stay in our top 10, as both Netsky and Virut succumbed to the floodwaters of scareware. To put it to scale, this was the first time in a year and a half that Virut, the stubborn and nasty file infector, was pushed out of our top 10. While Virut still remains an active threat, its prevalence was simply nowhere near as high as rogue security software this month. Look out for this, however, as Virut has hybrid capabilities (it can spread through other infections) and may indeed piggyback on high-profile scareware campaigns in the future.

As of writing, all of the scareware variants were actively downloading the same fake security suite, "AntiVirus Pro 2010," which employs a bogus scan engine to scare users into buying a fake solution for their falsely reported problems. The main product used in the high-profile scareware attacks of September 2008 was "AntiVirus XP 2008." In December 2008, a US federal court froze the assets of businesses operating out of Kiev, Ukraine, accusing them of selling such false security products following a complaint from the FTC. It would appear as though this was not enough to stop scareware from continuing to plague cyberspace, with record activity levels being posted to date. This is mainly because of the lucrative amount of money available to participants in these schemes, funded on commission by affiliate programs, which gives participants a strong incentive to hop on board.

Bredolab
While all of the scareware related variants we detected this month linked to the same fake product (and affiliate program), the attacks may be broken down into two frameworks: scareware downloaders and Bredolab, a trojan downloader. Our two main detections for Bredolab this report were W32/Bredo.G (#3) and W32/Bredolab.X (#4). Bredolab has been very actively involved with scareware. The Bredolab framework connects up to its network to seek the latest components it should download. This month, we observed Bredolab downloading AntiVirus Pro 2010 installers. These installers actually used the same framework as the scareware downloaders mentioned below ("Security Framework"). On top of this, we also found ZBot - a notorious keylogger / information stealer - being downloaded through the Bredolab/AntiVirus Pro 2010 chain. For more information on Zeus and ZBot, please read our analysis here. Bredolab is just one player linked to ZBot - both of which have very high detection rates. Thus, Bredolab becomes a dangerous threat -- on infection, you now have an information-siphoning trojan and a nasty scareware product, both linking up to different remote control sites. This is an excellent example of the many components often involved with modern threats, and why layered security is the best approach to thwarting such threats.

Scareware Framework
Our top 10 detections this report for the scareware downloaders are as follows: W32/PackSpam.A (#1), W32/Agent.LGE (#2), W32/FakeAlert.SYY (#5), W32/Krap.AD (#6), and W32/FraudLoad.WSUT (#8). These all used the same framework to connect to freshly registered domains and download AntiVirus 2010 installers. We observed several executables used in attacks this month that contain this framework, with varying sizes from 14-290 kilobytes. The 290 kilobyte version actually contained the AntiVirus 2010 product within, eliminating the need to download from a remote server in case access was blocked - a fallback mechanism. The domains differed in each executable, hard-coded and frequently updated with new copies. This is very similar to what we observed with Waledac. Therefore, new campaigns will use new executables which point to freshly registered domains. This all seems to be part of an automation process, as the domains are all between 19 and 21 alphanumeric characters using the ".com" top level domain. An affiliate identifier (also hard-coded) is passed through an HTTP request to these domains, which resolve to a server that will send the latest copy of scareware for that affiliate.
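The domain pattern described above (19-21 alphanumeric characters directly under .com, with an affiliate identifier passed in the HTTP request) can be turned into a simple proxy-log triage check. The following is an added example written for this page, not Fortinet's code; the log format, the query parameter names (aid, affid) and the log lines themselves are constructed assumptions, and a pattern match is only a lead for investigation, not proof of infection.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Heuristic taken from the report: the downloader's hard-coded domains were
# 19-21 alphanumeric characters directly under the .com top level domain.
HOST_RE = re.compile(r"^(?:www\.)?[a-z0-9]{19,21}\.com$", re.IGNORECASE)

# Constructed sample proxy log (not real traffic): timestamp client method url status
SAMPLE_LOG = """\
2009-10-05T14:02:11Z 10.1.2.3 GET http://abcdefghij0123456789.com/get.php?aid=1234 200
2009-10-05T14:02:15Z 10.1.2.3 GET http://www.example.com/index.html 200
2009-10-05T14:03:40Z 10.1.2.9 GET http://q1w2e3r4t5y6u7i8o9p0a.com/dl/?affid=77 200
2009-10-05T14:04:02Z 10.1.2.9 GET http://short.com/a?aid=5 404
2009-10-05T14:05:10Z 10.1.2.7 GET http://abcdefghij0123456789.com/get.php?aid=1234 200
"""

def parse_line(line):
    """Split one constructed log line into its fields; None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    return {"ts": ts, "client": client, "method": method, "url": url, "status": status}

def classify_url(url):
    """Return (host, query_params) if the host matches the domain pattern, else None."""
    parsed = urlsplit(url)
    host = parsed.hostname or ""
    if not HOST_RE.match(host):
        return None
    # Any query parameter on such a host is a candidate hard-coded affiliate id
    # (parameter names are an assumption; the report does not give them).
    return host.lower(), parse_qs(parsed.query)

def scan_log(log_text):
    """Return one alert per matching request: client, host and query parameters."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify_url(rec["url"])
        if hit is None:
            continue
        host, params = hit
        alerts.append({"client": rec["client"], "host": host, "params": params})
    return alerts

def clients_per_host(alerts):
    """Group alerts by host to see how many clients reached each candidate domain."""
    out = {}
    for a in alerts:
        out.setdefault(a["host"], set()).add(a["client"])
    return out

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Hosts reached by several clients with the same affiliate value are the ones worth pulling the downloaded executable for; a single hit on a long .com name is a weak signal on its own.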

Links to Spam
All three images shown in Figures 5a, 5b, and 5c link to scareware. The first campaign, Figure 5a, in fact belongs to Bredolab. The Bredolab variants we observed this report ranged between 20-60 kilobytes in size and all had MS Excel icons in their resource section (displayed to the user as the typical green X). The other two campaigns used different tactics, but very similar executables, both about 44 kilobytes in size. These had a cell phone icon in their resource section. Figure 5a has W32/Bredolab.X (#3) attached, whereas Figure 5b has W32/FakeAlert.SYY (#5) attached. So while Bredolab was using DHL invoices as a social engineering hook, scareware affiliates were using fake Conficker.B infections (Figure 5b) and UPS invoices (Figure 5c).

Affiliate programs that pay out cash to distributors (affiliates) once a victim has purchased fraudulent software continue to exist, and have no doubt acted as a catalyst to this increase in activity: for an affiliate, it is quick, easy cash. The fake antivirus software creators typically charge between $40 - $50 USD to purchase a full version of their product. In one such case, 4.5 million orders were observed over a period of 11 months (approximately $180 million USD charged). With the holiday season fast approaching, information stealers and banking trojans such as ZBot are in perfect position to grab cash from unsuspecting victims. To avoid becoming such a victim, a layered security solution is recommended to block attacks at multiple levels. Further, follow simple steps such as identifying the sender before clicking links / attachments from e-mails, blogs, or social networking sites. Remember that PDF and document files can get you infected as well!


Solutions



Customers who use Fortinet’s FortiGuard Subscription Services should already be protected against the threats outlined in this report. Threat activity is compiled by Fortinet's FortiGuard Labs using data gathered from its intelligence systems and FortiGate™ multi-threat security appliances in production worldwide. FortiGuard Subscription Services offer comprehensive security solutions including antivirus, intrusion prevention, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products.