
Threat Landscape Report - September 2009 Edition

The following statistics are compiled from Fortinet's FortiGate network security appliances and intelligence systems for the period August 21st - September 20th, 2009.



FortiGuard Global Threat Research

Exploits and Intrusion Prevention



Top 10 Exploitations & Regions



Top 10 exploitation attempts detected for this period, ranked by vulnerability traffic. Percentage indicates the portion of activity the vulnerability accounted for out of all attacks reported in this edition. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from low to critical. Critical issues are outlined in bold:
Rank  Vulnerability                                         Percentage  Severity
1     MS.DCERPC.NETAPI32.Buffer.Overflow                    13.1        Critical
2     HTTP.URI.Overflow                                     11.8        Critical
3     MS.SMB.DCERPC.SRVSVC.PathCanonicalize.Overflow         5.3        High
4     MS.Windows.ASN.1.Bitstring.Overflow                    4.2        High
5     FTP.Bounce.Attack                                      1.7        High
6     PNG.Image.Integer.Overflow                             1.6        Critical
7     Trojan.Storm.Worm.HTTP.DoS                             1.6        Low
8     IKE.Exchange.DoS.Version                               1.4        Low
9     NaviCOPA.URI.Buffer.Overflow                           1.1        High
10    MS.Excel.Malformed.OBJECT.Type.File.Code.Execution     1.1        High



Figure 1a: Top 5 regions by detected exploit attempts


New Vulnerability Coverage



There were a total of 108 vulnerabilities added to FortiGuard IPS coverage this period.
Of these added vulnerabilities, 46 were reported to be actively exploited (42.6%).

Figure 1b breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

For more information, see the detailed reports for this period at:

Figure 1b: New vulnerability coverage for this edition, categorized by severity

Malware Today

Top 10 Variants



Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

Rank  Malware Variant                Percentage  Top 100 Shift
1     W32/OnlineGames.BBR!tr         29.4        -
2     W32/Bredo.G!tr                 12.8        new
3     JS/PackRedir.A!tr.dldr          3.7        +2
4     HTML/Iframe.DN!tr.dldr          3.6        +2
5     Adware/AdClicker                3.1        +2
6     W32/Virut.A                     2.9        -2
7     W32/Netsky!similar              2.7        +1
8     HTML/Iframe_CID!exploit         2.3        +1
9     W32/OnlineGames.DRP!tr.pws      2.0        +3
10    W32/OnlineGames.EEX!tr          1.7        +12

Figure 2: Activity curve for top five malware variants


Regions & Volume



Top 5 regions for this period, ranked by distinct malware volume reported. Distinct malware volume indicates the number of unique virus names (variants) that have been detected in the given regions, as opposed to total malware volume, which indicates the accumulated number of all reported incidents. Total and distinct malware volume trends for the last six reporting periods are also given. Figures 3a-3c below show these statistics:


Figure 3a: Top 5 regions by distinct malware volume

Figure 3b: Six period trend for total malware volume

Figure 3c: Six period trend for distinct malware volume

For more information on daily activity per region, please visit our Virus World Map.


Spam and Email Threats

Spam Rate & Regions



The global spam rate is shown on a daily basis for this edition's given period. Spam rate indicates the accumulated emails which have been tagged as spam, in comparison to total email traffic. Top 5 spam regions are ranked by received spam in comparison to global spam volume. Statistics are graphed for business working days, and shown in Figures 4a-4b below:


Figure 4a: Spam rate compared to global email

Figure 4b: Top 5 spam regions by received spam


Top 3 In The Wild



Top three email threats observed for this period. Top emails have been filtered to highlight diverse campaigns by removing duplicates and unsolicited advertisements. This helps focus on scams and malicious intent; the resulting list is ranked by
Figures 5a-c below illustrate the most popular message tactics used during recent spam campaigns:


Figure 5a: Spam campaign #1

Figure 5b: Spam campaign #2

Figure 5c: Spam campaign #3



Crawling The Web



Threat Traffic & Growth



The following list breaks down the percentage of activity blocked for selected Web categories throughout this period. Percentage indicates how much activity was accounted for out of the four selected categories. Figure 6a shows a different scope, comparing only threat traffic: Malware, spyware, and phishing. The percentage shown in Figure 6a below indicates how much activity was accounted for out of these three threat categories. Figure 6b highlights the growth (or reduction) of selected web threat activity when compared period over period:

Web Threat Category  Percentage
Pornography          57.0
Malware              33.3
Spyware               5.3
Phishing              4.4



Figure 6a: Threat traffic volume break-down

Figure 6b: Threat traffic growth by period



Activity Recap



Most notable in our Virus Top 10 this period was the rise of W32/Bredo.G, which began on September 17th and continued past September 20th as of this writing. This variant is part of the Bredolab family, a trojan downloader which has been notoriously linked to rogue security software. Such fraudulent software has become ubiquitous due to its constantly morphing identities on the same core product and broad distribution by a strong affiliate network. Some recent examples of rogue security software, or scareware, distribution include an IRC bot pushing download commands (blog post here), various black hat SEO campaigns (blog post here), automated Twitter accounts, and malicious advertisements (NYTimes announcement here). Another such example lies with a variant of Bredolab in Figure 5c, a mass mailing campaign that utilizes a tried-and-true tactic: fake invoices, this one supposedly from DHL. The latest wave of these attacks began on August 31st; opening any of these attachments will enlist the user's machine into a network of zombies within the Bredolab/Gumblar botnet. This botnet first emerged in early 2009 and has also been known to seed attacks through PDF and SWF (Adobe Reader/Flash) files from compromised websites. FortiGuard detects these attacks as JS/PackRedir.A!tr and JS/Redir.MR!tr. JS/PackRedir.A has been in our top five detected viruses since June 2009, indicating the prevalence of such attacks.

September marks the one-year anniversary since we saw the initial explosion of scareware hitting cyberspace in what was then record volume. Indeed, one year later, we are still seeing the continued distribution of scareware through a variety of options available to cyber criminals. No doubt this has been a profitable model that still finds, and will continue to find, innovative ways to exploit end users. It is likely that these attacks will only diminish once scareware becomes too high-profile and easily recognizable to end users as a scam, similar to the decreasing click-through rates today with spam. However, this will in turn lead to more and different strategies for attack as cyber criminals explore more innovative ways to exploit end users' pocketbooks, and perhaps in even more forceful ways, such as ransomware. Ransomware attacks work by encrypting documents and other personal information, then offering decryption as a service for, of course, a not-so-reasonable fee.

Further highlighting innovative scams, Figure 5a shows yet another money mule recruitment scheme in the form of "Global Shipping Agency." The linked website looks very professional, with a template ripped from a legitimate site. Highlighted in red (Figure 5a) is the job position: "Customer Service Financial Assistant." From the job responsibilities on the website: "Professionally processes customer payments, using his bank account (or bank account set up especially for the company needs)." End users should be very wary of any such get-rich-quick schemes -- especially when it involves accepting/forwarding payments from their own bank account. These scams come in many flavors; we discussed one in the last report with "Honeywell International."

Another notable mass mailing attack we saw this period was a tax scare through the IRS (Figure 5b) distributing ZBot trojan/keylogger variants. ZBot has become a widespread issue due to the availability of its crimeware kit, Zeus. In August 2009, we detected record activity levels for some ZBot variants after notable surges in June 2009. Of course, these emails were not from the IRS, which is easily identified by the link highlighted in red (Figure 5b). The link text includes the email recipient's name as an identifier. An age-old trick is deployed within the link, using irs.gov (a legitimate domain) as a subdomain that resolves to a malicious server. These attacks started on September 9th and continue as of this writing. More interestingly, all domains observed in the attack were registered under the ccTLD "EU" (European Union), using various registrars including Namebay SAM and Ascio Technologies Inc. However, the registrars seem to be responsive, as many of the domains have been taken down, verified by a quick search on EURid. Despite the take-down process, these fraudulent domains are being frequently registered in what seems to be an automated fashion, as all domains contain six seemingly random alphanumeric characters. As an example, the domains followed this format: "www.irs.gov.xxxxxx.eu", where x is frequently changed/registered. As in many cases, a quick look at such a link can prevent infection by a nasty trojan set to steal end users' credentials.
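The "trusted domain as a subdomain" trick above can be caught mechanically by comparing where the brand's labels sit against the link's actual registrable domain. The following is an added example, not Fortinet code; PROTECTED_DOMAINS, the naive two-label registrable-domain rule and the sample links are constructed assumptions (no real indicators from the campaign are used).

```python
from urllib.parse import urlsplit

# Domains whose name phishers reuse as a subdomain prefix (assumed list).
PROTECTED_DOMAINS = ("irs.gov",)

def registrable_domain(host):
    """Naive registrable domain: last two labels. Fine for .gov/.eu here;
    a real deployment would consult the Public Suffix List."""
    return ".".join(host.split(".")[-2:])

def looks_random_label(label):
    """Six alphanumeric characters, the shape of the throwaway .eu domains."""
    return len(label) == 6 and label.isalnum()

def classify_link(url):
    """Classify a URL as 'legitimate' (registrable domain is the brand),
    'lookalike' (brand appears only as subdomain labels) or 'other'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    reg = registrable_domain(host)
    verdict = "other"
    for brand in PROTECTED_DOMAINS:
        if reg == brand:
            verdict = "legitimate"
            break
        b = brand.split(".")
        # brand labels as a run strictly before the registrable domain
        if any(labels[i:i + len(b)] == b for i in range(len(labels) - len(b))):
            verdict = "lookalike"
            break
    return {"host": host, "registrable": reg, "verdict": verdict,
            "random_label": looks_random_label(reg.split(".")[0])}

def flag_links(urls):
    """Return the classifications that should be treated as phishing."""
    return [r for r in map(classify_link, urls) if r["verdict"] == "lookalike"]

# Constructed sample links (not real indicators) in the format the report describes.
SAMPLE_LINKS = [
    "http://www.irs.gov.k7q2pz.eu/refund",   # lookalike under a throwaway .eu domain
    "https://www.irs.gov/",                  # the real domain
    "https://www.example.com/login",         # unrelated
]

if __name__ == "__main__":
    for r in flag_links(SAMPLE_LINKS):
        print(r)
```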

During this period, we saw the disclosure of two unpatched remote code execution vulnerabilities from Microsoft: IIS FTP Service (CVE-2009-3023) and Server Message Block (SMB2, CVE-2009-3103). As of this writing, we have detected low but steadily increasing exploit activity for the latter. We have also continued to see an increase in exploit activity in this period for Adobe Reader / Flash (CVE-2009-1862). The FortiGuard team continues to closely monitor all breaking threats, including the aforementioned critical vulnerabilities. There is an interim fix available from Microsoft for the SMB2 flaw. FortiGuard IPS blocks exploit attempts in advance, which is especially important for zero-days when no patches are readily available to deploy.

Virut and Online Gaming trojans remain very prevalent, as has been the case all year. While total detected malware dropped in volume this period (Figure 3b), the unique count of variants (distinct pieces of malicious code, Figure 3c) showed a continuous increase from previous months. Our global detected spam rate this period was at its highest at the end of the reporting cycle (Figure 4a), aided by the campaigns mentioned above. New to the picture in Figure 4b was the Netherlands, landing in 5th position for overall received spam volume. MS.DCERPC.NETAPI32.Buffer.Overflow, best known as Conficker/MS08-067, remained at the top of our detected exploit list, while exploitation of newly covered vulnerabilities also remained high (42.6%). The share of detected exploits that target new vulnerabilities has been creeping higher since May 2009, indicating more attacks and proof-of-concept code being developed for fresh vulnerabilities.


Solutions



Customers who use Fortinet’s FortiGuard Subscription Services should already be protected against the threats outlined in this report. Threat activity is compiled by Fortinet's FortiGuard Global Security Research Team using data gathered from its intelligence systems and FortiGate™ multi-threat security appliances in production worldwide. FortiGuard Subscription Services offer comprehensive security solutions including antivirus, intrusion prevention, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products.