
Threat Landscape Report - September 2010 Edition

The following statistics are compiled from Fortinet's FortiGate network security appliances and intelligence systems for the period August 21st - September 20th, 2010.

Table of Contents:


FortiGuard Labs

Exploits and Intrusion Prevention



Top 10 Attacks & Regions



The top 10 attack attempts detected for this period follow, ranked by the number of valid attack cases reported. Valid attack cases are defined as threats we have listed as a Threat Outbreak on our FortiGuard Center (RSS feed here). Percentage indicates the portion of activity for which the attack accounted out of the accumulated daily incidents reported during this period. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from medium to critical. Critical issues are outlined in bold. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the attack's debut in the Top 100. Figure 1a shows a daily record of attack cases reported for this period's Top 5 attacks. Figure 1b below shows the Top 5 regions attacked in comparison to total attack cases reported this period.
Rank | Vulnerability | Percentage | Severity | Top 100 Shift
1 | MS.DCERPC.NETAPI32.Buffer.Overflow | 27.3 | critical | +1
2 | SMTP.Auth.Buffer.Overflow | 16.4 | critical | 2
3 | MS.IE.Userdata.Behavior.Code.Execution | 16.1 | critical | -
4 | FreeType.CFF.Jailbreak.Apple.Device | 10.4 | high | new
5 | MS.Windows.Help.Center.Protocol.Malformed.Escape.Sequence | 10.3 | critical | -4
6 | FTP.USER.Command.Overflow | 7.7 | high | -1
7 | AWStats.Rawlog.Plugin.Logfile.Parameter.Input.Validation | 7.7 | high | -1
8 | Apache.Expect.Header.XSS | 7.3 | medium | -1
9 | Sasfis.Botnet | 6.2 | high | -
10 | MS.Windows.LSASS.Buffer.Overflow | 4.4 | high | 1



Figure 1a: Daily attack case activity for top 5 attacks

Figure 1b: Top 5 regions by number of attack cases


New Vulnerability Coverage



There were a total of 62 vulnerabilities added to FortiGuard IPS coverage this period.
Of these added vulnerabilities, 26 were reported to be actively exploited (41.9%).

Figure 1c breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

For more information, see the detailed reports for this period at:

Figure 1c: New vulnerability coverage for this edition, categorized by severity

Malware Today

Top 10 Variants



Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

Rank | Malware Variant | Percentage | Top 100 Shift
1 | W32/Krypt.B!tr.dldr | 22.2 | new
2 | W32/Krypt.D!tr.dldr | 17.2 | new
3 | W32/Katusha.MK!tr | 9.0 | new
4 | HTML/Iframe.DN!tr.dldr | 5.6 | -2
5 | W32/Sasfis.FVF!tr | 4.2 | new
6 | W32/Agent.29C7!tr.dldr | 3.6 | new
7 | JS/Redirector.NAU!tr | 1.7 | new
8 | HTML/Iframe_CID!exploit | 1.5 | new
9 | W32/Agent.YB!tr | 1.2 | new
10 | W32/Sasfis.MA!tr | 1.0 | new

Figure 2: Activity curve for top five malware variants


Regions & Volume



Top 5 regions for this period, ranked by distinct malware volume reported. Distinct malware volume is the number of unique virus names (variants) detected in a given region, as opposed to total malware volume, which is the accumulated count of all reported incidents. Total and distinct malware volume trends for the last six reporting periods are also given. Figures 3a-3c below show these statistics:


Figure 3a: Top 5 regions by distinct malware volume

Figure 3b: Six period trend for total malware volume

Figure 3c: Six period trend for distinct malware volume

For more information on daily activity per region, please visit our Virus World Map.


Spam and Email Threats

Spam Rate & Regions



The global spam rate is shown on a daily basis for this edition's period. Spam rate is the proportion of emails tagged as spam relative to total email traffic. The top 5 spam regions are ranked by received spam as a share of global spam volume. Statistics are graphed for business working days and shown in Figures 4a-4b below:


Figure 4a: Spam rate compared to global email

Figure 4b: Top 5 spam regions by received spam


Top 3 In The Wild



Top three email threats observed for this period. Top e-mails have been filtered to highlight diverse campaigns by removing duplicates and unsolicited advertisements, which helps focus on scams and malicious intent. Figures 5a-c below illustrate the most popular message tactics used during recent spam campaigns:


Figure 5a: Spam campaign #1

Figure 5b: Spam campaign #2

Figure 5c: Spam campaign #3



Crawling The Web



Threat Traffic & Growth



The following list breaks down the percentage of activity blocked for selected Web categories throughout this period. Percentage indicates how much activity was accounted for out of the four selected categories. Figure 6a shows a different scope, comparing only threat traffic: Malware, spyware, and phishing. The percentage shown in Figure 6a below indicates how much activity was accounted for out of these three threat categories. Figure 6b highlights the growth (or reduction) of selected web threat activity when compared period over period:

Web Threat Category | Percentage
Pornography | 70.0
Malware | 28.4
Spyware | 2.9
Phishing | 0.7



Figure 6a: Threat traffic volume break-down

Figure 6b: Threat traffic growth by period



Activity Recap



Several new threats developed this report period. Over 40 percent of our newly covered vulnerabilities were exploited / attacked this report (Figure 1c), a notable jump from previous months. There was some small shuffling in our top 10 attack list, with the exception of 'FreeType.CFF.Jailbreak.Apple.Device.Buffer.Overflow' which jumped into fourth position this report. The vulnerability (CVE-2010-2972) is being used to jailbreak Apple iPhones through PDF files. The problem lies in the Compact Font Format, which is supported in popular document formats such as PDF. Of course, the interesting aspect of this attack is that it is often used intentionally to jailbreak devices. However, as with any vulnerability, a scenario could exist where an attacker could jailbreak a phone for malicious purposes.

Two vulnerabilities were patched for Apple Quicktime on September 15th, one of which was discovered by FortiGuard Labs (FGA-2010-46). The other vulnerability (CVE-2010-1818) was a critical issue that bypassed DEP and ASLR protection technologies using Quicktime, disclosed on August 30th. There are in-the-wild flash samples trying to exploit this vulnerability. A Metasploit module was also developed on August 31st. The vulnerability was exploited in a zero-day state for over two weeks: patches can be found here in Quicktime 7.6.8. As of writing, Microsoft has also issued security advisories for two zero-day vulnerabilities: please follow our corresponding FortiGuard Advisories (FGA-2010-47, FGA-2010-48) for developments. Two zero-day Adobe vulnerabilities were also reported, with corresponding FortiGuard Advisories (FGA-2010-43, FGA-2010-45).

Botnets continued to be hot on the malware scene, Sasfis being one of the major detections. The top three detections in our malware list this report indicate packed, malicious samples - most of which relate to Sasfis. On September 14th there was a surge in Sasfis activity (see Figure 2) - thanks to the Asprox spambot. Asprox (see FortiGuard's Whitepaper here for background info) has been around for some time, but has been quite silent over the past year. One of our systems tracking Sasfis showed that the botnet downloaded an Asprox spam module on September 14th for a seeding campaign. The emails contained zipped executable attachments, disguised as fax copies. This attachment was a copy of Sasfis, which would in turn download Asprox to send more spam on the freshly infected machine. A sample email can be seen in Figure 5c. Asprox downloads encrypted spam templates through HTTP, under the filename "COMMON.BIN".

One variant we analyzed from our third detection (W32/Katusha.MK!tr) downloaded a sniffer module which scans traffic on TCP ports 21, 25 and 110 (FTP, SMTP and POP3). Traffic on these ports is processed by the module into encrypted data sets and sent via HTTP POST to a command and control server located in Europe. Stolen FTP credentials can be quite valuable and are often used to hijack web servers, for example by overwriting content with injected IFRAMEs that redirect users to malicious pages. We also observed this variant downloading the TotalSecurity ransomware suite, keeping this dangerous infection high on the radar.
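The IFRAME injection described above is something a web server operator can check for on their own pages. The following is an added example (not code from the report or from Fortinet) that parses served HTML and flags iframes that are hidden via CSS, sized to zero or one pixel, or sourced from a host other than the site's own; the sample page and the host names in it are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class IframeAuditor(HTMLParser):
    """Collect <iframe> tags that look injected: hidden, tiny, or pointing off-site."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "").strip() for k, v in attrs}
        reasons = []
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        if any(a.get(d, "").rstrip("px") in ("0", "1") for d in ("width", "height")):
            reasons.append("zero/one pixel size")
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if host and host != self.site_host:
            reasons.append("off-site source " + host)
        if reasons:
            self.findings.append((a.get("src", ""), reasons))

def audit_html(html, site_host):
    """Parse one served page and return the suspicious iframes found in it."""
    parser = IframeAuditor(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page (not a real capture): a legitimate same-site player iframe
# followed by the kind of hidden, off-site iframe the report describes being injected.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.invalid/player" width="640" height="360"></iframe>
<iframe src="http://attacker.invalid/in.php" width="0" height="0" style="display: none"></iframe>
</body></html>"""
```

Running this over a site's pages on a schedule, and diffing the result against a known-good baseline, turns an FTP credential theft into an alert rather than a silent redirect of visitors.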

Two other emails are highlighted this report in addition to the Sasfis/Asprox spam campaign. Figure 5a shows a spoofed NewEgg sales invoice, with links that point to an HTML page on a compromised web server. As of writing, the HTML page has been taken offline. Figure 5b shows a technique that we have discussed before, but which seems to be coming up more frequently. The email contains an attachment that is supposedly an invoice for a flooring project. The attachment is actually an HTML file containing obfuscated JavaScript. This should be an immediate red flag when observing such emails.
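Both lures in this section, the zipped executable posing as a fax copy (Figure 5c) and the HTML "invoice" carrying obfuscated JavaScript (Figure 5b), can be caught at the mail gateway by inspecting attachments rather than trusting their names. The following is an added example, not code from the report or from Fortinet, using only the Python standard library; the sample message, its subject and the marker list are constructed for illustration.

```python
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Markers typical of obfuscated JavaScript smuggled inside an HTML attachment.
JS_MARKERS = re.compile(r"<script|eval\(|unescape\(|String\.fromCharCode|document\.write\(", re.I)
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")

def _flag_html(name, data):
    hits = sorted({m.lower() for m in JS_MARKERS.findall(data.decode("latin-1", "replace"))})
    return "HTML attachment %s has script/obfuscation markers: %s" % (name, ", ".join(hits)) if hits else None

def _flag_zip(name, data):
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            bad = [n for n in zf.namelist() if n.lower().endswith(EXEC_EXT)]
    except zipfile.BadZipFile:
        return "attachment %s is named as a zip but is not a valid archive" % name
    return "zip attachment %s contains executable(s): %s" % (name, ", ".join(bad)) if bad else None

def triage_message(raw):
    """Return findings for the attachments of one raw RFC 5322 message (bytes)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        kind = part.get_content_type()
        if name.lower().endswith((".htm", ".html")) or kind == "text/html":
            findings.append(_flag_html(name, data))
        elif name.lower().endswith(".zip") or kind == "application/zip":
            findings.append(_flag_zip(name, data))
    return [f for f in findings if f]

def build_sample():
    """Constructed message, not a real capture: an HTML 'invoice' with obfuscated JS plus a zipped 'fax copy' .exe."""
    msg = EmailMessage()
    msg["Subject"] = "Invoice for flooring project"
    msg.set_content("Please see the attached invoice and fax copy.")
    html = b"<html><body><script>eval(unescape('%68%69'))</script></body></html>"
    msg.add_attachment(html, maintype="text", subtype="html", filename="invoice.html")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("fax_copy.exe", b"MZ placeholder, not a real program")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="fax.zip")
    return msg.as_bytes()
```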


Solutions



Customers who use Fortinet's FortiGuard Subscription Services should already be protected against the threats outlined in this report. Threat activity is compiled by Fortinet's FortiGuard Labs using data gathered from its intelligence systems and FortiGate™ multi-threat security appliances in production worldwide. FortiGuard Subscription Services offer comprehensive security solutions including antivirus, intrusion prevention, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products.