Prevalence Report

Threat Landscape Report - April 2010 Edition



The following statistics are compiled from Fortinet's FortiGate network security appliances and intelligence systems for the period March 21st - April 20th, 2010.

FortiGuard Labs

Exploits and Intrusion Prevention



Top 10 Attacks & Regions



The top 10 attack attempts detected for this period follow, ranked by the number of valid attack cases reported. Valid attack cases are defined as threats we have listed as a Threat Outbreak on our FortiGuard Center (also published as an RSS feed). Percentage indicates the portion of activity for which the attack accounted out of the accumulated daily incidents reported during this period. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from medium to critical. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the attack's debut in the Top 100. Figure 1a shows a daily record of attack cases reported for this period's Top 5 attacks. Figure 1b below shows the Top 5 regions attacked in comparison to total attack cases reported this period.

Rank  Vulnerability                                             Percentage  Severity  Top 100 Shift
1     Gumblar.Botnet                                            42.8        Critical  -
2     MS.IE.Userdata.Behavior.Code.Execution                    22.2        Critical  -
3     MS.DCERPC.NETAPI32.Buffer.Overflow                        21.5        Critical  -
4     Sasfis.Botnet                                             7.2         High      +1
5     FTP.USER.Command.Overflow                                 5.9         High      +1
6     AWStats.Rawlog.Plugin.Logfile.Parameter.Input.Validation  5.5         High      +1
7     Apache.Expect.Header.XSS                                  5.3         Medium    +1
8     SMTP.Auth.Buffer.Overflow                                 3.3         Critical  +1
9     MS.Content.Management.Server.Code.Execution               3.1         Critical  +1
10    Crystal.Reports.Path.Traversal                            3.0         Critical  new



Figure 1a: Daily attack case activity for top 5 attacks

Figure 1b: Top 5 regions by number of attack cases


New Vulnerability Coverage



There were a total of 108 vulnerabilities added to FortiGuard IPS coverage this period.
Of these added vulnerabilities, 30 were reported to be actively exploited (27.8%).

Figure 1c breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

For more information, see the detailed reports for this period at:

Figure 1c: New vulnerability coverage for this edition, categorized by severity

Malware Today



Top 10 Variants



The top 10 malware variants for this period are ranked by detected activity. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

Rank  Malware Variant           Percentage  Top 100 Shift
1     W32/FraudPack.fam!tr      28.7        +1
2     W32/Fakealert.TUI!tr      8.2         new
3     W32/Sasfis.E259!tr        5.6         new
4     HTML/Iframe.DN!tr.dldr    4.8         +4
5     W32/FraudLoad.T!tr        3.9         new
6     W32/AutoRun.BBC!worm      3.3         +5
7     W32/Agent.DA7E!tr         2.1         new
8     W32/FakeAV.MOZ!tr         2.0         new
9     W32/FakeAV.BW!tr          1.9         new
10    W32/Sasfis.477C!tr        1.6         new
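The attack and malware tables above both use the same three derived columns: rank by case count, percentage of the period's total, and a "Top 100 shift" against the previous edition. The following is an added example (not code from the report or from FortiGuard Labs) that computes those columns from two periods of constructed per-signature counts; the signature names and counts are invented for illustration.

```python
from collections import Counter

# Constructed sample data (not from the report): valid attack cases per
# signature for the previous and the current reporting period.
PREVIOUS_PERIOD = Counter({"Sig.A": 500, "Sig.B": 300, "Sig.C": 120, "Sig.D": 80})
CURRENT_PERIOD = Counter({"Sig.A": 420, "Sig.C": 200, "Sig.B": 150, "Sig.E": 90})


def ranking(counts):
    """Signatures ordered by case count, descending; ties broken by name."""
    return [name for name, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


def shift_label(name, prev_rank, cur_rank, pool=100):
    """Positional change versus the previous period's Top `pool` list:
    'new' if the signature was not in it, '-' if the position is unchanged,
    '+k' for k places up and '-k' for k places down."""
    if name not in prev_rank or prev_rank[name] > pool:
        return "new"
    delta = prev_rank[name] - cur_rank[name]
    return "-" if delta == 0 else f"{delta:+d}"


def top_n_table(prev_counts, cur_counts, n=10, pool=100):
    """Rows of (rank, signature, percentage of period total, shift label)."""
    cur_order = ranking(cur_counts)
    prev_order = ranking(prev_counts)
    cur_rank = {name: i + 1 for i, name in enumerate(cur_order)}
    prev_rank = {name: i + 1 for i, name in enumerate(prev_order)}
    total = sum(cur_counts.values())
    rows = []
    for name in cur_order[:n]:
        pct = round(100.0 * cur_counts[name] / total, 1)
        rows.append((cur_rank[name], name, pct, shift_label(name, prev_rank, cur_rank, pool)))
    return rows


if __name__ == "__main__":
    for rank, name, pct, shift in top_n_table(PREVIOUS_PERIOD, CURRENT_PERIOD):
        print(f"{rank:<5} {name:<12} {pct:>6} {shift}")
```

The percentage is taken against the sum of all cases in the current period, so a signature that moves up in rank can still show a lower percentage than it did last edition if the whole period was busier.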

Figure 2: Activity curve for top five malware variants


Regions & Volume



Top 5 regions for this period, ranked by distinct malware volume reported. Distinct malware volume indicates the number of unique virus names (variants) detected in the given region, as opposed to total malware volume, which indicates the accumulated count of all reported incidents. Total and distinct malware volume trends for the last six reporting periods are also given. Figures 3a-3c below show these statistics:
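Distinct and total volume rank regions differently: a region hit many times by one variant leads on total volume but not on distinct volume. This added example (not code from the report) computes both figures per region from a few constructed detection log lines; the line format and the region codes are assumptions, while the variant names are taken from the table above.

```python
from collections import defaultdict

# Constructed sample detection log (not real data): one line per reported
# incident, in an assumed "date region=XX virus=NAME" format.
SAMPLE_LOG = """\
2010-04-01 region=US virus=W32/FraudPack.fam!tr
2010-04-01 region=US virus=W32/FraudPack.fam!tr
2010-04-01 region=US virus=W32/FraudPack.fam!tr
2010-04-01 region=US virus=W32/FraudPack.fam!tr
2010-04-02 region=JP virus=W32/FraudPack.fam!tr
2010-04-02 region=JP virus=HTML/Iframe.DN!tr.dldr
2010-04-02 region=JP virus=W32/Sasfis.E259!tr
2010-04-03 region=KR virus=W32/AutoRun.BBC!worm
2010-04-03 region=KR virus=W32/FakeAV.MOZ!tr
2010-04-03 region=US virus=W32/Fakealert.TUI!tr
"""


def parse_events(text):
    """Return (region, virus) pairs from the assumed key=value log format."""
    events = []
    for line in text.splitlines():
        fields = dict(part.split("=", 1) for part in line.split()[1:])
        events.append((fields["region"], fields["virus"]))
    return events


def volumes_by_region(events):
    """Map region -> (total volume, distinct volume).
    Total counts every incident; distinct counts unique variant names."""
    total = defaultdict(int)
    variants = defaultdict(set)
    for region, virus in events:
        total[region] += 1
        variants[region].add(virus)
    return {r: (total[r], len(variants[r])) for r in total}


def top_regions(volumes, n=5, by="distinct"):
    """Top-n regions by the chosen measure; ties broken by region code."""
    idx = 1 if by == "distinct" else 0
    return sorted(volumes, key=lambda r: (-volumes[r][idx], r))[:n]


if __name__ == "__main__":
    vols = volumes_by_region(parse_events(SAMPLE_LOG))
    print("by distinct volume:", top_regions(vols, by="distinct"))
    print("by total volume:   ", top_regions(vols, by="total"))
```

On the sample, US reports the most incidents (five) but only two variants, so it leads on total volume and drops behind JP when ranked by distinct volume.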


Figure 3a: Top 5 regions by distinct malware volume

Figure 3b: Six period trend for total malware volume

Figure 3c: Six period trend for distinct malware volume

For more information on daily activity per region, please visit our Virus World Map.


Spam and Email Threats



Spam Rate & Regions



The global spam rate is shown on a daily basis for this edition's given period. Spam rate indicates the accumulated emails which have been tagged as spam, in comparison to total email traffic. Top 5 spam regions are ranked by received spam in comparison to global spam volume. Statistics are graphed for business working days, and shown in Figures 4a-4b below:


Figure 4a: Spam rate compared to global email

Figure 4b: Top 5 spam regions by received spam


Top 3 In The Wild



The top three email threats observed for this period follow. Top e-mails have been filtered to highlight diverse campaigns by removing duplicates and unsolicited advertisements, which helps focus on scams and malicious intent. Figures 5a-c below illustrate the most popular message tactics used during recent spam campaigns:


Figure 5a: Spam campaign #1

Figure 5b: Spam campaign #2

Figure 5c: Spam campaign #3



Crawling The Web



Threat Traffic & Growth



The following list breaks down the percentage of activity blocked for selected Web categories throughout this period. Percentage indicates how much activity was accounted for out of the four selected categories. Figure 6a shows a different scope, comparing only threat traffic: malware, spyware, and phishing. The percentage shown in Figure 6a below indicates how much activity was accounted for out of these three threat categories. Figure 6b highlights the growth (or reduction) of selected web threat activity when compared period over period:

Web Threat Category  Percentage
Pornography          49.8
Phishing             23.6
Malware              22.7
Spyware              3.8



Figure 6a: Threat traffic volume break-down

Figure 6b: Threat traffic growth by period



Activity Recap



For the second report in a row, MS.IE.Userdata.Behavior.Code.Execution (CVE-2010-0806) remained our second-most detected malicious network activity. Thankfully, this was patched out of band by Microsoft on March 30th via MS10-018. However, we detected the most significant in-the-wild activity for this threat prior to the patch, while the vulnerability remained in its zero-day state (a window of at least 21 days). In fact, as of writing, one of the malicious domains attacking this vulnerability still remains active, serving exploit code. We observed one attack install the infamous spy trojan Gh0st RAT, a full-featured remote administration tool that can also stream webcam video and audio feeds. FortiGuard Labs also disclosed four vulnerabilities that we reported to Adobe and Microsoft in the Visio and Reader / Acrobat products. Patches were issued for these this month; please see our bulletins (FGA-2010-17, FGA-2010-18) for more information. Be careful out there, and remember to keep all your software -- especially web browsers and operating-system-specific software -- up to date with available patches, on top of an intrusion prevention system.

While the Gumblar botnet led the way, Sasfis botnet activity also increased this period, landing in fourth spot for detected malicious network activity (Figure 1a). This was further backed by two Sasfis botnet binaries in our antivirus Top 10 listing. Sasfis, much like Bredolab, is a botnet loader which simply reports statistics and retrieves/executes files upon check-in. Unlike its counterpart Bredolab, however, Sasfis is a bit newer and does not employ any encryption (all communications are sent over HTTP unencrypted). Nonetheless, it remains aggressive in spreading and typically loads banking trojans among other malicious files. For more information on Sasfis, please see our technical analysis here. Detected virus activity this month primarily belonged to Scareware and Ransomware. This is no surprise, as Scareware has been consistently prevalent since September 2008, with Ransomware making headway in 2010, thanks to incentives from affiliate-backed programs that pay out when victims purchase the fake products.

We continue to observe the Cutwail spambot, which has been active for years, sending various spam campaigns for its customers. The spam sent by Cutwail this month typically included malicious links to eCard zip binaries, or emails with the binaries themselves attached. Figures 5a-5c highlight three spam campaigns which all share one purpose. As you can see, two companies are advertised ("us-consalt.com" and "web-projects-us.com") using very similar techniques / templates. Under the hood, they are money mule recruitment campaigns. Money mules are essentially money laundering vehicles utilized by cyber criminals to handle and transfer illicit funds: the mule receives a commission for doing the transfer. These transfers are done in batches, typically less than or equal to $10,000 USD. Money mule positions are typically crafted as legitimate-sounding jobs, such as accounts receivable positions. Here is another example of such a campaign from our December 2009 Threat Landscape Report. As cyber criminals expand their horizons and make more cash, there has been a direct increase in demand for money mules. One of our 2010 predictions (the rise of Ransomware) has already become a reality. We are clearly seeing more movement on another one (more money mule positions available) as more campaigns like these emerge. Remember, if something seems too good to be true, it generally is. To underscore this note, please see our recent analysis on the Anatomy of an Inland Revenue Phishing Expedition.


Solutions



Customers who use Fortinet's FortiGuard Subscription Services should already be protected against the threats outlined in this report. Threat activity is compiled by Fortinet's FortiGuard Labs using data gathered from its intelligence systems and FortiGate™ multi-threat security appliances in production worldwide. FortiGuard Subscription Services offer comprehensive security solutions including antivirus, intrusion prevention, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products.