# Threat Landscape Report - December 2008 Edition

The following statistics are compiled from Fortinet's FortiGate network security appliances and intelligence systems for the period November 21st - December 20th, 2008.
## Top 10 Exploitations

Top 10 exploitation attempts detected for this period, ranked by vulnerability traffic. Percentage indicates the portion of activity the vulnerability accounted for out of all attacks reported in this edition. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from low to critical. Critical issues are outlined in bold:

| Rank | Vulnerability | Percentage | Severity |
|---|---|---|---|
| 1 | Trojan.Storm.Worm.Krackin.Detection | 59.5 | High |
| 2 | MS.IIS.Web.Application.SourceCode.Disclosure | 2.5 | Medium |
| 3 | Danmec.Asprox.SQL.Injection | 2.0 | High |
| 4 | TCP.PORT0 | 1.8 | Low |
| 5 | SSLv3.SessionID.Overflow | 1.6 | High |
| 6 | MS.Exchange.Mail.Calender.Buffer.Overflow | 0.8 | High |
| 7 | MS.Network.Share.Provider.Unchecked.Buffer.DoS | 0.8 | High |
| 8 | MS.IE.HTML.Attribute.Buffer.Overflow | 0.8 | High |
| 9 | MS.SQL.Server.Insert.Statements.Privilege.Elevation | 0.7 | High |
| 10 | MS.SMB.DCERPC.SRVSVC.PathCanonicalize.Overflow | 0.6 | High |

### New Vulnerability Coverage

## Top 10 Variants

Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

## Regions & Volume

Top 5 regions for this period, ranked by distinct malware volume reported. Distinct malware volume indicates the number of unique virus names (variants) that have been detected in the given regions, as opposed to total malware volume, which indicates the accumulated amount of all reported incidents. Six-month trends are also given up to the last calendar day of the most recently completed month. Figures 3a-3c below show these statistics:
For more information on daily activity per region, please visit our Virus World Map.

## Circulating Spam

### Spam Rate

The global spam rate is shown on a daily basis for this edition's given period. Spam rate indicates the accumulated emails which have been tagged as spam, in comparison to total email traffic. Statistics are graphed for business working days, and shown in Figure 4 below:

[Figure 4: Spam rate compared to global email]

### Top 3 In The Wild

Top three spam e-mails observed for this period. Top e-mails have been filtered to highlight diverse campaigns by removing duplicates and unsolicited advertisements. This helps focus on scams and malicious intent; the resulting list is ranked by

Figures 5a-c below illustrate the most popular message tactics used during recent spam campaigns:
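As an added example that is not from Fortinet's report, the following Python computes the statistics defined in the Top 10, Regions & Volume and Spam Rate sections above from a few constructed telemetry records: the percentage share per signature, a Top-N ranking with the positional-shift column, distinct versus total malware volume per region, and the business-day spam rate. Every signature name, variant name, region, date and count in it is a constructed placeholder, not a value from the report.

```python
"""Added example, not part of Fortinet's report: computes the statistics the
report defines (share of attack traffic per IPS signature, Top-N ranking with
positional shift versus the previous edition, distinct versus total malware
volume per region, and the business-day spam rate) from constructed records.
All signature names, variant names, regions, dates and counts are constructed."""
from collections import Counter, defaultdict
from datetime import date

# Constructed IPS detection counts per signature for the current period.
IPS_EVENTS = Counter({
    "Worm.Detection": 595,
    "Mail.Buffer.Overflow": 342,
    "SourceCode.Disclosure": 25,
    "SQL.Injection": 20,
    "Port0.Probe": 18,
})
# Constructed ranking from the previous edition (position 1 first).
PREVIOUS_TOP = ["Mail.Buffer.Overflow", "SQL.Injection", "Worm.Detection", "Port0.Probe"]

# Constructed (region, variant) malware incident records.
MALWARE_EVENTS = [
    ("Americas", "Scareware.A"), ("Americas", "Scareware.A"),
    ("Americas", "Scareware.A"), ("Americas", "Keylogger.B"),
    ("EMEA", "Keylogger.B"), ("EMEA", "OnlineGames.C"), ("EMEA", "FileInfector.D"),
]

# Constructed (date, tagged_as_spam) mail records; 2008-12-06 is a Saturday.
MAIL_LOG = [
    (date(2008, 12, 1), True), (date(2008, 12, 1), True),
    (date(2008, 12, 1), False), (date(2008, 12, 1), False),
    (date(2008, 12, 2), True), (date(2008, 12, 2), True),
    (date(2008, 12, 2), True), (date(2008, 12, 2), False),
    (date(2008, 12, 6), True), (date(2008, 12, 6), True),
]


def share_percent(counts):
    """Percentage of all reported events each item accounts for (the report's
    'Percentage' column), rounded to one decimal place."""
    total = sum(counts.values())
    return {name: round(100.0 * n / total, 1) for name, n in counts.items()}


def ranked(counts, top=10):
    """Item names ordered by volume, highest first; ties broken by name."""
    return sorted(counts, key=lambda name: (-counts[name], name))[:top]


def top_n_with_shift(counts, previous_ranking, top=10):
    """Rows of (rank, name, percentage, shift). Shift is the report's
    positional change versus the previous edition: positive means the item
    climbed, negative means it fell, and 'new' means it was absent before."""
    pct = share_percent(counts)
    previous_pos = {name: i for i, name in enumerate(previous_ranking, start=1)}
    rows = []
    for rank, name in enumerate(ranked(counts, top), start=1):
        shift = previous_pos[name] - rank if name in previous_pos else "new"
        rows.append((rank, name, pct[name], shift))
    return rows


def malware_volume_by_region(events):
    """Per region: (distinct volume, total volume). Distinct volume counts
    unique variant names; total volume counts every reported incident, so one
    variant reported in bulk inflates the total but not the distinct figure."""
    variants = defaultdict(set)
    total = Counter()
    for region, variant in events:
        variants[region].add(variant)
        total[region] += 1
    return {region: (len(variants[region]), total[region]) for region in variants}


def spam_rate_by_business_day(mail_log):
    """Daily spam rate as a percentage of all mail, for business days only
    (Monday to Friday), keyed by ISO date string in chronological order."""
    spam, total = Counter(), Counter()
    for day, tagged_as_spam in mail_log:
        if day.weekday() >= 5:  # Saturday or Sunday: not graphed
            continue
        total[day] += 1
        if tagged_as_spam:
            spam[day] += 1
    return {day.isoformat(): round(100.0 * spam[day] / total[day], 1)
            for day in sorted(total)}


if __name__ == "__main__":
    for row in top_n_with_shift(IPS_EVENTS, PREVIOUS_TOP, top=5):
        print(row)
    print(malware_volume_by_region(MALWARE_EVENTS))
    print(spam_rate_by_business_day(MAIL_LOG))
```

The distinct/total split is the part worth keeping separate in any such dashboard: in the constructed data the Americas region reports more incidents than EMEA but fewer unique variants, which is exactly the pattern a single bulk-reported family produces when it inflates total volume without broadening the threat set.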
## Crawling The Web

### Web Traffic

The following list breaks down the percentage of activity blocked for selected Web categories throughout this period. Percentage indicates how much activity was accounted for out of the four selected categories. Figure 6 shows a different scope, comparing only threat traffic: malware, spyware, and phishing. The percentage shown in Figure 6 below indicates how much activity was accounted for out of these three threat categories.
## Activity Recap

Several changes on the threat landscape were observed over this period. One notable change is a shift in malware trends: our top 10 showed variants which had significantly increased in positioning / activity from last report. Our top spot this month was occupied by W32/Zbot.GXN, a keylogger / banking trojan. The trend in online gaming trojans also continues, as frequent activity places Spy/OnlineGames in third position. Online gaming trojans have been steadily increasing since April 2008, and we forecast no stop to this as we progress into 2009. This is primarily due to the growing popularity and number of online games, combined with the real-world value of their virtual assets. Marketplaces in these virtual worlds are setting up shop worldwide. It should be noted that such online gaming trojans should be seen as a threat to all users, including corporations, not just gamers. Any trojan sitting on a machine has effectively compromised its security and should be considered a threat.

The rogue security software ("scareware") run that hit cyberspace hard in September 2008 has been sharply declining since. This campaign showed up in unprecedented numbers for such a short period of time. The net effect flooded the threat landscape, greatly inflating malware volume. In turn this created a very high profile, drawing many eyes and spawning several legal battles. While the problem has not completely gone away, the drop in activity from the apex seen in September can temporarily be seen as yet another win for the security space, in coordination with law enforcement. In terms of malware volume, we have observed a shift from these pay-as-you-go scareware scams to keylogging and information siphoning.
Following in hot pursuit of the rogue security software run, the keylogging family W32/Goldun was also introduced in September 2008, and consistently made its way into our top ten during October and November 2008, while tailing off this period. This keylogging family utilized a rootkit, which is becoming more popular due to availability and the necessity for stealth, especially when it comes to data siphoning. During this whirlwind of activity between keyloggers and scareware throughout the last six months, W32/Virut.A has managed to consistently rank in our top 10.

Malware, spyware, and phishing related website traffic remained steady from last report.

Global spam rates were significantly on the increase (Figure 4), rising over ten percent from November's sub-forty percent levels. Spam levels have continued to increase into 2009, as spam-spewing botnets get back on track for the new year. While this was predicted (as the McColo shake-up was seen to be only a temporary solution), we look forward to more such enforcement in 2009. It took nearly a month for spam levels to claw back after plummeting when the San Jose-based ISP went offline. If an aggressive pace is set in 2009 to shut down such hosting farms, long strides will be made towards closing this door. In 2008, multiple occurrences of spam being posted on Web 2.0 platforms (i.e. social networking) were observed. This trend has already continued into 2009, and will certainly gain further momentum.

For circulating spam this month, it is interesting to note that the same UPS spam campaign seen back in August/September 2008 (see Fortinet's War of the Rogues analysis, Figure 2) is still in action. The purported UPS email that circulated for this period (named in Figure 5b as United Postal Service) contains a malicious payload, and has a slightly modified social engineering campaign.
On top of arousing the recipient's curiosity (for package pickup / invoice viewing), the email also states that a fee will be applied if action is not taken quickly, yet another scare tactic being employed here. Figure 5c is courtesy of the Canadian Pharmacy gang, and uses an interesting spam template that leverages the spiraling housing market (mostly in the USA) combined with the financial crisis. It promises a solution to people who have high payments and low home values, a social engineering technique that would prove more effective in times like these. The link ultimately leads to a typical Canadian Pharmacy site, pushing fraudulent pharmaceuticals. Recently, the Canadian Pharmacy gang has been using current events and news headlines in their spam to dupe victims more effectively.

## Solutions

Customers who use Fortinet's FortiGuard Subscription Services should already be protected against the threats outlined in this report. Threat activity is compiled by Fortinet's FortiGuard Global Security Research Team using data gathered from its intelligence systems and FortiGate™ multi-threat security appliances in production worldwide. FortiGuard Subscription Services offer comprehensive security solutions including antivirus, intrusion prevention, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products.