Prevalence Report

Threat Landscape Report - July 2010 Edition



The following statistics are compiled from Fortinet's FortiGate network security appliances and intelligence systems for the period June 21st - July 20th, 2010.


FortiGuard Labs

Exploits and Intrusion Prevention



Top 10 Attacks & Regions



The top 10 attack attempts detected for this period follow, ranked by the number of valid attack cases reported. Valid attack cases are defined as threats we have listed as a Threat Outbreak on our FortiGuard Center (RSS feed here). Percentage indicates the portion of activity for which the attack accounted out of the accumulated daily incidents reported during this period. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from medium to critical. Critical issues are outlined in bold. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the attack's debut in the Top 100. Figure 1a shows a daily record of attack cases reported for this period's Top 5 attacks. Figure 1b below shows the Top 5 regions attacked in comparison to total attack cases reported this period.
Rank | Vulnerability                                              | Percentage | Severity | Top 100 Shift
-----|------------------------------------------------------------|------------|----------|--------------
1    | Java.Deployment.Toolkit.Launch.Method.Access               | 28.9       | Critical | -
2    | MS.IE.Userdata.Behavior.Code.Execution                     | 14.9       | Critical | -
3    | MS.DCERPC.NETAPI32.Buffer.Overflow                         | 10.9       | Critical | -
4    | MS.Windows.Help.Center.Protocol.Malformed.Escape.Sequence  | 8.7        | Critical | new
5    | SMTP.Auth.Buffer.Overflow                                  | 4.6        | Critical | +4
6    | Apache.Expect.Header.XSS                                   | 3.5        | Medium   | -
7    | MS.IE.Deleted.DOM.Object.Access.Memory.Corruption          | 3.2        | Critical | +3
8    | FTP.USER.Command.Overflow                                  | 3.2        | High     | -1
9    | AWStats.Rawlog.Plugin.Logfile.Parameter.Input.Validation   | 3.1        | High     | -1
10   | MS.IE.Event.Invalid.Pointer.Memory.Corruption              | 2.7        | Critical | -4



Figure 1a: Daily attack case activity for top 5 attacks

Figure 1b: Top 5 regions by number of attack cases


New Vulnerability Coverage



There were a total of 91 vulnerabilities added to FortiGuard IPS coverage this period.
Of these added vulnerabilities, 31 were reported to be actively exploited (34.1%).

Figure 1c breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

For more information, see the detailed reports for this period at:

Figure 1c: New vulnerability coverage for this edition, categorized by severity

Malware Today



Top 10 Variants



Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

Rank | Malware Variant          | Percentage | Top 100 Shift
-----|--------------------------|------------|--------------
1    | W32/Sasfis.BLP!tr.dldr   | 15.4       | new
2    | W32/Sasfis.BML!tr.dldr   | 10.6       | +1
3    | JS/ObRedirect.A!tr       | 10.2       | new
4    | W32/Sasfis.BLN!tr.dldr   | 9.6        | new
5    | W32/Sasfis.BLQ!tr.dldr   | 7.4        | new
6    | W32/Sasfis.BLR!tr.dldr   | 6.2        | new
7    | W32/Sasfis.FFE2!tr       | 4.0        | new
8    | JS/Feebs.A@mm            | 2.1        | +1
9    | W32/Sasfis.BLS!tr.dldr   | 1.7        | new
10   | W32/Sasfis.PDK!tr.dldr   | 1.4        | new

Figure 2: Activity curve for top five malware variants


Regions & Volume



Top 5 regions for this period, ranked by distinct malware volume reported. Distinct malware volume indicates the number of unique virus names (variants) that have been detected in the given regions, as opposed to total malware volume, which indicates the accumulated number of all reported incidents. Total and distinct malware volume trends for the last six reporting periods are also given. Figures 3a-3c below show these statistics:


Figure 3a: Top 5 regions by distinct malware volume

Figure 3b: Six period trend for total malware volume

Figure 3c: Six period trend for distinct malware volume

For more information on daily activity per region, please visit our Virus World Map.


Spam and Email Threats



Spam Rate & Regions



The global spam rate is shown on a daily basis for this edition's given period. Spam rate indicates the accumulated emails which have been tagged as spam, in comparison to total email traffic. Top 5 spam regions are ranked by received spam in comparison to global spam volume. Statistics are graphed for business working days, and shown in Figures 4a-4b below:


Figure 4a: Spam rate compared to global email

Figure 4b: Top 5 spam regions by received spam


Top 3 In The Wild



Top three email threats observed for this period. Top e-mails have been filtered to highlight diverse campaigns by removing duplicates and unsolicited advertisements. This helps focus on scams and malicious intent. Figures 5a-c below illustrate the most popular message tactics used during recent spam campaigns:


Figure 5a: Spam campaign #1

Figure 5b: Spam campaign #2

Figure 5c: Spam campaign #3



Crawling The Web



Threat Traffic & Growth



The following list breaks down the percentage of activity blocked for selected Web categories throughout this period. Percentage indicates how much activity was accounted for out of the four selected categories. Figure 6a shows a different scope, comparing only threat traffic: Malware, spyware, and phishing. The percentage shown in Figure 6a below indicates how much activity was accounted for out of these three threat categories. Figure 6b highlights the growth (or reduction) of selected web threat activity when compared period over period:

Web Threat Category | Percentage
--------------------|-----------
Pornography         | 67.5
Malware             | 28.4
Spyware             | 3.6
Phishing            | 0.6



Figure 6a: Threat traffic volume break-down

Figure 6b: Threat traffic growth by period



Activity Recap



Global detected malware volume continued its rise from last report, reaching levels observed earlier in the year (Figure 3b). One major contributor to this was the Sasfis botnet, as it continued its strong run. Eight Sasfis variants landed in our Top 10 Malware listing this report. In fact, nine out of ten of our top malware detections listed this period were new variants of similar malware families. This is a common occurrence, as malware authors (and the malware itself, through its own update mechanisms) continue to roll out updated copies. Earlier in the year, the Sasfis botnet was dedicated to downloading and executing software (primarily FakeAV) on infected systems. This period, we observed Sasfis spamming heavily after it downloaded updated spamming modules. Typical examples of spam from Sasfis include fake UPS invoices and Facebook photo links.

Spam bots such as Cutwail continue to diversify, sending a variety of spam themes on a frequent basis. One spam email we observed from Pushdo (Figure 5c) was a phish for Amazon.com. This is a classic phish, easily detected by hovering over the link and observing (highlighted in red in the image) where you are really going. Prevalent spam campaigns this report varied from phishes, to attached HTML files that redirected users to malicious sites, to emails carrying malicious attachments themselves. The diversity of these spam campaigns, and their targets, shows how botnets continue to serve the needs of their underground customers. Figures 5a and 5b show two emails that use money transfers as social engineering. In both cases, HTML files were attached that contained malicious, obfuscated JavaScript. When executed, end users would be redirected to malicious sites.
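The "hover over the link" check described above can be automated for mail filtering: compare the host a link's visible text claims against the host its href actually resolves to. This is an added example, not code from the report or from Fortinet; the sample message body and the placeholder IP address in it are constructed for illustration.

```python
"""Flag HTML e-mail links whose visible text names a different host than
their real destination: the mismatch a user sees when hovering over a link."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body in the style of the Amazon.com phish described in
# the report; the destination address is a documentation placeholder.
SAMPLE_EMAIL = """
<p>Your order could not be processed. Please verify your account:</p>
<a href="http://198.51.100.23/amazon/login.php">https://www.amazon.com/account</a>
<p>Questions? Visit <a href="https://www.amazon.com/help">Amazon Help</a>.</p>
"""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(value):
    """Lower-cased hostname of a URL or of bare text like 'www.example.com/x';
    empty string when the value does not look like a URL at all."""
    value = value.strip()
    if not value or any(ch.isspace() for ch in value):
        return ""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()

def find_mismatched_links(html):
    """Return (visible_text, real_host) for links whose visible text names a
    host that differs from the host the href actually points to."""
    collector = _LinkCollector()
    collector.feed(html)
    suspicious = []
    for href, text in collector.links:
        shown = _host(text)
        # Plain words such as "Amazon Help" name no host, so only URL-like
        # link text is compared against the real destination.
        if "." in shown and shown != _host(href):
            suspicious.append((text, _host(href)))
    return suspicious
```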

Over 30% of our newly covered vulnerabilities continued to be exploited, an ongoing trend that we have witnessed for well over a year. There were a total of 91 new vulnerabilities added this period, showing that hackers continue to exploit a large number of known security holes. Figure 1c breaks down these vulnerabilities by severity, the majority of them being rated 'High'. This gives an idea of scope, severity and in-the-wild activity. In itself, this reflects the importance of quickly patching security holes as fixes become available, on top of having IPS detection. Even with proper patch management in place, all it takes is one zero-day vulnerability to be exploited (even in low volume) to potentially cause a significant impact. For an example in July, look no further than the Stuxnet attacks (see our FAQ). While the attack is under investigation, the fact that a trojan associated with the exploit was seemingly developed to target industrial control systems underscores this point. Further, this is also a good example of how little interaction is required by the end user to become infected. The Stuxnet exploit attacked a Windows Shell vulnerability (CVE-2010-2568) to launch its attack by simply opening a folder (thus viewing an icon). Recall that we saw a similar attack method with PDF files through JBIG2 image streams and Windows shell extensions back in 2009 (CVE-2009-0658): simply browsing a folder could trigger infection. Fortinet detects the vulnerability associated with the Stuxnet attack as 'MS.Windows.Shell.LNK.Code.Execution', and generically detects the exploited ".LNK" payload with antivirus as 'W32/ShellLink.a!exploit.CVE20102568'. As of writing, there are workarounds but no official patch released from Microsoft.

'MS.Windows.Help.Center.Protocol.Malformed.Escape.Sequence' was attacked in a zero-day state before Microsoft rolled out a patch for Windows Help Center (CVE-2010-1855) on July 13th. The vulnerability was publicly disclosed on June 5th, and we observed attacks happening as of June 11th. Attacks continued on a frequent basis this period, landing the attack in fourth position on our top 10 attack list. The attacks occurred through websites, but were somewhat more potent because they were not restricted to a single web browser (they were launched through the HCP protocol handler, which all browsers hand off to). In many cases websites that serve exploits will try to fingerprint browsers and launch attack code tailored to those browsers. Like Stuxnet, this is yet another example of a zero-day vulnerability successfully attacked before a patch is made available.


Solutions



Customers who use Fortinet’s FortiGuard Subscription Services should already be protected against the threats outlined in this report. Threat activity is compiled by Fortinet's FortiGuard Labs using data gathered from its intelligence systems and FortiGate™ multi-threat security appliances in production worldwide. FortiGuard Subscription Services offer comprehensive security solutions including antivirus, intrusion prevention, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products.