Prevalence Report

Threat Landscape Report - June 2010 Edition



The following statistics are compiled from Fortinet's FortiGate network security appliances and intelligence systems for the period May 21st - June 20th, 2010.



FortiGuard Labs

Exploits and Intrusion Prevention



Top 10 Attacks & Regions



The top 10 attack attempts detected for this period follow, ranked by the number of valid attack cases reported. Valid attack cases are defined as threats we have listed as a Threat Outbreak on our FortiGuard Center (RSS feed here). Percentage indicates the portion of activity for which the attack accounted out of the accumulated daily incidents reported during this period. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from medium to critical. Critical issues are outlined in bold. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the attack's debut in the Top 100. Figure 1a shows a daily record of attack cases reported for this period's Top 5 attacks. Figure 1b below shows the Top 5 regions attacked in comparison to total attack cases reported this period.
Rank  Vulnerability                                              Percentage  Severity  Top 100 Shift
1     Java.Deployment.Toolkit.Launch.Method.Access               60.2        Critical  -
2     MS.IE.Userdata.Behavior.Code.Execution                     17.2        Critical  -
3     MS.DCERPC.NETAPI32.Buffer.Overflow                         12.8        Critical  -
4     Gumblar.Botnet                                             6.7         Critical  -
5     MS.IE.Event.Invalid.Pointer.Memory.Corruption              5.1         Critical  +13
6     Apache.Expect.Header.XSS                                   4.2         Medium    +1
7     FTP.USER.Command.Overflow                                  3.7         High      +1
8     AWStats.Rawlog.Plugin.Logfile.Parameter.Input.Validation   3.4         High      -2
9     SMTP.Auth.Buffer.Overflow                                  3.3         Critical  -
10    MS.IE.Deleted.DOM.Object.Access.Memory.Corruption          3.3         Critical  +4



Figure 1a: Daily attack case activity for top 5 attacks

Figure 1b: Top 5 regions by number of attack cases


New Vulnerability Coverage



There were a total of 201 vulnerabilities added to FortiGuard IPS coverage this period.
Of these added vulnerabilities, 71 were reported to be actively exploited (35.3%).

Figure 1c breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

For more information, observe the detailed reports for this period at:

Figure 1c: New vulnerability coverage for this edition, categorized by severity

Malware Today



Top 10 Variants



Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

Rank  Malware Variant       Percentage  Top 100 Shift
1     JS/Redir.BK!tr        48.0        new
2     W32/Sasfis.SFS!tr     12.7        new
3     W32/Sasfis.BML!tr     8.3         +20
4     W32/Krap.AE!tr        3.1         new
5     W32/Sasfis.BKI!tr     1.9         new
6     JS/Redirect.NBV!tr    1.6         new
7     W32/Sasfis.GT!tr      1.3         new
8     W32/Netsky!similar    1.0         +1
9     JS/Feebs.A@mm         0.7         -1
10    W32/Sasfis.6C42!tr    0.5         new

Figure 2: Activity curve for top five malware variants


Regions & Volume



Top 5 regions for this period, ranked by distinct malware volume reported. Distinct malware volume indicates the number of unique virus names (variants) that have been detected in the given regions, as opposed to total malware volume, which indicates the accumulated number of all reported incidents. Total and distinct malware volume trends for the last six reporting periods are also given. Figures 3a-3c below show these statistics:


Figure 3a: Top 5 regions by distinct malware volume

Figure 3b: Six period trend for total malware volume

Figure 3c: Six period trend for distinct malware volume

For more information on daily activity per region, please visit our Virus World Map.


Spam and Email Threats



Spam Rate & Regions



The global spam rate is shown on a daily basis for this edition's given period. Spam rate indicates the accumulated emails which have been tagged as spam, in comparison to total email traffic. Top 5 spam regions are ranked by received spam in comparison to global spam volume. Statistics are graphed for business working days, and shown in Figures 4a-4b below:


Figure 4a: Spam rate compared to global email

Figure 4b: Top 5 spam regions by received spam


Top 3 In The Wild



Top three email threats observed for this period. Top e-mails have been filtered to highlight diverse campaigns by removing duplicates and unsolicited advertisements. This helps focus on scams and malicious intent; the resulting list is ranked by Figures 5a-c below illustrate the most popular message tactics used during recent spam campaigns:


Figure 5a: Spam campaign #1

Figure 5b: Spam campaign #2

Figure 5c: Spam campaign #3



Crawling The Web



Threat Traffic & Growth



The following list breaks down the percentage of activity blocked for selected Web categories throughout this period. Percentage indicates how much activity was accounted for out of the four selected categories. Figure 6a shows a different scope, comparing only threat traffic: Malware, spyware, and phishing. The percentage shown in Figure 6a below indicates how much activity was accounted for out of these three threat categories. Figure 6b highlights the growth (or reduction) of selected web threat activity when compared period over period:

Web Threat Category  Percentage
Pornography          65.5
Malware              30.4
Spyware              3.7
Phishing             0.3



Figure 6a: Threat traffic volume break-down

Figure 6b: Threat traffic growth by period



Activity Recap



While there were plenty of new variations of malware that entered our top ten listing this report, many of them belonged to the Sasfis botnet. Sasfis, which has been battling in terms of volume with the Pushdo botnet recently, was very active this month. We observed Sasfis loading a spambot component which was heavily used to send out binary copies of itself in an aggressive seeding campaign. Sasfis' socially engineered emails fell into two distinct themes, one with fake UPS Invoice attachments (filename: "UPS_Invoice_{date}.zip"), and the other disguised as a fees statement (filename: "fees_2009_2010.zip"). Much like the Pushdo and Bredolab botnets, Sasfis is a loader - the spambot agent is just one of multiple (in our observations, typically four or five) components downloaded.

After being relatively quiet this period, as of writing the Pushdo botnet has jumped out of the bushes with a direct ambush against an investment website, using a global DDoS attack. Indeed, Pushdo still has power left in its ranks - the website is currently unresponsive. Digesting this, it becomes apparent that it is business as usual for these malicious networks as they launch routine seeding campaigns to build on their infection base. As we have seen in the past, and continue to see today, the operators behind these loaders are not shy and will use their power on demand with no remorse. This typically happens in waves of individual attacks and spam campaigns.

Speaking of attacks in waves, as seen in Figure 1a, on June 7th we saw a hit-and-run attack for CVE-2010-0249 (we detect this as MS.IE.Event.Invalid.Pointer.Memory.Corruption). This attack first surfaced (in terms of visibility) in January 2010, used in the infamous Aurora attacks to plant spy trojans on targeted, major corporations. The attack has since lain low, last present in our top 10 in February's report. This is another example of how vulnerabilities are still targeted months (years even) after they are patched, and yet another reminder to keep patch management practices in place alongside a valid IPS solution to guard against both new and old attacks. As seen in Figure 2, we covered over 200 new vulnerabilities this period, nearly double compared to last report. This means that more and more software vulnerabilities continue to be disclosed, ultimately available to hackers for malicious use. FortiGuard Labs discovered four vulnerabilities in Flash and Excel; these vulnerabilities were disclosed and patched this period. For more information see our advisories for Adobe and Microsoft. By discovering these vulnerabilities in advance (before a patch is available), FortiGuard can provide proactive detection through IPS.

For malware, the only detection that topped the aforementioned botnet binaries was JS/Redir.BK - obfuscated JavaScript code which had a surge of activity on June 12th and 13th. The JavaScript code redirected users to various (legitimate) domains hosting an injected HTML page named "z.htm". In our observations, the JavaScript code was circulated through an HTML attachment in spam emails using various themes. In one attack (Figure 5b), the HTML containing the malicious JavaScript code was attached as the file "open.htm" in an e-mail urging the user to update their MS Outlook client. Interestingly, we saw the exact same e-mail also circulating with a FakeAV binary attachment, once again proving that spam templates are often recycled for various attacks. Figure 5a shows an email socially engineered for the FIFA World Cup, in a "bad news" email that had the same malicious JavaScript attached through a file named "news.html". Finally, Figure 5c shows yet another variation on the JavaScript attack using Facebook passwords as a theme - with the malicious HTML file attached as "facebook_newpass.html".

There is no doubt that JavaScript is one of the most popular languages used today for attacks. It is used in a growing number of poisoned document attacks (PDF), particularly with heap-spray based techniques. It is also used to launch exploits, and it is popular as a browser redirector to malicious sites, since the JavaScript code can be obfuscated and appear more complex than the traditional IFrame based attacks of the past. While it is not always feasible to disable JavaScript, consider policies based around the usage and execution of scripts, especially for document files. Of course, we recommend antivirus for mitigation against such JavaScript based attacks at all layers (web, email, etc).
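The two lure types the recap describes (ZIP attachments with invoice or fee-statement names used in the Sasfis seeding campaign, and HTML attachments carrying obfuscated JavaScript redirectors such as JS/Redir.BK) can be triaged at the mail gateway with a simple heuristic pass before antivirus or sandboxing sees them. The following Python is an added example written for this page, not FortiGuard or Fortinet code; the indicator weights, the score threshold, the assumption that the UPS invoice date is numeric, and the sample message are all constructed for illustration.

```python
"""
Mail-attachment triage for the lure types described in the recap: ZIP lures
with invoice/fee-statement names and HTML attachments carrying obfuscated
JavaScript. Added example, not Fortinet/FortiGuard code. Indicator weights,
the score threshold and the sample message are constructed assumptions.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Attachment names quoted in the report; the {date} part is assumed numeric.
LURE_NAME_PATTERNS = [
    re.compile(r"^UPS_Invoice_\d+\.zip$", re.IGNORECASE),
    re.compile(r"^fees_\d{4}_\d{4}\.zip$", re.IGNORECASE),
]

# Constructs typical of obfuscated redirector scripts, with assumed weights.
JS_INDICATORS = {
    "eval(": 3,
    "unescape(": 3,
    "fromCharCode": 3,
    "document.write(": 2,
    "window.location": 2,
    "setTimeout(": 1,
}
# A run of 20+ percent- or \x-escaped bytes is a strong obfuscation signal.
ESCAPED_RUN = re.compile(r"(?:%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}){20,}")
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)
SUSPICIOUS_THRESHOLD = 5  # assumed cut-off for the 'obfuscated-js' verdict


def score_html(body: str) -> int:
    """Return an obfuscation score for an HTML body; 0 when it has no script."""
    if not SCRIPT_TAG.search(body):
        return 0
    score = sum(w for needle, w in JS_INDICATORS.items() if needle in body)
    if ESCAPED_RUN.search(body):
        score += 4
    return score


def triage_message(raw: bytes) -> list:
    """Classify every attachment of a raw RFC 822 message.

    Returns (filename, verdict, score) tuples; verdicts are
    'lure-name-match', 'zip', 'obfuscated-js', 'html' or 'other'.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        lower = name.lower()
        if lower.endswith(".zip"):
            lure = any(p.match(name) for p in LURE_NAME_PATTERNS)
            findings.append((name, "lure-name-match" if lure else "zip", 0))
        elif lower.endswith((".htm", ".html")):
            content = part.get_content()
            if isinstance(content, bytes):
                content = content.decode("utf-8", "replace")
            score = score_html(content)
            verdict = "obfuscated-js" if score >= SUSPICIOUS_THRESHOLD else "html"
            findings.append((name, verdict, score))
        else:
            findings.append((name, "other", 0))
    return findings


def build_sample_message() -> bytes:
    """Constructed test message mirroring the lures described in the recap."""
    msg = EmailMessage()
    msg["From"] = "it-support@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Update your Outlook client"
    msg.set_content("Please open the attached file to update your client.")
    # ZIP lure named like the Sasfis invoice theme (dummy bytes, not an archive).
    msg.add_attachment(b"PK\x03\x04 dummy", maintype="application", subtype="zip",
                       filename="UPS_Invoice_20100612.zip")
    # HTML attachment with an eval/unescape wrapper around a long escaped string.
    escaped = "%75%6e%65%73%63%61%70%65" * 4
    html = f"<html><body><script>eval(unescape('{escaped}'));</script></body></html>"
    msg.add_attachment(html, subtype="html", filename="open.htm")
    # Benign HTML attachment with no script at all.
    msg.add_attachment("<html><body><p>Quarterly report</p></body></html>",
                       subtype="html", filename="report.html")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict, score in triage_message(build_sample_message()):
        print(f"{name:28} {verdict:16} score={score}")
```

Run as a script it prints one verdict per attachment of the constructed message. The score is meant as a routing signal (quarantine, detonate, or hand to antivirus), not a standalone block decision: a name match alone says nothing about the archive's contents, and a low script score does not prove an HTML attachment is clean, so the file is still scanned on the remaining layers the report recommends.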


Solutions



Customers who use Fortinet’s FortiGuard Subscription Services should already be protected against the threats outlined in this report. Threat activity is compiled by Fortinet's FortiGuard Labs using data gathered from its intelligence systems and FortiGate™ multi-threat security appliances in production worldwide. FortiGuard Subscription Services offer comprehensive security solutions including antivirus, intrusion prevention, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products.