Prevalence Report

Threat Landscape Report - March 2010 Edition

The following statistics are compiled from Fortinet's FortiGate network security appliances and intelligence systems for the period February 21st - March 20th, 2010.

Exploits and Intrusion Prevention

Top 10 Attacks & Regions

The top 10 attack attempts detected for this period follow, ranked by the number of valid attack cases reported. Valid attack cases are defined as threats we have listed as a Threat Outbreak on our FortiGuard Center (RSS feed here). Percentage indicates the portion of activity for which the attack accounted out of the accumulated daily incidents reported during this period. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from medium to critical. Critical issues are outlined in bold. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the attack's debut in the Top 100. Figure 1a shows a daily record of attack cases reported for this period's Top 5 attacks. Figure 1b below shows the Top 5 regions attacked in comparison to total attack cases reported this period.

Rank	Vulnerability	Percentage	Severity	Top 100 Shift
1	Gumblar.Botnet	35.7	Critical	-
2	MS.IE.Userdata.Behavior.Code.Execution	24.7	Critical	new
3	MS.DCERPC.NETAPI32.Buffer.Overflow	18.7	Critical	-1
4	MS.IE.Event.Invalid.Pointer.Memory.Corruption	9.7	Critical	-1
5	Sasfis.Botnet	8.2	High	+8
6	FTP.USER.Command.Overflow	5.4	High	-
7	AWStats.Rawlog.Plugin.Logfile.Parameter.Input.Validation	5.2	High	-
8	Apache.Expect.Header.XSS	4.5	Medium	-
9	SMTP.Auth.Buffer.Overflow	3.4	Critical	+10
10	MS.Content.Management.Server.Code.Execution	3.3	Critical	-1

Figure 1a: Daily attack case activity for top 5 attacks

Figure 1b: Top 5 regions by number of attack cases

New Vulnerability Coverage

There were a total of 99 vulnerabilities added to FortiGuard IPS coverage this period.
Of these added vulnerabilities, 31 were reported to be actively exploited (31.3%).

Figure 1c breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

For more information, observe the detailed reports for this period at:

Intrusion Prevention - Service Update History

Figure 1c: New vulnerability coverage for this edition, categorized by severity

Malware Today

Top 10 Variants

Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

Rank	Malware Variant	Percentage	Top 100 Shift
1	W32/PackAgent.A!tr.dldr	11.8	new
2	W32/FraudPack.fam!tr	11.3	new
3	W32/PackAntiEm.A!tr	10.8	+5
4	W32/Fakealert.TUJ!tr	4.5	new
5	W32/Agent.24C7!tr.dldr	4.0	new
6	W32/PackBredolab.E!tr	3.2	new
7	W32/Fakealert.GIJ!tr	2.7	new
8	HTML/Iframe.DN!tr.dldr	2.6	-2
9	W32/DigiPog.EP!tr	2.5	new
10	W32/FraudLoad.TDV!tr	2.5	new

Figure 2: Activity curve for top five malware variants

Regions & Volume

Top 5 regions for this period, ranked by distinct malware volume reported. Distinct malware volume indicates the amount of unique virus names (variants) that has been detected in the given regions, as opposed to total malware volume, which indicates the accumulated amount of all reported incidents. Total and distinct malware volume trends for the last six reporting periods are also given. Figures 3a-3c below show these statistics:

Figure 3a: Top 5 regions by distinct malware volume

Figure 3b: Six period trend for total malware volume

Figure 3c: Six period trend for distinct malware volume

For more information on daily activity per region, please visit our Virus World Map.

Spam and Email Threats

Spam Rate & Regions

The global spam rate is shown on a daily basis for this edition's given period. Spam rate indicates the accumulated emails which have been tagged as spam, in comparison to total email traffic. Top 5 spam regions are ranked by received spam in comparison to global spam volume. Statistics are graphed for business working days, and shown in Figures 4a-4b below:

Figure 4a: Spam rate compared to global email

Figure 4b: Top 5 spam regions by received spam

Top 3 In The Wild

Top three email threats observed for this period. Top e-mails have been filtered to highlight diverse campaigns by removing duplicates and unsolicited advertisements. This helps focus on scams and malicious intent; the resulting list is ranked by Figures 5a-c below illustrate the most popular message tactics used during recent spam campaigns:

Figure 5a: Spam campaign #1

Figure 5b: Spam campaign #2

Figure 5c: Spam campaign #3

Crawling The Web

Threat Traffic & Growth

The following list breaks down the percentage of activity blocked for selected Web categories throughout this period. Percentage indicates how much activity was accounted for out of the four selected categories. Figure 6a shows a different scope, comparing only threat traffic: Malware, spyware, and phishing. The percentage shown in Figure 6a below indicates how much activity was accounted for out of these three threat categories. Figure 6b highlights the growth (or reduction) of selected web threat activity when compared period over period:

Web Threat Category	Percentage
Pornography	68.4
Malware	27.0
Spyware	4.5
Phishing	0.2

Figure 6a: Threat traffic volume break-down

Figure 6b: Threat traffic growth by period

Activity Recap

Riding off the coat tails of a hot February, ransomware threats dominated our Top 10 malware list this report. Every single detection in our list, with the exception of HTML/Iframe.DN, resulted in either scareware or ransomware infesting the victim's PC. The "Total Security" ransomware threat observed to be spread by the Cutwail botnet last period was prevalent once again, while another Ransomware threat - W32/DigiPog.EP - surfaced as well this month. DigiPog is an SMS blocker using Russian language, locking out a system and aggressively killing off popular applications like Internet Explorer and FireFox until an appropriate code is entered into a field provided to the user. To obtain the code, a user must send a SMS message to the provided number, receiving a code in return. This SMS blocker advertises the Russian site "active-acs.com." Upon execution, DigiPog registers the user's MAC address with its server. While SMS-based ransomware threats aren't particularly new, it is the first time one has landed in our Top 10 list, and provides further proof that the rise of ransomware is well on its way. We observed the primary drivers behind these threats to be two of the most notorious botnet "loaders" -- Bredolab and Pushdo.

These two botnets have demonstrated quite clearly that they have the horsepower required to deliver threats such as Ransomware for multiple customers, no doubt cashing in along the way. Scareware has previously been the number one threat downloaded by Bredolab/Pushdo; however, we are now seeing a shift towards ransomware as cyber criminals continue to develop ransom models. Challenging Bredolab and Pushdo this month is Sasfis, yet another Botnet loader. For more information on Sasfis, please refer to our analysis here. We detected Sasfis C&C network communication in much higher volume this report, up 8 positions in our Top 100 attack list from last period, landing just behind Gumblar & Conficker network activity. Sasfis is just the latest example of simplified botnets ("loaders") which are used heavily for malicious business services (crime as a service); it is more than likely that we will see more competition on this front this year.

Speaking of exploits and botnets, be sure to stay tuned to BlackHat Europe 2010 for two presentations delivered by FortiGuard Labs - click here for more info. As more security mechanisms are put in place in the fight against cyber crime in general, innovative ways continue to defeat them. This period, a new zero-day threat aggressively entered our Top 10 attack list: MS.IE.Userdata.Behavior.Code.Execution (CVE-2010-0806, FortiGuard Advisory 2010-14). As of writing, the threat remains a zero-day and very potent, given the fact that it accounted for 1/4 of our detected activity this report. Most of our detected activity for this hot exploit was in Japan, Korea and the U.S. This exploit triggers a vulnerability in Internet Explorer, making remote code execution through a drive-by download (no user interaction required) possible. Indeed, we have seen this already in the wild -- dropping malicious binaries on compromised systems. We also saw CVE-2010-0188 (blog post here), a stack overflow exploit on Adobe PDF, which successfully (and reliably) bypasses DEP (Data Execution Prevention), which is enabled "permanently" in Adobe Reader 9. As a result, vulnerability and exploit reports continue to roll in as detailed in our New Vulnerability Coverage (Figure 1c). Are all of your patches in place? FortiGuard Labs continues to discover zero-day vulnerabilities and responsibly report them to vendors before they are discovered and used for malicious purposes. As a result, our intrusion prevention services will help not only with known vulnerabilities if you are not up to date with your patches, but also zero-days including ones we have discovered. For a list of such zero-days, please refer to our "Upcoming Advisories" page on our FortiGuard Center.

On the mobile malware scene, Yxes continues to make waves more than a year after its first appearance. Indeed, the authors have been revamping this threat ever since. Have a look at our blog post on the latest variant, which demonstrates a version timeline. Yxes.H reaches out to remote web servers, which use Java Server Pages to both redirect smart phones and serve up mobile malware. It seems as though Yxes' authors have been debugging their creation, an ongoing trend with malware in general. We have observed this with Webwail as well, and often see binaries complete with full debugging symbols.

Spam continues to roll in waves, through traditional SMTP but also through Web mail via our newly discovered Webwail engine. Popular spam campaigns this report included Bredolab seeding through typical eCards and Amazon parcel tracking services (Figures 5a/5c), on top of spam spreading through Yahoo Groups. Figure 5b shows an e-mail sent out through Yahoo Groups by a spammer who has invited the target to join the group. Upon joining the group, the target will see multiple messages posted with links. Those links are shortened using "doiop.com." This is clearly an automated process, as each group name consists of 6 random alphanumeric characters with a similar random 17-byte description. By using services such as Yahoo Groups and link obfuscators, cyber criminals aim to make their attacks more effective against antispam and webfiltering. We continue to monitor these attacks and guard against them in real-time.

Solutions

Customers who use Fortinet’s FortiGuard Subscription Services should already be protected against the threats outlined in this report. Threat activity is compiled by Fortinet's FortiGuard Labs using data gathered from its intelligence systems and FortiGate™ multi-threat security appliances in production worldwide. FortiGuard Subscription Services offer comprehensive security solutions including antivirus, intrusion prevention, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products.