- Description Last Updated
Note that encyclopedia descriptions are updated periodically, and impact levels adjusted according to the latest data. However, as fast as events can occur, a threat may rapidly become widespread or quickly die off in prevalence before a description's next update occurs.
- Date Discovered
The date a virus is first discovered is subjective and may be difficult to identify precisely, since it is relative to the discovery dates reported by other antivirus vendors. When assigning a date of discovery, Fortinet will always attempt to present the date closest to when it first observed the threat.
- First Detected in FortiGate DB Version
At any point in time, Fortinet may provide antivirus and NIDS database updates for up to three FortiOS (Fortinet Operating System) versions. Up until the end of its life, each FortiOS version will in turn support the most recently available antivirus database update. Based on the FortiOS your unit has installed, "First Detected in FortiGate DB Version" will convey to a FortiGate user the minimum antivirus database update required to detect a virus.
- Impact Level
At the time of the writing of each description, the categories - damage, prevalence, how widespread a threat is, its vector, the number of possible targets, and potential rate of infection/spread - are taken into account when assigning an averaged impact level.
According to this scale, the greater the impact of a threat, the greater the threat's impact level. Explained elsewhere in this document are various examples of how a threat might receive a particular level of impact.
- Length
Known threats sometimes have definite sizes associated with the arriving file(s). When a threat has a definite static file size, that size is always given in the description. If a threat does not have the same static file size, an encyclopedia description may indicate the size of the threat varies. "Varies" indicates that, while a threat may not vary in appearance or internal functional code, it varies in file size. "Variable" indicates the file size changes because the threat is (for example) polymorphic. In this case, the appearance, the internal functional code of the threat, and its size are variable.
- Class
Threats fall into various classes or major categories. These categories include Apple Macintosh virus, Application, Attack, Backdoor, Batch file virus, Boot virus, Exploit, File virus, Linux virus, Macro virus, Multipartite or Tripartite virus, Script virus, Trojan horse, Worm or File virus/Worm hybrid.
- Affects
Which operating system(s) does this threat affect? Most viruses will affect more than one operating system. For example, most 32-bit viruses will function under MS Windows 98, Me, 2000, NT and XP. Other threats may not function at all under any Microsoft operating system because the threat is native to Linux.
- Known Alias(es)
Not all antivirus vendors will call the same threat by the same name. Sometimes differences are minimal, sometimes the names are very different. Whenever possible, Fortinet will also list the name or names by which other antivirus products identify threats.
Impact Level
- Impact level 1
Impact level 1 includes zoo viruses and exploits (i.e. those threats that are not found on actual systems and are not being actively reported by individuals or antivirus vendors) and any ineffective threat that is flawed and therefore will not spread effectively. This level may also apply to viruses reported to Fortinet researchers with a very low frequency (for example, when only one report of a virus arrives at Fortinet).
- Impact level 2
Threats reported to Fortinet researchers as spreading receive an impact level of 2. These threats use known-efficient infection vectors (i.e. internet-borne viruses, network-aware and P2P worms), and are designed to spread or distribute themselves massively.
- Impact level 3
Threats reported as spreading and attaining a measurable degree of prevalence receive an impact level of 3. Such threats are not, however, currently at outbreak level at the time of writing of the description.
- Impact level 4
Threats that have already become widespread (but may now be dying off) receive an impact level of 4. Threats in this category may no longer fall into the 'outbreak' category, but are still very much in the wild.
- Impact level 5
Threats at impact level 5 have usually been discovered within the last 24-48 hours. Due to several of the aforementioned characteristics (mass mailer, etc.), such a threat is quickly becoming, or has already become, extremely widespread.
Level of Impact -- Considerations
Attackers test your computer's operating system and underlying application software for weaknesses and attempt to exploit them in order to gain access to your system. The options of attackers are limited only by their abilities and level of access to the system.
Computer viruses exploit certain functions of operating system and application software in ways that allow them to spread to other computers. While most simply attach themselves to executable files playing the part of nothing more than a form of digital graffiti, there are viruses capable of erasing or modifying programs and data, or transmitting password lists and other confidential bits of information.
Some of the most successful viruses in years past have attempted to keep themselves hidden from visual observation. The intention of this concealment was to allow for the virus to spread itself to many systems before the inevitable detection.
In more recent years, the modus operandi of virus writers has been to write viruses that spread themselves at an extremely fast rate. They do not appear to care whether the virus is detected or not, but rather seem to rely on the possibility that it will fully saturate computers connected to the Internet with copies of itself before detection matters.
At the time of the writing of each description, each category stated below - damage, prevalence, how widespread the threat is, its vector, the number of possible targets, and potential rate of infection/spread - is taken into account when assigning an averaged impact level to the threat.
According to this scale, the greater the impact of a threat, the greater the threat's impact level. Threats are rated on a scale of 1-5, as described below. Also explained below are various examples of how a threat might receive its level of impact.
Damage
Each threat varies in degree and type of damage inflicted. Viruses such as Form or W32/HLLP.Hantaner modify executable code in a predictable manner. There are others, such as nearly any variant found within the VBS/LoveLetter-mm family, that completely overwrite a file with its own code, making recovery possible only from backup. Some hackers expose your customer-base credit card database while others have nothing more than a quick look around.
In some instances damage from an attack is reversible. In other instances the damage is not reversible.
Prevalence
How often a threat is identified as being found in the wild by Fortinet antivirus researchers, and other antivirus research professionals in the community. Manually initiated attacks are far less prevalent compared to the number of automated infections a single computer virus can produce. Prevalence ratings for manually initiated attacks are therefore scaled accordingly.
The higher the prevalence, the greater the chance that you will encounter the virus.
Widespread
How widespread is the threat? If a threat is able to propagate at a fast enough rate (i.e. it has a high prevalence) then it is also likely to become widespread.
Common today is the rapid achievement of an Internet-wide outbreak. When a threat becomes widespread quickly it is very difficult to then completely stomp out its existence -- even over time. For just as with wildfire, as one flare is being put down, another will almost certainly pop up to take its place.
When looking at a description, note the threat may be on its way to becoming widespread, or it may have already reached its height and is now dying off.
Prevalence vs. a threat that is Widespread
A threat may have a high prevalence, but that does not always indicate that it is widespread. In other words, you may find the threat existing within the walls of your domain on a daily basis. Even one instance of a virus may begin yet again a cycle resulting in hundreds of infections. In such a case, the virus has a high prevalence.
However, this does not mean that it is widespread. For example, the threat may exist only in one region of the world, because it has a language dependency. A good example of such a virus is WM/TWNO.A:Tw.
Vector of infection
What is the vector of infection? How common and efficient that vector is has a bearing on the classification.
Email is a good example of an efficient vector of infection. Many people have email. Internet-borne mass-mailer virus/worms exploit the open services and natural abilities of email applications to spread themselves. Email is thus a vector of infection.
W32/Bady.C (Code Red II -- a virus/intrusion hybrid) relies on a flaw in a specific version of Microsoft IIS to propagate. At the time of its initial outbreak, there were a huge number of computers running the flawed version of IIS. For the Code Red exploit, IIS was a highly efficient vector.
Threats like Nimda exploit multiple vectors of infection simultaneously. This increases the odds that at least one of their methods of transmission will be successful in finding its way to the next computer.
Another vector of infection is by means of web content. Just as with email attachments, URLs can link to download infected files which, when launched by the user, may automatically execute and cause infection. In addition, the HTTP protocol is feature rich, and can carry executable content (JavaScript, etc.) that can execute without requiring any action by the user after a web link is accessed. Simply clicking on a malicious link can load a virus, worm or trojan that can execute without further user action. Thus, while the fastest spreading techniques will often use email or some other mechanism to spread, web traffic provides a very efficient means for launching an attack, enabling the threat to get a foothold in the user's environment and then spread via other means.
A large population of susceptible targets along with the proper method of vectoring the threat to the objective will give the threat a greater chance of becoming widespread.
Potential rate of infection/spread:
Taking into account whether the scope of the threat is limited (i.e. its impact clearly falls below level 2, as described above), and whether this is known or unknown at the time of writing of the description: is the spread of the threat slow or fast?
Number of potential targets
A threat may have an efficient method of self-propagation, but if there are no computers to travel to, it probably won't become very successful -- that is if success is to be judged in terms of how widespread it becomes. The threat has to find the next computer to attack.
This outbreak datum is an estimate made at the time of outbreak. Complete accuracy cannot be assured, but is greatly enhanced by past experience with the threat itself, or with similar threat types.
Popularity
Popularity profiles the global adoption of an application. Applications are classified to be either popular, or not popular, based on how widespread the general public and customers have adopted it. FortiGuard worldwide intelligence systems are used in combination with real-time public data derived from demand to classify the popularity of an application.
Risk
The risk level of an application defines the potential security risk of a particular application. While almost any application may have the possibility of being host to an attack vector, the risk level provides an estimate of the likelihood of a threat taking place. To gauge this, several factors are considered such as known vulnerabilities, their various risk levels, and frequency over a relevant period of time.
Technology
Technology describes the way an application was designed to function and communicate - its structure. As examples, applications may use peer-to-peer communication, Web browsers and Web technology, or primarily be based on a client-server architecture. The category of the application will further define how the technology is used.
Threat Level Indicators
Vulnerabilities
The vulnerabilities threat indicator measures the outbreak of new intrusion-type threats over a 14-day trend with the indicator levels weighted based on severity. For new intrusions and vulnerabilities, the FortiGuard Global Threat Research Team assigns a severity level of 1 (low), 2 (medium), 8 (high), and 40 (critical). Threats are confirmed by analysis and shared with the Vulnerability Watch organization to identify and eliminate false positives.
Normal indicates that combined severity level of detected intrusions is one. Even at the normal level, organizations without an Intrusion Prevention System (IPS) are at an extreme risk of compromise.
Elevated indicates that the combined severity level is between 2 and 8 inclusive.
High indicates that the combined severity level is between 9 and 39 inclusive.
Severe indicates that the combined severity level is 40 or greater. Five threats with a severity of high are equivalent to one threat with a severity of critical.
For all IPS threat levels, network security administrators should review the list of recent threats and protection signatures to evaluate the impact on their systems and platforms.
Virus, Spyware, and other Malware Threats
The antivirus threat indicator measures the outbreak of new threats (virus, spyware, and other malware) with a composite average that includes a 14-day, 5-day, and 3-day trend. Previously identified threats protected against by new signature updates are excluded from the measurement. Threats are verified by the FortiGuard Global Threat Research Team.
Normal indicates that less than one percent of sampled devices have experienced an active outbreak of a new malware event. Even at the normal level, existing and prior malware threats are a significant problem, and firewalls with antivirus/antispyware systems are needed to protect organizations.
Elevated indicates that two to 10 percent of sampled devices have experienced an active outbreak of a new malware event.
High indicates that 11 to 50 percent of sampled devices have experienced an active outbreak of a new malware event. Network security administrators should review the list of recent threats to evaluate if their operating systems and platforms are affected and confirm their AV signatures are up to date.
Severe indicates that more than 50 percent of sampled devices have experienced an active outbreak of a new malware event. In addition to reviewing the list of recent threats, network security administrators should strongly consider sending end-user communications reminding end-users of good security practices related to email and Web browsing, plus encouraging full system scans using end-point security such as FortiClient.
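The two indicators above are both computed from a trailing window of confirmed events and then bucketed into Normal/Elevated/High/Severe. The following Python is an added example (not Fortinet's code) that implements both the vulnerabilities indicator and the malware indicator as described: the severity weights 1/2/8/40, the 14-day window and the level thresholds are taken from the text; the record layout, the treatment of a combined severity of zero as Normal, the handling of the undefined 1-2 percent band as Normal, and the way the 14-, 5- and 3-day malware percentages are averaged into one composite are assumptions made here. The sample events are constructed for illustration.

```python
"""Added example: FortiGuard-style threat level indicators (illustrative, not Fortinet's code)."""
from datetime import date, timedelta

# Severity weights as stated on the page: five "high" events (5 x 8 = 40)
# are equivalent to one "critical" event.
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 8, "critical": 40}


def vulnerability_level(events, today, window_days=14):
    """Sum the severity weights of new intrusions inside the trailing window
    and map the combined level to Normal / Elevated / High / Severe.

    events: iterable of (date, severity_name) pairs (layout is an assumption).
    Returns (level, combined_severity).
    """
    cutoff = today - timedelta(days=window_days)
    combined = sum(
        SEVERITY_WEIGHT[sev] for day, sev in events if cutoff < day <= today
    )
    if combined >= 40:
        return "Severe", combined
    if combined >= 9:
        return "High", combined
    if combined >= 2:
        return "Elevated", combined
    return "Normal", combined  # 1 per the page; 0 treated as Normal (assumption)


def malware_level(outbreaks, sampled_devices, today, windows=(14, 5, 3)):
    """Percent of sampled devices with an active outbreak of a *new* malware
    event, computed per window and averaged into one composite (the
    averaging is an assumption), then mapped to the page's levels.

    outbreaks: iterable of (date, device_id, covered_by_existing_signature).
    Events already protected by an earlier signature update are excluded,
    and a device is counted once per window however many events it reports.
    Returns (level, composite_percent).
    """
    percents = []
    for w in windows:
        cutoff = today - timedelta(days=w)
        devices = {
            dev for day, dev, covered in outbreaks
            if not covered and cutoff < day <= today
        }
        percents.append(100.0 * len(devices) / sampled_devices)
    composite = sum(percents) / len(percents)
    if composite > 50:
        level = "Severe"
    elif composite >= 11:
        level = "High"
    elif composite >= 2:
        level = "Elevated"
    else:
        level = "Normal"  # below 1% per the page; 1-2% undefined, treated as Normal
    return level, round(composite, 1)


# Constructed sample data (not real FortiGuard telemetry).
TODAY = date(2024, 3, 15)
SAMPLE_INTRUSIONS = [
    (date(2024, 3, 14), "high"),
    (date(2024, 3, 10), "high"),
    (date(2024, 3, 5), "medium"),
    (date(2024, 2, 1), "critical"),  # older than 14 days: not counted
]
SAMPLE_OUTBREAKS = [
    (date(2024, 3, 15), "dev-01", False),
    (date(2024, 3, 14), "dev-02", False),
    (date(2024, 3, 13), "dev-03", False),
    (date(2024, 3, 12), "dev-04", False),  # inside 5- and 14-day windows only
    (date(2024, 3, 9), "dev-05", False),   # inside the 14-day window only
    (date(2024, 3, 14), "dev-06", True),   # already covered by a signature: excluded
    (date(2024, 3, 14), "dev-01", False),  # same device again: counted once
]

if __name__ == "__main__":
    print("IPS indicator:", vulnerability_level(SAMPLE_INTRUSIONS, TODAY))
    print("AV indicator:", malware_level(SAMPLE_OUTBREAKS, 200, TODAY))
```

With the sample data the IPS indicator sums 8 + 8 + 2 = 18 (High); the February critical event falls outside the window. The malware indicator yields 2.5, 2.0 and 1.5 percent for the three windows, a composite of 2.0 percent (Elevated), with the signature-covered device and the duplicate report excluded.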
Spam
The Spam threat level indicator measures both the rising/falling trend and the impact of spam volume detection compared to a running average (median) for the prior 10 weeks. This indicator reports on the amount of spam rising or falling and its spread across sampled Fortinet systems. Network security managers can use the threat indicator to help evaluate whether stricter controls should be deployed. The threat levels are:
Normal indicates that spam levels are remaining constant and antispam controls are necessary to manage the flow of unwanted bulk emails into an organization. Without an antispam system in place, organizations and their end-users will face productivity losses as valuable personnel time and network resources are consumed dealing with spam messages.
Elevated indicates that 50 percent or less of sampled devices have experienced an increase of 55 percent or less compared to the running average. Network security administrators will notice a surge in spam detections.
High indicates that between 51 and 100 percent of sampled devices have experienced an increase in spam detection of between 56 and 65 percent. Network security administrators should confirm that they are running the latest threat signature package and should consider deploying heuristic filtering.
Severe also indicates that 51 to 100 percent of the sampled devices have experienced an increase in spam detection, and that the increase has been 85 percent or more. Network security administrators should strongly consider deploying heuristic filtering. This should be coupled with end-user communication training users on how to manage email marked as spam.