by Derek Manky  |  Jul 01, 2009  |  Filed in: Security Research

There was quite a bit of movement on the threat landscape this period, which I have summarized below. For more detail, our June 2009 Threat Landscape report can be found on Fortinet's FortiGuard Center.

Web threat traffic rose significantly overall, with the most noticeable change in malware and phishing. Looking at period-over-period growth since the last report, phishing and malware web traffic grew at the highest rate yet, both posting significant gains. These gains represent more volume being directed towards malicious sites, an ongoing trend as we continue to pave the way into the next generation of online services and threats. In line with the increase in web-borne malware, total malware detections have also been steadily increasing. While total malware detections have been rising since March 2009, the distinct volume (the number of unique pieces of malicious code detected) remains relatively flat. Cyber criminals have been enjoying success by driving mass amounts of traffic to their threats, aided by a large online community using a vast number of vulnerable services.

For the first time in a while, Netsky has been knocked out of our Malware Top 10 list. Two of the main threat drivers we have seen this year, Online Gaming Trojans and Virut, remain very active, with Online Gaming Trojans in first and tenth position this report. W32/Virut.A, though falling two positions, held a strong fourth place amongst a barrage of Zbot activity. Two Zbot variants, W32/Zbot.M and W32/Zbot.V, landed in second and third position respectively. Zbot, a very widespread and prevalent keylogging / data-siphoning trojan, was particularly active this month, distributing its payload through fake eCard e-mails. The largest surges of Zbot activity occurred on June 2nd and June 12th, with W32/Zbot.M and W32/Zbot.V each going on two-day runs. Interestingly, JS/PackRedir.A moved up thirty-six positions to land in fifth place in our Malware Top 10 list. This obfuscated JavaScript redirects unfortunate visitors to further malicious sites that host malicious components through PDF and SWF files. This underscores the popularity of obfuscated attacks, whether through binary packers or script obfuscators, and also contributes to the aforementioned growth in web-borne malware attacks.

Building on a year-high active exploitation rate of 46.4% last report, 62 of the 108 vulnerabilities reported this period had exploits launched against them. In other words, over half of the newly reported vulnerabilities this period have been attacked, an active exploitation rate of 57.4%. This is certainly a disturbing trend: exploits typically are not easy to write, and take considerable time and effort - unless you have resources at your disposal. With more attacks being launched against vulnerabilities, as shown by a very high active exploitation rate, users need to be extra cautious about where they direct their web browsers. Many attacks are launched through this vector; remember to apply patches to guard against attacks such as poisoned documents.

Spam rates remained consistent in June, with no direct effect following the commendable take-down of 3FN/Pricewert, another alleged spam-centric network. Last November, after the infamous McColo went down, we saw quite a dip in spam rates that took more than two months to recover. France took top spot for regional received spam, with Canada and Spain entering in fourth and fifth position respectively. The Canadian Pharmacy gang and other campaigns are frequently using simple HTM file attachments to hook users. The HTM files generally contain this content form:
