Story image

Fortinet Threatscape Report Shows Botnets Battling for Digital Real Estate

Fortinet® (NASDAQ: FTNT) - a leading network security provider and worldwide leader of unified threat management (UTM) solutions – today announced its April 2010 Threatscape report, which showed high activity from the Gumblar and Sasfis botnets.

While Gumblar remained in the No. 1 position in Fortinet’s Top 10 Network Attacks list, the Sasfis botnet had two of its executables appear in Fortinet’s Antivirus Top 10 listing. Like Bredolab, Sasfis is a botnet loader that reports statistics, and retrieves/executes files upon check-in. However, Sasfis differs by being newer, and does not employ encryption for communications. Sasfis continues to spread aggressively, and is typically used to load banking trojans onto unsuspecting people’s computers.

Additional key threat activities for the month of April include:

• Microsoft Vulnerabilities: The Internet Explorer vulnerability MS.IE.Userdata.Behavior.Code.Execution (CVE-2010-0806) was the second-most detected malicious network activity for the second report in a row. While in its zero-day state, Fortinet observed attacks on this vulnerability that installed the infamous Gh0st RAT spy-trojan, a fully-functioning remote administration tool that also streams Webcam video and audio feeds.

FortiGuard Labs also discovered two new memory corruption vulnerabilities in Microsoft Office Visio that allow a remote attacker to compromise a system through a malicious document. The vulnerabilities are triggered when opening and rendering a Visio file. A remote attacker could craft a malicious document that exploits either one of these vulnerabilities, allowing them to compromise a system.

• Adobe Acrobat vulnerabilities: Fortinet’s FortiGuard Labs discovered two new memory corruption vulnerabilities in Adobe Reader / Acrobat, which allow a remote attacker to compromise a system through a malicious document. The vulnerabilities are triggered when opening and rendering a PDF document. A remote attacker could craft a malicious document which exploits either one of these vulnerabilities, allowing them to compromise a system.

• Ransomware and Scareware still top virus detection: This is no surprise, as Scareware has been consistently prevalent since September 2008. Ransomware, on the other hand, began making headway in 2010 due to incentives from affiliate-backed programs that pay out when victims purchase the fake products.

• Cutwail spambot leveraged for money mule recruitment: Fortinet continues to observe the Cutwail spambot, which has been active for years, send various spam campaigns on behalf of its customers. The spam sent by Cutwail this month typically included malicious links to eCard binaries, or emails with the binaries themselves attached. There were various money mule recruitment themes observed in spam emails in April, showing a growing demand for jobs on the black market.

“Money mules are essentially money laundering vehicles used by cyber criminals to handle and transfer illicit funds,” said Derek Manky, project manager, cyber security and threat research, Fortinet. “The mule receives a commission for doing the transfer. These transfers are typically done in batches of $10,000 USD or less. Money mule positions are, more times than not, crafted as legitimate sounding jobs, such as accounts receivable positions. If something seems too good to be true, it generally is.”

An example money mule campaign can be found here: http://www.fortiguard.com/pics/threatscape1209/image-05b.png

FortiGuard Labs compiled threat statistics and trends for April based on data collected from FortiGate® network security appliances and intelligence systems in production worldwide. Customers who use Fortinet’s FortiGuard Subscription Services should already be protected against the threats outlined in this report.

To read the full April Threatscape report which includes the top threat rankings in each category, please visit: http://www.fortiguard.com/report/roundup_april_2010.html. For ongoing threat research, bookmark the FortiGuard Center (http://www.fortiguardcenter.com/) or add it to your RSS feed by going to http://www.fortinet.com/FortiGuardCenter/rss/index.html.

Additional discussion on security technologies and threat analysis can be found at the Fortinet Security Blog at http://blog.fortinet.com. To learn more about FortiGuard Subscription Services, visit http://www.fortinet.com/products/fortiguard.html.

FortiGuard Subscription Services offer broad security solutions including antivirus, intrusion prevention, Web content filtering and anti-spam capabilities. These services help enable protection against threats on both application and network layers. FortiGuard Services are updated by FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and zero-day protection from new and emerging threats. For customers with a subscription to FortiGuard, these updates are delivered to all FortiGate, FortiMail™ and FortiClient™ products.

About Fortinet (www.fortinet.com)

Fortinet (NASDAQ: FTNT) is a worldwide provider of network security appliances and the market leader in unified threat management (UTM). Our products and subscription services provide broad, integrated and high-performance protection against dynamic security threats while simplifying the IT security infrastructure. Our customers include enterprises, service providers and government entities worldwide, including the majority of the 2009 Fortune Global 100. Fortinet's flagship FortiGate product delivers ASIC-accelerated performance and integrates multiple layers of security designed to help protect against application and network threats. Fortinet's broad product line goes beyond UTM to help secure the extended enterprise - from endpoints, to the perimeter and the core, including databases and applications. Fortinet is headquartered in Sunnyvale, Calif., with offices around the world.

###Copyright © 2010 Fortinet, Inc. All rights reserved. The symbols ® and ™ denote respectively federally registered trademarks and unregistered trademarks of Fortinet, Inc., its subsidiaries and affiliates. Fortinet's trademarks include, but are not limited to, the following: Fortinet, FortiGate, FortiGuard, FortiManager, FortiMail, FortiClient, FortiCare, FortiAnalyser, FortiReporter, FortiOS, FortiASIC, FortiWiFi, FortiSwitch, FortiVoIP, FortiBIOS, FortiLog, FortiResponse, FortiCarrier, FortiScan, FortiDB and FortiWeb. Other trademarks belong to their respective owners. Fortinet has not independently verified statements or certifications herein attributed to third parties and Fortinet does not independently endorse such statements. This news release contains forward-looking statements that involve uncertainties and assumptions. If the uncertainties materialize or the assumptions prove incorrect, results may differ materially from those expressed or implied by such forward-looking statements and assumptions. All statements other than statements of historical fact are statements that could be deemed forward-looking statements, including but not limited to any statements related to expected trends in cybercriminal activity. These trends are difficult to predict and any stated expectations regarding these trends may not ultimately be correct. Fortinet assumes no obligation to update any forward-looking statements, and does not intend to update these forward-looking statements.

Media contact:Sebastian Rice+61 2 9571 1330seb@silverspan.com