itb-nz logo
Story image

Sasfis Botnet variants multiplying according to latest Fortinet report

03 Aug 2010

Fortinet® (NASDAQ: FTNT) – a leading network security provider and a worldwide leader of unified threat management (UTM) solutions – today announced its July 2010 Threat Landscape report, which showed that eight Sasfis botnet variants have landed in the company’s top 10 malware listing this period. This is an increasingly common occurrence, as developers continue to roll out updated copies of their creations.

Earlier this year, the Sasfis botnet was dedicated to downloading and executing software (primarily fake antivirus) on infected systems. This period, Sasfis was observed downloading updated spamming modules. Typical Sasfis spam examples include fake invoices from courier firm UPS, and Facebook photo links.

“Spam bots continue to diversify, sending a variety of spam themes on a frequent basis,” said Derek Manky, project manager, cyber security and threat research, Fortinet. “This month we observed various socially engineered emails that came with HTML attachments. These attachments further contained obfuscated javascript which would redirect users to malicious sites. The diversity of these spam campaigns and their targets shows how botnets continue to evolve to serve the needs of their underground customers.”

Stuxnet Attack

This month’s Stuxnet attack (read our FAQ here), reiterates the importance of quickly patching security holes as fixes become available and having a broad intrusion prevention system (IPS) in place. Even with proper patch management, all it takes is one zero-day vulnerability to be exploited (even in low volume) to potentially cause a significant impact.

While the Stuxnet attack is still under investigation, the fact that a trojan associated with the exploit was seemingly developed to target industrial control systems underscores this point. This is also a good example of how little interaction is required by the end user to become infected. The Stuxnet exploit attacked a Windows Shell vulnerability (CVE-2010-2568). To launch its attack, a user simply opened a folder.

“We saw a similar attack method with PDF files through JBIG2 image streams and Windows shell extensions back in February 2009 (CVE-2009-0658), where simply browsing a folder could trigger an infection,” Manky continued. “Fortinet detects the vulnerability associated with the Stuxnet attack as 'MS.Windows.Shell.LNK.Code.Execution,' and generically detects the exploited ‘.LNK’ payload with antivirus as 'W32/ShellLink.a!exploit.CVE20102568'. As of writing, there are workarounds but no official patch has been released from Microsoft.”

Windows Help Center Vulnerability Exploited

On June 5, vulnerability within the Windows Help and Support Center that could allow remote code execution was publicly disclosed. Like Stuxnet, this is yet another example of a zero-day vulnerability successfully attacked before a patch is made available. We witnessed attacks on the vulnerability as early as June 11th before Microsoft issued a patch for CVE-2010-1855 on July 13th. The attacks that occurred through websites were made more potent because they were launched through the HCP protocol handler, which is used by all browsers. In many cases Websites that serve exploits will try to fingerprint browsers and launch attack code tailored to those browsers.

FortiGuard Labs compiled threat statistics and trends for July based on data collected from FortiGate® network security appliances and intelligence systems in production worldwide. Customers who use Fortinet’s FortiGuard Subscription Services should already be protected against the threats outlined in this report.

To read the full July Threat Landscape report which includes the top threat rankings in each category, please visit: http://www.fortiguard.com/report/roundup_july_2010.html. For ongoing threat research, bookmark the FortiGuard Center or add it to your RSS feed. Additional discussion on security technologies and threat analysis can be found at the Fortinet Security Blog at http://blog.fortinet.com. To learn more about FortiGuard Subscription Services, visit http://www.fortinet.com/products/fortiguard.html.

FortiGuard Subscription Services offer broad security solutions including antivirus, intrusion prevention, Web content filtering and anti-spam capabilities. These services help protect against threats on both application and network layers. FortiGuard Services are updated by FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and zero-day protection from new and emerging threats. For customers with a subscription to FortiGuard, these updates are delivered to all FortiGate, FortiMail™ and FortiClient™ products.

About Fortinet (www.fortinet.com)

Fortinet (NASDAQ: FTNT) is a worldwide provider of network security appliances and a market leader in unified threat management (UTM). Our products and subscription services provide broad, integrated and high-performance protection against dynamic security threats while simplifying the IT security infrastructure. Our customers include enterprises, service providers and government entities worldwide, including the majority of the 2009 Fortune Global 100. Fortinet's flagship FortiGate product delivers ASIC-accelerated performance and integrates multiple layers of security designed to help protect against application and network threats. Fortinet's broad product line goes beyond UTM to help secure the extended enterprise - from endpoints, to the perimeter and the core, including databases and applications. Fortinet is headquartered in Sunnyvale, Calif., with offices around the world.

###

Copyright © 2010 Fortinet, Inc. All rights reserved. The symbols ® and ™ denote respectively federally registered trademarks and unregistered trademarks of Fortinet, Inc., its subsidiaries and affiliates. Fortinet's trademarks include, but are not limited to, the following: Fortinet, FortiGate, FortiGuard, FortiManager, FortiMail, FortiClient, FortiCare, FortiAnalyser, FortiReporter, FortiOS, FortiASIC, FortiWiFi, FortiSwitch, FortiVoIP, FortiBIOS, FortiLog, FortiResponse, FortiCarrier, FortiScan, FortiDB and FortiWeb. Other trademarks belong to their respective owners. Fortinet has not independently verified statements or certifications herein attributed to third parties and Fortinet does not independently endorse such statements. This news release may contain forward-looking statements that involve uncertainties and assumptions. If the uncertainties materialize or the assumptions prove incorrect, results may differ materially from those expressed or implied by such forward-looking statements and assumptions. All statements other than statements of historical fact are statements that could be deemed forward-looking statements, including but not limited to, any statements related to expected trends in cybercriminal activity. These trends are difficult to predict and any stated expectations regarding these trends may not ultimately be correct. Fortinet assumes no obligation to update any forward-looking statements, and does not intend to update these forward-looking statements.

FTNT-O

Media contact

Sebastian Rice,

+61 2 9571 1330

seb@silverspan.com

Story image
A/NZ construction industry recognises opportunity for innovation following COVID-19
Australia and New Zealand (A/NZ) construction companies are leading the regional COVID-19 recovery, with 30% prepared for the new normal.More
Story image
Interview: It’s time to rename MDM to Modern Device Management
Mobile device management is no longer about being tied to physical devices - in fact, IT administrators shouldn’t even need to go near them.More
Story image
Workday grows retail footprint with Zumiez
With Workday, Zumiez will have the ability to plan, execute, and analyse and gain a deeper understanding of the business to help it manage through the changing business landscape.More
Story image
How organisations can extract value from IT investments with Living Systems
Technology is everywhere, but value is not. Twelve months after the first pandemic-related lockdowns began, many organisations have discovered that they’re just not getting the return on investment they expected. Why?More
Story image
Modern device management – enterprise-grade endpoint security for home workers
To support and empower employees, organisations need enterprise-grade security that reaches beyond the confines of the workplace.More
Story image
MDM In 2021 – It’s time to switch to modern management
Mobile device management has been redefined as ‘modern device management’, and Microsoft’s Intune is now becoming the clear category leader. It is achieving widespread global adoption as part of Microsoft 365’s success, with 35% global MDM market adoption expected in 2021 and over 50% in 2022. More