You are here

Fortinet July Threat Landscape Report Shows Sasfis Botnet Variants Multiplying and Focusing on Spam Delivery

Stuxnet Attack Still Under Investigation While Awaiting Microsoft Patch

SUNNYVALE, Calif., August 2, 2010 - Fortinet® (NASDAQ: FTNT) - a leading network security provider and a worldwide leader of unified threat management (UTM) solutions today announced its July 2010 Threat Landscape report, which showed that eight Sasfis botnet variants have landed in the companys top 10 malware listing this period. This is an increasingly common occurrence, as developers continue to roll out updated copies of their creations. Earlier this year, the Sasfis botnet was dedicated to downloading and executing software (primarily fake antivirus) on infected systems. This period, Sasfis was observed downloading updated spamming modules. Typical Sasfis spam examples include fake UPS invoices and Facebook photo links.

ÏSpam bots continue to diversify, sending a variety of spam themes on a frequent basis, said Derek Manky, project manager, cyber security and threat research, Fortinet. ÏThis month we observed various socially engineered emails that came with HTML attachments. These attachments further contained obfuscated javascript which would redirect users to malicious sites. The diversity of these spam campaigns and their targets shows how botnets continue to evolve to serve the needs of their underground customers.

Stuxnet Attack
This months Stuxnet attack (read our FAQ here), reiterates the importance of quickly patching security holes as fixes become available and having a broad intrusion prevention system (IPS) in place. Even with proper patch management, all it takes is one zero-day vulnerability to be exploited (even in low volume) to potentially cause a significant impact. While the Stuxnet attack is still under investigation, the fact that a trojan associated with the exploit was seemingly developed to target industrial control systems underscores this point. This is also a good example of how little interaction is required by the end user to become infected. The Stuxnet exploit attacked a Windows Shell vulnerability (CVE-2010-2568). To launch its attack, a user simply opened a folder.

ÏWe saw a similar attack method with PDF files through JBIG2 image streams and Windows shell extensions back in February 2009 (CVE-2009-0658), where simply browsing a folder could trigger an infection, Manky continued. ÏFortinet detects the vulnerability associated with the Stuxnet attack as 'MS.Windows.Shell.LNK.Code.Execution,' and generically detects the exploited .LNK payload with antivirus as 'W32/ShellLink.a!exploit.CVE20102568'. As of writing, there are workarounds but no official patch has been released from Microsoft.

Windows Help Center Vulnerability Exploited
On June 5, vulnerability within the Windows Help and Support Center that could allow remote code execution was publicly disclosed. Like Stuxnet, this is yet another example of a zero-day vulnerability successfully attacked before a patch is made available. We witnessed attacks on the vulnerability as early as June 11th before Microsoft issued a patch for CVE-2010-1855 on July 13th. The attacks that occurred through Websites were made more potent because they were launched through the HCP protocol handler, which is used by all browsers. In many cases Websites that serve exploits will try to fingerprint browsers and launch attack code tailored to those browsers.

FortiGuard Labs compiled threat statistics and trends for July based on data collected from FortiGate network security appliances and intelligence systems in production worldwide. Customers who use Fortinets FortiGuard Subscription Services should already be protected against the threats outlined in this report.

To read the full July Threat Landscape report which includes the top threat rankings in each category, please visit: http://www.fortiguard.com/report/roundup_july_2010.html. For ongoing threat research, bookmark the FortiGuard Center or add it to your SS feed. Additional discussion on security technologies and threat analysis can be found at the Fortinet Security Blog at http://blog.fortinet.com. To learn more about FortiGuard Subscription Services, visit http://www.fortinet.com/products/fortiguard.html.

FortiGuard Subscription Services offer broad security solutions including antivirus, intrusion prevention, Web content filtering and anti-spam capabilities. These services help protect against threats on both application and network layers. FortiGuard Services are updated by FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and zero-day protection from new and emerging threats. For customers with a subscription to FortiGuard, these updates are delivered to all FortiGate, FortiMail™ and FortiClient™ products.

About Fortinet(www.fortinet.com)

Fortinet (NASDAQ: FTNT) is a worldwide provider of network security appliances and the market leader in unified threat management (UTM). Our products and subscription services provide broad, integrated and high-performance protection against dynamic security threats while simplifying the IT security infrastructure. Our customers include enterprises, service providers and government entities worldwide, including the majority of the 2009 Fortune Global 100. Fortinet's flagship FortiGate product delivers ASIC-accelerated performance and integrates multiple layers of security designed to help protect against application and network threats. Fortinet's broad product line goes beyond UTM to help secure the extended enterprise - from endpoints, to the perimeter and the core, including databases and applications. Fortinet is headquartered in Sunnyvale, Calif., with offices around the world.

Copyright © 2010 Fortinet, Inc. All rights reserved. The symbols ® and ™ denote respectively federally registered trademarks and unregistered trademarks of Fortinet, Inc., its subsidiaries and affiliates. Fortinet's trademarks include, but are not limited to, the following: Fortinet, FortiGate, FortiGuard, FortiManager, FortiMail, FortiClient, FortiCare, FortiAnalyzer, Fortieporter, FortiOS, FortiASIC, FortiWiFi, FortiSwitch, FortiVoIP, FortiBIOS, FortiLog, Fortiesponse, FortiCarrier, FortiScan, FortiAP, FortiDB and FortiWeb. Other trademarks belong to their respective owners. Fortinet has not independently verified statements or certifications herein attributed to third parties, such as statements attributed to IDC, and Fortinet does not independently endorse such statements. This news release may contain forward-looking statements, such as statements regarding trends of adoption by large enterprises and the ongoing adoption by MSSPs, carriers and small to medium businesses, that involve risks and uncertainties that could cause actual results to differ. isks and uncertainties include, among others, changes in market dynamics, changes in demand for UTM and other solutions, the introduction of new competitive solutions, economic risks and uncertainties, execution risks and uncertainties related, for example, to new product introductions and innovations, and other risk factors set forth from time to time in our filings with the SEC, copies of which are available free of charge at the SECs website at www.sec.gov or upon request from Fortinets investor relations department. If the risks or uncertainties materialize or the assumptions prove incorrect, results may differ materially from those expressed or implied by such forward-looking statements and assumptions. All statements other than statements of historical fact are statements that could be deemed forward-looking statements. Fortinet assumes no obligation to update any forward-looking statements in the event actual results differ, and does not intend to update these forward-looking statements.

CALL NOW! 1-866-868-3678


We were looking to simplify network management and wanted a robust and consolidated security solution so that we didn't have to have multiple people managing the network. The Fortinet solution is allowing us enterprise-level security that is easy to use and meets our growing needs.

Jason Francia
Senior Network Administrator
Community Health Resources