Threat Research

January 2011: Many new vulnerabilities exploited, spam takes another hit

By Derek Manky | January 26, 2011

The first threat report of 2011 is up, you can find the full report on our FortiGuard Center. Below is a recap of events:

There was a sharp increase in exploit activity against new vulnerabilities this period: we detected attempted exploitation of 61% of the new vulnerabilities covered by FortiGuard Labs, where the typical rate is 30-40%. Nearly half of the vulnerabilities rated 'Critical' (remote code execution) were attacked. As an ongoing reminder, it is imperative to keep all software up to date with the latest patches, and to have an up-to-date IPS in place to block exploit code during the window before patches are applied. FortiGuard Labs discovered and reported three zero-day vulnerabilities to Microsoft and Adobe in the last month; for an overview of all outstanding zero-day vulnerabilities, see our Upcoming Advisory page. Where possible, signatures are created in advance for such zero-day vulnerabilities. Microsoft issued a zero-day advisory on December 22nd, 2010, describing an in-the-wild exploit against Internet Explorer (CVE-2010-3971). As of writing, this vulnerability remains unpatched. FortiGuard IPS detects this threat as "MS.IE.CSS.Self.Reference.Remote.Code.Execution" - see our advisory for details.

Three notable top malware detections this report were Feebs, Buzus and Virut. None of these is new, yet all three remain persistent and active. Feebs is a mass mailer that uses JavaScript to infect systems: the mail carries a password-protected archive, with the password supplied in the mail body. Buzus remains active in the spam scene, sending infected copies of itself as attachments in a variety of spam campaigns themed around Twitter, Facebook, Google, Hallmark and Hi5; its operators are clearly putting more effort into social engineering by leveraging well-known brands. As always, be wary of opening any file attachment - Buzus attachments are quite large, usually over 500 kilobytes. Two Virut variants surfaced this report and, as of writing, still receive commands from Virut controllers to download and execute malware. Virut.U uses an updated IRC channel and encrypts all traffic to it, while Virut.A continues to connect to its IRC server unencrypted. Both variants connect on port 65520. We have written about Virut multiple times; it has been around since May 13, 2006, and has been in our Top 10 and Top 100 lists ever since. Virut is a file infector with a bot component, which makes it very difficult to clean: once it lands on a system it spreads to thousands upon thousands of files. FortiGuard Labs observed Virut downloading other bot malware (VBCF), meaning an infected system soon hosts multiple pieces of malware. Virut is one of the most persistent botnets we see today: it is tough to remove from an infected system, it uses a public IRC domain that has not been taken offline during its four-year run, and it has hybrid spreading capabilities.
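As an added example (not Fortinet's code or a FortiGuard signature), the Virut connection pattern described above turned into detection logic over connection logs. Only the C2 port (TCP 65520) and the cleartext-versus-encrypted IRC distinction between Virut.A and Virut.U come from the report; the log line format, the IP addresses, the captured first bytes and the rule that also flags cleartext IRC commands on non-standard ports are constructed assumptions for illustration.

```python
"""Flag outbound connections matching the Virut C2 pattern.

Added example, not Fortinet's code. Facts taken from the report: both
Virut variants use TCP port 65520, Virut.A speaks cleartext IRC, Virut.U
encrypts its IRC traffic. Everything else (log format, addresses,
payload bytes, the non-standard-port IRC rule) is a constructed assumption.
"""
import re
from dataclasses import dataclass

VIRUT_C2_PORT = 65520          # from the report
STANDARD_IRC_PORTS = {6667}    # assumption: treat only 6667 as "expected" IRC

# Cleartext IRC sessions open with one of these commands.
IRC_COMMANDS = (b"NICK ", b"USER ", b"PASS ", b"JOIN ", b"PRIVMSG ")

# Constructed log format (assumption):
#   <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <first_bytes_hex>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)\s+"
    r"(?P<proto>\w+)\s+(?P<payload>[0-9a-fA-F]*)$"
)

# Constructed sample log (RFC 5737 documentation addresses, made-up bytes):
#   line 1: cleartext IRC to the Virut port  (Virut.A-like)
#   line 2: TLS-looking bytes to the Virut port (Virut.U-like)
#   line 3: ordinary HTTPS                       (benign)
#   line 4: cleartext IRC on the standard port   (not flagged here)
#   line 5: cleartext IRC on port 8080           (IRC on non-standard port)
SAMPLE_LOG = """\
2011-01-10T08:01:12Z 10.0.0.12:49731 -> 203.0.113.5:65520 tcp 4e49434b2061623178
2011-01-10T08:01:14Z 10.0.0.12:49732 -> 203.0.113.5:65520 tcp 170301002e
2011-01-10T08:02:01Z 10.0.0.40:51002 -> 198.51.100.7:443 tcp 160301
2011-01-10T08:02:09Z 10.0.0.55:51010 -> 192.0.2.9:6667 tcp 4e49434b20626f62
2011-01-10T08:03:22Z 10.0.0.61:51100 -> 192.0.2.9:8080 tcp 555345522078
"""


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    dport: int
    severity: str
    verdict: str


def is_cleartext_irc(payload: bytes) -> bool:
    """True if the first captured bytes look like an IRC registration/command."""
    return payload.startswith(IRC_COMMANDS)


def classify_virut_port_traffic(payload: bytes) -> str:
    """Split traffic on the Virut port by whether the IRC channel is readable."""
    if is_cleartext_irc(payload):
        return "cleartext IRC on Virut C2 port (Virut.A-like)"
    return "non-IRC/encrypted bytes on Virut C2 port (Virut.U-like)"


def scan(log_text: str) -> list[Alert]:
    """Return one Alert per connection matching either detection rule."""
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proto"].lower() != "tcp":
            continue                       # skip unparseable or non-TCP lines
        dport = int(m["dport"])
        payload = bytes.fromhex(m["payload"])
        common = (m["ts"], m["src"], m["dst"], dport)
        if dport == VIRUT_C2_PORT:
            # Rule 1: the port itself is the indicator; payload only refines it.
            alerts.append(Alert(*common, "high", classify_virut_port_traffic(payload)))
        elif is_cleartext_irc(payload) and dport not in STANDARD_IRC_PORTS:
            # Rule 2 (assumption): cleartext IRC on an unexpected port is worth a look.
            alerts.append(Alert(*common, "medium", "cleartext IRC on non-standard port"))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.ts} {a.src} -> {a.dst}:{a.dport} [{a.severity}] {a.verdict}")
```

On the sample log this produces three alerts: the two port 65520 connections (one classified as cleartext IRC, one as encrypted) and the IRC handshake on port 8080; the HTTPS line and the IRC session on port 6667 are left alone. Rule 1 is the one the report supports; rule 2 is a broader heuristic and should be tuned to whatever IRC use is legitimate on your network.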

From December 27th, 2010, to January 10th, 2011, we saw another significant decline in global spam rates (about 20%). We reported a large drop in November 2010 after the Bredolab botnet was taken offline; spam rates had climbed back to their usual level by mid-December. This time Rustock appears to be responsible for the decline: the botnet spent this period generating cash through affiliate-based business models instead of running spam campaigns. Spam rates have started to rise again since Rustock received commands to resume its spam routines. In both cases, Bredolab and Rustock, a single botnet had a notable impact on global spam rates - Bredolab's takedown dropped them roughly 12% and Rustock's pause roughly 20% - which shows how much spam worldwide one botnet can account for.
