Fortinet March Threatscape report shows domination of ransomware and troublesome zero-day

  • United Arab Emirates: Thursday, April 01 - 2010 at 12:35
  • PRESS RELEASE

Fortinet, a leading network security provider and worldwide leader of unified threat management (UTM) solutions, today announced that its March 2010 Threatscape report showed ransomware threats dominating, with nine of the detections in the malware top ten list resulting in either scareware or ransomware infesting the victim's PC.

Fortinet observed the primary drivers behind these threats to be two of the most notorious botnet "loaders" — Bredolab and Pushdo. Another important finding is the aggressive entrance of a new zero-day threat in FortiGuard's top ten attack list, MS.IE.Userdata.Behavior.Code.Execution, which accounted for 25% of the detected activity last month.

Key threat activities for the month of March include:

• SMS-based Ransomware High Activity: A new ransomware threat - W32/DigiPog.EP - appeared in Fortinet's top ten malware list. DigiPog is a Russian-language SMS blocker that locks out a system and aggressively kills off popular applications like Internet Explorer and Firefox until an appropriate code is entered into a field provided to the user. To obtain the code, a user must send an SMS message to the provided number, receiving a code in return. Upon execution, DigiPog registers the user's MAC address with its server. This is the first time that SMS-based ransomware has entered Fortinet's top ten list, showing that the rise of ransomware is well on its way.

• Botnets - the competition gets tough: While the infamous Bredolab and Pushdo botnets can be identified behind the strong ransomware activity this month, a challenger has also been particularly active. Sasfis, another botnet loader, moved up eight positions in our Top 100 attack list from last month, landing just behind Gumblar & Conficker network activity in the fifth position. Sasfis is just the latest example of simplified botnets, which are used heavily for malicious business services (crime as a service).

• Zero-day attack forces its way in: A new zero-day threat aggressively entered FortiGuard's top ten attack list: MS.IE.Userdata.Behavior.Code.Execution (CVE-2010-0806, FortiGuard Advisory 2010-14). This exploit triggers a vulnerability in Internet Explorer, making remote code execution possible through a drive-by download (no user interaction required). Accounting for one fourth of the detected activity in March, this exploit was ranked number two in our top ten attacks last month and remains very active, predominantly in Japan, Korea and the U.S.

"As we predicted for 2010, cybercriminals are clearly pursuing new ways to lure consumers and threaten the enterprise at large. Troublesome zero-day exploits continue to attack popular client-side software, while methods such as ransomware and crime as a service help them increase their reach and make their attacks more effective against end users," said Derek Manky, Project Manager, Cyber Security and Threat Research, Fortinet.

"With cybercrime techniques getting more sophisticated every day, it is critical to educate users on the importance of having the right security software and patches in place. Robust security services and safe practice can help protect consumers and organizations against known vulnerabilities, but also unknown ones such as zero-day threats," he added.

FortiGuard Labs compiled threat statistics and trends for March based on data collected from FortiGate network security appliances and intelligence systems in production worldwide. Customers who use Fortinet's FortiGuard Subscription Services should already be protected against the threats outlined in this report.

FortiGuard Subscription Services offer broad security solutions including antivirus, intrusion prevention, Web content filtering and anti-spam capabilities. These services help enable protection against threats on both application and network layers. FortiGuard Services are updated by FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and zero-day protection from new and emerging threats. For customers with a subscription to FortiGuard, these updates are delivered to all FortiGate, FortiMail and FortiClient products.
 