Those old Microsoft vulnerabilities you read about are still being targeted successfully by hackers. According to research from Fortinet, it's not just the latest exploits your IT admins and users have to be concerned with.
When it comes to cyber-crime, it's not always about test
driving the newest brand of malware on the road. Sometimes, it's about Old
Betsy, the reliable piece of malware that will get you from point A to point B
- the final location being a compromised computer.
Research in Fortinet's June Threat Report underscores this
point, even as it shows the number of new exploits continued to rise. Out of
108 newly reported vulnerabilities during this period, 62 were reported to be
actively exploited, which represents an all-time high of 57.4 percent.
Still, a look at the company's top 10 exploits shows some of
the most attacked vulnerabilities have been around for years. There's a buffer
overflow vulnerability affecting the Windows Messenger Service that goes back
to 2003; a bug in Microsoft NAT Helper that dates back to 2006, and so on. As
vulnerabilities age, their profile becomes higher and they make their way into
script kiddies, noted Derek Manky, threat researcher at Fortinet.
"Of course, the most high profile attack worth mentioning is
still -MS.DCERPC.NETAPI32.Buffer.Overflow', aka MS08-067, made notorious by
Conficker," he said. "This critical vulnerability still receives much attack
traffic due to Conficker's success with this security hole, with the likes of
copy-cat worms and other attacks taking advantage of the same issue."
This falls in line with research from companies such as
Microsoft, Secunia and Qualys, which has shown that users are often not up-to-date
with the latest patches.
When it comes to malware, the proliferation of malware kits
has allowed some well-known pieces of malicious software to thrive. While the
traditionally resilient Netsky worm was knocked out of Fortinet's list of Top
10 malware, variants of the ZBot Trojan grabbed second and third place. ZBot
was recently linked to a campaign that stole FTP credentials
leading companies, including Symantec, McAfee and Amazon.
The ZBot variants on Fortinet's list were in high volume for
a short period of time, as can be seen here
"This is very typical, since to launch such attacks often
various botnets and increasingly other attack vehicles - think harvested
accounts, social worms, etc. - are rented out on an hourly or daily basis,"
Manky said. "So, this hit-and-run fashion is much different than a single
campaign or botnet such as Virut...many of these attacks are launched through
traditional malicious links, and Websites hosting the campaign's freshly built
binaries. Once these are taken down (domains, etc.), a new campaign will be
In terms of location, the top five regions of the world ranked
by distinct malware volume are as follows: United States, with 40.57
percent; Japan, at 35.61 percent; Taiwan, with 34.44 percent; China, with 27.74
percent; and India at 19.25 percent. France and the United States lead the way
as far as spam received compared to global spam volume, with 17.11 percent and
12.11 percent, respectively.
There was some good news for security researchers last month
when rogue ISP 3FN was shutdown, but like reports from Google and MX Logic,
Fortinet found the results were short-lived.
"We saw a larger
effect after McColo's take-down partly because it was hosting C&C to
Srizbi," Manky noted. "There was an active effort to keep this spam botnet from
re-connecting to its C&C servers as rendezvous domains generated by its
zombies were registered (sink-holes) by white hats, thus keeping the threat at
bay for a little longer until they eventually regained control and issued
updates. To my knowledge, this didn't happen with 3FN's associated threats,
which were associated with different groups."
Though shut down, 3FN might not have had the effect some
expected, actions like that do have an impact, Manky said.
"The more take-downs like this we achieve, certainly the
more milestones we will reach," he added. "However, cyber-criminals will
constantly be on the run...there needs to be much more happening in parallel with
these take-downs to really pull up beside the black hats in the arms race that
we are knee-deep in today."