When it comes to cyber-crime, it’s not always about test driving the newest brand of malware on the road. Sometimes, it’s about Old Betsy, the reliable piece of malware that will get you from point A to point B – the final location being a compromised computer.
Research in Fortinet’s June Threat Report underscores this point, even as it shows the number of new exploits continued to rise. Out of 108 newly reported vulnerabilities during this period, 62 were reported to be actively exploited, which represents an all-time high of 57.4 percent.
Still, a look at the company’s top 10 exploits shows some of the most attacked vulnerabilities have been around for years. There’s a buffer overflow vulnerability affecting the Windows Messenger Service that goes back to 2003; a bug in Microsoft NAT Helper that dates back to 2006; and so on. As vulnerabilities age, their profile rises and exploits for them make their way into the hands of script kiddies, noted Derek Manky, threat researcher at Fortinet.
“Of course, the most high profile attack worth mentioning is still ‘MS.DCERPC.NETAPI32.Buffer.Overflow’, aka MS08-067, made notorious by Conficker,” he said. “This critical vulnerability still receives much attack traffic due to Conficker’s success with this security hole, with the likes of copy-cat worms and other attacks taking advantage of the same issue.”
This falls in line with research from companies such as Microsoft, Secunia and Qualys, which has shown that users are often not up-to-date with the latest patches.
When it comes to malware, the proliferation of malware kits has allowed some well-known pieces of malicious software to thrive. While the traditionally resilient Netsky worm was knocked out of Fortinet’s list of Top 10 malware, variants of the ZBot Trojan grabbed second and third place. ZBot was recently linked to a campaign that stole FTP credentials from several leading companies, including Symantec, McAfee and Amazon.
The ZBot variants on Fortinet’s list were in high volume for a short period of time, as can be seen here.
“This is very typical, since to launch such attacks often various botnets and increasingly other attack vehicles – think harvested accounts, social worms, etc. – are rented out on an hourly or daily basis,” Manky said. “So, this hit-and-run fashion is much different than a single campaign or botnet such as Virut…many of these attacks are launched through traditional malicious links, and Websites hosting the campaign’s freshly built binaries. Once these are taken down (domains, etc.), a new campaign will be launched.”
In terms of location, the top five regions of the world ranked by distinct malware volume are as follows: United States, with 40.57 percent; Japan, at 35.61 percent; Taiwan, with 34.44 percent; China, with 27.74 percent; and India at 19.25 percent. France and the United States lead the way as far as spam received compared to global spam volume, with 17.11 percent and 12.11 percent, respectively.
There was some good news for security researchers last month when rogue ISP 3FN was shut down, but like reports from Google and MX Logic, Fortinet found the results were short-lived.
“We saw a larger effect after McColo’s take-down partly because it was hosting C&C to Srizbi,” Manky noted. “There was an active effort to keep this spam botnet from re-connecting to its C&C servers as rendezvous domains generated by its zombies were registered (sink-holes) by white hats, thus keeping the threat at bay for a little longer until they eventually regained control and issued updates. To my knowledge, this didn’t happen with 3FN’s associated threats, which were associated with different groups.”
Though the 3FN shutdown might not have had the effect some expected, actions like that do have an impact, Manky said.
“The more take-downs like this we achieve, certainly the more milestones we will reach,” he added. “However, cyber-criminals will constantly be on the run…there needs to be much more happening in parallel with these take-downs to really pull up beside the black hats in the arms race that we are knee-deep in today.”