SecurityWeek

Malware & Threats

Fortinet June 2010 Threat Landscape Report – Sasfis Botnet, Obfuscated JavaScript Attacks & More

With the month not quite complete, Fortinet, in an effort to get the results out before the distractions of a holiday weekend in the U.S., today revealed its Threat Landscape report for June 2010.

June 2010 Threat Report

The month of June showed new variations of the Sasfis botnet entering the Top malware 10 list along with the re-emergence of older threats. Sasfis, which has been competing with the Pushdo botnet in terms of sheer volume, was very active this month.

“We observed Sasfis loading a spambot component, which was heavily used to send out binary copies of itself in an aggressive seeding campaign,” said Derek Manky, project manager, cyber security and threat research, Fortinet. “The Sasfis socially-engineered emails typically had two themes; one looked like a fake UPS Invoice attachment, and the other was disguised as a fees statement. Much like the Pushdo and Bredolab botnets, Sasfis is a loader – the spambot agent is just one of multiple components downloaded.” 

In June, Fortinet observed the re-emergence of a hit-and-run attack exploiting the Internet Explorer HTML Object Memory Corruption Vulnerability (CVE-2010-0249 at Microsoft; MS.IE.Event.Invalid.Pointer.Memory.Corruption in Fortinet's signature set). The exploit first surfaced in January 2010, when it was used in the Aurora attacks to plant spy trojans inside targeted major corporations. Activity had since subsided; the signature last appeared in FortiGuard's top 10 in February's Threat Landscape report.

Additional threat activities for the month of June include:

200 New Vulnerabilities: FortiGuard Labs covered more than 200 new vulnerabilities this period, nearly double the number in the previous report.

Flash and Excel Vulnerabilities: Four Flash and Excel vulnerabilities were disclosed and patched this period.

Malicious JavaScript Code: In terms of malware, the only detection that topped the aforementioned botnet binaries was JS/Redir.BK, obfuscated JavaScript code that surged on June 12 and June 13. The script redirected users to various legitimate domains hosting an injected HTML page named "z.htm."

Top 10 Attacks for June 2010

Percentage is each signature's share of the attack detections in the period; Shift is the change in rank from the previous report (blank where none was given).

Rank  Signature                                                  Percentage  Severity  Shift
  1   Java.Deployment.Toolkit.Launch.Method.Access                     60.2  Critical
  2   MS.IE.Userdata.Behavior.Code.Execution                           17.2  Critical
  3   MS.DCERPC.NETAPI32.Buffer.Overflow                               12.8  Critical
  4   Gumblar.Botnet                                                    6.7  Critical
  5   MS.IE.Event.Invalid.Pointer.Memory.Corruption                     5.1  Critical  +13
  6   Apache.Expect.Header.XSS                                          4.2  Medium     +1
  7   FTP.USER.Command.Overflow                                         3.7  High       +1
  8   AWStats.Rawlog.Plugin.Logfile.Parameter.Input.Validation          3.4  High       -2
  9   SMTP.Auth.Buffer.Overflow                                         3.3  Critical
 10   MS.IE.Deleted.DOM.Object.Access.Memory.Corruption                 3.3  Critical   +4

FortiGuard observed the JavaScript code circulating as an HTML attachment to spam e-mails built around various themes. In one attack, the HTML carrying the malicious JavaScript was attached as the file "open.htm" to an e-mail urging the user to update their MS Outlook client. The exact same e-mail also circulated with a FakeAV binary attachment, another sign that spam templates are recycled across campaigns. In another example, a "bad news" e-mail socially engineered around the FIFA World Cup carried the same malicious JavaScript in a file named "news.html."
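The JS/Redir.BK description above (an obfuscated script inside an HTML attachment that redirects to a "z.htm" page) is the kind of thing a mail gateway or SOC analyst wants to triage statically, without rendering the attachment. The following is an added example written for this page, not Fortinet's signature or any code from the report: it extracts script blocks from an HTML attachment, statically decodes the two most common literal-hiding tricks of that era (unescape() with %XX escapes and String.fromCharCode()), and then looks for a location assignment plus a URL in the decoded result. The attachment, the obfuscation layout and the example.com/z.htm target are constructed for illustration; the scoring thresholds are illustrative heuristics, not a vendor's detection logic.

```python
import re

# Constructed sample (not a real campaign artifact): the script hides
# "window.location=" behind unescape() and a quoted URL ending in /z.htm
# behind String.fromCharCode(), then eval()s the concatenation.
SAMPLE_ATTACHMENT = """<html><body>
<p>Please wait while your Outlook update is prepared...</p>
<script type="text/javascript">
var a = unescape("%77%69%6e%64%6f%77%2e%6c%6f%63%61%74%69%6f%6e%3d");
var b = String.fromCharCode(34,104,116,116,112,58,47,47,101,120,97,109,
                            112,108,101,46,99,111,109,47,122,46,104,116,109,34);
eval(a + b);
</script>
</body></html>"""

# Constructed benign attachment with ordinary inline script, for contrast.
BENIGN_ATTACHMENT = """<html><body>
<form onsubmit="return check()"><input id="email"><button>Send</button></form>
<script>
function check() {
  var v = document.getElementById("email").value;
  return v.indexOf("@") > 0;
}
</script>
</body></html>"""

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
UNESCAPE_RE = re.compile(r"unescape\(\s*([\"'])((?:%u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}|[^\"'])*)\1\s*\)")
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([0-9\s,]+)\)")
URL_RE = re.compile(r"https?://[^\s\"'<>\\)]+")
LOCATION_RE = re.compile(r"\blocation(?:\.href)?\s*=[^=]")

# Obfuscation primitives counted on the raw (undecoded) script.
OBFUSCATION_RE = {
    "eval": re.compile(r"\beval\s*\("),
    "unescape": re.compile(r"\bunescape\s*\("),
    "fromCharCode": re.compile(r"\bfromCharCode\s*\("),
    "document.write": re.compile(r"document\.write(?:ln)?\s*\("),
}


def js_unescape(s: str) -> str:
    """Decode JavaScript unescape() input: %uXXXX then %XX, one code point per
    sequence (not UTF-8, which is how urllib.parse.unquote would treat it)."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def _js_quote(s: str) -> str:
    """Re-emit a decoded string as a JS double-quoted literal."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def decode_literals(js: str, max_rounds: int = 5) -> str:
    """Statically replace unescape("...") and String.fromCharCode(...) calls
    with the literal they evaluate to. Looped because one decoded layer often
    exposes another; bounded so hostile input cannot make us spin."""
    for _ in range(max_rounds):
        out = UNESCAPE_RE.sub(lambda m: _js_quote(js_unescape(m.group(2))), js)
        out = FROMCHARCODE_RE.sub(
            lambda m: _js_quote("".join(chr(int(n)) for n in m.group(1).split(",") if n.strip())),
            out,
        )
        if out == js:
            return out
        js = out
    return js


def triage(html: str) -> dict:
    """Score one HTML attachment. Obfuscation primitives are counted on the raw
    script; the redirect check runs on the statically decoded script so that an
    encoded "location=" still counts. Thresholds are illustrative."""
    raw = "\n".join(SCRIPT_RE.findall(html))
    decoded = decode_literals(raw)
    hits = {name: len(rx.findall(raw)) for name, rx in OBFUSCATION_RE.items()}
    score = sum(1 for n in hits.values() if n)
    # A script that is mostly %XX escapes is itself a cheap signal.
    escaped_chars = 3 * len(re.findall(r"%[0-9a-fA-F]{2}", raw))
    if raw and escaped_chars / len(raw) > 0.15:
        score += 1
    redirect = LOCATION_RE.search(decoded) is not None
    targets = sorted(set(URL_RE.findall(decoded))) if redirect else []
    if targets:
        score += 2
    return {
        "score": score,
        "indicators": hits,
        "redirect_targets": targets,
        "decoded": decoded,
        "verdict": "suspicious-redirector" if score >= 3 else "low",
    }


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_ATTACHMENT), ("benign", BENIGN_ATTACHMENT)):
        r = triage(doc)
        print(label, r["verdict"], r["score"], r["redirect_targets"])
```

The decoded text is returned alongside the verdict so an analyst can see what the script would have executed; the recovered redirect target is what you would feed to URL reputation or block at the proxy. Static decoding like this only unpicks literal-encoding tricks, so a script that assembles its payload at runtime (string arithmetic, DOM lookups, time-based checks) still needs a sandboxed renderer; treat the score as a triage hint, not a verdict.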

(Chart: Top 5 Attacks in June 2010)

“There is no doubt that JavaScript is one of the most popular languages used today for attacks,” Manky continued. “It is used in a growing number of poisoned document attacks (PDF), particularly with heap-spray based techniques. It’s also used to launch exploits, and it is popular as a browser redirector to malicious sites, since the JavaScript code can be obfuscated and appear to be more complex than traditional IFrame based attacks from the past.”

Fortinet's monthly threat report is compiled from June's threat statistics and trends, based on data collected from the company's FortiGate network security appliances and intelligence systems located around the world.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
