Fortinet July Threat Landscape Report Shows Sasfis Botnet Variants Multiplying

Fortineta announced its July 2010 Threat Landscape report, which showed that eight Sasfis botnet variants have landed in the company’s top 10 malware listing this period. This is an increasingly common occurrence, as developers continue to roll out updated copies of their creations. Earlier this year, the Sasfis botnet was dedicated to downloading and executing software (primarily fake antivirus) on infected systems. This period, Sasfis was observed downloading updated spamming modules. Typical Sasfis spam examples include fake UPS invoices and Facebook photo links. 

Stuxnet Attack
This month’s Stuxnet attack (read our FAQ here), reiterates the importance of quickly patching security holes as fixes become available and having a broad intrusion prevention system (IPS) in place. Even with proper patch management, all it takes is one zero-day vulnerability to be exploited (even in low volume) to potentially cause a significant impact. While the Stuxnet attack is still under investigation, the fact that a trojan associated with the exploit was seemingly developed to target industrial control systems underscores this point. This is also a good example of how little interaction is required by the end user to become infected. The Stuxnet exploit attacked a Windows Shell vulnerability (CVE-2010-2568). To launch its attack, a user simply opened a folder. 

Windows Help Center Vulnerability Exploited
On June 5, vulnerability within the Windows Help and Support Center that could allow remote code execution was publicly disclosed. Like Stuxnet, this is yet another example of a zero-day vulnerability successfully attacked before a patch is made available. We witnessed attacks on the vulnerability as early as June 11th before Microsoft issued a patch for CVE-2010-1855 on July 13th. The attacks that occurred through Websites were made more potent because they were launched through the HCP protocol handler, which is used by all browsers. In many cases Websites that serve exploits will try to fingerprint browsers and launch attack code tailored to those browsers. 

To read the full July Threat Landscape report which includes the top threat rankings in each category, please visit: http://www.fortiguard.com/report/roundup_july_2010.html.

Don’t forget to stay connected to Tech2 via our Tech2.com Facebook page.