Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

6/30/2010
06:35 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Sasfis Botnet Active This Month, Report Show

Fortinet publishes June 2010 Threat Landscape

SUNNYVALE, Calif., June 30, 2010 - Fortinet' (NASDAQ: FTNT) – a leading network security provider and worldwide leader of unified threat management (UTM) solutions – today announced its June 2010 Threat Landscape report showed that new variations of the Sasfis botnet have entered the malware Top 10 list. Sasfis, which has been competing with the Pushdo botnet in terms of sheer volume, was very active this month.

“We observed Sasfis loading a spambot component, which was heavily used to send out binary copies of itself in an aggressive seeding campaign,” said Derek Manky, project manager, cyber security and threat research, Fortinet. “The Sasfis socially-engineered emails typically had two themes; one looked like a fake UPS Invoice attachment, and the other was disguised as a fees statement. Much like the Pushdo and Bredolab botnets, Sasfis is a loader the spambot agent is just one of multiple components downloaded.”

IE Vulnerabilities Come Out of Retirement

This month, FortiGuard Labs saw a hit-and-run attack for the Internet Explorer HTML Object Memory Corruption Vulnerability (known as CVE-2010-0249 within Microsoft and MS.IE.Event.Invalid.Pointer.Memory.Corruption within Fortinet). This attack first surfaced in January 2010 and used in the infamous Aurora attacks to plant spy trojans within targeted, major corporations. The attack has since subsided, last appearing in FortiGuard’s top 10 in February’s Threat Landscape report.

Additional threat activities for the month of June:

200 Vulnerabilities: FortiGuard Labs covered more than 200 new vulnerabilities this period, nearly double from last report. This suggests that an increase in software vulnerabilities continue to be disclosed, ultimately available to hackers for malicious use.

Flash and Excel Vulnerabilities: FortiGuard Labs discovered four Flash and Excel vulnerabilities, which were disclosed and patched this period. For more information see FortiGuard's Adobe and Microsoft advisories.

Malicious Javascript Code: In terms of malware, the only detection that topped the aforementioned botnet binaries was JS/Redir.BK - obfuscated JavaScript code, which had a surge of activity on June 12 and June 13. The JavaScript code redirected users to various legitimate domains hosting an injected HTML page named "z.htm." FortiGuard observed JavaScript code was circulated through an HTML attachment in spam emails using various themes. In one attack, the HTML containing the malicious JavaScript code was attached as the file "open.htm" in an e-mail urging the user to update their MS Outlook client. The exact same e-mail also circulated with a FakeAV binary attachment, once again proving that spam templates are often recycled for various attacks. In another example, a “bad news” email socially engineered for the FIFA World Cup, had the same malicious JavaScript attached through a file named "news.html.”

“There is no doubt that JavaScript is one of the most popular languages used today for attacks,” Manky continued. “It is used in a growing number of poisoned document attacks (PDF), particularly with heap-spray based techniques. It's also used to launch exploits, and it is popular as a browser redirector to malicious sites, since the JavaScript code can be obfuscated and appear to be more complex than traditional IFrame based attacks from the past.”

FortiGuard Labs compiled threat statistics and trends for June based on data collected from FortiGate' network security appliances and intelligence systems in production worldwide. Customers who use Fortinet’s FortiGuard Subscription Services should already be protected against the threats outlined in this report.

To read the full June Threat Landscape report which includes the top threat rankings in each category, please visit: http://www.fortiguard.com/report/roundup_june_2010.html. For ongoing threat research, bookmark the FortiGuard Center or add it to your RSS feed. Additional discussion on security technologies and threat analysis can be found at the Fortinet Security Blog at http://blog.fortinet.com. To learn more about FortiGuard Subscription Services, visit http://www.fortinet.com/products/fortiguard.html.

FortiGuard Subscription Services offer broad security solutions including antivirus, intrusion prevention, Web content filtering and anti-spam capabilities. These services help protect against threats on both application and network layers. FortiGuard Services are updated by FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and zero-day protection from new and emerging threats. For customers with a subscription to FortiGuard, these updates are delivered to all FortiGate, FortiMail™ and FortiClient™ products.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
As 'Anywhere Work' Evolves, Security Will Be Key Challenge
Robert Lemos, Contributing Writer,  11/23/2020
Cloud Security Startup Lightspin Emerges From Stealth
Kelly Sheridan, Staff Editor, Dark Reading,  11/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-29378
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D-MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. It is possible to elevate the privilege of a CLI user (to full administrative access) by using the password [email protected]#y$z%x6x7q8c9z) for the e...
CVE-2020-29379
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D4L V1.01.49 and V1600D-MINI V1.01.48 OLT devices. During the process of updating the firmware, the update script starts a telnetd -l /bin/sh process that does not require authentication for TELNET access.
CVE-2020-29380
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D-MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. TELNET is offered by default but SSH is not always available. An attacker can intercept passwords sent in cleartext and conduct a man-in-...
CVE-2020-29381
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D-MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. Command injection can occur in "upload tftp syslog" and "upload tftp configuration" in the CLI via a crafted filename...
CVE-2020-29382
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. A hardcoded RSA private key (specific to V1600D, V1600G1, and V1600G2) is contained in the firmware images.