Hit-and-run attack one of the top security threats in June

Monday, 05 July, 2010

Fortinet, a network security provider and a  leader of unified threat management (UTM) solutions, has published its June 2010 Threat Landscape report which showed that new variations of the Sasfis botnet have entered the malware Top 10 list. Sasfis, which has been competing with the Pushdo botnet in terms of sheer volume, was very active.

In June 2010, FortiGuard Labs saw a hit-and-run attack for the Internet Explorer HTML Object Memory Corruption Vulnerability (known as CVE-2010-0249). This attack first surfaced in January 2010 and was used in the infamous Aurora attacks, which planted spy trojans within targeted major corporations.

“There is no doubt that JavaScript is one of the most popular languages used today for attacks,” said Derek Manky, Project Manager, cyber security and threat research, Fortinet. “It is used in a growing number of poisoned document attacks (PDF), particularly with heap-spray-based techniques. It's also used to launch exploits and it is popular as a browser redirector to malicious sites, since the JavaScript code can be obfuscated and appear to be more complex than traditional IFrame-based attacks from the past.

“We observed Sasfis loading a spambot component, which was heavily used to send out binary copies of itself in an aggressive seeding campaign,” said Manky. “Much like the Pushdo and Bredolab botnets, Sasfis is a loader - the spambot agent is just one of multiple components downloaded.”

Threat activities for the month of June included:

  •  200 Vulnerabilities: FortiGuard Labs covered more than 200 new vulnerabilities this period, nearly double from last report. This suggests that an increase in software vulnerabilities continue to be disclosed, ultimately available to hackers for malicious use.
  • Flash and Excel Vulnerabilities: FortiGuard Labs discovered four Flash and Excel vulnerabilities, which were disclosed and patched this period.
  • Malicious Javascript Code: In terms of malware, the only detection that topped the aforementioned botnet binaries was JS/Redir.BK - obfuscated JavaScript code, which had a surge of activity on 12 June and 13 June. The JavaScript code redirected users to various legitimate domains hosting an injected HTML page named 'z.htm'. FortiGuard observed JavaScript code was circulated through an HTML attachment in spam emails using various themes. In one attack, the HTML containing the malicious JavaScript code was attached as the file 'open.htm' in an email urging the user to update their MS Outlook client. The exact same email also circulated with a FakeAV binary attachment, once again proving that spam templates are often recycled for various attacks. In another example, a 'bad news' email socially engineered for the FIFA World Cup had the same malicious JavaScript attached through a file named 'news.html'.

FortiGuard Labs compiled threat statistics and trends for June based on data collected from FortiGate network security appliances and intelligence systems in production worldwide. Customers who use Fortinet’s FortiGuard Subscription Services should already be protected against the threats outlined in this report.

Related News

CrowdStrike to buy Adaptive Shield

CrowdStrike is augmenting its SaaS security capabilities through the acquisition of Israeli-based...

LockBit named nastiest malware of 2024

LockBit, a ransomware malware known to have been used to attack Australian targets, has been...

Extreme Networks launches ZTNA solution

Extreme Networks' new ExtremeCloud Universal ZTNA solution combines cloud network access...


  • All content Copyright © 2024 Westwick-Farrow Pty Ltd