Fortinet report shows domination of ransomware

by CXOtoday Staff    Apr 14, 2010

Fortinet, a network security and unified threat management (UTM)
solution provider, reports a surge of ‘ransomware’ in its March 2010
threatscape report. Nine of the ten entries in the report’s malware
top ten were scareware or ransomware infesting the victim’s PC.

Fortinet observed that the primary drivers behind these threats were
two notorious botnet ‘loaders’, Bredolab and Pushdo. Another finding is
the entry of a new zero-day exploit into FortiGuard’s top ten attack
list, MS.IE.Userdata.Behavior.Code.Execution, which accounted for 25
percent of the attack activity detected last month.
 
Key threat activities for the month of March:
- High activity of SMS-based ransomware (W32/DigiPog.EP):
DigiPog is a Russian-language SMS blocker. It locks the user out of
the system and aggressively kills popular applications such as Internet
Explorer and Firefox until the correct unlock code is entered into a
field it displays. To obtain the code, the user must send an SMS
message to the number shown and receives the code in return. On
execution, DigiPog also registers the infected machine’s MAC address
with its command server. This is the first time an SMS-based
ransomware has appeared in Fortinet’s top ten list.
 
- Botnet competition: The infamous Bredolab and Pushdo botnets were
identified as the ones behind the strong ransomware activity this
month. However, Sasfis, another botnet loader, moved up eight positions
in Fortinet’s Top 100 attack list from last month, landing in fifth
position just behind Gumblar and Conficker network activity. Sasfis is
an example of a simplified botnet that is used heavily to sell
malicious services to other criminals (which Fortinet calls crime as a
service).
 
- Zero-day attack: A new zero-day exploit,
MS.IE.Userdata.Behavior.Code.Execution (CVE-2010-0806, FortiGuard
Advisory 2010-14), triggers a memory-corruption vulnerability in
Internet Explorer, enabling remote code execution through a drive-by
download: the victim only has to view a page hosting the exploit, with
no further interaction required. Microsoft shipped a fix for
CVE-2010-0806 in the out-of-band update MS10-018 at the end of March.
Accounting for one fourth of the attack activity detected in March,
this exploit was ranked number two in Fortinet’s top ten attacks last
month and remains very active, predominantly in Japan, Korea and the
U.S.
 
"As we predicted
for 2010, cybercriminals are clearly pursuing new ways to lure
consumers and threaten the enterprise at large. Troublesome zero-day
exploits continue to attack popular client-side software, while methods
such as ransomware and crime as a service help them increase their
reach and make their attacks more effective against end users," said
Derek Manky, project manager, cyber security and threat research,
Fortinet.

FortiGuard Labs’ threat statistics for March are based
on data collected from the FortiGate network security appliances and
intelligence systems in production worldwide.