FortiGuard Center
Threat Research and Response
Prevalence Report
The State of Malware - June 2008 EditionThis edition's highlights:
The following malware statistics are based on threats caught by Fortinet's FortiGate security appliances for the period May 21st - June 20th, 2008. Top Ten Variants Top ten malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition's Top 100 ranking, with "new" highlighting the malware's debut in the Top 100: Rank Malware Variant Percentage Top 100 Shift 1 W32/Netsky!similar 9.02 - 2 W32/OnlineGames!tr 7.6 new 3 W32/Virut.A 5.84 +1 4 W32/OnLineGames.fam!tr.pws 5.27 +2 5 HTML/Iframe_CID!exploit 4.06 -2 6 W32/Agent.LPV!tr 3.28 new 7 Adware/Vapsup 3.26 -5 8 HTML/Iframe.DN!tr.dldr 2.92 -1 9 W32/MyTob.FR@mm 2.87 +2 10 W32/Grew.A!worm 2.31 +5While there are no outstanding new faces this edition, there is still plenty of activity:
Malware variants' activity for this edition has been grouped into families and sorted as shown below. Percentage indicates the portion of activity accumulated by the family out of all threats reported in this edition. Top 10 shifts indicate positional changes compared to last edition's Top 10 ranking, with "new" highlighting the malware family's debut in the top ten: Rank Malware Family Percentage Top 10 Shift 1 OnlineGames 35.4 new 2 Netsky 15.3 -1 3 MyTob 9.8 -1 4 Virut 6.3 -1 5 Grew 2.3 +5OnlineGames now represents family activity from online gaming Trojans and, not surprisingly, has a strong hold on first position thanks to activity through the OnlineGaming family detections in our top 10. While the other names remained the same, Grew managed to slide its way into fifth place this edition. Activity recap This edition some activity remained consistent, such as Virut.A. The parasitic file infector has shown its prevalence by remaining in our top five for five consecutive months, and has shown increased activity compared to last edition. A vast majority of Virut.A was detected in Japan and Korea this edition, with a heavy amount of activity in the latter. While some new variants appeared this month, a majority of the faces remained the same. Grew.A activity has remained very consistent, and while not always in our top 10 has impressively managed to land in the top 15 for over 10 months. With these facts in mind, followed by a consistent activity pattern to the end of this edition, it can be assumed that the Grew.A worm will continue its prevalent activity throughout next month. Figure 1 below shows this edition's activity pattern for Vapsup, Virut.A, and the both Online Gaming trojan family detections listed in our top ten:  Figure 1: Malware activity this edition; a blend of gaming trojans, adware and parasitic file infectors As can be seen in the above figure, Virut.A's persistent activity throughout the last five months shows through a steady wave. The same cannot be said for Vapsup, which had such a dominant campaign last edition. While Vapsup had a strong start to the month, activity faltered towards the end of June. This same trend was noticed last year, when adware CashOn went on a heavy three month seeding campaign in Korea. We have now seen consistent activity for Online Gaming trojans throughout the last couple of months. This edition holds no exception, with two family detections landing within a top four ranking. Rightly so, this has generated quite a bit of interest. In our April 2008 edition, we explored the geographics of two trojans: OnlineGames.SIN and OnlineGamesEncPK.fam (the latter now referred to as OnLineGames.fam). The main point of interest in these two was heavy activity in Taiwan and China. This edition, we have compiled a geographic visual on total online gaming trojan activity that can be seen in Figure 2 below:  Figure 2: Total Online Gaming trojan activity for this edition, top five countries While the main activity remains in China and Taiwan, activity has risen in Turkey, observed Fortinet security researcher Derek Manky. This is mostly thanks to the OnlineGames!tr family detection, which placed second in our top 10 this edition. Heavy activity was split between China and Turkey for this detection, with China slightly ahead in terms of prevalence. Increased activity in the USA can also be noticed. With the online gaming market thriving with consumers, malicious activity will very likely continue for some time in this emerging sector as it forms a viable target. Solutions Customers who use Fortinet’s FortiGuard Subscription Services are already protected against the threats outlined in this report. Threat activity is compiled by Fortinet's FortiGuard Global Security Research Team using data gathered from its intelligence systems and FortiGate™ multi-threat security appliances in production worldwide. FortiGuard Subscription Services offer comprehensive security solutions including antivirus, intrusion prevention, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. |