Tuesday, September 10, 2013

Fortinet’s Latest FortiGuard Labs Reports a 30 Percent Increase in Mobile Malware in the Last Six Months; Seeing 1300 New Samples Per Day

Team Reveals that Attackers are Taking Advantage of Old Vulnerabilities, Despite Being Patched, in Ruby on Rails, Java, Acrobat and Apache

MALAYSIA, September 4, 2013 ― Fortinet, a world leader in high-performance network security, recently announced the findings of its FortiGuard threat landscape research for the period of January 1 to July 31, 2013.

1)  Mobile Malware on the Rise

FortiGuard Labs observed a 30 percent increase in mobile malware in the labs over the last six months. The team is now seeing more than 1,300 new samples per day, and is currently tracking over 300 unique Android malware families and over 250,000 unique malicious Android samples.

2)  Bring Your Own Trouble

The Bring Your Own Device (BYOD) phenomenon has many benefits for a business, chief among them increased employee efficiency and productivity gains. However, the disadvantage of a lenient BYOD policy is the threat of mobile malware infecting the user’s device and, subsequently, the business network.

“Three years ago, mobile malware wasn’t much of a concern for users or businesses. Most malware at the time targeting smartphones and tablets was nothing more than annoyware such as the Cabir virus or scam software used to commit SMS fraud or replace icons,” said Axelle Apvrille, senior mobile anti-virus researcher for Fortinet’s FortiGuard Labs. “However, as devices have proliferated, so, too, have cybercriminals eager to capitalize on the growing user base, and our research shows the proliferation of mobile malware will not abate anytime soon.”

3)  2013 Changed the Mobile Threat Landscape

In 2013, the mobile threat landscape changed dramatically. Wide-scale manufacturer adoption of Google’s Android OS globally has led to an explosion of smartphones in the marketplace. Android devices are available in every market, at price levels from the incredibly inexpensive to feature-rich, cutting-edge computing monsters. Coupled with the explosion of applications that extend device functionality, this has given cybercriminals and other nefarious types a new business opportunity.

4)  Mobile Ransomware Has its Coming Out

In 2012, FortiGuard predicted that the financially lucrative ransomware would make its way onto mobile phones.

“Ransomware has been incredibly successful financially for cybercriminals, so it’s no surprise they’ve turned their attention to mobile devices,” said Richard Henderson, security strategist for Fortinet’s FortiGuard Labs. “The Fake Defender malware for Android follows the same M.O. as PC fake antivirus software – it pretends to be altruistic, but in reality, it lies in wait to launch its true form. This malware then locks the victim’s phone and demands payment before unlocking the device.

Once the phone is locked, the victim can either pay the ransom or completely erase their device, losing all their photos and data unless they have a full backup elsewhere.”

5)  New Attacks on Old Vulnerabilities

Even though we’ve seen recent patches for Ruby on Rails, Java, Adobe Acrobat and Apache, FortiGuard Labs is finding attackers are still exploiting those old vulnerabilities.

6)  Ruby on Rails

In January 2013, it was announced that a critical vulnerability in the Ruby on Rails Framework could allow a remote attacker to execute code on the underlying Web server.

Ruby on Rails (RoR) is a Web application framework for the Ruby programming language. Put simply, it allows for rapid, easy and elegant deployment of “Web 2.0” Websites. RoR is a popular framework: hundreds of thousands of Websites online use RoR in some fashion. Further adding to the problem, a Metasploit module was made available to scan for the vulnerability, making the ability to find a Web server to exploit a trivial matter.

7)  Java Remote Code Execution

In January 2013, a zero-day exploit that was able to bypass Java’s sandbox and run arbitrary Java code was discovered.

Java is a ubiquitous technology online – most computers have some form of Java installed and enabled. The vulnerability allowed a malicious applet to run any Java program, bypassing Java’s sandbox and granting full access to the vulnerable computer.

Attacks were discovered in the wild and the exploit was quickly integrated into many popular crimeware attack kits, such as BlackHole, Redkit and Nuclear Pack, giving purchasers of these kits the ability to take advantage of the exploit and install malware on computers. A Metasploit module was also created for the vulnerability, making the ability to find victims a simple point and click affair.

8)  Acrobat/Acrobat Reader Zero-Day in the Wild

In February 2013, a PDF pretending to be a travel visa form from Turkey was detected circulating in the wild and took advantage of a previously unseen vulnerability in Adobe’s Reader software. The exploit worked with all recent versions of Adobe Reader (9.5.X, 10.1.X, and 11.0.X), and on most versions of Microsoft Windows, including 64-bit Windows 7 and most Mac OS X systems.

The exploit PDF was used by cybercriminals to install malware on their targets’ computers.

9) CDorked Attacks Apache

In late April 2013, a new attack on the popular Apache Web server was discovered. Dubbed CDorked, the malware was able to compromise the Web server and redirect its visitors to other servers that deliver malware using the BlackHole exploit kit. The attack may also have targeted the Lighttpd and Nginx Web server platforms.



Fortinet Research Team Reveals That Attackers Are Taking Advantage of Old Vulnerabilities to Attack Ruby on Rails, Java, Acrobat and Apache


1) Mobile Malware Growing by the Day

FortiGuard Labs counted a 30% rise in the spread of mobile malware within six months. According to the report, at least 1,300 new malware samples appear every month, and the team continues to track 300 Android malware families and more than 250,000 malicious Android samples.

2) Bring Your Own Device, Bring Your Own Trouble


Fortinet senior mobile anti-virus researcher Axelle Apvrille noted: “Three years ago, mobile malware was not much of a concern for many users and businesses. The malware targeting smartphones and tablets had a negative impact that was nowhere near as troublesome as the Cabir virus or scam software, which caused plenty of trouble because they were used to send SMS fraud messages or replace icons. However, as smart devices have multiplied, these online criminals are all the more eager to dominate the entire user base, and our research also shows that the spread of mobile malware will not ease in the near future.”

3) 2013 Changed the Cyber Threat Landscape


4) Ransomware Appears on Mobile Devices

In 2012, FortiGuard Labs predicted that software extorting money would run rampant on mobile devices.

“Committing cybercrime for money and property through ransomware (Mobile Ransomware) is a very easy matter, so it is no surprise that attackers have turned their attention to mobile devices,” said Fortinet security strategist Richard Henderson. “This software infiltrates the Android system disguised as protective software, in the same way fake antivirus software infiltrates PCs: on the surface it is protecting the device from attack, but in reality it lies in wait for the right moment to carry out its scam. This malware locks the victim’s phone and will not unlock the device until the victim makes the demanded payment. Once the phone is locked, the victim has to pay the ransom or discard the phone to solve the problem. Unless the victim has a full backup, they will lose the photos and data on the phone.”

5) New Forms of Attack Target Old Vulnerabilities

Although Ruby on Rails, Java, Adobe Acrobat and FortiGuard Labs already have recent patches to help fight malware, FortiGuard Labs is still working to find the attackers who use new techniques to attack these old vulnerabilities.

6) Ruby on Rails

In January 2013, the Ruby on Rails framework was found to have a critical vulnerability. This vulnerability opened a way for attackers to get at code on the associated Web server.

Ruby on Rails (RoR) is a Web application framework for the Ruby programming language. Simply put, it lets Web pages be deployed more quickly, easily and elegantly. RoR is a popular framework; thousands of Web pages currently use it.


7) Java Remote Code Execution

In January 2013, a zero-day exploit was discovered. It could bypass Java’s sandbox and launch arbitrary Java code. Java is a ubiquitous technology online; most computers have some form of Java installed.


As attacks grew more serious, this form of attack was immediately added to a range of other attack kits, including BlackHole, RedKit and Nuclear Pack. Attackers who bought these attack kits could use them to install malware on and compromise other computers at will. Metasploit modules were also built for the vulnerabilities in the various systems, which made the job of finding victims even simpler.

8) Acrobat/Acrobat Reader Zero-Day Running Rampant

In February 2013, a PDF from Turkey posing as a travel visa form exploited a vulnerability that Adobe had not yet discovered to attack Adobe’s software. The exploit successfully attacked all recent versions of Adobe’s software (9.5.X, 10.1.X and 11.0.X) and Microsoft Windows software, including 64-bit Windows 7, as well as most Mac OS systems.


9) CDorked Attacks Apache

In late April 2013, an attack on the Apache Web server was discovered. The malware, called CDorked, used BlackHole to compromise the Web server and redirect users to other servers. The attack also struck the Lighttpd and Nginx Web servers.
