Traffic and Event Review of May 2004
Overall System Traffic
256,922 outbound log events. A full security audit performed on an
external system on the morning of May 29th resulted in a huge spike of traffic.
Unique outbound destinations per hour. Spike on May 13th from test of
228,428 unsolicited events logged. Spikes explained below. NOTE: the
ISP had a brief outage on the morning of May 21st.
Unique inbound sources per hour. The spike on May 29th was from ICMP
traffic, see below.
The spike on May 29th was ICMP return traffic from various external security
The events of May 15th and May 29th were local events, explained below.
Trends indicate that a number of infected systems are turned off daily and that most
infected systems are on during the mid-evening hours.
215,326 alerts of 39 different types.
25,354 unique alert sources. 220.127.116.11 was the principal source of
the spam being sent to the spam honeypot. Note that since most source addresses
are within our local netblock, this indicates that the most common worms use a
weighted IP generation algorithm that favours local IP addresses.
The May exploit of choice was certainly the LSASS vulnerability, as a number of
new worms appeared this month exploiting it. The vulnerability is described in
Microsoft Security Bulletin MS04-011.
We also saw a reduction in the number of systems which scan multiple ports (i.e.
Agobot-infected systems), as most scans are now single-port scans.
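As an added illustration (not part of the original report), a check a defender could run on firewall alert data to test the two inferences above: how far the alert sources are concentrated inside the local netblock compared with what uniform random targeting would produce, and which sources scan a single port versus several. The local netblock and the alert records are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of inbound alert records (source IP, destination port).
# These are invented for illustration, not the report's own log data.
ALERTS = [
    ("10.20.31.5", 445), ("10.20.31.5", 445), ("10.20.77.9", 445),
    ("10.20.12.200", 5000), ("10.20.12.200", 445), ("10.20.3.14", 139),
    ("10.20.88.1", 445), ("10.20.88.1", 135), ("10.20.88.1", 139),
    ("203.0.113.7", 445), ("198.51.100.23", 65506), ("10.20.5.6", 445),
]

# Hypothetical local netblock; the report does not state its real one.
LOCAL_NET = ipaddress.ip_network("10.20.0.0/16")


def local_bias(alerts, local_net=LOCAL_NET):
    """Compare the observed share of unique alert sources inside the local
    netblock with the share expected if targets were drawn uniformly from
    the whole IPv4 space. A bias factor far above 1 supports the claim that
    the worms weight their target generation towards local addresses."""
    sources = {ipaddress.ip_address(src) for src, _ in alerts}
    local = sum(1 for s in sources if s in local_net)
    observed = local / len(sources)
    expected = local_net.num_addresses / 2 ** 32
    return {"unique_sources": len(sources), "local_sources": local,
            "observed_share": observed, "expected_share": expected,
            "bias_factor": observed / expected}


def classify_scanners(alerts):
    """Split sources into single-port scanners (e.g. an LSASS worm hitting
    only 445) and multi-port scanners (e.g. an Agobot-style bot probing
    several ports), which is the distinction the report tracks over time."""
    ports = defaultdict(set)
    for src, port in alerts:
        ports[src].add(port)
    single = sorted(s for s, p in ports.items() if len(p) == 1)
    multi = sorted(s for s, p in ports.items() if len(p) > 1)
    return {"single_port": single, "multi_port": multi}


if __name__ == "__main__":
    print(local_bias(ALERTS))
    print(classify_scanners(ALERTS))
```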
Sasser - April 30th
Scans port 445 for LSASS-vulnerable systems, then opens a remote shell on
port 9996 and uses its own FTP server on port 5554 to download the worm.
Bobax - May 17th
Scans port 5000 looking for XP systems, which it then attacks using the
LSASS exploit on port 445.
Korgo - June 1
Korgo is another LSASS-exploiting worm, but I suspect it has already infected
more systems than Sasser did.
Messenger Spam Levels
You would think that someone being interrupted by Messenger pop-ups every 3
minutes might look for the cause and a solution. I should add that simply
turning off Microsoft's Messenger Service is NOT a solution, as suggested by some
people. If you are receiving Messenger spam then it's very likely you have
been exposed to far worse malware, and you should ensure that your system is
clean and consider a hardware firewall, or at least a software firewall, as
defence against malware including Messenger spam.
We had two local events on our network, meaning that these events were not
global internet events. The first event was TCP port 139 scans of our
netblock (another honeypot on the same netblock picked up the event as
well). The second event was the result of configuring a honeypot to check
on the spammers looking for open spam engines on TCP port 65506. Our honeypot
is passive, meaning they can send us spam to bounce but our system just eats
it and nothing is passed on. It would appear that spammers are still very
aggressive about using compromised systems to send out their spam.
About this system
The test network used is a home system running on a high-speed cable network
with no services exposed to the internet (meaning no web server, etc.), so this
traffic could be considered typical for most home systems. All reports and
graphs were produced using Link Logger connected to a Zyxel Zywall 10W.
Page last updated on June 05, 2004