Over the past few years, security companies have observed a major increase in the number of attacks carried out against corporate and home users via the Internet. Noting this trend, Kaspersky Lab has been a pioneer in designing and deploying special monitoring tools across the IP space.
Since July 2001 Smallpot technology developed by Kaspersky Lab has collected literally millions of probes and attacks. This data has been used not only to create accurate statistics regarding the prevalence of different types of malware and hacker attacks on the Internet, but also to ensure top detection rates for Kaspersky Lab solutions as well as the quickest possible response to new and unknown threats.
One important observation is that a lot of the statistics which are made available on the Internet are calculated using reports provided by firewall software, in the form of TCP/IP port numbers which have been blocked. Although these can provide a good indication of the number of machines could potentially be compromised by a specific piece of malware or used by hackers to launch attacks on the Internet, they do not provide an exact picture of what malware has been used and they are not able to differentiate between the various exploits used by hackers to break into remote systems over the Internet. Such a fine level of information is only available when special software is used. Such software is designed to collect not only the port number, but the actual data sent during the attack. This is what the Smallpot technology does. Additionally, many reports cover only attacks carried out via the Internet, while paying little attention towards data mining attempts, or “probes”. For instance, many attacks against business users begin with a set of probes to collect information on the various services being made available via the Internet from the company' servers. These probes are not intrusive by themselves, but are usually followed by a targeted exploit or set of exploits. Such probes can be an early indication that a certain server is under attack and can be used to dynamically apply rules which block malicious attempts to gain access before the attacker has the chance to exploit any of the information they might have managed to obtain. Thus, this report doesn't only cover direct attacks carried out via the Internet, but also provides an overview of the various types of probes used to collect information prior to the attack. This information is relevant in determining the evolution of hacking techniques and procedures.
Finally, it should be noted that in every statistic the handling of errors plays maybe the most important role. To minimize the impact of errors on the final data and to provide an image as clear as possible, a network of sensors has to be evenly distributed across the IP space of the Internet (this can be translated into having as many nodes as possible, in as many countries as possible). The Smallpot network includes machines from all around the world, with many nodes being located in North America, Europe and Asia. During the years of research, KL has noticed that these are usually among the first to experience the effects of a new attack. Additionally, nodes located in IP spaces which are less populated ensure that the information received by the network includes not only the most prevalent attacks but also localized exploits. Although these may never been seen anywhere else in the world, they may be of interest to users from a particular area.
Let's take a look at some of the information provided by the Smallpot network in 2005.
|Rank||% of total||Type||Name||Advisory|
|1||32.21||probe||HTTP GET Generic||—|
|7||3.43||exploit||Microsoft SQL Server 2000 Resolution Service||MS02-039|
|8||2.85||probe||SSH Bruteforce Password Crack||—|
|10||2.29||exploit||Buffer Overrun in Microsoft RPC Interface||MS03-026|
|11||2.03||probe||Get HTTP Proxy Information||—|
|17||0.39||worm||Agobot via WebDAV exploit||MS03-007|
The “HTTP GET Generic” probe was by far the most common incident encountered during 2005 by the computers forming the Smallpot Network during 2005. According to research performed by KL, in most cases this type of probe is used by the automatic tool employed by spammers to find open proxies over the Internet, which can later be used to send spam. Other uses for this type of probe are to gather general information about a HTTP server in an attempt to locate any vulnerabilities which it may have.
The Dipnet worm appeared in early January 2005, and topped the charts until May 2005, when it started to become less widespread. The large number of attacks in January was followed in May by a huge wave of probes which attempted to find machines infected with this worm and control them. Dipnet.a contains a backdoor component running on port 11768, which allows any attacker to obtain full control of a compromised system, making it an interesting trampoline from which to launch other malware and. of course, send spam.
The Slammer worm was first seen on the Internet in January 2003, and it then caused one of the major outbreaks of the year. Sending itself over UDP port 1434, Slammer not only infected a very large number of machines, but it is still one of the most common worms spreading via the Internet at the moment, almost two years after the initial epidemic. The table below gives a breakdown of Slammer attacks in 2005 by month:
|Month||% of total|
As the table above shows, and looking at the distribution of Slammer attacks by source IP address in 2005, the worm is no longer infecting machines at any significant rate. However, infected machines are also not being disinfected at a significant rate either, which suggests that Slammer may still be with us for a while.
Radmin (versions lower than 2.2) is full-featured remote administration software for PCs which is used by home users and it is also widely deployed in corporations to simplify tasks such as the installation of updates by system administrators. Because Radmin is a commercial application, not all antivirus products will detect it as malware. This makes the software making it a prime choice for hackers who need to secure access to a compromised system. By default, Radmin uses TCP port 4899; this makes the program a direct target for brute force password crackers, which accounted for over 8% of all Internet probes and attacks in 2005.
Microsoft Security Bulletin MS03-007, originally released in March 2003, describes a buffer overflow in ntdll.dll which can be exploited through WebDAV, the Distributed Authoring and Versioning implementation in IIS. Since information about the vulnerability was published, many hacking tools have appeared on the Internet. Such tools provide complete automation for scanning and identifying hosts that can be compromised this way, making it a top attack vector for hackers during 2005.
Number 6 in the Kaspersky Top 20 Internet probes and attacks for 2005 is occupied by generic Microsoft SQL probes, which test for the presence of a MSSQL server at the target IP address. They are used to determine various protocol specifics with the final intention of choosing the right exploit for the MSSQL version installed on the machine, or attempting to guess one of the administrative passwords for the SQL server prior to a brute force attack. The Spida.a worm relied on this method to spread back in 2002 and caused major epidemics around the world, with Korea being particularly hard hit.
The Secure Shell Server (SSH) is another service which is often targeted by brute force password cracking tools. Most of these tools will try to log in using a list of common usernames and passwords. Of course, these cannot be used to launch a large scale attack over the Internet, but they can be used to find small numbers of machines which can be later used to launch other attacks more or less anonymously.
The Microsoft SQL Server Resolution Service Buffer Overflow is mostly known for being used by the Slammer worm to replicate. During 2005 several other pieces of malware which take advantage of this vulnerability appeared. Additionally, there are automated hacking tools which use this vulnerability to inject backdoors in a vulnerable machine. This makes the vulnerability another popular choice for malware authors and hackers.
The first exploits targeting the MS ASN.1 exploit were detected in June 2005, with the highest number of reports in July. They coincided with the appearance of a new breed of Rbot variants using this exploit. Later in the year, this exploit was integrated into other pieces of malware such as Bozori.c.
One of the most widespread worms which uses the vulnerability detailed in MS03-026 is Lovesan, also known as “Blaster”. The exploit used by this worm has also been incorporated in many Rbot variants and countless other worms, some of which have caused real outbreaks during 2003 and 2004.
New versions of the Bagle worm, which was first detected in January 2004, have been appearing on an almost monthly basis. A backdoor is built into most Bagle variants which allow an attacker to control the machines infected by the malware (as long as s/he knows the victim machine's IP). Additionally, there are hundreds of other worms which scan and attempt to infect machines which have an active Bagle backdoor. This strategy has become an established one.
Just like Radmin, Dameware is a suite of tools which can be used to remotely administer a machine over TCP/IP. A vulnerability exists in Dameware Mini Remote Control Server versions prior to 3.73, which can be used to directly execute arbitrary code on a vulnerable system. The vulnerability was first reported in December 2003; however, with more and more hosts applying patches and updating to the most recent version of the software, the vulnerability and consequent threat is becoming less widespread.
The Dabber worm is an interesting case of malware which only infects machines already compromised by a different worm, in this case, Sasser. Another notable case of malware which functions in the same way is Doomjuice, which infected computers already compromised by the widespread MyDoom.a and .b worms. With Sasser dying out, Dabber is following a similar pattern and slowly disappearing from the net.
WINS exploits, mostly used by Rbot and Agobot variants on port 42, are the last of the notable attacks in the 2005 top 20. The highest number of WINS exploits was detected in January 2005, and they have been declining ever since.
As the previous top 20 shows, most of the vulnerabilities used in Internet attacks are in Microsoft software and generally, they are old vulnerabilities which were fixed quite a long time ago. This is an indication that many computers connected to the Internet do not receive updates automatically, and that their owners are not interested into ensuring that their systems have the latest patches and service packs from Microsoft installed.
This lack of action creates a solid base of vulnerable systems which can be targeted by malware and hackers alike, providing a constant source of machines which can be hacked and turned into zombies for sending spam or distributing more malware.
|1||MS02-039||Buffer Overruns in SQL Server 2000 Resolution Service Could Enable Code Execution (Q323875)|
|2||MS03-007||Unchecked Buffer in Windows Component Could Cause Server Compromise (815021)|
|3||MS03-026||Buffer Overrun in RPC Interface Could Allow Code Execution (823980)|
|4||MS04-007||ASN.1 Could Allow Code Execution (828028)|
|5||VU#909678||DameWare Mini Remote Control vulnerable to buffer overflow|
|6||MS04-045||Vulnerability in WINS Could Allow Remote Code Execution (870763)|
|7||MS02-061||Escalation of Privilege in SQL Server Web Tasks (Q316333)|
|8||MS05-039||Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege (899588)|
|9||MS01-059||Unchecked Buffer in Universal Plug and Play Could Allow Remote Code Execution and Elevation of Privilege|
|10||—||AWStats Rawlog Plugin Logfile Parameter Input Validation Vulnerability|
Of all the vulnerabilities from the top 10 above, only one was reported in 2005, namely the MS05-039 UpnP Vulnerability.
We can therefore conclude that during 2005, although relatively few new critical Windows vulnerabilities were detected (in comparison with previous years), there is a large existing base of machines around the Internet which is vulnerable to older attacks. This provides malware writers with a ready target which can later be used to quickly distribute new self-replicating malicious code or Trojans.
|Rank||% of total||Port|
Our research shows that many attacks against a machine or set of machines via the Internet begin with a port scan, in which all the open ports are logged and flagged for later investigation. Additionally, many worms will scan for potentially vulnerable machines in their B-class / C-class, attempting to open connections to various ports before exploiting a specific vulnerability.
In 2005, the most actively sought-after port was 445/TCP, which is used by Windows 2000 and its cousins for SMB (file and printer sharing) over TCP. In older Windows versions, ports 135 and 139 were used for the same purpose, but starting with Windows 2000, Microsoft switched to using port 445, if available. For compatibility reasons, if a SMB server is not found on port 445, older ports 135 and 139 get used instead. Of the top 10 vulnerabilities used in Internet attacks, the following can be exploited over port 445: MS03-026, MS04-007 (ASN.1) and the recent MS05-039 (UPnP).
Port 80, which is used for HTTP transfers, came second. It reached this position thanks to the number of scans looking for open proxies and because of the exploits which can be carried out via HTTP. Out of the top 10 vulnerabilities used in Internet attacks, the “AWStats Rawlog Plugin Logfile Parameter Input Validation Vulnerability” can be exploited over port 80.
Port 135, used by Microsoft's DCOM Service Control Manager, is another popular target for hackers and worms. Most of the time, it is used to deliver exploits for the MS03-026 vulnerability. Many, if not most, recent Rbot and Agobot variants use port 135 to spread, as does the still widespread Lovesan / Blaster worm.
Ports 1025, 1026 and 1027 UDP are used by spammers to send spam to the Windows Messenger Service, which listens on these ports. The Messenger Service is also available through port 135. However, since the Blaster outbreak many ISPs block port 135, while leaving the others open to potential abuse.
Ports 1433 and 1434 UDP are used by Microsoft's SQL Server and worms and hackers alike use them to deliver various exploits for the server. Port 1434 UDP is used by attacks targeting MS02-039, the most actively exploited vulnerability in 2005, mainly by the Slammer worm.
Port 4899, used by Radmin, is another popular target for hackers, as its position at number four position in the top 20 Internet probes and attacks shows. This port is also targeted by several worms, for instance Rahak.a and several Agobot variants.
The large number of port 15118 probes can be attributed to the Dipnet.e worm and variants, which use it to identify already infected hosts. Because Dipnet opens a backdoor on this port, the port is also targeted by scanning tools employed by spammers to identify machines that can be used to distribute other malware and/or spam. Interestingly, port 11768, used by previous Dipnet variants, didn't make it into this year's top 20. Port 2745 is used in a similar way by the Bagle backdoor and port 3127 by the Mydoom backdoor.
Traditionally, port 5554 is assigned to SGI Embedded Support Partner web servers but the high volume of traffic intercepted during 2005 on this port is due to Sasser, which runs an ftp server on it. The Dabber worm, which appeared in May 2004, uses an exploit for the port 5554 ftp server run by Sasser, and is therefore mostly responsible for the traffic observed on this port.
Port 4444 is nothing other than the Blaster command line shell, which is used during the worm's replication; it is also a target for port scanners looking for a ready-to-use backdoor in the system.
Port 3128 is traditionally used for proxy servers, making it a target for spammers looking for machines which can be used as gateways to distribute spam. Additionally, there are several known worms which contain hard-coded proxy servers on this port too.
The last positions in the top 20 are occupied by port 6129 (Dameware), 42 (WINS), 21 (FTP). This correlates with the traffic noted earlier in the Top 20 Internet probes and attacks for 2005.
|Rank||% of total||Country|
This year, China has become the leading source of Internet attacks and probes, bypassing the US which used to hold this position. Undoubtedly, this is due to increased connectivity in China, which according to the CIA World Factbook reached 94 million users at the end of 2004, It is also due to the increased popularity of security solutions in the US as well as stricter cybercrime laws. It is also worth noting that the first three positions in this top twenty account for more than 50% of the attacks and probes worldwide.
An interesting note here is that China hosts 57% of the machines infected by Slammer, while Korea, which used to lead in this respect two years ago, now has less than 1% of all infected machines. This reflects the differing levels of interest in security in these two countries.
It is also relevant to rank the number of attacks according to the size of population. The resulting top twenty shows the following important changes:
Hong Kong and South Korea, countries with relatively small populations but very high Internet connectivity lead the ratings, with Canada, the Netherlands and the US coming next. China is in10th place due to its extremely large population.
Maybe even more relevant is to rank the number of attacks according to overall internet connectivity in the relevant countries:
The table above shows the distribution of attacks according to internet connectivity of all countries. Again, Hong Kong is top position, and Korea is close to the top again, in 6th place. Russia is now number four.
In terms of malware which replicates at network level, the table below gives an overview of the current situation:
|Rank||% of total||Country|
Again, China and the US account for most of the infections worldwide, but Japan comes third with another interesting case, India, at number 7. Compared with last year, the number of infected machines in both Japan and India is on the rise.
This year, a number of critical vulnerabilities were detected in Microsoft products. However, only one, MS05-039, has been exploited at some extent. Vulnerabilities which have not yet been exploited by worms and hackers at a significant rate include MS05-051 (exploited by Dasher.b but without any widespread impact), MS05-043 (a vulnerability in the Print Spooler Service), MS05-021 (a vulnerability in Exchange Server), MS05-019 (a vulnerability in Windows TCP/IP implementation) MS05-011 (a vulnerability in SMB) and MS05-010 (a vulnerability in the License Logging Service). Kaspersky Lab recommends that all users should install the updates provided by the vendor through Windows Update at http://windowsupdate.microsoft.com/ .
Of the new critical vulnerabilities that affect Unix systems, the “XML-RPC for PHP PHP Code Execution Vulnerability” is maybe the most important. Since the XML-RPC component is used by many popular web applications such as b2evolution, WordPress and TikiWiki, worms such as Lupper, which attempt to exploit this vulnerability have become prevalent in their category. The “AWStats "configdir" Parameter Arbitrary Command Execution Vulnerability” is also a popular target for attacks on Unix machines.
The “AWStats Rawlog Plugin Logfile Parameter Input Validation Vulnerability”, which is used by the Lupper worm and variants to spread, is one of the older vulnerabilities for Unix systems which is still being exploited.
Patches for these vulnerabilities can be downloaded from:
In addition to these vulnerabilities, attackers have been mostly relying on misconfigured systems and older exploits to gain access to Unix machines.
Data from 2005 shows several clear trends. Firstly, two major types of target are evident on the Internet. The first type encompasses machines running very old software. These machines are not only vulnerable to recent exploits, but also many older ones. It's obvious that the owners of these machines do not install patches and service packs promptly; this provides a mass of “ready to infect” servers on the Internet.
The second type is composed of machines which are quickly patched by their owners, and the number of successful attacks exploiting fresh vulnerabilities is therefore much lower than in previous years. This indicates that recent campaigns to raise awareness of IT security issues are either having a palpable effect (mainly in the US) or being completely ignored in countries such as China. It is these countries which host the vast majority of systems running older, vulnerable operating systems and products.
Another important trend is the huge increase in attacks linked to spamming activities, attacks which attempt to plant malware that can be used to send spam or that can be used for financial gain. In addition to this, most of the worms that have been spreading via the Internet at network level recently include a backdoor component. As soon as these become widespread, they get exploited by spammers. For similar reasons, the number of probes searching for open proxies also showed a marked increase.
Flash worms, which used to be a serious problem two years ago, are no longer topping the charts. Their place has been taken by malware which is written with direct financial gain in mind. This points to the emergence of a new phenomenon, the so called “business worms” which we have already written about.
Finally, in 2006 we expect attacks linked to spamming to continue to increase, as well as an increase in the number of worms or bots which exploit not one or two, but many different vulnerabilities, both new and old. Kaspersky Lab will also be closely monitoring the situation in China closely, as the large number of vulnerable machines there has a potentially major impact on the rest of the world.