This report from Kaspersky Lab summarizes the attacks and probes received by the Smallpot network during 2006. In our previous report, covering the first half of 2006, we observed a notable increase in the number of attacks originating in the US. Most of these were designed for financial gain, exploiting known vulnerabilities to infect machines with spambots and Trojan proxy servers.
This report looks at the most widespread attacks during 2006, and their geographical origin. It compares this year’s distribution data to that of 2005 and provides suggestions as to what is likely to happen during the upcoming year.
| Position | % | Type | Name | Advisory | Change in position (2005) |
|---|---|---|---|---|---|
| 1 | 34.29 | probe | HTTP GET Generic | — | — |
| 4 | 6.51 | probe | FTP anonymous login | — | +15 |
| 5 | 6.19 | exploit | Buffer Overrun in Microsoft RPC Interface | MS03-026 | +5 |
| 7 | 3.59 | probe | SSH Bruteforce Password Crack | — | +1 |
| 10 | 2.78 | worm | Blaster (and variants) | MS03-026 | +2 |
| 12 | 2.07 | worm | Lupper (and variants) | CVE-2005-1921, CVE-2005-0116, CVE-2005-1950 | New |
| 14 | 0.22 | exploit | Microsoft SQL Server 2000 Resolution Service | MS02-039 | -7 |
| 17 | 0.13 | worm | Rbot/Agobot via WebDAV exploit | MS03-007 | — |
| 18 | 0.10 | probe | HTTP POST back | — | New |
| 20 | 0.09 | probe | Kuang backdoor execute command | — | New |
Compared to 2005, the share of HTTP GET Generic probes has risen by 2%, but it is notably lower than in the first half of 2006. This suggests that spammers have hit a saturation point: they are already pushing as much spam as they can through the open proxies that exist, and there are few new ones left to find. The small variations in the number of probes for this kind of service are due to new malware appearing and disappearing, specifically malware which installs pirated, free or hacked proxy servers on compromised systems.
On the other hand, probes attempting to find MSSQL servers have risen four positions, an increase of no less than 12%. There are a few explanations for this phenomenon. First, bots from the infamous Rbot and Agobot families are so complex that they include exploits for almost every vulnerability that has a good chance of being exploited in the wild. Additionally, the advent of open source bots has resulted in lots of new families which have the same exploits packed into them and differ little from the named bots mentioned above. Finally, there are more and more web-oriented applications which make use of large databases, and although LAMP (Linux, Apache, MySQL, PHP) remains the favorite platform, MSSQL is becoming an ever more popular target. Of course, many of these installations are patched to the most recent versions. However, a weak SA password can be exploited no matter the server version.
Despite being four years old, the Slammer worm is still spreading actively. It has actually risen one place and there is no sign of it slowing down. As noted in previous reports, Slammer today is a constant contributor to background noise caused by malware on the Internet, its activity fueled by the hordes of infected machines both in Asia and around the globe.
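The following detector is an added example and is not code from the Kaspersky report or the Smallpot network. It flags UDP datagrams that exploit the SQL Server 2000 Resolution Service overflow (MS02-039) the way Slammer does, using the widely published facts about the worm: a single datagram to UDP port 1434 with a 376-byte payload, a first byte of 0x04 (the SSRP request that carries an instance name), the name field padded with 0x01 bytes, and the strings the shellcode uses to locate kernel32/ws2_32 imports. The sample payload, the source addresses and the 32-byte instance-name limit used as the overflow heuristic are constructed for this example.

```python
"""Detect MS02-039 / Slammer-style SSRP overflow datagrams (added example)."""
from collections import Counter

SSRP_PORT = 1434                 # SQL Server 2000 Resolution Service (UDP)
SLAMMER_PAYLOAD_LEN = 376        # UDP payload length of the worm datagram
# Real instance names are short (SQL Server limits them to 16 characters);
# a much longer name field is an overflow attempt whatever follows it.
# The 32-byte cut-off is an assumption of this example, not a protocol limit.
MAX_INSTANCE_NAME = 32
# Strings present in the worm body (pushes used to resolve imports, plus
# the socket/send names it resolves).
SLAMMER_MARKERS = (b"h.dllhel32hkernQhounthickChGetTf", b"sock", b"send")


def classify_ssrp(dst_port: int, payload: bytes) -> str:
    """Return 'slammer', 'overflow_attempt', 'query' or 'ignore' for a UDP datagram."""
    if dst_port != SSRP_PORT or not payload:
        return "ignore"
    opcode = payload[0]
    if opcode != 0x04:
        # 0x02 / 0x03 are enumeration requests; they do not hit the
        # vulnerable instance-name code path.
        return "query"
    name_field = payload[1:]
    if len(name_field) <= MAX_INSTANCE_NAME:
        return "query"
    if len(payload) == SLAMMER_PAYLOAD_LEN and all(m in payload for m in SLAMMER_MARKERS):
        return "slammer"
    return "overflow_attempt"


def scan(packets):
    """packets: iterable of (src_ip, dst_port, payload).

    Returns (Counter of verdicts, set of sources that sent overflow traffic).
    """
    verdicts = Counter()
    offenders = set()
    for src_ip, dst_port, payload in packets:
        verdict = classify_ssrp(dst_port, payload)
        verdicts[verdict] += 1
        if verdict in ("slammer", "overflow_attempt"):
            offenders.add(src_ip)
    return verdicts, offenders


# --- constructed sample traffic (not captured data, not the real worm) ---
LEGIT_QUERY = b"\x04" + b"MSSQLSERVER\x00"          # ask for one named instance
LEGIT_ENUM = b"\x02"                                # broadcast enumeration
_head = b"\x04" + b"\x01" * 97                      # opcode + 0x01 padding
_body = b"".join(SLAMMER_MARKERS)
SAMPLE_SLAMMER = _head + _body + b"\x90" * (SLAMMER_PAYLOAD_LEN - len(_head) - len(_body))

SAMPLE_PACKETS = [
    ("203.0.113.5", 1434, SAMPLE_SLAMMER),
    ("198.51.100.7", 1434, LEGIT_QUERY),
    ("192.0.2.9", 1434, LEGIT_ENUM),
    ("203.0.113.5", 1434, SAMPLE_SLAMMER),          # infected hosts spray continuously
    ("192.0.2.10", 1433, b"\x04" + b"A" * 200),     # TCP/1433 traffic is out of scope here
]

if __name__ == "__main__":
    counts, sources = scan(SAMPLE_PACKETS)
    print(dict(counts), sorted(sources))
```

Because Slammer is a single, fixed datagram, the length and marker checks give an exact match; the separate `overflow_attempt` verdict catches bots that reuse the MS02-039 exploit with different shellcode, which an exact signature would miss.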
FTP anonymous login attempts have gone up a record-breaking 15 positions, landing at number four in the rankings. They became a little less prevalent during the second half of 2006 and there seem to be clear indications that these probes will decrease in number over the next few months. They are mostly used to find open servers that can host malware or so-called “warez” – pirated software. FTP servers are arguably not the most efficient method of distribution, which is why other systems, such as BitTorrent or closed rings using Hamachi are becoming ever more popular among the computer underground.
The infamous buffer overrun in the Microsoft RPC Interface has gone up 5 positions in comparison to 2005. However, overall its prevalence is decreasing in comparison to the first half of 2006. Being a relatively old vulnerability (which was fixed back in 2003), it will no doubt continue to decrease, finally becoming a part of the Internet background noise, where it will probably stay for a fair while.
The number of Radmin probes, the second most prevalent type of probe during 2005, decreased quite significantly. Interestingly, the number did rise during the second half of 2006. This can be attributed to the free circulation of exploits and exploitation libraries.
Secure Shell bruteforce password cracking is also gaining in popularity, moving up one position compared to 2005. It should be noted that in general, bruteforcing weak passwords is becoming more and more popular. With software giants such as Microsoft focusing more and more on security, it was to be expected that the bad guys would start targeting humans – the weakest link in the security chain.
Microsoft ASN.1 exploits (MS04-007) are nowadays almost exclusively used in bots, along with other popular exploits which target relatively old vulnerabilities. For instance, the WebDAV vulnerability described in Microsoft Security Bulletin MS03-007 is a year older than the ASN.1 vulnerability, and is only slightly less popular.
The Blaster worm and its variants, which occupied twelfth place in 2005, have risen to tenth place. Although Blaster is not causing many infections, it doesn't seem to be dying away very fast either, and it will probably be a part of the background noise for a while to come. It should be noted that since Microsoft is delivering a Blaster disinfection tool via Windows Update, most of the machines that are still infected are probably running old versions of Windows (e.g. NT4) which have no automatic updates. It will be interesting to see whether the recent release of Windows Vista affects this base of old operating systems in any way, with people upgrading from NT4/2000 to XP or 2003, if not directly to Vista.
HTTP CONNECT attempts have also increased in number, having risen four places compared to 2005. The notable increase in such probes during the second half of 2006 is likely to continue, as CONNECT is an alternative method of probing for open proxies.
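The SSH bruteforce trend discussed above is easy to see in sshd's own log. The detector below is an added example, not code from the report; it counts failed password logins per source address in a sliding window and raises one alert per source once the threshold is reached, keeping the list of account names tried. The log lines are constructed in the standard syslog format sshd uses (which carries no year, so the year is passed in as an assumption); the 60-second window and threshold of five are example values to tune to your own traffic.

```python
"""Sliding-window detector for SSH password bruteforcing (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# sshd syslog line for a rejected password, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)


def parse_failed_login(line: str, year: int = 2006):
    """Return (timestamp, source_ip, username) for a failed password line, else None.

    Syslog timestamps have no year, so one is supplied (assumption of this example).
    """
    match = FAILED_RE.match(line)
    if not match:
        return None
    ts = datetime.strptime(f"{year} {match['ts']}", "%Y %b %d %H:%M:%S")
    return ts, match["ip"], match["user"]


def detect_bruteforce(lines, window_seconds: int = 60, threshold: int = 5) -> dict:
    """Map source IP -> alert for every source with >= threshold failures in any window.

    One alert is produced per source, at the moment the threshold is first crossed.
    """
    recent = defaultdict(deque)        # ip -> timestamps still inside the window
    users = defaultdict(set)           # ip -> account names tried so far
    alerts = {}
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue                   # accepted logins, disconnects, etc.
        ts, ip, user = parsed
        window = recent[ip]
        window.append(ts)
        users[ip].add(user)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()           # expire failures older than the window
        if len(window) >= threshold and ip not in alerts:
            alerts[ip] = {
                "first_seen": window[0],
                "failures_in_window": len(window),
                "users": sorted(users[ip]),
            }
    return alerts


# Constructed sample log: a dictionary attack from one host, a single
# failure from another, and an unrelated successful key login.
SAMPLE_LOG = """\
Nov 12 03:14:01 honeypot sshd[2041]: Failed password for root from 203.0.113.5 port 40122 ssh2
Nov 12 03:14:02 honeypot sshd[2043]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Nov 12 03:14:04 honeypot sshd[2045]: Failed password for invalid user test from 203.0.113.5 port 40134 ssh2
Nov 12 03:14:05 honeypot sshd[2046]: Accepted publickey for alice from 198.51.100.7 port 5222 ssh2
Nov 12 03:14:06 honeypot sshd[2047]: Failed password for root from 203.0.113.5 port 40138 ssh2
Nov 12 03:14:08 honeypot sshd[2049]: Failed password for invalid user oracle from 203.0.113.5 port 40140 ssh2
Nov 12 03:14:09 honeypot sshd[2051]: Failed password for root from 203.0.113.5 port 40142 ssh2
Nov 12 03:20:00 honeypot sshd[2060]: Failed password for root from 192.0.2.9 port 1000 ssh2
Nov 12 03:25:00 honeypot sshd[2061]: Failed password for invalid user guest from 192.0.2.9 port 1001 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, alert in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, alert)
```

The per-source deque keeps memory proportional to the window rather than to the log, so the same function can be fed a live `tail -f` stream. The slow attacker (192.0.2.9, one attempt every five minutes) deliberately stays under this window; catching that pattern needs a longer window or a count of distinct usernames per source.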
The Lupper worm and other derived variants are now extinct, but they were quite prevalent in the first two months of 2006. Lupper was proof that not only can worms for non-Windows platforms become widespread, but also that they can do this quite fast. The last report we received of Lupper was in July 2006.
WINS exploits have increased slightly, although not by any significant percentage. This increase is probably caused by the various worms which pack them together with hundreds of other exploits.
One interesting entry is the CGI-BIN probes in fifteenth place. We have noticed these probes in the past; however, they have increased in number in 2006. Some of them are caused by worms which exploit the same scripts as Lupper and friends, while others are generated by various hacking tools.
HTTP POST back probes are another interesting entry. With these probes, the remote host asks the honeypot to relay an HTTP request back to the machine the probe came from, usually to port 16667, 6667 or 6660. A service on the probing machine logs every connection that arrives; if the relayed request shows up there, the prober knows that the computer is running an open proxy server.
To summarize our observations for 2006 so far, there are two clear trends. Firstly, old exploits are becoming a type of background noise on the Internet and are mostly used in bots. Secondly, as relatively few new vulnerabilities are being found and exploited remotely via the Internet, the focus is shifting to finding and hacking servers (such as SSH and MSSQL) which have services protected by weak passwords.
| Position | Advisory | Description |
|---|---|---|
| 1 | MS02-039 | Buffer Overruns in SQL Server 2000 Resolution Service Might Enable Code Execution |
| 2 | MS03-026 | Buffer Overrun in RPC May Allow Code Execution |
| 3 | MS04-007 | An ASN.1 vulnerability could allow code execution |
| 4 | MS03-007 | Unchecked buffer in Windows component may cause Web Server compromise |
| 5 | CVE-2005-1921 | Eval injection vulnerability in PEAR XML_RPC 1.3.0 and earlier (aka XML-RPC or xmlrpc) and PHPXMLRPC (aka XML-RPC For PHP or php-xmlrpc) 1.1 and earlier |
| 6 | CVE-2005-0116 | AWStats 6.1, and other versions before 6.3, allows remote attackers to execute arbitrary commands via shell metacharacters in the configdir parameter |
| 7 | CVE-2005-1950 | hints.pl in Webhints 1.03 allows remote attackers to execute arbitrary commands via shell metacharacters in the argument |
| 8 | MS04-045 | Vulnerability in WINS could allow remote code execution |
| 9 | VU#909678 | DameWare Mini Remote Control vulnerable to buffer overflow via specially crafted packets |
| 10 | MS03-051 | Buffer overrun in Microsoft FrontPage Server Extensions could allow code execution |
When it comes to vulnerabilities exploited by attacks carried out over the Internet, 2006 stands apart from previous years. This is due to the increase in the number of exploits directed at non-Microsoft operating systems and products. However, the second half of 2006 marked a significant downturn in the number of such exploits, as the worm responsible for these attacks – Lupper – became extinct.
Interestingly, there was an increased focus on attacks targeting MSSQL servers. This is why the vulnerabilities which occupied first and second place in our report for the first half of 2006 have exchanged position, with attacks targeting the vulnerability detailed in Microsoft Security Bulletin MS02-039 now being the most prevalent.
As in our previous report, no vulnerability detected in 2006 makes it into the Top Ten.
In 2006, we saw a huge increase in the number of connections to port 1433, which is commonly used by MSSQL. This massive change took place in the second half of the year, rising from 1.68% to 12.59% of all ports attacked. However, the overwhelming majority of attacks and probes still target port 445, which is used by recent Windows versions for SMB (file and printer sharing) directly over TCP.
Ports 1025, 1026 and 1027 are used by the Windows Messenger service and are still a preferred target for spammers. The Windows Messenger service (not to be confused with MSN Messenger, an IM application) is disabled by default in XP SP2 and most recent Windows versions. However, this is not stopping the spammers, who continue to send packets.
Port 80, used by HTTP connections, still ranks high in fourth position. Most port 80 connections are caused by spammers looking for open proxies. Such attacks usually begin with a fetch of the site index, followed by attempts to fetch remote sites. In some cases, specific exploits are delivered once the web server software has been identified. Additionally, search engines are also responsible for a significant number of port 80 connections to our honeypots. For example, it took less than six hours for Googlebot to probe a newly installed honeypot which had been given an arbitrary IP address in the USA.
The use of port 21, which was on the rise during the first six months of 2006, has decreased quite a bit during the last few months. It appears that the bad guys have found more efficient methods for distributing software, or they have figured out that FTP servers are not very suitable for their purposes.
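The port 80 traffic pattern described above, and the HTTP CONNECT and POST back probes from the attack rankings, can be told apart from the request line alone. The classifier below is an added example, not code from the report or from the Smallpot honeypots. It labels each request as a site-index fetch, a proxy fetch of a remote site (absolute URI in the request line), a CONNECT tunnel request, a "POST back" (request aimed at the probing host's own address), or a search-engine crawler. The sample requests, addresses and user-agent markers are constructed for the example.

```python
"""Classify honeypot port 80 requests into open-proxy probe types (added example)."""
from collections import Counter
from urllib.parse import urlsplit

# Ports the report names as typical targets of POST back probes.
POSTBACK_PORTS = {16667, 6667, 6660}
# User-agent fragments of well-known crawlers (constructed list, extend as needed).
CRAWLER_MARKERS = ("googlebot", "msnbot", "yahoo! slurp")


def classify_request(src_ip: str, request_line: str, user_agent: str = "") -> str:
    """Return one of: proxy_postback, proxy_connect, proxy_fetch, crawler,
    index_fetch, local, malformed."""
    parts = request_line.split()
    if len(parts) != 3:
        return "malformed"
    method, target, _version = parts

    if method.upper() == "CONNECT":
        host, _, _port = target.rpartition(":")
        # A tunnel back to the probing host itself is proxy verification.
        return "proxy_postback" if host == src_ip else "proxy_connect"

    if "://" in target:
        # Absolute URI in the request line: the sender is treating us as a proxy.
        url = urlsplit(target)
        return "proxy_postback" if url.hostname == src_ip else "proxy_fetch"

    if any(marker in user_agent.lower() for marker in CRAWLER_MARKERS):
        return "crawler"
    if target in ("/", "/index.html"):
        return "index_fetch"
    return "local"


def postback_port(request_line: str):
    """Port the prober wants the relayed connection to reach, or None for plain requests."""
    method, target, _version = request_line.split()
    if method.upper() == "CONNECT":
        return int(target.rpartition(":")[2])
    if "://" in target:
        return urlsplit(target).port or 80
    return None


def summarize(requests) -> Counter:
    """requests: iterable of (src_ip, request_line, user_agent) -> Counter of labels."""
    return Counter(classify_request(*req) for req in requests)


# Constructed sample: one proxy-hunting host, one IRC-bound CONNECT prober,
# a crawler and a plain local request.
SAMPLE_REQUESTS = [
    ("203.0.113.5", "GET / HTTP/1.0", "Mozilla/4.0"),
    ("203.0.113.5", "GET http://www.example.com/ HTTP/1.1", "Mozilla/4.0"),
    ("203.0.113.5", "POST http://203.0.113.5:16667/ HTTP/1.0", "Mozilla/4.0"),
    ("198.51.100.7", "CONNECT irc.example.net:6667 HTTP/1.0", ""),
    ("198.51.100.7", "CONNECT 198.51.100.7:6660 HTTP/1.0", ""),
    ("192.0.2.33", "GET /robots.txt HTTP/1.1", "Mozilla/5.0 (compatible; Googlebot/2.1)"),
    ("192.0.2.44", "GET /cgi-bin/test.cgi HTTP/1.1", "Mozilla/4.0"),
]

if __name__ == "__main__":
    for src, line, ua in SAMPLE_REQUESTS:
        print(f"{src:14} {classify_request(src, line, ua):15} {line}")
    print(dict(summarize(SAMPLE_REQUESTS)))
```

Matching the target host against the client's own source address is what separates a verification probe from ordinary proxy abuse; checking the port against `POSTBACK_PORTS` as well is a useful secondary signal, but the report's own numbers show the ports vary.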
Over the past three years, China and the USA have been fighting it out for the dubious honour of topping the “Geographical distribution of Internet Attacks and probes” chart. In 2004, the USA was the number one offender, a situation which changed abruptly in 2005 when China took first place with 27.38% of all attacks. During the first half of 2006, the USA was responsible for more than 40% of all attacks. However, this changed during the second half of the year, resulting in the full-year figures discussed here.
Now, with the number of attacks originating in the USA decreasing, China is again on the rise, jumping from 17% during the first six months to a total of 21.73% for the entire year. The increase was particularly noticeable in the last few months of 2006.
An interesting entry in the rankings is Saudi Arabia, which is now responsible for 1.97% of all attacks. Ukraine is notable as it is a new entry, which has made its way to fourth place, with Israel, another addition, joining the rankings in nineteenth place.
Finally, it should be noted that the number of attacks originating in both Germany and the Philippines have decreased significantly. Both these countries have been a constant source of attacks in the past so it is good to see that the situation is improving somewhat.
In 2006, Microsoft released 78 security bulletins dealing with various vulnerabilities. Most of these were in Windows, but some vulnerabilities were also found in Office and other related products.
Some of them, such as MS06-070 (Vulnerability in Workstation Service Could Allow Remote Code Execution (924270)) or MS06-040 (Vulnerability in Server Service Could Allow Remote Code Execution (921883)), deal with vulnerabilities which can be directly exploited over the Internet. There have not, however, been any reports of major attacks relying on these vulnerabilities. One explanation could be that most of these vulnerabilities were privately reported to Microsoft by dedicated “bug-hunting” companies and exploits have not been made public. Another possible explanation is that most of the systems which can be accessed via the Internet (i.e. those with no firewall) run older versions of Windows which are vulnerable to other, easier to launch attacks.
Overall, the number of vulnerabilities in Microsoft products detected in 2006 and exploited directly over the Internet is very small. As a side note, remotely exploitable vulnerabilities which require direct user interaction have not been included here. This type of vulnerability has been massively exploited throughout 2006, which is why they will be covered in a future, separate report. Such vulnerabilities include those described in MS06-078 (Vulnerability in Windows Media Format Could Allow Remote Code Execution (923689)), MS06-071 (Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (928088)) and MS06-062 (Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (922581)).
As usual, you can use IE to go to http://update.microsoft.com/ to patch affected Windows systems. Do not forget to update Office as well, since many of the vulnerabilities disclosed in 2006 deal with Office-related products such as Word or PowerPoint.
As for Linux users, a number of serious vulnerabilities were reported in 2006, most of them related directly to the Linux kernel. Some of these allow DoS attacks against a vulnerable system, while the others allow elevation of privileges. It should be noted however, that Linux distributions nowadays install various other software packages, so perhaps it’s not entirely accurate to call them “Linux vulnerabilities”. For instance, earlier this year, a serious vulnerability was reported in ‘sendmail’; however, most modern Linux distributions do not install sendmail by default. Nevertheless, most of the attacks carried out in 2006 against Linux systems relied on vulnerabilities in third party software packages. For example, in May 2006 a vulnerability was found in WordPress, the popular blogging software, which allows code execution on the victim machine (*3). Although WordPress is not installed by default in most Linux distributions, it is a popular choice and many hosting companies include it by default in their packages. As IT professionals never tire of pointing out, security is like a chain, and a chain is only as strong as its weakest link.
In addition to securing the system and limiting access to services for those from the outside world, keeping Linux (and Unix systems in general) up to date is just as important as keeping Windows systems up to date. Tools such as ‘yum’ and ‘apt’ make this a relatively easy task.
Finally, in the case of MacOS X, a number of vulnerabilities were disclosed in 2006, some of which allow the execution of code on the victim machine. None of these have been spotted in the wild, and Apple has thankfully been fairly swift in patching. Moreover, MacOS X keeps itself updated by default. This generally results in unpatched machines connected to the Internet being a relatively rare occurrence.
The developments of 2006 have highlighted two major trends in the evolution of attacks carried out via the Internet.
The first trend is the now constant “background noise” on the Internet, which is caused by the Slammer worm and the bot armies which exploit relatively old vulnerabilities. Most of these infections originate in Asia and there is no sign of them disappearing, at least for the time being. Currently approximately 15% of traffic at network level is caused by this background noise, which is not an overly high figure, and it can be compared to the volume of spam around 1999. With newer operating systems being made available, it can be assumed that the number of older, vulnerable installations will also decrease. This will hopefully result in a reduction of background noise. It would be most unfortunate if the noise reached the volume levels currently exhibited by spam; an Internet composed of 90% background noise would be not just annoying but totally unusable.
The second trend is probably far more significant in terms of the evolution of the Internet. With increased interest being shown in secure software and the rapid deployment of security updates, the number of vulnerabilities which can be exploited directly over the Internet has decreased significantly. Most recent Linux distributions come with built-in auto updaters and sometimes these are enabled by default. Whenever a bug is found, the potentially vulnerable machine will fetch the update and install it, sometimes without the user even being aware that this has taken place. The same is true for Windows, with Microsoft having made great efforts to ensure that Windows Update is effective. Because of this, there is an interesting change in the types of attack carried out over the Internet, and this will doubtless have a strong effect in the near future. With bugs being fixed and new vulnerabilities which can be remotely exploited on a major scale becoming less frequent, the bad guys have begun focusing on services protected by weak passwords. This is demonstrated by the increase in password bruteforce guessing attacks directed at MSSQL, SSH, FTP and other similar, widespread services.
The decrease in widespread vulnerabilities which can be exploited remotely via the Internet has resulted in another trend: the emergence of web-based delivery vectors. Of course, the difference is that a malicious website requires the user to visit the site in order to trigger the attack, but this has not prevented the bad guys from using them. Actually, the number of web-based attacks has increased to such an extent that this is now the preferred method of malware delivery. An upcoming report on web-based threats will cover this aspect in detail.
As for the prevention and mitigation of Internet attacks, the solution is relatively simple. While not much can be done about the background noise, there is a simple way of avoiding attacks which attempt to gain access to services protected only by passwords. Simply make sure none of the services exposed to the Internet can be accessed using only a password: they should require at least a two-factor authentication method. For SSH, disable password-based authentication and use public keys protected by local passphrases. Replace FTP with SFTP, and for web access, use SSL with user certificates. Unfortunately, two-factor authentication for MSSQL may prove a problem and there is currently no simple solution available. However, you can ensure that only authorized machines can connect to SQL servers by filtering the outside world at the firewall layer.
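The SSH recommendation above comes down to a handful of sshd_config directives. The audit below is an added example and not code from the report: it parses an sshd_config the way sshd does (first occurrence of a keyword wins, directives inside a Match block are conditional and are ignored here) and reports every directive that still allows a password-only login, including ones that are simply missing, because the OpenSSH defaults of the period (PasswordAuthentication yes, ChallengeResponseAuthentication yes, PermitRootLogin yes) are the weak setting. Both configurations are constructed: a typical password-only one beside its hardened replacement.

```python
"""Audit sshd_config for password-only exposure (added example)."""
import re

# Constructed example: password logins allowed, root allowed, and
# PasswordAuthentication left unset (the default is "yes").
WEAK_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
ChallengeResponseAuthentication yes
UsePAM yes
"""

# Constructed example: key-only authentication, no interactive root login.
HARDENED_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin without-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
UsePAM yes
"""

# keyword -> (acceptable values, default assumed when the directive is absent).
# Defaults are those of OpenSSH releases of the period (assumption of this example).
CHECKS = {
    "PasswordAuthentication": ({"no"}, "yes"),
    "ChallengeResponseAuthentication": ({"no"}, "yes"),   # keyboard-interactive is still a password
    "PermitEmptyPasswords": ({"no"}, "no"),
    "PermitRootLogin": ({"no", "without-password", "prohibit-password",
                         "forced-commands-only"}, "yes"),
    "PubkeyAuthentication": ({"yes"}, "yes"),
}


def parse_sshd_config(text: str) -> dict:
    """Return {keyword_lowercase: value}, first occurrence winning as in sshd.

    Parsing stops at the first Match block: its directives apply only to
    matching users/hosts and need per-rule evaluation, which is out of scope.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)           # earlier directive takes precedence
    return settings


def audit_sshd_config(text: str) -> list:
    """Return a finding per directive that permits password-only login; [] means clean."""
    settings = parse_sshd_config(text)
    findings = []
    for keyword, (acceptable, default) in CHECKS.items():
        present = keyword.lower() in settings
        value = settings.get(keyword.lower(), default)
        if value.lower() not in acceptable:
            origin = "set to" if present else "defaults to"
            findings.append(f"{keyword} {origin} '{value}'; expected one of {sorted(acceptable)}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
```

Note that the audit deliberately treats an absent `PasswordAuthentication` as a finding; on a real host, confirm the effective values with `sshd -T`, which prints the fully resolved configuration including defaults.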
If these simple steps were to be taken by everyone, the Internet would be a much safer place for everybody to enjoy.