SSH Brute Force Attack Source Insight
2011-04-29
The Dragon Research Group maintains a network of machines we
affectionately call "Pods". These Pods run a custom-built and
hardened *nix distro which listens on several ports, one of which is
22/TCP SSH. We see a fair amount of brute force password attacks every
day against this port: about 36,000 guesses per day on average. We
decided to take a deeper look at the attack data, because, well, that's
what we do here.
The sample of data used in this study is from a recent 30 day period.
It is important to note that this dataset is a very small sample of
global Internet IP address space and may not be representative of a more
complete global Internet picture. During this time period we saw...
- About 3,400 attacks
- Over 1,000,000 (one million) pwauth guesses, about 300 per attack
- 1,485 unique attacker IP addresses from 532 different AS numbers
We took the unique attacker IP addresses and compared them with a database
of some 129,000 malicious domains and IP addresses; we found some
interesting correlations.
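As an added example (not DRG's code or data), the following Python sketches the measurement described above: it parses constructed sshd auth-log lines, groups failed guesses from one source into "attacks" using an assumed 30-minute idle gap, and correlates the unique attacker IPs and their AS numbers against a constructed mal-data map. The log lines, the gap threshold, the MALDATA table and the function names are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines (RFC 5737 test addresses); the year is assumed to be 2011.
SAMPLE_LOG = """\
Apr 10 03:12:01 pod1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Apr 10 03:12:03 pod1 sshd[2201]: Failed password for invalid user oracle from 203.0.113.7 port 51022 ssh2
Apr 10 03:12:05 pod1 sshd[2203]: Failed password for root from 203.0.113.7 port 51030 ssh2
Apr 10 09:40:11 pod1 sshd[2310]: Failed password for root from 203.0.113.7 port 40012 ssh2
Apr 10 09:40:12 pod1 sshd[2310]: Failed password for root from 203.0.113.7 port 40012 ssh2
Apr 11 17:05:44 pod1 sshd[2450]: Failed password for invalid user test from 198.51.100.9 port 33001 ssh2
Apr 11 17:06:00 pod1 sshd[2451]: Accepted publickey for ops from 192.0.2.10 port 22000 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Constructed mal-data: IP -> (origin ASN, listed as malicious?). A real correlation
# would use a whois/ASN lookup and the malicious-domain database instead.
MALDATA = {"203.0.113.7": ("AS64500", True), "198.51.100.9": ("AS64501", False)}

def parse_failures(log, year=2011):
    """Yield (timestamp, ip, user) for every failed password guess in the log."""
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def group_attacks(failures, gap_seconds=1800):
    """Split each source IP's guesses into attacks; a new attack starts when the
    idle gap since that IP's previous guess exceeds gap_seconds (assumed threshold)."""
    last_seen, attacks = {}, defaultdict(list)
    for ts, ip, _ in sorted(failures):
        if ip not in last_seen or (ts - last_seen[ip]).total_seconds() > gap_seconds:
            attacks[ip].append(0)
        attacks[ip][-1] += 1
        last_seen[ip] = ts
    return attacks  # ip -> list of guess counts, one entry per attack

def summarize(log):
    """Compute the headline figures the post reports and the mal-data overlap."""
    attacks = group_attacks(parse_failures(log))
    n_attacks = sum(len(v) for v in attacks.values())
    n_guesses = sum(sum(v) for v in attacks.values())
    asns = {MALDATA[ip][0] for ip in attacks if ip in MALDATA}
    bad_ips = sorted(ip for ip in attacks if MALDATA.get(ip, (None, False))[1])
    return {"attacks": n_attacks, "guesses": n_guesses,
            "guesses_per_attack": n_guesses / n_attacks if n_attacks else 0.0,
            "unique_ips": len(attacks), "unique_asns": len(asns), "in_maldata": bad_ips}
```

On the constructed log, one source produces two separate attacks (morning and a later burst), a successful key-based login is ignored, and one of the two attacker IPs is found in the mal-data.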
Top Attacking Nets are Consumer ISPs?
Top attacking networks appear to be ISPs who sell to consumers. It's
likely that these are zombie bots (infected machines participating in
botnets).
Attacking Nets Full of Badness
Correlation with the mal-data shows that some of these networks are full of
"badness". The top 10 networks from our SSH attack data are also
home to 3,582 malicious domains, approximately 10% of the malicious
domains we have listed, meaning they host not only attack machines but
also websites that serve malware, rogueware, phishing sites, etc. Some of the
ISPs are rather large, which would propel them higher on the list; we did
not do any type of ratio comparison of unique IPs seen versus total
addresses allocated to the AS number.
| Category | Observed in the top 10 attacking networks |
| --- | --- |
| TYPES | trojans, droppers, rootkits, C&C, phishing sites, redirectors |
| DELIVERY / EXPLOITATION | 0-day exploits, fake anti-virus, fake Microsoft updates, fake videos, fake pics, fake codec, mass SQL injection attack |
| MALWARE NAMES | Bredolab, Conficker, Wsnpoem, ZeuS, Zbot, Waledac, Gumblar, Koobface, Russkill, SpyEye, Virut, Asprox, Mebroot, TDSS, Cutwail, KillAV, TDSS, Swisyn, Rustock, InfoStealer |
| BRANDS ATTACKED | U.S. Govt. CDC, Facebook, President Obama, Microsoft, US Govt. IRS, MySpace, Twitter, HSBC |
| EXPLOITS | Windows, MS RealPlayer, PDF, IE, 0-days, (Eleonore, Phoenix, Fragus, Liberty, Yes, LuckySploit, Fragus, Krap) |
Top AS = Top Source of Mal-Data
The #1 AS number on the SSH hits list matches #3 on the mal-data list,
accounting for 2,181 mal-domains: CHINANET-BACKBONE No.31 Jin-rong Street.
According to the CIDR Report (CIDR Report listing for AS 4134), this ASN is
huge, accounting for some 100 million IP addresses, so that could in part
account for the large number in our report. The mal-data associated with
this AS includes:
- Domains injected into SQL servers during SQL injection attacks.
- Domains used in various phishing spam and malware attacks.
- Exploits for Windows and PDFs.
- Malware distribution and C&C for ZeuS, Wsnpoem, Zbot, Bredolab,
SpyEye, Koobface, Waledac, Russkill.
- Fake videos, fake anti-virus software, Flash.
Top Attacking Country = China
Top attacking country by IP geolocation: China, accounting for roughly 21%
of all unique IPs. Next is the US with 13%. Incidentally, Russia and
Ukraine, known to host their fair share of malware, miss the top 10
ranking, coming in 12th and 13th respectively.
posted at 12:00 am