Kaspersky Security Bulletin, January – June 2006: Internet Attacks

1. Malware Evolution
2. Malware for non Win32 platforms
3. Internet Attacks
4. Malicious programs for mobile devices
5. Spam Report

In the previous report from Kaspersky Lab¹, we discussed the most popular forms of attack carried out over the Internet during 2005, as well as providing a breakdown of their distribution according to the country the attack originated in. We also gave an overview of the evolution of some popular pieces of malware throughout the year, and concluded that China was the main player, with more than 38% of attacks coming from replicating malware which originated there.

This current paper analyzes the attacks intercepted by the Smallpot network during the first six months of 2006. We will be looking again at the distribution of attacks based on source IP address and the associated country of origin, and see if the situation has changed in any major way since 2005. The final part of the article looks at some of the patches released in the first half of 2006 which could have an impact on Internet attack and malware evolution, and includes conclusions and prognoses for the future.

Statistics

With no visible decrease in the amount of spam sent via the Internet, it’s no surprise that the HTTP GET generic probe still holds the top place. Actually, we registered a notable increase of over 5% in the number of probes. This demonstrates that searching for open proxies that can later be used to send spam is still very common, no doubt because it is profitable.

FTP anonymous login attempts are in second place. They have risen seventeen places since last year, and now comprise over 12% of the total number of probes and attacks. In most cases, such probes are generated by automated tools which are designed to find ftp sites that can then be used to upload and share illegal software.

The notorious vulnerability exploited by Blaster, the Microsoft RPC Interface buffer overrun which was detailed in MS03-026, has also jumped no less than 7 positions. This can be attributed to the increase in the number of bots (Rbot and IRCbot-based variants) that use exploits for this vulnerability. Their source code, as well as easy to use MS03-026 exploits, is widely available. It should be noted that this is just one of the vulnerabilities exploited by such bots, but it is by far the most popular, despite being more than three years old.

Slammer, the MSSQL worm released in January 2003 is still spreading actively; actually, reports of Slammer appear to be on the rise. With 9.20% of the total, these attacks form background noise on the Internet – a random machine connected to the Internet will be attacked by Slammer at least once a day.

Lupper, a relatively new Linux worm which appeared in November 2005, but which took some time to spread over the Internet, comes in at number five. This worm, which uses various exploits targeting popular PHP/CGI scripts/libraries, accounts for more than 4% of all reports received in the first six months of 2006.

As the table above shows, most of the attacks carried by this worm occurred in January and February before becoming less common. The evolution of new versions capable of using newly discovered exploits was the cause of the increase in attacks in June.

Interestingly, just as Microsoft RPC Interface buffer overruns have become more widespread, the same happened with the infamous Blaster worm, which is still spreading via the Internet. Although less common than Slammer, Blaster still accounts for almost 4% of all attacks.

Webdav attacks (MS03-007), carried out by bots and hacking tools, have gone down two places. Such attacks are relatively old, and probably less successful nowadays than in the past. However, they are still being used by recent worms which exploit much newer vulnerabilities.

Radmin attacks, which were in third place in the 2005 rankings, have sunk six places. With patches available for the vulnerable software versions and much newer versions of Radmin being deployed, these attacks will probably continue to decrease.

SSH password brute force attacks and MSSQL handshake attempts (which are usually followed by brute force login attempts) can be found in positions nine and ten. Both of these are less effective methods for breaking into a system, and are therefore generally used in a targeted fashion than on a large scale. Of course, once a system has been identified as running a SSH or MSSQL server, the attacker can begin a dictionary-based password attack on common accounts such as “root” or “SA”.

Microsoft ASN.1 exploits have also decreased by approximately 0.5% and have fallen two places. In the past, such exploits were attributed to Rbot variants and Bozori.c. Rbot variants are still spreading, but Bozori.c is now almost extinct, which explains the reduction in the number of attacks.

On the other hand, the somewhat newer WINS attacks have actually become more common. Again, these attacks are mainly used mostly in network worms.

The probes which search for the backdoor installed by the Dipnet worm have demonstrated the most rapid decline, falling from third place last year to seventeenth place this year. Since Dipnet was more or less eradicated in the autumn of 2005, the chances of finding a machine still infected by this worm are rather low. The spammers who use automated tools to search for such machines have, no doubt, adjusted their tactics accordingly.

The top twenty for the first half of 2006 contains four new entries. In addition to Lupper, we intercepted an increased number of probes searching for the Kuang backdoor, HTTP HEAD requests and SSL handshake requests. The increase in Kuang backdoor probes can be attributed to worms which can replicate by infecting machines already infected by the backdoor; the other two are typical “request for information” probes.

Top Ten Vulnerabilities Used in Internet Attacks

Compared to last year, we saw an increase in the number of attempts to exploit vulnerabilities in non-Microsoft operating systems and products. Most notably, some of the vulnerabilities exploited by Lupper have entered the rankings, occupying fifth, sixth and seventh positions.

And the most exploited vulnerability during Internet attacks in the first half of 2006 is the familiar Buffer Overrun in RPC Interface, detailed in Microsoft’s Security Bulletin MS03-026, and better known as the vulnerability exploited by Blaster.

While exploits for vulnerabilities described in MS03-026 and MS03-007 have decreased in prevalence since our previous report, however, they are still frequently exploited by both malware and attackers.

The last notable difference is the addition of MS03-051, which enters the rankings in tenth place. The associated Security Bulletin, entitled “Buffer Overrun in Microsoft FrontPage Server Extensions Could Allow Code Execution (813360)” provides links to the security updates needed to patch vulnerable machines.

Overall, it should be noted that all of the top ten vulnerabilities were detected prior to 2006. This doesn’t mean that newer vulnerabilities are not being exploited. It simply means that they are not currently being exploited on a large scale.

Top Twenty ports used in Internet attacks

In the past, the top twenty ports used in Internet attacks has proved a valuable source of information about the vulnerabilities most sought-after by hackers and cyber criminals. In 2005, port scans attempted to exploit machines running Windows, with port 445 being the number one target. It probably comes as no surprise that port 445 probes still top the rankings for the first half of 2006. We highlighted this issue in our previous report, and concluded that the vast majority of Internet attacks are either targeting very old versions of Windows or very new, unpatched vulnerabilities.

There was an interesting increase in the number of probes and attacks on ports 1025, 1026 and 1027 probes. These are all used by spammers to send Windows Messenger Service messages. Despite being blocked by default in newer versions of Windows, the large number of machines running Windows 2000 and Windows XP without P2 still make these ports a frequent target.

Port 80 attacks have remained more or less constant, their percentage share being maintained by the search for open proxies mentioned above. It’s interesting to note that in some cases, Smallpot machines have been hit by search engine bots which appear to be probing random IP addresses on the Internet. Once a web server is identified, the search engine spider attempts to fetch the index page and later, the entire website. This explains why people setting up web servers on their home machines have later found their site address listed on major search engines without having published it anywhere on the Internet.

Port 21 (FTP) probes have also increased, rising by twelve places. As explained in the previous chapter, FTP has become a popular target for tools which identify sites that can be used to distribute pirated software. This activity, and the corresponding increase, is directly related to the rise of cybercrime, particularly Internet crime.

Geographical distribution of Internet attacks and probes

Back in 2004, the US was the top source for the probes and attacks which we intercepted. However, in 2005 the situation changed when China overtook the US by more than 6%. This year the situation is reversed, with a staggering 40.60% of all attacks worldwide again originating from the US. 17.22% of attacks originate in China; this is a small drop in percentage terms, and is not due to a decrease in the actual number of attacks coming from China but to the huge increase in the number of attacks coming from the US.

South Korea, which was in third place last year, has dropped to ninth, with its place being taken by the Philippines. Germany also demonstrates a noticeable ascending trend; in comparison to last year, we intercepted, on average, three times more attacks originating in Germany.

Another notable change is France, which moved up to sixth place in comparison with fourteenth place last year. Russia, on the other hand, has dropped from sixth to tenth place.

Needless to say, the most significant change is the major increase in the number of attacks and probes coming from the US. Such an increase was unexpected; during the period surveyed in the previous report, the reduction in attacks coming from the US was attributed to the increasing popularity of security solutions as well as stricter laws on cybercrime. The significant reversal demonstrated in the first half of 2006 is very discouraging.

The number of specific malware-related attacks originating in the US has also increased noticeably. For instance, the table below shows the geographical distribution of machines infected with Lupper variants during the first half of 2006.

In the past, the majority of machines infected with network malware were located in China. Now, however, the situation is very different. Almost a third of all Lupper infections detected originated in the US – a significantly high figure. Countries such as Poland, Japan and Germany have always shown signs of Linux infections, simply because Linux seems to be a popular choice of OS in these countries. China stands in third place with 7.87%, but overall, Linux malware cases are relatively rare; most of the malware-related attacks coming from China are caused by Slammer. This is clearly shown by the table below:

Compared to the previous year, the most noticeable point is that apart from the 71.77% of all Slammer infections being located in China, the virus is almost extinct in the rest of the world.

Important patches

As the information above shows, we’ve reached a point in the evolution of security where newer vulnerabilities are rarely exploited at a grand scale. There have been a few notable exceptions, and in these cases, the vulnerabilities have been exploited by worms which used the loopholes to replicate. The vast majority of such worms were written for profit.

Despite this, it’s important not to underestimate the importance of patches and security packs, which should be installed as soon as possible after release in order to minimize the window of exposure. During the past three years, thanks to the Trusted Computing Initiative, Microsoft has not only concentrated on fixing security issues in Windows and other products but also in delivering patches more quickly than previously. Since the list of the top 10 vulnerabilities exploited in Internet attacks contains no vulnerability disclosed in 2006, we can only assume that this is the right approach to take.

A number of severe security issues were identified in Microsoft software during the first six months of 2006 (severe here is used to mean vulnerabilities that can be remotely exploited and result in arbitrary code execution.) The most exploited vulnerabilities so far have undoubtedly been the pack of loopholes identified in various Microsoft Office products such as Word or PowerPoint. Exploits for these vulnerabilities have been reported in in the wild. The vulnerabilities are detailed in Microsoft Security Bulletin MS06-027 bulletin entitled “Vulnerability in Microsoft Word Could Allow Remote Code Execution (917336)“, as well as in Microsoft Security Bulletins MS06-028 and MS06-012.

Remotely exploitable vulnerabilities have also been identified in various versions of Windows; of these, the TCP/IP vulnerability described in Microsoft Security Bulletin MS06-032 is probably the most severe. However, it should be noted that the IP Source Routing feature has to be enabled in order for this vulnerability to be exploited; the feature is disabled by default in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 systems. Another critical vulnerability is detailed in Microsoft Security Bulletin MS06-025, “Vulnerability in Routing and Remote Access Could Allow Remote Code Execution (911280)“. If successfully exploited this vulnerability allows a remote malicious user to take total control of the victim system.

To patch affected systems, use IE to go to http://update.microsoft.com/ and make sure you have Automatic Updates enabled.

In terms of Linux systems, the number of critical system vulnerabilities identified during the first half of 2006 was low. Putting misconfiguration issues aside, recent cases of system compromise on Linux have been due to bugs in various third party libraries and products, such as ‘sendmail’. A serious vulnerability in ‘sendmail’ was identified in March this year, and is detailed in a Secunia Security Advisory². All modern Linux distributions come with an auto update utility, such as ‘yum’³, which can be used to download and install the latest security patches for the registered packages in the system.

As our report on the subject showed⁴, MacOS X has not been free of vulnerabilities either. Fortunately, MacOS X keeps itself updated by default, but users should ensure that the operating system is configured to check for updates as often as allowed, by choosing System Preferences -> Update Software -> Check for updates -> Daily. An additional security measure is to select “Download important updates in the background”.

Conclusion

Analysis of the data we have collected in the first half of 2006 results in two clear conclusions.

First of all, there has been an unexpected major increase in the number of attacks originating in the US. This increase can be attributed not only to decreased spending on, but also to the evolution of new types of attack which exploit loopholes in such solutions. A related conclusion is that while companies have invested in protecting their Microsoft-powered machines, they have not done the same for their Linux machines. This may be due to the false sense of security which seems to be widespread in the case of *nix systems; whatever the cause, it seems that system administrators have neglected to keep their machines up to date. This is obvious from the fact that the US hosted a third of all machines infected with malware which exploited recent vulnerabilities in popular PHP libraries and tools. Thankfully most of those machines have been patched by now. However, it should be noted that Lupper (and variants) was the second most widespread network worm during the first six months of 2006.

The second, more important conclusion is confirmation of a trend we have noted and written about since 2003: cybercrime is on the rise. Our analysis of the data presented in this report, and of other data relating to the period, shows very clearly that more and more resources are being invested into making money illegally via the Internet. Whether it be by sending spam, or selling pirate software or other stolen goods. Right now, most of the people involved in such activities seem to be based in the US, but cybercrime is not limited to a single country. It has become a global phenomenon.

In our previous report we predicted that the attacks connected with spamming would continue to increase, and this is confirmed by the data presented in this article. Interestingly, a new kind of attack emerged, again one related to cybercrime: finding FTP accounts that can be used to host malware, pirate software and other information free of charge. Protection against such attacks is usually a matter of installing the latest patches, a reliable, well configured firewall and an antivirus solution. Last but not least, it’s very important to make sure that all accounts which are exposed to the Internet have safe passwords, and that they are always accessed via secure connections (SSL, SSH).

At Kaspersky Lab, we will continue to monitor the situation and report on the latest trends in malware writing, Internet attacks and cybercrime. This cycle of articles will continue with Internet Attacks 2006, which will examine data collected and analyzed throughout the year.

References:

1. Internet Attacks 2005, on securelist.com
2. Secunia, http://secunia.com/advisories/19342/
3. The Yellow Dog Updater, Modified (YUM), http://linux.duke.edu/projects/yum/
4. Malware Evolution: MacOS X Vulnerabilities 2005 – 2006 on securelist.com