Holy viruses, Batman!
An honest-to-goodness virus outbreak occurred yesterday, confirmed both by MXLogic and Cisco's IronPort, with some spillover activity continuing into today. For the past few weeks, viruses made up about one percent or less of total mail volume; yesterday, that share shot up to 23 percent.
Where are they coming from? Well, it's hard to tell. The bulk of the IP addresses are from Europe, the United Kingdom, to be precise. However, they are all "clean" addresses -- not known offenders appearing on any of the major Real-Time Blocking Lists -- so these are all relays, and the scammers can be anywhere. Both TrustedSource and IronPort identified Germany as the biggest source of malware threats.
There were two types of threats -- viruses and suspicious objects. The antivirus automatically dropped the viruses, the most common one being a new low-level Trojan, Agent-HRF (no other information available from Sophos). Barracuda also listed this Trojan in its list of latest real-time virus threats. After further analysis, the filters determined that the suspicious objects were safe and delivered them.
All other mail activity -- legitimate, spam, and blocked connections -- was more or less consistent with the past few days.
Attack Watch: Sept. 18
After an active Wednesday, spammers and hackers seem to be in a lull today -- save for an increase in DoS attack-related activity. Overnight, our log files recorded a few TCP scans from Beijing and some DoS attacks on SQL Server port 1433 from a Hong Kong-based IP address.
We also see evidence of ICMP echo requests coming from, of all places, Brooklyn, New York. Hackers commonly use ICMP echo requests to deny service to a machine by flooding it with ping requests. Most patched operating systems can detect ICMP floods and will either drop or block the connections, as will firewalls, so this is not a threat seen a lot in current data centers.
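The kind of per-source rate check that lets a firewall spot an ICMP echo flood, shown as an added example that is not part of the original post. The log format, addresses, threshold and window are constructed assumptions, and each source's lines are assumed to be in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption, loosely modelled on firewall packet logs).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=ICMP TYPE=(?P<type>\d+)$"
)

def find_icmp_floods(lines, threshold=5, window_seconds=1.0):
    """Return {src: peak count} for sources that sent at least `threshold`
    ICMP echo requests (type 8) to one destination within `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # (src, dst) -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["type"] != "8":  # skip non-ICMP lines and non-request types
            continue
        ts = datetime.fromisoformat(m["ts"])
        q = recent[(m["src"], m["dst"])]
        q.append(ts)
        while ts - q[0] >= window:  # expire entries that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[m["src"]] = max(peaks.get(m["src"], 0), len(q))
    return peaks

# Constructed sample: one source pinging every 100 ms, one pinging once per
# second, and one TCP line to port 1433 that the ICMP check must ignore.
BASE = datetime(2009, 9, 18, 2, 14, 7)
SAMPLE_LOG = (
    [f"{(BASE + timedelta(milliseconds=100 * i)).isoformat()} "
     "SRC=198.51.100.7 DST=192.0.2.10 PROTO=ICMP TYPE=8" for i in range(8)]
    + [f"{(BASE + timedelta(seconds=i)).isoformat()} "
       "SRC=203.0.113.20 DST=192.0.2.10 PROTO=ICMP TYPE=8" for i in range(3)]
    + [f"{BASE.isoformat()} SRC=203.0.113.99 DST=192.0.2.10 PROTO=TCP DPT=1433"]
)

if __name__ == "__main__":
    for src, peak in find_icmp_floods(SAMPLE_LOG).items():
        print(f"possible ICMP flood from {src}: {peak} echo requests in 1s")
```

Only the fast source is reported; the once-per-second pinger stays under the threshold, which is why ordinary ping traffic does not trip this kind of check.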
