Test Center ThreatWatch: Sept. 29
SpamWatch Sept. 26 - Sept. 29
As the month nears its end, mail volumes declined steadily, especially over the weekend. Malicious mail (spam) made up less than half the seven-day average for daily volumes.
Blocked connections hovered at about 88.5 percent and spam stayed at about 11 percent over the weekend, while total mail volumes declined 17 percent. Friday saw only 3.8 percent more total mail than Sunday.
Virus volumes went up again, with three times more viruses hitting the mail servers on Sunday than on Friday. New viruses made their appearance over the weekend -- Troj/DwnLdr-HIH, Troj/Doc-Zip, and Troj/Dloadr-BTP. Troj/Doc-Zip is a family of zip files that contain malware. They are sent in spam that pretends to carry information in an attached document. The zip file containing the supposed document is often password protected, which keeps mail scanners from inspecting its contents.
China remains a source, with two virus relays. The other relays were located in Japan, France, and Russia.
The two spam relays from a California-based hosting provider with a data center in Mineola, N.Y., which we noticed mid-week last week, continued to hit our servers over the three-day period.
The most active mail relay the filters blocked was based in Hungary and is listed in SPAMCOP, XBL, and CBL. Another active relay came from the Netherlands, appearing on XBL and CBL. A Herndon, Va. address (using the Road Runner service) hit the servers both on Friday and Sunday. It is also a known relay, appearing on XBL, CBL, and SORBS.
AttackWatch Sept. 29
Presumably hostile scanning attempts made up much of the activity logged by the trap network over the weekend. Several TCP scans were conducted via SYN scan -- a port-scanning method that never opens a full TCP connection: the scanner sends the initial SYN, notes the SYN/ACK or RST reply, and never sends the final ACK. The benefit to the hacker is that this type of scanning is a bit faster than traditional TCP scan methods, and it leaves fewer completed connections in application logs.
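Because a SYN scan never completes the handshake, it stands out in connection logs as a source that sends bare SYNs to many ports without ever following up with an ACK. The script below, an added example for this column and not the Test Center's own tooling, applies that check to constructed sample log lines (the log format, addresses and thresholds are all assumptions):

```python
from collections import defaultdict

# Constructed sample log lines in an assumed format:
# "<time> <src_ip> <dst_ip>:<port> <tcp_flags seen from src>"
# 10.0.0.9 probes seven ports with bare SYNs and never completes a handshake;
# 10.0.0.5 opens two normal connections (SYN, then the client's ACK).
SAMPLE_LOG = """\
09:01:01 10.0.0.5 192.0.2.10:80 S
09:01:01 10.0.0.5 192.0.2.10:80 A
09:01:02 10.0.0.9 192.0.2.10:21 S
09:01:02 10.0.0.9 192.0.2.10:22 S
09:01:02 10.0.0.9 192.0.2.10:23 S
09:01:02 10.0.0.9 192.0.2.10:25 S
09:01:02 10.0.0.9 192.0.2.10:80 S
09:01:02 10.0.0.9 192.0.2.10:443 S
09:01:02 10.0.0.9 192.0.2.10:1433 S
09:01:03 10.0.0.5 192.0.2.10:443 S
09:01:03 10.0.0.5 192.0.2.10:443 A
"""

def parse(line):
    """Split one log line into (src, dst_ip, dst_port, flag set)."""
    _ts, src, dst, flags = line.split()
    ip, port = dst.rsplit(":", 1)
    return src, ip, int(port), set(flags)

def find_syn_scanners(log_text, min_ports=5, max_completion=0.2):
    """Return {src: half_open_port_count} for sources that sent bare SYNs to at
    least min_ports distinct (ip, port) targets and completed the handshake on
    no more than max_completion of them."""
    syn_targets = defaultdict(set)   # targets that received a bare SYN from src
    ack_targets = defaultdict(set)   # targets src later ACKed (handshake done)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, ip, port, flags = parse(line)
        if "S" in flags and "A" not in flags:
            syn_targets[src].add((ip, port))
        elif "A" in flags:
            ack_targets[src].add((ip, port))
    suspects = {}
    for src, targets in syn_targets.items():
        half_open = targets - ack_targets.get(src, set())
        if len(targets) >= min_ports and len(half_open) >= (1 - max_completion) * len(targets):
            suspects[src] = len(half_open)
    return suspects

if __name__ == "__main__":
    for src, n in find_syn_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} ports received a SYN but no handshake was completed")
```

On the sample data only 10.0.0.9 is reported; 10.0.0.5 completes both of its connections and touches too few ports to qualify.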
There were also a number of scans against the IIS proxy service reported; the scans were logged as coming from the domain www.wantsfly.com, which appears to be some kind of scanning bot originating out of mainland China.
In fact, there was lots of activity against the trap network by IP addresses that traced back to Asia. There were some brute-force attempts to log into SQL Server as well as IIS intrusion attempts, thwarted by SSL security on IIS. Log files indicate ICMP echo requests coming from an address in Russia; these are requests that hackers routinely use to garner some information about a machine, usually the operating system type.
Some of the logged attacks are from repeat offenders; once again there was continued scanning for a Symantec Anti Virus exploit, and the usual SMTP relay attempts from a Taiwanese IP address.
A few SQL server UDP worm attacks via Buenos Aires, Argentina were logged.
Interestingly, for the majority of these attacks over the weekend, most of the intruders'/visitors' domain information was not logged. In fact a number of IP addresses were not even traceable. Most previous attacks against the trap network had full visitor domain information listed, and the majority of IP address information was traceable.