Honey Net Activity Not So Sweet

The cause is well known by now. Financial and political reasons are giving cybercriminals an impetus like never before to commit sophisticated attacks, steal data and disrupt government infrastructures.

Cybercrime is becoming more complex, is affecting a wider variety of technologies and is often outpacing the defenses of security vendors.

In the CRN Test Center, our security honey net gives us a view into a microcosm of the cybercrime going on. Attacks are relentless and have become a global epidemic.

We have been documenting what's been "trapped" in the honeypot. Since the beginning of the year, there are definite patterns in which certain types of attacks and malware occur more frequently at some times than others. Some threats are pervasive throughout the year.

In the beginning of 2009 and end of last year, the most frequently occurring threats in our security testbed seemed to be those associated with hacking into databases. SQL UDP worm attacks abounded.

Log reports also witnessed instances of brute force login attempts that looked as if they were made with the use of a random password generator. All of the recorded SQL UDP attacks had IP addresses that seemed to originate from China when those addresses were placed in a number of IP geo-locator tools.

We also saw an increase in spam during the presidential election. There were myriad news reports of massive amounts of spam with Barack Obama as the subject. Although we did not see e-mails specific to Obama, we did see an increase in spam at that time.

Around the same time, we also saw a significant increase in the amount of port scanning. These types of scans are usually the work of botnets—networked computers that often number in the thousands that serve as drones, seeking out entryways into vulnerable networks.

In April, the world learned of the Conficker virus. Although we could not definitively get a diagnosis that the test network had been infected with Conficker, one of the laptops connected to the security testbed did display symptoms of Conficker. These symptoms included browser redirection and mystery .dll messages that occurred on bootup that referenced nonsense .dll filenames like "wxyghxyzing.dll could not load." The laptop exhibited other strange behavior such as with loading drivers that never had a problem loading before and an inability to connect to antimalware and P2P sites.

Around the time of the Olympics we saw the amount of spam relay attempts coming from Beijing rev up. In fact, for a few weeks most of the port scans and relays were coming from that area of the world including Taiwan.

However, we have seen attacks from IP addresses that come from all over. We detected packet sniffs from IP addresses that resolved back to French ISPs. TCP Syn Scans were logged as coming from IP addresses tracing to Korea, Canada, Bangladesh and within the U.S.

Recently, the honey net logged activity surrounding the MyDoom virus. There were numerous attempts at one point to upload and run code via a back door using this somewhat dated virus. MyDoom can be used to send junk e-mail to an infected machine, but it is more commonly used to send DoS attacks against sco.com and Microsoft.com. The IP addresses associated with these attacks resolved back to China.

The Test Center's threat network saw an increase in the amount of activity coming from Eastern Europe as well as Asia. Around the time of entertainer Michael Jackson's death, we saw a spike in the amount of spam coming from these locations.

There is activity every day in our Threat Network. Activity logs are created constantly with no noticeable "rest" period. It can be a daunting task to go through all of the logfiles. Looking ahead, we will be focusing on continued but emerging issues such as Denial-of-Service attacks—as hit social networking sites, including Twitter, at the beginning of August. However, it gives evidence that cybercrime and defending a network against it are both 24x7 jobs.

COMMUNITY: Connect with the Test Center at Community.CRN.com