Test Center ThreatWatch: Sept. 15

Editor's Note: The CRN Test Center is providing analysis of data collected through our security test bed, including information coming into our spam filters and honeynet.

Spam Watch: Sept. 12 - Sept. 14:

Even spam takes the weekend off (once in a while) as volumes hit new lows over the previous three days.

Total spam and virus activity declined steadily as the week ended. The average daily mail volume dipped to 4,426 messages, a 22-percent drop from the daily average so far this month. The mail breakdown on Friday is similar to the numbers published by other security vendors, with about 85.3 percent of mail connections blocked, 13.9 percent identified as spam, and 0.3 percent carrying viruses.

More viruses hit the server on Friday than the previous peak on Thursday. While the increases looked significant, the change is actually minimal: 0.2 percent of total mail volumes on Thursday, and 0.3 percent on Friday.


Malware EncPk-CZ (identified by Sophos in May) reappeared over the weekend. This virus, a low-level threat, pretends to be a security program. It can download other files from the Internet and create a startup registry entry. The second most common Trojan, Agent-HQM copies itself to \Cpl32ver.exe. Details are still unavailable for Trojan Agent-HNY, the new and most common virus seen last week.

The filters were updated for three new Trojans -- Troj/Banker-ENE, Troj/Agent-HQS, and Troj/Agent-HQQ, none of which have hit the servers yet. Trojan Agent-HQS accesses the Internet and communicates with a remote server via HTTP. It also copies itself to \oembios.exe and changes the registry entry to run itself on startup. Trojan Agent-HQQ copies itself to \symlrserv.exe and runs continuously in the background as a backdoor server. A remote intruder can gain access and control over the computer via IRC channels.
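As an added illustration, not part of the original report, the following Python check scans a Windows registry export of the standard Run keys for the file names the report associates with Agent-HQM (Cpl32ver.exe), Agent-HQS (oembios.exe) and Agent-HQQ (symlrserv.exe). The .reg text below is constructed sample data; the Run key paths are the standard Windows ones, which the report does not name.

```python
import re

# File names the report ties to the three Trojans (lowercased for matching).
SUSPECT_FILES = {
    "cpl32ver.exe": "Troj/Agent-HQM",
    "oembios.exe": "Troj/Agent-HQS",
    "symlrserv.exe": "Troj/Agent-HQQ",
}

# Standard Windows autostart keys (real key paths; the report only says "startup registry entry").
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}

# Constructed .reg export in the format produced by `reg export`; not captured data.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"oembios"="\"C:\\Windows\\oembios.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"symlrserv"="C:\\Windows\\symlrserv.exe"
"Cpl"="C:\\Windows\\system32\\Cpl32ver.exe -s"
'''

VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

def find_suspect_autoruns(reg_text):
    """Return (key, value_name, executable_path, trojan) for every Run-key
    value whose command line starts with one of the suspect file names."""
    hits = []
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None or current_key.lower() not in RUN_KEYS:
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, command = m.groups()
        # .reg files escape backslashes and quotes; undo that in one left-to-right pass.
        command = re.sub(r'\\(["\\])', r"\1", command)
        # The executable is the first token, which may itself be quoted.
        exe = re.match(r'"([^"]+)"|(\S+)', command)
        path = exe.group(1) or exe.group(2)
        basename = path.rsplit("\\", 1)[-1].lower()
        if basename in SUSPECT_FILES:
            hits.append((current_key, name, path, SUSPECT_FILES[basename]))
    return hits

if __name__ == "__main__":
    for hit in find_suspect_autoruns(SAMPLE_EXPORT):
        print(hit)
```

On a live system the same function can be fed the output of `reg export` for each Run key; only the first token of each command line is compared, so arguments such as `-s` do not interfere.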

Threats came from all over the globe, with spam relays in Japan, Brazil, the Republic of Korea, and Boston. The virus relays were in Romania, China, and Hungary. With the exception of the Boston server, these were all listed on Real-Time Blocking Lists. Blocked connections came from known relays in the Republic of Korea (3 distinct ones), the Russian Federation, and Italy.

Attack Watch: Sept. 14:

Hurricane Ike, football and other events must have been keeping hackers busy -- at least the ones who have been knocking on our network of late.

Of the scattered attempts to hit our trap network, there were some attempts to relay spam through the MS Messenger Service via port 1027. A reverse lookup on the visitor's IP address using the website domaintools.com yielded no results. Using the ARIN WHOIS Database Search (http://ws.arin.net), the IP address reports as belonging to the Asia Pacific Network Information Centre, known as APNIC, which also made attempts against our trap network last week.

APNIC is the internet registry association for Asia Pacific countries including China, Taiwan, New Zealand, the Philippines and Malaysia. The spamming attempt appears to come from a machine that is using an IP address registered by this association, and not from APNIC directly.