July has been an exciting month for us. We have been steadily expanding our worldwide honeypot sensor coverage to a total of 57 sensors in the following countries: NL, US, UK, DE, RO, JP, UA, SA, AU, SG, HK, BR.
But the majority of our effort has gone into building out our extensive analytic capabilities for mining threat intelligence worldwide.
We have chosen Splunk to assist us in this endeavor, and we would like to share some of our metrics with you.
- 1.585.102 Total attacks
- 76.775 Unique IPs
- 478 Unique malware binaries harvested
- 2534 Unique URLs
Top attacking countries
Our top sensor within the infrastructure is p0f. It is mainly deployed to fingerprint the attacker and gather interesting information such as OS type and connection type.
Top deployed honeypot sensors
Top 10 ports scanned / attacked. Port 445 was the most popular port to interact with. This is mostly due to the Conficker worm.
Not much explanation needed for this part, other than that folks in Nagasaki burned the most electricity 🙂
Did you know that hackers are most active on Thursday? We are surprised by this; let's see if it persists next month! Also, if you have any suggestions about this, tell us.
Of all the malware we captured, the most common is still a variant of W32/Conficker!Generic (what a surprise).
Top 3 received, by MD5 hash:
There are still some unknowns to work through; maybe we will post more about them later.
Max created something awesome last week so we can filter out unknown malware! It is a script that exports MD5 hashes from Splunk and compares them against the VirusTotal database. Source available on GitHub.
The last stats for this month come from Snort, an IDS that receives periodic rule updates to detect malware and attacks.
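As an added illustration of that workflow (this is not Max's script and not the code in the GitHub repository mentioned above), the following Python snippet reads a Splunk CSV export of MD5 hashes, validates and deduplicates them, and asks VirusTotal whether each hash is known so that never-seen samples can be pulled out for closer analysis. The CSV sample is constructed, the `md5` column name is an assumption, and the lookup assumes the VirusTotal v3 files API with an `x-apikey` header.

```python
import csv
import json
import re
from urllib import error, request

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
VT_URL = "https://www.virustotal.com/api/v3/files/{}"  # assumes the VT v3 API
# Constructed sample of a Splunk CSV export; the hash values are made up, not real malware
SAMPLE_EXPORT = """md5,count
0123456789ABCDEF0123456789abcdef,17
0123456789abcdef0123456789abcdef,3
not-a-hash,1
fedcba9876543210fedcba9876543210,2
"""

def parse_splunk_export(csv_text, field="md5"):
    """Return unique, valid, lower-cased MD5s from a Splunk CSV export, keeping order."""
    rows = csv.DictReader(csv_text.splitlines())
    digests = ((row.get(field) or "").strip().lower() for row in rows)
    return list(dict.fromkeys(d for d in digests if MD5_RE.match(d)))

def vt_lookup(md5, api_key):
    """Fetch one hash from VirusTotal; None means VT has never seen it (HTTP 404)."""
    req = request.Request(VT_URL.format(md5), headers={"x-apikey": api_key})
    try:
        with request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except error.HTTPError as exc:
        if exc.code == 404:
            return None
        raise

def classify(md5, vt_body):
    """Reduce a VT file object to status, detection ratio and the suggested label."""
    if vt_body is None:
        return {"md5": md5, "status": "unknown", "detections": 0, "total": 0, "label": None}
    attrs = vt_body["data"]["attributes"]
    stats = attrs.get("last_analysis_stats") or {}
    label = (attrs.get("popular_threat_classification") or {}).get("suggested_threat_label")
    return {"md5": md5, "status": "known", "detections": stats.get("malicious", 0),
            "total": sum(stats.values()), "label": label}

def triage(csv_text, lookup):
    """Classify every unique hash; return (all results, hashes VT does not know)."""
    results = [classify(h, lookup(h)) for h in parse_splunk_export(csv_text)]
    return results, [r["md5"] for r in results if r["status"] == "unknown"]

if __name__ == "__main__":  # offline demo: a lookup that answers "never seen" for every hash
    print(triage(SAMPLE_EXPORT, lambda h: None))
```

Pass `lambda h: vt_lookup(h, api_key)` as the lookup to run live queries; the hashes in the returned unknown list are the candidates the sandbox has never seen.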
TOP 5 Attacks Signatures:
- ET SCAN Potential SSH Scan (521 times)
- ET POLICY Suspicious inbound to MSSQL port 1433 (246 times)
- ET DROP Dshield Block Listed Source group 1 (103 times)
- ET POLICY Suspicious inbound to mySQL port 3306 (88 times)
- ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 9 (85 times)
For the sharp-minded folks: at the beginning of this report you could read that we expanded our honeypot infrastructure. This is because we have found 2 great sponsors! They stepped up and provided us with reliable servers, spread over multiple countries.
It was very easy for us to deploy them, as both companies have a great customer panel with everything needed for deploying / managing servers.