Monthly stats: July 2015

July has been an exciting month for us. We have been steadily expanding our worldwide honeypot sensor coverage to a total of 57 sensors in the following countries: NL, US, UK, DE, RO, JP, UA, SA, AU, SG, HK, BR.

The majority of our effort, however, has gone into building out our analytic capabilities for mining threat intelligence from the data these sensors collect worldwide.

We have chosen Splunk to assist us in this endeavor, and we would like to share some of our metrics with you.

Stats

  • 1,585,102 total attacks
  • 76,775 unique IPs
  • 478 unique malware binaries harvested
  • 2,534 unique URLs

Top attacking countries

[Figure: top attacking countries, from p0f]

Our most productive sensor within the infrastructure is p0f. It is mainly deployed to fingerprint the attacker: it passively inspects the TCP/IP packets of every incoming connection, without sending anything back, and derives interesting information such as the operating system and the type of connection (link type and distance in hops). Keep in mind that the OS guess describes the stack that actually generated the packets, so a host behind a NAT gateway or proxy may show up as that device rather than the attacker's machine.

[Figure: top attacker operating systems, from p0f]

Top deployed honeypot sensors
[Figure: deployed honeypot sensors by type]

Top ports

Top 10 ports scanned or attacked. Port 445 (SMB) was the most popular port to interact with. This is mostly due to the Conficker worm, which still spreads by exploiting the MS08-067 vulnerability over SMB.

[Figure: top ports, from p0f]

Not much explanation needed for this part, other than that folks in Nagasaki burned the most electricity 🙂 Note that this is the geolocation of the source IP address, i.e. where the infected or scanning hosts sit, not necessarily where whoever controls them is.

[Figure: top attacker cities]

Fun fact

Did you know that hackers are most active on Thursdays? This surprised us; let's see whether it persists next month! If you have any suggestions about this, tell us.

[Figure: attacks per day of the week]

Malware

Of all the malware we captured, the most common is still a variant of W32/Conficker!Generic (what a surprise).

Top 3 received, by MD5 hash:

  • 62c6c217e7980e53aa3b234e19a5a25e
  • 9c09418c738e265a27e6c599f43d86ab
  • 87136c488903474630369e232704fa4d

There are still some unknowns to chew through; maybe we will post more about them later.

Max created something awesome last week so we can filter out the unknown malware: a script that exports the MD5 hashes from Splunk and compares them against the VirusTotal database. The source is available on GitHub.
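To show what such a triage step looks like, here is an added example (it is not Max's script and not code from this blog). It assumes the Splunk export is a CSV with an `md5` column (an assumption) and uses the VirusTotal v2 `file/report` endpoint, which was the public API at the time; the sample export and the fake API responses are constructed so the script runs offline.

```python
"""Deduplicate the MD5 hashes from a Splunk CSV export and triage them
against VirusTotal, separating detected, clean and never-seen samples.

Added example, not the script mentioned in the post. Assumes the Splunk
export is a CSV with an 'md5' column (assumption) and uses the VirusTotal
v2 file/report endpoint."""
import csv
import io
import json
import re
import time
import urllib.parse
import urllib.request

VT_REPORT_URL = "https://www.virustotal.com/vtapi/v2/file/report"
MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample of a Splunk export (column names are assumptions).
# The hashes are placeholders, not real samples.
H_DETECTED, H_UNKNOWN = "a" * 32, "b" * 32
SAMPLE_EXPORT = "md5,sensor,count\n" + "\n".join([
    "%s,dionaea-nl1,318" % H_DETECTED,
    "%s,dionaea-us2,212" % H_UNKNOWN.upper(),   # upper-cased by a field extraction
    "%s,dionaea-de1,97" % H_DETECTED,           # same sample seen by another sensor
    "not-a-hash,dionaea-jp1,1",                 # extraction noise
]) + "\n"


def load_hashes(csv_text):
    """Unique, lower-cased MD5s in first-seen order; malformed values dropped."""
    seen = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        h = row["md5"].strip().lower()
        if MD5_RE.match(h) and h not in seen:
            seen.append(h)
    return seen


def classify_report(report):
    """Map a v2 file/report object to a verdict.

    response_code 1: VT has a report, so look at positives/total;
    response_code 0: VT has never seen the hash (the 'unknowns');
    response_code -2: the file was submitted but is still queued."""
    rc = report.get("response_code")
    if rc == 0:
        return "unknown"
    if rc == -2:
        return "queued"
    if rc != 1:
        raise ValueError("unexpected response_code %r" % (rc,))
    return "detected" if report.get("positives", 0) > 0 else "clean"


def fetch_report(api_key, md5, opener=urllib.request.urlopen):
    """GET one report; `opener` is injectable so the code can run offline."""
    query = urllib.parse.urlencode({"apikey": api_key, "resource": md5})
    with opener(VT_REPORT_URL + "?" + query) as resp:
        return json.loads(resp.read().decode("utf-8"))


def triage(api_key, hashes, opener=urllib.request.urlopen, delay=15.0):
    """Look every hash up, pausing `delay` seconds between calls because a
    public API key is limited to 4 requests per minute.
    Returns {md5: (verdict, positives, total)}."""
    results = {}
    for i, h in enumerate(hashes):
        if i:
            time.sleep(delay)
        rep = fetch_report(api_key, h, opener)
        results[h] = (classify_report(rep), rep.get("positives"), rep.get("total"))
    return results


# Constructed stand-in for the VT API so the example runs without a key.
FAKE_REPORTS = {
    H_DETECTED: {"response_code": 1, "positives": 47, "total": 56},
    H_UNKNOWN: {"response_code": 0, "verbose_msg": "not found"},
}


def fake_opener(url):
    md5 = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)["resource"][0]
    return io.BytesIO(json.dumps(FAKE_REPORTS[md5]).encode("utf-8"))


if __name__ == "__main__":
    hashes = load_hashes(SAMPLE_EXPORT)
    for md5, (verdict, pos, tot) in triage("KEY", hashes, opener=fake_opener, delay=0).items():
        print(md5, verdict, pos, tot)
```

The deduplication matters more than it looks: the same Conficker binary lands on every sensor, and looking it up once per sensor burns through the 4-per-minute quota. Hashes that come back `unknown` are the ones worth submitting for analysis.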

Snort

The last stats for this month come from Snort, an IDS that receives periodic rule updates to detect malware and attacks. The signatures below are from the Emerging Threats (ET) ruleset.

Top 5 attack signatures:

  1. ET SCAN Potential SSH Scan (521 times)
  2. ET POLICY Suspicious inbound to MSSQL port 1433 (246 times)
  3. ET DROP Dshield Block Listed Source group 1 (103 times)
  4. ET POLICY Suspicious inbound to mySQL port 3306 (88 times)
  5. ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 9 (85 times)
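A table like the one above is a count of Snort alerts per signature. The following is an added example (not the blog's own Splunk search) that tallies Snort `alert_fast` output and also counts the distinct sources behind each signature, so that one noisy scanner is not mistaken for a trend. The log lines are constructed (RFC 5737 addresses) and the SIDs in them are illustrative.

```python
"""Tally Snort 'alert_fast' lines by signature and count the distinct
sources per signature.

Added example, not the blog's own tooling. Sample lines are constructed
and their SIDs are illustrative."""
import re
from collections import Counter, defaultdict

# alert_fast layout:
# <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {proto} src[:port] -> dst[:port]
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"   # absent when the rule has no classtype
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s+->\s+"    # ports are absent for ICMP
    r"(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed alert_fast sample: three SSH-scan alerts from two hosts, one
# MSSQL probe, one Dshield-listed source, one ICMP alert and one junk line.
SAMPLE_ALERTS = """\
07/02-03:14:07.123456  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:49152 -> 192.0.2.10:22
07/02-03:14:09.654321  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:49153 -> 192.0.2.10:22
07/02-04:00:11.000001  [**] [1:2010935:3] ET POLICY Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.23:3391 -> 192.0.2.11:1433
07/03-11:22:33.000002  [**] [1:2402000:3000] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.51.100.99:50000 -> 192.0.2.12:445
07/03-11:22:34.000003  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.8:1025 -> 192.0.2.10:22
07/04-00:00:01.000004  [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 192.0.2.10
this line is not an alert
"""


def parse_alerts(text):
    """Return (alerts, skipped): one dict per well-formed line plus the number
    of lines the regex rejected, so a format change shows up as a large skip
    count instead of silently shrinking the statistics."""
    alerts, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = FAST_RE.match(line)
        if m is None:
            skipped += 1
            continue
        alerts.append(m.groupdict())
    return alerts, skipped


def top_signatures(alerts, n=5):
    """Alert counts per signature message, most frequent first."""
    return Counter(a["msg"] for a in alerts).most_common(n)


def sources_per_signature(alerts):
    """Number of distinct source IPs behind each signature."""
    srcs = defaultdict(set)
    for a in alerts:
        srcs[a["msg"]].add(a["src"])
    return {msg: len(s) for msg, s in srcs.items()}


if __name__ == "__main__":
    alerts, skipped = parse_alerts(SAMPLE_ALERTS)
    spread = sources_per_signature(alerts)
    for rank, (msg, count) in enumerate(top_signatures(alerts), 1):
        print("%d. %s (%d times, %d distinct sources)" % (rank, msg, count, spread[msg]))
    print("skipped %d unparseable line(s)" % skipped)
```

Reporting the distinct-source count next to the raw count is the check a practitioner wants here: "521 times" for the SSH scan signature reads very differently if it came from 3 hosts than from 300.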

 

Sponsors

For the sharp-minded folks: at the beginning of this report you could read that we expanded our honeypot infrastructure. This is because we have found two great sponsors! They stepped up and provided us with reliable servers, spread over multiple countries.

It was very easy for us to deploy them, as both companies have a great customer panel with everything needed for deploying and managing servers.

Therefore we would like to shout a big thank you to host1plus and digitalocean.