2009-01-01
Abstract
Gabor Szappanos researches the dangers of being an average computer user.
Copyright © 2009 Virus Bulletin
The idea for this article came to me as I was reading a tabloid newspaper to pass the time while travelling. The paper quoted an AV company which estimated that an average computer user is flooded with new malware threats every second, and that they are attacked by malware tens of thousands of times every day. Now, I thought that I had a more-or-less clear picture of what malware is spreading out there [1], and based on my experience, I felt that the estimates made in the newspaper were too high. To find out who was right, I decided to do some research into the dangers of being an average user.
For the sake of this experiment, we picked a Hungarian computer user (above). Any similarity to any persons, living or dead, is purely coincidental.
The activities of our user cover general email traffic and Internet browsing, with Internet connection at work and a broadband connection at home. Our user has not registered on any pornographic websites and does not use Viagra and the like (this is not a boast, just a statement of fact that is relevant to the user’s profile, and which will have consequences for the level of threat to which the user is exposed). As a result, our subject is less vulnerable than some users, and we must take into account the fact that some of the threats measured here will potentially be underestimated.
At home our subject is connected to the Internet. Without even sitting in front of his keyboard he is a target for external attacks simply because he is connected. These attacks come from lurking network worms. Our subject is not stupid enough to leave his home PC wide open to attack and has installed the latest security updates and a firewall which protect him from most of these lurking threats. However, we should take these threats into consideration because we know that there are many users who do not follow the same security practices. Simple worm traps located on the user’s ISP were used to measure the number of attacks from network worms. The number of threats captured by an SMB trap [2] on the day in question is shown in Table 1.
| Threat | Prevalence |
|---|---|
| Worm.Opaserv.AV | 3 |
| Worm.Opaserv.AK | 3 |
| Win32.Heretic.1986 + Opaserv.AK | 2 |
| IRC.Flood.AO | 2 |
| Worm.Opaserv.AB | 2 |
| IRC.Flood.AS | 2 |
| BAT.Flood.BS | 1 |
| Worm.Opaserv.AS | 1 |
| Hacktool.IpcScan.C | 1 |
| Backdoor.ServU-based.B | 1 |
| Tool.PsExec.A | 1 |
| Hacktool.SQLScan.C | 1 |
| Worm.Opaserv.BC | 1 |
| IRC.BNC.N | 1 |
| RiskTool.HideWindows.AB | 1 |
| Worm.Opaserv.AX | 1 |
| Win32.Parite.B | 1 |
| I-Worm.Opaserv.J | 1 |
| Backdoor.ServU-based.H | 1 |
Table 1. Number of threats captured in SMB trap.
Altogether 34 attacks were recorded from 27 different IP addresses. The list is dominated by ancient Opaserv variants. One of Opaserv’s attack vectors is an old vulnerability (MS00-072) which has long since been fixed, but it also attacks weak admin passwords. I would love to be able to say that this is no longer a threat because every computer has already been patched and no one is stupid enough to set a weak admin password like ‘admin’ or ‘123’. However, reliable sources suggest that 97% of the population does not reside at the genius end of the scale [3], and with weak passwords a common occurrence, these Opaserv variants remain a threat.
More recent network worms, predominantly bots, use a newer (and ever-increasing) set of Windows vulnerabilities to infect network-connected computers. These vulnerabilities are simulated (and the attacks are captured) by honeypots like nepenthes or mwcollect. This is a different vulnerability window for an average user and it is fair to enumerate the threats coming from it separately. The top 15 attacks observed on the day in question are shown in Table 2.
| Threat | Prevalence |
|---|---|
| Win32.Virut.Gen | 31 |
| Worm.Kolabc.DW | 30 |
| Trojan.DR.Agent.EXVG | 21 |
| Worm.SdBot.ACIV | 16 |
| Worm.Agobot.WPTY | 16 |
| Worm.Kolabc.DO | 10 |
| Worm.Rbot.ACWL | 9 |
| Worm.Agobot.WPUU | 9 |
| Worm.Rbot.MCH | 8 |
| Worm.Rbot.MCG | 7 |
| Worm.Akbot.CE | 7 |
| Worm.Allaple.Gen | 7 |
| Worm.Agobot.WPUM | 7 |
| Worm.Allaple.AA | 5 |
| Backdoor.Allaple.Gen.2 | 5 |
Table 2. Newer network worms.
Altogether there were 225 successful attacks from 98 different IP addresses. (By ‘successful attack’ we mean that the goat PC was attacked, and the connect-back code downloaded the attacking worm successfully.) Most of the captures were some flavour of bot, and even the Virut variants were infections on top of Rbot or Allaple variants.
On rough average, a user is subjected to a successful attack from such threats once every six minutes.
Unlike the Opaserv variants captured by the Samba traps, which would not reach any user with the relevant security updates applied, these worms are direct threats to our user. Deploying the latest security patches and using a firewall can decrease the user’s vulnerability, but a friendly ISP which filters out the Windows ports used by these worms can decrease the threat by several orders of magnitude. As a comparison, on a different ISP (with filtering in place) we recorded about four attacks per day using the same traps and set ups – all of them coming from an emerging new threat called SQLSlammer.
Email is still one of today’s major attack vectors – it no longer serves primarily as a medium for self-spreading worms, but for seeding new trojan versions. However, there are still a couple of old friends in the playground.
Sitting behind corporate protection in the workplace and having an ISP that provides email filtering at home protects our subject from most of these email attacks. As this configuration is typical for most users, it would not be appropriate to include these threats in our calculations. However, for interest’s sake, Table 3 shows a list of the top threats blocked by the email filter of a large Hungarian ISP (which happens to be our user’s ISP).
| Threat | Prevalence | Discovery | |
|---|---|---|---|
| [1] | I-Worm.Zafi.B | 2,694 | (2004.06) |
| [2] | I-Worm.Netsky.Q1 | 2,002 | (2004.03) |
| [3] | Exploit.IFrame.B | 1,744 | |
| [4] | I-Worm.Zafi.D | 1,005 | (2004.12) |
| [5] | Win32.Virut.Gen.4 | 980 | |
| [6] | I-Worm.Netsky.Q2 | 822 | (2004.03) |
| [7] | I-Worm.Netsky.R | 493 | (2004.03) |
| [8] | Trojan.FakeAlert.Gen!Pac | 423 | |
| [9] | I-Worm.Bagle.LC | 299 | (2006.12) |
| [10] | I-Worm.Netsky.D3 | 280 | (2004.03) |
| [11] | I-Worm.Bagle.ZIP.Gen.3 | 234 | (2006.06) |
| [12] | Worm.P2P.VB.CIL!CME-24 | 198 | (2006.01) |
Table 3. Top threats blocked by the email filter of a large Hungarian ISP.
The list also shows the discovery date of these worms (which is also almost exactly the date on which protection was released for them). Only two of the top ten are less than two years old, and the majority of the list comprises worms that are at least four years old. However, as discussed, this category of threats is unlikely to reach an average user.
Other email-borne attacks are filtered out by spam filters. A spam filter can serve as a first line of defence against email-based attacks [4].
While spam mostly transmits messages that keep the global underground economy rolling, it is also a part-time distributor of malware.
Figure 1 shows the distribution of spam types received by our subject. He has not taken any active steps to increase his chances of receiving spam (e.g. he is not using his email address as a spam trap). Users with a more active online social life may experience larger volumes of spam. For the sake of better statistics, the numbers were measured over a one-week period and averaged (a total of 1,740 messages, 250 daily). In total, 6% of the spam messages received by our user were associated with malware propagation.
The distribution of malware within these messages is shown in Figure 2. These include both malicious attachments and spammed links pointing to (MPacked) malware distribution sites.
Figure 3 shows an example of how difficult it can be to distinguish between a link that points to malware and one that points to a ‘conservative’ adult site. Altogether 105 malware messages were received within a week (15 per day), most of which were Exchanger, the Fakealert and Zlob.
In this investigation we are looking at a day in the life of our subject, but it is certainly not the first day. He has a history, and he may have been infected before. If there is already malware installed on his PC it will keep updating itself.
We could not simulate entirely the level of infection of our subject, but we got some help from our virus lab, where the update URLs of common malware families are monitored daily. Table 4 shows the most frequently updated malware domains on the day in question.
| URL | Prevalence | Family | Location |
|---|---|---|---|
| try-count.net | 151 | Tibs | Moscow, Russia |
| sum4count.net | 33 | Tibs | Moscow, Russia |
| user1.16-m8.net | 32 | DL.Small | Zhanjiang, China |
| ee1.tu-sg.info | 24 | OnlineGames | Yiwu, China |
| webair.com | 7 | Zlob | Jericho, NY, USA |
| 7894234.cn | 7 | OnlineGames | Shanghai, China |
| sql.78-11.net | 6 | OnlineGames | Beijing, China |
| 23488ss.cn | 5 | OnlineGames | Shanghai, China |
| zango.com | 4 | Adware.Zango | Bellevue, WA, USA |
| 111.hfdy2525.net | 4 | OnlineGames | Ruian, China |
| www.fsjinqu.cn | 4 | QQPass | Beijing, China |
Table 4. Most frequently updated malware domains.
Most of these are related to online games, which are not very popular in Hungary, so while these may be a more significant threat to the global population, they are not relevant to our target individual.
Other risk factors we have not measured (because our subject is not involved in them) include:
IRC: IRC is used mostly by bots for communication purposes, and less frequently for seeding.
Instant messaging: some common families mass-distribute download links on IM networks.
P2P file-sharing: our target kept a loose eye on P2P file sharing networks during the research week, but since he is not involved in the use of cracked software, there is no measurement data on this threat.
Drive-by exploits: these are an increasingly important vector for malware distribution. A large number of legitimate websites have been hacked to include downloader scripts (pointing mostly to MPack distributions). This threat was excluded because it was not possible to measure its prevalence accurately – but during the last week at least three popular legitimate Hungarian sites were found to be distributing malware via this method. So this is a real threat, but not measured here.
Although not measured in this investigation, all of these risk factors raise the overall threat level of an average user (if he happens to be using these technologies).
Are we being attacked every minute? Despite the fact that most of the threats have been underestimated, this investigation has shown that we are far from being threatened by thousands of trojans every day.
The investigation has shown that we face many threats every day coming at us from different directions – but with reasonable care these risks can be minimized.
[1] Szappanos, G. What is out there? Virus Bulletin, January 2006, p.10. http://www.virusbtn.com/pdf/magazine/2006/200601.pdf.
[2] Overton, M. Worm charming: taking SMB Lure to the next level. Proceedings of the Virus Bulletin International Conference, 2003.
