15 Countries most affected by security honeypots

Honeypot Identifies Potential of Stolen Credentials

The Swiss Security Blog (SSB) published the results of research performed with honeypots deployed on its network. It is a small example of the benefits of honeypots, and it exposes the damage new Trojans can do every day. Security honeypots are closely monitored network decoys that serve several purposes:

– distract adversaries from more valuable machines on a network

– act as an early warning system for new attack and exploitation trends

– allow in-depth examination of adversaries during and after the exploitation of a honeypot.

The research identified a Trojan in the SSB honeypots. Initial analysis showed that the Trojan had contacted a server in Russia. A closer look revealed up to 200 simultaneous sessions between this server and many potentially infected clients: a fairly large command and control (C&C) server. A C&C server is designed to serve thousands of infected systems in order to keep groups of different malware running.

An in-depth examination of the data flowing between the SSB honeypots and this C&C suggested that the infected client received usernames and passwords for compromised FTP accounts around the world. How those credentials were obtained is speculation; keyloggers on other victims, or purchases in specialized criminal markets that trade in this kind of information, are both plausible. The infected clients then used the supplied credentials to log into the affected FTP accounts and recursively scanned them for filenames typical of websites (such as index.html). Not all of the accounts necessarily hosted websites, but a decent number did. Matching files were modified in a subtle way so that unsuspecting visitors to those websites were served malicious content. Visitors using browsers with unpatched vulnerabilities would be infected by malware without any further action on their part. This kind of infection is called a drive-by infection, because users can be infected simply by visiting a website. Drive-by infections are increasingly the attackers' method of choice, in place of spam emails carrying viruses.
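
As an added illustration (not part of the original SSB research or this post), the following Python script looks for the abuse pattern just described in FTP server logs: a login followed, within minutes, by a download and re-upload of index.html-style files, or by writes to such files across several directories. The vsftpd-like log format, the sample log lines, the filename list and the thresholds are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Filenames the trojan described above hunts for when it recursively scans a
# compromised FTP account. Extend the list to match your own site layout.
WEB_ENTRY_FILES = re.compile(r"/(index|default|home)\.(html?|php|aspx?)$", re.I)

# One transfer-log line in a vsftpd-like format. The exact layout is an
# assumption for this example; adapt the regex to what your FTP daemon writes.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid (?P<pid>\d+)\] "
    r"\[(?P<user>[^\]]+)\] OK (?P<action>LOGIN|DOWNLOAD|UPLOAD|DELETE): "
    r'Client "(?P<client>[^"]+)"(?:, "(?P<path>[^"]+)")?'
)

# Constructed sample lines: one session that behaves like the trojan
# (read-modify-write of entry files in two directories right after login)
# and one ordinary session that uploads a photo.
SAMPLE_LOG = """\
Mon Dec 15 10:00:01 2008 [pid 4101] [webmaster] OK LOGIN: Client "192.0.2.10"
Mon Dec 15 10:00:02 2008 [pid 4101] [webmaster] OK DOWNLOAD: Client "192.0.2.10", "/htdocs/index.html", 2048 bytes, 512.00Kbyte/sec
Mon Dec 15 10:00:03 2008 [pid 4101] [webmaster] OK UPLOAD: Client "192.0.2.10", "/htdocs/index.html", 2211 bytes, 550.00Kbyte/sec
Mon Dec 15 10:00:04 2008 [pid 4101] [webmaster] OK UPLOAD: Client "192.0.2.10", "/htdocs/blog/index.php", 3110 bytes, 600.00Kbyte/sec
Mon Dec 15 11:30:00 2008 [pid 4205] [alice] OK LOGIN: Client "198.51.100.7"
Mon Dec 15 11:45:12 2008 [pid 4205] [alice] OK UPLOAD: Client "198.51.100.7", "/htdocs/photos/cat.jpg", 100000 bytes, 800.00Kbyte/sec
"""


def parse_log(text):
    """Turn log text into a list of event dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(" ".join(ev["ts"].split()), "%a %b %d %H:%M:%S %Y")
        events.append(ev)
    return events


def find_suspicious_sessions(events, window=timedelta(minutes=5)):
    """Flag sessions that rewrite web entry files shortly after logging in.

    A session is (pid, user, client). It is reported when, within `window` of
    the login, it either downloads and then re-uploads an entry file (the
    read-modify-write an injector performs) or writes entry files in two or
    more directories (the recursive scan). Both thresholds are assumptions.
    """
    sessions = defaultdict(list)
    for ev in events:
        sessions[(ev["pid"], ev["user"], ev["client"])].append(ev)

    findings = []
    for (pid, user, client), evs in sessions.items():
        login = next((e for e in evs if e["action"] == "LOGIN"), None)
        if login is None:
            continue
        downloaded, written = set(), []
        for e in evs:
            path = e["path"]
            if not path or not WEB_ENTRY_FILES.search(path):
                continue
            if e["ts"] - login["ts"] > window:
                continue
            if e["action"] == "DOWNLOAD":
                downloaded.add(path)
            elif e["action"] == "UPLOAD":
                written.append(path)
        if not written:
            continue
        rewritten = [p for p in written if p in downloaded]
        directories = sorted({p.rsplit("/", 1)[0] for p in written})
        if rewritten or len(directories) >= 2:
            findings.append({
                "pid": pid, "user": user, "client": client,
                "written": written, "rewritten": rewritten,
                "directories": directories,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_sessions(parse_log(SAMPLE_LOG)):
        print(f"{f['user']} from {f['client']} rewrote {f['rewritten']} "
              f"and touched entry files in {f['directories']}")
```

Run against the embedded sample, only the webmaster session is reported; alice's photo upload is ignored. In production, feed it the daemon's real log and add a per-account baseline of client addresses, since the Trojan logs in from many infected clients the account owner has never used.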

As of December 15, 2008, the table below is a snapshot of the fifteen countries with the largest number of stolen credentials observed through these honeypots, with the remainder grouped as Other:

Rank  Country           # of credentials
 1    United States               33,033
 2    Russia                      19,464
 3    UNKNOWN                     16,209
 4    Turkey                       4,210
 5    Germany                      4,153
 6    Hungary                      3,787
 7    Australia                    3,318
 8    Ukraine                      2,895
 9    Czech Republic               2,568
10    Thailand                     1,967
11    India                        1,951
12    Poland                       1,927
13    Canada                       1,737
14    United Kingdom               1,643
15    France                       1,562
 -    Other                       11,618

Written by Carl E. Reid
