Internet Attacks for 2006

Kaspersky labs recently released their 2006 Security Bulletin, in it they include loads of information they have collected from 2006. Topics like malware evolution, malware for UNIX-type systems, malware for cell phones, spam and, of course, internet attacks. Here are the top 20 internet probes and attacks from 2006.

1 34.29 probe HTTP GET Generic
2 16.38 probe MSSQL
3 8.54 worm Slammer.a
4 6.51 probe FTP anonymous login
5 6.19 exploit Buffer Overrun in Microsoft RPC Interface
6 4.08 probe Radmin
7 3.59 probe SSH Bruteforce Password Crack
8 3.30 exploit MS_ASN1
9 3.00 probe Webdav
10 2.78 worm Blaster (and variants)
11 2.22 probe HTTP CONNECT
12 2.07 worm Lupper (and variants)
13 0.50 exploit WINS
14 0.22 exploit Microsoft SQL Server 2000 Resolution Service
15 0.19 probe CGI-BIN probe
16 0.18 worm Dabber
17 0.13 worm Rbot/Agobot via Webdav exploit
18 0.10 probe HTTP POST back
19 0.09 probe Dipnet
20 0.09 probe Kuang backdoor execute command Source: Internet Attacks

Believe it or not the slammer worm is still growing, fueled by the numbers of infected machines in Asia and around the world. MSSQL probes are increasing, as did anonymous ftp logins attempts, although they decreased at the end of the year, and they are expecting them to decrease even more. The good old buffer overrun increased some when compared to last year, but, since it was fixed in 2003, it should be decreasing as well. They did notice two trends, that the older exploits are mainly used by bots and are becoming background noise and that there appears to be more of a focus on hacking servers because of weak passwords, since there are fewer and fewer vulnerabilities. The top 10 vulnerabilities used in attacks in 2006 are:

1 MS02-039 Buffer Overruns in SQL Server 2000 Resolution Service Might Enable Code Execution
2 MS03-026 Buffer Overrun in RPC May Allow Code Execution
3 MS04-007 An ASN.1 vulnerability could allow code execution
4 MS03-007 Unchecked buffer in Windows component may cause Web Server compromise
5 CVE-2005-1921 Eval injection vulnerability in PEAR XML_RPC 1.3.0 and earlier (aka XML-RPC or xmlrpc) and PHPXMLRPC (aka XML-RPC For PHP or php-xmlrpc) 1.1 and earlier
6 CVE-2005-0116 AWStats 6.1, and other versions before 6.3, allows remote attackers to execute arbitrary commands via shell metacharacters in the configdir parameter
7 CVE-2005-1950 in Webhints 1.03 allows remote attackers to execute arbitrary commands via shell metacharacters in the argument
8 MS04-045 Vulnerability in WINS could allow remote code execution
9 VU#909678 DameWare Mini Remote Control vulnerable to buffer overflow via specially crafted packets
10 MS03-051 Buffer overrun in Microsoft FrontPage Server Extensions could allow code execution

The top port used is still 445, but there was a big jump for port 1433, the port normally used by MSSQL, ports 1025, 1026 and 1027 are used by the Windows Messenger service and are ALMOST as popular as port 445, even though the messenger service is now disabled in XP SP2 and later versions of windows. They also note that web based attacks are the preferred method of stuffing your computer full of malware. Read the full report, here.