Just a few days ago we installed a new network protocol analyzer in our lab here in Dublin. It was late when the configuration was done so we just fired it up and let it run until the next day. After all we didn't expect to get much attention in the beginning.

In a couple of hours, the first signs began to appear. Mainly there were port scans from zombies (a computer attached to the Internet that has been compromised by a hacker, or a malware program; generally, a compromised machine is only one of many in a botnet, and will be used to perform malicious tasks of one sort or another under remote direction). Most of them are trying to exploit common vulnerabilities as RPC but we've even seen SYM06-010 (Symantec Client Security and Symantec AntiVirus Elevation of Privilege) and RAdmin attempts.

After compiling the list in a more human readable format, we were able to determine also the countries from were those attacks were initiated, so here goes:

Graph

And remember, this activity was recorded only in a few hours.

Now, besides the port scans, we encountered something else.

Once in a while you need to reinstall the system and we all remember what that implies, specifically downloading and installing the updates. Sometimes, actually most of the times, accompanied by receiving messages telling you that the system is infected or that some critical errors were found. While in some cases the system does get infected with some obscure bot or something more fancy like Renos trojan, sometimes it's something like this:

Network monitor

STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION.
Windows has found 55 Critical System Errors.
To fix the errors please do the following:
1. Download Registry Update from: www.regfixit.com
2. Install Registry Update
3. Run Registry Update
4. Reboot your computer
FAILURE TO ACT NOW MAY LEAD TO SYSTEM FAILURE!

This is just an UDP packet for the Microsoft Messenger Service but is designed to trick the user into visiting a webpage (usually to download and install a rogue application). The best way to prevent this kind of actions is to stop the Messenger service in the first place, thus ignoring any of these bogus messages.

For the normal user who has just finished installing the operating system and connected it to the internet, all of these attacks happening are pretty invisible. Well, most of time. So when you connect that system to the outside world, you expect just to install the updates and then browse your favourite websites and get online with your friends. Bots knocking on your (back)door is the least thing you would expect.

Given the facts, we can't wait to see what other "goodies" are travelling on the wire.

Additional information:
http://www.microsoft.com/windowsxp/using/security/learnmore/stopspam.mspx
http://support.microsoft.com/kb/168893

-- Patrik Vicol && Andrei Saygo