
May 2004
Link Logger for Windows

Traffic and Event Review of May 2004

Overall System Traffic

Outbound Traffic

256,922 outbound log events. A full security audit performed on an external system on the morning of May 29th produced a large spike in traffic.

Unique outbound destinations per hour. The spike on May 13th came from a test of the nmap feature.

Inbound Traffic

228,428 unsolicited events logged. The spikes are explained below. Note: the ISP had a brief outage on the morning of May 21st.

Unique inbound sources per hour. The spike on May 29th was from ICMP traffic; see below.

The spike on May 29th was ICMP return traffic from various external security audits.


Alert Traffic

Inbound Alerts

The events of May 15th and May 29th were local events, explained below. Trends indicate that a number of infected systems are turned off daily and that most infected systems are on during the mid-evening hours.


215,326 alerts of 39 different types.


25,354 unique alert sources. was the principal source of the spam being sent to the spam honeypot. Note that since most addresses are within our local netblock, it indicates that the most common worms use a weighted IP generation algorithm that favours local IP addresses.



Significant Events

May's exploit of choice was certainly the LSASS vulnerability, as a number of new worms exploiting it appeared this month. The vulnerability is described in Microsoft Security Bulletin MS04-011.

We also saw a reduction in the number of systems that scan multiple ports (i.e. Agobot-infected systems), as most scans are now single-port scans.

Sasser - April 30th

Scans port 445 for LSASS-vulnerable systems, then opens a remote shell on port 9996 and uses its own FTP server on port 5554 to download the worm.

Bobax - May 17th

Scans port 5000 looking for XP systems, which it then attacks using the LSASS exploit on port 445.

Korgo - June 1

Korgo is another LSASS-exploiting worm, but I suspect it has already infected more systems than Sasser did.
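The two observations above lend themselves to a small log-review script: the note that most alert sources sit inside the local netblock, and the per-worm port orders (Sasser probing 445 and then 9996/5554, Bobax probing 5000 and then 445). The following is an added example, not Link Logger's own code or output. It parses constructed sample log lines in a simplified "timestamp source destination:port protocol" shape (the addresses, netblock and line format are assumptions, not the Zywall's real syslog format), groups hits by source, checks whether a source's port sequence matches one of the worm patterns, and reports what share of unique sources fall inside the monitored netblock.

```python
"""Added example (not Link Logger's own code): classify constructed firewall
log lines by the LSASS-worm probe orders described on the page and measure how
many alert sources fall inside the monitored netblock."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines. The timestamps, addresses and the
# "time src dst:port proto" layout are made up for this example.
SAMPLE_LOG = """\
2004-05-29 21:00:01 198.51.100.7 192.0.2.10:445 TCP
2004-05-29 21:00:03 198.51.100.7 192.0.2.10:9996 TCP
2004-05-29 21:00:04 198.51.100.7 192.0.2.10:5554 TCP
2004-05-29 21:01:10 192.0.2.55 192.0.2.10:5000 TCP
2004-05-29 21:01:12 192.0.2.55 192.0.2.10:445 TCP
2004-05-29 21:02:00 192.0.2.77 192.0.2.10:135 TCP
2004-05-29 21:03:30 203.0.113.9 192.0.2.10:445 TCP
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+):(\d+) (\w+)$")

# Port orders taken from the page's worm descriptions: a single infected
# source is expected to touch these ports in this order.
WORM_SEQUENCES = {
    "Sasser": [445, 9996, 5554],
    "Bobax": [5000, 445],
}


def parse_log(text):
    """Turn the sample lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, dst, port, proto = m.groups()
        events.append({"ts": ts, "src": src, "dst": dst,
                       "port": int(port), "proto": proto})
    return events


def ports_in_order(seen_ports, pattern):
    """True if pattern occurs as an ordered subsequence of seen_ports."""
    it = iter(seen_ports)
    return all(any(p == want for p in it) for want in pattern)


def classify_sources(events):
    """Map each source address to the first worm pattern its port order matches.

    A source that only hits one port (the page's single-port scans) matches
    nothing and is left out of the result.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e["port"])
    matches = {}
    for src, ports in by_src.items():
        for name, pattern in WORM_SEQUENCES.items():
            if ports_in_order(ports, pattern):
                matches[src] = name
                break
    return matches


def local_share(events, netblock):
    """Return (sources inside netblock, total unique sources)."""
    net = ipaddress.ip_network(netblock)
    sources = {e["src"] for e in events}
    local = sum(1 for s in sources if ipaddress.ip_address(s) in net)
    return local, len(sources)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, worm in classify_sources(evs).items():
        print(f"{src}: port order matches {worm}")
    inside, total = local_share(evs, "192.0.2.0/24")  # assumed monitored netblock
    print(f"{inside} of {total} unique sources are inside the monitored netblock")
```

The sequence check is deliberately an ordered-subsequence test rather than an exact match, so a source that also probes unrelated ports between the expected ones still matches; a source that touches only port 445 does not, which is the single-port scan the text says now dominates.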


Messenger Spam Levels

You would think that someone being interrupted by Messenger pop-ups every 3 minutes might look for the cause and a solution. I should add that simply turning off Microsoft's Messenger Service, as some people suggest, is NOT a solution. If you are receiving Messenger spam then it's very likely you have been exposed to far worse malware; you should ensure that your system is clean and consider a hardware firewall, or at least a software firewall, as a defence against malware, including Messenger spam.


Local Events

We had two local events on our network, meaning that these events were not global internet events. The first event was TCP port 139 scans of our netblock (another honeypot on the same netblock picked up the event as well). The second event was the result of configuring a honeypot to watch for spammers looking for open spam engines on TCP port 65506. Our honeypot is passive, meaning that spammers can send us spam to bounce but our system just eats it and nothing is passed on. It would appear that spammers are still very aggressive about using compromised systems to send out their spam.


About this system

The test network used is a home system running on a high-speed cable network with no services exposed to the internet (no web server, etc.), so this traffic could be considered typical for most home systems. All reports and graphs were produced using Link Logger connected to a Zyxel Zywall 10W.

Page last updated on June 05, 2004