A day in the life of an average user

2009-01-01

Gabor Szappanos

VirusBuster, Hungary
Editor: Helen Martin

Abstract

Gabor Szappanos researches the dangers of being an average computer user.


The idea for this article came to me as I was reading a tabloid newspaper to pass the time while travelling. The paper quoted an AV company which estimated that an average computer user is flooded with new malware threats every second, and that they are attacked by malware tens of thousands of times every day. Now, I thought that I had a more-or-less clear picture of what malware is spreading out there [1], and based on my experience, I felt that the estimates made in the newspaper were too high. To find out who was right, I decided to do some research into the dangers of being an average user.

User profile

For the sake of this experiment, we picked a Hungarian computer user (above). Any similarity to any persons, living or dead, is purely coincidental.

The activities of our user cover general email traffic and Internet browsing, with Internet connection at work and a broadband connection at home. Our user has not registered on any pornographic websites and does not use Viagra and the like (this is not a boast, just a statement of fact that is relevant to the user’s profile, and which will have consequences for the level of threat to which the user is exposed). As a result, our subject is less vulnerable than some users, and we must take into account the fact that some of the threats measured here will potentially be underestimated.

The risks of being connected

At home our subject is connected to the Internet. Without even sitting in front of his keyboard he is a target for external attacks simply because he is connected. These attacks come from lurking network worms. Our subject is not stupid enough to leave his home PC wide open to attack and has installed the latest security updates and a firewall which protect him from most of these lurking threats. However, we should take these threats into consideration because we know that there are many users who do not follow the same security practices. Simple worm traps located on the user’s ISP were used to measure the number of attacks from network worms. The number of threats captured by an SMB trap [2] on the day in question is shown in Table 1.

Threat                                Prevalence
Worm.Opaserv.AV                       3
Worm.Opaserv.AK                       3
Win32.Heretic.1986 + Opaserv.AK       2
IRC.Flood.AO                          2
Worm.Opaserv.AB                       2
IRC.Flood.AS                          2
BAT.Flood.BS                          1
Worm.Opaserv.AS                       1
Hacktool.IpcScan.C                    1
Backdoor.ServU-based.B                1
Tool.PsExec.A                         1
Hacktool.SQLScan.C                    1
Worm.Opaserv.BC                       1
IRC.BNC.N                             1
RiskTool.HideWindows.AB               1
Worm.Opaserv.AX                       1
Win32.Parite.B                        1
I-Worm.Opaserv.J                      1
Backdoor.ServU-based.H                1

Table 1. Number of threats captured in SMB trap.

Altogether 34 attacks were recorded from 27 different IP addresses. The list is dominated by ancient Opaserv variants. One of Opaserv’s attack vectors is an old vulnerability (MS00-072) which has long since been fixed, but it also attacks weak admin passwords. I would love to be able to say that this is no longer a threat because every computer has already been patched and no one is stupid enough to set a weak admin password like ‘admin’ or ‘123’. However, reliable sources suggest that 97% of the population does not reside at the genius end of the scale [3], and with weak passwords a common occurrence, these Opaserv variants remain a threat.

Nepenthes trap

More recent network worms, predominantly bots, use a newer (and ever-increasing) set of Windows vulnerabilities to infect network-connected computers. These vulnerabilities are simulated (and the attacks are captured) by honeypots like nepenthes or mwcollect. This is a different vulnerability window for an average user and it is fair to enumerate the threats coming from it separately. The top 15 attacks observed on the day in question are shown in Table 2.

Threat                    Prevalence
Win32.Virut.Gen           31
Worm.Kolabc.DW            30
Trojan.DR.Agent.EXVG      21
Worm.SdBot.ACIV           16
Worm.Agobot.WPTY          16
Worm.Kolabc.DO            10
Worm.Rbot.ACWL            9
Worm.Agobot.WPUU          9
Worm.Rbot.MCH             8
Worm.Rbot.MCG             7
Worm.Akbot.CE             7
Worm.Allaple.Gen          7
Worm.Agobot.WPUM          7
Worm.Allaple.AA           5
Backdoor.Allaple.Gen.2    5

Table 2. Newer network worms.

Altogether there were 225 successful attacks from 98 different IP addresses. (By ‘successful attack’ we mean that the goat PC was attacked, and the connect-back code downloaded the attacking worm successfully.) Most of the captures were some flavour of bot, and even the Virut variants were infections on top of Rbot or Allaple variants.

On a rough average, a user is subjected to a successful attack from such threats once every six minutes.
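The tally behind Table 2 and the 'once every six minutes' figure come from counting only captures in which the connect-back download completed. As an added illustration, not code from the article, the following script applies that definition to a constructed capture log (the line format, IPs and detection names are assumptions for the example) and derives the prevalence table, the number of distinct sources and the mean interval between successful attacks.

```python
from collections import Counter
from datetime import datetime

# Constructed sample of one day's honeypot captures (not the article's data).
# Fields: date, time, attacking IP, download status, detection name of the
# payload fetched by the connect-back code ("-" when nothing was fetched).
CAPTURES = """\
2009-01-01 00:04:10 198.51.100.7 ok Worm.Kolabc.DW
2009-01-01 00:09:55 198.51.100.7 ok Worm.Kolabc.DW
2009-01-01 00:17:02 203.0.113.40 failed -
2009-01-01 00:31:48 203.0.113.41 ok Win32.Virut.Gen
2009-01-01 01:02:13 198.51.100.9 ok Worm.Rbot.ACWL
2009-01-01 01:15:30 203.0.113.41 ok Win32.Virut.Gen
2009-01-01 01:40:06 198.51.100.7 ok Worm.Agobot.WPTY
"""

def parse_captures(text):
    """Return (time, ip, detection) for successful captures only.

    A capture counts as a successful attack, in the sense the article uses,
    only when the exploit hit the goat PC AND the connect-back download of
    the worm completed (status "ok")."""
    rows = []
    for line in text.splitlines():
        date, clock, ip, status, name = line.split()
        if status != "ok":
            continue
        rows.append((datetime.fromisoformat(f"{date} {clock}"), ip, name))
    return rows

def summarise(rows):
    """Build the prevalence table plus the headline figures quoted in the text."""
    prevalence = Counter(name for _, _, name in rows).most_common()
    times = sorted(t for t, _, _ in rows)
    # Mean gap, in minutes, between consecutive successful attacks.
    gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
    mean_gap = sum(gaps) / len(gaps) if gaps else None
    return {
        "attacks": len(rows),
        "sources": len({ip for _, ip, _ in rows}),
        "prevalence": prevalence,
        "mean_gap_minutes": mean_gap,
    }

if __name__ == "__main__":
    s = summarise(parse_captures(CAPTURES))
    for name, n in s["prevalence"]:
        print(f"{name:24s} {n}")
    print(f"{s['attacks']} attacks from {s['sources']} IPs, "
          f"one every {s['mean_gap_minutes']:.1f} minutes")
```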

Unlike the Opaserv variants captured by the Samba traps, which would not reach any user with the relevant security updates applied, these worms are direct threats to our user. Deploying the latest security patches and using a firewall can decrease the user’s vulnerability, but a friendly ISP which filters out the Windows ports used by these worms can decrease the threat by several orders of magnitude. As a comparison, on a different ISP (with filtering in place) we recorded about four attacks per day using the same traps and set-ups – all of them coming from an emerging new threat called SQLSlammer.

Email attacks

Email is still one of today’s major attack vectors – it no longer serves primarily as a medium for self-spreading worms, but for seeding new trojan versions. However, there are still a couple of old friends in the playground.

Sitting behind corporate protection in the workplace and having an ISP that provides email filtering at home protects our subject from most of these email attacks. As this configuration is typical for most users, it would not be appropriate to include these threats in our calculations. However, for interest’s sake, Table 3 shows a list of the top threats blocked by the email filter of a large Hungarian ISP (which happens to be our user’s ISP).

      Threat                        Prevalence   Discovery
[1]   I-Worm.Zafi.B                 2,694        2004.06
[2]   I-Worm.Netsky.Q1              2,002        2004.03
[3]   Exploit.IFrame.B              1,744
[4]   I-Worm.Zafi.D                 1,005        2004.12
[5]   Win32.Virut.Gen.4             980
[6]   I-Worm.Netsky.Q2              822          2004.03
[7]   I-Worm.Netsky.R               493          2004.03
[8]   Trojan.FakeAlert.Gen!Pac      423
[9]   I-Worm.Bagle.LC               299          2006.12
[10]  I-Worm.Netsky.D3              280          2004.03
[11]  I-Worm.Bagle.ZIP.Gen.3        234          2006.06
[12]  Worm.P2P.VB.CIL!CME-24        198          2006.01

Table 3. Top threats blocked by the email filter of a large Hungarian ISP.

The list also shows the discovery date of these worms (which is also almost exactly the date on which protection was released for them). Only two of the top ten are less than two years old, and the majority of the list comprises worms that are at least four years old. However, as discussed, this category of threats is unlikely to reach an average user.

Other email-borne attacks are filtered out by spam filters. A spam filter can serve as a first line of defence against email-based attacks [4].

Spam

While spam mostly transmits messages that keep the global underground economy rolling, it is also a part-time distributor of malware.

Figure 1 shows the distribution of spam types received by our subject. He has not taken any active steps to increase his chances of receiving spam (e.g. he is not using his email address as a spam trap). Users with a more active online social life may experience larger volumes of spam. For the sake of better statistics, the numbers were measured over a one-week period and averaged (a total of 1,740 messages, 250 daily). In total, 6% of the spam messages received by our user were associated with malware propagation.


Figure 1. Types of spam messages received.

The distribution of malware within these messages is shown in Figure 2. These include both malicious attachments and spammed links pointing to (MPacked) malware distribution sites.


Figure 2. Distribution of malware within spam.

Figure 3 shows an example of how difficult it can be to distinguish between a link that points to malware and one that points to a ‘conservative’ adult site. Altogether 105 malware messages were received within a week (15 per day), most of which were Exchanger, FakeAlert and Zlob.


Figure 3. Which one of these points to malware? (the message captured on OSX is safe – at least from malware).

Download updates

In this investigation we are looking at a day in the life of our subject, but it is certainly not the first day. He has a history, and he may have been infected before. If there is already malware installed on his PC it will keep updating itself.

We could not simulate entirely the level of infection of our subject, but we got some help from our virus lab, where the update URLs of common malware families are monitored daily. Table 4 shows the most frequently updated malware domains on the day in question.

URL                   Prevalence   Family         Location
try-count.net         151          Tibs           Moscow, Russia
sum4count.net         33           Tibs           Moscow, Russia
user1.16-m8.net       32           DL.Small       Zhanjiang, China
ee1.tu-sg.info        24           OnlineGames    Yiwu, China
webair.com            7            Zlob           Jericho, NY, USA
7894234.cn            7            OnlineGames    Shanghai, China
sql.78-11.net         6            OnlineGames    Beijing, China
23488ss.cn            5            OnlineGames    Shanghai, China
zango.com             4            Adware.Zango   Bellevue, WA, USA
111.hfdy2525.net      4            OnlineGames    Ruian, China
www.fsjinqu.cn        4            QQPass         Beijing, China

Table 4. Most frequently updated malware domains.

Most of these are related to online games, which are not very popular in Hungary, so while these may be a more significant threat to the global population, they are not relevant to our target individual.

Other risk factors we have not measured (because our subject is not involved in them) include:

  • IRC: IRC is used mostly by bots for communication purposes, and less frequently for seeding.

  • Instant messaging: some common families mass-distribute download links on IM networks.

  • P2P file-sharing: our target kept a loose eye on P2P file sharing networks during the research week, but since he is not involved in the use of cracked software, there is no measurement data on this threat.

  • Drive-by exploits: these are an increasingly important vector for malware distribution. A large number of legitimate websites have been hacked to include downloader scripts (pointing mostly to MPack distributions). This threat was excluded because it was not possible to measure its prevalence accurately – but during the last week at least three popular legitimate Hungarian sites were found to be distributing malware via this method. So this is a real threat, but not measured here.

Although not measured in this investigation, all of these risk factors raise the overall threat level of an average user (if he happens to be using these technologies).

Conclusion

Are we being attacked every minute? Despite the fact that most of the threats have been underestimated, this investigation has shown that we are far from being threatened by thousands of trojans every day.

The investigation has shown that we face many threats every day coming at us from different directions – but with reasonable care these risks can be minimized.

Bibliography

[1] Szappanos, G. What is out there? Virus Bulletin, January 2006, p.10. http://www.virusbtn.com/pdf/magazine/2006/200601.pdf.

[2] Overton, M. Worm charming: taking SMB Lure to the next level. Proceedings of the Virus Bulletin International Conference, 2003.

[3] Bontchev, V. Anatomy of a Virus Epidemic. Proceedings of the Virus Bulletin International Conference, 2001.

[4] Overton, M. Canning more than Spam with Bayesian filtering. Proceedings of the Virus Bulletin International Conference, 2004.
