Conficker – ZIRCONIC

Honeypot update – I still have four Dionaea honeypots running in NYC, Frankfurt, Bangalore and Singapore (the GRAB series) and a single Conpot running in NYC (JUMPSEAT).

sepstats1

I didn’t have a similar issue in September as I did in August (when the sheer volume of traffic caused the honeypots to run out of inodes in the first 3-10 days of the month) though Frankfurt ran out towards the very end of the night on the 30^th of September, so that cut it close a bit.

GRAB-NYC03:
Connections: 752,296
Unique IPs: 19,507
Files Downloaded: 5
sepstats2

sepstats3

Interesting to see Kazakhstan make the list this time, with Romania making up a sizable portion of the totals this time around.

sepstats4

UPnP, again, strongly the most popular, and therefore no surprise when we look at the ports:

sepstats5

sepstats6

The top IP address, 40.84.185.138 leads back to Microsoft, actually, as do the next three addresses. 191.237.45.46 apparently leads back to Microsoft also, but this particular entry gets associated with someone apparently with Microsoft in Brazil (Benjamin Orndorff, who apparently is located in Seattle). Maybe this is just a provocation… The next two after that lead back to hosting providers in Europe, while the one after that, 65.19.129.154, seem to lead back to an electric company in California, with a NOC in Sterling, VA. The last two are Microsoft and a hosting provider in Canada.

Here’s a map showing the attacker locations:

sepstats7
sepstats8

Next is the Frankfurt honeypot:

GRAB-FRA01:
Connections: 1,127,930
Unique IPs: 20,659
Files Downloaded: 15

Pretty spectacular number of connections – this is a new personal record for any of my honeypots.

sepstats9
sepstats10
Vietnam making the top 3 this time!

Similar results in terms of the shape of the graph for services, but wow – over a million UPnP connections.

sepstats11

sepstats12
sepstats13
The top IP address leads back to some person in Vietnam. The second highest leads back to that electric company. Turns out it’s actually a hosting provider (Hurricane Electric), so not mysterious anymore. The remainder are hosting providers in France, Hong Kong, and also some of the same parties from Microsoft that we saw earlier with GRAB-NYC.

Now for the maps:

sepstats14
sepstats15

GRAB-SIN01:
Connections: 500,737
Unique IPs: 21,688
Files Downloaded: 10,518

Again, not a mistake – this honeypot set a new record for number of samples collected. Like last month – almost ALL of these downloads were Conficker variants. I did find one other piece of malware in there (Parite-C). I find it really interesting that there is so much Conficker in this region, and how it doesn’t seem to spread to my other honeypots.

sepstats16
sepstats17

India makes the list, which is a first, as well as Venezuela and Ireland.

sepstats18

sepstats19

Services and ports are pretty much in line with other regions.

sepstats20
Microsoft coming in at number 1! And 2, and 3, and 4, 5… and 7… and 10. What the hell? The rest were just some hosting providers in various places (one in India).

Now, maps:

sepstats21

sepstats22

Bangalore:

GRAB-BAN01:
Connections: 457,464
Unique IPs: 21,221
Files Downloaded: 2

As usual, dismal number of files collected from Bangalore. Also, like last month,this honeypot has the highest number of unique IPs of all the GRAB honeypots.

sepstats23

sepstats24

Services/ports in line with other regions:

sepstats25

sepstats26

Microsoft dominates these results also, 7/10. The rest are hosting providers (including one from AWS).

sepstats27

Some maps:

sepstats28

sepstats32

Much more activity on JUMPSEAT in September, here are the total connections by protocol:

sepstats30

Last month saw Modbus as the most popular protocol, followed by all variants of HTTP, so much different this month. Perhaps the parties involved noticed that my honeypot doesn’t quite seem right and stopped bothering.

sepstats31

Lots of activity, but nothing as clearly anomalous as when we had shodan.io scanning the honeypot in August. 80.82.70.24 leads back to a hosting provider in Seychelles. 184.105.139.67 is Shadow Server, again. 52.42.34.123 leads back to Amazon while the next two lead back to Poland. One of them is actually a security company I’m familiar with! Hello there! The last one leads back to UC Berkeley.

That’s it for September, on to other things.

Time for an update on my constellation of honeypots. As you may recall from my last update, I currently have four Dionaea honeypots running in NYC, Frankfurt, Bangalore and Singapore (the GRAB series) and a single Conpot running in NYC (JUMPSEAT).

grab1

I had a bit of an issue this month that caused me to lose some data from the honeypots. The issue was the same on all the GRAB honeypots, but the circumstances were different and this is what’s interesting to me. I ran out of inodes on all four honeypots. On two of them (NYC and Frankfurt), this is definitely my fault as I never backed up and removed the bistreams stored on both of them, so after almost two months of operation I simply ran out of inodes there. However, on my other two, what was pretty crazy is that I ran out of inodes shortly after bringing them online due to the high volume of traffic on both honeypots. One honeypot ran out of inodes after seven days, and the other after three days due to the sheer volume of attacks. I didn’t think I’d have to check on them that frequently, but looks like we’re doing ok now. Maybe there was some sort of campaign in that part of the world… Here are the stats.

GRAB-NYC03:
Connections: 757,521
Unique IPs: 19,192
Files Downloaded: 12

2ndmonth1

2ndmonth2

Similar results to last time I measured – though keep in mind that I did lose about 10 days of data from this one, so the full results probably would have been much higher. Romania increased its share to about 6% of the total attacks (up from about 0.71% last month).

2ndmonth3

2ndmonth4

A more varied mix of services, while UPnP remains the most popular.
Again, not a shock that the most activity also came through port 1900, the UDP port for UPnP.

2ndmonth5

Actually a new set of top 10 IPs this time, with fewer attacks per IP address than last month (which had one address responsible for about 80,000 attacks). The top IP with 14,057 attacks leads back to AWS. The next one, 45.32.222.158, leads to Choopa, LLC, a managed hosting company in Matawan, NJ. According to their Google reviews, they are known for hosting malicious actors. Good to keep in mind in case I ever need a “permissive” host someday. Number 4 on the list, 94.236.95.171, is odd because it originates at Beggars Group, Ltd, a group of record labels. Numbers 5 and 6 originate in Beijing.

Here’s a map showing the attacker locations:
2ndmonth6

2ndmonth7

Next is the Frankfurt honeypot:

GRAB-FRA01:
Connections: 745,068
Unique IPs: 13,803
Files Downloaded: 13

Again, results more or less in line with last month, keeping in mind the loss of 10 days of data. More unique IPs this time, many fewer files downloaded.

2ndmonth8

2ndmonth9

Similar to the results from the NYC honeypot.

2ndmonth10

The huge number of UPnP connections looks more like the prior month’s results (compared with NYC’s results).

2ndmonth11

Therefore, no shock here when looking at ports.

2ndmonth12

Like NYC, a new set of characters this time around. Nearly 110,000 attacks from 54.211.52.121, which leads back to AWS. In number 3, 94.236.95.171, we again see that Beggars Group, Ltd entity. Numbers 4 and 5 lead back to Beijing.

Here’s another map of the attackers, with an alternate view of the same data as well:

2ndmonth13

2ndmonth14

Now for the new honeypots!

GRAB-SIN01:
Connections: 154,834
Unique IPs: 17,750
Files Downloaded: 2,003

That’s not a mistake – I really did get just over 2,000 files collected in the Singapore honeypot. Almost all of them were Conficker variants. Out of all the unique binaries, I only found one Pepex variant and a Poebot variant, then 137 different Conficker binaries. I haven’t found Conficker in any of my other honeypots so far. Really unbelievable how many files I captured in such a small attack surface (compared with my other honeypots).

2ndmonth15 2ndmonth16

Interesting split – this makes me think that there is some sort of regional difference here, at least compared with my other honeypots. We see China higher up and also Vietnam, which so far I haven’t seen in the top 10 anywhere else.

2ndmonth17

A bit more diversity in these services, closer to what NYC looked like vs. Frankfurt.

2ndmonth18

2ndmonth19
This time, Beggars Group is the top IP address messing around with my Singapore honeypot. Coming in at number 3 is 208.78.164.135, at Valve Corporation. Number 6, 188.165.192.91, leads to OVH in France. Number 9, 54.166.233.236, shows up as AWS. The final one there, 93.174.93.136, leads to Quasi Networks, based in Seychelles. Their barely functioning website advises that they are building sites in Amsterdam, Stockholm, Frankfurt, Moscow and London and that their website will be online soon. I guess they already have the hosting up and running… Another one to keep in mind in case I need a permissive host. Interesting that this hub didn’t see any Chinese addresses in the top 10.

2ndmonth21 2ndmonth20

Bangalore:

GRAB-BAN01:
Connections: 72,685
Unique IPs: 19,299
Files Downloaded: 1

Dismal number of files collected from Bangalore. Interesting that this honeypot has the highest number of unique IPs of all the GRAB honeypots. Also interesting that this honeypot has the highest diversity of connections (the top is “Other” which encompasses individual countries that were too small to fit on the top 10 on their own, followed by China and the USA).

2ndmonth22 2ndmonth23

Nothing too out of the ordinary in terms of services and ports:

2ndmonth28 2ndmonth27 2ndmonth24

Beggars Group, Ltd, is number 1 again, at 94.236.95.171. Numbers 2 and 3 are in Beijing, number 4 is Valve Corporation again. We saw OVH again, in 8^th place, at 188.165.192.91. Otherwise, nothing too new or interesting here.

Some maps:

2ndmonth25 2ndmonth26

With JUMPSEAT, I’m running a Conpot honeypot, and I don’t have as many options as far as reporting as I do with the Dionaea honeypots. I took the raw logs and did some work with them in LibreOffice. Here are some numbers regarding the total numbers of connections that I had:

2ndmonth29

Modbus was the most popular protocol, followed by all variants of HTTP. There were a few other things scattered around in there. Looking at attacks by IP address, things get more interesting:

2ndmonth30

71.6.167.142 leads to a hosting company called CariNet out in San Diego, CA. This person scanned just about every port on JUMPSEAT. The other addresses were definitely more typical of the activity I got on this honeypot, as you can see from the numbers. 113.240.250.156 and 106.38.241.111 lead to Beijing. 91.196.50.33 and 185.25.148.240 lead back to a hosting company in Poland. 67.87.198.46 actually leads to Optimum Online in NY – is someone scanning these from home?

When I ran 71.6.167.142 through robtex.com, it actually appears that this is shodan.io. The way it scanned the honeypot makes sense now.

That’s it for this month.

Tag: Conficker

September 2016 Honeypot Results

August Honeypot Statistics