I’ve been looking at ATLAS data for the past few days, looking at new features to add to ATLAS and also for real data coming out of it. In short, the world’s not ending, we’re just looking at possible exploit activity.
UDP port 407, used in Timbuktu, has shown up lately. A recent vulnerability, CVE-2007-4221, could be the target of new attacks. Hence, I went looking for UDP port 407 attackers and only one or two show up. Nothing surprising …
TCP port 4899, used in RAdmind, is also a frequently scanned for port. This morning a friend was asking about it, he’s seen a spike in firewall hits in the past day or so. ATLAS’ view of TCP port 4899 shows that there’s a steady stream of attackers, but no massive uptick. It looks like some continual interest in it, just people plunking away at the classics.
And finally a bunch of us are talking about Storm Worm numbers after reading Storm Drain, from the Microsoft Anti-Malware Engineering Team blog. Several people, myself included, had put size estimates in the millions of hosts. Microsoft’s numbers suggest far, far fewer, on the order of hundreds of thousands. People tell me they have seen a decrease in the number of DDoS attacks from Storm, and also I have seen a slowing of the email lures in the past week and a half. It looks like the MSRT is having an effect. Some people estimate half, some about 25%, but overall a real decrease. To quote:
Finally, to the numbers (numbers as of 2PM Tuesday, PDT).
The Renos family of malware has been removed from 668,362 distinct machines. The Zlob family has been removed from 664,258 machines. And the Nuwar family has been removed from 274,372 machines. In total, malware has been removed by this month’s MSRT from 2,574,586 machines.
So, despite some public concern in the press and among researchers about the “Storm” worm, it ranks third among the families of malware whose signatures have been added to the MSRT.
Just another day at the office …