SANS Internet Storm Center
Substantial Increase in Infected System Numbers (is it real?)
Starting in mid October, we saw a jump in the number of "source IPs" recorded by DShield. "Sources" are essentially the source addresses of packets dropped by firewalls and reported to DShield. While there are of course some false positives (so I wouldn't go as far as to say that all of these systems are exploited), the majority of these systems are typically part of a botnet or infected with the worm of the day.

For the last few months, the number of source IPs hovered at around 1 million per day. However, as of Oct. 18th, this number all of a sudden surged to about 1.6-1.8 million. This coincides with a dramatic increase in spam. While I haven't had a chance yet to exactly correlate this with spam numbers, the timing looks suspiciously similar.

Note that the number of source IPs in our database not only correlates with the number of infected systems, but is also related to how aggressively these systems scan. Over the last year we did see a trend of infected systems scanning less aggressively than they used to. This is partly due to the shift from random worms to more intelligent bots.

See below for a graph of source IPs vs. date for the last month. Note that this is still work in progress. We have not yet had a chance to eliminate all possible sources of error, such as a skewed submitter or a mistake in our data interpretation. But the number of sources has been very steady since June (the second graph shows the longer-term numbers).

Update: A bit more analysis... it looks like not all submitters are seeing the same increase. So either this is targeted, or there is some skew in the data. Some of the users seeing big increases are long-time submitters. However, one particular new user reported 900k sources! So this could very well cause issues.

Update (2): Even after removing the suspect submitter, we still see a significant increase. So a lot of the 900k sources reported have also been reported by others. The total without the suspect submitter is about 1.2 million sources post Oct. 16 (900k before).
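The two updates above boil down to a data-quality check: break the daily distinct-source count out per submitter, flag any submitter whose sources nobody else reports, recount without that submitter, and see how many of its sources were corroborated by others. The script below does exactly that on a small constructed data set. It is an added example, not DShield's own code or data; the (day, submitter, source_ip) tuple layout, the submitter names, the addresses and the 0.4 "exclusive share" threshold are all assumptions made for illustration.

```python
"""Checking whether a jump in distinct "source IPs" is real or submitter skew.

Added example, not DShield's own code or data. Input is a constructed list of
(day, submitter_id, source_ip) tuples; the field layout and the 0.4 threshold
are assumptions for illustration.
"""
from collections import defaultdict

# Constructed sample: A and B are long-time submitters, C is a new submitter
# that first reports on day2 with many sources. All addresses are synthetic.
SUBMISSIONS = [
    ("day1", "A", "10.0.0.1"), ("day1", "A", "10.0.0.2"),
    ("day1", "B", "10.0.0.2"), ("day1", "B", "10.0.0.3"),
    ("day2", "A", "10.0.0.1"), ("day2", "A", "10.0.0.4"),
    ("day2", "B", "10.0.0.3"), ("day2", "B", "10.0.0.5"),
    ("day2", "C", "10.0.0.4"), ("day2", "C", "10.0.0.5"), ("day2", "C", "10.0.0.6"),
    ("day2", "C", "10.0.0.7"), ("day2", "C", "10.0.0.8"), ("day2", "C", "10.0.0.9"),
]


def group_by_day(submissions):
    """day -> submitter -> set of source IPs (repeats within a submitter collapse)."""
    byday = defaultdict(lambda: defaultdict(set))
    for day, submitter, ip in submissions:
        byday[day][submitter].add(ip)
    return byday


def distinct_sources(per_submitter, exclude=()):
    """Union of source IPs for one day, leaving out the given submitters."""
    union = set()
    for submitter, ips in per_submitter.items():
        if submitter not in exclude:
            union |= ips
    return union


def exclusive_share(per_submitter, submitter):
    """Fraction of the day's distinct sources that only this submitter reported.
    A submitter whose sources nobody else sees is the classic skew signature."""
    total = len(distinct_sources(per_submitter))
    if total == 0:
        return 0.0
    others = distinct_sources(per_submitter, exclude=(submitter,))
    return len(per_submitter[submitter] - others) / total


def suspect_submitters(per_submitter, threshold=0.4):
    """Submitters whose exclusive share exceeds the (assumed) threshold."""
    return sorted(s for s in per_submitter if exclusive_share(per_submitter, s) > threshold)


def corroboration(per_submitter, submitter):
    """(sources of this submitter also reported by others, its total sources)."""
    others = distinct_sources(per_submitter, exclude=(submitter,))
    mine = per_submitter[submitter]
    return len(mine & others), len(mine)


def daily_counts(submissions, exclude=()):
    """day -> number of distinct sources, optionally without some submitters."""
    byday = group_by_day(submissions)
    return {day: len(distinct_sources(byday[day], exclude)) for day in sorted(byday)}


def per_submitter_counts(submissions):
    """submitter -> day -> distinct sources reported; shows who drives a change."""
    byday = group_by_day(submissions)
    counts = defaultdict(dict)
    for day in sorted(byday):
        for submitter, ips in byday[day].items():
            counts[submitter][day] = len(ips)
    return dict(counts)


if __name__ == "__main__":
    byday = group_by_day(SUBMISSIONS)
    print("all submitters:", daily_counts(SUBMISSIONS))
    print("per submitter:", per_submitter_counts(SUBMISSIONS))
    for day in sorted(byday):
        for s in suspect_submitters(byday[day]):
            seen, total = corroboration(byday[day], s)
            print(f"{day}: {s} suspect, {seen}/{total} of its sources also reported by others")
    print("without C:", daily_counts(SUBMISSIONS, exclude=("C",)))
```

On the constructed data the count goes from 3 to 8 distinct sources, C is the only submitter flagged, dropping C still leaves 4 (an increase over day 1), and 2 of C's 6 sources were also seen by A or B. That is the same reasoning as the diary's second update: a single heavy submitter inflates the raw number, but the sources it shares with independent submitters survive the recount.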

ISC Handler
Nov 7th 2006