Lovsan Worm Information
McAfee Security has noticed a marked increase in worldwide traffic stemming from the Lovsan/MSBlaster worm and its variants. Using data collected by the McAfee Personal Firewall application, McAfee is able to determine the number of unique source IP addresses that appear to be infected by the Lovsan/MSBlaster worm. With this data, McAfee has built a larger perspective of this worm, as well as its rate of infection of systems worldwide.
The graph below shows new infections over time as detected by HackerWatch.
The time used for the horizontal scale is hours GMT. Midnight GMT is 5pm
in California and 8pm on the east coast of the US. The rate of new infections peaked
around 11pm GMT on Monday, with over 68,000 newly infected IP addresses
appearing in that hour. Peak hours in subsequent days have been as high as 35,000 per hour.
Over the entire course of the outbreak we have observed the total number of infected machines
to be in excess of 1,436,535.
[Graph: Unique Attackers per Hour]
Related Pages
An animation of the progress of the worm is available.
You can check for specific infected nodes here: MSBlaster checkup page
Information about the worm, including detection and removal can be found at
the McAfee Security Virus Information Library
What is HackerWatch.org? Learn more about us here.
More Details
Details:
The peak rate of infection was observed between 9 and 10pm GMT on Monday 8/11. During
this hour we observed 68,490 new infections. In the five hour period between 8pm
and 1am a total of 328,589 infections were observed. Between the start of the
outbreak and 8:40pm GMT today we have directly observed 1,268,155 unique IPs that
appear to have been infected over the course of the outbreak. Many of these systems
have since been repaired or are no longer active for other reasons. In the most
recent 24 hour period approximately 320,000 infected systems have been observed.
Data source:
Customers who subscribe to McAfee Personal Firewall are protected from the Lovsan/MSBlaster worm, and since the latest version was released they have had the option of having all events recorded by their firewall automatically submitted to our central database at HackerWatch.org. An event is defined as a single instance of traffic being blocked by the firewall.
Situation:
The network started seeing increased traffic on port 135 over the weekend.
Initial small increases are assumed to be tests of the RPC infection vector
concept. Dramatic increases in traffic started appearing around 2pm GMT on
Monday 8/11.
Methodology:
The HackerWatch system records the source IP address of every event that hits
our customers' firewalls. By counting the first time a new source IP is seen
scanning port 135, the port on which the vulnerable RPC service listens, we are
able to identify newly infected systems. Graphing these first-seen counts per
hour gives us a picture of the overall rate at which new computers are being
infected.
Some margin of error is inherent in this data. The primary source of error is
computers that have connected to the internet using multiple IP addresses
over time (for example after a dial-up or DHCP address change) but remain infected. Each time such a system uses a new IP address and scans one
of our customers it appears as a new infection, so the count is inflated. The opposite error, undercounting, occurs where several infected hosts share a single public address behind a NAT device, since they all appear as one scanning IP.
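The counting method described above, written out as an added example; this is not HackerWatch's or McAfee's own code. The firewall event line format, the IP addresses and the timestamps are all constructed for illustration, and one constructed host is given a second address partway through to show how the DHCP re-addressing error described above inflates the count.

```python
import re
from datetime import datetime

# Constructed sample of blocked-connection events, one per line. The line
# format is an assumption made for this example, not the real HackerWatch
# submission format. Note that 192.0.2.99 at 16:45 is meant to be the same
# physical machine as 203.0.113.7 after an address change; the data cannot
# reveal that, so the method counts it as a fifth infection (true count: 4).
SAMPLE_EVENTS = """\
2003-08-11 14:05:12 src=203.0.113.7 dport=135 proto=tcp action=block
2003-08-11 14:07:40 src=203.0.113.7 dport=135 proto=tcp action=block
2003-08-11 14:20:03 src=198.51.100.23 dport=135 proto=tcp action=block
2003-08-11 14:31:55 src=192.0.2.44 dport=80 proto=tcp action=block
2003-08-11 15:02:10 src=198.51.100.23 dport=135 proto=tcp action=block
2003-08-11 15:10:41 src=192.0.2.44 dport=135 proto=tcp action=block
2003-08-11 15:11:00 src=192.0.2.45 dport=135 proto=tcp action=block
2003-08-11 16:00:01 src=203.0.113.7 dport=135 proto=tcp action=block
2003-08-11 16:45:12 src=192.0.2.99 dport=135 proto=tcp action=block
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) src=(?P<src>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)

SCAN_PORT = 135  # port on which the vulnerable RPC service listens


def parse_events(text):
    """Yield (timestamp, src_ip, dport) for each well-formed event line."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting the run
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        yield ts, m["src"], int(m["dport"])


def first_seen_scanners(events, port=SCAN_PORT):
    """Return {src_ip: earliest timestamp it was seen probing `port`}.

    This is the HackerWatch heuristic: a source IP counts as a newly
    infected system the first time it is observed scanning port 135.
    Events on other ports (the 14:31 port 80 hit above) are ignored, and
    events may arrive out of order, hence the "earlier wins" comparison.
    """
    first_seen = {}
    for ts, src, dport in events:
        if dport != port:
            continue
        if src not in first_seen or ts < first_seen[src]:
            first_seen[src] = ts
    return first_seen


def new_infections_per_hour(first_seen):
    """Bucket first-seen timestamps into hours (GMT) -> count of new IPs."""
    counts = {}
    for ts in first_seen.values():
        hour = ts.replace(minute=0, second=0, microsecond=0)
        counts[hour] = counts.get(hour, 0) + 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    first = first_seen_scanners(parse_events(SAMPLE_EVENTS))
    for hour, n in new_infections_per_hour(first).items():
        print(f"{hour:%Y-%m-%d %H:00} GMT  new infected IPs: {n}")
    print(f"total unique scanning IPs: {len(first)}")
```

Run against the constructed sample this reports 2 new IPs in the 14:00 hour, 2 in the 15:00 hour and 1 in the 16:00 hour, five unique IPs in total, of which one is the re-addressed duplicate the text warns about.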