[ISN] A glitch in the Matrix, or a hungry exploit?

From: InfoSec News (alerts@private)
Date: Sun Jul 01 2007 - 22:27:33 PDT


By Sunnet Beskerming
30th June 2007

Sunnet Beskerming researchers observed an interesting deviation in 
global network traffic over the last 24 hours, particularly for South 
American, Asian, and Australian networks. Normally, global Internet 
traffic (as observed by the Internet Traffic Report) oscillates around 
nine per cent packet loss, with global response times of 138 ms, and the 
internally derived traffic index at around 79.

Sustained over the last 24 hours, the traffic index has dipped almost 
five per cent, packet loss has climbed to 11 per cent, and the global 
response time to almost 150 ms.

Normal spikes and dips as observed on the Internet Traffic Report show 
up as no more than three- or four-hour blocks of odd results before 
settling back into normalcy. This latest spike and dip has been 
sustained for at least 18 hours, with a rapid ramp up in the six hours 
prior to the peaks (and lows) being reached.

When the figures are considered against the seven-day average, and the 
30-day average, the deviation appears to be quite significant and seems 
to mark a distinct event or set of events. When the reports for Asia, 
South America, and Australia are looked at in isolation, the three 
regions appear to be suffering from a related event, with similar 
patterns being observed in the data being put forward for those regions. 
Data for Europe and North America indicates that whatever is affecting 
the other regions, it isn't affecting Europe or North America. 
Independently sourced data at Keynote (using their Internet Health 
Report) indicates that there is nothing adversely impacting the US at 
this time.

Either these regions are experiencing the first stages of a global 
event, or they contain networks that are under a sustained attack for 
some specific reason.

So, what can be causing this problem? There appears to be nothing that 
is being reported by any of the usual agencies or news feeds, with SANS 
indicating a GREEN Threat level, and Symantec, McAfee, and the other 
major security software providers not indicating any new malicious 
software emergence.

Looking at the current Top 10 report from SANS, it appears that Port 
5901 (used for VNC) is leading the charge for the top rating across all 
metrics (including a 20 per cent lead on the next port on the rising 
Trends chart). At the time of writing, the raw data for Port 5901 was 
showing disturbing results.

While there is spam, drive-by phishing attacks, and persistent worms 
attacking global networks, these have been ongoing attacks and should 
not be responsible for such a large change in such a short period of 
time by themselves.

If we consider port 5901 to be relevant to the reason behind the 
attacks, then we might have found a potential cause, and a potential 

An exploit was added a couple of days ago to a number of security 
mailing lists, distribution sites, and other sources, which targets a 
remote code execution vulnerability in the AMX VNC ActiveX control. 
Since appearing on these sources it has spread to thousands of sites, 
and is guaranteed to have been seen by many, many people - some with 
malicious intent.

Although a remote code execution exploit is nothing special nowadays, 
this particular piece of code claims to achieve its goals without 
alerting the victim to the fact that they have just been successfully 

Whether or not it is relevant to the real reason behind the observed 
response time and packet loss deviation will be seen over time. At the 
least, administrators and end users should keep a closer eye on their 
systems and networks over the next few days to see if this unknown 
problem is going to spread.

(c) Sunnet Beskerming Pty. Ltd - http://www.beskerming.com/company

Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. http://www.blackhat.com

This archive was generated by hypermail 2.1.3 : Sun Jul 01 2007 - 22:36:17 PDT