Malware propagation information from Microsoft
Microsoft recently released a report on the statistics they are collecting via MSRT (the Malicious Software Removal Tool that ships monthly through Windows Update).
There is a nice executive summary, but please read beyond it. One security trade publication clearly misread the summary and posted a misquote (62% of computers infected with backdoors). That is not what the report states. The 62% figure is the percentage of machines that had malware removed from them by MSRT AND had a backdoor installed on them. Restated: more than half of the machines where an infection was detected and removed also had remote control backdoors on them. No surprise there, really. Although there are ways for the hackers to use a system without a backdoor tool installed, for the most part they want to be able to remotely upgrade and control the systems they have compromised.
The actual report comes from the Rapid Response Team at Waggener Edstrom Worldwide.
Overall the report is very good. There are lots of nice charts and graphs. The author did a good job normalizing statistics but also provided the unnormalized view. They don't really mention false negatives until nearly the end of the document. I do not completely agree with their malware categories; however, since those are well defined up front, I had no problem understanding what they meant by email worm, P2P worm, IM worm, exploit worm, backdoor Trojan, rootkit or virus.

They also claim that MSRT is part of a defense in depth even when you have another antivirus package installed. Due to its lack of real-time protection I would say it's not defense at all. It's reactive and only comes into play after the fact of infection. Since it is also fairly limited in the malware it detects, and the signatures are usually only updated once a month, I don't know of any current antivirus package that would miss a virus that MSRT would detect. So I do not agree that this provides defense in depth. I do however see serious benefit to running MSRT. It certainly has contributed to the effort of getting infected systems cleaned.
Some other fun facts I gleaned from this report:
MSRT only removes live malware or malware that will be autorun during a reboot.
1 computer in 355 had malware that was recognized and removed.
5% of the rootkits removed were WinNT/F4IRootkit (aka the Sony rootkit), with about 420k removals from 250k machines.
35% of the computers infected were infected via the end user clicking on or opening something.
20% of the computers cleaned had been infected sometime in the past.
So if you have a little time and you are interested in malware propagation I recommend reading this report.
Top 100 security tools
You can find the list at http://SecTools.Org
From that link:
"I (Fyodor) asked users from the nmap-hackers mailing list to share their favorite tools, and 3,243 people responded. This allowed me to expand the list to 100 tools, and even subdivide them into categories. Anyone in the security field would be well advised to go over the list and investigate tools they are unfamiliar with. I discovered several powerful new tools this way. I also will be pointing newbies to this site whenever they write me saying "I don't know where to start".
Respondents were allowed to list open source or commercial tools on any platform. Commercial tools are noted as such in the list below. No votes for the Nmap Security Scanner were counted because the survey was taken on a Nmap mailing list. This audience also means that the list is slightly biased toward "attack" tools rather than defensive ones."
ISC.org provides attack mitigation
Some UDP services will answer any datagram they receive, including datagrams whose source address and port have been spoofed.
MITIGATION for DNS servers:
Upgrade to BIND 9.3.3b1, OR apply the mitigation below.
MITIGATION for other UDP services:
Disable or restrict access to UDP services that don't need to be open to the internet.
The basic issue here is very old. It was originally reported in 1999. The CVE number for it is CVE-1999-0103. http://nvd.nist.gov/nvd.cfm?cvename=CVE-1999-0103
"Echo and chargen, or other combinations of UDP services, can be used in tandem to flood the server, a.k.a. UDP bomb or UDP packet storm."
If you consider DNS to be one side of an "other combination" of UDP services, this is not new. What is new is that this version of BIND will not send FORMERR packets in reply to queries whose source port is one of a set of well known UDP service ports (echo and chargen among them). ISC.ORG has added some code to mitigate attacks with well known spoofed source ports. I do not know of any other DNS software vendor that has added this capability.
Seven years ago CERT and others warned us not to leave things like echo and chargen open.
However, some OS and network equipment vendors still ship products with those types of services enabled by default and open to the world. Those services have not been in common use since the 1990s.
--- 9.3.3b1 released ---
<SNIP>
1951. [security] Drop queries from particular well known ports.
<SNIP>
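To make the CVE-1999-0103 loop and the effect of change 1951 concrete, here is a small Python model, added for this post (it is not code from the post, from CERT or from ISC). It models a resolver that answers a parseable-but-malformed query with FORMERR, a chargen service that answers any datagram with a line of printable text, and the patched behaviour of silently dropping queries from well known source ports. The exact set of dropped ports is an assumption: the post only names echo (7) and chargen (19), so check bin/named/client.c of the BIND you actually run. The `probe()` function at the end is the live check for a server you operate: it binds local port 19 (root required, no IP spoofing involved) and sends a junk header; a patched named stays silent, an unpatched one answers FORMERR.

```python
"""UDP ping-pong between a DNS server and chargen, and the BIND 9.3.3
mitigation (silently drop queries from well known source ports).

Added example for this post; not code from the blog or from ISC.
DROP_PORTS is an ASSUMPTION: the post only names echo (7) and chargen (19).
"""
import socket
import struct
from typing import FrozenSet, Optional

ECHO_PORT = 7
CHARGEN_PORT = 19
DNS_PORT = 53
FORMERR = 1  # DNS RCODE "format error"

# ASSUMED set of source ports a patched named ignores (verify against client.c).
DROP_PORTS: FrozenSet[int] = frozenset({0, 7, 13, 19, 37, 464})


def _question_ok(body: bytes) -> bool:
    """True if body is exactly one uncompressed question: name, QTYPE, QCLASS."""
    i = 0
    while i < len(body):
        n = body[i]
        if n == 0:
            return len(body) == i + 5
        if n > 63 or i + 1 + n > len(body):  # label too long or truncated
            return False
        i += 1 + n
    return False


def dns_respond(src_port: int, payload: bytes,
                drop_ports: FrozenSet[int] = frozenset()) -> Optional[bytes]:
    """Model of what a resolver sends back for one datagram (None = silence).

    Too short for a 12-byte header: dropped. Header parses but the body is
    not a single well-formed question: FORMERR. That FORMERR is what keeps
    the loop alive, so the mitigation is checked before anything else.
    """
    if src_port in drop_ports:
        return None  # the 9.3.3 mitigation: never answer these source ports
    if len(payload) < 12:
        return None
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000:  # QR set: someone's response, not a query
        return None
    rcode = 0 if (qdcount == 1 and _question_ok(payload[12:])) else FORMERR
    resp_flags = 0x8000 | (flags & 0x7800) | rcode  # QR=1, keep opcode bits
    return struct.pack("!6H", txid, resp_flags, 0, 0, 0, 0)


def chargen_respond(line_no: int) -> bytes:
    """Model of UDP chargen (RFC 864): any datagram gets a 72-character line
    of printable ASCII. Every byte is 0x20..0x7e, so the two bytes a DNS
    server reads as the flags word never have the QR bit set: the junk
    always looks like a brand new query."""
    start = line_no % 95
    return bytes(0x20 + (start + i) % 95 for i in range(72)) + b"\r\n"


def simulate_storm(drop_ports: FrozenSet[int] = frozenset(),
                   max_rounds: int = 1000) -> int:
    """One attacker datagram, spoofed as victim:19 -> dns:53, whose header
    parses but whose body does not. Returns how many datagrams the DNS server
    emits before one side goes quiet; reaching max_rounds means the two hosts
    would bounce traffic at each other indefinitely."""
    datagram = b"\x13\x37" + b"\x00" * 10 + b"garbage"  # constructed attacker packet
    emitted = 0
    for n in range(max_rounds):
        reply = dns_respond(CHARGEN_PORT, datagram, drop_ports)
        if reply is None:
            break
        emitted += 1
        datagram = chargen_respond(n)  # chargen answers the FORMERR with more junk
    return emitted


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Well-formed A/IN query from a real client (must still be answered)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def rcode_of(reply: bytes) -> int:
    return struct.unpack("!H", reply[2:4])[0] & 0x0F


def probe(server: str, src_port: int = CHARGEN_PORT,
          timeout: float = 2.0) -> Optional[bytes]:
    """Live check against a server YOU run: junk header from local port 19.
    None means the server stayed silent (patched or filtered); a reply with
    rcode_of(reply) == FORMERR means it will happily feed a UDP storm."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("", src_port))  # needs root for ports below 1024
        s.settimeout(timeout)
        s.sendto(b"\x13\x37" + b"\x00" * 10 + b"garbage", (server, DNS_PORT))
        try:
            return s.recvfrom(512)[0]
        except socket.timeout:
            return None


if __name__ == "__main__":
    print("unpatched:", simulate_storm(), "DNS datagrams before giving up")
    print("patched:  ", simulate_storm(DROP_PORTS), "DNS datagrams")
```

The model deliberately uses chargen rather than echo for the loop: echo would reflect the FORMERR back with its QR bit already set, while chargen's printable output is parsed as a fresh query every time, which is why a single spoofed datagram is enough to start an unbounded exchange. A legitimate query from an ephemeral port is still answered with RCODE 0 after the mitigation, so dropping these source ports costs nothing for real clients.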