Myanmar surprises as top source of malicious internet traffic

Myanmar was the originator of 13% of the malicious internet traffic, followed by the US with 10% and Taiwan with 9.1%, according to Akamai's State of the Internet report for the first quarter of 2011.

Among the changes from the 2010 fourth quarter report, the US rose from fifth to second place as the source of malicious internet traffic in the 2011 first quarter. Russia dropped to fourth place, accounting for 7.7% of malicious traffic, down from 10% in the previous quarter. Regarding malicious traffic originating from mobile network providers, Italy remained in the top spot, responsible for 25% of the traffic in the 2011 first quarter.

Akamai measures malicious internet traffic based on what it terms “attack traffic.” The company maintains a distributed set of agents deployed across the internet that monitor attack traffic. Based on the data collected by these agents, Akamai identifies the top countries from which attack traffic originates, as well as the top ports targeted by these attacks.

On a regional basis, nearly half of the attack traffic came from the Asia Pacific/Oceania region, nearly 30% came from Europe, and just over 20% came from the Americas.

The top port targeted in the first quarter of 2011 was Port 445 (Microsoft-DS), with 34% of the attack traffic, although this was down from 47% in the fourth quarter of 2010. The report attributed the decline in attacks targeted at Port 445 to efforts against the Conficker worm, which targets that port.

“Port 445, the Microsoft directory services port, has consistently been at the top of the list for the past two to three years…. Ultimately, we believe that there are still a set of systems out there that are compromised and still trying to spread [the Conficker worm] and that is some of the traffic we see there”, David Belson, author of the Akamai report, told Infosecurity.

This was followed by Port 80 (WWW), which saw a seven-fold increase in attacks compared with the fourth quarter of 2010. The increase was primarily from the attack traffic originating from Myanmar.

“It is not clear whether there was an organized effort from Myanmar or if there were compromised systems there being used as a proxy for attacks, or exactly what drove it”, Belson observed.

Rounding out the list of ports under attack were Port 443 (HTTPS/SSL), receiving 4.7% of the attack traffic; Port 23 (Telnet), 4.1%; Port 22 (SSH), 3.3%; Port 1433 (Microsoft SQL Server), 1.7%; Port 25 (SMTP), 1.6%; Port 9050 (Versiera Agent Listener), 1.5%; Port 21 (FTP), 1.5%; and Port 135 (Microsoft-RPC), 1.5%.

Regarding attacks originating from China, the report noted that the top three targeted ports (1433, 3389, 445) accounted for just over 20% of the first quarter attacks observed from that country, and that all three are used by Microsoft software and protocols. Port 22 (SSH) and Port 3306 (MySQL) round out the top five within China, possibly indicating that attacks targeting these two ports are searching for systems with weak passwords that can be exploited for the installation of malware or for use as members of a botnet, the report added.
