January Hong Kong Honeypot Report

First published: 31^st January 2013

This is the thirteenth monthly report from West Coast Labs's honeypot in Hong Kong, providing some indication of the type and level of malware threat in Hong Kong, but it is only based on a single honeypot, so the conclusions should be treated with caution. Because of public holidays, this report covers from 20th December 2012. After six months of low numbers, there has been a sudden jump, and this is the highest number of attacks since July 2012.

Average Time To Infect: 6 hours 5 minutes

The average time to infect is an indication of how long it would be before a vulnerable computer connected to the internet in Hong Kong became infected.

Summary

Total number of attacks : 154
18 are brand new to this honeypot.

Source of Attacks

The following breaks down where these attacks have come from by use of IP geolocation.

125	United_States
10	Japan
4	Germany
4	China
2	France
2	Canada
2	United_Kingdom
1	Malaysia
1	Singapore
1	Taiwan
1	Pakistan
1	Jordan

Malware

Checksum (md5)	This month	Previous count	Detection*
64b4345a946bc9388412fedd53fb21cf	1	0 ***NEW	Y (w32/trojan-sml-sdcw!eldorado , UDS:DangerousObject.Multi.Generic , , )
662cc2048da87cc777261e8a7df27d23	1	0 ***NEW	Y (w32/virut.7116 , Backdoor.Win32.Rbot.adqd , , )
8c30591c9abacd805711dc2c8f1639ee	1	0 ***NEW	Y (W32/Virut.7116 , Net-Worm.Win32.Allaple.e Virus.Win32.Virut.av , , )
af1894848b6525c7882c33b59d1bbebd	1	1	Y (w32/allaple.h , Net-Worm.Win32.Allaple.e , , )
f18d10439daaa8a760fcfedc39d4bfcd	1	0 ***NEW	Y (w32/newmalware-rootkit-i-based!maximus , Trojan.Win32.Genome.aixqc , , )
a7fb7ecabf6c3ae0bdd6c970e10b3de1	1	0 ***NEW	N (, , , ) script
ed0dabd71a2bfd485259ad4ce30a6041	1	0 ***NEW	N (, , , ) script
ab866c52c0d90d0ea20fed2fe0ec259b	1	0 ***NEW	N (, , , ) script
340c1a84d216991f0f3f4dbe4756893c	1	0 ***NEW	N (, , , ) script
4d56562a6019c05c592b9681e9ca2737	1	0 ***NEW	Y (w32/trojan-sml-sdcw!eldorado , Trojan.Win32.Genome.ahpxd Net-Worm.Win32.Kido.ih UDS:DangerousObject.Multi.Generic , , )
7327d60e3ca15556f57e2378e762c8fd	116	0 ***NEW	N (, , , ) script
267b7ddeae1e9601f9800f3b76ed45da	1	0 ***NEW	Y (w32/rahack.a.gen!eldorado , Net-Worm.Win32.Allaple.b , , )
952098cf3c65cfcb52282d8959ddffd3	1	5	Y (W32/Allaple.H , Trojan.Win32.Genome.rioo Net-Worm.Win32.Allaple.e , , )
3d19d0b6638bb7ccf65f8d25b4c13d6b	1	0 ***NEW	Y (w32/rahack.a.gen!eldorado , Net-Worm.Win32.Allaple.b , , )
0da155b04f16dafafffbb1a485b3d0e1	1	0 ***NEW	Y (w32/sdbot.otr , Net-Worm.Win32.Kolab.aefe Backdoor.Win32.Rbot.bqj , , )
bbb5034e33568e100dd3dadabb5a57e9	3	21	Y (w32/sdbot.otr , Net-Worm.Win32.Kolab.aefe Backdoor.Win32.Rbot.bqj , , )
14a09a48ad23fe0ea5a180bee8cb750a	2	8	Y (W32/Trojan5.DCW w32/backdoor.zzr , Backdoor.Win32.Rbot.aftu Backdoor.Win32.Rbot.bqj Backdoor.Win32.DsBot.vd , , )
321e5688f6a04e8482cec37515fa85f8	1	0 ***NEW	Y (w32/rahack.a.gen!eldorado , Net-Worm.Win32.Allaple.b , , )
8a5ce07df6a5357dafa84f5317aaad35	1	7	Y (w32/sdbot.otr , Net-Worm.Win32.Kolab.aefe Backdoor.Win32.Rbot.bqj , , )
038edde0c5a188ea6eed9406923a9771	1	0 ***NEW	Y (w32/virut.7116 w32/sdbot.aefv , Backdoor.Win32.Rbot.adqd , , )
a812cb8d6ca7e1b57dfffbc7ab6a8101	1	0 ***NEW	Y (w32/rahack.a.gen!eldorado , Net-Worm.Win32.Allaple.b , , )
833cda5b5bef5989deb6bf57c557ce30	1	2	Y (W32/Trojan5.DCW w32/backdoor.zzr , Backdoor.Win32.Rbot.aftu Backdoor.Win32.Rbot.bqj Backdoor.Win32.Rbot.abfy , , )
1d53fb866c27a421f7557e3cda0592ac	8	14	N (, , , ) script
a2ad8c9c758e07d6b5e37ed949360835	3	0 ***NEW	Y (w32/rahack.a.gen!eldorado , Net-Worm.Win32.Allaple.b , , )
3875b6257d4d21d51ec13247ee4c1cdb	2	40	Y (W32/Sdbot.AEFV W32/Malware!44f4 , Backdoor.Win32.Rbot.bni , W32Rbot!I2663.exe , )
e1b0c382fe1aafe918765267440c2cb8	1	0 ***NEW	Y (w32/genbl.e1b0c382!olympus , Backdoor.Win32.Ruskill.pqd , , )

One of these files have appeared in the Wildlist.

Note:

The parameter 'Detection' here relates to whether one or more scanners was able to associate a name with this checksum.