Irish Honeynet Attracts Trojans

An Irish decoy computer network set-up to study would-be cyber attackers was hit over 350 times in June with many of the attacks being Trojan Horses.



The Irish Honeynet, which was established in Ireland by Data Electronics (then Inflow), Deloitte & Touche and Espion in mid-March, recorded 364 attacks on its server during June. According to those behind the initiative, the period also saw a "massive" increase in the attempted use of Trojan Horse programs, particularly the SubSeven Trojan Horse program.


Trojan Horse programs allow their users to illicitly control a computer remotely and the SubSeven Trojan Horse gives them the ability to see the screen as the computer's user sees it, log all keystrokes (including passwords), and it can be configured to inform an attacker when the infected computer has connected to the Internet. The attacker can then use the infected system to attack other systems.


According to Colm Murphy, technical director of Espion, it is not clear why there has been such an upturn in the use of Trojan Horse programmes. "They are scanning for infected servers, which are easy targets because once infected they are easy to control," he said.


The Irish Honeynet also detected during June the use of a number of highly sophisticated methods of attack such as IP spoofing, which involves an attacker pretending to have an IP address on a victim's LAN. They may pretend to be a crucial machine on the network, such as an e-mail or file server, which will receive useful and often confidential material.


Since its establishment, the Irish Honeynet has been attacked a total of 922 times up until the end of June, with the majority of the attacks coming from Asia (33 percent), as well as the US and Canada (30 percent), and Europe (32 percent). Only between 5 percent and 10 percent of the attacks actually compromised the system.


The purpose of the Honeynet is to collect data and information about the methods used by malicious cyber attackers (Blackhats) to break into the computer systems of organisations. It consists of a server connected to the Internet on a random and constantly changing IP address. Although the server itself contains very little information, it is designed to mimic the Internet infrastructures commonly used by organisations and is embedded with tracking and monitoring tools.


"Up until now, most Irish security statistics have been based on studies from the US and to a lesser extent from the UK," explained Murphy. "The Irish Honeynet was set-up to measure just how vulnerable Irish organisations actually are to attack and results to date have shown that it does not matter where a company is based, if it is vulnerable then this will be exploited by blackhats."


There are several Honeynets around the world and most of them, including the Irish one, are associated with the non-profit US-based Honeynet Research Alliance.

-----

source: electricnews.net