
Threat Intelligence Report
April 2015

Table of Contents

I     Executive Summary
II    Global Data Analysis
        Malicious Activities Source Countries
        Attack Distribution: Top 03 Foreign Attackers
III   Malware Attacks
        Most Probing Countries
        Most Probing Countries: Unique IP Addresses
        Most Probing IP Addresses
        Most Attacking IP Addresses
        Attacking IP Addresses: 10 or More Attacks
        Top Vulnerabilities
        Most Malwares Detected
        Detected Malware Hashes
        CnC IP Addresses & Domains
        Attacked Protocols
IV    SIP Attacks
        What is SIP?
V     Web Attacks
        IP Addresses Conducting Web Based Attacks
        Web Attack Payloads
VI    Brute-Force Attacks
        Most Usernames Used
        Most Passwords Used
        Top IP Addresses Conducting SSH Attacks
        Tools Used For SSH Based Attacks
VII   References
VIII  About TRIAM
IX    About Contributors

Copyrights 2015 - Trillium Information Security Systems (Pvt) Ltd.


Executive Summary

To respond to any threat effectively, one must first identify the threat agents, understand their motives and study their means of attack comprehensively; that is, one must achieve situational awareness in order to defend against, respond to, or counter a threat.

In an effort to provide industry stakeholders with situational awareness of the cyber threat landscape of Pakistan, the TRIAM Threat Intelligence Team is proud to present this monthly Threat Intelligence Report for April 2015.

In this edition we have observed an interesting set of activities in Pakistani cyberspace. One notable observation is the increased number of attacks coming from IP addresses in China, coinciding with the Chinese President's visit to Pakistan in April. The details of these attacks, and of all other attacks, are documented in this report. The major sets of attacks discovered recently in Pakistan by global and TISS research and incident response teams are summarized as follows:

Equation Group. Equation Group is the most advanced APT group found so far and has been called the "crown creator of cyber espionage". According to Kaspersky Lab researchers the group is unique in almost every aspect of its activities: it uses tools that are very advanced and expensive to develop in order to infect victims, retrieve data and hide its activity in a professional way, and it also uses classic spying techniques to deliver malicious payloads to victims. More details on this APT group can be found at:
https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/

Ransomware. Ransomware is constantly affecting Pakistan-based organizations, with financial gain as the key motive. It works by encrypting the data on infected machines belonging to organizations and individuals, completely blocking access to that data; the decryption key is released only if a ransom is paid. There has been an exponential increase in the number of ransomware attacks in 2015, and taking preventive measures against this threat is highly recommended at all layers. Tested backups kept offline, where the malware cannot reach and encrypt them, remain the one measure that makes the ransom irrelevant.

If you require more details on these threats, or are exposed to these or other malware, please reach out to us for a focused and quick response.

This report has been compiled using our threat intelligence gathering platform, which consists of sensors such as honeypots, web crawlers and aggregators deployed throughout Pakistan. The information obtained from these sensors is enriched by correlating it with information from other sources. Our aim in releasing these monthly reports is to enable all stakeholders in Pakistan to keep abreast of ongoing threats and remain vigilant in protecting their networks from potential attacks. Trillium will soon make these threat feeds available to Pakistan-based organizations so that their Security Information and Event Management (SIEM) systems, firewalls and intrusion detection/prevention systems can consume them and provide protection against Pakistan-specific attacks.

For the month of April, the information gathered from our sensors indicates that:

- Multiple IP addresses, particularly from China, have been actively probing Pakistani cyberspace looking for vulnerabilities to exploit.
- Attacks of different kinds that materialized and had a major impact were observed coming from Romania, China and Brazil.
- Among the malware most active in Pakistani cyberspace, about 94% of detected activity (Table 5) was Net-Worm.Win32.Kido.ih, Kaspersky's name for the Conficker worm, which hogs network resources and spreads by exploiting Microsoft Windows vulnerabilities such as MS08-067 in the Server service, the bulletin that also features in the top vulnerabilities of Table 4.

The details of the information gathered by our sensors are described further in this report. We hope that you find this month's report useful; feel free to contact us with any feedback.

DFIR Research Team, Threat Intelligence
www.triam.com.pk
www.infosecurity.com.pk


Global Data Analysis

This section presents analysis of attack data from sensors deployed at different places in Pakistan. We process millions of log entries and security alerts captured by our custom, purpose-built sensors during threat analysis. In order to provide real-time threat intelligence and security alerts to our customers we perform advanced analytics on the collected alerts, correlating security events from multiple sensors.

Malicious Activities Source/Host Countries

The countries hosting the IP addresses that carried out malicious activities in Pakistani cyberspace are shown in Figure 1. Country attribution is by IP geolocation, so it says where the attacking host sits, not who operates it; many such hosts are compromised machines or rented servers.

Figure 1 - Percentage of events by source/host countries

Attack Distribution: Top 03 Foreign Attackers

The following figures present the distribution of attack types originating from the top three countries hosting the attacking IP addresses. It is evident from these figures that the attack type distribution of each originating/hosting country differs markedly from the others, reflecting the fact that attack types, attacker motivation and the sophistication of attacks differ across regions of the world.

Figure 2 - Attacks Originating from IP Addresses Hosted in China


Figure 3 - Attacks Originating from IP Addresses Hosted in Romania

Figure 4 - Attacks Originating from IP Addresses Hosted in Brazil


Malware Attacks

Malware attacks are the major threat faced by Pakistani organizations. Attackers use the Internet to infect target systems with malware for purposes ranging from mere nuisance, to stealing credentials, to eavesdropping on communications, to capturing proprietary and highly confidential information.

Attackers scan the Internet for vulnerable services and try to exploit them to gain access to a system and ultimately to the network. Rootkits (a type of malware) are often used to take over and keep control of a compromised system. This section presents the latest trends in malware-based attacks, identified from the information gathered by our sensors during April.

The correlated information from our sensors reveals more than 254,000 connection attempts to Pakistani cyberspace from different countries of the world. Furthermore, we detected more than 57,000 materialized attacks launched in this period. Over 9,000 unique IP addresses tried to establish a connection with our deployed sensors at least once.

After automated analysis and correlation, most of these connection attempts were classified as malicious: intense scanning to discover the services (particularly the vulnerable ones) running across Pakistani cyberspace.

The IP address that established the most connections was 89.40.31.192, hosted in Romania, with more than 38,400 connections. About 1,900 unique IP addresses succeeded in exploiting a vulnerability on a sensor and uploading malware to it.

The IP address that initiated the most attacks was again 89.40.31.192 (Romania), with about 12,300 successful attacks. Most attacks were launched by exploiting the MS08-067, MS08-068 and MS09-001 vulnerabilities, each of which could allow remote code execution. "Successful" here means the exploit completed against a sensor emulating the vulnerable service; it says nothing about how many production systems were compromised.

Furthermore, port 445 received the highest share of attack traffic, 87.48% of all attacks received. The service on port 445 is SMB (Server Message Block), served by smbd.

Further information on the IP addresses making connections and launching attacks, the top malware found, the top vulnerabilities exploited and the top protocols/services exploited is given below.

Most Probing Countries

The countries whose IP addresses did the most probing and connection attempts are shown in Figure 5. Probing is done to find the services running on target systems and the corresponding vulnerabilities that can be exploited.

Figure 5 - Country Based Connection Distribution


Most Probing Countries: Unique IP Addresses

Figure 6 shows the countries hosting the highest number of unique IP addresses found making connections and probing.

Figure 6 - Country Based Unique IP Distribution

Most Probing IP Addresses

Figure 7 shows the individual IP addresses found making connections and probing. Table 1 lists the top 10 unique IP addresses by number of connection attempts.

Figure 7 - IP Based Connection Distribution

IP Address         Connection Attempts   Country
89.40.31.192       38,444                Romania
117.239.228.134    33,135                India
103.24.97.190      16,326                Pakistan
196.29.120.73      15,661                Ghana
94.248.197.73      10,788                Hungary
46.241.224.234     7,181                 Armenia
78.106.81.248      6,639                 Russian Federation
89.179.28.158      6,271                 Russian Federation
128.75.169.45      4,830                 Russian Federation
128.74.198.210     4,781                 Russian Federation

Table 1 - IP Address Based Connection Distribution


Most Attacking IP Addresses

Figure 8 shows the individual IP addresses that initiated the most malware attacks by successfully exploiting vulnerabilities on our sensors. Table 2 lists the top 10.

Figure 8 - IP Address Based Distribution

IP Address         Successful Attacks   Country
89.40.31.192       12,357               Romania
117.239.228.134    10,680               India
196.29.120.73      7,266                Ghana
46.241.224.234     3,576                Armenia
94.248.197.73      3,402                Hungary
78.106.81.248      2,175                Russian Federation
89.179.28.158      2,053                Russian Federation
93.81.179.136      1,384                Russian Federation
37.145.174.57      1,228                Russian Federation
95.29.232.52       1,101                Russian Federation

Table 2 - IP Address Based Distribution


Attacking IP Addresses: 10 or More Attacks

Table 3 lists the IP addresses that initiated at least 10 malware-based attacks on Pakistani cyberspace. It is advised to block these IP addresses at your gateways, with two caveats. First, a list of individual addresses ages quickly: where an entry falls in a consumer broadband range whose addresses are reassigned dynamically, the machine behind it next month may belong to an uninvolved customer, so give the block a time limit and re-evaluate it against the next monthly report. Second, a gateway block stops only inbound traffic from these sources; it does nothing for hosts already infected inside the network, which the malware and CnC indicators later in this report are meant to catch. Please contact us if you would like the full list of suspicious IP addresses.

IP Address         Successful Attacks   Country
89.40.31.192       12,357               Romania
117.239.228.134    10,680               India
196.29.120.73      7,266                Ghana
46.241.224.234     3,576                Armenia
94.248.197.73      3,403                Hungary
78.106.81.248      2,175                Russian Federation
89.179.28.158      2,053                Russian Federation
93.81.179.136      1,384                Russian Federation
37.145.174.57      1,228                Russian Federation
95.29.232.52       1,101                Russian Federation
37.146.102.200     1,000                Russian Federation
78.106.128.120     995                  Russian Federation
37.145.177.90      934                  Russian Federation
89.179.191.88      641                  Russian Federation
95.29.208.177      495                  Russian Federation
95.29.218.25       364                  Russian Federation
59.103.197.121     362                  Pakistan
2.94.120.46        358                  Russian Federation
128.75.187.7       300                  Russian Federation
93.80.248.154      267                  Russian Federation
93.80.189.33       259                  Russian Federation
189.4.133.231      243                  Brazil
93.80.239.232      229                  Russian Federation
128.74.221.216     220                  Russian Federation
93.81.184.86       220                  Russian Federation
187.21.245.55      206                  Brazil
37.145.178.237     188                  Russian Federation
189.4.134.2        160                  Brazil
187.21.246.10      157                  Brazil
46.241.229.78      126                  Armenia
88.158.45.194      120                  Romania
128.74.208.154     111                  Russian Federation
93.81.170.38       110                  Russian Federation
119.154.250.73     100                  Pakistan
46.241.232.20      91                   Armenia
37.146.72.76       80                   Russian Federation
88.158.42.124      78                   Romania
187.21.245.175     69                   Brazil
46.241.234.236     60                   Armenia
213.191.165.250    51                   Bulgaria
46.241.234.241     50                   Armenia
81.181.81.94       50                   Romania
117.214.192.50     48                   India
62.221.159.186     47                   Bulgaria
37.145.168.50      46                   Russian Federation
88.158.43.53       41                   Romania
159.224.159.200    39                   Ukraine
95.29.237.152      36                   Russian Federation
46.241.232.90      35                   Armenia
79.121.38.197      35                   Hungary
117.220.141.170    24                   India
176.63.146.35      24                   Hungary
37.144.248.0       23                   Russian Federation
176.73.36.100      21                   Georgia
59.103.195.49      20                   Pakistan
117.220.136.36     19                   India
88.158.45.192      19                   Romania
93.80.161.229      19                   Russian Federation
92.87.135.28       16                   Romania
46.241.243.195     14                   Armenia
79.46.167.207      12                   Italy
37.145.184.205     11                   Russian Federation
37.145.148.107     10                   Russian Federation

Table 3 - IP Address Based Distribution - 10 or More Attacks


Top 10 Vulnerabilities

Table 4 lists the vulnerabilities exploited most often for malware injection, identified by the Microsoft security bulletin and the RPC function the exploit called. Details of each bulletin follow the table. Every one of them is years old and most are in Windows RPC services reached over SMB named pipes, which is consistent with port 445 carrying 87% of attack traffic (Table 9): a host still exposed to these has never been patched. It is strongly recommended to fully patch all known vulnerabilities in the OS and third-party programs installed in your network. You can contact us to perform a security assessment of your IT infrastructure for potential loopholes and vulnerabilities.

Bulletin    Exploited RPC function
Unknown     ClosePrinter
MS08-067    NetPathCanonicalize
MS06-066    NwChangePassword
MS07-065    QMCreateObjectInternal
MS05-039    PNP_QueryResConfList
MS05-017    QMDeleteObject
MS04-012    RemoteCreateInstance
MS04-011    DsRolerUpgradeDownlevelServer
MS04-031    NDdeSetTrustedShareW
MS03-039    NetAddAlternateComputerName

Table 4 - Top 10 Vulnerabilities

MS08-067: Vulnerability in Server Service Could Allow Remote Code Execution.
http://support.microsoft.com/kb/958644

MS06-066: Vulnerabilities in Client Service for NetWare Could Allow Remote Code Execution.
https://technet.microsoft.com/en-us/library/security/ms06-066.aspx

MS07-065: Vulnerability in Message Queuing Could Allow Remote Code Execution.
https://technet.microsoft.com/en-us/library/security/ms07-065.aspx

MS05-039: Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege.
https://technet.microsoft.com/en-us/library/security/ms05-039.aspx

MS05-017: Vulnerability in Message Queuing Could Allow Code Execution.
https://technet.microsoft.com/en-us/library/security/ms05-017.aspx

MS04-012: Cumulative Update for Microsoft RPC/DCOM.
https://technet.microsoft.com/en-us/library/security/ms04-012.aspx

MS04-011: Security Update for Microsoft Windows.
https://technet.microsoft.com/en-us/library/security/ms04-011.aspx

MS04-031: Vulnerability in NetDDE Could Allow Remote Code Execution.
https://technet.microsoft.com/en-us/library/security/ms04-031.aspx

MS03-039: Buffer Overrun in RPCSS Service Could Allow Code Execution.
https://technet.microsoft.com/en-us/library/security/ms03-039.aspx


Top Few Detected Malwares

Table 5 lists the malware detected most often in Pakistani cyberspace. The naming convention is Kaspersky's; the same samples carry different names in other antivirus engines.

Name                               Percent
Net-Worm.Win32.Kido.ih             94.12%
Backdoor.Win32.Rbot.bni            2.28%
Net-Worm.Win32.Allaple.e           1.20%
Net-Worm.Win32.Kido.kj             1.08%
Trojan-Downloader.Win32.Kido.bu    <1%
Trojan-Spy.Win32.Small.pex         <1%
Trojan.Win32.Genome.tusc           <1%
Backdoor.Win32.Agent.aknp          <1%
Trojan.Win32.Genome.ahpxd          <1%

Table 5 - Top Malwares Detected

Detected Malware Hashes

Table 6 provides the MD5 hashes of the most commonly detected malware. These hashes are useful for quickly retrieving details of a particular sample from online sources. To verify whether your antivirus engine detects the samples in Table 6, look up the hash value on virustotal.com. Keep in mind what a hash match means: it confirms an exact copy of a known sample, so a repacked or re-encrypted variant of the same family will not match, and MD5 in particular can be collided deliberately, so treat MD5 as a lookup key and prefer SHA-256 when exchanging indicators.

Malware                            Presence   MD5 Hash
Net-Worm.Win32.Kido.ih             94.12%     029e95604293d13fbf621a10ae11edfe
                                              099384dc46cca644e859cb7fb1d6de8b
                                              0af49bbed7ec17b2e8b5ae7b87920715
                                              0ea2203e8c7a1700b29271755e371392
Backdoor.Win32.Rbot.bni            2.28%      c1989130056c32fa305e3de57f6f40f1
Net-Worm.Win32.Allaple.e           1.20%      247a51c8a6ea90209fad9bc9208dd48e
Net-Worm.Win32.Kido.kj             1.08%      b8099f59ec27f47e13ca2445731776c8
Trojan-Downloader.Win32.Kido.bu    <1%        4bb05060ae675d1d7177df05e1ac15b4
Trojan-Spy.Win32.Small.pex         <1%        f4d56bac967e0217a0049fe717cc634b
Trojan.Win32.Genome.tusc           <1%        b0426ed44d7819d1ab5ead9b12fd2879
Backdoor.Win32.Agent.aknp          <1%        7867de13bf22a7f3e3559044053e33e7
Trojan.Win32.Genome.ahpxd          <1%        4d56562a6019c05c592b9681e9ca2737
Net-Worm.Win32.Kido.dam.ak         <1%        468348280af746400d629a00ab782f21

Table 6 - Detected Malware Hashes
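The following is an added example, not part of the report, showing how the Table 6 hashes are used in practice: a scanner that walks a file tree, hashes every regular file once for both MD5 and SHA-256, and reports files whose MD5 is in the indicator set. The file names, directory and sample bytes in demo_scan() are constructed for the demonstration; the only real data are the MD5 values copied from Table 6.

```python
import hashlib
import os
import shutil
import tempfile

# MD5 indicators copied from Table 6, lower-cased so comparisons are
# case-insensitive (the table prints one Kido.kj hash with a capital B).
REPORT_MD5_IOCS = {
    "029e95604293d13fbf621a10ae11edfe": "Net-Worm.Win32.Kido.ih",
    "099384dc46cca644e859cb7fb1d6de8b": "Net-Worm.Win32.Kido.ih",
    "0af49bbed7ec17b2e8b5ae7b87920715": "Net-Worm.Win32.Kido.ih",
    "0ea2203e8c7a1700b29271755e371392": "Net-Worm.Win32.Kido.ih",
    "c1989130056c32fa305e3de57f6f40f1": "Backdoor.Win32.Rbot.bni",
    "247a51c8a6ea90209fad9bc9208dd48e": "Net-Worm.Win32.Allaple.e",
    "b8099f59ec27f47e13ca2445731776c8": "Net-Worm.Win32.Kido.kj",
    "4bb05060ae675d1d7177df05e1ac15b4": "Trojan-Downloader.Win32.Kido.bu",
    "f4d56bac967e0217a0049fe717cc634b": "Trojan-Spy.Win32.Small.pex",
    "b0426ed44d7819d1ab5ead9b12fd2879": "Trojan.Win32.Genome.tusc",
    "7867de13bf22a7f3e3559044053e33e7": "Backdoor.Win32.Agent.aknp",
    "4d56562a6019c05c592b9681e9ca2737": "Trojan.Win32.Genome.ahpxd",
    "468348280af746400d629a00ab782f21": "Net-Worm.Win32.Kido.dam.ak",
}

CHUNK = 1 << 20  # hash in 1 MiB pieces so a large file never sits in memory whole


def hash_file(path):
    """Return (md5, sha256) hex digests of one file, computed in a single pass.
    MD5 is what the report publishes; SHA-256 is recorded alongside because
    MD5 collisions are practical and most feeds and sandboxes key on SHA-256."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def scan_tree(root, md5_iocs=REPORT_MD5_IOCS):
    """Walk a directory tree and report every regular file whose MD5 is in the
    indicator set. Symlinks are not followed, so a planted link cannot pull the
    scan out of the tree or into a loop; files that cannot be read are listed
    separately instead of aborting the whole scan."""
    hits, unreadable = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames
                       if not os.path.islink(os.path.join(dirpath, d))]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                md5, sha256 = hash_file(path)
            except OSError:
                unreadable.append(path)
                continue
            if md5 in md5_iocs:
                hits.append({"path": path, "md5": md5, "sha256": sha256,
                             "name": md5_iocs[md5]})
    return {"hits": hits, "unreadable": unreadable}


def demo_scan():
    """Self-contained demonstration: builds a scratch directory holding one
    constructed 'sample' (plain bytes, not malware) and one clean file, adds the
    sample's MD5 to a copy of the report's indicators, and scans the directory."""
    root = tempfile.mkdtemp(prefix="ioc-scan-")
    try:
        sample = b"constructed sample bytes standing in for a captured binary\n"
        with open(os.path.join(root, "svchost_copy.exe"), "wb") as fh:
            fh.write(sample)
        with open(os.path.join(root, "readme.txt"), "wb") as fh:
            fh.write(b"benign file\n")
        iocs = dict(REPORT_MD5_IOCS)
        iocs[hashlib.md5(sample).hexdigest()] = "Constructed.Sample"
        return scan_tree(root, iocs)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for hit in demo_scan()["hits"]:
        print(f"{hit['path']}: {hit['name']} md5={hit['md5']} sha256={hit['sha256']}")
```

Run it against a share or a workstation image with scan_tree("/path", REPORT_MD5_IOCS); the SHA-256 recorded for each hit is the value to submit to a sandbox or to VirusTotal, where the report's MD5 alone may be ambiguous.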


CnC IP Addresses & Domains

Tables 7 and 8 list the IP addresses and domain names found to be malicious and communicating with infected machines. Because the list is built from what infected hosts talked to, it mixes true command-and-control servers with supporting services, and it should be used as a set of detection indicators (a host that resolves or connects to them deserves a look) rather than blocked blindly. In particular, checkip.dyndns.com is a public service that simply returns the caller's external address; malware queries it to learn where it sits, but so does legitimate software, so it and the addresses it resolves to indicate a possible infection, not a command server. The pseudo-random names on .biz, .ws and .cn are the kind produced by domain-generation algorithms, and such names are often pre-registered by sinkhole operators, so a lookup still indicates an infection even when the destination itself is harmless. Two entries in Table 7 end in .0.0 and look like network identifiers rather than hosts; verify them before adding them to any rule.

IP Address         Country
221.8.69.25        China
204.27.59.22       India
195.22.26.231      Portugal
195.223.0.0        Italy
212.184.0.0        Germany
149.20.56.32       United States
149.20.56.33       United States
149.20.56.34       United States
54.235.146.190     United States
54.235.146.225     United States
216.146.38.70      United States
216.146.39.70      United States
216.146.43.70      United States
91.198.22.70       United Kingdom
128.30.52.37       United States
204.95.99.86       United States

Table 7 - CnC IP Addresses

Domain
xqpjtkqid.biz
yeigidwnrda.ws
zwvnfggq.ws
smcxq.biz
abyoqc.cn
ztcabv.cn
gwjewwqgig.cn
pdcpbbkit.cn
xiammogc.cn
checkip.dyndns.com
xdz.no-ip.org

Table 8 - CnC Domains
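The following is an added example, not from the report, that serves both the blocking advice of Table 3 and the CnC indicators of Tables 7 and 8. It validates the addresses before they go anywhere near a firewall (flagging the .0.0 entries for review instead of blocking a whole network), matches the indicators against firewall and DNS log lines, and emits ipset rules with a timeout so the block list expires and is re-evaluated with the next report. The log formats are assumed: netfilter LOG-target lines from a Linux gateway and BIND-style resolver query logs; the log lines, internal addresses and the set name triam-april-2015 are constructed for the demonstration.

```python
import ipaddress
import re

# Indicators copied from this report: a few of the attacking addresses in
# Table 3 and the CnC addresses and domains in Tables 7 and 8. A real
# deployment would load all of Table 3 the same way.
ATTACKER_IPS = ["89.40.31.192", "117.239.228.134", "196.29.120.73", "59.103.197.121"]
CNC_IPS = ["221.8.69.25", "204.27.59.22", "195.22.26.231", "195.223.0.0", "149.20.56.32"]
CNC_DOMAINS = ["xqpjtkqid.biz", "yeigidwnrda.ws", "abyoqc.cn", "checkip.dyndns.com", "xdz.no-ip.org"]

# Assumed log formats: netfilter LOG lines and BIND query-log lines.
FW_LINE = re.compile(r"\bSRC=(?P<src>\d+\.\d+\.\d+\.\d+) DST=(?P<dst>\d+\.\d+\.\d+\.\d+)")
DNS_LINE = re.compile(r"client (?P<client>\d+\.\d+\.\d+\.\d+)#\d+(?: \([^)]*\))?: query: (?P<qname>\S+) IN ")


def load_ip_iocs(addresses):
    """Validate indicator addresses. Entries that are not valid public host
    addresses, and entries ending in .0.0 (network identifiers rather than
    hosts, as two lines of Table 7 appear to be), go to a review list instead
    of the block set so a typo cannot silently black-hole a whole network."""
    hosts, review = set(), []
    for a in addresses:
        try:
            ip = ipaddress.ip_address(a)
        except ValueError:
            review.append(a)
            continue
        if not ip.is_global or str(ip).endswith(".0.0"):
            review.append(a)
            continue
        hosts.add(str(ip))
    return hosts, review


def domain_matches(qname, domains):
    """Return the indicator that qname equals or is a subdomain of, else None."""
    q = qname.lower().rstrip(".")
    for d in domains:
        d = d.lower()
        if q == d or q.endswith("." + d):
            return d
    return None


def match_logs(lines, attacker_ips, cnc_ips, cnc_domains):
    """Run the indicators over mixed firewall and DNS log lines. Inbound hits
    from Table 3 addresses are noise worth counting; an outbound connection or
    a DNS lookup towards Tables 7/8 names an internal host that needs triage."""
    hits = []
    for line in lines:
        fw = FW_LINE.search(line)
        if fw:
            if fw["src"] in attacker_ips:
                hits.append({"kind": "inbound-from-attacker", "indicator": fw["src"], "host": None, "line": line})
            if fw["dst"] in cnc_ips:
                hits.append({"kind": "outbound-to-cnc", "indicator": fw["dst"], "host": fw["src"], "line": line})
            continue
        dns = DNS_LINE.search(line)
        if dns:
            ind = domain_matches(dns["qname"], cnc_domains)
            if ind:
                hits.append({"kind": "dns-lookup-of-cnc", "indicator": ind, "host": dns["client"], "line": line})
    return hits


def hosts_to_triage(hits):
    """Internal addresses that reached out to a CnC indicator by IP or by name."""
    return sorted({h["host"] for h in hits if h["host"]})


def ipset_commands(name, hosts, timeout=30 * 24 * 3600):
    """Gateway rules for the validated block set. The ipset timeout (30 days by
    default) makes entries expire, so the list is re-evaluated against the
    next monthly report instead of accumulating stale addresses forever."""
    cmds = [f"ipset create {name} hash:ip timeout {timeout} -exist"]
    cmds += [f"ipset add {name} {h} -exist" for h in sorted(hosts, key=ipaddress.ip_address)]
    cmds.append(f"iptables -I INPUT -m set --match-set {name} src -j DROP")
    return cmds


# Constructed log lines. Internal hosts are in 192.168.1.0/24; the sensor's
# public address 203.0.113.10 and 198.51.100.7 are documentation ranges.
SAMPLE_LOG = [
    "Apr 21 03:14:07 gw kernel: IN=eth0 OUT= SRC=89.40.31.192 DST=203.0.113.10 PROTO=TCP DPT=445 SYN",
    "Apr 21 03:14:09 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.25 DST=221.8.69.25 PROTO=TCP DPT=80 SYN",
    "Apr 21 03:14:11 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=22 SYN",
    "21-Apr-2015 03:14:12.001 client 192.168.1.25#49152: query: abyoqc.cn IN A + (192.168.1.1)",
    "21-Apr-2015 03:14:13.002 client 192.168.1.30#49153: query: www.example.com IN A + (192.168.1.1)",
    "21-Apr-2015 03:14:14.003 client 192.168.1.40#49154: query: host.xdz.no-ip.org IN A + (192.168.1.1)",
]


def demo():
    attackers, _ = load_ip_iocs(ATTACKER_IPS)
    cnc, review = load_ip_iocs(CNC_IPS)
    hits = match_logs(SAMPLE_LOG, attackers, cnc, CNC_DOMAINS)
    return {"hits": hits, "triage": hosts_to_triage(hits), "review": review,
            "rules": ipset_commands("triam-april-2015", attackers | cnc)}


if __name__ == "__main__":
    out = demo()
    for h in out["hits"]:
        print(h["kind"], h["indicator"], h["host"] or "")
    print("hosts to triage:", out["triage"], "| entries needing review:", out["review"])
    print("\n".join(out["rules"]))
```

The match on a subdomain (host.xdz.no-ip.org) matters for dynamic-DNS indicators, where the malware's hostname is a label under the listed domain; the inbound hit from 89.40.31.192 is just the scanning the sensors already counted, while the two internal hosts in the triage list are the finding.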


Attacked Protocols

Table 9 lists the protocols exploited in the most attacks, as a share of all attacks seen by the sensors.

Protocol   Share of attacks
SMB        87.48%
SIP        4.94%
MSSQL      3.85%
MySQL      1.55%
HTTP       1.24%
EPMAP      <1%
MIRROR     <1%
RSH        <1%

Table 9 - Attacked Protocols

SMB: Server Message Block, an application-layer network protocol (TCP 445, or TCP 139 over NetBIOS on older hosts) mainly used for shared access to files, printers and serial ports and for miscellaneous communication between nodes on a network. Its named pipes also carry the DCE/RPC calls behind most of the bulletins in Table 4, which is why SMB dominates this table.

SIP: Session Initiation Protocol (UDP/TCP 5060), a signaling protocol for setting up and controlling multimedia communication sessions. Its most common use is Internet telephony for voice and video calls.

MSSQL: Tabular Data Stream (TDS), the protocol spoken by Microsoft SQL Server clients. The sensor listens on TCP 1433, lets clients log in and decodes the queries they run against the database.

MySQL: the MySQL client/server protocol (TCP 3306), spoken by the connectors (Connector/C, Connector/J and so on), by MySQL Proxy, and between master and slave replication servers.

HTTP: Hypertext Transfer Protocol (TCP 80), the application protocol for distributed, collaborative hypermedia information systems and the foundation of data communication for the World Wide Web.

EPMAP: Microsoft's DCE/RPC endpoint mapper (TCP 135), also known as the RPC Locator service. It is used by DCOM and for remote management of services such as DHCP, DNS and WINS; attackers query it to locate RPC interfaces before exploiting them.

MIRROR: not a standard Internet protocol. In honeypot sensors a "mirror" listener is one that echoes whatever the client sends straight back to it, so the connections counted here are probes that hit such a listener on an otherwise unassigned port. (The real-time database concurrency-control protocol of the same name is unrelated.)

RSH: the remote shell service (TCP 514) executes commands on a remote host as a given user, authenticating only by source address and username, which makes it a soft target wherever it is still enabled.


SIP Attacks

What is SIP?

The Session Initiation Protocol (SIP) is a signaling protocol for setting up and controlling multimedia communication sessions. Its most common uses are Internet telephony for voice and video calls and instant messaging over IP networks.

Types of SIP Attack

Most SIP attacks fall into two groups. The first is PBX scanning and probing: the attacker sends an OPTIONS request and waits for an answer, or places a call and immediately cancels it (an INVITE followed by a CANCEL), to discover whether a SIP service is listening and which extensions exist. The second is flooding with REGISTER requests. A user agent sends REGISTER to register its location with the registrar (the SIP server); an attacker sends continuous REGISTER requests to degrade the server's performance and ultimately make it unavailable to legitimate users. In practice a high REGISTER rate from one source is as often a password-guessing run against extensions as a pure flood: each request then carries a different user or Authorization value, which is the check that separates the two.

REGISTER Flooding Attack

This is an application-layer denial-of-service attack on the SIP servers used by VoIP services. A REGISTER flood consists of sending a high volume of REGISTER requests to a SIP server, exhausting its bandwidth and processing resources. 96% of the SIP messages seen by our sensors were REGISTER requests.

SIP Message   No. of Distinct Connections   Total Messages
REGISTER      3,862                         73,448

Table 10 - SIP REGISTER Message

Malicious IP       Total
85.25.160.106      42,037
188.138.26.190     18,088
212.129.61.222     9,909
195.154.39.5       3,057
212.83.137.238     211

Table 11 - SIP Malicious IP Addresses
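The following is an added example, not part of the report, implementing the two attack groups described above as detection logic over captured SIP requests: it parses request lines and headers (including the RFC 3261 compact header names scanners sometimes use), flags a source as scanning on an OPTIONS probe or an INVITE cancelled under the same Call-ID, flags a REGISTER burst above a rate threshold as a flood, and separately flags REGISTERs that keep changing user or Authorization value as credential guessing. The traffic in SAMPLE_EVENTS, the PBX name pbx.example.net and the source addresses are constructed; the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>\S+) SIP/2\.0$")
FROM_USER = re.compile(r"sips?:([^@>;]+)@")
# RFC 3261 compact header names that scanners sometimes use to shave bytes.
COMPACT = {"i": "call-id", "f": "from", "t": "to", "v": "via", "l": "content-length"}


def parse_sip(raw):
    """Parse the request line and headers of one SIP request. Returns None for
    responses and for junk, both of which a sensor sees plenty of."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name = name.strip().lower()
        headers[COMPACT.get(name, name)] = value.strip()
    return {"method": m["method"], "uri": m["uri"], "headers": headers}


def peak_count(times, window):
    """Largest number of events falling inside any interval of `window` seconds."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def classify_sources(events, window=60.0, flood_threshold=100, guess_threshold=5):
    """events: iterable of (seconds, source_ip, raw_request). Returns
    {source_ip: set(labels)}: 'scan' for an OPTIONS probe or an INVITE cancelled
    under the same Call-ID, 'register-flood' for a REGISTER burst of at least
    flood_threshold requests within `window` seconds, and 'credential-guessing'
    when the REGISTERs from one source carry guess_threshold or more distinct
    (user, Authorization) pairs."""
    per = defaultdict(lambda: {"options": 0, "invites": set(), "cancels": set(),
                               "reg_times": [], "reg_creds": set()})
    for t, src, raw in events:
        req = parse_sip(raw)
        if req is None:
            continue
        s, h = per[src], req["headers"]
        call_id = h.get("call-id", "")
        if req["method"] == "OPTIONS":
            s["options"] += 1
        elif req["method"] == "INVITE":
            s["invites"].add(call_id)
        elif req["method"] == "CANCEL":
            s["cancels"].add(call_id)
        elif req["method"] == "REGISTER":
            s["reg_times"].append(t)
            user = FROM_USER.search(h.get("from", ""))
            s["reg_creds"].add((user.group(1) if user else "", h.get("authorization", "")))
    verdict = {}
    for src, s in per.items():
        labels = set()
        if s["options"] or s["invites"] & s["cancels"]:
            labels.add("scan")
        if peak_count(s["reg_times"], window) >= flood_threshold:
            labels.add("register-flood")
        if len(s["reg_creds"]) >= guess_threshold:
            labels.add("credential-guessing")
        verdict[src] = labels
    return verdict


def sip_request(method, user, call_id, authorization=None):
    """Build a minimal SIP request; used only to construct the sample traffic."""
    lines = [f"{method} sip:{user}@pbx.example.net SIP/2.0",
             "Via: SIP/2.0/UDP 203.0.113.5:5060;branch=z9hG4bK-1",
             f"From: <sip:{user}@pbx.example.net>;tag=1",
             f"To: <sip:{user}@pbx.example.net>",
             f"Call-ID: {call_id}", f"CSeq: 1 {method}", "Content-Length: 0"]
    if authorization:
        lines.append(f"Authorization: {authorization}")
    return "\r\n".join(lines) + "\r\n\r\n"


# Constructed traffic: an OPTIONS prober, an INVITE/CANCEL prober, a source
# hammering REGISTER with a different extension and credential each time, and
# a phone that re-registers normally (plus a stray response, which is ignored).
SAMPLE_EVENTS = (
    [(0.0, "198.51.100.1", sip_request("OPTIONS", "100", "opt-1"))]
    + [(1.0, "198.51.100.2", sip_request("INVITE", "0012345678", "c1")),
       (1.2, "198.51.100.2", sip_request("CANCEL", "0012345678", "c1"))]
    + [(10.0 + i * 0.2, "198.51.100.3",
        sip_request("REGISTER", str(1000 + i), f"reg-{i}",
                    f'Digest username="{1000 + i}", realm="pbx", response="{i:032x}"'))
       for i in range(120)]
    + [(5.0, "192.0.2.9", sip_request("REGISTER", "201", "phone-1")),
       (3605.0, "192.0.2.9", sip_request("REGISTER", "201", "phone-1")),
       (3605.1, "192.0.2.9", "SIP/2.0 200 OK\r\nCall-ID: phone-1\r\n\r\n")]
)

if __name__ == "__main__":
    for src, labels in classify_sources(SAMPLE_EVENTS).items():
        print(src, sorted(labels) or "normal")
```

The phone at 192.0.2.9 re-registers an hour apart with the same identity and earns no label, while the third source trips both the flood and the guessing rule; with a higher flood threshold it is still caught as guessing, which is the label that tells the PBX operator to check whether any extension password finally matched.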


Web Attacks

As websites and web applications grow rapidly, so do the threats against them. Complex business applications are now delivered over the web (HTTP), giving attackers a path to exploit any vulnerability in them. This section presents data on the web attacks faced by Pakistani cyberspace.

Top Few Countries With Most Web Attacks

The countries hosting the IP addresses performing the most web attacks are shown in Figure 9.

Figure 9 - Countries with Web Based Attacks

Top Few IP Addresses With Most Web Attacks

Table 12 lists the IP addresses found launching the highest number of web attacks, with the share of observed web attacks each accounts for. Blocking these addresses is recommended, with the same caution as for Table 3: web attacks are routinely run through proxies or from rented servers, so the address identifies the last hop rather than the attacker, and the block should be time-limited.

IP Address         Attacks %   Country
66.74.17.157       21.25%      United States
176.99.122.190     17.70%      Ukraine
176.10.99.200      13.21%      Switzerland
212.83.167.175     10.45%      France
118.138.9.49       10.33%      Germany
176.10.99.201      9.12%       Switzerland
18.239.0.155       7.95%       United States
176.126.252.12     5.82%       Romania
69.197.148.26      2.18%       United States
109.163.234.4      1.99%       Romania

Table 12 - IP Addresses Conducting Web Based Attacks


Top Few Web Attacks

Among the web attack types we observed, SQL injection was the most common in Pakistani cyberspace; the distribution is shown in Figure 10.

Figure 10 - Web Based Attacks


Brute-Force Attacks

A brute-force attack is the simplest way to gain access to an application or operating system: the attacker tries credential after credential. In a brute-force attack the attacker tries many combinations of usernames and passwords, over and over, until a login succeeds. This section presents data on brute-force activity against the SSH protocol in Pakistani cyberspace.

Most Commonly Used Usernames

Table 13 lists the usernames tried most often against SSH in Pakistan. root was tried far more than any other name. Since root cannot be renamed away, the practical defences are to disable direct root login over SSH (PermitRootLogin no in sshd_config), to prefer key-based authentication over passwords (PasswordAuthentication no) and to add two-factor authentication where passwords must remain. ubnt, the second most tried name, is the factory-default account of Ubiquiti network devices, which shows attackers specifically hunting for equipment whose default credentials were never changed.

Username   Attempts
root       119,497
ubnt       251
admin      113
guest      28
test       26
support    23
tester     14
testing    14
user       12

Table 13 - Most Usernames Used

Most Commonly Used Passwords

Table 14 lists the passwords attempted most often. admin was tried the most. All of these are defaults, keyboard walks or dictionary words; it is strongly recommended to avoid passwords of this kind.

Password   Attempts
admin      88
root       82
123456     70
ubnt       67
password   62
1qaz2wsx   57
passw0rd   29
1q2w3e4r   29
!qaz@wsx   28
qwerty     25
abc123     25

Table 14 - Most Passwords Used


Top Few IP Addresses Conducting SSH Attacks

Table 15 lists the IP addresses, with country of origin, that carried out the most SSH attacks in Pakistani cyberspace. It is strongly recommended to block these IP addresses at the gateway. All ten are hosted in China, and several sit in the same 58.218.x.x and 221.229.166.x ranges, so it is worth deciding whether to block the enclosing ranges rather than single hosts, accepting the collateral blocking that comes with it.

IP Address         Attempts   Country
58.218.199.49      1,538      China
61.160.213.190     1,302      China
58.218.204.245     1,241      China
58.218.213.254     1,175      China
221.229.166.28     1,157      China
117.21.174.111     1,150      China
58.218.204.226     1,149      China
221.229.166.27     1,138      China
58.218.204.248     1,087      China
58.218.199.195     1,040      China

Table 15 - IP Addresses Conducting SSH Attacks

Mostly Used Tools For SSH Based Attacks

Table 16 lists the client identification strings (the banner each client sends during the SSH handshake) seen in attacks against SSH in Pakistani cyberspace. The all-capitals SSH-2.0-PUTTY is not the banner a genuine PuTTY build sends (compare the genuine SSH-2.0-PuTTY_Release_0.63 further down the table); it is a hard-coded string used by brute-force tools that impersonate PuTTY, and the fact that it accounts for the overwhelming majority of connections shows how automated this activity is. libssh2, JSch and Granados are libraries rather than interactive clients, which likewise points to scripted tools. A banner is trivially spoofed, so it is a fingerprint for tracking tools, not an authentication signal.

Tool (client banner)                         Connections
SSH-2.0-PUTTY                                40,138
SSH-2.0-libssh2_1.4.3                        1,962
SSH-2.0-libssh2_1.4.1                        620
SSH-2.0-JSCH-0.1.51                          90
SSH-2.0-libssh2_1.5.0                        72
SSH-2.0-PuTTY_Release_0.63                   34
SSH-2.0-Granados-1.0                         24
SSH-2.0-PuTTY_Local:_May_14_2009_21:12:18    20
SSH-2.0-libssh2_1.4.2                        12

Table 16 - Tools Used For SSH Attacks
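The following is an added example, not part of the report, that turns the brute-force, default-account and client-banner observations of Tables 13 to 16 into detection logic: it parses sshd authentication log lines, flags a source whose failures exceed a rate threshold, flags attempts against factory-default accounts, flags the high-fidelity case of a successful login following failures from the same source, and classifies client banners so that the impostor SSH-2.0-PUTTY is separated from genuine PuTTY builds and from libraries. The auth.log lines, hostnames and process IDs are constructed; classic syslog stamps carry no year, so 2015 is assumed; the thresholds are assumptions to tune per site.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed OpenSSH auth.log formats (Failed/Accepted lines).
FAILED = re.compile(r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+")
# Factory-default and throwaway accounts that Table 13 shows attackers hunting for.
DEFAULT_ACCOUNTS = {"ubnt", "admin", "guest", "test", "support", "user"}


def syslog_seconds(line, year=2015):
    """Seconds since the epoch for a classic syslog stamp (no year; 2015 assumed)."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year).timestamp()


def peak_count(times, window_s):
    """Largest number of events inside any interval of window_s seconds."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def analyze_auth_log(lines, threshold=10, window_s=600):
    """Return {source_ip: {labels, failures, users, accepted}}. 'brute-force'
    needs at least `threshold` failures within window_s seconds; 'default-
    account-hunting' means a name from DEFAULT_ACCOUNTS was tried; 'login-after-
    failures' is a successful login from a source that had failed before, the
    one case that should page someone."""
    per = defaultdict(lambda: {"fail_times": [], "users": set(), "accepted": []})
    for line in lines:
        m = FAILED.search(line)
        if m:
            s = per[m["ip"]]
            s["fail_times"].append(syslog_seconds(line))
            s["users"].add(m["user"])
            continue
        m = ACCEPTED.search(line)
        if m:
            per[m["ip"]]["accepted"].append((syslog_seconds(line), m["user"]))
    verdict = {}
    for ip, s in per.items():
        labels = set()
        if peak_count(s["fail_times"], window_s) >= threshold:
            labels.add("brute-force")
        if s["users"] & DEFAULT_ACCOUNTS:
            labels.add("default-account-hunting")
        if s["fail_times"] and any(t > min(s["fail_times"]) for t, _ in s["accepted"]):
            labels.add("login-after-failures")
        verdict[ip] = {"labels": labels, "failures": len(s["fail_times"]),
                       "users": sorted(s["users"]), "accepted": [u for _, u in s["accepted"]]}
    return verdict


def classify_banner(banner):
    """Classify an SSH client identification string as seen in Table 16."""
    if banner.startswith("SSH-2.0-PuTTY_"):
        return "putty"            # real builds: PuTTY_Release_x.yz or PuTTY_Local:_<date>
    if banner.upper().startswith("SSH-2.0-PUTTY"):
        return "putty-impostor"   # hard-coded all-caps banner of brute-force tools
    if re.match(r"^SSH-2\.0-(libssh2|JSCH|Granados)", banner):
        return "library"          # scripted clients built on a library
    return "other"


def banner_summary(rows):
    """Sum connections per banner class for (banner, connections) rows."""
    total = Counter()
    for banner, n in rows:
        total[classify_banner(banner)] += n
    return dict(total)


# Rows copied from Table 16.
TABLE_16 = [("SSH-2.0-PUTTY", 40138), ("SSH-2.0-libssh2_1.4.3", 1962), ("SSH-2.0-libssh2_1.4.1", 620),
            ("SSH-2.0-JSCH-0.1.51", 90), ("SSH-2.0-libssh2_1.5.0", 72), ("SSH-2.0-PuTTY_Release_0.63", 34),
            ("SSH-2.0-Granados-1.0", 24), ("SSH-2.0-PuTTY_Local:_May_14_2009_21:12:18", 20),
            ("SSH-2.0-libssh2_1.4.2", 12)]

# Constructed auth.log excerpt: a Table 15 address fails 13 times in 25 s and
# then gets in as root, a second source pokes at default accounts, and a
# legitimate key-based login arrives from inside.
SAMPLE_AUTH_LOG = (
    [f"Apr 21 02:10:{s:02d} sensor sshd[{4000 + s}]: Failed password for root from 58.218.199.49 port {44000 + s} ssh2"
     for s in range(0, 24, 2)]
    + ["Apr 21 02:10:25 sensor sshd[4030]: Failed password for invalid user ubnt from 58.218.199.49 port 44030 ssh2",
       "Apr 21 02:10:40 sensor sshd[4031]: Accepted password for root from 58.218.199.49 port 44031 ssh2",
       "Apr 21 02:11:00 sensor sshd[4032]: Failed password for admin from 61.160.213.190 port 51000 ssh2",
       "Apr 21 02:11:05 sensor sshd[4033]: Failed password for invalid user test from 61.160.213.190 port 51001 ssh2",
       "Apr 21 02:12:00 sensor sshd[4040]: Accepted publickey for deploy from 192.0.2.10 port 50000 ssh2: RSA SHA256:abc",
       "Apr 21 02:12:30 sensor sshd[4041]: pam_unix(sshd:session): session opened for user deploy by (uid=0)"]
)

if __name__ == "__main__":
    for ip, v in analyze_auth_log(SAMPLE_AUTH_LOG).items():
        print(ip, sorted(v["labels"]) or "normal", v["failures"], v["users"], v["accepted"])
    print(banner_summary(TABLE_16))
```

The banner summary makes the point of Table 16 numerically: the impostor banner alone outweighs every library client and every genuine PuTTY build combined. In production the same analysis is what a fail2ban jail on sshd does for the rate rule; the login-after-failures rule is the one worth wiring to an alert, because it is the difference between noise and a compromised account.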


List of Figures

Figure 1 - Percentage of events by source countries
Figure 2 - Attacks Originating from IP Addresses Hosted in China
Figure 3 - Attacks Originating from IP Addresses Hosted in Romania
Figure 4 - Attacks Originating from IP Addresses Hosted in Brazil
Figure 5 - Country Based Connection Distribution
Figure 6 - Country Based Unique IP Distribution
Figure 7 - IP Based Connection Distribution
Figure 8 - IP Address Based Distribution
Figure 9 - Countries with Web Based Attacks
Figure 10 - Web Based Attacks

List of Tables

Table 1 - IP Address Based Connection Distribution
Table 2 - IP Address Based Distribution
Table 3 - IP Address Based Distribution - 10 or More Attacks
Table 4 - Top 10 Vulnerabilities
Table 5 - Top Malwares Detected
Table 6 - Detected Malware Hashes
Table 7 - CnC IP Addresses
Table 8 - CnC Domains
Table 9 - Attacked Protocols
Table 10 - SIP REGISTER Message
Table 11 - SIP Malicious IP Addresses
Table 12 - IP Addresses Conducting Web Based Attacks
Table 13 - Most Usernames Used
Table 14 - Most Passwords Used
Table 15 - IP Addresses Conducting SSH Attacks
Table 16 - Tools Used For SSH Attacks


About TRIAM

With almost a decade of experience, expertise and leadership in the information security market, Trillium Information Security Systems (Pvt) Ltd. has launched Pakistan's first and only focused Managed Security Service Provider brand, TRIAM.

TRIAM's portfolio of information security services is backed by the industry's leading minds. Our team has an accumulated experience of more than 150 years of delivering successful information security projects to leading enterprises from all industry verticals of Pakistan and the region. In addition to our industry experience, TRIAM researchers have published over 45 research papers, enabling TRIAM to explore, study and understand niche areas of the information security domain.

TRIAM is hence launched as one of the region's most skilled and experienced information security service providers, delivering services to customers that are backed by world-leading threat intelligence.

TRIAM Service Portfolio

Security Monitoring
- Stored Data Security Analytics
- Real-Time Data Security Analytics

Digital Forensics & Incident Response Services
- Malware Analysis
- Digital Forensics & Investigation
- Incident Handling & Reporting

Security Assessment Services
- Application Security Assessment
- Infrastructure Security Assessment

Threat Intelligence Services
- Threat Feeds
- Botnet Tracking
- Threat Notifications


About Contributors

This research has been conducted by Trillium Information Security Systems (TISS) in collaboration with the Applied Security Engineering Research Group at the COMSATS Institute of Information Technology.

We would like to thank the members of the TRIAM Threat Intelligence Team and the TISS OPSEC Team for their attention and contribution to the publication of this report.

For More Information

To learn more about Trillium Information Security Systems and its brand TRIAM, please visit:
infosecurity.com.pk
triam.com.pk


Copyright Trillium Information Security Systems (Pvt) Ltd. 2015

Trillium Information Security Systems (Pvt) Ltd.
Head Office
10th Floor, AWT Plaza,
5-The Mall,
Rawalpindi 46000, Pakistan.
Produced in the Islamic Republic of Pakistan.
March 2015

This document is current as of the initial date of publication and may be changed by Trillium Information Security Systems at any time.
The information contained in this guide is for educational and awareness purposes only. TISS cannot be held responsible for any misuse of the information.
All the information contained in this document is meant for developing information security defense skills among its recipients, in order to help prevent malicious attacks.
The information in this document is provided as is, without any warranty, express or implied.


Threat Intelligence Team
