CERT Polska Annual Report 2012

Date of publication: 23/04/2013, CERT Polska

Our Annual Report for 2012 is based mostly on data feeds from various automated systems. They provided us with information on more than 10.5 million incidents in Polish networks last year. Most of this data is subsequently passed on via the n6 platform to the corresponding Internet providers for handling. Incidents reported to CERT Polska directly make up another prominent source of information. They are often the most serious ones, requiring our in-depth analysis and coordination, and frequently involve new malicious software, emerging botnets or phishing. In 2012 there were as many as 1082 incidents reported directly, an increase of more than 80% in comparison to 2011. The number of directly reported incidents between 1996 and 2012 is presented in the figure below.

[Figure: Number of incidents in the years 1996-2013]

Based on this data, we make an attempt to describe the “security landscape” of Polish networks and identify the most important problems and trends.

Key observations summarizing the report:

    • Poland compares favourably against other countries with regard to the number of websites used for phishing and hosting malware, staying outside the top ten in both statistics. Unfortunately, the situation is much worse for problems related to infected end-user machines, i.e. machines used by bots, for scanning and for spam. Most affected are the networks of mobile operators and of Netia – one of the largest telecommunications operators, which runs a large DSL network;
    • Most reports concerning bots (infected machines centrally managed by miscreants), involved three types of malware: Virut, DNSChanger and various flavours of ZeuS. In total, we observed an average of 8,000 bots each day infected with these types of malware;
    • We have been observing a steady growth in the number of phishing incidents – both in the traditional form, involving the creation of sites that impersonate bank, e-store and similar services, and in the form connected with malware that is able to modify the content of bank web pages served to the user on the fly;
    • SMB in Microsoft Windows (445/TCP) is still the primary service being scanned. Worms which propagate by using this service, such as Sasser or Conficker, are still doing well despite the fact that they were created five or more years ago!
    • There was a reported 56% increase in the number of DNS servers in Polish networks that are incorrectly configured as completely open resolvers, posing a serious threat to all Internet users, as they can easily be used to amplify DoS attacks. The main reason for this problem is a lack of awareness among administrators.

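An illustration of the open resolver misconfiguration from the last observation and of its correction, added here and not taken from the report: two alternative BIND `named.conf` fragments (not one file), with 192.0.2.0/24 standing in for the operator's own customer ranges (an assumed, documentation-only prefix).

```conf
// WEAK: any host on the Internet may use this server as a recursive resolver,
// so spoofed queries for large records get answered towards the spoofed source.
options {
    recursion yes;
    allow-query     { any; };
    allow-recursion { any; };   // this is the "open resolver" setting
};

// CORRECTED: recursion only for the operator's own clients; everyone else
// still receives authoritative answers for zones this server hosts, nothing more.
acl "own-clients" { 192.0.2.0/24; localhost; };   // assumed prefix, adjust to your ranges

options {
    recursion yes;
    allow-query       { any; };            // authoritative data stays public
    allow-recursion   { "own-clients"; };  // closes the open resolver
    allow-query-cache { "own-clients"; };  // cached answers are not served to outsiders
};
```

After reloading, a query for a name outside your own zones sent from an address not in `own-clients` (for example `dig @<your-server> example.com A`) should come back with status REFUSED rather than an answer.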
For the first time the statistics in our report take into account the size of each ISP’s autonomous system. We believe this provides a relatively fair way to compare the scale of problems across different operators.

The report includes descriptions of selected events and occurrences in IT security, as well as a separate document with a report from the ARAKIS early warning system.

The report can be downloaded from here.