Update
The first serious evidence of a worm outbreak was reported on November 22, 2008 by PC World. Security researchers and companies have given this worm various names, including Downadup, Conficker, Conflicker and Kido. Updated CAIDA analysis of this Conficker/Conflicker/Downadup worm as seen from the UCSD Network Telescope is now available.
Background
On October 23, 2008, Microsoft released an out-of-band security update (MS08-067) for a critical vulnerability in the Windows Server service [1]. In the bulletin, Microsoft stated that "it is possible that this vulnerability could be used in the crafting of a wormable exploit". In addition to Microsoft's rapid response, other parties in the network security community reacted quickly to publish information and tools for mitigating possible worms [2,3].
Some hours after Microsoft's announcement, at 9 PM UTC on October 23, the CAIDA network telescope was turned on to track any worm that might follow. The vulnerability is exploited over TCP ports 139 (NetBIOS session service) and 445 (direct-hosted SMB) [4]. Consequently, traffic directed to these two ports was monitored closely; the following paragraphs report what the CAIDA network telescope saw during the first four weeks after the MS08-067 announcement.
Results
Fig. 1 shows the traffic rate in packets/sec (pps) for packets with destination ports 139 and 445, on a logarithmic scale. Each measurement point is the average traffic rate for one port over a one-hour interval, giving 24 points per day. As a reference, historical measurements from about a year earlier (Monday 2007-09-24) are plotted in red on the same graph alongside data from Monday 2008-10-27. We also plot the packet rate of all traffic seen by the telescope during the corresponding times. The data points range from 2008-10-23, 9 PM to 2008-11-19, 5 PM UTC. During the four weeks, activity on both ports, 139 and 445, increased slightly, but not significantly more than the total traffic observed by the telescope. This suggests that the slowly rising rates on 139 and 445 are at least partly due to a general increase in Internet background radiation during this period, and not necessarily to MS08-067 activity.
Beginning on October 31, occasional spikes in traffic destined to port 445 appear. This date matches the first reports of widely available exploit code for the MS08-067 vulnerability [5]. Each spike is caused by a single source IP address generating between 5,000 and 6,000 pps for 0.5 - 3 hours toward 'random' destination addresses within the telescope's range. The scanning campaigns typically consist of 40-byte packets with a source port of 6000. A 40-byte packet is a 20-byte IP header plus a 20-byte TCP header with no options, i.e. a bare SYN, and a fixed source port across an entire campaign is not what an operating system's TCP stack produces; both point to a raw-socket scanner. This suggests the spikes are generated by a common attack tool or script that became publicly available about a week after the MS08-067 announcement.
On November 07 around 8 AM UTC, activity on port 139 increased more than on previous days at the same time of day. In the following days, the traffic rate to port 139 stabilized at about 50 pps above the rate seen during the first two weeks. Note that this increase is not caused by single source IPs but by a generally higher level of traffic on port 139 from many sources.
On November 17 around 9 AM UTC, two consecutive spikes in the port 139 traffic rate appear. Both are caused by a single source IP scanning through the telescope's address range at about 5,000 pps, again with a source port of 6000 and a packet length of 40 bytes. The same source also scanned port 3389 (Windows Remote Desktop), which suggests this campaign may not be connected to an MS08-067 exploit, since Microsoft confirmed that the vulnerability is exploited over TCP ports 139 and 445 only [4].
Figure 1: Traffic rates (pps) vs Time (UTC)
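The analysis above rests on two simple operations over telescope data: averaging packets per second for each watched destination port over one-hour bins (the points in Fig. 1), and separating a spike caused by one source IP from a diffuse rise spread over many sources (the Oct 31 and Nov 17 cases versus the Nov 7 case). The following Python script is an added example that does both; it is not CAIDA's own analysis code. The per-second pre-aggregated record format, the constructed three-hour sample trace, the documentation-range scanner address 198.51.100.7 and the 90%-share / 1,000 pps thresholds are all assumptions made for illustration.

```python
"""Hourly per-port packet rates and single-source scan-episode detection
over network-telescope records.

Added example, not CAIDA's analysis code. The record format, the sample
traffic and the thresholds are constructed assumptions for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
import random

HOUR = 3600
WATCHED_PORTS = (139, 445)
# Telescope switched on 2008-10-23 21:00 UTC; used as the start of the sample.
START = int(datetime(2008, 10, 23, 21, tzinfo=timezone.utc).timestamp())


@dataclass(frozen=True)
class Record:
    """Per-second aggregate of packets from one source to one destination port.

    Assumed pre-aggregated input; a raw pcap would be binned the same way.
    """
    ts: int        # epoch seconds, UTC
    src: str
    sport: int
    dport: int
    length: int    # IP total length; 40 bytes == TCP SYN with no options
    pkts: int


def hour_bin(ts: int) -> int:
    """Start of the one-hour interval containing ts."""
    return ts - ts % HOUR


def hourly_pps(records, ports=WATCHED_PORTS):
    """Average packets/sec per (hour_start, dport), as plotted in Fig. 1."""
    counts = Counter()
    for r in records:
        if r.dport in ports:
            counts[(hour_bin(r.ts), r.dport)] += r.pkts
    return {key: n / HOUR for key, n in counts.items()}


def scan_episodes(records, ports=WATCHED_PORTS, min_share=0.9, min_pps=1000.0):
    """Hours in which one source IP dominates a watched port.

    A diffuse rise from many sources is not flagged; a single scanner at
    thousands of pps is. Each hit also notes whether the source kept a fixed
    source port and sent header-only 40-byte packets (raw-socket signature).
    """
    per_bin = defaultdict(list)
    for r in records:
        if r.dport in ports:
            per_bin[(hour_bin(r.ts), r.dport)].append(r)
    hits = []
    for (hour, port), recs in sorted(per_bin.items()):
        by_src = Counter()
        for r in recs:
            by_src[r.src] += r.pkts
        total = sum(by_src.values())
        src, n = by_src.most_common(1)[0]
        if n / total < min_share or n / HOUR < min_pps:
            continue
        mine = [r for r in recs if r.src == src]
        hits.append({
            "hour": datetime.fromtimestamp(hour, timezone.utc).isoformat(),
            "dport": port,
            "src": src,
            "pps": n / HOUR,
            "share": n / total,
            "fixed_sport": len({r.sport for r in mine}) == 1,
            "bare_syn": all(r.length == 40 for r in mine),
        })
    return hits


def make_sample(seed=1):
    """Constructed three-hour trace: 8 pps background on each watched port,
    a 30-minute 5,500 pps single-source scan of 445 in the second hour, and a
    diffuse +50 pps rise on 139 from many sources in the third hour."""
    rng = random.Random(seed)

    def rand_src():
        return "10.%d.%d.%d" % (rng.randrange(256), rng.randrange(256), rng.randrange(1, 255))

    recs = []
    for sec in range(3 * HOUR):
        ts = START + sec
        for port in WATCHED_PORTS:  # background radiation, random sources
            recs.append(Record(ts, rand_src(), rng.randrange(1024, 65536), port, 48, 8))
        if START + HOUR + 600 <= ts < START + HOUR + 600 + 1800:  # one scanner
            recs.append(Record(ts, "198.51.100.7", 6000, 445, 40, 5500))
        if ts >= START + 2 * HOUR:  # diffuse rise on 139, many sources
            recs.append(Record(ts, rand_src(), rng.randrange(1024, 65536), 139, 48, 50))
    return recs


if __name__ == "__main__":
    sample = make_sample()
    for (hour, port), pps in sorted(hourly_pps(sample).items()):
        print(datetime.fromtimestamp(hour, timezone.utc), port, round(pps, 1))
    for hit in scan_episodes(sample):
        print(hit)
```

Run stand-alone, the script prints six hourly rates (8 pps on both ports except 2,758 pps on 445 during the scan hour and 58 pps on 139 during the diffuse rise) and exactly one flagged episode: the 445 scanner with a fixed source port and 40-byte packets. The diffuse 139 increase raises the hourly average but never trips the single-source check, which is the distinction the report draws between November 7 and November 17.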
Conclusions
CAIDA's network telescope data shows no evidence of a worm outbreak following the reported vulnerability (MS08-067) for at least the first four weeks after the announcement. Some changes were observed on TCP ports 139 and 445, the ports the vulnerable service listens on [4]: occasional short-lived traffic spikes, each coming from a single IP address. These spikes could be caused either by 'script-kiddie' attackers playing with a new attack tool, or by botnet scanning campaigns spoofing a single address. Either way, the scale and volume of the scanning is far below what a worm outbreak such as Slammer produced [6].
Perhaps Microsoft and the security community did a good job of mitigating this vulnerability. Alternatively, the vulnerability did not prove severe enough to be attractive for large-scale attacks (at least not yet). We think it less likely, but it is also possible that modern attack tools simply blacklist the telescope's address space.
References
[1] https://technet.microsoft.com/library/security/ms08-067
[2] http://www.snort.org/vrt/advisories/vrt-rules-2008-10-23.html
[3] https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-067
[5] http://isc.sans.org/diary.html?storyid=5275
[6] David Moore et al., "Inside the Slammer Worm," IEEE Security and Privacy, vol. 1, no. 4, pp. 33-39, Jul., 2003