
Event Tracking
Significant incidents recently reported to HackerWatch.org

24 Hours: 443,552
7 Days: 3,042,431
30 Days: 12,824,759

Lovsan Worm Information

McAfee Security has noticed a marked increase in worldwide traffic stemming from the Lovsan/WSBlaster worm and its variants. Using data collected by their McAfee Personal Firewall application, McAfee is able to accurately determine the number of unique source IP addresses that were infected by the Lovesan/MS.Blaster worm. With this data, McAfee has created a larger perspective of this worm as well as the rate of infection to systems worldwide.

The graph below shows new infections over time as detected by HackerWatch. The horizontal scale is in hours GMT. Midnight GMT is 5pm in California and 8pm on the east coast of the US. The rate of new infections peaked around 11pm GMT on Monday, with over 68,000 newly infected IP addresses appearing in that hour. Peak hours in subsequent days have been as high as 35,000 per hour.

Over the entire course of the outbreak we have observed the total number of infected machines to be in excess of 1,436,535.

Unique Attackers per Hour

Related Pages

An animation of the progress of the worm is available.

You can check for specific infected nodes here: MSBlaster checkup page

Information about the worm, including detection and removal, can be found at the McAfee Security Virus Information Library.

What is HackerWatch.org? Learn more about us here.

More Details

Details:

The peak rate of infection was observed between 9 and 10pm GMT on 8/11. During this hour we observed 68,490 new infections. In the five-hour period between 8pm and 1am, a total of 328,589 infections were observed. Between the start of the outbreak and 8:40pm GMT today, we have directly observed 1,268,155 unique IPs that appear to be infected. Many of these systems have either been repaired or are no longer active for other reasons. In the most recent 24-hour period, approximately 320,000 infected systems have been observed.

Data source:

Customers who subscribe to McAfee Personal Firewall are protected from the Lovsan/WSBlaster worm. Since the latest version was released, they have also had the option of having all events recorded by their firewall automatically submitted to our central database at HackerWatch.org. An event is defined as a single instance of traffic being blocked by the firewall.

Situation:

The network started seeing increased traffic on port 135 over the weekend. Initial small increases are assumed to be tests of the RPC infection vector concept. Dramatic increases in traffic started appearing around 2pm GMT on Monday 8/11.

Methodology:

The event data processed by the HackerWatch system includes the source IP address of each event that hits our customers' firewalls. By counting the first time a new IP is seen to be ‘scanning’ on port 135, the port on which this vulnerability is exposed, we are able to identify newly infected systems. Graphing this data over time gives us a picture of the overall rate at which new computers are being infected.

Some margin of error is inherent in this data. The primary source of error would be computers that have connected to the internet using multiple IP addresses over time but remain infected. Each time a new IP address is used and scans one of our customers it would appear as a new infection.
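
The counting method and its margin of error, as an added example (not HackerWatch's own code): the sketch below buckets each source IP by the hour of its first blocked event on port 135, then compares the number of unique IPs with the number of distinct machines. The CSV event format, the function names and the re-addressing map are assumptions made for illustration, and all sample data is constructed.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed blocked-traffic events: time (GMT), source IP, destination port.
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = """\
2003-08-11T20:05:11Z,192.0.2.10,135
2003-08-11T20:17:40Z,198.51.100.7,135
2003-08-11T20:31:02Z,192.0.2.10,135
2003-08-11T20:44:59Z,203.0.113.25,80
2003-08-11T21:02:13Z,203.0.113.25,135
2003-08-11T21:09:48Z,198.51.100.7,135
2003-08-11T21:50:30Z,192.0.2.77,135
2003-08-11T22:15:00Z,192.0.2.10,135
"""
# Constructed ground truth for the error case: 192.0.2.77 is the machine that
# earlier used 192.0.2.10, back online with a new address and still infected.
READDRESSED = {"192.0.2.77": "192.0.2.10"}

def first_seen_by_source(event_csv, port=135):
    """Map each source IP to the time of its first blocked event on `port`."""
    first_seen = {}
    for row in csv.reader(io.StringIO(event_csv)):
        if not row or int(row[2]) != port:
            continue  # skip blank lines and traffic to other ports
        when = datetime.strptime(row[0], "%Y-%m-%dT%H:%M:%SZ")
        if row[1] not in first_seen or when < first_seen[row[1]]:
            first_seen[row[1]] = when
    return first_seen

def new_sources_per_hour(event_csv, port=135):
    """Count source IPs by the GMT hour in which they were first seen."""
    hours = Counter(t.strftime("%Y-%m-%d %H:00")
                    for t in first_seen_by_source(event_csv, port).values())
    return dict(sorted(hours.items()))

def overcount(event_csv, same_host, port=135):
    """Return (unique IPs, distinct machines) given a known IP-to-machine map."""
    ips = set(first_seen_by_source(event_csv, port))
    machines = {same_host.get(ip, ip) for ip in ips}
    return len(ips), len(machines)

if __name__ == "__main__":
    for hour, count in new_sources_per_hour(SAMPLE_EVENTS).items():
        print(hour, count)
    print("unique IPs vs machines:", overcount(SAMPLE_EVENTS, READDRESSED))
```

In real data the IP-to-machine mapping is not available to the collector, which is why the re-addressed machine shows up as a new infection.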