Press Release
Jan 18, 2011 Information-technology Promotion Agency, Japan
- 1 -
Computer Virus/Unauthorized Computer Access Incident Report - December 2010 -
This is the summary of the computer virus/unauthorized computer access incident report for December 2010, compiled by Information-technology Promotion Agency, Japan (IPA).
I. Reminder for this Month
"Remember that even now computer viruses are evolving and apply updates consistently" *1
*1 The 6th IPA Information Security Poster & Slogan Competition for Students (Conducted in fiscal 2010), Bronze Prize in
the Slogan Category for High School Students: Mr. Shogo Hayashi (2nd grade student of Rikkyo Niiza High School, in
Saitama, Japan)
In 2010, various information-security-related events occurred, including a large number of PCs
being infected with a virus merely by browsing legitimate Websites; computer-virus creators being
arrested; and information leakage occurring successively. Typical examples of such cases are:
- A number of legitimate Websites were defaced, ranging from those of leading companies to
  those of personal blogs. As a result, PC users visiting those sites contracted computer viruses
  (from January to December).
- Information leakage by means of unauthorized access (March, September, November, December),
  and man-made leakage of sensitive information (October, November)
- Re-arrest of a virus creator (August), and the first person to be arrested for fraud committed
  through the exploitation of a computer virus (May)
- A number of Website alterations associated with political problems with neighboring countries
  (in both the public and private sectors) (September)
Furthermore, techniques for attacking PC users have become more multifaceted.
In this report, we look back on what happened in 2010 and provide commentary on, and countermeasures
against, the following three immediate information security threats:
(1) Transition of attack method involving "Drive-by Download"*2
(2) Transition of fraudulent technique
(3) Information security threats concerning Smart Phone
We also consider the direction of information security threats (i.e., attack method) for the year 2011.
*2 "Watch out for 'Drive-by Download' attack in which PCs are infected with a virus only by browsing a Website" (the
December 2010 issue by IPA)
http://www.ipa.go.jp/security/english/virus/press/201011/E_PR201011.html
Figure 1-1: Various Forms of Virus-Infection and Threats
(1) Transition of Attack Method Involving "Drive-By Download"
When we look at the information security incidents (i.e., incidents and accidents related to
information security) that occurred in 2010, the growing sophistication of the "Drive-by
Download" attack stands out. This attack method, also applied by the so-called "Gumblar"*3, has become
the mainstream method for infecting PCs with a virus in recent years.
To prevent damage caused by "Drive-by Download" attacks, you need to understand their three
components, each of which has been evolving: (i) how PC users are guided to a malicious Website,
(ii) how a legitimate Website is altered, and (iii) how PCs are infected with a virus.
The remainder of this section explains these three items in turn.
*3 "Let’s learn the mechanism of Gumblar and take appropriate countermeasures" (the February 2010 issue by IPA)
http://www.ipa.go.jp/security/english/virus/press/201001/E_PR201001.html
(i) How it guides PC users to a malicious Website
In the past, it was thought that one could avoid the risk of contracting a virus as long as one did not
browse suspicious Websites. Recently, however, legitimate Websites are also being
altered by attackers to carry out "Drive-by Download" attacks.
To guide PC users to such Websites, the attacker may, for example, manipulate Search Engine
Optimization (SEO) - a technique to improve a Website's ranking in a keyword search result list - to
place a Website that carries out "Drive-by Download" attack at the top of the search result list (see
Figure 1-2). PC users, not noticing that this is a trapping link, might click on it and be led
to a malicious Website. Such Websites are removed from the search result candidates if they are
detected during the search site's monitoring process, but if it takes a long time for them to be
removed, heavy damage might result.
Figure 1-2: Image of Exploitation of SEO
(ii) How it alters a legitimate Website
In September 2010, a case was confirmed in which not a Website itself but its components had been
altered by an attacker. The targeted components were advertising banners and other components
provided by external providers to enterprises and others for their Websites; apparently, the
attackers had embedded operation code that guides site visitors to a malicious Website into the data
area of those components. In this new method*4, the attackers broke into the servers of the Website
component providers and altered the data stored on them. By 2009, a typical Website alteration
technique had been SQL injection, but since 2009, unauthorized access by an attacker who has stolen an
FTP account has frequently been observed (as in the case of Gumblar*5). In both cases, "operation
code" for guiding site visitors to a malicious Website was embedded into Web pages.
*4 "Watch out for 'Drive-by Download' attack in which PCs are infected with a virus only by browsing a Website" (the
December 2010 issue by IPA)
http://www.ipa.go.jp/security/english/virus/press/201011/E_PR201011.html
*5 "Review how your Website is managed!" (the April 2010 issue by IPA)
http://www.ipa.go.jp/security/english/virus/press/201003/E_PR201003.html
(iii) Virus-infection from a malicious Website
In 2010, the following methods were used to cause virus-infection in "Drive-by Download" attacks:
- Exploitation of vulnerabilities in application software - Adobe Reader, Flash Player, JRE,
  etc.
- Exploitation of a vulnerability in Windows - a vulnerability in Windows Shell (MS10-046) was
  exploited. In this new attack*6, PCs are infected with a virus merely by opening the folder
  containing a doctored shortcut file (.lnk file).
*6 "A virus has emerged that spreads via USB thumb drive with a new attack method!" (the September 2010
issue by IPA)
http://www.ipa.go.jp/security/english/virus/press/201008/E_PR201008.html
How to prevent it
Nowadays, even specialists cannot tell which Websites will infect site visitors' PCs with a virus. For
this reason, you cannot prevent virus-infection only by exercising caution in browsing Websites. As
shown in (iii), attackers exploit various vulnerabilities to cause virus-infection, so it is
essential to eliminate vulnerabilities in the OS and application software running on your
PC. Apart from this, it is also effective to install "Integrated Antivirus Software" that can block
access to harmful Websites, and to keep it up-to-date. Collecting information on vulnerabilities in
OSs and application software on a daily basis should help you respond appropriately in the
event of a contingency.
IPA provides, free of charge, "MyJVN Version Checker" – an easy-to-use tool that allows PC users
to check whether software products installed on their PC are the latest versions.
For the Website containing this tool, about one million accesses are made every month on
average (hitting a record high of about four million in January 2010), indicating that it has been used
regularly by PC users. Since November 2010, Windows 7 has also been supported.
<Reference>
"MyJVN Version Checker" (IPA)
http://jvndb.jvn.jp/apis/myjvn/#VCCHECK (in Japanese)
(2) Transition of Fraudulent Technique
A recent trend is that attackers deceive PC users by means of spoofing. So far, various forms of
fraudulent technique have been observed, including spam e-mails spoofed as seasonal greeting cards,
and the exploitation of popular Web services, including Social Networking Services (e.g., mixi,
Facebook), micro-blog services (e.g., Twitter) and user-generated video sites (e.g., YouTube). This section
explains the mechanism of these fraudulent techniques.
(i) An Attack that Exploits Popular Services
Attackers use services and functions within SNS and deceive PC users by using the following
techniques:
- Posting an article that provokes one's desires and induces PC users to click on the trapping
  link contained in it
  For example, using Twitter, an attacker may tweet: "xxx is now available free of charge!",
  "Chance to get a gift card worth 1,000 dollars!" etc. to induce PC users to click on
  the trapping link contained in those articles. Those who click on that link are guided
  to a phishing Website or a Website that infects site visitors' PCs with a virus.
- Exploiting an abbreviated URL*7 service
  This is a service for converting a long URL beginning with "http://" to a shorter one.
  Abbreviated URLs are often used on micro-blogs, which only allow a limited number of
  characters to be entered. They are convenient, but they are also being used by attackers to
  guide PC users to a malicious Website, as the original URLs are hidden from the eyes of
  those users.
*7 "Watch out for an attack that focuses on a popular service!" (the May 2010 issue by IPA)
http://www.ipa.go.jp/security/english/virus/press/201004/E_PR201004.html
(ii) An Attack that Exploits E-mails (A Virus Attached to an E-mail)
In this attack, the attacker sends an e-mail spoofed as one from a friend or acquaintance of
the recipient, or as one containing useful information on a commercial product that seems
beneficial to the recipient. These e-mails are typically sent along with a URL that guides the recipient
to a Website that causes a virus-infection, or with an attachment file containing a virus. If the recipient
clicks on that link or opens that file, his PC is infected with a virus. He might do this without careful
consideration, as he believes that the e-mail came from his acquaintance or contains
useful information related to him.
The contents of such e-mails can be attractive information for the recipients (e.g., information on
international sports events, popular games, or commercial products manufactured by enterprises; or
information containing fashionable keywords).
How to prevent it
In most cases of the above-mentioned attacks, a technique to put PC users off their guard was
applied. Even if it seems to be a "tempting offer", if you think that the message or the e-mail
itself is unrelated to you, you should leave it as it is or delete it immediately. And even if it
was a tweet/message/e-mail from your acquaintance, if you find anything suspicious, you
should doubt it and refrain from opening the file attached to it or from clicking any URLs
contained in it. As for abbreviated URLs, you can learn the original URLs by using a tool or service
designed to convert abbreviated URLs into the original ones and display them.
Collecting information from news sites and other sources on a daily basis should help you grasp
the mechanism of new fraud techniques and establish preventive measures.
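The abbreviated-URL check described above can be done without opening the destination in a browser. The script below is an added example, not a tool from IPA or from any shortener service: it issues HEAD requests, refuses automatic redirects so every hop is recorded, and stops on a redirect loop or after a hop cap. The short.example/tracker.example redirect table and the cap of 10 hops are constructed assumptions for the offline demonstration.

```python
"""Expand an abbreviated URL by walking its redirect chain one hop at a time.

Added example, not part of the IPA report. Each hop is fetched with a HEAD
request and redirects are NOT followed automatically, so every intermediate
address is recorded and the final destination can be read before anyone
clicks it. The network fetcher is injectable, which lets the logic run
offline against a constructed redirect table (DEMO_REDIRECTS below).
"""
import http.client
from typing import Callable, Dict, Optional
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10  # assumption: legitimate shorteners rarely chain more than a few hops


def fetch_location(url: str) -> Optional[str]:
    """One HEAD request; return the absolute Location of a 3xx reply, else None."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.netloc, timeout=10)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"User-Agent": "url-expander/0.1"})
        resp = conn.getresponse()
        location = resp.getheader("Location")
        if 300 <= resp.status < 400 and location:
            # Location may be relative; resolve it against the current URL.
            return urljoin(url, location)
        return None
    finally:
        conn.close()


def expand_short_url(url: str,
                     resolver: Callable[[str], Optional[str]] = fetch_location,
                     max_hops: int = MAX_HOPS) -> Dict[str, object]:
    """Follow redirects manually; return the chain, the final URL and a status.

    status is "ok" when a non-redirect reply was reached, "loop" when a URL
    repeated (redirect cycle), or "too_many_hops" when max_hops was exhausted.
    """
    chain = [url]
    seen = {url}
    current = url
    for _ in range(max_hops):
        nxt = resolver(current)
        if nxt is None:
            return {"chain": chain, "final": current, "status": "ok"}
        chain.append(nxt)
        if nxt in seen:
            return {"chain": chain, "final": nxt, "status": "loop"}
        seen.add(nxt)
        current = nxt
    return {"chain": chain, "final": current, "status": "too_many_hops"}


def hosts_in_chain(result: Dict[str, object]) -> list:
    """Distinct host names visited, in order. A destination host that differs
    from the shortener's is what the user should look at before clicking."""
    hosts = []
    for u in result["chain"]:
        h = urlsplit(u).netloc.lower()
        if h and h not in hosts:
            hosts.append(h)
    return hosts


# Constructed redirect table standing in for live shortener responses.
DEMO_REDIRECTS = {
    "http://short.example/abc": "http://tracker.example/go?id=42",
    "http://tracker.example/go?id=42": "/offer.html",           # relative Location
    "http://tracker.example/offer.html": "http://landing.example/offer.html",
}


def demo_resolver(url: str) -> Optional[str]:
    """Offline stand-in for fetch_location using DEMO_REDIRECTS."""
    loc = DEMO_REDIRECTS.get(url)
    return urljoin(url, loc) if loc else None


if __name__ == "__main__":
    res = expand_short_url("http://short.example/abc", demo_resolver)
    for i, hop in enumerate(res["chain"]):
        print(f"{i}: {hop}")
    print("status:", res["status"], "| final:", res["final"])
```

Pass `fetch_location` (the default) instead of `demo_resolver` to expand a real abbreviated URL; only HEAD requests are sent and nothing from the destination page is loaded.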
(3) Information security threats concerning Smart Phone
The Smart Phone is a type of mobile phone that has now become popular. Several
vulnerabilities have been detected in Smart Phone OSs, along with some viruses that infect them. The number of Smart
Phone users is expected to rise in the future, and so are attacks targeting Smart Phones.
(i) Case examples of attacks
Several viruses that infect Smart Phones have been detected. Attackers embed such viruses in
system update files or in application software that pretends to be useful, to induce Smart Phone users to
download them. Major vulnerability information and case examples of virus-infection are as follows:
iPhone (Apple iOS)
- A vulnerability in PDF-file processing has been detected, as has a vulnerability
  that allows for the elevation of privilege.
- A virus has been detected that changes wallpapers. This virus infects iPhones whose
  protection feature is disabled (so-called Jail Break).
Android (Google Android)
- A vulnerability was detected in Android's standard Web browser that allows attackers to
  steal its users' information. Files stored in the body of the Smart Phone or on memory cards might
  also be stolen.
- A virus has been detected in Russia that exploits a billing function for Short Message
  Service (i.e., a service that allows e-mails with a small number of characters to be
  exchanged among mobile phones). Under the pretense of video-replay software, it induces
  mobile phone users to install it. If infected, the mobile phone sends SMS mails on its
  own. Abroad, there are pay-as-you-go SMS e-mailing systems, so attackers, by having the
  virus-infected mobile phones send SMS mails, can fraudulently obtain the money paid by
  the phone users.
- A virus has been detected that sends the phone user's location information to external
  parties in an unauthorized manner. This virus is spoofed as ordinary application software
  and distributed from Android Market - a Website that sells and distributes application
  software for Android terminals.
How to prevent it
To avoid contracting a virus, as in the case of PCs, mobile phone users should eliminate
vulnerabilities. Keep OSs and application software up-to-date. It is also
important to acquire application software only from a reliable site.
Apple iOS
Applications for Apple iOS are available only from Apple's official site, the "App Store".
Applications acquired from the App Store allow their users to check whether any updates are available
and to apply a centrally-managed update. Application users are recommended to check
for updates regularly. Users should not disable iOS's protection feature (i.e., Jail Break).
Google Android
As for applications for Google Android, you should acquire them only from Android Market or
other sites that allow you to check whether any updates are available and to apply a
centrally-managed update; you should avoid acquiring them from personal sites or
unreliable sites. When acquiring applications from sites other than Android Market, it is
recommended to first check for any negative reputation concerning those applications by
conducting a keyword search with their names on the Internet. To avoid installing a
low-reliability application, make sure that the check box "Allows applications from an
unknown source to be installed" is unchecked.
(4) Foresight for the Year 2011
The above-mentioned three threats are expected to pose an increased threat in the future. Foresight
for these threats is as follows:
Attack method involving "Drive-by Download"
As a way to guide site visitors directly to a malicious Website, SEO poisoning*8 is expected to be
used frequently in the future, because Internet users tend to start with a keyword
search. If SEO is manipulated by an attacker so that a link to a malicious
Website is displayed in a keyword search result list, PC users might click on it, which would
result in a virus-infection. In the future, techniques to spread a virus more efficiently will
emerge with greater sophistication, so it is important to keep an eye out for new information
as it becomes available. Whenever a vulnerability is brought to light, it is exploited by attackers, and this
trend will remain unchanged in the future. Depending on the vulnerability identified, a new
attack method might be developed and a new virus with a new form of infection might also emerge.
*8 SEO poisoning: a technique that causes a link to a malicious Website to be displayed in a keyword search
result list by exploiting the mechanism of SEO.
Fraudulent technique
Due to the rise in PC users' security awareness and the advanced countermeasures taken by ISPs
against spam e-mails, attackers have come to use not only spam e-mails but also Social
Networking Services. This trend is expected to continue for some time.
Information security threats concerning Smart Phone
As in the case of PCs, "Drive-by Download" attacks are expected to be carried out frequently
through the exploitation of vulnerabilities in Smart Phones.
Depending on the virus with which a Smart Phone is infected, personal information stored in the
address book might be leaked, or the user might be defrauded of money or suffer other
immense damage.
II. Computer Virus Reported – for more details, please refer to Attachment 1 –
(1) Computer Virus Reported
While the virus detection count*1 in December was about 23,000, down 28.2 percent from about 32,000 in November, the virus report count*2 in December was 874, down 20.1 percent from 1,094 in November.
*1 Virus detection count: indicates how many times a specific virus appeared in the reports submitted, or the aggregate virus detection counts for a specific period.
*2 Virus report count: indicates how many reports on a specific virus were submitted. If the same type of viruses were reported by the same person with the same detection day, they are counted as one report regarding the virus of that sort.
* In December, the virus report count, which was obtained by consolidating about 23,000 virus detection reports, was 874.
W32/Netsky marked the highest detection count at about 17,000, followed by W32/Mydoom at about 3,000 and W32/Autorun at about 1,000.
Figure 2-1: Virus Detection Count
Figure 2-2: Virus Report Count
(2) Malicious Programs Detected
For the number of malicious programs detected, we have not seen a rapid increase as marked in
September. This is the same trend as in October and November. (See Figure 2-3)
This sort of malicious program is often contained in an e-mail attachment and distributed, and in
some cases, Bot*3-infected PCs are used for the mail distribution.
Cyber Clean Center (CCC)*4 provides anti-Bot measures as well as online Bot-removal tools. To avoid taking part in the e-mail distribution of malicious programs, check your PC for Bot infection, and then implement infection-prevention measures, including blocking the entry of malicious programs.
<Reference>
“Some hints to prevent BOT infection” (Cyber Clean Center)
https://www.ccc.go.jp/knowledge/ (in Japanese)
*3 A Bot is a program designed to penetrate a computer in the same manner as a computer virus and to allow
the victim's computer to be operated remotely via the network.
*4 Cyber Clean Center is a Bot countermeasure project launched by the Ministry of Internal Affairs and
Communications and the Ministry of Economy, Trade and Industry.
<Reference> What is Cyber Clean Center?
https://www.ccc.go.jp/en_ccc/index.html
Figure 2-3: Malicious Program Detection Count
III. Unauthorized Computer Access Reported (including Consultations) – for more
detail, please refer to Attachment 2 –
Table 3-1: Unauthorized Computer Access Reported (including Consultations)
                              Jul. '10   Aug.   Sep.   Oct.   Nov.   Dec.
Total for Reported (a)              14     18     15     14     14     22
  Damaged (b)                        9     12     10      8      7      7
  Not Damaged (c)                    5      6      5      6      7     15
Total for Consultation (d)          44     56     47     40     45     27
  Damaged (e)                       23     16      8     15     12      7
  Not Damaged (f)                   21     40     39     25     33     20
Grand Total (a + d)                 58     74     62     54     59     49
  Damaged (b + e)                   32     28     18     23     19     14
  Not Damaged (c + f)               26     46     44     31     40     35
(1) Unauthorized Computer Access Reported
The report count for unauthorized computer access in December was 22, 7 of which reportedly involved certain damage.
(2) Unauthorized Computer Access and Other Related Problems Consulted
The consultation count for unauthorized computer access and other related problems was 27 (3 of which were also included in the report count). 7 of them reportedly involved certain damage.
(3) Damages Caused
The breakdown of the damage reports was: intrusion (5); DoS attack (1); malicious code embedded (1).
Damage caused by "intrusion" was: data being stolen (1); a tool to attack external sites being embedded into a Web server, which in turn served as a stepping stone for attacking other sites (1); an account being created in an unauthorized manner (1); and others (2). The causes of the intrusions were: inappropriate settings on the part of a server (2); OS and Web application vulnerabilities being exploited (3).
(4) Damage Instance
[Intrusion]
(i) Our Website was accessed in an unauthorized manner through the exploitation of a
vulnerability in a Web application
Instance
- I found a trace of an unauthorized access made to our Website. A
  Website access log analysis tool detected an abnormal figure,
  indicating such unauthorized access had been made.
- Through the in-depth analysis of that access log, the cause of the
  unauthorized access was found to be an SQL injection attack.
- A Web application in use had a vulnerability to SQL injection attack
  that was exploited by the attacker to attack our Website.
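The log analysis in the instance above, where an "abnormal figure" in the access log led to the SQL injection finding, can be reproduced with a small scanner. The script below is an added example, not the consulter's tool or IPA's: it parses combined-format access log lines, percent-decodes each request (repeatedly, so double-encoded payloads are not missed), matches a few injection indicators and counts hits per source address. The log lines and the addresses in them are constructed samples.

```python
"""Flag SQL-injection probes in Web server access logs.

Added example, not part of the IPA report. It parses Apache/nginx combined
log lines, percent-decodes the request (repeatedly, so double-encoded
payloads are not missed), matches a small set of injection indicators and
counts hits per source address, so one probing host stands out as an
"abnormal figure". SAMPLE_LOG is constructed for the demonstration.
"""
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Indicator name -> regex run over the decoded request target.
INDICATORS = [
    ("union-select", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("tautology", re.compile(r"\b(or|and)\b\s*['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I)),
    ("comment-terminator", re.compile(r"--(\s|$)|/\*")),
    ("schema-probe", re.compile(r"\binformation_schema\b|\bsysobjects\b|\bpg_catalog\b", re.I)),
    ("time-delay", re.compile(r"\b(sleep|benchmark|waitfor)\b", re.I)),
    ("stray-quote", re.compile(r"'")),
]


def decode_target(target: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so %2527 -> %27 -> ' is caught."""
    current = target
    for _ in range(max_rounds):
        decoded = unquote_plus(current)
        if decoded == current:
            break
        current = decoded
    return current


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_request(target: str) -> List[str]:
    """Names of all indicators that match the decoded request target."""
    decoded = decode_target(target)
    return [name for name, rx in INDICATORS if rx.search(decoded)]


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """One finding per request that triggers at least one indicator."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip unparsable lines rather than crash
        hits = classify_request(rec["target"])
        if hits:
            findings.append({"ip": rec["ip"], "time": rec["time"],
                             "status": rec["status"],
                             "target": decode_target(rec["target"]),
                             "indicators": hits})
    return findings


def suspicious_sources(findings: List[Dict[str, object]], min_hits: int = 1) -> Dict[str, int]:
    """Count flagged requests per source IP; these are the ones to look at."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= min_hits}


# Constructed sample log (combined format); 203.0.113.10 is the probing host.
SAMPLE_LOG = [
    '198.51.100.5 - - [03/Dec/2010:10:12:01 +0900] "GET /products?id=15 HTTP/1.1" 200 5120',
    '203.0.113.10 - - [03/Dec/2010:10:13:44 +0900] "GET /products?id=15%27%20OR%201%3D1-- HTTP/1.1" 200 98211',
    '203.0.113.10 - - [03/Dec/2010:10:13:52 +0900] "GET /products?id=15%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 433',
    '203.0.113.10 - - [03/Dec/2010:10:14:03 +0900] "GET /products?id=15%2520AND%2520SLEEP(5) HTTP/1.1" 200 5120',
    '198.51.100.5 - - [03/Dec/2010:10:15:20 +0900] "GET /search?q=winter+coat&order=price HTTP/1.1" 200 2210',
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["status"], f["target"], ",".join(f["indicators"]))
    print("per-source counts:", suspicious_sources(found))
```

The indicators are deliberately few and will miss obfuscated probes; the per-source count, not any single match, is what makes the unusual client visible.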
(ii) From outside, an attack tool was embedded into our server whose settings were incorrect.
As a result, our server was used as a stepping stone for attacking others
Instance
- I confirmed that our server had received an attack from outside and
  that a tool to attack others had been embedded.
- I found that our server had also been used as a stepping stone for
  making a connection to an IRC server.
- Upon inspecting our server, I found incorrect settings on the part of
  the company in charge of its settings.
- The configuration files "/etc/hosts.allow" and "/etc/hosts.deny" that
  control access from other computers had setting errors, making it
  easy for an attacker to break into the server from outside.
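The setting errors named in the instance above are easy to make because tcp_wrappers grants access when neither file matches. The audit script below is an added example, not IPA's or the consulter's: it parses hosts.allow and hosts.deny, reports a missing catch-all deny and wide-open allow entries, and replays the allow-then-deny decision for a given client. The file contents it ships with are constructed samples, and only a subset of tcp_wrappers client patterns is handled.

```python
"""Audit tcp_wrappers access control files (/etc/hosts.allow, /etc/hosts.deny).

Added example, not part of the IPA report. tcp_wrappers consults hosts.allow
first, then hosts.deny, and GRANTS access when neither file matches, so a
missing catch-all "ALL: ALL" in hosts.deny, or a wide-open entry in
hosts.allow, exposes every wrapped service. The file contents below are
constructed samples; IPv6 patterns (which contain ':'), the KNOWN/UNKNOWN/
LOCAL/PARANOID wildcards and shell-command options are not handled.
"""
import ipaddress
import re
from typing import List, NamedTuple


class Rule(NamedTuple):
    daemons: List[str]
    clients: List[str]
    excepted: List[str]        # client patterns listed after EXCEPT


def _tokens(field: str) -> List[str]:
    return field.replace(",", " ").split()


def parse_access_file(text: str) -> List[Rule]:
    """Parse 'daemon_list : client_list [: option]' lines, honouring '#'
    comments and trailing-backslash continuations as tcp_wrappers does."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line, pending = (pending + line).strip(), ""
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue                        # malformed line: skipped, not fatal
        parts = re.split(r"\bEXCEPT\b", fields[1], maxsplit=1)
        excepted = _tokens(parts[1]) if len(parts) > 1 else []
        rules.append(Rule(_tokens(fields[0]), _tokens(parts[0]), excepted))
    return rules


def client_matches(pattern: str, host: str, addr: str) -> bool:
    """Subset of tcp_wrappers client patterns: ALL, .domain suffix,
    dotted address prefix, net/mask or CIDR, exact host or address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):                     # e.g. .corp.example
        return host.lower().endswith(pattern.lower())
    if pattern.endswith("."):                       # e.g. 192.168.1.
        return addr.startswith(pattern)
    if "/" in pattern:                              # e.g. 192.168.1.0/255.255.255.0
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern.lower() in (host.lower(), addr)


def rule_matches(rule: Rule, daemon: str, host: str, addr: str) -> bool:
    if daemon not in rule.daemons and "ALL" not in rule.daemons:
        return False
    if any(client_matches(p, host, addr) for p in rule.excepted):
        return False
    return any(client_matches(p, host, addr) for p in rule.clients)


def decide(daemon: str, host: str, addr: str,
           allow_rules: List[Rule], deny_rules: List[Rule]) -> str:
    """Replay tcp_wrappers' order: allow file, then deny file, then default allow."""
    if any(rule_matches(r, daemon, host, addr) for r in allow_rules):
        return "allow"
    if any(rule_matches(r, daemon, host, addr) for r in deny_rules):
        return "deny"
    return "allow"                                  # the dangerous default


def audit(allow_rules: List[Rule], deny_rules: List[Rule]) -> List[str]:
    """Human-readable findings for the two classic setting errors."""
    findings = []
    default_deny = any("ALL" in r.daemons and "ALL" in r.clients and not r.excepted
                       for r in deny_rules)
    if not default_deny:
        findings.append("hosts.deny: no catch-all 'ALL: ALL'; unmatched connections are allowed")
    for r in allow_rules:
        if "ALL" in r.clients:
            scope = "every daemon" if "ALL" in r.daemons else ", ".join(r.daemons)
            qual = " (narrowed only by EXCEPT)" if r.excepted else ""
            findings.append(f"hosts.allow: {scope} open to ALL clients{qual}")
    return findings


# Constructed samples: a weak pair like the one in the instance above, and a fixed pair.
WEAK_ALLOW = "ALL: ALL\n"
WEAK_DENY = "# nothing denied\n"
FIXED_ALLOW = "sshd: 192.168.1.0/255.255.255.0, \\\n      .corp.example\n"
FIXED_DENY = "ALL: ALL\n"

if __name__ == "__main__":
    for label, a, d in (("weak", WEAK_ALLOW, WEAK_DENY), ("fixed", FIXED_ALLOW, FIXED_DENY)):
        allow, deny = parse_access_file(a), parse_access_file(d)
        print(label, audit(allow, deny) or ["no findings"],
              "| sshd from 203.0.113.9 ->", decide("sshd", "host.example", "203.0.113.9", allow, deny))
```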
IV. Virus and Unauthorized Computer Access related Consultations
The total number of consultations in December was 1,536, 474 of which were related to "One-Click
Billing" (compared to 483 in November); 10 to "Hard Selling of Security Software" (compared to
18 in November); 4 to "Winny" (compared to 8 in November); and 0 to "A Suspicious E-Mail Sent to a
Specific Organization to Collect Specific Information/Data" (compared to 10 in November).
Table 4-1: Total Number of Consultations Handled by IPA over the Past Six Months
                           Jul. '10    Aug.    Sep.    Oct.    Nov.    Dec.
Total                         2,133   2,432   2,102   1,813   1,692   1,536
Automatic Response System     1,142   1,298   1,142   1,065   1,036     954
Telephone                       924   1,053     872     675     580     531
e-mail                           66      75      85      69      72      49
Fax, Others                       1       6       3       4       4       2
* IPA set up the "Worry-Free Information Security Consultation Service" that provides consultation/advice on
computer viruses, unauthorized computer access, problems related to Winny, as well as overall information
security.
E-mail address: [email protected]
Tel.: +81-3-5978-7509 (24-Hour Automatic Response; Consultations are provided by IPA Security Center personnel and available from Mon. – Fri., 10:00 – 12:00, 13:30 – 17:00)
Fax: +81-3-5978-7518 (24-Hour Automatic Response)
* "Automatic Response System": Numbers responded to by the automatic response system
* "Telephone": Numbers responded to by Security Center personnel
* Total Number includes the number in the Consultation (d) column in Table 3-1, "III. Unauthorized Computer
Access Reported (including Consultations)".
Figure 4-1: Number of the "One-Click Billing" Cases Consulted
Major consultation instances are as follows:
(i) I received an e-mail from my ISP, saying "Your PC is carrying out an activity that
violates a copyright"
What was consulted
I received an e-mail from my ISP, saying "An activity that violates a copyright
is being carried out by a terminal that can only be logged on to with your login
ID."
Response
Judging from the contents of the e-mail from that provider, aren't you
using file-sharing software such as Winny? If you are sure you haven't
installed it, it is possible that someone else in your family has installed it.
As far as the violation of a copyright is concerned, there is nothing we can
advise, but if you are using file-sharing software such as Winny, your PC
might be infected with a virus, which might result in information leakage.
Since January 1, 2010, the Police Agency has been monitoring file-sharing
networks and there has been a report of a person being arrested for violating
a copyright. So if you have something on your mind, you should promptly take
appropriate steps.
<Reference>
IPA - To Prevent Information Leakage Caused by Winny
http://www.ipa.go.jp/security/topics/20060310_winny.html (in Japanese)
(ii) Infected with a USB-thumb-drive-based virus
What was consulted
After I inserted a USB thumb drive into my notebook running antivirus
software whose renewal deadline had passed, I became unable to access
the Websites of Microsoft and Symantec, etc.
When I inserted that USB thumb drive into a PC running valid antivirus
software, a virus called "W32.Downadup" was detected.
When I asked the manufacturer of my notebook to check for it, I was
recommended to perform initialization, but I want to avoid it as far as
possible.
Response
W32.Downadup is a virus that exploits vulnerabilities in Windows, and it has
been confirmed to use USB thumb drives as its infection route. If you
had extended the deadline of the antivirus software running on your
notebook, you would have been able to avoid the virus-infection. Apparently,
access to the Websites of Microsoft and Symantec, etc. is obstructed by this
virus.
By updating your antivirus software, you might be able to clean that virus,
but if that does not work, it is recommended to perform initialization.
<Reference>
"Are Vulnerabilities in Your PC Eliminated?" (the February 2009 issue by IPA)
http://www.ipa.go.jp/security/english/virus/press/200901/E_PR200901.html
V. Access Status Captured by the Internet Fixed-Point Monitoring System (TALOT2) in December
According to the Internet Fixed-Point Monitoring System (TALOT2), 81,226 unwanted (one-sided) accesses were observed at ten monitoring points in December 2010 and the total number of sources* was 37,550. This means that, on average, 290 accesses from 134 sources were observed at one monitoring point per day. (See Figure 5-1)
*Total number of sources: indicates how many sources in total were observed by TALOT2. If multiple accesses
from the same source were observed at the same monitoring point/port on the same day, they are considered one access from the specific source on that day.
Since the environment of each monitoring point for TALOT2 is equivalent to that of a general Internet connection, an equal number of such accesses are thought to be made in Internet users' system environments.
* For maintenance work, we shut down the systems from December 22 to December 24. Therefore, the statistical
information was derived from the data excluding those three days. Normally, the systems are in operation at all
times.
Figure 5-1: Daily, Averaged Number of Unwanted (One-Sided) Accesses and Sources at the Same Monitoring Point/Port per Month (From July 2010 to December 2010)
Figure 5-1 shows the daily averaged number of unwanted (one-sided) accesses and sources at the same monitoring point/port per month (from July 2010 to December 2010). As shown in this figure, the number of unwanted (one-sided) accesses increased in December compared to November.
Figure 5-2 shows the December-over-November comparison results for the number of unwanted (one-sided) accesses, classified by destination (port type). As shown in this figure, compared to the November level, there was a particular increase in the number of accesses to 445/tcp.
Access to 445/tcp has been on the increase, as in the previous month, and the increase in the number of accesses from the U.S. and Japan contributed to the increase in the overall figure (See Figure 5-3).
Figure 5-2: December-over-November Comparison for the Number of Accesses by Destination (Port Type)
Figure 5-3: Access to 445/tcp
(1) Access Reports for the Year 2010
Figure 5-4 shows the daily averaged number of unwanted (one-sided) accesses and sources at the same monitoring point/port per month (from January 2010 to December 2010). Looking at the number of unwanted (one-sided) accesses, it has been on the decrease since the end of January, except for April, June and September, which marked increases; by the end of the year, the number had fallen to about half of the January level.
Figure 5-4: Daily, Averaged Number of Unwanted (One-Sided) Accesses and Sources at the
Same Monitoring Point/Port per Month (From January 2010 to December 2010)
Figure 5-5 shows the breakdown of the number of accesses by destination (port type) (from January 2010 to December 2010). As shown in this figure, access to 445/tcp, which occupied a large portion at the beginning of the year, has been decreasing significantly, ending up as about half of the December accesses.
Figure 5-5: Breakdown of the Number of Accesses by Destination (Port Type) (From January
2010 to December 2010)
Figure 5-6 shows the year-2009-over-year-2010 comparison results for the number of unwanted
(one-sided) accesses, classified by destination (port type). As shown in this figure, access to 445/tcp,
17500/udp and 9415/tcp has been on the increase from the 2009 level, with 445/tcp marking an
increase of 30,000, 17500/udp about 40,000 and 9415/tcp about 20,000. On the other hand,
access to 135/tcp, Ping (ICMP) and 2967/tcp has been on the decrease, with 135/tcp marking a
decrease of about 210,000, Ping (ICMP) with about 60,000 and 2967/tcp with about 30,000.
Figure 5-6: Year-2009-over-Year-2010 Comparison for the Number of Accesses for each
Destination (Port Type)
One characteristic of the accesses to TALOT2 observed in 2010 was a significant increase
in the number of accesses to 17500/udp and 9415/tcp. As for 17500/udp, access was made from
multiple IP addresses within the same segment at regular intervals against a single monitoring point
for TALOT2. Upon inspecting this access, we confirmed the existence of an application that sends
broadcasts to 17500/udp, so this is considered one of the causes of such access. What was thought to
be from multiple IP addresses turned out to be from one PC sending a variable broadcast to the
monitoring point for TALOT2 at each start-up. Because the rest of the monitoring points were
configured to prevent broadcasts from reaching the terminal, such access was not detected there.
As for 9415/tcp, a software program with a proxy feature that is posted on a Website in China was
found to listen on this port. It is possible that a person with malicious intent was searching
for PCs where this software program is installed so that he could use them as stepping stones to carry out
attacks against Web servers, etc.
Figure 5-7 shows monthly variation in the number of unwanted (one-sided) accesses to 17500/udp
(from January 2010 to December 2010).
Figure 5-8 shows monthly variation in the number of unwanted (one-sided) accesses to 9415/tcp.
Figure 5-7: Access to 17500/udp
Figure 5-8: Access to 9415/tcp
For more detailed information, please also refer to the following URLs:
Attachment_3: Observations by the Internet Fixed-Point Monitoring System (TALOT2) http://www.ipa.go.jp/security/english/virus/press/201012/documents/TALOT2-1012.pdf
A variety of statistical information provided by other organizations/vendors is available at the following sites:
JPCERT/Coordination Center (CC): http://www.jpcert.or.jp/english/
@police: http://www.cyberpolice.go.jp/english/
Council of Anti-Phishing Japan: http://www.antiphishing.jp/ (in Japanese)
Symantec: http://www.symantec.com/
Trendmicro: http://us.trendmicro.com/us/home/
McAfee: http://www.mcafee.com/us/
Inquiries to:
IT Security Center, Information-technology Promotion Agency, Japan (IPA/ISEC) Kagaya /Hanamura /Miyamoto/Furukawa Tel.: +81-3-5978-7591 Fax: +81-3-5978-7518
E-mail: