
Press Release

Jan 18, 2011 Information-technology Promotion Agency, Japan

Computer Virus/Unauthorized Computer Access Incident Report - December 2010 -

This is the summary of computer virus/unauthorized computer access incident report for December 2010, compiled by Information-technology Promotion Agency, Japan (IPA).

I. Reminder for this Month

"Remember that even now computer viruses are evolving and apply updates consistently" *1

*1 The 6th IPA Information Security Poster & Slogan Competition for Students (Conducted in fiscal 2010), Bronze Prize in

the Slogan Category for High School Students: Mr. Shogo Hayashi (2nd grade student of Rikkyo Niiza High School, in

Saitama, Japan)

In 2010, various information-security-related events occurred, including a large number of PCs being infected with a virus merely by browsing legitimate Websites; computer-virus creators being arrested; and information leakage occurring successively. Typical examples of such cases are:

- A number of legitimate Websites were defaced, ranging from those of leading companies to personal blogs. As a result, PC users visiting those sites contracted computer viruses (from January to December).

- Information leakage by means of unauthorized access (March, September, November, December), and man-made leakage of sensitive information (October, November)

- Recapture of a virus creator (August), and the first arrest of a person for fraud committed through the exploitation of a computer virus (May)

- A number of Website alterations associated with political problems with neighboring countries (regardless of public or private sector) (September)

Furthermore, techniques for attacking PC users have become more multifaceted.

In this report, we look back at what happened in 2010 and provide commentary on, and countermeasures against, the following three immediate information security threats:

(1) Transition of attack method involving "Drive-by Download"*2

(2) Transition of fraudulent technique

(3) Information security threats concerning Smart Phone

We also consider the direction of information security threats (i.e., attack method) for the year 2011.

*2 "Watch out for 'Drive-by Download' attack in which PCs are infected with a virus only by browsing a Website" (the

December 2010 issue by IPA)

http://www.ipa.go.jp/security/english/virus/press/201011/E_PR201011.html

Figure 1-1: Various Forms of Virus-Infection and Threats


(1) Transition of Attack Method Involving "Drive-By Download"

Looking at the information security incidents (i.e., incidents and accidents related to information security) that occurred in 2010, the sophistication of the "Drive-by Download" attack stood out. This attack method, also used by the so-called "Gumblar"*3, has become the mainstream method for infecting PCs with a virus in recent years.

To prevent damage caused by a "Drive-by Download" attack, you need to understand the three elements that make up the attack, each of which has been evolving: (i) how it guides PC users to a malicious Website, (ii) how it alters a legitimate Website and (iii) how it infects PCs with a virus. The remainder of this section explains these three items in turn.

*3 "Let’s learn the mechanism of Gumblar and take appropriate countermeasures" (the February 2010 issue by IPA)

http://www.ipa.go.jp/security/english/virus/press/201001/E_PR201001.html

(i) How it guides PC users to a malicious Website

In the past, it was thought that one could avoid the risk of contracting a virus as long as one did not browse a suspicious Website on one's own. Recently, however, a legitimate Website might also be altered by an attacker to carry out a "Drive-by Download" attack.

To guide PC users to such a Website, the attacker may, for example, manipulate Search Engine Optimization (SEO) - a technique to improve a Web site's ranking in a keyword search result list - to place a Website that carries out a "Drive-by Download" attack at the top of the search result list (See Figure 1-2). In this case, PC users, without noticing that this is a trapping link, might click on it, which leads them to a malicious Website. Such Websites are removed from the candidates for the search result list if detected during the monitoring process of a search site. But if it takes a long time for those sites to be removed, heavy damage might result.

Figure 1-2: Image of Exploitation of SEO

(ii) How it alters a legitimate Website

In September 2010, a case was confirmed in which not a Website itself but its components had been altered by an attacker. The targeted components were advertising banners and other components that were provided by external providers to enterprises, etc. for their Websites and, apparently, the attackers had embedded operation code for guiding site visitors to a malicious Website into the data area of those components. In this new method*4, the attackers broke into the servers of the Website component providers and altered the data stored on them. By 2009, a typical Website alteration technique had been SQL injection, but since 2009, unauthorized access by an attacker stealing an FTP account has frequently been observed (as in the case of Gumblar*5). In both cases, "operation code" for guiding site visitors to a malicious Website was embedded into Web pages.

*4 "Watch out for 'Drive-by Download' attack in which PCs are infected with a virus only by browsing a Website" (the

December 2010 issue by IPA)

http://www.ipa.go.jp/security/english/virus/press/201011/E_PR201011.html

*5 "Review how your Website is managed!" (the April 2010 issue by IPA)

http://www.ipa.go.jp/security/english/virus/press/201003/E_PR201003.html

(iii) A Virus-infection from a malicious Website

In 2010, the following methods were used for virus-infection in "Drive-by Download" attacks:

- Exploitation of vulnerabilities in application software - Adobe Reader, Flash Player, JRE, etc.

- Exploitation of a vulnerability in Windows – a vulnerability in Windows Shell (MS10-046) was exploited. In this new attack*6, PCs are infected with a virus only by opening the folder containing a doctored short-cut file (lnk file).

*6 "A virus has emerged that spreads via USB thumb drive with a new attack method!" (the September 2010

issue by IPA)

http://www.ipa.go.jp/security/english/virus/press/201008/E_PR201008.html

How to prevent it

Nowadays, even specialists cannot identify which Websites infect visitors' PCs with a virus. For this reason, one cannot prevent virus-infection only by exercising caution in browsing Websites. As shown in (iii), various vulnerabilities are exploited by attackers to cause virus-infection. So it is essential for you to eliminate vulnerabilities in the OS and application software running on your PC. Apart from this, it is also effective to install "Integrated Antivirus Software" that can block access to harmful Websites and to keep it up-to-date. Collecting information on vulnerabilities in OSs and application software on a daily basis should help you respond appropriately in the event of a contingency.

IPA provides, free of charge, "MyJVN Version Checker" – an easy-to-use tool that allows PC users

to check whether software products installed on their PC are the latest versions.

For the Website containing this tool, about one million accesses are made every month on

average (hitting a record high of about four million in January 2010), indicating that it has been used

regularly by PC users. Since November 2010, Windows 7 has also been supported.

<Reference>

"MyJVN Version Checker" (IPA)

http://jvndb.jvn.jp/apis/myjvn/#VCCHECK (in Japanese)

(2) Transition of Fraudulent Technique

The recent trend is that attackers deceive PC users by means of spoofing. So far, various forms of fraudulent techniques have been observed, including Spam e-mails spoofed as seasonal greeting cards, and exploitation of popular Web services, including Social Networking Services (e.g., mixi, Facebook), Micro-blog services (e.g., Twitter) and user-generated video sites (e.g., YouTube). This section explains the mechanism of these fraudulent techniques.

(i) An Attack that Exploits Popular Services


Attackers use services and functions within SNS and deceive PC users by using the following techniques:

- Posting an article that provokes one's desires and induces PC users to click on the trapping link contained in it

  For example, using Twitter, an attacker may tweet: "xxx is now available free of charge!", "Chance to get a gift card which is worth 1,000 dollars!" etc. to induce PC users to click on the trapping link contained in those articles. Those who click on that link are guided to a phishing Website or a Website that infects site visitors' PCs with a virus.

- Exploiting the abbreviated URL*7 service

  This is a service for converting a long URL beginning with "http://" to a shorter one. Abbreviated URLs are often used for Micro-blogs, which only allow a limited number of characters to be entered. They are convenient, but they are also being used by attackers to guide PC users to a malicious Website, as their original URLs are hidden from the eyes of those users.

*7 "Watch out for an attack that focuses on a popular service!" (the May 2010 issue by IPA)

http://www.ipa.go.jp/security/english/virus/press/201004/E_PR201004.html

(ii) An Attack that Exploits E-mails (A Virus Attached to an E-mail)

In this attack, the attacker sends an e-mail spoofed as one from a friend/acquaintance of the recipient or as one containing useful information on a commercial product that seems beneficial to the recipient. These e-mails typically carry a URL that guides the recipient to a Website that causes a virus-infection, or an attachment file containing a virus. If the recipient clicks on that link or opens that file, his PC is infected with a virus. He might do this without careful consideration as he believes that this was an e-mail from his acquaintance or one containing useful information related to him.

Contents of such e-mails can be attractive information for the recipients (e.g., information on international sports events, popular games, or commercial products manufactured by enterprises; or information containing keywords in fashion).

How to prevent it

As for the above-mentioned attack, in most cases, a technique to put PC users off their guard was

applied. Even if it seems to be a "tempting offer", if you think that the message or the e-mail

itself is unrelated to you, you should leave it as it is or delete it immediately. And even if it

was a tweet/message/e-mail from your acquaintance, if you find anything suspicious, you

should doubt it and refrain from opening the file attached to it or from clicking any URLs

contained in it. As for abbreviated URLs, you can learn original URLs by using a tool or service

designed to convert abbreviated URLs into original ones and to display them.

Collecting information from news sites and other sources on a daily basis should help you grasp

the mechanism of new fraud techniques and establish preventive measures.

(3) Information security threats concerning Smart Phone

Smart Phone is a type of mobile phone that has become popular now. For Smart Phone, several vulnerabilities have been detected in its OS, along with some viruses that infect it. The number of Smart Phone users is expected to rise in the future, and so are attacks targeted at Smart Phone.


(i) Case examples of attacks

Several viruses that infect Smart Phone have been detected. Attackers embed such viruses in system update files or in application software that pretends to be useful, to induce Smart Phone users to download them. Major vulnerability information and case examples of virus-infection are as follows:

iPhone (Apple iOS)

- A vulnerability in PDF-file processing has been detected; a vulnerability has been detected that allows for the elevation of privilege.

- A virus has been detected that changes wallpapers. This virus infects iPhones whose protection feature is disabled (so-called Jail Break).

Android (Google Android)

- A vulnerability was detected in Android's standard Web browser that allows attackers to steal its users' information. Files stored in the body of Smart Phone or memory cards might also be stolen.

- A virus has been detected in Russia that exploits a billing function for Short Message Service (i.e., a service that allows an e-mail with a small number of characters to be exchanged among mobile phones). Under the pretense of video-replay software, it induces mobile phone users to install it. If infected, that mobile phone sends SMS mails on its own. Abroad, there is a pay-as-you-go SMS e-mailing system, so attackers, by having the virus-infected mobile phones send SMS mails, can fraudulently obtain the money paid by the phone users.

- A virus has been detected that sends the phone user's location information to external parties in an unauthorized manner. This virus is spoofed as ordinary application software and distributed from Android Market – a Website that sells and distributes application software for Android terminals.

How to prevent it

To avoid contracting a virus, as in the case of PCs, mobile phone users should eliminate

vulnerabilities. Keep up-to-date OSs and application software running on your PC. It is also

important to acquire application software only from a reliable site.

Apple iOS

Applications for Apple iOS are available only from Apple's official site "App Store". The

applications acquired from App Store allow their users to check if any updates are available

and to apply a centrally-managed update. It is recommended for application users to check

them regularly. Users should not disable iOS's protection feature (i.e., Jail Break).

Google Android

As for applications for Google Android, you should acquire them only from Android Market or

other sites that allow you to check if any updates are available and to apply a

centrally-managed update; you should avoid acquiring them from personal sites or

unreliable sites. When acquiring such applications from non-Android Markets, it is

recommended to first check for any negative reputations concerning those applications, by

conducting a keyword search with their names on the Internet. In order to avoid installing a

low-reliability application, make sure that the check box "Allows applications from an

unknown source to be installed" is unchecked.

(4) Foresight for the Year 2011


The above-mentioned three threats are expected to pose an increased threat in the future. Foresight

for these threats is as follows:

Attack method involving "Drive-by Download"

As a way to directly guide site visitors to a malicious Website, SEO poisoning*8 is expected to be

used frequently in the future. This is because the Internet users tend to carry out a keyword

search in the first place. If SEO is manipulated by an attacker so that a link to a malicious

Website is displayed in a keyword search result list, PC users might click on it, which would

result in a virus-infection. In the future, a technique to more efficiently spread a virus would

emerge with greater sophistication. So it is important to keep an eye out for new information

available. Whenever any vulnerability is brought to light, it is exploited by attackers and this

trend would remain unchanged in the future. Depending on the vulnerability identified, a new

attack method might be developed and a new virus with a new infective form might also emerge.

*8 SEO poisoning: A technique that causes a link to a malicious Website to be displayed in a keyword search result list by exploiting the mechanism of SEO.

Fraudulent technique

Due to the rise of PC users' security awareness and advanced countermeasures taken by ISPs

against SPAM e-mails, attackers have come to use not only SPAM e-mails but also Social

Networking Service. This trend is expected to continue for some time in the future.

Information security threats concerning Smart Phone

As in the case of PCs, "Drive-by Download" attack is expected to be carried out frequently

through the exploitation of vulnerabilities in Smart Phone.

Depending on the virus with which Smart Phone is infected, personal information stored in the

address book might be leaked; or its user might be defrauded of his money or suffer other

immense damages.


II. Computer Virus Reported – for more details, please refer to Attachment 1 –

(1) Computer Virus Reported

While the virus detection count*1 in December was about 23,000, down 28.2 percent from about 32,000 in November, the virus report count*2 in December was 874, down 20.1 percent from 1,094 in November.

*1 Virus detection count: indicates how many times a specific virus appeared in the reports submitted, or the aggregate virus detection counts for a specific period.

*2 Virus report count: indicates how many reports on a specific virus were submitted. If the same type of viruses were reported by the same person with the same detection day, they are counted as one report regarding the virus of that sort.

* In December, the virus report count, which was obtained by consolidating about 23,000 virus detection reports, was 874.

W32/Netsky marked the highest detection count at about 17,000, followed by W32/Mydoom at about 3,000 and W32/Autorun at about 1,000.

Figure 2-1: Virus Detection Count

Figure 2-2: Virus Report Count


(2) Malicious Programs Detected

For the number of malicious programs detected, we have not seen a rapid increase like the one marked in September. This is the same trend as in October and November. (See Figure 2-3)

This sort of malicious program is often contained in an e-mail attachment and distributed, and in some cases, Bot*3-infected PCs are used for the mail distribution.

Cyber Clean Center (CCC)*4 provides anti-Bot measures as well as online Bot-removal tools. To avoid taking part in the e-mail distribution of malicious programs, check your PC for Bot infection, and then implement infection-prevention measures, including blocking the entry of malicious programs.

<Reference>

“Some hints to prevent BOT infection” (Cyber Clean Center)

https://www.ccc.go.jp/knowledge/ (in Japanese)

*3 Bot is designed to penetrate into a computer in the same manner as that of a computer virus and to remotely

operate the victim's computer via the network.

*4 Cyber Clean Center is a Bot countermeasure project launched by the Ministry of Internal Affairs and

Communications and the Ministry of Economy, Trade and Industry.

<Reference> What is Cyber Clean Center?

https://www.ccc.go.jp/en_ccc/index.html

Figure 2-3: Malicious Program Detection Count


III. Unauthorized Computer Access Reported (including Consultations) – for more detail, please refer to Attachment 2 –

Table 3-1: Unauthorized Computer Access Reported (including Consultations)

                            Jul. '10   Aug.   Sep.   Oct.   Nov.   Dec.
Total for Reported (a)            14     18     15     14     14     22
  Damaged (b)                      9     12     10      8      7      7
  Not Damaged (c)                  5      6      5      6      7     15
Total for Consultation (d)        44     56     47     40     45     27
  Damaged (e)                     23     16      8     15     12      7
  Not Damaged (f)                 21     40     39     25     33     20
Grand Total (a + d)               58     74     62     54     59     49
  Damaged (b + e)                 32     28     18     23     19     14
  Not Damaged (c + f)             26     46     44     31     40     35

(1) Unauthorized Computer Access Reported

The report count for unauthorized computer access in December was 22, 7 of which reportedly had certain damages.

(2) Unauthorized Computer Access and Other Related Problems Consulted

The consultation count for unauthorized computer access and other related problems was 27 (3 of which were also included in the report count). 7 of them reportedly had certain damages.

(3) Damages Caused

The breakdown of the damage reports was: intrusion (5); DoS Attack (1); Malicious code embedded (1).

Damages caused by "intrusion" were: data being stolen (1); a tool to attack external sites being embedded into a Web server, which in turn served as a stepping stone for attacking other sites (1); an account being created in an unauthorized manner (1); and others (2). The causes of the intrusion were: inappropriate settings on the part of a server (2); OS and Web application vulnerability being exploited (3).


(4) Damage Instance

[Intrusion]

(i) Our Website was accessed in an unauthorized manner through the exploitation of vulnerability in a Web application

Instance

- I found a trace of an unauthorized access made to our Website. A Website access log analysis tool detected an abnormal figure, indicating such unauthorized access had been made.

- Through the in-depth analysis of that access log, the cause of the unauthorized access was found to be SQL injection attack.

- A Web application in use had a vulnerability to SQL injection attack that was exploited by the attacker to attack our Website.
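The kind of access-log review described in this instance can be sketched as follows. This is an added example, not the tool used in the reported case: it parses Common Log Format lines, URL-decodes each query string twice to undo double encoding, and flags requests whose parameters match a few SQL injection signatures. The log lines, addresses and rule set are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Illustrative signatures only; a production rule set would be broader.
RULES = [
    ("union-select", re.compile(r"\bunion\b.{0,40}\bselect\b", re.I)),
    ("tautology", re.compile(r"'?\s*\bor\b\s*'?\d+'?\s*=\s*'?\d+", re.I)),
    ("trailing-comment", re.compile(r"(--|/\*)\s*$")),
    ("stacked-statement",
     re.compile(r";\s*(select|insert|update|delete|drop)\b", re.I)),
]


def decode_query(target):
    """Return the query string decoded twice (catches forms such as %2527)."""
    query = urlsplit(target).query
    for _ in range(2):
        query = unquote_plus(query)
    return query


def scan(lines):
    """Return one finding per log line whose query matches at least one rule."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = decode_query(m.group("target"))
        hits = [name for name, rx in RULES if rx.search(query)]
        if hits:
            findings.append({"ip": m.group("ip"),
                             "status": int(m.group("status")),
                             "query": query,
                             "rules": hits})
    return findings


def by_source(findings):
    """Count flagged requests per client address."""
    return dict(Counter(f["ip"] for f in findings))


# Constructed sample log (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.23 - - [12/Dec/2010:10:01:07 +0900] "GET /item.php?id=42 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [12/Dec/2010:10:02:11 +0900] "GET /item.php?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 48211',
    '203.0.113.9 - - [12/Dec/2010:10:02:13 +0900] "GET /item.php?id=-1+UNION+SELECT+1,2,3-- HTTP/1.1" 500 312',
    '192.0.2.77 - - [12/Dec/2010:10:05:40 +0900] "GET /item.php?id=7%2527%2520or%25201%253D1 HTTP/1.1" 200 5120',
    '198.51.100.23 - - [12/Dec/2010:10:06:02 +0900] "GET /search.php?q=color+selection HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ip"], f["status"], f["rules"], f["query"])
```

Signature matches only show where to look; the fix for the vulnerability itself is in the Web application's query handling.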

(ii) From outside, an attack tool was embedded into our server whose settings were incorrect. As a result, our server was used as a stepping stone for attacking others

Instance

- I confirmed that our server had received an attack from outside and that a tool to attack others had been embedded.

- I found that our server had also been used as a stepping stone for making a connection to an IRC server.

- Upon inspecting our server, I found incorrect settings on the part of the company being in charge of its settings.

- The configuration files "/etc/hosts.allow" and "/etc/hosts.deny" that control accesses from other computers had setting errors, making it easy for an attacker to break into the server from outside.
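The report does not say what the setting errors were. As an added example, not taken from the reported server, the following sketch models the TCP Wrappers decision order (a match in hosts.allow grants access, otherwise a match in hosts.deny refuses it, otherwise access is granted) and audits a pair of files for a missing catch-all deny. It handles only the `ALL` wildcard, exact addresses, trailing-dot prefixes and net/mask patterns; the file contents and addresses are constructed.

```python
import ipaddress
import re


def parse_rules(text):
    """Parse 'daemon_list : client_list' lines; return (rules, skipped_lines)."""
    rules, skipped = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            skipped.append(line)  # no ':' separator, so the line forms no rule
            continue
        daemons = [t for t in re.split(r"[\s,]+", fields[0]) if t]
        clients = [t for t in re.split(r"[\s,]+", fields[1]) if t]
        rules.append((daemons, clients))
    return rules, skipped


def client_matches(pattern, ip):
    """Simplified client matching: ALL, '10.1.' prefix, net/mask, exact address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    if "/" in pattern:
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(ip) in net
    return pattern == ip


def decide(daemon, ip, allow_text, deny_text):
    """Return (verdict, deciding file) in TCP Wrappers order: allow, deny, default."""
    for verdict, name, text in (("allow", "hosts.allow", allow_text),
                                ("deny", "hosts.deny", deny_text)):
        rules, _ = parse_rules(text)
        for daemons, clients in rules:
            if (daemon in daemons or "ALL" in daemons) and any(
                    client_matches(c, ip) for c in clients):
                return verdict, name
    return "allow", "default"  # nothing matched in either file


def audit(allow_text, deny_text):
    """Return warnings for settings that leave the host open by default."""
    warnings = []
    for name, text in (("hosts.allow", allow_text), ("hosts.deny", deny_text)):
        rules, skipped = parse_rules(text)
        warnings += [f"{name}: line ignored (no ':'): {s!r}" for s in skipped]
        catch_all = any("ALL" in d and "ALL" in c for d, c in rules)
        if name == "hosts.allow" and catch_all:
            warnings.append("hosts.allow: 'ALL: ALL' admits every client")
        if name == "hosts.deny" and not catch_all:
            warnings.append("hosts.deny: no 'ALL: ALL', unmatched clients are allowed")
    return warnings


# Constructed file contents (not the reported server's configuration).
WEAK_ALLOW = "sshd: 192.168.1. 10.0.0.0/255.255.255.0\n"
WEAK_DENY = "# deny everything else\nALL ALL\n"  # separator missing
FIXED_DENY = "# deny everything else\nALL: ALL\n"

if __name__ == "__main__":
    print(decide("sshd", "203.0.113.7", WEAK_ALLOW, WEAK_DENY))
    print(decide("sshd", "203.0.113.7", WEAK_ALLOW, FIXED_DENY))
    print(audit(WEAK_ALLOW, WEAK_DENY))
```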


IV. Virus and Unauthorized Computer Access related Consultations

The total number of consultations in December was 1,536, of which 474 were related to "One-Click Billing" (compared to 483 in November); 10 to "Hard Selling of Security Software" (compared to 18 in November); 4 to "Winny" (compared to 8 in November); 0 to "A Suspicious E-Mail Sent to a Specific Organization to Collect Specific Information/Data" (compared to 10 in November).

Table 4-1: Total Number of Consultations Handled by IPA over the Past Six Months

                            Jul. '10   Aug.   Sep.   Oct.   Nov.   Dec.
Total                          2,133  2,432  2,102  1,813  1,692  1,536
  Automatic Response System    1,142  1,298  1,142  1,065  1,036    954
  Telephone                      924  1,053    872    675    580    531
  e-mail                          66     75     85     69     72     49
  Fax, Others                      1      6      3      4      4      2

* IPA set up "Worry-Free Information Security Consultation Service" that provides consultation/advice for computer virus, unauthorized computer access, problems related to Winny as well as overall information security.

E-mail address: [email protected]

Tel.: +81-3-5978-7509 (24-Hour Automatic Response; Consultations are provided by IPA Security Center personnel and available from Mon. – Fri., 10:00 – 12:00, 13:30 – 17:00)

Fax: +81-3-5978-7518 (24-Hour Automatic Response)

* "Automatic Response System": Numbers responded by automatic response

* "Telephone": Numbers responded by the Security Center personnel

* Total Number includes the number in the Consultation (d) column in the Table 3-1, "III. Unauthorized Computer Access Reported (including Consultations)".

Figure 4-1: Number of the "One-Click Billing" Cases Consulted


Major consultation instances are as follows:

(i) I received an e-mail from my ISP, saying "Your PC is carrying out an activity that violates a copyright"

What was consulted

I received an e-mail from my ISP, saying "An activity that violates a copyright is being carried out by a terminal that can only be logged on with your login ID."

Response

Assuming from the contents of the e-mail from that provider, aren't you using file-sharing software such as Winny? If you are sure you haven't installed it, it is possible that someone else in your family has installed it.

As far as the violation of a copyright is concerned, there is nothing we can advise, but if you are using file-sharing software such as Winny, your PC might be infected with a virus, which might result in information leakage.

Since January 1, 2010, the Police Agency has been monitoring file-sharing networks and there has been a report of a person being arrested for violating a copyright. So if you have something in your mind, you should promptly take appropriate steps.

<Reference>

IPA - To Prevent Information Leakage Caused by Winny

http://www.ipa.go.jp/security/topics/20060310_winny.html (in Japanese)

(ii) Infected with a USB-thumb-drive-based virus

What was consulted

After I inserted a USB thumb drive into my notebook running antivirus software whose renewal deadline had passed, I became unable to access Websites of Microsoft and Symantec, etc.

When I inserted that USB thumb drive into a PC running valid antivirus software, a virus called "W32.Downadup" was detected.

When I asked the manufacturer of my notebook to check for it, I was recommended to perform initialization, but I want to avoid it as far as practicable.

Response

W32.Downadup is a virus that exploits vulnerabilities in Windows and it has been confirmed to use USB thumb drives as its infection route. If you had extended the deadline of the antivirus software running on your notebook, you would've been able to avoid the virus-infection. Apparently, access to the Websites of Microsoft and Symantec, etc. is obstructed by this virus.

By updating your antivirus software, you might be able to clean that virus, but if that does not work, it is recommended to perform initialization.

<Reference>

"Are Vulnerabilities in Your PC Eliminated?” (the February 2009 issue by IPA)

http://www.ipa.go.jp/security/english/virus/press/200901/E_PR200901.html


V. Access Status Captured by the Internet Fixed-Point Monitoring System (TALOT2) in December

According to the Internet Fixed-Point Monitoring System (TALOT2), 81,226 unwanted (one-sided) accesses were observed at ten monitoring points in December 2010 and the total number of sources* was 37,550. This means that on average, 290 accesses from 134 sources were observed at one monitoring point per day. (See Figure 5-1)

*Total number of sources*: indicates how many sources in total were observed by TALOT2. If multiple accesses from the same source were observed at the same monitoring point/port on the same day, they are considered one access from the specific source on that day.

Since the environment of each monitoring point for TALOT2 is equivalent to that of general Internet connection, an equal number of such accesses are thought to be made in the Internet users’ system environment.

* For maintenance work, we shut down the systems from December 22 to December 24. Therefore, the statistical information was derived from the data excluding that of these three days. Normally, the systems are in operation at all times.
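The counting rule and the maintenance exclusion described above can be checked with a short script. This is an added example, not IPA's own tooling: the sample records, the monitoring-point names and the assumption that the December averages are taken over the 28 days the systems were running are all constructed here.

```python
from collections import Counter
from datetime import date

# Constructed sample records: (day, monitoring point, source IP, destination).
# Documentation-range addresses; none of this is TALOT2 data.
SAMPLE = [
    (date(2010, 12, 1), "mp01", "192.0.2.10", "445/tcp"),
    (date(2010, 12, 1), "mp01", "192.0.2.10", "445/tcp"),    # repeat: same source/point/port/day
    (date(2010, 12, 1), "mp01", "192.0.2.10", "135/tcp"),    # same source, different port
    (date(2010, 12, 1), "mp02", "192.0.2.10", "445/tcp"),    # same source, different point
    (date(2010, 12, 2), "mp01", "192.0.2.10", "445/tcp"),    # same source, next day
    (date(2010, 12, 2), "mp01", "198.51.100.7", "17500/udp"),
    (date(2010, 12, 23), "mp01", "203.0.113.5", "445/tcp"),  # inside the maintenance window
]

# Days the report excludes because the systems were shut down.
MAINTENANCE = {date(2010, 12, d) for d in (22, 23, 24)}
OPERATING_DAYS = 31 - len(MAINTENANCE)  # assumption: averages use these 28 days


def summarize(records, excluded_days=frozenset()):
    """Return (accesses, total sources, accesses per port).

    Every record counts as one access. A source is counted once per
    (day, monitoring point, port), as in the report's footnote.
    """
    accesses = 0
    sources = set()
    by_port = Counter()
    for day, point, src, port in records:
        if day in excluded_days:
            continue
        accesses += 1
        by_port[port] += 1
        sources.add((day, point, port, src))
    return accesses, len(sources), by_port


def daily_average_per_point(monthly_total, points, days=OPERATING_DAYS):
    """Average a monthly total over monitoring points and operating days."""
    return round(monthly_total / (points * days))


if __name__ == "__main__":
    print(summarize(SAMPLE, MAINTENANCE))
    # The report's December totals over ten monitoring points:
    print(daily_average_per_point(81226, 10), daily_average_per_point(37550, 10))
```

With the report's totals, dividing by ten monitoring points and 28 operating days gives the stated 290 accesses and 134 sources per point per day.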

Figure 5-1: Daily, Averaged Number of Unwanted (One-Sided) Accesses and Sources at the Same Monitoring Point/Port per Month (From July 2010 to December 2010)

Figure 5-1 shows the daily average number of unwanted (one-sided) accesses and sources at the same monitoring point/port per month (from July 2010 to December 2010). As shown in this figure, the number of unwanted (one-sided) accesses increased in December compared to November.

Figure 5-2 shows the December-over-November comparison for the number of unwanted (one-sided) accesses, classified by destination (port type). As shown in this figure, compared to the November level, there was a particular increase in the number of accesses to 445/tcp.

Access to 445/tcp has been on the increase, as in the previous month, and the increase in the number of accesses from the U.S. and Japan contributed to the increase in the overall figure (See Figure 5-3).

Figure 5-2: December-over-November Comparison for the Number of Accesses by Destination (Port Type)

Figure 5-3: Access to 445/tcp

(1) Access Reports for the Year 2010

Figure 5-4 shows the daily average number of unwanted (one-sided) accesses and sources at the same monitoring point/port per month (from January 2010 to December 2010). The number of unwanted (one-sided) accesses decreased from the end of January onward, except in April, June and September, which marked increases, and by the end of the year the number had fallen to about half of the January level.

Figure 5-4: Daily, Averaged Number of Unwanted (One-Sided) Accesses and Sources at the Same Monitoring Point/Port per Month (From January 2010 to December 2010)

Figure 5-5 shows the breakdown of the number of accesses by destination (port type) (from January 2010 to December 2010). As shown in this figure, access to 445/tcp, which occupied a large portion at the beginning of the year, has been decreasing significantly, ending up with half of the December accesses.

Figure 5-5: Breakdown of the Number of Accesses by Destination (Port Type) (From January 2010 to December 2010)

Figure 5-6 shows the year-2009-over-year-2010 comparison for the number of unwanted (one-sided) accesses, classified by destination (port type). As shown in this figure, access to 445/tcp, 17500/udp and 9415/tcp has been on the increase from the 2009 level, with 445/tcp marking an increase of 30,000, 17500/udp about 40,000 and 9415/tcp about 20,000. On the other hand, access to 135/tcp, Ping (ICMP) and 2967/tcp has been on the decrease, with 135/tcp marking a decrease of about 210,000, Ping (ICMP) about 60,000 and 2967/tcp about 30,000.

Figure 5-6: Year-2009-over-Year-2010 Comparison for the Number of Accesses for each Destination (Port Type)

One characteristic of the accesses to TALOT2 observed in 2010 was a significant increase in the number of accesses to 17500/udp and 9415/tcp. As for 17500/udp, access was made from multiple IP addresses within the same segment at regular intervals against a single TALOT2 monitoring point. Upon inspecting this access, we confirmed the existence of an application that sends broadcasts to 17500/udp, so this is considered one of the causes of such access. What was thought to be from multiple IP addresses turned out to be from one PC sending a variable broadcast to the TALOT2 monitoring point at each startup process. Because the rest of the monitoring points were configured to prevent broadcasts from reaching the terminal, such access was not detected there.

As for 9415/tcp, a software program with a proxy feature that is posted on a Website in China was found to be waiting on this port for connections. It is possible that a person with malicious intent was searching for PCs on which this software program is installed so that he could use them as a stepping stone to carry out an attack against a Web server, etc.

Figure 5-7 shows monthly variation in the number of unwanted (one-sided) accesses to 17500/udp (from January 2010 to December 2010).

Figure 5-8 shows monthly variation in the number of unwanted (one-sided) accesses to 9415/tcp.

Figure 5-7: Access to 17500/udp

Figure 5-8: Access to 9415/tcp

For more detailed information, please also refer to the following URLs:

Attachment_3: Observations by the Internet Fixed-Point Monitoring System (TALOT2) http://www.ipa.go.jp/security/english/virus/press/201012/documents/TALOT2-1012.pdf

A variety of statistical information provided by other organizations/vendors is available at the following sites:

JPCERT/Coordination Center (CC): http://www.jpcert.or.jp/english/

@police: http://www.cyberpolice.go.jp/english/

Council of Anti-Phishing Japan: http://www.antiphishing.jp/ (in Japanese)

Symantec: http://www.symantec.com/

Trendmicro: http://us.trendmicro.com/us/home/

McAfee: http://www.mcafee.com/us/

Inquiries to:

IT Security Center, Information-technology Promotion Agency, Japan (IPA/ISEC) Kagaya /Hanamura /Miyamoto/Furukawa Tel.: +81-3-5978-7591 Fax: +81-3-5978-7518

E-mail: