1. For General Internet End-Users

In the Internet Monitoring (TALOT2), unwanted (one-sided) access in August totaled 497,340 cases across 10 monitoring points: a single monitoring point captured about 1,604 accesses from about 439 sources per day.

The environment at each TALOT2 monitoring point is nearly the same as a general user's Internet connection, so general Internet users can be assumed to receive the same amount of unwanted (one-sided) access. In other words, on average your computer receives 3 to 4 accesses considered unauthorized from each of 440 unknown people every day.

Chart 1: Number of Unwanted (One-sided) Access and Source Number of Access at 1 Monitoring Point/Day

Chart 1 shows the number of accesses and the source number of access per monitoring point per day from April to August, 2005. Apart from May, both the number of accesses and the source number of access stay at almost the same level, so the situation can be said to be stable.

2. Accessing Status in August

Unauthorized accesses that may target vulnerabilities in Windows remain numerous. Most of them are likely sent by computers infected with certain worms. Given that the kind of worm called a bot is currently spreading, the worms making these accesses are probably bots.

Accesses to ports 135 (TCP) and 445 (TCP), which are especially numerous, may target legacy vulnerabilities in Windows. Most of these accesses originate from domestic sources, so bot infection within the country is assumed to be spreading.

System administrators should check their servers for vulnerabilities and be sure to keep them up to date at all times.

General computer users should keep their own computers up to date to prevent bot infection. We also encourage them to make effective use of anti-virus software, etc.
The shift in the number of accesses classified by destination (kind of port) in August, 2005 is shown in Chart 2.1.1. Accesses to ports 135 (TCP), 445 (TCP) and 139 (TCP) remain numerous.

Second, the shift in the source number of access classified by destination (kind of port) is shown in Chart 2.1.2. Here, the source number of access classified by destination (kind of port) means the number of sources (source IP addresses) accessing a specific destination (kind of port).

For ports 135 (TCP) and 445 (TCP), the source number of access is large, as is the number of accesses. However, the same source address may access multiple destinations, so please note that the source number shown on the vertical axis of Chart 2.1.2 does not equal the actual number of sources.

The difference between Chart 2.1.1 and Chart 2.1.2 is much like the difference between the number of detections and the number of reports in virus detection/filing: the number of accesses in Chart 2.1.1 indicates the threat of actual accesses, while the source number in Chart 2.1.2 indicates the status of the infected computers (the sources) that cause those accesses.
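
The two measures described above, and the caveat that per-port source counts cannot simply be added up, can be reproduced on a small log. The following Python is an added example, not part of the IPA release: the log format, the function names `parse` and `summarize`, and the sample records (documentation-range addresses) are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample records: date, source IP, protocol, destination port.
# Addresses come from documentation ranges; this is not TALOT2 data.
SAMPLE_LOG = """\
2005-08-01 192.0.2.10 TCP 135
2005-08-01 192.0.2.10 TCP 135
2005-08-01 192.0.2.10 TCP 445
2005-08-01 198.51.100.7 TCP 445
2005-08-01 198.51.100.7 TCP 445
2005-08-01 203.0.113.5 TCP 139
2005-08-01 203.0.113.5 UDP 1026
2005-08-02 192.0.2.10 TCP 445
malformed line
"""

def parse(log_text):
    """Yield (day, source, 'port (PROTO)') tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[3].isdigit():
            continue
        day, src, proto, port = fields
        yield day, src, f"{port} ({proto.upper()})"

def summarize(log_text):
    """Count accesses and distinct sources per destination (kind of port)."""
    accesses = Counter()         # number of accesses per destination
    sources = defaultdict(set)   # distinct source addresses per destination
    all_sources = set()          # distinct source addresses overall
    for _day, src, dest in parse(log_text):
        accesses[dest] += 1
        sources[dest].add(src)
        all_sources.add(src)
    per_port = {dest: len(addrs) for dest, addrs in sources.items()}
    return {
        "accesses": dict(accesses),
        "sources": per_port,
        # A source that touches several ports is counted once per port here,
        # so this sum overstates the real number of sources.
        "sum_of_per_port_sources": sum(per_port.values()),
        "actual_sources": len(all_sources),
    }

if __name__ == "__main__":
    r = summarize(SAMPLE_LOG)
    for dest, n in sorted(r["accesses"].items(), key=lambda kv: -kv[1]):
        print(f"{dest:12} accesses={n} sources={r['sources'][dest]}")
    print("sum of per-port sources:", r["sum_of_per_port_sources"])
    print("actual distinct sources:", r["actual_sources"])
```

In the sample, one address accesses both 135 (TCP) and 445 (TCP) and another accesses both 139 (TCP) and 1026 (UDP), so the per-port source counts sum to more than the number of distinct sources.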
Chart 2.2.1 and Chart 2.2.2 show the ratio of the number of accesses classified by destination (kind of port) and the ratio of the source number of access classified by destination (kind of port).

Chart 2.3.1 and Chart 2.3.2 show the day-to-day shift in the number of accesses classified by destination and the shift in the source number of access classified by destination.

For further reference, this press release also gives the ratio of the number of accesses to each destination port, classified by source area, in “4.2. From Where and What Type of Access is Coming?” in this document.

Charts 2.4.1 to 2.4.4 focus on the accesses that were numerous from April to August and show their shift classified by source area.

2.1 Accessing Status for the Unwanted (One-sided) Access in August, 2005

Chart 2.1.1: Unwanted (One-sided) Accessing Status (Number of Access) in August, 2005

Chart 2.1.2: Unwanted (One-sided) Accessing Status (Source Number of Access) in August, 2005

In August, 2005, Chart 2.1.1 and Chart 2.1.2 indicate that accesses to port 445 (TCP) tended to increase from the latter half of the month (see the red dotted line in Chart 2.1.1). In addition, the source number of access to ports 135 (TCP) and 445 (TCP) also tended to increase (see the blue dotted line in Chart 2.1.2).

2.2 Ratio Classified by Destination (Kind of Port) in August, 2005

Chart 2.2.1: Ratio in Number of Access Classified by Destination (Kind of Port) in August, 2005

Chart 2.2.2: Ratio in Source Number of Access Classified by Destination (Kind of Port) in August, 2005

2.3 Accessing Status Classified by Source Area in August, 2005

Chart 2.3.1: Shift in Number of Access Classified by Source Area in August, 2005

Chart 2.3.2: Shift in Source Number of Access Classified by Source Area in August, 2005

As also indicated in “2.1 Accessing Status”, the main cause of the increase in access to port 135 (TCP) appears to be increased access from domestic sources. In addition, the increase in access to port 445 (TCP) appears to be caused by increased access from domestic sources as well as from the China area.

2.4 Shift in Movement for Access Classified by Source Area of Access from April to August

The following charts focus on the accesses that were numerous from April to August, 2005 and show their shift classified by source area. The accesses covered are those to destination ports 135 (TCP), 445 (TCP), 139 (TCP) and 1433 (TCP). Most of these accesses can be considered to target vulnerabilities in Windows computers and to come from bot-type worms.

Chart 2.4.1: Shift in Movement for Number of Access to the Port 135 (TCP) Classified by Source Area

Chart 2.4.2: Shift in Movement for Number of Access to the Port 445 (TCP) Classified by Source Area

Chart 2.4.3: Shift in Movement for Number of Access to the Port 139 (TCP) Classified by Source Area

Accesses to port 139 (TCP) from the Korea, Hong Kong and Taiwan areas have been increasing since June 5, 2005; the tendency continued in August.

Chart 2.4.4: Shift in Movement for Number of Access to the Port 1433 (TCP) Classified by Source Area

Accesses to port 1433 (TCP) have stabilized (become regular).

3. Statistic Information

3.1 Ratio in Destination (Kind of Port) from April to August, 2005

Chart 3.1.1: Ratio in Number of Access Classified by Destination (Kind of Port) from April to August

Chart 3.1.2: Ratio in Source Number of Access Classified by Destination (Kind of Port) from April to August, 2005

3.2 Ratio Classified by Source Area from April to August, 2005

Chart 3.2.1: Ratio in Number of Access Classified by Source Area from April to August, 2005

Chart 3.2.2: Ratio in Source Number of Access Classified by Source Area from April to August, 2005

4. Other Statistics Information

4.1. Statistics Classified by Time from April to August, 2005

Chart 4.1.1 shows the statistics, classified by time, for the number of accesses classified by destination (kind of port) from April to August. Chart 4.1.2 shows the same statistics for August, 2005.

Chart 4.1.1: Statistics for the Number of Access Classified by Destination (Kind of Port) Shift in Time from April to August, 2005

Chart 4.1.2: Statistics for the Number of Access Classified by Destination (Kind of Port) Shift in Time for August, 2005

4.2. From Where and What Type of Access is Coming?

The ratio of the number of accesses classified by destination (kind of port), by source area, for August, 2005 is shown in Charts 4.2.1 to 4.2.11. They make clear how the destinations (kinds of port) accessed differ from one source area to another. The graphs in Charts 4.2.2 to 4.2.11 list the destinations (kinds of port) in the same order as the overall graph in Chart 4.2.1, so for some source areas there are destinations (kinds of port) with 0 accesses. Please note in advance that such destinations (kinds of port) are marked with an “x” in the chart.

The destinations (kinds of port) shown in these graphs do not plainly indicate the status in each source area; however, the source areas differ, and many of them show a large number of accesses to specific destinations, forming a certain pattern for each area.

Chart 4.2.1: Ratio in Number of Access Classified by Destination (Kind of Port) in August, 2005

The meaning of each destination (kind of port) is described below for your reference.

135 (TCP) | Default port for Microsoft Windows Remote Procedure Call (RPC). Widely known as a target of unauthorized access (ex. W32/MSBlaster, etc.) exploiting the vulnerability (MS03-026) in RPC. |
445 (TCP) | Well-known target of unauthorized access against insufficiently protected file (network) sharing and of unauthorized access (ex. W32/Sasser, etc.) exploiting specific vulnerabilities in Windows 2000. |
139 (TCP) | Well-known target of unauthorized access against insufficiently protected file (network) sharing. |
1026 (UDP)/1027 (UDP) | Known for being used to send pop-up (spam) messages through the Microsoft Windows Messenger Service, which is different from MSN Messenger. |
Ping (ICMP) | Used to check whether a target computer is running. Known to be exploited by W32/Welchia, etc. to search for target computers for unauthorized access. |
1433 (TCP) | Default port for Microsoft SQL Server; accessed to search for computers on which SQL Server is running. Also a well-known target of unauthorized access exploiting a vulnerability in SQL Server. |
137 (UDP) | Port for NETBIOS, exploited to connect to (intrude into) a computer via NETBIOS. |
4899 (TCP) | Well-known target of unauthorized access exploiting a vulnerability in RAdmin, a remote-operation tool. RAdmin is an application used to operate a number of computers remotely. |
1434 (UDP) | Well-known target of unauthorized access (W32/SQL Slammer, etc.) exploiting a vulnerability in Microsoft SQL Server. |

Chart 4.2.2: Ratio in Number of Access Classified by Destination (Kind of Port) from Domestic in August, 2005

Chart 4.2.3: Ratio in Number of Access Classified by Destination (Kind of Port) from China Area in August, 2005

For accesses to ports 1026 (UDP) and 1027 (UDP) from the China area, the source number of access is very small; a few specific source addresses made a large number of accesses. For further details of these accesses, please refer to last month's press release.
http://www.ipa.go.jp/security/english/virus/press/200507/TALOT200507.html

Chart 4.2.4: Ratio in Number of Access Classified by Destination (Kind of Port) from Korea Area in August, 2005

Chart 4.2.5: Ratio in Number of Access Classified by Destination (Kind of Port) from Hong Kong Area in August, 2005

Chart 4.2.6: Ratio in Number of Access Classified by Destination (Kind of Port) from U.S.A. Area in August, 2005

Chart 4.2.7: Ratio in Number of Access Classified by Destination (Kind of Port) from Taiwan Area in August, 2005

Chart 4.2.8: Ratio in Number of Access Classified by Destination (Kind of Port) from India Area in August, 2005

Chart 4.2.9: Ratio in Number of Access Classified by Destination (Kind of Port) from Brazil Area in August, 2005

Chart 4.2.10: Ratio in Number of Access Classified by Destination (Kind of Port) from Canada Area in August, 2005

Chart 4.2.11: Ratio in Number of Access Classified by Destination (Kind of Port) from Germany Area in August, 2005