This is an observation status report from the Internet Monitoring System (TALOT2) for October 2007, compiled by IPA.
1. To the General Internet Users
In the Internet Monitoring System (TALOT2), unwanted (one-sided) access in October totaled 278,497 cases across 10 monitoring points: on average, one monitoring point captured about 898 unwanted (one-sided) accesses from about 233 sources per day.

The environment of each monitoring point in TALOT2 is nearly the same as a general user's Internet connection, so general Internet users can be assumed to receive the same amount of unwanted (one-sided) access. In other words, on average your computer is accessed 4 times each by 233 unknown people (sources) every day, and these accesses can be considered unauthorized.

Chart 1.1: Unwanted (One-sided) Number of Access and Source Number of Access/Monitoring Point/Day in Average

Chart 1.1 shows the average number of unwanted (one-sided) accesses and the average number of sources per monitoring point per day from May to October 2007. According to this chart, both increased slightly from September.
2. Accessing Status in October
The number of accesses in October 2007 increased slightly compared with August and September. The cause was accesses to ports 135/tcp and 445/tcp, which seemed to target the vulnerability in Windows.

2.1. The Access Targeting Vulnerability in Windows
Accesses to ports 135/tcp and 445/tcp seemed to target previously publicized vulnerabilities in Windows such as MS03-026, MS04-011, etc.; nevertheless, these ports are still accessed frequently. Nowadays, most of these accesses seem to come from computers already infected by a bot and to be aimed at spreading the bot infection further.

Most of the sources were in Japan (see Chart 2.1.1). In addition, a single source was seen accessing ports 135/tcp and 445/tcp several to hundreds of times concurrently (see Chart 2.1.2). From this, it can be said that a number of computers infected by bots remain in Japan.

Chart 2.1.1: Ratio in Number of Access to the Ports 135/tcp and 445/tcp Classified by Source Area in October 2007

Chart 2.1.2: Unwanted (One-sided) Accessing Status (Number of Access) to the Ports 135/tcp and 445/tcp in October 2007
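
The per-source view described in section 2.1 can be reproduced on your own firewall or sensor logs. The following is an added example, not IPA's or TALOT2's code: the log format (date, time, monitoring point, source address, protocol, destination port), the sample records and the threshold of 5 are all assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Ports the report singles out in section 2.1.
WATCHED = {("tcp", 135), ("tcp", 445)}

# Constructed sample records (not TALOT2 data), one unsolicited inbound access per line:
# date time monitoring_point source_ip protocol destination_port
SAMPLE_LOG = "\n".join(
    [f"2007-10-01 00:00:{i:02d} mp01 192.0.2.10 tcp {135 if i % 2 else 445}"
     for i in range(12)]
    + ["2007-10-01 00:01:00 mp01 198.51.100.7 tcp 445",
       "2007-10-01 00:02:00 mp02 203.0.113.5 udp 1026",
       "2007-10-01 00:03:00 mp02 203.0.113.5 tcp 22",
       "2007-10-02 00:00:00 mp01 198.51.100.7 tcp 135",
       "malformed line"]
)


def parse_line(line):
    """Return (day, point, src, proto, port), or None for a malformed record."""
    fields = line.split()
    if len(fields) != 6 or not fields[5].isdigit():
        return None
    day, _time, point, src, proto, port = fields
    return day, point, src, proto.lower(), int(port)


def summarize(log_text, threshold=5):
    """Tally accesses per destination port and per source; flag repeat sources.

    threshold is an assumed cut-off for "several" accesses from one source in a day.
    """
    by_port = Counter()         # "135/tcp" -> number of accesses
    watched_hits = Counter()    # (day, src) -> accesses to 135/tcp or 445/tcp
    sources = defaultdict(set)  # (point, day) -> distinct source addresses
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue            # skip records that do not parse
        day, point, src, proto, port = rec
        by_port[f"{port}/{proto}"] += 1
        sources[(point, day)].add(src)
        if (proto, port) in WATCHED:
            watched_hits[(day, src)] += 1
    repeaters = sorted(k for k, n in watched_hits.items() if n >= threshold)
    return {"by_port": by_port, "watched_hits": watched_hits,
            "sources": {k: len(v) for k, v in sources.items()},
            "repeaters": repeaters}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A source that appears in `repeaters` from inside your own address space is a candidate for the bot-removal procedure listed in the referential information.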
2.2. Accessing Status from Initial Monitoring up to Current
It has been 3 years and 4 months since Internet monitoring (TALOT2) was initiated: currently, both the number of accesses and the number of sources are tending to decrease moderately. There may be several reasons for the decrease; the major reason is the decrease in worm viruses. It seems that the significant infection damage caused by worm viruses that target vulnerabilities in Windows, such as W32/SQLSlammer, W32/MSBlaster, W32/Welchia or W32/Sasser, has lessened.

Chart 2.2.1: Unwanted (One-sided) Number of Access and Source Number of Access/Monitoring Point/Day from June 2004 to October 2007

The infection damage has lessened because distribution of such viruses is decreasing and because adequate security measures (installation of anti-virus software, application of security patches, etc.) have spread among both corporate and individual users at various levels. In addition, the anti-spam/anti-virus mail measures provided by the respective Internet providers also help to prevent infection damage. This is also supported by the decreases in the reported number of viruses and the detected number of viruses in the monthly computer virus report published by IPA.

However, accesses considered to come from bots are now increasing in place of worm viruses. As explained in Section 2.1 of this document, accesses from Japan are still significant; it can be considered that a number of bot viruses remain in Japan. Accordingly, it can be assumed that when a new vulnerability in application software, including Windows, is publicized, such accesses will also increase.

Both the number of accesses and the number of sources decreased from May to September 2007; however, they increased slightly in October. As Chart 2.2.2 shows, such accesses decreased for a while but then increased again, so this trend may be repeated in the future.

Chart 2.2.2: Unwanted (One-sided) Number of Access and Source Number of Access/Monitoring Point/Day in Average from June to October 2007

Accordingly, all users should check vulnerability information to see whether the application software they are using, including Windows, has any vulnerability, and should always keep their computers up to date. When checking, follow your system administrator's instructions.
<Referential Information>
Information relevant to the new worm “W32/SQLSlammer” (in Japanese)
http://www.ipa.go.jp/security/ciadr/vul/20030126ms-sql-worm.html
Information relevant to “W32/MSBlaster” (in Japanese)
http://www.ipa.go.jp/security/topics/newvirus/msblaster.html
Information relevant to “W32/Welchia” (in Japanese)
http://www.ipa.go.jp/security/topics/newvirus/welchi.html
Information relevant to the new worm “W32/Sasser” (in Japanese)
http://www.ipa.go.jp/security/topics/newvirus/sasser.html
Brochure for anti-bot measures (pdf file 2.06 MB)
http://www.ipa.go.jp/security/english/virus/antivirus/pdf/Bot_measures_eng.pdf

Cyber Clean Center: the collaboration project between the Ministry of Internal Affairs and Communications (MIC) and the Ministry of Economy, Trade and Industry (METI)
https://www.ccc.go.jp/en_index.html
Procedure for removing a bot (in Japanese)
https://www.ccc.go.jp/flow/index.html
Procedure for using Microsoft Update and Windows Update (Microsoft)
http://www.microsoft.com/protect/computer/updates/mu.mspx
2.3. Accessing Status from Initial Monitoring up to Current
Chart 2.3.1 shows the shift in unwanted (one-sided) accessing status (number of access) and Chart 2.3.2 shows the shift in unwanted (one-sided) accessing status (source number of access) in October 2007.

Chart 2.3.1: Unwanted (One-sided) Accessing Status (Number of Access) in October 2007

Chart 2.3.2: Unwanted (One-sided) Accessing Status (Source Number of Access) in October 2007

2.4. Ratio Classified by Destination (by Port) in October 2007
Chart 2.4.1 shows the Ratio in Unwanted (One-sided) Number of Access Classified by Destination (by Port) and Chart 2.4.2 shows the Ratio in Unwanted (One-sided) Source Number of Access Classified by Destination (by Port) in October 2007.

Chart 2.4.1: Ratio in Number of Access Classified by Destination (Port Type) in October 2007

Chart 2.4.2: Ratio in Source Number of Access Classified by Destination (Port Type) in October 2007

2.5. Accessing Status Classified by Source Area in October 2007
Chart 2.5.1 shows the shift in Unwanted (One-sided) Number of Access Classified by Source Area and Chart 2.5.2 shows the Ratio in Unwanted (One-sided) Number of Access Classified by Source Area in October 2007.

Chart 2.5.1: Shift in Number of Access Classified by Source Area in October 2007

Chart 2.5.2: Ratio in Number of Access Classified by Source Area in October 2007

Chart 2.5.3 shows the shift in Unwanted (One-sided) Source Number of Access and Chart 2.5.4 shows the ratio in Unwanted (One-sided) Source Number of Access Classified by Source Area in October 2007.

Chart 2.5.3: Shift in the Source Number of Access Classified by Source Area in October 2007

Chart 2.5.4: Ratio in Source Number of Access Classified by Source Area in October 2007

3. Statistic Information
3.1. Ratio in Destination (by Port) from May to October 2007
Chart 3.1.1 shows the Ratio in Number of Access Classified by Destination (by Port) and Chart 3.1.2 shows the Ratio in Source Number of Access Classified by Destination (by Port) from May to October 2007.
Chart 3.1.1: Ratio in the Number of Access Classified by Destination (Port Type) from May to October 2007

Chart 3.1.2: Ratio in the Source Number of Access Classified by Destination (Port Type) from May to October 2007

3.2. Ratio in Source Area from May to October 2007
Chart 3.2.1 shows the Ratio in Number of Access Classified by Source Area and Chart 3.2.2 shows the Ratio in Source Number of Access Classified by Source Area from May to October 2007.

Chart 3.2.1: Ratio in Number of Access Classified by Source Area from May to October 2007

Chart 3.2.2: Ratio in Source Number of Access Classified by Source Area from May to October 2007

4. Supplementary Explanations
The following are explanations of the destinations (port types) that were remarkably accessed (in-bound, out-bound or both) in October 2007.
| Kind of Port | Interpretations |
|---|---|
| 135 (TCP) | This is the default port for Microsoft Windows Remote Procedure Call (RPC) and is known for unauthorized computer accesses (W32/MSBlaster, etc.) that target the vulnerability (MS03-026) relevant to RPC. |
| 445 (TCP) | Known for accesses to file sharing (network sharing) that has not been well protected, and for unauthorized computer accesses (W32/Sasser, etc.) that target vulnerabilities specifically in Windows 2000. |
| 1026 (UDP) / 1027 (UDP) | Known for sending popup (spam) messages by exploiting the Microsoft Windows Messenger service, which is different from MSN Messenger. |
| Ping (ICMP) | Ping is originally used to check whether another party's computer is in operation, and is known for being used by W32/Welchia, etc. to search for target computers for unauthorized access. |
| 1433 (TCP) | This is the default port for Microsoft SQL Server; accesses to it search for computers on which SQL Server is in operation. The port is also known for unauthorized computer access activities that target vulnerabilities in SQL Server. |
| 139 (TCP) | Known for accesses targeting file sharing (network sharing) that has not been well protected; generally, these are likely to be accesses targeting vulnerabilities in Windows. |
| 2967 (TCP) | This is the default port used by Symantec Client Security and Symantec AntiVirus. This time, the accesses seemed to target a vulnerability in these products. |
| 1434 (UDP) | Known for unauthorized access, etc. targeting a vulnerability in Microsoft SQL Server (W32/SQLSlammer, etc.). |
| 22 (TCP) | Accesses that target SSH (Secure Shell: a command execution tool whose security is strengthened by encrypting its communication path) in order to intrude into a system by a password cracking attack. |