
Joint Workshop on Security 2008,

Anti-Bot Countermeasures in

- Introducing Cyber Clean Center -

25 March 2008, Telecom-ISAC Japan Planning and Coordination Division

K. Arimura

Copyright©2004-2008 Telecom-ISAC Japan. All Rights Reserved.

What is Telecom-ISAC Japan?

https://www.telecom-isac.jp/

• Japan's first ISAC, established in July 2002.
• Members, including telecommunications carriers, collect, analyze and share information and take timely measures to ensure trouble-free and stable operations of services.

Members (the companies in green are ISPs and carriers):
Pres.: KDDI Corp.
VPs: NTT Communications Corp., NIFTY Corp.
Members: NEC Corp., SOFTBANK TELECOM Corp., Internet Initiative Japan Inc., Matsushita Electric Industrial Co., Ltd., SOFTBANK BB Corp., Matsushita Electric Works, Ltd., NIPPON TELEGRAPH AND TELEPHONE EAST Corp., NIPPON TELEGRAPH AND TELEPHONE WEST Corp., NTT VISUAL COMMUNICATIONS Corp., KDDI R&D Laboratories, NEC BIGLOBE, Ltd., NIPPON TELEGRAPH AND TELEPHONE Corp.
Alliance members: Little eArth Corporation Co., Ltd., Intec NetCore Inc., Trend Micro Inc., IBM Japan Co., Ltd./ISS
Observers: Ministry of Internal Affairs and Communications, National Institute of Information and Communications Technology, etc.

• Cooperative activities and information sharing are centered on working groups.
• The color of T-ISAC-J activities is reflected in the WGs.

Main activities of WGs:
• Responses to DDoS attacks
• Wide area monitoring
• Monitoring of BGP routing information
• Measures to counter Antinny
• Research and investigation of infection by botnets in Japan
• Measures to counter bot programs / Operation of the website CCC, etc.

Anti-bot Measures

The Anti-bot Measures Project was launched in December 2006.

• Our portal site: Cyber Clean Center https://www.ccc.go.jp/
• Promotion and collaboration among 2 ministries (MIC and METI).
• Organized by Telecom-ISAC Japan, JPCERT/CC and IPA.
• Co-operation with 65 ISPs who are ISAC members (currently) and antivirus vendors in the anti-bot measures workflow.
• From FY 2006 to 2010
• Main objectives:
  - To reduce the number of bot-infected users
  - To make removal tools that specialize in bots that are widespread in Japan
  - To provide specimens to security vendors participating in the project.

Bots in Japan: Survey Results

• About 80% of malware programs observed on Japanese telecom networks are classified as bot programs. 【Estimate from the results of studies by T-ISAC-J and JPCERT/CC in 2005】
• The estimated infection rate is 2%-2.5%, equivalent to 400k - 500k people (computers). 【Estimate from the results of studies by T-ISAC-J and JPCERT/CC in 2005】
• It takes about 4 minutes on average for an unprotected PC to be infected when connected to the Internet. 【From experiments conducted by T-ISAC-J and JPCERT/CC in 2005】
• About 100 types of bots are captured in our honey-pot as unknown types per day. 【Number of bot programs with unique hash captured by CCC】

And:
• It was revealed that traffic caused by botnets or viruses tops 300Mbps per IP.
• A total of around 10Gbps of traffic from Japanese IP addresses is wasted by botnets. (SPAM mail traffic via botnets is not included.)

Why Countermeasures against Bot-infected Users?

Herder (originator) → C&C server (IRC server) → Bot (Bot-infected PC)

What should countermeasures target?

Herders (×):
• Herders are difficult to locate.
• Dealing with herders is the work of law enforcement agencies. ("Yes, it is LEA's job!")
• It is believed to fall outside the scope of ISP operations.

C&C servers (×):
• Servers are located mainly outside Japan.
• In some countries, C&C servers are subject to monitoring in order to capture criminals.
• The situation is like a cat-and-mouse game, since new C&C servers will appear after current servers are eliminated.
• Nevertheless, we want to eliminate C&C servers in Japan.

Bot-infected PCs (○): ("The reason we are here!" "Yes, WE can take care of this!")
• Detect bot-infected PCs in order to contact and alert the PC users about bot infection, and urge them to take steps for bot-removal.
• Users must know how to prevent re-infection and increase their knowledge level regarding bots.
• Make it harder to be infected by bots in Japan so that users can connect their PCs to the Internet at ease.
• It is absolutely necessary to use HoneyPots to collect bots and locate infected PCs!

Workflow for Countermeasures against Bot-infected Users

[Workflow diagram: honeypots, Cyber Clean Center, ISP, bot-infected PCs (users of participating ISPs), bot-infected PCs (general users), countermeasures website and disclosure website]

① Infection activities: bot-infected PCs (users of participating ISPs) attack the honey-pots over the Internet.
② Detection of infection activities; capture of bot analytes (specimens), which are passed to analysis.
③ Preparation of bot removal tools.
④ Requesting identification of infected PCs (Cyber Clean Center → ISP).
⑤ Identifying infected PCs (ISP).
⑥ Sending e-mail alerting about infection and urging removal of bots [Reference 2].
⑦ Accessing the countermeasures website [Reference 3].
⑧ Downloading the bot-removal tools.

Analytes and related information are also published on the disclosure website [Reference 1]; bot-infected PCs of general users access the disclosure website and download the bot-removal tools.

Roles of Three Organizations

Cyber Clean Center Steering Committee (CCC-SC)

Three groups under the CCC-SC, each organized by one of the participating organizations:
• Bot countermeasure system operation group
• Bot countermeasure program analysis group
• Bot infection prevention promotion group

[Diagram of the flow between the groups:]
• Super honeypots capture bot specimens from the Internet; the bot specimens are collected.
• Analysis of bot specimens → removal tool creation (CCC Cleaner) → operation test of removal tool → removal tool provided to the bot-removal tool distribution site.
• Bot specimens are shared with security vendors; anti-virus products are updated to provide protection, and pattern files are provided to anti-virus customers.
• ISPs send notification of bot infection to infected users; infected users and general users obtain the removal tool from the distribution site.

CCC Public Site (Image) [Reference 1]

Website for the public: http://www.ccc.go.jp/ (Japanese version and English version)

Security Alert E-mail Text (Image) [Reference 2]

Subject: [Important] Request to remove a malicious program (BOT)

Dear Mr. Taro Anshin,

Thank you for using Anshin-Net. My name is ○○ of the security team.

The Cyber Clean Center (hereafter CCC), a joint project of the Ministry of Internal Affairs and Communications and the Ministry of Economy, Trade and Industry, has notified our company that communications associated with infection activity from a bot (BOT)*1-infected user were detected, and has asked us to guide the infected user to remove the BOT.

Accordingly, based on the information from CCC, we checked which OCN line was carrying out the infection activity, and it turned out to be the line under your contract (customer number "${ISP_CUSTOMER_ID}").

A bot is a highly malicious virus that not only spreads infection to other customers but may also leak information from your PC to the outside.

Therefore, please access the bot countermeasures site below and, following the procedure on the site, remove the bot and take steps to prevent recurrence. When you have completed the response, please press the "countermeasures completed" button on the site so that we can confirm the status of your response. We appreciate your cooperation.

■ Bot (BOT) countermeasures site
━━━━━━━━━━━━━━━━━━━━━━
https://taisaku.ccc.go.jp/7a4ckxkk3hakf2mf77t9c9iz9
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
| After taking countermeasures, please be sure to report completion on the site.
| If no completion report is received, we may send this notice again.

(remainder omitted)

[Annotations on the image: the path in the URL is a Tracking ID given to each user; clicking it leads to the countermeasures site.]

CCC Countermeasures Site [Reference 3]

[Screenshots of the countermeasures site, reached via the Tracking ID from the alert e-mail]

【Step 1】 and 【Step 2】: site pages (images).
[Step 3] Results of running the cleaner are displayed and sent to CCC:
① Survey: number of files searched, number of files infected by viruses
② Bot-removal status: number of files cleaned, number of files not cleaned
③ List of malware causing infection
[Sending Results of Running CCC Cleaner]

Results of CCC's Activities, Dec. 2006 - Jan. 2008 (except for some data)

① Total number of specimens collected: 6,534,844 [Specimens, such as bot programs (binary files), are collected from among the countless attacks on the "honey-pot."]
② Number of unique specimens: 159,683 [Since a number of the specimens collected are the same, those that are identical in size and external characteristics are removed to separate unique specimens (binary files).]
③ Number of unknown specimens: 8,377 [Unique specimens are examined using commercial anti-virus software, then those that are undetectable are separated.]
④ Number of specimens reflected in removal tools: 6,915 [Unknown specimens are analyzed to create bot-removal tools for those that are high-risk and currently infecting many PCs.]
⑤ Bot-removal tools (CCC Cleaner) updated: 53 times [Bot-removal tools are updated every week.]
⑥ Security alerts: 197,035 times; number of recipients: 48,391 [This is the number of security alerts that cooperating ISPs provided to infected users.]
⑦ Ratio of security alert recipients who download bot-removal tools: 30%

Total downloads of removal tools: 284,100

[Diagram of the flow: 1 analysis of source PCs attacking the super honeypots, infected by bot programs; 2 isolation; 3 analysis of programs; 4 making removal tool; 5 infected PCs' IP list sent to the ISP; 6 security alert e-mail; 7 access to the countermeasures site; 8 download of the removal tool]
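The specimen funnel above (collected → unique → unknown → reflected in tools) and the alert statistics, as an added example in Python that is not CCC's own code. It assumes SHA-256 of the captured file as the stand-in for "identical in size and external characteristics", a constructed set of hashes already detected by anti-virus, and a made-up threshold for "currently infecting many PCs".

```python
import hashlib

# Constructed captures: (source IP seen by the honeypot, captured specimen bytes).
# Real captures are binaries; these short byte strings stand in for them.
CAPTURES = [
    ("203.0.113.10", b"bot-A"), ("203.0.113.11", b"bot-A"), ("203.0.113.12", b"bot-A"),
    ("203.0.113.13", b"bot-B"), ("203.0.113.14", b"bot-B"),
    ("203.0.113.15", b"bot-C"), ("203.0.113.16", b"bot-D"), ("203.0.113.16", b"bot-A"),
]
# Constructed stand-in for "examined using commercial anti-virus software":
# hashes that AV already detects. Only bot-A and bot-C are "known" here.
KNOWN_BY_AV = {hashlib.sha256(b"bot-A").hexdigest(),
               hashlib.sha256(b"bot-C").hexdigest()}
# Assumed policy threshold for "currently infecting many PCs" (not from the slides).
MIN_SOURCES_FOR_TOOL = 2


def triage(captures, known_hashes, min_sources):
    """Reproduce the funnel: total -> unique -> unknown -> reflected in tools."""
    by_hash = {}      # hash -> specimen (de-duplication, step ②)
    sources = {}      # hash -> set of attacking IPs (the infected PCs' IP list)
    for ip, blob in captures:
        h = hashlib.sha256(blob).hexdigest()
        by_hash.setdefault(h, blob)
        sources.setdefault(h, set()).add(ip)
    unknown = {h for h in by_hash if h not in known_hashes}          # step ③
    reflected = {h for h in unknown if len(sources[h]) >= min_sources}  # step ④
    return {
        "total": len(captures),
        "unique": len(by_hash),
        "unknown": len(unknown),
        "reflected_in_tools": len(reflected),
        "infected_ips": sorted({ip for ip, _ in captures}),
    }


# Constructed alert log: one entry per alert e-mail. Recipients may be alerted
# repeatedly, which is why alerts (197,035) exceed recipients (48,391) on the slide.
ALERTS = ["u1", "u1", "u2", "u3", "u3", "u3", "u4", "u5"]
DOWNLOADED = {"u1", "u3"}   # constructed: recipients who fetched CCC Cleaner


def alert_stats(alerts, downloaded):
    """Alert count, distinct recipients and the download ratio (items ⑥ and ⑦)."""
    recipients = set(alerts)
    ratio = len(recipients & downloaded) / len(recipients)
    return {"alerts": len(alerts), "recipients": len(recipients),
            "download_ratio": round(ratio, 2)}
```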

Status of Responses by Users

• The user response rate from e-mail notification is excellent.
• The ratio of site visitors is gradually rising but seems to have peaked.
• The download rate fell in November due to a change in procedures (Windows Update required before downloading the tools).

[Chart: monthly rate of visiting the web site, rate of downloading the tools, and rate of sending reports, from 2/1-2/28 (2007) to 1/1-1/31 (2008); y-axis 0% to 50%]

Effect of CCC Activities [1]

Changes in Number of New Infections by ISP

[Chart: number of new infections for ISP A, ISP B and ISP C with linear approximation lines, 2007/02/09 to 2007/11/09; y-axis 0 to 120]

There is a trend of a decline in the number of new users infected by malware.

Effect of CCC Activities [2]

Malware samples collected by bot honeypots worldwide (2007) (Courtesy Trend Micro Inc.)

[Chart: samples collected per month, Jun to Dec 2007, for France, Germany, Japan, Korea, US and Malaysia]

In Japan, vulnerability attacks (worm type infections) tend to be on the decline.

Anticipated New Threats Related to Bots

The mode of infection is shifting from the vulnerability-attack type to other modes, and the threat posed by bots themselves is increasing (estimate).

[Diagram comparing 2005 and 2007:]
• 2005: all bot infections were of the vulnerability attack type (worm type infection).
• 2007: vulnerability attack type (worm type infection), combined types, web-based infection, e-mail based, IM-based, P2P type and Skype-based infections.

State of Multiple Infections of Bot-infected PCs

[Scatter chart: y-axis "Detection Reports (Report of Cleaner Results)", 0 to 20000; x-axis "Total Number of Attacks Detected in Honeypot (hash-based)", i.e. the number of specimen types captured by the honeypot in the month before the tool was run, 0 to 25]

A PC that attacked the CCC honey-pot with only one type of sample turns out to be infected by an average of 200.4 malware programs. (Used as a topic in user education.)

From Vulnerability Attacks to Web-based Infection

[Chart: monthly share from 2007/11 to 2008/02 of four series: Countermeasures Site, vulnerability attack malware (41%, 32%, 27%, 23%); Public Site, vulnerability attack malware (31%, 25%, 23%, 21%); Countermeasures Site, web-based malware (6%, 11%, 16%, 21%); Public Site, web-based malware (11%, 14%, 14%, 19%); y-axis 0% to 45%]

1. Data: the "Bot infection list" sent using the reporting function after running CCC Cleaner.
2. Data analysis: the content of the list has been classified into web-based infections and vulnerability attacks, and the number of types is tabulated on a monthly basis.
3. Trend estimation: the types of bots using web-based infections are on the increase; the types of bots using vulnerabilities are on the decline.

The number of infections based on the monthly tabulation results shows a similar trend. However, further analysis of monthly trends is required.
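The three-step analysis above (classify the reported list by infection mode, tabulate distinct types per month, estimate the trend), as an added Python example that is not CCC's own code. The report records, the malware names and the name-to-mode classification table are all constructed; the trend test uses a least-squares slope, in the spirit of the linear approximation on the earlier per-ISP chart.

```python
from collections import defaultdict

# Constructed "Bot infection list" records as a Cleaner report might carry them:
# (report month, tracking id, malware name). Names and tracking ids are made up.
REPORTS = [
    ("2007/11", "t1", "Worm.X"), ("2007/11", "t2", "Worm.Y"), ("2007/11", "t3", "Worm.X"),
    ("2007/11", "t3", "Down.P"),
    ("2007/12", "t4", "Worm.X"), ("2007/12", "t5", "Down.P"), ("2007/12", "t6", "Down.Q"),
    ("2008/01", "t7", "Down.P"), ("2008/01", "t8", "Down.Q"), ("2008/01", "t9", "Down.R"),
    ("2008/01", "t9", "Worm.Y"),
]
# Constructed classification table: which mode of infection each family uses.
MODE = {"Worm.X": "vulnerability", "Worm.Y": "vulnerability",
        "Down.P": "web", "Down.Q": "web", "Down.R": "web"}


def tabulate_types(reports, mode_table):
    """Step 2: distinct malware types per month, split by infection mode."""
    seen = defaultdict(set)                     # (month, mode) -> set of names
    for month, _tid, name in reports:
        seen[(month, mode_table[name])].add(name)
    months = sorted({m for m, _ in seen})
    counts = {mode: [len(seen[(m, mode)]) for m in months]
              for mode in ("vulnerability", "web")}
    return counts, months


def slope(values):
    """Least-squares slope over equally spaced months (a linear approximation)."""
    n = len(values)
    xm = (n - 1) / 2
    ym = sum(values) / n
    num = sum((i - xm) * (v - ym) for i, v in enumerate(values))
    den = sum((i - xm) ** 2 for i in range(n))
    return num / den


def estimate_trends(reports, mode_table):
    """Step 3: 'increase', 'decline' or 'flat' per mode from the monthly type counts."""
    counts, _ = tabulate_types(reports, mode_table)
    verdict = {}
    for mode, series in counts.items():
        s = slope(series)
        verdict[mode] = "increase" if s > 0 else "decline" if s < 0 else "flat"
    return verdict
```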

The Next Step in Enhancing the CCC Project

• Change the composition of honeypots
• Consider modes of infection other than vulnerability attacks
  - Field surveys of malware using web-based infection
  - Consider and implement countermeasures against malware using web-based infection
• Broaden the reach of ISPs (increase the number of partners)
• Build a closer relationship with global partners
• Inform the public about anti-malware measures
