sign in sign up
<<
Home , FinFisher, SpyEye, ZeroAccess botnet

4 Infrastructure Security as well. Retaliation continues in both cases, including further attacks carried out in protest against the arrest of suspects. In In suspects. of arrest the against protest in out carried attacks further including cases, both in continues Retaliation well. as attacks these with connection in authorities Turkish by arrested been have suspects 30 Over (OpTurkey). projects public-works against demonstrations on crackdown apolice protest Turkey to in outlets media and institutions government of websites on made also were attacks DDoS attacks. these in involved being of suspicion on Jordan in arrested been have people of A number retribution. in out carried been have to thought side Israeli the from attacks as well as (OpIsrael), sites related and government Israeli on attacks of anumber also were There (OpNorthKorea). leaked information account and altered were websites of number a which in Korea, North of government the to related websites on attacks of series a included High-profi incidents le causes. and incidents of avariety from stemming countries of number alarge in sites company and at government-related occurred leaks information and attacks DDoS period. this during continued as such hacktivists by Attacks Hacktivists Other and Anonymous of Activities I The Other: Security-related information, and incidents not directly associated with security problems, including highly concentrated traffi c associated with a with traffiassociated c concentrated highly including problems, security with associated directly not incidents and information, Security-related Other: against attacks DDoS ; other and worms network of propagation wide as such responses related and incidents Unexpected Incidents: Security a with connection in attacks to related etc., response, in taken measures incidents, of detection warning/alarms, signifidates; cant Historically History: international as such events international and circumstances foreign and domestic to related incidents to Responses Situations: Social and Political in or Internet the over used commonly software or equipment server equipment, network with associated vulnerabilities to Responses other. and Vulnerabilities: incidents security history, situation, social and political vulnerabilities, as categorized are report this in discussed Incidents *1 period* this during handled incidents of distribution the 1shows Figure 2013. 30, June 1and April between occurred that incidents to response and handling IIJ the discuss we Here, 1.2 incidents. security-related many experience to continues Internet the above, seen As leaks. information and hijackings domain associated with along occur, to continue ccTLD including registries domain on attacks Multiple websites. other from obtained been have to thought and IDs of alist using fraud commit to attempts were these speculated is it cases, of a number In sites. shopping and sites portal to access unauthorized of incidents many were there April In alterations. website related and compromises server Web of aseries also were There groups. other and Anonymous by made were attacks -based of a number period, survey last the from on Continuing 2013. 30, June 1through April from time of period the covers volume This relationships. cooperative has IIJ which with organizations and companies from obtained information and services, our through acquired information incidents, of observations from information Internet, the of operation stable the to related itself IIJ by obtained information general on based responded, IIJ which to incidents summarizes report This 1.1 year. this of beginning the since occurred have that incidents login unauthorized of spate the at look We also risks. associated various as well as security router home of state the examine and malware, ZeroAccess the of detection discuss we report, this In Security Router Home Security Infrastructure 1. Introduction notable event. websites. certain fact. historical past disputes. international in originating attacks and VIPs by attended conferences user environments. Incident Summary Incident 1 . Figure 1: Incident Ratio by Category Category by 1: Ratio Figure Incident History 0.4% Other 34.6% 2.0% Social Situation Political and (April 1 to June 30, 2013) 30, June 1to (April Security Incidents49.0% Vulnerabilities 14.0% During this period fi xes were released for Microsoft’s Windows* fi period this Microsoft’s for During released were xes I Vulnerabilities and their Handling active. very be to continue Anonymous than other Groups scale. in large not also were these but (OpPetrol), nations oil-producing and companies gas petroleum vulnerability in BIND9 DNS server that caused abnormal server stoppages through processing requests to certain resource fi also was resource codes xed* certain to requests processing through stoppages server abnormal caused that server DNS BIND9 in vulnerability A fivulnerabilities. released, many was xing server database Oracle the for update aquarterly applications, server Regarding released. were patches before exploited were vulnerabilities these of Several Ichitaro. Corporation’s fi and discovered was JustSystems in execution xed program arbitrary allowed that A vulnerability vulnerabilities. many fi that Java for updates of xed anumber released Oracle Acrobat. and Reader, Player, Flash Systems’ Adobe to made also for companies and organizations. An alert from the JPCERT Coordination Center* Coordination JPCERT the from alert An organizations. and companies for those including altered, were websites of A number coordinated. been have to thought is activity this so installed, 2) Kit Version Exploit (Blackhole BHEK2 as such kits exploit had to redirected were users that websites malicious The malware. with them infecting possibly website, altered an viewing after websites malicious to taken be to users caused These them. in embedded websites other to users redirected that JavaScript obfuscated or elements iframe had websites altered the of Many attention. of a lot attracted alterations website related and compromises server Web period, survey this During I Increasing Prevalence of Compromised Web Servers fi also were xed. scripting, cross-site and privileges of elevation involving those including in WordPress, vulnerabilities Multiple framework. application Web fiand Struts Apache the in xed several vulnerabilities thought to be particularly dangerous* particularly be to thought vulnerabilities several alterations, information leaks, or DDoS attacks, but the impact was limited* was impact the but attacks, DDoS or leaks, information alterations, experienced websites hundred several (OpUSA), May in fi and agencies institutions nancial government U.S. targeting attacks *13 JPCERT/CC, “JPCERT/CC Alert 2013-04-08 Alert regarding the usage of old versions of Parallels Plesk Panel” (http://www.jpcert.or.jp/english/at/2013/ Panel” Plesk Parallels of versions old of usage the regarding Alert 2013-04-08 Alert “JPCERT/CC JPCERT/CC, *13 your prevent to measures -Implement Month this for “Reminder published Japan Agency, Promotion (http://www.jpcert.or.jp/english/at/2013/at130027.html). websites” Information-technology the June in compromised example, For regarding Alert *12 2013-06-07 Alert “JPCERT/CC Center, Coordination JPCERT *11 (http://blogs.cisco.com/security/plesk-0- Servers” Web Targets 0-Day “Plesk vulnerability. this regarding details for post Blogs 9 BIND Cisco ISC in following the See vulnerability service of Denial *10 2013-06-05 Alert “JPCERT/CC vulnerability. this regarding alert an issued Center Coordination JPCERT The (http://technet. *9 (2839571)” Execution Code Remote Offi Allow Could ce Microsoft in Vulnerability -Important: MS13-051 Bulletin Security “Microsoft (http://technet.microsoft.com/en-us/ *8 (2838727)” Explorer Internet for Update Security Cumulative -Critical: MS13-047 Bulletin Security “Microsoft (http://technet.microsoft.com/en-us/security/bulletin/ *7 (2847204)” Explorer Internet for Update Security -Critical: MS13-038 Bulletin Security “Microsoft (http://technet.microsoft.com/en-us/ *6 (2829530)” Explorer Internet for Update Security Cumulative -Critical: MS13-037 Bulletin Security “Microsoft *5 (http://technet.microsoft.com/en-us/ (2817183)” Explorer Internet for Update Security Cumulative -Critical: MS13-028 Bulletin Security “Microsoft (2828223)” Execution Code Remote *4 Allow Could Client Desktop Remote in Vulnerability -Critical: MS13-029 Bulletin Security “Microsoft Microsoft, How Show *3 Attacks OpUSA “Failed attacks. these regarding details for post BLOG INTELLIGENCE SECURITY Micro Trend following the See *2 exploited* easily be could vulnerability this that reports to Due disclosed. was ended had support which for tool management server Panel Plesk Parallels the of version in a settings PHP fi no improper with from resulting A vulnerability available x for which support had ended, had been targeted on the altered websites* altered the on targeted been had ended, had support which for those including tools, management server and System) Management (Content CMS of versions old in vulnerabilities Many year. this of April since reported been have incidents 1,000 approximately at130018.html). of source the were these that indicated which Japanese), (in IPA. to reported alterations web the of most (http://www.ipa.go.jp/security/txt/2013/06outline.html) compromised!” being from website day-targets-web-servers/). (http://www.jpcert.or.jp/english/at/2013/at130026.html). (CVE-2013-3919)” microsoft.com/en-us/security/bulletin/ms13-051). security/bulletin/ms13-047). ms13-038). security/bulletin/ms13-037). security/bulletin/ms13-028). (http://technet.microsoft.com/en-us/security/bulletin/ms13-029). Operate” (http://blog.trendmicro.com/trendlabs-security-intelligence/failed-opusa-attacks-show-how-hackers-operate/). 10 , users were urged to upgrade to the latest supported version. A number of vulnerabilities were also discovered discovered also were vulnerabilities of Anumber version. supported latest the to upgrade to urged were , users 9 . 13 . 3 , * 12 . For this reason, an alert was issued regarding regarding issued was alert an reason, this . For 2 . In June, attacks were made on international international on made were attacks June, . In 11 indicated that at the time of its issue issue its of time the at that indicated 4 * 5 * 6 * 7 , and Offi, and ce* 8 . Updates were were . Updates

5 Infrastructure Security 6 Infrastructure Security April Incidents *Dates areinJapanStandardTime [Legend] 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 O O O O O O V V V V V S S S S S S S S S S S S S S There wasevidencethatalistofIDsandpasswordshadleakedfromcompetitors’servicebeenusedinattemptstologthegooIDsystem. Google andPayPalwerehijacked. 19th: (http://blogs.technet.com/b/microsoft_blog/archive/2013/04/17/microsoft-account-gets-more-secure.aspx). The OfficialMicrosoftBlog,“MicrosoftAccountGetsMoreSecure” unauthorized access. 18th: Microsoftannouncedtheywouldprovidetwo-stepverificationforaccount,toimprovethesecurityfeaturesdealingwith “Oracle CriticalPatchUpdateAdvisory-April2013”(http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html). 17th: Oraclereleasedtheirquarterlyscheduledupdate,whichfixedatotalof86vulnerabilitiesinmultipleproductssuchasandMySQL. “Oracle JavaSECriticalPatchUpdateAdvisory-April2013”(http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html). 17th: National InformationSecurityCenter,“RegardingConveningofthe1stGovernmentMinistryPoCAssembly”(http://www.nisc.go.jp/press/pdf/01poc.pdf)(inJapanese). of theCSIRTrepresentative(PoC)fromeachgovernmentministry. 10th: WiththeestablishmentofsystemssuchasCSIRTatgovernmentministries,1stPoC(PointContact)assemblywasheld,consisting “JPCERT/CC Alert2013-04-08regardingtheusageofoldversionsParallelsPleskPanel”(http://www.jpcert.or.jp/english/at/2013/at130018.html). Web alterationsinvolvingtheinstallationofmaliciousApachemodules. 8th: TheJPCERTCoordinationCenterissuedanalertduetotheprevalenceofoldversionsParallelsPleskPanelbeingusedincidents (http://www.soumu.go.jp/main_sosiki/joho_tsusin/eng/Releases/Telecommunications/130405_02.html). “Official AnnouncementofProposalsonPromotionInformationSecurityPolicyMIC” that shouldbetakenregardingthepromotionofinformationsecurityinshortandlongterm,aswellimprovementstoexistinginitiatives. Promotion ofInformationSecurityPolicyMIC.”Thissummarizedadvicefromarangeperspectivesregardingthedirectionformeasures 5th: TheInformationSecurityAdvisoryBoardoftheMinistryInternalAffairsandCommunicationsofficiallyannouncedits“Proposalson resulting inrewardpointsfor299IDsbeingused. 5th: ItwasannouncedthatfraudulentactivityhadoccurredonMarch26throughunauthorizedlogintoamembershiprewardspointssite, corresponding to779accountsthatwereloggedintofromIPaddressessuspectedbemalicious. 5th: BetweenApril1and5,2013,unauthorizedloginstookplaceatasitethatsellselectronicbooks.PasswordswereresetforuserIDs (http://www.ntt-east.co.jp/release/detail/20130404_02.html) (inJapanese). Nippon TelegraphandTelephoneEastCorporation,“RegardingUnauthorizedAccesstotheFLET’SHikariMembersClub” logged intowithoutauthorization.Asaresult,restrictionswereplaceduponaccountsandlogintothesite. 4th: FraudulentattemptsweremadetologintheFLET’SHikarimember’ssite,anditwasdiscoveredthat30accountsmayhavebeen NTT ResonantInc.,“RegardingtheimpactcausedbyunauthorizedlogintogooIDs”(finalreport)(http://pr.goo.ne.jp/detail/1703/)(inJapanese). 2nd: Oman NationalCERT,“SignsofaDNSCachePoisoningAttack”(http://www.cert.gov.om/media_news_details.aspx?news=20#.UgoN5pJzP kd). and domainsforanumberofwell-knownsitessuchasGooglewerehijacked. 23rd: AnumberofwebsiteswerecompromisedatOmanTelecommunicationsCompany, oneoftheccTLDregistrarsforOman’s.omdomains, “Unauthorized AccessofJAXAServer”(http://www.jaxa.jp/press/2013/04/20130423_security_e.html). source onApril17,andtherewasapossibilitythatinformationrelatedtooperation oftheInternationalSpaceStationhadbeenleaked. 23rd: TheJapanAerospaceExplorationAgency(JAXA)announcedthatitsservershadbeen accessedwithoutauthorizationbyanexternal 19th: ArevisiontothePublicOfficesElectionLawthatallowedInternetbeusedfor electioneeringwaspassedbytheUpperHouse. authorization byanunknownparty,leadingtothehijackingofdomainsforseveralprominentsitessuchasGoogleandMSN. 15th: TherewasanincidentinwhichFootprintComputerSolutions,theccTLDregistrarforKenya’s.kedomains,accessedwithout have beenusedbytheculpritseveraltimes. 12th: InrelationtotheRemoteControlVirusincident,itwasreportedthatjournalistsfromnewsoutletshadaccessedanemailaccountsaid data verificationworkrelatedtoafailurethatoccurredinMarchdraggingonlongerthanexpected. 1st: Troubleoccurredat200localauthoritiesaroundJapan,renderingtheBasicResidentRegisterNetworkinaccessible.Thiswascausedby this includedatemporaryslumpinstockpricesattheNewYorkStockExchange. 24th: TheTwitteraccountfortheAssociatedPresswasaccessedwithoutauthorization, and falseinformationdisseminated.Theimpactfrom (https://twitter.com/jpcert/status/322282948554530816) (inJapanese). For example,thefollowingstatementwasmadefromJPCERTCoordinationCenterTwitteraccount be conversionservicesformobilecommunications. 11th: Fraudulentwebsitesforanumberoffinancialinstitutionswerediscovered,generatinglotinterest.Itwaspointedoutthatthesemay “APSB13-11: SecurityupdatesavailableforAdobeFlashPlayer”(http://www.adobe.com/support/security/bulletins/apsb13-11.html). discovered andfixed. 10th: AnumberofvulnerabilitiesinAdobeFlashPlayerthatcouldallowunauthorizedterminationandarbitrarycodeexecutionwere “Microsoft SecurityBulletinSummaryforApril2013”(http://technet.microsoft.com/en-us/security/bulletin/ms13-Apr). as wellsevenimportantonesincludingMS13-035. 10th: MicrosoftpublishedtheirSecurityBulletinSummaryforApril2013,andreleasedtwocriticalupdatesincludingMS13-028MS13-029, Just AnotherWordPressWeblog,“GreaterSecuritywithTwoStepAuthentication”(http://en.blog.wordpress.com/2013/04/05/two-step-authentication/). 6th: WordPress.comannouncedsupportforanoptionalTwoStepAuthenticationfeatureusingGoogle’sauthenticationsystem. accessed withoutauthorization,andemails withvirusesattachedweresenttorelatedparties. 28th: Itwasreportedthatanexternalemailservice accountusedbyahigh-rankingJapanesegovernmentofficialforpersonalbusine ss was IDs ofotherindividualswithoutauthorization usingTor,andchangedpasswordsemailaddresseswithoutpermission. 25th: A15-year-oldyouthwasarrestedonsuspicion ofviolatingtheUnauthorizedComputerAccessLaw.Heisallegedtohaveaccessed the Vulnerabilities Attempts weremadetologingooIDswithoutauthorization,andaccountslockedduethepossibilityofunauthorizedlogin108,716accounts. Oracle releasedascheduledupdateforJavaSEJDKandJRE,fixing42vulnerabilitiesincludingthosethatallowedexecutionofarbitrarycode. The NICforKyrgyzstan’s.kgdomainswasaccessedwithoutauthorization,andmultiple domainsincludingwell-knownexamplessuchas S Security Incidents P Political andSocialSituation H History O Other targeting users who use the same ID and combination at other sites* other at combination password and ID same the use who users targeting somewhere, from obtained passwords and IDs of lists using made been have to believed are attacks incidents, recent the For authentication. login the only of testing as such known, not is perpetrator the of intent the which in incidents been also have There recently. seen those as such Japan in sites multiple on attacks large-scale of examples past few are there and sites, individual at aimed were attacks these cases most in However, time. some for frequently occurring been have above, mentioned incidents the in those as such lists using attacks as well as passwords, and IDs targeting attacks force Brute users. to addition in companies card credit by felt was signifi data, of impact cant world renown such as Google and PayPal. and Google as such renown world of companies for domains targeted hijackings domain incidents, these of each In hijackings. domain to subject were Burundi for .bi and for .ug including domains these, to addition In Google. as such sites big-name several of hijackings domain the in resulting domains, .om Oman’s for registrars ccTLD the of one Company, Telecommunications Oman at place took also access Unauthorized authorization. without accessed was domains .kg Kyrgyzstan’s for NIC the after PayPal, and Google as such sites, well-known of anumber of hijackings also were There MSN. and Google as such sites prominent several for domains of hijacking the to leading party, unknown an by authorization without accessed was domains, .ke Kenya’s for registrar ccTLD the Solutions, Computer Footprint which in occurred incident an April, In leaks. information and hijackings domain associated with along occur, to continue ccTLD including registries domain on attacks Numerous TLD on I Attacks incidents. these about information more for Login” Unauthorized of Incidents Recurring “1.4.3 See Japan issuedanother alert* Center Analysis and Sharing Information the Telecom incidents, recent the of identifi light in but ed, frequently is passwords information had been saved with the security codes used for credit card authorization* card credit for used codes security the with saved been had information personal as well as passwords and IDs user leaked, was information which in incidents the of one In found. being passwords and fi and names user servers, containing from les leaked being data to leading vulnerabilities exploited that compromises server with targeted, been have to thought are themselves lists which in incidents multiple were there Additionally, changed. being passwords or authorization, without used being points as such damages in resulted this cases of anumber In used. been have to believed are combinations password and ID of consisting lists which in incidents, related as well as authorization, without sites service member-oriented corporate or e-commerce, SNS, to in log to attempts many were there April From lists. of use the involve to thought was which fraud, identity through attempts login unauthorized as well as passwords, and IDs user obtain to attempts of number alarge were there period, survey this During Fraud Identity through Login Unauthorized and Passwords, and IDs Targeting I Attacks *17 Telecom Information Sharing and Analysis Center Japan, “[Alert] A spate of unauthorized use of user IDs / passwords, and recommended measures for for measures recommended and /passwords, IDs user of use unauthorized of Aspate “[Alert] Japan, Center Analysis and Sharing Information Telecom *17 2011” in (http://www.npa.go.jp/cyber/statics/h23/pdf040.pdf) Incidents Access Unauthorized of Status the of “Publication Agency, Police National *16 passwords and IDs believed it ID, login each for attempts passwords of number the to due that, fi its in report nal indicated companies affected the of One *15 (http://www.isms.jipdec.or.jp/doc/ Compliance)” /ISMS DSS PCI to (Guide Stores Member Card Credit for Guide’ Security “‘Information the example, For *14 the National Police Agency in 2012 confi rmed that 6.7% of users had reused passwords* reused 2012 in confihad Agency users of 6.7% Police that rmed National the by published programs” entry automatic continuous using attacks login unauthorized regarding results “Observation example, For past. the in out pointed been has this as such websites multiple at password and ID same the using of risk The users” (https://www.telecom-isac.jp/news/news20130412.html) (in Japanese). users” (https://www.telecom-isac.jp/news/news20130412.html) (in Japanese). work. would they if see to tested being were and fraudulently obtained been had services other for the 3of them. Requirement by storing from covered data prohibited are authentication merchants that sensitive meaning the in DSS, PCI included are codes security that indicates JIPDEC by published JIP-ISMS118-20.pdf) 17 . 15 . 14 . Due to this improper management management improper this to . Due 16 . The danger of reusing IDs and and IDs reusing of danger . The

7 Infrastructure Security 8 Infrastructure Security May Incidents *Dates areinJapanStandardTime [Legend] 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 O O V V V V V V V S S S S S S S S remote commandexecution,sessionaccessandmanipulationXSSattacks”(http://struts.apache.org/release/2.3.x/docs/s2-014.html). The ApacheSoftwareFoundation,“S2-014-AvulnerabilityintroducedbyforcingparameterinclusionintheURLandAnchorTagallows discovered andfixed. 23rd: AnumberofvulnerabilitiesinApacheStrutsthatcouldallowexecutionarbitrarycommands(CVE-2013-1965,CVE-2013-1966)were ‘Regarding UnauthorizedAccesstoOurServers’(publishedMay17)”(http://pr.yahoo.co.jp/release/2013/0523a.html)(inJapanese). Yahoo! JAPAN,“RegardingUnauthorizedAccesstoOurServers”(http://pr.yahoo.co.jp/release/2013/0517a.html)(inJapanese).“Follow-up have beenleakedfor1,480,000accounts. announced thatsomeirreversiblyencryptedpasswords,aswellinformationrequiredforresettingpasswordswhentheyaregotten,may on May16,andfilescontainingonlytheextractedIDsofupto22millionaccountsmayhavebeencreatedleaked.On23itwasalso 17th: Yahoo!JAPANannouncedthattheserversmanagingIDshadbeenaccessedwithoutauthorizationbyanexternalsource “APSB13-15 SecurityupdatesavailableforAdobeReaderandAcrobat”(http://www.adobe.com/support/security/bulletins/apsb13-15.html). discovered andfixed. 15th: AnumberofvulnerabilitiesinAdobeReaderandAcrobatthatcouldallowunauthorizedterminationarbitrarycodeexecutionwere (http://blog.bloomberg.com/2013-05-10/safeguarding-customer-data/). See thefollowingBloombergL.P.statementformoreinformation.“SafeguardingCustomerData” information serviceprovidedbyanotheroneofitsdivisions,andannouncedtheyhadundertakencorrectiveaction. 11th: BloombergL.P.admittedthatNewsreportershadaninappropriatelevelofaccesstothedatacustomersusingafinancial (http://www.justice.gov/usao/nye/pr/2013/2013may09.html). “Eight MembersOfNewYorkCellCybercrimeOrganizationIndictedIn$45MillionCampaign” See thefollowingUnitedStatesAttorney’sOfficeforEasternDistrictofNewYorkstatementmoreinformationaboutthisincident. data, andstole45milliondollarsfromATMsaroundtheworldwereindicted(UnlimitedOperation). 10th: EightmembersofahackergroupthatcompromisedcreditcardprocessingcompanyinIndia,alteredsavingsandwithdrawallimit issued afterevidencepointedtothefactthatlistsofIDsandpasswordsobtainedfromotherserviceswerebeingused. access hadbeenconfirmed.MoreinformationabouttheseincidentswaspublishedonMay16,andawarningnottoreusepasswords between May4and8.Itwasannouncedthatloginhadbeenlockedforapproximately15,000useraccountswhichunauthorized 8th: Therewereattemptstologinane-commercesitewithoutauthorization,withabout1,110,000incidentsofunauthorizedaccess (http://pastebin.com/LXHKjsfg). Information onattacktargetsanddetailsoftheattackscanbeconfirmedinfollowingPastebinstatement.“#OpUSAtargetlist” information leaks,andDDoSattackscoordinatedbyAnonymous(OpUSA). 8th: Severalhundredwebsites,includingsitesforU.S.governmentagenciesandfinancialinstitutions,wereaffectedbyalterations, (https://technet.microsoft.com/en-us/security/advisory/2847140). “Microsoft SecurityAdvisory(2847140)VulnerabilityinInternetExplorerCouldAllowRemoteCodeExecution” could allowremotecodeexecutionwhenamaliciouswebsiteisviewed.ThisvulnerabilitywasfixedinMS13-038onMay15. 4th: Microsoftreleasedasecurityadvisory(2847140)regardingvulnerabilityinIE8forwhichnofixwasavailable(CVE-2013-1347), (https://citizenlab.org/2013/04/for-their-eyes-only-2/). See thefollowingCitizenLabreportformoreinformation.“ForTheirEyesOnly:TheCommercializationofDigitalSpying” government agenciesofvariouscountriesarethoughttobeusingintheirinformation-gatheringactivities. 1st: TheUniversityofToronto’sCitizenLabpublisheditslatestreportontheFinSpy(FinFisher)commercialsurveillancesoftware,which 31st: Thewebsitesofthenic.mwandregister.mw domainregistriesforMalawiwerealteredbyanunknownparty. (http://www.prolexic.com/news-events-pr-prolexic-stops-largest-ever-dns-reflection-ddos-attack-167-gbps.html). “167 GbpsAttackTargetedReal-TimeFinancial ExchangePlatform” using DNSamplificationagainstafinancialexchangemarketsystem.92%ofthedevices thatparticipatedinthisattackwereopenresolvers. 31st: U.S.companyProlexicTechnologies,whichprovidesDDoSdefenseservices,announced thatithadpreventeda167GbpsDDoSattack as securitycodes. accessed withoutauthorizationonApril23,leadingtotheleakofup146,701pieces ofcustomerinformation,includingcreditcarddatasuch 27th: Itwasannouncedthatthewebsiteforacompanyrentsmobilephonesand Wi-Firouterstooverseastravelershadbeen discovered andfixed.AlthoughCVE-2013-1966hadbeenfixedpreviously,itwas againduetothemeasuresnotbeingsufficient. 27th: AnumberofvulnerabilitiesinApacheStrutsthatcouldallowexecutionarbitrary commands(CVE-2013-1966,CVE-2013-2115)were (http://www.cas.go.jp/jp/seisaku/bangoseido/english.html). See thefollowingCabinetSecretariatsiteformoreinformation.“TheSocialSecurity andTaxNumberSystem” the UpperHouse. 24th: “TheBillontheUtilizationofaNumbertoIdentifySpecificIndividualsforAdministrative Procedures(MyNumberLaw)”waspassedby “APSB13-14: SecurityupdatesavailableforAdobeFlashPlayer”(http://www.adobe.com/support/security/bulletins/apsb13-14.html). discovered andfixed. 15th: AnumberofvulnerabilitiesinAdobeFlashPlayerthatcouldallowunauthorizedterminationandarbitrarycodeexecutionwere “Microsoft SecurityBulletinSummaryforMay2013”(http://technet.microsoft.com/en-us/security/bulletin/ms13-May). as eightimportantonesincludingMS13-039. 15th: MicrosoftpublishedtheirSecurityBulletinSummaryforMay2013,andreleasedtwocriticalupdates,MS13-037MS13-038,aswell Vulnerabilities S Security Incidents P Political andSocialSituation H History O Other Security Strategy to Protect Citizens” established in 2010* in established Citizens” Protect to Strategy Security “Information the replace to security information regarding strategy basic anew as up drawn been had which Strategy,” Security “Cyber the of conclusion Council’s Policy Security Information the included initiatives agency Government I Government Agency Initiatives care. with used be must it so laundering, money as such crimes in use for identifipotential been its also with have ed issues hand, other the On etc. WikiLeaks, to donations making for utilized been has it and name, your disclosing without used be can it anonymously, exchanged be can currency virtual for planning foreign and security policy (in other words, a Japanese version of the NSC), the Act Regarding Establishment Establishment Regarding Act the NSC), the of version aJapanese words, other (in policy security and foreign Council planning for Security aNational of establishment the regarding Furthermore, Forces. Self-Defense the and Defense of Ministry of the networks and systems the on attacks cyber countering for measures comprehensive implement to ability the improving May, in for name) (provisional Force Defense aCyberspace establish would it that announcing Defense of Ministry the as such attacks, cyber to responding for systems enhance to moves other were There effi the to investigations. of July in improve ciency established be would police, regional from dispatched investigators and Bureau Safety Community Department’s Police Metropolitan the of Division Countermeasure Crime Cyber the from investigators of consisting squad, crime cyber aspecial that announced also was it 1. June In April on 13 in prefectures established were attacks cyber units investigating for special businesses, private-sector and agencies government targeting attacks cyber in increase an to due Additionally, functions for international collaboration, and improvements to human resource development and literacy levels* literacy and development resource human to improvements and collaboration, international for to functions enhancements capabilities, analysis attack of preparation agencies, government of capability response emergency the to improvements included These plan. annual an as FY2013 in specifiimplemented be to summarizing this, initiatives c fi also was 2013” on Security based “Cyber nalized improvements. functional necessary the of implementation following FY2015, around by name)” (provisional Center Security “Cyber the become would Center) Security Information (National accessed by resetting all customer passwords* customer all resetting by accessed been had information customer that possibility the to responded and access, unauthorized experienced also name.com provider hosting DNS U.S. accessed. been had information card credit including details customer that possibility the to due accounts customer all for passwords the reset they authorization, without accessed was Moniker registrar DNS U.S. After *24 National Information Security Center, “Information Security Policy Council - 32nd Assembly” (June 27, 2013) (http://www.nisc.go.jp/conference/seisaku/ 27, 2013) (June Assembly” -32nd Council Policy Security “Information Center, Security Information National *24 (http://www.nisc.go.jp/conference/seisaku/ 2013) 10, (June Assembly” -32nd Council Policy Security “Information Center, Security Information National *23 (http://www. bitcoining” by “Skypemageddon malware. this about information more for post Blog SECURELIST Lab Kaspersky following the See *22 (https://www.mtgox.com/ happened?” What days: few epic an been “It’s incident. this about information more for statement Mt.Gox following the See *21 (http://blogs.cisco.com/security/hijacking-of- Solutions” Network from Records DNS of “‘Hijacking’ information. more for Blog Cisco following the See to due Outage DNS *20 Report: “Incident attacks. the about information more for affected, companies the of one DNSimple, from post blog following the See *19 Name.com Blog, “We got hacked” (http://www.name.com/blog/general/2013/05/we-got-hacked/). *18 a DDoS attack* to response the during error operation an to due hijacked been have to appearing domains 5,000 approximately in resulted using the authoritative DNS servers of these service providers* service these of servers DNS authoritative the using amplifi DNS via cation servers other on made attacks DDoS were attacks these that known now is It etc. failures, service to leading providers, service hosting DNS of a number for servers DNS authoritative on out carried were attacks DDoS June, In occurred. also have party unknown an by altered were domains .mw Malawi’s manage that registries . On April 3, the Mt.Gox Bitcoin exchange was the target of a DDoS attack, affecting service temporarily* service affecting attack, aDDoS of target the was exchange Bitcoin Mt.Gox the 3, April On Bitcoin. targeting attempts phishing and attacks as such incidents many been have there aresult, As April. in $266 of ahigh reaching dollars U.S. against rate exchange the with value, in soaring been had Bitcoin of value The systems. its and currency virtual Bitcoin net-based the on made attacks of anumber regarding discussion of alot was there period, survey current the During on Bitcoin I Attacks that target Bitcoin indirectly are also on the rise, such as the discovery of malware that mines Bitcoin* mines that malware of discovery the as such rise, the on also are indirectly Bitcoin target that index.html#seisaku36) (in Japanese). index.html#seisaku35) (in Japanese). securelist.com/en/blog/208194210/Skypemageddon_by_bitcoining). press_release_20130404.html). dns-records-from-network-solutions/). (http://blog.dnsimple.com/incident-report-dns-outage-due-to-ddos-attack/). DDoS Attack” 20 . 18 . Incidents in which the websites for the nic.mw and register.mw domain domain register.mw and nic.mw the for websites the which in . Incidents 23 . To enhance systems for promotion, it was also decided that NISC NISC that decided also was it promotion, for systems . To enhance 19 . Another incident in June at U.S. fi U.S. at June in Solutions incident Network rm . Another 22 . Because the Bitcoin Bitcoin the . Because 24 21 . . Attacks . Attacks

9 Infrastructure Security 10 Infrastructure Security June Incidents *Dates areinJapanStandardTime [Legend] 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 O O O O V V V V V V V V V V V S S S S S S S Internet SystemsConsortium,“CVE-2013-3919:Arecursiveresolvercanbecrashedbyaqueryformalformedzone”(https://kb.isc.org/article/AA-00967/). 5th: Parallels, “ParallelsPleskPanel:phppath/PHPvulnerability”(http://kb.parallels.com/116241). upgrade toanewerversion. security-related mailinglist.Becausethisvulnerabilityonlyaffectsoldversionsforwhichsupporthasalreadyended,usershavebeenurgedto 6th: AvulnerabilityinParallelsPleskPanelversions9.0-9.2.3thatcouldallowremotearbitrarycodeexecutionwasdisclosedona Expression allowsremotecommandexecution.”(http://struts.apache.org/release/2.3.x/docs/s2-015.html). The ApacheSoftwareFoundation,“S2-015-AvulnerabilityintroducedbywildcardmatchingmechanismordoubleevaluationofOGNL discovered andfixed. 5th: AnumberofvulnerabilitiesinApacheStrutsthatcouldallowexecutionarbitrarycommands(CVE-2013-2134,CVE-2013-2135)were on recentDDoSattacks-June2013”(http://www.tppwholesale.com.au/support/service-alerts/more-information-recent-ddos-attacks). (http://www.tppwholesale.com.au/support/service-alerts/unscheduled-service-interruption-tpp-wholesale-dns-3rd-june-2013). “Moreinformation Interruption -TPPWholesaleDNS3rdJune2013” For moreinformation,seethefollowingannouncementsfromTPPWholesalePtyLtd,whichwasoneofthosetargeted.“UnscheduledService service failures,etc. 4th: DDoSattacksweremadeonauthoritativeDNSserversforanumberofhostingservices,suchasDNSimpleandeasyDNS,causing “‘Hijacking’ ofDNSRecordsfromNetworkSolutions”(http://blogs.cisco.com/security/hijacking-of-dns-records-from-network-solu tions/). operation errorwhenrespondingtoaDDoSattack.SeethefollowingCiscoBlogfor moreinformationaboutthisincident. 21st: AnaccidentoccurredatU.S.companyNetworkSolutions,causingabout5,000domains toappearasiftheyhadbeenhijackeddue The OperaSecuritygroup,“Securitybreachstopped”(http://my.opera.com/securitygroup/blog/2013/06/26/opera-infrastructure-attack). fraudulent certificateswasdistributedusingtheautomaticupdatesystem. announced thatbetween10:00and10:36AMJapantime,severalthousandWindowsusersmayhavebeenaffectedwhenanupdatefileusing 19th: OnJune26,Operastatedithadbeencompromisedinatargetedattack,resultingthetheftofcodesigningcertificates.Theyalso “Stable ChannelUpdate”(http://googlechromereleases.blogspot.jp/2013/06/stable-channel-update_18.html). management notbeingcarriedoutinFlashapplications. environment ofamachineviamethodssuchasclickjackingattackswasdiscoveredandfixed.Thiscausedbyproperauthority 19th: AvulnerabilityintheFlashplug-inforGoogleChromethatcouldallowathirdpartytoobtainimportantinformationfromphysical “Oracle JavaSECriticalPatchUpdateAdvisory-June2013”(http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html). execution ofarbitrarycode. 19th: OraclereleasedtheirquarterlyscheduledupdateforJavaSEJDKandJRE,fixing40vulnerabilitiesincludingthosethatallowed ontvreemden containersmetcocaïne”(http://www.om.nl/actueel/nieuws-persberichten/@161061/drugshandelaren/)(inDutch). See thefollowingstatementfromDutchprosecutorsformoreinformationaboutthisincident.“Drugshandelarenhackenrederijenen apprehended throughajointinvestigationconductedbymultipleagenciesintheNetherlandsandBelgium. 18th: ItwasannouncedthatagrouphadcompromisedportsysteminAntwerpandsmuggledweaponsdrugsbeen (http://www.justsystems.com/jp/info/js13002.html) (inJapanese). *JustSystems Corporation,“[JS13002]RegardingtheRiskofMaliciousProgramExecutionExploitingaVulnerabilityinIchitaro” 18th: AvulnerabilityinIchitarothatallowedarbitrarycodeexecutionwasdiscoveredandfixed. “Alert (ICS-ALERT-13-164-01)MedicalDevicesHard-CodedPasswords”(http://ics-cert.us-cert.gov/alerts/ICS-ALERT-13-164-01). vendors, duetohard-codedpasswordsbeingused. 14th: U.S.ICS-CERTissuedanalertencouragingpropermanagementandaccessrestrictionsforapproximately300medicaldevicesfrom40 (http://www.soumu.go.jp/main_sosiki/joho_tsusin/eng/Releases/Telecommunications/130612_06.html). “Official AnnouncementofReportfromResearchSocietyforUseandCirculationPersonalData” highly-convenient servicestakingprivacyintoconsideration. their evaluationoftheproperusebigdatathatincludespersonaldata,andcirculationinformationrequiredforproviding 12th: TheMinistryofInternalAffairs’ResearchSocietyforUseandCirculationPersonalDatapublishedareportsummarizingtheresults “JPCERT/CC Alert2013-06-07regardingcompromisedwebsites”(http://www.jpcert.or.jp/english/at/2013/at130027.html). April 2013,withmostalteredwebsitesusedtoredirectusersattacksites. 7th: JPCERT/CCissuedanalertregardingaspateofwebsitealterationincidentsinJapan.About1,000havebeenreportedsince (http://www.microsoft.com/en-us/news/Press/2013/Jun13/06-05DCUPR.aspx). “Microsoft, financialservicesandothersjoinforcestocombatmassivecybercrimering” 6th: MicrosoftannouncedithaduncoveredtheCitadelbotnettogetherwithanumberofpartnerssuchasFBIandFS-ISAC. (http://www.adobe.com/jp/aboutadobe/pressroom/pressreleases/20130628_LGPKI.html) (inJapanese). “Adobe SystemsCooperatesinLocalAuthorities SystemsDevelopmentCenter’sCyberAttackCountermeasures” 28th: What lessonsshouldwetakefromthis?”(http://blog.trendmicro.co.jp/archives/7462) (inJapanese). See thefollowingTrendMicroSECURITYBLOGpostformoreinformation.“More large-scalecyberattacksonSouthKorea:Whathappened? There werealsomultiplesystemfailuresthoughttobecausedbymalware. 25th: InSouthKorea,websitealterationsandDDoSattacksweremadeonanumberofgovernment-related websitesandcorporatewebsites. WordPress.com Blog,“WordPress3.5.2MaintenanceandSecurityRelease”(http://wordpress.org/news/2013/06/wordpress-3-5-2/). 22nd: (https://www.facebook.com/notes/facebook-security/important-message-from-facebooks-white-hat-program/10151437074840766). “Important MessagefromFacebook’sWhiteHatProgram” 22nd: AvulnerabilityinFacebook’sDownloadYourInformationtoolthatunintentionally exposedthecontactdetailsforsomeuserswasfixed. “APSB13-16: SecurityupdatesavailableforAdobeFlashPlayer”(http://www.adobe.com/support/security/bulletins/apsb13-16.html). discovered andfixed. 13th: AnumberofvulnerabilitiesinAdobeFlashPlayerthatcouldallowunauthorizedterminationandarbitrarycodeexecutionwere “Microsoft SecurityBulletinSummaryforJune2013”(http://technet.microsoft.com/en-us/security/bulletin/ms13-Jun). ones includingMS13-051. 12th: MicrosoftpublishedtheirSecurityBulletinSummaryforJune2013,andreleasedtheMS13-047criticalupdateaswellfourimportant relation totheRemoteControlVirusincident. 25th: Chargeswerefiledagainstanumberofjournalistssuspectedaccessinganemail accountthoughttohavebeenusedbytheculpritin signatures inAdobeReaderandAcrobatas partofitscyberattackcountermeasures,inresponsetoLGPKIinitiativesforthedigitalsigningPDFfiles. Vulnerabilities A vulnerability(CVE-2013-3919)inBIND9.xthatcouldallowexternalpartiestocauseacrashusingspeciallycrafteddatawasdiscoveredandfixed. Adobe announcedithadpreparedasystem thatallowseasyverificationofLocalGovernmentPublicKeyInfrastructure(LGPKI)digital 12 vulnerabilitiesinWordPresswerefixed,includingafixforserver-siderequestforgeries thatcouldallowattackerstogainaccessasite. S Security Incidents P Political andSocialSituation H History O Other such as electioneering via being prohibited* being email via electioneering as such voters, eligible of activities Internet the on restrictions certain also are there that noted be must it hand, and other the On Twitter. Facebook as such services using Internet the over electioneering conduct to parties political and candidates allowed This passed. was electioneering for Internet the use to possible it making OffiLaw Public the to Election ces arevision April, In I Other due to similarities between the attacks* the between similarities March in to due place took that Attack Cyber 3.20 the to related be to suspected are attacks These malware. by caused be to believed failures system and Anonymous by instigated been have to thought alterations Web several were there and attackers, of anumber by simultaneously out carried were attacks that appears It servers. DNS on made attacks DDoS and altered, were Korea South in websites corporate and websites government-related multiple which in occurred incident an 25, June On diplomacy. foreign affect could they concerns are there EU, and the including world, the around countries other and U.S. the in both criticized were activities These conferences. international as such locations at traffiinformation Internet gathering and c, convey to used networks fi the on cable eavesdropping optic be ber may NSA the that reports also were There agencies. government from received disclosure data for requests of number the of details published and data, the provide to compelled legally were they that explained indicated was involvement whose companies of anumber reason, this For Internet. the with associated companies U.S. major of cooperation the with run being was and photos, videos, Internet-based as such data monitors that PRISM called a program records, phone collecting to addition in and , in targeted being also were citizens U.S. that reported was it but time, some for terrorism to related information gathering been has NSA The buzz. of alot up stirred publisher newspaper aU.K. by released (NSA) Agency Security National U.S. the of activities the regarding article an June, In October. last incident Virus Control Remote the behind culprit the by used been have to thought account email an accessing of suspicion on journalists of a number against fi were papers criminal prosecutors with this, to led connection In incidents. seven to relation in business of obstruction fraudulent as such crimes with charged being him in resulted eventually February in arrested suspect the into investigation year, the last of October from headlines made that Virus Control Remote the concerning incidents of series the Regarding a National Security Council* Security a National of Establishment Regarding Figures Key of a Meeting following Cabinet the by approved was Council Security a National of *27 The malware used in the latest incidents had several similar features, such as initiating attacks at a predetermined time. See the following Symantec Symantec following the See time. apredetermined at attacks initiating as such features, similar several had incidents latest the in used malware The *27 to revisions with associated activities electioneering about information more for site Communications and Affairs Internal of Ministry following the See *26 (http://www.kantei.go.jp/jp/singi/ka_ Council” Security National of a Establishment Regarding Figures Key of “Meeting OffiMinister, Prime the of ce *25 korean-war). on Continue Korea South Against Cyberattacks of Korean War” (http://www.symantec.com/connect/blogs/four-years-darkseoul-cyberattacks-against-south-korea-continue-anniversary- Anniversary DarkSeoul of Years “Four malware. the of behavior the on information more for blog Response Security (in Japanese). (http://www.soumu.go.jp/senkyo/senkyo_s/naruhodo/naruhodo10.html) Electioneering” Internet on Ban the of Removal regarding “Information law the (in Japanese). yusiki/) 25 . 27 . 26 .

11 Infrastructure Security 12 Infrastructure Security accounted for by the use of IP spoofi IP of use the by for ng* accounted is this We believe foreign. or domestic whether addresses, IP of number large extremely an observed we cases, most In minutes). 37 and (54 hours minutes 37 and hours, six days, two for lasted that attack aserver was attack sustained longest The hours. 24 over lasted 0.2% and hours, 24 and minutes 30 between 21% lasted commencement, of minutes 30 within ended 78.8% attacks, all Of packets. pps 55,000 to up using bandwidth of Mbps 295 in resulted and classifiattack, was study server as a ed under period the during observed attack largest The attacks. capacity bandwidth no were There 1.9%. remaining the for accounted attacks compound and incidents, all 98.1%of for accounted attacks Server report. prior our to compared attacks of number daily average the in decrease a day, indicating per attacks 5.65 to averages This attacks. 514 DDoS with dealt IIJ study, under months three the During time). same the at conducted Figure 2: Trends in DDoS Attacks DDoS in Trends 2: Figure *31 A “bot” is a type of malware that institutes an attack after receiving a command from an external C&C server. A network constructed of a large number number alarge of constructed Anetwork server. C&C external an from acommand receiving after attack an institutes that malware of atype is A“bot” the of *31 address IP actual the than other address an given been has that packet attack an sends and Creates address. IP asender’s of Misrepresentation *30 TCP of start the signal that packets SYN of volumes mass send fl SYN TCP attacks flood GET fl attacks. HTTP ood fl and SYN ood, TCP connection TCP The ood, fragments. and packets IP *29 larger-than-necessary of volumes massive sending by a target of capacity bandwidth network the overwhelms that Attack *28 types: onattacks bandwidth three into capacity* attacks DDoS 2categorizes Figure impact. of degree the determine largely will performance) server and (bandwidth attacked environment the of capacity the and attack, a DDoS out carry to used be can that methods many are There situation. each of facts the fi the ascertaining from diffi excluded the to are accurately due gure in culty incidents these but attacks, DDoS other to responds also IIJ standards. Service Defense DDoS IIJ on based attacks be to judged traffianomalies c shows information This 2013. 30, June 1and April between Service Defense DDoS IIJ the by handled attacks DDoS of circumstances the 2shows Figure I Direct Observations services. hindering of purpose the for processes server or bandwidth network traffioverwhelm to c unnecessary of large volumes cause rather but vulnerabilities, of that as such knowledge advanced utilizes that type the not are attacks these of most However, widely. vary involved methods the and occurrence, adaily almost are servers corporate on attacks Today, DDoS 1.3.1 1.3 (No. of Attacks)(No. 20 12 18 10 16 14 2013.4.1 0 2 8 4 6 of bots acting in concert is called abotnet. called is concert in acting bots of individuals. of number alarge from or location, adifferent from coming is attack the if as appear it make to attacker memory. and capacity processing mass wasting send then and commands, server, aWeb on protocol GET HTTP of connections TCP volumes establish fl GET attacks connection HTTP ood TCP memory. and connections. TCP capacity actual of volumes processing of mass wastage the establish fl causing attacks ood connections, incoming major for prepare to target the forcing connections, fl ICMP an called ood. is packets ICMP of fl use aUDP the while called is ood, packets UDP of use Incident Survey Incident DDoS Attacks DDoS 28 , attacks on servers* on , attacks 2013.5.1 30 and * and 31 29 usage as the method for conducting DDoS attacks. DDoS conducting for method the as usage , and compound attacks (several types of attacks on a single target target asingle on attacks of types (several attacks compound , and 2013.6.1 Server Attacks Capacity AttacksBandwidth Compound Attacks (Date) observation project operated by IIJ* by operated project observation *33 The mechanism and limitations of this observation method, as well as some of the results of IIJ’s observations, are presented in IIR Vol.8 (http://www.iij. Vol.8 IIR in presented are observations, IIJ’s of results the of some as well as method, observation Activities.” this of Malware “1.3.2 limitations also and See IIJ. by mechanism The operated project observation *33 activity amalware MITF, the by established Honeypots *32 Port) by Trends Packets, (Observed Attacks DDoS by Caused Backscatter of Observations 4: Figure honeypots* the using backscatter attack DDoS of observations our present we Next I Backscatter Observations and fi nancial institutions, and in June a number of attacks attacks of number a June in and fi and institutions, nancial agencies government U.S. on attacks were May,In there Anonymous. by made been have to thought April in Korea North to related sites on attacks included backscatter of observations IIJ’s via detected were that period survey current the during attacks DDoS Notable known. not is attacks the of purpose the so applications, standard by used normally not are ports These period. this within observed 10,000 over of atotal with time, some for continued and day, aparticular on concentrated not were attacks These 30. May 21 and May between observed were provider hosting aDutch for servers targeting 6010/TCP on Attacks observed. were provider hosting aU.S. against 2106/TCP on attacks of number 1, May alarge and 30 April Between States. United the in providers hosting of a number targeting observed were games, to related be to thought 25565/TCP, on Attacks providers. hosting Dutch and U.S., Swiss, for servers the on those including observed, also were (22/TCP) SSH targeting attacks Many vendor. e-commerce aChinese and provider hosting aU.S. of servers Web the targeting observed were attacks 5, June On 3. June on observed were Germany in provider asecurity for servers Web on Attacks detected. also were provider hosting U.S. another of servers Web the on attacks 17, May On observed. were providers hosting U.S. and in site ascience-related of servers Web the 2, on April on attacks when (80/TCP) servers Web of anumber from those included observed packets backscatter of numbers large Particularly 6005/TCP. and 6010/TCP unused typically the and 25565/TCP, game-related the as for well as SSH, 22/TCP and DNS for used 53/TCP as such ports on observed also were Attacks period. target the for during total the of accounting 51.8% services, Web for used port 80/TCP the was observed attacks DDoS the by targeted commonly most port The port. by numbers packet in trends 4shows Figure and country, classifi addresses IP by ed sender’s the 3shows Figure 2013, 30, June 1and April between observed backscatter the For interposition. any without party athird as networks external on (No. ofPackets) 10,000 15,000 20,000 25,000 30,000 5,000 2013.4.1 0 ad.jp/en/company/development/iir/pdf/iir_vol08_EN.pdf) under “1.4.2 Observations on Backscatter Caused by DDoS Attacks.” DDoS by Caused Backscatter on Observations “1.4.2 under ad.jp/en/company/development/iir/pdf/iir_vol08_EN.pdf) 33 . By monitoring backscatter it is possible to detect some of the DDoS attacks occurring occurring attacks DDoS the of some detect to possible is it backscatter monitoring . By 2013.5.1 Figure 3: Distribution of DDoS Attack Targets According According Targets Attack DDoS of 3: Figure Distribution EU 6.0% CN 5.8% NL 4.8% RU 4.7% TR 3.2% PL 3.1% AR 1.8% Other 23.1% 2013.6.1 Period under Study) under Period Entire Country, (by Observations Backscatter to 32 set up by the MITF, a malware activity activity MITF, a malware the by up set (Date) 80/TCP 53/TCP 25565/TCP 22/TCP 6010/TCP 6005/TCP 8404/TCP 2106/TCP 30800/TCP 53/UDP Other US 33.9% DE 6.1% FR 7.5%

13 Infrastructure Security 14 Infrastructure Security 6675/TCP on a wide range of IP addresses. This This addresses. IP honeypot of range awide on 6675/TCP to 6666/TCP targeting communications in increase an was there mid-May, and April late Between known. not is this of purpose the random, were itself data the and lengths data the both Because 6. April on place took also Iran to allocated address IP an from specifiaddress IP honeypot c a targeting communications 56994/UDP 15. April on Korea South to allocated addresses IP from 12, and April on Korea South and China, , to allocated addresses IP from coming observed were communications concentrated example, For period. survey current the during occurred also attacks dictionary SSH be to thought Communications such as 6666/TCPand 56994/UDP. applications, common by used not ports on observed were purpose unknown an of communications Additionally, requests. echo ICMP and MySQL, for used 3306/TCP SSH, for used 22/TCP Windows, for function login remote RDP 3389/ the by Server, used SQL TCP Microsoft’s by used 1433/TCP targeting behavior scanning observed We also systems. operating Microsoft by utilized ports TCP targeting behavior scanning demonstrated honeypots the at arriving communications the of Much MSRPC. on attacks as such a specifi to port, c connections multiple involved attack the when attack a single as connections TCP multiple count to data corrected we observations these in Additionally, study. to subject period entire the over ten) (top types packet incoming for trends the showing honeypot, per average the taken We have observation. of purpose the for honeypots numerous up set has MITF The packets). (incoming volumes total the in trends 6shows Figure 2013. 30, June 1and April between honeypots the into coming communications for country by addresses IP sender’s of distribution the 5shows Figure of RandomI Status Communications attack. for atarget locate to attempting scans or random, at atarget selecting malware by communications be to appear Most Internet. the over arriving Figure 6: Communications Arriving at Honeypots (by Date, by Target Port, per Honeypot) per Port, Target by Date, (by Honeypots at Arriving Communications 6: Figure MITF* the of observations the of results the discuss will we Here, 1.3.2 detected. were MIT on attacks and behavior, radical exhibits the in that U.S. group areligious on attacks June, and May between specialists security U.S. well-known of websites the on attacks agencies, intelligence Israeli on attacks from be to thought Backscatter observed. were agencies government Swedish on *35 A system designed to simulate damages from attacks by emulating vulnerabilities, recording the behavior of attackers, and the activities of malware. of activities the and attackers, of behavior the recording vulnerabilities, emulating by attacks from damages simulate to designed Asystem *35 malware observing 2007, May in activities began (MITF) Force Task Investigation Malware The Force. Task Investigation Malware of abbreviation An *34 MITF uses honeypots* uses MITF (No. ofPackets) 1,000 1,200 1,400 200 400 600 800 2013.4.1 0 network activity through the use of honeypots in an attempt to understand the state of malware activities, to gather technical information for for information technical countermeasures. fi gather to actual to these link to ndings and activities, malware of countermeasures, state the understand to attempt an in honeypots of use the through activity network Malware Activities 35 connected to the Internet in a manner similar to general users in order to observe communications communications observe to order in users general to similar amanner in Internet the to connected 2013.5.1 34 Figure 5: Sender Distribution (by Country, Entire Period Period Entire Country, (by 5: Figure Distribution Sender , a malware activity observation project operated by IIJ. The The IIJ. by operated project observation activity , amalware CN US KR IR TW RU IN BR RO HK Other 21.6% Outside Japan 94.3% 38.4% 10.7% 4.8% 4.4% 3.6% 3.3% 2.3% 1.9% 1.8% 1.5% 2013.6.1 under Study) (Date) Within Japan 5.7% 445/TCP 22/TCP 1433/TCP 3389/TCP 6666/TCP 139/TCP 135/TCP ICMP Echorequest 3306/TCP 56994/UDP Other Other1.1% 0.1% I ISP 0.1% H ISP IIJ 0.2% G ISP 0.2% F ISP 0.2% E ISP 0.5% D ISP 0.6% C ISP 0.7% B ISP 1.9% A ISP 0.1% In Figure 8 and Figure 9, the number of acquired specimens show the total number of specimens acquired per day* per acquired specimens of number total the show specimens acquired of number the 9, Figure 8and Figure In specimens. unique of number the in trends 9shows Figure acquired. specimens malware of number total the in trends shows 8 Figure while study, under period the during malware for source acquisition specimen the of distribution the 7shows Figure Activity Network I Malware behavior. scanning related be to this believe we range, this in ports use clients IRC some because and IRC, for used aport is 6667/TCP States. United the and China from mainly was *37 This fi gure is derived by utilizing a one-way function (hash function) that outputs a fi xed-length value for various input. The hash function is designed to designed is function hash The input. various for value a outputs xed-length that fi function) (hash function one-way a utilizing by fi This derived is gure *37 honeypots. by acquired malware the indicates This *36 Conficker) (Excluding Specimens Unique of Number the in Trends 9: Figure Conficker) (Excluding Acquired Specimens Malware of Number Total the in Trends 8: Figure number of unique specimens is the number of specimen variants categorized according to their digest of a hash function* ahash of digest their to according categorized variants specimen of number the is specimens unique of number Figure 7: Distribution of Acquired Specimens by Source Source by Specimens Acquired 7: of Figure Distribution (Total No.ofSpecimensAcquired) 100 150 200 250 300 (No. ofUniqueSpecimens) 10 15 20 25 30 35 40 45 2013.4.1 50 2013.4.1 5 0 0 TW US CN BR RU TH ID IN RO BG Other 34.0% Outside Japan 97.6% fact into consideration when using this methodology as a measurement index. this take to ameasurement as efforts methodology best this its using when expended has MITF the consideration values, into hash fact different having that given malware same value, the of hash by specimens in specimens of result may uniqueness padding the and guarantee cannot obfuscation we While inputs. different for possible as outputs different many as produce 10.3% 9.3% 5.0% 3.6% 3.3% 3.2% 7.4% 7.2% 7.2% 7.1% Excluding ConfiExcluding cker) Study, under Period Entire Country, (by 2013.5.1 2013.5.1 Within Japan 2.4% Other 0.1% 0.3% ISP E 0.4% ISP D 0.4% ISP C 0.5% ISP B 0.7% ISP A 2013.6.1 2013.6.1 (Date) (Date) NotDetected Trojan.Dropper-18535 Trojan.Spy-78857 Trojan.SdBot-9861 Trojan.Mybot-5073 Worm.Allaple-2 Heuristics.W32.Parite.B Worm.Agent-194 Trojan.Agent-71049 Trojan.Agent-71068 Other NotDetected Empty file Trojan.Dropper-18535 Trojan.Spy-78857 Trojan.Dropper-20380 Trojan.Agent-173287 Trojan.Agent-71049 Worm.Agent-194 Trojan.Spy.Zbot-440 Worm.Mydoom-21 Other 36 , while the the , while 37 .

15 Infrastructure Security 16 Infrastructure Security 41% compared to the 3.2 million PCs observed in November 2011, but it demonstrates that infections are still widespread. still are infections that 2011, demonstrates it but November in observed PCs million 3.2 the to 41% compared Working Group*Working Confi the of cker observations the to According 2%. about by down also were specimens Unique period. survey previous the to compared 13% approximately by increased report this by covered period the during acquired specimens of number total The fi from it report. this in omitted gures have we far, so by malware prevalent Confi that most the remains cker demonstrates This specimens. unique of 97.3% and acquired, specimens of number total Confi the fi of 99.7% While periods, for malware. short accounts over fall cker and rise different 791 gures representing report, this by covered period the during day per acquired were Confispecimens Including 33,250 of average cker,an I Conficker Activity format. letters).com” random a“www.(6 use generates malware this domains the that indicates servers* C&C botnet of 120 confi MITF presence the the rmed addition, In downloaders. were 6.4% and bots, were 53.2% worms, were acquired specimens malware of 40.4% observation under period current the during analysis, independent MITF’s the Under June. late and April early in France and U.S. the in observed was Kong Hong and this is due to the presence of a single type of malware with a DGA (Domain Generation Algorithm)* Generation (Domain aDGA with malware of type asingle of presence the to due is this on an ongoing basis in Indonesia and the Philippines in April. Two bot variants* Two bot April. in Philippines the and Indonesia in basis ongoing an on observed intermittently in the same regions in May and June, and aworm* and June, and May in regions same the in intermittently observed 4 Confi ckerworkinggroup.org/wiki/pmwiki.php/ANY/InfectionTracking). (http://www.confi ckerObservations Group Working *44 based to connect to server C&C the for name adomain generates automatically malware which in systems to refers bots. of Algorithm) number alarge of Generation (Domain DGA consisting abotnet to commands provides *43 that Aserver Server. &Control Command of abbreviation An *42 AP (http://about-threats.trendmicro.com/Malware.aspx?id=36201&name=WORM_DEBORM.AP&language=au). WORM_DEBORM. *41 (http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fHamweq). Win32/Hamweq *40 Trojan:Win32/Ircbrute (http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Trojan%3AWin32%2FIrcbrute). *39 (http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FNeurevt.A). Trojan:Win32/Neurevt.A *38 malware* learned we closely, more specimens undetected these investigating After malware. different 22 representing study, under period the during day per acquired were specimens 109 average, On data. totaling when Confi any results removed and cker packages, software anti-virus Confi multiple using detected cker have 9we Figure 8 and Figure for report, previous our with As name. malware by coded color displayed is variants top 10 the of breakdown a and software, identifi also anti-virus are using ed Specimens down by generating a new domain name and reconnecting. and name shut is domain anew server C&C generating by down connected the after activity resume and recover to and URL devices, avoid to used is ltering fi This time. the afion as such rule, xed 42 and 15 malware distribution sites. The number of C&C servers has risen dramatically since the last report, but but report, last the since dramatically risen has servers C&C of number The sites. distribution 15 malware and 44 , as of June 30, 2013, a total of 1,312,964 unique IP addresses are infected. This is a drop of approximately approximately of a drop is This infected. are addresses IP unique 1,312,964 of a total 2013, 30, June of , as 41 sourced to IP addresses allocated to the U.S. U.S. the to allocated addresses IP to sourced 38 that steals accounts had been observed observed been had accounts steals that 39 * 40 controlled by IRC servers were also also were servers IRC by controlled 43 function. IIJ analysis analysis IIJ function. As previously shown, attacks of various types were properly detected and dealt with in the course of service. However, attack ongoing attention. requiring continue, attack attempts However, service. of course the in with dealt and detected properly were types various of attacks shown, previously As server. fi to ona Web attempts vulnerabilities nd been have to thought are attacks 27. These June on targets of number at a directed China in specifisources from attack c attacks were there Additionally, 9. June from on Tor be to thought sources attack of number a from specifitargets attack c on attacks and 3, June on China in sources attack of number a from specifi same the on targets c 19, attacks April on targets specifi at c directed China in sources specifi from attack c attacks also were There place. took also aspecifi at target c directed States United the in specifisources from attack c attacks 2, May On 2. May and 1 May specifibetween at targets directed c Netherlands the and U.S. the including sources attack of anumber from attacks large-scale were there period, this During some days. on occurred specifithat on targets c attacks large-scale to due place, 3rd to rose China from Attacks report. previous the to compared servers Web against made were attacks injection SQL Fewer order. in following countries other with respectively, 19.1%, and 21.8% for accounted China and States United the while observed, 31.1% for attacks of source the was Japan IPS Service. Managed IIJ the on signatures by detected attacks of asummary are These attacks. of numbers the in trends 11 shows Figure 2013. 30, June 1 and April between detected servers Web against attacks injection SQL of distribution the 10 shows Figure content. Web rewrite to attempt that those and servers, database to overload attempt that those data, steal to attempt that those patterns: attack three of one in occur to known are injections SQL security. Internet the in topics major the of one remaining past, the in times fl have numerous attacks frequency in up ared Of the types of different Web server attacks, IIJ conducts ongoing surveys related to SQL injection attacks* injection SQL to related surveys ongoing conducts IIJ attacks, server Web different of types the Of 1.3.3 *45 Attacks accessing a Web server to send SQL commands, thereby manipulating an underlying database. Attackers access or alter the database content content database the alter or access Attackers database. underlying an manipulating thereby commands, SQL send to server a Web accessing Attacks *45 Type) Day, Attack by (by Attacks Injection SQL in 11: Trends Figure Figure 10: Distribution of SQL Injection Attacks by Source by Attacks Injection SQL of 10: Figure Distribution CN 19.1% DE 4.1% NL 3.1% UA 2.4% HK 2.3% JM 1.7% PT 1.4% TW 1.2% Other 11.8% (No. Detected) 1,000 1,500 2,000 2,500 3,000 3,500 500 2013.4.1 0 without proper authorization, and steal sensitive information or rewrite Web content. Web rewrite or information sensitive steal and authorization, proper without SQL Injection Attacks Injection SQL (5,039) (6,380) 2013.5.1 (9,991) (7,727) US 21.8% JP 31.1% (3,441) 2013.6.1 (4,533) (Date) SQL_Injection HTTP_GET_SQL_UnionAllSelect HTTP_GET_SQL_UnionSelect URL_Data_SQL_1equal1 HTTP_POST_SQL_WaitForDelay HTTP_GET_SQL_Convert_Int HTTP_GET_SQL_Select_Count SQL_Injection_Declare_Exec SQL_SSRP_MDAC_Client_Overflow HTTP_POST_SQL_UnionSelect Other 45 . SQL injection injection . SQL

17 Infrastructure Security 18 Infrastructure Security have begun to differ dramatically from those fi rst seen, with some forming via P2P, and others only operating in user user in operating only P2P, via others and botnets forming fisome with those from seen, rst dramatically differ to variants begun have ZeroAccess of implementations years, recent In software. cracked fake as it distributing by techniques engineering *50 Exploit kits were explained during IIJ Technical Week 2010. “IIJ Technical WEEK 2010 Security Trends for 2010 (1) Web Infection Malware Trends” (http:// Trends” Malware Infection Web (1) 2010 for Trends Security 2010 WEEK Technical “IIJ 2010. Week Technical IIJ during explained were kits Exploit *50 is viewer the by used computer the If content. Web views auser when vulnerabilities exploiting by infections malware cause downloads Drive-by *49 Once artifacts. OS to make they that changes the as well as out, carried communications the of characteristics the on defi are based ned IOCs malware, For threats. known of existence the indicating information technical is Compromise) of (Indicator IOC An *48 Additionally, SpyEye. about information more for (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol13_EN.pdf) SpyEye” “1.4.2 Vol.13 under IIR See *47 from accessible directly addresses IP global with (nodes nodes super of infection for ratio highest 3rd the had Japan that noted Sophos report, its In *46 Figure 12: Behavior of User ZeroAccess Mode Variants (Dropper) ZeroAccess* regarding report analysis an published year, Sophos last of September In 2009. around from emerge to began that malware a bot-type is ZeroAccess 1.4.1 incidents. login unauthorized of spate recent the discuss we Finally, exploited. being routers home of risks potential the examine we Next, malware. ZeroAccess the detecting for techniques at alook take we First, themes. three covering period this during undertaken have we surveys the from information present we Here, incidents. prevalent of analyses and surveys independent perform to continuing by countermeasures implementing toward works IIJ Accordingly, next. the to minute one from scope and type in change Internet the over occurring Incidents 1.4 IOC (Indicators of Compromise)* IOC (Indicators fi our the share and IIJ, by regarding ndings analyzed variants ZeroAccess recent of behavior the explain we section, this In SpyEye and variants* ZeuS and SpyEye like just plug-ins DLL executing for afunction with equipped is ZeroAccess However, computers. infected on mining Bitcoin and fraud click through exploitation monetary was malware the of purpose main The time. the at affected also were Japan in computers of number a large that indicated It country. each for ratios node infected provided and point, that to up ZeroAccess In many cases, ZeroAccess is installed via drive-by downloads* drive-by via installed is ZeroAccess cases, many In Variants Mode User ZeroAccess of I Behavior Management Server Pay-Per-Install Update www.iij.ad.jp/company/development/tech/techweek/pdf/techweek_1119_1-3_hiroshi-suzuki.pdf) (in Japanese). www.iij.ad.jp/company/development/tech/techweek/pdf/techweek_1119_1-3_hiroshi-suzuki.pdf) content. Web the viewing by merely malware with infected is it vulnerable, le_upload/dsp- w25a.pdf). (http://www.rsaconference.com/writable/presentations/fi Formats” and Standards of Overview standard. An each of points bad Compromise: of and good the Indicators compares 2013 “Sharing Conference RSA at Harrington Chris by OpenIOC, made include standards presentation IOC following The swiftly. IODEF. with and dealt CybOX, be can malware same the with infection of incidents defi is subsequent ned, malware to related IOC an variants. its and behavior ZeuS of explanation an for Citadel The “1.4.2 Vol.18 under IIR or (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol18_EN.pdf) ZeuS” of Variant (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol16_EN.pdf) Variants” its and ZeuS “1.4.3 Vol.16 under IIR see Gain” Financial Massive for Fraud and Mining Botnet: ZeroAccess “The (http://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/Sophos_ZeroAccess_Botnet.pdf). nodes. non-super of infection for ratio highest 10th the and nodes), infected other Focused Research Focused An Examination of ZeroAccess and its IOC its and ZeroAccess of Examination An (4) server asneeded installation statusto infected computerand Sends informationon bypass UAC privileges and elevate Attempts to 47 , so new features may be incorporated in the future. the in incorporated be may features new , so (after privilegeelevation) 48 for detecting them on infected computers. infected on them detecting for Dropper Dropper 46 . The report stated that 9 million computers worldwide had been infected with with infected been had worldwide computers 9million that stated report . The (6) (1) (5) (2) (3) destination andinjectiontarget),deletesitself Executes additionalinstallationprocess(changesthe Code injectionintoexplorer.exe Code injectionintoexplorer.exe(2nd) and services Shuts downWindowssecurityprocesses and addsautorunsettingstoregistry Extracts andsavesfilesfromin-lineCAB, 49 using exploit kits* 50 such as Blackhole, or using social social using or Blackhole, as such node listfile Main DLLandinitial explorer.exe explorer.exe Windows Defender DLL dropped Executes main notifications security-related Suppresses necessary for pay-per-install services* pay-per-install for necessary information the collecting for be to thought is This status. installation the and computers infected on process, information sending installation the during frequently sources external with communicates also dropper The security. to related services variants actually depending mode differs on the user variant. ZeroAccess for path installation DLL The malware. of behavior the to related directly not are that data of pieces superfi merely cial are they defi be because is This information ned. this that recommend not Ido personally However, URLs. defi IOC for are elements used nitions and keys, commonly finames, most le The registry above. values, hash le detailed fi behavior its on based computers, infected on variants ZeroAccess detecting for IOC the at look abrief take will we Here Observations I IOC-related it. execute and download fipeers other executable make and le, arbitrary an upload to ZeroAccess of creator the than other afi of diffiit parties section third makes for This cult le. resource the from data to relating signature verifi and fithe es extracts NTFS the also of It system. information le entry the in included (EA) Attribute Extended the from signature as well as stamp time and size as such verifimetadata plug-in es ZeroAccess extracting by peers. les fi other with communications out carries mainly itself DLL installed the so plug-ins, using executed are above mentioned functions mining fiBitcoin and plug-in fraud click TCP. uploads over and The les UDP, via downloads and commands bot receives and fi list node initial the sends on then It based le. network P2P ZeroAccess the to connects DLL installed the Subsequently, give an outline of ZeroAccess user mode variant behavior* variant mode user ZeroAccess of outline an give 13 12 Figure and Figure dropper. the by installed aDLL and adropper, of consist ZeroAccess of variants mode User mode. Figure 13: Behavior of ZeroAccess User Mode Variants (Installed DLL) (Installed Variants Mode User ZeroAccess of Behavior 13: Figure notifi cations. After bypassing UAC by exploiting the DLL load order* load DLL the exploiting by UAC notifibypassing After cations. security-related IAT suppress to the in actioncenter.dll and wscntfy.dll for entries the hooks and explorer.exe, into code injects wscntfy.exe, and MSASCui.exe as such security Windows to related processes down shuts it example, For smoothly. proceed to installation allowing places, many in functions security Windows some disables that code executes dropper The *53 Pay-per-install is a system in which money is paid based on the number of computers malware is installed on. The amount paid differs depending on a on depending differs paid amount The on. installed is malware computers of number the on based paid is money which in a system is Pay-per-install *53 then folder, temporary to a this fi dropper extracts The rst dropper. the of area data the in aCAB in stored is installer Flash Adobe an variants, recent In *52 basic the that found have we but services.exe, to a applies that variant confi also another has IIJ rmed here, explained variants the to addition In *51 (3) presentation by Juan Caballero at USENIC Security ’11 for market research and observations on pay-per-install services. “Measuring Pay-per-Install: The The Pay-per-Install: “Measuring services. pay-per-install on (http://usenix.org/events/sec11/tech/full_papers/Caballero.pdf). of Distribution” Malware Commoditization observations following and the See research ’11 market for ZeroAccess. with Security USENIC at infected Caballero computers Juan of by number the presentation increasing factors the of one is above system mentioned service report Sophos The pay-per-install this gained. that privileges of indicates type the and version, OS the GeoIP, the as such computer, infected the on information of variety privileges. elevated with again executed is dropper the “Yes” selects user the if and installer, the of upon execution displayed is prompt UAC a Next, installer). Flash Adobe the in DLL same for a (the used finame the le fi under “msimg32.dll” name, le itself saves same. the is behavior received (TCP) Files aresentand ZeroAccess P2P Network Main DLL (2) (1) commands (UDP) updated usingthree Peer andfileinformationis the plug-inisloadedandexportfunctionexecuted. exists, thesignatureforitsmetadataandcontentisverified.Then The initialnodelistfileismappedtomemory,andifaplug-in 53 . 51 . 52 , it shuts down a large number of processes and and processes of number alarge down shuts , it Initial NodeListFile Plug-In Files

19 Infrastructure Security 20 Infrastructure Security for tricky deletion processing* deletion tricky for I would recommend everyone give it atry. it give everyone recommend I would so it, to advantages many are there here shown as but moment, the at Japan in often taken not is incident an to responding defi using of when IOC ned approach The investigations. in part take also can malware of knowledge specialist without those that means This easily. shared be can afi use they so also IOCs format, xed incident. an of resolution swift the to lead can IOC using quickly threats detect to able being this, like cases In checked. be must computers of number alarge when more the all applies This cases. many in this detect to time along take will it infected, are you once Consequently, software. anti-virus and functions security Windows disables late of malware the ZeroAccess, of behavior the by demonstrated as Additionally, consideration. thorough without trusted be cannot that programs executing not by vigilant stay and parties, third from that including date, to up software keep to necessary is it Namely, infection. preventing for crucial are date to IIR this in emphasized have we points that means This Internet. the over distributed programs fake of execution the and kits, exploit using downloads drive-by are ZeroAccess for vectors infection main The computers. infected on it detecting for IOC generic at look aquick took and ZeroAccess, of behavior the explained we section, this In I Summary driver. its by imported API the as such elements using earlier, appeared that ZeroAccess mode kernel the for IOC generic generate to possible also is it However, IOC. its discussed and variants, mode user ZeroAccess of behavior the at alook taken have we Here *57 It obtains the shell path (normally cmd.exe) by searching for environment variables, launches the shell in a suspended state, and then changes the the changes then and state, asuspended in shell the launches variables, environment for code. searching by shell like cmd.exe) status, (normally path execution shell the current the of obtains It regardless *57 operation intended the out carry to able be to designed Code *56 and code, injecting when ZwQueueApcThread and ZwQueryInformationThread as such APIs low-layer comparatively uses ZeroAccess example, includes For Lteg: to *55 (response fiLter les), downloads and info, peer updates responses, receives then communication: (initiates Lteg include types Command *54 string* defiare 4-byte a using ned names command UDP, over these and commands bot receives and sends DLL installed the example, For variants. of number greater a detect to used be can and generic, more is IOC the behavior, malware to defiBy relates that information ning by both parties communicating, so this is another value that is unlikely to change. The API* The change. to unlikely is that value another is this so communicating, parties both by used be must key same The payload. the on used is key a4-byte on based XOR received, and sent are commands call/jmp commands used in the PIC (Position-Independent Code)* (Position-Independent PIC the in used commands call/jmp the via acquisition data or calls function API as such code, distinctive of alot contains dropper The image. memory the in it detect to possible defirealistically are not is it dropper ned, the of characteristics the if even so installed, is DLL the once itself fideletes dropper The executable les. different completely are DLL installed the and dropper the that is here noted be should that thing one ZeroAccess, For data. memory volatile the of image a binary be must target the above, mentioned information the on based fiIOC the on malware applying the when for so used is system, le packing generic as known Compression this. as such information combining by generated be can IOC generic A defi be also characteristic. as a ned execution context and stack of the shell process to delete the dropper being executed. being dropper the delete to process shell the of stack and context execution fi and operations. le registry for ZwCreateFile and ZwDeleteValueKey botnet). to peers new (broadcasts Lwen and fi and peer information), some le 57 . However, these cannot be used as IOC. as used be cannot these . However, 54 . These are fi xed unless a completely different P2P protocol is used. Furthermore, when when Furthermore, used. is protocol P2P different fi are completely . These a unless xed 56 , code for extending the stack area dynamically, and code code and dynamically, area stack the extending for , code 55 that ZeroAccess imports can can imports ZeroAccess that Changer malware* Changer DNS the example, For authorization. without changed being settings other and DNS to leading home, at used PC infected malware by a router home of a confi the on interface launched was guration attack an which in incidents been have There PC Home Infected an on Malware by Caused I Confi Changes guration fraudulently. VoIP as such services optional to up signs or authorization, without services access uses party athird when damages monetary to led has This information. this obtained and privileges, administrator with adevice accessed has party external an which in incidents been have there Consequently, text. plain in router the to ISP) an to connecting for password and ID the example, (for information authentication save devices some that known also is It privileges. administrator with router the access to possible was it installation, of time the since password or settings the changed not had users confi to users because However, them. encourage gure that instructions and password are used* are password and ID administrator default the when privileges administrator with Internet the on anywhere from in log to possible being it of issue the to leads This settings. default their under restrictions access any implement not do routers home Some I Unauthorized to Access Management Interfaces software. malicious of installation the and banking, online for passwords and IDs of theft the as such This damages to led servers. fake to users redirecting banks, as such institutions for sites of resolution name the during responses fraudulent returned servers DNS malicious The technique. this using fraudulently compromised been had world the around units million Internet can play a part in amplifying the volume of traffi c when they are exploited from the Internet (Figure 14). Even though though Even 14). (Figure Internet the from exploited are traffi of they volume when c the amplifying in apart play can Internet the over communicate can network a home to connected devices that so resolution name DNS assisting for functions particular, In settings. default the under locations external from used functions their having of risk at are routers home Some Attacks DDoS in Participation Resolver Open I DNS routers. home on settings change to attempted that code attack 300 Gbps* 300 at peaking scale, of unheard apreviously of 2013 was March in organization anti-spam aEuropean on attack A DDoS 1.4.2 *63 See “1.4.2 DNS Changer Malware” in IIR Vol.15 (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol15_EN.pdf) for more information about the the about information more for Vol.15 (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol15_EN.pdf) IIR in Malware” Changer DNS “1.4.2 See *63 Users” by Taken be to Steps and Vulnerability, Router Brand Logitec “[Warning] Japan, Telecom-isac product. domestic following the example, For *62 (http://www.cert.br/docs/ CERT.br. organization CSIRT Brazilian by presentation following the in found be with can incident addresses this about identify to world information the More around addresses *61 IP surveys which (http://openresolverproject.org/), Project Resolver Open the attack, this of light In *60 DSL and connections Internet TV cable as such services for equipment terminating as function that devices to refer routers home report, this In are.com/ *59 (http://blog.cloudfl Internet” the Broke Almost That DDoS “The attack. this about information more for post blog CloudFlare following the See *58 DNS servers and home routers* home and servers DNS their settings to reference malicious DNS servers that had been prepared by an unknown party* unknown an by prepared been had that servers DNS malicious reference to settings their change to exploited been had modems) (ADSL routers home of anumber affecting avulnerability that light to 2011,In came it I Changes to DNS by Settings Exploiting Vulnerabilities routers. home to related incidents as well as years, few past the over occurred have that routers home targeting attacks at look will we First, Incidents I Home Router-Related consider measures for resolving it. and situation, this of cause the discuss households, in used generally routers home of state current the summarize we Here redirected to a malicious site. Trend Micro, “Targeted Attack in Mexico: DNS Poisoning via Modems” (http://blog.trendmicro.com/trendlabs-security- Modems” intelligence/targeted-attack-in-mexico-dns-poisoning-via-modems/). via Poisoning DNS Mexico: in were Attack banks for “Targeted Micro, Trend servers site. individual amalicious to accessing redirected users which in example an is 2012 in Mexico in incident following the Additionally, malware. Changer DNS (in Japanese). (https://www.telecom-isac.jp/news/news20120730.html) DNS Fake Reference Routers “Home post. blog IIJ-SECT due to Confifollowing Server Unauthorized the in details (https://sect.iij.ad.jp/d/2012/06/148528.html). guration Changes” further reported also We rstsymposium2012.pdf). palestras/certbr-fi routers. home as such devices CPE of settings the review to users urging alert an issued attacks, amplifi DNS in cation used be could that settings providers. by (CPE) Equipment Premises Customer called commonly also is This connections. the-ddos-that-almost-broke-the-internet). Home Security Router 58 . This used DNS amplifi cation attack (details below) techniques, and is said to have reached this scale by using using by scale this reached have to said is and techniques, below) (details amplifi DNS attack used . This cation 63 that was paralyzed in 2012 not only changed the DNS settings on an infected PC, but also contained contained also but PC, infected an on settings DNS the changed only 2012 in not paralyzed was that 62 . In most cases routers were equipped with access control functions, and the manual contained contained manual the and functions, control access with equipped were routers cases most . In 59 with confi guration issues as stepping stones* stepping as confi with issues guration 60 . 61 . It is said that up to 4.5 4.5 to up that said is . It

21 Infrastructure Security 22 Infrastructure Security Figure 14: DNS Amplifi cation DDoS Attacks using DNS Open Resolvers as Stepping Stones Stepping as Resolvers Open DNS using Attacks Amplifi DDoS DNS 14: cation Figure home routers* It is clear that vulnerabilities related to the Universal Plug and Play library that were disclosed in January 2013* January in disclosed were that library Play and Plug Universal the to related vulnerabilities that clear is It in Libupnp I Vulnerabilities basis. adaily on out carried are attacks such as one that peaked at 167 Gbps in May* in Gbps 167 at peaked that one as such attacks, large-scale particularly in used been has it recently but past, the in place taken also have method this using Attacks from the Internet* the from stones, with 4,625 IP addresses in Japan also having a hand in the incident* the in ahand having also Japan in addresses IP 4,625 with stones, *69 At the time of writing, the results of a search using SHODAN (http://www.shodanhq.com/), which collects information on implementations by IP address, address, IP by implementations on information collects which (http://www.shodanhq.com/), SHODAN using asearch of results the writing, of time the At *69 overfl ow Buffer identifiJVN, “JVNVU#90348117 ed. vulnerabilities multiple the by affected products the on information summarizes JVN following The *68 buffer multiple contains (libupnp) Devices UPnP for SDK “Portable vulnerabilities. of anumber on information contains report Rapid7 following The *67 (http://www. Attack” Refl DNS DDoS ection Largest-Ever Stops “Prolexic attack. this on information more for announcement Prolexic following the See *66 degree what to known not is it and servers, were attack the in apart played that resolvers open the of many indicated presentation same the However, *65 le/0009/58878/tom-paseka_1361839564. (http://www.apricot2013.net/__data/assets/pdf_fi Recursor” Open the of curse “The CloudFlare’s to According *64 attack* another regarding CloudFlare from statement a In above. presented Europe in example the as such attack DDoS alarge-scale cause can way, they same the in exploited are devices Internet-connected of number large a when traffiamount, small by a amplify c only can routers home individual and thehomerouterpassesitontodevicethatissuedquery. are acquiredinresponse.Thisresponseisforwardedtothehomerouter, server ontheInternet,andresourcerecordscorrespondingtoquery DNS serveroftheISPultimatelysends queriestoanauthoritativeDNS router forwardsthesetotheexternalcacheDNSserverofISP,etc.The network devicesendsDNSqueriestothehomerouter,and Under normalDNSnameresolution,shownbythepurplelines,home However, this fi gure is thought to include devices such as printers connected to networks run under a comparatively open policy, like those at universities, universities, at routers. those like home policy, open represent only not does comparatively it a so under run networks to connected negotiation. printers as UPnP such initial in used devices include to protocol fi SSDP this the thought to is However, gure respond that Japan) in million 2.7 (approximately worldwide addresses IP million 28 showed vulnerabilities (in Japanese). in Portable SDK for UPnP” (https://jvn.jp/cert/JVNVU90348117/index.html) (http://www.kb.cert.org/vuls/id/922681). overfl SSDP” in ows ection-ddos-attack-167-gbps.html). prolexic.com/news-events-pr-prolexic-stops-largest-ever-dns-refl awhole. as attack the to contributed routers home introduced. example attack the for region c Asia-Pacifi the in addresses IP most the for account Japan 2013, Apricot at presentation pdf) 68 . Unless fi rmware that eliminates the vulnerabilities is used, there is a risk of users being left open to attacks attacks to open left being users of risk is a there used, is vulnerabilities the fi. Unless eliminates that rmware Cache DNSServerofISP,etc. Authoritative DNSServer 69 . an OpenResolver Home RouterServingas (2) (5) (3) (1) (4) Authoritative DNSServerwith 66 . IIJ’s MITF honeypot observations also show that attempts to set off these these off set to attempts that show also observations honeypot MITF . IIJ’s Large ResourceRecords Attacker 64 , open resolvers in a large number of countries served as stepping stepping as served countries of number alarge in resolvers , open (6) (1) (6) (5) The ISP'sDNSserverforwardstheattackresponsetohomerouter. (4) attack DNSthe query,of the contentlargeon Based resource records (3) Because thesecommunicationsarefromalegitimateuser,theDNS (2) The homerouterprocessestheDNSqueryfromattackerasifit (1) The attackersendsanattackDNSquerytothehomerouterservingas open resolvers. caused whenthefollowingprocedureisrepeatedforlargenumbersof are resolvers open exploiting amplification DNS on based attacks DDoS In it receivestothesource. The homerouterforwardstheattackresponse this case,thesourceisIPaddressoftargetspoofedbyattacker. the attackresponse. are sentfromtheauthoritativeDNSservertoISP'sas Internet-based authoritativeDNSserver. legitimate DNSqueries,soitsendstheattackqueryto server oftheISPcannotdifferentiatebetweenattackDNSqueryand server oftheISP,etc. DNS tothe it were arequestfromthehomenetwork,andforwards amount ofinformationisrequested. source, andthequeryconsistingofaresourcerecordcontaininglarge an openresolver.Atthistime,thetarget'sIPaddressisspoofedas 65 . Attack Target 67 affect some some affect they should provide default settings that can be used safely by simply turning on the power when deploying a device, and and adevice, deploying when power the on turning simply by safely used be can that settings default provide should they example, For secure. more products their make to aim to need also would routers home provide that developers product The life. day-to-day in them implementing for essential be would processes these assisting for tools that meaning work, of amount inordinate an require would This log. communications daily a check and settings, of confito security the rm finecessary is latest it the Then, use to rmware. endeavor and them, of each for information vulnerability the of note make it, to connect will that fidevices the all must users one, identify rst acorporate as way same the in network To ahome run risks. reduce to side Internet the on communications regulate to is Another operation. everyday for them use and networks, home into corporations as such organizations at networks of operation secure the for used techniques and technology the bring to is One situation. this resolving to approaches two envisage can we now, of As I Resolvingthe Situation issues. the resolving for countermeasures evaluate to used be will they serious, particularly is situation the if but survey, the from results of publishing the regarding made been has statement no writing, of time the At fi accurate and gures. reliable highly with status the ascertaining at aimed is environment survey aunique of application The resolvers. open DNS as such communications DNS of volume the increase that factors are there not or whether Play, and and Plug Universal to related protocols to responds it not or whether accessed, be can survey on the situation here* situation the on survey a stepping stone, allowing your household to be viewed by anyone* by viewed be to household your allowing stone, a stepping as router ahome using exploited are electronics home network-enabled in vulnerabilities when privacy of invasion direct of arisk also is There usage. Internet household of details expose may and network, ahome on devices key are routers Home PersonalPrivacy Regarding I Risks perspectives. three following the of terms in risks different generates state avulnerable in router ahome Leaving Routers Home Vulnerable on Risks I Security *72 Telecom-ISAC Japan, “A Survey on the Presence of Vulnerabilities in Network Devices” (https://www.telecom-isac.jp/news/news20130617.html) (https://www.telecom-isac.jp/news/news20130617.html) Devices” Network in Vulnerabilities of Presence the on “A Survey Japan, *72 (https://www.telecom-isac.jp/english/index.html). Telecom-ISAC Japan Center Analysis and Sharing Information Telecom *71 Sophos reported. been actually has TVs network-enabled brand Samsung Korean South in function camera the of control enables that Avulnerability *70 ISAC Japan* ISAC Telecom- so Japan, in status current the indicating information precise provide above presented surveys overseas the of Few Japan in Routers Home Vulnerable on Survey I Fact-Finding urgently. taken be should measures corrective think we and perspectives, of anumber from dangerous extremely be would is it as situation the leaving believe we assumptions, these From serious issue. a is attacker true the trace to harder it make to stones stepping as used be can they fact the and communications, recording for features few have also routers home traffi of Most amount asmall exploited. when c generate only they individually though even scale overall in severe are that attacks cause can they routers, home of number avast are there Because aWhole as Internet the for I Risks etc. attacks, targeted in applied being communications of risk the presents This unconditionally. this trust to tend end receiving the on those and family, from mostly are environment network ahome from communications Additionally, information. work access to basis adaily on environments home compromised to connected are that smartphones trust to wise is it whether questionable is it schemes, BYOD in as such allowed, is work for devices personal of use the when particular, In organizations. and companies to risk indirect an poses recently use in growth explosive seen has that etc.) tablets, and (smartphones equipment communication and information portable The I Risks for Companies and Organizations (in Japanese). (http://nakedsecurity.sophos. malware” in plug or channels change you, com/2012/12/12/samsung-tv-vulnerability/). watch to hackers allows hole security TV Smart “Samsung Blog, Nakedsecurity 71 , a security organization made up of a gathering of domestic telecom carriers, is conducting afact-fi conducting is nding carriers, telecom domestic of agathering of up made organization , asecurity 72 . This survey focuses on ascertaining whether the management interface of a home router router ahome of interface management the whether ascertaining on focuses survey . This 70 .

23 Infrastructure Security 24 Infrastructure Security Generally one of the following three techniques are used in large-scale unauthorized logins* unauthorized large-scale in used are techniques three following the of one Generally I Unauthorized Login Techniques implement. can users that measures propose and incidents, of series this of overview an present we report this In information. registration of theft the at aimed be to thought incidents access unauthorized and Japan, in services online force attacks. A more effi cient attack technique is the dictionary attack, in which a dictionary of commonly-used strings strings commonly-used of dictionary a which in attack, dictionary the is effitechnique Amore attack cient attacks. force brute called are what in (“aaaa,” “aaab,” “aaac”...), password and fiID to the for strings attempts valid nd force brute involve Meanwhile, the regulation of communications could result in lost opportunities and adverse effects* adverse and opportunities lost in result could communications of regulation the Meanwhile, users. of devices communications the protecting for functions have which services, efforts to encourage general users to use functions on their current routers and confi and soundness. routers their rm current their on functions use to users general encourage to efforts andhave ISPs begun organizations, Internet-related organizations, immediately, of a initiated security be number can that measures for As asignifi take time. of would amount here cant considered those as such measures of implementation The example. afact-fi in for survey, nding vulnerabilities have to discovered were routers home million if as such several ISPs, or developers product of efforts individual the through corrected be not could situation the that clear became it when only countermeasure arealistic as discussed be should communications of regulation The carefully. evaluated be *76 For small-scale unauthorized login, such as incidents conducted manually by an acquaintance of the target, etc., common methods used include guessing guessing include used methods common etc., target, the of acquaintance an by manually conducted incidents as such login, unauthorized small-scale For owner’s ID original *76 the without party a third by login service to refer we authentication, requires that service online a given to regard with report, this In *75 Universal if example, For time. desired the at out carried be to communications allowing not Internet the to refer here mentioned effects adverse The *74 AWALLED OF USE THE FOR PRACTICES BEST “MAAWG ISPs. at gardens walled on information more for material reference MAAWG following the See *73 Figure 15: of Unauthorized Illustration List-Based Login login)* (fraudulent login unauthorized of aspate was there 2013, March around From 1.4.3 garden* walled of implementation widespread considering worth be also would It Internet. the over routers home of operation the managing and issues, confi guration checking for services into look must providers security and carriers Telecom networks. home to connected devices the protect to required be would communications of summaries recording for functions improved Furthermore, necessary. be also would use external detecting for afunction of addition The updates. auto as such functions through fi new publicizing distributing and firmware, appropriately vulnerabilities, to xes quickly responding for a system design Uses thesameID/passwordwithallservices (1)’ that hasinfectedthecomputer stolen fromPCsusingmalware IDs/passwords forServiceAare the password based on profi les, and social engineering to get the other party to reveal their password through trickery. through password their reveal to party other the get to engineering profisocial on and based les, password the login.” “unauthorized as intent be may it example, For today. know we home. at Internet the server own from your build diffi to more cult different significantly very a situation create could used HTTP of communications DNS or regulation approach, interfaces the on management Web depending in However, minor. be would impact anticipated the Internet, the over usable not were Play and Plug les/news/MAAWG_Walled_Garden_BP_2007-09.pdf). GARDEN” (http://www.maawg.org/sites/maawg/fi A Spate of Unauthorized Login Incidents Login Unauthorized of ASpate Virus Password: hogehoge ID: taro ID taro hogehoge Password Service D Service A Service C Service B Password: hogehoge ID: taro (1) ID/password pairsisstolen authorization, andalistof Service Aisaccessedwithout (2) 75 incidents targeting registration-based registration-based targeting incidents in tootherserviceswithoutauthorization IDs/passwords forServiceAareusedtolog 76 . The most basic attacks attacks basic most . The ... saburo jiro taro ID 74 , and would need to to need would , and Unauthorized login ID/password theft Legitimate serviceuse ... piyopiyo fugafuga hogehoge Password 73 access access passwords for each service* each for passwords different set they that answered respondents of 20% IPA 2012, by in just conducted survey awareness an in However, service. online each for used are passwords and IDs different as long as issue alarge not are attacks list-based Normally, becoming readily available to attacker communities, etc. communities, attacker to available readily becoming are users Japanese of passwords and IDs user the combining lists and dictionaries effective highly that surmise can year, we this of beginning the since services Japan-oriented targeting incidents login refland unauthorized of spate the involved, on is group ecting attack of kind this Assuming connection. of kind some with parties by or attacker, same were the by out attacks carried corresponding the that suggests This time. of space ashort within attacked been have services, e-commerce or services communication-related as such industries, same the in services online that see can we login, unauthorized on Focusing 2013. in disclosed access unauthorized and login unauthorized of incidents main the Table 1summarizes Purpose their and Attacks of Series I The fraudulently. points using and authorization, without service apoints provide that sites shopping online into logging attackers involved actually incidents publicly-disclosed of Anumber will. at valuables or transfer goods, purchase information, personal view to free are attackers service, the by provided details the on depending so not, or user original the is party a whether determine to provider diffi is service it the for cult succeeds, login unauthorized When information gathered via phishing, and account information stolen directly from users’ PCs using malware* using PCs users’ from directly stolen information account and phishing, via gathered account information services, online other to access unauthorized through stolen information account from lists these create to believed are Attackers advance. in attacker the by obtained combinations password and ID of lists using attempts login involves technique attack list-based the Finally, one-by-one. attempted entry each and prepared, is “abc123,” etc.) (“password,” *78 IPA, “Survey on Awareness of Information Security Threats for FY2012” (http://www.ipa.go.jp/security/fy24/reports/ishiki/) (in Japanese). (in (http://www.ipa.go.jp/security/fy24/reports/ishiki/) FY2012” for Threats Security Information of Awareness on “Survey IPA, *78 by stolen was PCs on stored information account FTP 2009, in Japan in environment Web the on asignifi had impact cant which attacks, the In *77 2013 in Disclosed Access Unauthorized and Login Unauthorized to due Leaks Account Major 1: Table *The informationinthetableisbasedon detailspublishedbyaffected serviceproviders. August 12 August 8 August 8 July 26 July 24 July 19 July 17 July 10 July 9 July 5 June 19 June 3 May 29 May 25 May 17 May 17 May 8 April 22 April 17 April 10 April 6 April 5 April 4 April 4 April 3 Date Disclosure Gumblar Malware” in Vol.4 of this report (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol04_EN.pdf) for more information. more for Stealing “ID/Password See incidents. (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol04_EN.pdf) report alteration this of Vol.4 in website new in Malware” Gumblar repeatedly used information account this and download, drive-by via spread that malware Social content Travel service Social content Point-related service Communications-related service News portal Communications-related service E-commerce service Game related Game related E-commerce service E-commerce service E-commerce service E-commerce service Search portal Beauty service E-commerce service Payment service Transit service Communications-related service E-book service Point-related service Search portal Communications-related service Search portal Service Type 78 . In light of this, list-based attacks can be a very effective technique. effective avery be can attacks list-based this, of light . In Company V Company U Company T Company D Company S Company R Company Q Company P Company O Company N Company M Company L Company K Company J Company C Company I Company H Company G Company F Company B Company E Company D Company C Company B Company A April 6to August 3 June 3toJune 15 February 16, February 14 to July 25to August 5 July 15 July 26 Up toJuly 23, July 17 toJuly 18 July 14 toJuly 16 May 10 toJuly 8 June 13 toJuly 7 June 9toJuly 4 June 18 April 24toMay31 Until May13 May 6to23 Until May16 May 6to12 May 4to8 April 18 to April 19 March 31 April 9to April 10 April 2to April 5 March 26 2 Until April April 4 April 1to April 9 Period Incident Type Unauthorized loginattempts Unauthorized loginattempts Unauthorized loginattempts Unauthorized loginattempts Unauthorized access Unauthorized access Unauthorized loginattempts Unauthorized loginattempts Unauthorized loginattempts Unauthorized loginattempts Unauthorized loginattempts Unauthorized loginattempts Unauthorized loginattempts Unauthorized loginattempts Unauthorized access Unauthorized loginattempts Unauthorized loginattempts Unauthorized loginattempts Unauthorized loginattempts Unauthorized loginattempts Unauthorized loginattempts Unauthorized loginattempts Unauthorized access Unauthorized loginattempts Unauthorized loginattempts Accounts Logins /Leaked No. ofUnauthorized Approximately 15,000 9,609 (upto16,808) Up to4,000,000 1,486,000 1,692,496 243,266 108,716 39,590 35,252 23,926 21,184 27,620 2,382 8,289 5,450 682 779 299 126 27 97 77 30 — 0 Notes Credit cardinformationmayhaveleaked Credit cardinformationmayhaveleaked mayhaveleaked only 1,486,000 were collectedontheserver, but ofthese Up to22millionsetsofaccountinformation Credit cardinformationmayhaveleaked Points were usedfraudulently information confi rmedtobedeleted Attacker was identifi edandtheleaked Points were usedfraudulently not leak were collectedontheserver, butdid 1.27 millionsetsofaccountinformation Points wereusedfraudulently 77 (Figure 15). (Figure

25 Infrastructure Security 26 Infrastructure Security the nature of the service provided. service the of nature the on based detected, is behavior suspicious when take to response the and thresholds, their monitor, to items the consider to necessary is It basis. address IP source and account aper on logins, simultaneous of number the and time, of unit per attempts login of number the for athreshold setting by behavior suspicious blocking and on reporting for systems to refers (5) Item damages. suffered have they confi not or whether rm to able are logins unauthorized by affected directly been have who users infl that been has damage important is It icted. confi to want you when for or no that rm caused, been has damage case in implemented also is (4) that We recommend year. the of beginning the since authentication step two for support added have SNS and sites portal many fiAdditionally, some for provided services. already is nancial tokens hardware using Multifactor now. authentication occurring those as such attacks, list-based via login unauthorized prevent effectively can (3) for Support dictionary. the in found commonly phrases contain that or used), types character the (in enough complex not short, too are that passwords of registration the prohibiting consider should providers service Policies similar to (1) and (2) were repeatedly recommended by online service providers in around 2008* around in providers service online by recommended repeatedly were (2) (1) to and similar Policies following. the include consider should providers service that login unauthorized against measures fundamental The Side Provider Service the on Countermeasures Login I Unauthorized future. the in refi more for attacks prepare ned and vigilant stay must we case, any In care. not do simply attackers the whether or made, were attacks the which in manner the behind agenda hidden some is there whether diffi is It guess to cult confi of changed. trouble being the to rming gone have they combination password and ID valid the to lead could behavior their that considered haven’t attackers the means This password. their change request users can that services online of providers exposed, are attacks When time. of space short acomparatively in repeated sources attack of number asmall from attempts login unauthorized of number alarge with detected, being attacks the about not are worried they suggest to seems behavior attackers’ the cases, several in disclosed information to according Furthermore, service. online target the with works tested combination password and ID the that checking simply are attackers that appears it reason, this For information. card credit leaked of use fraudulent the to due damages of reports no been have there 2013, August of as and viewed, been have could information card credit that indicates merely this However, leaked. been have may information card credit that stated is it incidents, several For itself. in logging of act the than other damages no caused incidents login unauthorized of series this services, exchange point and services shopping certain with fraudulently used were points which in cases three Excluding known. not are logins unauthorized of series this behind attackers the of intentions the Meanwhile, right away in unauthorized login attempts (list-based attacks and dictionary attacks* dictionary and attacks (list-based attempts login unauthorized in away right exploited been have also Table in 1may listed access unauthorized of incidents the through stolen information account The *80 NIFTY Corporation, “Stop Using the Same Passwords!” (http://support.nifty.com/support/information/1114_pass.htm) (in Japanese), Rakuten, “Take “Take Rakuten, Japanese), (in (http://support.nifty.com/support/information/1114_pass.htm) Passwords!” Same the Using “Stop using Corporation, NIFTY attacks dictionary *80 obtained, be cannot passwords text plain when as-is, passwords and IDs stolen of pairs use that attacks list-based to addition In *79 (5) Detect and protect against unauthorized login attempts login unauthorized against protect and Detect (5) procedures purchase and confi to away history Provide login rm (4) authentication /multifactor step two Provide (3) service each for passwords different use to Tell users (2) possible as long and complex as is that apassword (1) Use “Use Different Passwords for each Site!” (http://security.yahoo.co.jp/attention/password/) (in Japanese). (in JAPAN, Yahoo! Japanese), (in (http://security.yahoo.co.jp/attention/password/) Site!” each for Passwords Different “Use (http://www.rakuten.co.jp/com/faq/information/20081029.html) Passwords” and IDs User Rakuten Managing when Care out. carried be may passwords typical of dictionaries and obtained IDs of lists 79 ). 80 . For (1) in particular, (1) particular, in . For 1.5 self-preservation. of interest the in importance, particular of services shopping and fi to regard services with (4) nancial check periodically to desirable is it perspective, auser’s From malware. advanced and techniques, engineering social and refi using tokens phishing ned security or passwords of theft the through login unauthorized of risk the eliminate completely to possible not still is it this, as such passwords advanced of use the implementing when even that noted be also should It strain. undue without (2) achieve and together, passwords complex keep to way effective an is tool management apassword of Use tool. generation apassword using password a complex create should they ideally as ideas, own their with up come to need not do users (1), For above. mentioned (4) (1) items through particular in and providers, service by provided functions the utilizing actively involve countermeasures User-side Side User the on Login Unauthorized for I Countermeasures monitoring. resource through discovered are attempts login in so unauthorized cases attempts, some attack large-scale by overloaded often are servers incidents, recent the by demonstrated as Furthermore, Offi ce of Emergency Response and Clearinghouse for Security Information, Service Operation Division, IIJ Division, Operation Service Information, Security for Clearinghouse and Response OffiEmergency of ce Masahiko Kato, Yuji Suga, MasafumiNegishi, Tadashi Kobayashi, Yasunari Momoi, Seigo Saito Contributors: IIJ Division, Operation Service Information, Security for Clearinghouse and Response OffiEmergency of ce Hisao Nashiwa Saito Mamoru Takahiro Haruyama Hirohide Tsuchiya, Hiroshi Suzuki Hirohide Tsuchiya Authors: Internet. the of use secure and safe the allow to countermeasures necessary the provide to striving continue will IIJ this. as such reports in responses associated and incidents publicizing and identifying by usage Internet of dangers the about public the inform to effort every makes IIJ incidents. login unauthorized of aspate into looked and routers, home vulnerable of impact the examined malware, ZeroAccess for detecting techniques discussed we time This responded. has IIJ which to incidents security of asummary provided has report This Conclusion several industry groups, including Telecom-ISAC Japan, Nippon CSIRT Association, Information Security Operation providers Group Group providers Operation Security others. Information and Japan, Association, CSIRT Nippon Japan, Telecom-ISAC of member including groups, committee industry asteering as several serves Mr. Saito CSIRTs. of group response international an emergency FIRST, in Group IIJ the of participating 2001, in representative IIJ-SECT the team, became Mr. Saito customers, working enterprise for After IIJ. development Division, services Operation security in Service Information, Security for Clearinghouse and Response Offi the Emergency of of ce Manager Mamoru Saito (1.4.2 Home Router Security) Router Home (1.4.2 (1.4.3 A Spate of Unauthorized Login Incidents) Login Unauthorized of ASpate (1.4.3 (1.2 Incident Summary) Incident (1.2 (1.4.1 An Examination of ZeroAccess and its IOC) its and ZeroAccess of Examination (1.4.1 An (1.3 Incident Survey) Incident (1.3

27 Infrastructure Security