Visualization of Malware Distribution Sources Using CCC DATAset 2009




CCC DATAset 2009 105-0001 4-1-17 3F CCC DATAset 2009 1 URL

Visualization of the Malware distribution by CCC DATAset 2009

Takahiro Matsuki, Yuu Arai
Risk Research Institute of Cyber Space, Little earth Corporation Co., Ltd.
4-1-17 Toranomon Minato-Ku Tokyo 105-0001 Japan
takahiro.matsuki@lac.co.jp, y.arai@lac.co.jp

Abstract: Domestic bot infections are decreasing as a result of the continued attention from the Cyber Clean Center. However, most undetectable malware is distributed from foreign countries. In this paper, we promote an understanding of the actual situation by visualizing the geographical distribution of malware distribution sources with CCC DATAset 2009. In addition, downloaders and infections with multiple malware have been increasing recently. We therefore make a list of malware distribution URLs and examine a method to prevent the spread of infection by downloaders.

1 Web Web USB MWS 2008 [1]

CCC DATAset 2009 URL

2 CCC DATAset 2009 IP Geolocation GeoLite City [3] Google Maps API [4] 1 F-Secure [6]

2.1 IP 2008 11 2009 4 1,494 IP IP 357 IP 1 1

1: IP IP
1        274
2-5      45
6-10     17
11-25    11
26-50    5
51-100   2
101-200  3

76.8 % 274 IP 1 10 IP 94% IP 11 IP 21 51 IP 5 IP IP 1 1 IP 11 50 51 IP IP, 5 IP 577 38.6 %

2.2 1,494 IP 2 79.3 % 1 IP

1:

2: IP IP
1            1,185
2-50         268
51-100       21
101-500      13
501-1,000    3
1,001-5,000  4

IP TSPY_KOLABC.CH TSPY_KOLABC.CH 11 2,084 IP A 923 IP B 2 TSPY_KOLABC.CH IP 2 A B 2008 12 29 2009 1 7 TSPY_KOLABC.CH A 3 2009 3 4 B 2009 4 30

2: TSPY_KOLABC.CH TSPY_KOLABC.CH BKDR_POEBOT.GN WORM_SWTYMLAI.CD Web [7] BKDR_POEBOT.GN 569 WORM_SWTYMLAI.CD 1 IP TSPY_KOLABC.CH KML Google Earth [5]

3: TSPY_KOLABC.CH

2.3 Web 80 Web Web 2009 8 600 IP 4 Web CCC DATAset 2009 CCC DATAset 2009 Web IP 80 1 CCC DATAset 2009 1,494 80 1,066 71.4 % 5 X Y 6 80 200 2008 12 6 9 1 IP 1 8889 2008 12 BKDR_PROTUX.AHB [2] 600 1000 80 80 80 HTTP HTTP 3 CCC DATAset 2009 80 894,517 372,165 41.6 % CCC DATAset 2008 2,942,221 1,157,101 39.3 % CCC DATAset 2008 80 5:

4: Web

4 URL 80 CCC DATAset 2009 HTTP URL URL URL 3 13 3 14 3 13 80 560 238 42.5 % 14 464 154 33.2 % HTTP GET URL 3 URL 2.2 TSPY_KOLABC.CH URL ICQ AIM Firefox URL 4 PE_BOBAX.AF-O [8]

3: HTTP GET URL
3/13
  honeypot1  102  10
  honeypot2  130  13
3/14
  honeypot1  64   8
  honeypot2  82   10

URL 1 10 2 URL 22 URL

4.1 DB Web Web IP URL

URL

4: URL
http://205.188.226.xx/aim/win95/install AIM.exe
http://209.170.96.xx/pub/icq Win95 98 NT4/ICQ 4/Lite Edition/icq4 setup.exe
http://193.74.22.xxx/pub/mozilla.org/firefox/releases/1.0/win32/en-us/firefox%20setup%201.0.exe

TSPY_KOLABC.CH URL Stopbadware.org surbl.org Norton Safe Web Trend Micro Smart Protection Network

5 CCC DATAset 2009 URL NICT Telecom-ISAC Japan

[1] (2008). Vol.2008. No.8
[2] 2008 12 https://www.ccc.go.jp/report/200812/0812monthly.html
[3] MaxMind - GeoLite City http://www.maxmind.com/app/geolitecity
[4] Google Maps API http://code.google.com/intl/ja/apis/maps
[5] Google Earth API - Google Code http://code.google.com/intl/ja/apis/earth
[6] F-Secure Weblog : News from the Lab http://www.f-secure.com/weblog/archives/00001606.html
[7] Trend Micro TSPY_KOLABC.CH http://www.trendmicro.co.jp/vinfo/grayware/ve graywaredetails.asp?gname=tspy%5fkolabc%2ECH&VSect=Td
[8] Avira Worm/Bobic.K.3 http://www.avira.com/jp/threats/section/fulldetails/id vir/1189/worm bobic.k.3.html
[9] StopBadware.org http://www.stopbadware.org
[10] surbl.org http://www.surbl.org
[11] Norton Safe Web http://safeweb.norton.com