01/23/2012

Home Router being a Part of Botnet?

Hello, this is Shikapon from the Incident Analysis Team at JPCERT/CC. I manage a network threat monitoring system called "TSUBAME", which has been in operation since 2007.
With sensors distributed across 19 economies in the Asia Pacific region, the system provides a common platform for the TSUBAME Project member teams for monitoring, information sharing and analysis.
TSUBAME helps us reveal hard-to-detect, ongoing attacks such as DDoS, as well as signs of attack before the situation becomes critical.

Today, I would like to share with you my latest observation via TSUBAME and its analysis. It concerns a sudden increase of packets to Port 23/tcp (telnetd), the cause of which is suspected to be home router bots in South Korea and some other economies.

What I first observed - Increase of Scans to Port 23/tcp

In early December, a sudden increase of packets to Port 23/tcp (telnetd) was observed on TSUBAME. Below are figures of the actual scanning activity we observed on our end.

Figure 1. Volume of Port23/TCP Scanning Activity
Figure 2. Excerpt of Port23/TCP Scanning Log

You can see from Figure 1 that the number of packets to Port 23/tcp in December 2011 and January 2012 was about 10 times that of November 2011.

Figure 2 shows that the scans that occurred on 6 December 2011 were carried out by multiple IP addresses in South Korea (KR).

What interested me

A traffic surge to a specific port is not that unusual. But for the following reasons, I thought this scanning case was very unique and something we should keep an eye on.

Firstly, comparing Figure 1 (Port23/TCP Scanning Activity) with Figure 3 (Port23/TCP Scanning Activity originating in South Korea), it is easy to tell that the large volume of packets originated specifically from South Korea (KR), which is not so common. About 90% of the packets came from IP ranges assigned to South Korea (KR). Scans from other economies were observed as well, such as the United States, Mainland China and Chinese Taipei.

Figure 3. Volume of Port23/TCP Scanning Activity originating in South Korea

Secondly, the scanning activities are conducted in a very organized manner. I have checked a few hundred scan sources, and it seems these IPs work together so that one target is not scanned by multiple IPs. It seems that they are part of a botnet and conduct the telnet scan on a command from their master (C&C server).

Lastly, it seems that the sources of the packets were neither PCs nor servers, but mostly home routers. Some of the packets were from DSL modems and set-top boxes such as media servers as well. I have attempted to trace several sources and found that most of them are listening on Port 23/tcp. I found it interesting that most of the source IPs in South Korea present the "evb3.voip.com" banner. I hope the readers will help me identify the manufacturer of this product. It should be a common product in their economy.

Figure 4. Telnet Login Banner (Scan Source IP)
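The three checks described above (the share of Port 23/tcp packets by source country behind Figures 1 and 3, the observation that the scan sources do not overlap on targets, and the login banner seen when connecting back to a source), as an added example that is not part of the original post and is not TSUBAME code. The log format, the prefix-to-country table (documentation ranges standing in for South Korean and US allocations) and the sample log lines are all constructed for this example, because the page does not show TSUBAME's real log format or how sources were geolocated. The last function strips telnet option negotiation (IAC sequences) from what a raw telnet server sends before its login prompt, which is what a banner grab actually returns on the wire.

```python
"""Added example (not JPCERT/CC or TSUBAME code): analysing telnet-scan sensor logs.
The log format, the prefix-to-country table and the sample lines are constructed;
the page does not show TSUBAME's real log format or how sources were geolocated."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed log format: "<timestamp> <src_ip> -> <sensor_ip>:<dport>"
LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")

# Constructed stand-ins (documentation ranges, not real allocations);
# a real analysis would use a GeoIP database or the RIR delegation files.
COUNTRY_PREFIXES = {
    ipaddress.ip_network("203.0.113.0/24"): "KR",
    ipaddress.ip_network("198.51.100.0/24"): "US",
}

# Constructed sample: nine KR sources and one US source hitting sensors in
# 192.0.2.0/24, plus one non-telnet hit and one malformed line.
SAMPLE_LOG = """\
2011-12-06T02:14:11Z 203.0.113.10 -> 192.0.2.1:23
2011-12-06T02:14:12Z 203.0.113.11 -> 192.0.2.2:23
2011-12-06T02:14:12Z 203.0.113.12 -> 192.0.2.3:23
2011-12-06T02:14:13Z 203.0.113.13 -> 192.0.2.4:23
2011-12-06T02:14:13Z 203.0.113.14 -> 192.0.2.5:23
2011-12-06T02:14:14Z 203.0.113.15 -> 192.0.2.6:23
2011-12-06T02:14:15Z 203.0.113.16 -> 192.0.2.7:23
2011-12-06T02:14:15Z 203.0.113.17 -> 192.0.2.8:23
2011-12-06T02:14:16Z 203.0.113.18 -> 192.0.2.9:23
2011-12-06T02:14:17Z 198.51.100.5 -> 192.0.2.10:23
2011-12-06T02:14:18Z 198.51.100.5 -> 192.0.2.1:80
this line is malformed and must be skipped rather than crash the analysis
"""

def parse_log(text):
    """Return (timestamp, src, dst, dport) tuples; unparsable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, src, dst, dport = m.groups()
            records.append((ts, src, dst, int(dport)))
    return records

def country_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, cc in COUNTRY_PREFIXES.items():
        if addr in net:
            return cc
    return "??"  # unknown prefix: keep it visible instead of guessing

def hits_by_country(records, dport=23):
    """Packets to dport counted by source country (the Figure 1 vs Figure 3 split)."""
    return Counter(country_of(src) for _, src, _, port in records if port == dport)

def share_from(records, cc, dport=23):
    """Fraction of hits on dport from country cc (the page's roughly 90% KR)."""
    counts = hits_by_country(records, dport)
    total = sum(counts.values())
    return counts[cc] / total if total else 0.0

def target_overlap(records, dport=23):
    """(targets hit, targets hit by more than one source). Bots that divide the
    target space show no overlap; independent scanners collide on targets."""
    sources = defaultdict(set)
    for _, src, dst, port in records:
        if port == dport:
            sources[dst].add(src)
    return len(sources), sum(1 for s in sources.values() if len(s) > 1)

# Telnet option negotiation (RFC 854): IAC <cmd> [<opt>] or IAC SB ... IAC SE.
IAC, SB, SE = 255, 250, 240
NEGOTIATE = {251, 252, 253, 254}  # WILL, WONT, DO, DONT carry one option byte

def strip_telnet_iac(data):
    """Remove IAC sequences so only the human-readable banner text remains."""
    out, i, n = bytearray(), 0, len(data)
    while i < n:
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 >= n:
            break  # truncated IAC at the end of the buffer
        elif data[i + 1] == IAC:
            out.append(IAC)  # IAC IAC is an escaped literal 0xFF
            i += 2
        elif data[i + 1] in NEGOTIATE:
            i += 3
        elif data[i + 1] == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:
            i += 2
    return bytes(out)
```

On the constructed sample, share_from(parse_log(SAMPLE_LOG), "KR") gives 0.9 and target_overlap gives ten targets with none shared. To reproduce the banner check, connect to a source with socket.create_connection((host, 23), timeout=5), read until a login prompt or the timeout, and pass the raw bytes through strip_telnet_iac; some servers wait for negotiation replies before sending anything and will just time out. Treat a zero-overlap result as a hint rather than proof of coordination: a slow random scanner seen through a small sensor network can also show no collisions.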

Conclusion

Botnets are one of the most significant network security threats. Information security communities are currently working hard to eliminate infected PCs from the Internet. But we should all realize that it is not just PCs: any IP-reachable device, such as a smartphone, a tablet or even a home router, can be controlled by malicious outsiders once infected.

As I investigated further, I noticed that free tools to turn a home router into a bot client are now widely available online. They support ARM and other architectures. I have actually encountered some devices that were compromised using one of those tools. Once it becomes part of a botnet, a home router starts to scan Port 23/tcp in its neighborhood.

As your home router (or DSL modem or set-top box) may be compromised without your noticing, I would like to encourage readers to disable the telnet service on such devices.
If you find it difficult to disable it for some reason, try these:


  • Restrict the source IP addresses that are allowed to connect to the WAN interface of your router, so that telnet is not reachable from the Internet side.

  • Set a stronger password (do not use default or easy-to-guess passwords such as "admin", "root" or "linksys").

  • Update the firmware.

If you have any inquiries on this topic or TSUBAME, please contact me at tsubame-sec(at)jpcert.or.jp.

- Keisuke Shikano (Shikapon)

11/11/2011

CSIRT Training in Myanmar

Hello again, this is Taki, and I would like to tell you about training sessions that were conducted in Myanmar.

Sparky and I went to Myanmar to visit mmCERT (Myanmar Computer Emergency Response Team) in Yangon as the Japan Overseas Development Center (JODC) experts to conduct training sessions, mainly consisting of Network Forensics. Other sessions included cryptography basics and CSIRT tools.

mmCERT, the national CSIRT of Myanmar, hosted the training; the participants included not only staff members of mmCERT but also staff from ISPs throughout Myanmar.

In the Network Forensics training, mainly using Wireshark, the students went through specially designed packet capture files that mimicked attack scenarios. They were then asked to answer questions about each scenario. Common questions included identifying the type of attack, the source of the attack, etc.

Photo: "The Training Room"

As this was not my first time conducting this training, I was able to navigate through most questions that came up throughout the sessions, but, as is always the interesting thing about such training, even as the instructor we can always learn as well.

During the week, Sparky conducted a session on CSIRT tools, explaining some handy tools that can be used in CSIRT operations. Quite a few tools were described in the session, and I hope that the students were able to find some tools that may make their operations more efficient.

Photo: Group photo

Before I finish, I would like to thank METI and JODC for the opportunity to go to Myanmar and conduct this training, and mmCERT for their wonderful hospitality. Without them we would not have been able to have such a smooth week. And for me personally, as this was my first time in Southeast Asia, being able to have such a wonderful experience has made me think about visiting not only Myanmar again, but also other countries in the area!

- Takayuki (Taki) Uchiyama


09/06/2011

A CSIRT Covering the Pacific Island Nations

"Bula" everyone! You will probably find it easy to assume from the context that this word means "Hello", but can you guess what language it is?

It is Fijian.

Mr. Koichiro (Sparky) Komiyama and I (Kaori Umemura), as the Japan International Cooperation Agency (JICA) experts, were given the opportunity to visit Suva, the capital city of Fiji, to support the preparation to kickoff the Pacific Islands Computer Emergency Response Team (PacCERT), under the JICA's technical cooperation project "USP-JICA ICT for Human Development and Human Security Project".

PacCERT aims to be a trusted point of contact for information and Internet security response affecting 22 Pacific Island countries. Its office will be located in the Japan-Pacific ICT Centre at the University of the South Pacific (USP) in Suva.

Photo: Japan-Pacific ICT Centre

During our two-week visit in mid to late July, we had meetings with the parties interested in PacCERT, including the PacCERT Board chaired by USP, government officers, the telco/ISP sector, the banking sector etc., to draw up the supporting plan for PacCERT operation. Through these meetings, we learned that computer incidents in the region are coming to the surface, and we reaffirmed the need for PacCERT.

Sparky delivered a keynote speech entitled "Internet Security and Mission of PacCERT" at the Information Security Session of SPICTEX 2011, the first of its kind in Fiji and the region, and shared his views on the need for CSIRTs and for PacCERT. We believe that the speech helped expand awareness of PacCERT's existence among its potential constituency.

Photo: Sparky at the Podium

History of PacCERT and its Partner Organizations

To briefly review PacCERT's history, the necessity of a CSIRT in the Pacific Islands was first advocated in 2007 by various groups in the region, including the Pacific Islands Chapter of the Internet Society (PICISOC). After the idea of establishing PacCERT was endorsed by the Pacific ICT Ministerial Forum 2009 held in Tonga, the Working Group and the partner organizations (the Australian Department of Broadband, Communications and the Digital Economy, AusCERT, ITU, IMPACT, JICA, JPCERT/CC, USP/Japan-Pacific ICT Centre etc.) maintained close contact for consultation. And in 2010, with extensive contributions by ITU, AusCERT and the Australian government, the PacCERT Business Plan was finalized and approved.

With such continuous efforts by the interested parties, PacCERT will have its personnel and infrastructure very soon. Following the well-conceived business plan, JPCERT/CC, as the JICA expert, wishes to support PacCERT with what we are good at: system setup support, technical training and outreach activity support until the end of 2012.

Photo: A Flower Market in Suva

Challenges of PacCERT

The Pacific Island nations are geographically dispersed and have large variances in population size and Internet connectivity/penetration. There are only a handful of other regional CSIRTs in the world and as far as we know, none of them are operationally focused. This, combined with the large variations in population of the Pacific Island nations that are involved, makes PacCERT a unique situation.

In such a situation, we believe it is important to "think big, start small and start now". PacCERT already has its big goal in its business plan, so the next step is an immediate start on a small scale. A limited number of services being delivered successfully will provide a strong foundation for PacCERT and enable a smooth transition into full CSIRT operation.

As one of the partner organizations of PacCERT, JPCERT/CC appreciates your close attention and cooperation to this new regional CSIRT!

Photo: A Palm Tree by the Seashore

- Kaori Umemura -
