Weekly Report of CNCERT
CNCERT/CC
Issue 30, 2016 (July 18-July 24)
Key Findings
Malware Activities
• 0.77 million infected computers in mainland China (about 0.55 million controlled by Trojans or botnets, about 0.22 million by Conficker)
• 3,118 defaced websites in mainland China, including 73 defaced gov.cn websites
• 2,334 backdoored websites in mainland China, including 80 backdoored gov.cn websites
• 7,410 phishing webpages targeting websites in mainland China
• 370 new vulnerabilities collected by CNVD, including 159 high-risk vulnerabilities
[Figure residue: week-on-week change indicators 2.6%, 11.6% and 1.6% were extracted without the items they belong to]
The infected computers in mainland China amounted to about 0.77 million, among which about 0.55 million were controlled by Trojans or Botnets and about 0.22 million by Confickers.
Legend: the arrow markers indicate the same number as last week, an increase from last week, or a decrease from last week. Severity scale: Excellent, Good, Fair, Poor, Very Poor.
• Guangdong province: about 76,000 (13.9%)
• Jiangsu province: about 55,000 (10.0%)
• Zhejiang province: about 40,000 (7.3%)
Malware-hosting Websites' Domains Registered Home and Abroad (July 18-July 24)
Mainland China 59.8%; Overseas 38.5%; Unknown 1.7%
TLD Distribution of the Malware-hosting Websites' Domains (July 18-July 24)
.COM 74.4%; .NET 10.3%; .CN 9.4%; .CC 1.7%; .ORG 1.7%; .TOP 0.9%; .INFO 0.9%; .HK 0.9%
Malware-hosting websites are the jumping-off point for malware propagation. The malware-hosting websites monitored by CNCERT this week involved 117 domains and 290 IP addresses. Among the 117 malicious domains, 38.5% were registered overseas, and 74.4% of their TLDs fell into the .com category. Among the 290 malicious IPs, 5.9% were overseas. Based on our analysis of the malware-hosting websites' URLs, the majority were accessed via domain names, and only 15 were accessed directly via IP address.
The map on the left illustrates the distribution of computers controlled by Trojans or botnets in mainland China. The regions in red are the most seriously affected. This week, the top 3 were Guangdong province, Jiangsu province and Zhejiang province.
Anti Network-Virus Alliance of China (ANVA) is an industry alliance that was initiated by the Network and Information Security Committee under the Internet Society of China (ISC) and has been operated by CNCERT.
Website Security
Phishing pages targeting websites in mainland China: 7,410
Backdoored websites in mainland China: 2,334
Defaced websites in mainland China: 3,118
Domain Categories of the Defaced Websites in Mainland China (July 18-July 24)
COM 74.0%; NET 6.4%; GOV 2.3%; ORG 2.3%; BIZ 0.1%; Others 14.8%
Domain Categories of the Backdoored Websites in Mainland China (July 18-July 24)
COM 66.5%; NET 4.0%; GOV 3.4%; ORG 2.9%; EDU 1.5%; INFO 0.1%; Others 21.5%
This week, CNCERT monitored 3,118 defaced websites, 2,334 websites planted with backdoors and 7,410 phishing web pages targeting websites in mainland China.
This week, defaced government (gov.cn) websites totaled 73 (2.3%), an increase of 15.9% from last week. Backdoors were installed on 80 (3.4%) government (gov.cn) websites, a decrease of 10.1% from last week. The fake domains and IP addresses targeting websites in mainland China numbered 1,458 and 514 respectively, with each IP address hosting about 14 phishing web pages on average.
For the malicious domain names and IPs either monitored by CNCERT or sourced from the reporting members, CNCERT has actively coordinated with domain registrars and other related agencies to handle them. Moreover, the blacklist of these malicious domains and IPs has been published on the website of Anti Network-Virus Alliance of China (ANVA).
The URL of ANVA for publishing the blacklist of malicious domains and IPs:
http://www.anva.org.cn/virusAddress/listBlack
Vulnerabilities
This week, China National Vulnerability Database (CNVD) recorded 370 new vulnerabilities: 159 high-risk, 178 medium-risk and 33 low-risk.
This week's overall vulnerability severity was evaluated as medium.
Objectives Affected by the Vulnerabilities Collected by CNVD (July 18-July 24)
Application 63.8%; Web application 17.8%; Network device 7.8%; Operating system 6.2%; Database 2.2%; Security product 2.2%
Applications were most frequently affected by the vulnerabilities collected by CNVD this week, followed by web applications and network devices.
China National Vulnerability Database (CNVD) was established by CNCERT, together with control systems, ISPs, ICPs, network security vendors, software producers and internet enterprises, for sharing information on vulnerabilities.
For more details about the vulnerabilities, please review the CNVD Weekly Vulnerability Report, published at:
http://www.cnvd.org.cn/webinfo/list?type=4
Incident Handling
This week, CNCERT handled 427 network security incidents, 81 of which were cross-border, by coordinating with ISPs, domain registrars, mobile phone application stores, branches of CNCERT and our international partners.
Types of the Incidents Handled by CNCERT (July 18-July 24)
Phishing 78.0%; Vulnerability 15.2%; Defacement 5.9%; Malware 0.2%; Malicious program 0.2%; Backdoor 0.2%; Unauthorized access 0.2%
Domestically reported incidents handled by coordinating with overseas organizations: 76
Overseas reported incidents handled by coordinating with domestic organizations: 5
Phishing Incidents Handled by CNCERT Based on Industries of the Phishing Targets (July 18-July 24)
Banking 288; ISP 37; remaining industries 3, 1, 1, 1, 1 (labels not recoverable from the extracted figure)
[Figure: CNCERT Coordinated Domestic [...] to Handle Phishing Incidents (July 18-July 24); per-organization counts 56, 54, 47, 32, 29, 22, 12, 5, 5, 5, 3, 2, 1, 1 were extracted without their labels]
Specifically, CNCERT coordinated with domestic and overseas domain registrars, international CERTs and other organizations to handle 332 phishing incidents. By industry of the phishing targets, there were 288 banking phishing incidents and 37 ISP phishing incidents.
About CNCERT
The National Computer Network Emergency Response Technical Team / Coordination Center of China (CNCERT or CNCERT/CC) is a non-governmental, non-profit organization for network security technical coordination. Since its foundation in September 2002, CNCERT has been dedicated to preventing, detecting, warning of and handling network security incidents in China under the policy of "positive prevention, timely detection, prompt response, guaranteed recovery", in order to maintain the safety of China's public Internet and ensure the safe operation of information network infrastructures and vital information systems. CNCERT has branches in 31 provinces, autonomous regions and municipalities in mainland China.
CNCERT is active in developing international cooperation and serves as China's window to the world for handling network security incidents. As a full member of the well-known international network security cooperative organization FIRST and one of the initiators of APCERT, CNCERT devotes itself to building a prompt response and coordinated handling mechanism for cross-border network security incidents. By 2015, CNCERT had established
"CNCERT International Partners" relationships with 165 organizations from 66 countries or
CNCERT Coordinated Mobile Phone Application Stores to Handle Mobile Malware (July 18-July 24)
Application stores and domains shown in the figure (per-domain counts were extracted without their labels and are not reproduced): ctyunapi.cn, qq.com, anzhi.com, baidu.com, pconline.com.cn, clouddn.com, coolyun.com, yiwan.com, 25pp.com, aliyuncs.com, otkax.cn, 1000su.com, hicloud.com, 189store.com, iqiyi.com, cmge.com, aliyuncs.com, lenovomm.com, samsungapps.com, weiyun.com, uuserv30.net, moguupd.com, elevensky.net, appchina.com, mi-img.com, appget.cn, 91.com, mypanda.cn, 18.net, sjwyx.com, 7230.com, hicloud.com, hicloud.com, aliyuncs.com, 51eyun.com
This week, CNCERT coordinated with 35 mobile phone application stores and malware-injected domains to handle 386 malicious URLs of mobile malware.