Weekly Report of CNCERT

CNCERT/CC
Issue 5 2017
Jan 23-Jan 29
Key Findings
Rating scale: Excellent, Good, Fair, Poor, Very Poor
Percentages give the change from last week.
• Infected Computers in Mainland China: 0.30 Million (22.6%)
• Defaced Websites in Mainland China: 2,848 (14.3%)
• Defaced gov.cn: 92 (20.7%)
• Backdoored Websites in Mainland China: 1,115 (15.8%)
• Backdoored gov.cn: 9 (55.0%)
• Phishing Webpages Targeting Websites in Mainland China: 151 (76.8%)
Malware Activities
The infected computers in mainland China amounted to about 0.30 million, among which about 0.15
million were controlled by Trojans or Botnets and about 0.15 million by Confickers.
• Trojans or Botnet: 0.15 million (35.7%)
• Conficker: 0.15 million (2.1%)
The map on the left illustrates the distribution of the computers controlled by Trojans or Botnets in
mainland China. The regions in red are most seriously affected. This week, the top 3 were Guangdong
province, Shandong province and Henan province.
• Guangdong province: about 19,000 (12.6%)
• Shandong province: about 15,000 (9.9%)
• Henan province: about 11,000 (7.1%)
Malware-hosting websites are the jumping-off place for malware propagation. The
malware-hosting websites monitored by CNCERT this week involved 74 domains and 198 IP
addresses. Among the 74 malicious domains, 36.5% were registered overseas and 77.0% of their
TLDs fell into the category of .com. Among the 198 malicious IPs, 8.6% were overseas. Based on our
analysis of the malware-hosting websites' URLs, the majority of them were accessed via domain
names, and only 11 were accessed directly via IPs.
Malware-hosting Websites' Domains Registered Home and Abroad (Jan 16-Jan 22)
• Mainland China: 63.5%
• Overseas: 36.5%
TLD Distribution of the Malware-hosting Websites' Domains (Jan 16-Jan 22)
• .COM: 77.0%
• .NET: 16.2%
• .CN: 4.1%
• .HK: 1.4%
• .CC: 1.4%
For the malicious domain names and IPs either monitored by CNCERT or sourced from the
reporting members, CNCERT has actively coordinated with the domain registrars and other related
agencies to handle them. Moreover, the blacklist of these malicious domains and IPs has been
published on the website of the Anti Network-Virus Alliance of China (ANVA).
The URL of ANVA for publishing the blacklist of malicious domains and IPs:
http://www.anva.org.cn/virusAddress/listBlack
The Anti Network-Virus Alliance of China (ANVA) is an industry alliance that was initiated by the Network and
Information Security Committee under the Internet Society of China (ISC) and has been operated by CNCERT.
Website Security
This week, CNCERT monitored 2,848 defaced websites, 1,115 websites planted with backdoors
and 151 phishing web pages targeting websites in mainland China.
• Defaced websites in mainland China: 2,848 (14.3%)
• Backdoored websites in mainland China: 1,115 (15.8%)
• Phishing pages targeting websites in mainland China: 151 (76.8%)
This week, the defaced government (gov.cn) websites totaled 92 (3.2%), a decrease of 20.7% from
last week. Backdoors were installed into 9 (0.8%) government (gov.cn) websites, a decrease of
55.0% from last week. The fake domains and IP addresses targeting websites in mainland China
reached 121 and 71 respectively, with each IP address hosting about 2 phishing web pages on
average.
Domain Categories of the Defaced Websites in Mainland China (Jan 16-Jan 22)
• COM: 74.7%
• Others: 14.0%
• NET: 6.4%
• GOV: 3.2%
• ORG: 1.7%
• BIZ: 0.1%
Domain Categories of the Backdoored Websites in Mainland China (Jan 16-Jan 22)
• COM: 65.6%
• Others: 23.8%
• NET: 5.4%
• ORG: 3.0%
• EDU: 1.3%
• GOV: 0.8%
• BIZ: 0.2%
About CNCERT
The National Computer Network Emergency Response Technical Team / Coordination
Center of China (CNCERT or CNCERT/CC) is a non-governmental, non-profit
organization of network security technical coordination. Since its foundation in Sep. 2002,
CNCERT has been dedicated to preventing, detecting, warning of and handling network
security incidents in China under the policy of “positive prevention, timely
detection, prompt response, guaranteed recovery”, to maintain the safety of China's public
Internet and ensure the safe operation of the information network infrastructures and the
vital information systems. CNCERT has branches in 31 provinces, autonomous
regions and municipalities in mainland China.
CNCERT is active in developing international cooperation and serves as a window to the
world for handling network security incidents. As a full member of the famous international
network security cooperative organization FIRST and one of the initiators of APCERT,
CNCERT devotes itself to building a prompt response and coordination handling
mechanism for cross-border network security incidents. By 2015, CNCERT had established
“CNCERT International Partners” relationships with 165 organizations from 66 countries or
regions.
Contact us
Should you have any comments or suggestions on the Weekly Report of CNCERT, please
contact our editors.
Duty Editor: LI Lei
Website: www.cert.org.cn
Email: [email protected]
Tel: 010-82990158