January 19, 2005
IT Security Center
Information-technology Promotion Agency, Japan (IPA)
Quite a Few Variants Have Emerged in 2004, Spreading Status Remains!
This is a summary of the Computer Virus/Unauthorized Computer Access Incident Reports for December 2004 and the annual review of 2004, compiled by IPA.
The annual number of virus reports for 2004 was 52,151, a drastic increase to about three times the 17,425 reported in 2003. The cumulative number of detections reported was about 29.3M cases within 9 months, from April to September, since aggregation of detection numbers started in April 2004.
Specifically, W32/Netsky spread drastically, and its reported numbers ranked worst for 10 consecutive months from March.
More than 30 variants each of W32/Netsky, W32/Bagle and W32/Mydoom emerged in succession, and infections spread before anti-virus software countermeasures were released. In addition, from April onward these three viruses continued to account for about 90% of all virus detections.
Phishing and malicious viruses that try to steal users' private information by planting a backdoor increased. In addition, beyond attachments to virus mail, the W32/Bofra virus emerged, which infects when the user simply clicks a link; the tactics used to fool users have become more ingenious.



The Yearly Worst 10 Viruses Reported
| Name of Virus | 2004 | 2003 | Exploits Mail Function | Exploits Security Holes |
|---|---|---|---|---|
| W32/Netsky | 15,895 | - | Yes | Yes |
| W32/Bagle | 4,838 | - | Yes | Yes |
| W32/Mydoom | 4,388 | - | Yes | Yes |
| W32/Klez | 3,498 | 4,538 | Yes | Yes |
| W32/Lovgate | 2,569 | 165 | Yes | Yes |
| W32/Swen | 1,776 | 1,673 | Yes | Yes |
| W32/Bugbear | 1,727 | 1,602 | Yes | Yes |
| W32/Mimail | 1,629 | 883 | Yes | Yes |
| W32/Zafi | 1,557 | - | Yes | Yes |
| VBS/Redlof | 1,162 | 803 | Yes | Yes |
| Other Viruses | 13,112 | 7,761 | | |
| Total | 52,151 | 17,425 | | |
Note: The numbers above include reported variants.
For further details, please refer to Attachment 1 “Report Status for Computer Virus 2004”.
The reported number [1] for December was 4,905, a decrease of 7.6% from the 5,308 reported in November, falling below the 5,000 level. In addition, the virus detection number [2] was about 2.6M, a decrease of 10.9% from the about 2.92M reported in November.
The three worst viruses were W32/Netsky, W32/Bagle and W32/Mydoom, with reported numbers of 1,296, 488 and 314 respectively.


(The numbers in parentheses are the reported numbers for the previous month, and the percentages are the share of all viruses.)
[1] Reported Number: When aggregating virus counts, a virus of the same kind, including its variants, reported on the same day by the same filer is counted as 1 case, no matter how many are found.
[2] Detection Number: The (cumulative) count of virus detections found by a filer, as stated in the report. For December, aggregating about 2,600,000 virus detections yielded a reported number of 4,905.
The annual reported number of unauthorized computer access incidents for 2004 was 594, turning to an increase again, up 45.9% from the 407 reported in 2003. However, the number of cases with actual damage was 72, a further decrease from 225 in 2002 and 126 in 2003.
As for the cause of the increase in reported numbers, one can assume that a variety of attacks were carried out indiscriminately, regardless of whether the user was a corporation or an individual. As for the reason the damage numbers decreased in that situation, it can be assumed that taking certain security countermeasures has become common among corporate users.
Meanwhile, many consultations came in from individual users about damage such as alteration of the browser start page; it can be assumed that security countermeasures at the individual user level are still insufficient.

The breakdown of the 594 cases reported to IPA is as follows.
| Type | 2004 | 2003 |
|---|---|---|
| Intrusion | 43 (43) | 64 (64) |
| Access Probe (Attempt) | 515 | 239 |
| Infection w/Worm | 0 | 5 (5) |
| Worm Probe | 7 | 39 |
| Unauthorized Mail Relay | 3 (3) | 9 (9) |
| Source Address Spoofing | 11 (11) | 18 (18) |
| DoS | 4 (4) | 8 (8) |
| Other | 11 (11) | 25 (22) |
| Total | 594 (72) | 407 (126) |
* Numbers in parentheses represent the number of cases with actual damage.

For further details, please refer to Attachment 2 “Report Status for Unauthorized Computer Access 2004”.
The reported number for December 2004 was 55, an increase from the number reported in November (28), again surpassing 50. However, the reported number of damage cases was 4, a decrease from the number reported in November (8). All of the reported damage cases were intrusions, broken down into 2 cases of Web alteration and 2 cases of server abuse.
When you start up your PC, be sure to update your anti-virus software, Windows, etc. to prevent infection.
In 2004, viruses that spread infection through mail, chiefly W32/Netsky, spread badly. Alongside typical viruses that infect when an e-mail attachment is opened, newer viruses that infect when the user simply clicks a link in the mail body have also emerged; caution is still required when handling mail.
In 2005 as well, newer security holes are likely to be publicized, and newer viruses that exploit them are likely to emerge.
To prevent infection before damage occurs, be sure to take continual countermeasures such as keeping anti-virus software active and resolving security holes.
The details are as follows;
IT Security Center, Information-technology Promotion Agency (IPA/ISEC)
Tel:+81-3-5978-7527
Fax:+81-3-5978-7518