New Variant of W32/Bagle Emerged!
This is a summary of the Computer Virus / Unauthorized Computer Access Incident Reports for January 2005, compiled by IPA.
I. Computer Virus Incident Reports (for further details, please refer to Attachment 1)
The reported number [1] for January 2005 was 4,880, about the same level as the 4,905 recorded in December. The detection number [2], however, was about 3,340,000, up 28.5% from about 2,600,000 in December.
W32/Netsky was reported 1,179 times, making it the eleventh consecutive month with more than 1,000 reports. It was followed by W32/Mydoom with 348 reports and W32/Bagle with 334.
[1] Reported number: when aggregating reports, a virus and its variants reported by the same filer on the same day are counted as one case, however many copies were found.
[2] Detection number: the cumulative count of viruses detected by a filer. For January, aggregating the reports gave 4,880 cases, while the detection counts contained in those reports summed to about 3,340,000.
1. New Variant of W32/Bagle Emerged
A new variant of W32/Bagle that emerged on January 28 spread within Japan before anti-virus vendors had released definition files for it; in many cases damage resulted because it could not be detected.
This virus infects a computer when the file attached to an e-mail is opened. If you receive an e-mail with one of the following subjects and message bodies, do not open the attachment; simply delete the message from your mailbox.
Subject: "Delivery service mail", "Delivery by mail", "Registration is accepted", "Is delivered mail", "You are made active"
Mail body: "Thanks for use of our software", "Before use read the help"
Once a computer is infected, the virus collects addresses from files such as the address book and sends virus mail to the addresses it has acquired. It also creates a backdoor on the infected computer so that it can be accessed from outside.
Further, it tries to spread through file-sharing software and to stop security products (anti-virus software, personal firewalls, etc.) from working.
Because the virus disables anti-virus software, an infected computer is unlikely to be cleaned by ordinary virus-countermeasure software; use one of the dedicated removal tools below instead.
Symantec (W32/Beagle@mm removal tool) (in Japanese)
http://www.symantec.com/region/jp/avcenter/venc/data/jp-w32.beagle@mm.removal.tool.html
Trend Micro (damage clean-up service) (in Japanese)
http://www.trendmicro.co.jp/esolution/solutionDetail.asp?solutionId=4700
McAfee (AVERT virus removal tool) (in Japanese)
http://www.mcafeesecurity.com/japan/security/stinger.asp
2. Increased Detection Number for W32/Netsky
The detection number for W32/Netsky was about 2,970,000, up from 2,140,000 in December. With about 89% of all detections being W32/Netsky, the situation still calls for caution.
The total virus detection number had been trending downward, from 2,910,000 in November to 2,600,000 in December; in January, however, it reached 3,340,000, exceeding 3,000,000 again. Since a new W32/Bagle variant also emerged in January, take care when handling suspicious e-mail.
(Figure not reproduced: the numbers in parentheses are the previous month's reported numbers, and the percentages are each virus's share of all viruses reported.)
II. Status of Reported Unauthorized Computer Access (for further details, please refer to Attachments 2 & 3)
The reported number for January was 31, a 44% decrease from the 55 recorded in December 2004. The number of reports involving actual damage, however, rose to 9 from 4 in December.
The breakdown of damage reports was 4 intrusions, 2 unauthorized mail relays, 1 DoS (Denial of Service) and 2 others (impersonation of legitimate user IDs).
The most notable damage case is one in which a web server was hijacked and used for phishing.
Damage cases:
- An attacker penetrated a web server and set up content to be used for phishing.
- An attacker logged into an auction site with a legitimate user's ID and password, sent mail, and deleted the user's ID without his/her knowledge.
- An attacker logged into an individual's personal web page hosted by a service provider with the owner's user ID and password, and tampered with or deleted its contents, images, etc.
- An attacker penetrated a server by a dictionary attack against SSH (Secure Shell) IDs and passwords, and planted malicious code to use the server as a stepping stone for attacks against external sites.
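The SSH dictionary-attack case above is the kind of intrusion that leaves a clear trace in the server's authentication log: a burst of failed password attempts from one source, then a success. The following Python script is an added example, not part of the IPA report or of any IPA tool. It parses constructed sshd log lines (the classic OpenSSH syslog format, with 2005 assumed as the year because syslog omits it), flags any source that produces ten failures within ten minutes, and records whether that source later logged in, which is the sign that the guessing succeeded. The thresholds, host names and addresses are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the classic OpenSSH/syslog line for a password login attempt. Written
# for this example from the documented sshd message format; check it against the
# exact wording produced by your own sshd version before relying on it.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_line(line, year=2005):
    """Parse one sshd line into a dict, or return None for lines that are not
    password attempts. Syslog omits the year, so one is assumed (2005 here)."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def find_dictionary_attacks(lines, threshold=10, window=timedelta(minutes=10)):
    """Flag every source IP that produces `threshold` failed passwords inside a
    sliding `window`, and record whether that source later logged in successfully.
    Returns {ip: {"first_seen", "failures", "users", "succeeded_as"}}."""
    total_failures = defaultdict(int)   # ip -> all failures seen so far
    recent = defaultdict(list)          # ip -> (ts, user) failures inside the window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            total_failures[ip] += 1
            recent[ip] = [(t, u) for t, u in recent[ip] if ev["ts"] - t <= window]
            recent[ip].append((ev["ts"], ev["user"]))
            if ip not in alerts and len(recent[ip]) >= threshold:
                alerts[ip] = {"first_seen": recent[ip][0][0], "failures": 0,
                              "users": set(), "succeeded_as": None}
            if ip in alerts:
                alerts[ip]["failures"] = total_failures[ip]
                alerts[ip]["users"].update(u for _, u in recent[ip])
        elif ip in alerts:
            # A success from a source that was just guessing passwords is the
            # signal that the dictionary attack got in: treat the host as compromised.
            alerts[ip]["succeeded_as"] = ev["user"]
    return alerts


# Constructed sample log (not from the report): twelve guesses in twelve seconds
# from 192.0.2.10, followed by a successful login as "oracle", plus one legitimate
# user who mistypes once. 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
ATTACK_USERS = ["root", "admin", "test", "oracle", "guest", "user"] * 2
SAMPLE_LOG = [
    f"Jan 28 03:14:{i:02d} www sshd[22{i:02d}]: Failed password for "
    f"{'' if u in ('root', 'oracle') else 'invalid user '}{u} from 192.0.2.10 port {40000 + i} ssh2"
    for i, u in enumerate(ATTACK_USERS)
] + [
    "Jan 28 03:14:13 www sshd[2213]: Accepted password for oracle from 192.0.2.10 port 40013 ssh2",
    "Jan 28 03:20:00 www sshd[2300]: Failed password for yamada from 198.51.100.7 port 51000 ssh2",
    "Jan 28 03:20:05 www sshd[2301]: Accepted password for yamada from 198.51.100.7 port 51001 ssh2",
    "Jan 28 03:20:06 www sshd[2301]: pam_unix(sshd:session): session opened for user yamada by (uid=0)",
]

if __name__ == "__main__":
    for ip, a in find_dictionary_attacks(SAMPLE_LOG).items():
        print(f"{ip}: {a['failures']} failures since {a['first_seen']:%b %d %H:%M:%S}, "
              f"users tried {sorted(a['users'])}, succeeded as {a['succeeded_as']}")
```

The legitimate user's single typo never reaches the threshold, so only the guessing source is reported. In practice the "succeeded_as" field is the one to act on first: a host that was successfully entered this way should be treated as the stepping stone described above and examined for planted code, not merely blocked at the firewall.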
Be Careful About Exploitation for Phishing!!
Phishing uses e-mail that masquerades as coming from banks, corporations, etc. to lead recipients to fake web pages, where they are asked to enter personal financial information such as credit card numbers, IDs and passwords, so that the information can be obtained fraudulently. Cases have also been discovered in which domestic web sites are being exploited for phishing.
It is not only a matter of a web site being penetrated and tampered with: vulnerabilities in web applications can also be used to present fake information on a genuine site, so cases of sites being exploited for phishing can be expected to increase sharply from now on.
Web site managers should take countermeasures in full, fixing security holes and the like, to prevent the sites they manage from becoming part of a crime.
Reference:
"Reporting Status of Vulnerability-Related Information for Software, etc. (Fourth Quarter 2004, October to December)" (in Japanese)
http://www.ipa.go.jp/security/vuln/report/vuln2004q4.html
Set and Manage IDs/Passwords Properly!!
Quite a few of the damage reports and consultations reaching IPA/ISEC appear to be caused by improperly set or managed IDs and passwords.
Examples of inadequate passwords:
- the same as the ID;
- taken partly from information about you or your family, such as names, telephone numbers or birth dates;
- a word found in a dictionary;
- a simple sequence of digits or letters;
- too short;
- a proper noun;
- a previously used password, etc.
To make a password hard to guess, use a combination of upper-case letters, lower-case letters, digits and symbols; make it long; and choose something you will not forget but that a third party cannot easily guess.
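To make the rules above checkable rather than merely advisory, here is an added Python example (not part of the IPA report or of any IPA tool) that tests a candidate password against each listed weakness: identical to the ID, containing personal information, a dictionary word (including one padded with digits or symbols, such as "Password1!"), a simple sequence, too short, too few character classes, or a reused password. The word list, the personal-information tuple and the 8-character minimum are assumptions constructed for the example; proper nouns are treated as dictionary entries, so place and brand names belong in the same list.

```python
import re
import string

# Constructed sample word list standing in for a real cracking dictionary (a real
# deployment would load a file such as a cracklib word list). Proper nouns such as
# place names are deliberately included, since the rules above reject them too.
SAMPLE_DICTIONARY = {"password", "welcome", "letmein", "dragon", "monkey", "tokyo", "sakura"}


def is_simple_sequence(password):
    """True for runs such as 'aaaaaa', '123456', 'abcdef' or '987654'."""
    if len(password) < 2:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(password, password[1:])}
    # A single repeated step of 0, +1 or -1 means the whole string is a trivial run.
    return len(steps) == 1 and steps.pop() in (-1, 0, 1)


def character_classes(password):
    """Number of classes (lower, upper, digit, symbol) present in the password."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    return sum(any(c in cls for c in password) for cls in classes)


def check_password(password, user_id, personal_info=(), history=(),
                   dictionary=SAMPLE_DICTIONARY, min_length=8):
    """Return the list of reasons a password is inadequate; an empty list means it
    passes every rule. `personal_info` holds strings such as names, phone numbers
    and birth dates; `history` holds the user's previous passwords."""
    reasons = []
    lowered = password.lower()
    if lowered == user_id.lower():
        reasons.append("same as ID")
    for item in personal_info:
        item = str(item).lower()
        if len(item) >= 3 and item in lowered:
            reasons.append(f"contains personal information ({item})")
    # Strip digits and symbols so that 'Password1!' is still caught as a dictionary word.
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if lowered in dictionary or (letters_only and letters_only in dictionary):
        reasons.append("dictionary word")
    if is_simple_sequence(password):
        reasons.append("simple sequence of letters or digits")
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if character_classes(password) < 3:
        reasons.append("fewer than three character classes (upper, lower, digit, symbol)")
    if password in history:
        reasons.append("reuse of a previous password")
    return reasons


if __name__ == "__main__":
    # Constructed candidates for a hypothetical user "taro" with a 1985 birth year.
    for pw in ("taro", "Password1!", "123456", "Tokyo2005", "Taro1985!", "k9#Lm2$vQ7"):
        result = check_password(pw, "taro", personal_info=("Taro", "1985"))
        print(f"{pw!r}: {result or 'acceptable'}")
```

The reuse check here compares plain strings only because the example is self-contained; a real system stores password history as salted hashes and compares against those, never keeping old passwords in clear text.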
Further, to manage your password properly: do not tell it to anyone, change it at regular intervals, do not write it down, and do not store it on your computer.
System administrators should without fail take measures such as setting password expiration dates, introducing one-time passwords, encrypting the communication path, and encouraging end users to change the password assigned when their ID was first created.
Reference:
"Just a Password, but Still a Password" (for end users, in Japanese)
http://www.ipa.go.jp/security/crack_report/20020606/0205.html
"Password Management and Reminders" (for system administrators, in Japanese)
http://www.ipa.go.jp/security/fy14/contents/soho/html/chap1/pass.html
III. Reminder for This Month: "Danger Lurks in Everyday Operations"
- The trigger of damage lies in human actions -
In damage cases such as virus infection or altered browser settings (Internet Explorer, etc.), the following operations are often the cause:
- Opening the attachment of an e-mail whose subject and body are written in English, or clicking a link in its body.
- Clicking a link on an unknown web page.
- Downloading free software from an unknown provider.
- Downloading assorted files with P2P file-sharing software.
Damage tends to result from such operations being performed routinely without much attention. In other words, if you pay attention to these operations, you are unlikely to suffer damage. Always remember that much danger is hidden in such operations when using the Internet.
Further, the minimum you should do is keep the software you use (OS, browser, mail software, etc.) updated and free of defects (security holes, etc.). If it is left in a defective state, malicious code may be executed automatically however careful you are.
Please refer to the following information. We encourage you to update the software you use at regular intervals to keep it in a healthy state.
"Windows Update Users' Guide" (Microsoft)
http://www.microsoft.com/japan/security/square/guard/a04g11.asp
"Software Update" (Apple Computer) (in Japanese)
http://www.apple.co.jp/ftp-info/
"Linux Information in Japan" (in Japanese)
http://www.linux.or.jp/
The details are as follows:
- Attachment 1 "Computer Virus Incident Report [Details]"
- Attachment 2 "Unauthorized Computer Access Incident Report [Details]"
- Attachment 3 "Observation Status by Internet Monitoring System (TALOT2)"