Looking Back over 2004 since the Emergence of W32/Netsky
This is a summary of the Computer Virus/Unauthorized Computer Access Incident Reports for February 2005 compiled by IPA.
I. Computer Virus Incident Reports (for further details, please refer to Attachment 1)
The Reported Number [1] for February was 4,150, a decrease of 15.0% from the 4,880 counted in January. The Detection Number [2] for viruses was about 2,460,000, a decrease of about 26.3% from the about 3,340,000 counted in January.
W32/Netsky accounted for 1,064 reports, exceeding 1,000 for each of the past 12 months. It was followed by W32/Bagle with 458 and W32/Mydoom with 333.
1. Trend over the Last Year since the Emergence of W32/Netsky
The W32/Netsky virus, first reported to IPA on February 19, 2004, has been the most reported virus in every month since March 2004. (Please refer to Chart 1 below.)
W32/Netsky variants (Netsky.D, Netsky.P, Netsky.Q, etc.) emerged one after another, and Internet monitoring conducted by IPA observed that the virus spread by way of a large number of virus mails. (Please refer to Chart 2.)

[Chart 1: The Top 5 Viruses by Counts Reported to IPA]

[Chart 2: Initial Detection of the Emergence of W32/Netsky Captured by IPA Internet Monitoring]
[1] Reported Number: when aggregating virus counts, reports of the same virus (including its variants) from the same filer on the same day are counted as 1 case, regardless of how many were found.
[2] Detection Number: the cumulative number of virus detections found by a filer, as stated in the report. For February, the 4,150 reports aggregated to about 2,460,000 detections.
Why is the W32/Netsky Virus Spreading So Broadly?
The following features of W32/Netsky can be assumed to be the cause of its high infection rate over the past year.
Features of the W32/Netsky virus:
- It shows no visible symptoms on the infected computer, so you are not easily aware that your computer is infected.
- Your own mail address appears in the subject of the received mail, so you may mistake it for an error message about a mail you sent and open the attachment without paying attention, e.g. MAIL DELIVERY ERROR ( virus-test@ipa.go.jp ).
- It is a mass-mailing virus that sends out a large volume of mail to unspecified recipients at one time; once a computer is infected, a great many virus mails are sent out and the infection spreads further.
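As an added illustration (not part of the IPA report), the following detection heuristic flags the fake delivery-error lure described above: a subject carrying the recipient's own address together with an executable attachment. The risky-extension list and the sample message are constructed assumptions.

```python
import email
from email.message import Message

# Attachment types treated as executable; this list is an assumption for the example.
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".zip")

def suspicious_attachments(msg: Message):
    """Return filenames of attachments whose extension is in RISKY_EXTENSIONS."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            names.append(name)
    return names

def looks_like_fake_bounce(raw: str, own_address: str) -> bool:
    """True when the mail puts the recipient's own address in its subject
    (the W32/Netsky lure, e.g. 'MAIL DELIVERY ERROR ( user@example.com )')
    and carries an executable attachment, while not being a real delivery report."""
    msg = email.message_from_string(raw)
    subject = (msg.get("Subject") or "").lower()
    if own_address.lower() not in subject:
        return False
    # Genuine delivery status notifications use multipart/report and carry no executables.
    if msg.get_content_type() == "multipart/report":
        return False
    return bool(suspicious_attachments(msg))

# Constructed sample message mimicking the lure described in the report.
SAMPLE_LURE = """From: postmaster@example.net
To: user@example.com
Subject: MAIL DELIVERY ERROR ( user@example.com )
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your message could not be delivered. See attachment for details.
--b1
Content-Type: application/octet-stream; name="details.pif"
Content-Disposition: attachment; filename="details.pif"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""
```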
To Eliminate the W32/Netsky Virus
As described above, the virus shows no apparent symptoms after infection, so it can be assumed that virus mails are being spread unknowingly. It is therefore important that all computer users check their computers using either anti-virus software or a virus removal tool.
Even if you are confident that your computer is safe, we encourage you to check it just in case. Please also tell your friends and acquaintances about the virus.
How to Check Using a Removal Tool (Free of Charge):
(These tools can check for W32/Netsky infection and remove the virus if it is found.)
Trendmicro:
http://www.trendmicro.com/download/dcs.asp
McAfee:
http://vil.nai.com/vil/averttools.asp
Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky@mm.removal.tool.html
Microsoft:
http://www.support.microsoft.com/?kbid=890830
In addition, since some variants of W32/Netsky exploit security holes in Windows, please apply the fix programs from Windows Update and put the necessary countermeasures in place.
Microsoft:
http://windowsupdate.microsoft.com
2. W32/Netsky Accounted for about 90% of the Total Detection Number!
The Detection Number for W32/Netsky in February was about 2,160,000, a decrease of about 27.3% from the about 2,970,000 counted in January. However, its share of the total virus detection number still remains about 90%, and the virus continues to spread overwhelmingly.


(The numbers in parentheses are the counts for the previous month, and the percentages are each virus' share of the total.)
II. Status of Reported Unauthorized Computer Access (for further details, please refer to Attachments 2 & 3)
The reported number for February was 63, almost double the 31 counted in January. However, the number of reports involving actual damage was 9, a level similar to the previous month.
The breakdown of the damage cases was: 5 intrusions and 4 others (3 cases of spoofing, in which an unauthorized user used a legitimate user's ID, and 1 case of forced download of malicious code).
Among the 5 intrusions there were again cases, as in January, in which a Web server was hijacked and exploited for phishing.
Damage Instances:
- An intruder exploited a vulnerability in the Apache Web server software and installed content to be used for phishing.
- A third party logged in to an auction site masquerading as the legitimate user, changed the contact address to an unknown mail address, and put up products or placed bids without permission.
- An attacker fraudulently logged in to an online game site on the Internet and stole money or items used in the game.
- An intruder penetrated via a dictionary attack against the ID and password of SSH (Secure Shell), changed the administrator password or altered files, and used the machine as a stepping stone to attack external systems.
- A configuration was temporarily changed to make remote operation easier; because operation continued without restoring the original configuration, the top page of the Web server was altered.
To Avoid Becoming a Victim or an Unwitting Accomplice in Crime
If your computer is penetrated, you will not only suffer damage such as file deletion or alteration, but your computer may also be used as a stepping stone to attack other computers, exploited for phishing, illegal file exchange, etc., and you will likely become a party to cyber crime. Home computers are no exception to such damage.
Countermeasures to be conducted by individual users:
1. Install anti-virus software and a personal firewall.
2. Set a password that is not easily guessed and do not tell it to third parties.
3. Do not browse suspicious sites, and do not carelessly download files from untrustworthy sites, etc.
These are necessary to protect your computer.
Countermeasures to be conducted by system administrators:
1. Conduct adequate password configuration and management.
2. Fix vulnerabilities (be sure to fix not only those in the OS, but also those in Web applications).
3. Configure adequate access permissions and security settings (disable unnecessary services), etc.
These are necessary to conduct.
As we described last month, be sure to configure and manage passwords adequately, paying attention to the following reminders.
Inadequate passwords include:
- the same as the ID;
- partially taken from your own or your family's information, such as names, telephone numbers, birth dates, etc.;
- a word found in an English dictionary;
- a simple sequence of numbers or letters;
- of inadequate length;
- a proper noun;
- reuse of a previously used password, etc.
To make your password not easily guessable, it is necessary to combine upper and lower case letters, numbers and symbols, to make the password longer, and to choose one that is memorable to you but not easily guessed by a third party, etc.
Further, to manage the password adequately, do not tell it to anyone, change it at regular intervals, do not write it down, and do not save it on your computer, etc.
In addition, system administrators must never fail to conduct countermeasures such as setting an expiration date on passwords, introducing one-time passwords, encrypting communication paths, and encouraging end users to change the password given to them when their ID was initially issued.
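As an added example (not from the IPA report), the following checker turns the list of inadequate passwords above into rules that can be enforced at password-setting time. The dictionary, the minimum length of 8, the three-class requirement and the sample user data are constructed assumptions.

```python
import re

# Constructed stand-ins for a real dictionary and password history; assumptions for this example.
DICTIONARY = {"password", "welcome", "dragon", "monkey", "letmein", "secret"}
MIN_LENGTH = 8  # assumed threshold; the report only says length must not be inadequate

def personal_tokens(name, phone, birthday):
    """Fragments of personal data (names, phone digits, birth date) that must not appear."""
    tokens = {part.lower() for part in name.split() if len(part) >= 3}
    digits = re.sub(r"\D", "", phone)
    if len(digits) >= 4:
        tokens.update({digits, digits[-4:]})
    year, month, day = birthday.split("-")  # ISO form YYYY-MM-DD
    tokens.update({year + month + day, month + day, year})
    return tokens

def is_simple_run(pw):
    """Repeated characters or strictly ascending/descending runs such as 111111 or abcdef."""
    if len(set(pw)) == 1:
        return True
    codes = [ord(c) for c in pw.lower()]
    steps = {b - a for a, b in zip(codes, codes[1:])}
    return steps in ({1}, {-1})

def check_password(pw, user_id, name, phone, birthday, history):
    """Return the rules from the report that the candidate password violates (empty = OK)."""
    problems = []
    low = pw.lower()
    if low == user_id.lower():
        problems.append("same as ID")
    if any(t in low for t in personal_tokens(name, phone, birthday)):
        problems.append("personal information")
    if any(w in low for w in DICTIONARY):
        problems.append("dictionary word")
    if is_simple_run(pw):
        problems.append("simple sequence")
    if len(pw) < MIN_LENGTH:
        problems.append("inadequate length")
    if pw in history:
        problems.append("reused")
    classes = [r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"]
    if sum(1 for p in classes if re.search(p, pw)) < 3:
        problems.append("too few character classes")
    return problems
```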
Reference:
“Practical information for information security countermeasures, pages for end-users/home users” (in Japanese)
http://www.ipa.go.jp/security/awareness/end-users/end-users.html
“Practical information for information security countermeasures, pages for system administrators” (in Japanese)
http://www.ipa.go.jp/security/awareness/administrator/administrator.html
III. Access Status for February Captured by Internet Monitoring (for further details, please refer to Attachment 3)
Unwanted (one-sided) access for February counted 575,582 cases in total across 10 monitoring points.
The gross access number declined significantly compared with January; this means that 1 monitoring point (in the same environment as a general Internet user) received about 2,370 accesses per day.
In February, the family of worms known as bots (Trojan horses) spread very badly, as had happened in January; most of the access to the ports mentioned in Attachment 3 can be assumed to come from one of the bot-type worms.
IV. Reminder for This Month: “Conduct a Virus Check Right Now!” - Is your computer safe? -
As you are already aware from the features of W32/Netsky, newer viruses rarely show apparent symptoms when a computer is infected; it can be assumed that many virus mails are being sent out unknowingly.
To confirm whether or not a computer is infected, it is necessary to check it using anti-virus software. Even if you have no particular cause for concern, we encourage you to check your computer once more, since it may be infected without your knowing.
If you cannot obtain the latest anti-virus software right now, you can check your computer using the following online services.
Free Online Virus Check Services (available to check for virus infection):
1. Trendmicro Virus Buster Online Scan
http://housecall.trendmicro.com/
2. Symantec Security Check
http://www.symantec.com/cgi-bin/securitycheck.cgi
3. McAfee Free Scan
http://us.mcafee.com/
If a virus is detected on your computer, please confirm the virus information provided by each anti-virus software vendor, since the removal method varies from virus to virus. For removal, please use the dedicated removal tool where one is provided. It is also effective to install anti-virus software, which serves as a preventive measure as well.
If you do not know how to remove a virus, please consult the IPA Security Center inquiry counter below.
Inquiry counter for computer viruses at the IPA Security Center:
e-mail: virus@ipa.go.jp
Tel: 03-5978-7509
Fax: 03-5978-7518
(Telephone consultation is available only in Japanese)
The details are as follows:
- Attachment 1 “Computer Virus Incident Report [Details]”
- Attachment 2 “Unauthorized Computer Access Incident Report [Details]”
- Attachment 3 “Observation Status by Internet Monitoring System (TALOT2)”