May 23, 2005
IT Security Center
Information-technology Promotion Agency, Japan (IPA)
A Large Number of W32/Mytob Virus Variants Emerge!!
This is a summary of the computer virus and unauthorized computer access incident reports for April 2005 compiled by IPA.
The reported number [1] in April was 4,440, a decrease of 8.4% from the 4,846 reported in March. The virus detection number [2] was about 3.38M, an increase of 29.0% from the approximately 2.62M reported in March.
W32/Netsky had the highest reported number with 1,009 reports; it has been the most-reported virus for 14 consecutive months. W32/Bagle (330) and W32/Mytob (302) followed.
W32/Mytob, first reported in March, has produced a large number of variants in a short period: more than 70 are known now (as of May 10), which works out to roughly one new variant per day. Most of them, about 50, appeared in April alone, a faster initial spread of variants than W32/Netsky, the virus with the largest reported number, showed when it first emerged. Among the many W32/Mytob variants, IPA detected the largest number for Mytob.X, which first appeared at the beginning of April.

[Figure: Detection number, classified by each W32/Mytob variant per day]
When variants emerge in quick succession, the chance of receiving a new variant before the virus definition file (pattern file) has caught up with it is higher. Even if anti-virus software does not detect it, the virus will infect the computer if you open the e-mail attachment. Be sure to keep taking preventive measures continually: update your anti-virus software frequently, do not open e-mail attachments, and so on.
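The point above is that a signature update always lags a new variant, so the measure that does not depend on signatures is to refuse executable attachments outright. The following Python example, added here as an illustration and not taken from the IPA report or from any product, shows such a mail-gateway attachment policy: it normalizes the attachment name (including whitespace padding used to hide the real extension), looks inside ZIP archives for executable members, and blocks archives it cannot open. The list of executable extensions and all sample attachments are constructed for the example; the extension list is an assumption to be adjusted to local policy.

```python
import io
import re
import zipfile

# Extensions treated as executable. This list is an assumption for the
# example, not a list from the IPA report; extend it to match local policy.
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta",
}


def normalize_name(filename):
    """Lower-case the name and strip whitespace padding such as
    'report.txt            .scr', which is meant to hide the real extension."""
    return re.sub(r"\s+", "", filename.lower())


def is_executable_name(filename):
    """True if the last extension of the normalized file name is executable."""
    name = normalize_name(filename)
    if "." not in name:
        return False
    return name.rsplit(".", 1)[1] in EXECUTABLE_EXTENSIONS


def zip_contains_executable(data):
    """Look inside a ZIP attachment. An archive that cannot be opened is
    treated as if it contained an executable, because it cannot be inspected."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return any(is_executable_name(m) for m in archive.namelist())
    except zipfile.BadZipFile:
        return True


def classify_attachment(filename, data):
    """Return 'block' or 'allow' for one attachment, judged from its name and
    content alone, without any virus signature."""
    if is_executable_name(filename):
        return "block"
    if normalize_name(filename).endswith(".zip") and zip_contains_executable(data):
        return "block"
    return "allow"


def build_sample_zip(member_name):
    """Construct an in-memory ZIP with one dummy member (constructed test data)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr(member_name, b"not a real program")
    return buffer.getvalue()


if __name__ == "__main__":
    # Constructed sample attachments, not real mail traffic.
    samples = [
        ("document.exe", b""),
        ("readme.txt", b"hello"),
        ("report.txt            .scr", b""),
        ("attachment.zip", build_sample_zip("setup.exe")),
        ("photos.zip", build_sample_zip("holiday.jpg")),
        ("broken.zip", b"this is not a zip file"),
    ]
    for name, content in samples:
        print(f"{name!r:35} -> {classify_attachment(name, content)}")
```

Such a policy is deliberately coarse: it blocks legitimate programs as well as worms, which is the trade-off the advice "do not open attachments" already makes. It complements anti-virus software rather than replacing it, since a signature is still needed to clean a machine that is already infected.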

In addition to spreading through e-mail attachments, W32/Mytob exploits security holes in Windows, so a computer can be infected simply by being connected to the network. The virus carries out the following activities. In particular, once the virus has opened a backdoor, there is a risk of further damage such as deletion of files or embedding of malicious code.
Please be sure to take the following precautionary measures to prevent infection by W32/Mytob:
If anti-virus software finds an infection, be sure to remove the virus; free removal tools are provided at the following sites. If the infected computer cannot reach those sites because of W32/Mytob, download the removal tool on an uninfected computer, copy it to a floppy disk or USB memory, and run it on the infected computer.
How to check for and remove the virus using free removal tools:
(Usable both to check whether a computer is infected with W32/Mytob and to remove the virus if it is.)
The detection number reported for W32/Netsky was about 3.08M, an increase of 33.9% from the approximately 2.3M reported in March. The total detection number for all viruses was about 3.38M, an increase of 29% from the approximately 2.6M reported in March.


(Numbers in parentheses are the reported numbers for the previous month; the percentages are each virus's share of all viruses reported this month.)
The total number of unauthorized access reports in April was 48, a decrease of about 19% from the 59 reported in March. Of these, 24 involved actual damage, an increase of about 71% from the 14 reported in March.
The breakdown of the 24 damage reports was: intrusion 8, DoS 8, spoofing of a mail address 1, and others 7 (masquerading 1, embedding of malicious code (attempted) 4, and suspected unauthorized network monitoring 2).
Of the 8 intrusions, 3 were cases of actual damage in which Web contents were altered after the Web server was penetrated. One of them is presumed to be a cyber attack related to the Japan-China situation.
In the case where Web pages were altered after administrative authority was taken over by an SQL injection attack against the database system, the root cause was a vulnerability: incomplete sanitizing of the query data supplied by users. It is presumed that the attacker deliberately mixed a malicious SQL statement into that input, changing the password of the administrator's user ID. This does not apply only to this case: in any Web application that accepts user input, for example at sign-up, be sure to reconfirm that user input is properly validated. Escaping on its own is fragile; passing user input to the database as bound parameters, so that it can never be parsed as part of the SQL statement, is the more reliable fix.
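The following Python/SQLite example is added here to show concretely how the kind of attack described above works and how bound parameters stop it. It is constructed for this summary and is not code from the affected site or from the IPA report: the table layout, user names, passwords and the exact payload are assumptions, and passwords are stored in plain text only so that the effect of the injection is visible (a real application stores password hashes). The vulnerable handler pastes a user-supplied "e-mail address" into an UPDATE statement; the payload closes the string, adds a second SET column, points the WHERE clause at the administrator and comments out the remainder, so an ordinary user's profile update rewrites the administrator's password.

```python
import sqlite3

# Constructed sample data; the names and passwords are placeholders.
SEED_USERS = [
    ("administrator", "admin-secret", "admin@example.invalid"),
    ("alice", "alice-pass", "alice@example.invalid"),
]

# Payload an attacker can submit as an "e-mail address" while logged in as an
# ordinary user. It closes the string literal, appends a second SET column,
# redirects the WHERE clause at the administrator and comments out the rest.
INJECTION_PAYLOAD = (
    "x@example.invalid', password = 'owned' "
    "WHERE username = 'administrator' -- "
)


def make_db():
    """Create an in-memory user table resembling a Web application's sign-up store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
        "password TEXT NOT NULL, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, email) VALUES (?, ?, ?)", SEED_USERS
    )
    conn.commit()
    return conn


def update_email_vulnerable(conn, username, new_email):
    """Vulnerable 'update my profile' handler: the input is concatenated into
    the statement text, so the database parses it as SQL, not as data."""
    sql = (
        "UPDATE users SET email = '" + new_email + "' "
        "WHERE username = '" + username + "'"
    )
    conn.execute(sql)
    conn.commit()


def update_email_safe(conn, username, new_email):
    """Hardened handler: the same statement with bound parameters. The driver
    passes the input as values, so it cannot change the statement's structure."""
    conn.execute(
        "UPDATE users SET email = ? WHERE username = ?", (new_email, username)
    )
    conn.commit()


def get_password(conn, username):
    row = conn.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def get_email(conn, username):
    row = conn.execute(
        "SELECT email FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run the same payload through both handlers and report what each did."""
    results = {}

    conn = make_db()
    update_email_vulnerable(conn, "alice", INJECTION_PAYLOAD)
    results["vulnerable_admin_password"] = get_password(conn, "administrator")

    conn = make_db()
    update_email_safe(conn, "alice", INJECTION_PAYLOAD)
    results["safe_admin_password"] = get_password(conn, "administrator")
    # With bound parameters the payload is just an odd-looking e-mail string.
    results["safe_alice_email"] = get_email(conn, "alice")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")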
In the case where an ID and password were fraudulently used on an Internet auction site, personal information such as the user's address, name and online payment details may also have been obtained, which could lead to further damage. Apart from insufficient management of the user's ID and password, the credentials may nowadays be captured by malicious code that records keystrokes. To reduce such risks as far as possible, avoid entering private information, or browsing sites that require you to enter an ID and password, on computers you do not use routinely. On computers provided in public places, an Internet café for example, it is better not to browse sites that require you to sign in.
Damage in which Web servers are penetrated to alter contents or embed malicious code is reported repeatedly. Such intrusions can lead to further damage, for example when fake contents are installed for phishing. At present in particular, the likelihood of receiving indiscriminate cyber attacks is rising for political reasons.
Most of the damage described here can, however, be blocked by fundamental countermeasures: proper ID/password management by administrators and application of security patches to the OS and Web applications. Be sure to review your server management to prevent damage from spreading.
In the Internet Monitoring (TALOT2), unwanted (one-sided) access in April totalled 476,320 cases across 10 monitoring points, about 1,600 accesses per monitoring point per day.
Each TALOT2 monitoring point is set up much like a general user's Internet connection, so general Internet users can be assumed to receive a comparable amount of unwanted (one-sided) access.
The following countermeasures are effective for general Internet users' environments:
The time between the disclosure of a security hole (a defect in security) and the appearance of a method that exploits it keeps getting shorter: around 2001 it took from 6 months to several years; around 2003, from 10 days to several weeks.
In fact, an exploit for a Windows security hole (the TCP/IP vulnerability, MS05-019, published April 13) had already appeared by April 28. If you do not take countermeasures such as applying the fix program, you may suffer damage at any time.
Applying fix programs immediately and taking adequate preventive measures as soon as security holes are publicized are the key to preventing damage before it happens. Please refer to the following sites to keep your computer up to date.
IT Security Center, Information-technology Promotion Agency
(IPA/ISEC)
Tel:+81-3-5978-7527
Fax:+81-3-5978-7518
E-mail: (address given as an image on the original page)