The reported number [1] in May was 5,021 : it was 6-month interval from November 2004 that the reported number which exceeded more than 5,000. In addition, the virus detection number [2] was about 3.55M : an increase of 5.3%, compared with about 3.38M in April.

The reported number for the W32/Netsky was 1,128 : in each of the past 15 months running, the virus became the worst one. W32/Mytob with 584, W32/Mydoom with 446 and W32/Bagle with 336 subsequently followed.

[1] Reported Number:

Virus counts are aggregated: viruses of the same type and variant reported on the same day are counted as one case number regardless of how many viruses or the actual numbers of the viruses are found by the same filer on the same day.

[2] Detection Number:

Reporting virus counts (cumulative) found by a filer: For March, the reported number resulted in 5,021 upon aggregation of virus detection counts marked about 3,550,000.

1. A New Virus W32/Wurmark Emerged!!

The W32/Wurmark virus which initially reported in May expands infection through attachment files to e-mails: the infection source is the same as the already known viruses. However, when infected, it embeds codes called “keylogger” which records inputs from keyboards. This will enable that the private information being input from keyboard and electronically recorded likely to be leaked outside .

The W32/Netsky and W32/Mytob , the worst 2 viruses in the reported number have a potentiality to penetrate from outside after infection and there may be a risk that the information saved in a computer would be stolen since they have such function to trap a backdoor.

The damages by the already known viruses were such that they spread over virus mails or lowered infected computer's performance. However, when infected by those currently emerged viruses, the risk relevant to information leakage is raised.

When leaked information is exploited; maliciously logged-in on-line games to sell your item without asking and/or unauthorized trades are conducted at the net banks: you will likely be faced monetary damages.

To prevent from such damages by virus:

• Do not open suspicious attachment files to e-mails;
• Anti-virus software should be used in updated condition;
• Solve security holes by conducting Windows Update, etc.

never fail to conduct above mentioned preventive measures.

• Information relevant to anti-virus software (in Japanese)
  http://www.ipa.go.jp/security/antivirus/vacc-info.html
• Windows Update (Microsoft)
  http://windowsupdate.microsoft.com

2. W32/Netsky Constitutes about 80% of Whole Detection Number!!
W32/Mytob is Rapidly Increased!!

The detection number of W32/Netsky was about 2.89M : a decrease of 6.2%, from its detection number of about 3.08M reported in April. While, the detection number of W32/Mytob was about 0.45M: quintuplicated from its detection number of 0.09M reported in April. In addition, the whole detection number (about 3.55M) was also increased 5.3%.

(Both numbers in parenthesis are the reported number for previous month; the %s are the ratio taking over for the all viruses reported in this month.)

The total reported number of unauthorized computer access for May was 94 which became almost doubled compared with 48 reported in April. Of 11 was the actual damage reported – decreased almost by half compared with 24 reported in April.

1. Status of Damage

The breakdown for the actual damage reported were intrusion with 10 , DoS with 1 . Of 7 out of intrusion (10) were such damages that the Web contents were altered by penetrating to the Web server . Of the 1 instance out of the above mentioned Web contents alteration (7) was that a certain mechanism to infect virus was being embedded upon user simply tries to browse the Home Pages and another 3 instances were setting of fake contents to be exploited for phishing .

Damage Instances:

<Intrusion>

1)   Detected penetration to the Web server and a certain mechanism to download malicious codes upon a user simply browses the Web pages was being embedded. Alteration and recovery processes were repeatedly conducted. While conducting the study for the altered parts, probes of alteration on database have been detected and eventually, the sites should have been closed tentatively. The causes have not yet been realized (the study is being conducted continually by reporter's side.).

2)   Penetrated to the Web server and malicious contents (fake sites which masquerade to be a certain on-line remittance service) to exploit for phishing was being set. Further, the server was being exploited as the steppingstone for spam (*1) sending. It was revealed by outsides. The causes have not yet been realized.

3)   Detected penetration to the Web Server and malicious contents and/or files were being set. Further, the probe which tried to send data outside using the IRC (*2) was also detected. Operation of security tools for the server had been halted. Because of insufficient setting for log transmission by syslog (*3) , logs at the firewalls have not been ensured. Investigating the causes are being interfered.

4)   Study was conducted with suspicious feel as there were automatic messages saying that the “router setting is being changed”; then, penetration to the server to alter files was detected. Along with the rootkit (*4) detection; confirmed that the files for the router settings were changed and unauthorized processes were also in operation. The causes have not yet been realized, but the damage could be held back at minimum since information security controls were being conducted in accordance with the ISMS (*5) so that the detection and the incident responses could be addressed in earlier stages.

5)   Study was conducted with the information that “You are attacking outside sites.” and detected penetration to the server to create the user account which has an administrative authority. Not only files were reworded partially/logs were being deleted, but also a packet monitoring tool was being set. An insufficient password management for the users' accounts and not yet applied any of security patches may be the causes.

<DoS>

6)   Detected that the log data which indicates that there was an SYN flood attack (*6) against the router. Fortunately, the router's downing was able to be kept away as they were being blocked by self blocking functionality and the frequency of accessing rate was low.

2. Reconfirm the Operation of Web Application!!

In the damage instance 1) above: Although the application of security patches or the server attack diagnosis from outsides were adequately conducted; in the event, penetration to the servers were being allowed . Further, in this site, not only contents to simply publicize information, but also certain mechanism (the BBS and/or application forms for certain services) to accept user's writing is provided. In this kind of sites, it is necessary to conduct not only countermeasures for OS or the server software against vulnerabilities, but also such mechanism to check up appropriateness of the processing method for the Web application which accepts users' inputs : there may be many cases that the scopes for the countermeasures will be extensive. Please be sure to reconfirm the area and its contents that the security countermeasures to be in place .

References:

• “ Reminders for Operation of e-Commercial Dealings for Consumer (User) ” (in Japanese)
  http://www.ipa.go.jp/security/vuln/20050304_ec_security.html
• “Secured Programming Course” (in Japanese)
  http://www.ipa.go.jp/security/awareness/vendor/programming/
• “Computer Security – The Trends for 2004 and the future countermeasures –“ (in Japanese)
  http://www.ipa.go.jp/security/vuln/20050331_trend2004.html

3. Be Sure to Manage/Maintain Log Data!!

In the damage instance 3) above; syslog is used as the log management method which records logs on the firewalls and there structured a certain mechanism to transfer the log data to the syslog server which is in operation on other computers. In this method, following merits such as integrated management and alteration prevention for logs are available; while, the demerit is that the log transfer may be failed. This time, such demerit is being exposed; however, regularly analyzing logs saved can be the important countermeasures to detect unauthorized computer access and/or investigate the cause upon the occurrence of incidents. Please be sure to reconfirm log-data management and/or its operation to check if there is any mistake for setting, etc.

References:

• “Secured Web Server Construction and Operation” (in Japanese)
  http://www.ipa.go.jp/security/awareness/administrator/secure-web/

4. Reconfirm Current Information Security Management!!

In the damage instance 4) above, penetration to the servers is allowed; however, such penetration can be detected in earlier stages since such mechanism to detect penetration or alteration in the servers is being installed . Other than such mechanisms, certain countermeasures are in places in advance in accordance with the rules of the Information Security Administration which holds back damages at minimum: confirmation of with or without anomaly status by referring logs regularly, confirmation and application of security patches released, assignment of adequate accessing authority, installation of computers in the server room which monitors entering/leaving, etc. Taking this opportunity, please reconfirm the current information security management such as the contents of information asset to be protected and/or its countermeasures.

References:

• “Information Security Countermeasures: Practical Information Classified by Readership” (in Japanese)
  http://www.ipa.go.jp/security/awareness/awareness.html
• Japan Information Processing Development Corporation – Information Security Management System (ISMS) Promotion Office
  http://www.isms.jipdec.jp/en/index.html

In the Internet Monitoring (TALOT2), unwanted (one-sided) access in May totaled 594,960 cases using 10 monitoring points: Unwanted (one-sided) access captured at one monitoring point was about 1,900 cases of accesses per day.

The environment for each monitoring point in TALOT2 is nearly equal to general users' Internet connection; it can be considered that the same amount of unwanted (one-sided) access may be received by the general internet users.

Unwanted (One-sided) Access at each Monitoring Point (Average)/Day

In the middle of May, the port scan trying to access to the destination port 1433 (TCP) which scopes to search for SQL Servers that can operate on the Microsoft Windows is increased in extensive area: fourfold – fivefold than usual. It has not yet been publicized as the Internet monitoring data, password cracking access to the port 22 (TCP) which tries to penetrate to computers through SSH (Secure Shell) is still remained.

It is obvious that these accesses target to penetration to computers, so far. As it is previously mentioned in the “ II. Reporting Status for Unauthorized Computer Access ”, we encourage computer administrators to recheck computers that are being managed.

As for the damage instance of May, we introduced automatic downloading of malicious codes upon browsing altered Home Pages. This implies that there are risk factors to have your computer taking in malicious codes without knowing even from the sites you usually browse.

The causes for such damage refer that there are security holes in the browsers such as the Internet Explorer, etc. and they are already exploited .

As its preventive measures, it is mandatory to solve such security holes . Please refer to the following sites and immediately apply modification programs or conduct the workaround on-line when newer security holes are being publicized.

References:

• Windows Update (Microsoft)
  http://windowsupdate.microsoft.com/
• Software Update (Apple Computer)
  http://www.apple.com/support/downloads//
• Linux Information in Japan
  http://www.linux.or.jp/en/index.html

Glossary Interpretation

(*1) spam:

It is called junk mail, bulk mail or is simply called “unsolicited mail”. It refers to mass mails including personal or religious issues to be sent unspecified majority for advertising and/or harassing purposes irrespective of commercial intent.

(*2) IRC (Internet Relay Chat):

It refers to a chat system, a real-time conversation session on-line between/among the Internet users. By accessing to the IRC servers using exclusive software, the users can be provided such services that exchange messages among a number of the Internet users. It can also be used as file communication.

(*3) syslog:

It refers to the formatting and/or communication protocol relevant to log data .

(*4) rootkit:

It refers to a software package used by an attacker after he/she had penetrated to a computer. Generally, a log alteration tool, a backdoor tool and an altered system command group are included.

(*5) ISMS (Information Security Management System):

It refers to a scheme to operate PDCA cycle of the information security management continually. To ensure and maintain their information security, an organization such as a corporation determines necessary security level based on the security policies in advance to establish their own security administrative structure, conduct regular auditing and review their countermeasures when necessary.

(*6) SYN Flooding Attack:

It refers to one of DoS attacking methods to lower or halt servers' functionalities which exploit TCP connecting procedures.

The details are as follows;

• Attachment 1 “Computer virus Incident Report [Details]”
• Attachment 2 “Unauthorized Computer Access Incident Report [Details]”
• Attachment 3 “ Observation Status by Internet Monitoring System (TALOT2) ”

IT Security Center, Information-technology Promotion Agency (IPA/ISEC)
Tel:+81-3-5978-7527
Fax:+81-3-5978-7518
E-mail: