Traps Hidden in File Exchange Software!!
This is a summary of the Computer Virus / Unauthorized Computer Access Incident Reports for June 2005 compiled by IPA.
I. Reporting Status of Computer Viruses – (for further details, please refer to Attachment 1)
The detection number [1] of viruses was about 3.85M, an increase of 8.5% over the approximately 3.55M detected in May. The reported number [2] was 4,928, a slight decrease from the 5,021 reports in May.
The detection number of W32/Netsky was about 2.66M (reported number: 1,122), roughly 70% of the whole detection number, making it the most-detected virus for the 16th consecutive month. It was followed by W32/Mytob, a rapidly increasing virus, with about 0.94M (699), W32/Sober with about 0.1M (54) and W32/Bagle with about 0.04M (316).
Further, in response to the frequent incidents of information leakage via file exchange software, IPA posted a Security Alert on its Home Page in June.
1. Be Careful with the Sophisticated Methodology of the W32/Mytob Variants!
W32/Mytob first emerged in March and has produced variant after variant since; a new type of variant has now been detected. It sends virus mail that masquerades as a message from the administrator of an organization: the sender's name is forged to look like that of a system administrator, and the body pretends to carry system-administration information such as a password renewal notice.
[1] Detection number: the cumulative count of viruses found by each filer (reporter). For June, about 3.85M detections were aggregated into a reported number of 4,928.
[2] Reported number: detections are aggregated so that viruses of the same type and variant found by the same filer on the same day are counted as one report, regardless of how many actual virus instances were found.
If you receive a mail like this:
- do not open the attached file casually;
- run a virus check to confirm whether or not a virus is present;
- confirm with the organization's administrator whether the mail was really sent by that organization; etc.
Paying attention to these precautions prevents damage before it happens.
2. W32/Netsky Constituted about 70% of the Whole Detection Number! W32/Mytob Increased Rapidly!
The detection number of W32/Netsky was about 2.66M, a decrease of about 8.0% from the figure for May (about 2.89M). However, the detection number of W32/Mytob, for which variants have emerged one after another, more than doubled, from about 0.45M in May to about 0.94M in June. As a result, the whole detection number (about 3.85M) increased by 8.5%.
W32/Mytob first emerged in March, and more than 70 variants have appeared in the four-plus months since. By comparison, about 20 variants of W32/Netsky appeared in the four months after its initial emergence, so W32/Mytob has produced more than three times as many variants. Care is needed, since the emergence of so many variants in a short period can drive the virus's spread everywhere.
What is a variant?
A variant is created by adding functionality to, or altering the behaviour of, the original virus (the prototype that was first detected). In most cases anti-virus software cannot detect a variant until its virus definition file (pattern file) has been updated. It is therefore important to keep your anti-virus software up to date at all times.


(Chart caption: numbers in parentheses are the reported numbers for the previous month; the percentages are each virus's share of all viruses reported this month.)
II. Reporting Status of Unauthorized Computer Access – (for further details, please see Attachment 2)
The reported number for June was 24, a decrease of about 75% from the 94 reports in May. Of these, 22 involved actual damage, double the 11 in May. In addition, there were 37 consultations concerning unauthorized computer access (2 of which were also counted as reports), of which 22 involved actual damage.
1. Status of Damage
The breakdown of the damage reports was: intrusion 10, unauthorized mail relay 2, infection by worm 3, DoS 4, source address spoofing 1, and other damage 2. Five of the 10 intrusion cases were alterations of Web contents after penetration of the Web server. In 2 of those 5 cases, as also seen in May, a mechanism was embedded in the Web pages that infects a user's computer with a virus simply by browsing the page.
Damage Instances:
[Intrusion]
1. A Web server was penetrated and a mechanism was embedded in its Web contents that makes a user download malicious code merely by browsing the site. After the contents were restored, the same kind of alteration was detected again. Investigating the cause is difficult because a rental server is used; the likely cause is exploitation of a vulnerability in the “phpBB” electronic bulletin board running on that server. (For further interpretation and countermeasures, please refer to II. 2.)
2. Something suspicious was found in the process list on a Web server and, on checking, a backdoor was found to have been planted. The likely cause is exploitation of a vulnerability in a cgi program running on the server. (For further interpretation and countermeasures, please refer to II. 2.)
3. A Web server was penetrated with the privileges of a general user; the attacker then obtained administrator privileges on that server and altered files. All traceable logs were deleted, so the attacker's activities after the intrusion are not yet known. The initial penetration was made possible by insufficient login ID and password management. The escalation to administrator privileges was probably achieved by exploiting a known vulnerability in Linux. (For further interpretation and countermeasures, please refer to II. 3.)
4. Investigation of a communication failure found a SYN Flood attack of at least 1M packets per second. Router utilization reached 100% and communication became unavailable. Even with the router's DoS countermeasures fully in use, the attack could not be handled completely; in the end, communication was restored by asking the providers to discard all packets destined for the affected IP addresses.
5. Investigation of complaints about spam found that a large number of unwanted mails had been sent with spoofed sender addresses, as if from the reporting organization. Many of these mails then bounced back to that organization with “addressee unknown” errors.
6. In an online game operated on a Web server, incorrect data (scoring information for the game) was sent to the cgi program, and as a result an incorrect score was displayed on the ranking board that general users can browse. Fortunately, no intrusion was detected. The scoring information exchanged is encrypted and checked by comparison, but the logic was probably analyzed. (For further interpretation and countermeasures, please refer to II. 2.)
2. Reconfirm Your Web Application Operation!
In damage instances 1, 2 and 6, the damage was caused by exploiting vulnerabilities in Web applications. When a Web application vulnerability is exploited, it can cause large-scale damage such as database alteration and leakage of private information. Therefore, in addition to security countermeasures for the Web servers themselves and for the network on which they are installed, never fail to apply security countermeasures to the Web applications running on those servers.
Reference:
“Reconfirm your security countermeasures on the Web sites – Tips to check your vulnerability countermeasures” (in Japanese)
http://www.ipa.go.jp/security/vuln/20050623_websecurity.html
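Damage instance 6 shows why encrypting client-submitted data and comparing it on the server is not enough: once the client's logic has been analyzed, anyone can produce a blob the server will accept. The Python sketch below is an added example, not code from the original report or from the game in question. The XOR key, the server secret, the scoring ceiling and the token format are all assumptions; it contrasts the forgeable scheme with a server that keeps its secret and its session state server-side and validates the score against what was achievable.

```python
"""Score submission: a forgeable client-side 'encryption' scheme beside a
server-side design that does not trust the client's arithmetic.

Added example, not code from the original report or the game it describes.
CLIENT_KEY, SERVER_SECRET, MAX_POINTS_PER_SECOND and the token format are
assumptions made for illustration.
"""
import hashlib
import hmac
import secrets
import time

# ---- Weak design: the key that 'encrypts' the score ships inside the client
CLIENT_KEY = b"game2005"   # assumption: fixed key embedded in the game client


def _xor(data: bytes) -> bytes:
    return bytes(b ^ CLIENT_KEY[i % len(CLIENT_KEY)] for i, b in enumerate(data))


def weak_client_encode(score: int) -> bytes:
    """What the legitimate client sends: the score XOR-ed with the embedded key."""
    return _xor(str(score).encode())


def weak_server_accept(blob: bytes) -> int:
    """The server decodes and trusts the value. Its 'comparison check' only
    confirms that the blob decodes to digits, which any forger can satisfy."""
    raw = _xor(blob)
    if not raw.isdigit():
        raise ValueError("malformed score")
    return int(raw)


def forge_score(desired: int) -> bytes:
    """An attacker who has analysed the client simply reproduces its encoding."""
    return weak_client_encode(desired)


# ---- Hardened design: the secret and the game state stay on the server
SERVER_SECRET = secrets.token_bytes(32)   # never leaves the server
MAX_POINTS_PER_SECOND = 50                # assumption: the game's scoring ceiling


class ScoreServer:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}    # session id -> start time issued by the server
        self._used = set()     # sessions that have already submitted a score
        self.ranking = []

    def _tag(self, sid: str, start: int) -> str:
        msg = f"{sid}:{start}".encode()
        return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

    def start_game(self) -> str:
        """Issue a session token the client must return with its score."""
        sid = secrets.token_hex(8)
        start = int(self._clock())
        self._sessions[sid] = start
        return f"{sid}:{start}:{self._tag(sid, start)}"

    def submit(self, token: str, score: int) -> bool:
        """Accept a score only if the token is genuine, unused, and the score
        is achievable in the time the session has been open."""
        try:
            sid, start_s, tag = token.split(":")
            start = int(start_s)
        except ValueError:
            return False
        if not hmac.compare_digest(tag, self._tag(sid, start)):
            return False                       # forged or altered token
        if self._sessions.get(sid) != start or sid in self._used:
            return False                       # unknown or replayed session
        elapsed = max(1, int(self._clock()) - start)
        if not 0 <= score <= elapsed * MAX_POINTS_PER_SECOND:
            return False                       # impossible for the time played
        self._used.add(sid)
        self.ranking.append(score)
        return True
```

The point of the second half is that nothing the client computes is trusted: the token's HMAC is checked with a key the client never sees, each session can submit once, and the score is bounded by the server's own clock. A client that has been fully reverse-engineered still cannot post a score the game could not have produced.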
3. Reconfirm Your ID, Password and User Management!
In damage instance 3, penetration of the server was easy because a general user had set a simple password. The attacker then obtained administrator privileges by exploiting an OS vulnerability inside the network. In this way, even a single remaining security hole renders the other security countermeasures meaningless. Pay attention, therefore, to the IDs and passwords of general users who can connect from outside: mechanisms that check password complexity and prompt regular password changes, together with encryption of the communication paths, are effective countermeasures.
Reference:
“Just a matter of password, but password” (for general users) (in Japanese)
http://www.ipa.go.jp/security/crack_report/20020606/0205.html
“Password management and its warning” (for system administrators) (in Japanese)
http://www.ipa.go.jp/security/fy14/contents/soho/html/chap1/pass.html
“Linux information in Japan – bug/security information”
http://www.linux.or.jp/en/index.html
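The complexity check and rotation prompt recommended above, as an added example in Python (not code from the original report). The minimum length, the 90-day rotation period and the handful of common passwords are assumptions; a real deployment would compare against a large list of breached passwords rather than the list embedded here.

```python
"""Password policy check for accounts reachable from outside.

Added example, not code from the original report. MIN_LENGTH, MAX_AGE_DAYS
and COMMON_PASSWORDS are assumptions; a real deployment would check against a
large list of breached passwords instead of the handful below.
"""
import re
from datetime import date
from typing import List

MIN_LENGTH = 12
MAX_AGE_DAYS = 90            # assumption: prompt a change after this many days

# constructed, deliberately tiny list of common passwords
COMMON_PASSWORDS = ("password", "123456", "qwerty", "letmein", "welcome", "admin")

# runs taken from these sequences (forwards or backwards) are rejected
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "qwertyuiop", "asdfghjkl",
             "zxcvbnm", "0123456789")

# common letter substitutions undone before the dictionary comparison
LEET = str.maketrans("0134578@$!", "oleastbasi")


def _has_sequence(pw: str, run: int = 4) -> bool:
    """True if any `run` consecutive keyboard/alphabet characters appear."""
    low = pw.lower()
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):
            if any(s[i:i + run] in low for i in range(len(s) - run + 1)):
                return True
    return False


def check_password(password: str, user_id: str) -> List[str]:
    """Return the policy violations found; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("uses fewer than 3 of: lower, upper, digit, symbol")
    low = password.lower()
    if user_id and user_id.lower() in low:
        problems.append("contains the user ID")
    # undo leet substitutions and drop non-letters so P@ssw0rd! -> passwordi
    normalised = re.sub(r"[^a-z]", "", low.translate(LEET))
    if low in COMMON_PASSWORDS or any(
            w in normalised for w in COMMON_PASSWORDS if w.isalpha()):
        problems.append("is based on a common password")
    if re.search(r"(.)\1\1", password):
        problems.append("repeats one character three or more times")
    if _has_sequence(password):
        problems.append("contains a keyboard or alphabet sequence")
    return problems


def password_expired(last_changed: date, today: date) -> bool:
    """True when the password is older than the rotation period."""
    return (today - last_changed).days > MAX_AGE_DAYS
```

Run the check both when a password is set and on login, so that accounts created before the policy existed are caught too; combine it with the rotation check to prompt the user when `password_expired` is true.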
4. Reconfirm Your Response to a DoS Attack!
In damage instance 4, despite the use of a comparatively high-performance router equipped with DoS protection functions, the only remaining option was to ask the upstream providers that manage the circuits to discard the packets. Besides this instance, there were reports of a large number of (unwanted) mails being sent in a short period, of a Smurf attack, and so on. Such instances show the importance of deciding in advance, as part of routine operations, how to respond when an attack is received. Installing security systems such as an IDS and/or IPS is also an effective countermeasure.
Reference:
CERT Advisory CA-1996-21: TCP SYN Flooding and IP Spoofing Attacks
http://www.cert.org/advisories/CA-1996-21.html
CERT Advisory CA-1998-01: Smurf IP Denial-of-Service Attacks
http://www.cert.org/advisories/CA-1998-01.html
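Part of deciding the response in advance is knowing what you are looking at: a check like the one below would have told the operator in instance 4 which destination to ask the upstream provider to blackhole, and it also covers the Smurf pattern mentioned above. It is an added example in Python, not from the original report; the packet-record format, the thresholds and the sample traffic are all constructed for illustration, and a real deployment would feed the functions from a flow collector or packet capture.

```python
"""Flag SYN-flood and Smurf traffic patterns in a stream of packet records.

Added example, not code from the original report. The record format, the
thresholds and sample_traffic() are constructed for illustration; a real
deployment would feed this from a flow collector or packet capture.
"""
from collections import defaultdict

SYN_RATE_THRESHOLD = 1000      # pure SYNs per second to one host (assumption)
ECHO_REPLY_THRESHOLD = 200     # unsolicited echo replies per second (assumption)

# record: (second, proto, src, dst, detail); detail = TCP flags or ICMP type


def detect_syn_flood(records):
    """Return (dst, second, syn_count, distinct_sources) for every second in
    which a destination receives more pure SYNs (flag S without A) than the
    threshold. A large distinct-source count with a flood usually means the
    sources are spoofed, as the CERT advisory above describes."""
    syns = defaultdict(int)
    sources = defaultdict(set)
    for sec, proto, src, dst, detail in records:
        if proto == "tcp" and "S" in detail and "A" not in detail:
            syns[(dst, sec)] += 1
            sources[(dst, sec)].add(src)
    return sorted((dst, sec, n, len(sources[(dst, sec)]))
                  for (dst, sec), n in syns.items() if n > SYN_RATE_THRESHOLD)


def detect_smurf(records):
    """Return (dst, second, reply_count) where a host receives more ICMP echo
    replies in a second than it sent echo requests plus the threshold.
    Replies that answer the host's own requests are therefore not counted."""
    sent = defaultdict(int)
    replies = defaultdict(int)
    for sec, proto, src, dst, detail in records:
        if proto != "icmp":
            continue
        if detail == "echo-request":
            sent[(src, sec)] += 1
        elif detail == "echo-reply":
            replies[(dst, sec)] += 1
    return sorted((dst, sec, n) for (dst, sec), n in replies.items()
                  if n - sent[(dst, sec)] > ECHO_REPLY_THRESHOLD)


def sample_traffic():
    """Constructed traffic: ordinary handshakes in seconds 0-4, a spoofed SYN
    flood against 192.0.2.10 at second 10, a Smurf reply storm at second 20."""
    recs = []
    for i in range(20):                        # normal SYN / SYN-ACK pairs
        recs.append((i % 5, "tcp", f"203.0.113.{i}", "192.0.2.10", "S"))
        recs.append((i % 5, "tcp", "192.0.2.10", f"203.0.113.{i}", "SA"))
    for i in range(1500):                      # flood from spoofed sources
        recs.append((10, "tcp", f"198.51.100.{i % 250}", "192.0.2.10", "S"))
    recs.append((20, "icmp", "192.0.2.10", "198.51.100.1", "echo-request"))
    recs.append((20, "icmp", "198.51.100.1", "192.0.2.10", "echo-reply"))
    for i in range(300):                       # amplifier hosts reply at once
        recs.append((20, "icmp", f"198.51.100.{i % 250}", "192.0.2.10", "echo-reply"))
    return recs
```

Thresholds must be tuned to the link: the report's instance saw over 1M packets per second, far above anything a per-second counter like this needs to distinguish from normal traffic, but the output (target address, rate, source spread) is exactly what the upstream provider needs for a discard request.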
III. Access Status Captured by Internet Monitoring in June – (for further details, please refer to Attachment 5)
In the Internet Monitoring (TALOT2), unwanted (one-sided) accesses in June totaled 454,153 across 10 monitoring points, that is, about 1,500 unwanted accesses per monitoring point per day.
The environment at each TALOT2 monitoring point is close to a general user's Internet connection, so general Internet users can be considered to receive a similar amount of unwanted (one-sided) access.
If your computer is connected directly to the Internet without the necessary countermeasures (that is, in a vulnerable state, not protected by a router and/or firewall device), these unwanted (one-sided) accesses become the greatest threat.
If you must connect your computer directly to the Internet, never fail to take the countermeasures below:
- if the OS has a firewall function, make sure it is operating properly;
- if the OS has no firewall function, install a personal firewall application and keep it operating properly as far as possible;
- keep the OS and applications on your computer up to date (e.g., run Windows Update);
- remove unnecessary file sharing settings.
IV. Reminder for this Month: “Traps Behind File Exchange Software!” - Is your information management perfect? -
Information leakage through file exchange software, typified by Winny, is happening frequently. The main cause is infection by W32/Antinny, which exploits Winny.
W32/Antinny spreads through file exchange software. When a computer is infected, the Word and/or Excel files, etc. saved on it are exposed, so any file exchange software user can easily obtain files (information) from third parties' computers, and information leakage results.

Taking countermeasures against viruses is mandatory; at the same time, you should recognize the risk that information saved on a computer can easily be browsed by an unspecified number of people. We therefore encourage you to review your use of file exchange software and check whether there are any problems.
Reference:
“Notes upon utilization of file exchange software” (in Japanese)
http://www.ipa.go.jp/security/topics/20050623_exchange.html
Statistics provided by other organizations/vendors are published at the following sites.
Glossary
*1 phpBB:
An electronic bulletin board program written in the scripting language PHP; one of the Web applications.
*2 cgi (Common Gateway Interface):
The mechanism by which a Web server runs an external program on the server in response to a client's request and returns the program's output to the client.
*3 SYN Flooding Attack:
One of the DoS attack methods used to degrade or halt a server's functions. It exploits the TCP connection set-up procedure by sending large numbers of connection requests (SYN packets) whose handshakes are never completed.
*4 spam:
Also called junk mail, bulk mail or simply “unsolicited mail”. It refers to mass mail, including mail on personal or religious matters, sent to an unspecified number of recipients for advertising or harassment, whether or not there is a commercial intent.
*5 Smurf Attack:
One of the DoS attacks. It exploits the directed-broadcast function of IP networks: the attacker sends ICMP echo request packets whose source IP address is set to the target's address, addressed to a network's broadcast address. Every host that receives the request sends an ICMP echo reply back to the target at the same time, congesting the target's network bandwidth. The name comes from one of the attack programs used by attackers.
*6 IDS (Intrusion Detection System):
A mechanism that detects and alerts on intrusions and violations against a system. Its role is to monitor the system and, when it detects activity that breaches the security policy, to alert the administrator as quickly as possible and to save and provide the information needed for investigation and analysis.
*7 IPS (Intrusion Prevention System):
A mechanism that blocks intrusions and violations against a system. It has a function that automatically blocks communication when an anomaly is detected; it is generally regarded as an enhanced IDS.
- Attachment 3 “Observation Status by Internet Monitoring System (TALOT2)”