Threats by Spyware!!
This is a summary of the Computer Virus/Unauthorized Computer Access Incident Reports for July 2005 compiled by IPA.
I. Reporting Status of the Computer Virus (for further details, please refer to Attachment 1)
The detection number [1] for viruses was about 3.79M, a 1.7% decrease from about 3.85M in June. In addition, the reported number [2] in July was 4,536, an 8.0% decrease from 4,928 in June.
The detection number for W32/Netsky reached about 2.84M (reported number: 1,125), which constitutes 75% of the whole detection number and keeps it the worst virus for 17 consecutive months. W32/Mytob with about 0.8M (638), W32/Bagle with about 0.05M (284) and W32/Lovgate with about 0.04M (249) followed. In response to damage caused by spyware, IPA published a security alert on its Home Page in July.
1. A New Virus, W32/Reatle, Emerged!!
A new virus, W32/Reatle, emerged in July. In addition to spreading through e-mail attachments, this virus also infects over the network by exploiting security holes in Windows.
When infected, this virus conducts the following activities.
i) Certain files may be deleted or certain information stolen by an intruder penetrating from outside.
ii) Performs a DoS attack against a specific site: the victim turns into an attacker.
iii) Downloads other malicious code automatically: spyware, etc. may be downloaded, which may result in serious damage.
[1] Detection Number: the cumulative count of viruses found by filers. For July, the aggregation of about 3.79M virus detections resulted in a reported number of 4,536.
[2] Reported Number: the aggregated count of virus reports. Viruses of the same type and variant found by the same filer on the same day are counted as one case, regardless of how many viruses were actually found.

2. W32/Netsky Constitutes 75% of the Whole Detection Number!
The detection number for W32/Netsky was about 2.84M, an increase of about 6.8% from about 2.66M in June. In addition, the detection number for W32/Mytob, which had increased every month since its initial emergence in March, was about 0.8M, its first decrease, from about 0.94M in June.
The reason why W32/Netsky keeps such a high ratio is presumably that the virus spreads through virus mails without users realizing they are infected. Even if you are confident that you are safe, we encourage you to check with a removal tool just in case. In addition, please inform your computer community of this status.
How to check with a removal tool (free):
(These tools check whether or not a computer is infected with the Netsky virus and remove it if it is.)
Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky@mm.removal.tool.html
Trendmicro:
http://www.trendmicro.com/download/dcs.asp
McAfee: Stinger
http://vil.nai.com/vil/averttools.asp
Microsoft:
http://support.microsoft.com/?kbid=890830


(Numbers in parentheses are the reported numbers for the previous month; the percentages are each virus's share of all viruses reported this month.)
II. About Spyware
Not only viruses but also spyware, which collects information saved on a computer and sends it outside, is being distributed; it causes monetary damage as well. Therefore, be careful not to open e-mail attachments by mistake or to download such files from Home Pages.
For example, detection/damage reports pertaining to the following spyware are being filed with IPA.
Trojan/Lineage: It collects login IDs and passwords for online games and sends them outside.
Trojan/Myftu: It acquires mail addresses and sends them outside.
As for Trojan/Myftu, if you click an image on an adult site, etc., it is downloaded and your mail address is collected. It is confirmed that the addresses collected are exploited for billing fraud. (To prevent such damage, please refer to "5. The Interpretation and the Countermeasures: A Spyware could be the Trigger for Unauthorized Computer Access?!" in the next section.)
III. Status for Reported Unauthorized Computer Access (incl. consultation) (for further details, please refer to Attachment 2)
1. Status for Reported Unauthorized Computer Access
The reported number for unauthorized computer access in July was 53, of which 10 cases involved actual damage.
| | Feb. | Mar. | Apr. | May | Jun. | Jul. |
| Damaged | 9 | 14 | 24 | 11 | 22 | 10 |
| Not damaged | 54 | 45 | 24 | 83 | 2 | 43 |
| Total (Cases) | 63 | 59 | 48 | 94 | 24 | 53 |
2. Status for Acceptance of Consultation Relevant to Unauthorized Computer Access
The number of consultations relevant to unauthorized computer access was 42 (of which 9 were also counted in the reported number); 23 of them involved actual damage.
3. Status for Damage
The breakdown of the damage reports was: intrusion 3, unauthorized mail relay 1, DoS 2, source address spoofing 1 and others (damaged) 3.
Further, some consultations included an instance in which malicious code was embedded in a computer, the mail address was stolen and then a "billing fraud" mail arrived. <Please refer to damage instance (vi)>
Damage Instances:
<Intrusion>
(i) An investigation was conducted after a server monitoring system detected unusually high activity on a mail server, and the server's logs showed that a large number of spam (*1) mails were being sent. Subsequent investigation showed that an intruder had penetrated the server via the port (*3) used by SSH (*2) and was sending spam mails from inside. The probable cause is that the port had been opened for maintenance and the password for an administrator-privileged user account (*4) was easily guessable. (For the interpretation and the countermeasures, please refer to III. 4)
(ii) A server installed on the border between the Internet and the LAN was getting slower. A few days later, an investigation of the access logs showed that a password attack had been performed against an administrator-privileged user account. As a result, the password was taken over and the server was penetrated; further, web content for phishing fraud had been set up without permission. (For the interpretation and the countermeasures, please refer to III. 4)
(iii) Since a large number of accesses considered to be fraudulent were concentrated on port 80 of the Web server, browsing of the Web content from outside was unavailable for several hours. The situation was recovered by restricting access from specific IP addresses.
<Unauthorized Mail Relay>
(iv) A mail the reporter knew nothing about was returned with an unknown mail address error. A study of the mail header revealed that the mail had been sent from the mail server in his/her own domain. The cause was not yet clarified, but the settings of the mail server were reconfirmed, as it was likely to have been exploited as an unauthorized mail relay.
(v) The ID and password necessary for online bank transactions appeared to have been fraudulently taken over, and deposits were transferred to other accounts. The subsequent investigation showed that a spyware known as a key logger (*5) had been embedded. Further, the settings of the Web browser had been altered and files saved on the computer destroyed; it may be assumed that malicious code other than the key logger was also embedded. Eventually, the situation was recovered by reinitializing the computer. (For the interpretation and the countermeasures, please refer to III. 5)
(vi) A suspicious mail arrived; on clicking the URL in the mail body, the browser jumped to an adult site. On clicking an image on that site, a confirmation screen asking to download a file was displayed, and "OK" was clicked without consideration. On double-clicking the downloaded file, a "debit note" icon appeared on the desktop. Opening it showed a message reading "Thank you for your enrollment to XXX site. Please remit us $XX.xx no later than X days." The reporter's own mail address had never been entered, yet a number of mails prompting remittance of the enrollment fee arrived within minutes. The mails urging remittance kept coming, almost every week. After that incident, a virus check was conducted and detected a spyware which steals the mail addresses set in the mailing software. (For the interpretation and the countermeasures, please refer to III. 5)
4. The Interpretation and the Countermeasures: Reconfirm Intrusion Preventive Measures to Servers!!
In damage instances (i) and (ii), the cause of intrusion was password cracking. It is mandatory to set passwords that are not easily guessable; however, if you open a port carelessly, even such a password can be broken comparatively easily, although it takes a certain time. In addition, if administrator privilege is given to a user account which is accessible from outside, the risk in case of intrusion will be higher. In the current cases, the victim in each case could be considered an attacker, since his/her computer was sending out spam mails or hosting phishing sites after the intrusion. Users and paths accessible from outside should be restricted to a minimum, and it should be confirmed that access privileges are adequately given.
Reference:
"Security in Remotely Accessible Environment" (in Japanese)
http://www.ipa.go.jp/security/awareness/administrator/remote/
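The access-log investigation described in instances (i) and (ii), as an added example that is not part of the IPA report: a Python script that scans OpenSSH authentication log lines for repeated failed password attempts against administrator accounts and flags a successful password login from a source that had already been failing. The log lines are constructed for this example; the failure threshold and the ADMIN_ACCOUNTS set are assumptions.

```python
import re
from collections import Counter

# Constructed sample sshd log lines in syslog format (not from the IPA report).
# Source 203.0.113.7 guesses the root password and finally gets in;
# 192.0.2.10 is an ordinary user with a single typo.
SAMPLE_LOG = """\
Jul 12 02:14:01 gw sshd[2201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jul 12 02:14:03 gw sshd[2201]: Failed password for root from 203.0.113.7 port 40123 ssh2
Jul 12 02:14:05 gw sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 40124 ssh2
Jul 12 02:14:07 gw sshd[2201]: Failed password for root from 203.0.113.7 port 40125 ssh2
Jul 12 02:14:09 gw sshd[2201]: Failed password for root from 203.0.113.7 port 40126 ssh2
Jul 12 02:14:12 gw sshd[2201]: Accepted password for root from 203.0.113.7 port 40127 ssh2
Jul 12 08:30:00 gw sshd[2310]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
Jul 12 09:00:00 gw sshd[2333]: Failed password for alice from 192.0.2.10 port 51002 ssh2
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port")
ADMIN_ACCOUNTS = {"root", "admin", "administrator"}  # assumed list of privileged logins


def analyze(log_text, threshold=4):
    """Return (brute_force_sources, suspicious_logins).

    brute_force_sources: {ip: failure_count} for sources with >= threshold failures.
    suspicious_logins: [(user, ip, prior_failures)] for password logins to an
        admin account from a source that had already failed >= threshold times,
        i.e. the "password taken over" pattern of instance (ii).
    """
    failures = Counter()
    suspicious = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            _user, ip = m.groups()
            failures[ip] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            if method == "password" and user in ADMIN_ACCOUNTS and failures[ip] >= threshold:
                suspicious.append((user, ip, failures[ip]))
    brute = {ip: n for ip, n in failures.items() if n >= threshold}
    return brute, suspicious
```

Run over a real /var/log/auth.log or /var/log/secure, a non-empty suspicious list means the account password should be treated as compromised, not merely as attacked.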
5. The Interpretation and the Countermeasures: A Spyware could be the Trigger for Unauthorized Computer Access?!
In instances (v) and (vi), a spyware which steals information had been embedded, and the banking account information and the mail address were leaked outside. This could be the reason the banking account was fraudulently accessed and the deposit withdrawn, and the reason the reporter received a number of "billing fraud" e-mails. Be sure not to casually open e-mail attachments you know nothing about, avoid opening/downloading suspicious files from unknown sources, and take damage-preventive countermeasures such as installing adequate security software. Even if information is leaked, damage can be kept to a minimum if, just in case, an option restricting the amount that can be withdrawn at one time is set for banking accounts, and "billing fraud" e-mails are not casually responded to. (As for the countermeasures for spyware, please also refer to V. in this document.)
Reference:
National Consumer Affairs Center of Japan: "The Methodology which Automatically Generates Bills on a Computer Display when Clicks" (in Japanese)
http://www.kokusen.go.jp/soudan_now/d_seikyu.html
IV. Accessing Status Captured by the Internet Monitoring in July
In the Internet Monitoring (TALOT2), unwanted (one-sided) access in July totaled 448,232 cases at 10 monitoring points; the unwanted (one-sided) access captured at one monitoring point was about 1,450 accesses from about 500 sources per day.
The environment of each monitoring point in TALOT2 is nearly equal to a general user's Internet connection, so it can be considered that general Internet users receive the same amount of unwanted (one-sided) access. In other words, on average your computer is being accessed every day by about 500 unknown people, about 3 accesses each, which are considered to be unauthorized.
Notes for this Month
- Unauthorized accesses targeting SQL servers are increasing. System administrators should confirm whether or not their servers have vulnerabilities and always keep servers up to date. Moreover, it is not necessary to expose SQL servers directly on the Internet; if one is exposed, we encourage the system administrator to review the system.
- Accesses which display a message on the computer screen (please see the example provided below) prompting you to enhance security and soliciting you to specific Web sites are increasing. The message includes instructions to follow, but you should not follow them; just close the display by clicking the "x" button. For your information, if you are a Windows XP user, these messages will no longer appear on your screen once you enable the firewall function provided by the OS.

- Accesses targeting file sharing are still large in number. There is no reason to expose file sharing to the Internet; please be sure to maintain a robust environment by strengthening passwords and resolving vulnerabilities, etc.
For further details relevant to the above, please refer to the following site.
Attachment 3_The Internet Monitoring Captured by TALOT2 July 2005
V. Reminder for this Month: "Threat by Spyware!"
- Has Your Computer Already Been Penetrated Without You Realizing? -
There were damage instances caused by a spyware targeting Internet banking users, in which deposits were fraudulently remitted/transferred, and by another spyware which steals mail addresses, in which a user was automatically enrolled with an adult site and received e-mails demanding payment of a bill for site usage.
Other than the above instances, a number of spyware which collect login passwords for online games or which automatically change the computer's settings, etc. are being distributed.
Please conduct the following countermeasures, referring to the 5 tips for countermeasures against spyware, to prevent the above damage.
1. Utilize anti-spyware software, update its definition files regularly and check whether or not spyware is present.
2. Always keep your computer up to date.
3. Be cautious of suspicious sites and questionable e-mails.
4. Enhance the security of your computer.
5. Just in case, back up necessary files.
For further details, please refer to the following sites.
The 5 Tips for the Countermeasures Against Spyware for PC Users (in Japanese)
http://www.ipa.go.jp/security/antivirus/spyware5kajyou.html
Reference:
Reminder for Preventing Damages from Spyware (in Japanese)
http://www.ipa.go.jp/security/topics/170720_spyware.html
Please Conduct Certain Countermeasures in Place Prior to Your Summer Vacation!!
In corporations/organizations which provide longer holidays such as the Obon [3] holidays or the summer vacation, larger damage is likely to result if trouble occurs during the holidays, because countermeasures are delayed.
We encourage you to reconfirm security settings before longer holidays by referring to "Conduct Certain Countermeasures in Place Prior to Your Summer Vacation" described below.
"Conduct Certain Countermeasures in Place Prior to Your Summer Vacation" (in Japanese)
http://www.ipa.go.jp/security/topics/alert170804.html
[3] One of the old customs in Japan: during that period, family members reunite to welcome back their ancestors' spirits from heaven.
"Various Statistics Information Provided by Other Organizations/Vendors are Publicized in the Following Sites"
@police:
http://www.cyberpolice.go.jp/ (in Japanese)
Trendmicro:
http://www.trendmicro.com/jp/ (in Japanese)
McAfee:
http://www.mcafee.com/jp/default.asp (in Japanese)
Glossary
Spam (*1):
Also called junk mail, bulk mail or simply "unsolicited mail". It refers to mass mails, including those on personal or religious issues, sent to an unspecified majority for advertising and/or harassing purposes, irrespective of commercial intent.
SSH (Secure Shell) (*2):
A protocol or program used to log in to another computer via the network, execute commands on the remote computer and transfer files to it. Since data sent via the network is encrypted, a series of operations over the Internet can be done safely.
Port (*3):
A window through which each service within a computer exchanges information with the outside. Numbers from 0 to 65535 are used for the ports, so they are also called port numbers.
Account (*4):
The privilege which allows a user to use resources on a computer or the network; it also implies the ID necessary for use.
Key Logger (*5):
A program which records information input via a keyboard.
- Attachment 3 "Observation Status by Internet Monitoring System (TALOT2)"