Your Computer May Be Infected by a Bot Without Your Realizing It!
This is a summary of the Computer Virus/Unauthorized Computer Access Incident Reports for August 2005 compiled by IPA.
I. Reporting Status of the Computer Virus (for further details, please refer to Attachment 1)
The detection number [1] for viruses was about 3.37M, an 11.0% decrease from about 3.79M in July. In addition, the reported number [2] in August was 4,470, a 1.5% decrease from 4,536 in July.
The detection number of W32/Netsky reached about 2.67M (reported number = 999), which constituted about 80% of the whole detection number for August; it has been the worst virus for 18 consecutive months. It was followed by W32/Mytob with about 0.57M (536), W32/Bagle with about 0.03M (303) and W32/Mydoom with about 0.03M (352).
Additionally, in response to the emergence of multiple types of worms that exploit vulnerabilities (security holes) in Windows, IPA issued an emergency "Security Alert" on its home page in August.
1. Multiple Types of Worms that Exploit Vulnerabilities in Windows Have Emerged!
Worms (W32/Zotob, W32/IRCbot, W32/Bobax) exploiting the Windows vulnerabilities publicized by Microsoft on August 10 emerged one after another. These worms can infect a computer that is simply connected to the Internet; some W32/Zotob and W32/Bobax variants can also infect through e-mail attachments. In addition, these worms function as bots (*1): once infected, your computer attacks specific sites on commands from a remote operator, is used as a source of spam, or may be used as a stepping stone to attack other computers.
[1] Detection Number: the cumulative count of viruses found by a reporter. For August, the reported number of 4,470 was obtained by aggregating virus detection counts of about 3.37M.
[2] Reported Number: the aggregated count of virus cases. Viruses of the same type and variant reported by the same reporter on the same day are counted as one case, regardless of how many instances were actually found.
[Figure: Mechanism of Bots (Example)]
Source: "Computer Security – The Tendency in 2004 and the Countermeasures in Future"
http://www.ipa.go.jp/security/vuln/20050331_trend2004.html (in Japanese)
References:
Multiple Types of Worms Exploiting a Vulnerability (MS05-039) in Microsoft Windows Emerge!!
http://www.ipa.go.jp/security/ciadr/vul/20050817.html (in Japanese)
Information on Bot Countermeasures
http://www.ipa.go.jp/security/antivirus/bot.html (in Japanese)
The history of the emergence of worms exploiting the vulnerability after announcement of the Windows vulnerability is as follows:

| Time and Date | History |
|---|---|
| August 10, 2005 | Announcement of the security update (MS05-039) for Windows. |
| on or after August 12, 2005 | Exploit code for the MS05-039 vulnerability began to be published on mailing lists and on the Internet. |
| on or after August 15, 2005 | A worm exploiting the MS05-039 vulnerability emerged. |
As shown, the interval between publication of a vulnerability and the emergence of worms exploiting it is getting significantly shorter. If the vulnerabilities have been patched, however, the likelihood of suffering damage can be lowered. It is important to fix vulnerabilities by running Microsoft Update, etc. as early as possible.
In addition, be sure to prevent infection from outside by running anti-virus software, and check whether your computer is infected by scanning it about once a week.
Reference Information:
Microsoft: Microsoft Update http://update.microsoft.com/
Symantec: http://www.symantec.com/
Trendmicro: http://www.trendmicro.com/vinfo/
McAfee: http://vil.nai.com/VIL/newly-discovered-viruses.asp
2. The Detection Number of W32/Netsky Constitutes about 80% of the Whole Detection Number!
The detection number of W32/Netsky was about 2.67M, a 5.8% decrease from about 2.84M reported in July. In addition, the detection number of W32/Mytob was about 0.57M, a 28.8% decrease from about 0.8M reported in July.
(The numbers in parentheses are the reported numbers for the previous month; the percentages are each virus's share of all viruses reported this month.)
II. About Spyware
Not only viruses but also quite a few spyware programs (*2) (keyloggers (*3), etc.) and other malicious code (backdoors, etc.) are being distributed. Take care to follow the tips below so that you do not introduce them by mistake from e-mail attachments or Web pages.
1) Use anti-spyware software (available from most PC stores)
2) Avoid accessing suspicious Web sites
3) Set a higher security level on your browser
| Damage Instances (Example) | Malicious Codes Applied, etc. |
|---|---|
| Collects login IDs, passwords and/or mail addresses for online games and sends them outside. | Trojan/Lineage, Trojan/Myftu |
| Changes the browser start page to a malicious Web site, or connects to a site different from the one the user tries to access. | Trojan/StartPage, Trojan/Websearch |
| Downloads malicious code from a certain Web site and hijacks the target computer(s) by installing it. | Trojan/Downloader, Trojan/Dropper |
| Steals system information and/or passwords from a penetrated computer and sends them outside. | Trojan/PWSteal, Trojan/IRC |
As for Trojan/Myftu, if you click certain images on an adult site, etc., it is automatically downloaded to your computer and your mail address is collected. Once infected, the computer sends bills to the collected addresses. Such cases have been confirmed to be used for billing fraud.
Reference:
5 Points to Fight Against Spyware for PC Users
http://www.ipa.go.jp/security/antivirus/spyware5kajyou.html (in Japanese)
III. Status of Reported Unauthorized Computer Access (incl. consultation) (for further details, please refer to Attachment 2)
Status of Reported/Accepted Unauthorized Computer Access
| | April | May | June | July | August |
|---|---|---|---|---|---|
| Total Reported (a) | 48 | 94 | 24 | 53 | 41 |
| Damaged (b) | 24 | 11 | 22 | 10 | 12 |
| Not Damaged (c) | 24 | 83 | 2 | 43 | 29 |
| Total Consultation (d) | 28 | 47 | 37 | 43 | 43 |
| Damaged (e) | 13 | 25 | 22 | 24 | 23 |
| Not Damaged (f) | 15 | 22 | 15 | 19 | 20 |
| Grand Total (a + d) | 76 | 141 | 61 | 96 | 84 |
| Damaged (b + e) | 37 | 36 | 44 | 34 | 35 |
| Not Damaged (c + f) | 39 | 105 | 17 | 62 | 49 |
Shift in Consultation Numbers Accepted by IPA

| | April | May | June | July | August |
|---|---|---|---|---|---|
| Total | 553 | 461 | 511 | 554 | 629 |
| Automatic Response System | 374 | 242 | 289 | 337 | 376 |
| Telephone | 115 | 118 | 143 | 128 | 179 |
| e-mail | 61 | 92 | 67 | 84 | 67 |
| Fax, Others | 3 | 9 | 12 | 5 | 7 |
* IPA provides consultation/advice on computer viruses, unauthorized computer access and other information concerning overall security issues (Tel. 03-5978-7509, 24-hour automatic response).
* "Automatic Response System": numbers accepted by the automatic response; "Telephone": numbers accepted by operators.
1. Status of Reported Unauthorized Computer Access
The number of reports for August was 41, of which 12 involved actual damage.
2. Status of Accepted Consultations Relevant to Unauthorized Computer Access
The number of consultations relevant to unauthorized computer access was 43 (5 of which were also counted as reports), of which 23 involved actual damage.
3. Status of Damage
The breakdown of damage reports was: intrusion, 8; DoS attack, 2; and other (damaged), 2. In addition, as in the previous month, the consultations included a number of instances in which a "billing fraud" e-mail was sent after the user browsed an adult site <please refer to damage instance (v)>.
Damage Instances:
<Intrusion>
i) Intrusion into network devices
Passwords were changed without authorization and/or the log (*4) recording function was disabled through intrusion into several network devices, including a router. Telnet (*5) connection to the router was possible not only from the internal network but also from outside; moreover, the same password was used not only for login but also for administrator privilege. It can therefore be assumed that the intrusion was made by a password attack against the telnet connection from outside, and that the router's initial setup was changed using administrator privilege.
ii) Intrusion into servers rented for a certain period of time
A Web site was being operated on a lot rented within a commercial rental server. A foreign site operated by another user on that server was attacked by exploiting a CGI (*6) vulnerability, and administrator privilege for the rental server itself was stolen. As a result, the Web contents of all users on that Web server were tampered with. About a month later, an IRC (*7) program was started using the server's system administrator privilege. An investigation revealed that the server had been intruded upon several times. It is likely that the users' administrative information was stolen at the initial intrusion, and that the server was subsequently penetrated using a user account whose password was relatively easy to guess. These events were detected by alerts from the server's full-time monitoring system.
iii) Password attacks from both internal and outside networks
Password attacks of several hundred to several thousand accesses over a few minutes were received from both internal and outside networks. Although intrusion was prevented, a server was overloaded so that its performance was temporarily but significantly lowered.
Although anti-virus software was installed, the reporter sometimes had trouble sending/receiving e-mail, or the anti-virus software behaved anomalously. An investigation using packet monitoring software revealed that packets were being sent out unnaturally from a computer that was not in use. Anti-spyware software was installed to scan it, and several types of malicious code were detected.
vi) Downloading of malicious code at an adult site
The reporter visited a dating site or an adult site by chance. On clicking an image on the screen, an age-confirmation dialog appeared asking whether the reporter was 18 or over. After clicking "yes", the display changed to one similar to that shown while data is being downloaded. It then displayed the reporter's mail address along with a message saying "thank you for signing up with us". After that, a billing screen for site usage appeared at intervals of several minutes, and collection mail for the bill arrived. Nothing was detected when the computer was scanned with anti-virus software.
IV. Access Status Captured by Internet Monitoring in August
In the Internet Monitoring (TALOT2), unwanted (one-sided) access in August totaled 497,340 cases across 10 monitoring points; unwanted (one-sided) access captured at one monitoring point was about 1,604 cases per day from about 439 sources.
The environment of each monitoring point in TALOT2 is nearly the same as a general user's Internet connection, so it can be considered that general Internet users receive the same amount of unwanted (one-sided) access. In other words, your computer receives, on average, 3 to 4 accesses considered unauthorized from each of about 440 unknown sources every day.
Notes for this Month
- Unauthorized accesses that appear to target vulnerabilities in Windows remain numerous. Most of these accesses are considered to come from computers infected by certain worms. Given the current status, in which the type of worm called a bot is widespread, it is probable that the worms conducting such accesses are bots.
- The accesses to 135 (TCP) and 445 (TCP), which are especially numerous, may target legacy vulnerabilities in Windows; most of these accesses are sent from domestic sources, so it is assumed that bot infection within Japan is growing.
- System administrators should check whether their servers have vulnerabilities and be sure to keep them always up to date.
- General computer users should keep their own computers always up to date to prevent bot infection. We also encourage them to make effective use of anti-virus software, etc.
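As an added example (not IPA's or TALOT2's code), the following Python script aggregates inbound connection-attempt log lines the way this section summarises them: accesses and distinct sources per day, the per-port breakdown, and the share aimed at 135/tcp and 445/tcp. The log line format and the sample addresses are constructed assumptions.

```python
# Added example: summarise unwanted inbound access the way the TALOT2
# report does (per day, per port, distinct sources). Not IPA's code.
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <source address> <dst port>/<proto>"
SAMPLE_LOG = """\
2005-08-20T00:01:12 10.0.0.1 445/tcp
2005-08-20T00:01:13 10.0.0.1 445/tcp
2005-08-20T00:02:40 10.0.0.2 135/tcp
2005-08-20T03:15:00 10.0.0.3 80/tcp
2005-08-20T04:00:00 10.0.0.4 445/tcp
2005-08-21T01:00:00 10.0.0.5 135/tcp
2005-08-21T01:00:30 10.0.0.5 139/tcp
2005-08-21T02:00:00 10.0.0.6 1025/udp
"""

# Ports the report singles out as legacy Windows targets (assumed names).
WINDOWS_RPC_PORTS = {"135/tcp", "445/tcp"}


def parse_line(line):
    """Split one log line into (timestamp, source, port/proto)."""
    ts, src, port = line.split()
    return datetime.fromisoformat(ts), src, port


def daily_summary(log_text):
    """Return {day: {accesses, sources, ports, windows_share}} for the log."""
    per_day = defaultdict(lambda: {"accesses": 0, "sources": set(), "ports": Counter()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, port = parse_line(line)
        day = per_day[ts.date().isoformat()]
        day["accesses"] += 1
        day["sources"].add(src)
        day["ports"][port] += 1
    result = {}
    for day_key, d in sorted(per_day.items()):
        windows_hits = sum(d["ports"][p] for p in WINDOWS_RPC_PORTS)
        result[day_key] = {
            "accesses": d["accesses"],
            "sources": len(d["sources"]),
            "ports": dict(d["ports"]),
            "windows_share": windows_hits / d["accesses"],
        }
    return result


if __name__ == "__main__":
    for day_key, stats in daily_summary(SAMPLE_LOG).items():
        print(day_key, stats)
```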
V. Reminder for this Month: "Threat by BOT!!"
- Has Your Computer Already Been Compromised Without Your Realizing It? -
A bot is a kind of computer virus (code) created to infect a computer so that the infected computer can be manipulated from outside over a network (the Internet).
Once a computer is infected, the bot itself communicates with a controlling server outside through the network and sends spam mail and/or conducts DoS attacks on commands from outside. Further, it upgrades itself and can even change its controlling server.
A large number of bots (possibly several thousand or several tens of thousands) under the same controlling server organize a network centred on that controlling server; this is called a bot network.
If such a bot network is used to send massive spam mail for phishing or to conduct DDoS attacks against specific sites, it becomes an enormous threat.
To prevent infection by viruses such as bots, and to avoid turning from a victim into a perpetrator, be sure to take the following countermeasures:
1) Install anti-virus/anti-spyware software, update definition files, etc., and run virus checks regularly
2) Do not casually open attachments to unknown e-mails
3) Refrain from browsing suspicious Web sites
4) Make effective use of the Internet options of your browser, etc.
5) Do not click tempting links such as those in spam mail
6) Use a router and/or install a personal firewall for your Internet connection, and set up and operate them properly
7) Always update the OS and applications on your computer by running Windows Update, etc.
For further details, please refer to the following sites.
Information on Bot Countermeasures
http://www.ipa.go.jp/security/antivirus/bot.html (in Japanese)
5 Points to Fight Against Spyware for PC Users
http://www.ipa.go.jp/security/antivirus/spyware5kajyou.html (in Japanese)
"Various Statistical Information Provided by Other Organizations/Vendors Is Published at the Following Sites"
@police: http://www.cyberpolice.go.jp/ (in Japanese)
Trendmicro: http://www.trendmicro.com/jp/ (in Japanese)
McAfee: http://www.mcafee.com/jp/default.asp (in Japanese)
Glossary
(*1) bot
A kind of computer virus. It is created to manipulate an infected computer from outside through a network (the Internet).
(*2) spyware
Software that fraudulently acquires information such as the user's personal information, access history, etc., and automatically sends it to a third party.
(*3) key logger
A program that records information entered from a keyboard.
(*4) log
A record of the use of a computer or of data communication. Generally, the operator's ID, the time and date of the operation, the contents of the operation, etc. are recorded.
(*5) telnet
In a networking environment such as the Internet, a program or communication protocol used to remotely operate a computer connected to the network from a terminal at hand.
(*6) cgi (Common Gateway Interface)
The mechanism by which a Web server runs external programs on the server at a client's request and sends the result back to the client.
(*7) IRC (Internet Relay Chat)
A chat system for real-time on-line conversation between or among Internet users. By connecting to IRC servers with dedicated software, users can exchange messages with many other Internet users. It can also be used for file transfer.
- Attachment 3: "Observation Status by Internet Monitoring System (TALOT2)"