Your Computer May Be Infected by a Bot Without You Realizing It!
This is a summary of the Computer Virus/Unauthorized Computer Access Incident Reports for September 2005 compiled by IPA.
I. Computer Virus Incident Reports
- (for further details, please refer to Attachment 1)
The detection number[1] for viruses was about 3.23M, a 4.2% decrease from about 3.37M in August. The reported number[2] for September was 4,723, a 5.7% increase from 4,470 in August.
The virus with the highest detection number was W32/Netsky at about 2.56M, which accounted for about 80% of the total detection number for September; second was W32/Mytob at about 0.51M. The total detection number for September fell because the detection numbers of both of these viruses fell. The reported number rose, however, because new viruses emerged one after another, as described below.
1. Viruses with Bot Functionality Are Spreading!
W32/Bobax, W32/Zotob and W32/IRCbot, which emerged in August and exploit security holes in Windows, and W32/Mytob, of which numerous variants continue to appear, all possess bot(*1) functionality. Once a computer is infected, it is likely to be used, under direction from outside, as a source of spam and/or as a stepping stone for attacks on specific sites.

When a computer is used as a stepping stone for an attack, its owner turns from the victim of a virus infection into the perpetrator of an attack. To avoid becoming the perpetrator of attacks against third parties, it is important to carry out proper virus countermeasures.
IPA has recently prepared a brochure, as part of its monthly informatization activities, that summarizes the features and behavior of bots together with countermeasures against them. Please refer to it for further countermeasures against bots.
The brochure on countermeasures against bots
http://www.ipa.go.jp/security/antivirus/shiori.html
(in Japanese)
[1] Detection Number: the cumulative count of viruses found by each reporter. For September, the detection number was about 3.23M; aggregating these detections as described in [2] gave a reported number of 4,723.
[2] Reported Number: the count after aggregation: viruses of the same type and variant reported by the same reporter on the same day are counted as one case, regardless of how many individual viruses were actually found by that reporter on that day.
2. W32/Netsky Accounts for about 80% of the Total Detection Number!
The detection number of W32/Netsky was about 2.56M; it continues to account for about 80% of the total detection number. The number nevertheless decreased 4.4% from August. In addition, the detection number of W32/Mytob decreased 11.3%, from about 0.57M in August to about 0.51M.
 
(Chart not reproduced here. Numbers in parentheses in the chart are the reported number and its percentage of the total reported number, for the previous month.)
II. About Spyware
A variety of malicious code other than viruses, such as spyware(*2), is spreading. It is downloaded to a computer when, for example, the user clicks an image on an adult site; it then collects e-mail addresses, changes the Internet Explorer start page, and so on.

To prevent such damage from malicious code other than viruses, the following measures are effective:
1) Use anti-spyware software (available from most PC stores)
2) Avoid accessing suspicious Web sites
3) Set a higher security level in your browser
IPA recently prepared a brochure that defines spyware and summarizes countermeasures against it, jointly with the Japan Network Security Association (JNSA). Please refer to it for further countermeasures against spyware.
The brochure on countermeasures against spyware
http://www.ipa.go.jp/security/antivirus/shiori.html
(in Japanese)
III. Status of Reported Unauthorized Computer Access (incl. consultations)
(for further details, please refer to Attachment 2)
Status of Reported/Accepted Unauthorized Computer Access
                              | Apr. | May | Jun. | Jul. | Aug. | Sept.
Total Reported (a)            |  48  |  94 |  24  |  53  |  41  |  31
    Damaged (b)               |  24  |  11 |  22  |  10  |  12  |  16
    Not Damaged (c)           |  24  |  83 |   2  |  43  |  29  |  15
Total Consultations (d)       |  28  |  47 |  37  |  43  |  43  |  30
    Damaged (e)               |  13  |  25 |  22  |  24  |  23  |  16
    Not Damaged (f)           |  15  |  22 |  15  |  19  |  20  |  14
Grand Total (a + d)           |  76  | 141 |  61  |  96  |  84  |  61
    Damaged (b + e)           |  37  |  36 |  44  |  34  |  35  |  32
    Not Damaged (c + f)       |  39  | 105 |  17  |  62  |  49  |  29
Shift in Consultation Numbers Accepted by IPA
                              | Apr. | May | Jun. | Jul. | Aug. | Sept.
Total                         | 553  | 461 | 511  | 554  | 629  | 554
    Automatic Response System | 374  | 242 | 289  | 337  | 376  | 337
    Telephone                 | 115  | 118 | 143  | 128  | 179  | 144
    e-mail                    |  61  |  92 |  67  |  84  |  67  |  72
    Fax, Others               |   3  |   9 |  12  |   5  |   7  |   1
* IPA provides consultation and advice on computer viruses and unauthorized computer access, as well as on other general security issues (Tel. +81-3-5978-7509, 24-hour automatic response).
* "Automatic Response System": number of cases accepted by the automatic response system
* "Telephone": number of cases accepted by Security Center personnel
* The Grand Total in "Status of Reported/Accepted Unauthorized Computer Access" includes the "Total Consultations (d)" as well.
1. Status of Reported Unauthorized Computer Access
The number of reports for September was 31, of which 16 involved actual damage.
2. Status of Consultations Accepted Concerning Unauthorized Computer Access
The number of consultations concerning unauthorized computer access was 30 (6 of which were also counted as reports), of which 16 involved actual damage.
3. Status of Damage
The breakdown of damage reports was: intrusion 8, worm infection 2, DoS attack 2, e-mail address spoofing 2, and others (with damage) 2. Of the 8 intrusions, 5 were caused by attacks on the port(*3) used by SSH(*4); continued vigilance is needed <please refer to damage instance (i)>. In addition, consultations concerning "one-click fraud", in which a "billing" demand is sent or displayed immediately after an adult site is browsed, continued at the level of the previous months <July: 28, August: 83, September: 80>.
Damage Instances:
<Intrusion>
(i) Attack on the port used by SSH
A server was intruded by a password cracking(*5) attack against the port used by SSH. As a result, an account(*6) to be exploited for the intrusion was created, an IRC(*7) service was started, and the server was used as a stepping stone for SSH password cracking attacks against other servers. The system was also infected with a virus and became inoperable. Security patches for the OS (Linux) had not been applied.
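The attack in instance (i) leaves a characteristic trace in the SSH server's authentication log: a burst of failed logins from one address, cycling through several user names, and in the worst case a successful login from the same address right after the burst. The following is an added example, not IPA's code and not taken from the report, of a detector for that pattern run over constructed OpenSSH-style log lines; the addresses, user names and the thresholds (5 failures within 60 seconds) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed OpenSSH-style auth log lines (not real data): a burst of failed
# password guesses from 203.0.113.5 followed by a successful root login, plus
# one ordinary user mistyping a password and then logging in with a key.
SAMPLE_LOG = """\
Sep 12 03:14:01 srv sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Sep 12 03:14:02 srv sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Sep 12 03:14:03 srv sshd[2103]: Failed password for invalid user test from 203.0.113.5 port 51236 ssh2
Sep 12 03:14:04 srv sshd[2104]: Failed password for invalid user oracle from 203.0.113.5 port 51237 ssh2
Sep 12 03:14:05 srv sshd[2105]: Failed password for root from 203.0.113.5 port 51238 ssh2
Sep 12 03:14:09 srv sshd[2106]: Accepted password for root from 203.0.113.5 port 51240 ssh2
Sep 12 08:02:11 srv sshd[2310]: Failed password for alice from 198.51.100.7 port 40010 ssh2
Sep 12 08:02:20 srv sshd[2311]: Accepted publickey for alice from 198.51.100.7 port 40011 ssh2
"""

# Matches the "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>"
# messages that OpenSSH's sshd writes to the auth log.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted)\s+(?P<method>\w+)\s+for\s+"
    r"(?:invalid user\s+)?(?P<user>\S+)\s+from\s+(?P<src>[\d.]+)\s+port\s+\d+"
)


def parse_auth_log(lines):
    """Yield (timestamp, result, method, user, source) for each login attempt."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd chatter (disconnects, key exchange, ...)
        # Syslog timestamps carry no year; fine for the intra-day windows used here.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        yield ts, m["result"], m["method"], m["user"], m["src"]


def find_brute_force(lines, threshold=5, window_s=60):
    """Return {source: info} for sources with >= threshold failed logins inside
    window_s seconds. info["compromised"] is True when an Accepted login from the
    same source follows the burst, i.e. the cracking succeeded."""
    by_src = defaultdict(list)
    for ev in parse_auth_log(lines):
        by_src[ev[4]].append(ev)

    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e[0])
        fails = [e for e in events if e[1] == "Failed"]
        burst_end = None
        # Sliding window over the failure timestamps.
        for i in range(len(fails) - threshold + 1):
            if (fails[i + threshold - 1][0] - fails[i][0]).total_seconds() <= window_s:
                burst_end = fails[i + threshold - 1][0]
                break
        if burst_end is None:
            continue
        findings[src] = {
            "failures": len(fails),
            "users": sorted({e[3] for e in fails}),
            "compromised": any(e[1] == "Accepted" and e[0] >= burst_end for e in events),
        }
    return findings


if __name__ == "__main__":
    for src, info in find_brute_force(SAMPLE_LOG.splitlines()).items():
        state = "SUCCEEDED - treat host as compromised" if info["compromised"] else "blocked"
        print(f"{src}: {info['failures']} failures against {info['users']}; {state}")
```

Detection alone does not stop the cracking. The countermeasure is to take the password out of play: set `PasswordAuthentication no` and `PermitRootLogin no` in sshd_config, use key-based authentication, and restrict which addresses can reach the SSH port, in addition to applying the OS patches that were missing in the instance above.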
<Worm Infection>
(ii) Embedded malicious code and attacks on outside hosts
Firewall software had rejected attacks by malicious code such as worms or Trojan horses, and the logs(*8) were examined. They showed that the source of the rejected communications was the user's own computer and that their destinations were outside hosts. The conclusion was that several pieces of malicious code had been embedded in the computer and had probably been attacking outside computers. The cause has not yet been identified.
<Others>
(iii) Impersonation at a net auction
A user investigated after receiving a credit card bill for charges he/she did not recognize. It turned out that someone had impersonated him/her using his/her ID at a net auction site where he/she was registered and had put goods up for sale. The goods were sold and the system usage fee was charged to the user.
IV. Access Status Captured by Internet Monitoring in September
In the Internet Monitoring System (TALOT2), unwanted (one-sided) accesses in September totaled 462,928 cases at 10 monitoring points: at a single monitoring point, about 1,543 unwanted (one-sided) accesses were captured per day, from about 440 sources.
Since the environment at each TALOT2 monitoring point is nearly the same as a general user's Internet connection, general Internet users can be assumed to receive the same amount of unwanted (one-sided) access. In other words, every day your computer receives on average about 3.5 accesses that are considered unauthorized from each of about 440 unknown sources.
Notes for this Month
- Unauthorized accesses that appear to target vulnerabilities in Windows remain numerous. Most of these accesses are presumably made by computers infected with worms. Given that the type of worm called a bot is currently widespread, the worms making these accesses are probably bots.
- Accesses to port 135 (TCP) and port 445 (TCP), which are especially numerous, appear to target known vulnerabilities in Windows. Most of them are sent from domestic addresses; it is therefore assumed that bot infection is spreading within Japan.
- System administrators should check whether their servers have vulnerabilities and be sure to keep them up to date at all times.
- General computer users should keep their own computers up to date at all times to prevent bot infection. We also encourage them to make effective use of anti-virus software and similar tools.
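Both damage instance (ii) in section III and the TALOT2 figures in this section rest on the same kind of evidence: a firewall's record of rejected connections. The following is an added example, not IPA's code and not the TALOT2 system, that runs over constructed iptables-style drop records and computes the per-day count and number of distinct sources of unsolicited inbound accesses and the most-hit destination ports (the figures this section reports), and separately lists dropped outbound connections whose source is the monitored machine itself, which is the sign that the machine has become the attacker, as in instance (ii). The local address 192.0.2.10, the `DROP` log prefix and the sample records are assumptions.

```python
import re
from collections import Counter, defaultdict

LOCAL_IP = "192.0.2.10"  # assumed address of the monitored machine

# Constructed iptables-style drop records (not from TALOT2 or any real sensor).
# "DROP" is an assumed --log-prefix; IN=/OUT= tell inbound from outbound.
SAMPLE_FW_LOG = """\
Sep 12 00:10:01 pc kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=3421 DPT=445
Sep 12 00:10:03 pc kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=3422 DPT=135
Sep 12 01:22:40 pc kernel: DROP IN=eth0 OUT= SRC=198.51.100.44 DST=192.0.2.10 PROTO=TCP SPT=1058 DPT=445
Sep 12 02:05:12 pc kernel: DROP IN=eth0 OUT= SRC=198.51.100.44 DST=192.0.2.10 PROTO=TCP SPT=1059 DPT=139
Sep 12 02:07:55 pc kernel: DROP IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=2200 DPT=22
Sep 13 00:00:30 pc kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=3500 DPT=445
Sep 13 00:00:31 pc kernel: DROP IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.200 PROTO=TCP SPT=1044 DPT=445
Sep 13 00:00:32 pc kernel: DROP IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.201 PROTO=TCP SPT=1045 DPT=445
Sep 13 00:00:33 pc kernel: DROP IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.202 PROTO=TCP SPT=1046 DPT=6667
"""

TS_RE = re.compile(r"^(\w{3}\s+\d+)\s+\d\d:\d\d:\d\d\b")
KV_RE = re.compile(r"(\w+)=(\S*)")  # netfilter fields are KEY=VALUE; VALUE may be empty


def parse_records(lines):
    """Return one dict per DROP record: the KEY=VALUE fields plus 'day'."""
    records = []
    for line in lines:
        m = TS_RE.match(line)
        if not m or " DROP " not in line:
            continue
        fields = dict(KV_RE.findall(line))
        fields["day"] = " ".join(m.group(1).split())  # "Sep  2" -> "Sep 2"
        records.append(fields)
    return records


def inbound_summary(lines):
    """Unsolicited inbound attempts (IN set, OUT empty): total, per-day cases and
    distinct sources, the daily average, and the most-hit protocol/port pairs."""
    recs = [r for r in parse_records(lines) if r.get("IN") and not r.get("OUT")]
    per_day = defaultdict(lambda: {"cases": 0, "sources": set()})
    ports = Counter()
    for r in recs:
        per_day[r["day"]]["cases"] += 1
        per_day[r["day"]]["sources"].add(r["SRC"])
        ports[(r.get("PROTO", "?"), r.get("DPT", "?"))] += 1
    days = len(per_day)
    return {
        "total": len(recs),
        "per_day": {d: (v["cases"], len(v["sources"])) for d, v in per_day.items()},
        "avg_cases_per_day": len(recs) / days if days else 0.0,
        "top_ports": ports.most_common(3),
    }


def outbound_from_local(lines, local_ip=LOCAL_IP):
    """Dropped outbound connections whose source is this machine (the pattern of
    damage instance (ii)). Returns (destination, protocol, destination port)."""
    return [
        (r["DST"], r.get("PROTO"), r.get("DPT"))
        for r in parse_records(lines)
        if r.get("OUT") and not r.get("IN") and r.get("SRC") == local_ip
    ]


if __name__ == "__main__":
    s = inbound_summary(SAMPLE_FW_LOG.splitlines())
    print(f"inbound: {s['total']} cases, {s['avg_cases_per_day']:.1f}/day, top ports {s['top_ports']}")
    for day, (cases, sources) in s["per_day"].items():
        print(f"  {day}: {cases} cases from {sources} sources")
    for dst, proto, dport in outbound_from_local(SAMPLE_FW_LOG.splitlines()):
        print(f"OUTBOUND from {LOCAL_IP} to {dst} {proto}/{dport}: host may be infected")
```

Inbound noise on 135/445 is what every exposed machine sees and is not by itself a sign of infection; the line that matters for an individual user is the outbound one. Dropped outbound connections to port 445 on many different hosts, or to 6667 (the usual IRC port), from a machine that should not be making them is exactly the evidence the reporter in instance (ii) found in the firewall log.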
V. Reminder for this Month: "Conduct Virus Checks Regularly!"
- Isn't Your Computer Infected Without You Realizing It? -
Consultation Instances Reported to IPA:
1) A user ran a virus check when his/her computer had almost stopped working and found that it had been infected with a virus about a year earlier.
2) A user hurriedly ran a virus check when a billing demand appeared on his/her desktop and found that the computer was infected with spyware that collects e-mail addresses from computers, and with a mass-mailing virus.
As in the cases above, if you use a computer without running regular virus checks, you are likely to become, without realizing it, a perpetrator who spreads viruses and/or is used as a source of spam.
Check whether your computer is infected by running a virus check at least once a week, to make sure it has not been intruded by bots or spyware or infected by viruses.
You can reduce the risk of damage by closing any security holes in your computer. Be sure to carry out countermeasures routinely; if you are a Windows user, run Microsoft Update regularly.
References:
Microsoft: Microsoft
Update http://update.microsoft.com/
Symantec: http://www.symantec.com/region/jp/
(in Japanese)
Trendmicro: http://www.trendmicro.co.jp/home/
(in Japanese)
McAfee: http://www.mcafee.com/jp/default.asp
(in Japanese)
Various statistics provided by other organizations/vendors are published at the following sites:
@police: http://www.cyberpolice.go.jp/
(in Japanese)
Trendmicro: http://www.trendmicro.com/jp/
(in Japanese)
McAfee: http://www.mcafee.com/jp/default.asp
(in Japanese)
Glossary
(*1) bot: A kind of computer virus, created so that an infected computer can be manipulated from outside over a network (the Internet).
(*2) spyware: Software that fraudulently acquires information such as a user's personal information and access history and automatically sends it to a third party.
(*3) Port: The interface through which each service in a computer exchanges information with the outside. Numbers from 0 to 65535 are used to identify ports, so they are also called port numbers.
(*4) SSH (Secure Shell): A protocol, or a program, used to log in to another computer over a network, execute commands on the remote computer, and transfer files to it. Since the data sent over the network is encrypted, these operations can be carried out safely across the Internet.
(*5) Password Cracking: Discovering someone else's password, for example by observation. Methods include exhaustive (brute force) search and dictionary attacks, and tools exist that automate cracking.
(*6) Account: The right that allows a user to use resources on a computer or network; it also refers to the ID needed to use them.
(*7) IRC (Internet Relay Chat): A chat system for real-time online conversation among Internet users. By connecting to IRC servers with dedicated client software, users can exchange messages with many other Internet users. It can also be used to transfer files.
(*8) log: A record of the use of a computer or of data communication. Generally the operator's ID, the date and time of the operation, the content of the operation, etc. are recorded.
- Attachment 3: Observation Status by Internet Monitoring System (TALOT2)