This is a summary of computer virus/unauthorized computer access incident
reports for October 2005 compiled by IPA.
I. Computer Virus Incident Reports
- (For further details, please refer to Attachment 1)
The virus detection number[1] for October was about 3.19M, a 1.4%
decrease from about 3.23M in September. The reported number[2] for
October was 4,071, a 13.8% decrease from 4,723 in September.
[1] Detection Number: the cumulative count of viruses found by the
filers (reporters). For October, about 3.19M virus detections were
aggregated into the 4,071 reports.
[2] Reported Number: the aggregated count of virus reports. Viruses of
the same type and variant reported by the same filer on the same day
are counted as one case, regardless of how many individual viruses
were actually found.
The largest detection number was W32/Netsky, at about 2.46M, which
constituted about 80% of the whole detection number for October;
W32/Mytob followed at about 0.59M, and W32/Bagle at about 0.04M.
(1) Be Careful with Viruses that Exploit Security Holes!!
W32/Licum and W32/Fanbot, which were first reported to IPA in
October, exploit security holes in Windows to spread their infection.
A computer that still has these security holes is likely to be
infected simply by being connected to a network.
[Figure: a virus infecting another computer by exploiting security holes]
In addition, W32/Fanbot also functions as a bot(*1): once infected,
the computer can be controlled from outside and is likely to be used
as a source of spam(*2) or as a stepping stone for attacks on specific
sites. IPA has revised its already published leaflet on countermeasures
against bots; please use it as a reference for your own bot
countermeasures.
The leaflet for the countermeasures against bots
http://www.ipa.go.jp/security/antivirus/shiori.html
(in Japanese)
Several security holes in Windows were publicized in October, and
attacks and/or viruses that exploit them are likely to appear. As a
preventive measure against infection damage, be sure to fix those
security holes.
Information for the emergent countermeasures publicized by IPA
Cumulative security update for Internet Explorer (MS05-052)
http://www.ipa.go.jp/security/ciadr/vul/20051012-ms05-052.html
(in Japanese)
Vulnerability in DirectShow could allow remote code execution (MS05-050)
http://www.ipa.go.jp/security/ciadr/vul/20051012-ms05-050.html
(in Japanese)
Microsoft: Windows Update
http://update.microsoft.com/
(2) Detection Number of W32/Netsky Constitutes 80% of the Whole
Detection Number!
The detection number of W32/Netsky was about 2.46M, a 3.9% decrease
from about 2.56M in September; however, it still constitutes about
80% of the whole detection number. The detection number of W32/Mytob
had been decreasing for a while, but it turned upward, increasing
about 16.2% from about 0.51M in September to about 0.59M in October.
[Figure: reported numbers by virus. Numbers in parentheses are the
reported number and its percentage of the whole reported number for
the previous month.]
II. About Spyware
Various types of spyware(*3) have been spreading: some are downloaded
to a computer simply by clicking an image on an adult site, some
collect e-mail addresses, and some steal IDs and/or passwords for
online games.
In most cases, virus infection or spyware intrusion is not easily
noticed, because there are no clearly visible symptoms. To prevent
damage by spyware, be sure to take the following countermeasures.
1. Use anti-spyware software: update its definition files and check
whether spyware is present.
2. Keep your computer up to date by applying patches (modification
programs) promptly.
3. Be cautious of suspicious sites and/or questionable mails.
4. Enhance your computer's security.
5. Back up necessary files as a further safeguard.
IPA has revised its already published leaflet on countermeasures
against spyware, in which the above measures are explained in detail;
please use it as a reference for your own spyware countermeasures.
The leaflet for the countermeasures against spywares
http://www.ipa.go.jp/security/antivirus/shiori.html
(in Japanese)
III. Status for Reported Unauthorized Computer Access (incl. consultation)
- (For further details, please refer to Attachment 2)
Status for Reported/Accepted Unauthorized Computer Access

|                            | May | Jun. | Jul. | Aug. | Sept. | Oct. |
|----------------------------|-----|------|------|------|-------|------|
| Total for Reported (a)     |  94 |   24 |   53 |   41 |    31 |   22 |
|   Damaged (b)              |  11 |   22 |   10 |   12 |    16 |   15 |
|   Not Damaged (c)          |  83 |    2 |   43 |   29 |    15 |    7 |
| Total for Consultation (d) |  47 |   37 |   43 |   43 |    30 |   35 |
|   Damaged (e)              |  25 |   22 |   24 |   23 |    16 |   25 |
|   Not Damaged (f)          |  22 |   15 |   19 |   20 |    14 |   10 |
| Grand Total (a + d)        | 141 |   61 |   96 |   84 |    61 |   57 |
|   Damaged (b + e)          |  36 |   44 |   34 |   35 |    32 |   40 |
|   Not Damaged (c + f)      | 105 |   17 |   62 |   49 |    29 |   17 |
(1) Status for Reported/Accepted Unauthorized Computer Access
The number of unauthorized computer access reports for October was
22, of which 15 involved actual damage.
(2) Status for Acceptance of Consultation Relevant to Unauthorized
Computer Access
The number of consultations relevant to unauthorized computer access
was 35 (of which 5 were also counted as reports), of which 25
involved actual damage.
(3) Status for Damage
The breakdown of the damage reports was: intrusion 10, unauthorized
mail relay 1, and others (damaged) 4. Although no damage resulted in
these cases, caution is warranted, as 4 cases of attacks and/or
intrusion attempts against the port(*4) used for SSH(*5) were counted.
Damage Instances:
<Intrusion>
(i) Account exploitation by an unauthorized user
While checking for signs of intrusion into the account(*6) used for
UPS (uninterruptible power supply) management, a piece of code that
appeared to be a backdoor was detected. The presence of a rootkit(*7)
was also suspected, but the details were unknown because the logs(*8)
had been skilfully manipulated and the evidence deleted. It was
found, however, that administrative privileges had been available to
the intruder, because the account and password for UPS management
had never been changed from the defaults set initially.
(ii) Intrusion by exploiting known vulnerabilities
While reviewing logs, suspicious processes connecting to the
organization's own servers were detected. Further investigation
revealed that a Perl script had been planted by exploiting
vulnerabilities in the XML-RPC library (PHP implementation) of the
blog system operated on the organization's own web servers. The
response was to upgrade to a version in which those vulnerabilities
are fixed.
(iii) Attacks on the port used for SSH (intrusion attempt)
A number of password cracking(*9) attacks against the port used for
SSH were conducted from both domestic and overseas sources; however,
no intrusion was allowed, because SSH login is restricted to public
key authentication(*10).
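To show how the SSH password-guessing activity described in (iii) can be spotted in a server's own logs, the following added example (not code from the IPA report) parses constructed sshd log lines, flags sources that repeatedly fail password authentication, and reports any password login that nevertheless succeeded from such a source, which is exactly the outcome that restricting SSH to public key authentication rules out. The log line format, host name, user names and addresses are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not from the IPA report); host name and
# addresses are made up from documentation address ranges.
SAMPLE_AUTH_LOG = """\
Oct 12 03:14:01 host1 sshd[2101]: Failed password for root from 198.51.100.23 port 51022 ssh2
Oct 12 03:14:03 host1 sshd[2101]: Failed password for root from 198.51.100.23 port 51023 ssh2
Oct 12 03:14:05 host1 sshd[2103]: Failed password for invalid user admin from 198.51.100.23 port 51024 ssh2
Oct 12 03:14:07 host1 sshd[2105]: Failed password for invalid user test from 198.51.100.23 port 51025 ssh2
Oct 12 03:14:09 host1 sshd[2107]: Failed password for invalid user oracle from 198.51.100.23 port 51026 ssh2
Oct 12 03:20:41 host1 sshd[2130]: Failed password for root from 203.0.113.9 port 40011 ssh2
Oct 12 03:25:00 host1 sshd[2150]: Accepted publickey for opsadmin from 192.0.2.10 port 50001 ssh2
Oct 12 03:31:12 host1 sshd[2160]: Accepted password for root from 198.51.100.23 port 51099 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>publickey|password) for (?P<user>\S+) from (?P<ip>[\d.]+)")


def parse_auth_log(text):
    """Reduce sshd log lines to (kind, method, user, ip) tuples; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append(("failed", "password", m["user"], m["ip"]))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            events.append(("accepted", m["method"], m["user"], m["ip"]))
    return events


def find_password_guessing(events, threshold=5):
    """Sources with at least `threshold` failed password attempts and the user names tried."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set()})
    for kind, _method, user, ip in events:
        if kind == "failed":
            per_ip[ip]["attempts"] += 1
            per_ip[ip]["users"].add(user)
    return {ip: d for ip, d in per_ip.items() if d["attempts"] >= threshold}


def password_logins_from_guessers(events, guessers):
    """Accepted *password* logins from a flagged source: the first thing to investigate."""
    return [(ip, user) for kind, method, user, ip in events
            if kind == "accepted" and method == "password" and ip in guessers]


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    guessers = find_password_guessing(evs)
    for ip, d in guessers.items():
        print(f"{ip}: {d['attempts']} failed password attempts, users {sorted(d['users'])}")
    for ip, user in password_logins_from_guessers(evs, guessers):
        print(f"ALERT: password login as {user!r} from guessing source {ip}")
```

On a server where sshd allows public key authentication only, the last function can never report anything, which is the protection the incident report credits.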
(iv) Unable to send mail because own mail address is listed on a
blacklist for unauthorized mail relay
The organization was informed that its mails were not being received
by the other party. Investigation revealed that the other party's
mail server was rejecting all of its mail because the organization's
own mail server had been allowing unauthorized mail relay.
IV. Status for Acceptance of Consultation
As in September, October again saw many consultations about receiving
billing-fraud mails right after browsing an adult site, the so-called
"One-click billing fraud". The number of such consultations/reports
has increased drastically in recent months <July: 28, August: 83,
September: 80, October: 108>.
All consultations accepted by IPA

|                             | May | Jun. | Jul. | Aug. | Sept. | Oct. |
|-----------------------------|-----|------|------|------|-------|------|
| Total                       | 461 |  511 |  554 |  629 |   554 |  606 |
|   Automatic Response System | 242 |  289 |  337 |  376 |   337 |  357 |
|   Telephone                 | 118 |  143 |  128 |  179 |   144 |  165 |
|   e-mail                    |  92 |   67 |   84 |   67 |    72 |   82 |
|   Fax, Others               |   9 |   12 |    5 |    7 |     1 |    2 |
* IPA provides consultation/advice on computer viruses and
unauthorized computer access, as well as on other overall security
issues.
Mail: for virus issues, for crack issues.
Tel.: +81-3-5978-7509 (24-hour automatic response)
Fax: +81-3-5978-7518 (24-hour automatic response)
* "Total": includes "Total for Consultation (d)" of the chart in
"III. Status for Reported Unauthorized Computer Access".
* "Automatic Response System": number accepted by the automatic
response system
* "Telephone": number accepted by Security Center personnel
The main consultation instances were as follows:
(i) What if I clicked at an adult site by mistake...? - Part 1
Consultation:
A message saying "Thank you for your registration with us" was
displayed when I clicked an image on an adult site, and a "billing
statement" icon was added to the desktop. Since then, a screen
prompting payment appears every few minutes, interrupting my other
work. Is this a symptom of a virus?
Response:
It is likely that some kind of malicious code, such as a virus and/or
spyware, has been installed. Check for viruses by scanning your
computer after updating the definition files of your anti-virus
software, or by using a free online scan. If anything unusual or
suspicious is detected, be sure to delete it.
(ii) What if I clicked at an adult site by mistake...? - Part 2
Consultation:
While net surfing, a message saying "Thank you for your registration
with us" was displayed when I clicked an image on an adult site; I
paid no attention to it, as I had not registered. After that, a mail
urging me to pay arrived at my e-mail address. Was my private
information stolen by unauthorized access, since I never gave my
e-mail address to that party?
Response:
It is likely that some kind of malicious code, such as a virus and/or
spyware, that steals the e-mail address information set on your
computer is involved. This is not an unauthorized computer access
activity. As a first step, conduct a virus check and/or spyware check.
(iii) Unable to delete a virus...?
Consultation:
A virus was detected by my anti-virus software. I am unable to delete
the files that may be infected; an error message saying "unable to
delete as the file you designated is in use" is displayed. How should
I address this situation?
Response:
The reason you cannot delete the files is that the virus is currently
running. First stop the virus process using the Task Manager, etc.,
or restart the computer in Safe Mode; then try to delete it again.
(iv) Although no virus has been detected...?
Consultation:
My computer behaves obviously abnormally: each time I start it, it
displays an alert window written in English that I have never seen
before, and there is a toolbar on the web browser that I never
installed. I investigated with up-to-date anti-virus software, but
nothing was detected. How should I address this situation?
Response:
If your computer runs Windows XP or Me, you may be able to restore it
to the state before it started behaving differently by using the
"System Restore" function. In Windows XP, proceed as follows:
"Start" – "All Programs" – "Accessories" – "System Tools" – "System
Restore".
V. Access Status Captured by Internet Monitoring in October
- (For further details, please refer to Attachment 3)
In the Internet Monitoring System (TALOT2), unwanted (one-sided)
access in October totaled 544,645 cases across 10 monitoring points;
the unwanted (one-sided) access captured at a single monitoring point
amounted to about 1,757 accesses from about 402 sources per day.
Since the environment of each TALOT2 monitoring point is nearly the
same as a general user's Internet connection, general Internet users
can be expected to receive about the same amount of unwanted
(one-sided) access. In other words, on average your computer receives
4 to 5 accesses considered to be unauthorized from each of about 402
unknown sources every day. Compared with the September statistics,
the graph below shows an increase in the number of accesses and a
decrease in the number of sources.

Notes for this Month
- Unauthorized accesses that appear to target vulnerabilities in
Windows remain numerous. Most of them are considered to come from
computers infected by bots. Accesses to port 135 (TCP) and port 445
(TCP), which are particularly numerous, target vulnerabilities in
Windows.
- System administrators should check whether any vulnerabilities
exist and always keep their systems up to date.
- General computer users are encouraged to use anti-virus software,
etc. to prevent bot infection and to keep their computers up to date.
- Accesses that forcibly display spam-like pop-up messages on the
computer screen are increasing, although they are not considered to
cause actual damage. They can be blocked by router settings and/or
firewalls (personal firewalls); if such messages are displayed, be
sure to review your network connection environment once more.
VI. Reminder for This Month: "The Methodology of One-Click Billing
Fraud is Getting Sophisticated!!"
- Are you sure you can count on your click?! -
Damage from so-called "One-click billing fraud", in which you are
billed simply for clicking an image on an adult site, has been
increasing drastically over the past months. Consultations about
such "One-click billing fraud" received by IPA have now exceeded 100
cases per month. <July: 28, August: 83, September: 80, October: 108>
The methods are roughly divided into two types:
A: One type simply displays threatening wording on the screen, such
as "Thank you for your registration with us. The charge for this site
is XX yen. Your IP address is X.X.X.X and your provider is XX.", etc.
B: The other type displays a billing statement on the desktop screen
every few minutes, caused by malicious code that has been installed.
Currently, the sophisticated method described in B above is notable
because it cannot be detected by anti-virus software and/or
anti-spyware. In that case, it is probably difficult to find and
delete the malicious code; in the worst case, therefore, the last
resort is to completely reinitialize your computer. Is there any way
to protect against the intrusion of such code? To tell the truth, in
many cases it is you yourself who allowed the malicious code to be
downloaded.
Do not casually click "OK" or "Execute" on an inquiry screen. If you
do, a "Billing Statement" screen may appear on your screen right after
you click. Be sure to read what the message says before you are
trapped; if you feel even slightly suspicious, it is wise not to
proceed. Click the "X" in the upper right-hand corner and close the
window.
Reference:
IPA - Response in case you are billed for your simple click
http://www.ipa.go.jp/security/ciadr/oneclick.html
(in Japanese)
IPA - 7 tips for virus countermeasures for PC users
http://www.ipa.go.jp/security/antivirus/7kajonew.html
(in Japanese)
IPA - 5 tips for spyware countermeasures for PC users
http://www.ipa.go.jp/security/antivirus/spyware5kajyou.html
(in Japanese)
“Various Statistics Information Provided by Other Organizations/Vendors
are Publicized in the Following Sites”
@police: http://www.cyberpolice.go.jp/
(in Japanese)
Trend Micro: http://www.trendmicro.com/jp/
(in Japanese)
McAfee: http://www.mcafee.com/jp/default.asp
(in Japanese)
Glossary
(*1) bot :
A kind of computer virus, created to control an infected computer
from outside over a network (the Internet).
(*2) spam :
Also called junk mail, bulk mail, or simply "unsolicited mail". It
refers to mass mail, including mail on personal or religious matters,
sent to an unspecified large number of recipients for advertising
and/or harassment purposes, regardless of commercial intent.
(*3) spyware :
Software that fraudulently acquires information such as the user's
personal information and access history and automatically sends it to
a third party.
(*4) Port :
An interface ("window") for each service within a computer, used for
exchanging information with the outside. Numbers from 0 to 65535 are
used for ports, so they are also called port numbers.
(*5) SSH (Secure Shell) :
A protocol, or a program, used to log in to another computer over the
network, execute commands on a remote computer, and transfer files to
another computer. Since data sent over the network is encrypted, a
series of operations over the Internet can be performed safely.
(*6) Account :
The privilege that allows a user to use resources on a computer or
network; it also refers to the ID needed to use them.
(*7) rootkit :
A software package used by an attacker after penetrating a computer.
It generally includes a log alteration tool, a backdoor tool, and a
set of altered system commands.
(*8) log :
A record of the use of a computer or of data communication.
Generally, the operator's ID, the date and time of the operation, the
contents of the operation, etc. are recorded.
(*9) Password Cracking :
Finding out someone else's password, for example by observation. The
methods include exhaustive search (brute force) attacks and dictionary
attacks, and there are also programs made for cracking.
(*10) Public Key Authentication :
A method of authenticating an individual user with a key pair, a
public key and a secret (private) key. The public key is held on the
server side and the secret key is held by the individual, and the
pair is used to verify the user's legitimacy.
- Attachment 3: Observation Status by Internet Monitoring System (TALOT2)