This is a summary of the computer virus/unauthorized computer access incident reports for November 2005 compiled by IPA.

Reminder for the Month: “Don't be Fooled by Spyware!!”
- How to Distinguish Suspicious Files -
In November, a criminal was arrested who had stolen private banking information by sending spyware to victims and then fraudulently transferred money. A number of cases have been reported by people who are normally careful in handling e-mail attachments but nevertheless opened an attached file carelessly and were infected by viruses or spyware. Why does this happen? They opened the files without confirming what type of file was attached to the e-mail; in fact, the files themselves were viruses and/or spyware. Is there any way to tell whether an attached file is safe? The method is to “confirm the extension of the file”.
In the case of Windows, you can distinguish the type of a file by its extension and icon (please refer to the following table).
Most unauthorized programs such as viruses and spyware are executable files with the “exe” extension. In ordinary e-mail correspondence, however, “exe” files are rarely attached.
| File Type | Icon | File Name + Sample Extension |
| Zip Compression File | (icon) | compression file.zip |
| Image File | (icon) | image.jpg |
| Document File | (icon) | document.doc |
| Animation File | (icon) | animation.wmv, animation.mpg |
| Text File | (icon) | text.txt |
| Executable Format File | (icon) | executable file.exe |
That is, if the extension of a file attached to an e-mail is “exe”, the easiest and best way to prevent infection is to delete the file immediately without opening it.
By the way, how can you distinguish files downloaded from a web site on the Internet? As in the case above, the file type can be distinguished by its extension and icon. However, in the default Windows settings, extensions are not displayed; to display them, uncheck the box for “do not display registered extensions” under “Tool – Folder Option” in the menu bar of My Computer or Explorer.
Here, as an example, the icon and file name of a downloaded file that looks like an animation file are shown (please refer to the next table). As this example shows, the visual appearance of a file (its icon) can be faked; it is risky to judge the contents of a file simply by looking at its icon.
If it really is an animation file, the extension should be “.wmv” or “.mpg”. If the extension is “.exe”, the file may be a virus or spyware. In addition, if a file is given a double extension as in Ex. 3 of the table, particular care is necessary because you may be fooled by the apparent extension.
Before opening files attached to e-mails or downloaded from the Internet, be sure to run a virus check first. Even if no virus or spyware is detected, the file may contain newer malicious code; you need the mindset of not carelessly opening files sent from unreliable senders or downloaded from unreliable sites.
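The extension checks described above (an “exe” attachment is deleted unopened; a double extension such as “animation.wmv.exe” looks like a media file when Windows hides the last extension) can be written down as a small classifier. The following is an added example, not IPA's code; the file-type table is copied from the report and the sample file names are constructed.

```python
"""Classify e-mail attachment / download file names by extension.

Added example (not IPA's code): implements the checks described in the
"Reminder for the Month" section: treat ".exe" as executable, and flag
double extensions such as "animation.wmv.exe" that look like a harmless
media file when Windows hides the last extension.
"""
from typing import NamedTuple

# Extension classes taken from the report's table (constructed mapping).
SAFE_LOOKING = {
    ".zip": "Zip Compression File",
    ".jpg": "Image File",
    ".doc": "Document File",
    ".wmv": "Animation File",
    ".mpg": "Animation File",
    ".txt": "Text File",
}
EXECUTABLE = {".exe": "Executable Format File"}


class Verdict(NamedTuple):
    filename: str
    file_type: str
    delete_without_opening: bool
    reason: str


def classify_attachment(filename: str) -> Verdict:
    """Return the file type and whether the file should be deleted unopened.

    The decision follows the report: an "exe" extension means delete without
    opening. The real extension is the *last* one; an earlier, harmless-looking
    extension ("report.doc.exe") is reported as a double-extension trick.
    """
    name = filename.strip()
    parts = name.lower().rsplit(".", 2)   # up to two trailing extensions
    real_ext = "." + parts[-1] if len(parts) > 1 else ""
    inner_ext = "." + parts[-2] if len(parts) > 2 else ""

    if real_ext in EXECUTABLE:
        if inner_ext in SAFE_LOOKING:
            reason = (f"double extension: looks like {SAFE_LOOKING[inner_ext]} "
                      f"but the real extension is {real_ext}")
        else:
            reason = "executable attachment"
        return Verdict(name, EXECUTABLE[real_ext], True, reason)

    if real_ext in SAFE_LOOKING:
        return Verdict(name, SAFE_LOOKING[real_ext], False,
                       "known data file type; still virus-check before opening")

    return Verdict(name, "Unknown", True, f"unrecognized extension {real_ext!r}")


def display_name_with_hidden_extension(filename: str) -> str:
    """What Windows shows when "hide extensions" is on: the last extension is dropped."""
    stem, sep, _ = filename.rpartition(".")
    return stem if sep else filename


if __name__ == "__main__":
    # Constructed sample names, including the Ex. 3 style double extension.
    for name in ["animation.wmv", "image.jpg", "setup.exe", "animation.wmv.exe"]:
        v = classify_attachment(name)
        shown = display_name_with_hidden_extension(name)
        print(f"{name:22} shown as {shown:18} -> {v.file_type}; "
              f"delete={v.delete_without_opening} ({v.reason})")
```

The `display_name_with_hidden_extension` helper shows why the report insists on turning extension display on: with the default setting, “animation.wmv.exe” is listed as “animation.wmv”, and only the icon (which can be faked) hints at the difference.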
<References>
IPA – “5 Hints How to Handle Attachment Files to E-mails” (in Japanese)
http://www.ipa.go.jp/security/antivirus/attach5.html
IPA – “7 Items for Virus Countermeasures for PC Users” (in Japanese)
http://www.ipa.go.jp/security/antivirus/7kajonew.html
IPA – “5 Items for Spyware Countermeasures for PC Users” (in Japanese)
http://www.ipa.go.jp/security/antivirus/spyware5kajyou.html
I. Computer Virus Incident Report
- Please refer to Attachment 1 for further details -
The detection number [1] of viruses for November was about 5.10M, a significant increase of 60.1% from the roughly 3.19M reported in October. The cause was a rush of detection reports for the variant of W32/Sober (2.02M). The reported number [2] of viruses for November was 3,816, a 6.3% decrease from the 4,071 reported in October.
The largest detection number in November was W32/Netsky with about 2.25M, followed by W32/Sober with about 2.02M and W32/Mytob with about 0.72M.
1. The Variant of W32/Sober Spread Rapidly!
The variant of W32/Sober that emerged on November 22 shot up to 2nd place in the detection number in only about a week, sending out a large volume of virus mails at a pace that even surpassed W32/Netsky.
Chart: Status Detected by IPA
This virus is sent to users as an e-mail attachment; once the file is opened, the PC is infected. As a sophisticated trick, the virus prompts the recipient to open the attachment by masquerading as a mail from the FBI or CIA. Recipients who read the mail mistakenly believe they are being warned about something and carelessly open the attachment to check the contents; consequently, they are infected.
“Information for Emergency Countermeasures” published by IPA (in Japanese)
http://www.ipa.go.jp/security/topics/newvirus/sober.html
| [1] Detection number: | Virus counts (cumulative) found by a filer and reported. For November, about 5.10M virus detections were reported, which aggregated into a reported number of 3,816. |
| [2] Reported number: | Aggregated virus counts: viruses of the same type and variant reported by the same filer on the same day are counted as one case, regardless of how many copies were actually found. |
A number of viruses/malicious codes are trapped in e-mail attachments; be sure to handle attachments carefully.
“5 Hints How to Handle Attachment Files to E-mails” (in Japanese)
http://www.ipa.go.jp/security/antivirus/attach5.html
2. Detection Number of W32/Sober Increased Rapidly!
Because the variant of W32/Sober that emerged in November sent out a very large number of virus mails in a short period, about 2.02M reports rushed in to IPA. Although the count for W32/Netsky was about 2.25M, an 8.4% decrease from the roughly 2.45M reported in October, the overall number remains at a high level.
(Numbers in parentheses are the reported number and its percentage share of the total reported number, compared with the previous month.)
II. About Spyware
Currently, fraudulent money-making activities can be seen that use spyware (*1) and the like to steal users' account information, passwords, etc. used for on-line banking. Be sure to use the security measures provided by banks (software keyboard (*2), random number table, etc.) and to follow the countermeasures listed below so as not to become a victim.
1. Use anti-spyware software, keep its definition files updated, and check whether spyware is present.
2. Keep your computer up to date by applying patches (modification programs) promptly.
3. Be cautious with suspicious sites and/or questionable mails.
4. Enhance your computer's security.
5. Back up necessary files as a further precaution.
The leaflet on countermeasures against spyware (in Japanese)
http://www.ipa.go.jp/security/antivirus/shiori.html
III. Status for Reported Unauthorized Computer Access (including consultations)
– Please refer to Attachment 2 for further details –
Status for Reported/Accepted Unauthorized Computer Access and Consultations
| | Jun. | Jul. | Aug. | Sept. | Oct. | Nov. |
| Total for Reported (a) | 24 | 53 | 41 | 31 | 22 | 24 |
| Damaged (b) | 22 | 10 | 12 | 16 | 15 | 15 |
| Not Damaged (c) | 2 | 43 | 29 | 15 | 7 | 9 |
| Total for Consultation (d) | 37 | 43 | 43 | 30 | 35 | 30 |
| Damaged (e) | 22 | 24 | 23 | 16 | 25 | 18 |
| Not Damaged (f) | 15 | 19 | 20 | 14 | 10 | 12 |
| Grand Total (a + d) | 61 | 96 | 84 | 61 | 57 | 54 |
| Damaged (b + e) | 44 | 34 | 35 | 32 | 40 | 33 |
| Not Damaged (c + f) | 17 | 62 | 49 | 29 | 17 | 21 |
1. Reporting Status of Unauthorized Computer Access
The reported number for November was 24, of which 15 involved actual damage.
2. Accepting Status of Consultations on Unauthorized Computer Access, etc.
The number of consultations related to unauthorized computer access was 30 (6 of which were also counted in the reported number), of which 18 claimed some damage.
3. Status of Damage
The breakdown of the damage reports was: intrusion 11, source address spoofing 1, others (damaged) 3. Continued caution is required, as attacks on the port (*3) used by SSH (*4) that resulted in intrusion were reported in 4 cases.
Damage Instances:
<Intrusion>
(i) Intrusion through the port used by SSH
An investigation conducted in response to reports from outside revealed that log-in attempts against some accounts (*5) without administrative privileges had succeeded. As a result, our servers were intruded, port scan tools (*6) and SSH scan tools (*7) were planted, and our computer had then been attacking outside hosts. The cause was that the passwords were easily guessable by third parties; for some reason, it was also possible to escalate to administrative privileges after the intrusion. The unauthorized access attempts had been going on continuously for a month before the intrusion; however, the administrator was not aware of them.
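The incident above turned on a month of password guessing that nobody looked at. The following is an added example, not IPA's or the reporter's code, of the kind of check an administrator could run over the SSH daemon's authentication log: it counts failures per source address and flags a success that follows a burst of failures. The log lines are constructed samples modelled on the usual OpenSSH “Failed password” / “Accepted password” messages; host names and addresses are made up.

```python
"""Spot SSH password-guessing that ends in a successful log-in.

Added example (not IPA's code): the incident above describes a month of
log-in attempts against weak passwords that the administrator never
noticed. This reads OpenSSH-style auth log lines (constructed samples
below, modelled on the common "Failed password" / "Accepted password"
message formats) and reports, per source address, the number of failures
and any success that followed a burst of failures.
"""
import re
from collections import defaultdict

# Constructed sample log lines; the host names and addresses are made up.
SAMPLE_LOG = """\
Nov 20 02:11:01 www sshd[4011]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Nov 20 02:11:03 www sshd[4011]: Failed password for invalid user test from 203.0.113.45 port 51236 ssh2
Nov 20 02:11:05 www sshd[4013]: Failed password for guest from 203.0.113.45 port 51240 ssh2
Nov 20 02:11:07 www sshd[4013]: Failed password for guest from 203.0.113.45 port 51242 ssh2
Nov 20 02:11:09 www sshd[4014]: Failed password for guest from 203.0.113.45 port 51244 ssh2
Nov 20 02:11:11 www sshd[4014]: Accepted password for guest from 203.0.113.45 port 51246 ssh2
Nov 20 08:30:12 www sshd[4099]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Nov 20 09:02:44 www sshd[4120]: Failed password for bob from 198.51.100.9 port 40100 ssh2
Nov 20 09:02:50 www sshd[4120]: Accepted password for bob from 198.51.100.9 port 40100 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def analyse_ssh_log(text, failure_threshold=3):
    """Return {src: {"failures": n, "users": set, "success_after_failures": [users]}}.

    A success is only flagged when the same source had already produced at
    least `failure_threshold` failures, which distinguishes guessing from a
    user mistyping a password once.
    """
    stats = defaultdict(lambda: {"failures": 0, "users": set(),
                                 "success_after_failures": []})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = stats[m["src"]]
        rec["users"].add(m["user"])
        if m["result"] == "Failed":
            rec["failures"] += 1
        elif rec["failures"] >= failure_threshold:
            rec["success_after_failures"].append(m["user"])
    return dict(stats)


def suspicious_sources(stats, failure_threshold=3):
    """Sources worth investigating: many failures, and especially a later success."""
    return sorted(src for src, rec in stats.items()
                  if rec["failures"] >= failure_threshold)


if __name__ == "__main__":
    stats = analyse_ssh_log(SAMPLE_LOG)
    for src in suspicious_sources(stats):
        rec = stats[src]
        print(f"{src}: {rec['failures']} failures over users {sorted(rec['users'])}; "
              f"successful log-ins after guessing: {rec['success_after_failures']}")
```

On the sample, the address that tried three user names and then got in as “guest” is the one reported, while the single mistyped password from the other address is not. The threshold is an assumption; in practice it would be tuned to the server's normal traffic.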
(ii) Attacks on computers in default state
We logged in with administrative privileges to a computer on which our system had just been installed and left it for a while; when we came back, the computer was frozen (*8) with a skull and crossbones displayed on its screen. Rescue disks were prepared but did not work at all; eventually, the system had to be reinstalled.
(iii) Attacks by SQL injection
We operate an on-line shop system on a contract basis. A log analysis was conducted in response to inquiries that credit cards used for payments might have been abused, and traces of unauthorized computer access were confirmed. Although the leaked information contained no customer names, fraudulent use was confirmed at on-line game sites where payment can be made with only the credit card number and its expiration date. Subsequent investigation revealed that the unauthorized access was caused by SQL injection.
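The defect behind an SQL injection like the one above is a query built by pasting user input into the SQL text; the standard fix is a parameterised query. The following is an added example, not code from the report or from the shop concerned: an orders lookup written both ways against an in-memory SQLite database, with constructed sample rows (the card numbers are obvious placeholders), so that the difference in behaviour for a crafted input can be seen directly.

```python
"""SQL injection: the defect and the fix, side by side.

Added example (not from the report or the shop concerned): a lookup of
orders by customer e-mail, written first with string concatenation (the
kind of code that lets a crafted parameter pull rows it should not) and
then with a parameterised query, which is the standard fix. Runs against an
in-memory SQLite database built from constructed sample rows.
"""
import sqlite3

# Constructed sample data: card numbers are deliberately fake placeholders.
ORDERS = [
    ("alice@example.com", "4111-XXXX-XXXX-0001", "2007-01"),
    ("bob@example.com", "5500-XXXX-XXXX-0002", "2008-06"),
    ("carol@example.com", "3400-XXXX-XXXX-0003", "2006-11"),
]


def make_db():
    """Build the in-memory orders table from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (email TEXT, card TEXT, expiry TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", ORDERS)
    return conn


def lookup_orders_vulnerable(conn, email):
    """The defect: the user-controlled value becomes part of the SQL text."""
    sql = "SELECT email, card, expiry FROM orders WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_orders_safe(conn, email):
    """The fix: the value is bound as a parameter and can never alter the query."""
    sql = "SELECT email, card, expiry FROM orders WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Return (rows from vulnerable lookup, rows from safe lookup) for a
    tautology input; the vulnerable version leaks every order."""
    conn = make_db()
    crafted = "' OR '1'='1"
    return (lookup_orders_vulnerable(conn, crafted),
            lookup_orders_safe(conn, crafted))


if __name__ == "__main__":
    leaked, safe = demo()
    print(f"vulnerable query returned {len(leaked)} rows, safe query returned {len(safe)}")
```

With the parameterised form the crafted string is compared as a literal e-mail address and matches nothing; the concatenated form turns it into a condition that is always true and returns every card on file, which is the kind of leak the incident describes. Limiting what the shop's database account may read, and logging queries as this reporter did, are the complementary controls.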
<Others>
(iv) Suspected planted malicious code
My computer tried to connect to unknown hosts, send/receive mail and run defrag automatically. In addition, virus execution was suddenly alerted automatically. I investigated in various ways and found that some files had been deleted. Anti-virus software had already been installed.
IV. Accepting Status of Consultations
The number of consultations in November was 673. Of these, 165, more than 1.5 times the number in October, concerned mails about “billing fraud” after browsing an adult site, the so-called “One-click Billing Fraud”. In addition, more than 80% of the consultations on “One-click Billing Fraud” were cases in which malicious code such as spyware had been planted. <Movement in the number of consultations on One-click Billing Fraud: July: 28, August: 83, September: 80, October: 108, November: 165>
Movement in Number of Consultations Accepted by IPA
| | Jun. | Jul. | Aug. | Sept. | Oct. | Nov. |
| Total | 511 | 554 | 629 | 554 | 606 | 673 |
| Automatic Response System | 289 | 337 | 376 | 337 | 357 | 379 |
| Telephone | 143 | 128 | 179 | 144 | 165 | 220 |
| e-mail | 67 | 84 | 67 | 72 | 82 | 66 |
| Fax, Others | 12 | 5 | 7 | 1 | 2 | 8 |
*IPA gives consultations/advice on computer viruses and unauthorized computer access as well as on other general security issues.
Mail: for virus issues, for crack issues.
Tel.: +81-3-5978-7509 (24-hour automatic response)
Fax: +81-3-5978-7518 (24-hour automatic response)
*The Total case number includes the number in the Consultation (d) row of the chart in “III. Status for Reported Unauthorized Computer Access”.
*“Automatic Response System”: numbers accepted by the automatic response system
*“Telephone”: numbers accepted by Security Center personnel
The main consultations were as follows:
(i) What if I clicked on an adult site by mistake…?
Consultation:
I was fooled by a One-click billing fraud site, and a billing statement icon was added automatically. Since then, a display urging payment appears on and off at certain intervals. I deleted some viruses (files) detected by a manual scan, since the anti-virus software is updated daily. However, the billing statement display still keeps appearing…
Response:
New types of malicious code used for the “One-click Billing Fraud” method keep emerging one after another. Accordingly, there are many cases that cannot be detected even by anti-virus software. In most cases, such files can be detected when re-scanned after an interval of several days. If you want to find the cause as early as possible, it may be detected by using a free on-line scan provided by another vendor or the trial version of a relevant product.
(ii) A newer One-click Billing Fraud…?
Consultation:
A spam entitled “You can Earn $xx.xx/Month is not Just a Dream!!!” arrived. In the mail body, a URL titled “instances” was introduced. A Trojan horse type of malicious code was waiting at the end of the link and was designed to start downloading when clicked.
Response:
Methods of planting malicious code such as spyware used to steal private information are getting more sophisticated day by day. In particular, many methods that exploit people's psychology in very sophisticated ways have been seen recently. When you receive a suspicious mail, do not treat it lightly even if no file is attached: delete it immediately without being deceived by its subject or contents. Do not click the URLs in the mail body carelessly, even by mistake.
(iii) Spam
Consultation:
Spam related to dating sites and adult sites arrives frequently. I checked the spam thoroughly and found that the sender address is my own. What I suppose is that the same kind of spam, masquerading as if I were the sender, may be reaching my friends and acquaintances.
Response:
It is likely that the spam sender spoofs the recipient's address as the sender address when sending so that the spam is less likely to be caught by spam filters. Therefore, it is unlikely that the mails received by your friends and acquaintances show your address as the sender.
V. Access Status Captured by Internet Monitoring in November
In the Internet Monitoring (TALOT2), unwanted (one-sided) accesses in November totaled 543,415 cases across 10 monitoring points; the unwanted (one-sided) accesses captured at one monitoring point amounted to about 1,811 cases per day from about 404 sources.
The environment of each monitoring point in TALOT2 is nearly the same as a general user's Internet connection, so it can be assumed that general Internet users receive about the same amount of unwanted (one-sided) access. In other words, on average your computer is being accessed 4 to 5 times per source, in ways that are considered unauthorized, by about 404 unknown sources every day.
The remarkable accesses captured in November were those to ports 102x (UDP)/103x (UDP), which continued from October. Looking at the relationship between the number of accesses and the number of sources in November shown in Chart 1, the number of accesses is high even though the number of sources is lower than in recent months. The reason is considered to be the increase in accesses to ports 102x (UDP)/103x (UDP).
In the October report, accesses to ports 1026 (UDP)/1027 (UDP) sending pop-up messages via the Windows Messenger service were reported; subsequent investigation revealed that the accesses to ports 102x (UDP)/103x (UDP) have the same characteristics. If the pop-up messages simply display text, they are merely a nuisance when operating the computer and not a dangerous access in themselves; however, a buffer overrun in the Messenger service (828035: MS03-043) allows code execution, and on a computer where the patch has not been applied there is a risk that code will be executed remotely.
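The figures quoted above (accesses per monitoring point per day, sources per day, and the resulting 4 to 5 accesses per source) and the observation that a port group can raise the access count while the source count falls can both be reproduced from raw monitoring records. The following is an added example, not IPA's TALOT2 code: the records are constructed (a few sources sending many UDP packets to ports 1026/1027 over a broad background of single probes), each record is assumed to be a (day, monitoring point, source address, protocol, destination port) tuple, and the functions compute the report-style summary and the share of traffic in the 102x/103x UDP range.

```python
"""Summarise one-sided (unsolicited) access records the way the TALOT2
section does, and flag a port group that dominates the traffic.

Added example (not IPA's TALOT2 code): the monitoring records are
constructed here; each is (day, monitoring point, source address,
protocol, destination port). It computes the per-point-per-day access
count and distinct-source count quoted in the report, the accesses per
source, and the share of accesses hitting UDP ports 1024-1039 (the
"102x/103x" Messenger pop-up range discussed above).
"""
from collections import Counter, defaultdict


def monitoring_summary(records, n_points, n_days):
    """Return headline statistics over a list of (day, point, src, proto, dport)."""
    total = len(records)
    per_point_day = total / (n_points * n_days)
    # Distinct sources seen per (point, day), then averaged as in the report.
    sources = defaultdict(set)
    for day, point, src, _proto, _dport in records:
        sources[(point, day)].add(src)
    avg_sources = sum(len(s) for s in sources.values()) / (n_points * n_days)
    return {
        "total": total,
        "accesses_per_point_per_day": round(per_point_day, 1),
        "sources_per_point_per_day": round(avg_sources, 1),
        "accesses_per_source": round(per_point_day / avg_sources, 1),
    }


def port_group_share(records, proto="udp", low=1024, high=1039):
    """Fraction of accesses, and distinct sources, hitting proto ports low..high."""
    hits = [r for r in records if r[3] == proto and low <= r[4] <= high]
    return {
        "share": round(len(hits) / len(records), 3) if records else 0.0,
        "sources": len({r[2] for r in hits}),
        "top_ports": Counter((r[3], r[4]) for r in hits).most_common(3),
    }


def build_sample(n_points=2, n_days=3):
    """Constructed records: a few sources hammering UDP 1026/1027 and a broad
    background of single probes to other ports from many sources."""
    records = []
    for day in range(n_days):
        for point in range(n_points):
            # One noisy source per point sends 20 Messenger-style UDP packets a day.
            noisy = f"203.0.113.{10 + point}"
            for i in range(20):
                records.append((day, point, noisy, "udp", 1026 + (i % 2)))
            # 15 distinct background sources each probe one TCP port once.
            for i in range(15):
                src = f"198.51.100.{day * 50 + point * 20 + i}"
                records.append((day, point, src, "tcp", [135, 139, 445, 1433][i % 4]))
    return records


if __name__ == "__main__":
    sample = build_sample()
    print(monitoring_summary(sample, n_points=2, n_days=3))
    print(port_group_share(sample))
```

On the constructed sample, two sources account for more than half of all accesses, which is exactly the pattern the report describes for November: the access count stays high while the source count does not. The 1024-1039 range is an assumption standing in for the report's “102x/103x” notation.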
Chart 5.1: Unwanted (One-sided) Number of Accesses and Number of Sources per Monitoring Point per Day
Chart 5.2: Access Status to Ports 102x (UDP)/103x (UDP) for October/November
Chart 5.3: Sample of a Pop-up Message
If pop-up messages are displayed frequently, they can be suppressed by the following procedure.
- If you are a Windows XP user, open “Service” in the “Management tool” by selecting “Performance and Maintenance” from the “Control Panel” under the “Start” button at the lower left corner.
- If you are a Windows 2000 user, open “Service” in the “Management tool” by selecting “Control Panel” from “Settings” under the “Start” button at the lower left corner.
- Find the Messenger entry in the “Service” screen; if its status is “Start”, select it and open “Property” by right-clicking.
- You will find that Messenger is in its default state: the “Type of Startup” is “Auto” and the “Service Status” is “Start”.
- In the “Messenger Property” (local computer) screen, change the “Type of Startup” from “Auto” to “Disabled” (you can change it by selecting from the drop-down at the right-hand side).
- Click the “Stop” button under “Service Status”.
- If you are a Windows XP user, be sure to enable the firewall function as well.
- If your computer is on a corporate LAN, etc., however, be sure to follow your system administrator's directions.
For further details on the information above, please refer to the following site.
Observation Status Captured by the Internet Monitoring – Attachment 3 (in Japanese)
http://www.ipa.go.jp/security/txt/2005/documents/TALOT2-0512.pdf
“Various Statistics Provided by Other Organizations/Vendors are Published at the Following Sites”
“Glossary”
(*1) Spyware: Software that fraudulently collects information such as the user's personal information, access history, etc. and automatically sends it to a third party.
(*2) Software keyboard: Software that enables entry of letters, numbers, symbols, etc. by clicking with the mouse instead of using the keyboard. Also referred to as a “virtual keyboard”, “screen keyboard” or “keyboard emulator”.
(*3) Port: A logical window through which each service within a computer exchanges information with the outside. Numbers from 0 to 65535 are used, so they are also called port numbers.
(*4) SSH (Secure Shell): A protocol or program used to log in to another computer via the network, execute commands on the remote computer and transfer files. Since data on the network is encrypted, a series of operations over the Internet can be done safely.
(*5) Account: The right that allows a user to use resources on a computer or network; it also refers to the ID needed to do so.
(*6) Port scan tool: A tool that searches for security holes from the applications running on a server or from OS type information. In many cases it is used as preparation for intrusion.
(*7) SSH scan tool: A tool that checks whether the SSH service on a server is running. Some of these tools also have a function to crack passwords.
(*8) Freeze: The computer's operation stops and it no longer accepts keyboard input or mouse clicks.
- Attachment 3 Observation Status by Internet Monitoring System (TALOT2)