This is a summary of the computer virus / unauthorized computer access incident reports for December 2005, together with the annual review of 2005, compiled by IPA.
Reminder for the Month: "Be Cautious with Attachment Files to E-mails and Downloaded Files!!"
- How to Distinguish Suspicious Files -
I. Detection Number of W32/Sober Variant Significantly Increased!!
In December 2005 the virus detection number exceeded 13M (November: about 5M), about 2.6 times the previous month, because of W32/Sober, a mass-mailing virus. The number of reports of actual infection in December was 16.
The virus reaches end users as an e-mail attachment and infects the computer once the attached file is opened.
Once installed, W32/Sober collects e-mail addresses from the computer and sends itself to the collected addresses. Earlier mass-mailing viruses typically sent one or a few virus mails, for example at computer start-up; W32/Sober is programmed to keep sending mail in large volume for as long as the computer is running, so recipients frequently see floods of virus mails.
Because it sends so much mail, an infected computer tends to show degraded performance and causes trouble for other users.
1. Organizational Countermeasures
If a mail server is overloaded by W32/Sober mails, the load can be reduced by filtering the virus mails at the gateway in the same way spam is filtered. Specifically, filter on the subject lines or the attachment file names the virus is known to use.
<Reference>
Alert regarding W32/Sober Variants <JPCERT/CC Alert 2005-11-25> (in Japanese)
http://www.jpcert.or.jp/at/2005/at050011.txt
2. Countermeasures for General Users
First of all, use anti-virus software. Software kept up to date with the latest definition files can prevent infection before anything happens, because it raises an alert when a virus mail arrives.
Even when anti-virus software does not detect a virus, do not casually open e-mail attachments: an attachment with an "exe" extension is very likely a virus or other malicious code, since executable files are practically never exchanged in ordinary e-mail.
If your computer is already infected, refer to the following site, which publishes recovery procedures.
"Information for Emergency Countermeasures" published by IPA (in Japanese)
http://www.ipa.go.jp/security/topics/newvirus/sober.html
II. Be Fully Prepared with Virus Countermeasures!!
To prevent damage from viruses including W32/Sober and to use the Internet comfortably in 2006, practice the following 7 virus countermeasures.
[List of the 7 virus countermeasures: image not reproduced]
Of the 7 countermeasures, the two that call for particular caution, 2. "attachment files to e-mail" and 3. "downloaded files", are explained below.
E-mail is a very convenient system: it lets you communicate from anywhere in the world and exchange text and files with anybody. However, you may also receive viruses, or malicious code such as spyware, as e-mail attachments. Downloaded files carry a similar risk: malicious code may be disguised as a screen saver or a picture.
To address these risks, it is important to scan attachments and downloaded files for viruses before opening them, and to know how to recognize suspicious files by their extension.
*Extension: the letters (usually three) following the last period in a file name.
List of Extensions Requiring Caution
[list image not reproduced]
Files with the extensions shown above are executed on the computer immediately after they are opened. If such a file is a virus or other malicious code, your computer is infected: private information may be stolen, the contents of your hard disk destroyed, and in the worst case your computer hijacked.
Further, some viruses spoof the file icon to camouflage the actual file type, or use a doubled extension.
[icon and extension samples (i) to (iii): image not reproduced]
Sample (i) above shows a genuine Word file. Sample (ii) shows an application (executable) file whose icon has been forged to look like a Word file. Sample (iii) shows a file whose extension itself has been forged.
If you learn to distinguish suspicious files as described above, you can judge the risk of a suspicious file you receive or obtain and prevent potential damage. Along with this, remember not to carelessly open files sent by unreliable senders or downloaded from unreliable sites.
*For how to set up the display of file extensions, refer to the reminder in the following report.
Computer Virus/Unauthorized Computer Access Incident Report - November 2005
http://www.ipa.go.jp/security/english/virus/press/200511/E_PR200511.html
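The gateway filtering described in I.1 and the extension checks described in this section, as an added example that is not part of IPA's report: a Python triage routine for a mail gateway. It parses a raw message with the standard library, flags attachments with directly executable extensions, doubled extensions ("photo.jpg.exe") and padded names, checks whether a file that claims to be a document or picture actually starts with the Windows executable "MZ" header, and matches the subject against a watch-list. The extension sets, the subject patterns and the sample message are assumptions constructed for the example; the real W32/Sober subject lines and file names are not reproduced.

```python
"""Attachment triage for a mail gateway: an added example, not IPA's code.

Flags attachments whose extension is executed directly when opened,
doubled extensions such as "photo.jpg.exe", and files whose content is a
Windows executable ("MZ" header) although the name claims a document or
picture. The subject watch-list is a hypothetical stand-in for
vendor-supplied patterns. The sample message is constructed in build_sample().
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Extensions Windows executes directly when the file is opened (assumed set).
EXECUTABLE_EXTS = {
    "exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "cpl",
}
# Document/picture types commonly used as the decoy half of a doubled extension.
DECOY_EXTS = {"doc", "xls", "ppt", "txt", "pdf", "htm", "html",
              "jpg", "jpeg", "gif", "bmp", "zip"}
# Hypothetical subject watch-list (regular expressions, case-insensitive).
SUBJECT_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^your (new )?password$",
    r"^mail delivery (failed|failure)$",
)]


def classify_filename(name: str) -> list:
    """Return the reasons a file name looks suspicious (empty list = none)."""
    reasons = []
    exts = name.lower().split(".")[1:]          # everything after the first period
    if not exts:
        return reasons
    last = exts[-1].strip()
    if last in EXECUTABLE_EXTS:
        reasons.append("executable extension ." + last)
    # "report.doc.exe": a decoy type in front of an executable one.
    if len(exts) >= 2 and exts[-2].strip() in DECOY_EXTS and last in EXECUTABLE_EXTS:
        reasons.append("doubled extension")
    # "photo.jpg<many spaces>.exe": padding pushes the real extension out of view.
    if re.search(r"\s{3,}", name):
        reasons.append("padding spaces in file name")
    return reasons


def content_mismatch(name: str, data: bytes) -> bool:
    """True when the bytes are a Windows PE executable but the name claims otherwise."""
    claimed = name.lower().rsplit(".", 1)[-1].strip()
    return data.startswith(b"MZ") and claimed not in EXECUTABLE_EXTS


def triage_message(raw: bytes) -> dict:
    """Parse one raw message and decide whether the gateway should quarantine it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = msg.get("Subject", "")
    findings = []
    if any(p.search(subject) for p in SUBJECT_PATTERNS):
        findings.append("subject matches watch-list: " + subject)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        for reason in classify_filename(name):
            findings.append(name + ": " + reason)
        if content_mismatch(name, data):
            findings.append(name + ": content is a PE executable")
    return {"subject": subject, "quarantine": bool(findings), "findings": findings}


def build_sample() -> bytes:
    """Constructed sample: one genuine attachment and two disguised executables."""
    m = EmailMessage()
    m["From"] = "someone@example.test"
    m["To"] = "user@example.test"
    m["Subject"] = "Your new password"
    m.set_content("Please see the attached files.")
    m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                     subtype="pdf", filename="invoice.pdf")
    m.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, maintype="application",
                     subtype="octet-stream", filename="photo.jpg.exe")
    m.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, maintype="image",
                     subtype="jpeg", filename="holiday.jpg")
    return m.as_bytes()


if __name__ == "__main__":
    for line in triage_message(build_sample())["findings"]:
        print(line)
```

Running the block prints four findings for the constructed message: the watch-listed subject, the executable and doubled extension of "photo.jpg.exe", and the "MZ" content of "holiday.jpg". The content check matters because the file name is under the attacker's control while the first bytes of a Windows executable are not; it is the same idea as the icon check in samples (ii) and (iii), done by the gateway rather than by eye.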
<Reference>
The revised "Brochure for Anti-Virus Measures", which describes the 7 anti-virus measures for PC users, is published on our web site. Please use it to strengthen your anti-virus countermeasures and security.
Brochure for Anti-Virus Measures (in Japanese)
http://www.ipa.go.jp/security/antivirus/shiori.html
IPA - "5 Hints on How to Handle Attachment Files to E-mails" (in Japanese)
http://www.ipa.go.jp/security/antivirus/attach5.html
IPA - "7 Items for Virus Countermeasures for PC Users" (in Japanese)
http://www.ipa.go.jp/security/antivirus/7kajonew.html
IPA - "5 Items for Spyware Countermeasures for PC Users" (in Japanese)
http://www.ipa.go.jp/security/antivirus/spyware5kajyou.html
III. Reporting Status for Computer Viruses
- Please refer to Attachment 1 for further details -
The detection number [1] of viruses for December was about 13.44M, a significant increase of about 2.6 times over the roughly 5.1M reported in November. The cause was the sharp rise in detections of the W32/Sober variant, from 2.0M in November to 10.8M in December. The reported number [2] for December was 4,293, a 12.5% increase from 3,816 in November.

The largest detection number was for W32/Sober, about 10.75M. Reporters with many clients could prevent actual damage by stopping the virus at their gateways; the overall detection number was nonetheless large, because detections at clients that the gateways did not stop were also aggregated, and because the virus sends mail over and over.
A significant increase of this virus was observed in December among the other reporters as well. In addition, from the end of November to the middle of December, large numbers of W32/Sober infections were reported in some countries (U.S.A. and Germany).
<Reference>
Infection Status WORM_SOBER.AG
http://www.trendmicro.com.au/smb/vinfo/encyclopedia.php?LYstr=VMAINDATA&VName=WORM_SOBER.AG
[1] Detection number: the cumulative count of viruses found by a reporter. In December, about 13.44M detections were reported.
[2] Reported number: viruses of the same type and variant found by the same reporter on the same day are counted as one case, regardless of how many individual viruses were found. In December, the roughly 13.44M detections aggregated to a reported number of 4,293.
Second was W32/Netsky with about 2.08M, a 7.5% decrease from about 2.25M in November but still at a high level. Third was W32/Mytob with about 0.47M.


IV. About Spyware
Fraud for monetary gain using spyware (*1) to steal account information and passwords for on-line banking is currently being observed. To avoid damage, use the various security measures provided by banks (software keyboards (*2), random-number tables, etc.) and take the following countermeasures.
1. Use anti-spyware software, keep its definition files up to date, and check whether spyware is present.
2. Keep your computer up to date by applying patches (modification programs) promptly.
3. Be cautious with suspicious sites and questionable mails.
4. Enhance your computer's security settings.
5. Back up necessary files as a further precaution.
Leaflet on countermeasures against spyware (in Japanese)
http://www.ipa.go.jp/security/antivirus/shiori.html
V. Reporting Status for Unauthorized Computer Access (including consultations)
- Please refer to Attachment 2 for further details -
Reports of Unauthorized Computer Access and Consultations Accepted
                            | Jul. | Aug. | Sept. | Oct. | Nov. | Dec.
Total Reported (a)          |  53  |  41  |  31   |  22  |  24  |  25
  Damaged (b)               |  10  |  12  |  16   |  15  |  15  |  19
  Not Damaged (c)           |  43  |  29  |  15   |   7  |   9  |   6
Total Consultation (d)      |  43  |  43  |  30   |  35  |  30  |  25
  Damaged (e)               |  24  |  23  |  16   |  25  |  18  |  15
  Not Damaged (f)           |  19  |  20  |  14   |  10  |  12  |  10
Grand Total (a + d)         |  96  |  84  |  61   |  57  |  54  |  50
  Damaged (b + e)           |  34  |  35  |  32   |  40  |  33  |  34
  Not Damaged (c + f)       |  62  |  49  |  29   |  17  |  21  |  16
1. Reporting Status of Unauthorized Computer Access
The reported number for December was 25, of which 19 involved actual damage.
2. Accepting Status of Consultations for Unauthorized Computer Access, etc.
The number of consultations relevant to unauthorized computer access was 25, of which 15 reported some sort of damage.
3. Status of Damage
The breakdown of the damage reports was: intrusion 12, unauthorized mail relay 1, worm infection 3, DoS attack 1 and others (damaged) 2.
Of the intrusions, 5 cases followed attacks on the port (*3) used for SSH (*4), a pattern seen frequently. Continued caution is required.
Damage Instances:
<Intrusion>
(i) Attacks on the port used for SSH
A password cracking (*5) attack on the SSH service succeeded in guessing the IDs and passwords of accounts (*6) that had not been used for a long time, allowing penetration, which then led to further damage. In total, account information for 4 accounts was fraudulently acquired from 4 devices. In addition, malicious code was planted and executed; it was confirmed to connect over IRC (*7) to suspicious sites.
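Detection logic for the pattern in instance (i), as an added example that is not part of IPA's report and not the incident's own logs: a Python routine over OpenSSH auth log lines that flags a source making repeated failed password attempts, a subsequent successful login from that source, and any successful login to an account known to have been unused for a long time. The log lines, the failure threshold and the dormant-account list are constructed assumptions.

```python
"""SSH password-guessing detection over sshd log lines: an added example,
not IPA's code and not a reproduction of the incident's actual logs.

A source that fails authentication repeatedly is flagged as a password
cracker, a later successful login from that source is flagged as a
probable compromise, and any successful login to an account known to be
dormant is flagged regardless of source. Log lines, threshold and the
dormant-account list are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH auth log format (syslog timestamp without a year).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

FAIL_THRESHOLD = 5      # failures from one source before it counts as guessing (assumed)

# Constructed: accounts with no legitimate login for a long time.
DORMANT_ACCOUNTS = {"backup", "olduser"}

# Constructed sample; 203.0.113.5 and 198.51.100.7 are documentation addresses.
SAMPLE_LOG = [
    "Dec 10 03:14:07 srv1 sshd[2201]: Failed password for invalid user oracle from 203.0.113.5 port 51234 ssh2",
    "Dec 10 03:14:09 srv1 sshd[2203]: Failed password for invalid user test from 203.0.113.5 port 51236 ssh2",
    "Dec 10 03:14:11 srv1 sshd[2205]: Failed password for root from 203.0.113.5 port 51238 ssh2",
    "Dec 10 03:14:14 srv1 sshd[2207]: Failed password for backup from 203.0.113.5 port 51240 ssh2",
    "Dec 10 03:14:16 srv1 sshd[2209]: Failed password for backup from 203.0.113.5 port 51242 ssh2",
    "Dec 10 03:14:18 srv1 sshd[2211]: Failed password for backup from 203.0.113.5 port 51244 ssh2",
    "Dec 10 03:20:41 srv1 sshd[2300]: Accepted password for backup from 203.0.113.5 port 51900 ssh2",
    "Dec 10 08:02:13 srv1 sshd[2410]: Failed password for alice from 198.51.100.7 port 40010 ssh2",
    "Dec 10 08:02:20 srv1 sshd[2412]: Accepted password for alice from 198.51.100.7 port 40012 ssh2",
    "Dec 10 08:05:00 srv1 sshd[2420]: Connection closed by 198.51.100.7",
]


def parse_line(line, year=2005):
    """Return (timestamp, result, user, ip), or None for lines that are not auth results."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def analyze(lines, dormant_accounts=DORMANT_ACCOUNTS, year=2005):
    """Return a list of (alert_type, source_ip, user, timestamp) tuples."""
    failures = defaultdict(int)     # source ip -> failed attempts so far
    alerts = []
    for line in lines:
        rec = parse_line(line, year)
        if rec is None:
            continue
        ts, result, user, ip = rec
        if result == "Failed":
            failures[ip] += 1
            if failures[ip] == FAIL_THRESHOLD:     # alert once per source
                alerts.append(("password-guessing", ip, user, ts))
            continue
        # Accepted: a success after guessing, or into a dormant account, is the
        # pattern from instance (i) and should be treated as a compromise.
        if failures[ip] >= FAIL_THRESHOLD:
            alerts.append(("login-after-guessing", ip, user, ts))
        if user in dormant_accounts:
            alerts.append(("dormant-account-login", ip, user, ts))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the constructed log the routine raises three alerts, all for 203.0.113.5: the fifth failure, the successful "backup" login from the same source, and the fact that "backup" is a dormant account; the single failure from alice followed by her normal login raises nothing. Detection is the second line of defence; the first is removing the attack surface with `PasswordAuthentication no` (key-based login) and `PermitRootLogin no` in sshd_config and locking accounts that are no longer used. Instance (ii) below also shows why auth logs need to be kept longer than four weeks.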
(ii) Planting of malicious code, attacks on outside hosts, theft of account information
An investigation was started after a network administrator reported that large volumes of suspicious packets were being sent. It turned out that the DNS server, Web server and mail server operated by the organization had all been penetrated, each using the same user ID. Tools for obtaining administrator privilege and tools for attacking servers had been planted, and the servers were infected with viruses. Further, all users' IDs and passwords had been taken. The suspicious packets were attacks on servers outside the organization. The initial penetration is assumed to have happened more than 2 months before detection, but the specific cause could not be investigated because logs were retained for only 4 weeks.
(iii) Penetration via the Web mail system
Logs were examined after an outside party complained of suspicious mail. It was found that someone had logged in to the Web mail system operated by the organization while impersonating a legitimate user, and that the system was being used as a stepping stone to send spam from overseas. In addition, not only the mail of the compromised accounts but all the user information accessible after logging in to the Web mail system (mail addresses, affiliations, positions, etc.) is likely to have been browsed.
[Unauthorized Mail Relay]
(iv) System failure caused by massive unauthorized mail relay attempts
An investigation was started because mail could not be sent or received. It turned out that the mail server operated by the organization was overloaded and refusing service because it was receiving large numbers of unauthorized relay requests. Since some mails had actually been relayed, the configuration was corrected immediately so that unauthorized relay requests receive no response.
VI. Accepting Status of Consultations
The number of consultations in December was 653. Of these, 138 concerned so-called "One Click Billing Fraud", such as receiving billing mails after browsing adult sites, a figure that remains high. In addition, more than 90% of the one-click billing fraud consultations were cases in which malicious code such as spyware had been planted. <Trend in one-click billing fraud consultations: July: 28, August: 83, September: 80, October: 108, November: 165>
Consultations Accepted by IPA (all topics)
                            | Jul. | Aug. | Sept. | Oct. | Nov. | Dec.
Total                       | 554  | 629  | 554   | 606  | 673  | 653
  Automatic Response System | 337  | 376  | 337   | 357  | 379  | 391
  Telephone                 | 128  | 179  | 144   | 165  | 220  | 194
  E-mail                    |  84  |  67  |  72   |  82  |  66  |  66
  Fax, Others               |   5  |   7  |   1   |   2  |   8  |   2
*IPA provides consultation and advice on computer viruses, unauthorized computer access and other general security issues.
Mail:
for virus issues, for
crack issues.
Tel.: +81-3-5978-7509
(24-hour automatic response)
Fax: +81-3-5978-7518
(24-hour automatic response)
*The Total includes the numbers in the Consultation (d) column of the chart in "V. Reporting Status for Unauthorized Computer Access".
*"Automatic Response System": number of consultations accepted by the automatic response system
*"Telephone": number of consultations accepted by Security Center personnel
The main consultations were as follows:
(i) What if I clicked at an adult site by mistake...?
Consultation:
I was fooled by a "One Click Billing Fraud" site by mistake, and a billing statement icon was added to my desktop automatically. After that, a display urging payment appeared on and off at intervals of several minutes. The situation is unchanged even though all the suspicious files (viruses) detected by anti-virus software were deleted. The screen says "the display will not appear if you input the ID which will be issued after you remit the charge"; I am afraid, is it real...? Is there any way to address the problem other than remitting money?
Response:
If it is a malicious site, it is likely that no ID will be issued even if you remit the charge. The viruses deleted after detection may not have been directly related to the one-click billing fraud. To make the display urging payment disappear, the program causing it must be identified and deleted; in many cases, however, anti-virus software cannot detect the program. If anti-virus software cannot detect it, Windows XP or Me users may be able to return to the state before the display appeared by using the "System Restore" function.
<Reference>
Method to Recover Windows XP Using the System Restore Function (in Japanese)
http://support.microsoft.com/kb/306084/ja
(ii) Spyware Disguised as Anti-Spyware Software...?
Consultation:
A message "You have an error on your computer. Please download this program if you wish to fix it." popped up. Since it seemed to be anti-spyware software, I processed the purchase by entering my credit card number, and the program was installed. Several days later, I realized that the anti-spyware software was probably itself spyware in disguise. Is it possible to cancel the purchase? How do I remove the program?
Response:
This appears to be a malicious approach that plays on users' fears in order to have them purchase "anti-spyware" software. When a message cannot be judged immediately, do not click "Yes" lightly and do not proceed with any application or purchase. To uninstall the program, first try whether it can be removed with "Add or Remove Programs" in the Control Panel (on Windows XP). It may also be possible to remove it with anti-virus software. For cancellation of the purchase, consult your card company or a consumer center near you.
<Reference>
Consumer Centers (in Japanese)
http://www.kokusen.go.jp/map/
National Consumer Information Center (in Japanese)
http://www.kokusen.go.jp/
(iii) Receiving Large Numbers of Spam Mails...?
Consultation:
I receive many spam mails relevant to dating sites or adult sites. Is there any way to stop them?
Response:
These spam mails cannot be stopped by technical means alone; certain procedures are needed to have them stopped. The first step is to identify the sending computer from the spam mail's header information and ask the administrator of the network (provider) to which that computer belongs to have it stopped. Under the "Law Concerning Proper Communication by Electronic Mails (Law 2002, No. 26)", the following organizations serve as facilities for consultation, inquiry and information provision.
<Reference>
- Consultations relevant to spam mails for dating sites, etc.
(Information provision and telephone consultation relevant to mails that breach the mandatory disclosure requirements)
Spam Mail Consultation Center, Nippon Information Communications Association (facility designated by MIC: Ministry of Internal Affairs and Communications) (in Japanese)
http://www.dekyo.or.jp/soudan/top.htm
- Consultations relevant to spam mails for commercial trading such as sales of goods, etc.
(Information provision relevant to mails that breach the prohibition on re-sending, etc.)
Japan Industrial Association (facility designated by METI: Ministry of Economy, Trade and Industry) (in Japanese)
http://www.nissankyo.or.jp/
In addition, the "Law Partially Amending the Law Concerning Proper Communication by Electronic Mails (Law 2005, No. 46)" came into force on November 1, 2005. It newly prohibits sending mail with forged sender information (Article 6), so oversight of illegitimate mails like those in this consultation is expected to be strengthened.
<Reference>
MIC - Countermeasures against Spam Mails (in Japanese)
http://www.soumu.go.jp/joho_tsusin/d_syohi/m_mail.html
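The header-tracing step in response (iii), as an added example that is not part of IPA's report: a Python routine that reads the Received headers of a spam mail and returns the address of the computer that handed it to the recipient's side, which is the address to report to that network's provider. The trusted-network list and the sample message are constructed assumptions.

```python
"""Locating the sending computer from spam headers: an added example, not
IPA's code.

Each mail server that handles a message prepends a "Received:" header, so
the header block reads newest hop first. Only the lines written by your own
server (or your provider's) are trustworthy; everything below the first
untrusted hop may have been forged by the sender. The function walks down
from the top and returns the first address outside the trusted networks,
which is the computer that handed the mail to your side. TRUSTED_NETS and
the sample message are constructed for the example.
"""
import email
import ipaddress
import re
from email import policy

# Hypothetical: the networks of our own mail servers / provider (CIDR strings).
TRUSTED_NETS = ["192.0.2.0/24"]

# The connecting host's address as most MTAs record it: "[203.0.113.45]".
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample. The bottom Received line was inserted by the spammer
# to make the mail look as if it came from a bank.
SAMPLE_MAIL = b"""Received: from smtp-out.example.test (smtp-out.example.test [192.0.2.20]) by mx.example.test with ESMTP id ABC123; Tue, 13 Dec 2005 10:21:07 +0900
Received: from ppp-45.isp.test ([203.0.113.45]) by smtp-out.example.test with SMTP; Tue, 13 Dec 2005 10:21:05 +0900
Received: from mail.bank.test ([198.51.100.9]) by ppp-45.isp.test; Tue, 13 Dec 2005 10:20:00 +0900
From: "Dating Site" <info@bank.test>
To: user@example.test
Subject: Meet someone tonight

Click here.
"""


def received_chain(raw):
    """Return the connecting IP recorded in each Received header, newest hop first."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    chain = []
    for value in msg.get_all("Received", []):
        m = BRACKET_IP.search(str(value))
        chain.append(m.group(1) if m else None)
    return chain


def originating_ip(raw, trusted_nets=TRUSTED_NETS):
    """First hop outside the trusted networks; None if every hop is internal."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    for ip in received_chain(raw):
        if ip is None:
            continue
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in nets):
            return ip
    return None


if __name__ == "__main__":
    print(received_chain(SAMPLE_MAIL))
    print("report to the provider of:", originating_ip(SAMPLE_MAIL))
```

For the constructed message the answer is 203.0.113.45, recorded by our own smtp-out when the spammer's dial-up host connected to it; a whois lookup of that address gives the provider's abuse contact. The forged bottom line (198.51.100.9, "mail.bank.test") must be ignored, which is why the walk stops at the first untrusted hop instead of taking the lowest Received line. Extending the trusted list to include the spammer's network would make the routine return the forged address, so the list must contain only servers you actually operate or whose logging you rely on.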
VII. Access Status Captured by the Internet Monitoring System (TALOT2) in December
In the Internet Monitoring System (TALOT2), unwanted (one-sided) accesses in December totaled 474,526 across 10 monitoring points; per monitoring point this is about 1,531 accesses from about 387 sources per day.
The environment of each TALOT2 monitoring point is nearly the same as a general user's Internet connection, so general Internet users can be considered to receive the same amount of unwanted (one-sided) access. In other words, your computer is accessed every day by about 387 unknown sources, each making about 4 accesses on average that are considered unauthorized.
Chart 7.1 shows the average number of accesses per day per monitoring point and the average number of sources per day per monitoring point from January to December 2005. Both the number of accesses and the number of sources stayed at the same level in the latter part of 2005; the status can be said to be stable.

Chart 7.1: Unwanted (One-sided) Number of Accesses and Number of Sources per Day per Monitoring Point, January to December 2005
Remarkable accesses captured in December were those to port 1025 (TCP) from source port 6000, caused by the worm called Dasher. These accesses target a Windows vulnerability (MS05-051); a computer connected directly to the Internet without the patch for that vulnerability may become infected. The number of accesses tended to decrease towards the end of the month (see Chart 7.2); the countermeasures to avoid damage are as follows.
- Remove vulnerabilities in Windows with Windows Update (Microsoft Update)
- Put a router or similar device in front of a computer that connects directly to the Internet
- Enable the Windows Firewall if you are a Windows XP user
- Use a personal firewall

Chart 7.2: Access Status to Port 1025 (TCP) from Source Port 6000
In addition, accesses to ports 102x (UDP)/103x (UDP), which pop up spam messages by exploiting the Windows Messenger service, decreased slightly compared with October/November but still remained (see Chart 7.3). As a countermeasure against access to these ports, it is recommended to disable the Windows Messenger service (see http://www.ipa.go.jp/security/english/virus/press/200511/TALOT200511.html).

Chart 7.3: Number of Accesses to Ports 102x (UDP)/103x (UDP)
For further information on the above, please refer to the following site.
Attachment 3: Monitoring Status Captured by the Internet Monitoring System (TALOT2)
http://www.ipa.go.jp/security/english/virus/press/200512/TALOT200512.html
"Various statistics provided by other organizations/vendors are published at the following sites"
"Glossary"
(*1) Spyware: software that fraudulently collects information such as the user's personal information and access history and automatically sends it to a third party.
(*2) Software keyboard: software that lets you enter letters, numbers, symbols, etc. by clicking with the mouse instead of typing on the keyboard. It is also called a "virtual keyboard", "screen keyboard" or "keyboard emulator".
(*3) Port: the interface through which each service on a computer exchanges information with the outside. Ports are identified by numbers from 0 to 65535, hence the term "port number".
(*4) SSH (Secure Shell): a protocol, and the programs implementing it, for logging in to another computer over the network, executing commands on the remote computer and transferring files. Because the data on the network is encrypted, these operations can be carried out safely over the Internet.
(*5) Password cracking: discovering someone else's password, for example by observation. Methods include exhaustive (brute-force) search and dictionary attacks, and dedicated cracking tools exist.
(*6) Account: the right that allows a user to use resources on a computer or network; it also refers to the ID required for use.
(*7) IRC (Internet Relay Chat): a chat system for real-time on-line conversation among Internet users. By connecting to IRC servers with dedicated software, users can exchange messages with many other Internet users. It can also be used for file transfer.
- Attachment 3: Observation Status by the Internet Monitoring System (TALOT2)
- Attachment 4: "Report Status for Computer Viruses 2005"
- Attachment 5: "Report Status for Unauthorized Computer Access 2005"