This is a summary of computer virus/unauthorized computer access incident reports for February 2006 compiled by IPA.
Reminder for the Month: “Risk of Information Leakage Hiding in File Exchange Software”
- Do You Still Use That? -
Accidents involving information leakage through the file exchange software Winny continue to be reported. Most of these accidents are caused by infection with W32/Antinny, a virus that spreads over the Winny file exchange network.
W32/Antinny is distributed over the Winny network under file names containing words such as “treasurable image” or “private information”, which many people are likely to be interested in; the information leakage occurs when a user executes such a file downloaded with Winny.
Winny users tend to bundle multiple files into a single compressed file before distributing them, and some W32/Antinny variants masquerade as such a compressed file. Because the user cannot see the contents of a compressed file without opening it, the user has little reason to be suspicious before clicking the virus file; once executed, the virus displays the message shown in Figure 1.1 below so that the user does not realize the infection.

Figure 1.1: A Sample of the Fake Message Displayed by the Virus
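As an added example that is not part of the IPA report, the following Python script shows a defender-side check for the masquerade described above: it compares the extension a downloaded file advertises with the file's leading bytes, and flags names whose real executable extension is hidden behind a fake archive extension and padding. The sample file names and headers are constructed for illustration; the archive signatures are the standard leading bytes of ZIP, RAR, 7z and LZH files.

```python
"""Added example, not from the IPA report: flag downloaded files that claim to
be archives but are not, or that hide an executable extension in the name.
All sample names/headers below are constructed for illustration."""

# Leading bytes of the archive formats a user would expect a "compressed file" to have.
ARCHIVE_SIGNATURES = {
    ".zip": (b"PK\x03\x04", b"PK\x05\x06"),      # local file header / empty archive
    ".rar": (b"Rar!\x1a\x07\x00",),
    ".7z": (b"7z\xbc\xaf\x27\x1c",),
}
# LZH has no fixed leading magic: bytes 2..6 carry a method id such as "-lh5-".
LZH_EXTENSIONS = {".lzh", ".lha"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def split_extension(name):
    """Return (base, '.ext') using the last dot; the extension is lower-cased."""
    base, dot, ext = name.rstrip().rpartition(".")
    if not dot:
        return name, ""
    return base, "." + ext.lower()


def looks_like_pe(header):
    """Windows executables start with the DOS stub signature 'MZ'."""
    return header[:2] == b"MZ"


def matches_archive(ext, header):
    """True if the leading bytes are consistent with the archive format `ext` claims."""
    if ext in LZH_EXTENSIONS:
        return len(header) >= 7 and header[2:4] == b"-l" and header[6:7] == b"-"
    return any(header.startswith(sig) for sig in ARCHIVE_SIGNATURES.get(ext, ()))


def inspect_file(name, header):
    """Return a list of reasons the file is suspicious; an empty list means no finding."""
    reasons = []
    base, ext = split_extension(name)
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension " + ext)
        # A long run of spaces pushes the real extension out of the visible column.
        if "   " in base:
            reasons.append("padded name hides the real extension")
        inner_ext = split_extension(base.strip())[1]
        if inner_ext in ARCHIVE_SIGNATURES or inner_ext in LZH_EXTENSIONS:
            reasons.append("name pretends to be a " + inner_ext + " archive")
    elif ext in ARCHIVE_SIGNATURES or ext in LZH_EXTENSIONS:
        if looks_like_pe(header):
            reasons.append("archive extension but content is a Windows executable")
        elif not matches_archive(ext, header):
            reasons.append("content does not match the " + ext + " format")
    return reasons


# Constructed samples: a genuine ZIP, a genuine LZH, an executable renamed to .zip,
# and an executable whose name pads a fake .zip extension far from the real .exe.
SAMPLES = [
    ("photos.zip", b"PK\x03\x04" + b"\x14\x00" * 12),
    ("report.lzh", b"\x16\x00-lh5-" + b"\x00" * 20),
    ("private_information.zip", b"MZ\x90\x00\x03\x00" + b"\x00" * 20),
    ("treasurable_image.zip" + " " * 40 + ".exe", b"MZ\x90\x00" + b"\x00" * 20),
]

if __name__ == "__main__":
    for name, header in SAMPLES:
        findings = inspect_file(name, header)
        print(repr(name.strip()), "->", findings or "ok")
```

The check reads only the first few bytes, so it can run on every file landing in a download folder before anything is opened; a real deployment would read those bytes from disk instead of the constructed headers used here.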
When a computer is infected with the virus, the incoming and outgoing mails saved on it and the data files created with Word or Excel are bundled together and copied to the folder Winny uses for publication. This means that every Winny user can browse those files. As shown in Figure 1.2, data once distributed to the Winny network is held by an unspecified number of people, so it cannot be retrieved.

Figure 1.2: Mechanism of Information Leakage via Winny
To prevent infection before anything happens, it is important to use anti-virus software whose pattern file is kept up to date. However, because new W32/Antinny variants keep emerging, the virus may not be detected; it is also necessary not to execute downloaded files carelessly (and not to unzip compressed files carelessly either). A removal tool is available from Microsoft; it is recommended to check for the presence of the virus whether or not you have noticed an infection.
Microsoft – Malicious Software Removal Tool
http://www.microsoft.com/japan/security/malwareremove/default.mspx
From the viewpoint of private information protection and security, many corporations prohibit the use of file exchange software and also prohibit taking private or confidential information outside the office. Although such rules are in place, leakage accidents still happen frequently. The belief that “I am safe” leads to serious mistakes. As penalties against individuals who caused information leakage, instances of suspension from employment and salary cuts have been reported. In addition, the impact on the affected corporations/organizations is significant. Be sure to understand the risks hidden in file exchange software and do not repeat the same accidents. Needless to say, illicit data exchange using file exchange software is out of the question.
- Notes When Using File Exchange Software -
1. Have the conditions for using file exchange software been determined?
   1) Is it installed because it is necessary for business?
   2) Is its use subject to approval?
   3) Is it sufficiently managed?
2. Is the status of anti-virus measures on client PCs understood?
   1) Is anti-virus software installed on the client PCs?
   2) Is the pattern file of the anti-virus software up to date?
<Reference>
IPA – Notes when using file exchange software (in Japanese)
http://www.ipa.go.jp/security/topics/20050623_exchange.html
I. Reporting Status for Computer Virus
– Please refer to Attachment 1 for further details –
The detection number [1] of viruses was about 2.56M, a decrease of about 40% from the 4.13M counted in January. This was because the W32/Sober variant, which had raised the overall detection number by sending massive amounts of virus mail in December, stopped completely.
In addition, the reported number [2] in February was 4,324, a decrease of 3.9% from 4,499 in January.
[1] Detection number: Reported virus counts (cumulative) found by a filer. For January, the reported number resulted in 4,324 upon aggregation of the virus detection count of about 2.56M.
[2] Reported number: Aggregated virus counts: viruses of the same type and variant reported by the same filer on the same day are counted as one case, regardless of how many viruses were actually found. In February, the reported number was 4,324, aggregated from a virus detection number of about 2.56M.
The highest detection number was for W32/Netsky with about 1.84M, followed by W32/Mytob with about 0.3M and W32/Bagle with about 0.23M.

(Note: Numbers in parentheses are the figures for the previous month)
In February, OSX/Inqtana, which targets Macintosh, was reported. The virus appears to have been created to prove that a virus can function in the Macintosh environment, and the infection did not spread. However, viruses are not limited to the Windows environment: in other words, infection can spread in any environment, such as Macintosh or Linux, so users should keep up with virus information daily and take appropriate anti-virus measures.
II. About Spyware
Damage caused by spyware (*1) includes the following:
- Leakage of mail addresses;
- Leakage of account numbers and passwords used for on-line banking, etc.;
- Leakage of private information such as credit card numbers.
As secondary damage, monetary losses caused by spoofing, etc. that exploit the above information have been reported by the mass media. Among consultations, instances where spyware was installed simply by clicking on an image in an adult site and the mail address used daily was stolen are seen frequently.
When you suffer spyware damage, the above leakages happen without your knowledge. To prevent such damage, be sure to take the following measures and take care not to download files or images carelessly.
1. Use anti-spyware software, keep its definition files up to date and check for spyware.
2. Keep your computer always up to date.
3. Be cautious with suspicious sites and/or questionable mails.
4. Enhance your computer's security.
5. Back up necessary files as a further precaution.
Supplementary: Do not enter important private information on a computer that you cannot manage yourself.
Brochure for Anti-Spyware Measures (in Japanese)
http://www.ipa.go.jp/security/antivirus/shiori.html
Reminder for this month: “Don't be Fooled by Spyware!” – How to distinguish suspicious files – (in Japanese)
http://www.ipa.go.jp/security/txt/2005/12outline.html
III. Reporting Status for Unauthorized Computer Access (includes consultation)
– Please refer to Attachment 2 for further details –
Reports of unauthorized computer access and acceptance status of consultations

|                              | Sep. | Oct. | Nov. | Dec. | Jan. ‘06 | Feb. |
|------------------------------|------|------|------|------|----------|------|
| Total for Reported (a)       | 31   | 22   | 24   | 25   | 50       | 26   |
|   Damaged (b)                | 16   | 15   | 15   | 19   | 13       | 15   |
|   Not Damaged (c)            | 15   | 7    | 9    | 6    | 37       | 11   |
| Total for Consultation (d)   | 30   | 35   | 30   | 25   | 43       | 42   |
|   Damaged (e)                | 16   | 25   | 18   | 15   | 23       | 24   |
|   Not Damaged (f)            | 14   | 10   | 12   | 10   | 20       | 18   |
| Grand Total (a + d)          | 61   | 57   | 54   | 50   | 93       | 68   |
|   Damaged (b + e)            | 32   | 40   | 33   | 34   | 36       | 39   |
|   Not Damaged (c + f)        | 29   | 17   | 21   | 16   | 57       | 29   |
1. Reporting Status of Unauthorized Computer Access
The reported number for February was 26, of which 15 were cases with actual damage.
2. Accepting Status of Consultations for Unauthorized Computer Access, etc.
The number of consultations relevant to unauthorized computer access was 42, of which 24 (5 of these were also counted in the reported number) were cases in which some sort of damage was reported.
3. Status of Damage
The breakdown of the damage reports was: intrusion 9, DoS attack 2, spoofing of mail address 1 and others (damaged) 3. Reports of intrusion following attacks on the port (*2) used by SSH (*3) numbered 7, which remains high, so continued caution is necessary. Another instance was also reported (1 case) in which a Web server was intruded and its Web contents were automatically replaced so that they could be exploited for phishing.
Damage Instances:
[Intrusion]
(i) Attacks on the port used for SSH
<Instance>
A network administrator was informed from outside that “suspicious communication is observed”. Investigation revealed that the port used by SSH had been attacked and the server intruded from outside through an account (*4) whose ID and password were the same. Malicious code that appeared to be a bot (*5) had been installed. In addition, that malicious code had been communicating between the server and an IRC (*6) server outside.
[DoS]
(ii) Connectivity Failure Caused by Massive Unauthorized Access Attempts
<Instance>
A failure in sending/receiving messages occurred on a privately operated mail server. It was found that there had been repeated attempts from the Internet to connect to the server using a user account that did not actually exist. Although intrusion was prevented, the mail service was interrupted because the server was overloaded.
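Both instances above leave traces in ordinary authentication logs. As an added example that is not part of the IPA report, the following Python script runs three simple detections over constructed log lines: an SSH login that succeeds only after a run of failures from the same source (the guessed ID-equals-password account in instance (i)), a new outbound connection to an IRC port from a server that should not chat (the bot in instance (i)), and a flood of failed logins for a nonexistent mail user from one source (instance (ii)). The sshd line format follows OpenSSH; the pop3d and firewall line formats and all addresses are assumed for illustration.

```python
"""Added example, not from the IPA report: simple detections over authentication
logs for the two incident patterns described in the report. Log lines are
constructed; addresses are RFC 5737 documentation ranges."""
import re
from collections import defaultdict

SSH_FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
SSH_ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")
# Assumed POP3 daemon format (not a real product's exact wording).
MAIL_FAILED = re.compile(r"pop3d\[\d+\]: auth failed user=(\S+) rip=(\S+)")
# Assumed firewall egress format; 6667/6697 are the conventional IRC ports.
EGRESS = re.compile(r"fw: NEW tcp src=(\S+) dst=(\S+) dport=(\d+)")
IRC_PORTS = {6667, 6697}


def analyse(log_text, fail_threshold=3):
    """Return (kind, source, detail) findings for the three rules above, in log order
    for the per-line rules and after the scan for the per-source flood rule."""
    ssh_failures = defaultdict(int)                       # source -> failed SSH logins so far
    mail_failures = defaultdict(lambda: defaultdict(int))  # source -> user -> failures
    findings = []
    for line in log_text.splitlines():
        m = SSH_FAILED.search(line)
        if m:
            ssh_failures[m.group(2)] += 1
            continue
        m = SSH_ACCEPTED.search(line)
        if m:
            user, src = m.groups()
            if ssh_failures[src] >= fail_threshold:
                findings.append(("ssh-success-after-guessing", src,
                                 f"user {user} after {ssh_failures[src]} failures"))
            continue
        m = MAIL_FAILED.search(line)
        if m:
            user, src = m.groups()
            mail_failures[src][user] += 1
            continue
        m = EGRESS.search(line)
        if m and int(m.group(3)) in IRC_PORTS:
            findings.append(("irc-egress", m.group(1), f"to {m.group(2)}:{m.group(3)}"))
    for src, users in mail_failures.items():
        for user, n in users.items():
            if n >= fail_threshold:
                findings.append(("mail-auth-flood", src, f"user {user} failed {n} times"))
    return findings


# Constructed sample: four guesses then a success from one source, an outbound IRC
# connection, a legitimate key-based login, and twelve failures for a ghost mail user.
SAMPLE_LOG = "\n".join(
    [
        "Feb 10 03:12:01 srv sshd[4021]: Failed password for invalid user admin from 203.0.113.5 port 40211 ssh2",
        "Feb 10 03:12:04 srv sshd[4022]: Failed password for invalid user test from 203.0.113.5 port 40212 ssh2",
        "Feb 10 03:12:07 srv sshd[4023]: Failed password for root from 203.0.113.5 port 40213 ssh2",
        "Feb 10 03:12:10 srv sshd[4024]: Failed password for backup from 203.0.113.5 port 40214 ssh2",
        "Feb 10 03:12:13 srv sshd[4025]: Accepted password for backup from 203.0.113.5 port 40215 ssh2",
        "Feb 10 03:12:40 srv fw: NEW tcp src=192.0.2.10 dst=198.51.100.20 dport=6667",
        "Feb 10 07:45:00 srv sshd[5100]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2",
    ]
    + [f"Feb 10 08:00:{i:02d} srv pop3d[6000]: auth failed user=ghost rip=192.0.2.9" for i in range(12)]
)

if __name__ == "__main__":
    for kind, src, detail in analyse(SAMPLE_LOG):
        print(f"{kind:28} {src:15} {detail}")
```

The thresholds are deliberately low so the sample triggers; in production they would be tuned per service, and the flood rule would be evaluated per time window rather than over the whole file.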
IV. Accepting Status of Consultation
The number of consultations in January was 834. Of these, 168 were consultations on so-called “One-click billing fraud”, such as receiving “billing fraud” mails after browsing an adult site, which remain numerous. In addition, nearly 90% of the consultations relevant to one-click billing fraud were cases in which some malicious code such as spyware was embedded. <Movement in one-click billing fraud… July: 28, August: 83, September: 80, October: 108, November: 165, December: 138 and January: 174>
(There was an error in the number of consultations relating to “One-click billing fraud” for January published last month. The correct figure was 174. We apologize for the inconvenience.)
Movement in the entire number of consultations accepted by IPA

|                             | Sep. | Oct. | Nov. | Dec. | Jan. ‘06 | Feb. |
|-----------------------------|------|------|------|------|----------|------|
| Total                       | 554  | 606  | 673  | 653  | 748      | 834  |
|   Automatic Response System | 337  | 357  | 379  | 391  | 425      | 479  |
|   Telephone                 | 144  | 165  | 220  | 194  | 228      | 258  |
|   e-mail                    | 72   | 82   | 66   | 66   | 87       | 90   |
|   Fax, Others               | 1    | 2    | 8    | 2    | 8        | 7    |
*IPA consults/advises on computer viruses and unauthorized computer access as well as on other information concerning overall security issues.
Mail: for virus issues, for crack issues.
Tel.: +81-3-5978-7509 (24-hour automatic response)
Fax: +81-3-5978-7518 (24-hour automatic response)
*The Total case number includes the number in the Consultation (d) column of the chart in “III. Status for Reported Unauthorized Computer Access”.
*“Automatic Response System”: numbers accepted by the automatic response system
*“Telephone”: numbers accepted by Security Center personnel
The instances of the main consultations were as follows:
(i) About Passwords
Consultation:
When logging in to a members-only site, my password is displayed as “* * * * *” in the password field while I am entering it. Is there any chance that my password is glimpsed by a third person/party?
Response:
Generally, even if your password is displayed as “* * * * *” while you are entering it, the password is actually sent in plaintext, not in concealed form, on the network, so the password can be read there. In the case of encrypted communication, however, it cannot be read even if it is captured on the network.
In the case of encrypted communication, a “key” mark is displayed at the lower right of the Internet Explorer screen. In addition, a site address generally starts with http://; if the communication is encrypted (SSL communication), the site address starts with https://.
Although your password is not glimpsed on the network, it can be broken relatively easily if you have set a simple password. To set a hard-to-break password, please refer to the following information.
<Reference>
“Just a password, but the password” (for general users) (in Japanese)
http://www.ipa.go.jp/security/crack_report/20020606/0205.html#spel
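As an added example that is not part of the IPA report or the referenced page, the following Python function shows the kind of check a site or a server could apply when a password is set, rejecting the weaknesses this report points at (a password identical to the ID, as in the SSH intrusion above, and simple passwords) and estimating the size of the brute-force search space the password's length and character classes imply. The minimum length, class count and sample values are choices made here for illustration.

```python
"""Added example, not from the IPA report: password-setting checks and a
brute-force search-space estimate. Limits are illustrative choices."""
import math
import string

CHARACTER_CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "symbols": set(string.punctuation),
}


def classes_used(password):
    """Names of the character classes that appear in the password."""
    return [name for name, chars in CHARACTER_CLASSES.items() if any(c in chars for c in password)]


def guess_space_bits(password):
    """log2 of the search space an attacker who knows only length and classes must cover."""
    alphabet = sum(len(CHARACTER_CLASSES[name]) for name in classes_used(password))
    if alphabet == 0 or not password:
        return 0.0
    return round(len(password) * math.log2(alphabet), 1)


def password_problems(user_id, password, min_length=8, min_classes=3):
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if password.lower() == user_id.lower():
        problems.append("password is the same as the ID")
    elif len(user_id) >= 3 and user_id.lower() in password.lower():
        problems.append("password contains the ID")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(classes_used(password)) < min_classes:
        problems.append(f"uses fewer than {min_classes} character classes")
    if len(set(password)) <= 2:
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    # Constructed sample pairs: the ID-equals-password case, a padded ID, a trivial
    # repetition and an acceptable password.
    for user_id, password in [("taro", "taro"), ("taro", "taro2006"),
                              ("admin", "aaaaaaaa"), ("taro", "Kq7#vL2m!x")]:
        print(f"{password!r:14} {guess_space_bits(password):6} bits",
              password_problems(user_id, password) or "accepted")
```

The bit estimate is an upper bound on what an attacker has to search; it says nothing about dictionary words or reuse, which is why the explicit ID checks are kept separate from it.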
(ii) What if my computer displays “Your computer may be exposed to a hazardous state.”
Consultation:
While I am using the computer, it displays “Your computer may be exposed to a hazardous state”. Is my computer infected by a virus?

Response:
This is the alert generated by Windows XP when no anti-virus software is installed on your computer. This message does not mean that your computer is necessarily infected by a virus. However, it is strongly recommended to install anti-virus software to prevent virus infection before anything happens.
<Reference>
About the message “Your computer may be exposed to a hazardous state.” (in Japanese)
http://support.microsoft.com/default.aspx?scid=kb;JA;883807
Further, for information about measures against “One-click billing fraud”, which still generates a number of consultations, please refer to the following site.
IPA – How to respond when a bill is charged after simply clicking at a site (in Japanese)
http://www.ipa.go.jp/security/ciadr/oneclick.html
V. Access Status Captured by the Internet Monitoring (TALOT2) in February
In the Internet Monitoring (TALOT2), unwanted (one-sided) accesses in February totaled 316,533 cases at 10 monitoring points: at one monitoring point, about 1,318 unwanted (one-sided) accesses from about 328 sources were captured per day.
The environment of each monitoring point in TALOT2 is nearly equal to a general user's Internet connection, so it can be considered that general Internet users receive the same amount of unwanted (one-sided) access. In other words, your computer is being accessed, in ways considered to be unauthorized, about 4 times by each of 328 unknown people (sources) every day on average.

Chart 5.1: Number of Unwanted (One-sided) Accesses and Number of Sources per Monitoring Point per Day
Chart 5.1 shows the average number of accesses and number of sources per monitoring point per day from October 2005 to February 2006. According to this chart, unwanted (one-sided) accesses, including the number of sources, tend to decrease moderately. In addition, the contents of the accesses have also stabilized (please refer to the statistical information described later).
The access status in February is almost the same as in January. There are a number of unauthorized accesses that may target vulnerabilities in Windows; the large number of accesses to ports 135 (TCP) and 445 (TCP) target vulnerabilities in Windows. Although it is a temporary phenomenon, accesses to port 1433 (TCP), which target servers running Microsoft SQL Server [A], increased. Although not presented in the statistical information, accesses to port 3306 (TCP), which may target servers running MySQL [B] in an attempt to invade the system, and accesses to port 22 (TCP), which target SSH, can also be seen.
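As an added example that is not part of the IPA report or of TALOT2, the following Python script tallies unwanted-access records the way the summary above does: accesses per destination port with the service behind each port named in the report, the average number of accesses and of distinct sources per monitoring point per day (the two quantities in Chart 5.1), and the sources seen at more than one monitoring point, which indicates wide scanning rather than interest in one host. The records, monitoring point names and source addresses are constructed; the port-to-service labels are the standard assignments.

```python
"""Added example, not from the IPA report: tally unwanted-access records the way
the TALOT2 summary does. Records are constructed; sources are RFC 5737 ranges."""
from collections import Counter, defaultdict

# Services behind the ports discussed in the report (standard IANA/Windows assignments).
PORT_LABELS = {
    135: "Windows RPC endpoint mapper",
    445: "Windows SMB (direct hosting)",
    1433: "Microsoft SQL Server",
    3306: "MySQL",
    22: "SSH",
}

# Constructed records: (date, monitoring point, source address, destination TCP port).
RECORDS = [
    ("2006-02-01", "mp1", "203.0.113.10", 445),
    ("2006-02-01", "mp1", "203.0.113.10", 135),
    ("2006-02-01", "mp1", "203.0.113.11", 445),
    ("2006-02-01", "mp1", "198.51.100.5", 1433),
    ("2006-02-01", "mp2", "203.0.113.10", 445),
    ("2006-02-01", "mp2", "192.0.2.33", 22),
    ("2006-02-02", "mp1", "192.0.2.33", 22),
    ("2006-02-02", "mp1", "192.0.2.33", 3306),
    ("2006-02-02", "mp1", "203.0.113.12", 445),
    ("2006-02-02", "mp2", "203.0.113.12", 445),
    ("2006-02-02", "mp2", "203.0.113.12", 135),
    ("2006-02-02", "mp2", "198.51.100.5", 1433),
]


def port_breakdown(records):
    """(port, count, service label) per destination port, most frequent first."""
    counts = Counter(port for _, _, _, port in records)
    return [(port, n, PORT_LABELS.get(port, "other")) for port, n in counts.most_common()]


def per_point_per_day(records):
    """Average accesses and distinct sources per monitoring point per day (Chart 5.1 style)."""
    accesses = Counter()
    sources = defaultdict(set)
    for date, point, src, _ in records:
        accesses[(date, point)] += 1
        sources[(date, point)].add(src)
    point_days = len(accesses)
    if point_days == 0:
        return 0.0, 0.0
    avg_access = sum(accesses.values()) / point_days
    avg_sources = sum(len(s) for s in sources.values()) / point_days
    return round(avg_access, 2), round(avg_sources, 2)


def sources_hitting_many_points(records, min_points=2):
    """Sources seen at several monitoring points: broad scanning, not interest in one host."""
    points = defaultdict(set)
    for _, point, src, _ in records:
        points[src].add(point)
    return sorted(src for src, p in points.items() if len(p) >= min_points)


if __name__ == "__main__":
    for port, n, label in port_breakdown(RECORDS):
        print(f"port {port:5} {n:3}  {label}")
    print("accesses / sources per point per day:", per_point_per_day(RECORDS))
    print("sources seen at 2+ points:", sources_hitting_many_points(RECORDS))
```

Scaling the same two averages over a month of records at 10 points is exactly how a figure like "1,318 accesses from 328 sources per monitoring point per day" is produced; the per-port breakdown is what lets an operator notice a temporary rise on one port, as the report does for 1433.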
System administrators should therefore always check their servers for vulnerabilities and keep them up to date; further, never fail to strengthen the passwords used for applications, connection authentication, etc.
As for general users, to prevent infection by these unauthorized accesses, we encourage you to use anti-virus software, a personal firewall, etc. and keep your computer always up to date.
[A] SQL database of Microsoft
[B] Open source SQL database
Special Notes:
In the data monitored for February 2006, there were accesses concentrated on a specific monitoring point. This monitored data is excluded because it is not appropriate to our original scope for inclusion in the statistical information: the excluded data consisted of accesses used by so-called P2P file exchange software.
In TALOT2, the IP addresses of the monitoring points are changed irregularly in order to monitor an Internet connection environment nearly equal to that of general Internet users. The previous users of those IP addresses may have been using P2P file exchange software, and it seems that access requests from other users to these IP addresses were sent to the monitoring point(s).
Among the accesses monitored in TALOT2 this time, the remarkable ones accessed the IP address of the specific monitoring point(s) repeatedly, 3 times at 30-second intervals, and such access continued for 4 days. It can be considered that the P2P file exchange software was operating automatically and kept accessing.
The likelihood of such situations is rising, and a number of accesses that can be considered to come from P2P file exchange software can be seen. It seems that the number of people using P2P file exchange software is increasing.
Users of P2P file exchange software should be aware that such situations arise and be sure to confirm that the other side of the communication is legitimate when using the software. In some cases, this could be considered a DoS attack. Please be cautious.
For further details about the above information, please refer to the following site:
Attachment 3_Observation Status Captured by the Internet Monitoring (TALOT2)
http://www.ipa.go.jp/security/txt/2006/documents/TALOT2-0603.pdf
“Various Statistics Information Provided by Other Organizations/Vendors are Publicized in the Following Sites”
“Interpretation of Glossary”
(*1) Spyware:
Software that fraudulently acquires information such as the user's personal information, access history, etc. and automatically sends it to a third person or third party.
(*2) Port:
A window through which each service within a computer exchanges information with the outside. Numbers from 0 to 65535 are used for ports, so they are also called port numbers.
(*3) SSH (Secure Shell):
A protocol or program used to log in to another computer via the network, execute commands on a remote computer and transfer files to another computer. Since the data sent via the network is encrypted, a series of operations over the Internet can be performed safely.
(*4) Account:
The privilege that allows a user to use resources on a computer or the network; it also refers to the ID required for use.
(*5) DoS Attack (Denial of Service):
An attack that sends a large quantity of data to put an excessive load on a server, lowering its performance significantly or disabling its function.
(*6) IRC (Internet Relay Chat):
A chat system for real-time on-line conversation between/among Internet users. By connecting to IRC servers with dedicated software, users are provided services for exchanging messages among a number of Internet users. It can also be used for file transfer.
- Attachment 3 Observation Status by Internet Monitoring System (TALOT2)