This is a summary of computer virus/unauthorized computer access incident reports for March, 2006 and the 1st Quarter (January to March) compiled by IPA.
Reminder for the Month: “Are you aware? Your private data on your computer may be shared among unspecified users if you use file exchange software!”
- Stop using it just for amusement!! -
Important information leakage accidents in government and other public offices and in large corporations via Winny, the file exchange software, continue to be reported in large numbers. However, this is not a new trend: it dates back two years, when data leakage accidents at small and medium-sized corporations and private information leakage accidents of individual Winny users were already occurring. Let us review the mechanism of the file exchange software Winny. Are you aware that, because files shared on the Winny network can be downloaded from someone else's computer, the folders in your computer can likewise be shared with unspecified Winny users? (The current number of Winny users is said to exceed 500,000!) That is, with or without a virus infection, your private data is released if you misplace it in the folder for release or configure it as “release” by mistake. If you cannot understand this mechanism as a potential risk that the Winny “tool” carries, you should not use Winny at all.

Chart 1.1: Mechanism of the File Exchange Network by Winny
Once infected, your private files may be treated as “release” no matter how carefully you have managed them. The traditional Winny-related virus (Antinny) copies specific types of files (images, documents, spreadsheets, mails, etc.) on the computer into the Winny folder for “release”.
Chart 1.2: Image in Information Leakage by Antinny
In March, 2006, a new virus (Exponny) appeared which, on infection, releases almost all files kept in the computer's folders onto the Winny network.

Chart 1.3: Image in Information Leakage by Exponny
The fundamental measure to avoid infection is not to open unknown and untrustworthy files carelessly. However, most of the files circulating on current file exchange networks, Winny included, are indeed “unknown and untrustworthy files”; in fact, a large number of virus files masquerading under attractive file names are in circulation. That is, you need to recognize that downloading and opening files from a file exchange network is very risky, and to think seriously before using Winny just for amusement. Similar caution is necessary for file exchange software other than Winny as well.
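The mechanism above (anything in the release folder becomes downloadable by other nodes, whether the user misplaced it or a virus such as Antinny copied it) can be checked for after the fact by comparing file contents. The following is an added example, not code from the IPA report; the folder names, the release-folder name "Up" and the sample files are constructed assumptions.

```python
"""Check whether files from a private folder have been copied into a
file-sharing "release" folder. Added example, not IPA's code; folder
names and the sample files are constructed so the script runs offline."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Content hash of one file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def index_private(private_dir):
    """Map content hash -> relative path for every file under private_dir."""
    root = Path(private_dir)
    return {sha256_of(p): str(p.relative_to(root))
            for p in root.rglob("*") if p.is_file()}


def find_leaked(share_dir, private_index):
    """Return (shared name, private name) pairs with identical content.
    A match means a private file is already downloadable by other nodes;
    matching by content rather than by name also catches renamed copies."""
    root = Path(share_dir)
    leaked = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and sha256_of(p) in private_index:
            leaked.append((str(p.relative_to(root)),
                           private_index[sha256_of(p)]))
    return leaked


def demo():
    """Constructed layout: one renamed copy of a spreadsheet has leaked."""
    with tempfile.TemporaryDirectory() as tmp:
        private = Path(tmp) / "My Documents"
        share = Path(tmp) / "Up"  # assumed name for the release folder
        private.mkdir()
        share.mkdir()
        (private / "customers.xls").write_bytes(b"constructed customer list")
        (private / "notes.txt").write_bytes(b"constructed private notes")
        (share / "backup.xls").write_bytes(b"constructed customer list")
        (share / "holiday.avi").write_bytes(b"constructed harmless video")
        return find_leaked(share, index_private(private))


if __name__ == "__main__":
    print(demo())  # [('backup.xls', 'customers.xls')]
```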
I. Reporting Status for Computer Virus – for further details, please refer to Attachment 1 –
The detection number [1] of viruses was about 2.56M: the same level as the roughly 2.56M counted in February. The reported number [2] in March was 4,370: a 1.2% decrease from 4,324 in February.
[1] Detection number: Reported virus counts (cumulative) found by a filer. For January, the reported number resulted in 4,324 upon aggregation of virus detection counts reported at about 2.56M.
[2] Reported number: Virus counts are aggregated: viruses of the same type and variants reported on the same day are counted as one case, regardless of how many viruses (or the actual number of viruses) the same filer found on the same day. In February, the reported number was 4,324: an aggregate of the virus detection number of about 2.56M.
The largest detection number was for W32/Netsky with about 2.03M, the second for W32/Mytob with about 0.29M and the third for W32/Bagle with about 0.09M.

(Note: Numbers in parentheses are the figures for the previous month)
II. About Spyware
Among the consultation instances about spyware (*1), there are a number of consultations in which spyware was installed simply by clicking an image on an adult site, etc., and the user's regularly used mailing address was taken out. Analysis of such damage shows a number of cases in which the spyware was installed by the users themselves, ignoring the alerts that were displayed. Specific instances are publicized on the following site: please refer to the measures to prevent damage for your further security.
Reminder for the Month: “Malicious Codes may be Installed if Ignores Alert!” – Don't you Neglect an Alert, Do You? – (for January, 2006)
http://www.ipa.go.jp/security/english/virus/press/200601/E_PR200601.html
Also, please refer to the following items for further spyware measures.
1. Utilize anti-spyware software, keep its definition files updated, and check whether spyware is present.
2. Keep your computer always up to date.
3. Be cautious with suspicious sites and/or questionable mails.
4. Enhance your computer's security.
5. Back up necessary files for further security.
Supplementary: Do not input important private information on a computer that you cannot manage yourself.
Brochure for Anti-Spyware Measures (in Japanese)
http://www.ipa.go.jp/security/antivirus/shiori.html
III. Reporting Status for Unauthorized Computer Access (includes consultation) – Please refer to Attachment 2 for further details –
Report for unauthorized computer access and Accepting Status of consultation
| | Oct. | Nov. | Dec. | Jan. ‘06 | Feb. | Mar. |
|---|---|---|---|---|---|---|
| Total for Reported (a) | 22 | 24 | 25 | 50 | 26 | 38 |
| Damaged (b) | 15 | 15 | 19 | 13 | 15 | 10 |
| Not Damaged (c) | 7 | 9 | 6 | 37 | 11 | 28 |
| Total for Consultation (d) | 35 | 30 | 25 | 43 | 42 | 24 |
| Damaged (e) | 25 | 18 | 15 | 23 | 24 | 12 |
| Not Damaged (f) | 10 | 12 | 10 | 20 | 18 | 12 |
| Grand Total (a + d) | 57 | 54 | 50 | 93 | 68 | 62 |
| Damaged (b + e) | 40 | 33 | 34 | 36 | 39 | 22 |
| Not Damaged (c + f) | 17 | 21 | 16 | 57 | 29 | 40 |
1. Reporting Status of Unauthorized Computer Access
The reported number for March was 38, of which 10 were cases of actual damage.
2. Accepting Status of Consultations for Unauthorized Computer Access, etc.
The number of consultations relevant to unauthorized computer access was 24, of which 12 (7 of them also counted in the reported number) involved some sort of damage.
3. Status for Damage
Breakdown of the damage reports: intrusion, 6; others (damaged), 4. Breakdown of the intrusion reports: a case in which a Web server was intruded and Web contents to be exploited for phishing (*2) were set up automatically, 1; a case of intrusion followed by an attack on the port (*3) used for SSH (*4), 1; etc.
Damage Instances:
[Intrusion]
(i) A phishing site has been established…?
<Instance>
“Your Web site is being exploited as a stepping stone,” we were told from outside. On investigation, it turned out that Web contents for phishing had been set up automatically. The intruded server runs Mac OS X. It can be assumed that the intrusion from outside succeeded because security patches had not been applied and unnecessary services were also running.
[Others (Damaged)]
(ii) Although the router detects attacks…?
<Instance>
Thanks to the router's security function, IP spoofing attacks (*5) and TCP SYN flood attacks (*6) were frequently being blocked. Since then no attack has been detected, but the CPU load reaches 100% shortly after power-on and the router's LAN-side access lamp blinks continuously. No access on the WAN side can be seen. Shutting off the power of the ADSL modem changed nothing. Since the CPU load still shows 100%, none of the PCs can be used.
IV. Accepting Status of Consultation
On March 20, 2006, IPA newly established the Emergency Consultation Window for Winny (Winny 119 *) on our Web page to provide users with information on precautionary and remedial measures against information leakage accidents caused by viruses (i.e., W32/Antinny, etc.) that spread via the file exchange software (Winny) network. Possibly as a result, the number of consultations for March increased drastically to 1,056. Of these, consultations relevant to Winny numbered 196 (February: 3) and consultations relevant to “One-click billing fraud” numbered 131 (February: 168).
* 119 is Japan's emergency telephone number; the U.S. equivalent would be “Winny 911”.
Movement in the total number of consultations accepted by IPA
| | Oct. | Nov. | Dec. | Jan. ‘06 | Feb. | Mar. |
|---|---|---|---|---|---|---|
| Total | 606 | 673 | 653 | 748 | 834 | 1,056 |
| Automatic Response System | 357 | 379 | 391 | 425 | 479 | 659 |
| Telephone | 165 | 220 | 194 | 228 | 258 | 296 |
| e-mail | 82 | 66 | 66 | 87 | 90 | 99 |
| Fax, Others | 2 | 8 | 2 | 8 | 7 | 2 |
*IPA consults/advises on computer viruses/unauthorized computer access as well as other information concerning overall security issues.
Mail: for virus issues, for crack issues.
Tel.: +81-3-5978-7509 (24-hour automatic response)
Fax: +81-3-5978-7518 (24-hour automatic response)
*The Total case number includes the number in the Consultation (d) column of the chart in “III. Status for Reported Unauthorized Computer Access”.
*“Automatic Response System”: numbers accepted by the automatic response system
*“Telephone”: numbers accepted by the Security Center personnel
Frequently asked questions relevant to Winny are as follows.
(i) Am I infected by Antinny…?
Consultation:
I use Winny. Since information leakage is my main concern, I wish to check whether my system is infected by a virus such as Antinny.
Response:
Use anti-virus software to scan your PC for viruses.
- List of Web sites, etc. of major anti-virus software vendors:
http://www.ipa.go.jp/security/antivirus/vender.html (in Japanese)
- Security Check by Symantec: http://www.symantec.com/securitycheck/
- Online Scan by Trend Micro: http://housecall.trendmicro.com/
- McAfee Free Scan: http://us.mcafee.com/root/mfs/default.asp
In addition, with the “removal tool for malware” provided by Microsoft you can detect and remove the Antinny virus in one step.
- Removal tool for malware by Microsoft:
http://www.microsoft.com/japan/security/malwareremove/ (in Japanese)
Please note that the above approaches are only effective against already known viruses. They may not detect unknown viruses: if you may have been infected by an unknown virus, you cannot definitely be said to be “uninfected”. We encourage you to reinitialize your PC if you have opened unknown files without discretion.
(ii) Is Winny installed…?
Consultation:
I do not think I have installed Winny on my computer, but I want to make sure Winny is not installed.
Response:
Winny is not software that is installed automatically; Winny is not installed unless you installed it yourself. However, if you share the PC with several users, it is possible that someone else installed Winny. In that case, we recommend that you check your PC with a tool that can detect Winny itself.
<Reference>
- About the Winny detection tool – Symantec
http://www.symantec.com/region/jp/winny/winny_tools.html (in Japanese)
- Scan IF, Winny-compatible version – Ahkun
https://www.ahkun.jp/resource/dl.html (in Japanese)
(iii) I have not installed Winny on my computer…?
Consultation:
Since it can be confirmed that Winny is not installed, no information leakage can have occurred, can it?
Response:
There are other viruses that cause information leakage besides Antinny. The virus commonly known as the “Yamada Alternative” virus, first detected in February 2006, causes information leakage from computers on which Winny is not installed. Since this virus infects without using Winny, caution is necessary even if you are not a Winny user. Be sure to go back to the basics of thorough anti-virus measures.
<Reference>
IPA – the 7 tips for anti-virus measures for PC users:
http://www.ipa.go.jp/security/antivirus/7kajonew.html (in Japanese)
Please refer to the following sites for the FAQ and the measures relevant to Winny for your further security.
IPA – To prevent information leakage by Winny:
http://www.ipa.go.jp/security/topics/20060310_winny.html (in Japanese)
IPA – FAQ relevant to Winny and Antinny:
http://www.ipa.go.jp/security/virus/faq/winny_qa.html (in Japanese)
V. Accessing Status Captured by the Internet Monitoring (TALOT2) in March
In the Internet Monitoring (TALOT2), unwanted (one-sided) accesses in March totaled 392,728 cases across 10 monitoring points: the unwanted (one-sided) access captured at one monitoring point was about 1,267 accesses from about 301 sources per day.
The environment of each monitoring point in TALOT2 is nearly equal to a general user's Internet connection, so general Internet users can be considered to receive the same amount of unwanted (one-sided) access. In other words, on average your computer is accessed about 4 times a day by each of some 301 unknown sources, accesses that are considered to be unauthorized.

Chart 5.1: Unwanted (One-sided) Number of Access and Source Number of Access/1 Monitoring Point/Day in Average
Chart 5.1 shows the average unwanted (one-sided) number of accesses and number of access sources per monitoring point per day from October, 2005 to March, 2006. According to this chart, both the unwanted (one-sided) accesses and the number of access sources are moderately decreasing. In addition, the contents of the accesses can be said to be stable.
The accessing status in March is almost the same as in February. There appear to be a number of unauthorized accesses that target vulnerabilities in Windows: most of these accesses seem to be sent from computers infected by bots (*7). The frequently accessed ports 135 (TCP) and 445 (TCP) are targets of attacks on vulnerabilities in Windows.
In addition, accesses to ports 1026 (UDP) and 1027 (UDP), which exploit the Windows Messenger Service for pop-up spam messages, also continue (moderately increasing). Nowadays there are many varieties of pop-up messages which prompt anti-virus measures and/or anti-unauthorized-access measures, or pop-up ads, etc. from adware while net-surfing; be cautious not to be fooled by such contents. As a measure against accesses to ports 1026 (UDP) and 1027 (UDP), it is recommended to disable the Windows Messenger Service outside a managed LAN environment (corporate LAN, etc.).
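The per-point, per-day averages and the port breakdown above can be reproduced from raw monitoring records. The following is an added example, not IPA's or TALOT2's own code; the log line format, the field names and the sample records are constructed assumptions, and the port labels are the categories the report names.

```python
"""Summarise unwanted (one-sided) access records the way the TALOT2
figures are reported: per monitoring point per day, by source, and by
the ports the report singles out. Added example, not IPA's code; the
log format and the records below are constructed."""
import re
from collections import Counter

# Ports named in the report and what traffic to them usually indicates.
PORT_LABELS = {
    ("tcp", 135): "Windows RPC (vulnerability probing, bot traffic)",
    ("tcp", 445): "Windows SMB (vulnerability probing, bot traffic)",
    ("udp", 1026): "Windows Messenger Service (pop-up spam)",
    ("udp", 1027): "Windows Messenger Service (pop-up spam)",
}

# Assumed record layout: "<timestamp> src=<ip> proto=<tcp|udp> dport=<n>"
LINE_RE = re.compile(r"src=(\S+) proto=(tcp|udp) dport=(\d+)")


def per_point_per_day(total, points, days):
    """Average accesses seen by one monitoring point in one day."""
    return round(total / (points * days))


def summarize(lines):
    """Count accesses per port label and distinct sources in log lines."""
    by_label = Counter()
    sources = set()
    for line in lines:
        match = LINE_RE.search(line)
        if not match:
            continue  # skip malformed records rather than abort the run
        src, proto, port = match.group(1), match.group(2), int(match.group(3))
        sources.add(src)
        by_label[PORT_LABELS.get((proto, port), "other")] += 1
    return {"sources": len(sources), "by_label": dict(by_label)}


# Constructed records using documentation address space (RFC 5737).
SAMPLE_LOG = [
    "2006-03-20 09:01:02 src=203.0.113.5 proto=tcp dport=445",
    "2006-03-20 09:01:07 src=203.0.113.5 proto=tcp dport=135",
    "2006-03-20 09:02:11 src=198.51.100.7 proto=udp dport=1026",
    "2006-03-20 09:02:12 src=198.51.100.7 proto=udp dport=1027",
    "2006-03-20 09:03:40 src=192.0.2.9 proto=tcp dport=22",
    "garbled line with no fields",
]

if __name__ == "__main__":
    # 392,728 accesses over 10 points in the 31 days of March 2006
    print(per_point_per_day(392_728, 10, 31))  # 1267, as in the report
    print(summarize(SAMPLE_LOG))
```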
As for general users, we encourage you to utilize anti-virus software, a personal firewall, etc., along with keeping your computer always up to date, to prevent infection via these unauthorized accesses.
Further, as for the various types of protective software used as virus measures and/or unauthorized-access measures (nowadays not only anti-virus software but also software combining a personal firewall function with a function for preventing personal information leakage is increasing), it is recommended to utilize software provided by trusted vendors.
In relation to the information mentioned above, please also refer to the following site for further details.
Attachment 3: Observation Status Captured by the Internet Monitoring (TALOT2)
http://www.ipa.go.jp/security/english/virus/press/200603/TALOT200603.html
“Various Statistics Information Provided by Other Organizations/Vendors are Publicized in the Following Sites”
“Interpretation for Glossaries”
(*1) Spyware: Software which fraudulently acquires information such as the user's personal information, access history, etc. and automatically sends it to a third party.
(*2) Phishing: Activities which attempt to steal the IDs or passwords of users who access sites or e-mails masquerading as those of legitimate organizations such as banking/financial institutions. The origin of the word is “fishing”, but there are several theories: (i) “f” switched to “ph” following the hacker's naming convention, (ii) a combination of “sophisticated” and “fishing”, (iii) short for “password harvesting fishing”, etc.
(*3) Port: A window through which each service within a computer exchanges information with the outside. Numbers from 0 to 65535 are used for ports, so they are also called port numbers.
(*4) SSH (Secure Shell): A protocol or program used to log in to another computer via the network, execute commands on the remote computer, and transfer files to another computer. Since the data on the network is encrypted, a series of operations through the Internet can be done safely.
(*5) IP Spoofing Attack: An attacking method which sends packets to the other side with a spoofed source IP address.
(*6) TCP SYN Flooding Attack: One of the DoS (*8) attacking methods that degrades or halts server functions. It exploits the TCP connection procedure.
(*7) Bot: A kind of computer virus, created to manipulate an infected computer from outside through a network (the Internet).
(*8) DoS Attack (Denial of Service):
- Attachment 3: Observation Status by Internet Monitoring System (TALOT2)
- Attachment 4: Computer Virus Incident Report for the 1st Quarter (January to March)
- Attachment 5: Unauthorized Computer Access Incident Report for the 1st Quarter (January to March)