This is a summary of the computer virus / unauthorized computer access incident reports for April 2006, compiled by IPA.
Reminder for the Month: "Be Cautious of High-Pressure Selling of 'Security Software'!!"
- Do Not Take Suspicious Alerts at Face Value!! -
In April, consultations about high-pressure selling of so-called "security software" rose sharply, to 40 from 4 in the previous month. The typical pattern is as follows: while you are browsing, a message suddenly appears on your display prompting you to download so-called "security software". Once you download it, messages insistently urging you to purchase it keep appearing, and they do not stop until you pay with your credit card. Because these messages interfere with normal use of the PC, some users lose patience and buy the product.
<Instance 1>
<Instance 2>
<Instance 3>
In Instance 1, so-called "security software" is sold by displaying a somewhat peculiar Japanese message (grammatically incorrect, with improper conjunctions). In most cases the PC is not actually infected by any virus even though such a message is displayed; this is a form of high-pressure selling that works by frightening the user. Some users also reported that their PC malfunctioned after they installed the software as the message instructed.
As you are no doubt aware, no legitimate vendor or seller of security products sends unsolicited threatening messages like those in the Instances. Please be careful not to download such software in haste. If you are nevertheless worried that "my PC may be infected...", we encourage you to check your PC with one of the free online scans provided at the following vendors' sites.
Online Scan (Virus Check Service)
- Symantec security check:
http://www.symantec.com/securitycheck/
- Trendmicro On-line Scan:
http://housecall.trendmicro.com/
- McAfee Free Scan:
http://us.mcafee.com/root/mfs/default.asp
In addition, if such messages appear frequently, it is likely that some unauthorized software that displays ads of this kind has been downloaded; be sure to check with an online spyware scan in the same manner.
Spyware Guide – Online Spyware Detection:
http://www.spywareguide.com/onlinescan.php
I. Reporting Status for Computer Virus
– for further details, please refer to Attachment 1 –
The detection number [1] of viruses was about 1.79M, a decrease of about 30% from about 2.56M in March. The decrease came mainly from W32/Netsky, whose detection number fell by about 0.67M, from about 2.03M in March to about 1.36M in April. The reported number [2] in April was 3,537, down about 17.4% from 4,270 in March.
[1] Detection number: the cumulative count of viruses found by the filers (reporters), as reported.
[2] Reported number: the count after aggregation: viruses of the same type, including variants, reported by the same filer on the same day are counted as one case, regardless of how many viruses were actually found by that filer on that day. In April, the reported number was 3,537, while the aggregated detection number was about 1.79M.
The highest detection number was for W32/Netsky, about 1.36M; the second was W32/Mytob, about 0.27M; and the third was W32/Bagle, about 0.06M.

(Note: numbers in parentheses in the chart are the previous month's figures.)
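The two footnotes above define the report's statistics in a way that is easy to confuse. As an added example, not part of the IPA report, the following Python code implements both rules over a few constructed virus-report records (the filer names, dates, variants and counts are invented for illustration): the detection number is the raw sum of samples found, while the reported number counts one case per filer, per day, per virus family, with variants merged. It also ranks families by detection number, as the monthly chart does.

```python
"""
Added example (not from the IPA report): how the "detection number"
(footnote [1]) and the "reported number" (footnote [2]) relate.
All records below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class VirusReport:
    filer: str      # organisation or individual that submitted the report
    date: str       # day the viruses were found, YYYY-MM-DD
    family: str     # virus name as aggregated, e.g. "W32/Netsky"
    variant: str    # variant letter; ignored when counting cases
    count: int      # samples of this variant found by the filer that day


def detection_number(reports):
    """Footnote [1]: cumulative count of every sample found."""
    return sum(r.count for r in reports)


def reported_number(reports):
    """Footnote [2]: one case per (filer, day, family); variants and
    the number of samples found that day do not add further cases."""
    return len({(r.filer, r.date, r.family) for r in reports})


def top_families(reports, n=3):
    """Families ranked by detection number, as in the monthly chart."""
    totals = Counter()
    for r in reports:
        totals[r.family] += r.count
    return totals.most_common(n)


# Constructed sample data (illustrative only; not the report's figures).
SAMPLE = [
    VirusReport("isp-a", "2006-04-03", "W32/Netsky", "P", 1200),
    VirusReport("isp-a", "2006-04-03", "W32/Netsky", "Q", 300),   # same case as the line above
    VirusReport("isp-a", "2006-04-04", "W32/Netsky", "P", 900),   # new day: new case
    VirusReport("isp-b", "2006-04-03", "W32/Netsky", "P", 50),    # new filer: new case
    VirusReport("isp-b", "2006-04-03", "W32/Mytob", "AB", 400),
    VirusReport("user-c", "2006-04-10", "W32/Bagle", "AG", 1),
    VirusReport("user-c", "2006-04-10", "W32/Mytob", "A", 2),
]

if __name__ == "__main__":
    print("detection number:", detection_number(SAMPLE))   # 2853
    print("reported number: ", reported_number(SAMPLE))    # 6
    print("top families:    ", top_families(SAMPLE))
```

Note that isp-a's two Netsky variants on 3 April are 1,500 detections but a single reported case, which is why the report's detection number can fall by hundreds of thousands while the reported number moves only by a few hundred.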
II. About Spyware
Among the spyware (*1) consultations, there were cases where spyware was installed simply by clicking an image on an adult site, etc., and the user's regularly used e-mail address was stolen.
In most of these cases the consultants had installed the spyware themselves, disregarding the alerts that their computer had displayed beforehand. If anything seems questionable, be sure to check the "type" of the file and the "source" of the file, and do not click to execute it unless you have confirmed that it is safe.

<Reference>
Reminder for the Month: "Malicious Code may be Installed if You Ignore Alerts!" – Don't Neglect Alerts – (January 2006)
http://www.ipa.go.jp/security/english/virus/press/200601/E_PR200601.html
Brochure for Anti-Spyware Measures (in Japanese)
http://www.ipa.go.jp/security/antivirus/shiori.html
III. Reporting Status for Unauthorized Computer Access (includes consultations)
– please refer to Attachment 2 for further details –
Reports of unauthorized computer access and consultations accepted
                            | Nov. | Dec. | Jan. '06 | Feb. | Mar. | Apr. |
Total reported (a)          |  24  |  25  |    50    |  26  |  38  |  15  |
  Damaged (b)               |  15  |  19  |    13    |  15  |  10  |   7  |
  Not damaged (c)           |   9  |   6  |    37    |  11  |  28  |   8  |
Total consultations (d)     |  30  |  25  |    43    |  42  |  24  |  27  |
  Damaged (e)               |  18  |  15  |    23    |  24  |  12  |  15  |
  Not damaged (f)           |  12  |  10  |    20    |  18  |  12  |  12  |
Grand total (a + d)         |  54  |  50  |    93    |  68  |  62  |  42  |
  Damaged (b + e)           |  33  |  34  |    36    |  39  |  22  |  22  |
  Not damaged (c + f)       |  21  |  16  |    57    |  29  |  40  |  20  |
1. Reporting Status of Unauthorized Computer Access
The number of reports for April was 15, of which 7 involved actual damage.
2. Accepting Status of Consultations for Unauthorized Computer Access, etc.
Consultations related to unauthorized computer access numbered 27, of which 15 involved some form of damage (3 of these were also counted among the reports above).
3. Status for Damage
Breakdown of the damage reports: intrusion, 5; DoS attack, 1; and other (damaged), 1. Breakdown of the intrusion reports: system hijacked through an SQL (*2) injection attack (*3), 1; web content set up for phishing (*4) placed on an intruded web server, 1; intrusion following attacks on the port (*6) used for SSH (*5), 1; etc.
Damage Instances:
[Intrusion]
(i) Intrusion by SQL Injection Attack
<Instance>
The system was hijacked by an SQL injection attack via the web server. A tool to be used as a stepping stone for further attacks was embedded.
Even after we implemented certain workarounds against the SQL injection attack, attacks on the web servers persistently continued and the network load became considerably heavy.
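The instance above does not describe the vulnerable code, so the following is an added example, not the affected site's code and not part of the IPA report, showing the mechanism defined in glossary entry (*3) on a minimal login query. The users table, the account "alice", its password and the attacker's input are all constructed for illustration; the point is the difference between building SQL by string concatenation and passing user input as a bound parameter.

```python
"""
Added example (not from the IPA report or any real site): SQL injection
on a login query, with the vulnerable form beside the hardened form.
Uses Python's built-in sqlite3 so it runs offline; the table and the
user data are constructed for illustration.
"""
import sqlite3


def make_db():
    """In-memory database with one constructed user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn


def login_vulnerable(conn, name, password):
    """Vulnerable: user input is spliced into the SQL text, so quotes in
    the input become SQL syntax and the attacker's own SQL is executed
    (glossary (*3))."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, name, password):
    """Hardened: a parameterised query. The SQL text is fixed and the
    values travel separately, so input is always treated as data."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


# A classic payload: closes the string literal, adds an always-true
# condition, and comments out the rest of the original query.
PAYLOAD = "' OR '1'='1' --"


def demo():
    """Run both forms against the payload and a genuine password."""
    conn = make_db()
    return {
        "vulnerable, payload":  login_vulnerable(conn, "alice", PAYLOAD),  # True: bypassed
        "safe, payload":        login_safe(conn, "alice", PAYLOAD),        # False
        "safe, real password":  login_safe(conn, "alice", "correct-horse"),  # True
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:22s} -> logged in: {ok}")
```

The query the vulnerable path actually executes becomes `... AND password = '' OR '1'='1' --'`, which SQL evaluates as true regardless of the password. Web application firewalls and input filtering, the kind of "workaround" mentioned in the instance, only raise the bar; replacing concatenated queries with parameterised ones removes the class of bug.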
(ii) Home Page Alteration
<Instance>
We found that the top page of the website operated by our organization had been altered.
Some time before this happened, when our server had trouble, the hard disk was expanded and the data was transferred. On that occasion the access permissions were not set up properly, and we believe the cause was that users who had not been granted permission were able to gain access.
[Others (Damaged)]
(iii) Spoofing
<Instance>
I became unable to log in to the free mail site I had been using. It seemed that my password had been changed.
I learned from a friend's mail to my cell phone that I "had been sending many questionable mails" to the friend. From his/her explanation, it seemed that my personal information registered on the free mail (*7) site, the contents of the mails I had exchanged, etc. had been sent to most of the addresses saved in my address book.
Besides this, my accounts on other sites were also used fraudulently, and a number of mails were sent automatically.
IV. Accepting Status of Consultation
The gross number of consultations for April was 904, remaining at a high level. Notable among them were consultations about high-pressure selling of "security software", 40 (March: 4). Others were consultations about "One-Click Billing Fraud", 161 (March: 131), and consultations about Winny, 83 (March: 196), etc.
Movement in the total number of consultations accepted by IPA
                            | Nov. | Dec. | Jan. '06 | Feb. | Mar.  | Apr. |
Total                       |  673 |  653 |    748   |  834 | 1,056 |  904 |
  Automatic Response System |  379 |  391 |    425   |  479 |   659 |  510 |
  Telephone                 |  220 |  194 |    228   |  258 |   296 |  206 |
  e-mail                    |   66 |   66 |     87   |   90 |    99 |   86 |
  Fax, others               |    8 |    2 |      8   |    7 |     2 |    2 |
*IPA provides consultation and advice on computer viruses and unauthorized computer access, as well as on other information security issues in general.
Mail: for virus issues, for cracking issues.
Tel.: +81-3-5978-7509 (24-hour automatic response)
Fax: +81-3-5978-7518 (24-hour automatic response)
*The total case number includes the numbers in the "Total consultations (d)" row of the chart in "III. Reporting Status for Unauthorized Computer Access".
*"Automatic Response System": number of cases handled by the automatic response system
*"Telephone": number of cases handled by Security Center personnel
Major consultation instances related to high-pressure selling of "security software" are as follows.
(i) A Sudden Alert While Browsing Web Pages...?
Consultation:
While net surfing, the following message is displayed: "Your PC may be infected by 'Black Worm'." It goes on to say: "The anti-virus you are using now cannot prevent your private information from spreading. To protect your PC from all possible threats, please download the program you are now viewing." Should I download the program?
(Reminder for the Month: please refer to Instance 1)
Response:
Be aware that a display is "suspicious" when you are alerted out of the blue while simply browsing web pages. A legitimate security product never displays a threatening message like the one in this instance. If you read the displayed information carefully, you will notice that the message is written in somewhat incorrect Japanese. If anything seems "suspicious", be sure not to click the "Next", "OK" or "Download" button casually. If you are worried about whether your PC is infected by a virus and/or spyware, check for infection with one of the free online scans at the following sites.
- Security Check by Symantec: http://www.symantec.com/securitycheck/
- Online Scan by Trend Micro: http://housecall.trendmicro.com/
- McAfee Free Scan: http://us.mcafee.com/root/mfs/default.asp
In addition, if the message is still displayed frequently, unauthorized software that displays ads of this kind may have been embedded on your PC; check for infection with an online scan in the same manner as above.
- Spyware Guide – Online Spyware Detection: http://www.spywareguide.com/onlinescan.php
(ii) Purchased as I Was Told and Installed...?
Consultation:
While I was using the Internet, an ad for "security software" was displayed. I purchased it by entering my credit card number and then installed it. Since then my PC has not worked properly. Is this a legitimate product? And can I return it?
Response:
Based on the consultant's information, we examined the web page that appears to be the vendor's; however, the corporate information of the manufacturer/seller, the contact details, etc. are unclear, and we concluded that the reliability of the product is low. If this is a fraud, returning the product is likely to be difficult. In the meantime, you should have your credit card number changed immediately. As for the payment, please consult your credit card company and/or the branch of the National Consumer Affairs Center of Japan nearest you.
In addition, if the security product cannot be installed successfully, or if your PC continues to work improperly, the last resort is to reinitialize your PC (Windows Me or XP users may be able to restore the PC with the "System Restore" function).
<Reference>
- National Consumer Affairs Center of Japan
http://www.kokusen.go.jp/map/ (in Japanese)
- Cyber Crime contacts of the Prefectural Police Headquarters
http://www.npa.go.jp/cyber/soudan.htm (in Japanese)
V. Access Status Captured by Internet Monitoring (TALOT2) in April
Internet Monitoring (TALOT2) captured a total of 349,562 unwanted (one-sided) accesses in April at 10 monitoring points; per monitoring point, this is about 1,165 accesses from about 305 sources per day.
The environment of each TALOT2 monitoring point is nearly the same as a general user's Internet connection, so general Internet users can be considered to receive about the same amount of unwanted (one-sided) access. In other words, on average your computer is accessed every day by about 305 unknown sources, about 4 accesses per source, and these accesses can be considered unauthorized.

Chart 5.1: Average number of unwanted (one-sided) accesses and of access sources per monitoring point per day
Chart 5.1 shows the number of accesses and the number of access sources per monitoring point per day for each month from November 2005 to April 2006. The chart shows that unwanted (one-sided) accesses appear to be decreasing moderately. While the content of the accesses can be said to be stabilizing (see also the statistics described later), the accesses excluded from those statistics because of their peculiarity remained numerous, as in the previous month:
- accesses targeting SSH (Secure Shell)
- SYN flood attack attempts targeting other computers
- accesses that appear to be connection requests from P2P file-sharing software
The access status in April is almost the same as in March. There appear to be many unauthorized accesses that target vulnerabilities in Windows, and most of these can be considered to be sent from computers infected by bots. Accesses to ports 135 (TCP) and 445 (TCP), which are remarkably numerous, target vulnerabilities in Windows.
In addition, accesses to ports 1026 (UDP) and 1027 (UDP), used for pop-up messages that abuse the Windows Messenger service (the service that delivers "net send" style pop-ups, not the Windows Messenger instant-messaging client), continued, although they tended to decrease in the second half of the month. However, accesses to ports 1028 (UDP), 1029 (UDP) and 103x (UDP) appear to have increased in the same period, and their content appears to be the same. Nowadays there are many pop-up messages and pop-up ads from adware during net surfing that urge anti-virus or anti-spyware measures; please be careful not to be fooled by them. As a countermeasure against accesses to 102x (UDP) and 103x (UDP), we encourage you to disable the Messenger service (for example through the Services console, services.msc) except in a well-managed LAN environment (e.g. a corporate LAN).

Chart 5.2: Access status of pop-up traffic abusing the Windows Messenger service
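The statistics in this section (accesses per monitoring point per day, distinct sources per day, and the per-port observations on 135/445 TCP and 102x/103x UDP) are straightforward to reproduce from raw sensor records. The following is an added example and not the TALOT2 system or its data: it assumes a simple one-line-per-packet record format, and the monitoring point name, addresses, timestamps and ports in the constructed sample are invented for illustration. It computes, per point and day, the access count, the distinct-source count, the accesses-per-source ratio the report quotes, and a breakdown over the port classes discussed above.

```python
"""
Added example (not TALOT2 or its data): per-monitoring-point, per-day
access statistics of the kind reported in this section, computed over
a few constructed sensor records.  The record format and every point
name, address, timestamp and port below are assumptions.
"""
from collections import defaultdict

# Port classes discussed in the text (assumed mapping for this example).
WINDOWS_RPC_SMB = {("tcp", 135), ("tcp", 445)}              # bot scanning for Windows flaws
MESSENGER_POPUP = {("udp", p) for p in range(1026, 1040)}   # 102x/103x UDP Messenger pop-ups
SSH = {("tcp", 22)}                                          # SSH attacks, excluded from main stats


def classify(proto, dport):
    """Label one access by the port class it falls into."""
    key = (proto, dport)
    if key in WINDOWS_RPC_SMB:
        return "windows-vuln"
    if key in MESSENGER_POPUP:
        return "messenger-popup"
    if key in SSH:
        return "ssh"
    return "other"


def parse(line):
    """Parse a constructed record such as
    '2006-04-01T00:12:03 point=p1 src=198.51.100.7 proto=tcp dport=445'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["day"] = ts[:10]            # YYYY-MM-DD part of the timestamp
    rec["dport"] = int(rec["dport"])
    return rec


def summarize(lines):
    """For each (monitoring point, day): number of accesses, number of
    distinct sources, accesses per source, and accesses per port class.
    A source that sends several packets counts once in 'sources', which
    is why the report can quote both 1,165 accesses and 305 sources."""
    acc = defaultdict(lambda: {"accesses": 0, "sources": set(),
                               "classes": defaultdict(int)})
    for line in lines:
        if not line.strip():
            continue
        r = parse(line)
        s = acc[(r["point"], r["day"])]
        s["accesses"] += 1
        s["sources"].add(r["src"])
        s["classes"][classify(r["proto"], r["dport"])] += 1
    return {
        key: {
            "accesses": s["accesses"],
            "sources": len(s["sources"]),
            "per_source": round(s["accesses"] / len(s["sources"]), 1),
            "classes": dict(s["classes"]),
        }
        for key, s in acc.items()
    }


# Constructed sample records (illustrative only; documentation address ranges).
SAMPLE_LOG = """\
2006-04-01T00:12:03 point=p1 src=198.51.100.7 proto=tcp dport=445
2006-04-01T00:12:05 point=p1 src=198.51.100.7 proto=tcp dport=135
2006-04-01T01:40:11 point=p1 src=203.0.113.9 proto=udp dport=1026
2006-04-01T01:40:11 point=p1 src=203.0.113.9 proto=udp dport=1027
2006-04-01T01:40:12 point=p1 src=203.0.113.9 proto=udp dport=1029
2006-04-01T03:05:00 point=p1 src=192.0.2.44 proto=tcp dport=22
2006-04-01T04:00:00 point=p1 src=198.51.100.7 proto=tcp dport=80
2006-04-02T09:30:00 point=p1 src=192.0.2.44 proto=tcp dport=445
""".splitlines()

if __name__ == "__main__":
    for key, stats in sorted(summarize(SAMPLE_LOG).items()):
        print(key, stats)
```

In the sample, the same source hits 1026, 1027 and 1029 UDP within a second, which is what the section's remark that the 102x/103x traffic has "the same content" looks like at packet level: pop-up spam sprayed over several Messenger service ports in one burst.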
For general computer users, to protect your PC from infection through such unauthorized accesses, we recommend keeping your computer always up to date and making effective use of anti-virus software and/or a personal firewall.
Further, as to the various kinds of protective software against viruses and unauthorized access (nowadays, products that combine anti-virus, a personal firewall and prevention of personal information leakage are increasing), we recommend using software provided by trustworthy vendors.
For further details on the information above, please also refer to the following site.
Attachment 3: Observation Status Captured by Internet Monitoring (TALOT2)
http://www.ipa.go.jp/security/english/virus/press/200604/TALOT200604.html
"Various statistics provided by other organizations/vendors are published on the following sites"
"Glossary"
(*1) Spyware:
Software that fraudulently collects information such as the user's personal information and access history and automatically sends it to a third party.
(*2) SQL (Structured Query Language):
A query language used for data manipulation and data definition in relational database management systems (RDBMS). Originally developed by IBM, it is now standardized by the American National Standards Institute (ANSI), the Japanese Industrial Standards (JIS), etc.
(*3) SQL Injection Attack:
An attack in which the attacker deliberately includes SQL statements in the data submitted as query input, so that the database server executes SQL commands of the attacker's choosing.
(*4) Phishing:
Attempts to steal the IDs and passwords of users who are lured to e-mails or websites that masquerade as those of legitimate organizations such as banks and other financial institutions. The word derives from "fishing", and several theories exist for its form: (i) "f" was replaced by "ph" following hacker naming convention, (ii) it blends "sophisticated" and "fishing", (iii) it is short for "password harvesting fishing", etc.
(*5) SSH (Secure Shell):
A protocol, and the program implementing it, for logging in to another computer over a network, executing commands on the remote computer and transferring files to it. Because the data on the network is encrypted, these operations can be carried out safely over the Internet.
(*6) Port:
An interface through which each service on a computer exchanges information with the outside. The numbers 0 to 65535 are used to identify ports, so they are also called port numbers.
(*7) Free Mail:
An e-mail service on the Internet provided free of charge.