This is a summary of computer virus/unauthorized computer access incident reports for May, 2006 compiled by IPA.
Reminder for the Month: “Be Cautious with e-mails Masquerading as Known Organizations!!”
- Do not Open Attachment Files to e-mails Carelessly!! -
It is possible to spoof the sender's address shown in an e-mail. There have already been instances in which virus-carrying e-mails were sent while impersonating a legitimate sender. In May 2006, it was reported in succession that e-mails with a virus attached had been sent to specific organizations while spoofing well-known organizations such as the Defense Agency and Nihon Keizai Shimbun Inc.
In these cases, the anti-virus vendors' responses were delayed because the viruses sent were newly emerged ones. As this case shows, a virus may go undetected even when anti-virus software is up to date. Furthermore, it may have been hard to recognize the e-mails as spoofed because their subject and body were written in Japanese. Even if an e-mail appears to come from a trustworthy organization, be cautious and do not open its attachment files carelessly.
More specifically, it is essential to check the file names listed in the attachment column of the e-mail (please refer to the charts below). For example, a file whose extension is “.exe” may be a virus; as a rule, you should not open it. If you must open the file for some reason, first scan it with anti-virus software or ask the sender about it, since it may be a new virus that existing anti-virus software cannot detect. Likewise, be cautious with files whose names end in “.pif”, “.scr”, “.bat”, “.com”, etc., as these are also likely to be viruses.
[Examples of the attachment file column included in e-mails]
Ex.1: Mailing Software (Outlook Express)   Ex.2: Mailing Software (Thunderbird)

* The latest version of Outlook Express has the option “Do not save or open attachment files that could be a virus” under the “Security” tab of “Options” in the “Tools” menu. If you are not a Windows XP user (Windows ME/2000, etc.), we encourage you to update to the latest version of Outlook Express. If you disable this option, be cautious, since you may then open files that could be virus files. To update Outlook Express, go to the Windows Update site via “Windows Update” on the “Start” menu.
<How to check whether a file is being spoofed by a virus>
To tell whether an icon (the small picture on the computer display that indicates the contents of a file) is being spoofed, use the following procedure: first “save” the attachment file to the “My Documents” folder or similar using the right mouse button, then check the type of the file (simply saving a file to your computer does not infect it).
For example, a virus (application file) whose icon is spoofed to look like a Microsoft Word document file can be identified as follows.
Right-click the saved file and display its properties. As shown in “Instances for the correct files”, the file type of a legitimate Word document with the Microsoft Word (document file) icon is always displayed as “Microsoft Word Document”. In the spoofed-icon instances, the file type of a file with the Microsoft Word (document file) icon is displayed as “Application” or similar, which reveals that the file is being spoofed. Do not open such files; delete them immediately.

The following chart lists the “properties” of other frequently used file types besides those introduced above. If the correlation between the icon and the file type differs from the chart below, the icon is being spoofed, so be sure not to open the file carelessly. Be especially cautious when the file type shown is “Application”.
<Correlation Chart for Icons, Type of Files and their Properties>
| Icon   | Type of Files             | Property                                        |
|--------|---------------------------|-------------------------------------------------|
| (icon) | Image file                | JPEG image / Bitmap image                       |
| (icon) | Animation file/Music file | Movie file / Windows Media Audio/Video file *note) |
| (icon) | Microsoft Excel file      | Microsoft Excel Worksheet                       |
*note) In addition, “Windows video/audio file”, “MP3 audio file”, “MIDI file”, “AIFF audio file”, “AU audio file” and “Microsoft TV recording file” are available in the default settings.
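As an added example (not code from the IPA report), the following Python function applies the two checks above to an attachment: it flags the executable extensions listed in the text, and it performs the “properties” check programmatically by comparing the extension in the file name with the file's leading bytes, so that an application (which always begins with “MZ”) carrying a Word or image name is reported as spoofed. The magic-number table and the sample attachments are constructed for the demo.

```python
# Added example (not from the IPA report): flag e-mail attachments whose name
# ends in an executable extension, and detect "spoofed icon" files whose name
# claims a document/image type but whose content is a Windows application.
# The signature table and the sample attachments are constructed for the demo.
import os

# Extensions the report names as likely virus carriers.
EXECUTABLE_EXTENSIONS = {".exe", ".pif", ".scr", ".bat", ".com"}

# Leading bytes ("magic numbers") of the file types in the report's chart:
# legacy Word/Excel files start with the OLE compound-document header,
# JPEG and BMP images with their own signatures. Windows applications
# always start with "MZ".
MAGIC = {
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    ".xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    ".jpg": b"\xff\xd8\xff",
    ".bmp": b"BM",
}
MZ = b"MZ"


def classify_attachment(name: str, head: bytes) -> str:
    """Return 'executable', 'spoofed', 'ok' or 'unknown' for one attachment.

    name: the file name shown in the mail client's attachment column
    head: the first bytes of the decoded attachment (at least 8)
    """
    # splitext takes the LAST extension, so "photo.jpg      .exe" is ".exe".
    ext = os.path.splitext(name.strip().lower())[1]
    # Step 1: the report's rule of thumb -- an executable extension is enough.
    if ext in EXECUTABLE_EXTENSIONS:
        return "executable"
    # Step 2: the "properties" check -- a document/image name on top of an
    # application ("MZ") body is the icon-spoofing trick described above.
    if head.startswith(MZ):
        return "spoofed"
    expected = MAGIC.get(ext)
    if expected is None:
        return "unknown"          # type not in our table; cannot judge
    return "ok" if head.startswith(expected) else "spoofed"


# Constructed sample attachments: (name, first bytes of content).
SAMPLES = [
    ("report.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8),
    ("report.doc", b"MZ\x90\x00\x03\x00\x00\x00"),           # spoofed Word icon
    ("photo.jpg                          .exe", b"MZ\x90\x00"),  # padded name
    ("invoice.scr", b"MZ\x90\x00"),
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        print(f"{name!r:45} -> {classify_attachment(name, head)}")
```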
I. Reporting Status for Computer Virus
– for further details, please refer to Attachment 1 –
The detection number [1] of viruses for May was about 1.78M. The number stayed at almost the same level as the 1.79M reported in April.
The reported number [2] for May was 3,651: an increase of about 3.2% from the 3,537 reported in April.
[1] Detection number: Reported virus counts (cumulative) found by a filer.
[2] Reported number: Virus counts are aggregated: viruses of the same type and their variants reported by the same filer on the same day are counted as one case, regardless of how many viruses, or what actual number of viruses, the same filer found on that day. In March, the reported number was 3,651 and the aggregated virus detection number was about 1.78M.
The highest detection number was for W32/Netsky with about 1.38M, followed by W32/Mytob with about 0.24M and W32/Mywife with about 0.05M.

(Note: numbers in parentheses are those in the charts for the previous month.)
II. About Spyware
Consultations about spyware (*1) continued in large numbers (more than 200 cases). Most of them concerned spyware that was installed automatically just by clicking an image or animated image on an adult site, etc., the so-called one-click billing fraud.
In such damage instances, the people consulting us tend to have installed the spyware themselves without noticing the security alert their computer had shown beforehand. If you simply wish to view an animated image or image, the following security alert is not displayed (Chart 2-1 is the first security alert that appears; when you choose “Run”, the security alert in Chart 2-2 appears to reconfirm). If you feel suspicious or unsure, be sure to check the file “type” and/or the file “source” information, and do not click “Run” or “Execute” unless its safety has been confirmed.

[Chart 2-1, Chart 2-2]
In actual instances, some users were fooled, led to malicious contents like those shown below, and suffered damage. This is one of the approaches that prompt the user to choose “Run” against the security alert generated by Windows, so that malicious code (spyware) masquerading as an animated image is installed automatically. Even if the user follows the procedure as instructed, no animated image is played; instead, the user installs spyware by his/her own action without knowing it.
<Approach by which Malicious Code Has Users Ignore the Windows Alert and Install Spyware, etc.>

[Chart 2-3]
The spyware introduced in the above approach is embedded in the animated image itself (the yellowed part in Chart 2-3). When you click the yellowed part, the Windows security functionality displays the alert screen (Chart 2-1). The malicious content prompts the user to click “Run” on that alert screen. When the user clicks “Run”, Windows displays the alert in Chart 2-2, where the malicious content again urges the user to click “Run”. If the user clicks “Run” again here, the spyware is installed automatically by the user's own action. This is a malicious method in that the Windows security functionality alerts properly, but the malicious content exploits this mechanism by showing the user a “procedure for browsing animated images securely” so as to make them click “Run” without feeling suspicious.
<Reference>
Reminder for the Month: “Malicious Codes may be Installed if You Ignore the Alert!” – Don't You Neglect an Alert, Do You? – (for January, 2006)
http://www.ipa.go.jp/security/english/virus/press/200601/E_PR200601.html
Brochure for Anti-Spyware Measures (in Japanese)
http://www.ipa.go.jp/security/antivirus/shiori.html
* Please also refer to the consultation instances in 4. (i) <Damage instances for intrusion>.
III. Reporting Status for Unauthorized Computer Access (includes consultation) – Please refer to Attachment 2 for further details –
Reports of unauthorized computer access and acceptance status of consultations
|                            | Dec. | Jan. ‘06 | Feb. | Mar. | Apr. | May |
|----------------------------|------|----------|------|------|------|-----|
| Total for Reported (a)     | 25   | 50       | 26   | 38   | 15   | 13  |
|   Damaged (b)              | 19   | 13       | 15   | 10   | 7    | 6   |
|   Not Damaged (c)          | 6    | 37       | 11   | 28   | 8    | 7   |
| Total for Consultation (d) | 25   | 43       | 42   | 24   | 27   | 23  |
|   Damaged (e)              | 15   | 23       | 24   | 12   | 15   | 11  |
|   Not Damaged (f)          | 10   | 20       | 18   | 12   | 12   | 12  |
| Grand Total (a + d)        | 50   | 93       | 68   | 62   | 42   | 36  |
|   Damaged (b + e)          | 34   | 36       | 39   | 22   | 22   | 17  |
|   Not Damaged (c + f)      | 16   | 57       | 29   | 40   | 20   | 19  |
1. Reporting Status of Unauthorized Computer Access
The reported number for May was 13, of which 6 were cases of actual damage.
2. Accepting Status of Consultations relevant to Unauthorized Computer Access, etc.
The number of consultations relevant to unauthorized computer access was 23, of which 11 (2 of these were also counted in the reported number) were cases in which some sort of damage was reported.
3. Status for Damage
The breakdown of the damage reports included: intrusion with 4, DoS attack with 1 and source address spoofing with 1. The breakdown of the intrusion reports included: intrusion via attacks on the port (*3) used for SSH (*2) with 2, web contents set up to be exploited for phishing (*4) with 1, etc.
Damage Instances:
[Intrusion]
(i) Attacks on the Port used by SSH
<Instance>
- A large number of access log (*5) entries was found during the investigation prompted by the notice that “a server in this organization is being attacked”.
- It was found that the password of a test account (*6), which should have been deleted earlier, had been cracked and used to log in to the server.
- A few days after the server was intruded, the log showed that more than 10,000 mails were sent from the server intensively within an hour or so. Most of them bounced as error mails for unknown addressees, and eventually the organization's mail server went down. Those mails were presumably being used for phishing fraud.
- Contrary to its original purpose, the router had been configured to allow SSH access from outside, which exposed the server to attacks and eventually allowed the intrusion. The cause may be that the router had not been reset at the time it should have been.
[DoS Attack (*7)]
(ii) Attacks Targeting Unauthorized Mail Relay?
<Instance>
- Frequent accesses to the mail server were found while checking the logs of servers under test.
- The accesses were judged to be attacks since the volume of the logs increased extremely rapidly, and the server's performance was significantly degraded as a result.
- Analysis of the access contents indicated that the attacks seemed to attempt unauthorized mail relay. In addition, attempts to log in with administrative authority were also found (these were all attempts only).
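The following Python example (added here; not from the report or from the organization involved) shows a detection that would have caught the intrusion in instance (i): it walks OpenSSH-style authentication log lines, counts failed password attempts per source and account, and reports a successful login that follows a run of failures or that uses an account believed to be retired. The log lines, host name, addresses and the retired-account list are constructed.

```python
# Added example (not from the IPA report): detect the pattern in damage
# instance (i) -- repeated SSH password failures from one source followed by a
# successful login, especially on an account that was supposed to be deleted.
# Log lines follow OpenSSH's syslog format; hosts, addresses and account
# names below are constructed for the demo.
import re
from collections import defaultdict

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+ ssh2$"
)

# Accounts the organization believes no longer exist (assumed for the demo).
RETIRED_ACCOUNTS = {"test"}


def find_suspicious_logins(lines, threshold=5):
    """Return a list of (user, src, failures_before_success, retired) tuples.

    A success is reported when the same (src, user) pair had at least
    `threshold` failures before it, or when the user is a retired account.
    """
    failures = defaultdict(int)   # (src, user) -> failed attempts so far
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                # not an auth line; ignore
        key = (m["src"], m["user"])
        if m["result"] == "Failed":
            failures[key] += 1
            continue
        retired = m["user"] in RETIRED_ACCOUNTS
        if failures[key] >= threshold or retired:
            hits.append((m["user"], m["src"], failures[key], retired))
        failures[key] = 0          # success resets the counter for this pair
    return hits


# Constructed sample log: a dictionary attack on "test" from 198.51.100.7 that
# eventually succeeds, and a normal login by "alice" with one typo.
SAMPLE_LOG = [
    "May 12 02:14:%02d srv1 sshd[%d]: Failed password for test from 198.51.100.7 port 41%03d ssh2"
    % (i, 3000 + i, i) for i in range(8)
] + [
    "May 12 02:14:09 srv1 sshd[3009]: Accepted password for test from 198.51.100.7 port 41009 ssh2",
    "May 12 09:01:00 srv1 sshd[3100]: Failed password for alice from 203.0.113.5 port 50001 ssh2",
    "May 12 09:01:05 srv1 sshd[3101]: Accepted password for alice from 203.0.113.5 port 50002 ssh2",
]

if __name__ == "__main__":
    for user, src, fails, retired in find_suspicious_logins(SAMPLE_LOG):
        tag = " (retired account!)" if retired else ""
        print(f"{src} logged in as {user} after {fails} failures{tag}")
```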
IV. Accepting Status of Consultation
The gross number of consultations for May was 846, which remains at an unchangingly high level. A remarkable consultation number was for “One Click Billing Fraud” with 210 (April: 161), the highest number since IPA began taking these statistics last year. In addition, consultations in relation to “high-pressured selling” with 41 (April: 40) continued to be reported in large numbers as in the previous month. Others included consultations about Winny with 28 (March: 196, April: 83), etc.
Movement in the entire number of consultations accepted by IPA
|                             | Dec. | Jan. ‘06 | Feb. | Mar.  | Apr. | May |
|-----------------------------|------|----------|------|-------|------|-----|
| Total                       | 653  | 748      | 834  | 1,056 | 904  | 846 |
|   Automatic Response System | 391  | 425      | 479  | 659   | 510  | 484 |
|   Telephone                 | 194  | 228      | 258  | 296   | 206  | 295 |
|   e-mail                    | 66   | 87       | 90   | 99    | 86   | 63  |
|   Fax, Others               | 2    | 8        | 7    | 2     | 2    | 4   |
*IPA consults/advises on computer viruses and unauthorized computer access as well as other information concerning overall security issues.
Mail: for virus issues, for crack issues.
Tel.: +81-3-5978-7509 (24-hour automatic response)
Fax: +81-3-5978-7518 (24-hour automatic response)
*The Total case number includes the number in the Consultation (d) column of the chart in “III. Reported Status for Unauthorized Computer Access” and “IV. Accepting Status of Consultation”.
*“Automatic Response System”: numbers accepted by the automatic response system
*“Telephone”: numbers accepted by the Security Center personnel
Consultation Number for One Click Billing Fraud

Major consultations for the month are as follows.
(i) Simply clicked at an adult site…
Consultation:
I was automatically registered when I clicked an image on an adult site that I had visited by chance while net-surfing, and a bill appeared on my computer. Since then, the bill has also been sent by e-mail and keeps appearing on my computer at intervals of several minutes. I tried scanning with several anti-virus programs, but no virus was detected. Is the last resort to initialize my computer?
Response:
Current consultation trends show that the characteristics of the malicious code installed on users' computers are quite similar even across different adult sites. If you can identify the “name of the site”, the “name of the service” and the “contact” written on the bill, most of this malicious code can be identified and deleted even when anti-virus software detects nothing. Do not give up; ask the IPA Security Center for consultation.
If you are a Windows XP and/or Me user, you may be able to restore the status before you visited the adult site using the “System Restore” function provided with your computer.
e.g.: in Windows XP, you can take the following steps: “Start” – “All Programs” – “Accessories” – “System Tools” – “System Restore”. (For measures to prevent damage before something happens, please refer to “2. About Spyware” in this summary report.)
(ii) Clicked a link in a questionable mail…
Consultation:
I received a suspicious e-mail from someone I do not know. I clicked the link in the mail saying “You won! Please click here.” anyway; suddenly, I was taken to a site and the message “You are registered” appeared on my computer. Since I wanted to withdraw from the membership, I tried to contact them by mail, but I have not heard from them so far. Since then, I have received many unwanted (one-sided) mails from dating sites.
Response:
Malicious Web sites hide a number of risks. To lure users to those sites, their operators tend to send mails with attractive subjects and/or contents that people may be interested in to an unspecified number of addresses. That is, not only suspicious sites but also suspicious mails compromise users. You may read the contents of a “suspicious” mail from someone you do not know, but you should never click a link in such a mail. You may be led to a malicious site that installs malicious code such as a virus and/or spyware (related information: please refer to the Reminder for the Month at the top of this page). You cannot technically stop receiving those unwanted (one-sided) mails: you need to take certain steps to have the senders stop sending them. You have to identify the source computer from the mail header information and ask the network administrator (provider, etc.) serving that source computer to handle it.
In addition, under the “Law Concerning Appropriate Transmissions in Specific e-Mail Communication” (Law #26 enacted in 2002), the following organizations have been designated as consultation, inquiry and information-providing organizations.
<Reference>
- Consultation relevant to Unwanted (One-sided) e-mails from dating sites, etc.
(Information provision and telephone consultation in relation to mails that conflict with the mandatory information requirements.)
Consulting Center for Unwanted (One-sided) Mails, Nippon Information Communications Association, designated organization by MIC: Ministry of Internal Affairs and Communications
http://www.dekyo.or.jp/soudan/top.htm (in Japanese)
- Consultation relevant to Unwanted (One-sided) e-mails for Trades such as High-Pressured Selling, etc.
(Information provision for mails that conflict with the restriction on retransmission, etc.)
Nihon Sangyo Kyokai (Nihon Industrial Association), designated organization by METI: Ministry of Economy, Trade and Industry
http://www.nissankyo.or.jp/ (in Japanese)
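As an added illustration of the header check that the response to consultation (ii) recommends (not IPA's code), this Python function walks a mail's “Received:” headers from the oldest hop upward and returns the first address outside private and loopback ranges, which is the computer the first receiving server actually saw. The sample message, host names and addresses are constructed.

```python
# Added example (not from the IPA report): find the originating computer of a
# mail from its "Received:" headers, as the response above advises doing
# before contacting the source's provider. The message is constructed.
import email
import ipaddress
import re

# Most MTAs write "from <name> (<helo> [<ip>])"; the bracketed IP is the
# address the receiving server saw on the connection, not what the sender
# claimed, so it is the value worth reporting.
FROM_IP = re.compile(r"from\s+\S+.*?\[(?P<ip>[0-9a-fA-F.:]+)\]", re.S)

# Hops inside these ranges are internal relays, not the originating computer.
SKIP = [ipaddress.ip_network(n) for n in
        ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def originating_ip(raw_message: str):
    """Return the first non-internal address found walking Received headers
    from the bottom (oldest hop) upward, or None if no hop carries one.

    The bottom-most Received header was added by the first server that
    received the mail, so it records the sending computer.
    """
    msg = email.message_from_string(raw_message)
    received = msg.get_all("Received") or []
    for header in reversed(received):        # oldest hop first
        m = FROM_IP.search(header)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue                         # malformed address; skip
        if any(ip in net for net in SKIP):
            continue                         # internal relay hop
        return str(ip)
    return None


# Constructed sample: two internal hops on top of the external sending host.
SAMPLE_MAIL = """\
Received: from mx.example.jp (mx.example.jp [203.0.113.10])
\tby mail.example.jp with ESMTP id abc123; Mon, 15 May 2006 10:00:05 +0900
Received: from [192.168.1.20] (localhost [127.0.0.1])
\tby mx.example.jp with SMTP; Mon, 15 May 2006 10:00:03 +0900
Received: from winner.example (unknown [198.51.100.77])
\tby mx.example.jp with SMTP; Mon, 15 May 2006 10:00:01 +0900
From: prize@winner.example
Subject: You won! Please click here.

Click http://winner.example/claim to register.
"""

if __name__ == "__main__":
    print("originating computer:", originating_ip(SAMPLE_MAIL))
```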
V. Accessing Status Captured by the Internet Monitoring (TALOT2) in May
In the Internet Monitoring (TALOT2), unwanted (one-sided) accesses in May totaled 317,490 cases over 10 monitoring points: the unwanted (one-sided) accesses captured at one monitoring point amounted to about 1,024 accesses from about 324 sources per day.
The environment of each monitoring point in TALOT2 is nearly equal to a general user's Internet connection, so it can be considered that general Internet users receive the same amount of unwanted (one-sided) access. In other words, on average your computer is accessed about 3 times a day, in a manner considered unauthorized access, by each of 324 unknown people (sources).


Chart 5.1: Unwanted (One-sided) Number of Accesses and Number of Sources per Monitoring Point per Day on Average
Chart 5.1 shows the average number of unwanted (one-sided) accesses and number of sources per monitoring point per day from January 2006 to May 2006. According to the chart, the number of unwanted (one-sided) accesses and the number of sources seem to have decreased moderately, and it can be said that the accessing status is stabilizing.
The accessing status in May was almost the same as that reported in April. There seemed to be many unauthorized computer accesses targeting vulnerabilities in Windows, most of them apparently sent from computers infected by bots (*7). Accesses to ports 135 (TCP) and 445 (TCP), which were remarkably numerous, target vulnerabilities in Windows. In addition, accesses to ports 1026 (UDP)/1027 (UDP) for pop-up spam messages exploiting the Windows Messenger Service continue.
Please refer to the following site for further details on the information mentioned above.
Attachment 3: Observation Status Captured by the Internet Monitoring (TALOT2)
http://www.ipa.go.jp/security/english/virus/press/200605/TALOT200605.html
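To make the per-monitoring-point figures concrete, the following Python function (an added example, not TALOT2's own code) aggregates constructed sensor events into the two metrics used in Chart 5.1, average accesses and average distinct sources per monitoring point per day, and ranks destination ports with the labels the text gives to 135/445 (TCP) and 1026/1027 (UDP). The event tuples and the port labels are assumptions for the demo.

```python
# Added example (not from the IPA report): summarise sensor events the way
# Chart 5.1 and the port discussion above do -- average accesses and distinct
# sources per monitoring point per day, plus the busiest destination ports.
# Events and port labels below are constructed for the demo.
from collections import defaultdict
from datetime import date

# Ports the report singles out and why (assumed wording).
PORT_LABELS = {
    ("tcp", 135): "Windows RPC - vulnerability scan / bot",
    ("tcp", 445): "Windows SMB - vulnerability scan / bot",
    ("udp", 1026): "Windows Messenger pop-up spam",
    ("udp", 1027): "Windows Messenger pop-up spam",
}


def summarise(events, points, days):
    """events: iterable of (point_id, date, src_ip, proto, dst_port).

    Returns (avg_accesses_per_point_day, avg_sources_per_point_day,
             [(proto, port, count, label), ...] sorted by count, highest first).
    Averages divide by points * days so quiet point-days count as zero.
    """
    total = 0
    sources = defaultdict(set)   # (point, date) -> distinct source addresses
    by_port = defaultdict(int)   # (proto, port) -> access count
    for point, day, src, proto, port in events:
        total += 1
        sources[(point, day)].add(src)
        by_port[(proto, port)] += 1
    point_days = points * days
    avg_access = total / point_days
    avg_sources = sum(len(s) for s in sources.values()) / point_days
    ranked = sorted(by_port.items(), key=lambda kv: -kv[1])
    top = [(proto, port, n, PORT_LABELS.get((proto, port), "other"))
           for (proto, port), n in ranked]
    return round(avg_access, 1), round(avg_sources, 1), top


# Constructed sample: 2 monitoring points observed over 2 days.
SAMPLE_EVENTS = [
    ("P1", date(2006, 5, 1), "198.51.100.1", "tcp", 445),
    ("P1", date(2006, 5, 1), "198.51.100.1", "tcp", 135),
    ("P1", date(2006, 5, 1), "198.51.100.2", "tcp", 445),
    ("P1", date(2006, 5, 2), "198.51.100.3", "udp", 1026),
    ("P2", date(2006, 5, 1), "198.51.100.4", "udp", 1027),
    ("P2", date(2006, 5, 1), "198.51.100.4", "tcp", 445),
    ("P2", date(2006, 5, 2), "198.51.100.5", "tcp", 22),
    ("P2", date(2006, 5, 2), "198.51.100.6", "tcp", 445),
]

if __name__ == "__main__":
    accesses, srcs, top = summarise(SAMPLE_EVENTS, points=2, days=2)
    print(f"{accesses} accesses from {srcs} sources per point per day")
    for proto, port, n, label in top:
        print(f"  {port}/{proto}: {n} ({label})")
```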
“Various Statistics Information Provided by Other Organizations/Vendors is Publicized at the Following Sites”
@police: http://www.cyberpolice.go.jp/english/
Trendmicro: http://www.trendmicro.com/en/home/us/home.htm
McAfee: http://www.mcafee.com/us/
“Interpretation of Glossary Terms”
(*1) Spyware:
Software that fraudulently acquires information such as the user's personal information, access history, etc. and automatically sends it to a third party.
(*2) SSH (Secure Shell):
A protocol or program used to log in to another computer via the network, execute commands on a remote computer and transfer files to another computer. Since data on the network is encrypted, a series of operations over the Internet can be done safely.
(*3) Port:
A window through which each service within a computer exchanges information with the outside. Numbers from 0 to 65535 are used for ports, so they are also called port numbers.
(*4) Phishing:
Activities that attempt to steal the IDs or passwords of users who access e-mail addresses or Web pages masquerading as those of certain groups such as legitimate banking/financial institutions. The origin of the word is “fishing”, but there are several theories: (i) “f” was switched to “ph” following the hacker naming convention, (ii) a combination of the words “sophisticated” and “fishing”, (iii) short for “password harvesting fishing”, etc.
(*5) Log:
Records of a computer's operating status or of the status of data communication. Generally, the operator's ID, the date and time of the operation, the contents of the operation, etc. are recorded.
(*6) Account:
The privilege that allows a user to use resources on a computer or the network; it also refers to the ID necessary for such use.
(*7) DoS Attack (Denial of Service):
An attack that sends a large quantity of data to place an excessive load on a server, in order to lower its performance significantly or to disable its functions.
- Attachment 3: Observation Status by Internet Monitoring System (TALOT2)