This is a summary of the computer virus/unauthorized computer access incident reports for July 2006 compiled by IPA.
Reminder for the Month:
"If You Feel Something Suspicious, Be Sure to Go Back to Where You Were Before"
- Do not approach, and do not cross over to, suspicious sites -
As of July 2006, there were, as in the previous months, quite a few consultations relevant to one-click billing fraud and on-line high-pressure selling of security software.
Status of consultation numbers (April to July 2006)
| | April | May | June | July |
| One-click billing fraud | 161 | 210 | 211 | 159 |
| On-line high-pressure selling of security software | 40 | 41 | 24 | 43 |
| Gross consultation numbers | 904 | 846 | 773 | 767 |
In these cases, a number of sophisticated techniques are used to deceive users, such as:
- Luring users with the claim that images or video on an adult site can be viewed free of charge, having them download a malicious program without their knowledge, and then displaying bills on their screens over and over again (see the following pages for details).
- Alerting "Your computer is infected by a virus" in banner ads (*1) (see the following pages for details) and prompting users to purchase THEIR security software products (see also the consultation cases on p. 9), etc.
Approaches used to mislead users to questionable/suspicious sites (extracted from consultation cases)
- Via spam (*2) mail: having users click a link in the body of the spam, such as an unsolicited ad mail, which leads them to a questionable/suspicious site.
- Via the trackback (*3) of a blog: a link appended to a blog by the trackback mechanism that is not actually related to the article on the blog, and which may lead you to a questionable/suspicious site.
None of these will cause you trouble unless you click the link appended to the mail or blog. If you click a link unintentionally and it takes you to an unintended/strange site, go back (close the site) to where you were immediately.
*1 Advertisements appended to Web sites. When you click one, you are taken to the designated advertiser's site.
*2 Also referred to as unsolicited mail: mail sent to an unspecified number of users for the purpose of advertising or harassment.
*3 One of the features of a blog: an automatic communication mechanism that informs the other blogger that a blog writer is referring to his/her site via links on the blog.
Be cautious when you are on a suspicious site: such a site may hide a mechanism that has users download malicious programs while appearing only to display images.
<Mechanism Having Users Download Malicious Programs>
(figure)
<Mechanism for On-line High-Pressure Selling of Software Products>
(figure)
One-click billing fraud and on-line high-pressure selling of security software products both aim at monetary fraud. To deceive users, they use sophisticated techniques that take advantage of people's psychology. Technical measures alone, such as installing legitimate security software products and/or fixing security holes, may not sufficiently counter these malicious mechanisms.
In addition to the technical measures mentioned above, security habits such as "do not approach suspicious sites" and "do not casually download/run programs" are other important factors to follow.
I. Reporting Status for Computer Viruses
- for further details, please refer to Attachment 1 -
The detection number [1] was about 1.54M, a 5.9% decrease from 1.64M in June. The reported number [2] for July was 3,455, a 2.6% decrease from 3,547 in June.
[1] Detection number: virus counts (cumulative) found by a filer (reporter).
[2] Reported number: virus counts are aggregated: viruses of the same type and variants reported by the same filer on the same day are counted as one case regardless of how many viruses were actually found. In March, the reported number was 3,651, while the aggregated virus detection number was about 1.78M.
The highest detection number was for W32/Netsky with about 1.24M, followed by W32/Mytob with about 0.11M and W32/Bagle with about 0.09M.
(figure)
(Note: numbers in parentheses are the figures for the previous month)
II. Large Number of Consultations and Damages Caused by Spyware
<Instances>
- You receive fraudulent bills. (Spyware (*4) was embedded and the user's mail address was stolen when the user, believing the images and/or videos to be free, downloaded them.)
- Money in a bank account was fraudulently withdrawn by someone spoofing the legitimate user. (Spyware was embedded and the ID and password for on-line banking were stolen.)
To prevent such damage, be cautious not to download files casually, etc., and also take the following security measures.
1. Use anti-spyware software, update its definition files regularly, and run a spyware check.
2. Keep your computer always up to date (by using Windows Update, etc.).
3. Be cautious with suspicious sites and with mail from unknown people.
4. Harden your computer's security (by enabling the firewall function of Windows XP, raising the browser's security level, etc.).
5. Back up necessary files for your further security.
The above measures should be adopted on computers the users can manage themselves. Never enter important information such as your private information on computers where it is uncertain whether the above measures are in place (e.g. shared computers in an internet café, a public place, etc.).
<Reference>
Brochure for Anti-Spyware Measures (in Japanese)
http://www.ipa.go.jp/security/antivirus/shiori.html
If you are worried that your computer may be infected by spyware, check it using the free on-line scans provided by the following providers.
Free Online Scan
Services
Symantec security check
http://www.symantec.com/securitycheck/
Trendmicro On-line Scan
http://housecall.trendmicro.com/
McAfee Free Scan
http://us.mcafee.com/root/mfs/default.asp
Spyware Guide – On-line
Spyware Detection:
http://www.spywareguide.com/onlinescan.php
III. Reporting Status for Unauthorized Computer Access (including consultations)
- Please refer to Attachment 2 for further details -
Reports of unauthorized computer access and acceptance status of consultations
| | Feb. | Mar. | Apr. | May | June | Jul. |
| Total Reported (a) | 26 | 38 | 15 | 13 | 22 | 15 |
| Damaged (b) | 15 | 10 | 7 | 6 | 20 | 8 |
| Not Damaged (c) | 11 | 28 | 8 | 7 | 2 | 7 |
| Total Consultation (d) | 42 | 24 | 27 | 23 | 32 | 31 |
| Damaged (e) | 24 | 12 | 15 | 11 | 19 | 18 |
| Not Damaged (f) | 18 | 12 | 12 | 12 | 13 | 13 |
| Grand Total (a + d) | 68 | 62 | 42 | 36 | 54 | 46 |
| Damaged (b + e) | 39 | 22 | 22 | 17 | 39 | 26 |
| Not Damaged (c + f) | 29 | 40 | 20 | 19 | 15 | 20 |
1. Reporting Status of Unauthorized Computer Access
The reported number for July was 15, of which 8 involved actual damage.
2. Acceptance Status of Consultations relevant to Unauthorized Computer Access, etc.
The number of consultations relevant to unauthorized computer access was 31, of which 18 (5 of these were also counted in the reported number) involved some sort of damage.
3. Status of Damage
The breakdown of the damage reports was: intrusion 5, DoS attack (*5) 2, and source address spoofing 3. The breakdown of the intrusion reports included: alteration of Web pages 1, takeover/destruction of data saved on the computer 2, etc.
Damage Instances:
[Intrusion]
(i) Alteration of Home Pages
<Instance>
- Discovered that my own publicly opened home pages had been altered.
- It was presumably intruded upon because of my negligence in leaving vulnerabilities in the OS.
- I had neglected to apply the patch for the vulnerabilities because of a lack of space on the hard disk.
(ii) Intrusion into Wireless LAN Routers
<Instance>
- Realized that someone had already logged in to the wireless LAN router (*6) when I tried to log in from its setup screen.
- The IP address used for logging in was not one of this organization's.
- The cause was that the administrator password for the router had not been configured. It had been assumed that the router could hardly be accessed or logged in to from outside.
[DoS Attack]
(iii) Attacks on Web Servers
<Instance>
- The Web server run by the user was continually made to reload Web pages for about 2 hours.
- The server became overloaded and eventually unable to respond.
- As a countermeasure, the page mainly accessed was temporarily closed and the source IP address was filtered.
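The countermeasure in instance (iii), filtering the source address once a single host is seen reloading pages continuously, can be derived from the Web server's own access log. The following is an added example written for this summary, not code from IPA or from the reporting organization: it parses combined-format log lines, counts requests per source over a sliding 60-second window, and emits an iptables rule for any source that exceeds the threshold. The log lines, the addresses, the reload interval and the 30-requests-per-minute threshold are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format: enough of it to recover source, timestamp and request line.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def parse_line(line):
    """Return (source IP, timestamp, request line), or None for a line that does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["src"], ts, m["req"]


def flooding_sources(lines, window_seconds=60, max_requests=30):
    """Sliding-window request counter per source IP.

    A source is flagged the first time it has more than max_requests inside any
    window_seconds span; the value is (time flagged, requests in the window then).
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed or truncated line: skip rather than crash the detector
        src, ts, _ = parsed
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop requests that fell out of the window
        if len(q) > max_requests and src not in flagged:
            flagged[src] = (ts, len(q))
    return flagged


def block_rule(src, port=80):
    """The source-address filter the report describes, as an iptables command (assumed Linux host)."""
    return f"iptables -I INPUT -s {src} -p tcp --dport {port} -j DROP"


def _fake_lines(src, start, count, every_seconds, path):
    """Constructed log lines for the sample below; not a real server log."""
    out = []
    for i in range(count):
        ts = start + timedelta(seconds=i * every_seconds)
        stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
        out.append((ts, f'{src} - - [{stamp}] "GET {path} HTTP/1.1" 200 5120 "-" "Mozilla/4.0"'))
    return out


JST = timezone(timedelta(hours=9))
START = datetime(2006, 7, 20, 10, 0, tzinfo=JST)
SAMPLE_LOG = [line for _, line in sorted(
    _fake_lines("198.51.100.23", START, 90, 2, "/index.html")   # reloads every 2 s for 3 minutes
    + _fake_lines("192.0.2.5", START, 10, 30, "/news.html")     # an ordinary visitor
)]

if __name__ == "__main__":
    for src, (when, n) in flooding_sources(SAMPLE_LOG).items():
        print(f"{src}: {n} requests in 60 s at {when.isoformat()}")
        print("  ", block_rule(src))
```

A real deployment should rate-limit before it hard-blocks, and should exempt known proxies, since one source address can represent many users; the report's own first step of temporarily closing the hot page buys the time needed to decide on the filter.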
IV. Acceptance Status of Consultations
The gross number of consultations for July was 767. Of these, consultations relevant to "on-line one-click billing fraud" numbered 159 (June: 211), consultations relevant to "high-pressure selling of software for security measures" 43 (June: 24), and consultations relevant to "Winny" 12 (March: 196, April: 83, May: 28, June: 15), etc.
Movement in the total number of consultations accepted by IPA
| | Feb. | Mar. | Apr. | May | June | July |
| Total | 834 | 1,056 | 904 | 846 | 773 | 767 |
| Automatic Response System | 479 | 659 | 510 | 484 | 423 | 444 |
| Telephone | 258 | 296 | 206 | 295 | 283 | 257 |
| e-mail | 90 | 99 | 86 | 63 | 64 | 66 |
| Fax, Others | 7 | 2 | 2 | 4 | 3 | 0 |
*IPA consults/advises on computer viruses and unauthorized computer access as well as other matters concerning security issues in general.
Mail:
for virus issues, for
crack issues.
Tel.: +81-3-5978-7509
(24-hour automatic response)
Fax: +81-3-5978-7518
(24-hour automatic response)
*The total case number includes the numbers in the Consultation (d) row of the chart in "III. Reporting Status for Unauthorized Computer Access" and "IV. Acceptance Status of Consultations".
*"Automatic Response System": numbers accepted by the automatic response system
*"Telephone": numbers accepted by Security Center personnel
Consultation Numbers for One-Click Billing Fraud
(figure)
The major consultations for the month are as follows.
(i) Alerted when I accessed a site I used to visit frequently...?
Consultation:
I accessed a site (in Japanese), which I had saved in my "favorites" list and used to visit frequently, after a long interval; the site had turned into a totally different English site. In addition, an alert message such as "Your PC is infected by virus." appeared on the screen, urging me to install certain anti-virus software. Is it truly reliable?
Response:
In this instance, the site in question had been hijacked by a malicious user for some reason. This can happen even with links from trustworthy sites; be cautious not to click "Yes" or "OK" casually on the sites you are taken to.
Moreover, legitimate manufacturers and/or providers of security products never send one-sided threatening messages like the one in the instance above: be careful not to download anything in haste.
<Reference>
Reminder for the month: "Be cautious with the High-Pressured Selling Activities of Software for Security Measures!!"
http://www.ipa.go.jp/security/english/virus/press/200604/E_PR200604.html
(ii) My PC malfunctioned after I installed so-called security software that an alert on the screen urged me to install...?
Consultation:
The screen froze when I left it as it was, even though it kept alerting "Your PC is infected by virus". Reluctantly, I downloaded and purchased the anti-virus software urged in the alert. Then the PC became unable to start up.
Response:
There is no telling what will happen if you run unreliable software, so it is necessary to check it thoroughly before installing it. When it malfunctions, it may be restored with the System Restore function if you are a Windows XP user; however, it is preferable to re-initialize your PC.
V. Access Status Captured by the Internet Monitoring System (TALOT2) in July
In the Internet Monitoring System (TALOT2), unwanted (one-sided) accesses in July totaled 336,361 across the 10 monitoring points: the unwanted (one-sided) access captured at one monitoring point amounted to about 1,085 accesses from about 298 sources per day.
The environment of each TALOT2 monitoring point is nearly equal to a general user's Internet connection, so general Internet users can be considered to receive the same amount of unwanted (one-sided) access. In other words, on average your computer is accessed every day by about 298 unknown sources, about 4 times each, in what can be considered unauthorized access.
(figure)
Chart 5.1: Number of Unwanted (One-sided) Accesses and Number of Sources per Monitoring Point per Day
Chart 5.1 shows the average number of accesses and the number of sources per monitoring point per day from January to July 2006. According to this chart, unwanted (one-sided) access increased from the previous month, but the access status appears to be stabilizing.
The access status in July is almost the same as in June. Most accesses appear to be attempts from computers infected by bots. In addition, be aware that the number of accesses tends to increase toward the end of the month.
In particular, ports 135 (TCP) and 445 (TCP), which receive a large number of accesses, are targeted for vulnerabilities in Windows. In addition, accesses to ports 1025 (UDP)/1027 (UDP) for pop-up spam messages exploiting the Windows Messenger Service continue.
Moreover, password cracking attacks (Description_1) targeting port 22 (TCP) and accesses to port 5900 (TCP), which may target vulnerabilities in RealVNC (Description_2), a remote access tool (please refer to the special note for June, Attachment 3), also continue. Both types of access attempt to intrude into the destination computers remotely: system administrators who run servers using such tools should review their operational standards and not neglect to fix vulnerabilities.
Specifically, the password cracking attack targeting port 22 (TCP) recorded remarkable figures in TALOT2 in July. During 3 days in the latter half of the month, the following accesses were observed in TALOT2, with port 22 (TCP) hit so intensively that they amounted to DoS attacks:
- accesses from a source in the U.S.A.: 242,511 accesses within 10 hours, or 6.7 times/sec.
- accesses from a source in Korea: 63,098 accesses within 4.5 hours, or 3.9 times/sec.
- accesses from a source in the U.S.A.: 33,959 accesses within 1 3/4 hours, or 5.4 times/sec.
(Description_1) The Password Cracking Attack Targeting Port 22 (TCP)
Accesses to port 22 (TCP) target SSH (Secure Shell: a command execution tool with an encrypted communication path, widely used for secure remote access) and attempt to intrude into a system by continually trying to log in with changing login IDs and passwords.
In TALOT2, an SSH server is operated to study the actual status of attacks on SSH. Port scans against port 22 (TCP), which is used by SSH, the actual password cracking attacks, and other unauthorized accesses can be monitored in TALOT2.
Upon finding an open (responding) port 22, attackers continually try to log in, changing IDs and passwords.
Please note that the accesses targeting password cracking at the SSH observation point are excluded from the regular data observed by TALOT2, as these attacks are specific to that observation point.
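The per-port breakdown above and the three bursts tabulated as accesses per second are straightforward to reproduce from a monitoring point's own records. The following added example, written for this summary and not part of TALOT2 or IPA's tooling, takes constructed (timestamp, source, protocol, port) records for one monitoring point, classifies them by the port classes named above, computes the accesses and distinct sources per day that the report quotes, and lists the sources whose volume on port 22 (TCP) amounts to the kind of sustained password-cracking burst described. All addresses, counts, durations and thresholds are invented for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# The port classes the report singles out and what the accesses to them are after.
PORT_NOTES = {
    ("tcp", 135): "Windows RPC (Windows vulnerabilities)",
    ("tcp", 445): "Windows SMB (Windows vulnerabilities)",
    ("udp", 1025): "Windows Messenger Service pop-up spam",
    ("udp", 1027): "Windows Messenger Service pop-up spam",
    ("tcp", 22): "SSH (password cracking)",
    ("tcp", 5900): "VNC (RealVNC vulnerabilities)",
}


def describe_port(proto, port):
    return PORT_NOTES.get((proto, port), "other")


def burst(src, proto, port, start, count, seconds):
    """Constructed helper: `count` accesses from `src` spread evenly over `seconds`."""
    step = seconds / count
    return [(start + timedelta(seconds=i * step), src, proto, port) for i in range(count)]


# Constructed sample for one monitoring point over two days. Addresses come from the
# documentation ranges and the volumes are invented; this is not TALOT2 data.
DAY = datetime(2006, 7, 20)
SAMPLE_ACCESSES = sorted(
    burst("198.51.100.7", "tcp", 22, DAY + timedelta(hours=2), 3600, 600)    # 6/s for 10 minutes
    + burst("203.0.113.9", "tcp", 22, DAY + timedelta(hours=5), 20, 7200)    # slow: 20 in 2 hours
    + burst("192.0.2.11", "tcp", 445, DAY + timedelta(hours=1), 50, 3000)
    + burst("192.0.2.12", "tcp", 135, DAY + timedelta(hours=3), 30, 1800)
    + burst("192.0.2.13", "udp", 1025, DAY + timedelta(hours=4), 10, 100)
    + burst("192.0.2.14", "tcp", 5900, DAY + timedelta(hours=6), 5, 60)
    + burst("192.0.2.11", "tcp", 445, DAY + timedelta(days=1, hours=1), 40, 2400)
)


def summarize_by_port(records):
    """Accesses per (protocol, destination port)."""
    return Counter((proto, port) for _, _, proto, port in records)


def daily_stats(records):
    """ISO date -> (accesses, distinct sources): the two figures the report quotes per point per day."""
    per_day = defaultdict(lambda: [0, set()])
    for ts, src, _, _ in records:
        day = per_day[ts.date().isoformat()]
        day[0] += 1
        day[1].add(src)
    return {d: (n, len(srcs)) for d, (n, srcs) in per_day.items()}


def average_per_day(stats):
    """Mean accesses and mean distinct sources per day over the days present."""
    days = len(stats) or 1
    return (sum(n for n, _ in stats.values()) / days,
            sum(s for _, s in stats.values()) / days)


def burst_sources(records, proto="tcp", port=22, min_accesses=100, min_rate=1.0):
    """Sources hammering one port: count, duration and accesses/second, as the report tabulates them."""
    times = defaultdict(list)
    for ts, src, p, dp in records:
        if (p, dp) == (proto, port):
            times[src].append(ts)
    found = []
    for src, ts_list in times.items():
        duration = (max(ts_list) - min(ts_list)).total_seconds()
        rate = len(ts_list) / max(duration, 1.0)   # a single access is not a burst
        if len(ts_list) >= min_accesses and rate >= min_rate:
            found.append({"src": src, "count": len(ts_list), "seconds": duration, "rate": rate})
    return sorted(found, key=lambda h: h["rate"], reverse=True)


if __name__ == "__main__":
    for (proto, port), n in summarize_by_port(SAMPLE_ACCESSES).most_common():
        print(f"{proto}/{port:<5} {n:>6}  {describe_port(proto, port)}")
    stats = daily_stats(SAMPLE_ACCESSES)
    print("per day:", stats, "average:", average_per_day(stats))
    for h in burst_sources(SAMPLE_ACCESSES):
        print(f"{h['src']}: {h['count']} accesses to tcp/22 in {h['seconds']:.0f} s = {h['rate']:.1f}/s")
```

The rate is count divided by the span between first and last access, which is exactly how the report's "242,511 times within 10 hours or 6.7 times/sec" is obtained; a slow trickle of logins over hours falls under both thresholds and is left to the regular per-day statistics.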
(Description_2) The Vulnerabilities in RealVNC
There exist vulnerabilities which allow users to bypass client authentication in RealVNC Server, remote operation software.
VU#117929: Vulnerability which allows a user to bypass authentication in RealVNC Server
http://www.kb.cert.org/vuls/id/117929
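The flaw behind VU#117929 sits in the RFB 3.8 security handshake: the server lists the security types it offers, the client answers with one type, and an affected RealVNC server did not check that the client's answer was in its own list, so a client could name the "None" type and skip authentication. The following is an added example written for this summary, not RealVNC's code: it plays both sides of that exchange against a server that offers only VNC authentication, once without the check (the vulnerable behaviour) and once with it (the fixed behaviour). Message formats follow RFC 6143; the state labels, the misbehaving client and the reason strings are constructed for illustration.

```python
import os
import struct

# RFB 3.8 security types (RFC 6143): 0 invalid, 1 None, 2 VNC Authentication.
SEC_INVALID, SEC_NONE, SEC_VNC_AUTH = 0, 1, 2
VERSION = b"RFB 003.008\n"


def security_types_message(offered):
    """Server -> client, right after both sides sent VERSION: u8 count, then one u8 per offered type."""
    return bytes([len(offered)]) + bytes(offered)


def parse_client_choice(msg):
    """Client -> server: a single u8 naming the security type it wants to use."""
    if len(msg) != 1:
        raise ValueError("security-type choice must be exactly one byte")
    return msg[0]


def security_result(ok, reason=""):
    """Server -> client SecurityResult: u32 0 = OK; u32 1 = failed, followed (in 3.8) by a reason string."""
    if ok:
        return struct.pack(">I", 0)
    r = reason.encode()
    return struct.pack(">II", 1, len(r)) + r


def server_handle_choice(offered, choice_msg, validate_choice):
    """Return (session_state, bytes_to_send).

    validate_choice=False models the VU#117929 behaviour: the server acts on whatever
    type the client names, so a client can name SEC_NONE although only VNC auth was
    offered and is let in without a password. validate_choice=True is the hardened
    server: a type outside the offered list is refused before any authentication logic.
    """
    choice = parse_client_choice(choice_msg)
    if validate_choice and choice not in offered:
        return "rejected", security_result(False, "security type was not offered")
    if choice == SEC_NONE:
        return "authenticated", security_result(True)
    if choice == SEC_VNC_AUTH:
        return "challenge-sent", os.urandom(16)   # the 16-byte random VNC auth challenge
    return "rejected", security_result(False, "unknown security type")


def run_exchange(validate_choice):
    """Both sides of the handshake: the server offers only VNC authentication, the
    (constructed, misbehaving) client answers with the None type anyway."""
    offered = [SEC_VNC_AUTH]
    client_choice = bytes([SEC_NONE])
    transcript = [("S->C", VERSION), ("C->S", VERSION),
                  ("S->C", security_types_message(offered)),
                  ("C->S", client_choice)]
    state, reply = server_handle_choice(offered, client_choice, validate_choice)
    transcript.append(("S->C", reply))
    return state, transcript


if __name__ == "__main__":
    for label, validate in (("vulnerable", False), ("fixed", True)):
        state, transcript = run_exchange(validate)
        print(f"{label}: final state = {state}")
        for direction, msg in transcript:
            print(f"  {direction} {msg!r}")
```

The whole fix is the single membership test on the client's one-byte answer; everything after that line is ordinary protocol handling. The same pattern, a server that trusts a client-chosen option instead of its own offer, is worth checking in any negotiation-style protocol.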
Please also refer to the following site for further information.
Attachment 3: Observation Status Captured by the Internet Monitoring System (TALOT2)
http://www.ipa.go.jp/security/english/virus/press/200607/TALOT200607.html
"Various Statistics Provided by Other Organizations/Vendors are Published at the Following Sites"
@police: http://www.cyberpolice.go.jp/english/
Trendmicro: http://www.trendmicro.com/en/home/us/home.htm
McAfee: http://www.mcafee.com/us/
"Glossary"
(*1) Banner advertisement: advertisement images appended to Web sites. They are designed to take you to the advertiser's Web site when you click one of the images.
(*2) Spam: junk mail and/or bulk mail, or simply "unwanted (one-sided) mail". Whether commercial in intent or not, spam refers to mail sent to an unspecified large number of recipients for the purpose of advertising and/or harassment.
(*3) Trackback: one of the blog functions. A mechanism which automatically notifies the other blogger that a blog writer is "linking" to their site to refer to it within the writer's blog.
(*4) Spyware: software which fraudulently acquires information such as a user's personal information, access history, etc., and automatically sends it to a third party.
(*5) DoS attack (Denial of Service attack): an attack which sends a large quantity of data to a server to put an excessive load on it, lowering its performance significantly or disabling its function.
(*6) Router: a communication device which connects and/or relays networks.
The details are as follows:
- Attachment 1: Computer Virus Incident Report [Details]
- Attachment 2: Unauthorized Computer Access Incident Report [Details]
- Attachment 3: Observation Status by Internet Monitoring System (TALOT2)