This is a summary of the computer virus/unauthorized computer access incident reports for August 2006 compiled by IPA.
Reminder for the Month:
“Update Immediately when a Security Weakness (Vulnerability*) Is Publicized”
- Frequently check vulnerability information and the availability of modification programs (patches) -
In August 2006 there were a number of cases in which exploit code appeared shortly after Microsoft publicized a vulnerability (security hole); in some of them a virus exploiting the security hole broke out only 4 days after publication.
Typically, when a security hole is publicized, a modification program that resolves it is publicized at the same time. Microsoft provides its modification programs on its website.
Microsoft Update
http://update.microsoft.com/
Leaving security holes unresolved is risky: your computer is left in an unsecured state in which a virus can penetrate it. As the chart below shows, the period between the publication of security hole information and the outbreak of a virus exploiting it is getting shorter. To prevent damage by viruses, etc., be sure to resolve security holes immediately when information about them is publicized.
The period before a virus broke out was several weeks or several months in 2003 and 2004; since 2005 it has shortened drastically to several days.

The instances shown here are viruses that broke out after security hole information was publicized and that were announced in the emergency information column on IPA's Web pages.

* A vulnerability is a weakness in an existing system, application, etc. that lowers its security and causes unexpected events. It is also referred to as a security hole.
For computers in corporations/organizations, be sure to take vulnerability measures in accordance with the instructions of your system administrators. Applying a modification program may, however, cause failures in daily systems such as groupware; be sure to check the relevant vendor information in advance. If it is difficult to apply a modification program, apply preventive measures, etc. flexibly as a substitute.
Use of OSs whose support period has expired
Since the product support period for Windows 98/Me has already expired, no modification programs will be provided even if a vulnerability is found in them. It is risky to connect to the Internet or exchange mail with a computer in which a vulnerability remains. Please refer to the following site for further information on security.
Information from Microsoft
Announcement of the end of support for Windows 98 and Windows Me
http://www.microsoft.com/windows/support/endofsupport.mspx#EZ

(4) Brochure: How to Prevent Unauthorized Computer Access and (5) Brochure: How to Prevent Information Leakage have now been added to IPA's “Measures against a variety of fraudulent activities” series of brochures, and they are available on our homepage as well. Please make use of them to protect corporate/organizational security as well as your private security.
“Measures against a variety of fraudulent activities” series of brochures:
(1) Anti-virus Measures, (2) Anti-spyware Measures, (3) Anti-bot Measures, (4) How to Prevent Unauthorized Computer Access and (5) How to Prevent Information Leakage
http://www.ipa.go.jp/security/antivirus/shiori.html (in Japanese)
I. Reporting Status for Computer Viruses – for further details, please refer to Attachment 1 –
The detection number [1] of viruses was about 1.1M, a decrease of 28.4% from 1.54M in July. The reported number [2] of viruses was 3,434, a decrease of 0.6% from 3,455 in July.
[1] Detection number: Reported virus counts (cumulative) found by a filer.
[2] Reported number: Virus counts are aggregated: viruses of the same type, variants included, reported by the same filer on the same day are counted as one case, regardless of how many viruses (the actual number of viruses) that filer found on that day. In August, the reported number was 3,435 and the aggregated virus detection number was about 1.1M.
The highest detection number was for W32/Netsky with about 0.92M, followed by W32/Mytob with about 0.06M and W32/Bagle with about 0.05M.
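The two counting rules above, the cumulative detection number [1] and the de-duplicated reported number [2], plus the per-family ranking, are implemented below as an added example. This is not IPA's code; the filers, virus names and counts are constructed sample records, and the assumption that a virus family is the part of the name before the first "." is the example's own.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Constructed sample detection records (not IPA data). Each record is one
# filer's report: the filer, the virus name (family.variant), the report
# date, and how many copies of that virus the filer found that day.
@dataclass(frozen=True)
class Detection:
    filer: str
    virus: str   # e.g. "W32/Netsky.Q"; the family is the part before "."
    day: date
    count: int

SAMPLE = [
    Detection("filer-A", "W32/Netsky.Q", date(2006, 8, 1), 120),
    Detection("filer-A", "W32/Netsky.P", date(2006, 8, 1), 30),   # same family, filer and day: same case
    Detection("filer-A", "W32/Netsky.Q", date(2006, 8, 2), 95),   # next day: a new case
    Detection("filer-B", "W32/Netsky.Q", date(2006, 8, 1), 40),   # other filer: a new case
    Detection("filer-B", "W32/Mytob.AB", date(2006, 8, 1), 7),
    Detection("filer-C", "W32/Bagle.AG", date(2006, 8, 3), 2),
    Detection("filer-C", "W32/Bagle.AG", date(2006, 8, 3), 1),    # duplicate same-day report
]

def family(virus: str) -> str:
    """Strip the variant suffix: 'W32/Netsky.Q' -> 'W32/Netsky' (assumed naming)."""
    return virus.split(".", 1)[0]

def detection_number(records) -> Counter:
    """Detection number [1]: cumulative copies found, totalled per family."""
    totals: Counter = Counter()
    for r in records:
        totals[family(r.virus)] += r.count
    return totals

def reported_number(records) -> int:
    """Reported number [2]: the same family (variants included) reported by
    the same filer on the same day is ONE case, whatever the volume."""
    cases = {(r.filer, family(r.virus), r.day) for r in records}
    return len(cases)

def ranking(records, n: int = 3):
    """Families with the highest detection numbers, as quoted in the report text."""
    return detection_number(records).most_common(n)

if __name__ == "__main__":
    print("detection number:", sum(detection_number(SAMPLE).values()))  # 295
    print("reported number:", reported_number(SAMPLE))                  # 5
    print("top families:", ranking(SAMPLE))
```

With the sample records, 295 copies of viruses collapse into 5 reported cases; the gap between the two figures is exactly the difference the report's two headline numbers (about 1.1M versus 3,434) express.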

(Note: Numbers in parentheses are the figures for the previous month.)
II. Consultations about Damage from One-click Billing Fraud Remain Numerous!!
IPA continues to receive many consultations relating to “One-click Billing Fraud”. Consultations about actual damage include cases in which a user is billed simply for clicking a displayed image, and cases in which a billing screen is displayed every time the user starts up the computer or keeps reappearing at certain intervals.
A similar approach to charging a bill is “High-pressure On-line Selling”. In August 2006, newer approaches to “High-pressure On-line Selling” were also observed.
[Newer Approaches of High-pressure On-line Selling]
The user is made to download (exclusive) player software said to be necessary to view moving images. Once the user has downloaded the software, a billing screen automatically appears again and again at certain intervals.

To prevent such damage, do not download software casually if you are uncertain about the site. If you have suffered damage, be sure to contact us for countermeasures, as we provide free consultations. (Please also refer to page 7 for the consultation accepting status.)
<Reference>
Brochure for Anti-Spyware Measures (in Japanese)
http://www.ipa.go.jp/security/antivirus/shiori.html
III. Reporting Status for Unauthorized Computer Access (including consultations) – Please refer to Attachment 2 –
Reports of unauthorized computer access and accepting status of consultations
|                            | Mar. | Apr. | May | June | Jul. | Aug. |
| Total for Reported (a)     |  38  |  15  |  13 |  22  |  15  |  50  |
|   Damaged (b)              |  10  |   7  |   6 |  20  |   8  |  30  |
|   Not Damaged (c)          |  28  |   8  |   7 |   2  |   7  |  20  |
| Total for Consultation (d) |  24  |  27  |  23 |  32  |  31  |  24  |
|   Damaged (e)              |  12  |  15  |  11 |  19  |  18  |  13  |
|   Not Damaged (f)          |  12  |  12  |  12 |  13  |  13  |  11  |
| Grand Total (a + d)        |  62  |  42  |  36 |  54  |  46  |  74  |
|   Damaged (b + e)          |  22  |  22  |  17 |  39  |  26  |  43  |
|   Not Damaged (c + f)      |  40  |  20  |  19 |  15  |  20  |  31  |
1. Reporting Status of Unauthorized Computer Access
The reported number for August was 50, of which 30 were cases of actual damage.
2. Accepting Status of Consultations relevant to Unauthorized Computer Access, etc.
The number of consultations relevant to unauthorized computer access was 24, of which 13 (3 of them also counted in the reported number) were cases in which some sort of damage was reported.
3. Status of Damage
The breakdown of the damage reports was: intrusion 17, DoS attack (*1) 2, source address spoofing 1, etc. The breakdown of the damage caused by intrusion includes: alteration of Web pages 9, and being used as a stepping stone to attack other sites or to send spam (*2) mails 6. The causes of intrusion include 5 cases in which the password was identified by a password cracking (*5) attack against the port (*4) used for SSH (*3).
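The 5 intrusions above were traced to password cracking against the SSH port, which leaves a characteristic trace in the server's own log: a burst of failed logins from one source, sometimes followed by a success from that same source. The following is an added detection example, not IPA's code and not from the report's incident data; the log lines are constructed in the OpenSSH syslog format, the addresses come from documentation ranges, and the threshold (5 failures within 60 seconds) is an assumed tuning value.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines in OpenSSH syslog format (not from the report).
# 192.0.2.0/24 and 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = """\
Aug 12 03:14:01 dns2 sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Aug 12 03:14:03 dns2 sshd[2203]: Failed password for invalid user test from 192.0.2.10 port 51240 ssh2
Aug 12 03:14:05 dns2 sshd[2205]: Failed password for root from 192.0.2.10 port 51244 ssh2
Aug 12 03:14:06 dns2 sshd[2207]: Failed password for root from 192.0.2.10 port 51250 ssh2
Aug 12 03:14:08 dns2 sshd[2209]: Failed password for root from 192.0.2.10 port 51255 ssh2
Aug 12 03:14:09 dns2 sshd[2211]: Accepted password for root from 192.0.2.10 port 51260 ssh2
Aug 12 03:20:00 dns2 sshd[2301]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Aug 12 03:21:30 dns2 sshd[2303]: Accepted password for alice from 198.51.100.7 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse(lines, year=2006):
    """Yield (timestamp, result, user, ip) for each password-auth line; syslog
    has no year, so the caller supplies it."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # session open/close lines etc. are not relevant here
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(lines, threshold=5, window_s=60):
    """Return ip -> summary for sources reaching `threshold` failed passwords
    inside a sliding `window_s`-second window. A later successful login from
    the same source is recorded too: that is the 'password identified by
    cracking' pattern behind the intrusions in this report."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    alerts = {}
    for ts, result, user, ip in parse(lines):
        if result == "Failed":
            q = recent[ip]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"first_failure": q[0], "failures": len(q), "success_after": None}
        elif ip in alerts and alerts[ip]["success_after"] is None:
            alerts[ip]["success_after"] = (ts, user)
    return alerts

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

In the sample, 192.0.2.10 fails five times in seven seconds and then logs in as root, which is the event worth paging on; a single mistyped password from 198.51.100.7 never reaches the threshold. The same sliding-window logic applies to any service that logs per-attempt failures with a source address.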
Damage Instances:
[Intrusion]
(i) Exploited as a Stepping Stone…?
<Instance>
- While checking communication logs (*6), connection records were found from IP addresses that were not allowed to connect to the secondary DNS (*7) servers operated by an organization.
- When the servers were examined, it was found that an IRC server environment had been set up and that a file considered to be a rootkit (*8) had been placed on them.
- The likely cause of the intrusion was that the filtering of IP addresses allowed/refused to connect was insufficiently configured when the server machines were updated, so they were attacked directly from outside; in addition, their log-in passwords were easily guessable.
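The first sign of this intrusion was a connection record from an address that should never have reached the server. The following added example (not IPA's code, and not the organization's actual configuration or logs) automates that log check: an allow-list of networks is assumed, the connection log format and all addresses are constructed, and connections to the public DNS port are deliberately exempt because a name server must answer queries from anywhere.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed allow-list for a secondary DNS server (documentation address
# ranges): the organisation's own network and the primary server that sends
# it zone transfers. Only these may reach non-public ports.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.5/32")]

# Ports that offer a public service: the allow-list is not applied to them,
# because the DNS service itself must accept queries from any address.
PUBLIC_PORTS = {53}

# Constructed connection log lines (not from the report):
# "<date> <time> <proto> <src ip>:<src port> -> <dst ip>:<dst port>"
SAMPLE_LOG = """\
2006-08-14 02:10:33 TCP 198.51.100.5:49152 -> 192.0.2.53:53
2006-08-14 02:11:02 TCP 192.0.2.17:40001 -> 192.0.2.53:22
2006-08-14 02:15:44 TCP 203.0.113.9:51522 -> 192.0.2.53:22
2006-08-14 02:15:45 TCP 203.0.113.9:51523 -> 192.0.2.53:22
2006-08-14 02:40:10 TCP 203.0.113.9:51600 -> 192.0.2.53:6667
2006-08-14 03:01:00 UDP 203.0.113.77:1053 -> 192.0.2.53:53
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>TCP|UDP) (?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+)$"
)

def is_allowed(ip: str, networks=ALLOWED_NETWORKS) -> bool:
    """True if the source address falls inside one of the allowed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def unexpected_connections(lines, networks=ALLOWED_NETWORKS, public_ports=PUBLIC_PORTS):
    """Summarise connections to non-public ports from sources outside the
    allow-list: src ip -> {count, first, last, dports}."""
    found = defaultdict(lambda: {"count": 0, "first": None, "last": None, "dports": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        dport = int(m["dport"])
        if dport in public_ports or is_allowed(m["src"], networks):
            continue
        s = found[m["src"]]
        s["count"] += 1
        s["first"] = s["first"] or m["ts"]
        s["last"] = m["ts"]
        s["dports"].add(dport)
    return dict(found)

if __name__ == "__main__":
    for ip, info in unexpected_connections(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

With the sample log, only 203.0.113.9 is reported: two connections to the SSH port followed by one to port 6667 (the conventional IRC port), which is the sequence the instance describes. Passing an allow-list of 0.0.0.0/0 instead reproduces the "insufficient filtering" failure: every connection is accepted and the check reports nothing.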
(ii) Alteration of Home Pages…?
<Instance>
- A Web site was operated using a hosting service; however, the home pages on the site were altered unexpectedly.
- The hosting service (*9) company reported that a vulnerability in the Web applications stored on the shared server, alongside other users' Web sites, had been exploited and that some files on the server had been manipulated fraudulently from outside.
(iii) Many Error Mails Returned for Mails I Never Sent…?
<Instance>
- Many error mails reporting an “unknown addressee” were returned.
- The error mails appeared to be for spam mails containing unwanted ads and/or flyers. Although the source address was set to my mail address, I had never sent these mails.
- Because so many error mails were returned, the mail server became slow to respond.
IV. Accepting Status of Consultations
The gross number of consultations for August was 793. Of these, consultations relevant to “Online one-click billing fraud” numbered 204 (July: 159), consultations relevant to “High-pressure selling of software for security measures” 33 (July: 43), and consultations relevant to “Winny” 14 (March: 196, April: 83, May: 28, June: 15, July: 12), etc.
Movement in the total number of consultations accepted by IPA
|                           | Mar.  | Apr. | May | June | July | August |
| Total                     | 1,056 |  904 | 846 |  773 |  767 |   793  |
|   Automatic Response System |  659 |  510 | 484 |  423 |  444 |   460  |
|   Telephone               |   296 |  206 | 295 |  283 |  257 |   280  |
|   e-mail                  |    99 |   86 |  63 |   64 |   66 |    48  |
|   Fax, Others             |     2 |    2 |   4 |    3 |    0 |     5  |
* IPA provides consultation/advice on computer viruses and unauthorized computer access as well as on other information concerning overall security issues.
Mail: for virus issues, for crack issues.
Tel.: +81-3-5978-7509 (24-hour automatic response)
Fax: +81-3-5978-7518 (24-hour automatic response)
* The total case number includes the numbers in the Consultation (d) column of the chart in “III. Reporting Status for Unauthorized Computer Access” and “IV. Accepting Status of Consultations”.
* “Automatic Response System”: numbers accepted by the automatic response system
* “Telephone”: numbers accepted by Security Center personnel
Consultation Number for One-Click Billing Fraud

The major consultations for the month are as follows.
(i) This may be a newer one-click billing fraud…?
Consultation:
When I clicked a link, it took me to an adult site. I was eventually billed because I went ahead and clicked without checking. Although I restarted my computer, the billing screen still appears at intervals of several minutes. I am not willing to pay, as I did not intend to register with the site, and I want to delete the billing screen itself.
Response:
When we accessed the site that was reported to us, we found that it states that the “site is a pay site”; in addition, it leads the user to register by clicking through several confirmation steps. If you are not willing to pay, you should not go beyond its top page. In such cases, the user may not be excused even if he/she never intended to register with the site.
(ii) The security software that was forcibly sold may have been deleted…?
Consultation:
Since my computer alerted me that “my computer is infected by a virus”, I downloaded and installed the anti-virus software that the site urged me to install. However, a TV news program featured that anti-virus software, and now I know that the software was not reliable enough. I then tried to uninstall the software from the “addition/deletion of programs” option in the control panel, but the software icon still remains and the screen prompting me to purchase the software still appears constantly.
* 10 similar consultations were filed with IPA in August.
Response:
Even if you tried to uninstall the software from the “addition/deletion of programs” option, the name of the software may disappear from the program listing while the software itself remains on your computer. However, if the software was installed in a folder that also contains an uninstaller program, you may be able to uninstall the software by executing that program file directly. Please contact IPA's consultation window about the issue.
V. Accessing Status Captured by the Internet Monitoring (TALOT2) in August
In the Internet Monitoring (TALOT2), unwanted (one-sided) accesses in August totaled 387,534 cases at 10 monitoring points: the unwanted (one-sided) accesses captured at one monitoring point were about 1,250 accesses from about 321 sources per day.
The environment of each monitoring point in TALOT2 is nearly equal to a general user's Internet connection, so it can be considered that general Internet users receive the same amount of unwanted (one-sided) access. In other words, your computer is being accessed about 4 times each, in what can be considered unauthorized accesses, by 321 unknown people (sources) every day on average.

Chart 5.1: Number of Unwanted (One-sided) Accesses and Number of Sources per Monitoring Point per Day
Chart 5.1 shows the average number of accesses and number of sources per monitoring point per day from January to August 2006. According to this chart, unwanted (one-sided) accesses increased from the previous month. Although the overall composition of the accesses was stable, please be cautious, as new accesses that appear to target a newer Windows vulnerability have emerged.
The accessing status in August was almost the same as in July; new accesses to port 139 (TCP), which appear to target a newer Windows vulnerability, emerged. Unauthorized accesses targeting existing Windows vulnerabilities remained numerous, and most of them appeared to be sent from computers infected by bots. In addition, the increasing trend in the number of accesses continued from the end of July: accesses to port 22 (TCP), which aim to intrude into computers by password cracking attacks, also increased.
The accesses to port 139 (TCP) are considered to target a newer Windows vulnerability (MS06-040). Since exploit (proof-of-concept) code for the vulnerability has already been publicized, it is likely that bots embedding new worms and/or the exploit code are spreading.
Charts 5.2 and 5.3 show the transition in the number of accesses and the number of sources of accesses to port 139 (TCP), classified by source area. According to these charts, accesses from domestic sources increased on or after August 18, and accesses from sources in Korea also increased from August 23. Since no damage or inquiries were reported to IPA, we could not determine how serious the actual damage in Japan was; however, the domestic source computers appear to have been infected by a worm or bots. The increasing trend in the number of domestic accesses is a concern. In terms of the number of sources, accesses from Korea were tending to subside. Judging from the access patterns (number of accesses against the same monitoring point), domestic sources and Korean sources differed slightly, which suggests that different exploit code (either worms or bots (*10)) may have been involved.
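The figures in this section are two aggregations of the same raw observations: Chart 5.1 averages accesses and distinct sources per monitoring point per day, and Charts 5.2/5.3 count accesses and distinct sources to one port per day by source area. The following added example (not TALOT2's code, and the records are constructed, not monitoring data) computes both from a list of access records; the record layout, the monitoring point ids and the area labels are the example's own assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Access:
    day: date
    point: str   # monitoring point id (assumed layout)
    src: str     # source IP (constructed, documentation ranges)
    dport: int   # destination TCP port
    area: str    # source area label, e.g. "domestic", "Korea", "other"

# Constructed sample (not TALOT2 data): 2 monitoring points, 2 days.
SAMPLE = [
    Access(date(2006, 8, 17), "p1", "192.0.2.10", 445, "domestic"),
    Access(date(2006, 8, 17), "p1", "192.0.2.10", 139, "domestic"),
    Access(date(2006, 8, 17), "p1", "203.0.113.5", 22, "other"),
    Access(date(2006, 8, 17), "p2", "198.51.100.20", 445, "Korea"),
    Access(date(2006, 8, 18), "p1", "192.0.2.10", 139, "domestic"),
    Access(date(2006, 8, 18), "p1", "192.0.2.11", 139, "domestic"),
    Access(date(2006, 8, 18), "p1", "192.0.2.11", 139, "domestic"),
    Access(date(2006, 8, 18), "p2", "198.51.100.20", 139, "Korea"),
    Access(date(2006, 8, 18), "p2", "198.51.100.21", 139, "Korea"),
    Access(date(2006, 8, 18), "p2", "192.0.2.12", 139, "domestic"),
]

def per_point_per_day(records):
    """Average accesses and distinct sources per monitoring point per day
    (the quantities Chart 5.1 plots). Every point x observed day is in the
    denominator, so a point-day with no accesses counts as zero."""
    buckets = defaultdict(list)            # (point, day) -> [src, src, ...]
    for r in records:
        buckets[(r.point, r.day)].append(r.src)
    slots = len({r.point for r in records}) * len({r.day for r in records})
    accesses = sum(len(v) for v in buckets.values()) / slots
    sources = sum(len(set(v)) for v in buckets.values()) / slots
    return round(accesses, 1), round(sources, 1)

def port_by_area(records, port=139):
    """day -> area -> (accesses, distinct sources) for one destination port
    (the breakdown behind Charts 5.2 and 5.3)."""
    table = defaultdict(lambda: defaultdict(lambda: {"accesses": 0, "sources": set()}))
    for r in records:
        if r.dport != port:
            continue
        cell = table[r.day][r.area]
        cell["accesses"] += 1
        cell["sources"].add(r.src)
    return {day: {area: (c["accesses"], len(c["sources"])) for area, c in areas.items()}
            for day, areas in table.items()}

def headline_per_point_per_day(total, points, days):
    """The report's headline arithmetic: monthly total / points / days."""
    return round(total / (points * days))

if __name__ == "__main__":
    print("per point per day (accesses, sources):", per_point_per_day(SAMPLE))
    for day, areas in sorted(port_by_area(SAMPLE).items()):
        print(day, dict(areas))
    print("report headline:", headline_per_point_per_day(387_534, 10, 31))  # 1250
```

Counting distinct sources separately from accesses is what lets the report say that Korean sources were subsiding while their access volume was not yet negligible, and that domestic and Korean sources showed different per-point access patterns. The headline check reproduces the report's own figure: 387,534 accesses over 10 points and 31 days is about 1,250 per point per day.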
Corporations (organizations) that explicitly block unauthorized computer access from outside should have no problem; however, those using Windows computers connected directly to the Internet via a modem, etc. should apply the patches resolving the Windows vulnerability publicized by Microsoft on August 10 and use firewall functions as well, to prevent damage.
Individual computer users should take measures against unauthorized computer access by referring to the materials available from the following site.
- Brochure for Measures against Unauthorized Computer Access (in Japanese)
http://www.ipa.go.jp/security/antivirus/shiori.html

Chart 5.2: Transition in the Number of Accesses to Port 139 (TCP) Classified by Source Area in August 2006

Chart 5.3: Transition in the Number of Sources of Accesses to Port 139 (TCP) Classified by Source Area in August 2006
Details of the information above are available from the following site.
Attachment 3: Observation Status Captured by the Internet Monitoring (TALOT2)
http://www.ipa.go.jp/security/english/virus/press/200607/TALOT200608.html
“Various statistics provided by other organizations/vendors are publicized on the following sites”
@police: http://www.cyberpolice.go.jp/english/
Trendmicro: http://www.trendmicro.com/en/home/us/home.htm
McAfee: http://www.mcafee.com/us/
“Glossary”
(*1) DoS Attack (Denial of Service Attack): An attack that sends large quantities of data to a server in order to impose an excessive load, significantly lowering its performance or disabling its functions.
(*2) Spam: Junk mail and/or bulk mail, also simply referred to as “unwanted (one-sided) mail”. Whether commercial or not, spam refers to mail sent to an unspecified large number of recipients for the purpose of advertising and/or harassment.
(*3) SSH (Secure Shell): A protocol or program used to log in to another computer via a network, execute commands on a remote computer, and transfer files to another computer. Since the data on the network is encrypted, a series of operations over the Internet can be conducted safely.
(*4) Port: A window through which each service in a computer exchanges information with the outside. Numbers from 0 to 65535 are used for ports, so they are also called port numbers.
(*5) Password Cracking: Approaches for identifying someone else's password by analysis, etc. Approaches include the brute-force attack and the dictionary attack, and there are also programs written specifically for cracking.
(*6) Log: Records of the operating status of a computer or of the status of data communication. Generally, the operator's ID, the date and time of the operation, the contents of the operation, etc. are recorded.
(*7) DNS (Domain Name System): The system that maps host names on the Internet to IP addresses. It is a hierarchical, distributed database system in which DNS servers all over the globe work in coordination.
(*8) Rootkit: A set of software tools used by an attacker after intruding into a computer fraudulently. Generally, the set includes log alteration tools, backdoor tools and a group of altered system commands.
(*9) Hosting Service: A service in which part of the disk of a Web server connected to the Internet is rented to a client by a business for publishing content. It is also referred to as a rental server.
(*10) Bot: A kind of computer virus. It is created to manipulate an infected computer from outside through a network (the Internet).
The details are as follows:
- Attachment 1: Computer Virus Incident Report [Details]
- Attachment 2: Unauthorized Computer Access Incident Report [Details]
- Attachment 3: Observation Status by Internet Monitoring System (TALOT2)