This is a summary of the computer virus and unauthorized computer access incident reports for September 2006 and for the 3rd Quarter of 2006 (July to September), compiled by IPA.
Reminder for the Month:
“Be Cautious with Virus Mails Masquerading as Distribution of a Modification Program!!”
- Eliminate security holes by downloading the modification program from legitimate sites -
A number of mails are currently being detected that claim to distribute a modification program (patch) that eliminates security holes (vulnerable parts) in Microsoft products (please refer to the Chart below). However, the file attached to such a mail is actually a virus (W32/Stration). If you click that file by mistake, you will be infected. Be sure not to click on it.
The normal procedure is that the user first accesses the vendor's site that provides the security software and downloads the modification program that suits the user's environment. A vendor never provides a modification program as an attachment to an e-mail. Such a mail may look helpful, but be careful not to be fooled by it.
Be sure to download modification programs from legitimate sites: if you are a Windows user, access “Microsoft Update” (http://update.microsoft.com/); if you are a Macintosh user, access “Software Update” (http://www.apple.com/support/downloads/).

Chart: Example of a Mail Sent by a W32/Stration Variant
Interpretation for W32/Stration
Be cautious of W32/Stration, which emerged in August 2006, and of its many variants that emerged in September and are now spreading. This virus spreads by sending mails with itself attached. If you open the attached file, you are infected, and your computer starts sending similar virus mails to the addresses stored in its address book.
Some variants additionally make the infected computer access sites prepared by the virus author and download spyware, etc. automatically, so you may suffer damage such as information leakage.
In the variants identified by IPA, the mail body and the name of the attached file are made to look like a patch from Microsoft that fixes security holes. Once the attached file is opened, it displays a success message such as “Update successfully installed.”, which makes it harder to realize that your computer is infected.
In addition, a rootkit (*1) installs itself on the computer secretly, which makes it harder to detect the infection afterwards. Because there are no explicit symptoms, you are likely to keep spreading virus mails without knowing that you are infected.
Since dealing with an infection after the fact is difficult and the damage tends to grow, be sure not to open files attached to mails carelessly.
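As an added illustration (not code from the IPA report), the following Python heuristic applies the rule given above, that a vendor never ships a patch as a mail attachment, to a parsed message: it flags an executable attachment combined with update or vendor wording in the subject, body or sender. The sample messages, the word lists and the function names are all constructed for this example.

```python
import email
from email import policy
from pathlib import PurePosixPath

# Extensions a vendor would never send as a "patch" in a mail attachment (assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Lure vocabulary used by fake-update mails (assumed, generic).
PATCH_WORDS = ("update", "patch", "hotfix", "security", "vulnerab")
VENDOR_WORDS = ("microsoft", "windows")


def executable_attachments(msg):
    """Return the names of attachments whose extension is executable on Windows."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if PurePosixPath(name.lower()).suffix in EXECUTABLE_EXTENSIONS:
            found.append(name)
    return found


def fake_patch_indicators(raw_mail):
    """Return the reasons a mail looks like a fake-patch lure; an empty list means no indicator."""
    msg = email.message_from_string(raw_mail, policy=policy.default)
    reasons = []
    execs = executable_attachments(msg)
    if not execs:
        # Without an executable attachment the mail cannot deliver a payload this way.
        return reasons
    reasons.append("executable attachment: " + ", ".join(execs))
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(w in text for w in PATCH_WORDS):
        reasons.append("text claims to be a security update")
    if any(w in text for w in VENDOR_WORDS):
        reasons.append("impersonates a vendor")
    sender = msg.get("From", "").lower()
    if any(w in sender for w in VENDOR_WORDS):
        reasons.append("sender claims to be the vendor")
    return reasons


# Constructed sample mails (not the report's chart); the addresses use the reserved .invalid TLD.
LURE_MAIL = """\
From: "Microsoft Security" <security@example.invalid>
To: user@example.invalid
Subject: Security Update for Windows
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="us-ascii"

Install the attached patch to fix a critical vulnerability.

--BOUNDARY
Content-Type: application/octet-stream; name="Security-Update.exe"
Content-Disposition: attachment; filename="Security-Update.exe"
Content-Transfer-Encoding: base64

AAAAAAAA

--BOUNDARY--
"""

BENIGN_MAIL = """\
From: colleague@example.invalid
To: user@example.invalid
Subject: Meeting notes
Content-Type: text/plain; charset="us-ascii"

Notes are in the shared folder.
"""

if __name__ == "__main__":
    for label, mail in (("lure", LURE_MAIL), ("benign", BENIGN_MAIL)):
        print(label, fake_patch_indicators(mail))
```

A mail gateway would quarantine anything that scores on the first indicator alone; the remaining indicators mostly help an analyst explain to users why the message was held.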
I. Reporting Status for Computer Virus – for further details, please refer to Attachment 1 –
The detection number [1] of viruses in September was about 1.05M, a 4.6% decrease from the 1.1M reported in August. The reported number [2] of viruses in September was 3,551, a 3.4% increase from the 3,434 reported in August.
| [1] Detection number | Reported virus counts (cumulative) found by a filer. |
| --- | --- |
| [2] Reported number | Virus counts are aggregated: viruses of the same type and its variants reported on the same day are counted as one case, regardless of how many viruses are actually found by the same filer on that day. In August, the reported number was 3,435 and the aggregated virus detection number was about 1.1M. |
The largest detection number was W32/Netsky with about 0.84M, followed by W32/Stration with about 0.06M and W32/Mytob with about 0.05M.

(Note: Numbers in parentheses are the previous month's figures.)
II. One-click Billing Fraud
In September 2006, 223 consultations about “one-click billing fraud” were filed with IPA, the largest number ever (April: 161, May: 210, June: 211, July: 159, August: 204).
- Risky sites are abundant; adult sites are not the only suspicious sites -
Damage from one-click billing fraud is caused mainly at adult sites. Recently, however, almost the same methodology has been identified not only at adult sites but also at investment-related sites. Such a site urges you to enroll as a member, claiming to provide members-only stock information with which you can earn a profit. When you click the membership button on the screen, the site is configured to download a malicious program such as a virus.

There were some consultations filed with IPA in which the consulter suffered damage related to one-click billing fraud while searching for videos or images of certain celebrities. Even if you have no intention of browsing adult sites, be cautious and do not forget that you always face such risks.
To prevent damage, try not to access suspicious sites, and even if you do, do not download anything carelessly. When the Windows security alert screen is displayed, be sure to click the “cancel” button so as not to proceed, and never click the “execution” button.
III. Reporting Status for Unauthorized Computer Access (includes consultation) – Please refer to Attachment 2 –
Reports of unauthorized computer access and acceptance status of consultations

| | Apr. | May | June | Jul. | Aug. | Sept. |
| --- | --- | --- | --- | --- | --- | --- |
| Total for Reported (a) | 15 | 13 | 22 | 15 | 50 | 46 |
| Damaged (b) | 7 | 6 | 20 | 8 | 30 | 21 |
| Not Damaged (c) | 8 | 7 | 2 | 7 | 20 | 25 |
| Total for Consultation (d) | 27 | 23 | 32 | 31 | 24 | 35 |
| Damaged (e) | 15 | 11 | 19 | 18 | 13 | 26 |
| Not Damaged (f) | 12 | 12 | 13 | 13 | 11 | 9 |
| Grand Total (a + d) | 42 | 36 | 54 | 46 | 74 | 81 |
| Damaged (b + e) | 22 | 17 | 39 | 26 | 43 | 47 |
| Not Damaged (c + f) | 20 | 19 | 15 | 20 | 31 | 34 |
1. Reporting Status of Unauthorized Computer Access
The reported number for September was 46, of which 21 involved actual damage.
2. Accepting Status of Consultations relevant to Unauthorized Computer Access, etc.
The number of consultations relevant to unauthorized computer access was 35, of which 26 (5 of which were also counted as reports) involved some sort of damage.
3. Status for Damage
The breakdown of the damage reports includes: Intrusion 7, Infection with Worms 8, Source Address Spoofing 1, etc.
The breakdown of damage caused by intrusion includes: alteration of Web pages or data stored on a server, 2; being used as a steppingstone to attack other sites or to send spam (*2) mails, 3. The causes of intrusion include 1 instance in which the password was cracked by a password cracking (*5) attack against the port (*4) used for SSH (*3).
Damage Instances:
[Intrusion]
(i) Exploited as a Steppingstone to attack other sites…?
<Instance>
- The provider contracted with the organization informed it that a computer whose IP address is managed by the organization was fraudulently logging in via SSH to servers outside.
- Investigation revealed that the password had been cracked by a dictionary attack (*6) over SSH and the servers had been intruded. In addition, a dictionary attack tool for SSH had been planted on the servers so that they could be used as a steppingstone to attack other sites. Since the log files (*7) had already been deleted, the details could not be determined.
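The instance above was noticed only after an outside provider complained, and the deleted logs blocked any deeper investigation. As an added example (not code from the IPA report), the following Python script shows the kind of check that would have surfaced the dictionary attack while it was in progress: it parses OpenSSH-style syslog lines, counts failed logins per source address inside a sliding time window, and records whether a successful login from the same address followed. The log lines, the threshold and window, and the function names are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the usual sshd/syslog format; addresses are from documentation ranges.
SAMPLE_AUTH_LOG = """\
Sep 10 03:12:01 host sshd[2311]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Sep 10 03:12:03 host sshd[2313]: Failed password for invalid user test from 198.51.100.23 port 51030 ssh2
Sep 10 03:12:05 host sshd[2315]: Failed password for root from 198.51.100.23 port 51041 ssh2
Sep 10 03:12:07 host sshd[2317]: Failed password for invalid user oracle from 198.51.100.23 port 51055 ssh2
Sep 10 03:12:09 host sshd[2319]: Failed password for invalid user guest from 198.51.100.23 port 51060 ssh2
Sep 10 03:12:11 host sshd[2321]: Accepted password for root from 198.51.100.23 port 51071 ssh2
Sep 10 08:45:12 host sshd[4002]: Failed password for alice from 192.0.2.10 port 40011 ssh2
Sep 10 08:45:20 host sshd[4004]: Accepted publickey for alice from 192.0.2.10 port 40012 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2006):
    """Parse one sshd line into (timestamp, result, user, source ip); syslog omits the year."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_dictionary_attacks(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with at least `threshold` failed logins inside `window`.

    Returns {ip: {"first": first failure time, "users": user names tried,
                  "success_after": (time, user) of a later successful login, or None}}.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    failures = defaultdict(list)
    alerts = {}
    for ts, result, user, ip in events:
        if result == "Failed":
            # Keep only the failures that fall inside the sliding window.
            failures[ip] = [f for f in failures[ip] if ts - f[0] <= window]
            failures[ip].append((ts, user))
            if len(failures[ip]) >= threshold and ip not in alerts:
                alerts[ip] = {
                    "first": failures[ip][0][0],
                    "users": sorted({u for _, u in failures[ip]}),
                    "success_after": None,
                }
        elif ip in alerts and alerts[ip]["success_after"] is None:
            # A success after a burst of failures is the sign the attack worked.
            alerts[ip]["success_after"] = (ts, user)
    return alerts


if __name__ == "__main__":
    for ip, info in detect_dictionary_attacks(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

Because an intruder who gains root can delete the local logs, as happened in the instance above, this check is only worth something when sshd logs are also forwarded to a separate log host; run it there, so the evidence stays out of the intruder's reach.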
(ii) Alteration of Home Pages…?
<Instance>
- Someone outside the organization informed it that “Your Home Pages may have been altered…?” Investigation revealed that a political assertion written in English had been placed on their Home Pages.
- They used the updated DNN (DotNetNuke), an OSS (Open Source Software) (*8) CMS (Contents Management System) (*9), for their sites. In addition, they had added third-party (*10) modules for DNN to their servers.
- It seemed that a vulnerability in the third-party modules for DNN was exploited. The vulnerability was addressed immediately, since its modification program had already been released.
[Others]
(iii) Accounts (*11) were used without permission…?
<Instance>
- My own account on one of the large portal sites was used by someone without my permission.
- Some goods were listed on a net auction without my knowledge, and my blog and my registration information were also altered.
- The cause was that my password had been cracked.
IV. Accepting Status of Consultation
The gross number of consultations for September was 933. Of these, consultations relevant to “One-click Billing Fraud” numbered 223 (August: 204), consultations relevant to “High-pressured selling of software for security measures” numbered 23 (August: 33), and consultations relevant to “Winny” numbered 9 (March: 196, April: 83, May: 28, June: 15, July: 12, August: 14), etc.
Movement in the entire number of consultations accepted by IPA

| | Apr. | May | June | July | August | Sept. |
| --- | --- | --- | --- | --- | --- | --- |
| Total | 904 | 846 | 773 | 767 | 793 | 933 |
| Automatic Response System | 510 | 484 | 423 | 444 | 460 | 575 |
| Telephone | 206 | 295 | 283 | 257 | 280 | 302 |
| e-mail | 86 | 63 | 64 | 66 | 48 | 51 |
| Fax, Others | 2 | 4 | 3 | 0 | 5 | 5 |
*IPA consults/advises on computer viruses and unauthorized computer access as well as other information concerning overall security issues.
Mail: for virus issues, for crack issues.
Tel.: +81-3-5978-7509 (24-hour automatic response)
Fax: +81-3-5978-7518 (24-hour automatic response)
*The total case number includes the number in the Consultation (d) column of the chart in “III. Reporting Status for Unauthorized Computer Access” and “IV. Accepting Status of Consultation”.
*“Automatic Response System”: numbers accepted by the automatic response system
*“Telephone”: numbers accepted by Security Center personnel
[Reference] Shift in the consultation number of one-click billing fraud

[Reference] Shift in the consultation number of on-line high-pressured selling of security software

The major consultations for the month are as follows.
(i) Anti-virus Software Detects “cookies (*12)”…?
Consultation:
I have become unable to connect to the Internet. When I scanned my computer with anti-virus software, a number of so-called “cookies” were detected. Is some information being leaked?
Response:
A cookie is not a virus. Since a cookie is not a program either, it cannot fraudulently execute commands or hijack your computer.
There may be other reasons why you cannot connect to the Internet. Be sure to confirm that your anti-virus software is not blocking the Internet connection, and also review your Internet configuration.
(ii) Information will not be Leaked if Using File Sharing Software Other than Winny…?
Consultation:
I believed that file sharing software other than Winny is not risky to use, because I misunderstood that it is Winny that gets infected by a virus and leaks information. I do not use Winny now, but I wish to know whether this idea is correct.
Response:
A number of the viruses that cause information leakage infect computers and then exploit Winny's functions. However, other viruses leak information by exploiting the functions of other file sharing software. Accordingly, it cannot be said that file sharing software other than Winny is safe either.
It is almost impossible to recover data once it has leaked onto a file sharing network. You should recognize that using file sharing software is a risky activity in itself.
In addition, some viruses have emerged that do not use the mechanisms of file sharing software to leak information. That is, your security is not ensured even if you are not using file sharing software. The most important thing is to prevent virus infection, and the fundamental measure is not to download or open suspicious files carelessly.
(Reference)
IPA – To Prevent Information Leakage by Winny (in Japanese)
http://www.ipa.go.jp/security/topics/20060310_winny.html
IPA – The 7 Anti-Virus Requirements for PC Users (in Japanese)
http://www.ipa.go.jp/security/antivirus/7kajonew.html
V. Access Status Captured by Internet Monitoring (TALOT2) in September
Accesses to port 139 (TCP) that began in the middle of August 2006 appear to target a vulnerability in Windows (MS06-040). This increase in accesses appears to have ended on or about September 15 (please refer to Charts 5.1 and 5.2).

Chart 5.1: Number of Accesses to Port 139 (TCP) Classified by Source Area, from August to September 2006

Chart 5.2: Number of Sources of Accesses to Port 139 (TCP) Classified by Source Area, from August to September 2006
Analyzing the accesses to port 139 (TCP) whose source area was domestic, there were 2 types of access pattern: a) accesses only to port 139 (TCP); and b) combined accesses that target multiple ports.
As for a), there is a high probability that a specific vulnerability was targeted by worms. As for b), it is probable that the accesses were conducted by bots that contain several exploit codes.
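The two patterns a) and b) above can be separated mechanically from sensor records. As an added example (not TALOT2 code or data), the following Python groups one-sided accesses by source address and labels each source as hitting only port 139, port 139 among several ports, or other ports only; it also totals sources and accesses per label, which is the same breakdown the report's charts present. The access records, the labels and the function names are constructed for this example.

```python
from collections import defaultdict

# Constructed sample of one-sided accesses seen at a monitoring point: (source ip, destination port).
# Addresses are from documentation ranges; this is not TALOT2 data.
SAMPLE_ACCESSES = [
    ("203.0.113.5", 139), ("203.0.113.5", 139), ("203.0.113.5", 139),
    ("203.0.113.77", 139), ("203.0.113.77", 445), ("203.0.113.77", 135),
    ("198.51.100.9", 139),
    ("198.51.100.40", 445), ("198.51.100.40", 135),
]


def classify_sources(accesses, focus_port=139):
    """Group accesses by source and label each source by the ports it touched.

    'focus_only'  : only the focus port was hit (pattern a, worm aimed at one vulnerability)
    'multi_port'  : the focus port plus others (pattern b, bot carrying several exploits)
    'other'       : the focus port was never hit
    """
    ports_by_src = defaultdict(set)
    count_by_src = defaultdict(int)
    for src, port in accesses:
        ports_by_src[src].add(port)
        count_by_src[src] += 1
    result = {}
    for src, ports in ports_by_src.items():
        if ports == {focus_port}:
            kind = "focus_only"
        elif focus_port in ports:
            kind = "multi_port"
        else:
            kind = "other"
        result[src] = {"kind": kind, "ports": sorted(ports), "accesses": count_by_src[src]}
    return result


def summarize(classified):
    """Count sources and accesses per label, the two quantities the report's charts plot."""
    summary = defaultdict(lambda: {"sources": 0, "accesses": 0})
    for info in classified.values():
        summary[info["kind"]]["sources"] += 1
        summary[info["kind"]]["accesses"] += info["accesses"]
    return dict(summary)


if __name__ == "__main__":
    classified = classify_sources(SAMPLE_ACCESSES)
    for src, info in classified.items():
        print(src, info)
    print(summarize(classified))
```

On real sensor data the label for a source should be computed over a day or longer, since a bot that sweeps ports sequentially can look like pattern a) in a short capture.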
In addition, when the source areas (source IP addresses) of these accesses were examined, it was found that many of the IP addresses are ones assigned to individual users by ISPs. This suggests that these individual users are infected with bots; be sure to take anti-bot measures if you notice symptoms such as your computer's performance becoming lower.
- Anti-bot Measures (in Japanese)
http://www.ipa.go.jp/security/antivirus/shiori.html
As can be seen from Chart 5.3, the average number of accesses for August and September was increasing; these accesses can be considered the cause.

Chart 5.3: Number of Unwanted (One-sided) Accesses and Number of Sources per Monitoring Point per Day
According to Internet Monitoring (TALOT2), the number of unwanted (one-sided) accesses for September 2006 totaled 402,772 across 10 monitoring points. This means that 1,366 accesses from 291 source areas were observed at a single monitoring point in a single day.
These accesses will not lead to damage for corporations (organizations) that explicitly block unauthorized computer access from outside; individual users who connect Windows computers directly to the Internet through a modem, etc., should be sure to resolve any vulnerabilities on their computers and to use firewalls, etc., to prevent damage.
Individual users should refer to the following site and be sure to take appropriate measures against unauthorized computer access.
- Brochure for Unauthorized Computer Access Measures (in Japanese)
http://www.ipa.go.jp/security/antivirus/shiori.html
For further details on the information above, please refer to the following site.
Attachment 3: Observation Status Captured by Internet Monitoring (TALOT2) (in Japanese)
http://www.ipa.go.jp/security/english/virus/press/200609/TALOT200609.html
“Various Statistics Provided by Other Organizations/Vendors are Published at the Following Sites”
@police: http://www.cyberpolice.go.jp/english/
Trendmicro: http://www.trendmicro.com/en/home/us/home.htm
McAfee: http://www.mcafee.com/us/
“Interpretation for Glossaries”
(*1) Root-kit: A set of software packages used by an attacker after intruding into a computer fraudulently. Generally, the package includes a log alteration tool, a backdoor tool, and a group of altered system commands.
(*2) Spam: Junk mail and/or bulk mail, or simply “unwanted (one-sided) mail”. Whether commercial in intent or not, spam refers to mail sent to an unspecified large number of recipients for the purpose of advertisement and/or harassment.
(*3) SSH (Secure Shell): A protocol or program used to log in to another computer via a network, execute commands on a remote computer, and transfer files to another computer. Since the data on the network is encrypted, a series of operations through the Internet can be conducted safely.
(*4) Port: An interface window for each service within a computer, used for exchanging information with the outside. Numbers from 0 to 65535 are used for ports, so they are also called port numbers.
(*5) Password Cracking: The approach of identifying someone else's password by analysis, etc. Approaches include brute-force attack, dictionary attack, etc., and there are also programs written exclusively for cracking.
(*6) Dictionary Attack: An attacking method that tries the words in a dictionary to work out a given password.
(*7) Log: Records of the operating status of a computer or the status of data communication. Generally, the operator's ID, the date and time of the operation, the contents of the operation, etc. are recorded.
(*8) OSS (Open Source Software): Software that can be freely redistributed because its source code is published.
(*9) CMS (Contents Management System): A site-building support tool that enables a user without technical knowledge to send and receive information on the web, provided that the user can prepare the contents (texts, images, etc.) to be published. A CMS manages content information such as texts, images and layouts centrally. In a broad sense, CMS also refers to software used for digital content management in general.
(*10) Third Party (3rd Party): A manufacturer that produces products compatible with other manufacturers' software/hardware.
(*11) Account: The privilege that allows a legitimate user to use resources on computers and/or on the Internet.
(*12) Cookie: A mechanism that enables user information and/or access information to be sent and received between web servers and browsers.
The details are as follows:
- Attachment 1: Computer Virus Incident Report [Details]
- Attachment 2: Unauthorized Computer Access Incident Report [Details]
- Attachment 3: Observation Status by Internet Monitoring System (TALOT2)
- Attachment 4: Computer Virus Incident Report for the 3rd Quarter (July to September)
- Attachment 5: Unauthorized Computer Access Incident Report for the 3rd Quarter (July to September)