This is a summary of the computer virus and unauthorized computer access incident reports for October 2006, compiled by IPA.
Reminder for the Month:
"Be Sure to Discard (Delete) Unknown/Suspicious Mails Immediately!!"
- To prevent damage from viruses attached to e-mail, simply discard such mail without opening it, however interesting it looks! -
At present, a number of the consultations filed with IPA concern users who introduced a virus themselves. The typical case begins with a suspicious mail from an unknown sender; the user is taken in by an attractive web page and, by clicking buttons as instructed, downloads a virus or other malicious code. (Please refer to instance (i) under III. Accepting Status of Consultation.)
Opening an attachment out of curiosity, even when you know the mail is irrelevant spam, carries a real risk of damage such as virus infection. Moreover, the techniques used to get a user to click a button that installs a virus, spyware, etc. are becoming more sophisticated, and such mails are dressed up to look like ordinary advertisements.
Once infected, your computer may be hijacked or your private information leaked. The essential measure is therefore to discard (delete) suspicious mails immediately, without opening them.
The following are the typical kinds of suspicious mail. If you receive one, delete it immediately; as a rule, do not click its links or open its attachments.
The subjects actually used for spam mails are as follows.
- Privileges as a VIP membership
- Up-to-date industrial news
- Looking for new monitors!
- We are urgently looking for new companies! Go for it to earn $20.000.00 a month!
- You successfully won prizes! You got a Coupon for $100.00... and so on
The spam mails you need to watch for fall broadly into 4 categories by their nature. The fundamental descriptions of the 4 categories follow. Be aware that some of them carry viruses.
(1) Spam such as indiscriminate advertisements
Instances:
- Judging from its subject, it is an advertisement you have no interest in.
- Such mails keep arriving from the same address.
Note: Some spam mails include a web address in the body. Clicking it leads you to unrelated pages, where you may suffer damage such as virus infection.

(2) Sender differs each time, but the contents are the same
Instances:
- The sender differs, but the subject and contents are always the same.
- Both sender and subject differ, but the contents are always the same.
Note: These can be virus mails that spread infection by mass mailing. Be cautious: you are likely to be infected if you open one carelessly.

(3) Both sender and contents are unknown
Instances:
- Advertising mails for which you never signed up.
- Mails announcing that you have won a prize.
Note: These mails fool the user into believing a prize can be had free of charge, and the page displayed asks for private information. Once the user enters private information such as an e-mail address, name or postal address, it may be harvested fraudulently.

(4) Known sender, but the subject is strange or the contents feel different
Instances:
- A correspondent who always writes in Japanese, but whose latest mail is in a foreign language.
- A correspondent who never attaches files, but whose latest mail carries an attachment.
Note: Such mail is likely a virus mail with a spoofed sender address, and opening the attachment will cause damage. If you receive one, telephone the sender to confirm it is safe before opening it.
Spam (advertisement) mails of the kinds above often carry a message such as "if you wish to stop receiving this, please contact the address below", together with a contact address. Trusting that message and replying to stop distribution tells the spammer that your address exists and is actually in use. The sender then has another chance to use your address with malicious intent, and the spam only increases. Never reply to a spam sender; it is better to ignore the mail.
I. Reporting Status for Computer Virus
– for further details, please refer to Attachment 1 –
The detection number [1] of viruses was about 1.17M, an increase of 11.5% from the 1.05M reported in September. The reported number [2] of viruses in October was 3,696, an increase of 4.1% from the 3,551 reported in September.
[1] Detection number: the number of viruses found by a filer (cumulative over the reports).
[2] Reported number: the aggregated count. Viruses of the same type and variant reported by the same filer on the same day are counted as one case, regardless of how many were actually found. For example, in August the reported number was 3,435 while the aggregated detection number was about 1.1M.
The virus with the highest detection number was W32/Netsky at about 0.78M, followed by W32/Stration at about 0.22M and W32/Mytob at about 0.04M.
Chart 1-1
Chart 1-2
Be Cautious with the Spreading of W32/Stration:
W32/Stration, which emerged in August 2006, continued to circulate and to spawn new variants in October, as it did in September.
This virus spreads as an e-mail attachment. When you open the attachment, the computer is infected and similar virus mails are sent to the mail addresses stored on it.
Some variants additionally direct the user to a site, presumably prepared by the virus author, that downloads spyware and the like onto the computer, and the user may then suffer damage such as information leakage.
Furthermore, a rootkit (*1) is installed at the same time, which makes the virus hard to detect after infection. Since this virus (and its variants) shows no visible symptoms, the user tends to go on spreading virus mails without knowing that the computer is infected.
This enlarges the damage and makes response after infection difficult; be sure not to open e-mail attachments casually.
The following are the subjects and attachment file names most frequently used by the currently spreading variants of W32/Stration.
|     | Subject                        | File name most often attached  |
| (1) | This is not shown on TV.       | picture3135.zip                |
| (2) | This is not shown on TV.       | picture7484..gif.          exe |
| (3) | Liven War real pictures.       | picture2812..bmp.          exe |
| (4) | This must be seen by everyone. | picture6720..jpg.          exe |
| (5) | Server Report                  | text.txt.exe                   |
| (6) | URGENT NEWS!                   | last.exe                       |
| (7) | ATTN                           | about me.exe                   |
| (8) | NEWS!                          | latest news.exe                |
| (9) | READ AND RESEND ASAP!          | truth.exe                      |
In examples (2), (3) and (4) above, the variant uses a file name with a double extension and a run of spaces before the final ".exe", so that the recipient does not notice the ".exe" at the end and takes the file for an image. The other examples use "news"-style subjects and file names to catch the recipient's attention.
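The naming tricks described above (double extensions, whitespace padding in front of the real extension, archives whose contents cannot be judged from the name) can be checked mechanically before an attachment is ever opened. The following is an added example, not code from IPA or from the report; it runs over the file names listed in the table plus one constructed benign name, and the sets of executable, decoy and archive extensions are assumptions of this example, not lists from the report.

```python
import re

# Extensions Windows runs on double-click. A representative subset chosen for
# this example, not a list taken from the IPA report.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
# Content types an attacker places in front of the real extension as a decoy.
DECOY_EXTENSIONS = {"gif", "jpg", "jpeg", "bmp", "png", "txt", "doc", "pdf"}
ARCHIVE_EXTENSIONS = {"zip", "rar", "lzh"}

# The padding the report describes: a dot, a run of whitespace, then the real
# extension at the very end of the name.
PADDING_RE = re.compile(r"\.\s+[^.\s]+\s*$")


def extension_parts(name):
    """Lower-cased extension components with all whitespace removed, so that
    'picture7484..gif.          exe' yields ['gif', 'exe'] and the empty
    component produced by '..' is dropped."""
    compact = re.sub(r"\s+", "", name)
    return [p.lower() for p in compact.split(".")[1:] if p]


def check_attachment_name(name):
    """Return the reasons an attachment name looks like a disguised executable
    (an empty list means the name itself raises no flag)."""
    reasons = []
    exts = extension_parts(name)
    if not exts:
        return reasons
    final = exts[-1]
    if final in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{final}")
        if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
            reasons.append(f"double extension .{exts[-2]}.{final}")
        if PADDING_RE.search(name):
            reasons.append("whitespace padding hides the final extension")
    elif final in ARCHIVE_EXTENSIONS:
        reasons.append(f"archive .{final}: contents must be scanned before opening")
    return reasons


def triage(names):
    """Map each flagged name to its reasons; clean names are omitted."""
    result = {}
    for name in names:
        reasons = check_attachment_name(name)
        if reasons:
            result[name] = reasons
    return result


# The nine names from the report's table, plus one constructed benign name.
SAMPLE_NAMES = [
    "picture3135.zip",
    "picture7484..gif.          exe",
    "picture2812..bmp.          exe",
    "picture6720..jpg.          exe",
    "text.txt.exe",
    "last.exe",
    "about me.exe",
    "latest news.exe",
    "truth.exe",
    "holiday.jpg",  # constructed: an ordinary image name, should not be flagged
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_NAMES).items():
        print(f"{name!r}: {'; '.join(reasons)}")
```

The check deliberately collapses whitespace before splitting on dots: a mail client that truncates long names shows only "picture7484..gif", but the operating system acts on the last extension, and that is what the filter has to see.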
<Reference>
"Reporting Status for Computer Virus/Unauthorized Computer Access for September and for the 3rd Quarter"
http://www.ipa.go.jp/security/english/virus/press/200609/E_PR200609.html
II. Reporting Status for Unauthorized Computer Access (includes consultation)
– Please refer to Attachment 2 –
Reports of unauthorized computer access and accepted consultations
|                             | May | June | Jul. | Aug. | Sept. | Oct. |
| Total Reported (a)          | 13  | 22   | 15   | 50   | 46    | 22   |
|   Damaged (b)               | 6   | 20   | 8    | 30   | 21    | 15   |
|   Not Damaged (c)           | 7   | 2    | 7    | 20   | 25    | 7    |
| Total Consultation (d)      | 23  | 32   | 31   | 24   | 35    | 53   |
|   Damaged (e)               | 11  | 19   | 18   | 13   | 26    | 37   |
|   Not Damaged (f)           | 12  | 13   | 13   | 11   | 9     | 16   |
| Grand Total (a + d)         | 36  | 54   | 46   | 74   | 81    | 75   |
|   Damaged (b + e)           | 17  | 39   | 26   | 43   | 47    | 52   |
|   Not Damaged (c + f)       | 19  | 15   | 20   | 31   | 34    | 23   |
(1) Reporting Status of Unauthorized Computer Access
The number of reports for October was 22, of which 15 involved actual damage.
(2) Accepting Status of Consultations relevant to Unauthorized Computer Access, etc.
Consultations relevant to unauthorized computer access numbered 53, of which 37 (11 of them also counted among the reports) involved damage of some sort.
(3) Status of Damage
The breakdown of damage reports includes 8 intrusions, 1 worm infection and 1 DoS attack, etc. The damage caused by intrusion included 3 web page defacements, 2 cases of the host being used as a stepping stone for attacks on other sites and 1 case of malicious code embedded for phishing, etc. The causes of intrusion included 1 case in which the password was found by a password cracking (*4) attack on the port (*3) used for SSH (*2).
As for the other damage, there were 3 cases in which an account (*5) used for web mail, etc. was used by someone without permission and the user's private information was altered and/or mails were deleted, etc.
Damage Instances:
[Intrusion]
(i) Attack on the port used by SSH
<Instance>
- While we were configuring the server's operational environment, our work was interrupted by some external factor.
- On investigation, we found that a password cracking attack had been run against the port used for SSH login to work out the password, and that the server had been intruded into.
- In addition, bot (*6) programs and port scan tools (*7) had been planted in the server and were running. There had also been attempts to plant a tool for DoS attacks (*8) against outside servers. Moreover, some programs running on the server were infected by a virus, and the infection spread to other files on the server.
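The intrusion in instance (i) leaves a characteristic trace in the SSH daemon's log: a burst of "Failed password" lines from one source, often cycling through user names, followed by an "Accepted password" from the same source once the guess succeeds. The following is an added example, not code from IPA or from the consulter; it runs over a constructed sample of OpenSSH-style auth log lines (the host name, process IDs, addresses and timestamps are made up) and reports sources that exceeded a failure threshold and any that subsequently logged in.

```python
import re
from collections import defaultdict

# OpenSSH log formats for failed and accepted logins (message text after "sshd[pid]:").
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?:password|publickey) for (\S+) from (\d+\.\d+\.\d+\.\d+)"
)


def analyze_sshd_log(lines, threshold=5):
    """Per-source statistics: failed attempts, user names tried, accepted logins,
    and the user name under which a login was accepted after at least
    `threshold` failures from the same source (the cracking succeeded)."""
    stats = defaultdict(
        lambda: {"failed": 0, "accepted": 0, "users": set(), "cracked_as": None}
    )
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            stats[src]["failed"] += 1
            stats[src]["users"].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            user, src = m.groups()
            entry = stats[src]
            entry["accepted"] += 1
            if entry["failed"] >= threshold and entry["cracked_as"] is None:
                entry["cracked_as"] = user
    return dict(stats)


def brute_force_sources(stats, threshold=5):
    """Sources that reached the failure threshold, whether or not they got in."""
    return sorted(src for src, s in stats.items() if s["failed"] >= threshold)


def likely_compromised(stats):
    """Sources that logged in after a brute-force run, with the account they used."""
    return {src: s["cracked_as"] for src, s in stats.items() if s["cracked_as"]}


# Constructed sample log, not a real capture. 203.0.113.5 guesses its way in as
# root, 198.51.100.7 gives up after two tries, 192.0.2.10 is a legitimate key login.
SAMPLE_LOG = """\
Oct 12 03:14:01 srv sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 44321 ssh2
Oct 12 03:14:03 srv sshd[2233]: Failed password for invalid user test from 203.0.113.5 port 44325 ssh2
Oct 12 03:14:05 srv sshd[2235]: Failed password for root from 203.0.113.5 port 44330 ssh2
Oct 12 03:14:07 srv sshd[2237]: Failed password for root from 203.0.113.5 port 44334 ssh2
Oct 12 03:14:09 srv sshd[2239]: Failed password for root from 203.0.113.5 port 44338 ssh2
Oct 12 03:14:11 srv sshd[2241]: Failed password for root from 203.0.113.5 port 44342 ssh2
Oct 12 03:14:13 srv sshd[2243]: Accepted password for root from 203.0.113.5 port 44346 ssh2
Oct 12 04:02:44 srv sshd[2301]: Failed password for invalid user oracle from 198.51.100.7 port 51002 ssh2
Oct 12 04:02:46 srv sshd[2303]: Failed password for invalid user oracle from 198.51.100.7 port 51004 ssh2
Oct 12 08:15:20 srv sshd[2410]: Accepted publickey for alice from 192.0.2.10 port 60110 ssh2
""".splitlines()

if __name__ == "__main__":
    stats = analyze_sshd_log(SAMPLE_LOG)
    print("brute-force sources:", brute_force_sources(stats))
    print("logged in after brute force:", likely_compromised(stats))
```

A source that appears in `likely_compromised` is the signal to treat the host as intruded into, exactly as in the instance above: the planted bot, scanner and DoS tools follow the first successful login. On the prevention side, the attack in the instance depends on password logins being allowed at all; setting `PasswordAuthentication no` (and `PermitRootLogin no`) in sshd_config and using keys removes the thing being guessed.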
(ii) Account used without permission
<Instance>
- When I tried to log in to a major portal site with my account, a message saying "your password is incorrect" was displayed and I could not log in.
- To make sure, I accessed the other free mail address that I had registered as the secondary address when I created the account for the portal site, and a message saying "confirmation of the change to your registered mail address" had arrived.
- In addition, I found that items I knew nothing about were listed on the auction service of that site under my account.
III. Accepting Status of Consultation
The gross number of consultations for October was 1,002. Of these, consultations concerning "One-click Billing Fraud" numbered 236 (September: 223), consultations concerning "High-pressure selling of security software" 41 (August: 23), and consultations concerning "Winny" 12 (March: 196, April: 83, May: 28, June: 15, July: 12, August: 14, September: 9), etc.
Movement in the total number of consultations accepted by IPA
|                           | May | June | July | August | Sept. | Oct.  |
| Total                     | 846 | 773  | 767  | 793    | 933   | 1,002 |
| Automatic Response System | 484 | 423  | 444  | 460    | 575   | 580   |
| Telephone                 | 295 | 283  | 257  | 280    | 302   | 326   |
| e-mail                    | 63  | 64   | 66   | 48     | 51    | 93    |
| Fax, Others               | 4   | 3    | 0    | 5      | 5     | 3     |
*IPA consults and advises on computer viruses and unauthorized computer access, as well as on information security issues in general.
Mail: for virus issues, for crack issues.
Tel.: +81-3-5978-7509 (24-hour automatic response)
Fax: +81-3-5978-7518 (24-hour automatic response)
*The total case number includes the figures in the Consultation (d) row of the table in "II. Reporting Status for Unauthorized Computer Access" and the consultations in "III. Accepting Status of Consultation".
*"Automatic Response System": number of cases accepted by automatic response
*"Telephone": number of cases accepted by Security Center personnel
[Reference] Shift in the number of consultations on one-click billing fraud
For measures against one-click billing fraud, please refer to the following pages.
Reminder for the month (January) "Malicious Codes may be Installed if you Ignore Alert!!"
http://www.ipa.go.jp/security/english/virus/press/200601/E_PR200601.html
Reporting Status of Computer Virus and Unauthorized Computer Access for September and the 3rd Quarter, 2. One-click Billing Fraud
http://www.ipa.go.jp/security/english/virus/press/200609/E_PR200609.html
Reporting Status of Computer Virus and Unauthorized Computer Access for August, 2. Consultation Number for the Damages by One-click Billing Fraud is Unchangeably Many!!
http://www.ipa.go.jp/security/english/virus/press/200608/E_PR200608.html
[Reference] High-pressure selling of security software: movement in the number of consultations
For the high-pressure selling of security software, please refer to the following page.
Reminder for the month (April) "Be Cautious with the High-pressured Selling Activities of Software for Security Measures!!"
http://www.ipa.go.jp/security/english/virus/press/200604/E_PR200604.html
The major consultations for the month are as follows.
(i) A file is attached to a suspicious mail in Japanese...
Consultation:
The following mail arrived. Since the consulter has no personal acquaintance with the sender, he/she has left it unopened. To be sure, he/she ran a virus check, which detected nothing.
From: admin@*.*.jp
To: *@*.co.jp
Subject: Your computer may be infected by a virus
Hello,
I am (Mr.) *** of ** Co., Ltd., ** Department.
While checking the logs of our server, we noticed several dozen unauthorized accesses per second that appear to be sent from your computer's IP address.
In fact, our server cannot operate properly, and we believe this is an attack by virus programs embedded in your computer.
We would therefore be most grateful if you would delete the virus immediately using the delete_virus.exe file attached to this e-mail.
As a further reminder, if you leave your computer as it is without taking measures, we are considering taking this case to court under the Act on Prohibition of Unauthorized Computer Access and for forcible obstruction of business.
We would again greatly appreciate your consideration of this matter.
Sincerely,
How to remove the virus:
1. Copy delete_virus.exe to any folder on the computer.
2. Double-click delete_virus.exe.
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
*** (Mr.)
** Co., Ltd., ¦¦ Department
Tel: XXX-XXX-XXXX (Main)
admin@*.*.jp
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
Response:
When the attachment was rechecked, a Trojan horse type of virus was detected. In this case, someone may have attempted to trap specific addressees with a virus. Be cautious with mails from unknown senders. More specifically, if a file is attached to a suspicious mail, do not open it; delete the mail itself immediately. In many cases such mail uses sophisticated wording to get the recipient to open the attachment, so do not believe everything it says.
(ii) Is it possible to check whether certain information has been leaked by Winny?
Consultation:
The consulter had stopped using Winny after realizing that his/her computer had been infected by the Antinny virus while using it. The virus itself has already been removed; however, the consulter is looking for a way to check whether his/her private information is being leaked.
Response:
For general users it is very hard to determine whether or not information has leaked. There is the option of using a professional service, but it is likely to be too costly for an individual. The best measure is therefore to report the facts to the people concerned within your organization and/or the relevant parties outside, so that follow-up measures can be considered.
Data that has leaked onto a file sharing network cannot be recalled. Be aware that you are next to the risk every time you use a file sharing network.
(Reference)
IPA – Preventing Information Leakage via Winny (in Japanese)
http://www.ipa.go.jp/security/topics/20060310_winny.html
IPA – The 7 Anti-Virus Requirements for PC Users (in Japanese)
http://www.ipa.go.jp/security/antivirus/7kajonew.html
IV. Access Status Captured by the Internet Monitoring (TALOT2) in October
According to the Internet Monitoring (TALOT2), the total number of unwanted (one-sided) accesses in October 2006 was 416,676 across 10 monitoring points, i.e. 1,437 accesses from 305 source addresses per monitoring point per day.
Each TALOT2 monitoring environment is close to the connection environment of a general Internet user, so a similar volume of unwanted (one-sided) access can be assumed for general users' connections. In other words, your computer is being accessed from about 305 unknown source addresses per day on average, about 5 times from each source address, in what can be regarded as unauthorized access.
Chart 1: Number of accesses and number of source addresses, average per monitoring point per day
Chart 1 shows the number of accesses and the number of source addresses, averaged over one monitoring point per day, from April to October 2006. According to the chart, the number of sources of unwanted (one-sided) access has been tending to increase since July, while the total number of accesses has remained stable.
In October there were a number of accesses that appear to be file exchange related; otherwise the access status in October was almost the same as in September. Comparing Charts 4.2 and 4.3, accesses related to file exchange were conspicuously numerous. Accesses to ports considered file exchange related are excluded from the statistics, so we describe their status below as this month's topic.
First, a word about file exchange. File exchange means exchanging files (data) directly between particular computers using file exchange software. There are several ways of exchanging files, but two are mainly used: in one, a server holding the control information for the exchange acts as the hub of the file exchange network; in the other, the network is formed by the participating computers themselves through the file exchange software.
A computer exchanging files is generally identified by the IP address it uses. Information about exchangeable files and about IP addresses is passed back and forth over the file exchange network.
However, a general Internet user's computer is allocated an available IP address dynamically by the provider, so the IP address a computer uses for file exchange differs each time it connects to the network. Consequently, even after a computer exchanging files has disconnected, information about its previous IP address is likely to remain on the file exchange network. That address is then allocated to another user's computer by the same provider, and other file exchange computers request connections (accesses) to that computer. Most of the accesses in the following graph can be taken to be accesses of this kind.
Chart 2: Transition in the number of accesses considered file exchange related, October 2006
The source areas of these accesses are as follows:
- Most accesses to port 4662 (TCP) come from Spain.
- Most accesses to port 6346 (TCP/UDP) come from domestic sources (within Japan).
- Most accesses to port 11418 (TCP/UDP) come from Taiwan.
- Most accesses to port 40007 (TCP) come from domestic sources (within Japan).
- Most accesses to port 6881 (TCP) come from domestic sources (within Japan).
Because some users exchange copyrighted data illegally, some file exchange networks in which a server acts as the hub have been forced to close, users who exchanged data illegally have been arrested, and so on. File exchange also leads to information leakage, so the activity itself tends to be a problem.
Port 4662 (TCP), which has the highest number of accesses in Chart 2, appears to be accessed by the file exchange software called eDonkey. Since eDonkey servers have been shut down or distribution of the software stopped, mainly in Europe, it seems that accesses to this port increased drastically as users hurried to download files.
(Reference)
International Federation of the Phonographic Industry files 8,000 lawsuits over illegal file exchange in 17 countries (October 18, 2006) (in Japanese)
http://internet.watch.impress.co.jp/cda/news/2006/10/18/13661.html
Chart 3: Share of accesses considered to be from eDonkey, by source area
When such accesses concentrate on a specific IP address, they can look like a DoS attack on that port. These accesses mainly arise when file exchange is performed automatically; file exchange users should understand this in advance and check the destination of their exchanges when connecting.
Furthermore, file exchange gives rise to numerous information leakage problems; users should understand the mechanism of file exchange and take particular care when using it.
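The figures in this section (accesses and distinct sources per monitoring point per day, with file exchange ports excluded) and the concentration check just described can be reproduced from raw sensor records. The following is an added example, not TALOT2 code or data: it runs over a constructed sample of one-sided access records for two hypothetical monitoring points on two days, uses the five ports the report lists as file exchange related, and flags a port whose accesses land mostly on one monitoring point.

```python
from collections import Counter, defaultdict

# Ports the report lists as file exchange related. The report names only
# eDonkey (4662/tcp); the others are kept as bare port numbers.
FILE_EXCHANGE_PORTS = {
    (4662, "tcp"), (6346, "tcp"), (6346, "udp"), (11418, "tcp"), (11418, "udp"),
    (40007, "tcp"), (6881, "tcp"),
}

# Constructed sample records, not TALOT2 data:
# (monitoring point, day, source address, destination port, protocol).
RECORDS = [
    ("P1", "2006-10-01", "198.51.100.1", 4662, "tcp"),
    ("P1", "2006-10-01", "198.51.100.2", 4662, "tcp"),
    ("P1", "2006-10-01", "198.51.100.3", 4662, "tcp"),
    ("P1", "2006-10-01", "198.51.100.4", 4662, "tcp"),
    ("P1", "2006-10-01", "198.51.100.1", 135, "tcp"),
    ("P2", "2006-10-01", "203.0.113.5", 4662, "tcp"),
    ("P2", "2006-10-01", "203.0.113.6", 445, "tcp"),
    ("P2", "2006-10-01", "203.0.113.6", 445, "tcp"),
    ("P1", "2006-10-02", "198.51.100.7", 6881, "tcp"),
    ("P2", "2006-10-02", "203.0.113.8", 6881, "tcp"),
    ("P2", "2006-10-02", "203.0.113.9", 1026, "udp"),
    ("P2", "2006-10-02", "203.0.113.9", 1027, "udp"),
]


def is_file_exchange(record):
    _, _, _, port, proto = record
    return (port, proto) in FILE_EXCHANGE_PORTS


def summarize(records, exclude_file_exchange=True):
    """Total accesses plus the two averages the report gives: accesses and distinct
    source addresses per monitoring point per day. Every observed point-day is a
    denominator even if nothing remains for it after the exclusion."""
    point_days = {(point, day) for point, day, *_ in records}
    kept = [r for r in records if not (exclude_file_exchange and is_file_exchange(r))]
    sources = defaultdict(set)
    for point, day, src, *_ in kept:
        sources[(point, day)].add(src)
    n = len(point_days)
    return {
        "total": len(kept),
        "accesses_per_point_day": len(kept) / n,
        "sources_per_point_day": sum(len(s) for s in sources.values()) / n,
    }


def file_exchange_counts(records):
    """Accesses per (port, protocol) for the file exchange ports only."""
    return Counter((r[3], r[4]) for r in records if is_file_exchange(r))


def concentrated_ports(records, min_count=5, share=0.8):
    """File exchange ports whose accesses fall mostly on a single monitoring point:
    the pattern the report says can look like a DoS attack on that address."""
    by_port = defaultdict(Counter)
    for point, _, _, port, proto in records:
        if (port, proto) in FILE_EXCHANGE_PORTS:
            by_port[(port, proto)][point] += 1
    flagged = []
    for key, per_point in by_port.items():
        total = sum(per_point.values())
        point, hits = per_point.most_common(1)[0]
        if total >= min_count and hits / total >= share:
            flagged.append((key, point, hits / total))
    return sorted(flagged)


if __name__ == "__main__":
    print("excluding file exchange ports:", summarize(RECORDS))
    print("all accesses:", summarize(RECORDS, exclude_file_exchange=False))
    print("file exchange ports:", dict(file_exchange_counts(RECORDS)))
    print("concentrated on one point:", concentrated_ports(RECORDS))
```

The thresholds `min_count` and `share` are this example's choice; on the report's scale (hundreds of sources per point per day) they would be set far higher, but the shape of the check is the same: total accesses to the port, and how much of that total a single destination absorbs.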
For additional information, please refer to the following page.
Attachment 3: Observation Status Captured by the Internet Monitoring (TALOT2)
http://www.ipa.go.jp/security/english/virus/press/200610/TALOT200610.html
"Various statistics provided by other organizations and vendors are published on the following sites"
@police: http://www.cyberpolice.go.jp/english/
Trendmicro: http://www.trendmicro.com/en/home/us/home.htm
McAfee: http://www.mcafee.com/us/
"Glossary"
(*1) Rootkit:
A set of software tools used by an attacker after intruding into a computer. Typically the set includes a log alteration tool, a backdoor tool and a group of altered system commands.
(*2) SSH (Secure Shell):
A protocol, or a program, used to log in to another computer over the network, execute commands on it remotely and transfer files to it. Since the data sent over the network is encrypted, these operations can be carried out safely over the Internet.
(*3) Port:
The window through which each service on a computer exchanges information with the outside. The numbers 0 to 65535 are used to identify ports, so they are also called port numbers.
(*4) Password Cracking:
The approach of discovering someone else's password by analysis, etc. Approaches include the brute-force attack and the dictionary attack, and software written specifically for cracking also exists.
(*5) Account:
The privilege that allows a legitimate user to use resources on a computer and/or on the Internet.
(*6) Bot:
A kind of computer virus, created so that the infected computer can be manipulated from outside over a network (the Internet).
(*7) Port Scan Tool:
A tool that looks for security holes (vulnerabilities) from information about the applications, OS, etc. running on a server; it is frequently used in preparation for an intrusion.
(*8) DoS Attack (Denial of Service Attack):
An attack that sends a large quantity of data to place an excessive load on a server, so as to degrade its performance significantly or disable its functions.
The details are as follows:
- Attachment 1: Computer Virus Incident Report [Details]
- Attachment 2: Unauthorized Computer Access Incident Report [Details]
- Attachment 3: Observation Status by Internet Monitoring System (TALOT2)