This is a summary of computer virus/unauthorized computer access incident reports for November 2006, compiled by IPA.
Reminder for the Month:
“Do not Easily be Tempted, there are many Traps Hiding on the Internet!!”
- A variety of traps is targeting you!!! -
IPA is currently receiving a number of consultations from users who, without thinking, installed suspicious software claiming to be a security countermeasure after going directly to an advertiser's home page via a banner (*1) ad, or who encountered online fraud, etc.

More specifically, ads such as the following are placed on home pages, and users who readily believe their contents suffer damage.

As shown, the banner claims that you are the 999,999th visitor to the site. If you click on it, you are required to enter your name, address, e-mail address, etc. If you thoughtlessly enter your private information, you will receive sweepstakes “winning” mails at the e-mail address you signed up with, but no award will ever be sent to you. On the contrary, you are exposed to the growing risk that your private information will be exploited maliciously.
Thus, it is necessary to be cautious and not enter your private information simply because you believe what a home page tells you. (Please refer to “IV. Accepting Status of Consultation” for consultation instances, too.)

Chart 3 is an example of a banner ad masquerading as a security countermeasure software called “Drive Cleaner”, which claims that “an error is detected in your computer”. Surprised by the unexpected message, you click the “correct now” button on the banner; you are then urged to “install the security countermeasure software” and required to purchase it, paying by credit card, in order to correct the errors.
Similarly, you may be led to a suspicious site by clicking on a link in the body of a mail or in a blog. The best countermeasure is not to proceed by clicking if you feel something is suspicious.
In case you suffer damage, please consult IPA, the national consumer affairs center nearest you, or your credit card company.
I. Reporting Status for Computer Virus – for further details, please refer to Attachment 1 –
The detection number [1] of viruses for November was about 1.58M, an increase of 34.7% from the 1.17M reported in October. The reported number [2] of viruses was 3,664, a decrease of 0.9% from the 3,696 reported in October.
[1] Detection number: Reported virus counts (cumulative) found by a filer.
[2] Reported number: Virus counts are aggregated: viruses of the same type and variants reported on the same day by the same filer are counted as one case, regardless of how many viruses, or what actual number of viruses, that filer found on that day. In November, the reported number was 3,664, while the aggregated virus detection number was about 1.58M.
The virus with the highest detection number was W32/Netsky with about 0.8M, followed by W32/Looked with about 0.37M and W32/Stration with about 0.24M.

Chart 1-1

Chart 1-2
Description of W32/Looked:
The W32/Looked variant (alias: W32/Philis) emerged in September 2006; its detection number, 505 in October, increased drastically to about 0.37M in November.
This virus is of the file-infecting type: if you open an already infected file, such as a file attached to an e-mail or a file downloaded through file exchange software, you too will be infected by the W32/Philis virus. When infected, the virus adds its code to executable files within your computer, your passwords for online games on the Internet are stolen, spyware is generated, etc.
Once infected, it is hard to deal with, and the damage may spread; be sure to take fundamental measures such as not readily opening files attached to mail and not visiting suspicious web sites. As a supplementary measure, be sure to update the virus pattern file in your anti-virus software to prevent infection.
II. One-click Billing Fraud: Unchangeably Many Consultations Being Filed with IPA
In November 2006, 155 consultations about one-click billing fraud were filed with IPA. These consultations are mainly about cases in which a user, simply clicking on images or animated pictures on an adult site in the belief that they are free, is led to automatically download malicious code that then demands payment.
In these cases, most users ignore the security alert shown below and download the malicious code themselves.
Please note that the following security alert is not displayed when you merely display images or animated pictures on your screen. (First the alert screen shown in Chart 2-1 is displayed; when you select “Run”, the alert screen shown in Chart 2-2 is displayed.)
If a security alert is displayed, be sure to check the “type” of the file, the “source” information of the file, etc., and do not click “Run” or “Execute” unless sufficient safety is ensured.

<Reference>
Reminder for the Month in February 2006: “Malicious Codes may be Installed if you Ignore Alert!!”
http://www.ipa.go.jp/security/english/virus/press/200601/E_PR200601.html
Computer Virus and Unauthorized Computer Access Report for September and for the 3rd Quarter, 2. One-click Billing Fraud
http://www.ipa.go.jp/security/english/virus/press/200609/E_PR200609.html
Computer Virus and Unauthorized Computer Access Report for August, 2. Consultation Number for the Damages by One-click Billing Fraud is Unchangeably Many!!
http://www.ipa.go.jp/security/english/virus/press/200608/E_PR200608.html
Brochure for Spyware Measures (in Japanese)
http://www.ipa.go.jp/security/antivirus/shiori.html
III. Reporting Status for Unauthorized Computer Access (includes Consultations) – Please refer to Attachment 2 –
Report for unauthorized computer access and status of consultation

|                            | June | Jul. | Aug. | Sept. | Oct. | Nov. |
|----------------------------|------|------|------|-------|------|------|
| Total for Reported (a)     | 22   | 15   | 50   | 46    | 22   | 24   |
| Damaged (b)                | 20   | 8    | 30   | 21    | 15   | 8    |
| Not Damaged (c)            | 2    | 7    | 20   | 25    | 7    | 16   |
| Total for Consultation (d) | 32   | 31   | 24   | 35    | 53   | 30   |
| Damaged (e)                | 19   | 18   | 13   | 26    | 37   | 20   |
| Not Damaged (f)            | 13   | 13   | 11   | 9     | 16   | 10   |
| Grand Total (a + d)        | 54   | 46   | 74   | 81    | 75   | 54   |
| Damaged (b + e)            | 39   | 26   | 43   | 47    | 52   | 28   |
| Not Damaged (c + f)        | 15   | 20   | 31   | 34    | 23   | 26   |
(1) Reporting Status of Unauthorized Computer Access
The reported number for November was 24, of which 8 involved actual damage.
(2) Accepting Status of Consultations relevant to Unauthorized Computer Access, etc.
The number of consultations relevant to unauthorized computer access was 30, of which 20 (4 of which were also counted in the reported number) involved some sort of damage.
(3) Status for Damage
The breakdown of the damage reports is: intrusion 4, unauthorized mail relay 1, DoS attack 1 and source address spoofing 2. The breakdown of the damage caused by intrusion included alteration of files (1) and placement of content files to be exploited for phishing (2), etc. As for the cause of intrusion, there was 1 instance in which the password was cracked by an attack on the port (*3) used for SSH (*2).
Damage Instances:
[Intrusion]
(i) Attack on the port used by SSH
<Instance>
- The server administrator realized that he could not log in by SSH.
- An investigation was conducted and errors were found in the SSH configuration file. According to the log (*4), the account logged in via SSH when the file was modified belonged to a user who had not accessed the server. Accordingly, it was concluded that the SSH configuration file had been altered through unauthorized computer access by a third party outside the organization.
- The account appears to have been cracked easily because a simple default password had been set and never changed to a more complicated one.
- As an initial countermeasure, SSH access from outside the organization was restricted using firewalls.
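For the SSH instance above, the first signal an administrator can look for is the sshd authentication log: a burst of failed password logins from one source, followed by an accepted password login from that same source, is the pattern left behind when a default password is guessed. The following Python is an added example written for this report, not code from IPA or from the affected organization; the log lines are constructed in the usual OpenSSH syslog format (203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges), and the threshold of three failures is an assumption.

```python
import re
from collections import defaultdict

# Constructed sshd log excerpt in OpenSSH's syslog format (not from the report).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = """\
Nov 14 02:11:03 srv sshd[4021]: Failed password for root from 203.0.113.5 port 51234 ssh2
Nov 14 02:11:05 srv sshd[4021]: Failed password for root from 203.0.113.5 port 51234 ssh2
Nov 14 02:11:08 srv sshd[4023]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Nov 14 02:11:10 srv sshd[4025]: Failed password for admin from 203.0.113.5 port 51244 ssh2
Nov 14 02:11:12 srv sshd[4027]: Failed password for admin from 203.0.113.5 port 51250 ssh2
Nov 14 02:11:15 srv sshd[4029]: Accepted password for admin from 203.0.113.5 port 51252 ssh2
Nov 14 02:11:20 srv sshd[4029]: Connection closed by 203.0.113.5
Nov 14 03:40:41 srv sshd[4102]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Nov 14 03:40:50 srv sshd[4104]: Accepted publickey for alice from 198.51.100.7 port 40030 ssh2
"""

# One authentication outcome per line; other sshd messages are ignored.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

def parse_auth_log(text):
    """Return the authentication events found in the log text, in order."""
    return [m.groupdict() for m in map(AUTH_RE.match, text.splitlines()) if m]

def find_password_guessing(events, max_failures=3):
    """Sources with more than max_failures failed logins, with the accounts tried
    and any login accepted from that source after the failures (the indicator
    that a guessed password actually worked)."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "accepted_after": []})
    for ev in events:
        s = stats[ev["src"]]
        if ev["result"] == "Failed":
            s["failures"] += 1
            s["users"].add(ev["user"])
        elif s["failures"] > 0:
            s["accepted_after"].append((ev["user"], ev["method"]))
    return {src: s for src, s in stats.items() if s["failures"] > max_failures}

if __name__ == "__main__":
    for src, s in find_password_guessing(parse_auth_log(SAMPLE_LOG)).items():
        print(src, s["failures"], "failures against", sorted(s["users"]),
              "then accepted:", s["accepted_after"])
```

On the constructed log, 203.0.113.5 is flagged with five failures across three accounts and a subsequent accepted password login for "admin", which is exactly the point at which the instance's response (restricting SSH from outside through the firewall, and replacing the default password) should begin; the single failure from 198.51.100.7 followed by a public-key login is ordinary user behaviour and stays below the threshold.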
(ii) Password Cracking Attack (*5) on a Site
<Instance>
- On checking the logs of an online securities trading site operated by this organization, login accesses more than 10 times the usual volume were observed; unauthorized computer access was suspected and an investigation was initiated.
- It was found that the simple passwords configured for 26 accounts had all been cracked and the accounts logged into illegally.
- Although password entry retries on login were limited to 9 attempts, accounts that were still using the weak passwords (4 digits each) of legacy systems without having changed them allowed unauthorized computer access from outside the organization.
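The site instance above turned on a control gap: retries were limited to 9 per login attempt, but nothing stopped a new attempt from continuing through a 4-digit keyspace, and the 10-fold jump in login traffic was only noticed on log review. The following Python is an added example (not the site's own code) showing the two checks a defender would want: a lockout that counts failures per account across sessions plus a per-source rate limit, and a simple volume ratio that flags such a jump. The thresholds, the 900-second cooldown and the sample daily counts are assumptions constructed for the example.

```python
from collections import defaultdict, deque

class LoginGuard:
    """Login throttling for a web site. Assumed policy, not the site's own:
    failures are counted per account across sessions (so starting a new login
    attempt after the 9-retry limit does not reset the count), locked accounts
    reject attempts for a cooldown period, and each source address gets a
    sliding-window rate limit applied before the password is even checked."""

    def __init__(self, max_failures=9, lockout_seconds=900, src_limit=20, src_window=60):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.src_limit = src_limit
        self.src_window = src_window
        self.failures = defaultdict(int)        # account -> failures since last success
        self.locked_until = {}                  # account -> time the lock expires
        self.src_attempts = defaultdict(deque)  # source -> attempt times in the window
        self.checks = 0                         # passwords actually evaluated

    def attempt(self, account, src, password_ok, now):
        # 1. Source rate limit: drop timestamps outside the window, then count.
        q = self.src_attempts[src]
        while q and now - q[0] >= self.src_window:
            q.popleft()
        q.append(now)
        if len(q) > self.src_limit:
            return "rate_limited"
        # 2. Account lockout persists across sessions and connections.
        if self.locked_until.get(account, 0) > now:
            return "locked"
        # 3. Only now is the credential checked.
        self.checks += 1
        if password_ok:
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = now + self.lockout_seconds
            self.failures[account] = 0
            return "locked"
        return "failed"

def login_volume_ratio(daily_logins):
    """Last day's login attempts divided by the average of the earlier days;
    the report's instance was noticed when this exceeded 10."""
    *baseline, latest = daily_logins
    return latest / (sum(baseline) / len(baseline))

def simulate_pin_guessing(guard, account, src, true_pin, guesses, spacing=5):
    """Replay one source trying a list of 4-digit PINs against one account,
    one guess every `spacing` seconds (constructed scenario)."""
    return [guard.attempt(account, src, g == true_pin, i * spacing)
            for i, g in enumerate(guesses)]

if __name__ == "__main__":
    guard = LoginGuard()
    outcomes = simulate_pin_guessing(guard, "acct-legacy", "203.0.113.9", "0042",
                                     ["%04d" % n for n in range(30)])
    print(outcomes.count("failed"), "failed,", outcomes.count("locked"), "locked,",
          guard.checks, "passwords evaluated")
    print(round(login_volume_ratio([1200, 1100, 1300, 1250, 1150, 14000]), 2))
```

In the replay, only 9 of the 30 guesses reach the password check; every later one is refused while the account is locked, so a 10,000-value keyspace can no longer be walked in chunks of 9. The volume check is deliberately crude (one day against the mean of the preceding days) but would have raised the alarm the instance describes before the logs were read by hand.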
IV. Accepting Status of Consultation
The gross number of consultations for November was 711. Of these, consultations relevant to “One-click Billing Fraud” numbered 155 (September: 236), consultations relevant to “High-pressured selling of software for security measures” 18 (September: 41) and consultations relevant to “Winny” 12 (October: 12), etc.
Movement in entire number of consultations accepted by IPA

|                           | June | July | August | Sept. | Oct.  | Nov. |
|---------------------------|------|------|--------|-------|-------|------|
| Total                     | 773  | 767  | 793    | 933   | 1,002 | 711  |
| Automatic Response System | 423  | 444  | 460    | 575   | 580   | 423  |
| Telephone                 | 283  | 257  | 280    | 302   | 326   | 214  |
| e-mail                    | 64   | 66   | 48     | 51    | 93    | 72   |
| Fax, Others               | 3    | 0    | 5      | 5     | 3     | 2    |
*IPA consults/advises on computer viruses/unauthorized computer access as well as other information concerning overall security issues.
Mail: for virus issues, for crack issues.
Tel.: +81-3-5978-7509 (24-hour automatic response)
Fax: +81-3-5978-7518 (24-hour automatic response)
*The total case number includes the number in the Consultation (d) column of the chart in “III. Reporting Status for Unauthorized Computer Access” and “IV. Accepting Status of Consultation”.
*“Automatic Response System”: numbers accepted by the automatic response system
*“Telephone”: numbers accepted by Security Center personnel
[Reference]
Shift in the consultation number of one-click billing fraud

For countermeasures against one-click billing fraud, please refer to the following sites for further details.
Reminder for the month (for the month of January) “Malicious Codes may be Installed if you Ignore Alert!!”
http://www.ipa.go.jp/security/english/virus/press/200601/E_PR200601.html
Reporting Status of Computer Virus and Unauthorized Computer Access for September and the 3rd Quarter, 2. One-click Billing Fraud
http://www.ipa.go.jp/security/english/virus/press/200609/E_PR200609.html
Reporting Status of Computer Virus and Unauthorized Computer Access for August, 2. Consultation Number for the Damages by One-click Billing Fraud is Unchangeably Many!!
http://www.ipa.go.jp/security/english/virus/press/200608/E_PR200608.html
<Reference>
Shift in the consultation number for High-Pressured Selling of Security Software

Please also refer to the following site regarding the high-pressured selling of security software.
Reminder for the month (for the month of April) “Be Cautious with the High-pressured Selling Activities of Software for Security Measures!!”
http://www.ipa.go.jp/security/english/virus/press/200604/E_PR200604.html
The major consultations for the month are as follows.
(i) Infected soon after virus is eliminated…?
Consultation:
It seemed that my computer was infected by a virus when I received a mail. My anti-virus software detected and removed the virus; soon after, it alerted me to another virus detection upon receiving another mail. Does it mean that the previously mentioned virus was not yet removed? How can I sweep away the viruses completely?
Response:
Be sure to read the messages generated by your anti-virus software carefully. In this case, the message should be read as meaning that your anti-virus software detected and removed the virus just before the mail software on your computer received the mail. That is, the anti-virus software did not detect a virus infection within your computer but eliminated the virus before it could intrude into your computer: this is good news! Please be at ease.
(ii) Online Fraud on YouTube site…?
Consultation:
When I was watching a video on the YouTube site, I found the following banner saying “Congratulations! You are the 999,999th visitor to our site!” in one corner of the site, written in English, so I clicked on it without thinking. Since it was necessary in order to request an award, it forcibly made me enter my private information such as my name, address, e-mail address, etc.; then it sent me to a free lotto site. Since I felt suspicious, I did not enter my credit card number when it prompted me to, after I had played lotto games several times there. However, some mails have come from the free lotto site. Will I be billed?
Response:
Since your mail address is already known to that site, it is likely that you will receive spam mails. Whether a bill is sent or not depends on that site. The first thing you should do is change your current mail address and wait to see what happens next. Originally, you should not have entered your private information without thinking unless you had been assured that the site was sufficiently secure. Even if the site is well known, it cannot be said that the banner is also trustworthy. You have to realize that sweet deals are not infrequently accompanied by awful traps. Even though it happened in a virtual world, do not neglect it, and you should not be tempted by such sweet deals. Be sure to consult the national consumer center nearest you if you are involved in trouble relevant to such contracts.
<Reference>
IPA – Reminder for the Month in July 2006: “If You Feel Something Suspicious, Be sure to Get Back Where You were Before!!”
http://www.ipa.go.jp/security/english/virus/press/200607/E_PR200607.html
National Consumer Affairs Center of Japan – Regional Centers Japan-wide (in Japanese)
http://www.kokusen.go.jp/map/
(iii) Virus Infection + Information Leakage by a File Sharing Software…?
Consultation:
Some file sharing software such as “Lime Wire”, “cabos”, “Share” and “WinMx” was being used. A couple of days ago, a skull and crossbones mark was displayed upon start-up. Since then, no operations are available. Restoration was carried out by replacing the hard disk with a new one. It was later found that this was caused by Antinny or its variants, but nothing could be detected by anti-virus software. Some files used for business were saved on that computer. What should I do from now on?
Response:
There is a high probability that your computer is infected by a virus that exposes private/important information to the public. The first thing you have to do is identify the files that may have leaked and immediately inform the relevant parties who will be affected so that they can take the necessary measures. Even if you are not infected by a virus, you run the risk of publishing unintended files by mistake, for example through an operational error. You should not use file sharing software if you are pursuing only your own benefit and cannot recognize the risks. It is outrageous to run file sharing software on a computer where your business files are saved. You have to realize the risks that always accompany the use of file sharing software.
<Reference>
IPA – To Prevent Information Leakage by Winny (in Japanese)
http://www.ipa.go.jp/security/topics/20060310_winny.html
IPA – Seven Antivirus Requirements for Computer Users (in Japanese)
http://www.ipa.go.jp/security/antivirus/7kajonew.html
V. Accessing Status Captured by the Internet Monitoring (TALOT2) in November
According to the Internet Monitoring (TALOT2), the total number of unwanted (one-sided) accesses in November 2006 was 380,054 for 10 monitoring points. That is 1,267 accesses from 307 source addresses per monitoring point per day.
Each monitoring environment of TALOT2 is nearly equal to the general connection environment used for the Internet, so it can be considered that the same amount of unwanted (one-sided) access is observed in general Internet users' connection environments. In other words, your computer is being accessed from an average of 307 unknown source addresses per day, or about 4 times from each source address, which is considered unauthorized.

Chart 5.1: Unwanted (One-sided) Number of Access and Source Number of Access/Monitoring Point/Day
Chart 5.1 shows the average number of accesses and number of source addresses per monitoring point per day from June to November 2006. According to this chart, unwanted (one-sided) accesses had tended to increase since July, but in November they decreased and returned almost to the August level. The overall number of accesses is stable.
In November, the overall access status was almost the same as in October, but accesses to ports considered to be file exchange related decreased (Chart 5.1.1).
First, a description of file exchange. File exchange refers to the direct exchange of files (data) between specific computers using file exchange software. There are a number of methods to exchange files, but two major ones are mainly used: one establishes a file exchange network in which a server controlling the information for file exchange functions as its hub; the other establishes a file exchange network among a number of computers via the file exchange software itself. A computer exchanging files is generally identified by the IP address it uses. Information on exchangeable files and on IP addresses is traded back and forth on the file exchange network.
Meanwhile, the computers of general Internet users are usually dynamically allocated an IP address available on the network by the provider to which the user subscribes. Accordingly, the IP address allocated to a computer exchanging files may differ each time it connects to the network. Therefore, even after a computer exchanging files is disconnected from the network, residual information about its previously used IP address may remain on the file exchange network. When that IP address is later allocated to a different user (computer) who subscribes to the same provider, this user (computer) receives connection requests (accesses) for file exchange from other users (computers) using the same file exchange software. Most of the accesses shown in Chart 5.1.1 can be considered to be generated by the condition described above.
Please note that since those accesses can be considered peculiar to a specific monitoring point, they are excluded from the statistical data aggregated for this report.

Chart 5.1.1: Shift in Number of Access which Considered to be File Exchange Related from October to November 2006
The file exchange software and the sources that can be considered responsible for the accesses to those ports are as follows.
- Access to port 4662 (TCP), the default port for the file exchange software called eDonkey, came mostly from the Spain area; however, in November no such access was observed.
- Access to port 6346 (TCP/UDP), the default port for the Gnutella series of file exchange software, came mostly from domestic sources.
- Access to port 11418 (TCP/UDP), for which the file exchange software could not be identified, came mostly from the Taiwan area.
- Access to port 40007 (TCP), for which the file exchange software could not be identified, came mostly from domestic sources.
- Access to port 6881 (TCP), the default port for the BitTorrent series of file exchange software, came mostly from domestic sources.
- Access to port 13909 (TCP/UDP), for which the file exchange software could not be identified, came mostly from the Netherlands area and was first observed in November.
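The figures at the start of this section (total accesses divided over monitoring points and days, distinct source addresses per point per day, and the ratio between them) and the per-port source breakdown in the list above are aggregations over sensor records. The following Python is an added example, not TALOT2's own code or data: it reproduces the report's per-point-per-day arithmetic for the November total, then runs the same aggregation, and the report's exclusion of file-exchange-port traffic from the general statistics, over a small constructed set of records (addresses from documentation ranges; regions, days and ports chosen for illustration).

```python
from collections import Counter, defaultdict

# Constructed sensor records (not TALOT2 data): (monitoring point, day, source IP,
# destination port, protocol, source region). IPs are from documentation ranges.
RECORDS = [
    ("mp1", "2006-11-01", "203.0.113.5",   4662,  "TCP", "ES"),
    ("mp1", "2006-11-01", "203.0.113.5",   4662,  "TCP", "ES"),
    ("mp1", "2006-11-01", "198.51.100.2",  6346,  "TCP", "JP"),
    ("mp1", "2006-11-01", "192.0.2.33",    445,   "TCP", "JP"),
    ("mp1", "2006-11-02", "198.51.100.2",  6346,  "UDP", "JP"),
    ("mp1", "2006-11-02", "192.0.2.9",     6881,  "TCP", "JP"),
    ("mp1", "2006-11-02", "203.0.113.12",  135,   "TCP", "US"),
    ("mp2", "2006-11-01", "203.0.113.77",  11418, "UDP", "TW"),
    ("mp2", "2006-11-01", "203.0.113.77",  11418, "UDP", "TW"),
    ("mp2", "2006-11-01", "203.0.113.77",  11418, "UDP", "TW"),
    ("mp2", "2006-11-02", "198.51.100.40", 13909, "TCP", "NL"),
    ("mp2", "2006-11-02", "192.0.2.9",     6881,  "TCP", "JP"),
    ("mp2", "2006-11-02", "192.0.2.33",    445,   "TCP", "JP"),
]

# Ports the report attributes to file exchange software (section V list).
FILE_EXCHANGE_PORTS = frozenset({4662, 6346, 11418, 40007, 6881, 13909})

def per_point_day(total, points, days):
    """Average accesses per monitoring point per day, as the report states it."""
    return total / (points * days)

def summarize(records, points, days, exclude_ports=frozenset()):
    """The report's headline figures over a record set; points and days describe
    the whole observation period so that empty cells still count."""
    kept = [r for r in records if r[3] not in exclude_ports]
    sources = defaultdict(set)          # (point, day) -> distinct source IPs
    for point, day, src, *_ in kept:
        sources[(point, day)].add(src)
    cells = points * days
    acc = len(kept) / cells
    src_avg = sum(len(s) for s in sources.values()) / cells
    return {
        "total": len(kept),
        "accesses_per_point_day": round(acc, 2),
        "sources_per_point_day": round(src_avg, 2),
        "accesses_per_source": round(acc / src_avg, 2) if src_avg else 0.0,
    }

def port_breakdown(records):
    """port -> (access count, most frequent source region)."""
    per_port = defaultdict(Counter)
    for _, _, _, port, _, region in records:
        per_port[port][region] += 1
    return {port: (sum(c.values()), c.most_common(1)[0][0])
            for port, c in per_port.items()}

if __name__ == "__main__":
    # The report's November figure: 380,054 accesses, 10 points, 30 days.
    print(round(per_point_day(380054, 10, 30)))
    print(summarize(RECORDS, points=2, days=2))
    print(summarize(RECORDS, points=2, days=2, exclude_ports=FILE_EXCHANGE_PORTS))
    print(port_breakdown(RECORDS))
```

The November total divided over 10 points and 30 days gives the report's 1,267, and 1,267 accesses from 307 sources is the "about 4 times per source" ratio; `summarize` computes the same three quantities for any record set. Running it twice, once with the file-exchange ports excluded, shows how much of the constructed sample the report's exclusion rule removes from the general statistics, and `port_breakdown` yields the per-port count and dominant source region behind the list above.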
Since there are some malicious users who illegally exchange copyrighted data, some file exchange networks in which a server functions as the kernel were driven to close and those users who illegally exchanged data were arrested. In addition, because file exchange causes information leakage, the activity of file exchange itself tends to be a problem. Recently, it was reported on TV and in newspapers, etc. that internal information of the Air Self-Defense Force was leaked via the file exchange software called Winny. Accordingly, those who use file exchange software should understand the mechanism of file exchange and pay further attention when using it.
If the accesses mentioned above concentrate on a specific IP address, the computer to which that IP address is allocated appears as if it is under a DoS attack. Most of those accesses seem to be generated automatically while the file exchange software is in use. File exchange users should understand this aspect of file exchange software: it is necessary to confirm in advance where it is going to connect.
For additional information, please refer to the following site.
Attachment 3: Observation Status Captured by the Internet Monitoring (TALOT2)
http://www.ipa.go.jp/security/english/virus/press/200611/TALOT200611.html
“Various Statistics Information Provided by Other Organizations/Vendors are Publicized in the Following Sites”
@police: http://www.cyberpolice.go.jp/english/
Trendmicro: http://www.trendmicro.com/en/home/us/home.htm
McAfee: http://www.mcafee.com/us/
“Interpretation for Glossaries”
(*1) Banner: An advertisement image placed on a Web site. When you click a banner, it sends you to the ad owner's site instantly.
(*2) SSH (Secure Shell): A protocol or program used to log in to another computer via the network, execute commands on a remote computer and transfer files to another computer. Since the data sent over the network is encrypted, a series of operations through the Internet can be conducted safely.
(*3) Port: A window through which each service within a computer exchanges information with the outside. Numbers from 0 to 65535 are used for the ports, so they are also called port numbers.
(*4) Log: Records of the operating status of a computer or the status of data communication. Generally, the operator's ID, the date and time of the operation, the contents of the operation, etc. are recorded.
(*5) Password Cracking: An approach to identifying someone else's password by analysis, etc. Approaches include brute-force attack, dictionary attack, etc., and there are also programs dedicated to cracking.
*Brute Force Attack: An attack method that exhaustively tries combinations of characters according to a certain rule to work out a password. It is a forcible attack method.
*Dictionary Attack: An attack method that tries every word listed in a dictionary, from beginning to end, to work out a password.
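Both damage instances in section III came down to passwords that an exhaustive or dictionary search could recover quickly: an unchanged default on the SSH server and 4-digit legacy passwords on the trading site. As an added example (not IPA's code), the following Python performs the checks a defender can apply at the moment a password is set: it rejects values from a small constructed list of common words and vendor defaults, rejects short or digits-only values, and reports the size of the search space an exhaustive attack would face, which is the quantity the glossary's brute-force entry refers to. The word lists and the minimum length of 8 are assumptions.

```python
import math
import string

# Constructed tiny word lists for the example; a real check would use full
# dictionaries and the vendor's published default credentials.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "secret", "admin"}
VENDOR_DEFAULTS = {"admin", "root", "default", "1234", "0000", "password"}

def charset_size(pw):
    """Size of the smallest standard character set that covers the password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)   # the 32 printable ASCII symbols
    return size

def search_space(pw):
    """Upper bound on the candidates an exhaustive (brute-force) search must cover."""
    return charset_size(pw) ** len(pw)

def brute_force_bits(pw):
    """The same bound expressed in bits."""
    return math.log2(search_space(pw)) if pw else 0.0

def password_weaknesses(pw, min_length=8):
    """List the reasons a password should be refused; an empty list means accepted."""
    reasons = []
    if len(pw) < min_length:
        reasons.append("shorter than %d" % min_length)
    if pw.isdigit():
        reasons.append("digits only")
    if pw.lower() in COMMON_WORDS:
        reasons.append("dictionary word")
    if pw in VENDOR_DEFAULTS:
        reasons.append("vendor default")
    return reasons

if __name__ == "__main__":
    for candidate in ("1234", "Password", "T7#kq9Lm!x2"):
        print(candidate, search_space(candidate), round(brute_force_bits(candidate), 1),
              password_weaknesses(candidate) or "accepted")
```

A 4-digit password has a search space of exactly 10,000 candidates (about 13 bits), which is why the 9-retry limit in the trading-site instance was no obstacle, and a vendor default is found on the first dictionary attempt regardless of its length; the third candidate passes every check and sits above 70 bits.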
The details are as follows:
- Attachment 1 Computer Virus Incident Report [Details]
- Attachment 2 Unauthorized Computer Access Incident Report [Details]
- Attachment 3 Observation Status by Internet Monitoring System (TALOT2)