This is a summary of the computer virus/unauthorized computer access incident reports for December 2006, together with the annual review of 2006, compiled by IPA.
Reminder for the Month:
“Be Cautious with Spyware (*1) that Steals Passwords for On-line Games!”
- Many viruses targeting on-line games are circulating -
Towards the end of the year, a rush of virus reports related to on-line games reached IPA.
Since this virus steals the password for an on-line game, the best measure is to install anti-virus software on your computer and keep its definition file up to date at all times.

Chart: Example of Virus Infection by Downloaded Program
This virus is a variant of W32/Looked (alias: W32/Phillis), whose original emerged in September 2006. The detection number of W32/Looked filed with IPA increased rapidly from 505 in October to about 0.37M in November, and about 0.23M was filed in December 2006. When W32/Looked infects a computer, it embeds spyware that steals the password for the on-line game “Lineage II”. If you log in to “Lineage II” from the infected computer, the spyware steals the ID and password and sends them to the attacker who planted the virus via the Web or mail.
The attacker then accesses the game using the stolen ID and password to acquire hard-to-get items illegally and sell them to third persons in the virtual world (a monetary transaction in the real world), etc.
To prevent damage caused by W32/Looked, do not rely on anti-virus software alone; also take the following fundamental precautionary measures.
- Be sure to fix the security holes (security deficiencies) in OSs and applications.
- Be sure not to open any attachment to e-mails received from unknown addresses.
- Be sure not to download any program blindly from suspicious sites.

Chart: Sample Screen of Billing Fraud
In most cases that urge you to pay, the site pretends that it has already acquired your private information. However, if you reached the malicious site by accident while net surfing, the site that claims you signed up with it can only obtain limited information such as your IP address, provider name, OS and the version number of the Web browser you are using, but not information that identifies you as a specific individual. Even if the owner of the malicious site who lured you there asks your provider for your private information, the provider will never disclose it, regardless of whether they already know your e-mail address or not.
The most important thing is to keep ignoring such fraudulent billing screens without panicking.
Never pay, and never make inquiries to the contact address written on the screen by e-mail or phone.
Most one-click billing fraud uses fake anime sites that pretend a malicious program has been executed, so commonly the billing screen is no longer displayed after the computer is rebooted. However, there are cases in which the billing screen appears again after the computer is rebooted, or appears on and off at intervals of several minutes. In those cases it is probable that some malicious code has been embedded in your computer, so be sure to carry out “Restore the system to a sound state using the system restore function”, one of the default functions, which is described later in this report. If the billing screen is still insistently displayed after you have taken the above measures, it is necessary to initialize your computer.
Countermeasures:
1. Restore the system to a sound state using the system restore function
Windows automatically selects a day and stores the state of the system on that day. Windows has a “system restore function” that can restore a sound state from that previously stored information when your computer behaves unstably or shows operational difficulties. The day on which the sound state is stored can also be configured by the user, in addition to the one configured automatically by the default settings.
Be sure to restore the system to a sound state using the “system restore function”, referring to the Microsoft homepage given below. Please note that if you installed or updated the OS or software between the selected day and now, that information is erased and you will have to re-install or update them again. However, documents, information sent or received via e-mail, the browsing history of homepages and the favorites created between the selected day and now will not be erased.
“How to Restore System”
http://www.microsoft.com/windowsxp/using/setup/support/sysrestore.mspx
2. Initialization
Restoring your PC to the state it was in when purchased. Be sure to follow the procedure described under “restoration of default state” in the instructions that came with your PC. Be sure to back up necessary data to removable/external media before you start the restoration process.
3. Others
Please feel free to consult IPA if you cannot work out how to carry out the restoration procedures, etc.
Note: 1 and 2 above are the most general measures. If you deem that system restoration and/or initialization is necessary, be sure to follow the instructions that came with your PC, as we cannot be responsible for difficulties, losses or damage, etc. caused while carrying out the above measures.
For further details, please refer to the following links as well.
IPA “Countermeasures when Billed from a Site Simply Clicked” (in Japanese)
http://www.ipa.go.jp/security/ciadr/oneclick.html
National Consumer Affairs Center of Japan “Don't be Panicked by the Method which Immediately Bills when a Site is Simply Clicked” (in Japanese)
http://www.kokusen.go.jp/soudan_now/click.html
National Consumer Affairs Center of Japan “The Method that Automatically Displays Bills on your Computer for a Single Click” (in Japanese)
http://www.kokusen.go.jp/soudan_now/d_seikyu.html
National Consumer Affairs Center of Japan – Nation-wide (in Japanese) (the following link is on the center's homepage)
http://www.kokusen.go.jp/map/
I. Reporting Status for Computer Virus
– for further details, please refer to Attachment 1 –
The detection number [1] of viruses for December was about 1.31M, a decrease of 17.3% from the 1.58M reported in November. In addition, the reported number [2] of viruses was 3,212, a decrease of 12.3% from the 3,664 reported in November.
[1] Detection number: the cumulative count of viruses found by a filer, as reported.
[2] Reported number: virus counts are aggregated: viruses of the same type and its variants reported by the same filer on the same day are counted as one case, regardless of how many viruses were actually found. In December, the reported number was 3,212, while the aggregated virus detection number was about 1.31M.
The highest detection number was for W32/Netsky with about 0.67M, followed by W32/Looked with about 0.23M and W32/Nuwar with about 0.17M. W32/Nuwar is a new virus that emerged at the end of December 2006 and sends users virus mail with subjects such as “Happy New Year!”. Its attachment is disguised as a new-year greeting but is actually a virus. Accordingly, be sure not to open the attachment carelessly.

Chart 1-1

Chart 1-2
II. Recommendations of Anti-Bot Measures
A bot is a kind of computer virus coded so that a malicious third party can manipulate the infected computer remotely. Since it is hard to notice the infection, the damage spreads further; once a bot network has been formed it can compromise the entire Internet. In addition, there are so many variants of bots that it is hard to respond fully with traditional virus removal methods. To realize a sufficiently secure Internet environment, the Ministry of Economy, Trade and Industry (METI) and the Ministry of Internal Affairs and Communications (MIC) jointly established the portal site “Cyber Clean Center” to widely provide the Internet community with countermeasures, etc. as part of their anti-bot program. IPA also participates in this program, working to further enhance anti-bot measures and to prevent reinfection among general Internet users in collaboration with security vendors. Please refer to the following web page for more information.
Cyber Clean Center
http://www.ccc.go.jp/
(in Japanese)

<Reference>
Reminder for the Month in February 2006: “Malicious Codes may be Installed if you Ignore Alert!!”
http://www.ipa.go.jp/security/english/virus/press/200601/E_PR200601.html
Computer Virus and Unauthorized Computer Access Report for September and for the 3rd Quarter
2. One-click Billing Fraud
http://www.ipa.go.jp/security/english/virus/press/200609/E_PR200609.html
Computer Virus and Unauthorized Computer Access Report for August
2. Consultation Number for the Damages by One-click Billing Fraud is Unchangeably Many!!
http://www.ipa.go.jp/security/english/virus/press/200608/E_PR200608.html
Brochure for Spyware Measures (in Japanese)
http://www.ipa.go.jp/security/antivirus/shiori.html
III. Reporting Status for Unauthorized Computer Access (includes Consultations)
– Please refer to Attachment 2 –
Report for unauthorized computer access and status of consultation
|                            | Jul. | Aug. | Sept. | Oct. | Nov. | Dec. |
|----------------------------|------|------|-------|------|------|------|
| Total for Reported (a)     | 15   | 50   | 46    | 22   | 24   | 10   |
| Damaged (b)                | 8    | 30   | 21    | 15   | 8    | 9    |
| Not Damaged (c)            | 7    | 20   | 25    | 7    | 16   | 1    |
| Total for Consultation (d) | 31   | 24   | 35    | 53   | 30   | 40   |
| Damaged (e)                | 18   | 13   | 26    | 37   | 20   | 23   |
| Not Damaged (f)            | 13   | 11   | 9     | 16   | 10   | 17   |
| Grand Total (a + d)        | 46   | 74   | 81    | 75   | 54   | 50   |
| Damaged (b + e)            | 26   | 43   | 47    | 52   | 28   | 32   |
| Not Damaged (c + f)        | 20   | 31   | 34    | 23   | 26   | 18   |
(1) Reporting Status of Unauthorized Computer Access
The reported number for December was 10, of which 9 were cases in which damage actually occurred.
(2) Accepting Status of Consultations relevant to Unauthorized Computer Access, etc.
The number of consultations relevant to unauthorized computer access was 40, of which 23 (1 of these was also counted as a report) were cases in which some sort of damage was reported.
(3) Status for Damage
The breakdown of the damage reports is: intrusion 6, DoS attack 1 and others (damaged) 2. The breakdown of the damage caused by intrusion is: alteration of files 5 and unauthorized log-in 1. As for the cause of the intrusion, there was 1 instance in which the password was cracked by an attack on the port (*3) used by SSH (*2).
Damage Instances:
[Intrusion]
(i) Attack on the port used by SSH
<Instance>
- When a network administrator checked the logs (*4) of the firewall, several attempts to access their server fraudulently were found.
- The server was examined. Some illegal log-ins that embedded malicious code and replaced basic commands with fraudulent ones were found.
- The causes were that log-in with administrator privileges from outside via SSH was allowed, with an easily guessable password, and that the domains allowed to connect via SSH had not been restricted.
(ii) Attacks which Exploit a Vulnerability of cgi (*6)
<Instance>
- An examination was conducted after a network administrator reported detecting altered web pages; it was found that a suspicious file had been installed in the directory of “postmail” (a mail-type cgi program that sends mail directly from the web), one of the web applications on a server managed by this business.
- It is probable that the server was used as a stepping stone to send spam (*7) containing links to the files that had been placed there.
- The cause was the use of an older version of postmail in which the vulnerability had not yet been resolved.
- The OSs (Mac OS) in use were also older versions, so they were updated immediately.
(iii) Password Cracking Attack (*5) on a Mail Server
<Instance>
- An examination was conducted because most accesses to the mail server resulted in errors when receiving mail internally; several fraudulent access attempts to the server were found.
- The server was under a password cracking attack (dictionary attack) from a specific IP address.
- These fraudulent access attempts were dealt with by filtering the IP address and the corresponding port numbers at the firewall.
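The SSH instance (i) and the mail-server instance (iii) share one pattern: repeated password guesses from a single source, which in (i) ended in a successful log-in. The script below, an added example that is not part of the IPA report, finds that pattern in constructed OpenSSH-style auth log lines and emits the host-firewall block rules that instance (iii) describes; the log format, the threshold and window values, and the iptables syntax are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed OpenSSH-style auth log (syslog has no year; 2006 is assumed).
# One source guesses root's password and then succeeds, as in the report.
SAMPLE_LOG = """\
Dec 15 03:12:01 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 40122 ssh2
Dec 15 03:12:02 web1 sshd[2103]: Failed password for root from 203.0.113.5 port 40123 ssh2
Dec 15 03:12:02 web1 sshd[2105]: Failed password for invalid user admin from 203.0.113.5 port 40124 ssh2
Dec 15 03:12:03 web1 sshd[2107]: Failed password for invalid user test from 203.0.113.5 port 40125 ssh2
Dec 15 03:12:04 web1 sshd[2109]: Failed password for root from 203.0.113.5 port 40126 ssh2
Dec 15 03:12:05 web1 sshd[2111]: Accepted password for root from 203.0.113.5 port 40127 ssh2
Dec 15 03:40:10 web1 sshd[2300]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Dec 15 03:41:55 web1 sshd[2302]: Accepted publickey for alice from 198.51.100.7 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse(lines, year=2006):
    """Yield (timestamp, result, method, user, ip) for each line that matches."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["method"], m["user"], m["ip"]

def find_bruteforce_sources(lines, threshold=5, window_seconds=60):
    """Return {ip: total failures} for sources with >= threshold failed
    password attempts in any window_seconds sliding window (assumed tuning)."""
    failures = defaultdict(list)
    for ts, result, method, _user, ip in parse(lines):
        if result == "Failed" and method == "password":
            failures[ip].append(ts)
    hits = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = len(times)
                break
    return hits

def successes_after_failures(lines, suspects):
    """Return {ip: user} for suspect sources that later logged in: the
    guessed password that turned the attempts into an intrusion."""
    first_fail, compromised = {}, {}
    for ts, result, _method, user, ip in parse(lines):
        if ip not in suspects:
            continue
        if result == "Failed":
            first_fail.setdefault(ip, ts)
        elif ip in first_fail and ts >= first_fail[ip]:
            compromised[ip] = user
    return compromised

def iptables_rules(ips, port=22):
    """Block offending sources on the SSH port at the host firewall, the
    response taken in the mail-server instance (iptables syntax assumed)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"
            for ip in sorted(ips)]
```

Running `find_bruteforce_sources(SAMPLE_LOG.splitlines())` flags 203.0.113.5 alone, and `successes_after_failures` then shows that the same source obtained root, which is the point at which the firewall rule is no longer enough and the host has to be examined as in instance (i).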
IV. Accepting Status of Consultation
The total number of consultations for December was 680. Of these, consultations relevant to “One-click Billing Fraud” numbered 130 (November: 155), consultations relevant to “High-pressured selling of software for security measures” 31 (November: 18) and consultations relevant to “Winny” 15 (November: 12), etc.
Movement in the total number of consultations accepted by IPA
|                           | July | August | Sept. | Oct.  | Nov. | Dec. |
|---------------------------|------|--------|-------|-------|------|------|
| Total                     | 767  | 793    | 933   | 1,002 | 711  | 680  |
| Automatic Response System | 444  | 460    | 575   | 580   | 423  | 394  |
| Telephone                 | 257  | 280    | 302   | 326   | 214  | 222  |
| e-mail                    | 66   | 48     | 51    | 93    | 72   | 59   |
| Fax, Others               | 0    | 5      | 5     | 3     | 2    | 5    |
*IPA consults/advises on computer viruses and unauthorized computer access as well as other information concerning overall security issues.
Mail: for virus issues, for crack issues.
Tel.: +81-3-5978-7509 (24-hour automatic response)
Fax: +81-3-5978-7518 (24-hour automatic response)
*The total case number includes the number in the Consultation (d) row of the chart in “III. Reporting Status for Unauthorized Computer Access” and “IV. Accepting Status of Consultation”.
*“Automatic Response System”: numbers accepted by the automatic response system
*“Telephone”: numbers accepted by Security Center personnel
[Reference]
Shift in the consultation number of one-click billing fraud

As for the countermeasures for One-click billing fraud, please refer to the following sites for further details.
Reminder for the month (for the month of January) “Malicious Codes may be Installed if you Ignore Alert!!”
http://www.ipa.go.jp/security/english/virus/press/200601/E_PR200601.html
Reporting Status of Computer Virus and Unauthorized Computer Access for September and the 3rd Quarter
2. One-click Billing Fraud
http://www.ipa.go.jp/security/english/virus/press/200609/E_PR200609.html
Reporting Status of Computer Virus and Unauthorized Computer Access for August
2. Consultation Number for the Damages by One-click Billing Fraud is Unchangeably Many!!
http://www.ipa.go.jp/security/english/virus/press/200608/E_PR200608.html
<Reference>
Shift in the consultation number for High-Pressured Selling of Security Software

As for the activities of high-pressured selling of security software, please also refer to the following link.
Reminder for the month (for the month of April) “Be Cautious with the High-pressured Selling Activities of Software for Security Measures!!”
http://www.ipa.go.jp/security/english/virus/press/200604/E_PR200604.html
The major consultations for the month are as follows.
(i) Is my computer targeted and attacked by someone…?
Consultation:
When I connect to the Internet, my security software alerts “access disconnection”. The IP address claimed to be the source of the access is displayed; the same phenomenon happens several times, but the IP address is always different from the previous ones. Is my computer specifically targeted for attack by someone?
Response:
When you connect to the Internet, your computer is always being accessed, whether maliciously or benignly. Generally, access attempts are conducted automatically, frequently and indiscriminately by tools (programs), regardless of whether the target is an individual or a corporation. As long as you are connected to the Internet, such access attempts on your computer are to be expected. Nowadays, many such access attempts target vulnerabilities by means of viruses. However, you do not have to worry if you close unnecessary ports and frequently update the security software and OS (Windows, etc.) you are using. If you can read “blocked” in the access logs of your security software, your computer is being protected by its firewall. Further, by adding a router (*8), most unnecessary accesses from outside can be blocked.
<Reference>
IPA – the Column in February 2005 “Router”
http://www.ipa.go.jp/security/english/virus/press/200502/TALOT200502.html
(ii) Infected by a virus from files acquired by file exchange (sharing) software…?
Consultation:
Ex. 1: There is a text-file-like icon named “xxx.txt .scr” in the zip-type music file downloaded by Winny. When I clicked the icon, my computer automatically shut down and rebooted continuously.
Ex. 2: Since last Friday, when I start up my computer, it displays a skull and crossbones mark and does not work properly. My family members are using Limewire.
Ex. 3: Antinny virus was detected in a file obtained from a certain site. Although I do not use file sharing software, the infected file was originally downloaded by WinMX.
Ex. 4: I was infected by a virus while I was using Winny. Each time I open files created by either Excel or Word, they are all shown as an ASCII “cat” and some Japanese letters meaning “Null Pointer”. The original files are completely lost.
Ex. 5: I was using Winny in a Windows 98 environment. When I opened a downloaded .exe file, Antinny was detected and deleted. Since then, the folders for upload files have increased in number, although I had never used the folders for uploaded files. Why?
Response:
To prevent virus infection, you should not download or open files from unknown sources. It is totally impossible to identify the source of a file downloaded from a file exchange network in which an unspecified large number of people participate. Accordingly, the only truly effective measure against such viruses is not to use file exchange software. You should realize that once infected you compromise yourself: the data on your computer is destroyed, private information leaks out and cannot be recovered, etc.
A friend or someone with whom you share the computer may use file exchange software even if you do not. Or a file of yours held by another person may have been downloaded by file exchange software. That is, you should not feel at ease even if you are not using file exchange software.
Some of the viruses that exploit the functions of file exchange software automatically alter the file upload configuration. It is very risky to use file exchange software without enough knowledge of it.
Even if you are not infected by a virus, there is a certain risk that file exchange software discloses confidential files by mistake because of its features. You should not use file exchange software only pursuing its advantages without recognizing the risks attached to it.
<Reference>
IPA – Reminder for the Month (March)
“Are you Aware? Your Private Data in your Computer may be Shared Among Unspecified Users if you Use File Exchange Software!”
http://www.ipa.go.jp/security/english/virus/press/200603/E_PR200603.html
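The “xxx.txt .scr” name in Ex. 1 works because padding and a borrowed document extension push the real executable extension out of sight. The following added example, not part of the IPA report, checks file names and the member list of a constructed zip archive for that disguise before anything is extracted; the extension lists, the heuristics and the sample archive are this example's own assumptions.

```python
import io
import os
import zipfile

# File types Windows runs as programs on double-click (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Extensions a disguised executable usually borrows to look like data.
DOCUMENT_EXTS = {".txt", ".jpg", ".gif", ".mp3", ".doc", ".xls", ".pdf", ".zip"}
# Constructed member name shaped like the one in Ex. 1 (six spaces of padding).
DISGUISED_NAME = "album/xxx.txt      .scr"

def real_extension(name):
    """The extension Windows acts on: the last one, compared case-insensitively,
    after dropping trailing spaces and dots (Win32 strips those from names)."""
    return os.path.splitext(name.rstrip(" ."))[1].lower()

def disguise_reasons(name):
    """Return the reasons a file name looks like a disguised executable
    (an empty list means nothing suspicious was found)."""
    ext = real_extension(name)
    if ext not in EXECUTABLE_EXTS:
        return []
    reasons = []
    stem = os.path.splitext(name.rstrip(" ."))[0]
    # "xxx.txt .scr": padding pushes the real extension out of view, and with
    # Explorer's default of hiding known extensions the name shows as "xxx.txt".
    if stem != stem.rstrip():
        reasons.append("whitespace padding before real extension " + ext)
    inner = os.path.splitext(stem.rstrip())[1].lower()
    if inner in DOCUMENT_EXTS:
        reasons.append("document extension " + inner + " in front of " + ext)
    if not reasons:
        reasons.append("executable " + ext + " inside a download")
    return reasons

def suspicious_members(zip_bytes):
    """Map each archive member name to its disguise reasons, omitting clean
    members. Only the member list is read, so nothing is extracted."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
    flagged = {}
    for name in names:
        reasons = disguise_reasons(name)
        if reasons:
            flagged[name] = reasons
    return flagged

def build_sample_zip():
    """A constructed archive like the downloaded 'music' zip in Ex. 1: two
    harmless members plus one padded screen-saver executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("album/track01.mp3", b"constructed, not real audio")
        zf.writestr("album/readme.txt", b"constructed sample text")
        zf.writestr(DISGUISED_NAME, b"MZ constructed, not a real program")
    return buf.getvalue()
```

`suspicious_members(build_sample_zip())` reports only the padded `.scr` member, with both reasons, while the `.mp3` and `.txt` members pass; the same check applied to a real download flags the file before the icon ever gets a chance to mislead.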
V. Accessing Status Captured by the Internet Monitoring (TALOT2) in December
According to the Internet Monitoring (TALOT2), the total number of unwanted (one-sided) accesses in December 2006 was 441,658 for 10 monitoring points. That is, the number of accesses was 1,425 from 344 source addresses per monitoring point per day.
Each monitoring environment for TALOT2 is nearly equal to the general connection environment used for the Internet, so it can be considered that the same amount of unwanted (one-sided) access is observed in the general Internet user's connection environment. In other words, your computer is being accessed from 344 unknown source addresses per day on average, or about 4 times from each source address that is considered unauthorized.

Chart 5.1: Unwanted (One-sided) Number of Access and Source Number of Access/Monitoring Point/Day
Chart 5.1 shows the number of accesses and the number of source addresses per monitoring point per day from January to December 2006. According to this chart, unwanted (one-sided) accesses increased slightly compared with November. This was caused by an increase in Ping (ICMP).
The overall number of accesses has been stable; however, most of these accesses seem to be bot infection activity (accesses that attempt to spread the bot infection by targeting vulnerabilities of computers) from computers already infected by bots.
Access to the 2967/tcp Port
The 2967/tcp port is the default port used by Symantec Client Security and Symantec AntiVirus. It is probable that the elevation-of-privilege vulnerability in Symantec Client Security and Symantec AntiVirus (SYM06-010), publicized on May 25, 2006, is being targeted. Some security vendors have analyzed a virus that exploits this vulnerability.
It is likely that this attacking method targeting the vulnerability is being exploited by bots. Users of Symantec Client Security and/or Symantec AntiVirus should immediately respond to the vulnerability, referring to the countermeasures and/or mitigations provided by Symantec.
According to the Internet monitoring (TALOT2), such accesses also come from domestic businesses. Please be cautious about them as well.
Symantec Client Security and Symantec AntiVirus Elevation of Privilege, publicized on May 25, 2006
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2006052609181248

Chart 5.1.1: Accesses that Seem to Target the Vulnerability in Symantec Products
For additional information, please refer to the following site.
Attachment 3: Observation Status Captured by the Internet Monitoring (TALOT2)
http://www.ipa.go.jp/security/english/virus/press/200612/TALOT200612.html
“Various Statistics Information Provided by Other Organizations/Vendors are Publicized in the Following Sites”
@police: http://www.cyberpolice.go.jp/english/
Trendmicro: http://www.trendmicro.com/en/home/us/home.htm
McAfee: http://www.mcafee.com/us/
“Interpretation for Glossaries”
(*1) Spyware: Software that fraudulently acquires information such as the user's personal information, access history, etc. and automatically sends it to a third person or party.
(*2) SSH (Secure Shell): A protocol or program used to log in to another computer via the network, execute commands on a remote computer and transfer files to another computer. Since data sent over the network is encrypted, a series of operations over the Internet can be conducted safely.
(*3) Port: A window that interfaces each service within a computer to the outside for exchanging information. Numbers from 0 to 65535 are used for ports, so they are also called port numbers.
(*4) Log: Records of the operating status of a computer or the status of data communication. Generally the operator's ID, the date and time of the operation, the contents of the operation, etc. are recorded.
(*5) Password Cracking: The approach of identifying someone else's password by analysis, etc. Approaches include brute-force attack, dictionary attack, etc., and there are also programs dedicated to cracking.
(*6) cgi (Common Gateway Interface): A Web server mechanism that sends the client the result of processing by a program on the web server that the client requested remotely.
(*7) Spam: Junk mail and/or bulk mail, or simply “Unwanted (One-sided) mail”. Regardless of whether the intent is commercial or not, spam refers to mail sent to an unspecified large number of recipients for the purpose of advertisement and/or harassment.
(*8) Router: A communication device that connects and/or relays between networks.
The details are as follows:
- Attachment 1 Computer Virus Incident Report [Details]
- Attachment 2 Unauthorized Computer Access Incident Report [Details]
- Attachment 3 Observation Status by Internet Monitoring System (TALOT2)
- Attachment 4 “Report Status for Computer Virus 2006”
- Attachment 5 “Report Status for Unauthorized Computer Access 2006”