This is a summary of computer virus/unauthorized computer access incident reports for February 2007 compiled by IPA.

Reminder for the Month: “You are Constantly Targeted by Someone from Somewhere”
- Be sure to conduct fundamental measures using security functions such as those of the OS, etc. -

According to TALOT2 (the Internet monitoring system operated by IPA), accesses that appear to probe Internet-connected computers for unresolved security holes have been increasing since the second half of 2006.

One plausible purpose of such access is to infect computers with malicious code such as bots and worms. Since a variety of threats attempt to access your computer illegally, you should recognize that your computer is likely to be accessed fraudulently as soon as it is connected to the Internet.

To protect your computer from such unexpected events, we encourage you to resolve security holes (by updating the OS and the software you use) and to use a firewall such as the Windows firewall built into the OS. If your Windows firewall is configured as [disabled] because of online games (this is not a recommended configuration), be sure to set it back to [valid] (enabled).

Note) Ten large Internet Service Providers (ISPs) share 80% of the Internet connections in Japan. IPA monitors in- and out-bound accesses on the Internet via ADSL, which is nearly equal to the general Internet users' connection environment, and analyzes illegal attempts to exploit vulnerabilities. For further details, please refer to page 4 of Attachment 4.
http://www.ipa.go.jp/security/english/virus/press/200702/TALOT200702overview.html

Please refer to the fundamental configuration steps to enable (validate) the Windows firewall described below.

- As for Windows XP
Procedures: “Start” - “Configuration” - “Control Panel” - “Windows Security Center” - “Windows Firewall”

- As for Windows Vista
Procedures: “ ” - “Control Panel” - “Security” - “Validates or Disables Windows Firewall”

Features for the Month

1. For the main instances of damage caused by unauthorized computer access, please refer to “3. Reporting Status for Unauthorized Computer Access” on page 5 of this report for further details.
- Attack on the port used by SSH
- Phishing site set up illegally

2. For the main instances of consultation (status of consultations accepted and instances of consultation), please refer to “5. Accepting Status of Consultation” on page 7 of this report for further details.
- A bill for an adult site came while searching for entertainers' information
- Phishing mails came

3. Internet monitoring (for further details, please refer to Attachment 4)
This is the first comprehensive and detailed interpretation of the Internet monitoring (TALOT2) conducted by IPA.
I. Reporting Status for Computer Virus
– For further details, please refer to Attachment 1 –

The detection number [1] of viruses for February was about 0.69M, a decrease of about 32.3% from the 1.02M reported in January. In addition, the reported number [2] of viruses for February was 3,098, a decrease of 11.8% from 3,513 in January.

[1] Detection number: Virus counts (cumulative) found by a filer, as reported.
[2] Reported number: Virus counts are aggregated: viruses of the same type and variants reported on the same day by the same filer are counted as one case, regardless of how many viruses or copies were actually found. In December, the reported number was 3,212, while the aggregated virus detection number was about 1.31M.

The worst detection number was for W32/Netsky with about 0.51M, followed by W32/Nuwar with about 0.06M and W32/Sality with about 0.04M.

Chart 1-1

Chart 1-2
II. W32/Nuwar Virus Spreading

W32/Nuwar virus was initially reported to IPA in December 2006, and reports have continued to be filed with IPA in the following January and February, which indicates that the virus is still spreading. This virus spreads by distributing a large quantity of virus mails from infected computers. When infected, the computer is hijacked or the user's private information is stolen, etc.

The Virus' Profile
W32/Nuwar is a virus which spreads by distributing a large quantity of virus mails. The virus creates a file which introduces another malicious code, named trojan_small, onto the infected computer. The trojan_small then downloads spyware from the Internet; accordingly, private information is likely to be stolen and/or important files deleted, etc.

McAfee:
http://vil.nai.com/vil/content/v_140835.htm
Symantec:
http://www.symantec.com/security_response/writeup.jsp?docid=2006-122917-0740-99
Trendmicro:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NUWAR.EL

Measures:
To prevent damage and/or to avoid enlarging any damage caused by the virus, be sure to conduct the following measures.
- Resolve security holes (by updating OSs and applications)
- Update virus signatures in anti-virus software and conduct scans regularly
- Do not open attachment files of suspicious e-mails

Information relevant to Anti-virus Measures:
“Information relevant to vaccine software” (in Japanese)
http://www.ipa.go.jp/security/antivirus/vacc-info.html
“Five must-dos for dealing with files attached to e-mail” (in Japanese)
http://www.ipa.go.jp/security/antivirus/attach5.html
“Seven anti-virus requirements for computer users” (in Japanese)
http://www.ipa.go.jp/security/antivirus/7kajonew.html

Information relevant to Resolving Security Holes:
“Procedures for Using Windows Update” (Microsoft)
http://www.microsoft.com/windowsxp/using/security/expert/russel_installsp2.mspx
III. Reporting Status for Unauthorized Computer Access (includes Consultations)
– Please refer to Attachment 2 –

Report for unauthorized computer access and status of consultation
|                            | Sept. | Oct. | Nov. | Dec. | Jan.'07 | Feb. |
|----------------------------|-------|------|------|------|---------|------|
| Total for Reported (a)     | 46    | 22   | 24   | 10   | 32      | 23   |
|   Damaged (b)              | 21    | 15   | 8    | 9    | 22      | 14   |
|   Not Damaged (c)          | 25    | 7    | 16   | 1    | 10      | 9    |
| Total for Consultation (d) | 35    | 53   | 30   | 40   | 52      | 50   |
|   Damaged (e)              | 26    | 37   | 20   | 23   | 25      | 28   |
|   Not Damaged (f)          | 9     | 16   | 10   | 17   | 27      | 22   |
| Grand Total (a + d)        | 81    | 75   | 54   | 50   | 84      | 73   |
|   Damaged (b + e)          | 47    | 52   | 28   | 32   | 47      | 42   |
|   Not Damaged (c + f)      | 34    | 23   | 26   | 18   | 37      | 31   |
(1). Reporting Status of Unauthorized Computer Access
The reported number for February was 23, of which 14 were actually damaged.

(2). Accepting Status of Consultations relevant to Unauthorized Computer Access, etc.
The number of consultations relevant to unauthorized computer access was 50, of which 28 (8 of which were also counted in the reported number) involved some sort of damage.

(3). Status for Damage
The breakdown of the damage reports is: Intrusion 6, DoS Attack 1, Source Address Spoofing 1 and others (damaged) 6.
The breakdown of the reported damage caused by intrusion is: exploited as a stepping-stone server to attack external sites 5, and contents placed to exploit for phishing (*1) 1. The causes of intrusion included: the password for the port used by SSH was analyzed (cracked), and vulnerabilities in OSs and server software were exploited.

Damage Instances:
[Intrusion]
(i) Attack on the Port (*3) Used by SSH (*2)…?
<Instance>
- “We have been accessed illegally from your site,” so we were informed by e-mail from outside the organization.
- A study of the site was conducted; it was then recognized that the server had been attacked and intruded upon via the port used by SSH. In addition, malicious code had been embedded in that server so that it could be exploited as a stepping-stone server to attack outside sites.
- The main causes were that the domains authorized to connect by SSH were not restricted and the password for the SSH log-in was easily guessable.

(ii) Phishing site was placed…?
<Instance>
- “When I access your site, I am unexpectedly sent to a site that seems to be an overseas financial institution,” so we were informed by a user who had browsed the site run by this company.
- A study of the site was conducted, and contents exploited for phishing were found on that server. We tried to check its access logs (*4), but they had all been deleted.
- The cause was that we had not updated the OS regularly, so vulnerabilities may have been exploited.
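As an added example that is not part of the IPA report, the following Python script shows how the pattern of intrusion instance (i) above, a burst of failed SSH password attempts from one source followed by an accepted login, can be picked out of sshd log lines; the log lines, host name, user names and addresses are constructed for the example, and the year is assumed because syslog lines carry none.

```python
"""Flag SSH password-guessing bursts in sshd log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format sshd writes via syslog; host, addresses
# and user names are invented for the example.
SAMPLE_LOG = """\
Feb 10 02:14:01 web1 sshd[2101]: Failed password for invalid user admin from 198.51.100.23 port 40122 ssh2
Feb 10 02:14:03 web1 sshd[2103]: Failed password for invalid user test from 198.51.100.23 port 40131 ssh2
Feb 10 02:14:05 web1 sshd[2105]: Failed password for root from 198.51.100.23 port 40140 ssh2
Feb 10 02:14:07 web1 sshd[2107]: Failed password for root from 198.51.100.23 port 40149 ssh2
Feb 10 02:14:09 web1 sshd[2109]: Failed password for root from 198.51.100.23 port 40158 ssh2
Feb 10 02:14:11 web1 sshd[2111]: Accepted password for root from 198.51.100.23 port 40167 ssh2
Feb 10 09:30:44 web1 sshd[2500]: Failed password for alice from 192.0.2.10 port 51000 ssh2
Feb 10 09:30:50 web1 sshd[2502]: Accepted publickey for alice from 192.0.2.10 port 51002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

def parse_events(log_text, year=2007):
    """Group (timestamp, result, user) tuples per source IP.
    syslog lines carry no year, so one is assumed."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[m["src"]].append((ts, m["result"], m["user"]))
    return events

def find_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {src: {"failures", "users", "success_after"}} for every source
    with at least `threshold` failed logins inside one `window`. "success_after"
    marks the reported case's pattern: a password accepted right after the
    burst, which should be treated as a compromise, not a blocked attempt."""
    findings = {}
    for src, evs in parse_events(log_text).items():
        fails = [(t, u) for t, r, u in evs if r == "Failed"]
        for i in range(len(fails) - threshold + 1):
            first, last = fails[i][0], fails[i + threshold - 1][0]
            if last - first <= window:  # burst: threshold failures inside window
                findings[src] = {
                    "failures": len(fails),
                    "users": sorted({u for _, u in fails}),
                    "success_after": any(r == "Accepted" and t > last
                                         for t, r, _ in evs),
                }
                break
    return findings

if __name__ == "__main__":
    for src, info in find_bruteforce(SAMPLE_LOG).items():
        print(src, info)
```

A single failure from the legitimate user is not reported at the default threshold; the guessing source is, together with the accepted login that followed it.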
IV. Accepting Status of Consultation
The gross number of consultations for February was 1019. Of these, consultations relevant to “One-click Billing Fraud” numbered 287 (January: 233), consultations relevant to “High-pressured selling of software for security measures” 22 (January: 17), and consultations relevant to “Winny” 14 (January: 13), etc.

Movement in the entire number of consultations accepted by IPA
|                             | Sept. | Oct.  | Nov. | Dec. | Jan.'07 | Feb. |
|-----------------------------|-------|-------|------|------|---------|------|
| Total                       | 933   | 1,002 | 711  | 680  | 946     | 1019 |
|   Automatic Response System | 575   | 580   | 423  | 394  | 582     | 603  |
|   Telephone                 | 302   | 326   | 214  | 222  | 324     | 336  |
|   e-mail                    | 51    | 93    | 72   | 59   | 39      | 75   |
|   Fax, Others               | 5     | 3     | 2    | 5    | 1       | 5    |
*IPA consults/advises on computer viruses/unauthorized computer accesses as well as other information concerning overall security issues.
Mail: for virus issues, for crack issues.
Tel.: +81-3-5978-7509 (24-hour automatic response)
Fax: +81-3-5978-7518 (24-hour automatic response)
*The Total case number includes the number in the Consultation (d) row of the chart in “III. Reporting Status for Unauthorized Computer Access” and “IV. Accepting Status of Consultation”.
*“Automatic Response System”: numbers accepted by the automatic response system
*“Telephone”: numbers accepted by the Security Center personnel

<Reference>
Shift in the consultation number for one-click billing fraud

As for measures against one-click billing fraud, please refer to the following sites.
Reminder for the month (for the month of January) “Malicious Codes may be Installed if you Ignore Alert!!”
http://www.ipa.go.jp/security/english/virus/press/200601/E_PR200601.html
Reporting Status of Computer Virus and Unauthorized Computer Access for September and the 3rd Quarter
2. One-click Billing Fraud
http://www.ipa.go.jp/security/english/virus/press/200609/E_PR200609.html
Reporting Status of Computer Virus and Unauthorized Computer Access for August
2. Consultation Number for the Damages by One-click Billing Fraud is Unchangeably Many!!
http://www.ipa.go.jp/security/english/virus/press/200608/E_PR200608.html

<Reference>
Shift in the consultation number for High-Pressured Selling of Security Software

As for the activities of high-pressured selling of security software, please also refer to the following link.
Reminder for the month (for the month of April) “Be Cautious with the High-pressured Selling Activities of Software for Security Measures!!”
http://www.ipa.go.jp/security/english/virus/press/200604/E_PR200604.html

The major consultations for the month are as follows.
(i) I was simply searching for information on an entertainer, but a bill for an adult site came! Why…?
Consultation:
While checking information on an entertainer, I found some blogs which may have been created by his/her fans. When I accessed one, some images of the entertainer were pasted there. Then I clicked the link for “View more” and was suddenly sent to an adult site. I was amazed, but clicked the link for “free images” as I was curious. Then the policy for membership was displayed and my age was required for sign-up. I clicked “OK” without reading thoroughly, and then a billing screen for the site usage fee appeared.
Response:
Do not panic. The first thing you have to do is re-boot your computer. In most cases, you do not necessarily have to worry about such an event if the billing screen does not appear at all after you have re-booted your computer. About 30% of the consultations about one-click billing fraud filed with IPA in February were such cases. In addition, cases in which users were induced from other sites are rapidly increasing. Accordingly, you always have to be cautious about what will happen next. Even if you are unexpectedly sent to an adult site, be sure to refrain from going forward out of curiosity. In most cases, it is clearly stated that the services provided from that point on are paid for. Accordingly, it is important to read the entire message displayed before you click, to prevent damage in advance.
(ii) Phishing mail came…?
Consultation:
The following mail came. Since neither its address nor the link in the content is from Yahoo, I refrained from clicking them.

From: “Yahoo JAPAN” < *488700@pp.love*.jp>
To: **@yahoo.co.jp
Subject: Yahoo! JAPAN – Procedure for User Account Continuity
-------------------------------------------------------------------------------
Yahoo! JAPAN – Procedure for User Account Continuity
-------------------------------------------------------------------------------
This message is automatically sent from Yahoo! JAPAN.
--- omitted ---
To continually use the Yahoo! Auction, it is necessary to renew your Yahoo! JAPAN ID user account. For further details, please refer to the pages for the user account continuity.
http:// *488700.love*.jp/

Response:
As with the instance above, be sure to be cautious with such phishing methods, which have users click links in the content believing that the messages are from service providers or financial institutions, etc. Upon clicking, you will be induced to entry pages for private information that imitate the legitimate pages.
Even if you are not familiar enough to tell whether an address is legitimate or fake, it is still effective not to click links within a mail easily, or to make sure by calling the service provider, etc.
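As an added example that is not part of the report, the following Python checks the two signs the consultee noticed in the mail above: the sender address and the link in the body belong to a domain other than the one the display name claims. The message, the brand-to-domain table and the domains are constructed for the example (reserved example names, not the masked values in the quoted mail), and the registrable-domain extraction is a heuristic, not a public suffix list lookup.

```python
"""Check a mail's claimed sender against the domains it links to (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed message with the structure of the quoted phishing mail; the
# domains are reserved example names, not the masked ones in the report.
SAMPLE_MAIL = """\
From: "Yahoo JAPAN" <488700@pp.love.example.net>
To: user@yahoo.co.jp
Subject: Yahoo! JAPAN - Procedure for User Account Continuity

This message is automatically sent from Yahoo! JAPAN.
To continually use the Yahoo! Auction, it is necessary to renew your
Yahoo! JAPAN ID user account. For further details, please refer to:
http://488700.love.example.net/
"""

# Domains a display name claims (constructed table; a real filter would carry
# a maintained list of brands and their domains). Keys are letters only.
BRAND_DOMAINS = {"yahoojapan": {"yahoo.co.jp"}}

URL_RE = re.compile(r"""https?://[^\s<>"']+""")

def registered_domain(host):
    """Crude registrable-domain extraction: last two labels, or three for
    second-level ccTLD names such as yahoo.co.jp (heuristic, not a PSL lookup)."""
    labels = host.lower().rstrip(".").split(".")
    if (len(labels) >= 3 and labels[-2] in {"co", "ne", "or", "ac", "go"}
            and len(labels[-1]) == 2):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def analyze_mail(raw):
    """Return sender domain, link domains and the reasons the mail looks like
    phishing (an empty list means no mismatch was found)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg["From"])
    sender_dom = registered_domain(addr.split("@")[-1]) if "@" in addr else ""
    link_doms = sorted({registered_domain(urlparse(u).hostname or "")
                        for u in URL_RE.findall(msg.get_payload())})
    claimed = BRAND_DOMAINS.get(re.sub(r"[^a-z]", "", display.lower()), set())
    reasons = []
    if claimed and sender_dom not in claimed:
        reasons.append(f"display name '{display}' but sender domain {sender_dom}")
    for d in link_doms:
        if claimed and d not in claimed:
            reasons.append(f"link domain {d} is not operated by the claimed brand")
        elif not claimed and d != sender_dom:
            reasons.append(f"link domain {d} differs from sender domain {sender_dom}")
    return {"sender_domain": sender_dom, "link_domains": link_doms, "reasons": reasons}

if __name__ == "__main__":
    for reason in analyze_mail(SAMPLE_MAIL)["reasons"]:
        print("suspicious:", reason)
```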
<Reference>
Ministry of Economy, Trade and Industry – CHECK PC! Campaign (by March 31, 2007) (in Japanese)
http://www.checkpc.go.jp/
IPA – Security Alert Towards the Damage Prevention by Spyware (in Japanese)
http://www.ipa.go.jp/security/topics/170720_spyware.html

V. Accessing Status Captured by the Internet Monitoring (TALOT2) in February
According to the Internet Monitoring (TALOT2), the total number of unwanted (one-sided) accesses in February 2007 was 330,685 for 10 monitoring points. That is, the number of accesses was 1,378 from 345 source addresses per monitoring point per day.
Since each monitoring environment of TALOT2 is nearly equal to the general connection environment used for the Internet, it can be considered that the same amount of unwanted (one-sided) access would be observed in general Internet users' connection environments. In other words, your computer is being accessed from 345 unknown source addresses per day on average, or about 4 times from each source address, and such access can be considered unauthorized.

Chart 5.1: Unwanted (One-sided) Number of Access and Source Number of Access/Monitoring Point/Day in Average
Chart 5.1 shows the number of accesses and the number of source addresses per monitoring point per day for the respective months from August 2006 to February 2007. According to this chart, unwanted (one-sided) accesses tended to decrease slightly compared with January and returned to the level of December 2006. Such a tendency might have been caused by the stabilization of Ping (ICMP*) accesses and the stabilization of accesses targeting vulnerabilities in computers.
As for the entire access contents, it seems that most of the accesses were bot infection activities (accesses which attempt to spread bot infection by targeting vulnerabilities in computers) from computers already infected by bots.
* Internet Control Message Protocol: a protocol which checks whether the computer on the other side is operating or not.
The accessing status in February 2007 was almost the same as in January 2007. It could be considered that the infection activities by bots might have peaked, as can be seen from the stabilization of Ping (ICMP) accesses and the decreasing tendency of accesses (those targeting port 2967/tcp) targeting the vulnerabilities in Symantec Client Security and Symantec AntiVirus described previously.
Because the system maintenance period for TALOT2 fell at the beginning of February 2007, its monitoring data could not be recorded from February 2 to 5; it seems that the above-mentioned accesses stabilized during that period.
Since TALOT2 monitors unwanted in- and out-bound accesses on the Internet one-sidedly, it does not respond to Ping (ICMP) accesses. Accordingly, TALOT2 cannot monitor the accesses that would follow if it did respond to Ping (ICMP); such an access could be one confirming that the computer targeted for attack is in operation.

Chart 5.2: Ping (ICMP) Accesses from October 2006 to February 2007
Chart 5.2 shows the shift in the number of Ping (ICMP) accesses classified by source area. The graph also shows the increase in accesses after November 2006 and a temporary increase in accesses from the China area. As can be seen, the increase in accesses from China monitored in January was resolved after February 6. Along with such accesses from other source areas, the increasing tendencies gradually stabilized. The causes of these accesses have not yet been clarified, and the threats still continue.
Relevant to the above information, please refer to the following site for further details.
Attachment 3_Observation Status Captured by the Internet Monitoring (TALOT2)
http://www.ipa.go.jp/security/english/virus/press/200702/TALOT200702.html
As for the new intent, “General Information of Internet Monitoring in IPA”, please refer to the following site.
http://www.ipa.go.jp/security/english/virus/press/200702/TALOT200702overview.html

“Various Statistics Information Provided by Other Organizations/Vendors is Publicized in the Following Sites”
@police: http://www.cyberpolice.go.jp/english/
Trendmicro: http://www.trendmicro.com/en/home/us/home.htm
McAfee: http://www.mcafee.com/us/
“Interpretation for Glossaries”
(*1) Phishing:
Spoofing or masquerading as the mail or web pages of existing businesses such as banks, etc., in order to illegally obtain the user IDs and passwords of legitimate users who open or browse such mails or web pages. “Fishing” is the origin of the word “phishing”, but there are several theories, such as that “f” was exchanged for “ph” according to hackers' naming convention, that it is a coined word from “sophisticated” and “fish”, or that it is a shortened form of “password harvesting fishing”, etc.
(*2) SSH (Secure Shell):
A protocol or a program used to log in to another computer via the network, execute commands on a remote computer and transfer files to another computer. Since the data sent via the network is encrypted, a series of operations through the Internet can be conducted safely.
(*3) Port:
A window that interfaces each service within a computer with the outside for exchanging information. Numbers from 0 to 65535 are used for the ports, so they are also called Port Numbers.
(*4) Log:
Records of the status of a service on a computer or the status of data communication. Generally, the operator's ID, the time and date of the operation, the contents of the operation, etc. are recorded.

The details are as follows:
- Attachment 1 Computer Virus Incident Report [Details]
- Attachment 2 Unauthorized Computer Access Incident Report [Details]
- Attachment 3 Observation Status by Internet Monitoring System (TALOT2)
- Attachment 4 General Information of Internet Monitoring in IPA