This is a summary of the computer virus and unauthorized computer access incident reports for March 2007 and the 1st Quarter (January to March) compiled by IPA.
Reminder for the Month:
“You Don't Ignore the Warning Screen, Do You?”
- Never proceed past a warning; doing so can install malicious code!! -
The number of consultations about one-click billing fraud reported to IPA has set a new record every month since February 2007: the number for March was 316 (please also refer to the Shift in the Number of Consultations on One-click Billing Fraud on p. 7 for further details).
On Windows, when you click an image or a video on an ordinary web page, the image viewer or the media player already installed on the computer starts automatically. However, if a virus or other malicious code that causes one-click billing fraud is placed on the page disguised as an image or video, Windows displays a warning screen (Chart a) asking whether the program (the virus or malicious code) should be downloaded and run. In such a case, be sure to click “Cancel” and do not proceed.
Interpretation of the warning screen in Chart a
The warning screen has three fields: the “name” of the program file, the “type” of the program file and the “source” of the program file. In the example in the chart below, the “type” reads “Application”, meaning that the file is a program. If you intended to download an image, the “type” should not be a program. When warned, check the “type” and the “source” of the file, and do not hesitate to click “Cancel” if any of the file's attributes differ from what you requested.
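The check described above (does the file's type match what was requested?) can also be performed on the downloaded bytes themselves, since a file that is actually a program starts with the “MZ” header regardless of the name it was given. The following Python script is an added example and is not part of the IPA report; the file names and byte strings are constructed for the demonstration, and the `fake_pe` helper builds only the minimal header fields needed to show the check.

```python
import struct

# File signatures ("magic numbers"): images start with well-known byte sequences,
# a Windows program starts with the "MZ" DOS header.
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "exe": b"MZ",
}

IMAGE_EXTENSIONS = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}


def sniff_type(data: bytes) -> str:
    """Classify a file by its leading bytes, not by its name."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"


def claimed_type(filename: str) -> str:
    """What the name says the file is; only the last extension counts,
    so "movie.avi.exe" claims to be a program, not a video."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext == "exe":
        return "exe"
    return IMAGE_EXTENSIONS.get(ext, "unknown")


def is_program(data: bytes) -> bool:
    """A PE file carries "MZ" at offset 0 and, at offset 0x3c, the offset of the
    "PE\\0\\0" header; both must be present."""
    if not data.startswith(b"MZ") or len(data) < 0x40:
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_offset:pe_offset + 4] == b"PE\0\0"


def check_download(filename: str, data: bytes) -> dict:
    """Compare the claimed type against the real one and decide like the user
    at the warning screen should: cancel whenever the file is a program or
    is not what was requested."""
    claimed = claimed_type(filename)
    actual = sniff_type(data)
    program = is_program(data)
    if program or actual == "exe":
        verdict = "cancel"      # a program, whatever it was called
    elif claimed != actual:
        verdict = "mismatch"    # not the requested kind of file: cancel too
    else:
        verdict = "ok"
    return {"claimed": claimed, "actual": actual, "program": program, "verdict": verdict}


def fake_pe() -> bytes:
    """Constructed minimal PE-like header for the demo (not a real program):
    "MZ" at 0, e_lfanew = 0x40 at offset 0x3c, "PE\\0\\0" at 0x40."""
    header = bytearray(0x44)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    header[0x40:0x44] = b"PE\0\0"
    return bytes(header)


if __name__ == "__main__":
    # Constructed samples: a genuine JPEG and a program disguised as a picture.
    print(check_download("cute_cat.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16))
    print(check_download("photo.gif", fake_pe()))
```

The verdict for `photo.gif` containing a PE header is “cancel”: the name promises a picture, the bytes are a program, which is exactly the mismatch the warning screen's “type” field exposes.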

Chart a: Warning Screen when Downloading Files in Windows Vista/Windows XP
If you click “Run” in the warning screen in Chart a, a second warning screen (Chart b) appears and asks again whether you wish to run the program.
Windows has a built-in mechanism that verifies the source (publisher) of a program. If the source has been verified, the name of the “source” appears in the warning screens. In the example in Chart b, however, the source is unknown, so it cannot be trusted. Therefore, be sure to click “Cancel” and do not proceed.

Chart b: Warning Screen of Internet Explorer in Windows Vista/Windows XP
In Windows Vista, the new function “UAC: User Account (*1) Control” shows the screen in Chart c to stop programs from starting through an unintended user action or an operation that was allowed unwillingly, for example when a word processor or a device driver is installed or the system configuration is changed.
Even if you click “Run” in the warning screen in Chart b by mistake, the UAC prompt appears so that you can easily check the “source” and the content of the warning. In the example in Chart c, the source field shows “Unidentified”; be sure to click “Cancel” and do not “Run”.

Chart c: Example of a UAC Warning Message
As shown above, Windows Vista automatically guards against malicious code such as viruses and spyware by raising a UAC prompt before an incident occurs, even when a user tries to run an unauthorized program by mistake.
Since the UAC function is enabled by default, be sure not to disable it.
(Reference)
Windows Vista Developer Center > Security (in Japanese)
http://www.microsoft.com/japan/msdn/windowsvista/security/
IPA – Response procedure in case you are billed after simply clicking an image (in Japanese)
http://www.ipa.go.jp/security/ciadr/oneclick.html
IPA – Seven anti-virus requirements for computer users
IPA – Five must-dos for dealing with files attached to email
http://www.ipa.go.jp/security/english/virus/antivirus/shiori-e.html
I. Reporting Status for Computer Viruses
– for further details, please refer to Attachment 1 –
The detection number [1] of viruses for March was about 0.66M, a decrease of about 4.6% from the 0.69M reported in February.
In addition, the reported number [2] of viruses for March was 2,933, a decrease of 5.3% from 3,098 in February.
[1] Detection number: the cumulative count of viruses found by the reporting parties (filers).
[2] Reported number: virus counts are aggregated: viruses of the same type, including its variants, reported by the same filer on the same day are counted as one case, regardless of how many viruses were actually found by that filer on that day. In December, the reported number was 3,212 while the aggregated virus detection number was about 1.31M.
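The two footnotes define two different counts over the same reports, which is why the detection number runs into the hundreds of thousands while the reported number stays in the low thousands. The following Python script is an added example and not IPA's own tabulation code; the `VirusReport` records are constructed sample data (three filers over three days), and the field names are assumptions made for the demonstration.

```python
from collections import Counter, defaultdict
from typing import Iterable, NamedTuple


class VirusReport(NamedTuple):
    filer: str     # reporting party (the "filer")
    day: str       # date of the report, YYYY-MM-DD
    family: str    # virus type, e.g. W32/Netsky
    variant: str   # variant letter; variants of one type share a case
    found: int     # number of viruses actually found in that report


# Constructed sample reports (not IPA data).
SAMPLE_REPORTS = [
    VirusReport("filer-A", "2007-03-01", "W32/Netsky", "Q", 120),
    VirusReport("filer-A", "2007-03-01", "W32/Netsky", "P", 35),   # same filer/day/type -> same case
    VirusReport("filer-A", "2007-03-02", "W32/Netsky", "Q", 40),   # next day -> new case
    VirusReport("filer-B", "2007-03-01", "W32/Netsky", "Q", 10),   # another filer -> new case
    VirusReport("filer-B", "2007-03-01", "VBS/Solow", "A", 3),
    VirusReport("filer-C", "2007-03-03", "W32/Sality", "", 7),
    VirusReport("filer-C", "2007-03-03", "W32/Sality", "", 2),     # second report, same case
]


def detection_number(reports: Iterable[VirusReport]) -> int:
    """[1] Detection number: cumulative count of viruses found."""
    return sum(r.found for r in reports)


def reported_number(reports: Iterable[VirusReport]) -> int:
    """[2] Reported number: one case per (filer, day, virus type), whatever the count
    and whichever variants were involved."""
    return len({(r.filer, r.day, r.family) for r in reports})


def detections_by_family(reports: Iterable[VirusReport]) -> list:
    """Ranking behind "the highest detection number was for ...": detections per type,
    highest first."""
    totals = Counter()
    for r in reports:
        totals[r.family] += r.found
    return totals.most_common()


def cases_by_family(reports: Iterable[VirusReport]) -> dict:
    """Reported (case) numbers per type, for comparison with the detection ranking."""
    cases = defaultdict(set)
    for r in reports:
        cases[r.family].add((r.filer, r.day))
    return {family: len(keys) for family, keys in cases.items()}


if __name__ == "__main__":
    print("detection number:", detection_number(SAMPLE_REPORTS))   # 217
    print("reported number:", reported_number(SAMPLE_REPORTS))     # 5
    print("by family:", detections_by_family(SAMPLE_REPORTS))
    print("cases by family:", cases_by_family(SAMPLE_REPORTS))
```

Seven reports yield 217 detections but only 5 cases: the two W32/Netsky variants reported by filer-A on the same day collapse into one case, as do the two W32/Sality reports from filer-C. A mass-mailing worm such as W32/Netsky therefore dominates the detection ranking far more than it dominates the case count.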
The highest detection number was for W32/Netsky with about 0.52M, followed by VBS/Solow with about 0.04M and W32/Sality with about 0.03M.

Chart 1-1

Chart 1-2
II. Reporting Status for Unauthorized Computer Access (includes Consultations)
– Please refer to Attachment 2 –
Reports of unauthorized computer access and status of consultations
                            | Oct. | Nov. | Dec. | Jan.'07 | Feb. | Mar. |
Total for Reported (a)      |  22  |  24  |  10  |   32    |  23  |  13  |
  Damaged (b)               |  15  |   8  |   9  |   22    |  14  |   9  |
  Not Damaged (c)           |   7  |  16  |   1  |   10    |   9  |   4  |
Total for Consultation (d)  |  53  |  30  |  40  |   52    |  50  |  43  |
  Damaged (e)               |  37  |  20  |  23  |   25    |  28  |  20  |
  Not Damaged (f)           |  16  |  10  |  17  |   27    |  22  |  23  |
Grand Total (a + d)         |  75  |  54  |  50  |   84    |  73  |  56  |
  Damaged (b + e)           |  52  |  28  |  32  |   47    |  42  |  29  |
  Not Damaged (c + f)       |  23  |  26  |  18  |   37    |  31  |  27  |
(1) Reporting Status for Unauthorized Computer Access
The reported number for March was 13, of which 9 involved actual damage.
(2) Accepting Status for Consultations relevant to Unauthorized Computer Access, etc.
The number of consultations relevant to unauthorized computer access was 43, of which 20 (4 of them also counted in the reported number) involved some sort of damage.
(3) Status of Damage
The breakdown of the damage reports is: intrusion 2, DoS attack 1, source address spoofing 1 and others (damaged) 4.
The breakdown of the reported damage caused by intrusion is: a server exploited as a stepping stone for attacks on external sites, 1; and destruction of data within a server, 1. The causes of intrusion were: the password for the port (*3) used by SSH (*2) was broken by a password cracking attack (*4), and vulnerabilities were exploited.
Damage Instances:
[Intrusion]
(i) Data was destroyed by an intrusion exploiting a vulnerability in a cgi (*5) program…?
<Instance>
- The web server that operates a database suddenly stopped.
- Investigation revealed that the database file had been destroyed.
- The cause was an intrusion by an OS command injection attack that exploited a vulnerability in a cgi program run by the web server to execute unauthorized code.
(ii) Confronted by phishing (*6) fraud…?
<Instance>
- When I tried to bid on goods listed on an auction site, I found that my auction account had been suspended. The reason given was “listing of illegal goods”, but I had never done so.
- Two weeks earlier, I had received a mail confirming continued use of my current auction account, and I readily entered my ID, password and credit card number where the mail led me. When I checked the mail again, I found that the sender had nothing to do with the auction site.
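Instance (i) above is the classic cgi defect: a request parameter is spliced into a command line that a shell interprets, so a metacharacter in the parameter runs a second command with the web server's privileges. The following Python script, an added example that is not code from the report or from the affected server, shows the defective pattern next to its hardened form. The `host` parameter and the use of `echo` as a stand-in for the real lookup tool are assumptions made so that the demonstration runs anywhere.

```python
import re
import subprocess
from urllib.parse import parse_qs

# Allow-list for a hostname: labels of letters, digits and hyphens, joined by dots.
HOSTNAME_RE = re.compile(
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def lookup_unsafe(host: str) -> str:
    """VULNERABLE: the parameter is spliced into a shell command line, so ";" and
    similar metacharacters make the shell run whatever follows them.
    "echo" stands in for the real lookup tool (constructed for the demo)."""
    completed = subprocess.run(f"echo {host}", shell=True, capture_output=True, text=True)
    return completed.stdout


def is_valid_hostname(host: str) -> bool:
    """Reject anything that is not a plain hostname before it reaches a program."""
    return 0 < len(host) <= 253 and HOSTNAME_RE.fullmatch(host) is not None


def lookup_safe(host: str) -> str:
    """HARDENED: allow-list validation plus argv form with shell=False, so the value
    reaches the program as one argument and is never parsed by a shell."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected hostname parameter: {host!r}")
    completed = subprocess.run(["echo", host], shell=False, capture_output=True, text=True)
    return completed.stdout


def handle_request(query_string: str) -> str:
    """cgi-style entry point: the parameter comes straight from the request and is
    answered with CGI headers; bad input gets a 400 instead of a shell."""
    params = parse_qs(query_string)
    host = params.get("host", [""])[0]
    try:
        body = lookup_safe(host)
    except ValueError:
        return "Status: 400 Bad Request\n\n"
    return "Content-Type: text/plain\n\n" + body


if __name__ == "__main__":
    # Constructed request values: a normal one and one carrying a second command.
    print(lookup_unsafe("example.com; echo INJECTED"))   # shell runs both commands
    print(handle_request("host=example.com"))
    print(handle_request("host=example.com%3B+echo+INJECTED"))
```

With the unsafe variant the marker `INJECTED` appears in the output because the shell executed the text after the semicolon; the hardened variant rejects the same parameter with a 400 and, even if validation were skipped, would hand the whole string to the program as a single argument. Running the cgi process under a low-privilege account bounds the damage when such a defect is missed, which is the difference between a defaced page and a destroyed database.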
III. Accepting Status of Consultations
The gross number of consultations for March was 1127. Of these, 316 were relevant to “One-click Billing Fraud” (February: 287), 23 to “High-pressure selling of security software” (February: 23) and 5 to “Winny” (February: 14), etc.
Movement in the total number of consultations accepted by IPA
                            | Oct.  | Nov. | Dec. | Jan.'07 | Feb. | Mar. |
Total                       | 1,002 |  711 |  680 |   946   | 1019 | 1127 |
  Automatic Response System |   580 |  423 |  394 |   582   |  603 |  697 |
  Telephone                 |   326 |  214 |  222 |   324   |  336 |  376 |
  e-mail                    |    93 |   72 |   59 |    39   |   75 |   54 |
  Fax, Others               |     3 |    2 |    5 |     1   |    5 |    0 |
*IPA consults and advises on computer viruses and unauthorized computer access as well as on other overall security issues.
Mail: for virus issues, for crack issues.
Tel.: +81-3-5978-7509 (24-hour automatic response)
Fax: +81-3-5978-7518 (24-hour automatic response)
*The total case number includes the numbers in the Consultation (d) row of the chart in “III. Reported Status for Unauthorized Computer Access” and “IV. Accepting Status of Consultation”.
*“Automatic Response System”: number of cases accepted by the automatic response system
*“Telephone”: number of cases accepted by Security Center personnel
<Reference>
Shift in the number of consultations on one-click billing fraud

For measures against one-click billing fraud, please refer to the following site.
Reporting Status of Computer Virus and Unauthorized Computer Access for September and the 3rd Quarter
2. One-click Billing Fraud
http://www.ipa.go.jp/security/english/virus/press/200609/E_PR200609.html
Reporting Status of Computer Virus and Unauthorized Computer Access for August
2. Consultation Number for the Damages by One-click Billing Fraud is Unchangeably Many!!
http://www.ipa.go.jp/security/english/virus/press/200608/E_PR200608.html
<Reference>
Shift in the number of consultations on High-pressure Selling of Security Software

For the activities of high-pressure selling of security software, please also refer to the following link.
Reminder for the month (for the month of April)
“Be Cautious with the High-pressured Selling Activities of Software for Security Measures!!”
http://www.ipa.go.jp/security/english/virus/press/200604/E_PR200604.html
The major consultations for the month are as follows.
(i) I searched for a safe adult site, but…?
Consultation:
Since I had heard that there are many fraudulent activities on adult sites nowadays, I tried to find a safe one, so I accessed one of the sites returned for keywords such as “porno” and “not phishy” in a search via a major provider. When I clicked a file that seemed to be a video, it asked me to enter my “age”, and I clicked the “OK” button without much thought. As a result, a billing screen appeared with the message “Thank you for your registration with our site”.

Response:
Currently, many people are being caught by the traps of one-click billing fraud, contrary to their intentions. It is likely that the operators of such malicious sites deliberately set them up to match keywords such as “porno” and “not phishy”. Accordingly, be cautious when you access sites found through such keyword searches, as the results may include unsafe sites as well.
<Reference>
IPA – Reminder for December 2006 “Do not be easily tempted, there are many traps hiding on the Internet!!”
http://www.ipa.go.jp/security/english/virus/press//200611/E_PR200611.html
IPA – Reminder for August 2006 “If you feel something suspicious, be sure to get back where you were before!!”
http://www.ipa.go.jp/security/english/virus/press//200607/E_PR200607.html
(ii) A phishing mail came…?
Consultation:
Since several days ago, my computer has suddenly started to display “Your computer is likely to be damaged by forged software.” Is my computer infected by some virus? My computer was customized by myself, and it was handed over to me by one of my acquaintances.
Chart 3-2: Warning Screen
Response:
The message displayed on your computer comes from a program provided by Microsoft since February 2007 to counter illegal copying of software (Windows Genuine Advantage Notifications). This feature is also built into Windows Vista, released in January 2007. The message means that the Windows installed on your computer is probably not a legitimate copy and may be an illegally copied or pirated version. It is best to inquire with the source from which you obtained your computer. If the Windows is not a legitimate version, you need to obtain a legitimate license.
<Reference>
Microsoft – Overview of Windows Genuine Advantage Notifications
http://www.microsoft.com/genuine/About.Notifications.aspx
IV. Access Status Captured by the Internet Monitoring (TALOT2) in March
According to the Internet Monitoring (TALOT2), the total number of unwanted (one-sided) accesses in March 2007 was 402,140 across 10 monitoring points. That is, there were 1,297 accesses from 327 source addresses per monitoring point per day.
Since each TALOT2 monitoring environment is nearly equivalent to the connection environment generally used for the Internet, the same amount of unwanted (one-sided) access can be expected in a general Internet user's connection environment. In other words, your computer is accessed by 327 unknown source addresses per day on average, or about 4 times from each source address that is considered unauthorized.

Chart 4.1: Number of Accesses and Number of Source Addresses per Monitoring Point per Day
Chart 4.1 shows the average number of accesses and number of source addresses per day from October 2006 to March 2007. According to this chart, unwanted (one-sided) accesses decreased slightly compared with February 2007 and returned to the level of November 2006. Overall, the access status has stabilized.
The access status in March 2007 is almost the same as in February 2007. However, incidents of such access exploiting vulnerabilities in remotely operated computers were reported in the press (*7): be even more cautious about such accesses.
Access to port 22/tcp is likely a search for SSH (Secure Shell) servers with weak password authentication. Computers that respond to such access are then subjected to brute-force or dictionary attacks to break the password. Accordingly, the password is likely to be broken if a weak (easy) password has been configured.
Organizations and corporations that use SSH (Secure Shell) should strengthen their monitoring, and review the administrative structure of their servers and their security policies.
<Reference>
IPA – Configuration and Operation of Secured Web Servers – User Authentication (in Japanese)
http://www.ipa.go.jp/security/awareness/administrator/secure-web/chap6/6_userauth-1.html
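The monitoring the report asks SSH operators to strengthen starts with the server's own authentication log: a password-guessing source shows up as a burst of “Failed password” lines, and a dictionary-style run additionally cycles through many user names. The following Python script is an added example and not part of the IPA report or of TALOT2; the log lines are constructed samples in OpenSSH's syslog format using documentation address ranges (192.0.2.0/24, 198.51.100.0/24), and the window and threshold defaults are assumptions to be tuned per site.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample sshd log lines (syslog format, no year). 192.0.2.10 guesses
# several accounts within seconds; 198.51.100.7 is a user who mistyped once;
# 192.0.2.77 probes root slowly, one attempt every two hours.
SAMPLE_AUTH_LOG = """\
Mar 15 02:10:01 gw sshd[4011]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Mar 15 02:10:03 gw sshd[4012]: Failed password for invalid user test from 192.0.2.10 port 51235 ssh2
Mar 15 02:10:05 gw sshd[4013]: Failed password for root from 192.0.2.10 port 51236 ssh2
Mar 15 02:10:07 gw sshd[4014]: Failed password for invalid user oracle from 192.0.2.10 port 51237 ssh2
Mar 15 02:10:09 gw sshd[4015]: Failed password for invalid user guest from 192.0.2.10 port 51238 ssh2
Mar 15 02:10:11 gw sshd[4016]: Failed password for root from 192.0.2.10 port 51239 ssh2
Mar 15 02:11:30 gw sshd[4020]: Failed password for alice from 198.51.100.7 port 40010 ssh2
Mar 15 02:11:45 gw sshd[4021]: Accepted password for alice from 198.51.100.7 port 40011 ssh2
Mar 15 03:40:00 gw sshd[4101]: Failed password for root from 192.0.2.77 port 33001 ssh2
Mar 15 05:40:00 gw sshd[4102]: Failed password for root from 192.0.2.77 port 33002 ssh2
Mar 15 07:40:00 gw sshd[4103]: Failed password for root from 192.0.2.77 port 33003 ssh2
Mar 15 09:40:00 gw sshd[4104]: Failed password for root from 192.0.2.77 port 33004 ssh2
Mar 15 11:40:00 gw sshd[4105]: Failed password for root from 192.0.2.77 port 33005 ssh2
Mar 15 13:40:00 gw sshd[4106]: Failed password for root from 192.0.2.77 port 33006 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(log_text: str, year: int = 2007) -> list:
    """Turn log lines into (timestamp, result, user, ip) tuples; syslog omits the
    year, so it is supplied by the caller."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events: list, window_sec: int = 300, threshold: int = 5) -> dict:
    """Flag sources with >= threshold failures inside any sliding window of
    window_sec seconds; many distinct user names in that window indicate a
    dictionary / account-enumeration run rather than repeated guesses at one login."""
    failures = defaultdict(list)
    for ts, result, user, ip in events:
        if result == "Failed":
            failures[ip].append((ts, user))
    alerts = {}
    for ip, attempts in failures.items():
        attempts.sort()
        best_count, best_users, start = 0, set(), 0
        for end, (t_end, _) in enumerate(attempts):
            while (t_end - attempts[start][0]).total_seconds() > window_sec:
                start += 1
            count = end - start + 1
            if count > best_count:
                best_count = count
                best_users = {u for _, u in attempts[start:end + 1]}
        if best_count >= threshold:
            alerts[ip] = {
                "failures": best_count,
                "distinct_users": len(best_users),
                "pattern": "dictionary" if len(best_users) >= 3 else "password guessing",
            }
    return alerts


def persistent_sources(events: list, min_failures: int = 6) -> dict:
    """Second, window-free view: total failures per source over the whole file,
    which catches the slow probe that never trips the burst threshold."""
    counts = Counter(ip for _, result, _, ip in events if result == "Failed")
    return {ip: n for ip, n in counts.items() if n >= min_failures}


if __name__ == "__main__":
    evs = parse(SAMPLE_AUTH_LOG)
    print("burst alerts:", detect_bruteforce(evs))
    print("persistent sources:", persistent_sources(evs))
```

The burst detector flags only 192.0.2.10 (six failures in ten seconds across five user names); 192.0.2.77 never has more than one failure in any five-minute window and is only caught by the whole-file count, which is why both views are worth keeping. Either list is a reasonable feed for a firewall block or for the review of server administration the report recommends.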

Chart 4.2: Shift in Number of Accesses Classified by Source Area / 9 Points
For further details on the above information, please refer to the following site.
Attachment 3 Observation Status Captured by the Internet Monitoring (TALOT2)
http://www.ipa.go.jp/security/english/virus/press/200703/TALOT200703.html
“Various Statistics Provided by Other Organizations/Vendors are Published at the Following Sites”
@police: http://www.cyberpolice.go.jp/english/
Trendmicro: http://www.trendmicro.com/en/home/us/home.htm
McAfee: http://www.mcafee.com/us/
“Glossary”
(*1) Account: a privilege that allows a legitimate user to use resources on a computer and/or on the Internet.
(*2) SSH (Secure Shell): a protocol, and the programs implementing it, used to log in to another computer over the network, execute commands on a remote computer and transfer files to another computer. Since data on the network is encrypted, a series of operations over the Internet can be conducted safely.
(*3) Port: an interface through which each service within a computer exchanges information with the outside. The numbers 0 to 65535 are used for ports, so they are also called port numbers.
(*4) Password Cracking: the approach of identifying someone else's password by analysis, etc. Approaches include the brute-force attack and the dictionary attack, and there are also programs dedicated to cracking.
*Brute Force Attack: an attack method that exhaustively tries combinations of characters according to a certain rule to find the password. It means a forcible attack.
*Dictionary Attack: an attack method that tries every word listed in a dictionary from beginning to end to find the password.
(*5) cgi (Common Gateway Interface): a mechanism by which the server runs a program at a client's request and transmits the processed result to the client.
(*6) Phishing: illegally spoofing or masquerading as the mail or web pages of existing businesses such as banks, etc., to steal the user IDs and passwords of legitimate users who opened or browsed such mails or web pages. The word “phishing” originates from “fishing”, but there are several theories, such as that “f” was replaced by “ph” according to hackers' naming convention, that it is a coined word from “sophisticated” and “fish”, or that it is a shortened form of “password harvesting fishing”, etc.
(*7) Incident: an event caused by the expression or materialization of an information security risk in the information security field.
The details are as follows:
- Attachment 1 Computer Virus Incident Report [Details]
- Attachment 2 Unauthorized Computer Access Incident Report [Details]
- Attachment 3 Observation Status by Internet Monitoring System (TALOT2)
- Attachment 4 Computer Virus Incident Report for the 1st Quarter (January to March)
- Attachment 5 Unauthorized Computer Access Incident Report for the 1st Quarter (January to March)