This is a summary of computer virus/unauthorized computer access incident reports for April 2007, compiled by IPA.
Reminder for the Month:
“It is RISKY if you are still using an OS whose support period has ended!!”
- You are likely to suffer damage, because the vulnerabilities (*1) in your computer can no longer be fixed!! -
What is vulnerability?
In the field of information security, vulnerability generally refers to a weakness in a computer that may result in unscheduled and/or unexpected events which reduce the security of a system, network, application or related protocol, or to errors in either design or implementation. It also covers insufficient security configuration. A vulnerability is also commonly called a “security hole”.
According to the consultation acceptance status for virus/unauthorized computer access summarized by IPA, about 10% of the users we advise/help are still Windows 98/Me users, although the number of such consultations is decreasing, as shown in Chart 1 below. In addition, the number of virus reports aggregated by IPA shows that 2.5% of virus reports come from Windows 98/Me users even after the vendor's support period has ended, as shown in Chart 2 below.
Type | XP/Vista | 98/Me | 2000 | Mac OS | Linux | Others
Apr. – Jul. ‘06 | 82.5% | 12.2% | 3.2% | 1.4% | 0.0% | 0.6%
Aug. ‘06 – Mar. ‘07 | 86.0% | 9.0% | 3.6% | 1.2% | 0.2% | 0.1%
‘06 year-round | 85.1% | 9.8% | 3.5% | 1.3% | 0.1% | 0.3%
Chart 1: Consultation Status by OS for 2006
Type | XP/Vista | 98/Me | 2000 | Mac OS | Linux | Others
Apr. – Jul. ‘06 | 72.5% | 1.3% | 5.0% | 2.5% | 2.5% | 16.3%
Aug. ‘06 – Mar. ‘07 | 89.3% | 2.5% | 8.2% | 0.0% | 0.0% | 0.0%
‘06 year-round | 83.7% | 2.1% | 7.1% | 0.8% | 0.8% | 5.4%
Chart 2: Virus Reports by OS for 2006
There are a number of malicious codes on the Internet that target OS vulnerabilities. They target any OS, including 98/Me, and malicious codes that operate fraudulently on 98/Me are still being identified even after its support period has ended.
In response to this situation, we have decided to alert the user community to the urgency of the problems of continuing to use 98/Me, for which the support period has been terminated.
(Reference)
Information from Microsoft
Announcement of Termination of Support for Windows 98 and Me (in Japanese)
http://www.microsoft.com/japan/windows/support/endofsupport.mspx
If you keep using a computer whose OS support period has ended, the following troubles will arise:
1. Even when a new vulnerability is found, no fix (signature) for it will be distributed by the vendor. Accordingly, each time a vulnerability is found, the weakness accumulates in that OS, and the vulnerable computer becomes progressively worse.
2. When the OS's support period ends, the vendor's support for application software running on that OS also ends. In particular, anti-virus software cannot address newer viruses that emerge after its own support period has ended, because its virus signatures will no longer be updated either.
3. In case of trouble, you must address it yourself, since the “inquiry” service is also unavailable along with the vendor's other support.
If you connect such a computer to the Internet and use it, the following damage may occur:
1. If you connect such a “vulnerable computer” to the Internet, the computer will be penetrated by malicious codes from everywhere, and it will naturally suffer a variety of damage such as virus infection, information leakage, etc. In addition, the virus signatures in the anti-virus software meant to protect your computer from such damage cannot be updated, so the damage will mushroom and be open-ended.
2. Naturally, current attacks on the Internet target computers that have vulnerabilities. Furthermore, a vicious attack method is to embed fraudulent programs in a vulnerable computer and exploit it as a stepping stone for sending spam to a number of other computers connected to the Internet. Accordingly, a vulnerability in your computer is not only your own problem: you must realize that connecting such a computer to the Internet will cause trouble for other users as well.
Figure: Infection by an attack that exploits a vulnerability in an unsupported OS
Therefore, be sure to understand well how risky it is to use a vulnerable computer whose OS is no longer supported; ideally, do not use such a computer at all. If you must use the vulnerable computer, we encourage you to use it as a stand-alone computer disconnected from any intranet, LAN and the Internet.
I. Reporting Status for Computer Virus
– for further details, please refer to Attachment 1 –
The detection number [1] of viruses for April was about 0.62M, a decrease of about 5.4% from the 0.66M reported in March.
In addition, the reported number [2] of viruses for April was 3,199, a 9.1% decrease from 2,933 in March.
[1] Detection number: Reported virus counts (cumulative) found by a filer.
[2] Reported number: Virus counts are aggregated: viruses of the same type and their variants reported on the same day by the same filer are counted as one case, regardless of how many viruses or what actual number of viruses was found. In April, the reported number was 3,199, while the aggregated virus detection number was about 0.62M.
The highest detection number was for W32/Netsky with about 0.46M, followed by W32/Looked with about 0.06M and W32/Sality with about 0.02M.

Chart 1-1
Chart 1-2
II. Reporting Status for Unauthorized Computer Access (includes Consultations)
– Please refer to Attachment 2 –
Report for unauthorized computer access and status of consultation
| Nov. | Dec. | Jan. ‘07 | Feb. | Mar. | Apr.
Total for Reported (a) | 24 | 10 | 32 | 23 | 13 | 15
  Damaged (b) | 8 | 9 | 22 | 14 | 9 | 12
  Not Damaged (c) | 16 | 1 | 10 | 9 | 4 | 3
Total for Consultation (d) | 30 | 40 | 52 | 50 | 43 | 31
  Damaged (e) | 20 | 23 | 25 | 28 | 20 | 20
  Not Damaged (f) | 10 | 17 | 27 | 22 | 23 | 11
Grand Total (a + d) | 54 | 50 | 84 | 73 | 56 | 46
  Damaged (b + e) | 28 | 32 | 47 | 42 | 29 | 32
  Not Damaged (c + f) | 26 | 18 | 37 | 31 | 27 | 14
(1) Reporting Status for Unauthorized Computer Access
The reported number for April was 15, of which 12 involved actual damage.
(2) Accepting Status for Consultations relevant to Unauthorized Computer Access, etc.
The number of consultations relevant to unauthorized computer access was 31, of which 20 (4 of these were also counted in the reported number) involved some sort of damage.
(3) Status of Damage
The breakdown of the damage reports is: intrusion 7, source address spoofing 2 and others (damaged) 3.
The breakdown of the damage reported for intrusions is: content embedded to be exploited for phishing (*2) fraud 3, alteration of data within sites 2, and servers that attackers attempted to exploit as stepping-stone servers for attacking other sites 2. In 5 cases, a vulnerability in a program was exploited as the main cause of the intrusion (OS 1, SQL injection (*3) 1, FTP server 1 and remotely operable computer software 2).
Damage Instances:
[Intrusion]
(i) Intrusion and alteration of Web pages by an SQL injection attack
<Instance>
- A user told us: “A virus alert appears when I try to access your Web site.”
- An investigation was conducted: it turned out that our Web pages had been altered after an intrusion caused by an SQL injection attack on our Web applications. Our Web pages had been modified to append links to malicious sites containing a virus. It was the virus that exploits the vulnerability in Windows' processing of animated cursors (MS007-017: Vulnerability in GDI could allow remote code execution).
- After the intrusion succeeded, it appears the intruder downloaded attack tools from outside and executed rootkit (*4) files; then he/she may have altered our Web pages.
- As post-incident countermeasures, the servers were rebuilt from a fresh OS installation, unnecessary stored procedures (*5) were deleted, and the privileges used to access the database were minimized.
(ii) A phishing site embedded…?
<Instance>
- Another organization informed us: “A fraudulent phishing site spoofing a certain bank is embedded in your Web site.”
- The fact was confirmed and the files were removed immediately. According to the logs (*6), more than 3 weeks had passed since the servers were first intruded.
- The servers were investigated again when another organization informed us of a further anomaly. This time we found that different phishing content had been embedded. However, the content could not be deleted even with administrator privileges. Accordingly, as a tentative measure, the directory in which the content was embedded was moved to a different server.
- The cause was an FTP server that was running although it may not have been in use. Since the server had not been updated, its vulnerability may have allowed intrusion through arbitrary code execution.
III. Accepting Status of Consultation
The gross number of consultations for April was 827. Of these, consultations relevant to “One-click Billing Fraud” numbered 205 (March: 316), those relevant to “High-pressured selling of software for security measures” 17 (March: 23), and those relevant to “Winny” 7 (March: 5), etc.
Movement in the entire number of consultations accepted by IPA
Method | Nov. | Dec. | Jan. ‘07 | Feb. | Mar. | Apr.
Total | 711 | 680 | 946 | 1019 | 1127 | 827
Automatic Response System | 423 | 394 | 582 | 603 | 697 | 486
Telephone | 214 | 222 | 324 | 336 | 376 | 279
e-mail | 72 | 59 | 39 | 75 | 54 | 58
Fax, Others | 2 | 5 | 1 | 5 | 0 | 4
*IPA consults/advises on computer viruses/unauthorized computer access as well as other information concerning overall security issues.
Mail: for virus issues, for crack issues.
Tel.: +81-3-5978-7509 (24-hour automatic response)
Fax: +81-3-5978-7518 (24-hour automatic response)
*The total case number includes the numbers in the Consultation (d) row of the chart in “III. Reported Status for Unauthorized Computer Access” and “IV. Accepting Status of Consultation”.
*“Automatic Response System”: numbers accepted by the automatic response system
*“Telephone”: numbers accepted by Security Center personnel
<Reference>
Shift in Number of Consultations relevant to One-click Billing Fraud
Reporting Status of Computer Virus and Unauthorized Computer Access for September and the 3rd Quarter
2. One-click Billing Fraud
http://www.ipa.go.jp/security/english/virus/press/200609/E_PR200609.html
Reporting Status of Computer Virus and Unauthorized Computer Access for August
2. Consultation Number for the Damages by One-click Billing Fraud is Unchangeably Many!!
http://www.ipa.go.jp/security/english/virus/press/200608/E_PR200608.html
<Reference>
Shift in the consultation number for High-Pressured Selling of Security Software
As for the activities of high-pressured selling of security software, please also refer to the following link.
Reminder for the month (for the month of April)
“Be Cautious with the High-pressured Selling Activities of Software for Security Measures!!”
http://www.ipa.go.jp/security/english/virus/press/200604/E_PR200604.html
The major consultations for the month are as follows.
(i) Infected by an unidentified virus that cannot be detected by anti-virus software?!
Consultation:
I noticed an anomaly on my computer: unknown files and folders, etc. appear, and I cannot update the virus signatures in my anti-virus software because it always halts in the middle of processing. What is the best solution for these problems?
Response:
It is possible that your computer has already been infected by a new virus. The first thing to do is to use a free online virus scan, spyware detection service or bot removal tool to check whether a virus is present on your computer. However, if your computer is infected by a virus that interferes with the operation of anti-virus software, you may need to initialize your computer as a last resort.
<Reference>
Trendmicro (Virus Buster online scan) (in Japanese)
http://www.trendflexsecurity.jp/security_solutions/housecall_free_scan.php
Symantec (Security Check) (in Japanese)
http://www.symantec.com/region/jp/securitycheck/
McAfee (Free Scan) (in Japanese)
http://www.mcafeesecurity.com/japan/mcafee/home/freescan.asp
Microsoft (Windows Live OneCare) (in Japanese)
http://www.onecare.live.com/site/ja-JP/default.htm
Spyware Guide (Nextedge Technology) (in Japanese)
http://www.shareedge.com/spywareguide/txt_onlinescan.php
Cyber Clean Center (collaborative project by the Ministry of Internal Affairs and Communications and the Ministry of Economy, Trade and Industry)
https://www.ccc.go.jp/
(ii) Infected by a virus from a file downloaded using Winny…
Consultation:
Although I do not fully understand Winny's features, I used it anyway at the beginning of April because I was interested in it. After that, I ran a virus check program, and several types of Antinny viruses (including variants) were detected. Since the index file referring to the upload folders did not exist, I do not have to worry about information leakage, am I correct?
Response:
It is too early to conclude that no information has leaked from the computer. If confidential information was stored on the computer on which Winny was run, you should assume that it may have leaked. The first thing to do is to identify how the virus behaves from its name and to inform everyone within the extent the leak may have affected, so that adequate/appropriate measures can be taken.
Fundamentally, it is very risky to use any file-exchange software without knowing its core concept. Before using it, you should understand how it behaves when run on a computer. Information that has leaked cannot be recovered after the incident has happened.
<Reference>
IPA – preventing information leakage via Winny (in Japanese)
http://www.ipa.go.jp/security/topics/20060310_winny.html
IV. Access Status Captured by the Internet Monitoring (TALOT2) in April
According to the Internet Monitoring (TALOT2), the total number of unwanted (one-sided) accesses in April 2007 was 431,643 across 10 monitoring points. That is, there were 1,439 accesses from 350 source addresses per monitoring point per day.
Since each TALOT2 monitoring environment is nearly equal to the general connection environment used for the Internet, it can be considered that the same amount of unwanted (one-sided) access is seen in general Internet users' connection environments. In other words, your computer is accessed from 350 unknown source addresses per day on average, or about 4 times from each source address, which is considered unauthorized access.

Chart 4.1: Number of Accesses and Number of Source Addresses per Monitoring Point per Day
Chart 4.1 shows the unwanted (one-sided) number of accesses and the number of source addresses at one monitoring point per day from November 2006 to April 2007. According to this chart, both tended to increase slightly; however, it can be said that overall the picture was stable.
On April 13, 2007, Microsoft publicized a vulnerability in the DNS (Domain Name System) server service provided as a default function of Windows 2000 Server and Windows Server 2003. Subsequently, exploit code for the vulnerability was publicized, so it is possible that bots embedding newer worms and/or attack code targeting the vulnerability will spread.
<Reference>
Vulnerability in RPC on the Windows DNS Server Could Allow Remote Code Execution (935964)
http://www.microsoft.com/technet/security/advisory/935964.mspx
Charts 4.2 and 4.3 show the shift in the number of accesses to ports 445/tcp and 139/tcp, classified by source area, respectively. According to these charts, the number of domestic source addresses increased on and after April 13, when the exploit code was publicized by Microsoft.

Chart 4.2: Shift in Number of Accesses to Port 445/tcp Classified by Source Area for April 2007
Chart 4.3: Shift in Number of Accesses to Port 139/tcp Classified by Source Area for April 2007
On April 25, 2007, the intermediate results of the “anti-bot measures project”, a collaborative project conducted by the Ministry of Internal Affairs and Communications (MIC) and the Ministry of Economy, Trade and Industry (METI), were announced. As part of the project, alert mails about bot infection were sent via ISPs (Internet Service Providers) to about 6,000 users whose computers appeared to be infected, from December 2006 to the end of March 2007; as a result, about 30% of those users downloaded the bot removal tool via their ISPs. This means that the remaining roughly 70% of users are still running computers infected by bots.
For further details on the above, please refer to the following site.
Attachment 3 Observation Status Captured by the Internet Monitoring (TALOT2)
http://www.ipa.go.jp/security/english/virus/press/200704/TALOT200704.html
“Various Statistics Information Provided by Other Organizations/Vendors are Publicized in the Following Sites”
@police: http://www.cyberpolice.go.jp/english/
Trendmicro: http://www.trendmicro.com/en/home/us/home.htm
McAfee: http://www.mcafee.com/us/
“Interpretation for Glossaries”
(*1) Vulnerability:
In information security, vulnerability typically refers to the existence of a weakness which may result in unscheduled and/or unexpected events that reduce the secured state of a system, network, application or related protocol, or to errors in design and/or implementation. It may also refer to an insufficient security configuration. Generally, vulnerability is also called a security hole.
(*2) Phishing:
Spoofing or masquerading as the mail or Web pages of existing businesses such as banks in order to steal the legitimate user IDs and passwords of those who open or browse such mails or Web pages. The word origin of “phishing” is “fishing”, but there are several theories: “f” was replaced by “ph” according to hackers' naming convention; it is a coined word from “sophisticated” and “fish”; or it is a shortened form of “password harvesting fishing”, etc.
(*3) SQL Injection:
SQL statements are commonly used to access databases, and they may require a series of escape procedures. Typically, a pair of quotation marks is used to delimit a value/data embedded inside an SQL statement. Improper handling of these results in failure to execute the SQL statement correctly for the intended data. If such a flaw exists in a statement where a character string is handled, and an improper string is input with malicious intent, it becomes a security vulnerability. Accordingly, when an attacker inputs an improper string that includes, for example, a single quotation mark ( ‘ ), the program behaves differently from what the developer originally intended, and users suffer damage such as database alteration, information leakage, etc. These instances are referred to as SQL injection attacks, and the root cause is called an SQL injection vulnerability.
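The following is an added example, not code from the IPA report or from the site described in instance (i) of section II; it illustrates both that instance and the definition in (*3). It uses Python's sqlite3 module with a constructed in-memory table of Web pages (the table, rows and function names are assumptions for illustration). The same lookup is written twice: once by gluing the request value into the statement text, which is the defect (*3) describes, and once with a bound parameter. It also shows the report's countermeasure of minimising the application's database privileges, here modelled with SQLite's query_only pragma, so that even a successful injection cannot alter stored pages.

```python
"""Added example: string-built SQL statement vs. a bound-parameter statement.

Constructed sample database; not the site or data from the IPA report.
"""
import sqlite3

# Constructed schema and rows. One title deliberately contains a quotation
# mark so that the effect of improper quoting shows up on legitimate data too.
SCHEMA = """
CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT NOT NULL, body TEXT NOT NULL);
INSERT INTO pages (title, body) VALUES ('Home', 'Welcome to the site');
INSERT INTO pages (title, body) VALUES ('O''Brien', 'Staff profile');
INSERT INTO pages (title, body) VALUES ('Admin', 'Internal notes');
"""


def open_db(read_only=True):
    """Create the constructed sample database in memory.

    read_only=True mirrors the countermeasure in instance (i): the Web
    application holds only the privileges it needs on the database. SQLite's
    query_only pragma (an assumption for this demo; a real deployment would use
    a restricted database account) makes any data-changing statement fail.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    if read_only:
        conn.execute("PRAGMA query_only = 1")
    return conn


def lookup_vulnerable(conn, title):
    """Glue the request value into the statement text (the defect in *3).

    A single quotation mark inside `title` terminates the literal, and whatever
    follows is parsed as SQL rather than treated as data.
    """
    sql = "SELECT title, body FROM pages WHERE title = '" + title + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, title):
    """Pass the value as a bound parameter; it is never parsed as SQL."""
    sql = "SELECT title, body FROM pages WHERE title = ?"
    return conn.execute(sql, (title,)).fetchall()


def demo():
    """Run both lookups over normal, quote-bearing and malicious inputs."""
    conn = open_db()
    results = {}

    # Ordinary lookup: both variants agree.
    results["normal"] = (lookup_vulnerable(conn, "Home"), lookup_safe(conn, "Home"))

    # Legitimate data containing a quote: the glued statement is malformed,
    # which is the "failure to properly execute" the glossary mentions.
    try:
        lookup_vulnerable(conn, "O'Brien")
        results["quote_vulnerable"] = "ok"
    except sqlite3.OperationalError:
        results["quote_vulnerable"] = "syntax error"
    results["quote_safe"] = lookup_safe(conn, "O'Brien")

    # Malicious value: closes the literal and appends an always-true condition,
    # so the glued statement returns every row (information leakage);
    # the bound version simply finds no page with that odd title.
    injected = "' OR '1'='1"
    results["injected_vulnerable"] = lookup_vulnerable(conn, injected)
    results["injected_safe"] = lookup_safe(conn, injected)

    # Least privilege: even a statement that reaches the database through the
    # vulnerable path cannot deface a page on the read-only connection.
    try:
        conn.execute("UPDATE pages SET body = 'defaced' WHERE title = 'Home'")
        results["write_on_readonly"] = "allowed"
    except sqlite3.OperationalError:
        results["write_on_readonly"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The two lookups differ in a single line, yet only the bound-parameter version treats the request value as data under every input; the read-only connection then limits what an injection that does get through can do, which is the same layering (fix the application, minimise database privileges) the instance reports.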
(*4) Rootkit:
A collective package of software used by an attacker after intruding into a computer. Generally, a rootkit includes a log alteration tool, a backdoor tool, a series of altered system commands, etc.
(*5) Stored Procedure:
A series of database procedures collected together and stored within a database management system.
(*6) Log:
A record of computer usage status or of data communication. Generally, it records the operator's ID, the date and time the computer was operated, the contents of the operation, etc.
The details are as follows:
- Attachment 1 Computer Virus Incident Report [Details]
- Attachment 2 Unauthorized Computer Access Incident Report [Details]
- Attachment 3 Observation Status by Internet Monitoring System (TALOT2)