This is a summary of the computer virus and unauthorized computer access incident reports for May 2007, compiled by IPA.
I. Reminder for the Month:
“Are there any security holes in the application software you are using?”
- Apply security-hole countermeasures not only to the Operating System (OS) but to every application as well! -
1) Security holes in application software today
A considerable number of security holes (weaknesses relevant to security (*1)) are being reported in application software in wide public use. Moreover, attackers probe Internet-connected computers for such holes in application software by a variety of methods, every day and every minute.
One notable instance among the virus/unauthorized access reports filed with IPA for April and May was a case where “an intruder entered a computer through a security hole in the software that manages that computer and caused damage”.
2) Security holes hide in application software
Application software here means word processors, spreadsheets, presentation software, mail clients, software for recording or playing music and video, software for creating or viewing PDF files, and so on. These are used daily and are essential to business and everyday life.
It is therefore necessary to recognize that not only the Operating System (OS) but also application software requires security-hole countermeasures, including applications that are rarely used even though they are installed. Check daily whether security-hole information has been published for the application software you use, and when it has, resolve the hole immediately by applying the patch (correction program) or other fix.

Chart 1: Measures for Application Software
3) Potential damage caused by security holes in application software
Under the “Standard for Handling Software Vulnerability Information, etc.” announced by the Ministry of Economy, Trade and Industry, IPA accepts vulnerability reports on application software, etc. from a wide range of users and publishes quarterly statistics on them.
According to the report for the first quarter of 2007 (January to March), 36 reports of security holes in application software were received (455 cumulatively since July 2004). The report also summarizes the potential damage these security holes could cause. The assumed damage cases are:
- Execution of arbitrary script code (operations chosen by the intruder)
- Execution of arbitrary code (attack programs)
- Information leakage
- ID/password leakage
- Spoofing
- Denial of service, etc.
Such damage leads not only to financial loss and reduced or disrupted business, but, through “spoofing”, YOU may unknowingly become the perpetrator of someone else's malicious acts.
4) Security-hole countermeasures for application software
To avoid the damage listed in 3) above, security holes must be resolved. For that, it is important to manage the versions of the application software you are using. The essential measures are:
- Obtain application software only from trustworthy sites. The version of an application can usually be confirmed from its “Help” function.
- While using the application, check the version update history published by its original provider. When information about a newer version is released, obtain it yourself so that you are using a secure version.
- Some applications automatically notify the user and update themselves when a newer version is released. Using such features keeps your computer in a more secure state, and the number of applications providing automatic update features is increasing.
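As an added illustration (not part of the IPA report), the following Python script shows the version management described in 4) done systematically rather than by hand: it compares an inventory of installed applications against the version each vendor currently publishes and lists those needing a patch, rarely used ones included. The application names and version numbers are constructed sample data. The comparison is numeric per component, which avoids the common mistake of comparing version strings as text (where “1.9” would wrongly rank above “1.10”).

```python
"""Added example, not IPA's code: flag installed applications whose version is
older than the vendor's current release. All names and versions are constructed."""
import re

INSTALLED = {          # constructed sample inventory: application -> installed version
    "WordProcessor": "3.2.1",
    "PDFViewer": "7.0.9",
    "MediaPlayer": "1.9",
    "SpreadsheetTool": "2.5",
    "RarelyUsedArchiver": "4.1",   # installed but hardly ever opened; still needs patching
}

VENDOR_CURRENT = {     # constructed sample of the current version each vendor publishes
    "WordProcessor": "3.2.1",
    "PDFViewer": "8.1",
    "MediaPlayer": "1.10",
    "SpreadsheetTool": "2.5.3",
    "RarelyUsedArchiver": "4.2",
}


def parse_version(s):
    """Split '1.10' into (1, 10) so components compare as numbers, not as text."""
    return tuple(int(p) for p in re.findall(r"\d+", s))


def is_outdated(installed, current):
    """True when the installed version is strictly older than the vendor's current one.
    Shorter tuples are padded with zeros so '2.5' equals '2.5.0' and is older than '2.5.3'."""
    a, b = parse_version(installed), parse_version(current)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def outdated_apps(installed=INSTALLED, current=VENDOR_CURRENT):
    """Return (applications needing a patch, applications with no vendor data to check)."""
    needs_patch, unknown = [], []
    for name, ver in installed.items():
        if name not in current:
            unknown.append(name)          # no advisory data: check the vendor site by hand
        elif is_outdated(ver, current[name]):
            needs_patch.append(name)
    return needs_patch, unknown


if __name__ == "__main__":
    patch, unknown = outdated_apps()
    for name in patch:
        print(f"{name}: installed {INSTALLED[name]}, current {VENDOR_CURRENT[name]} -> update")
    for name in unknown:
        print(f"{name}: no vendor version information, check manually")
```

Run against your own inventory by replacing the two dictionaries; anything reported in the “unknown” list has no published version to compare against and should be looked up at the vendor directly.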
5) Collecting information on security holes in application software
As a framework for distributing information on security holes in application software, etc., the Ministry of Economy, Trade and Industry established the “Information Security Early Warning Partnership” (hereinafter “the framework”) in cooperation with the public and private sectors. Its specific activities are as follows, and security-hole information on application software can be collected by making use of them.
a. Under the framework, IPA and JPCERT/CC (Japan Computer Emergency Response Team Coordination Center) jointly launched the JVN (Japan Vulnerability Notes) site in July 2004, which publishes the response status of domestic developers to security holes.
On JVN, security-hole information on application software, etc. reported under the framework is made widely available via its web pages. The information includes the response status of the domestic developers registered with JVN: which products have the security hole, preventive measures, countermeasure information, and so on.
b. In addition, “JVN iPedia”, a vulnerability countermeasure information database, is published within JVN; it collects and accumulates, from day to day, security-hole information on application software, etc.
Besides the security-hole information published on JVN, JVN iPedia also publishes security-hole information on application software, etc. published elsewhere and on software widely used in Japan.
JVN iPedia holds about 3,500 entries (as of April 2007) of security-hole information on application software and operating systems (OS) dating back to 1998, and continues to accumulate them. Each entry includes “affected systems”, “assumed impact/damage” and “countermeasures” for the respective application software, etc.
Beyond the sources above, we recommend collecting security-hole information on the application software you use from related sites such as IT and information security news, to strengthen the security measures for that software.
<Reference URLs>
JVN: http://jvn.jp/
JVN iPedia: http://jvndb.jvn.jp/
II. Reporting Status for Computer Viruses
- For further details, please refer to Attachment 1 -
The detection number [1] of viruses for May was about 0.77M, an increase of about 24.3% from the 0.62M reported in April.
The reported number [2] of viruses for May was 3,383, an increase of 5.8% from 3,199 in April.
[1] Detection number: cumulative count of viruses found by a filer, as reported.
[2] Reported number: aggregated count. Viruses of the same type and variants reported by the same filer on the same day are counted as one case, regardless of how many viruses were actually found. In May the reported number was 3,383, while the aggregated detection number was about 0.77M.
The highest detection number was for W32/Netsky at about 0.51M, followed by W32/Sober at about 0.15M and W32/Stration at about 0.04M.

Chart 2-1
Chart 2-2
Note) Figures in parentheses are those for the previous month.
III. Reporting Status for Unauthorized Computer Access (including Consultations)
- Please refer to Attachment 2 -
Reports of unauthorized computer access and status of consultations
                        | Dec. | Jan.'07 | Feb. | Mar. | Apr. | May |
Total Reported (a)      |   10 |      32 |   23 |   13 |   15 |  19 |
  Damaged (b)           |    9 |      22 |   14 |    9 |   12 |  13 |
  Not Damaged (c)       |    1 |      10 |    9 |    4 |    3 |   6 |
Total Consultations (d) |   40 |      52 |   50 |   43 |   31 |  37 |
  Damaged (e)           |   23 |      25 |   28 |   20 |   20 |  21 |
  Not Damaged (f)       |   17 |      27 |   22 |   23 |   11 |  16 |
Grand Total (a + d)     |   50 |      84 |   73 |   56 |   46 |  56 |
  Damaged (b + e)       |   32 |      47 |   42 |   29 |   32 |  34 |
  Not Damaged (c + f)   |   18 |      37 |   31 |   27 |   14 |  22 |
(1) Reporting Status for Unauthorized Computer Access
The reported number for May was 19, of which 13 involved actual damage.
(2) Status of Consultations relevant to Unauthorized Computer Access, etc.
The number of consultations relevant to unauthorized computer access was 37, of which 21 (7 of these were also counted as reports) involved some sort of damage.
(3) Status of Damage
The breakdown of the damage reports is: intrusion 5, unauthorized mail relay 2, source address spoofing 1 and others (damaged) 5. The intrusion cases break down as: content embedded for use in phishing (*2) fraud 2, server abused as a stepping stone for attacks on other sites 2, and destruction of data stored on a server 1. The causes were an exploited vulnerability in a program in 3 cases (server management tool 2, remote operation software 1) and a password cracking attack (*3) in 2 cases (1 of which targeted the port (*5) used by SSH (*4)).
(4) Damage Instances:
[Intrusion]
(i) Intruded by a password cracking attack
<Instance>
- All communication via the server became unavailable, and applications would no longer run.
- The logs (*6) were examined. It turned out that the server running remote operation software that accepted access from the Internet had been under a password cracking attack for several months, and the server had been allowing any inbound access.
- Unnoticed, various destructive activities were carried out from the Internet: the OS system files were destroyed, the firmware (*8) of a router (*7) was altered, and so on.
- The likely cause was that the password of the login account (*9) set on the remote operation software was easy to guess, which let the password cracking attack succeed.
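The attack in instance (i) had been running for months and would have shown up in the authentication log long before the damage. The following Python example, added here and not part of the IPA report, shows the kind of check that would have caught it: it parses OpenSSH-format auth.log lines, flags a source address that fails password authentication repeatedly within a short window, and escalates the verdict when the same source then succeeds with a password (the pattern of a cracked account). The log lines and IP addresses are constructed for the example; the threshold and window are assumptions to be tuned for your environment.

```python
"""Added example, not IPA's code: detect SSH password cracking in auth.log lines.
The SAMPLE_LOG below is constructed in OpenSSH's syslog format."""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
May 14 02:11:03 srv sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
May 14 02:11:05 srv sshd[2213]: Failed password for root from 203.0.113.45 port 51123 ssh2
May 14 02:11:06 srv sshd[2215]: Failed password for root from 203.0.113.45 port 51124 ssh2
May 14 02:11:08 srv sshd[2217]: Failed password for invalid user test from 203.0.113.45 port 51125 ssh2
May 14 02:11:09 srv sshd[2219]: Failed password for invalid user oracle from 203.0.113.45 port 51126 ssh2
May 14 02:11:11 srv sshd[2221]: Accepted password for root from 203.0.113.45 port 51127 ssh2
May 14 02:11:12 srv sshd[2221]: Received disconnect from 203.0.113.45 port 51127:11: Bye Bye
May 14 08:30:00 srv sshd[3001]: Failed password for alice from 198.51.100.7 port 40001 ssh2
May 14 08:30:20 srv sshd[3003]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

# Matches the authentication result lines; other sshd lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse(lines, year=2007):
    """Return a list of (timestamp, result, method, user, src) from auth log text.
    Syslog lines carry no year, so the caller supplies it."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["src"]))
    return events


def detect(lines, threshold=5, window_s=60):
    """Return {src: verdict}.
    'cracking'    = at least `threshold` failed password logins within `window_s` seconds
    'compromised' = a password login was later accepted from a source already flagged
    threshold and window_s are assumed values; tune them to the environment."""
    verdicts = {}
    recent = defaultdict(list)            # src -> failure timestamps inside the window
    for ts, result, method, user, src in sorted(parse(lines)):
        if result == "Failed" and method == "password":
            recent[src] = [t for t in recent[src]
                           if (ts - t).total_seconds() <= window_s] + [ts]
            if len(recent[src]) >= threshold:
                verdicts.setdefault(src, "cracking")
        elif result == "Accepted" and method == "password" and verdicts.get(src) == "cracking":
            verdicts[src] = "compromised"   # guessed password worked: treat the host as breached
    return verdicts


if __name__ == "__main__":
    for src, verdict in detect(SAMPLE_LOG).items():
        print(f"{src}: {verdict}")
```

A single failed login from a legitimate user (198.51.100.7 above) never reaches the threshold, while the burst of failures followed by an accepted password from 203.0.113.45 is reported as a compromise rather than merely as an attempt.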
[Others]
(ii) Private information leaked through a vulnerability in a web application?!
<Instance>
- While checking logs, it was noticed that many database errors had occurred on access.
- On examining the content of the errors, it was found that the error display included clients' private information stored in the database along with the error message.
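Instance (ii) is typical of a web application that hands the database's error output straight to the browser. The following Python example, added here and not taken from the IPA report or from any real site, shows a vulnerable lookup beside a hardened one, using an in-memory SQLite table with constructed customer records. The vulnerable version builds its SQL from the raw request parameter and returns the exception text and query to the client, so a malformed parameter discloses schema details and an injected UNION returns other clients' data; the hardened version validates the parameter, binds it, logs the detail server-side and returns only a generic message.

```python
"""Added example, not IPA's code: information leakage through database errors and
unparameterized SQL in a web lookup, beside the hardened form. Sample data is constructed."""
import logging
import sqlite3

log = logging.getLogger("app")


def make_db():
    """Constructed sample table standing in for the site's customer database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    con.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                    [(1, "Taro Yamada", "taro@example.jp"),
                     (2, "Hanako Sato", "hanako@example.jp")])
    return con


def lookup_vulnerable(con, customer_id):
    """Request parameter is pasted into the SQL and every error is echoed to the client."""
    sql = "SELECT name FROM customers WHERE id = " + customer_id
    try:
        rows = con.execute(sql).fetchall()
        return f"Customer: {rows[0][0]}" if rows else "Not found"
    except Exception as e:
        # The exception text and the query (table and column names) reach the browser.
        return f"Database error: {e} while running {sql}"


def lookup_hardened(con, customer_id):
    """Parameter validated and bound; details go to the server log, the client gets a generic message."""
    try:
        cid = int(customer_id)
    except ValueError:
        return "Invalid request"
    try:
        rows = con.execute("SELECT name FROM customers WHERE id = ?", (cid,)).fetchall()
        return f"Customer: {rows[0][0]}" if rows else "Not found"
    except sqlite3.Error as e:
        log.error("database error for id=%r: %s", cid, e)
        return "An internal error occurred"


if __name__ == "__main__":
    db = make_db()
    for param in ("2", "1'", "0 UNION ALL SELECT email FROM customers"):
        print("vulnerable:", lookup_vulnerable(db, param))
        print("hardened:  ", lookup_hardened(db, param))
```

The two leaks are independent: even with parameterized SQL, returning exception text to the client would still disclose schema and data details, which is why the hardened version both binds the parameter and keeps the error message generic.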
IV. Status of Consultations Accepted
The total number of consultations for May was 814. Of these, 185 related to “One-click Billing Fraud” (April: 205), 19 to “High-pressure selling of security software” (April: 17) and 6 to “Winny” (April: 7), among others.
Consultations accepted by IPA, by method
                            | Dec. | Jan.'07 | Feb. | Mar. | Apr. | May |
Total                       |  680 |     946 | 1019 | 1127 |  827 | 814 |
  Automatic Response System |  394 |     582 |  603 |  697 |  486 | 484 |
  Telephone                 |  222 |     324 |  336 |  376 |  279 | 254 |
  e-mail                    |   59 |      39 |   75 |   54 |   58 |  69 |
  Fax, Others               |    5 |       1 |    5 |    0 |    4 |   7 |
*IPA provides consultation and advice on computer viruses and unauthorized computer access, as well as on other information security issues in general.
Mail: (for virus issues), (for crack issues)
Tel.: +81-3-5978-7509 (24-hour automatic response)
Fax: +81-3-5978-7518 (24-hour automatic response)
*The total number of cases includes the numbers in the Consultation (d) column of the chart in “III. Reporting Status for Unauthorized Computer Access” and in “IV. Status of Consultations Accepted”.
*“Automatic Response System”: number accepted by the automatic response system
*“Telephone”: number accepted by Security Center personnel
<Reference>
Shift in the number of consultations relevant to One-click Billing Fraud
Computer Virus and Unauthorized Computer Access for September and the 3rd Quarter
2. One-click Billing Fraud
http://www.ipa.go.jp/security/english/virus/press/200609/E_PR200609.html
Computer Virus and Unauthorized Computer Access for August
2. Consultation Number for the Damages by One-click Billing Fraud is Unchangeably Many!!
http://www.ipa.go.jp/security/english/virus/press/200608/E_PR200608.html
<Reference>
Shift in the number of consultations relevant to High-pressure Selling of Security Software
For the activities of high-pressure selling of security software, please also refer to the following link.
Reminder for the Month (April)
“Be Cautious with the High-pressured Selling Activities of Software for Security Measures!!”
http://www.ipa.go.jp/security/english/virus/press/200604/E_PR200604.html
The major consultations for the month are as follows.
(i) Be cautious! Entry points to one-click billing fraud are hidden here and there!
Consultation:
While searching with a search engine for information on the roller coaster tragedy* that was being talked about a lot in TV news, I found one site that had posted images of the tragedy. It was a weblog run by an individual. I read the article and clicked a link for more shocking images. I was then sent to a well-known video posting site. When I clicked the “play” button, the message “Would you like to sign up with us?” appeared. I clicked “yes” without thinking; then a display appeared as if data or something was being downloaded automatically, followed by a billing screen demanding an admission fee of 50,000 yen.
* This tragedy occurred during Golden Week, Japan's longest holiday season, this year; a 19-year-old girl visiting an amusement park was killed by the roller coaster.
Response:
There are many malicious one-click billing fraud sites that lure users with hooks such as “movie stars' gossip” or “shocking images”, not only adult sites. Users should therefore recognize that not every site they access is safe, and that it is risky to go forward out of curiosity alone. A proper pay site displays an age-confirmation and sign-up screen that explicitly states that it is a PAY site before any billing screen appears. To prevent damage, it is important to read thoroughly the messages displayed before clicking to go forward.
(Reference)
IPA - “The Methods for One-click Billing Fraud is Getting Sophisticated!!”
http://www.ipa.go.jp/security/english/virus/press/200510/E_PR200510.html
(ii) Infected by a virus from files downloaded with P2P software
Consultation:
1. I had installed and was using P2P software (Winny and Share) as a friend recommended. Problems appeared, such as the video player not working and the security software halting with errors; when I checked with a free virus scan, it was found that about 600 files were infected by 3 types of viruses.
2. It seems my computer was intruded from outside and the configuration was altered, as I was unable to connect to the Internet. I use the P2P software Cabos; was my computer infected because I opened the files I downloaded?
3. When I opened files downloaded with Winny, a number of files (videos and programs) had been replaced with image files of anime characters. However, nothing was detected by the anti-virus software.
Response:
Among the threats involving P2P software, there are viruses that disclose information as well as viruses that destroy (alter) it. From the viewpoint of anti-virus measures, it is risky to open suspicious files whose origin is not clear. Not using P2P software at all is an effective way to prevent infection. Once something has happened, it cannot be undone.
<Reference>
IPA - Preventing information leakage via Winny (in Japanese)
http://www.ipa.go.jp/security/topics/20060310_winny.html
V. Access Status Captured by Internet Monitoring (TALOT2) in May
According to Internet Monitoring (TALOT2), the total number of unwanted (one-sided) accesses in May 2007 was 209,499 across 10 monitoring points. That is, there were 1,164 accesses from 321 source addresses per monitoring point per day.
Since each TALOT2 monitoring environment is roughly equivalent to a general Internet connection environment, the same amount of unwanted (one-sided) access can be assumed to reach a general Internet user's connection. In other words, your computer is being accessed by 321 unknown source addresses per day on average, with roughly 4 accesses from each source address, which can be considered unauthorized.

Chart 5.1: Number of Accesses and Number of Source Addresses per Monitoring Point per Day
Chart 5.1 shows the average number of accesses and number of source addresses at one monitoring point per day from December 2006 to May 2007. The access status in May remained stable, as in April.
Note) For May, monitoring data was available only from May 1 to 18; TALOT2 system maintenance fell on the rest of the month.
(1) Accesses targeting a vulnerability in NetBIOS*
Although the monitoring data for May was limited, accesses to port 137/udp were notable. These appear to be accesses targeting a vulnerability in NetBIOS, one of the network-related services of Windows.
Chart 5.2 shows the shift in the number of accesses to port 137/udp classified by source region over two months (April to May 2007).
<Reference Information>
Flaw in NetBIOS Could Lead to Information Disclosure (MS03-034) (824105)
http://www.microsoft.com/technet/security/bulletin/ms03-034.mspx
Chart 5.2: Shift in Number of Accesses to Port 137/udp Classified by Source Region, April to May 2007
* NetBIOS (Network Basic Input/Output System):
An interface used by programs on a network. In Windows, NetBIOS is used in small network environments in combination with the NetBEUI (NetBIOS Extended User Interface) protocol.
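To see what an access to 137/udp actually carries, the following Python example, added here and not part of the IPA report or of TALOT2, decodes a NetBIOS Name Service query and distinguishes an ordinary name query from the wildcard node-status (NBSTAT) query that enumeration tools send to every host they find. The packet bytes are constructed from the NBNS format (a DNS-like header, a 32-character first-level-encoded name, and a question type/class); the transaction IDs and host name are made up.

```python
"""Added example, not IPA's code: decode and classify NetBIOS Name Service (137/udp)
queries. Packets below are constructed from the NBNS format, not captured traffic."""
import struct

QTYPE_NAMES = {0x0020: "NB", 0x0021: "NBSTAT"}


def encode_nb_name(name, suffix=0x00, pad=b" "):
    """First-level encoding: 15-byte name plus 1-byte suffix, each byte sent as two
    letters 'A'..'P' carrying its high and low nibble."""
    raw = name.encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    return b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)


def decode_nb_name(encoded):
    """Reverse of encode_nb_name; returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    out = bytearray()
    for i in range(0, 32, 2):
        hi, lo = encoded[i] - 0x41, encoded[i + 1] - 0x41
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            raise ValueError("invalid first-level encoding")
        out.append((hi << 4) | lo)
    name = bytes(out[:15]).rstrip(b" \x00").decode("ascii", "replace")
    return name, out[15]


def parse_nbns_query(pkt):
    """Parse a single-question NBNS query: 12-byte header, 1+32-byte name label,
    terminator, then QTYPE and QCLASS."""
    if len(pkt) < 12 + 1 + 32 + 1 + 4:
        raise ValueError("packet too short for an NBNS query")
    tid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    off = 12
    if pkt[off] != 32:                      # NBNS names are always one 32-byte label
        raise ValueError("unexpected label length")
    name, suffix = decode_nb_name(pkt[off + 1:off + 33])
    off += 33
    if pkt[off] != 0:
        raise ValueError("unterminated name")
    off += 1
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"tid": tid, "name": name, "suffix": suffix,
            "qtype": QTYPE_NAMES.get(qtype, hex(qtype)), "qclass": qclass,
            "broadcast": bool(flags & 0x0010)}


def classify(pkt):
    """Wildcard NBSTAT ('*' name, type 0x21) is the node-status request that
    enumeration tools send to list a host's names and MAC address."""
    q = parse_nbns_query(pkt)
    if q["qtype"] == "NBSTAT" and q["name"] == "*":
        return "node-status scan"
    return "name query for " + q["name"]


def build_query(tid, flags, name, suffix, qtype, pad=b" "):
    return (struct.pack("!6H", tid, flags, 1, 0, 0, 0) + b"\x20"
            + encode_nb_name(name, suffix, pad) + b"\x00"
            + struct.pack("!HH", qtype, 0x0001))


# Constructed samples: the wildcard name is '*' padded with NULs, not spaces.
NBSTAT_SCAN = build_query(0x1234, 0x0000, "*", 0x00, 0x0021, pad=b"\x00")
NAME_QUERY = build_query(0x5678, 0x0110, "FILESERVER", 0x20, 0x0020)   # broadcast, recursion desired

if __name__ == "__main__":
    for pkt in (NBSTAT_SCAN, NAME_QUERY):
        print(classify(pkt), parse_nbns_query(pkt))
```

A packet capture on 137/udp from an exposed host will show the first form far more often than the second: the wildcard node-status query asks a host to list its own NetBIOS names and is the usual first step of the information disclosure the MS03-034 bulletin above concerns.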
For further details on the above, please refer to the following:
Attachment 3 Observation Status Captured by Internet Monitoring (TALOT2)
http://www.ipa.go.jp/security/english/virus/press/200705/TALOT200705.html
“Various statistics provided by other organizations/vendors are published on the following sites”
@police: http://www.cyberpolice.go.jp/english/
Trendmicro: http://www.trendmicro.com/en/home/us/home.htm
McAfee: http://www.mcafee.com/us/
“Glossary”
(*1) Vulnerability:
In information security, a vulnerability typically means a weakness in a system, network or application, or in a related protocol, that may lead to an unscheduled or unexpected event reducing the secure state. It also refers to errors in design or implementation, and to an insufficient security-related configuration. A vulnerability is commonly also called a security hole.
(*2) Phishing:
Spoofing or masquerading as the e-mail or web pages of an existing business such as a bank, in order to steal the user IDs and passwords of legitimate users who open or browse such mails or pages. “Fishing” is the origin of the word “phishing”; theories about the spelling include “f” being replaced by “ph” according to hackers' naming conventions, a coinage from “sophisticated” and “fishing”, and a shortening of “password harvesting fishing”.
(*3) Password Cracking:
Techniques for discovering someone else's password by analysis or other means, including brute-force attacks and dictionary attacks; dedicated cracking programs also exist.
*Brute Force Attack: an attack that tries combinations of characters exhaustively, according to some rule, to determine a password; a forcible attack method.
*Dictionary Attack: an attack that tries every word listed in a dictionary, from beginning to end, to determine a password.
(*4) SSH (Secure Shell):
A protocol, or a program, used to log in to another computer over the network, execute commands on it remotely and transfer files to it. Because data on the network is encrypted, such operations can be conducted safely across the Internet.
(*5) Port:
The interface through which each service on a computer exchanges information with the outside. Ports are identified by numbers from 0 to 65535, hence also “port number”.
(*6) Log:
A record of computer usage or data communication. Generally it records the operator's ID, the date and time of operation, the content of the operation, and so on.
(*7) Router:
A communication device that connects networks and relays traffic between them.
(*8) Firmware:
A program embedded in a device that provides fundamental control of a computer or other electronic device.
(*9) Account:
The privilege that allows a legitimate user to use resources on a computer or on the Internet.
The details are as follows:
- Attachment 1 Computer Virus Incident Report [Details]
- Attachment 2 Unauthorized Computer Access Incident Report [Details]
- Attachment 3 Observation Status by Internet Monitoring System (TALOT2)