This is a summary of the computer virus/unauthorized computer access incident reports for June 2007 and for the 1st Half of 2007 (January to June), compiled by IPA.
I. Reminder for the Month:
To prevent virus infection from external memory devices such as USB memory: “Do not plug your USB memory into a computer carelessly!”
(1) Damage Status
In June, IPA received a number of consultations relating to USB memory of the form “as soon as I plugged in my USB memory, the anti-virus software detected a virus”.
These indicate that viruses are spreading via infected USB memory: the computer is infected secondarily from the infected USB memory. In addition, among the viruses observed in May and June there were a number that infect via external memory devices such as USB memory.
(2) USB Memory
USB memory is an easy device to use: you simply connect it to a computer's USB port. Unlike CDs, FDs (floppy disks) and MOs (magneto-optical disks), it needs no dedicated read/write drive, which makes it the most user-friendly of these memory devices. USB memory is also relatively inexpensive and portable, and some devices now hold over 1 GB, so USB memory has become widespread in the computer user community.
The distinguishing feature of USB memory is its connectivity: it connects easily to any computer, so you can save and carry even large files anywhere you want. But if the USB memory itself is infected by a virus, that same convenience turns it into a ready carrier of the virus, and casually plugging it into other computers enlarges the infection further.
(3) Countermeasures
When you use USB memory, be sure to take the security measures described in (A) and (B) below to prevent damage from virus infection via the USB port.
(A) Security measures for the computer that uses USB memory
Fundamentally, this means taking anti-virus measures on your computer. Nowadays there are viruses that search for external memory devices such as USB memory in order to infect them.
Accordingly, it is VERY RISKY to plug your USB memory into a publicly available computer (for example, one provided in an Internet café), because such a computer may not have had proper security measures applied and your USB memory may well become infected.
Before you use such a computer, check whether it is free of viruses; if you cannot check immediately, do not plug in your USB memory carelessly.
It is also important to close security holes (security weaknesses) with Windows Update/Microsoft Update and to keep the virus signatures of your anti-virus software up to date.
Typical viruses that infect USB memory are as follows:
W32/SillyFD-AA:
This virus searches for external memory devices such as USB memory connected to the computer, copies itself to those devices and creates an Autorun.inf file there; built-in HDDs are not targeted.
http://www.sophos.com/virusinfo/analyses/w32sillyfdaa.html
W32/LiarVB-A:
This virus infects external memory devices such as USB memory connected to the computer. It copies itself to the devices it finds and creates an Autorun.inf file. In addition, the virus stores HTML files about AIDS and HIV on the computer.
http://www.sophos.com/virusinfo/analyses/w32liarvba.html
An Autorun.inf file names an executable (.exe) file to be run automatically; the virus writes the name of its own executable into the Autorun.inf file. When a computer loads a CD or DVD that contains an Autorun.inf file, the executable configured there can start automatically.
Autorun.inf normally does not trigger for USB memory, but it does under the default configuration of Windows Vista. You cannot be entirely at ease even so, because there are viruses that infect USB memory and attempt to start themselves automatically by creating an Autorun.inf file.
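The following is an added example, not code from IPA or this report, showing how a defender can inspect an Autorun.inf file for the auto-launch entries described above before a drive is opened. Autorun.inf is an INI-style file, so the standard configparser module reads it; the sample file text and the file names in it are constructed for this example, and the `audit_drive` helper is an assumed name, not an IPA tool.

```python
"""Audit an Autorun.inf file for entries that would launch an executable
automatically, the mechanism described above.  Added example, not IPA's
code.  The sample Autorun.inf text below is constructed for this example;
it does not come from any real malware."""
import configparser
import io
import os

# [autorun] keys whose value names something Windows would launch.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")
# File name suffixes treated as executable.
EXECUTABLE_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")

SAMPLE_AUTORUN = r"""; constructed sample for this example, not a real malware file
[AutoRun]
open=files\update.exe
icon=files\update.exe,0
shellexecute=files\update.exe
label=Removable Disk
"""


def parse_autorun(text):
    """Return the [autorun] section as a dict with lower-cased keys, or {}
    if the text has no such section or cannot be parsed.  strict=False
    tolerates the duplicate keys some files contain."""
    parser = configparser.RawConfigParser(
        strict=False, delimiters=("=",), allow_no_value=True,
        inline_comment_prefixes=(";",))
    parser.optionxform = str.lower          # Windows treats keys case-insensitively
    try:
        parser.read_file(io.StringIO(text))
    except configparser.Error:
        return {}
    for section in parser.sections():
        if section.lower() == "autorun":    # section name casing varies too
            return dict(parser.items(section))
    return {}


def launch_target(value):
    """Extract the file name from a launch value: a quoted path, or the
    first whitespace-separated token (anything after it is arguments)."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def find_autolaunch(text):
    """Return (key, target, looks_executable) for every launch key present
    in [autorun], in LAUNCH_KEYS order."""
    section = parse_autorun(text)
    findings = []
    for key in LAUNCH_KEYS:
        value = section.get(key)
        if value:
            target = launch_target(value)
            findings.append((key, target, target.lower().endswith(EXECUTABLE_SUFFIXES)))
    return findings


def audit_drive(root):
    """Look for an Autorun.inf (any casing) at the root of a mounted drive
    or directory and return its launch findings; [] if there is none or
    the path cannot be read."""
    try:
        names = os.listdir(root)
    except OSError:
        return []
    for name in names:
        if name.lower() == "autorun.inf":
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as handle:
                return find_autolaunch(handle.read())
    return []


if __name__ == "__main__":
    for key, target, is_exe in find_autolaunch(SAMPLE_AUTORUN):
        print(f"{key}={target}  executable={is_exe}")
```

Run `audit_drive("E:\\")` (or the mount point on another OS) on a newly inserted drive: any finding means the drive would try to launch that file under an AutoPlay-enabled configuration, and the file should be scanned before the drive is opened.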
Reference:
IPA – Seven anti-virus
requirements for computer users:
http://www.ipa.go.jp/security/antivirus/7kajonew.html
(in Japanese)
IPA – Five must-dos for
dealing with files attached to email:
http://www.ipa.go.jp/security/antivirus/spyware5kajyou.html
(in Japanese)
IPA – Anti-bot measures:
http://www.ipa.go.jp/security/antivirus/bot.html
(in Japanese)
Then, be sure to run a virus check on the USB memory when plugging it into your computer, using the following method.
As you are already aware, plugging USB memory of unknown origin into your computer is VERY RISKY. If the USB memory is infected, your computer will probably be infected too, so do not plug it in carelessly.
(B) Security measures on USB memory
Be sure to take the following precautions in advance so that an executable file is not run immediately after the USB memory is plugged in.

(i) If you are a Windows Vista user…
If your Windows Vista is in its default configuration, the executable file will be started immediately if there is an Autorun.inf file on the USB memory.
The executable file will not be started immediately if you hold down the “Shift” key while plugging the USB memory into your computer, but this is still risky if Vista is in its default configuration. To make sure the executable file cannot run automatically, apply the following configuration:
“ ” → “Control Panel” → “Hardware and Sound” → “Automatic retrieve of CDs and/or the other media”

Chart 1-1: Configuration Screen of “Automatic Retrieve of CDs and/or the Other Media” on Windows Vista
Since the virus (via Autorun.inf) may be tied to files other than executables, we encourage you to configure Windows Vista in the same manner for the other file types (audio files, video files, DVD movies, etc.), following the procedure above.
(ii) If you are a Windows 2000/XP user…
Even if there are an Autorun.inf file and an executable file on the USB memory, the executable will not be started as soon as you plug the memory into your computer. However, the executable will be started if you double-click the drive that represents the USB memory on the “My Computer” screen.

Chart 1-2: My Computer screen
Before you double-click the drive that represents the USB memory, be sure to scan that drive with your anti-virus software and check whether it contains any unknown or suspicious files.
To open the “Windows Explorer” view, click “View” → “Explorer Bar” → “Folder” in turn from the “My Computer” screen. You can then view the contents of the drive (Chart 1-4) by clicking the drive that represents the USB memory in the left-hand pane of the “Windows Explorer” screen (Chart 1-3).

Chart 1-3: Windows Explorer screen – 1

Chart 1-4: Windows Explorer screen – 2
II. Reporting Status for Computer Virus
– for further details, please refer to Attachment 1 –
The detection number [1] of viruses for June was about 0.50M, an increase of about 35.5% from the 0.62M reported in May. In addition, the reported number [2] of viruses for June was 2,898, a decrease of 14.3% from 3,383 in May.
[1] Detection number: reported virus counts (cumulative) found by a filer.
[2] Reported number: virus counts are aggregated; viruses of the same type and its variants reported on the same day are counted as one case, regardless of how many viruses, or the actual number of viruses, the same filer found on that day. In June, the reported number was 2,898, while the aggregated virus detection number was about 0.50M.
The highest detection number was for W32/Netsky with about 0.42M, followed by W32/Stration with about 0.02M and W32/Mytob with 0.16M.

Chart 2-1

Chart 2-2
Note) Figures in parentheses are the figures for the previous month.
III. Reporting Status for Unauthorized Computer Access (includes Consultations)
– Please refer to Attachment 2 –
Reports of unauthorized computer access and status of consultations
|                            | Jan. | Feb. | Mar. | Apr. | May | June |
|----------------------------|------|------|------|------|-----|------|
| Total for Reported (a)     | 32   | 23   | 13   | 15   | 19  | 41   |
|   Damaged (b)              | 22   | 14   | 9    | 12   | 13  | 36   |
|   Not Damaged (c)          | 10   | 9    | 4    | 3    | 6   | 5    |
| Total for Consultation (d) | 52   | 50   | 43   | 31   | 37  | 27   |
|   Damaged (e)              | 25   | 28   | 20   | 20   | 21  | 11   |
|   Not Damaged (f)          | 27   | 22   | 23   | 11   | 16  | 16   |
| Grand Total (a + d)        | 84   | 73   | 56   | 46   | 56  | 68   |
|   Damaged (b + e)          | 47   | 42   | 29   | 32   | 34  | 47   |
|   Not Damaged (c + f)      | 37   | 31   | 27   | 14   | 22  | 21   |
(1) Reporting Status for Unauthorized Computer Access
The reported number for June was 41, of which 36 involved actual damage.
(2) Accepting Status for Consultations relevant to Unauthorized Computer Access, etc.
The number of consultations relevant to unauthorized computer access was 27, of which 11 (2 of these were also counted in the reported number) involved some sort of reported damage.
(3) Status of Damage
The breakdown of damage reports was: Intrusion 6, Source Address Spoofing 2 and Others (Damaged) 28.
The damage reported in the intrusion cases included: alteration of web contents (1), a server turned into a stepping stone for attacks on other sites (1), alteration of data within a server (2), etc. The causes of intrusion were: exploitation of a vulnerability (*1) in a program, 3 cases (1 in a web server program and 2 in other applications); insufficient configuration settings, 2 cases; etc.
(4) Damage Instances:
[Intrusion]
(i) Server was used as a stepping stone to attack another site
<Instance>
- “Password cracking attacks (*3) against the ports used by SSH (*2) have been conducted from computers in your organization”: so complained a party outside this organization.
A detailed investigation found that 2 Linux machines had been intruded upon. A password cracking tool had been installed on one of them so that it could be used as a stepping stone to attack other sites. There were no signs that a password cracking attack had been conducted against these machines; rather, both had been successfully logged into with a single ID/password attempt.
A further investigation of a Windows machine used as a client to connect to the Linux machines found that the Windows security function against viruses had been disabled and a rootkit (*5) including a key logger (*4) had been installed.
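The instance above is notable for what the logs did not show: no burst of failed logins, just a single successful attempt, which is the signature of a stolen rather than cracked password. The following added example, not code from IPA or the affected organization, runs both checks over sshd authentication lines: it flags sources with many failures (the brute-force and dictionary attacks of glossary item (*3)) and first-try successes from sources not on an allow-list of known administrator addresses. The log lines, host name and addresses are constructed for this example; `known_sources` is an assumed parameter, not an sshd feature.

```python
"""Detection over sshd log lines for the two login patterns in the
instance above: many failures from one source (password cracking, i.e.
brute-force or dictionary attack, see (*3)) and a success with no prior
failures from a source not known to belong to an administrator, which is
what a password stolen by a key logger looks like in the log.  Added
example, not IPA's code; log lines and addresses are constructed."""
import re
from collections import defaultdict

# OpenSSH authentication lines as written to auth.log / syslog.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+")

# Constructed sample: a password-guessing burst from 198.51.100.23, a
# one-shot success from 203.0.113.77, and a normal key login from an
# administrator workstation at 192.0.2.10.
SAMPLE_LOG = [
    "Jun 12 03:14:01 host1 sshd[2211]: Failed password for root from 198.51.100.23 port 41022 ssh2",
    "Jun 12 03:14:03 host1 sshd[2213]: Failed password for root from 198.51.100.23 port 41030 ssh2",
    "Jun 12 03:14:05 host1 sshd[2215]: Failed password for invalid user admin from 198.51.100.23 port 41041 ssh2",
    "Jun 12 03:14:07 host1 sshd[2217]: Failed password for invalid user test from 198.51.100.23 port 41052 ssh2",
    "Jun 12 03:14:09 host1 sshd[2219]: Failed password for invalid user oracle from 198.51.100.23 port 41060 ssh2",
    "Jun 12 03:14:11 host1 sshd[2221]: Failed password for root from 198.51.100.23 port 41071 ssh2",
    "Jun 12 03:20:10 host1 sshd[2250]: Accepted password for webadmin from 203.0.113.77 port 50112 ssh2",
    "Jun 12 09:00:00 host1 sshd[3001]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2",
    "Jun 12 09:05:00 host1 sshd[3010]: pam_unix(sshd:session): session opened for user alice by (uid=0)",
]


def parse_sshd_lines(lines):
    """Return a dict (ts, result, method, user, src) per authentication
    line; sshd lines that are not Accepted/Failed records are ignored."""
    events = []
    for line in lines:
        match = LINE_RE.match(line)
        if match:
            events.append(match.groupdict())
    return events


def analyze(lines, brute_threshold=5, known_sources=()):
    """Return {'brute_force': {src: failure_count},
               'first_try_success': [(src, user), ...]}.
    brute_force lists sources with at least brute_threshold failures;
    first_try_success lists logins that succeeded with no earlier failure
    from that source, excluding sources listed in known_sources."""
    failures = defaultdict(int)
    first_try = []
    for event in parse_sshd_lines(lines):
        src = event["src"]
        if event["result"] == "Failed":
            failures[src] += 1
        elif failures[src] == 0 and src not in known_sources:
            first_try.append((src, event["user"]))
    brute = {src: n for src, n in failures.items() if n >= brute_threshold}
    return {"brute_force": brute, "first_try_success": first_try}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG, known_sources=("192.0.2.10",))
    for src, count in report["brute_force"].items():
        print(f"password guessing: {src} ({count} failures)")
    for src, user in report["first_try_success"]:
        print(f"first-try success: {user} from {src}, verify this login")
```

A first-try success is not proof of compromise, but in the instance above it was the only trace the attacker left on the Linux side; the follow-up is to confirm the login with the account owner and, as IPA did, examine the client machine that holds the credential.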
(ii) Web site was altered because of a misconfiguration of WebDAV (*6)
<Instance>
- We were informed by a party outside the organization that the top page of our web site had been altered.
- An investigation was conducted accordingly. It found that a number of files on the web server had been altered and all the related logs (*7) had been deleted. In addition, another file, replaced/altered with malicious code, had been placed on the server. The code was executed but failed.
- The WebDAV function was enabled on the server, but because of a misconfiguration of user authentication it was operated maliciously by an intruder from outside who should not have had the privilege to connect.
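The misconfiguration in the instance above is easy to check for mechanically: a WebDAV-enabled container with no authentication requirement. The following added example, not code from IPA or the affected site, audits Apache httpd configuration text for `Dav On` inside a `<Location>` or `<Directory>` block that has no `Require` directive (or only `Require all granted`), and shows the weak configuration beside a corrected one. The configuration fragments, paths and file names are constructed for this example; the parser is a line-based approximation, not Apache's own.

```python
"""Audit Apache httpd configuration text for WebDAV-enabled containers
without an authentication requirement, the misconfiguration behind the
altered web site instance above.  Added example, not IPA's code; the
configuration fragments and paths are constructed for this example."""
import re

OPEN_RE = re.compile(r"^<(Directory|Location|DirectoryMatch|LocationMatch)\s+(.+?)\s*>$", re.I)
CLOSE_RE = re.compile(r"^</(Directory|Location|DirectoryMatch|LocationMatch)\s*>$", re.I)

# Constructed: WebDAV turned on for /share with no authentication at all,
# so anyone who can reach the server may PUT, DELETE or MOVE files.
WEAK_CONF = """
DavLockDB /var/lock/apache2/DavLock
<Location /share>
    Dav On
</Location>
"""

# Constructed: the same share, but write methods require a valid user.
FIXED_CONF = """
DavLockDB /var/lock/apache2/DavLock
<Location /share>
    Dav On
    AuthType Basic
    AuthName "WebDAV authors"
    AuthUserFile /etc/apache2/dav.passwd
    <LimitExcept GET HEAD OPTIONS>
        Require valid-user
    </LimitExcept>
</Location>
"""


def audit_dav(config_text):
    """Return the paths of Directory/Location containers in which Dav is
    enabled but no Require directive restricts access.  A Require inside a
    nested <Limit>/<LimitExcept> counts for the enclosing container, which
    is the usual WebDAV pattern.  'Require all granted' is treated as
    unrestricted."""
    stack = []      # one dict per open container: path, dav, restricted
    findings = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments; '#' in values is not handled
        if not line:
            continue
        opened = OPEN_RE.match(line)
        if opened:
            stack.append({"path": opened.group(2), "dav": False, "restricted": False})
            continue
        if CLOSE_RE.match(line):
            block = stack.pop()
            if block["dav"] and not block["restricted"]:
                findings.append(block["path"])
            continue
        if not stack:
            continue                            # server-level directives are not audited here
        parts = line.split()
        directive = parts[0].lower()
        if directive == "dav" and len(parts) > 1 and parts[1].lower() != "off":
            stack[-1]["dav"] = True             # 'Dav On' or a provider name such as 'Dav filesystem'
        elif directive == "require" and " ".join(parts[1:]).lower() != "all granted":
            stack[-1]["restricted"] = True
    return findings


if __name__ == "__main__":
    print("weak  :", audit_dav(WEAK_CONF))    # ['/share']
    print("fixed :", audit_dav(FIXED_CONF))   # []
```

Authentication alone does not replace the other finding in the instance, the deleted logs: keeping a copy of the access log on a separate host preserves evidence even when the web server itself is altered.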
IV. Accepting Status of Consultation
The gross number of consultations for June was 932. Of these, consultations relevant to “One-click Billing Fraud” numbered 285 (May: 185), consultations relevant to “High-pressured selling of software for security measures” 12 (May: 19), and consultations relevant to “Winny” 11 (May: 6), etc.
Movement in the total number of consultations accepted by IPA, by method

| Method                    | Jan. | Feb. | Mar. | Apr. | May | June |
|---------------------------|------|------|------|------|-----|------|
| Total                     | 946  | 1019 | 1127 | 827  | 814 | 932  |
| Automatic Response System | 582  | 603  | 697  | 486  | 484 | 537  |
| Telephone                 | 324  | 336  | 376  | 279  | 254 | 339  |
| e-mail                    | 39   | 75   | 54   | 58   | 69  | 53   |
| Fax, Others               | 1    | 5    | 0    | 4    | 7   | 3    |
*IPA provides consultation/advice on computer viruses and unauthorized computer access, as well as on other information security issues in general.
Mail: for virus issues, for crack issues.
Tel.: +81-3-5978-7509 (24-hour automatic response)
Fax: +81-3-5978-7518 (24-hour automatic response)
*The total case number includes the number in the Consultation (d) column of the chart in “III. Reporting Status for Unauthorized Computer Access” and “IV. Accepting Status of Consultation”.
*“Automatic Response System”: numbers accepted by the automatic response system
*“Telephone”: numbers accepted by Security Center personnel
<Reference>
Shift in the number of consultations relevant to One-click Billing Fraud
Computer Virus and Unauthorized Computer Access for September and the 3rd Quarter
2. One-click Billing Fraud
http://www.ipa.go.jp/security/english/virus/press/200609/E_PR200609.html
Computer Virus and Unauthorized Computer Access for August
2. Consultation Number for the Damages by One-click Billing Fraud is Unchangeably Many!!
http://www.ipa.go.jp/security/english/virus/press/200608/E_PR200608.html
<Reference>
Shift in the number of consultations relevant to High-Pressured Selling of Security Software

As for the high-pressured selling of security software, please also refer to the following link.
Reminder for the Month (for the month of April)
“Be Cautious with the High-pressured Selling Activities of Software for Security Measures!!”
http://www.ipa.go.jp/security/english/virus/press/200604/E_PR200604.html
The main instances of consultation are as follows.
(i) Server is infected by a bot?
Consultation:
A mail came from CCC (Cyber Clean Center) via the provider I am signed up with. The mail said that “my computer is infected by a bot”. I then downloaded the bot removal tool and followed the procedure the mail specified. What is the next step I should take?
Response:
CCC's main role is to notify users by mail, in cooperation with providers, that their PCs are infected by a bot, and so to promote bot removal. Alongside installing anti-virus software, the fundamentals for minimizing the chance of virus infection are: “do not visit suspicious sites”, “do not open files of unknown origin” and “keep the OS always updated (run Windows Update, etc.)”.
<Reference>
Cyber Clean Center (a collaboration project between the Ministry of Internal Affairs and Communications (MIC) and the Ministry of Economy, Trade and Industry (METI))
https://www.ccc.go.jp/en_index.html
(ii) Unknown icons have appeared on the family-use desktop…
Consultation:
I noticed that some unknown icons, namely “Gabos”, “Setup”, etc., have appeared on a family computer. Is this the work of a virus?
Response:
It can be assumed that another member of your family installed them. “Gabos” is a file sharing program. If you mis-operate it, data stored on your computer will be disclosed on the Internet. In addition, data may leak if your computer is infected by a virus. It is necessary to share these potential risks with the family users. To prevent data leaking without your knowledge, file sharing software should not be installed on a computer for family use.
<Reference>
IPA – preventing information leakage via Winny (in Japanese)
http://www.ipa.go.jp/security/topics/20060310_winny.html
V. Accessing Status Captured by the Internet Monitoring (TALOT2) in June
According to the Internet Monitoring (TALOT2), the total number of unwanted (one-sided) accesses in June 2007 was 293,252 across 10 monitoring points. That is, there were 1,086 accesses from 277 source addresses per monitoring point per day.
Since each monitoring environment of TALOT2 is nearly equal to the general connection environment used for the Internet, the same amount of unwanted (one-sided) access can be assumed for a general Internet user's connection environment. In other words, your computer is being accessed from 277 unknown source addresses on average per day, or about 4 times from each source address, which can be considered unauthorized.

Chart 5.1: Unwanted (One-sided) # of Access and Source # of Access/Monitoring Point/Day
Chart 5.1 shows the number of accesses and the number of source addresses, averaged per monitoring point per day, from January to June 2007. According to this chart, both seem to be moderately decreasing.
The accessing status in June 2007 was stable, as it was in May. Accesses to ports 135/tcp and 445/tcp remain as frequent as ever; in addition, accesses to ports 1026/udp and 1027/udp, which send popup messages exploiting the Windows Messenger service, increased.
Note) Please note that for June, monitoring data are only available from June 4 to 30, as the TALOT2 system maintenance period fell on June 1 to 3.
(1) Access Targeting 1026/udp and 1027/udp
Accesses to ports 1026/udp and 1027/udp in June 2007 almost doubled compared with May 2007. Most of these accesses came from China.
Chart 5.2 and Chart 5.3 show the shift in the number of accesses to ports 1026/udp and 1027/udp, classified by source area, for the last 2 months, May and June 2007.

Chart 5.2: Shift in # of Access to the Port 1026/udp Classified by Source Area from May to June 2007

Chart 5.3: Shift in # of Access to the Port 1027/udp Classified by Source Area from May to June 2007
These accesses send popup messages exploiting the Windows Messenger service. There are certain requirements for such messages to be displayed, however, so they may not appear on every computer.
Most of them are probably harmless spam, so you can ignore them. However, there is a risk that some of them execute malicious code remotely if the security patch for the vulnerability in the Windows Messenger service has not been applied. Accordingly, be sure to confirm once more that the security patches have been applied.
<Referential Information>
Buffer Overrun in Messenger Service Could Allow Remote Code Execution (828035) (MS03-043)
http://www.microsoft.com/technet/security/bulletin/ms03-043.mspx
Nowadays the Messenger service is also exploited to send viruses or to lure you to phishing sites. Accordingly, we encourage you to reconfirm the security measures applied to any computer that uses the Messenger service.
For further details, please refer to the following site.
Attachment 3: Observation Status Captured by the Internet Monitoring (TALOT2)
http://www.ipa.go.jp/security/english/virus/press/200706/TALOT200706.html
“Various
Statistics Information Provided by Other Organizations/Vendors
are Publicized in the Following Sites”
@police: http://www.cyberpolice.go.jp/english/
Trendmicro: http://www.trendmicro.com/en/home/us/home.htm
McAfee: http://www.mcafee.com/us/
“Interpretation for Glossaries”
(*1) Vulnerability:
In information security, a vulnerability is a weakness that may lead to an unscheduled and/or unexpected event that reduces the secured state of a system, network or application, or of the protocols relating to them; it also refers to errors in design and/or implementation, and to an insufficient security configuration. A vulnerability is also commonly called a security hole.
(*2) SSH (Secure Shell):
A protocol, or a program, used to log in to another computer over the network, execute commands on a remote computer and transfer files to another computer. Since the data sent over the network is encrypted, a series of operations over the Internet can be conducted safely.
(*3) Password Cracking:
Techniques for identifying someone else's password by analysis, etc. Approaches include the brute-force attack and the dictionary attack, and there are also programs written specifically for cracking.
*Brute Force Attack: an attack method that tries combinations of characters exhaustively, according to a certain rule, to work out a password; the term refers to attacking by force.
*Dictionary Attack: an attack method that tries every word listed in a dictionary, from beginning to end, to work out a password.
(*4) Key Logger:
A program that records information entered from the keyboard.
(*5) Rootkit:
A set of software used by an attacker after intruding into a computer. Generally, a rootkit includes a log alteration tool, a backdoor tool and a set of altered system commands.
(*6) WebDAV (Web-based Distributed Authoring and Versioning):
A mechanism that extends HTTP (Hypertext Transfer Protocol) so that files and folders on a web server, and their versions, can be edited and managed from a web browser.
(*7) Log:
A record of computer usage or of data communication. Generally, it records the operator's ID, the date and time the computer was operated, the content of the operation, etc.
The details are as follows:
- Attachment 1: Computer Virus Incident Report [Details]
- Attachment 2: Unauthorized Computer Access Incident Report [Details]
- Attachment 3: Observation Status by Internet Monitoring System (TALOT2)
- Attachment 4: Computer Virus Incident Report for the 1st Half (January to June)
- Attachment 5: Unauthorized Computer Access Incident Report for the 1st Half (January to June)