
Computer Virus / Unauthorized Computer Access Incident Report [Summary]

August 22, 2007

IT Security Center
Information-technology Promotion Agency, Japan (IPA)

This is a summary of computer virus/unauthorized computer access incident reports for July, 2007 compiled by IPA.

Reminder for the Month:

“Firewall Protects Your Computer, Security in Your Mind Protects Your Sound State*”

Let's talk about proper computer use and security measures with mom and dad during the summer vacation!!

Information Security Catch-phrase (The 2007 Grand Prize went to Miss Saori FUKUSHI, a high school student in Hokkaido, when IPA solicited catch-phrases from children nationwide, from elementary school to high school.)
*The original is in Japanese; it has been translated into English here for non-Japanese readers.

(1) Damage Status

IPA is currently receiving a number of consultations from parents of young children along the lines of: “Our kids started using the Internet, and now a billing screen stays on the display and there is no way to remove it.” Out of simple curiosity, and without knowing how risky they are, children visit harmful sites such as adult sites or dating sites; in the process, malicious code that keeps displaying a billing screen is installed on the computer (the “one-click billing fraud” counted in section V below).

(2) Prevention Measures

To prevent such damage, always keep the following MUSTS in mind:

  • a) Be sure to install anti-virus software, and keep its signatures up to date at all times.
  • b) Run Microsoft Update, Windows Update and other vendors' updates regularly to close security holes.
  • c) Do not visit harmful sites casually, and do not casually click images or movies on such sites.
  • d) If a security alert appears after you have clicked an image or movie, read the contents of the alert carefully before proceeding, so that malicious code is not downloaded.

These measures are effective, but the most effective measure is to block the computer's access to harmful sites on the Internet in advance. Ways to do this include security software that blocks harmful content on the Internet (filtering software) and harmful-site blocking services offered by Internet providers (filtering services). If parents put such measures in place before their children use the computer, access to harmful sites on the Internet can be prevented before anything happens.

Chart 1: Filtering Software Protects Your Computer Before Something Happens

Filtering software may be bundled with anti-virus software or sold separately as a stand-alone product. Before installing it, check with the manufacturer of the security software you are already using, or with its retailer, that the two work together.

Most schools are now on their long summer vacation, which means children have more opportunities to use the computer at home and to use the Internet. Parents therefore need to watch how their children use computers and the Internet. In addition, please refer to the following sites to put security measures in place on the computer used in your home. It is highly recommended that parents decide, together with their children, what they may and may not do, so that the computer and the Internet are used more safely.

(3) Resolution for Damage

Do not panic even if a billing screen appears. Never transfer money, and never contact the address or telephone number shown on the bill by mail or telephone. Check whether the billing screen reappears after you reboot the computer. If it does not, no further action is needed. If it reappears after a reboot, malicious code is probably installed, and the computer needs to be returned to a sound state with the System Restore function that is built into the operating system. If the billing screen still appears after a system restore, the computer needs to be initialized.

(a) Regaining a sound state with the System Restore function

Using the “System Restore” function of your computer (see the Microsoft homepage for the procedure), restore the system to a restore point from the day before the billing screen first appeared. Any OS configuration changes, newly installed software and software updates made between the chosen restore date and the present will be undone entirely, so re-install or re-apply them after the restore has completed successfully.

Documents you created, mail sent and received, browsing history, favorites (bookmarks), etc. from that period are retained.

(b) Initialization

This process restores the computer to the default state it was in when you purchased it. The procedure is described in the instruction handbook that came with the computer; follow the steps in its “How to Initialize your Computer” section carefully. Never forget to back up important data to external media beforehand, since initialization erases everything on the computer.

Image of Security (The 2007 Grand Prize went to Mr. Yukihiro MOROKUMA, a junior high school student in Saga Pref., when IPA solicited security posters from children nationwide, from elementary school to high school.)

II. To System Administrators: THE MUSTS Before You Go on Summer Vacation...

During the summer vacation period, most staff, including system administrators, are likely to be away. If computers or computer systems suffer damage during that time, such as web defacement or unauthorized mail relay caused by viruses, worms or unauthorized access with malicious intent, the damage tends to spread unchecked.

System administrators should therefore put thorough safety measures in place beforehand, by reviewing daily security operations and implementing whatever is necessary: for example, a firewall configuration that correctly detects and responds to attacks, and application of security patches (modification programs) where needed.

Some users are also likely to take their PCs home over the vacation. When they return to work, the first thing they must do, before connecting to the corporate LAN, is update the virus signatures of their anti-virus software and scan the PC for viruses. Administrators also need to gather information on new viruses and variants, newly discovered security holes, etc., take appropriate measures immediately where necessary, and communicate enough of this information to all personnel.

Please refer to the following site for further countermeasures for establishing a well-managed, stable system.

III. Reporting Status for Computer Viruses – for further details, please refer to Attachment 1 –

The detection number [1] of viruses was about 0.51M, up 3.4% from about 0.50M in June. The reported number [2] was 3,069, up 5.9% from 2,898 in June.

[1] Detection number:
The cumulative count of viruses found, as reported by each reporter (filer).
[2] Reported number:
The number of cases after aggregation: viruses of the same type, variants included, reported by the same reporter on the same day are counted as one case, regardless of how many viruses were actually found. For July, the reported number was 3,069 cases, corresponding to an aggregated detection number of about 0.51M.
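As an added illustration (not IPA's own counting tool), the following Python shows how the two figures differ: the detection number is a plain sum, while the reported number collapses everything of one virus family, variants included, reported by one reporter on one day into a single case. The records, reporter names and the variant-suffix convention used by family() are constructed for the example.

```python
"""Detection number vs reported number, following the definitions in
IPA's monthly summary. Added example; records are constructed."""
from collections import defaultdict

# Constructed sample reports: (report_date, reporter, virus_name, viruses_found)
SAMPLE_REPORTS = [
    ("2007-07-02", "org-A", "W32/Netsky.Q", 120),
    ("2007-07-02", "org-A", "W32/Netsky.P", 30),    # variant, same day, same reporter -> same case
    ("2007-07-02", "org-A", "W32/Mytob.AB", 5),     # different family -> separate case
    ("2007-07-03", "org-A", "W32/Netsky.Q", 200),   # next day -> new case
    ("2007-07-02", "org-B", "W32/Netsky.Q", 1),     # different reporter -> new case
    ("2007-07-05", "org-B", "W32/Stration.A", 7),
]


def family(virus_name):
    """Strip the variant suffix: 'W32/Netsky.Q' -> 'W32/Netsky'.
    Assumption for this example: the variant is the trailing dot-separated part."""
    return virus_name.rsplit(".", 1)[0]


def detection_number(reports):
    """Cumulative count of viruses found across all reports."""
    return sum(found for _, _, _, found in reports)


def reported_number(reports):
    """Number of cases: one per (day, reporter, virus family)."""
    cases = {(day, reporter, family(name)) for day, reporter, name, _ in reports}
    return len(cases)


def top_families(reports, n=3):
    """Families ranked by detection number, as in the 'worst detection number' line."""
    totals = defaultdict(int)
    for _, _, name, found in reports:
        totals[family(name)] += found
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    print("detection number:", detection_number(SAMPLE_REPORTS))
    print("reported number: ", reported_number(SAMPLE_REPORTS))
    print("top families:    ", top_families(SAMPLE_REPORTS))
```

With these six records the detection number is 363 while the reported number is only 5 cases, which is the same kind of gap as the 0.51M detections against 3,069 reports for July.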

The highest detection number was for W32/Netsky with about 0.44M, followed by W32/Mytob with about 0.01M and W32/Stration with about 0.01M.

Chart 3-1: Detection Number of Viruses, July 2007: about 0.51M (about 0.50M), +3.4%

Chart 3-2: Reported Number of Viruses, July 2007: 3,069 (2,898), +5.9%

Note) Numbers in parentheses are the figures for the previous month.

IV. Reporting Status for Unauthorized Computer Access (including Consultations) – please refer to Attachment 2 –

Reports of unauthorized computer access and status of consultations

                                 Feb.  Mar.  Apr.  May  June  July
Total Reported (a)                 23    13    15   19    41    10
  Damaged (b)                      14     9    12   13    36     8
  Not Damaged (c)                   9     4     3    6     5     2
Total Consultations (d)            50    43    31   37    27    25
  Damaged (e)                      28    20    20   21    11    11
  Not Damaged (f)                  22    23    11   16    16    14
Grand Total (a + d)                73    56    46   56    68    35
  Damaged (b + e)                  42    29    32   34    47    19
  Not Damaged (c + f)              31    27    14   22    21    16

(1) Reporting Status for Unauthorized Computer Access

The number of reports for July was 10, of which 8 involved actual damage.

(2) Acceptance Status for Consultations relevant to Unauthorized Computer Access, etc.

The number of consultations relevant to unauthorized computer access was 25, of which 11 involved some form of damage (one of these was also counted among the reports above).

(3) Status of Damage

The breakdown of the 8 damage reports was: Intrusion, 3; Others (Damaged), 5. Of the intrusion reports, in 2 the server was turned into a stepping stone for attacks on other sites, and in 1 content was planted on the server for use in phishing (*1). The causes of intrusion included password cracking attacks (*2) in 2 cases.

(4) Damage Instances:

[Intrusion]

(i) The port (*4) used by SSH (*3) was attacked and the server intruded; a bot (*5) was then installed...
<Instance>
  • The corporate network (intranet) was in an anomalous state when I got to work in the morning. An investigation found that a server was sending a large number of suspicious packets.
  • The port used by SSH had been subjected to a password cracking attack, and an intruder had gotten in. In addition, bot code that communicated with the outside had been installed. Moreover, the contents of our company's web site had been altered.
  • Because of indispensable operational needs, an ftp service had been temporarily made public; the cause may be that we should have opened only the ftp port, but all ports were opened by mistake.
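The sequence in this instance, repeated password guesses against the SSH port followed by a successful password login, is visible in the SSH daemon's own log. The following Python is an added example, not something from the reported case or from IPA: it scans constructed OpenSSH auth.log lines (the hostname, addresses, usernames and the threshold of five failures are assumptions), flags sources that cross the threshold, flags a later password login from such a source as a likely intrusion, and checks an sshd_config fragment for the settings that make the attack possible (the hardened fragment reflects the public key authentication recommended in glossary note (*3)).

```python
"""SSH password-guessing detection over auth.log, plus an sshd_config check.
Added example; log lines, addresses and thresholds are constructed."""
import re
from collections import defaultdict

# OpenSSH's classic syslog phrasing for failed and successful logins.
FAILED = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2")
ACCEPTED = re.compile(
    r"Accepted (?P<method>password|publickey) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2")

# Constructed sample log: a guessing run from one address that ends in a
# successful password login, and a legitimate key-based login from another.
SAMPLE_AUTH_LOG = """\
Jul 21 02:10:01 web1 sshd[2301]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Jul 21 02:10:03 web1 sshd[2303]: Failed password for invalid user test from 203.0.113.7 port 40118 ssh2
Jul 21 02:10:05 web1 sshd[2305]: Failed password for root from 203.0.113.7 port 40121 ssh2
Jul 21 02:10:07 web1 sshd[2307]: Failed password for root from 203.0.113.7 port 40125 ssh2
Jul 21 02:10:09 web1 sshd[2309]: Failed password for root from 203.0.113.7 port 40130 ssh2
Jul 21 02:10:11 web1 sshd[2311]: Failed password for ftpadmin from 203.0.113.7 port 40133 ssh2
Jul 21 02:10:13 web1 sshd[2313]: Accepted password for ftpadmin from 203.0.113.7 port 40137 ssh2
Jul 21 08:30:44 web1 sshd[2520]: Failed password for alice from 198.51.100.5 port 51000 ssh2
Jul 21 08:30:50 web1 sshd[2522]: Accepted publickey for alice from 198.51.100.5 port 51002 ssh2
"""


def analyse(log_text, threshold=5):
    """Return (brute_force_sources, likely_intrusions).

    brute_force_sources: {ip: {"failures": n, "users": [...]}} for every source
    with at least `threshold` failed password logins.
    likely_intrusions: [(ip, user)] for each *password* login accepted from a
    source that had already crossed the threshold, i.e. the guess succeeded.
    Key-based logins are never flagged; that is the method IPA recommends.
    """
    failures = defaultdict(int)
    users_tried = defaultdict(set)
    intrusions = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m["ip"]] += 1
            users_tried[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED.search(line)
        if m and m["method"] == "password" and failures[m["ip"]] >= threshold:
            intrusions.append((m["ip"], m["user"]))
    brute = {ip: {"failures": n, "users": sorted(users_tried[ip])}
             for ip, n in failures.items() if n >= threshold}
    return brute, intrusions


# Constructed sshd_config fragments: the settings that leave password guessing
# possible, and the hardened form (key-only logins, no direct root login).
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""


def weak_sshd_settings(config_text):
    """List the 'Keyword value' lines that keep password guessing viable."""
    risky = {("permitrootlogin", "yes"), ("passwordauthentication", "yes")}
    found = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if (key.lower(), value.strip().lower()) in risky:
            found.append(line)
    return found


if __name__ == "__main__":
    sources, hits = analyse(SAMPLE_AUTH_LOG)
    print("guessing sources:", sources)
    print("password logins after guessing:", hits)
    print("weak sshd settings:", weak_sshd_settings(WEAK_SSHD_CONFIG))
```

The decisive signal is not the failures alone but the accepted password login from an address that has just produced a run of them; on a host that accepts only public keys, the whole run would have been failures with nothing to accept.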

[Others (Damaged)]

(ii) SNS (*6) account was hijacked...
<Instance>
  • I use an SNS service. One day, I suddenly could no longer log in from my computer.
  • Although I could log in from my mobile phone, my user information had been changed to a different password and mail address that I do not know.

V. Accepting Status of Consultation

The total number of consultations in July was 1,162. Of these, 316 concerned “One-click Billing Fraud” (June: 285), 16 concerned “High-pressure selling of security software” (June: 12), and 19 concerned “Winny” (June: 11), among others.

Trend in the total number of consultations accepted by IPA, by method

                            Feb.   Mar.   Apr.   May   June   July
Total                       1019   1127    827   814    932   1162
  Automatic Response System  603    697    486   484    537    694
  Telephone                  336    376    279   254    339    403
  e-mail                      75     54     58    69     53     64
  Fax, Others                  5      0      4     7      3      1

*IPA provides consultation and advice on computer viruses and unauthorized computer access, as well as on other information security issues in general.

Mail: please feel free to call +81-3-5978-7517 for virus issues, or +81-3-5978-7517 for crack issues.
Tel.: +81-3-5978-7509 (24-hour automatic response)
Fax: +81-3-5978-7518 (24-hour automatic response)

*The total includes the consultations counted in the Consultation (d) row of the table in “IV. Reporting Status for Unauthorized Computer Access” as well as those in this section, “V. Accepting Status of Consultation”.
*“Automatic Response System”: number accepted by the automatic response system
*“Telephone”: number accepted by IT Security Center personnel

<Reference>

Chart: Shift in Number of Consultations relevant to One-click Billing Fraud

<Reference>

Chart: Shift in Number of Consultations relevant to High-pressure Selling of Security Software

For the activities involved in high-pressure selling of security software, please also refer to the following link.

Reminder for the month (for the month of April)

The main consultation instances are as follows.

(i) A virus alert appeared while browsing a financial information site...
Consultation:

My anti-virus software suddenly raised an alert one day when I browsed a well-known financial information site that I visit frequently... What happened, and what should I do?

Response:

Because anti-virus software was installed on the consulter's computer, the infection should have been blocked by it. Even so, it is better to scan the computer manually to confirm that it is not infected. In this case, the financial site itself had been intruded and altered so that it downloaded a virus to the computers that accessed it. As long as the consulter has taken virus countermeasures appropriately (installed anti-virus software with current signatures), there is no problem.

<Reference>
(ii) An alert appears saying “The computer is being accessed illegally”...
Consultation:

My anti-virus software alerts that my computer is being accessed illegally. However, I do not know how to deal with it. I also cannot connect to the Internet. I am using a wireless LAN; could that be the cause?

Response:

Care is required with wireless LANs, because they are easily intruded if the user neglects to configure adequate security. Check the wireless LAN access point and the configuration of the wireless LAN adapter on the PC side. Do not use the access point with the settings it shipped with from the factory; change the configuration yourself. Encryption must be enabled (use WPA or WPA2; WEP is known to be breakable). In addition, not broadcasting the access point identifier (the service set ID, SSID), also called a stealth configuration, reduces the chance of attracting threats, though it is no substitute for encryption, since the SSID still appears in client traffic and can be recovered by anyone listening.

<Reference>

VI. Access Status Captured by Internet Monitoring (TALOT2) in July

According to the Internet Monitoring system (TALOT2), the total number of unwanted (one-sided) accesses in July 2007 was 282,889 across 10 monitoring points. That is an average of 913 accesses from 277 source addresses per monitoring point per day.

Since each TALOT2 monitoring environment is close to the connection environment of a typical Internet user, roughly the same volume of unwanted (one-sided) access can be assumed for general users' connections. In other words, your computer is being accessed by about 277 unknown source addresses per day on average, each of which makes roughly 3 accesses that can be regarded as unauthorized.

Chart 6.1: Unwanted (One-sided) Number of Accesses and Number of Source Addresses per Monitoring Point per Day

Chart 6.1 shows the average number of unwanted (one-sided) accesses and of source addresses per monitoring point per day from February to July 2007. According to the chart, unwanted (one-sided) accesses appear to have decreased moderately.

Access status in July 2007 was, on the whole, as stable as in June. However, accesses targeting vulnerabilities in application software increased: for example, access to port 1433/tcp targeting a vulnerability in Microsoft SQL Server, and access to port 2967/tcp targeting a vulnerability in Symantec security software.

(1) Access Targeting Vulnerabilities in Application Software

From the latter half of July 2007, access to port 1433/tcp increased. This was mainly access from China and Japan targeting a vulnerability in Microsoft SQL Server.

Chart 6.2: Number of Accesses to Port 1433/tcp by Source Area in July 2007 (10 monitoring points)

Since the sources in Japan simultaneously accessed ports 135/tcp, 139/tcp and 445/tcp, which are targeted for Windows vulnerabilities, these accesses appear to be infection activity (access that attempts to spread a bot infection further) from computers already infected with a bot.

The sources outside Japan (China, Korea, Hong Kong, etc.) also made simultaneous accesses to other ports: for example, port 2967/tcp, targeting the vulnerability in Symantec security software, and port 3306/tcp, targeting servers running MySQL (an open-source SQL database) (see Charts 6.3 and 6.4).

These accesses appear to be infection activity from computers infected with a bot different from the one spreading in Japan. Accordingly, the number of bot-infected computers appears to remain persistently large.

A bot is a kind of virus whose infection users rarely notice. We therefore encourage you to download the removal tool from the following site and remove bots following the procedure provided there.
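The following Python is an added example (not TALOT2's own software). It computes the per-monitoring-point-per-day figures used in this section and the per-port, per-region breakdown shown in Charts 6.2 to 6.5 from constructed sensor records, and applies the reasoning above to tag a source as a bot sweep when it hits 135, 139 and 445/tcp together, or two or more of the application ports, on the same day. The record layout, region labels, addresses and the sweep rule are assumptions made for the example.

```python
"""Summarising unwanted (one-sided) accesses the way section VI does.
Added example; records, regions and the sweep heuristic are constructed."""
from collections import defaultdict

# Constructed sensor records: (monitoring_point, day, src_ip, src_region, dst_port)
SAMPLE_ACCESSES = [
    # a bot-infected host in Japan sweeping the Windows RPC/NetBIOS/SMB ports
    ("mp01", "2007-07-20", "192.0.2.10", "JP", 135),
    ("mp01", "2007-07-20", "192.0.2.10", "JP", 139),
    ("mp01", "2007-07-20", "192.0.2.10", "JP", 445),
    # Microsoft SQL Server probes from two regions
    ("mp01", "2007-07-20", "198.51.100.20", "CN", 1433),
    ("mp02", "2007-07-20", "198.51.100.20", "CN", 1433),
    ("mp02", "2007-07-21", "192.0.2.11", "JP", 1433),
    # Symantec / MySQL / RealVNC probes from one overseas source
    ("mp02", "2007-07-21", "203.0.113.30", "KR", 2967),
    ("mp02", "2007-07-21", "203.0.113.30", "KR", 3306),
    ("mp02", "2007-07-21", "203.0.113.30", "KR", 5900),
    ("mp01", "2007-07-21", "203.0.113.31", "HK", 2967),
]

WINDOWS_PORTS = {135, 139, 445}        # targeted by the Japan-origin bot traffic
APP_PORTS = {1433, 2967, 3306, 5900}   # MS SQL Server, Symantec, MySQL, RealVNC


def per_point_per_day(records, points, days):
    """Average accesses and distinct source addresses per monitoring point per day.
    `points` and `days` are the size of the monitoring set and of the period
    (TALOT2 used 10 points over the 31 days of July 2007)."""
    accesses = len(records)
    # a source counts once per (point, day) it touched, as a per-day figure should
    sources = len({(point, day, ip) for point, day, ip, _, _ in records})
    return accesses / (points * days), sources / (points * days)


def by_port_and_region(records):
    """{dst_port: {src_region: count}}, the breakdown drawn in Charts 6.2-6.5."""
    table = defaultdict(lambda: defaultdict(int))
    for _, _, _, region, port in records:
        table[port][region] += 1
    return {port: dict(regions) for port, regions in table.items()}


def sweep_sources(records):
    """Classify sources by the ports they hit on the same day.
    'windows_sweep': hit every port in WINDOWS_PORTS (bot spreading on Windows).
    'app_sweep': hit two or more APP_PORTS (bot probing application services).
    This rule is an assumption for the example, not TALOT2's own criterion."""
    ports_seen = defaultdict(set)
    for _, day, ip, _, port in records:
        ports_seen[(ip, day)].add(port)
    windows, app = set(), set()
    for (ip, _), ports in ports_seen.items():
        if WINDOWS_PORTS <= ports:
            windows.add(ip)
        if len(ports & APP_PORTS) >= 2:
            app.add(ip)
    return {"windows_sweep": sorted(windows), "app_sweep": sorted(app)}


if __name__ == "__main__":
    print(per_point_per_day(SAMPLE_ACCESSES, points=2, days=2))
    print(by_port_and_region(SAMPLE_ACCESSES))
    print(sweep_sources(SAMPLE_ACCESSES))
```

Applied to the July totals, 282,889 accesses over 10 points and 31 days is the 913 accesses per point per day quoted above; the same grouping by (source, day) is what separates a host that merely probes 1433/tcp once from one that walks through several vulnerable services in one sitting.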

(Reference Information)

Chart 6.3: Number of Accesses to Port 2967/tcp by Source Area in July 2007 (10 monitoring points)

Chart 6.4: Number of Accesses to Port 3306/tcp by Source Area in July 2007 (10 monitoring points)

Besides the accesses to ports 2967/tcp and 3306/tcp, access to port 5900/tcp, which appears to target a vulnerability in the remote access tool RealVNC, also increased at the same time (see Chart 6.5).

These accesses are attempts to intrude remotely into the computers being attacked, so system administrators who operate servers with such tools must not neglect to re-check how those servers are operated and to resolve any vulnerabilities in them.

(Reference Information)

Chart 6.5: Number of Accesses to Port 5900/tcp by Source Area in July 2007 (10 monitoring points)

For further details, please refer to the following site.

Various Statistics Information Provided by Other Organizations/Vendors are Publicized in the Following Sites

Glossary

(*1) Phishing :
Spoofing the e-mail or web pages of existing businesses such as banks in order to steal the user IDs and passwords of legitimate users who open or browse them. The word derives from “fishing”; there are several theories about the spelling, such as “f” being replaced with “ph” according to hacker naming convention, a blend of “sophisticated” and “fishing”, or a contraction of “password harvesting fishing”.
(*2) Password Cracking :

A malicious technique for determining someone else's password by analysis or similar means. Approaches include brute-force attacks and dictionary attacks, and dedicated cracking programs exist as well.

*Brute Force Attack:
An attack that tries combinations of characters exhaustively, according to a fixed rule, until the password is found. The name refers to its reliance on sheer force.

*Dictionary Attack:
An attack that tries every word listed in a dictionary, from the first to the last, until the password is found.

(*3) SSH (Secure Shell) :
A protocol, and the program implementing it, for logging in to another computer over a network, executing commands on it remotely and transferring files to it. Because the data on the network is encrypted, a series of operations over the Internet can be carried out more safely than with protocols that communicate in plain text. Several authentication methods can be selected; public key authentication is recommended, since password authentication is liable to be defeated by a brute-force attack or the like.
(*4) Port :
An interface, like a window, through which each service in a computer exchanges information with the outside. Since the numbers 0 to 65535 are used to identify them, they are also called port numbers.
(*5) Bot :
A kind of computer virus, created so that the infected computer can be manipulated from outside over a network (the Internet).
(*6) SNS (Social Networking Service/Site) :
An Internet service that facilitates communication among users. SNS are usually membership-based and community-oriented.

The details are as follows:

Contact

IT Security Center, Information-technology Promotion Agency, Japan (IPA/ISEC)
Tel:+81-3-5978-7527
Fax:+81-3-5978-7518
E-mail: Please feel free to call at +81-3-5978-7517.