This is a summary of computer virus/unauthorized computer access incident reports for August 2007 compiled by IPA.
I. Reminder for the Month:
“What's in there? It's too late once it is opened.” *1
Do not click spam *2: send it straight to the trash box!!
*1 Information Security Catch-phrase (the second prize for 2007 went to Miss Tomomi Itoh, a junior high school student in Chiba Prefecture, when IPA solicited catch-phrases nationwide from elementary through high school students).
*2 UBE (Unsolicited Bulk Email), generally referred to as spam or spam mail.
<The original was in Japanese and has been translated into English for non-Japanese audiences.>
In August, IPA received a number of consultations from people who came close to suffering virus infection via spam, for example: “When I clicked the link included in a spam mail, my anti-virus software raised an alert.” Luckily, these consulters avoided infection because anti-virus software was installed on their computers; had no anti-virus software alerted, they would easily have been infected without ever noticing the presence of the virus.
(1) Why Does Spam Arrive?
Spam refers to “mail received unintentionally, sent with no regard to whether the receivers wish to have it or not.” It tends to be sent from computers infected by viruses such as bots. Such mail is sent automatically to an unspecified large number of users by a tool that generates destination mail addresses at random. For this reason, users are likely to receive a number of spam mails even if they have never given their mail address to the sending party.
(2) What If You Click a Spam…
The major ways of getting infected by a virus via spam are as follows.
- Clicking the file attached to a spam, the contents of which are a virus.
- Clicking a link or image in the spam body that leads to a website in which a virus is embedded.
The following is an instance of how you can get infected via spam mail.

Chart 1-1: The Body of Spam
Chart 1-1 shows an example of the body of a spam mail whose link leads to a website in which a virus is embedded: when you click the link included in the spam body, you are led to that website.
In the mail body (please refer to Chart 1-1), the attacker attempts to make you click the link by writing something that attracts the receiver's attention, such as “OMG, What are you doing, man? This video of you is all over the net! Here is the link I got.”
The displayed link a) masquerades as the URL of a well-known video site; however, once you click it, you are taken to a completely different site (please refer to Chart 1-2) that spoofs the well-known video site. If you ignore the alerts and further click link b) there, the virus is downloaded and your computer becomes infected.

Chart 1-2: Malicious Website on a Destination Link
According to the analysis conducted by IPA, the virus possesses stealth features that hide it from anti-virus software. Consequently, once a computer is infected, it is hard to realize that it is infected.
As you already know, once your computer is infected by a virus, personal information stored on it may be stolen, or the computer may be exploited as a stepping stone for a third party to send spam, and so on.
(3) Response to Spam
Current Internet provider services include some anti-spam measures for their users, though these measures cannot remove spam perfectly. Accordingly, some spam may still be received.
Spam mail uses a subject and a mail body that the receiver is likely to be interested in opening, or a sender name that makes the receiver want to see what is in the attached files: accordingly, you had better ignore them.
The following are the reasons most often given by receivers for opening spam.
- There was something in the subject and/or the contents of the spam that I was interested in, so I opened it easily and clicked the appended link out of curiosity.
- The name of the sender was exactly the same as my friend's, so I simply clicked the attached file without any suspicion.
- I clicked the link intentionally just because I wanted to see what was in the attached file.

The best countermeasure against spam, or against suspicious mails that appear to be spam, is to send them to the trash (in other words, to “delete” them).
As described previously, the spam sender tries to send a large quantity of mail to an unspecified large number of users at once, so this person cannot be trusted at all. Accordingly, you should never respond to the mail address given after messages such as “click here to refuse further mails” or “click here to stop subscription”, etc. Once you respond, your mail address is confirmed as live by the spam sender, and the chance that you will receive more spam increases.

As further countermeasures, it is also effective to configure your mail software not to render HTML (Hyper Text Markup Language: mail written in the display format used by websites) in the mail body, and not to open attachment files to e-mails in which the presence of a virus is suspected, etc.
Additionally, be sure to carry out the fundamental countermeasures as follows.
- Security hole measures (updates of the OS and the various application software you are using)
- Update the virus signatures of your anti-virus software
“Five anti-spyware requirements for computer users” (in Japanese)
http://www.ipa.go.jp/security/antivurus/spyware5kajyou.html
“Seven anti-virus requirements for computer users” (in Japanese)
http://www.ipa.go.jp/security/antivirus/7kajonew.html
“IPA – anti-bot measures” (in Japanese)
http://www.ipa.go.jp/security/antivirus/bot.html
“Information relevant to vaccine software” (in Japanese)
http://www.ipa.go.jp/security/antivirus/vacc-info.html
“Utilization procedure of Microsoft Update and Windows Update” (Microsoft)
http://www.microsoft.com/japan/athome/security/mrt/wu.mspx
“Anti-spam measures” (METI: Ministry of Economy, Trade and Industry) (in Japanese)
http://www.meti.go.jp/policy/consumer/tokusyuu/meiwakumail-main.htm
“Information desk for spams” (Japan Industrial Association) (in Japanese)
http://www.nissankyo.or.jp/spam/index.html
II. Approaches relevant to Anti-virus Measures Conducted by IPA
1) Tips for when an information leak occurs
-What you have to do first when an information leak has occurred-
This booklet explains the things you have to do first and the points you have to take care of when an information leak has occurred in an SME where no incident response manual for information leaks is readily available. It gives incident response teams, as well as their management, easily understandable information for immediate and adequate incident handling.
URL: http://www.ipa.go.jp/security/awareness/johorouei/ (also available as a booklet) (in Japanese)
2) Survey Report on Damages/Incidents relevant to Information Security within Japan, 2006
This survey summarizes the adoption rate of countermeasures against damages/incidents relevant to information security. It was a questionnaire survey conducted by post, targeting corporations, municipal governments, etc. The results are available at the following URL.
URL: http://www.ipa.go.jp/security/fy18/reports/virus-survey/press.html (in Japanese)
3) Awareness study on newer threats relevant to information security (the 2nd study, 2006)
Currently, not only computer viruses but also newer threats such as phishing fraud, spyware, bots, etc. exist and cause a variety of damages. In response to this situation, IPA studied the actual state of awareness, understanding, adoption rate of countermeasures, etc. against these newer threats via a web questionnaire to Internet users. The results are available at the following URL.
URL: http://www.ipa.go.jp/security/fy18/reports/ishiki02/index.html (in Japanese)
4) iPedia virus information based on ZHA (Zero Hour Analysis)
IPA conducts behavioral analysis of viruses collected as samples. The summarized results are publicized on our website as the “Virus information iPedia”.
URL: https://isec.ipa.go.jp/zha-virusdb/web/Top.php (in Japanese)
III. Reporting Status for Computer Virus – for further details, please refer to Attachment 1 –
The detection number [1] of viruses was about 0.49M, a decrease of 4.3% from about 0.51M detected in July. In addition, the reported number [2] of viruses was 2,806, also a decrease of 8.6% from 3,069 in July.
[1] Detection number: Reported virus counts (cumulative) found by a filer.
[2] Reported number: Virus counts are aggregated: viruses of the same type and its variants reported by the same filer on the same day are counted as one case, regardless of how many viruses or what actual number of viruses is found. In August, the reported number was 2,806, while the aggregated virus detection number was about 0.49M.
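The difference between the two figures above is easiest to see on data. The following Python script is an added example, not code or data from the IPA report: it applies definition [1] (sum of all files found) and definition [2] (one case per filer, day and virus family, variants collapsed) to a constructed set of detection records, and also ranks families the way the "worst detection number" figures below are ranked. The "Family.Variant" naming and the record layout are assumptions.

```python
from collections import Counter

# Constructed sample of detection records (not IPA data): one record per
# (date, reporting filer, detected virus name) with the count of files found.
SAMPLE_RECORDS = [
    ("2007-08-01", "filer-A", "W32/Netsky.Q", 120),
    ("2007-08-01", "filer-A", "W32/Netsky.P", 30),   # variant of the same type, same filer, same day
    ("2007-08-01", "filer-A", "W32/Mytob.AR", 5),
    ("2007-08-01", "filer-B", "W32/Netsky.Q", 70),   # another filer, same day: a separate case
    ("2007-08-02", "filer-A", "W32/Netsky.Q", 40),   # same filer, next day: a separate case
]


def family(virus_name):
    """Strip the variant suffix: 'W32/Netsky.Q' -> 'W32/Netsky'.
    Assumes the vendor's 'Family.Variant' naming convention."""
    return virus_name.split(".", 1)[0]


def summarize(records):
    """Return (detection_number, reported_number) under the report's definitions.

    detection_number: cumulative count of virus files found by all filers ([1]).
    reported_number:  one case per (day, filer, virus family), regardless of how
                      many files or variants that filer found that day ([2])."""
    detection_number = sum(count for _, _, _, count in records)
    cases = {(day, filer, family(name)) for day, filer, name, _ in records}
    return detection_number, len(cases)


def worst_families(records, top=3):
    """Detection count per family, highest first (the 'worst detection number' ranking)."""
    per_family = Counter()
    for _, _, name, count in records:
        per_family[family(name)] += count
    return per_family.most_common(top)


if __name__ == "__main__":
    detections, reports = summarize(SAMPLE_RECORDS)
    print(f"detection number: {detections}, reported number: {reports}")
    for name, count in worst_families(SAMPLE_RECORDS):
        print(f"{name}: {count}")
```

On the sample, 265 files found collapse to 4 reported cases: filer-A's two Netsky variants on 1 August are one case, while filer-B's Netsky report and filer-A's next-day report each count separately.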
The worst detection number was W32/Netsky with about 0.42M, followed by W32/Zhelatin with about 0.03M and W32/Mytob with about 0.02M.

Chart 3-1
Chart 3-2
Note) Numbers in parentheses are the numbers for the previous month.
<Reference>
The detection number reported has been decreasing since January: it can be considered that the activity (“Anti-bot Business *1”, the collaborative project initiated by MIC (Ministry of Internal Affairs and Communications) and METI last December) has had some influence, since this project was established to eradicate “bots”, one of the major causes of the spread of viruses in the online community. Accordingly, we believe that the activity is becoming effective.

Chart 3-3: Shift in the Detection Number of Virus/Month
*1) Anti-bot Business
Cyber Clean Center (https://www.ccc.go.jp/en_index.html) operates the Anti-bot Business, the collaborative project initiated by MIC and METI. The Center analyses the features of bots, one of the significant threats to the Internet, and provides the user community with effective information for removing bots from their computers. More specifically, it notifies users infected by bots via mail, publishes procedures for removing bots on its website, etc. Users can download the removal tool most effective against the bot that infected them.
IPA participates in the activity of the Cyber Clean Center as the “Bot Infection Prevention Promotion Group” to strengthen bot infection prevention measures and to fight against recurrence in the user community in collaboration with security vendors. Bots collected for the project are provided to the security vendors as samples to promote/update the signatures of their respective anti-virus software. Accordingly, updated anti-virus software will be able to detect the same bots collected for the project, so that infection prevention is further strengthened.
Achievements
- The achievements for July are as follows.
Number of infected users notified:
July: 8,681; cumulative number of 27,329 since the activity started on December 15, 2006
- Gross number of downloads of the removal tool from the publicly available site:
July: 32,788; cumulative number of 164,561 since the activity started
- Number of samples collected for the project:
July: 13,437; cumulative number of 83,240 since the activity started
The updated ratio for virus signatures collected for the project and provided to the participating security vendors averaged 98.7%.
IV. Reporting Status for Unauthorized Computer Access (includes Consultations) – Please refer to Attachment 2 –
Reports of unauthorized computer access and status of consultations
|                            | Mar. | Apr. | May | June | July | Aug. |
| Total for Reported (a)     |  13  |  15  |  19 |  41  |  10  |  16  |
|   Damaged (b)              |   9  |  12  |  13 |  36  |   8  |  13  |
|   Not Damaged (c)          |   4  |   3  |   6 |   5  |   2  |   3  |
| Total for Consultation (d) |  43  |  31  |  37 |  27  |  25  |  23  |
|   Damaged (e)              |  20  |  20  |  21 |  11  |  11  |  15  |
|   Not Damaged (f)          |  23  |  11  |  16 |  16  |  14  |   8  |
| Grand Total (a + d)        |  56  |  46  |  56 |  68  |  35  |  39  |
|   Damaged (b + e)          |  29  |  32  |  34 |  47  |  19  |  28  |
|   Not Damaged (c + f)      |  27  |  14  |  22 |  21  |  16  |  11  |
(1) Reporting Status for Unauthorized Computer Access
The reported number for July was 16, of which 13 were cases where damage actually occurred.
(2) Accepting Status for Consultations relevant to Unauthorized Computer Access, etc.
The number of consultations relevant to unauthorized computer access was 23, of which 15 (5 of these were also counted as reported cases) were cases where some sort of damage was reported.
(3) Status of Damage
The breakdown of damage reports was: Intrusion 9, Source Address Spoofing 1 and Others (Damaged) 3. The breakdown of the reported damage relevant to intrusion includes: servers turned into stepping stones for attacking other sites, 8, etc. The causes of intrusion included password cracking attacks* against the port* used for SSH*, 6, etc.
*SSH (Secure Shell): One of the protocols for communicating with computers remotely via a network.
*Port: The respective service windows within a computer, used for exchanging information with the outside.
*Password Cracking: A method of working out a third party's password. Brute force attack (exhaustive search attack) and dictionary attack are widely known. Programs for cracking also exist.
(4) Damage Instances:
[Intrusion]
(i) The port used for SSH was attacked and the server was intruded…
<Instance>
- An IDS *1 detected SSH scanning traffic going from the organization to the outside.
- An investigation was conducted and revealed that a server within the organization had been illegally logged into through the port used by SSH. An SSH scanning tool had also been installed on it.
- The SSH connection was principally configured to use the Public Key Authentication Method *2, but the Password Authentication Method was also available.
*1 IDS (Intrusion Detection System): A system that detects and alerts on intrusions/violations against an information system.
*2 Public Key Authentication: An authentication method based on encryption/decryption using a secret key and public key pair.
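The instance above turns on two points a defender can check directly: a burst of failed password logins from one source followed by a successful password login, and an sshd configuration that still permits password authentication alongside public keys. The following Python script is an added example, not code from the IPA report: it parses OpenSSH auth.log lines (a constructed sample is embedded) to flag exactly that pattern, and checks an sshd_config text for whether password authentication is effectively enabled (OpenSSH's default is yes when the directive is absent, and the first occurrence of a directive wins). The failure threshold of 5 and the sample addresses are assumptions.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not from the report), in OpenSSH's
# standard message format. 203.0.113.5 guesses passwords and then gets in.
SAMPLE_AUTH_LOG = """\
Aug 20 02:11:03 srv sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 4412 ssh2
Aug 20 02:11:05 srv sshd[2212]: Failed password for invalid user test from 203.0.113.5 port 4413 ssh2
Aug 20 02:11:07 srv sshd[2214]: Failed password for root from 203.0.113.5 port 4414 ssh2
Aug 20 02:11:09 srv sshd[2216]: Failed password for root from 203.0.113.5 port 4415 ssh2
Aug 20 02:11:11 srv sshd[2218]: Failed password for root from 203.0.113.5 port 4416 ssh2
Aug 20 02:11:13 srv sshd[2220]: Accepted password for root from 203.0.113.5 port 4417 ssh2
Aug 20 03:40:51 srv sshd[2301]: Accepted publickey for alice from 198.51.100.7 port 52110 ssh2
Aug 20 04:02:14 srv sshd[2355]: Failed password for bob from 198.51.100.7 port 52200 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted (password|publickey) for (\S+) from (\S+) port \d+")


def analyze_auth_log(text, threshold=5):
    """Return (brute_force_sources, suspicious_logins).

    brute_force_sources: {ip: failed_count} for sources at or above threshold.
    suspicious_logins:   [(user, ip)] for *password* logins from a source that had
                         already failed `threshold` or more times: the incident pattern."""
    failures = Counter()
    suspicious = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and m.group(1) == "password" and failures[m.group(3)] >= threshold:
            suspicious.append((m.group(2), m.group(3)))
    brute = {ip: n for ip, n in failures.items() if n >= threshold}
    return brute, suspicious


def password_auth_enabled(sshd_config):
    """True if sshd would accept passwords. OpenSSH defaults PasswordAuthentication
    to yes, so a missing directive counts as enabled; the first occurrence is the
    effective one. Match blocks are not evaluated here (assumed out of scope)."""
    for line in sshd_config.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.lower().startswith("match"):
            break
        parts = line.split()
        if len(parts) == 2 and parts[0].lower() == "passwordauthentication":
            return parts[1].lower() == "yes"
    return True


# Constructed configs: the weak one relies on the default, which is "yes".
WEAK_SSHD_CONFIG = """\
PubkeyAuthentication yes
#PasswordAuthentication yes
"""
HARDENED_SSHD_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no   # keyboard-interactive can also carry passwords
"""

if __name__ == "__main__":
    brute, suspicious = analyze_auth_log(SAMPLE_AUTH_LOG)
    print("password-guessing sources:", brute)
    print("password logins after a guessing burst:", suspicious)
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{name} config accepts passwords: {password_auth_enabled(cfg)}")
```

A success-after-burst from the same source is the line worth alerting on; a count of failures alone is routine background noise on any Internet-facing SSH port. The config check catches the case in the instance, where keys were the intended method but passwords were never switched off.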
[Other (Damaged)]
(ii) The account for an on-line game was hijacked by someone…
<Instance>
- When I attempted to log in to one of the on-line game sites I used to play, I could not log in, with an error message saying that “the password is different”.
- Accordingly, I requested that the game manager re-issue my password, but all the game items I possessed had vanished when I logged in with the new password.
- I requested that the game manager investigate what had happened in this virtual world, and it turned out that someone had logged in spoofing me (the legitimate user). How the previous password was found out has not yet been determined.
V. Accepting Status of Consultation
The gross number of consultations for August was 1,013. Of these, consultations relevant to “One-click Billing Fraud” numbered 330 (July: 316), consultations relevant to “High-pressure selling of software for security measures” 13 (July: 16) and consultations relevant to “Winny” 6 (July: 19), etc.
Movement in the entire number of consultations accepted by IPA
| Method                    | Mar. | Apr. | May | June | July | Aug. |
| Total                     | 1127 |  827 | 814 |  932 | 1162 | 1013 |
| Automatic Response System |  697 |  486 | 484 |  537 |  694 |  593 |
| Telephone                 |  376 |  279 | 254 |  339 |  403 |  374 |
| e-mail                    |   54 |   58 |  69 |   53 |   64 |   43 |
| Fax, Others               |    0 |    4 |   7 |    3 |    1 |    3 |
*IPA consults/advises on computer viruses/unauthorized computer access as well as other information concerning overall security issues.
Mail: for virus issues, for crack issues.
Tel.: +81-3-5978-7509 (24-hour automatic response)
Fax: +81-3-5978-7518 (24-hour automatic response)
*The total case number includes the numbers in the Consultation (d) column of the chart in “IV. Reporting Status for Unauthorized Computer Access” and in “V. Accepting Status of Consultation”.
*“Automatic Response System”: numbers accepted by the automatic response system
*“Telephone”: numbers accepted by Security Center personnel
<Reference>
Shift in Number of Consultations relevant to One-click Billing Fraud
The main instances of consultations are as follows.
(i) A virus alert appeared when I clicked a link included in a mail body…?
Consultation:
I received a mail I know nothing about. It seemed to be from a membership site, saying that my log-in information would become invalid within 24 hours and requiring me to update my information. When I clicked the link included in the mail body, my anti-virus software detected a virus.
+----- the sample mail received -----+
“MP3 World” *****@***.***.***
Sender: User ***** *****@***.**.**.*****.net
2007/08/22 08:03
Greetings,
We are so happy you joined
MP3 World.
Member Number: 272761797951
Your Login ID: user6104
Password ID: du556
Your temporary Login Info
will expire in 24 hours. Please login and change it.
Use this link to change
your Login info: http://***.***.193.70/
Enjoy,
New Member Services
MP3 World
Response:
It may be the case that a virus is embedded in the linked destination site. Accordingly, do not carelessly click links included in mail from unknown senders or in spam. If Windows and/or your anti-virus software are not up to date, you can be infected simply by clicking the link.
<Reference>
IPA – Seven anti-virus requirements for computer users (in Japanese)
http://www.ipa.go.jp/security/antivirus/7kajonew.html
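Both the spam in section I (2), whose visible link masquerades as a well-known video site's URL, and the sample mail above, whose link points at a bare IP address, can be caught by comparing what a link shows with where it really goes. The following Python script is an added example, not code from the IPA report: it extracts anchors from a constructed HTML mail body with the standard-library HTMLParser and flags a link whose displayed URL host differs from the real href host, a link whose target is a bare IP address, and "stop receiving mails" bait of the kind section I (3) warns against. The sample body, its hosts and its addresses are constructed and are not the ones from the report.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML mail body (not the report's sample): three links with the
# three problems the report describes, plus the text that lures the click.
SAMPLE_MAIL = """\
<p>OMG, what are you doing? This video of you is all over the net!</p>
<p>Here is the link I got:
<a href="http://198.51.100.23/video/watch.php">http://www.example-video-site.com/watch?v=12345</a></p>
<p>Use this link to change your Login info: <a href="http://192.0.2.70/">http://192.0.2.70/</a></p>
<p><a href="http://www.example.com/unsubscribe">Click here to stop receiving mails</a></p>
"""

UNSUBSCRIBE_BAIT = ("unsubscribe", "stop receiving", "stop subscription")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html_body):
    """Return [(href, visible_text, reason)] for links a mail reader should flag.

    reasons: 'bare-ip-target'        real target is an IP address, not a named site
             'display-host-mismatch' the URL shown to the reader names a different host
             'unsubscribe-bait'      a 'stop receiving mails' link, which confirms the address"""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target = _host(href)
        if _is_ip(target):
            findings.append((href, text, "bare-ip-target"))
        # Visible text that itself looks like a URL (no spaces, has a dot) is
        # what the reader believes the destination is; compare its host.
        if text and " " not in text and "." in text:
            shown = _host(text if "://" in text else "http://" + text)
            if shown and shown != target:
                findings.append((href, text, "display-host-mismatch"))
        if any(bait in text.lower() for bait in UNSUBSCRIBE_BAIT):
            findings.append((href, text, "unsubscribe-bait"))
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_MAIL):
        print(f"{reason:22} shown={text!r} real={href!r}")
```

The host comparison is the core of the check: a link that reads as one site but resolves to another is exactly the a) link in Chart 1-1, and a mail client or gateway that renders HTML can surface the real destination before the user clicks. Plain-text rendering, as recommended above, removes the mismatch entirely because only the href survives.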
(ii) May I open the files my friend gave me…?
Consultation:
There are a number of files stored on the CD-ROM my friend gave me the other day. To make sure, I checked it with my anti-virus software, but nothing was detected. Is it OK to open the files?
Response:
The question is where your friend got those files. Opening files whose source is unknown is the riskiest activity from the viewpoint of anti-virus measures. To prevent infection by a virus, be sure not to open such files lightly; it will be too late once a problem has occurred. For your information, some viruses exist that cannot be detected by anti-virus software. It is better to delete files whose source is unknown than to check them for viruses unnecessarily.
<Reference>
IPA – Seven anti-virus requirements for computer users
http://www.ipa.go.jp/security/antivirus/7kajonew.html
VI. Access Status Captured by the Internet Monitoring (TALOT2) in August
According to the Internet Monitoring (TALOT2), the total number of unwanted (one-sided) accesses in August 2007 was 263,940 across 10 monitoring points. That is, the number of accesses was 851 from 323 source addresses per monitoring point per day.
Since each monitoring environment for TALOT2 is nearly equal to the general connection environment used for the Internet, it can be considered that the same amount of unwanted (one-sided) access is observed in general Internet users' connection environments. In other words, your computer is being accessed from 323 unknown source addresses per day on average, or about 3 times from each source address, and such access is considered unauthorized.

Chart 6-1: Unwanted (One-sided) Number of Access and Source Number of Access/Monitoring Point/Day
Chart 6-1 shows the unwanted (one-sided) number of accesses and the number of source addresses per monitoring point per day from March to August 2007. According to this chart, unwanted (one-sided) accesses appear to have decreased moderately.
The access status for August was almost the same as in July, and stable overall. However, the gross number of accesses to ports 1026/udp, 1027/udp and 1028/udp, which are used to send pop-up messages exploiting the Windows Messenger service, constituted one fourth of all accesses. In addition, accesses targeting a vulnerability in the server version of anti-virus software by Trend Micro temporarily increased.
(1) Accesses Targeting a Vulnerability in the Server Version of Anti-Virus Software by Trend Micro
After Trend Micro published the vulnerability information for the server version of its anti-virus software, accesses to port 5168/tcp, used by the software for management purposes, temporarily increased.

Chart 6-2: Shift in Number of Access to the Port 5168/tcp Classified by Source Area in August 2007
These appeared to be accesses targeting the vulnerability in the server version of anti-virus software by Trend Micro; however, they seem to have calmed down.
However, once such vulnerability information has been publicized, it is likely that the same vulnerability will be attacked again after a certain interval. Accordingly, we encourage users of the relevant software to take measures as early as possible by referring to the following information.
Since the relevant software is used on servers, follow your system administrator's direction in responding.
<Reference>
Application of Security Patch 2 (Build_1185) for ServerProtect for Windows/NetWare 5.58 (Trend Micro) (in Japanese)
http://www.trendmicro.co.jp/support/news.asp?id=1003
Call for attention to the increased number of scans to port 5168/tcp (JPCERT/CC) (in Japanese)
http://www.jpcert.or.jp/at/2007/at070019.txt
JVNTA07-235A: Multiple vulnerabilities in Trend Micro ServerProtect (in Japanese)
http://jvn.jp/cert/JVNTA07-235A/
(2) Introduction of MUSTAN (Multi Sensor Traffic Analysis), the Newer Internet Monitoring System
MUSTAN provides information on accesses currently attacking the Internet. It works as a system that automatically detects and reports widespread new accesses, active accesses and accesses that are becoming active, which network users should watch closely.

Chart 6-3: MUSTAN Top page
Features
The Internet Monitoring System MUSTAN monitors widespread attacks with sensors deployed on the Internet. The monitoring is restricted to the following 4 types of accesses.
- Unauthorized access to ports
- Unauthorized web access by HTTP
- Unauthorized log-in attempts to SSH accounts
By analyzing the monitored information and detecting an increase in the number of sources at an early stage, MUSTAN makes it possible to check how widespread an access is and its trend. In addition, it also provides information about the trends of attack sources and the status of the respective attacks going back over the past 10 days.
(1) Cautionary monitoring status
In the cautionary information, MUSTAN analyses the sources of the unauthorized accesses under monitoring and picks out those accesses that are increasing significantly. The unauthorized accesses alerted here deserve the closest attention in relation to the ports and URLs in use on your site. Using the “Details” tab, you can check the number of relevant unauthorized accesses and how widespread their sources are.
(2) Status of risk
Status of risk indicates unauthorized accesses that are increasing and newly observed unauthorized accesses. These are lower in severity than the cautionary category; you can check how widespread they are on the “MUSTAN map”.
(3) Newer web attack
This indicates the status of newly observed web accesses. It also shows newer attack variations against web applications. From this information, you can check the URLs, etc. of the web applications used on your site and see whether or not they are under attack.
(4) Newer attack account
This indicates the SSH account names used by newly observed attacks. You can check whether or not the relevant attacks concern you by entering the SSH account names used on your site.
(5) Detection feature
With this feature, you can search by SSH account name, web application URL and port number.
(6) XML output of cautionary information
You can obtain the information on attacks spreading over an extremely wide area, as monitored and analyzed by MUSTAN, as an XML file.
IPA started operating MUSTAN on June 29. Please make use of it to understand the status of unauthorized access occurring on the Internet.
http://mustan.ipa.go.jp/mustan_web/ (in Japanese)
For further details, please refer to the following site.
Attachment 3: Observation Status Captured by the Internet Monitoring (TALOT2)
http://www.ipa.go.jp/security/english/virus/press/200708/TALOT200708.html
“Various Statistics Information Provided by Other Organizations/Vendors are Publicized in the Following Sites”
@police: http://www.cyberpolice.go.jp/english/
Trendmicro: http://www.trendmicro.com/en/home/us/home.htm
McAfee: http://www.mcafee.com/us/