This is a summary of the computer virus and unauthorized computer access incident reports for September 2007 and for the 3rd Quarter of 2007 (July to September), compiled by IPA.
I. Reminder for the Month: “Do you have adequate knowledge about the threat posed by bots?”
- Be cautious with bots, a type of computer virus!! -
In September, there were a number of reports and consultations from users whose computers had been infected by a bot. A typical consultation read: “My provider told me that my computer is infected by a bot and that I need to take certain measures.” Now is the time for all computer users to recognize the threat posed by bots, and to take preventive measures, detect infections early, and remove them so that their computers stay secure.
(1) Threat posed by bots
A bot is code developed to manipulate computers from outside via a network. Infected computers are automatically connected to a command server, etc. set up by a malicious party, and become part of a network, the so-called “bot network” (botnet), made up of anywhere from several to hundreds of thousands of infected computers.
The computers in a bot network are remotely operated from the command server, etc. by the malicious party and are used to send large numbers of spam mails and/or to conduct DoS (Denial of Service) attacks against certain sites.
Nowadays, criminal activities that profit from such bot networks can be seen, such as leasing the bot network by the hour and/or selling private information stolen by the bot.

(2) Features of bot infection
The major infection paths for conventional bots were opening a file attached to an email and/or attacks exploiting a vulnerability.
Recently, however, infections caused by merely browsing web pages in which a bot has been embedded have become the majority, so the infection path is becoming invisible to general computer users.
In addition, bot engineering is becoming more sophisticated: in most cases no characteristic symptoms appear, so infected users hardly recognize that they are infected and can use their computers just as they did before the infection.
(3) Tips on bot countermeasures for general users
(a) Install anti-virus and anti-spyware software and periodically update the signatures they use (since bots are updated at relatively short intervals, updating signatures is extremely important).
(b) Do not casually open files attached to emails from unknown senders.
(c) Refrain from browsing suspicious websites.
(d) Configure higher security settings for browsers, etc.
(e) Do not click links contained in spam (ideally, discard such mails without reading them).
(f) Use routers and firewalls when connecting to the Internet.
(g) Always keep the OS and applications on your computer up to date (apply Microsoft Update, etc.).
For further details, please also refer to the “Brochure for Anti-bot Measures, ver.5, June 1, 2007”.
http://www.ipa.go.jp/security/english/virus/antivirus/pdf/Bot_measures_eng.pdf
If your computer is infected by a bot, removing the bot is the only measure, or the last resort. In addition, general users hardly ever notice that they are infected by a bot; in many instances the infection is recognized only when a third party, such as a provider, notifies the user. If you receive a mail from your provider, etc. alerting you to a bot infection, be sure to remove the bot by following the instructions in the mail and using the tools provided by the Cyber Clean Center (CCC) introduced in (5).
(4) Tips on bot countermeasures for web operation managers, etc.
Nowadays, damage in which websites are hijacked using an attack tool called MPack is increasing. ( http://www.jpcert.or.jp/at/2007/at070016.txt ) (in Japanese)
Web operation managers and server managers need to take the following measures to avoid their servers being used, without their knowledge, as a base for bot infection activities, etc.
(a) Check whether applications have vulnerabilities, to eliminate the chance for malicious parties to exploit them for bot infection (embedding of viruses, etc.).
(b) Keep the OS and applications on web servers free from vulnerabilities.
(c) Take reasonable measures to prevent damage from spreading, such as closing the website immediately when an anomaly develops on it: for example, when a user reports that his/her anti-virus software raised a warning while browsing the site.
(5) IPA's approaches to bot measures
IPA cooperates in the operation of the Cyber Clean Center (CCC: https://www.ccc.go.jp/en_index.html ), which was established and started in December 2006 by the Ministry of Internal Affairs and Communications (MIC) and the Ministry of Economy, Trade and Industry (METI) to eradicate “bots” under their collaboration project “anti-bot measures business”.
CCC offers users tools to remove bots from their computers and the necessary information, and also analyzes the characteristics of bots that can be a threat to the Internet.
In addition, IPA, as the “Bot Infection Prevention Promotion Group”, provides samples of bots to the vendors of anti-infection products to promote the prevention of infection and its recurrence.
The achievements of CCC activities are published in the “Achievements of CCC Activities, August 2007” ( https://www.ccc.go.jp/report/200708/0708monthly.html ) (in Japanese) for your further reference.
II. Introduction of Information relevant to the Anti-virus Measures Conducted by IPA
- Responding keys when information leakage occurs
- What you have to do when information is leaked!! -
This booklet allows not only incident-responding personnel but also the management of SMEs that do not have manuals for handling information leakage incidents to easily comprehend, in a short time, what they have to do and pay attention to for an immediate and adequate response when an information leakage accident occurs.
Index
1. Fundamental Concept
2. Typical Procedures to Respond to Information Leakage
3. Responding Keys for Information Leakage by Type
3.1 The Response in case of Information Missing/Information Theft
3.2 The Response in case Information is Transmitted to/Publicized on the Web by Mistake
3.3 The Response in case Information is Leaked by an Inside Criminal
3.4 The Response in case Information is Leaked via Winny/Share, etc.
3.5 The Response in case Information is Leaked by Malicious Code, such as Virus/Spyware, etc.
3.6 The Response in case Information is Leaked by Illegal Access
3.7 The Response in case Information is Rumored/Publicized on Blogs, etc.
4. Responding Keys upon Development/Reporting of Information Leakage (Internally)
5. Responding Keys upon Communication/Reporting/Publication of Information Leakage (Outside)
6. Reference Information
The 1st edition (issued in August 2007) (in Japanese)
URL http://www.ipa.go.jp/security/awareness/johorouei/
III. Reporting Status for Computer Viruses
– for further details, please refer to Attachment 1 –
The detection number [1] of viruses in September was about 0.44M, a decrease of 11.4% from the 0.49M detected in August.
In addition, the reported number [2] of viruses in September was 2,426, also a decrease of 13.5% from 2,806 in August.
[1] Detection number: Reported virus counts (cumulative) found by a filer.
[2] Reported number: Virus counts are aggregated: viruses of the same type and their variants reported on the same day are counted as one case, regardless of how many viruses (or the actual number of viruses) are found by the same filer on the same day. In September, the reported number was 2,426, while the aggregated virus detection number was about 0.44M.
The virus with the worst detection number was W32/Netsky with about 0.40M, followed by W32/Mytob with about 0.015M and W32/Bagle with about 0.005M.

Chart 3-1
Chart 3-2
Note) Numbers in parentheses are the numbers for the previous month.
IV. Reporting Status for Unauthorized Computer Access (includes Consultations) – Please refer to Attachment 2 –
Reports of unauthorized computer access and status of consultations

| | Apr. | May | June | July | Aug. | Sept. |
|---|---|---|---|---|---|---|
| Total for Reported (a) | 15 | 19 | 41 | 10 | 16 | 10 |
| Damaged (b) | 12 | 13 | 36 | 8 | 13 | 8 |
| Not Damaged (c) | 3 | 6 | 5 | 2 | 3 | 2 |
| Total for Consultation (d) | 31 | 37 | 27 | 25 | 23 | 27 |
| Damaged (e) | 20 | 21 | 11 | 11 | 15 | 12 |
| Not Damaged (f) | 11 | 16 | 16 | 14 | 8 | 15 |
| Grand Total (a + d) | 46 | 56 | 68 | 35 | 39 | 37 |
| Damaged (b + e) | 32 | 34 | 47 | 19 | 28 | 20 |
| Not Damaged (c + f) | 14 | 22 | 21 | 16 | 11 | 17 |
(1) Reporting Status for Unauthorized Computer Access
The reported number for September was 10, of which 8 were cases of actual damage.
(2) Accepting Status for Consultations relevant to Unauthorized Computer Access, etc.
The number of consultations relevant to unauthorized computer access was 27, of which 12 (4 of these were also counted in the reported number) were cases where some sort of damage was reported.
(3) Status of Damage
The breakdown of damage reports was: Intrusion 2, Source Address Spoofing 1 and Others (Damaged) 5. The reported damage relevant to intrusion included placing malicious contents to be exploited for phishing* (1), etc. The cause of intrusion included leaving a vulnerability in the server OS unpatched (1), etc.
*Phishing: A malicious technique that lures users to fake web pages spoofing a legitimate business, such as a financial institution, in order to steal users' IDs and passwords.
(4) Damage Instances:
[Intrusion]
(i) Malicious contents to be exploited for phishing were placed on the server…
<Instance>
- “A virus file has been placed on your site,” so the business was informed by the content creator of its website.
- After thoroughly examining the business's server, it was found that some script files and illegal content files for phishing had been placed there.
- The cause has not yet been identified.
[Access Probe (Attempt)]
(ii) Illegal login attempts are being made against a server…
<Instance>
- Illegal login attempts are being made against the server open to the outside, from an overseas IP address.
- Though we have not been broken into yet, there is still the potential that we will be. Are there any measures/suggestions?
- We wish to restrict access to domestic sources only.
V. Accepting Status of Consultations
The gross number of consultations in September was 910. Of these, 270 related to “One-click Billing Fraud” (August: 330), 12 related to “High-pressure selling of software for security measures” (August: 13) and 4 related to “Winny” (August: 6), etc.
Movement in the entire number of consultations accepted by IPA, by method

| Method | Apr. | May | June | July | Aug. | Sept. |
|---|---|---|---|---|---|---|
| Total | 827 | 814 | 932 | 1162 | 1013 | 910 |
| Automatic Response System | 486 | 484 | 537 | 694 | 593 | 544 |
| Telephone | 279 | 254 | 339 | 403 | 374 | 310 |
| e-mail | 58 | 69 | 53 | 64 | 43 | 55 |
| Fax, Others | 4 | 7 | 3 | 1 | 3 | 1 |
*IPA consults/advises on computer viruses and unauthorized computer access as well as on other information concerning overall security issues.
Mail: for virus issues, for crack issues.
Tel.: +81-3-5978-7509 (24-hour automatic response)
Fax: +81-3-5978-7518 (24-hour automatic response)
*The Total case number includes the numbers in the Consultation (d) column of the chart in “IV. Reporting Status for Unauthorized Computer Access” and “V. Accepting Status of Consultations”.
*“Automatic Response System”: Numbers accepted by the automatic response
*“Telephone”: Numbers accepted by the Security Center personnel
<Reference>
Shift in the number of consultations relevant to One-click Billing Fraud
The main instances of consultations are as follows.
(i) Virus alert when clicking the link included in the mail body!
Consultation:
A virus mail was sent to most of the addressees within a business. The sender is spoofed to be a member of staff of that business, but that person does not actually exist. The mail contents and the attached files seemed to be relevant to their business. The computers on which some of the mails were opened are continually attempting somewhat suspicious accesses to specific IP addresses outside.
Response:
This must be a spear-type attack targeting a specific organization. In this case, it is of utmost importance to warn the entire organization with a message such as “Be cautious if you receive such mails!” along with the typical anti-virus measures. In addition, besides executable-type viruses, you also have to be cautious of virus code that may be embedded in document files created by a word processor, etc.
<Reference>
IPA – Seven anti-virus requirements for computer users
http://www.ipa.go.jp/security/antivirus/7kajonew.html (in Japanese)
(ii) Information is leaked via Winny…
Consultation:
“Your company's internal information is circulating on the Winny network,” so we were informed from outside. An in-house investigation was conducted, and it was found that a Winny user within the business had handled company data on his/her own computer, and the data leaked when that computer was infected by an exposure-type virus. Are there any remedies or measures to be taken?
Response:
In the case of an information leakage incident, the utmost priority is to “minimize the damage directly/indirectly caused by the information leakage”. A wrong response will enlarge the damage: be sure to respond adequately by referring to the following URL.
<Reference>
IPA – Tips when an information leakage incident occurs
http://www.ipa.go.jp/security/awareness/johorouei/ (in Japanese)
VI. Access Status Captured by the Internet Monitoring System (TALOT2) in September
According to the Internet Monitoring System (TALOT2), the total number of unwanted (one-sided) accesses in September 2007 was 242,378 across 10 monitoring points. That is, there were 808 accesses from 243 source addresses per monitoring point per day.
Since each monitoring environment for TALOT2 is nearly equal to the general connection environment used for the Internet, it can be considered that the same amount of unwanted (one-sided) access can be observed in general Internet users' connection environments. In other words, your computer is being accessed from 243 unknown source addresses on average per day, or you are being accessed about 3 times from each source address considered unauthorized.

Chart 6-1 Unwanted (One-sided) Number of Accesses and Number of Source Addresses per Monitoring Point per Day
Chart 6-1 shows the average unwanted (one-sided) number of accesses and number of source addresses per day per monitoring point for each month from April to September 2007. The chart also shows that the unwanted (one-sided) accesses have stayed below 1,000 for the past 3 consecutive months: it seems that both figures tend to be moderately decreasing.
The access status in September 2007 was decreasing at the same pace seen in July and August, a trend that has continued since January 2007. However, many accesses targeting computers that can be remotely accessed from other computers could still be seen.
(1) Accesses targeting servers that use SSH
The accesses to computers that use SSH (Secure Shell: a command execution tool whose security is strengthened by encrypting the communication path for remote access) seemed to be accesses targeting computers with simple or easily breakable passwords.
Chart 6-2 shows the number of accesses to port 22/tcp in the TALOT2 system, which uses SSH for system maintenance purposes.

Chart 6-2 Number of Accesses to Port 22/tcp, Classified by Source Area (One Monitoring Point which uses SSH)
As the above graph shows, there may be from several tens of thousands to several million accesses *1 per day. Computers responding to such accesses are subjected to Brute Force attacks *2 that try to work out their passwords.
*1: Since these accesses are specific to one monitoring point, these data are excluded from the statistical information as they are not suitable for publication to general users. Accesses that use P2P file sharing software are also excluded for the same reason. Though the entire number of accesses seems to be decreasing, you can see that this is not always true when such accesses observed at a specific monitoring point are included.
*2: A Brute Force attack, also referred to as an exhaustive attack, uses a variety of means to break passwords.
In the unauthorized access reports made to IPA, access instances caused by insufficient IDs and/or passwords have been increasing for consecutive years. Accordingly, system administrators should thoroughly check once more the IDs and passwords used for applications and enforce connection authentication. It is also important to check whether servers have vulnerabilities.
- Attachment 3 Observation Status by Internet Monitoring System (TALOT2)
- Attachment 4 Computer Virus Incident Report for the 3rd Quarter (July to September)
- Attachment 5 Unauthorized Computer Access Incident Report for the 3rd Quarter (July to September)