This is a summary of computer virus/unauthorized computer access incident reports for October 2007, compiled by IPA.
I. Reminder for the Month: An Easy and Careless Click Will Cause You Trouble!!
- Risky if you go too far out of simple curiosity!! -
The number of consultations relating to One-click Billing Fraud, the most frequently consulted topic filed with IPA, reached 369 in October, the worst figure on record. The previous record of 330, marked in August 2007, was far exceeded. The most common consultation is: "A billing statement appeared, it does not vanish at all, and it stays on the screen." This is caused by virus infection. If you go too far by carelessly clicking within risky sites, you may be infected by a virus that displays an illegal billing statement relating to a porn site, dating site, etc. Accordingly, be cautious in your behaviour and realize that the user's own curiosity leads to such damage.
Chart 1-1: Sample of Billing Screen
The following are typical examples of virus infection that displays a billing statement.
(1) The alert screen
On a normal video site, the video starts playing soon after you click the play button on the screen. However, on some adult sites reported by affected users, a file download security alert was displayed when the user clicked the play button on the video site.

Chart 1-2: Alert Screen Example
A security alert displayed when you click the play button to play a free sample video means that the provider of the video is trying to make users download some malicious code. Accordingly, users should click the Cancel button and go no further.
(2) Repeated alerts
If you clicked the Run button despite the alert, or by mistake, or tentatively saved the file and opened it later, the Internet Explorer Security Alert shown in Chart 1-3 is displayed to confirm that the user really intends to execute the downloaded software. Windows uses this mechanism to verify whether the source of the downloaded software is legitimate; accordingly, the Publisher field on the security alert shows the name of the source if its legitimacy has been verified.
In Chart 1-3, the Publisher is shown as Unknown and a security warning is also displayed underneath, so users cannot trust this publisher. In this case, be sure to click the Don't Run button and go no further.

Chart 1-3: Security Alert on Internet Explorer
(3) Ignoring the alert again
If you ignore the alert again and go further by clicking the Run button shown in Chart 1-3, an age confirmation screen and/or a final reminder screen for the terms of service will appear. If you still go forward by clicking Yes on the age confirmation screen and again clicking OK after the screen shown in Chart 1-5 is displayed, you are infected by the virus and a billing statement similar to Chart 1-1 will remain on the screen.

Chart 1-4: Age Confirmation Screen
Chart 1-5: Final Reminder for Terms of Service
Some users claim that the statement was displayed automatically when they simply viewed the site, or that they did nothing special other than casually browse the site. Such users must in fact have clicked at least four times before reaching screens similar to those shown in Charts 1-2 to 1-5.
As in the instance above, users should realize that they clicked several times before a billing statement similar to Chart 1-1 was displayed. In such a case, the best measure users can take is to leave the site immediately, since nobody knows at which point he/she will be infected by the virus.
(4) Avoiding damage
The best measure to avoid damage from One-click Billing Fraud is for users not to visit porn or dating sites. However, there are now a number of reports of users being lured to such sites: for example, a porn or dating site is automatically displayed while users are viewing images of pets, or users are automatically sent to a porn or dating site while browsing information about entertainers.
Whenever such a site is displayed while you are browsing a normal, legitimate site, do not carelessly click the Yes or OK button out of simple curiosity. Realize that malicious sites exist, and never go any further.
(5) If a billing statement appears
Even if a billing statement similar to Chart 1-1 appears, be sure not to panic. Do not pay money via bank transfer, and do not make inquiries by e-mail or telephone to the contact address on the billing statement. The first thing to do is to check whether the billing statement appears again when you reboot your computer. If the statement does not appear again, you are safe. However, if the billing statement still appears, it is likely that some malicious code has been installed and you must take certain measures. Be sure to restore the system to a sound state using the System Restore function. If the statement still remains even so, your computer should be completely reinitialized.
(a) Restoring the system to a sound state using the System Restore function
Use the System Restore function to restore the system to its state on the day before the billing statement appeared.
How to restore the system
http://www.microsoft.com/windowsxp/using/setup/support/sysrestore.mspx
(b) Computer initialization
Restore your computer to the state it was in when initially purchased. Be sure to follow the procedure for restoring the computer to its factory state given in the manual/instructions supplied with the computer. Before you begin, be sure to back up necessary data, etc. to external media.
In addition, be sure to take the following fundamental security measures as well.
- Resolve security holes (update OSs and applications)
- Update anti-virus software signatures, etc.
IPA: Responding measures against a bill displayed after simply clicking (in Japanese)
http://www.ipa.go.jp/security/ciadr/oneclick.html
Seven anti-virus requirements for computer users
http://www.ipa.go.jp/security/english/E_7kajonew.html
Information on vaccine software (in Japanese)
http://www.ipa.go.jp/security/antivirus/vacc-info.html
How to use Microsoft Update and Windows Update (Microsoft)
http://www.microsoft.com/protect/computer/updates/mu.mspx
II. Reporting Status for Computer Viruses
For further details, please refer to Attachment 1.
The detection number [1] of viruses in October was about 0.50M, an increase of 15.2% from the 0.44M reported in September. In addition, the reported number [2] of viruses in October was 2,419, almost the same level as the 2,426 reported in September.
[1] Detection number: Reported virus counts (cumulative) found by a filer.
[2] Reported number: Virus counts are aggregated: viruses of the same type and variant reported by the same filer on the same day are counted as one case, regardless of how many viruses were actually found. In October, the reported number was 2,419, while the aggregated virus detection number was about 0.50M.
The virus with the highest detection number was W32/Netsky with about 0.44M, followed by W32/Looked with about 0.025M and W32/Mytob with about 0.015M.

Chart 2-1
Chart 2-2
Note) Numbers in parentheses are the numbers for the previous month.
III. Reporting Status for Unauthorized Computer Access (includes Consultations)
Please refer to Attachment 2.
Reports of unauthorized computer access and status of consultations
|                             | May | June | July | Aug. | Sept. | Oct. |
| Total Reported (a)          | 19  | 41   | 10   | 16   | 10    | 10   |
|   Damaged (b)               | 13  | 36   | 8    | 13   | 8     | 9    |
|   Not Damaged (c)           | 6   | 5    | 2    | 3    | 2     | 1    |
| Total Consultations (d)     | 37  | 27   | 25   | 23   | 27    | 37   |
|   Damaged (e)               | 21  | 11   | 11   | 15   | 12    | 22   |
|   Not Damaged (f)           | 16  | 16   | 14   | 8    | 15    | 15   |
| Grand Total (a + d)         | 56  | 68   | 35   | 39   | 37    | 47   |
|   Damaged (b + e)           | 34  | 47   | 19   | 28   | 20    | 31   |
|   Not Damaged (c + f)       | 22  | 21   | 16   | 11   | 17    | 16   |
(1) Reporting Status for Unauthorized Computer Access
The reported number for October was 10, of which 9 involved actual damage.
(2) Acceptance Status for Consultations relating to Unauthorized Computer Access, etc.
The number of consultations relating to unauthorized computer access was 37, of which 22 (3 of these were also counted in the reported number) involved some sort of damage.
(3) Status of Damage
The breakdown of damage reports was: Intrusion 3, DoS Attack 1, Source Address Spoofing 2 and Others (Damaged) 3. The reported damage relating to intrusions included: a server becoming a stepping stone for attacks on external sites (1), malicious content for phishing* being placed on the server (1), etc. The causes of intrusion were: a password cracking* attack against the port used by SSH* (1), leaving an OS vulnerability on the server unpatched (1), etc.
*Phishing: A form of social engineering that lures users to fake web pages spoofing a real business such as a legitimate financial institution, in order to steal users' IDs and passwords.
*SSH (Secure Shell): A protocol for communicating with a computer remotely via a network.
*Password Cracking: The act of searching for or analyzing a legitimate user's password. Password cracking includes Brute Force (Exhaustive) Attacks and Dictionary Attacks. Programs for cracking also exist.
(4) Damage Instances:
[Intrusion]
(i) Penetrated by an attack against the port used by SSH
<Instance>
- We were contacted from outside and told: "We have been attacked from the server you are managing."
- The access log was examined and it was found that the port used by SSH had been subjected to a password cracking attack from a large number of unspecified IP addresses.
- An account with an easily guessable password was illegally logged into. In addition, the account was escalated to administrative privilege.
- Traces of attack commands executed against external servers remained in the operation logs*.
*Log: A record of the status of a computer in use or of data communication.
(ii) Phishing site placed on the server
<Instance>
- We were contacted by a user who had browsed the website I manage, saying that there were pages spoofing a real financial institution.
- An investigation was conducted and it was found that content to be used for phishing had been placed on the server.
- The cause was that the patch for the OS vulnerability had not been applied for a long time.
- Another cause was that the security policy (OS updates) set by this business had not been complied with.
IV. Acceptance Status of Consultations
The gross number of consultations in October was 1,128. Of these, 369 consultations related to One-click Billing Fraud (September: 270), significantly worsening the previous record. Others were 16 consultations relating to high-pressure selling of security software (September: 12) and 11 relating to Winny (September: 4), etc.
Movement in total number of consultations accepted by IPA, by method

|                            | May | June | July | Aug. | Sept. | Oct. |
| Total                      | 814 | 932  | 1162 | 1013 | 910   | 1128 |
|   Automatic Response System| 484 | 537  | 694  | 593  | 544   | 669  |
|   Telephone                | 254 | 339  | 403  | 374  | 310   | 397  |
|   e-mail                   | 69  | 53   | 64   | 43   | 55    | 57   |
|   Fax, Others              | 7   | 3    | 1    | 3    | 1     | 5    |
*IPA provides consultation/advice on computer viruses and unauthorized computer access as well as other information concerning overall security issues.
Mail: for virus issues, for crack issues.
Tel.: +81-3-5978-7509 (24-hour automatic response)
Fax: +81-3-5978-7518 (24-hour automatic response)
*The Total case number includes the numbers in the Consultation (d) column of the chart in IV. Reported Status for Unauthorized Computer Access and V. Accepting Status of Consultation.
*Automatic Response System: numbers accepted by automatic response
*Telephone: numbers accepted by Security Center personnel
<Reference>
Shift in Number of Consultations relating to One-click Billing Fraud
The main instances of consultations are as follows.
(i) Company information leaked onto a Winny network
Consultation:
We were contacted anonymously from outside, saying that it had been posted on a bulletin board that our company information had leaked onto a Winny network. What should we do as a business entity?
Response:
The first priority is to minimize the direct/indirect damage caused by the information leakage by doing the following:
- Unify/centralize inquiries and claims from outside.
- Verify the reports (obtain and verify the leaked information itself) (better to ask security experts).
- Investigate the personnel involved.
- Report/apologize to the victims.
Beyond these, please refer to the following tips for additional/complementary responses.
<Reference>
IPA: Tips for responding when an information leak occurs
http://www.ipa.go.jp/security/awareness/johorouei/
(in Japanese)
(ii) Infected by a virus?
Consultation:
Until yesterday, my computer worked properly. However, today, nothing is displayed even when it is powered on. The screen remains dark and it beeps on and off continually. I believe my computer is infected by a virus.
Response:
The first priority is to check with anti-virus software whether your computer is infected by a virus or not. We cannot properly determine whether a virus is present from the symptoms you have now, since mechanical failure can also prevent a computer from starting properly. Do not assume that everything is caused by a virus; you had better consult your computer's manufacturer to explore other possibilities.
<Reference>
IPA: Seven anti-virus requirements for computer users
http://www.ipa.go.jp/security/antivirus/7kajonew.html
(in Japanese)
V. Access Status Captured by Internet Monitoring (TALOT2) in October
According to Internet Monitoring (TALOT2), the total number of unwanted (one-sided) accesses in October 2007 was 278,497 across 10 monitoring points. That is, there were 898 accesses from 233 source addresses per monitoring point per day.
Since each TALOT2 monitoring environment is nearly equivalent to the connection environment used by general Internet users, it can be considered that the same amount of unwanted (one-sided) access reaches general Internet users' connection environments. In other words, your computer is being accessed from 233 unknown source addresses per day on average, or about 4 times from each source address that is considered unauthorized.

Chart 5-1: Unwanted (One-sided) Number of Accesses and Number of Source Addresses per Monitoring Point per Day
Chart 5-1 shows the average number of accesses and number of source addresses per monitoring point per day from May to October 2007. According to this chart, both figures for unwanted (one-sided) access increased slightly from September.
Access in October 2007 increased slightly compared with August and September. This was because accesses to ports 135/tcp and 445/tcp, which appear to target vulnerabilities in Windows, increased.
(1) Accesses targeting vulnerabilities in Windows
Accesses to ports 135/tcp and 445/tcp appear to target previously publicized vulnerabilities in Windows (MS03-026, MS04-011); these ports are still frequently accessed. Nowadays, it seems that most of this access comes from computers already infected by bots attempting to spread the bot infection further.
The major source region is Japan (see Chart 5-2). In addition, it was observed that a single source attempts to access ports 135/tcp and 445/tcp several to hundreds of times concurrently (see Chart 5-3). This indicates that there are still a number of bot-infected computers in Japan.
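To make the figures in this section concrete, the following Python script (an added example, not IPA's TALOT2 software) computes from a set of sensor records the same kinds of numbers the report presents: accesses and distinct source addresses per monitoring point per day, the share of traffic aimed at 135/tcp and 445/tcp, and the single sources that hit those ports repeatedly in one day. The records, monitoring point names and addresses are constructed; the only real figures used are the report's own 278,497 accesses, 10 monitoring points and 31 days of October.

```python
from collections import Counter, defaultdict

# Constructed sample of unwanted (one-sided) access records in the shape a TALOT2-style sensor
# might log them: (monitoring point, date, source address, destination port, protocol).
# This is not TALOT2 data; addresses use documentation ranges.
SAMPLE_RECORDS = [
    ("mp1", "2007-10-01", "203.0.113.10", 445, "tcp"),
    ("mp1", "2007-10-01", "203.0.113.10", 445, "tcp"),
    ("mp1", "2007-10-01", "203.0.113.10", 445, "tcp"),
    ("mp1", "2007-10-01", "203.0.113.11", 135, "tcp"),
    ("mp1", "2007-10-01", "203.0.113.12", 22, "tcp"),
    ("mp1", "2007-10-02", "203.0.113.10", 445, "tcp"),
    ("mp1", "2007-10-02", "203.0.113.10", 445, "tcp"),
    ("mp1", "2007-10-02", "203.0.113.13", 1434, "udp"),
    ("mp2", "2007-10-01", "198.51.100.5", 445, "tcp"),
    ("mp2", "2007-10-01", "198.51.100.5", 445, "tcp"),
    ("mp2", "2007-10-01", "198.51.100.5", 445, "tcp"),
    ("mp2", "2007-10-01", "198.51.100.5", 445, "tcp"),
    ("mp2", "2007-10-01", "198.51.100.6", 80, "tcp"),
    ("mp2", "2007-10-02", "198.51.100.5", 135, "tcp"),
    ("mp2", "2007-10-02", "198.51.100.5", 135, "tcp"),
    ("mp2", "2007-10-02", "198.51.100.7", 22, "tcp"),
]

WINDOWS_PORTS = {(135, "tcp"), (445, "tcp")}   # the ports the report singles out


def per_point_day_average(total, points, days):
    """Average accesses per monitoring point per day, as the report derives it from a monthly total."""
    return total / (points * days)


def summarize(records, windows_ports=WINDOWS_PORTS):
    """Compute per-monitoring-point/day figures and the share of traffic aimed at 135/tcp and 445/tcp."""
    by_point_day = defaultdict(list)
    for point, day, src, port, proto in records:
        by_point_day[(point, day)].append((src, port, proto))
    point_days = len(by_point_day)
    total = len(records)
    # Distinct sources are counted per point-day, as the report's "233 source addresses/point/day" is.
    unique_sources = sum(len({r[0] for r in recs}) for recs in by_point_day.values())
    windows_hits = sum(1 for _, _, _, port, proto in records if (port, proto) in windows_ports)
    return {
        "total": total,
        "point_days": point_days,
        "accesses_per_point_day": total / point_days,
        "sources_per_point_day": unique_sources / point_days,
        "accesses_per_source": total / unique_sources,
        "windows_port_share": windows_hits / total,
    }


def top_windows_port_sources(records, n=3, windows_ports=WINDOWS_PORTS):
    """Source addresses with the most 135/tcp and 445/tcp attempts across all points and days."""
    counts = Counter(src for _, _, src, port, proto in records if (port, proto) in windows_ports)
    return counts.most_common(n)


def burst_sources(records, min_hits, windows_ports=WINDOWS_PORTS):
    """(point, day, source) triples where one source hit 135/445 at least min_hits times in a day,
    the 'single source, several to hundreds of times' pattern the report attributes to bots."""
    counts = Counter(
        (point, day, src) for point, day, src, port, proto in records if (port, proto) in windows_ports
    )
    return sorted((key, n) for key, n in counts.items() if n >= min_hits)


if __name__ == "__main__":
    print(f"report figure: {per_point_day_average(278497, 10, 31):.1f} accesses/point/day")
    print(summarize(SAMPLE_RECORDS))
    print(top_windows_port_sources(SAMPLE_RECORDS))
    print(burst_sources(SAMPLE_RECORDS, min_hits=3))
```

Dividing the report's 278,497 accesses by 10 points and 31 days gives the 898 accesses per point per day quoted above, and the same division by distinct sources gives the "about 4 accesses per source" figure. On the constructed records, three quarters of the traffic goes to 135/tcp and 445/tcp and two sources account for nearly all of it, which is the shape of the bot-driven scanning the section describes; on a home connection, the same per-source burst count from a firewall log is a simple way to see whether one address is repeatedly probing these ports.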

Chart 5-2: Ratio of Number of Accesses to Ports 135/tcp and 445/tcp by Source Region in October
Chart 5-3: Unwanted (One-sided) Access Status (Number of Accesses) to Ports 135/tcp and 445/tcp in October 2007
<Reference Information>
Cyber Clean Project: a collaborative project between the Ministry of Internal Affairs and Communications and the Ministry of Economy, Trade and Industry
https://www.ccc.go.jp/en_index.html
How to Remove a Bot (in Japanese)
https://www.ccc.go.jp/flow/index.html
- Attachment 3: Observation Status by Internet Monitoring System (TALOT2)