This is a summary of computer virus/unauthorized computer access incident reports for November 2007 compiled by IPA.
I. Reminder for the Month: “File Sharing Software: Do You Still Use It?”
- Is it impossible to eradicate information leakage!? -
Every month, IPA receives a relatively large number of consultations concerning information leakage via file sharing software, such as “My company's information has been leaked via Winny; what should we do?”. Most of these consultations involve infection with a virus known as W32/Antinny, which spreads by exploiting the Winny file sharing software.
Although corporate confidential information, private information and so on continue to be leaked, the number of file sharing software users has not decreased. This is because users do not correctly understand the risks inherent in file sharing software or the viruses that leak information. Users must therefore recognize that their own careless behaviour causes such incidents, and take due care as computer users.
(1) What is file sharing software?
The most widely used file sharing software are (i) Winny, (ii) Share, (iii) Cabos and (iv) LimeWire, among others. One survey shows that, at the end of August 2007, about 0.34M PCs had Winny installed and about 0.15M PCs had Share installed. Files are therefore shared among that many users.
In a file sharing environment, users usually designate for themselves which folders they wish to make public (see Chart 1-1).

Chart 1-1: Winny Network
As a result, a user may unintentionally publish a file that he or she does not want made public, and information is leaked through the user's operational or configuration mistake. Because files placed in a “public” folder are shared with an unspecified number of file sharing software users, it is impossible to trace where they have been distributed. Once a file has been downloaded by a number of users, in the worst case it is practically impossible to retrieve it.
As this shows, the use of file sharing software carries definite risks. You should therefore absolutely refrain from using file sharing software out of simple curiosity.
(2) What is a virus that leaks information?
Most viruses that leak information by exploiting file sharing software circulate under names that attract people's interest, such as “images rare to find” or “private information”. When a user downloads such a file with file sharing software and opens it, the information-leaking virus infects the user's computer.

Chart 1-2: Information Leakage by a File Sharing Software
The virus that infected the computer gathers all sorts of information, such as sent and received e-mails, word processor and spreadsheet documents, images and videos, into a single file and copies it to the public folder. In the process, the virus also covertly places a copy of itself in that folder.
In this way, the virus leaks a variety of information from the infected computer onto the file sharing network, causing an information leak, and the information-leaking virus itself also spreads across the file sharing network.
(3) Typical situations that lead to an information leakage incident caused by file sharing software
a) I took work data home in violation of company rules and copied it to my personal computer, on which I use file sharing software; the work data leaked outside.
b) I use file sharing software. I relied too much on information stored on external media such as USB memory and portable hard disks; the information leaked when I connected them to my computer.
c) I believed we were safe because nobody in my family uses file sharing software on the family computer. I worked on that computer, not knowing that one of my family members secretly uses file sharing software. I left important files on the computer after work, and the information leaked.
d) When handing over a computer on which important information had once been saved, I thought I had deleted the files. However, the files remained in a temporary cache area or the like, and the important information I thought I had deleted was leaked by the next user, who uses file sharing software.
e) I am using a second-hand computer. I did not know that the previous user had not removed the file sharing software still present on the computer, and important information leaked.
As these instances show, information leakage incidents caused by file sharing software can happen by accident. That is, as long as file sharing software is used, information leakage incidents will never completely cease.
For this reason, IPA constantly urges users: “For your own security, please do not use any file sharing software.” We have issued this alert several times.
<Referential Information>
To prevent information leakage accidents by Winny (in Japanese)
http://www.ipa.go.jp/security/topics/20060310_winny.html
Reminder for the Month: Part 2 “Let's Review How to Distinguish Viruses”
- Reference measures for recognizing viruses that use deceptive tricks -
As preventive measures against virus infection, it is essential to take “anti-security-hole measures (update the OS and all applications)” and to “use anti-virus software and update virus signatures regularly”. There are numerous virus variants, and new viruses are developed almost daily. Accordingly, you should not feel at ease just because “no virus is detected” when files obtained from the Internet are scanned by anti-virus software.
(1) How to distinguish a virus
In some cases, sophisticated tricks are built into a file's visual appearance. At first glance the icon looks like a folder, but the file is actually a virus: the virus camouflages itself as a harmless file. To see through the camouflage, it is necessary to check the file's extension.
Chart 1-3 shows normal files that are not infected with a virus. The second icon from the top is a “file folder”, which has no extension. The third file from the top has the extension “.doc”, which indicates a “Microsoft Word document”.
Chart 1-4 shows some virus files. The first file is a normal file which looks identical to the file in Chart 1-3. As you can see, the second and third files from the top carry the “.exe” extension, which reveals that, despite their appearance, they are actually “applications”.
These two files are typical examples of a virus camouflaging its icon as a folder and/or a Word document.
Unless you know how to distinguish file types correctly, you may open virus files unknowingly and become infected. However, in a default Windows installation, extensions are configured to be hidden. To make extensions visible, change the default settings with the following procedures.
(a) If you are a Windows XP user
In My Computer or Explorer, click “Tools” and then “Folder Options” on the menu bar, choose the “Display” tab, and clear the check box “Do not display the extensions registered with OS”.
(b) If you are a Windows Vista user
Click “Control Panel” from the Start button at the bottom left corner, go to “Customize Desktop” and then “Folder Option”, choose the “Display” tab, and clear the check box “Do not display the extensions registered with OS”.
Be sure to check the file names immediately after changing the configuration; if you find files with the extensions shown on the second and third files in Chart 1-4, delete them immediately (and empty the Recycle Bin after the files are removed).
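The following script, added here as an illustration and not part of IPA's report, shows how the “hidden extension” camouflage described above works on file names: with extensions hidden, “budget.doc.exe” is displayed as “budget.doc” and “photos.exe” as “photos”. The list of executable extensions beyond “.exe” and the sample file names are assumptions constructed for the example.

```python
import os

# Extensions Windows launches as programs. The page discusses ".exe";
# the rest are an added assumption listing other common executable types.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def displayed_name(filename: str) -> str:
    """What Explorer shows with 'hide extensions' on: the final extension
    is removed, everything before it is shown as-is."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def classify(filename: str) -> str:
    """Classify a file name by how it would deceive a user.

    'double-extension'  : e.g. 'report.doc.exe' displays as 'report.doc'
                          (the Word-document camouflage of Chart 1-4)
    'hidden-application': e.g. 'photos.exe' displays as 'photos', which
                          with a folder icon looks like Chart 1-3's folder
    'ok'                : not an executable type
    """
    _, real_ext = os.path.splitext(filename)
    if real_ext.lower() not in EXECUTABLE_EXTENSIONS:
        return "ok"
    # rstrip() also catches names padded with spaces before the real extension
    shown = displayed_name(filename).rstrip()
    _, shown_ext = os.path.splitext(shown)
    return "double-extension" if shown_ext else "hidden-application"


def report(filenames):
    """Return (real name, displayed name, classification) for each
    executable that would look harmless with extensions hidden."""
    rows = []
    for name in filenames:
        kind = classify(name)
        if kind != "ok":
            rows.append((name, displayed_name(name), kind))
    return rows


def scan_directory(path: str):
    """Run the report over a real folder, e.g. a download folder."""
    return report(os.listdir(path))


# Constructed sample listing mirroring Charts 1-3 and 1-4 (not real files).
SAMPLE = ["notes.txt", "Reports", "budget.doc", "photos.exe", "budget.doc.exe"]

if __name__ == "__main__":
    for real, shown, kind in report(SAMPLE):
        print(f"{shown!r:22} is really {real!r:22} [{kind}]")
```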
II. Reporting Status for Computer Virus
– For further details, please refer to Attachment 1 –
The detection number [1] of viruses in November was about 0.60M, an increase of 18.5% from the 0.50M reported in October.
In addition, the reported number [2] of viruses in November was 2,351, almost the same level as the 2,419 reported in October.
[1] Detection number: Reported virus counts (cumulative) found by a filer.
[2] Reported number: Virus counts are aggregated: viruses of the same type and its variants reported on the same day by the same filer are counted as one case, regardless of how many viruses or how many actual instances were found. In November, the reported number was 2,351, while the aggregated virus detection number was about 0.60M.
The virus with the highest detection number was W32/Netsky with about 0.51M, followed by W32/Looked with about 0.02M and W32/Mytob with about 0.018M.

Chart 2-1
Chart 2-2
Note) Numbers in parentheses are the numbers for the previous month.
III. Reporting Status for Unauthorized Computer Access (includes Consultations)
– Please refer to Attachment 2 –
Reports of unauthorized computer access and status of consultations
                            | June | July | Aug. | Sept. | Oct. | Nov.
Total for Reported (a)      |  41  |  10  |  16  |  10   |  10  |  15
  Damaged (b)               |  36  |   8  |  13  |   8   |   9  |  11
  Not Damaged (c)           |   5  |   2  |   3  |   2   |   1  |   4
Total for Consultation (d)  |  27  |  25  |  23  |  27   |  37  |  31
  Damaged (e)               |  11  |  11  |  15  |  12   |  22  |  17
  Not Damaged (f)           |  16  |  14  |   8  |  15   |  15  |  14
Grand Total (a + d)         |  68  |  35  |  39  |  37   |  47  |  46
  Damaged (b + e)           |  47  |  19  |  28  |  20   |  31  |  28
  Not Damaged (c + f)       |  21  |  16  |  11  |  17   |  16  |  18
(1) Reporting Status for Unauthorized Computer Access
The number of reports in November was 15, of which 11 involved actual damage.
(2) Accepting Status for Consultations relevant to Unauthorized Computer Access, etc.
The number of consultations relevant to unauthorized computer access was 31, of which 17 (1 of these was also counted as a report) involved some sort of reported damage.
(3) Status of Damage
The breakdown of damage reports was: Intrusion 6, DoS Attack 1, Source Address Spoofing 1 and Others (Damaged) 3. The reported damage relevant to intrusion includes: the server was used as a stepping stone to attack external sites (2), malicious contents for phishing were placed on the server (1), etc. The causes of intrusion were: password cracking attacks against servers (3), OS vulnerabilities on the server left unpatched (3), etc.
*Phishing: A malicious technique that lures users to fraudulent web pages spoofing a legitimate business, such as a financial institution, in order to steal users' IDs and passwords.
*SSH (Secure Shell): A protocol for communicating with a remote computer over a network.
*Password Cracking: The act of searching for or analyzing a legitimate user's password. Password cracking includes Brute Force (exhaustive) attacks and Dictionary Attacks. Programs for cracking also exist.
(4) Damage Instances:
[Intrusion]
(i) Data was altered by an SQL injection attack
<Instance>
- An error was detected when retrieving data from a database on the web.
- Unidentified character strings were found in more than 1,000 records in the database.
- The following code was found appended: “<script src=http://(omitted).net/0.js></script>”.
- Information that should be updated only through the legitimate procedure had not been updated; that is, the information had been rewritten by other means.
- The database server is located where direct access from outside (that is, from the Internet) is not allowed. Normally it can be accessed only via the web applications on the web server.
- The cause appeared to be that SQL injection countermeasures were not fully applied.
*SQL injection: An attack method that browses and/or updates data in a database by unauthorized means, exploiting flaws in the programs that access the database.
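The following example, added here and not taken from the reported instance or IPA's report, contrasts a query that builds SQL by string concatenation with a parameterized one, and adds the kind of check an operator could run to find records carrying an appended script tag like the one above. The table, rows and the placeholder host standing in for “(omitted)” are constructed for the example.

```python
import sqlite3

# Constructed placeholder standing in for the host the page lists as "(omitted)".
INJECTED_TAG = "<script src=http://PLACEHOLDER-omitted.net/0.js></script>"


def build_db():
    """Constructed in-memory sample table: two rows carry the appended
    script tag, as the altered records in the instance did."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products "
                 "(id INTEGER PRIMARY KEY, name TEXT, description TEXT)")
    rows = [
        (1, "Widget", "A plain widget."),
        (2, "Gadget", "A plain gadget." + INJECTED_TAG),
        (3, "Doohickey", "Internal-only item." + INJECTED_TAG),
    ]
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def search_vulnerable(conn, name):
    """Builds SQL by concatenation: user input becomes SQL syntax, so a
    crafted 'name' can browse rows the caller was never meant to see."""
    sql = "SELECT id FROM products WHERE name = '" + name + "'"
    return [r[0] for r in conn.execute(sql)]


def search_parameterized(conn, name):
    """Binds the input as a value; it can only ever be compared to a name."""
    sql = "SELECT id FROM products WHERE name = ?"
    return [r[0] for r in conn.execute(sql, (name,))]


def find_tampered_rows(conn, marker="<script"):
    """Defensive check for the symptom in the instance: text columns that
    contain an injected script tag. Returns the ids of matching rows."""
    sql = "SELECT id FROM products WHERE description LIKE ? OR name LIKE ?"
    pattern = "%" + marker + "%"
    return [r[0] for r in conn.execute(sql, (pattern, pattern))]


if __name__ == "__main__":
    db = build_db()
    probe = "x' OR 'a'='a"   # constructed input; no product has this name
    print("vulnerable    :", search_vulnerable(db, probe))      # every row
    print("parameterized :", search_parameterized(db, probe))   # no row
    print("tampered rows :", find_tampered_rows(db))
```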
IV. Accepting Status of Consultation
The gross number of consultations in November was 911. Of these, consultations relevant to “One-click Billing Fraud” numbered 264 (October: 369); consultations relevant to “High-pressured selling of software for security measures” numbered 14 (October: 16); and consultations relevant to “Winny” numbered 31 (October: 11), etc.
Movement in the entire number of consultations accepted by IPA
Method                      | June | July | Aug. | Sept. | Oct. | Nov.
Total                       |  932 | 1162 | 1013 |  910  | 1128 |  911
  Automatic Response System |  537 |  694 |  593 |  544  |  669 |  520
  Telephone                 |  339 |  403 |  374 |  310  |  397 |  337
  e-mail                    |   53 |   64 |   43 |   55  |   57 |   52
  Fax, Others               |    3 |    1 |    3 |    1  |    5 |    2
*IPA consults on and advises about computer viruses, unauthorized computer access and other information concerning overall security issues.
Mail: for virus issues, for crack issues.
Tel.: +81-3-5978-7509 (24-hour automatic response)
Fax: +81-3-5978-7518 (24-hour automatic response)
*The Total case number includes the numbers in the Consultation (d) column of the chart in “IV. Reported Status for Unauthorized Computer Access” and “V. Accepting Status of Consultation”.
*“Automatic Response System”: numbers accepted by the automatic response system
*“Telephone”: numbers accepted by Security Center personnel
<Reference>
Shift in Number of Consultations relevant to One-click Billing Fraud
The major consultation instances are as follows.
(i) Antinny virus was detected…
Consultation:
Until recently, I used Share, a file sharing software, on my computer. I used to check downloaded files with anti-virus software before opening them. One day, when I checked the files with a different anti-virus software, some Antinny virus and its variants were detected. I deleted them immediately. I have removed the file sharing software as well. Is my information being leaked?
Response:
The virus detected is a virus that leaks information by exploiting Winny's behaviour. You are not entirely safe, since it is possible that your computer was infected by a virus that could not be detected at that time. If Share, the file sharing software, had not yet been deleted, it would have been possible to check whether or not information had leaked through Share; as it is, there is no way to do so. You should be prepared to prevent secondary damage.
<Reference>
IPA – Responding Tips for Information Leakage Accident (in Japanese)
http://www.ipa.go.jp/security/awareness/johorouei/
(ii) Spam mails keep arriving one-sidedly since I signed up with a dating site…
Consultation:
I signed up with a dating site on the Internet. I reviewed it carefully and tried to cancel the sign-up, but the site manager does not respond. Since then, large quantities of mail arrive every day. What should I do?
Response:
If the site is operated with malicious intent, it will be hard to get your cancellation request accepted. First of all, sort all inbound e-mail using your computer's filtering function and ignore the mail sorted as spam. As a permanent measure, you had better change your mail address.
From now on, the best preventive measure is not to carelessly let unreliable site managers know your new mail address. If you need to give them a mail address, you had better give them one that you are going to change or delete shortly.
V. Accessing Status Captured by the Internet Monitoring (TALOT2) in November
According to the Internet Monitoring (TALOT2), the total number of unwanted (one-sided) accesses in November 2007 was 263,077 for 10 monitoring points. That is, there were 877 accesses from 241 source addresses per monitoring point per day.
Since each monitoring environment for TALOT2 is nearly equal to the general connection environment used for the Internet, it can be considered that the same amount of unwanted (one-sided) access is observed on general Internet users' connections. In other words, your computer is being accessed from an average of 241 unknown source addresses per day, or about 4 times from each source address, which can be considered unauthorized.

Chart 5-1: Unwanted (One-sided) Number of Access and Source Number of Access/Monitoring Point/Day
Chart 5-1 shows the average number of unwanted (one-sided) accesses and the number of source addresses per monitoring point per day from June to November 2007. According to this chart, unwanted (one-sided) accesses showed almost the same tendency as in October.
Accordingly, the access status in November 2007 was almost the same as in October. However, among the accesses that send pop-up messages by exploiting the Windows Messenger Service, access to port 1028/udp increased.
(1) The status of source accesses that exploit the Windows Messenger Service
Accesses that send pop-up messages by exploiting the Windows Messenger Service typically target ports 1026/udp, 1027/udp and 1028/udp; in November, however, access was concentrated on port 1028/udp.
After China, the largest source of access, most access to port 1028/udp came from Canada, and many accesses to ports 1026/udp and 1027/udp from Canada were also seen (see Chart 5-2).

Chart 5-2: Status of Source Access to the Ports 102x/udp from Canada
Chart 5-3: Shift in Number of Access to the Port 1028/udp Classified by Source Area (10 Monitoring Points)
These accesses are similar to spam: they send pop-up messages one-sidedly by exploiting the Windows Messenger Service. In one instance, the message deceives the user with a claim such as “there is a significant problem in your computer” to get the user to click certain URLs.
You can safely ignore them, as most of them appear to be spam; however, their number may increase, just as spam does.
As a countermeasure against such accesses, we suggest that you stop the Windows Messenger Service. However, for computers used on a corporate LAN, etc., follow your system administrator's instructions.
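The following script, added here as an illustration and not IPA's or TALOT2's own code, shows how an operator could count Messenger Service pop-up traffic on ports 1026-1028/udp by port and source area, as in Charts 5-2 and 5-3, and how the per-monitoring-point-per-day figures above are derived from the monthly total. The log format, log lines and the address-to-country lookup are assumptions constructed for the example (TALOT2's real log format is not on the page).

```python
import re
from collections import Counter

# Ports the page names as targets of Messenger Service pop-up spam.
MESSENGER_PORTS = {1026, 1027, 1028}

# Constructed firewall log lines in an assumed "date time proto src -> dst:port"
# form; addresses are from documentation ranges, not real sources.
SAMPLE_LOG = """\
2007-11-03 01:12:09 UDP 203.0.113.5 -> 198.51.100.7:1028
2007-11-03 01:12:11 UDP 203.0.113.5 -> 198.51.100.7:1028
2007-11-03 01:15:40 UDP 192.0.2.44 -> 198.51.100.7:1026
2007-11-03 02:01:02 TCP 192.0.2.44 -> 198.51.100.7:445
2007-11-03 02:09:55 UDP 198.51.100.200 -> 198.51.100.7:1027
2007-11-03 03:30:00 UDP 203.0.113.9 -> 198.51.100.7:1028
"""

LINE_RE = re.compile(
    r"^\S+ \S+ (?P<proto>\w+) (?P<src>[\d.]+) -> [\d.]+:(?P<port>\d+)$")

# Constructed source-address -> country lookup standing in for a GeoIP database.
COUNTRY = {"203.0.113.5": "CN", "203.0.113.9": "CA",
           "192.0.2.44": "CA", "198.51.100.200": "JP"}


def messenger_hits(log_text):
    """Yield (src, port) for UDP datagrams aimed at the Messenger ports;
    other protocols and ports (e.g. TCP/445 above) are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proto"] != "UDP":
            continue
        port = int(m["port"])
        if port in MESSENGER_PORTS:
            yield m["src"], port


def count_by_port_and_country(log_text):
    """Counter keyed by (port, country): the breakdown behind Charts 5-2/5-3."""
    return Counter((port, COUNTRY.get(src, "??"))
                   for src, port in messenger_hits(log_text))


def per_point_per_day(total, points, days):
    """TALOT2's normalisation: 263,077 accesses over 10 points in the
    30 days of November is about 877 per monitoring point per day."""
    return round(total / points / days)


def accesses_per_source(accesses_per_day, sources_per_day):
    """877 accesses from 241 sources per day is about 4 accesses per source."""
    return round(accesses_per_day / sources_per_day)
```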
<Referential Information>
Messenger Service Window inclusive of the Internet ads is displayed
http://support.microsoft.com/kb/330904/ja
Security patches for the vulnerability in the Windows Messenger Service have been published; as an additional measure, it is helpful to check whether they have been applied on your computer.
<Referential Information>
Buffer Overrun in Messenger Service Could Allow Code Execution (828035) (MS03-043)
http://www.microsoft.com/technet/security/bulletin/ms03-043.mspx
- Attachment 3: Observation Status by Internet Monitoring System (TALOT2)