This is a summary of the computer virus/unauthorized computer access incident reports for February 2008 compiled by IPA.
I. Reminder for the Month:
“Virus alerts!? on a site I regularly visit” - Be cautious of the traps hidden in websites!
Cases in which a user's anti-virus software suddenly raises an alert on a business or personal website that the user regularly visits have been increasing. The main cause is a vulnerability* in the website: an attacker exploits it to gain unauthorized access and alters the web pages so that they infect visitors with a virus.
*Vulnerability: In the IT security field, vulnerability usually refers to a potential weakness that disables the security functions of a system, network, application or protocol, causes unexpected behaviour, or stems from errors in design or implementation. It also refers to an insufficient security configuration. Vulnerabilities are generally called security holes.
(1) The mechanism of infection via a vulnerability
The following briefly explains how an attacker infects website visitors with a virus.
(i) The attacker first searches the Internet for websites that have a vulnerability, then alters the site by exploiting the security hole.
(ii) For example, the attacker covertly embeds commands in the web page that send a visitor, without the visitor noticing, to a site where a virus is hosted.
(iii) The user visits the altered website and browses the page in which the virus command is hidden. As a result, the command is executed automatically: since the user does not realize that he/she is accessing a malicious web page, his/her computer is infected. Worse, the page in which the virus is embedded is designed to be invisible on the screen, so it is hard for the user to notice the infection.
(2) Countermeasures
Since it is difficult for a website user to check whether a site has a vulnerability, website developers and/or managers are expected to keep such malicious pages out.
(i) Website developer
Most web pages are created individually for each website, so how thoroughly security is considered depends on the developer's engineering ability. Once a vulnerability exists, it is difficult to patch web pages that are already in operation; accordingly, it is necessary to take preventive measures against vulnerabilities at the initial development stage. Please refer to the following sites on how to create a sufficiently secure website.
<Reference>
How to Create Secured Websites (in Japanese)
http://www.ipa.go.jp/security/vuln/websecurity.html
SECURE PROGRAMMING COURSE (in Japanese)
http://www.ipa.go.jp/security/awareness/vendor/programmingv2/
(ii) Website Manager
A website manager must conduct the following measures.
(a) The web pages (HTML*) of the website, the fundamental software of the web server (OS), the installed application software and the network server software should always be kept up to date, and any vulnerabilities in them should be resolved.
(b) Check regularly whether the web pages are in a sound state (we encourage you to install an off-the-shelf alteration detection tool, etc.).
(c) The web server that operates the website should be properly managed to prevent unauthorized access.
*HTML: Acronym for Hyper Text Markup Language, the language used to code web pages.
<Reference>
“Are you aware of vulnerabilities? The threats and mechanisms hidden in web pages (animated for easy understanding)” (in Japanese)
http://www.ipa.go.jp/security/vuln/vuln_contents/
“Guidance on how to address vulnerabilities, for website managers” (in Japanese)
http://www.ipa.go.jp/security/fy19/reports/vuln_handling/
“JVN iPedia, the vulnerability countermeasure information database” (in Japanese)
http://jvndb.jvn.jp/
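Measure (b) above asks a website manager to check regularly that the pages are in a sound state and to use an alteration detection tool. The following is an added example of the two checks such a tool performs, written for this summary and not IPA's or any vendor's code: it compares each live page against a fingerprint recorded after a clean deployment, and it scans the markup for frames or scripts typical of the hidden redirects described in (1)(ii), namely zero-size or invisible frames and sources on a host other than the site's own. The site hostname, the sample pages and the altered page are constructed for the example.

```python
# Added example (not IPA's code): a minimal web page alteration check.
# It keeps a baseline fingerprint of each page and re-checks the live copy,
# and it flags markup typical of injected redirects: iframes/frames that are
# hidden (zero size or display:none) or that point off-site.
# SITE_HOST, the sample pages and the altered page are constructed.
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "www.example.org"  # assumed own hostname of the sample site


def fingerprint(html: str) -> str:
    """SHA-256 of the page body; the baseline value is stored after a clean deploy."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


class _TagScanner(HTMLParser):
    """Collects iframe/frame/script start tags with their attributes."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame", "script"):
            self.tags.append((tag, dict(attrs)))


def _looks_hidden(attrs: dict) -> bool:
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style


def _is_offsite(src: str) -> bool:
    host = urlparse(src).hostname
    return host is not None and host != SITE_HOST


def find_suspicious_tags(html: str) -> list:
    """Return (tag, src, reason) triples for frames/scripts that look injected."""
    scanner = _TagScanner()
    scanner.feed(html)
    findings = []
    for tag, attrs in scanner.tags:
        src = attrs.get("src", "")
        reasons = []
        if tag in ("iframe", "frame") and _looks_hidden(attrs):
            reasons.append("hidden frame")
        if src and _is_offsite(src):
            reasons.append("off-site source")
        if reasons:
            findings.append((tag, src, ", ".join(reasons)))
    return findings


def check_page(path: str, baseline_hash: str, live_html: str) -> dict:
    """Compare a live page against its baseline and scan it for injected markup."""
    return {
        "path": path,
        "changed": fingerprint(live_html) != baseline_hash,
        "suspicious": find_suspicious_tags(live_html),
    }


# Constructed sample: the clean page as deployed, and the same page after alteration.
CLEAN_INDEX = (
    "<html><body><h1>Welcome</h1>"
    '<script src="/js/menu.js"></script>'
    "<p>Opening hours 9-17</p></body></html>"
)
ALTERED_INDEX = CLEAN_INDEX.replace(
    "</body>",
    '<iframe src="http://malicious.example.net/x.html" width="0" height="0" '
    'style="display:none"></iframe></body>',
)
BASELINE = {"/index.html": fingerprint(CLEAN_INDEX)}

if __name__ == "__main__":
    for name, html in (("clean", CLEAN_INDEX), ("altered", ALTERED_INDEX)):
        print(name, check_page("/index.html", BASELINE["/index.html"], html))
```

The fingerprint check catches any change at all, which is what a manager wants on static pages; the tag scan is the fallback for pages that legitimately change (news, prices), where a hash comparison alone would produce constant noise. Any "changed" result on a page nobody deployed, or any hidden or off-site frame, is the signal to take the page offline and re-examine the server.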
(iii) Countermeasures for users
Website users shall conduct the following measures to prevent potential damage.
(a) The fundamental software (OS) of your computer and the application software (word processor, spreadsheet, music player, video viewer, etc.) should always be kept up to date, and any vulnerability in them resolved.
(b) The virus signatures of your anti-virus software should always be up to date when it is used.
<Reference>
“Utilization Procedure for Microsoft Update and Windows Update” (Microsoft)
http://www.microsoft.com/protect/computer/updates/mu.mspx
Currently, when a user searches for a specific site by entering a keyword in a search engine, malicious sites sometimes appear among the results. This is one of the malicious techniques that exploit search engines, called SEO poisoning (Search Engine Optimization poisoning). It exploits the user's psychology, i.e. “users tend to click the sites listed on the top pages” and/or “users perceive the sites listed on the top pages as safe”, to induce the user to click a link that leads to a malicious site.
Search engine providers strive to prevent malicious sites from being retrieved, but users too should confirm a link before clicking its URL.
If you feel suspicious while browsing a link, go back or close the page and do not proceed.
This technique differs from the one that alters web pages by exploiting a vulnerability in a legitimate site, but be sure to remember that it too can infect you with a virus.
II. Reporting Status for Computer Virus – for further details, please refer to Attachment 1 –
The detection number*1 of viruses was about 0.26M, a 16.6% decrease from about 0.31M reported in January. The reported number*2 of viruses was 1,854, also a decrease of 9.4% from 2,046 in January.
*1 Detection Number: Cumulative count of viruses found by a filer (reporter).
*2 Reported Number: Aggregated virus count: viruses of the same type and its variants reported by the same filer on the same day are counted as one case, regardless of how many viruses were actually found. In January, the reported number was 2,046 and the aggregated detection number was about 0.31M.
The virus with the highest detection number was W32/Netsky with about 0.24M, followed by W32/Mytob with about 0.0056M and W32/Fujacks with about 0.0045M.
[Chart 2-1, Chart 2-2] Note: Numbers in parentheses are the numbers for the previous month.
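The two figures in this section come from one aggregation rule, defined in footnotes *1 and *2 above. The following is an added example of that rule, written for this summary and not IPA's own tooling: each raw report is one detection by one filer, the detection number is the plain total, and the reported number counts all detections of one virus type (variants included) by the same filer on the same day as a single case. The report records, filer names and the “family.variant” naming assumption are constructed for the example.

```python
# Added example (not IPA's code): the counting rule behind "detection number"
# and "reported number".  Report records and filer names are constructed;
# the '<platform>/<family>.<variant>' naming is an assumption of this example.
from collections import defaultdict
from datetime import date


def family(virus_name: str) -> str:
    """Strip the variant suffix so W32/Netsky.Q and W32/Netsky.P are one type."""
    return virus_name.split(".", 1)[0]


def aggregate(reports):
    """reports: iterable of (filer, virus_name, day, detections).

    Returns (detection_number, reported_number, per_family) where
    detection_number is the sum of all detections, reported_number counts
    one case per (filer, virus type, day), and per_family holds detections
    per virus type, highest first.
    """
    detection_number = 0
    cases = set()
    per_family = defaultdict(int)
    for filer, name, day, detections in reports:
        detection_number += detections
        per_family[family(name)] += detections
        cases.add((filer, family(name), day))   # variants on the same day collapse here
    ranked = sorted(per_family.items(), key=lambda kv: -kv[1])
    return detection_number, len(cases), ranked


# Constructed sample reports: (filer, virus, day, detections).
SAMPLE_REPORTS = [
    ("filer-A", "W32/Netsky.Q", date(2008, 2, 4), 1200),
    ("filer-A", "W32/Netsky.P", date(2008, 2, 4), 300),   # same type, same filer, same day: same case
    ("filer-A", "W32/Netsky.Q", date(2008, 2, 5), 900),   # next day: a new case
    ("filer-B", "W32/Netsky.Q", date(2008, 2, 4), 50),    # different filer: a new case
    ("filer-B", "W32/Mytob.AB", date(2008, 2, 4), 7),
    ("filer-C", "W32/Fujacks.A", date(2008, 2, 11), 3),
]

if __name__ == "__main__":
    detected, reported, ranked = aggregate(SAMPLE_REPORTS)
    print(f"detection number: {detected}, reported number: {reported}")
    for name, n in ranked:
        print(f"  {name}: {n}")
```

The distinction matters when reading the monthly figures: a single mass-mailing worm caught thousands of times by one filer inflates the detection number but adds only one to the reported number per day, which is why W32/Netsky dominates the first figure without dominating the second.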
III. Reporting Status of Unauthorized Computer Access (includes Consultations) – Please refer to Attachment 2 for further details –

Reports of unauthorized computer access and status of consultations

                              Sept.   Oct.   Nov.   Dec.   Jan.'08   Feb.
Total reported (a)               10     10     15     14        8      4
  Damaged (b)                     8      9     11      7        7      4
  Not damaged (c)                 2      1      4      7        1      0
Total consultations (d)          27     37     31     21       24     29
  Damaged (e)                    12     22     17     16       15     10
  Not damaged (f)                15     15     14      5        9     19
Grand total (a + d)              37     47     46     35       32     33
  Damaged (b + e)                20     31     28     23       22     14
  Not damaged (c + f)            17     16     18     12       10     19
(1) Reporting Status for Unauthorized Computer Access
The number of reports in February was 4, all of which involved actual damage.
(2) Accepting Status for Consultations relevant to Unauthorized Computer Access
The number of consultations relevant to unauthorized computer access was 29, of which 10 reported some sort of damage.
(3) Status of Damage
The breakdown of reported damage was: intrusion 1, DoS 4, and others (damaged) 2. The reported intrusion involved a server being exploited as a stepping stone to attack other sites. The cause of the intrusion was a password cracking* attack against the port used by SSH*. Among others (damaged), one case involved a legitimate user's avatar items and virtual money in an RPG (role-playing game) going missing.
*SSH (Secure Shell): A protocol for communicating with computers remotely over a network.
*Password Cracking: The act of searching for/analyzing a legitimate user's password. Password cracking includes brute force (exhaustive) attacks and dictionary attacks. Programs for cracking also exist.
(4) Damage Instances:
[Intrusion]
(i) The port used by SSH was attacked and the server was intruded…
<Instance>
- We were notified from outside: “Accesses that appear to be a preliminary survey for unauthorized access have been made from the computer you manage.”
- The server was carefully examined and it was found that the port used by SSH had been subjected to a password cracking attack: as a result, the intrusion succeeded and administrator privileges were taken over.
- In addition, it was found that tools for attacking outside hosts had been installed and executed.
- Since the server had been set up for testing, the necessary level of security had not been configured and it was not being monitored, so it took time to notice the intrusion.
*Public key authentication: An authentication method that uses a public/private key pair to verify the user's identity.
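The instance above turned on two failures: the password cracking attack itself, and the lack of monitoring that let it go unnoticed. The following is an added example, written for this summary and not IPA's or the reporter's code, of the check a manager would run over the server's authentication log: it counts failed logins per source address in a sliding window and, for any source that exceeds the threshold, records whether a password login from that address later succeeded, which is the pattern of the takeover described. It also keeps the authentication method, so a server that has moved to public key authentication (footnote above) can treat any accepted password login as an anomaly in its own right. The log lines follow the common OpenSSH/syslog format and are constructed, as are the threshold and window values.

```python
# Added example (not IPA's code): detecting an SSH password cracking attack
# from sshd log lines.  The log lines are constructed in the common OpenSSH
# syslog format; FAIL_THRESHOLD and WINDOW_SECONDS are assumed values.
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

FAIL_THRESHOLD = 5      # assumed: failures from one source within the window
WINDOW_SECONDS = 600    # assumed: ten-minute sliding window


def parse_line(line: str, year: int = 2008):
    """Parse one sshd line into a dict, or None if it is not a login result."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted", "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_cracking(lines):
    """One alert per source IP that exceeds FAIL_THRESHOLD failures inside
    WINDOW_SECONDS; the alert notes a later accepted password login from the
    same IP (the takeover pattern) and the total failures seen."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    window = defaultdict(list)      # ip -> timestamps of recent failures
    total_fails = defaultdict(int)
    alerts = {}
    for e in events:
        ip = e["ip"]
        if e["ok"]:
            if ip in alerts and e["method"] == "password":
                alerts[ip]["success_after_failures"] = e["user"]
            continue
        total_fails[ip] += 1
        recent = window[ip]
        recent.append(e["ts"])
        while (e["ts"] - recent[0]).total_seconds() > WINDOW_SECONDS:
            recent.pop(0)           # drop failures older than the window
        if len(recent) >= FAIL_THRESHOLD and ip not in alerts:
            alerts[ip] = {"ip": ip, "first_failure": recent[0],
                          "success_after_failures": None}
    for ip, alert in alerts.items():
        alert["failures"] = total_fails[ip]
    return list(alerts.values())


# Constructed sample log: a cracking run that succeeds, then a normal user.
SAMPLE_LOG = """\
Feb 20 03:12:01 testsrv sshd[2201]: Failed password for root from 203.0.113.9 port 51012 ssh2
Feb 20 03:12:03 testsrv sshd[2203]: Failed password for root from 203.0.113.9 port 51014 ssh2
Feb 20 03:12:05 testsrv sshd[2205]: Failed password for invalid user admin from 203.0.113.9 port 51016 ssh2
Feb 20 03:12:07 testsrv sshd[2207]: Failed password for invalid user test from 203.0.113.9 port 51018 ssh2
Feb 20 03:12:09 testsrv sshd[2209]: Failed password for root from 203.0.113.9 port 51020 ssh2
Feb 20 03:12:11 testsrv sshd[2211]: Accepted password for root from 203.0.113.9 port 51022 ssh2
Feb 20 09:00:00 testsrv sshd[3001]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Feb 20 09:00:20 testsrv sshd[3003]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
""".splitlines()

if __name__ == "__main__":
    for alert in detect_cracking(SAMPLE_LOG):
        print(alert)
```

A single failed login from a legitimate user (the second address in the sample) stays below the threshold and produces nothing; five failures in ten seconds followed by an accepted password login is exactly the sequence a test server with default settings and no monitoring would have logged, and would have surfaced on the first daily run of a check like this.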
[Others (Damaged)]
(ii) Items/money used in an online game went missing…
<Instance>
- I am a member of an RPG (role-playing game).
- When I noticed, the items my avatar had and the virtual money used in the game were missing.
- Thinking back, the problem may have started when I clicked a URL sent by another user while chatting with him/her in the game.
IV. Accepting Status of Consultation
The gross number of consultations in February was 350. Among them were consultations relevant to “One-click Billing Fraud” with 25 (January ’08: 28), “hard selling of phony security software” with 11 (January ’08: 10), and “Winny” with 9 (January ’08: 17), etc.
Movement in the total number of consultations accepted by IPA, by means

                             Sept.   Oct.   Nov.   Dec.   Jan.'08   Feb.
Total                          910   1128    911    389      408    350
  Automatic Response System    544    669    520    222      219    192
  Telephone                    310    397    337    109      151    110
  e-mail                        55     57     52     56       38     47
  Fax, Others                    1      5      2      2        0      1
*IPA consults/advises on computer viruses and unauthorized computer access as well as other information concerning overall security issues.
Mail: for virus issues, for crack issues.
Tel.: +81-3-5978-7509 (24-hour automatic response)
Fax: +81-3-5978-7518 (24-hour automatic response)
*The total case number includes the number in the Consultation (d) column of the chart in “IV. Reported Status for Unauthorized Computer Access” and “V. Accepting Status of Consultation”.
*“Automatic Response System”: number accepted by the automatic response system
*“Telephone”: number accepted by Security Center personnel
<Reference>
Shift in Number of Consultations relevant to One-click Billing Fraud
The major consultation instances are as follows.
(i) I used Winny previously…
Consultation:
I used Winny several years ago. The files I downloaded are still on my hard-disk drive. Is it possible that these files are already infected with a virus? Is it possible for me to open them?
Response:
The source of most files distributed on file-sharing networks including Winny is unknown, and they are likely to be infected with a virus. Some viruses camouflage the appearance of their icon, so you may be infected when you unwittingly open such a file, deceived by its appearance.
In addition, there are viruses that anti-virus software cannot detect; it is reasonable to delete files whose source is unknown immediately, without even performing a virus check.
<Reference>
IPA – The Seven Anti-Virus Requirements for Computer Users
http://www.ipa.go.jp/security/english/virus/antivirus/7RulesV.html
(ii) I used Winny after initializing my computer…
Consultation:
I used Winny after I had initialized my computer. How likely is it that I am infected with a virus? If I were infected, is it possible that the data stored before I initialized my computer would be leaked?
Response:
If you have the knowledge to identify file types appropriately, the likelihood of being infected is somewhat lower. However, if you opened files indiscriminately, it is probable that your computer was infected.
Currently, exposure-type viruses such as Antinny do not have a function to leak data that was stored on the computer before it was initialized. However, if you are worried about “data leakage”, you should not use any type of file-sharing software, such as Winny. Once something has happened, it is too late to get the data back.
<Reference>
IPA – To Prevent Information Leakage Accidents via Winny (in Japanese)
http://www.ipa.go.jp/security/topics/20060310_winny.html
V. Accessing Status Captured by the Internet Monitoring (TALOT2) in February
According to the Internet Monitoring (TALOT2), the total number of unwanted (one-sided) accesses in February 2008 was 189,006 across 10 monitoring points. That is, there were 700 accesses from 196 source addresses per monitoring point per day.
Since each TALOT2 monitoring environment is nearly equal to the general connection environment used for the Internet, it can be considered that the same amount of unwanted (one-sided) access is received in general Internet users' connection environments. In other words, your computer is being accessed on average from 196 unknown source addresses per day, or about 4 times from each source address that is considered unauthorized.
[Chart 5-1: Number of Accesses and Number of Access Sources per Monitoring Point per Day, on Average]
Chart 5-1 shows the number of accesses and the number of access sources per monitoring point per day, on average, from September 2007 to February 2008. According to this chart, both figures for unwanted (one-sided) access in February decreased slightly from January; the overall make-up of the accesses was stable.
Accesses in February decreased slightly from January, indicating that the overall number of accesses itself decreased. However, accesses to ports 135/tcp and 445/tcp, which target vulnerabilities in Windows, and to ports 1026/udp and 1027/udp, which send pop-up messages exploiting the Windows Messenger Service, remained at almost the same level as in January.
* Because system maintenance of TALOT2 fell on February 2 and 3, monitoring data for this period is not available. Please note that the TALOT2 report for February was prepared excluding data for this period.
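The per-monitoring-point, per-day figures in this section, and the per-port view used in the paragraph above, are normalizations of raw sensor records over the days actually observed. The following is an added example of that normalization, written for this summary and not TALOT2's own code (its data format is not described here and is not assumed): it skips the maintenance days from the note above, averages accesses and distinct source addresses over point-days, and tallies accesses per port/protocol. The access records are constructed; as a check against the page's own numbers, the same formula with 189,006 accesses, 10 points and 29 days minus the 2 maintenance days gives 700 accesses per point per day.

```python
# Added example (not IPA's/TALOT2's code): normalizing raw unwanted-access
# records to per-monitoring-point, per-day averages, excluding maintenance
# days, with a per-port breakdown.  Records below are constructed.
from collections import defaultdict
from datetime import date


def per_point_day(total_accesses: int, points: int, days_observed: int) -> float:
    """Average accesses per monitoring point per day."""
    return total_accesses / (points * days_observed)


def summarize(records, points: int, days_in_month: int, maintenance_days):
    """records: iterable of (day, point_id, src_ip, dst_port, proto).

    Maintenance days contribute no data, so they are dropped from both the
    numerator (their records, if any) and the denominator (observed days).
    """
    maintenance_days = set(maintenance_days)
    days_observed = days_in_month - len(maintenance_days)
    total = 0
    sources = defaultdict(set)        # (point, day) -> distinct source addresses
    per_port = defaultdict(int)
    for day, point, src, port, proto in records:
        if day in maintenance_days:
            continue
        total += 1
        sources[(point, day)].add(src)
        per_port[f"{port}/{proto}"] += 1
    point_days = points * days_observed
    accesses = total / point_days
    distinct = sum(len(s) for s in sources.values()) / point_days
    return {
        "accesses_per_point_day": accesses,
        "sources_per_point_day": distinct,
        "accesses_per_source": accesses / distinct if distinct else 0.0,
        "per_port": sorted(per_port.items(), key=lambda kv: -kv[1]),
    }


# Constructed sample: 2 monitoring points over a 4-day period, with Feb 2 and 3
# as maintenance days (as in the note above).
MAINTENANCE = {date(2008, 2, 2), date(2008, 2, 3)}
SAMPLE_RECORDS = [
    (date(2008, 2, 1), 1, "198.51.100.1", 135, "tcp"),
    (date(2008, 2, 1), 1, "198.51.100.1", 445, "tcp"),
    (date(2008, 2, 1), 1, "198.51.100.2", 1026, "udp"),
    (date(2008, 2, 1), 2, "198.51.100.1", 445, "tcp"),
    (date(2008, 2, 2), 1, "203.0.113.5", 5900, "tcp"),   # maintenance day: excluded
    (date(2008, 2, 4), 1, "203.0.113.5", 5900, "tcp"),
    (date(2008, 2, 4), 2, "203.0.113.5", 5900, "tcp"),
    (date(2008, 2, 4), 2, "203.0.113.6", 5900, "tcp"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_RECORDS, points=2, days_in_month=4, maintenance_days=MAINTENANCE))
    print("page figure check:", round(per_point_day(189006, 10, 29 - 2)))
```

Keeping the maintenance days out of the denominator matters: dividing by the full 29 days would understate the daily rate by about 7% and make February look quieter than it was, which is the distortion the note above is warning about.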
(1) Access Targeting Port 5900/tcp
In the last part of February, accesses to port 5900/tcp increased. This is the default port used by a RealVNC client when connecting to a RealVNC server. Most of the source areas were in Japan (see Chart 5-2).
[Chart 5-2: Shift in Number of Accesses to Port 5900/tcp, Classified by Source Area]
RealVNC referred to above is software that enables a computer to be operated remotely; in May 2006, a “vulnerability which allows remote access to a client without authentication” was publicized. The only countermeasure is to upgrade to a newer version.
“Various statistics provided by other organizations/vendors are published on the following sites”
@police: http://www.cyberpolice.go.jp/english/
Trendmicro: http://us.trendmicro.com/
McAfee: http://www.mcafee.com/us/