This is the summary of the computer virus / unauthorized computer access incident report for April 2008, compiled by IPA.
I. Reminder for the Month:
- Be cautious with mail masquerading as a public organization! -
Currently, mails whose apparent source is a government office or a police department are being reported. In addition, in April 2008 someone sent a specific organization an e-mail, spoofed to appear to come from IPA, with a virus file attached.
In both cases, the malicious senders masqueraded as a public organization in an attempt to get the recipient to open the virus file attached to the mail. Accordingly, caution is necessary even when you receive a mail from a public organization whose address ends with ".go.jp".
The instance mentioned above is called a "Spear type of attack": an attack that sends a specific organization malicious mails containing a virus, etc. All users should understand the method used in the Spear type of attack and carry out the countermeasures described in this report.
(1) The Method of Spear Type of Attack
The method of the Spear type of attack that used IPA's name in April 2008 was as follows.
The adversary exploited a vulnerability in PDF file creation/browsing software (hereinafter "PDF software") that was published on our vulnerability countermeasure information database on February 26, 2008 (http://jvndb.jvn.jp/contents/ja/2008/JVNDB-2008-001090.html (in Japanese)). When a user opens the PDF file attached to the e-mail with the Windows version of the PDF software, a virus is executed immediately.
Chart 1-1 shows the mechanism of the PDF file attached to the mail.
When a user attempts to open the PDF file in a Windows environment, the PDF software on the user's computer first runs and identifies part (a), shown in red, as a PDF document.
This document appears to be an ordinary PDF document, such as presentation material, so the user has difficulty realizing that it is harmful.
However, PDF document (a) has malicious code embedded in it using JavaScript (a simple programming language). If the PDF software has the vulnerability, the malicious code is executed by exploiting it while the software displays PDF document (a), and program (b) is created on the user's computer.
When program (b) is executed on the user's computer, virus (c) and PDF document (d) are copied and executed, and the user's computer is infected by the virus.
The virus has the following features:
(i) The virus runs in the Windows NT, 2000, XP, 2003 Server and Vista (32-bit only) environments. However, the PDF software vulnerability exploited in the above instance may affect not only Windows but also the Macintosh, Solaris and Linux environments, so users of operating systems other than Windows should also fix the vulnerability in advance.
(ii) Once the virus has been executed, it is registered on the computer as one of the programs Windows runs by default at startup, so it is executed every time the OS starts up.
(iii) The executed virus sends the user's information, such as the computer name, OS version and IP address, to a server on the Internet prepared by the attacker, and then accepts commands from that server. The server can order the user's computer to carry out the following activities, so a variety of damage can be expected on an infected computer:
- Sending out inventories of the drives, folders and files on the computer;
- Sending/receiving, modifying and deleting arbitrary files;
- Executing commands and sending out their results;
- Executing programs, etc.
The original PDF document (d) is not directly involved in the infection activity; however, because the virus infects the computer while this PDF document is displayed, the user has difficulty realizing that his/her computer is infected.
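A defender-side check for the attachment pattern described above, added here as an example and not part of the IPA report: it searches a PDF for the action and script names (/OpenAction, /AA, /JavaScript, /JS, /Launch, /EmbeddedFile) that wire a script to run when the document is opened, after undoing PDF name escapes and inflating FlateDecode streams that may hide them. The sample PDFs are constructed for illustration and the verdict categories are the example's own choice.

```python
import re
import zlib

# /OpenAction and /AA run an action when the document is opened; /JavaScript
# and /JS name the script that runs; /Launch and /EmbeddedFile carry or start
# a payload. A script wired to an open action is the pattern described above.
TRIGGER_NAMES = (b"/OpenAction", b"/AA")
SCRIPT_NAMES = (b"/JavaScript", b"/JS")
PAYLOAD_NAMES = (b"/Launch", b"/EmbeddedFile")

def normalize_names(data: bytes) -> bytes:
    """PDF permits /J#61vaScript for /JavaScript; undo the #xx escapes."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def inflate_streams(data: bytes) -> bytes:
    """Append the inflated content of FlateDecode streams so names kept in
    compressed objects are visible to the search too."""
    parts = [data]
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)\nendstream", data, re.S):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate data, or damaged: nothing to add
    return b"\n".join(parts)

def has_name(body: bytes, name: bytes) -> bool:
    # a PDF name ends at whitespace or a delimiter, so /JS must not match /JSx
    return re.search(re.escape(name) + rb"(?![0-9A-Za-z])", body) is not None

def scan_pdf(data: bytes) -> dict:
    """Return a verdict plus the action/script names found in the PDF."""
    body = normalize_names(inflate_streams(data))
    names = [n.decode() for n in TRIGGER_NAMES + SCRIPT_NAMES + PAYLOAD_NAMES
             if has_name(body, n)]
    script = any(n.decode() in names for n in SCRIPT_NAMES)
    trigger = any(n.decode() in names for n in TRIGGER_NAMES)
    payload = any(n.decode() in names for n in PAYLOAD_NAMES)
    if script and trigger:
        verdict = "suspicious"  # script set to run on open: quarantine
    elif script or payload:
        verdict = "review"      # script or embedded file, no auto-trigger
    else:
        verdict = "clean"
    return {"verdict": verdict, "names": names}

# Constructed samples (not malware): plain catalog; clear-text open-action script; #-escaped name in a Flate stream.
BENIGN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
CLEAR = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
         b"3 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n%%EOF\n")
_inner = zlib.compress(b"<< /Type /Catalog /AA << /O 3 0 R >> >>\n"
                       b"3 0 obj << /S /J#61vaScript /JS (x) >> endobj")
HIDDEN = (b"%PDF-1.5\n4 0 obj << /Filter /FlateDecode /Length "
          + str(len(_inner)).encode() + b" >>\nstream\n" + _inner
          + b"\nendstream\nendobj\n%%EOF\n")
```

Scanning for names is a triage filter, not a proof of malice: legitimate forms also use JavaScript, so a "suspicious" attachment from an unexpected sender is what should go to quarantine and be confirmed with the purported sender, as the countermeasures below advise.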
(2) Countermeasures
Because the Spear type of attack targets a limited set of organizations or individuals and its techniques are sophisticated, the attack itself often goes unreported.
If you suspect that a mail you have received is a Spear type of attack, be sure to confirm the authenticity of the mail with the organization concerned before opening the attached file.
Taking the following countermeasures can prevent a good deal of the damage caused by the Spear type of attack.
(i) For General Computer Users
General computer users are less likely to be targeted by the Spear type of attack, but we encourage you to implement the following countermeasures for additional security.
(a) Fundamental Measures
Be sure to update your computer's OS, applications and anti-virus software to reduce vulnerabilities as much as possible.
(b) You may receive mails spoofed to appear to come from a bank, a card company, a members-only site, etc. If you receive a suspicious mail, do not casually click the URLs in the mail body or open the attached files; be sure to verify the contents with the purported sender.
(ii) For System Administrators in a Corporation/Organization
(a) Fundamental Measures
Be sure to update the OS, applications, anti-virus software, etc. on computers to reduce vulnerabilities as much as possible.
(b) Checking Error Mails
The Spear type of attack was first discovered when a spoofed mail was returned to the legitimate owner of the sender address as an error mail. Among the returned mails, you may find signs of a Spear type of attack.
(c) Reviewing the Corporate Network Environment
The "Study/Research Report relevant to the Current Spear Type of Attacks" (http://www.ipa.go.jp/security/fy19/reports/sequential/ (in Japanese)) compiled by IPA reports instances in which the virus, after infection, communicates over HTTP and HTTPS, and describes how virus activities can be prevented by implementing the following measures in advance:
- Disable all TCP ports that are unnecessary for communications/accesses to the outside;
- Block communications/accesses other than HTTP and HTTPS detected on ports 80/tcp and 443/tcp, respectively. HTTP on port 80 and HTTPS on port 443 should be allowed to the outside only through a proxy server.
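The two network rules above written out as a policy check, added here as an example and not code from the IPA report: it inspects the first bytes of each outbound TCP flow and only lets the proxy out on 80/tcp and 443/tcp, and only when the payload really is an HTTP request line or a TLS ClientHello. The proxy address, the client addresses and the sample flows are constructed.

```python
import re
from collections import namedtuple

# One outbound flow as a firewall or IDS sees it: source host, destination
# port and the first bytes of client payload.
Flow = namedtuple("Flow", "src dport first_bytes")
PROXY_HOST = "192.0.2.10"  # constructed: the only host allowed out on 80/443

REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")

def is_http_request(payload: bytes) -> bool:
    """HTTP/1.x starts with a request line: METHOD SP target SP version CRLF."""
    return REQUEST_LINE.match(payload) is not None

def is_tls_client_hello(payload: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake), version 0x03 0x00-0x03,
    2-byte length; the first handshake byte must be 0x01 (ClientHello)."""
    return (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x03 and payload[5] == 0x01)

def evaluate(flow: Flow) -> str:
    """Return 'allow' or 'block: <reason>' for one outbound flow."""
    if flow.dport not in (80, 443):
        return "block: port %d/tcp not needed for outside access" % flow.dport
    if flow.src != PROXY_HOST:
        return "block: outside access on %d/tcp only through the proxy" % flow.dport
    if flow.dport == 80 and not is_http_request(flow.first_bytes):
        return "block: non-HTTP traffic on 80/tcp"
    if flow.dport == 443 and not is_tls_client_hello(flow.first_bytes):
        return "block: non-HTTPS traffic on 443/tcp"
    return "allow"

# Constructed sample flows. The last two imitate an infected client reporting
# computer name, OS and address to its server: once directly on 80/tcp, once
# from the proxy host itself, which the protocol check still rejects.
CLIENT_HELLO = bytes.fromhex("1603010026010000220303") + b"\x00" * 32
SAMPLE_FLOWS = [
    Flow(PROXY_HOST, 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Flow(PROXY_HOST, 443, CLIENT_HELLO),
    Flow("192.0.2.55", 6667, b"NICK bot42\r\n"),
    Flow("192.0.2.55", 80, b"\x01\x00\x10PCNAME|WinXP|192.0.2.55"),
    Flow(PROXY_HOST, 80, b"\x01\x00\x10PCNAME|WinXP|192.0.2.55"),
]

def audit(flows):
    """Map each flow to its decision, as a firewall log review would list it."""
    return [(f.src, f.dport, evaluate(f)) for f in flows]
```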
System administrators should make all users in the organization/corporation aware of these countermeasures, and should set up a point of contact for outside parties, etc. in advance, so that they can respond immediately when the organization/corporation is targeted by the Spear type of attack.
<Reference>
"Security updates available for Adobe Reader and Acrobat" (Adobe)
http://www.adobe.com/support/security/advisories/apsa08-01.html
"Procedures How to Use Microsoft Update and Windows Update" (Microsoft)
http://www.microsoft.com/protect/computer/updates/mu.mspx
"Office Use in Macintosh Environment [Lot for Mactopia Downloads]" (Microsoft)
http://www.microsoft.com/mac/downloads.mspx
"Mac OS Service and Support" (Apple)
http://www.apple.com/support/
II. Reporting Status for Computer Virus – for further details, please refer to Attachment 1 –
The virus detection number (*1) was about 0.21M, about the same level as reported in March (0.21M). The reported number (*2) of viruses in April was 1,703, an increase of 3.1% from March (1,651).
*1 Detection Number: Cumulative count of viruses found by a filer (reporting party).
*2 Reported Number: Virus counts aggregated so that viruses of the same type and variant reported by the same filer on the same day are counted as one case, regardless of how many actual viruses were found. In April, the reported number was 1,703 while the aggregated detection number was about 0.21M.
The virus with the highest detection number was W32/Netsky with about 0.19M, followed by W32/Mytob with about 0.0053M and W32/Mimail with about 0.0014M.
Chart 2-1
Chart 2-2
Note) Numbers in parentheses are the previous month's figures.
III. Reporting Status of Unauthorized Computer Access (includes Consultations) – please refer to Attachment 2 for further details –
Chart 3-1: Reports of unauthorized computer access and status of consultations
                           | Nov. | Dec. | Jan.'08 | Feb. | Mar. | Apr. |
Total for Reported (a)     |  15  |  14  |    8    |   4  |  19  |  14  |
  Damaged (b)              |  11  |   7  |    7    |   4  |  13  |  10  |
  Not Damaged (c)          |   4  |   7  |    1    |   0  |   6  |   4  |
Total for Consultation (d) |  31  |  21  |   24    |  29  |  35  |  56  |
  Damaged (e)              |  17  |  16  |   15    |  10  |  15  |  31  |
  Not Damaged (f)          |  14  |   5  |    9    |  19  |  20  |  25  |
Grand Total (a + d)        |  46  |  35  |   32    |  33  |  54  |  70  |
  Damaged (b + e)          |  28  |  23  |   22    |  14  |  28  |  41  |
  Not Damaged (c + f)      |  18  |  12  |   10    |  19  |  26  |  29  |
(1) Reporting Status for Unauthorized Computer Access
The reported number for April was 14, of which 10 involved actual damage.
(2) Accepting Status for Consultations relevant to Unauthorized Computer Access
The number of consultations relevant to unauthorized computer access was 56, of which 31 (6 of them also counted in the reported number) involved some sort of damage.
(3) Status of Damage
The breakdown of damage reports was: intrusion, 3; source address spoofing, 3; and others (damaged), 4.
The reported damage for intrusion consisted of 1 case of credit card information leakage caused by an SQL injection attack and 2 cases in which the server was exploited as a stepping stone to attack other sites. The causes of intrusion were a vulnerability in a web application (1) and a password cracking* attack against the port used by SSH* (2).
The damage in others (damaged) included 2 cases in which someone logged in to an online game as a legitimate user and took over the items used in the game, and 2 cases in which a virus was planted by some means and the computer was exploited as a stepping stone to attack other sites.
*SSH (Secure Shell): A protocol for communicating with remote computers over a network.
*Password Cracking: Searching for or analyzing a legitimate user's password. Password cracking includes brute force (exhaustive) attacks and dictionary attacks, and programs for cracking exist.
(4) Damage Instances:
[Intrusion]
(i) The port used by SSH was attacked and the server was intruded
<Instance>
- While checking the firewall logs, suspicious accesses to the outside from a server operated by this organization were found.
- When the server was examined, it was found that the port used by SSH had been subjected to a password cracking attack, which allowed the intrusion.
- On that server, the password of the administrator account had been changed and tools for attacking other sites had been planted; in addition, some system commands had been replaced with malicious ones. The signs in the firewall logs appear to have been communications by the tools for attacking other sites.
- The organization's system administrator had carelessly set an easily guessed password as a temporary measure, because this was a new server still being configured.
- However, the damage was kept to a minimum because the organization employed an IDS (intrusion detection system), which allowed the intrusion to be detected quickly.
*Rootkit: A package of software used by an attacker after successfully intruding into a targeted computer. It generally includes a log alteration tool, a backdoor tool and a set of altered system commands. It hides the attacker's presence from the legitimate user by making running processes, files and system information invisible.
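The detection that the IDS in instance (i) provided, written out as an added example that is not from the IPA report: it counts failed sshd password attempts per source address in a sliding window and records when such a source then logs in successfully, the sequence a cracked password produces. Host name, addresses, log lines and thresholds are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd lines of interest (syslog format): failed and accepted password logins.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+")

def parse(line: str):
    """Return (timestamp, result, user, src), or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog carries no year; strptime defaults to 1900, fine for intervals
    return datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["result"], m["user"], m["src"]

def detect(lines, threshold=5, window=timedelta(minutes=10)):
    """Alert on sources reaching `threshold` failures inside `window`, and record
    the user name if such a source afterwards logs in (password cracked, as in (i))."""
    recent = defaultdict(deque)  # src -> failure timestamps still in window
    tried = defaultdict(set)     # src -> user names attempted
    alerts = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        q = recent[src]
        while q and ts - q[0] > window:
            q.popleft()
        if result == "Failed":
            q.append(ts)
            tried[src].add(user)
            if len(q) >= threshold:
                a = alerts.setdefault(src, {"login_after_burst": None})
                a["failures"], a["users"] = len(q), sorted(tried[src])
        elif src in alerts:
            alerts[src]["login_after_burst"] = user
    return alerts

# Constructed log excerpt: a dictionary attack from one address that ends in a
# successful root login, plus one typo by a legitimate administrator.
SAMPLE_LOG = """\
Apr 21 02:13:05 srv1 sshd[4122]: Failed password for root from 198.51.100.23 port 50122 ssh2
Apr 21 02:13:06 srv1 sshd[4124]: Failed password for invalid user admin from 198.51.100.23 port 50123 ssh2
Apr 21 02:13:07 srv1 sshd[4126]: Failed password for invalid user test from 198.51.100.23 port 50124 ssh2
Apr 21 02:13:08 srv1 sshd[4128]: Failed password for root from 198.51.100.23 port 50125 ssh2
Apr 21 02:13:09 srv1 sshd[4130]: Failed password for root from 198.51.100.23 port 50126 ssh2
Apr 21 02:13:40 srv1 sshd[4140]: Accepted password for root from 198.51.100.23 port 50140 ssh2
Apr 21 02:20:11 srv1 sshd[4201]: Failed password for opadmin from 203.0.113.5 port 40011 ssh2
Apr 21 02:20:15 srv1 sshd[4201]: Accepted password for opadmin from 203.0.113.5 port 40011 ssh2
""".splitlines()
```

A source that reaches the threshold is worth blocking at the firewall; one that also shows a login after the burst is the case in instance (i) and calls for treating the account and the server as compromised.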
[Others (Damaged)]
(ii) Deceived by an individual met on an online game site?
<Instance>
- When I was chatting with a person I met on an online game site, he/she insistently recommended that I download some software, saying it was a very handy tool. Ultimately, I lost patience and downloaded/installed the software.
- The software (tool) was actually a virus. As a result, my password for logging in to the online game was stolen.
- The password was exploited and the data for the avatars I used in the online game was stolen.
IV. Accepting Status of Consultation
The gross number of consultations in April was 938. Consultations relevant to "One-click Billing Fraud" numbered 267 (March: 157), a further increase from March. Among the others, there were 2 consultations relevant to "hard selling of phony security software" (March: 9) and 8 relevant to "Winny" (March: 6).
Chart 4-1: All Consultations Accepted by IPA over the Past 6 Months
                           | Nov. | Dec. | Jan.'08 | Feb. | Mar. | Apr. |
Total                      | 911  | 389  |   408   | 350  | 645  | 938  |
  Automatic Response System| 520  | 222  |   219   | 192  | 373  | 514  |
  Telephone                | 337  | 109  |   151   | 110  | 214  | 335  |
  e-mail                   |  52  |  56  |    38   |  47  |  66  |  87  |
  Fax, Others              |   2  |   2  |     0   |   1  |   1  |   2  |
*IPA provides consultation/advice on computer viruses and unauthorized computer access, as well as on other information security issues in general.
Mail: for virus issues, for crack issues.
Tel.: +81-3-5978-7509 (24-hour automatic response)
Fax: +81-3-5978-7518 (24-hour automatic response)
*"Automatic Response System": number accepted by the automatic response system
*"Telephone": number accepted by Security Center personnel
*The Total case number includes the numbers in the Consultation (d) column of the chart in "III. Reporting Status of Unauthorized Computer Access" and in "IV. Accepting Status of Consultation".
<Reference>
Shift in Number of Consultations relevant to One-click Billing Fraud
The major consultation instances are as follows.
(i) Undelivered error mails were returned, but they were mails that we had never sent out...
Consultation:
Hundreds of undelivered error mails were returned to our company's mail server. The sender of the returned mails was set to our company's mail address, but the account did not actually exist. Though we checked the logs of our mail server, it was apparent that they were not mails sent out by us. Why did such a mystery happen?
Response:
The sender of a mail can be spoofed easily. It can be assumed that someone sent out spam with your company's address as the spoofed sender. From an engineering perspective, the arrival of such returned spam cannot be stopped, so it is hard to take fundamental measures.
When a business's address is spoofed, you may receive complaints from outside. To avoid being regarded as the source of the spam, we encourage you to take the following operational/administrative measures:
- Centralize the inquiry window;
- Publicize on your web site, etc. that your company's mail address has been spoofed.
<Reference>
IPA – "Countermeasures to prevent spoofing of IP address, mail address, etc." (in Japanese)
http://www.ipa.go.jp/security/ciadr/cm01.html#spoofing
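The check the consulter effectively made against the mail server logs, as an added example that is not part of the IPA response: it pulls the returned original out of a delivery status notification (the message/rfc822 part) and decides from its Message-ID and its earliest Received hop whether the mail ever passed through the company's own outbound server. The domain, host names and the sample bounce are constructed.

```python
import email
import re
from email import policy

OUR_DOMAIN = "example.co.jp"                # constructed: the company's mail domain
OUR_OUTBOUND_HOSTS = {"mx1.example.co.jp"}  # constructed: servers that send our mail

def original_from_bounce(raw: bytes):
    """Return the returned original (message/rfc822 part of a multipart/report DSN) or None."""
    bounce = email.message_from_bytes(raw, policy=policy.default)
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None

def classify_bounce(raw: bytes, sent_message_ids: set) -> dict:
    """'ours' if the original's Message-ID is in our sending log, else 'spoofed' with evidence."""
    orig = original_from_bounce(raw)
    if orig is None:
        return {"verdict": "undetermined", "evidence": ["no original attached"]}
    mid = (orig["Message-ID"] or "").strip()
    # each relay prepends a Received header, so the last one is the earliest hop
    hops = orig.get_all("Received", [])
    m = re.search(r"from\s+(\S+)", hops[-1]) if hops else None
    first_host = m.group(1) if m else "unknown"
    if mid in sent_message_ids:
        return {"verdict": "ours", "first_hop_host": first_host}
    evidence = ["Message-ID %s not in our sending log" % mid]
    if first_host not in OUR_OUTBOUND_HOSTS:
        evidence.append("first hop %s is not our outbound server" % first_host)
    if not mid.rstrip(">").endswith("@" + OUR_DOMAIN):
        evidence.append("Message-ID domain is not ours")
    return {"verdict": "spoofed", "first_hop_host": first_host, "evidence": evidence}

# Constructed bounce: a remote server returns spam that carried our address as
# sender but was injected from an unrelated host.
SAMPLE_DSN = b"""\
From: MAILER-DAEMON@mail.example.net
To: sales@example.co.jp
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/delivery-status

Action: failed
--B1
Content-Type: message/rfc822

Received: from pc77.dsl.example.org ([203.0.113.77]) by mail.example.net; Mon, 21 Apr 2008 09:12:31 +0900
From: sales@example.co.jp
Message-ID: <20080421001@pc77.dsl.example.org>

Buy now.
--B1--
"""
```

The Message-ID comparison against the sending log is the authoritative test; the Received and Message-ID domain checks are the supporting evidence to quote when answering complaints from outside.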
(ii) Spam came after I applied to a prize site...
Consultation:
I accessed a prize site to win a prize. Then I received several tens of spam mails from dating sites. Is there any way to stop them?
Response:
From a technical aspect, receiving spam cannot be stopped. Accordingly, using the spam filter functions provided by providers, mail software and security software is the realistic, though possibly temporary, solution. Changing your mail address is the only permanent solution.
Some malicious sites appear to be prize sites but are actually collecting personal information, such as mail addresses, to divert to other purposes. Therefore, the best preventive measure is not to give suspicious providers/site managers your private information, including your mail address, from now on. If you need to give them a mail address, you should give one that you intend to change or delete shortly.
<Reference>
Spam Consultation Center, Nippon Information Communications Association (in Japanese)
http://www.dekyo.or.jp/soudan/
V. Accessing Status Captured by the Internet Monitoring (TALOT2) in April
According to the Internet Monitoring (TALOT2), the total number of unwanted (one-sided) accesses in April 2008 was 206,970, and the gross number of sources was 77,804, for 10 monitoring points. That is, there were 690 accesses from 259 source addresses per monitoring point per day.
Since each TALOT2 monitoring environment is nearly equal to the general connection environment used for the Internet, it can be considered that the same amount of unwanted (one-sided) access is received in general Internet users' connection environments. In other words, your computer is being accessed from 259 unknown source addresses on average per day, or about 3 times from each source address, and such access can be considered unauthorized.
Chart 5-1: Unwanted (One-sided) Number of Accesses and Number of Sources per Monitoring Point per Day
Chart 5-1 shows the number of unwanted (one-sided) accesses and the number of sources on average per monitoring point per day from November 2007 to April 2008. According to this chart, both were at almost the same level as reported in March; the overall pattern of access was therefore stable.
In the last part of April, accesses to ports 139/tcp and 445/tcp were observed to increase temporarily. Since the longest holiday season of the year, the so-called Golden Week, fell in April and May (starting April 29 and ending May 6), the number of home computer users temporarily increased; if their computers had already been infected by bots, accesses to those ports may have increased accordingly.
These two ports are somewhat likely to be targeted when they are used for insufficiently protected file (network) sharing, or by Windows computers whose vulnerabilities have not yet been fixed.
Charts 5-2 and 5-3 show the shift in the number of accesses to ports 139/tcp and 445/tcp, classified by source area.
