



IPA/ISEC in JAPAN:virus and UCA incident report for July2010

August 13, 2010

IT Security Center
Information-technology Promotion Agency, Japan (IPA)

This is the summary of computer virus/unauthorized computer access incident report for July 2010, compiled by Information-technology Promotion Agency, Japan (IPA).

I. Reminder for the Month:

"When you see this window appear, you should be careful!"

- Damage caused by one-click billing shows no sign of diminishing -

Of the cases consulted with IPA regarding "One-Click Billing", the cumulative number exceeded 20,000 in June 2010. Since the beginning of 2010, the number of such cases has consistently been over 600 every month, showing no sign of decline. (See Figure 1-1) Almost all of these cases involved sexually explicit sites.

Figure 1-1: Trend in the Number of Cases Consulted Regarding "One-Click Billing" (Y2010)

One reason such incidents do not decrease is that there are still many Websites that perform "One-Click Billing", as well as PC users who are unaware of the trap such Websites set.

In this section, we explain some points for not falling victim to "One-Click Billing".

(1) Current Status of "One-Click Billing"

In a typical "One-Click Billing" case, the victim attempts to watch a moving image on a sexually explicit site that claims to be free of charge and, without precaution, clicks on the items that appear. As a result, Malware* is embedded into his PC and a billing window similar to Figure 1-2 begins to appear every few minutes.


Figure 1-2: A Sexually Explicit Site's Billing Window

IPA confirmed that about ten sexually explicit sites with such a mechanism (including renewals of existing ones) are opened each month, and that more than twenty Websites performing "One-Click Billing" are in operation at any given time.

There has been no significant change in the mechanism of such Websites and therefore, PC users' careless behavior is thought to be the cause of the unremitting succession of such incidents.

* Malware: a general term for malicious software that causes the victim's computer to behave in an unexpected manner.

For details of the mechanism of, and countermeasures against, these threats, refer to:


(2) Minimum Precautions That Should Be Exercised to Avoid Falling Victim

In most of the cases consulted with IPA, the consulters reportedly accessed a sexually explicit site containing moving images and clicked on a link that appeared to lead to a specific moving image; as a result, Malware was embedded into their PCs. However, such Malware would not have been embedded by a single click alone. They must have gone through several characteristic windows before the Malware was embedded. In this section, we take the following two characteristic windows (Figure 1-3[A] and [B]) as an example.

PC users go through several Web pages on the sexually explicit site until they see the Figure 1-3[A] window, where they are prompted to select "Yes" or "No". The characteristic of this window is that the "Yes" and "No" buttons are underlined. If you see a window like this, you should suspect "This could be a trap" and act prudently.

Characteristic windows of the nine representative sites confirmed by IPA are shown in the subsequent section. Not only in these windows but in other windows as well, you should be careful not to click "Yes" without precaution; you should first confirm what is written in that window, and if you think it suspicious, you should close it by clicking on the "X" button in its upper-right corner.

Figure 1-4: Example of "Security Alert" Window (Enlarged View of Figure 1-3[B])

If you click on "Yes" in the Figure 1-3[A] window and click further on the subsequent pages in an attempt to watch a moving image, the Figure 1-3[B] window appears. Figure 1-4 shows an enlarged view of the small window in Figure 1-3[B]. If it is an ordinary video site, clicking on the Play button in the window will start a moving image. If the Figure 1-4 window appears while you are trying to watch a moving image, you should doubt "This could be a trap."

If you take a close look at Figure 1-4, you will see the message "Security Alert". This message appears when a program has been downloaded and is going to be executed on that PC. If you ignore this alert and click on the "Run" button, Malware is embedded into your PC by your own action. If a window like this is displayed when you are just trying to watch a moving image, you should not press the "Run" or "Save" button.

(3) Websites for which consultation was made with IPA

Figure 1-5 shows the nine representative Website windows for which consultation was made with IPA. Similar Websites are expected to emerge in the future, so grasp the characteristics of these windows and refrain from taking careless actions.

Figure 1-5: Characteristic Windows of the Nine Representative Websites Confirmed by IPA


In case a billing window (Figure 1-2) appears on your PC and you cannot stop worrying about the payment, you should not contact the site operator; instead, consult an institution such as the consumer life center in your locality.


II. Reporting Status of Computer Virus (for further details, please refer to Attachment 1)

(1) Reporting Status of Virus

While the virus detection count*1 in July was about 47,000, up 15.9 percent from about 41,000 in June, the virus report count*2 in July was 1,209, down 2.9 percent from 1,245 in June.

*1 Detection count: number of viruses (cumulative) found by a filer.

*2 Report count: aggregated virus counts. Viruses of the same type and their variants reported by the same filer on the same day are counted as one case, regardless of how many viruses were actually found.

* In July, the virus report count, obtained by consolidating about 47,000 virus detection reports, was 1,209.

W32/Netsky marked the highest detection count at about 31,000, followed by W32/Autorun at about 9,000 and W32/Mydoom at about 5,000.

Figure 2-1: Virus Detection Count

Figure 2-2: Virus Report Count

(2) Malicious Programs Detected

For the number of malicious programs detected, we did not see a rapid increase in July as we did with ADCLICKER in June, but we did see a moderate increase in FAKEAV and DOWNLOADER. (See Figure 2-3)

This sort of malicious program is often distributed as an e-mail attachment, and in some cases Bot*3-infected PCs are used for the mail distribution.

Cyber Clean Center (CCC)*4 provides anti-Bot measures as well as online Bot-removal tools. To avoid taking part in the e-mail distribution of malicious programs, check your PC for Bot infection, and then implement infection-prevention measures, including blocking the entry of malicious programs.


*3 Bot is designed to penetrate into a computer in the same manner as that of a computer virus and to remotely operate the victim's computer via the network.

*4 Cyber Clean Center is a Bot countermeasure project launched by the Ministry of Internal Affairs and Communications and the Ministry of Economy, Trade and Industry.
(Reference) What is Cyber Clean Center?

Figure 2-3: Changes in Virus Detection Count for Malicious Programs

III. Reporting Status of Unauthorized Computer Access (includes Consultations) (Please refer to Attachment 2 for further details)

Table 3-1: Reported Number for Unauthorized Computer Access and the Status of Consultation
                             Feb.'10  Mar.  Apr.  May  Jun.  Jul.
Total for Reported (a)            27    19    11     8    15    14
  Damaged (b)                     17    13    10     5    13     9
  Not Damaged (c)                 10     6     1     3     2     5
Total for Consultation (d)        47    60    39    52    77    44
  Damaged (e)                     28    23    16    22    50    23
  Not Damaged (f)                 19    37    23    30    27    21
Grand Total (a + d)               74    79    50    60    92    58
  Damaged (b + e)                 45    36    26    27    63    32
  Not Damaged (c + f)             29    43    24    33    29    26

(1) Unauthorized Computer Access Reported

The report count for unauthorized computer access in July was 14, 9 of which reportedly involved actual damage.

(2) Unauthorized Computer Access and Other Related Problems Consulted

The consultation count for unauthorized computer access and other related problems was 44 (3 of which were also included in the report count). 23 of them reportedly involved actual damage.

(3) Damages Caused

The breakdown of the damage reports was: intrusion (5); DoS attack (1); spoofing (3).

Damages caused by "intrusion" were: a Web page being defaced (2) (one case involving malicious code being embedded and the other involving the placement of content to be used for phishing); and a tool to attack external sites being embedded into a Web server, which in turn served as a stepping stone for attacking other sites (3). The cause of the intrusion has not been fully identified, but one case was suspected to have been caused by "Gumblar" and another by the exploitation of a phpMyAdmin vulnerability (the causes of the remaining cases were still unknown).

Damages caused by "spoofing" included: online service (online game (3)) being used by someone who successfully impersonated a legitimate user and logged on.

(4) Damage Instances


(i) A phpMyAdmin vulnerability was exploited and a Web page used for phishing was placed
  • I received a phone call from a person outside my organization, saying "A Web page that is used for phishing is placed on your Website."
  • Through the inspection, I found that a department's Web page was defaced with one similar to the eBay sign-in page.
  • CMS (Content Management System) was installed on that Web server, and phpMyAdmin (a DB connection client for managing MySQL via a network) was used for its management.
  • It is assumed that a PHP remote-control tool was embedded through the exploitation of a phpMyAdmin vulnerability and then the Web page was defaced.
(ii) A tool to attack external sites was embedded and the server was used as a stepping stone
  • I received a phone call from a person outside my organization, saying "We've been receiving password cracking* attacks from your server against the port used for SSH*."
  • Through the inspection, I found that root privilege had been taken over and that several tools had been embedded, including a tool to attack the SSH ports of external servers, an IRC server tool and Bots.
  • There was a trace that the site was originally broken into by an attacker using an ordinary account, and that after the penetration the attacker gained root privilege through the exploitation of a Linux kernel vulnerability.
  • It seems that a log file has been altered, but the cause of the penetration has yet to be identified.

* SSH (Secure Shell): a protocol that allows someone using one computer to communicate with a remote computer via the network.

* Password cracking: a process of finding out another person's password, e.g., through password analysis. This includes Brute Force attacks and Dictionary attacks. There are also password-cracking programs.

IV. Unauthorized Computer Access Consulted

The total number of consultations in July was 2,133, of which 805 were related to "One-Click Billing" (compared to 755 in June); 5 to "Hard Selling of Security Software" (compared to 7 in June); 3 to "Winny" (compared to 2 in June); and 1 to "A Suspicious E-Mail Sent to a Specific Organization to Collect Specific Information/Data" (compared to 0 in June).

Table 4-1: Total Number of Consultations Handled by IPA over the Past Six Months
                            Feb.'10   Mar.   Apr.   May    Jun.   Jul.
Total                         1,789  2,000  2,110  1,881  1,983  2,133
  Automatic Response System     977  1,057  1,197  1,091  1,022  1,142
  Telephone                     736    846    835    714    829    924
  e-mail                         70     92     81     76    129     66
  Fax, Others                     6      5      0      0      3      1

* IPA provides consultation/advice on computer viruses, unauthorized computer access, problems related to Winny, and information security in general.

Tel.: +81-3-5978-7509 (24-hour automatic response)
Fax: +81-3-5978-7518 (24-hour automatic response)

* "Automatic Response System": number of consultations answered by the automatic response system
* "Telephone": number of consultations answered by Security Center personnel
* The total number includes the number in the Consultation (d) column of Table 3-1, "III. Unauthorized Computer Access Reported (including Consultations)".

Figure 4-1: Changes in the Number of Consultation Regarding One-Click Billing

Major consultation instances are as follows:

(i) I think that, even if support for the OS has terminated, my PC is not vulnerable as long as antivirus software is installed. Am I right?

What was consulted:

I think, in general, even if the support for the OS has terminated, that PC is not vulnerable as long as antivirus software is installed and kept up-to-date …


In general, secure operation is not guaranteed for application software running on an OS whose support has terminated. Antivirus software is no exception. However, if your antivirus software's specifications clearly state that it supports that OS even after the end of support, you may assume that its defense functions are still provided. Note, however, that the antivirus function, which uses a traditional pattern-matching method, is essentially different from a function that detects and defends against attacks exploiting a vulnerability. So you should remember that no antivirus software can provide iron-tight defense. It is also important to recognize that this is not a permanent countermeasure but a transient one.


(ii) I lent my PC to a relative and it was returned with a billing message for a sexually explicit site displayed

What was consulted:

When a relative of mine came to my house, I lent him my PC. Then the PC was returned with a billing message for a sexually explicit site displayed. What's going on? Should I perform initialization to fix my PC?


Apparently, that relative was accessing a sexually explicit site when he was trapped by "One-Click Billing", which resulted in the virus infection. If the PC's OS is Windows XP/Vista/7, we recommend that you use the "System Restore" function to restore the PC's settings to the day before you lent it. If the billing message is still displayed after you perform the system restoration, you need to perform initialization.

If the PC handles important information, in order to reduce virus infection risk, you should refrain from easily lending it to others, even if that person is your relative.


V. Access Status Captured by the Internet Fixed-Point Monitoring System (TALOT2) in July

According to the Internet Fixed-Point Monitoring System (TALOT2), 116,141 unwanted (one-sided) accesses were observed at ten monitoring points in July 2010, and the total number of sources* was 50,845. This means that on average, 375 accesses from 164 sources were observed at one monitoring point per day. (See Figure 5-1)

* Total number of sources: indicates how many accesses in total were observed by TALOT2. If multiple accesses from the same source were observed at the same monitoring point/port on the same day, they are counted as one access from that source on that day.

Since the environment of each monitoring point for TALOT2 is equivalent to that of general Internet connection, an equal number of such accesses are thought to be made in the Internet users’ system environment.

Figure 5-1: Daily, Averaged Number of Unwanted (One-Sided) Accesses and Sources at the Same Monitoring Point/Port per Month

Figure 5-1 shows the daily averaged number of unwanted (one-sided) accesses and sources at the same monitoring point/port per month (from February 2010 to July 2010). As shown in this Figure, the number of unwanted (one-sided) accesses decreased in July compared to June.

Figure 5-2 shows the July-over-June comparison for the number of unwanted (one-sided) accesses, classified by destination (port type). As shown in this Figure, accesses to 27649/udp and 5060/udp, which were not ranked high in the past, now rank high.

As for 27649/udp, access from a number of overseas sources was observed at a single TALOT2 monitoring point in early July. It has yet to be identified why this port was accessed, as it is not one used by a specific application.

As for 5060/udp, access to this port has been frequently observed at multiple TALOT2 monitoring points since July 9. (See Figure 5-3) This phenomenon has also been observed by other organizations undertaking fixed-point observations, indicating that such access was made over widely scattered areas. 5060/udp is generally used by SIP* servers, and it is possible that such access was made by an attacker in order to attack SIP servers. So if you are operating a SIP server, it is recommended that you check for any impact such access might have had on it.

* SIP (Session Initiation Protocol): a communication protocol used for IP phones, etc.
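How the TALOT2 "total number of sources" counting rule and the per-point daily average described above work, together with a month-over-month port ranking of the kind that surfaced 27649/udp and 5060/udp, as an added example that is not part of the IPA report; the monitoring point identifiers, source addresses and per-port totals are constructed (only the July totals of 116,141 accesses, 50,845 sources, ten points and 31 days come from the report):

```python
# Added example, not IPA's or TALOT2's own code: the "total number of sources"
# counting rule, the per-point daily average, and a month-over-month port
# ranking of the kind that surfaced 27649/udp and 5060/udp. All records and
# port counts below are constructed sample values, not the report's data.
from collections import Counter
from typing import Iterable, List, NamedTuple, Tuple

class Access(NamedTuple):
    day: str    # observation date, YYYY-MM-DD
    point: str  # monitoring point identifier (hypothetical)
    port: str   # destination port/protocol, e.g. "5060/udp"
    src: str    # source address (RFC 5737 documentation range, constructed)

def count_accesses_and_sources(records: Iterable[Access]) -> Tuple[int, int]:
    """Count unwanted accesses and sources the TALOT2 way: repeated accesses
    from one source to the same point/port on the same day are one source."""
    records = list(records)
    sources = {(r.day, r.point, r.port, r.src) for r in records}
    return len(records), len(sources)

def daily_average_per_point(accesses: int, sources: int,
                            points: int, days: int) -> Tuple[int, int]:
    """Average accesses and sources observed at one monitoring point per day."""
    slots = points * days
    return round(accesses / slots), round(sources / slots)

def newly_prominent_ports(prev: Counter, cur: Counter, top_n: int = 3) -> List[str]:
    """Ports in this month's top-N that were absent from last month's top-N;
    newcomers like a SIP port are the ones the report says to look into."""
    prev_top = {p for p, _ in prev.most_common(top_n)}
    return sorted(p for p, _ in cur.most_common(top_n) if p not in prev_top)

# Constructed sample log: one source hits point p1 twice on the same day.
SAMPLE_LOG = [
    Access("2010-07-09", "p1", "5060/udp", "198.51.100.7"),
    Access("2010-07-09", "p1", "5060/udp", "198.51.100.7"),  # same day/point/port: 1 source
    Access("2010-07-09", "p2", "5060/udp", "198.51.100.7"),  # other point: new source
    Access("2010-07-10", "p1", "5060/udp", "198.51.100.7"),  # next day: new source
    Access("2010-07-09", "p1", "445/tcp", "203.0.113.5"),
]

# Constructed per-port monthly totals (not the report's figures).
JUNE_PORTS = Counter({"445/tcp": 900, "135/tcp": 500, "1433/tcp": 300, "5060/udp": 20})
JULY_PORTS = Counter({"445/tcp": 800, "5060/udp": 600, "27649/udp": 400, "135/tcp": 300})

if __name__ == "__main__":
    print(count_accesses_and_sources(SAMPLE_LOG))            # (5, 4)
    print(daily_average_per_point(116_141, 50_845, 10, 31))  # (375, 164)
    print(newly_prominent_ports(JUNE_PORTS, JULY_PORTS))     # ['27649/udp', '5060/udp']
```

Feeding the report's July totals through daily_average_per_point reproduces the 375 accesses and 164 sources per point per day quoted in the text.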


Figure 5-2: July-over-June Comparison for the Number of Access, Classified by Destination (Port Type)

Figure 5-3: Number of Access for 5060/udp

For more detailed information, please also refer to the following URLs.

A variety of statistical information provided by other organizations/vendors is available at the following sites:


IT Security Center, Information-technology Promotion Agency, Japan (IPA/ISEC)