
IPA/ISEC in JAPAN: Virus and UCA Incident Report for August 2010

September 13, 2010

IT Security Center
Information-technology Promotion Agency, Japan (IPA)

This is the summary of computer virus/unauthorized computer access incident report for August 2010, compiled by Information-technology Promotion Agency, Japan (IPA).

I. Reminder for the Month:

"A virus has emerged that spreads via USB thumb drive with a new attack method!"

In June and July 2010, respectively, Microsoft urgently released information about two Windows vulnerabilities, together with countermeasures against attacks exploiting them. It did so because a computer virus had been confirmed that spreads by exploiting those vulnerabilities (in the manner of what is called a "Zero-Day Attack") and the dangerous situation was continuing. IPA also released emergency countermeasures information* concerning those two vulnerabilities.

In July, a report was released on a virus that exploits the vulnerability MS10-046 that allows "processes to be executed remotely through the exploitation of Windows shell vulnerability (2286198)." This virus was found to spread mainly via USB thumb drive by using a method that has never been observed before.

To avoid falling victim to such a virus, check carefully on a daily basis for information on vulnerabilities, security patches and countermeasures, and when countermeasures are released, apply them promptly.

(1)Newly Detected Virus and How it is Transmitted

W32/Stuxnet (hereinafter called Stuxnet) is a computer virus that spreads through the exploitation of the Windows shell vulnerability MS10-046. This vulnerability is related to the way Windows handles a shortcut file*. Specifically, when a PC user displays a shortcut-file icon in Windows Explorer, Windows does not correctly analyze the file that the icon references. For this reason, if the shortcut references a file containing malicious code instead of the file that clicking the shortcut-file icon is supposed to reference, a program exploiting this vulnerability might be executed (see Figure 1-1).

*Shortcut file: A file that serves as a reference to a file, folder, or application program. Although the referenced file itself is not located there, a shortcut file can apparently be handled in the same manner as the referenced file, which allows simplified access to the referenced file.

Figure 1-1:Example of Opening a Folder from My Computer, which Results in Referencing Files Contained

IPA obtained a sample of Stuxnet virus and analyzed it. How it is transmitted is detailed below.

The distinctive feature of this virus is that "the virus is activated only by opening a folder that contains a doctored shortcut file (lnk file) from Windows Explorer." This is a new attack method that has never been observed before.

For example, if a USB thumb drive containing a Stuxnet-virus file is inserted into a PC that has the Windows Shell Vulnerability MS10-046, and the user opens the folder containing that virus file from Windows Explorer to view the files on the USB thumb drive, a Stuxnet virus attack is launched without the user touching that file (see Figure 1-1).

Several viruses that infect PCs via USB thumb drive have been detected before, including W32/Autorun. (For the sake of convenience, we call them "Traditional USB-thumb-drive infection virus".) Traditional USB-thumb-drive infection viruses can be prevented by disabling the "auto-execute" feature of Windows*. The new attack method detected this time, on the other hand, does not use the "auto-execute" feature, and therefore Stuxnet virus attacks cannot be prevented only by disabling the "auto-execute" feature.

*"Auto-execute" feature of Windows: A feature of Windows in which when a USB thumb drive is inserted into a PC or when the icon of a USB thumb drive is double-clicked, the files contained are automatically executed. Also called Autorun.


We found that the Stuxnet virus also infects PCs through routes other than USB thumb drive, including the following (see Figure 1-2):

(a)Infections via a shared folder on a network

If a virus file is placed in a shared folder on a network, opening the shared folder to display the folder contents leads to the virus infection of that PC.

(b)Infections by saving a virus file attached to an e-mail and opening the folder containing it

If a virus file is sent as an e-mail attachment and the recipient saves it in a folder, opening that folder to display the folder contents leads to the virus infection of that PC.

(c)Infected by opening a doctored document file

Opening a document file (e.g. a Microsoft Office file) containing a virus file leads to the virus infection of that PC.

(d)Infected by browsing a defaced Website

Browsing a trap Website in which a script that opens a virus file is embedded leads to the virus infection of that PC. The same can be said for browsing a legitimate Website that has been defaced by a person with malicious intent.

Figure 1-2:Image of virus Infections from Other Routes than USB Thumb Drive


Eliminating Vulnerability

The only way to prevent Stuxnet-virus infection is to eliminate the Windows vulnerability that this virus exploits. A security patch for this vulnerability has already been released (Supported OS: Windows XP SP3, Windows Vista SP1 or later version, Windows 7). Apply it promptly.


In addition to the above-mentioned vulnerability, check for any other vulnerabilities you have not addressed yet and promptly apply countermeasures when available.


Fundamental Antivirus Measures

Be sure to install antivirus software and keep its pattern files up-to-date, which is one of the important countermeasures. It is recommended to use "Integrated" antivirus software that has a feature to block access to risky Websites, which is designed for general users.

(3)Countermeasures against Zero-Day Attack

The existence of Stuxnet virus had already been confirmed before the release of security patches to remedy this vulnerability, as well as countermeasures. In short, it had been in the state of "Zero-Day Attack" until such security patches were released.

"Zero-Day Attack" is an attack that exploits OS or application software vulnerability that has already been detected but not remedied yet.

To avoid receiving "Zero-Day Attack", you need to collect information from vendors in a timely manner so that you can adequately respond when information on vulnerability being exploited is released. It is recommended to subscribe to e-mail magazines transmitted by vendors and to check periodically for articles posted on news sites or portal sites.


IPA analyzes vulnerability information released by vendors and if deemed urgent, "emergency countermeasures information" is posted on its Website. Refer also to JVN or other portal sites that provide information on vulnerability of software products used in Japan as well as countermeasures.


For more details, refer to "(3) Points to Avoid Receiving 'Zero-Day Attack'" in the Web page below. If you feel that you have been under "Zero-Day Attack", refer to "(4) If you find that you have been under 'Zero-Day Attack'."


II. Reporting Status of Computer Virus – further details, please refer to the Attachment 1 –

(1)Reporting Status of Virus

While the virus detection count *1 in August was about 45,000, down 5.5 percent from about 47,000 in July, the virus report count *2 in August was 1,177, down 2.6 percent from 1,209 in July.

*1 Detection Number: virus counts (cumulative) found by a filer

*2 Aggregated virus counts. Viruses of the same type and their variants reported by the same filer on the same day are counted as one case, regardless of how many viruses were actually found.

* In August, the virus report count, which was obtained by consolidating about 45,000 virus detection reports, was 1,177.

W32/Netsky marked the highest detection count at about 29,000, followed by W32/Waledac at about 7,000 and W32/Mydoom at about 6,000.

Figure 2-1: Virus Detection Count

Figure 2-2: Virus Report Count

(2)Malicious Programs Detected

For the number of malicious programs detected, we have seen a rapid increase in DOWNLOADER, FAKEAV and BACKDOOR in August. (See Figure 2-3)

This sort of malicious program is often contained in an e-mail attachment and distributed, and in some cases, Bot*3-infected PCs are used for the mail distribution.

Cyber Clean Center (CCC) *4 provides anti-Bot measures as well as online Bot-removal tools.  To avoid taking part in the e-mail distribution of malicious programs, check your PC for Bot infection, and then implement infection-prevention measures, including blocking the entry of malicious programs.


*3 Bot is designed to penetrate into a computer in the same manner as that of a computer virus and to remotely operate the victim's computer via the network.

*4 Cyber Clean Center is a Bot countermeasure project launched by the Ministry of Internal Affairs and Communications and the Ministry of Economy, Trade and Industry.
(Reference)What is Cyber Clean Center?

Figure 2-3: Changes in Virus Detection Count for Malicious Programs

III. Reporting Status of Unauthorized Computer Access (includes Consultations) – Please refer to the Attachment 2 for further details –

Table 3-1: Reported Number for unauthorized computer access and the status of consultation
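
| | Mar.'10 | Apr. | May | Jun. | Jul. | Aug. |
|---|---|---|---|---|---|---|
| Total for Reported (a) | 19 | 11 | 8 | 15 | 14 | 18 |
| Damaged (b) | 13 | 10 | 5 | 13 | 9 | 12 |
| Not Damaged (c) | 6 | 1 | 3 | 2 | 5 | 6 |
| Total for Consultation (d) | 60 | 39 | 52 | 77 | 44 | 56 |
| Damaged (e) | 23 | 16 | 22 | 50 | 23 | 16 |
| Not Damaged (f) | 37 | 23 | 30 | 27 | 21 | 40 |
| Grand Total (a + d) | 79 | 50 | 60 | 92 | 58 | 74 |
| Damaged (b + e) | 36 | 26 | 27 | 63 | 32 | 28 |
| Not Damaged (c + f) | 43 | 24 | 33 | 29 | 26 | 46 |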

(1)Unauthorized Computer Access Reported

The report count for unauthorized computer access in August was 18, 12 of which reportedly had certain damages.

(2)Unauthorized Computer Access and Other Related Problems Consulted

The consultation count for unauthorized computer access and other related problems was 56 (8 of which were also included in the report count). 16 of them reportedly had certain damages.

(3)Damages Caused

The breakdown of the damage reports was: intrusion (7); spoofed address (1); spoofing (4).

Damages caused by "intrusion" were: credit card information being stolen from the database (2); a Web page being defaced (2) (with one case involving the placement of contents to be used for phishing*); a tool to attack external sites being embedded into a Web server, which in turn served as a stepping stone for attacking other sites (2); SQL injection* attack being carried out successfully (damage not identified) (1). The causes of the intrusion were: weak password setting (2) (with one case involving a password cracking* attack against a port used for SSH*); Web application vulnerability being exploited (1); inappropriate settings for access limitation (1). (Causes of the other cases were not identified.)

Damages caused by "spoofing" included: online service (online game (1), Skype (1), free Web-based e-mail (1), etc.) being used by someone who successfully impersonated a legitimate user and logged on.

*Phishing: A fraudulent activity in which attackers use forged, authentic-looking e-mails or Web pages (of e.g., authoritative financial institutions and other existing enterprises) to obtain the site visitor's ID and passwords.

*SQL (Structured Query Language): a query language for data manipulation and definition in Relational Database Management System (RDBMS).

*SQL injection: an attack that views or alters data in a database in an unauthorized fashion by exploiting vulnerability of a program accessing that database.

*SSH (Secure Shell): a protocol that allows someone using one computer to communicate with a remote computer via the network.

*Password cracking: a process of finding out other person's password, e.g., through a password analysis. This includes Brute Force attack and Dictionary attack. There are also password-cracking programs.
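The cause reported above, a weak password on a port used for SSH that gave way to a password-cracking attack, leaves a recognizable trace in the server's authentication log: a run of failed logins from one source followed by an accepted one. The following detection sketch is an added example, not part of the IPA report; the log lines are constructed, and the OpenSSH syslog line format and the threshold of five failures are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in OpenSSH syslog format; host, users and addresses
# (RFC 5737 documentation ranges) are invented for this example.
SAMPLE_LOG = """\
Aug 12 03:14:01 srv1 sshd[2101]: Failed password for root from 203.0.113.45 port 51122 ssh2
Aug 12 03:14:03 srv1 sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 51124 ssh2
Aug 12 03:14:05 srv1 sshd[2102]: Failed password for root from 203.0.113.45 port 51126 ssh2
Aug 12 03:14:07 srv1 sshd[2102]: Failed password for invalid user test from 203.0.113.45 port 51128 ssh2
Aug 12 03:14:09 srv1 sshd[2103]: Failed password for root from 203.0.113.45 port 51130 ssh2
Aug 12 03:14:11 srv1 sshd[2104]: Accepted password for root from 203.0.113.45 port 51132 ssh2
Aug 12 08:30:00 srv1 sshd[2200]: Failed password for alice from 192.0.2.10 port 40000 ssh2
Aug 12 08:30:09 srv1 sshd[2200]: Accepted password for alice from 192.0.2.10 port 40000 ssh2
Aug 12 09:00:01 srv1 sshd[2300]: Failed password for invalid user oracle from 198.51.100.7 port 33001 ssh2
Aug 12 09:00:03 srv1 sshd[2300]: Failed password for invalid user oracle from 198.51.100.7 port 33003 ssh2
Aug 12 09:00:05 srv1 sshd[2301]: Failed password for root from 198.51.100.7 port 33005 ssh2
Aug 12 09:00:07 srv1 sshd[2301]: Failed password for root from 198.51.100.7 port 33007 ssh2
Aug 12 09:00:09 srv1 sshd[2302]: Failed password for invalid user guest from 198.51.100.7 port 33009 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
FAILURE_THRESHOLD = 5  # assumed tuning value, not taken from the report


def analyze(log_text, threshold=FAILURE_THRESHOLD):
    """Return {source_ip: finding} for sources with >= threshold failures."""
    failures = defaultdict(int)
    tried = defaultdict(set)
    cracked = {}  # source_ip -> account that logged in after the guessing
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failures[ip] += 1
            tried[ip].add(user)
        elif failures[ip] >= threshold:
            # A success after a run of failures from the same source.
            cracked.setdefault(ip, user)
    findings = {}
    for ip, count in failures.items():
        if count < threshold:
            continue  # e.g. a legitimate user who mistyped once
        findings[ip] = {
            "verdict": "login-after-guessing" if ip in cracked else "guessing",
            "account": cracked.get(ip),
            "failures": count,
            "accounts_tried": sorted(tried[ip]),
        }
    return findings


if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE_LOG).items():
        print(ip, finding)
```

A "login-after-guessing" finding calls for treating the named account and the host as compromised; a "guessing" finding indicates an attack in progress against accounts whose passwords have held so far.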

(4) Damage Instance


(i)A tool to attack external sites was embedded and used as a stepping stone
  • Reduction in the service quality was confirmed in our server that provides service for external parties.
  • Through the inspection, I found that an attack had been carried out against a port that is used for SSH for external sites.
  • I asked a security professional to undertake full investigation. The investigation revealed that a site-attacking tool had been embedded into two servers. Furthermore, "psyBNC" (IRC network bouncer), a type of backdoor that can be controlled from a remote site, had also been placed.
  • The port that is used for our server's SSH had been under password-cracking attack from an external party and the password was cracked. The fact that the password had not been changed from the vendor's default setting is attributable to this incident.


(ii)Account for Skype was stolen and I received a bill for telephone calls unknown to me
  • I'm using Skype which is an IP phone service. Around April, I became unable to sign into my account. Out of necessity, I created another account and was using it.
  • When I looked at my credit card statement which I received in July, I found a 30,000-yen bill for telephone calls made by using the account to which I became unable to sign in. Apparently, somebody used my account to make phone calls.
  • I don't know how my account was stolen.

IV. Unauthorized Computer Access Consulted

The total number of consultations in August was 2,432, which was the largest ever. Of these, 935 were related to "One-Click Billing" (also the largest ever; compared to 805 in July); 15 to "Hard Selling of Security Software" (compared to 5 in July); 4 to "Winny" (compared to 3 in July); and 2 to "A Suspicious E-Mail Sent to a Specific Organization to Collect Specific Information/Data" (compared to 1 in July).

Table 4-1: Total Number of Consultations Handled by IPA over the Past Six Months

| | Mar.'10 | Apr. | May | Jun. | Jul. | Aug. |
|---|---|---|---|---|---|---|
| Total | 2,000 | 2,110 | 1,881 | 1,983 | 2,133 | 2,432 |
| Automatic Response System | 1,057 | 1,197 | 1,091 | 1,022 | 1,142 | 1,298 |
| Telephone | 846 | 835 | 714 | 829 | 924 | 1,053 |
| e-mail | 92 | 81 | 76 | 129 | 66 | 75 |
| Fax, Others | 5 | 0 | 0 | 3 | 1 | 6 |

* IPA provides consultation/advice for computer virus, unauthorized computer access, problems related to Winny as well as overall information security.

Tel.: +81-3-5978-7509 (24-hour automatic response)
Fax: +81-3-5978-7518 (24-hour automatic response)

*"Automatic Response System": Numbers responded by automatic response
*"Telephone": Numbers responded by the Security Center personnel
*Total Number includes the number in the Consultation (d) column in the Table 3-1, "III. Unauthorized Computer Access Reported (including Consultations)".

Figure 4-1: Changes in the Number of Consultation Regarding One-Click Billing

Major consultation instances are as follows:

(i)In the case of "One-Click Billing", will I be able to remove the billing screen by deleting the user account in question?

What was consulted:

A billing screen for sexually explicit site continues to be displayed on my PC. If I delete my user account for which the billing screen is displayed, will the screen disappear?


The consulter is suffering from a "One-Click Billing" virus infection. If the PC's OS is Windows XP/Vista/7, we recommend that you use the "System Restore" function to restore the PC's settings back to one day before the billing screen began to appear. If you log onto your PC by using an account other than your login user account and the billing screen is not displayed, you might be able to remove the billing screen by deleting your login user account. Note, however, that if you delete your account, files on the desktop and the contents of the "My Documents" folder are also deleted. So, be sure to back up important files before deleting your account.


(ii)In Messenger Service, when I clicked on a link that was contained in a message from my friend, my PC was suddenly shut down.

What was consulted:

I'm using Messenger Service. Because it was a message from my friend, without precaution, I clicked on a URL in the message and suddenly, my PC was shut down. Was my PC infected with a virus?


Because it was a message from his friend, the consulter clicked on that link without confirming its URL. In this case, it is highly likely that his PC was infected with a virus. If you are concerned about continuing to use it, it is recommended to perform initialization. After the initialization, it is also recommended to change your password for logging onto Messenger Service, as the possibility of your account being stolen cannot be ruled out. Should you not be able to log onto Messenger Service, check with the operator of Messenger Service.

Even if the sender was your friend, it is dangerous to click on any URLs in a message without precaution. This is because a person with malicious intent who has stolen another person's account might have embedded a link to guide the victims to a malicious Website. The same can be said for e-mails. If you receive any suspicious messages, it is recommended to check first with the sender of such messages.


V. Access Status Captured by the Internet Fixed-Point Monitoring System (TALOT2) in August

According to the Internet Fixed-Point Monitoring System (TALOT2), 111,085 unwanted (one-sided) accesses were observed at ten monitoring points in August 2010 and the total number of sources* was 50,147. This means on average, 358 accesses from 162 sources were observed at one monitoring point per day. (See Figure 5-1)

*Total number of sources: indicates how many accesses in total were observed by TALOT2. If multiple accesses from the same source were observed at the same monitoring point/port on the same day, they are considered one access from the specific source on that day.

Since the environment of each monitoring point for TALOT2 is equivalent to that of general Internet connection, an equal number of such accesses are thought to be made in the Internet users’ system environment.

Figure 5-1: Daily, Averaged Number of Unwanted (One-Sided) Accesses and Sources at the Same Monitoring Point/Port per Month

Figure 5-1 shows the daily, averaged number of unwanted (one-sided) accesses and sources at the same monitoring point/port per month (from March 2010 to August 2010). As shown in this Figure, the number of unwanted (one-sided) accesses decreased in August compared to July.

Figure 5-2 shows the August-over-July comparison results for the number of unwanted (one-sided) accesses, classified by destination (port type). As shown in this Figure, access to 44274/udp, which was not ranked high in the past, has been ranked high. Access to this port was observed at the end of August at a single monitoring point for TALOT2 and its source was a single point in the U.S. It has yet to be identified why this port was accessed, as it is not one used by a specific application.

Access to 9415/tcp, which was ranked 8th in August, was also addressed in the June report, and such access continued to be observed (see Figure 5-3). Access to this port has been made from multiple sources overseas (mainly China) and observed at multiple monitoring points for TALOT2 as well as by other organizations undertaking fixed-point observations. As for 9415/tcp, a software program with a proxy feature that is posted on a Website in China was found to keep this port open and wait for connections. It is possible that a person with malicious intent was searching for a PC on which this software program is installed so that he could use it as a stepping stone to carry out an attack against a Web server, etc.
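The source-counting rule and the month-over-month port comparison described in this section can be reproduced on any set of sensor records. The following is an added example, not TALOT2's own code; the record layout, monitoring-point names, addresses and the top-3 cut-off are assumptions, and the data is constructed. It counts a source once per monitoring point/port/day and reports ports that newly enter the ranking, separating a single-source burst (the 44274/udp pattern) from access spread over many sources and points (the 9415/tcp pattern).

```python
from collections import Counter, defaultdict


def build_sample():
    """Constructed records: (month, day, monitoring_point, source, dest_port)."""
    records = []
    for month in ("2010-07", "2010-08"):
        for day in (1, 2, 3):
            for point in ("P1", "P2", "P3"):
                for s in range(4):  # each source probes 445/tcp twice a day
                    records += [(month, day, point, f"198.51.100.{s}", "445/tcp")] * 2
                for s in range(2):  # low-volume access from rotating sources
                    records.append((month, day, point, f"203.0.113.{s + day}", "9415/tcp"))
    # Late-August burst from one source against one monitoring point.
    records += [("2010-08", 30, "P2", "192.0.2.99", "44274/udp")] * 40
    return records


def port_stats(records, month):
    """Per-port access count, source count (one per source/point/port/day),
    distinct source addresses and distinct monitoring points for a month."""
    accesses = Counter()
    daily_sources, origins, points = defaultdict(set), defaultdict(set), defaultdict(set)
    for rec_month, day, point, source, port in records:
        if rec_month != month:
            continue
        accesses[port] += 1
        daily_sources[port].add((day, point, source))  # the de-duplication rule
        origins[port].add(source)
        points[port].add(point)
    return {
        port: {"accesses": n, "sources": len(daily_sources[port]),
               "origins": len(origins[port]), "points": len(points[port])}
        for port, n in accesses.items()
    }


def newly_ranked(records, prev_month, cur_month, top_n=3):
    """Ports in this month's top N by access count that were not in last month's."""
    def top(stats):
        return sorted(stats, key=lambda p: -stats[p]["accesses"])[:top_n]
    prev, cur = port_stats(records, prev_month), port_stats(records, cur_month)
    report = {}
    for port in top(cur):
        if port in top(prev):
            continue
        single = cur[port]["origins"] == 1 and cur[port]["points"] == 1
        report[port] = dict(cur[port], pattern="single source, single point"
                            if single else "distributed")
    return report


if __name__ == "__main__":
    print(newly_ranked(build_sample(), "2010-07", "2010-08"))
```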


Figure 5-2: August-over-July Comparison for the Number of Access, Classified by Destination (Port Type)

Figure 5-3: Number of Access for 9415/tcp

* For maintenance work, this system was shut down from June 18-20.

For more detailed information, please also refer to the following URLs.

Variety of statistical Information provided by the other organizations/vendors is available at the following sites:


IT Security Center, Information-technology Promotion Agency, Japan (IPA/ISEC)