Font Size Change

HOMEIT SecurityIPA/ISEC in JAPAN:virus and UCA incident report for September2010

PRINT PAGE

IT Security

IPA/ISEC in JAPAN:virus and UCA incident report for September2010

October 15, 2010

IT Security Center
Information-technology Promotion Agency, Japan (IPA)

This is the summary of computer virus/unauthorized computer access incident report for September 2010, compiled by Information-technology Promotion Agency, Japan (IPA).

I. Reminder for the Month:

"A new virus has emerged that spreads through various routes, including unsolicited e-mails!"

At the beginning of September 2010, several security-related organizations issued security alert, saying "A new virus is going around that spreads through unsolicited e-mails". This new virus is also called "mass-mailing virus" and spreads through e-mails sent to unspecified PC users. It can also spread to other PCs through other routes than e-mails. This virus was going around observes for a while but now it is in the stage of convergence.

In the past, there were many cases involving e-mail-borne viruses, but because of advanced technical countermeasures, this time we saw an early resolution of the situation. However, it is the fact that this virus did spread albeit temporally; so PC users need to check for any missing countermeasures and implement them accordingly.

This section describes outline and behavior of this new virus, as well as fundamental countermeasures that should be taken by PC users.

(1)Outline of This New Virus

Though this once-epidemic new virus has many different names, we call it "VBMania" throughout this document*1.

VBMania attempts to spread through the mechanism shown in Figure 1-1.

Figure 1-1:VBMania Virus Infection Mechanism

*1 A virus may have many different names as it may be named differently by each security vendor. For example, VBMania is also called: "Win32/Swisyn.worm.290816", "Email-Worm.Win32.VBMania.a", W32.Imsolk.B@mm, "EmailWorm(0019e4ae1)", "WORM_MEYLME.B", "Worm:Win32/Visal.B", or "W32/VBMania@MM". All of these names refer to the same virus.

(2)Details of VBMania

This section describes the behavior of a VBMania sample that was analyzed by IPA.

<1>Virus infection via an e-mail containing a trappy link

At first, a user receives an e-mail containing a trappy link in its body message (i.e., trappy e-mail). That link is designed to look like a link to a PDF file*2 or a video file (Figure 1-2). The addresses of the e-mail sender might also be that of an acquaintance of the user.

If the user clicks on that trappy link, VBMania download is activated*3. In this case, a warning dialogue box may be displayed by Windows or e-mail software and if the user ignores it and performs further operations, his PC is infected with that virus.

This time, we confirmed that the English words such as "Here you have", "Just for you" and "hi" were used for the e-mail subject and the body message was also written in English.

*2 PDF file: a type of document file that can be viewed with software products such as "Adobe Reader".

*3 As of Oct. 5, 2010, the download site had already been made inaccessible and it remains unworkable. However, the possibility of the download site being made accessible again cannot be ruled out, so it is not secured enough.

Figure 1-2:Example of VBMania Trappy E-mail (In the Screen of "Windows Live Mail")

We found that, using a PC that is infected with VBMania in this way, VBMania carries out an activity to spread its infection as described in [2] to [4] below.

<2>Virus infection via USB thumb drive

If a USB thumb drive or other devices are connected to a virus-infected PC, that virus might replicate itself in those devices and doctor them so that they exploits the "auto-execute" feature of Windows.

If that USB thumb drive is connected to another Windows PC whose "auto-execute" feature is not disabled, that PC is also infected with the virus.

<3>Virus infection via a shared folder on a LAN

If a virus-infected PC is connected to other PCs over a home or corporate LAN, virus file replication may take place. In such cases, the replicated virus file is forged so that it looks like a PDF file or other benign files.

By double-clicking the replicated virus files on other PCs that were placed without their users noticing it, those PCs are also infected with that virus.

<4>Virus infection via a trappy e-mail sent to unspecified PC users

Without the user's intent, a trappy e-mail (described in [1]) might be sent to the e-mail addresses registered in the address book of e-mail software*4 on the virus-infected PC. In such cases, the user's e-mail address that is registered in the e-mail software can be used as that of the e-mail sender. Through this repeated infection process, a large number of such trappy e-mail is distributed.

*4 Through an analysis, we confirmed that data in "Outlook" - e-mail software that comes with Microsoft Office product - is abused. However, other e-mail software may also be targeted for an attack.

Other malicious activities

This virus also carries out the following malicious activities:

●Attempts to impede operations performed by antivirus software or other security-related software that is installed on the user's PC, and to disable them in the end.

●Attempts to download other viruses via the Internet and to infect the user's PC*5

*5 As of Oct. 5, 2010, as in [*3], the download site had already been made inaccessible.

For technical information on this virus, refer to the following Web pages provided by security software vendors:

<Reference>

(3)Proactive Action

A computer virus that uses e-mails to spread its infection (as in the case of VBMania) is not at all new and this sort of virus might emerge any time in the future. As shown in Figure 1-3, it is effective to implement fundamental, multistep antivirus/anti-unsolicited-e-mails measures.

Figure 1-3:Multistep Countermeasures against Unsolicited E-mails, etc

(I)Unsolicited-e-mail filtering service provided by ISPs

Some Internet Service Providers (ISPs) provide a service called "unsolicited-e-mail filtering service" that might be effective in blocking e-mails for advertisements, solicitation to dating site, etc., as well as e-mails carrying the risk of virus infection.

For the details on available services, contact your ISP and consider their use.

(II)Defense by Antivirus Software

Antivirus software cannot be good at everything, but it is one of the important countermeasures. By installing antivirus software and keeping its virus definition files updated, you can prevent the entry of viruses and clean the viruses that have already been penetrated. Most of the recent viruses are designed in such that users cannot recognize their infection only by looking at their PC screen; therefore, antivirus software is indispensable to detect and clean such viruses.

For general users, it is recommended to use "Integrated" antivirus software that can not only detect and clean the viruses, but also block access to risky Websites, resulting from clicking on a link in a trappy e-mail.

(III)Use of unsolicited-e-mail blocking feature of e-mail software

Some e-mail software have "unsolicited-e-mail blocking" feature. As in the case of "unsolicited-e-mail filtering service" provided by ISPs, it is effective in blocking trappy e-mails.

"Unsolicited-e-mail blocking" feature is a feature to sort unsolicited or trappy e-mails into such folders as "Unsolicited E-mail" or "Spam Mail". For information on how to make this feature's settings, refer to the manual or help information of your e-mail software.

Note that if you enable this feature, benign e-mails (non-unsolicited e-mails) can also be sorted as "Unsolicited E-mails", for which the user might miss important e-mails, so cautions should be exercised.

(IV)Do not open, or click on, any suspicious e-mails

Even if you have many different countermeasures in place, a trappy e-mail could still arrive at your e-mail box. A basic measure is: not opening any e-mails unknown to you and not clicking on any suspicious attachments or links contained in an e-mail.

There has also been a case in which Japanese words were used for the subject of a trappy e-mail, so you cannot drop your guard just because Japanese words are used. Trappy e-mails typically employ attractive contents, appearance of a billing message, and inquiring words such as "Is this your picture?" to trick people into clicking on such links.

If a security alert window is displayed while you are performing operations on your e-mails, read carefully what is written and if you sense the danger, click the "x" button in the window and do not proceed further.

[Supplementary Information] Countermeasures against "USB-thumb-drive infection virus"

As described in [2] in Section (2), VBMania can spread through USB thumb drive, so it is also a type of "USB-thumb-drive infection virus". By disabling the "auto-exec" feature of Windows, you can avoid the risk of "your PC being infected as a result of connecting a virus-infected USB thumb drive to it."

Disabling this "auto-exec" feature also serves as a countermeasure against other "USB-thumb-drive infection virus", so if you are using Windows XP or Windows Vista, implemtent it by referring to the Web page below *6.

*6 For Windows 7, "auto-exec" feature is disabled by default, so no action is required.

<Reference>

(4)How to Respond to Infection

If VBMania infection is suspected, antivirus software might also have been disabled. Furthermore, VBMania might have replicated itself on such devices as USB thumb drive, external hard disk, and portable music prayer that are connected to the virus-infected PC, as well as a home/corporate network to which the virus-infected PC is connected.

Some security software vendors provide free online removal tools, so tray to clean the virus first.

Note that even if VBMania was removed, the destroyed system might not be restored fully (for example, the disabled antivirus software might not become normal again.) Once the virus has been removed, it is recommended to obtain the backup of important data and to perform initialization (i.e., restoring default settings) on your PC.

For removal tools provided by security software vendors, refer to the following Websites:

<Reference>
  • "Kaspersky Virus Removal Tool 2010" (Kaspersky)
    http://support.kaspersky.com/viruses/avptool2010
  • * By clicking on the link "Installation Guide of Kaspersky Virus Removal Tool 2010", you can move to a Web page that provides explanation on the removal tool"

II. Reporting Status of Computer Virus – further details, please refer to the Attachment 1 –

(1)Reporting Status of Virus

While the virus detection count*1 in September was about 34,000, down 23.1 percent from about 45,000 in August, the virus report count*2 in September was 1,082, down 8.1 percent from 1,177 in August.

*1 Virus detection count: indicates how many times a specific virus appeared in the reports submitted, or the aggregate virus detection counts for a specific period.

*2 Virus report count: indicates how many reports on a specific virus were submitted. If the same type of viruses were reported by the same person with the same detection day, they are counted as one report regarding the virus of that sort.

* In September, the virus report count, which was obtained by consolidating about 34,000 virus detection reports, was 1,082.

W32/Netsky marked the highest detection count at about 27,000, followed by W32/ Mydoom at about 4,000 and W32/Waledac at about 1,000.

Figure 2-1: Virus Detection Count

Figure 2-2: Virus Report Count

(2)Malicious Programs Detected

For the number of malicious programs detected, we have seen a rapid increase in FAKEAV and MALSCRIPT (this is a tentative name and refers to any detected malicious scripts embedded in HTML files for Web pages.) (See Figure 2-3) If you browse such HTML files using a PC having vulnerabilities, the embedded virus is automatically downloaded to that PC, resulting in the virus infection. It is recommended to implement countermeasures against vulnerabilities in your PC on a routine basis.

FAKEAV refers to fake antivirus software.

<Reference>

Figure 2-3: Changes in Virus Detection Count for Malicious Programs

III. Reporting Status of Unauthorized Computer Access (includes Consultations) Please refer to the Attachment 2 for further details

Table 3-1: Reported Number for unauthorized computer access and the status of consultation
  Apr.'10 May Jun. Jul. Aug. Sep.
Total for Reported (a) 11 8 15 14 18 15
  Damaged (b) 10 5 13 9 12 10
Not Damaged (c) 1 3 2 5 6 5
Total for Consultation (d) 39 52 77 44 56 47
  Damaged (e) 16 22 50 23 16 8
Not Damaged (f) 23 30 27 21 40 39
Grand Total (a + d) 50 60 92 58 74 62
  Damaged (b + e) 26 27 63 32 28 18
Not Damaged (c + f) 24 33 29 26 46 44

(1)Unauthorized Computer Access Reported

The report count for unauthorized computer access in September was 15, 10 of which reportedly had certain damages.

(2)Unauthorized Computer Access and Other Related Problems Consulted

The consultation count for unauthorized computer access and other related problems was 47 (6 of which were also included in the report count). 8 of them reportedly had certain damages.

(3)Damages Caused

The breakdown of the damage reports were: intrusion (5); DoS attack (2); Malicious code embedded (2); Others (with damage) (1).

Damages caused by "intrusion" were: a Web page being defaced (3); a tool to attack external sites being embedded into a Web server, which in turn served as a stepping stone for attacking other sites (2). The causes of the intrusion were: week password setting (1) (with one case involving password cracking* attack against a port used for SSH*)), Web application vulnerability being exploited (1). (Causes of other cases not indentified).

Damages caused by "spoofing" included: online service (online game (1), Skype (1), free Web-based e-mail (1), etc.) being used by someone who successfully impersonated a legitimate user and logged on.

Damages caused by "Malicious code embedded" included: a PC that was connected to an organization's LAN was infected with a virus, which in turn was attempting to access an external network.

* SSH (Secure SHell): a protocol that allows someone using one computer to communicate with a remote computer via the network.

* Password cracking: a process of finding out other person's password, e.g., through a password analysis. This includes Brute Force attack and Dictionary attack. There are also password-cracking programs.

(4) Damage Instance

[Intrusion]

(i)Vulnerability in Web application was exploited and Web contents were altered
    <Instance>
  • –I found a trace of Web contents alteration. An iframe tag that refers automatically to an external site was embedded without my knowing it.
  • –Through the inspection, I found that a vulnerability in the plug-in of Contents Management System (CMS) that was used for that Website had been exploited by an attacker to alter Web contents.
  • –I'm planning to install Web Application Firewall (WAF) to enhance security.
(ii)Ftp account information was stolen and Web contents were altered
<Instance>
  • –When I was browsing my company's Web contents, I found some characters unknown to me (which looks like a foreign language but may also be garbled characters) in some parts.
  • –At the same time, the alert message "Trojan House was detected" was displayed by Antivirus Software.
  • –Through the inspection, I found a trace of a suspicious access in a log created by an ftp server for Web contents alternation. Given the time relation (before and after the occurrence of that incident), it is assumed that this access was made by an attacker to alter the Web contents.
  • –I deleted all the Web contents and uploaded them again.
  • –I don't know how the ftp account information was stolen.

IV. Unauthorized Computer Access Consulted

The total number of consultations in September was 2,102. 820 of which were related to "One-Click Billing" (compared to 935 in August); 13 to "Hard Selling of Security Software" (compared to 15 in August); 3 to "Winny" (compared to 4 in August); 2 to "A Suspicious E-Mail Sent to a Specific Organization to Collect Specific Information/Data" (compared to 2 in August)

Table 4-1: Total Number of Consultations Handled by IPA over the Past Six Months
  Apr.'10 May Jun. Jul. Aug. Sep.
Total 2,110 1,881 1,983 2,133 2,432 2,102
  Automatic Response System 1,197 1,091 1,022 1,142 1,298 1,142
Telephone 835 714 829 924 1,053 873
e-mail 81 76 129 66 75 85
Fax, Others 0 0 3 1 6 3

* IPA provides consultation/advises for computer virus, unauthorized computer access, problems related to Winny as well as overall information security.

mail_address
Tel.: +81-3-5978-7509 (24-hour automatic response)
Fax: +81-3-5978-7518 (24-hour automatic response)

*”Automatic Response System”: Numbers responded by automatic response
*”Telephone”: Numbers responded by the Security Center personnel
*Total Number includes the number in the Consultation (d) column in the Table 3-1, “III. Unauthorized Computer Access Reported (including Consultations)”.

Figure 4-1: Changes in the Number of Consultation Regarding One-Click Billing


Major consultation instances are as follows:

(i)A screen of the software "Security Tool" is displayed and PC does not work properly

What was consulted:

When I was browsing a shopping site on the Internet that I visit regularly, an English balloon message appeared in the bottom right corner of the screen. I wondered "What is it?" and clicked on that message. Then a screen of  unknown software "Security Tool" was displayed and each time I restart my PC, it is displayed. This message also appears when I brows Web pages, causing my PC to stop working properly. How can I remove this software?

Response:

Consulter is suffering from what is called "Fake Antivirus Software virus". On September 24th, an incident took place in which an advertisement distribution server was compromised and altered by an attacker through unauthorized access, and those who have browsed Websites subject to this distribution may also have acquired this virus; obviously, this is the case of the consulter. If the PC's OS is Windows XP/Vista/7, we recommend that you perform "System Restore" function to restore the PC's settings back to one day before the Security Tool screen began to appear. (for more information, visit the Website below) If the system restoration was completed normally, scan your PC for viruses by using legitimate antivirus software. If the "System Restore" function does not work properly even in the Safe Mode, you need to perform initialization on your PC. Legitimate antivirus software can prevent the virus infection caused by most of fake antivirus software, so keep it updated and make use of it.

<Reference>

(ii)My son browsed a sexually explicit site, for which a billing screen began to appear .

What was consulted:

-My son accessed a sexually explicit site through a video site and as he clicked on the OK button several times, a billing message began to appear.

-Out of curiosity, my son accessed a sexually explicit site and clicked on the OK button several times in a blind way. Then a billing message began to appear and it remains on the screen.(There have been a number of similar cases.)

Response:

Advice for solving one-click billing has been sought by many people, irrespective of age or sex. Even a minor can access a sexually explicit site and if, out of curiosity, he proceeded by clicking the OK button, he might well fall in this situation. If the PC's OS is Windows XP/Vista/7, we recommend that you perform "System Restore" function to restore the PC's settings back to one day before the billing screen began to appear.

For PCs used by minors, their parents may install software or services that can block access to hazardous sites, so that they could prevent their children from accessing such sites. Generally, "Integrated" antivirus software has various functions, including blocking access to hazardous sites, and it is a good option for those planning to purchase antivirus software.

<Reference>

V. Access Status Captured by the Internet Fixed-Point Monitoring System (TALOT2) in September

According to the Internet Fixed-Point Monitoring System (TALOT2), 115,566 unwanted (one-sided) accesses were observed at ten monitoring points in September 2010 and the total number of sources* was 48,095.  This means on average, 385 accesses form 160 sources were observed at one monitoring point per day. (See Figure 5-1)

*Total number of sources:indicates how many accesses in total were observed by TALOT2.  If multiple accesses from the same source were observed at the same monitoring point/port on the same day, they are considered one access from the specific source on that day.

Since the environment of each monitoring point for TALOT2 is equivalent to that of general Internet connection, an equal number of such accesses are thought to be made in the Internet users’ system environment.

Figure 5-1: Daily, Averaged Number of Unwanted (One-Sided) Accesses and Sources at the Same Monitoring Point/Port per Month

The Figure 5-1 shows daily, averaged number of unwanted (one-sided) accesses and sources at the same monitoring point/port per month (from April 2010 to September 2010). As shown in this Figure, the number of unwanted (one-sided) accesses increased in September compared to August.

The Figure 5-2 shows the September-over-August comparison results for the number of unwanted (one-sided) accesses, classified by destination (port type). As shown in this Figure, the number of access to 17500/udp and 9415/tcp increased significantly in September compared to August. As for 17500/udp, we saw one-time increase around April 2010 and as in the past, access was made from multiple IP addresses within the same segment at a regular interval against a single monitoring point for TALOT 2. Because the existence of software for general users that sends broadcast has been confirmed, this access might have been made by a user of a PC running that software. What was thought to be from multiple IP addresses has turned out to be from one PC which used different IP addresses each time it was connected to the network. Because the rest of the monitoring points were configured to prevent broadcast from reaching the terminal, such access was not detected.

As for 9415/tcp, we saw one-time increase around May 2010 but the number of such access had been decreasing until late August 2010 when it started increasing again. Access to this port has mainly been made from multiple sources in oversea (mainly China) and observed at multiple monitoring points for TALOT2. (See Figure 5-3)  As for this port, software program with the proxy feature that is posted on a Website in China was found to be waiting for this post to open. It is possible that a person with malicious intent was in search for a PC where this software program is installed so that he could use it as a stepping stone to carry out an attack against a Web server, etc.

Figure 5-2: September-over-August Comparison for the Number of Access, Classified by Destination (Port Type)

Figure 5-3: Number of Access for 9415/tcp

* For maintenance work, this system was shutdown from June 18-20.

For more detailed information, please also refer to the following URLs.

Variety of statistical Information provided by the other organizations/vendors is available at the following sites:

Contact

IT Security Center, Information-technology Promotion Agency, Japan (IPA/ISEC)
Tel:+81-3-5978-7527
Fax:+81-3-5978-7518
E-mail: