November 11, 2011
IT Security Center
Information-technology Promotion Agency, Japan (IPA)
This is the summary of computer virus/unauthorized computer access incident report for October 2011, compiled by Information-technology Promotion Agency, Japan (IPA).
"Watch out for a virus with a falsified file name"
~A technique to trick PC users with a benign appearance~
In September 2011, IPA received a large number of virus detection reports regarding a virus called "RLTrap" (about 50,000 reports). This virus's file name is crafted in a way that PC users take it for a benign file from its appearance (mainly the file extension) and open it. A technique like this is not totally new and had already been confirmed around 2006.
Here, we explain how its file name is falsified, so that PC users can avoid being tricked and suffering from the virus infection, and introduce countermeasures to forestall the damage from the virus infection,
This virus falsifies its file name extension by using a Unicode control character, so that such a malignant file looks like benign one. Unicode refers to a standard for consistent encoding, representation and handling of text expressed in languages in the world. Control characters are characters that are defined in character code but are not displayed on the screen, and used to control devices such as printers and communication devices.
The control character used by this virus is RLO (Right-to-Left Override). This control character is designed to reverse a character sequence from "left-to-right" to "right-to-left". This function is used by the people who want to read a language like Arabic that is read from right to left in reverse sequence (i.e., left-to-right), as they would in the case of Japanese and English.
Here, we briefly explain how RLO is used. Let's take a file named "ABCDEF.doc" as an example. Assume that RLO is inserted in front of the file name's first character (i.e., "A") (Note: RLO itself is not displayed). As a result, the character sequence of the file name (including the extension) is reversed from rightward to leftward, which should result in: "cod.FEDCBA" (see Figure 1-1).
Figure 1-1:Usage Example of RLO
By exploiting this function, the file extension "exe" can be spoofed as "pdf".
Here, we introduce a virus mail that IPA has confirmed. Having been zipped, the virus arrived at a user's mailbox as a file attachment, as shown in Figure 1-2.
Figure 1-2:Massage Body of an Actually-Used Virus Mail
Unzipping this file attachment (zipped file) creates an executable file that is spoofed as "HP_SCAN_FORM_N90952011___Collexe.pdf" (see Figure 1-3).
Figure 1-3:Content of a File Attached to a Virus Mail
Note that the content of this file may not be displayed properly with some compression/decompression software. Figure 1-4 shows a display example in such case.
Figure 1-4:Where the content is not displayed properly
IPA conducted an analysis of the RLTrap virus. This virus was found to work only in the Windows 7 environment and to take the following actions on the infected PC:
・Attempts to communicate with a website in Russia. However, as of our analysis, the website in question had already gone away and no communication had been performed. If such communication is performed, another virus might be downloaded and that PC infected with the virus.
・Creates its copy with the name "csrss.exe" and place in a specific Windows folder.
・Deletes its copy once executed.
Basic two measures to forestall the damage from the virus infection are: "making use of antivirus software" and "anti-vulnerability measures". Be sure to implement them.
<i>Make use of antivirus software
By installing antivirus software and keeping its virus list up-to-date, you can prevent the invasion of viruses and clean any viruses already entered. If antivirus software has already been installed, the virus that is used in the aforementioned case could also be detected as it checks for viruses when the PC receives an e-mail, saves an attached file, or opens a file.
It is important to eliminate vulnerabilities in your operating system (e.g., Windows) and applications. In general, applications that have many users tend to be targeted, so they need to have their vulnerabilities eliminated and be kept up-to-date. IPA provides "MyJVN Version Checker", a tool with which PC users can, with simple operations, check whether software products installed on their PC are the latest version.
<iii>Countermeasures against a virus that exploits RLO
In addition to the above-mentioned basic measures, the following measures are also effective in preventing the infection of RLTrap or other virus that exploit Unicode control characters. Specific steps for Windows 7 are as follows:
Enter "secpol.msc" below the Start menu and press the Enter key (see Figure 1-5). For Windows XP, select "Run…" from the Start menu and enter "secpol.msc" in the entry field in the window displayed, and then press the Enter key. Step1 for Widows Vista is similar to that for Windows 7.
Figure 1-5:Step1 for the Countermeasures against RLO
When the Local Security Policy window appears, right-click "Software Restriction Policy" in the left pane of the window, and click "New Software Restriction Policy (S)" in the menu displayed (see Figure 1-6). A similar step applies to Widows XP and Vista.
Figure 1-6:Step2 for the Countermeasures against RLO
In the right pane of the Local Security Policy window, right-click "Add New Rule", and click "New Path Rule (P)" in the menu displayed (see Figure 1-7). A similar step applies to Widows XP and Vista.
Figure 1-7:Step3 for the Countermeasures against RLO
When the "New Path Rule" window appears, enter two asterisks in the entry field titled "Path (P)", place the cursor between the two asterisks and press the right mouse button, and then click "Insert Unicode Control Characters" in the menu displayed and "RLO Start of right-to-left override" in the submenu displayed (see Figure 1-8). A similar step applies to Widows XP and Vista.
Figure 1-8:Step4 for the Countermeasures against RLO
Set the Security Level (S) filed to "Do not allow" and then click the OK button (see Figure 1-9). A similar step applies to Widows XP and Vista.
Figure 1-9:Step5 for the Countermeasures against RLO
Reboot your PC.
By implementing the above-mentioned measures, if you click a file whose name is falsified using RLO, a warning message is displayed (e.g., as shown in Figure 1-10) and thus the execution is deterred.
These measures are also effective in protecting all the PCs within an organization, provided that the organization configures their systems as such (i.e., as group policy).
Measures introduced in this section should not be applied to a PC handling a language read in the "right-to-left" order.
Figure 1-10:A warning message that appears when a file with falsified name is clicked after the countermeasures against RLO are implemented (For Windows 7)
While the virus detection count*1 in October was about 20,409, down 4.1 percent from about 21,291 in September, the virus report count*2 in October was 795, down 12.3 percent from the September level (906).
*1 Virus detection count: indicates how many times a specific virus appeared in the reports submitted, or the aggregate virus detection counts for a specific period.
*2 Virus report count: indicates how many reports on a specific virus were submitted. If the same type of viruses were reported by the same person with the same detection day, they are counted as one report regarding the virus of that sort.
* In October, the virus report count, which was obtained by consolidating about 20,409 virus detection reports, was 795.
W32/Netsky marked the highest detection count at about 11,079, followed by W32/Mydoom at about 7,227 and W32/ Autorun at about 439.
Figure 2-1: Virus Detection Count
Figure 2-2: Virus Report Count
In October, there was no noticeable change. RLTRAP that showed a significant increase in September was detected in large quantity only one day in the second half of October (See Figure 2-3).
Figure 2-3: Malicious Program Detection Count
|Total for Reported (a)||7||9||8||10||7||15|
|Not Damaged (c)||1||0||3||2||2||7|
|Total for Consultation (d)||55||32||47||37||31||46|
|Not Damaged (f)||41||25||32||24||23||39|
|Grand Total (a + d)||62||41||55||47||38||61|
|Damaged (b + e)||20||16||20||21||13||15|
|Not Damaged (c + f)||42||25||35||26||25||46|
The report count for unauthorized computer access in October was 15, 8 of which reportedly had certain damages.
The consultation count for unauthorized computer access and other related problems was 46. 7 of them reportedly had certain damages.
The breakdown of the damage reports were: intrusion (4); Spoofing (3), DoS (1).
Damages caused by "intrusion" were: a web page being defaced (3); personally identifiable information was stolen from a database (1). Causes of "intrusion" were: a vulnerability in a web application being exploited (1); improper WebDAV settings (1) (other cases remain unknown).
Damages caused by "spoofing" were: spam e-mails being sent by someone who successfully impersonated a legitimate user and logged on to a system (3).
*WebDAV: Extended version of HTTP. It enables the edition of files or folders on a web server from a web browser, and/or version control from a web browser.
The total number of consultations in October was 1,496. 419 of which were related to "One-Click Billing" (compared to 477 in September); 7 to "Fake Security Software" (compared to 2 in September); 12 to "Winny" (compared to 19 in September); 9 to "A Suspicious E-Mail Sent to a Specific Organization to Collect Specific Information/Data" (compared to 2 in September)
|Automatic Response System||950||999||889||958||936||865|
* IPA set up "Worry-Free Information Security Consultation Service" that provides consultation/advises for computer virus, unauthorized computer access, problems related to Winny as well as overall information security.
*”Automatic Response System”: Numbers responded by automatic response
*”Telephone”: Numbers responded by the Security Center personnel
*Total Number includes the number in the Consultation (d) column in the Table 3-1, “III. Unauthorized Computer Access Reported (including Consultations)”.
Figure 4-1: Changes in the Number of Consultation Regarding One-Click Billing
Major consultation instances are as follows:
While browsing a book selling company's website, my PC was infected with a virus and fake security software began to be launched.
Is it possible for one to suffer damages like this during a visit to even a leading company's website? If so, what sort of cautions should general users take to prevent damages like this?
We have also confirmed this kind of case in a security-related news site. From several years ago, there have been cases where an enterprise's website was defaced by an external entity who gained unauthorized access to it and a malicious code/trap embedded to infect the site visitors' PC with a virus.
To prevent a virus infection by visiting a defaced website like this, general users need to keep their antivirus software up-to-date and to eliminate vulnerabilities in their OS and applications, which are effective, basic countermeasures.
For Website operators: Security alert on Website alteration
For general users: Security alert on virus-infection via an altered Website
http://www.ipa.go.jp/security/topics/20091224.html (in Japanese)
When I was using a PC that I bought recently, unfamiliar security software began to be launched.
Looking back, I was browsing websites on the Internet without waiting for the completion of the initial Windows Update process. Was this wrong?
Since you did not wait for the completion of the Windows Update process and browsed a malicious website, an unremedied vulnerability in your PC was apparently exploited and your PC was infected with the virus. When you use a new PC, it is recommended to apply all the updates available and bring antivirus software up-to-date and then perform other tasks.
For information on how to deals with an infected PC, refer to the following web page.
Reminder for the June 2010 issue, "Serious Damages Caused by False Antivirus Software" (IPA)
According to the Internet Fixed-Point Monitoring System (TALOT2), 109,390 unwanted (one-sided) accesses were observed at ten monitoring points in October 2011 and the total number of sources* was 42,844. This means on average, 352 accesses form 138 sources were observed at one monitoring point per day. (See Figure 5-1)
*Total number of sources:indicates how many accesses in total were observed by TALOT2. If multiple accesses from the same source were observed at the same monitoring point/port on the same day, they are considered one access from the specific source on that day.
Since the environment of each monitoring point for TALOT2 is equivalent to that of general Internet connection, an equal number of such accesses are thought to be made in the Internet users’ system environment.
Figure 5-1: Daily, Averaged Number of Unwanted (One-Sided) Accesses and Sources at the Same Monitoring Point/Port per Month (May 2011 to October 2011)
The Figure 5-1 shows daily, averaged number of unwanted (one-sided) accesses and sources at the same monitoring point/port per month (from May 2011 to October 2011). As shown in this figure, the number of unwanted (one-sided) accesses in October was almost the same level as that of September.
The Figure 5-2 shows the October-over-September comparison results for the number of unwanted (one-sided) accesses, classified by destination (port type). As shown in this figure, access to 445/tcp has significantly decreased while access to 51499/udp, 80/tcp, and 8612/udp has increased.
As for 51499/udp and 8612/udp, it has yet to be identified why these ports were accessed as they are not the ones used by a specific application, but access to both ports was observed only at a single monitoring point.
As for 80/tcp, access from many sources in the U.S and several other countries to multiple monitoring points for TALOT2 has increased temporarily in the second half of October (See Figure 5-3). This port is used mainly by HTTP that is a protocol for web access, but it has yet to be identified why access to this port has increased at this time of year.
Figure 5-2: October-over-September Comparison for the Number of Access, Classified by Destination (Port Type)
Figure 5-3: Access to 80/tcp (Total Number of Accesses Observed at Ten Monitoring Points)
For more detailed information, please also refer to the following URLs:
IT Security Center, Information-technology Promotion Agency, Japan (IPA/ISEC)