IT Security Center

The Information-technology Security Center (ISEC) is the center for promoting information security in Japan.

Computer Virus/Unauthorized Computer Access Incident Report January 2008


February 22, 2008
IT Security Center
Information-technology Promotion Agency, Japan (IPA)

This is a summary of computer virus/unauthorized computer access incident reports for January 2008 compiled by IPA.


I. Reminder for the Month:

Be Minded, Idleness is the VIRUS Workshop *

- Be cautious with the Harada virus, a so-called destructive type of virus! -

  *The 3rd Information Security Catch-phrase for October 2007 (the prize went to Mr. HAYASHI Takuya of a junior high school in Toyama Prefecture, when IPA solicited catch-phrases nationwide from children in elementary school through high school).

 

Since the developer of the Harada virus was arrested at the end of January, IPA has received a rush of consultations and inquiries. The Harada virus spreads over the networks used by file sharing software such as Winny. It is a destructive type of virus that deletes files, and it is every bit as malicious as Antinny, an exposure type of virus that leaks information. Users should therefore be aware that files distributed on file sharing networks always carry potential risks.

(1) The Features of Harada Virus*

The Harada virus usually masquerades as image files whose names contain well-known animation titles and character names, in order to infect users who search file sharing networks for such images. When a computer is infected, the image shown in Chart 1-1 appears on its display; some variants show animated characters instead of people. As soon as the image is shown, the virus replaces every still image file and moving image file on the computer with the image file shown in Chart 1-1, so that those files are destroyed. Because of this behaviour, the Harada virus is also referred to as a destructive type of virus.

(2) How to Prevent Infection

The Harada virus masquerades as image files. You can identify such spoofed files by checking the file extension in the manner described below; the extension indicates the type of data stored in the file.

It then prompts you to click the button shown in Chart 1-1(b) if you wish to know further details of the problems. In fact, clicking the button induces you to download phony security software. Such phony software often behaves differently from legitimate security software: once installed, it continually displays messages prompting you to purchase it, over and over, until you pay with your credit card.

(a) Extension display

In the default configuration of Windows, file extensions are not shown. Be sure to change the configuration so that extensions are displayed, following the procedure below.

(i) If you are a Windows XP user

In My Computer or Explorer, select Tools, then Folder Options, then the View tab from the menu, and clear the check box "Do not display extensions being registered" (labelled "Hide extensions for known file types" in English versions of Windows).

*Harada virus: the developer's actual name is not Harada. The author used one of his friends' names for his creation without asking.

(ii) If you are a Windows Vista user

From the Start button, select Control Panel, then Desktop Customize, then Folder Options, then the View tab, and clear the same check box "Do not display extensions being registered".

 

(b) How to check extensions

Charts 1-2(i) and 1-2(ii) are examples of legitimate files. The extension of the file in Chart 1-2(i) is avi, which indicates a moving image file. In Chart 1-2(ii), however, the last part of the file name is replaced by "..." and you cannot see the extension: the file name is too long to display in full. In Windows, when a file name is longer than the default display length, the rest of the name is shown as "...". The actual name of the file in Chart 1-2(ii) is "Oldest son's sports festival at the athletic field of his elementary school in October 2007.avi", and it is a legitimate moving image file.
Charts 1-2(iii) and 1-2(i) look nearly the same at a glance, but on closer inspection something follows the name of the file in Chart 1-2(iii): that name, too, is too long to display in full. The actual name of the file in Chart 1-2(iii) is "Moving Images.avi(----- blank -----).exe", so its real extension is .exe. This is an application program, not a moving image file at all. Because of the many spaces inserted between .avi and .exe, the name is not displayed in full, and most users would take the extension to be .avi rather than .exe. If the file in Chart 1-2(iii) were a virus and you double-clicked it believing it to be a moving image file, you would be infected immediately. If you encounter such a file, do not double-click it; first identify the file type as described in (c) below.

(c) Property identification of the file

To identify the extension of the file in Chart 1-2(iii), right-click the icon of the file as shown in Chart 1-3(i). When a menu like the one in Chart 1-3(ii) appears, choose Properties at the bottom. When a dialog like Chart 1-3(iii) is displayed, the full file name is shown at the top of the General tab. In this case several spaces follow .avi, and at the very end you can see the actual extension, .exe, which indicates an executable file. Furthermore, a legitimate moving image file would show "Video Clip" as its file type, whereas this file shows "Application", so you can easily see that it is an executable and not a moving image file. This is a typical example of a virus that camouflages its appearance.
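The check in (b) and (c) can be applied to a whole download folder at once. The following Python function is an added example, not part of the IPA report: it derives the extension Windows actually uses (the text after the final dot) and the decoy extension a user would read in a truncated listing, and flags the combinations that warrant the Properties check. The extension sets and the sample file names are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed lists for this example, not exhaustive: extensions Windows
# runs as a program on double-click, and extensions users expect for media.
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "pif"}
MEDIA_EXTS = {"avi", "mpg", "mpeg", "wmv", "jpg", "jpeg", "gif", "png", "bmp"}


@dataclass
class NameCheck:
    name: str
    apparent_ext: str  # the extension a user would read in a truncated listing
    actual_ext: str    # text after the final '.', which is what Windows uses
    padded: bool       # spaces inserted between the decoy and the real extension
    suspicious: bool


def check_filename(name: str) -> NameCheck:
    """Compare the extension a user is likely to see with the one Windows uses."""
    if "." not in name:
        return NameCheck(name, "", "", False, False)
    stem, actual = name.rsplit(".", 1)
    actual = actual.strip().lower()
    # A decoy extension sits at the end of the stem, optionally followed by a
    # run of ASCII or full-width spaces that pushes the real one out of view.
    decoy = re.search(r"\.([A-Za-z0-9]{1,5})([ \u3000]*)$", stem)
    if decoy:
        apparent, padded = decoy.group(1).lower(), len(decoy.group(2)) > 0
    else:
        apparent, padded = actual, False
    # Flag what the Properties check in (c) would reveal: a file that Windows
    # will execute, disguised by padding or by a media-style decoy extension.
    suspicious = actual in EXECUTABLE_EXTS and (padded or apparent in MEDIA_EXTS)
    return NameCheck(name, apparent, actual, padded, suspicious)


def scan(names):
    """Return the names that should be inspected via Properties before opening."""
    return [c.name for c in map(check_filename, names) if c.suspicious]


# Constructed sample listing modelled on the report's Chart 1-2 examples.
SAMPLE = [
    "Oldest sons sports festival at the athletic field of his elementary school in October 2007.avi",
    "Moving Images.avi" + " " * 40 + ".exe",
    "setup.exe",
    "holiday.jpg",
    "clip.scr" + " " * 30 + ".exe",
    "clip.avi.exe",
]

if __name__ == "__main__":
    for n in SAMPLE:
        c = check_filename(n)
        print(f"{'SUSPECT' if c.suspicious else 'ok':7} "
              f"shown=.{c.apparent_ext:<4} real=.{c.actual_ext:<4} {n[:40]!r}")
```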

(d) How to prevent infection

Be aware that, like the Harada virus, some viruses camouflage their appearance. If a file you wish to use seems at all suspicious, check its type in advance using one of the methods above; this lowers the risk of infection by the Harada virus and others. If you find a file with the features of the Harada virus, delete it immediately. In Windows, deleted files are moved to the Recycle Bin; for further safety, empty the Recycle Bin after deleting them.

(3) If Infected

If your computer is infected by the Harada virus, the application programs and private data stored on it, such as image data and pictures taken with a digital camera, are all destroyed as described in (1) The Features of Harada Virus above, and unfortunately there is no method of restoring them.
The only way to restore the destroyed data is to recover it from external storage media such as an external hard disk, DVD or CD. Since nobody can tell when damage will occur, we strongly recommend backing up your important data routinely.

<Reference>

IPA Seven Virus Requirements for Computer Users

http://www.ipa.go.jp/security/english/virus/antivirus/7RulesV.html

IPA Five Anti-spyware Requirements for Computer Users (in Japanese)

http://www.ipa.go.jp/security/antivirus/spyware5kajyou.html

 

II. Reporting Status for Computer Viruses (for further details, please refer to Attachment 1)

The detection number*1 of viruses was about 0.31 million, a decrease of 8.5% from about 0.34 million reported in December 2007. The reported number*2 of viruses was 2,046, also a decrease of 8.7% from 2,239 in December 2007.

*1 Detection number: the cumulative count of viruses found by a filer, as reported.
*2 Reported number: the aggregated count of reports. Viruses of the same type and their variants reported by the same filer on the same day are counted as one case, regardless of how many viruses were actually found. In January the reported number was 2,046, aggregated from a detection number of about 0.31 million.

The virus with the highest detection number was W32/Netsky at about 0.29 million, followed by W32/Mytob at about 0.01 million and W32/Mydoom at about 0.0025 million.

 

Chart 2-1

Chart 2-2

Note: numbers in parentheses are the figures for the previous month.

 

III. Reporting Status of Unauthorized Computer Access (including Consultations) (please refer to Attachment 2 for further details)

Report for unauthorized computer access and status of consultations

                              Aug.  Sept.  Oct.  Nov.  Dec.  Jan.'08
Total Reported (a)              16     10    10    15    14       8
  Damaged (b)                   13      8     9    11     7       7
  Not Damaged (c)                3      2     1     4     7       1
Total Consultations (d)         23     27    37    31    21      24
  Damaged (e)                   15     12    22    17    16      15
  Not Damaged (f)                8     15    15    14     5       9
Grand Total (a + d)             39     37    47    46    35      32
  Damaged (b + e)               28     20    31    28    23      22
  Not Damaged (c + f)           11     17    16    18    12      10


(1) Reporting Status for Unauthorized Computer Access

The reported number for November was 8, of which 7 involved actual damage.

(2) Accepting Status for Consultations relevant to Unauthorized Computer Access

The number of consultations relevant to unauthorized computer access was 24, of which 15 (3 of them also counted in the reported number) involved some sort of damage.

(3) Status of Damage

The breakdown of reported damage was: intrusion, 3; others (damaged), 4. In all 3 reported intrusions the server was exploited as a stepping stone for attacks on other sites. The causes of intrusion were password cracking* attacks on the port used by SSH* (2 cases) and an attack on a vulnerability in ftpd (an FTP server program) (1 case). Under others (damaged), in 1 case a legitimate user's avatar items and virtual money for an RPG (role playing game) went missing.

*SSH (Secure Shell): a protocol for communicating with remote computers over a network.
*Password cracking: the act of searching for or analysing a legitimate user's password. Password cracking includes brute force (exhaustive) attacks and dictionary attacks, and programs for cracking also exist.

(4) Damage Instances:

[Intrusion]

(i) Web site was altered

<Instance>

-   We were informed from outside: "We have been attacked by the server you manage."

-   The server was carefully examined, and we realized that the port used by SSH had been subjected to a password cracking attack, which eventually allowed intrusion.

-   In addition, we realized that tools for attacking outside sites had been planted and executed.

-   Our business rules require that, when operating SSH, users be identified via public key authentication*; in fact, however, users were being authenticated by their passwords.

*Public key authentication: an authentication method that uses a public key and private key pair to identify the user.
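The instance above turned on a gap between policy (public key authentication) and what sshd actually enforced (passwords). As an added example, not IPA's or OpenSSH's code, the following Python script audits the global section of an sshd_config for that gap, taking into account that sshd uses the first value given for a keyword and that Match blocks are conditional; the two configuration texts and the subnet in them are constructed for this example.

```python
import re
from typing import Dict, List

# Hypothetical audit helper. It reads the global section of an sshd_config and
# reports whether password logins remain possible. Two OpenSSH rules matter:
# the FIRST value given for a keyword wins (a later hardening line is silently
# ignored), and settings inside a "Match" block apply only to that block, so
# the global section ends at the first Match line.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    # keyboard-interactive auth; with PAM this usually still prompts for a
    # password (newer OpenSSH spells the keyword KbdInteractiveAuthentication)
    "challengeresponseauthentication": "yes",
}

def effective_global_settings(config_text: str) -> Dict[str, str]:
    """Return the keyword values sshd will actually use outside Match blocks."""
    settings = dict(DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$", line)  # "Key value" / "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            break                               # conditional section: stop here
        if key not in seen:                     # first occurrence wins
            seen.add(key)
            settings[key] = value
    return settings

def password_login_findings(config_text: str) -> List[str]:
    """List the reasons password authentication is still reachable, if any."""
    s = effective_global_settings(config_text)
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is effectively 'yes'")
    if s["challengeresponseauthentication"] != "no":
        findings.append("ChallengeResponseAuthentication is effectively 'yes'")
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is disabled")
    return findings

# Constructed configs. WEAK mirrors the reported incident: the policy says keys
# only, but the distribution default stays first and the later "no" is ignored.
WEAK = """\
PasswordAuthentication yes
PubkeyAuthentication yes
# added by the operator to enforce the key-only policy, but never takes effect
PasswordAuthentication no
"""

HARDENED = """\
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""
```

Running `password_login_findings(WEAK)` returns two findings and `password_login_findings(HARDENED)` returns an empty list; the Match block in HARDENED is deliberately not reported, since it only applies to the constructed subnet.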

[Others (Damaged)]

(ii) Items used in an online game went missing

<Instance>

-   I am a member of an RPG (role playing game).

-   One day, when I started up my computer at home, the log message "the line is disconnected" was displayed.

-   Feeling suspicious, I investigated and realized that some items and virtual money for my avatar in the game were missing. The cause is not yet clarified.

 

IV. Accepting Status of Consultations

The gross number of consultations in January 2008 was 408. These included 28 consultations relevant to one-click billing fraud (December: 43), 17 relevant to Winny (December: 19) and 10 relevant to hard selling of phony security software (December: 11).

Trend in the total number of consultations accepted by IPA, by method

                              Aug.  Sept.  Oct.  Nov.  Dec.  Jan.'08
Total                         1013    910  1128   911   389     408
  Automatic Response System    593    544   669   520   222     219
  Telephone                    374    310   397   337   109     151
  e-mail                        43     55    57    52    56      38
  Fax, Others                    3      1     5     2     2       0

*IPA provides consultation and advice on computer viruses and unauthorized computer access as well as on other overall security issues.

Mail: [address not rendered on this page] for virus issues, [address not rendered on this page] for crack issues.

Tel.: +81-3-5978-7509 (24-hour automatic response)

Fax: +81-3-5978-7518 (24-hour automatic response)

*The Total figures include the numbers in the Consultation (d) column of the chart in IV. Reported Status for Unauthorized Computer Access and V. Accepting Status of Consultation.

*Automatic Response System: number accepted by the automatic response system
*Telephone: number accepted by Security Center personnel

 

<Reference>

Shift in the number of consultations relevant to one-click billing fraud

The major consultation instances are as follows.

(i) Infected by the Harada virus via file(s) downloaded with Winny

Consultation:

I opened a file downloaded with Winny, believing that it was a moving image file, and "Harada virus OO" was displayed on my computer. The icon looked like a moving image file and its extension seemed to be .scr, meaning screen saver; but the actual extension, .exe, was attached at the very end of the file name after lots of spaces. All the programs and image files I had saved on that computer were appended with/destroyed by the image of "Harada virus OO". I had used anti-virus software, but nothing could be detected. Fortunately, the programs and image files could be recovered in an hour or so from backup files.

Response:

Data destroyed by a virus is difficult to restore, so routinely keeping backup copies of your important data is an effective measure against such risks.

In addition, file sharing networks such as Winny distribute a number of vicious viruses besides the Harada virus (a "destructive" type), for example Antinny (an "exposure" type that leaks information). Be aware that certain risks are inherent in file sharing networks in which an unspecified number of people participate. If you do not want to be infected by a virus, it is reasonable not to use file sharing software at all.

<Reference>

IPA: To prevent information leakage accidents via Winny (in Japanese)

http://www.ipa.go.jp/security/topics/20060310_winny.html

 

(ii) Infected by a virus via a file downloaded with Cabos?

Consultation:

My computer suddenly shut off when I opened a file downloaded with Cabos, a file sharing program. When I turned the power on again, some English phrases including "In God We Trust" appeared, but the computer was totally disabled. Is my computer infected by a virus? The anti-virus software detected nothing. What should I do?

Response:

It is probable that your computer is infected by a newly emerged virus that your anti-virus software could not detect. Moreover, it is difficult to remove a virus when the computer does not behave properly. With Windows XP, you can restore the computer using its "Restoration Option"; if that does not work, you have to initialize the computer.

For your further information, opening a file whose source is unknown is the riskiest activity from the viewpoint of anti-virus measures. All users, not only you, must be aware of the risks attached to file sharing networks in which such risky files are distributed.

<Reference>

Microsoft: How to start your computer by using the Last Known Good Configuration feature in Windows XP

http://support.microsoft.com/kb/307852/en-us

 

V. Accessing Status Captured by the Internet Monitoring (TALOT2) in January

According to the Internet Monitoring (TALOT2), the total number of unwanted (one-sided) accesses in January 2008 was 244,657 across 10 monitoring points. That is, there were 789 accesses from 227 source addresses per monitoring point per day.

Since each TALOT2 monitoring environment is nearly equivalent to the general connection environment used for the Internet, the same amount of unwanted (one-sided) access can be assumed for general Internet users' connections. In other words, your computer is being accessed from 227 unknown source addresses per day on average, or about 3 times from each source address considered unauthorized.

Chart 5-1 Number of Accesses and Number of Source Addresses per Monitoring Point per Day (Average)

Chart 5-1 shows the number of unwanted (one-sided) accesses and the number of source addresses per monitoring point per day from August 2007 to January 2008. Both figures for January were slightly higher than in December 2007, but remained stable overall.

The accessing status in January 2008 was slightly higher than in December 2007. The cause was an increase in accesses to port 135/tcp, which appeared to target a vulnerability in Windows. In contrast, the accesses to port 1028/udp (originating mainly from Canada) that sent pop-up messages exploiting the Windows Messenger service in December 2007 decreased.

(1) Accesses Targeting Port 135/tcp

In January, accesses targeting port 135/tcp increased. These accesses appeared to target a vulnerability in Windows: accesses to port 135/tcp originating mainly from Japan had been tending to increase since Microsoft released the security bulletin MS07-058 in October 2007.

<Referential Information>

Observation Status Captured by the Internet Monitoring (TALOT2) in October 2007

http://www.ipa.go.jp/security/english/virus/press/200710/TALOT200710.html

Security Information by Microsoft (MS07-058): Vulnerability in RPC Could Allow Denial of Service (933729)

http://www.microsoft.com/technet/security/bulletin/MS07-058.mspx

In November and December 2007, accesses to port 135/tcp decreased; in January 2008, however, accesses originating from China increased moderately (see Chart 5-2).

Chart 5-2: Number of Source Addresses Accessing Port 135/tcp from China per Day

These accesses appeared to come mainly from bots. It is likely that they will increase further; all users should take the necessary anti-bot and unauthorized computer access measures by referring to the following URLs.

<Referential Information>

Brochure for anti-bot/unauthorized computer access measures

http://www.ipa.go.jp/security/english/virus/antivirus/shiori-e.html

CCC (Cyber Clean Center), the collaboration project by MIC (Ministry of Internal Affairs and Communications) and METI (Ministry of Economy, Trade and Industry)

https://www.ccc.go.jp/en_index.html

Knowledge how to prevent infection (CCC) (in Japanese)

https://www.ccc.go.jp/knowledge/

For further details, please refer to the following URL as well.

Attachment_3 Observation Status Captured by the Internet Monitoring (TALOT2)

http://www.ipa.go.jp/security/english/virus/press/200801/documents/TALOT2-0801.pdf

Please also refer to the following URLs for the respective reports (virus/crack).

Summary Reporting Status for Computer Virus/Unauthorized Computer Access for January

http://www.ipa.go.jp/security/english/virus/press/200801/documents/Summary0801.pdf

Attachment_1 Computer Virus Incident Report

http://www.ipa.go.jp/security/english/virus/press/200801/documents/Virus0801.pdf

Attachment_2 Unauthorized Computer Access Incident Report

http://www.ipa.go.jp/security/english/virus/press/200801/documents/Crack0801.pdf

 


Various statistics provided by other organizations/vendors are published on the following sites


@police:      http://www.cyberpolice.go.jp/english/
Trendmicro: http://us.trendmicro.com/
McAfee:      http://www.mcafee.com/us/

 


Contact
IT Security Center, Information-technology Promotion Agency, Japan (IPA/ISEC)
Tel: +81-3-5978-7527

Fax: +81-3-5978-7518

E-mail:








Copyright(c) Information-technology Promotion Agency, Japan. All rights reserved 2005