Computer Virus/Unauthorized Computer Access Incident Report February 2008


March 18, 2008
IT Security Center
Information-technology Promotion Agency, Japan (IPA)

This is a summary of computer virus/unauthorized computer access incident reports for February 2008 compiled by IPA.


I. Reminder for the Month:

Virus alerts!? on a site I usually visit

- Be cautious of the traps hidden in websites!! -

Cases in which a business or personal website that a user regularly visits suddenly triggers a virus alert from anti-virus software have been increasing. The main cause is that the website has a vulnerability* that is exploited by an attacker with malicious intent, who alters the web pages so that they infect visitors with a virus.

*vulnerability

In the IT security field, vulnerability usually refers to a weakness that can disable the security functions of a system, network, application or protocol, or that can cause unexpected behaviour, arising from errors in design or implementation. It also refers to an insufficient security configuration. Vulnerabilities are commonly called security holes.

(1) The mechanism of infection via a vulnerability

Below, what the attacker does and how website users are infected with a virus is briefly explained.

(i)

First, the attacker searches the Internet for websites that have a vulnerability and then alters the site by exploiting the security hole.

(ii)

For example, the attacker covertly embeds in the web page a command that, without the user realizing it, leads the user to a site where the virus is hosted.

(iii)

The user visits the altered website and views the page in which the virus command is hidden. As a result, the command is executed automatically: because the user does not know that a malicious web page is being accessed, the computer is infected with the virus. Worse still, the part of the page in which the virus is embedded is designed to be invisible on the screen, so it is hard to realize that an infection has occurred.

(2) Countermeasures

Since it is difficult for a website user to check whether a site has a vulnerability, website developers and managers are expected to prevent their sites from becoming malicious.

(i) Website developer

Since most web pages are created individually by each website, how far security is taken into account depends on the developer's engineering ability. Once a vulnerability exists, it is difficult to apply patches to web pages that are already in operation; accordingly, preventive measures against vulnerabilities must be taken at the initial stage. Please refer to the following sites on how to create a sufficiently secure website.

<Reference>

How to Create Secure Websites (in Japanese)

http://www.ipa.go.jp/security/vuln/websecurity.html

SECURE PROGRAMMING COURSE (in Japanese)

http://www.ipa.go.jp/security/awareness/vendor/programmingv2/

(ii) Website Manager

A website manager must take the following measures.

(a)

The web pages (HTML*) of the website, the fundamental software of the web server (OS), the application software installed on it and the network server software should always be kept up to date so that any vulnerabilities in them are resolved.

(b)

Check regularly whether the web pages are in a sound state (we encourage you to install an off-the-shelf alteration detection tool, etc.).

(c)

The web server that operates the website should be properly managed to prevent unauthorized access.

*HTML:

Acronym of Hyper Text Markup Language, the language used to code web pages.

<Reference>

Vulnerability: are you aware of it? The threats and mechanisms hidden in web pages (animated for easy understanding) (in Japanese)

http://www.ipa.go.jp/security/vuln/vuln_contents/

Guidance on how to address vulnerabilities, for website managers (in Japanese)

http://www.ipa.go.jp/security/fy19/reports/vuln_handling/

JVN iPedia, the vulnerability countermeasure information database (in Japanese)

http://jvndb.jvn.jp/
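What an alteration-detection check of the kind recommended in (b) does, as an added example that is not IPA's code or any vendor's tool: a SHA-256 baseline of the published files is taken right after a verified deployment and the live tree is compared against it later. The directory layout, file names and injected strings are constructed for the demonstration.

```python
"""Alteration detection for a website's published files: baseline hashes, then compare."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(root, manifest):
    """Record the known-good state right after a verified deployment."""
    Path(manifest).write_text(json.dumps(hash_tree(root), indent=1, sort_keys=True))


def check_against_baseline(root, manifest):
    """Compare the live tree with the baseline. Empty lists mean no alteration;
    a modified page or an unexpected new file is what a defacement looks like."""
    baseline = json.loads(Path(manifest).read_text())
    current = hash_tree(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed site in a temp dir: baseline it, alter it as described in the
    report (invisible content injected into a page, a file dropped), re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "htdocs"
        (site / "img").mkdir(parents=True)
        (site / "index.html").write_text("<html><body>Welcome</body></html>")
        (site / "img" / "logo.txt").write_text("logo placeholder")
        manifest = Path(tmp) / "baseline.json"  # in practice kept off the web server
        save_baseline(site, manifest)
        # Constructed alteration: zero-size frame pointing at a placeholder host.
        (site / "index.html").write_text(
            "<html><body>Welcome<iframe src='http://example.invalid/' "
            "width='0' height='0'></iframe></body></html>")
        (site / "x.php").write_text("<?php /* constructed dropped file */ ?>")
        return check_against_baseline(site, manifest)


if __name__ == "__main__":
    print(demo())  # {'modified': ['index.html'], 'added': ['x.php'], 'removed': []}
```

The manifest only proves anything if an intruder who can alter the pages cannot also rewrite it, so store it and run the comparison from a separate, read-only location.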

(iii) Countermeasures for Users

Website users should take the following measures to prevent potential damage.

(a)

The fundamental software (OS) of your computer and its application software (word processors, spreadsheets, music players, video viewing software, etc.) should always be kept up to date so that potential vulnerabilities in them are resolved.

(b)

The virus signatures of anti-virus software should always be up to date when it is used.

<Reference>

How to use Microsoft Update and Windows Update (Microsoft)

http://www.microsoft.com/protect/computer/updates/mu.mspx

Currently, when a user searches for a specific site by entering a keyword in a search engine, some lurking malicious sites also appear among the results. This is one of the malicious techniques that exploit search engine functions, called SEO poisoning (Search Engine Optimization poisoning). It exploits user psychology: users are likely to click the sites listed on the top pages of the results and perceive them as safe, so they are induced to click a link that leads to a malicious site.

Search engine providers strive to take measures to prevent malicious sites from being retrieved, but users too should confirm a link before casually clicking a URL.

If anything feels suspicious while browsing a link, go back or close the page and do not proceed.

Although this differs from the technique of altering web pages by exploiting a vulnerability in a legitimate site, be sure to remember that there is the same potential for virus infection.

II. Reporting Status for Computer Virus (for further details, please refer to Attachment 1)

The detection number*1 of viruses was about 0.26M, a 16.6% decrease from about 0.31M in January. In addition, the reported number*2 of viruses was 1,854, also a decrease of 9.4% from 2,046 in January.

*1 Detection Number: cumulative count of viruses found by a reporting party (filer).
*2 Reported Number: aggregated count: viruses of the same type and their variants reported by the same filer on the same day are counted as one case, regardless of how many viruses were actually found. In January, the reported number was 2,046 and the aggregated virus detection number was about 0.31M.

The virus with the worst detection number was W32/Netsky with about 0.24M, followed by W32/Mytob with about 0.0056M and W32/Fujacks with about 0.0045M.

Chart 2-1

Chart 2-2

Note) Numbers in parentheses are the numbers for the previous month.

III. Reporting Status of Unauthorized Computer Access (including Consultations) (for further details, please refer to Attachment 2)

Report for unauthorized computer access and status of consultation

                         Sept.  Oct.  Nov.  Dec.  Jan.'08  Feb.
Total Reported (a)          10    10    15    14        8     4
  Damaged (b)                8     9    11     7        7     4
  Not Damaged (c)            2     1     4     7        1     0
Total Consultation (d)      27    37    31    21       24    29
  Damaged (e)               12    22    17    16       15    10
  Not Damaged (f)           15    15    14     5        9    19
Grand Total (a + d)         37    47    46    35       32    33
  Damaged (b + e)           20    31    28    23       22    14
  Not Damaged (c + f)       17    16    18    12       10    19

(1) Reporting Status for Unauthorized Computer Access

The number of reports for February was 4, all of which involved actual damage.

(2) Accepting Status for Consultations relevant to Unauthorized Computer Access

The number of consultations relevant to unauthorized computer access was 29, of which 10 involved some sort of damage.

(3) Status of Damage

The breakdown of reported damage was: intrusion 1, DoS 4, and others (damaged) 2. The reported intrusion damage was a server being exploited as a stepping stone to attack other sites. The cause of the intrusion was a password cracking* attack on the port used by SSH*. As for the others (damaged) category, one case was a legitimate user's avatar items and virtual money for an RPG (role-playing game) going missing.

*SSH (Secure Shell): A protocol for communicating with remote computers over a network.
*Password cracking: The act of searching for or analyzing a legitimate user's password. Password cracking includes brute-force (exhaustive) attacks and dictionary attacks. Programs for cracking also exist.

(4) Damage Instances:

[Intrusion]

(i) Attacked on the port used by SSH and intruded…

<Instance>

- "We have been accessed in what seems to be a preliminary survey for fraudulent access from the computer you are managing," we were told from outside.

- The server was carefully examined and it was realized that the port used by SSH had been subjected to a password cracking attack: as a result, the server allowed intrusion and the administrator privilege was taken over.

- In addition, it was realized that tools to attack outside systems had been planted and executed.

- Since the server was a test installation, the necessary level of security was not configured and monitoring was lacking, so it took time to realize the intrusion.

*Public key authentication: An authentication method that uses a public/private key pair to verify a user's identity.
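A log check of the kind the server manager lacked in the case above, added here as an example and not part of the IPA report: it counts failed password logins per source address in sshd's syslog output and flags a password login that succeeded from a source which had already crossed the failure threshold. The log lines are constructed and the threshold of 10 is an assumption.

```python
import re
from collections import defaultdict

# Failed and successful authentications as sshd writes them to syslog.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")

def analyse(lines, threshold=10):
    """Count failed password logins per source address, flag sources at or above
    the threshold (an assumed value), and record any password login that succeeded
    from a source that had already crossed it: the pattern in the reported case."""
    failures = defaultdict(int)
    users = defaultdict(set)
    compromised = []
    for line in lines:
        m = FAILED.search(line)
        if m:
            user, src = m.groups()
            failures[src] += 1
            users[src].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, src = m.groups()
            # Key-based logins are not counted: only a password success after
            # many failures matches the intrusion described above.
            if method == "password" and failures.get(src, 0) >= threshold:
                compromised.append((src, user))
    return {
        "suspects": sorted(src for src, n in failures.items() if n >= threshold),
        "failures": dict(failures),
        "users": {src: sorted(u) for src, u in users.items()},
        "compromised": compromised,
    }

def _failed(ts, pid, user, src, port, invalid=False):
    """Build one constructed 'Failed password' line in sshd's syslog format."""
    who = f"invalid user {user}" if invalid else user
    return f"Feb 20 {ts} testsrv sshd[{pid}]: Failed password for {who} from {src} port {port} ssh2"

# Constructed sample: a dictionary attack from 203.0.113.7 ending in a root login, plus one mistyped password.
SAMPLE_LOG = (
    [_failed("03:14:01", 2101, "admin", "203.0.113.7", 51001, invalid=True),
     _failed("03:14:02", 2102, "test", "203.0.113.7", 51002, invalid=True),
     _failed("03:14:03", 2103, "oracle", "203.0.113.7", 51003, invalid=True)]
    + [_failed(f"03:14:{s:02d}", 2100 + s, "root", "203.0.113.7", 51000 + s) for s in range(4, 13)]
    + ["Feb 20 03:21:45 testsrv sshd[2199]: Accepted password for root from 203.0.113.7 port 51240 ssh2",
       "Feb 20 08:00:00 testsrv sshd[2300]: Accepted publickey for deploy from 198.51.100.5 port 40000 ssh2",
       "Feb 20 08:05:10 testsrv sshd[2301]: Failed password for deploy from 198.51.100.5 port 40001 ssh2"]
)

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Any entry in compromised means the account's password must be treated as known to the attacker and the host examined for planted tools, as in the report's case; switching the server to the public key authentication of the footnote removes the password attack surface altogether.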

[Others (Damaged)]

(ii) Items/money used in an online game went missing…

<Instance>

- I am a member of an RPG (role-playing game).

- When I realized, the items my avatar had and the virtual money used in the game were missing.

- When I traced back my memory, the event might have started when I clicked a URL provided by another user while chatting with him/her within the game.

IV. Accepting Status of Consultation

The gross number of consultations in February was 350. Among them were 25 consultations relevant to one-click billing fraud (January '08: 28), 11 relevant to hard selling of phony security software (January '08: 10), and 9 relevant to Winny (January '08: 17), etc.

Trend in the total number of consultations accepted by IPA, by means

                           Sept.  Oct.  Nov.  Dec.  Jan.'08  Feb.
Total                        910  1128   911   389      408   350
  Automatic Response System  544   669   520   222      219   192
  Telephone                  310   397   337   109      151   110
  e-mail                      55    57    52    56       38    47
  Fax, Others                  1     5     2     2        0     1

*IPA consults and advises on computer viruses and unauthorized computer access, as well as on other information concerning overall security issues.

Mail: ?????????? for virus issues, ???????????? for crack issues.

Tel.: +81-3-5978-7509 (24-hour automatic response)

Fax: +81-3-5978-7518 (24-hour automatic response)

*The total case number includes the numbers in the Consultation (d) column of the chart under IV. Reported Status for Unauthorized Computer Access and V. Accepting Status of Consultation.

*Automatic Response System: numbers accepted by the automatic response system
*Telephone: numbers accepted by IT Security Center personnel

<Reference>

Shift in Number of Consultations relevant to One-click Billing Fraud

The major consultation instances are as follows.

(i) I used Winny in the past…

Consultation:

I used Winny several years ago. The files I downloaded are still on my hard disk drive. Is it possible that these files are already infected with a virus? Is it possible for me to open them?

Response:

The sources of most files distributed on file-sharing networks, including Winny, are unknown, and it is probable that they are infected with a virus. Some viruses camouflage the appearance of their icon, so you may be infected if you open a file without thinking, deceived by its appearance.

In addition, there are some viruses that anti-virus software cannot detect; it is reasonable to delete files whose source is unknown immediately, without even running a virus check.

<Reference>

IPA – The Seven Anti-Virus Requirements for Computer Users

http://www.ipa.go.jp/security/english/virus/antivirus/7RulesV.html

 

(ii) I used Winny after initializing my computer…

Consultation:

I used Winny after I had initialized my computer. What is the potential that I may be infected with a virus? If I was infected with a virus, is it possible that data stored before I initialized my computer would be leaked?

Response:

If you had the knowledge to identify file types appropriately, the potential of getting infected with a virus would be somewhat lessened. However, if you opened files indiscriminately, it is probable that your computer has been infected.

Currently, exposure-type viruses such as Antinny do not have a function to leak data that was stored on a computer before it was initialized. However, if you are afraid of data leakage, you should not use any file-sharing software such as Winny. Once something has happened, it is too late to get the data back.

<Reference>

IPA – To Prevent Information Leakage Accident via Winny (in Japanese)

http://www.ipa.go.jp/security/topics/20060310_winny.html

 

V. Accessing Status Captured by the Internet Monitoring (TALOT2) in February

According to the Internet Monitoring (TALOT2), the total number of unwanted (one-sided) accesses in February 2008 was 189,006 across 10 monitoring points. That is, there were 700 accesses from 196 source addresses per monitoring point per day.

Since each TALOT2 monitoring environment is nearly equal to the general connection environment used for the Internet, it can be considered that the same amount of unwanted (one-sided) access reaches a general Internet user's connection environment. In other words, your computer is being accessed from 196 unknown source addresses per day on average, or about 4 times from each source address, and these accesses can be considered unauthorized.

Chart 5-1: Average number of accesses and number of source addresses per monitoring point per day

Chart 5-1 shows the average number of accesses and the number of source addresses per monitoring point per day from September 2007 to February 2008. According to this chart, both unwanted (one-sided) access figures in February decreased slightly compared with January; the overall content of the accesses was stable.

The access status in February decreased slightly compared with January, indicating that the overall number of accesses decreased. However, accesses to ports 135/tcp and 445/tcp, which target vulnerabilities in Windows, and to ports 1026/udp and 1027/udp, which send pop-up messages by exploiting the Windows Messenger Service, remained at almost the same level as in January.

*

Because a system maintenance program for TALOT2 fell on February 2 and 3, monitoring data for this period is not available. Kindly understand that the TALOT2 report for February was prepared excluding the data for this period.

(1) Access Targeting Port 5900/tcp

In the latter part of February, accesses to port 5900/tcp increased. This is the default port a RealVNC client uses when it connects to a RealVNC server. Most of the sources were in Japan (see Chart 5-2).

Chart 5-2: Shift in Number of Accesses to Port 5900/tcp Classified by Source Area

RealVNC is software that enables a computer to be operated remotely; in May 2006, a "vulnerability which allows remote access to a client without authentication" was publicized. The only countermeasure is to upgrade to a fixed version.

<Referential Information>

JVNVU#117929 Vulnerability which allows authentication bypass in RealVNC Server (in Japanese)

http://jvn.jp/cert/JVNVU%23117929/

As of now, no vulnerability information relevant to RealVNC has been announced since JVNVU#117929 was publicized; however, such remote access services remain attractive to attackers who conduct unauthorized access.

In TALOT2, along with the accesses to port 5900/tcp, a number of accesses to ports 135/tcp and 445/tcp could be seen as well. Accordingly, these unauthorized accesses were probably conducted with some tool, which also makes it possible to attack a wider range of targets.

Users of remote access tools such as RealVNC: please be sure to check the tool's source information once more. We encourage you to ensure that the tool in use is the latest upgraded version.

For further details, please refer to the following URL as well.

Attachment_3 Observation Status Captured by the Internet Monitoring (TALOT2)

http://www.ipa.go.jp/security/english/virus/press/200802/documents/TALOT2-0802.pdf

Please also refer to the following URLs for respective reports (virus/crack)

Summary Reporting Status for Computer Virus/Unauthorized Computer Access for February

http://www.ipa.go.jp/security/english/virus/press/200802/documents/Summary0802.pdf

Attachment_1 Computer Virus Incident Report

http://www.ipa.go.jp/security/english/virus/press/200802/documents/Virus0802.pdf

Attachment_2 Unauthorized Computer Access Incident Report

http://www.ipa.go.jp/security/english/virus/press/200802/documents/Crack0802.pdf

 


Various Statistics Information Provided by Other Organizations/Vendors is Publicized on the Following Sites

@police:    http://www.cyberpolice.go.jp/english/
Trendmicro: http://us.trendmicro.com/
McAfee:     http://www.mcafee.com/us/

 


Contact
IT Security Center, Information-technology Promotion Agency, Japan (IPA/ISEC)
Tel: +81-3-5978-7527
Fax: +81-3-5978-7518
E-mail:





