IT Security Center

The Information-technology Security Center (ISEC) is the center for promoting information security in Japan.

Computer Virus/Unauthorized Computer Access Incident Report March 2008


May 9, 2008
IT Security Center
Information-technology Promotion Agency, Japan (IPA)

This is a summary of computer virus/unauthorized computer access incident reports for March 2008 compiled by IPA.


I. Reminder for the Month:

Viruses are in the Document File Created by Office Software!?

- Be cautious with the viruses which exploit vulnerability in applications!! -

Early in March, a virus appeared that exploits a vulnerability in spreadsheet applications; it was distributed as soon as specific information such as the program for the Peking Olympic Games was announced. This virus is somewhat different from the type most PC users know: it was not an executable-type virus but one that infects by way of the spreadsheet application.

The virus traditionally known to infect spreadsheet applications is the macro virus. It abuses a specific kind of program (the macro) that was developed to automate and simplify tasks for spreadsheet users, and it cannot infect if macros, one of the functions of the spreadsheet application, are disabled. The virus discovered this time, however, exploits a vulnerability in the spreadsheet application itself, so users should be cautious even if macros are disabled.

(1) The Profile of Virus

The mechanism of the virus, the so-called “Peking Olympic Virus”, is as follows:

Generally, the virus is sent to users as a file attached to e-mail. When a user opens the file, the spreadsheet software runs automatically and the virus file ends up on the user’s computer. If the vulnerability in the spreadsheet software has not been resolved, the virus is executed. The virus displays fictitious information about the Olympic Games to divert the user’s attention while the “Peking Olympic Virus” creates a downloader (a supporting tool for downloading) and carries out malicious activities such as information theft by downloading other malware (the generic name for malicious programs, including viruses) from a server prepared by the attacker. This type of virus used to be sent to a limited number of businesses and/or organizations as an e-mail attachment in a spear-type (targeted) attack. If such a virus spreads indiscriminately, it is harder to deal with, because virus signatures for anti-virus software take a certain time to prepare. Spear-type attacks are currently tending to increase, so users should fully recognize the importance of taking sufficient measures in advance.

<Reference>

Research/Study on Current Spear-Type Attacks (Study Report) (in Japanese)

http://www.ipa.go.jp/security/fy19/reports/sequential/

(2) Vulnerability

As for vulnerabilities in spreadsheet software, the following is currently identified in JVN iPedia (the vulnerability countermeasure information database), which publicizes the response status for vulnerabilities in applications, etc.

Vulnerability which Allows Memory Corruption in Microsoft Excel (JVNDB-2008-001031) (in Japanese)

Note:

The letters and numbers in the parentheses above are the registration number that identifies the vulnerability.

http://jvndb.jvn.jp/contents/ja/2008/JVNDB-2008-001031.html

<Reference>

JVN iPedia (database for anti-vulnerability information) (in Japanese)

http://jvndb.jvn.jp/

This vulnerability was first disclosed on January 15, 2008. As of March 12, the modification program (patch) for this vulnerability had not yet been published: that is, no fundamental countermeasure had been available for almost 2 months. The affected software includes not only the spreadsheet program for Windows but also the one for Macintosh. In addition, the Excel File Viewer software was affected as well.

JVN iPedia also stores vulnerability information and countermeasures for word processors and/or PDF file viewers, in addition to those for spreadsheet applications.

Table 1-1: Vulnerability relevant to Application (Extract)

(3) Countermeasures

As mentioned above, vulnerabilities exist in these widely used applications. When a vulnerability is detected, the product developer works to resolve it, and the resulting patch is published via the developer’s website and/or JVN iPedia, etc. Accordingly, it is of utmost importance that users routinely check the vulnerability information and patches provided by the product developer and JVN iPedia for the applications concerned, and always keep those applications up to date, to prevent infection by the “Peking Olympic Virus” and similar threats.

In addition to the above, Internet users should also take the following measures to prevent potential damage. Both Windows and Macintosh users need to take them.

(a) Files attached to suspicious mail should never be opened, whether they are office documents, PDFs, images, sound clips, or executable files. Files downloaded from suspicious sites should be handled in the same manner.

(b) Virus signatures for anti-virus software should always be up to date before use.

(c) Install a personal firewall to block communication other than that of permitted applications and port numbers, etc.

<Reference>

Procedures for Microsoft Update and Windows Update (Microsoft)

http://www.microsoft.com/protect/computer/updates/mu.mspx

For the Office users in Macintosh environment [Mactopia download lot] (Microsoft)

http://www.microsoft.com/mac/downloads.mspx

Mac OS Service and Support (Apple)

http://www.apple.com/support/

II. Reporting Status for Computer Virus (for further details, please refer to Attachment 1)

The detection number*1 of viruses in March was about 0.21M, a decrease of 18.3% from about 0.26M reported in February. In addition, the reported number*2 of viruses was 1,854, also a decrease of 9.4% from 2,046 in February.

*1 Detection Number: The cumulative count of viruses found by a reporting party (filer).
*2 Reported Number: An aggregated count: viruses of the same type and their variants reported by the same filer on the same day are counted as one case, regardless of how many viruses were actually found. In March, the reported number was 1,651, aggregated from a virus detection number of about 0.21M.

The most detected virus was W32/Netsky with about 0.20M, followed by W32/Mytob with about 0.0056M and W32/Mydoom with about 0.0012M.

Chart 2-1

Chart 2-2

Note) Numbers in parentheses are the previous month's figures.

III. Reporting Status of Unauthorized Computer Access (includes Consultations) (please refer to Attachment 2 for further details)

Report for unauthorized computer access and status of consultation

                              Oct.  Nov.  Dec.  Jan.'08  Feb.  Mar.
Total for Reported (a)         10    15    14      8      4    19
  Damaged (b)                   9    11     7      7      4    13
  Not Damaged (c)               1     4     7      1      0     6
Total for Consultation (d)     37    31    21     24     29    35
  Damaged (e)                  22    17    16     15     10    15
  Not Damaged (f)              15    14     5      9     19    20
Grand Total (a + d)            47    46    35     32     33    54
  Damaged (b + e)              31    28    23     22     14    28
  Not Damaged (c + f)          16    18    12     10     19    26

(1) Reporting Status for Unauthorized Computer Access

The reported number for March was 19, of which 13 involved actual damage.

(2) Accepting Status for Consultations relevant to Unauthorized Computer Access

The number of consultations relevant to unauthorized computer access was 35, of which 15 (10 of these were also counted in the reported number) involved some sort of damage.

(3) Status of Damage

The breakdown of reported damage was: intrusion 8, DoS 1, source address spoofing 1, and others (damaged) 3.

Reported damage from intrusion included 4 cases in which a server was exploited as a stepping stone to attack other sites, etc. The cause of intrusion was a password cracking* attack on the port used by SSH* in 5 cases, etc. Damage in the others (damaged) category included 1 case in which someone impersonated a legitimate user in an online auction to act fraudulently, and 1 case in which, while the user was logged in to a site with a CSRF* vulnerability, the name and address the user had registered with a membership site were sent to a third party when the user happened to click a malicious URL, etc.

*SSH (Secure Shell): A protocol for communicating with remote computers over a network.
*Password Cracking: The act of searching for or analyzing a legitimate user’s password. Password cracking includes brute force (exhaustive) attacks and dictionary attacks. Programs for cracking also exist.
*CSRF (Cross-Site Request Forgery): One of the attack methods exploiting a vulnerability in a website. While a user is logged in to a member-only site, an unintended request is sent to that site when the user is lured to an adversary’s site. For example, an unintended message is automatically posted to a BBS, etc.
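The CSRF case described in the footnote above can be made concrete with a minimal request handler. The following Python code is an added example and is not part of the IPA report; the handler names, the session layout and the server secret are constructed for illustration. It places a "before" handler that trusts any request arriving with a logged-in session beside a hardened handler that additionally requires a per-session token, which only a form rendered by the site itself could contain:

```python
import hmac
import hashlib

# Constructed server-side secret for this example; a real site would load it from configuration.
SERVER_SECRET = b"constructed-example-secret"


def make_csrf_token(session_id):
    """Derive a per-session token as HMAC-SHA256 over the session id.

    The token is embedded in forms rendered by the site; a page on another
    site cannot read it, so it cannot be reproduced in a forged request.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def post_message_vulnerable(request, session):
    """'Before' handler: accepts any POST that carries a logged-in session.

    The browser attaches the session cookie automatically, so a form on an
    adversary's page can submit this request on the victim's behalf.
    """
    if not session.get("logged_in"):
        return "401 not logged in"
    return "200 posted: " + request["form"]["message"]


def post_message_hardened(request, session):
    """'After' handler: additionally demands the session-bound CSRF token."""
    if not session.get("logged_in"):
        return "401 not logged in"
    expected = make_csrf_token(session["session_id"])
    supplied = request["form"].get("csrf_token", "")
    # Constant-time comparison avoids leaking the token through timing.
    if not hmac.compare_digest(expected, supplied):
        return "403 csrf token missing or invalid"
    return "200 posted: " + request["form"]["message"]


def demo():
    """Run both handlers against a forged and a legitimate request (both constructed)."""
    session = {"logged_in": True, "session_id": "sess-constructed-1234"}
    # Forged request: submitted from a third-party page; it rides on the
    # victim's session but has no way to include the token.
    forged = {"form": {"message": "unintended post to BBS"}}
    # Legitimate request: the site's own form included the token.
    legit = {"form": {"message": "hello",
                      "csrf_token": make_csrf_token(session["session_id"])}}
    return {
        "vulnerable_forged": post_message_vulnerable(forged, session),
        "hardened_forged": post_message_hardened(forged, session),
        "hardened_legit": post_message_hardened(legit, session),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

The token is tied to the session rather than being a fixed value, so a token captured from one session is useless in another; the comparison uses hmac.compare_digest so that a wrong token is rejected without a timing difference that depends on how many leading characters matched.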

(4) Damage Instances:

[Intrusion]

(i) The ports used by SSH were attacked and the server was intruded…

<Instance>

- “We’ve been attacked from a computer you are managing,” we were told from outside.

- An investigation of the server concerned revealed that a password cracking attack had been conducted against the port used by SSH, and that the server eventually allowed intrusion.

- In addition, it was also found that a rootkit and tools for attacking other sites had been planted and executed.

- An account on the server was configured with the user’s name as its password, so it appears that it was easily guessable for the intruder.

- The user believed that the computer was not accessible via SSH from outside, but in fact it was.
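The password cracking attack in instance (i) leaves a trail in the server's own authentication log long before an outside party complains. The following Python script is an added example and not part of the IPA report: it parses a constructed sample of OpenSSH log lines (the line format follows OpenSSH's "Failed password" / "Accepted password" messages; the host name, addresses and user names are made up), flags any source address with a burst of failed logins, and reports whether a successful login from that address followed the burst, which is the pattern that distinguishes a guessed password from background noise:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of OpenSSH authentication log lines (not taken from any real host).
SAMPLE_LOG = """\
Mar 10 02:14:01 web1 sshd[2312]: Failed password for root from 198.51.100.23 port 51022 ssh2
Mar 10 02:14:03 web1 sshd[2312]: Failed password for root from 198.51.100.23 port 51023 ssh2
Mar 10 02:14:05 web1 sshd[2314]: Failed password for invalid user admin from 198.51.100.23 port 51030 ssh2
Mar 10 02:14:07 web1 sshd[2316]: Failed password for invalid user test from 198.51.100.23 port 51031 ssh2
Mar 10 02:14:09 web1 sshd[2318]: Failed password for invalid user oracle from 198.51.100.23 port 51032 ssh2
Mar 10 02:14:12 web1 sshd[2320]: Failed password for backup from 198.51.100.23 port 51040 ssh2
Mar 10 02:14:15 web1 sshd[2322]: Accepted password for backup from 198.51.100.23 port 51041 ssh2
Mar 10 08:30:00 web1 sshd[2500]: Failed password for alice from 203.0.113.5 port 40001 ssh2
Mar 10 08:30:20 web1 sshd[2502]: Accepted publickey for alice from 203.0.113.5 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text, year=2008):
    """Turn log lines into (timestamp, result, method, user, source_ip) tuples.

    syslog timestamps carry no year, so the caller supplies it.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # unrelated sshd/syslog lines are skipped
        ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


def find_password_guessing(events, threshold=5, window_seconds=60):
    """Flag source addresses with >= threshold failed logins inside window_seconds.

    For each flagged address, list the user names tried and any successful
    login from the same address at or after the end of the burst: a success
    following a burst is the signature of a guessed password.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[4]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        failures = [e for e in evs if e[1] == "Failed"]
        burst_end = None
        # Sliding window over consecutive failures from this address.
        for i in range(len(failures) - threshold + 1):
            span = (failures[i + threshold - 1][0] - failures[i][0]).total_seconds()
            if span <= window_seconds:
                burst_end = failures[i + threshold - 1][0]
                break
        if burst_end is None:
            continue
        accepted_after = [
            (e[3], e[2], e[0].isoformat())
            for e in evs
            if e[1] == "Accepted" and e[0] >= burst_end
        ]
        alerts[ip] = {
            "failures": len(failures),
            "users_tried": sorted({e[3] for e in failures}),
            "accepted_after_burst": accepted_after,
        }
    return alerts


if __name__ == "__main__":
    for ip, info in find_password_guessing(parse_auth_log(SAMPLE_LOG)).items():
        verdict = "LIKELY COMPROMISED" if info["accepted_after_burst"] else "guessing only"
        print(ip, verdict, info)
```

On the constructed sample, the address 198.51.100.23 is flagged: six failures within a few seconds across root, admin, test, oracle and backup, followed by an accepted password login as backup, which is exactly the account-with-weak-password outcome in the instance. The single failure from 203.0.113.5 followed by a key-based login is not flagged. The other finding in the instance, that SSH was reachable from outside although the operator believed otherwise, is a separate check on the host's firewall and sshd listening configuration that a log review alone cannot settle.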

[Others (Damaged)]

(ii) Contents of a website were repeatedly altered…

<Instance>

- The contents of the website I am managing are altered at intervals of several hours. When I access the site, my computer detects and alerts on a virus.

- I tried changing the password for the FTP access used to send content files to the website, but the site is still being altered over and over.

 

IV. Accepting Status of Consultation

The gross number of consultations in March was 654. Of these, consultations relevant to one-click billing fraud numbered 157 (February ’08: 25), a drastic increase after continuous decreases over the past 3 months. This may be because the arrest of a fraud offender in November last year calmed things down for a time, and activity has now somewhat resumed. Other consultations included hard selling of phony security software with 9 (February ’08: 11) and consultations relevant to Winny with 6 (February ’08: 9), etc.

The movement in the entire number of consultations accepted by IPA, by means

                             Oct.  Nov.  Dec.  Jan.'08  Feb.  Mar.
Total                        1128   911   389    408     350   645
  Automatic Response System   669   520   222    219     192   373
  Telephone                   397   337   109    151     110   214
  e-mail                       57    52    56     38      47
  Fax, Others                   5     2     2      0       1     1

*IPA offers consultation and advice on computer viruses and unauthorized computer access, as well as other information concerning overall security issues.

Mail: ?????????? for virus issues, ???????????? for crack issues.

Tel.: +81-3-5978-7509 (24-hour automatic response)

Fax: +81-3-5978-7518 (24-hour automatic response)

*The total case number includes the numbers in the Consultation (d) column of the chart in IV. Reported Status for Unauthorized Computer Access and V. Accepting Status of Consultation.

*Automatic Response System: Numbers accepted by the automatic response system
*Telephone: Numbers accepted by Security Center personnel

 

<Reference>

Shift in Number of Consultation relevant to One-click Billing Fraud

 

The major consultation instances are as follows.

(i) Infected by a virus when I used Winny, and personal information was leaked…

Consultation:

I downloaded the data for a comic book using Winny. When I decompressed a compressed file, there were several files and I clicked them in order. I think one of them may have been a virus file. It was hard to tell, as its icon was displayed as a folder. After that, I stayed connected to the Internet for a while. Recently, I realized that some files containing my personal information exist on the Winny network, although I have never uploaded anything and have never changed its configuration. Most of the files were images I had taken with my digital camera and incoming and outgoing e-mails. I immediately deleted Winny. Can I assume that the leakage of personal information has stopped?

Response:

This is a typical example of damage caused by Winny: the user believed that he/she clicked a folder, but it was actually a virus disguised with a harmless-looking icon. Be cautious, as viruses may be hidden in files that appear to be illegally distributed copies of movies, music, books, etc.

In addition, even if Winny is deleted, the information leakage will not stop immediately. Although leakage from your computer, the original source, will stop, it is difficult to stop the spread of files once they have been downloaded to other computers.

It goes without saying that illegal activities must stop; it is also necessary to recognize again the fundamental risk of opening files whose source is unknown. Refrain from using file sharing software casually.

<Reference>

IPA: To prevent information leakage via Winny (in Japanese)

http://www.ipa.go.jp/security/topics/20060310_winny.html

 

(ii) A Linux server is infected by a virus…

Consultation:

We operate a public web server running Linux. However, a provider pointed out “Your computer is infected by a bot” and disconnected us. I have checked the logs, but I cannot find any probe or attempt.

Response:

It seems that your server was intruded and a bot was planted with malicious intent. Your server may have been exploited as one of the computers making up a bot network used to attack other computers. Currently, there are a number of reports in which a vulnerability in a server is exploited for intrusion. It is necessary to resolve vulnerabilities in your server OS and/or applications and to take further security measures.

<Reference>

How to Create Secured Websites (in Japanese)

http://ipa.go.jp/security/vuln.websecurity.html

 

V. Access Status Captured by the Internet Monitoring (TALOT2) in March

According to the Internet Monitoring (TALOT2), the total number of unwanted (one-sided) accesses in March 2008 was 213,755 for 10 monitoring points. That is, there were 690 accesses from 206 source addresses per monitoring point per day.

Since each TALOT2 monitoring environment is nearly equal to the general connection environment used for the Internet, it can be considered that the same amount of unwanted (one-sided) access is seen in general Internet users’ connection environments. In other words, your computer is being accessed from 206 unknown source addresses per day on average, or about 3 times from each source address, and such access is considered unauthorized.

Chart 5-1: Unwanted (One-sided) Number of Accesses and Number of Source Addresses per Monitoring Point per Day

Chart 5-1 shows the number of accesses and the number of source addresses per monitoring point per day from October 2007 to March 2008. According to this chart, unwanted (one-sided) access in March decreased slightly from February; however, the overall number of accesses has stabilized.

Access in March 2008 decreased from February. This was because both the number of accesses and the number of source addresses decreased overall. In particular, accesses to ports 1026/udp and 1027/udp, which send pop-up messages exploiting the Windows Messenger service, from China as the source area, and accesses to port 1028/udp from Canada as the source area, decreased, although only temporarily (see Charts 5-2 and 5-3).

Chart 5-2: Access Status from China as Source Area in March 2008

Chart 5-3: Access Status from Canada as Source Area

Access to port 5900/tcp (the default port used by RealVNC, software for operating computers remotely), which had increased in the last part of February, continued to increase into the first part of March (see Chart 5-4). Although it has currently stabilized, continued caution is advised.
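The two headline figures in this section (accesses per monitoring point per day and source addresses per monitoring point per day) and the per-port, per-source-area breakdowns behind Charts 5-2 to 5-4 are all derived from the same raw access records. The following Python code is an added example and not part of the IPA report or of the TALOT2 system: it assumes a constructed record layout of (day, monitoring point, source address, source area, destination port, protocol), with made-up addresses from documentation ranges, and computes those metrics from a small sample so that the relationship between raw records and the report's figures is explicit. It also includes a per-port comparison between two periods, which is the kind of month-to-month change the text describes:

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed access records: (day, monitoring point, source address, source area, port, protocol).
# Addresses are from documentation ranges; nothing here is real monitoring data.
RECORDS = [
    (date(2008, 3, 1), "mp1", "198.51.100.1", "China",  1026, "udp"),
    (date(2008, 3, 1), "mp1", "198.51.100.1", "China",  1027, "udp"),
    (date(2008, 3, 1), "mp1", "198.51.100.2", "China",  1026, "udp"),
    (date(2008, 3, 1), "mp2", "203.0.113.9",  "Canada", 1028, "udp"),
    (date(2008, 3, 1), "mp2", "192.0.2.7",    "US",     5900, "tcp"),
    (date(2008, 3, 2), "mp1", "192.0.2.7",    "US",     5900, "tcp"),
    (date(2008, 3, 2), "mp1", "192.0.2.8",    "US",     5900, "tcp"),
    (date(2008, 3, 2), "mp2", "198.51.100.1", "China",  1026, "udp"),
]


def headline_figures(records, n_points, n_days):
    """Accesses and distinct source addresses per monitoring point per day.

    Distinct sources are counted per (day, monitoring point) and then
    averaged, matching the report's 'source addresses/monitoring point/day'.
    """
    point_days = n_points * n_days
    sources = defaultdict(set)
    for day, point, src, _area, _port, _proto in records:
        sources[(day, point)].add(src)
    distinct_sources = sum(len(s) for s in sources.values())
    return {
        "total_accesses": len(records),
        "accesses_per_point_day": len(records) / point_days,
        "sources_per_point_day": distinct_sources / point_days,
        "accesses_per_source": len(records) / distinct_sources,
    }


def by_port_and_area(records):
    """Count accesses per (port/protocol, source area), the basis of Charts 5-2 to 5-4."""
    counts = Counter()
    for _day, _point, _src, area, port, proto in records:
        counts[("%d/%s" % (port, proto), area)] += 1
    return counts


def change_by_port(previous, current):
    """Per-port difference in access counts between two periods (current minus previous)."""
    prev = Counter("%d/%s" % (r[4], r[5]) for r in previous)
    cur = Counter("%d/%s" % (r[4], r[5]) for r in current)
    return {port: cur[port] - prev[port] for port in set(prev) | set(cur)}


if __name__ == "__main__":
    print(headline_figures(RECORDS, n_points=2, n_days=2))
    for (port, area), n in sorted(by_port_and_area(RECORDS).items()):
        print(port, area, n)
    day1 = [r for r in RECORDS if r[0] == date(2008, 3, 1)]
    day2 = [r for r in RECORDS if r[0] == date(2008, 3, 2)]
    print(change_by_port(day1, day2))
```

Applied to the report's own totals, the same arithmetic gives 213,755 accesses over 10 monitoring points and 31 days, i.e. about 690 per monitoring point per day, and 690 divided by 206 source addresses is the "about 3 times from each source address" figure; the per-port counts by source area are what the charts plot, and change_by_port is the comparison behind statements such as the temporary decrease on 1026/udp to 1028/udp and the rise on 5900/tcp.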

<Reference>

Observation Status Captured by the Internet Monitoring (TALOT2) for February 2008

http://www.ipa.go.jp/security/english/virus/press/200802/documents/TALOT2-0802.pdf

Chart 5-4: Accesses to the Port 5900/tcp Classified by Source Area from February to March 2008

For further details, please refer to the following URL as well.

Attachment_3 Observation Status Captured by the Internet Monitoring (TALOT2)

http://www.ipa.go.jp/security/english/virus/press/200803/documents/TALOT2-0803.pdf

Please also refer to the following URLs for respective reports (summary/virus/crack)

Summary Reporting Status for Computer Virus/Unauthorized Computer Access for February

http://www.ipa.go.jp/security/english/virus/press/200803/documents/Summary0803.pdf

Attachment_1 Computer Virus Incident Report

http://www.ipa.go.jp/security/english/virus/press/200803/documents/Virus0803.pdf

Attachment_2 Unauthorized Computer Access Incident Report

http://www.ipa.go.jp/security/english/virus/press/200803/documents/Crack0803.pdf

Attachment_4 Computer virus Incident Report for the 1st Quarter (January to March)

http://www.ipa.go.jp/security/english/virus/press/200803/documents/virus2008-1Q.pdf

Attachment_5 Unauthorized Computer Access Incident Report for the 1st Quarter (January to March)

http://www.ipa.go.jp/security/english/virus/press/200803/documents/ua2008-1Q.pdf

 


Various Statistics Information Provided by Other Organizations/Vendors are Publicized in the Following Sites


@police:      http://www.cyberpolice.go.jp/english/
Trendmicro: http://us.trendmicro.com/
McAfee:      http://www.mcafee.com/us/

 


Contact
IT Security Center, Information-technology Promotion Agency, Japan (IPA/ISEC)
Tel: +81-3-5978-7527
Fax: +81-3-5978-7518
E-mail:








Copyright(c) Information-technology Promotion Agency, Japan. All rights reserved 2005