Computer Virus/Unauthorized Computer Access Incident Report April 2008


May 14, 2008
IT Security Center
Information-technology Promotion Agency, Japan (IPA)

This is the summary of the computer virus/unauthorized computer access incident report for April 2008 compiled by IPA.


I. Reminder for the Month:

- Be cautious of e-mail masquerading as a public organization!! -

Mails whose sender appears to be a government office and/or a police department are currently being reported.  In addition, in April 2008 it was found that someone sent a specific organization a virus file attached to an e-mail spoofed to appear to be from IPA.

In both cases, the attacker masquerades as a public organization in an attempt to make the recipient open the virus file attached to the mail.  Accordingly, caution is necessary even when you receive a mail that appears to come from a public organization and whose address ends with “.go.jp”.

The instance mentioned above is an example of a “Spear type of attack”, in which malicious mails containing a virus, etc. are sent to a specific organization.  All users should understand the method used in the Spear type of attack and take the countermeasures described in this report.

(1) The Method of Spear Type of Attack

The following describes the method used in the Spear type of attack that exploited IPA’s name in April 2008.

In this method, the vulnerability in the PDF file creation/browsing software (hereinafter referred to as “PDF software”) (http://jvndb.jvn.jp/contents/ja/2008/JVNDB-2008-001090.html (in Japanese)), published in our vulnerability countermeasure information database on February 26, 2008, was exploited by the adversary: when a user opens the PDF file attached to the e-mail with a Windows version of the PDF software, a virus is immediately executed.

Chart 1-1 shows the mechanism of the PDF file attached to the mail.

When a user attempts to open the PDF file in a Windows environment, the PDF software on the user’s computer first runs and identifies the part (a), shown in red, as a PDF document.

This document looks like a typical PDF document, such as presentation material, so it is hard for the user to realize that it is harmful.

However, the (a) PDF document has malicious code embedded in it using JavaScript (a simple program): if the PDF software has the vulnerability, the malicious code is executed by exploiting that vulnerability while the software displays the (a) PDF document, and the (b) program is created on the user’s computer.

When the (b) program on the user’s computer is executed, the (c) virus and the (d) PDF document are copied and executed, so the user’s computer is infected with the virus.

The virus has the following features:


(i)

The virus runs in the Windows NT, 2000, XP, 2003 Server and Vista (32-bit only) environments.
However, the vulnerability in the PDF software exploited in the above instance may cause damage not only in the Windows environment but also in the Macintosh, Solaris and Linux environments, so users of OSs other than Windows should also fix the vulnerability in advance.

(ii)

When the virus is executed, it registers itself on the computer as one of the programs started by default, so the virus is executed each time the OS starts up.

(iii)

The executed virus sends the user’s information, such as the computer name, OS version and IP address, to a server on the Internet prepared by the attacker.  The server can then instruct the user’s computer to perform the following activities, so a variety of damage can be expected on a computer infected with the virus.

- Sending out inventories of the drives, folders and files on the computer;

- Sending/receiving, modifying and deleting arbitrary files;

- Executing commands and sending out their results from the computer;

- Executing programs, etc.

The original (d) PDF document is not directly involved in the infection; however, because the virus infects the computer while this PDF document is being displayed, it is hard for the user to realize that his/her computer has been infected.
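As an added example, not part of the IPA report, the following static triage check looks in a PDF file for the ingredients of the mechanism just described: an action that runs JavaScript when the document opens, and a payload hidden in a compressed or embedded stream. It also undoes the #xx hex escapes that obfuscated files use in name objects; the sample document is constructed and benign.

```python
import re
import zlib

# Name keys that the mechanism above relies on: script run when the document
# opens, plus a launch action or embedded file carrying a dropped payload.
# Assumption: standard PDF key names; a hit is a triage signal, not proof of malice.
SUSPICIOUS_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")

def decode_names(data: bytes) -> bytes:
    """Undo #xx hex escapes inside PDF names, so /J#61vaScript reads as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def inflate_streams(data: bytes) -> bytes:
    """Concatenate the plaintext of every FlateDecode stream that inflates cleanly."""
    out = b""
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", data, re.S):
        owner = data[max(0, m.start() - 300):m.start()]  # dictionary preceding the stream
        if b"/FlateDecode" not in owner:
            continue
        try:
            out += zlib.decompress(m.group(1)) + b"\n"
        except zlib.error:
            pass  # truncated or deliberately corrupt stream: nothing to inspect
    return out

def triage_pdf(data: bytes) -> dict:
    """Count each suspicious key in the raw file and inside its inflated streams."""
    text = decode_names(data) + decode_names(inflate_streams(data))
    hits = {}
    for key in SUSPICIOUS_KEYS:
        n = len(re.findall(re.escape(key) + rb"(?![A-Za-z])", text))
        if n:
            hits[key.decode()] = n
    return hits

def build_sample() -> bytes:
    """Constructed benign sample: the open action points at a JavaScript object whose
    name is hex-escaped, and a compressed object stream hides an /EmbeddedFile entry."""
    js = zlib.compress(b"app.alert('constructed sample');")
    hidden = zlib.compress(b"7 0 << /Type /EmbeddedFile >>")
    parts = [
        b"%PDF-1.4",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj",
        b"4 0 obj << /S /J#61vaScript /JS 5 0 R >> endobj",
        b"5 0 obj << /Length " + str(len(js)).encode() + b" /Filter /FlateDecode >>",
        b"stream", js, b"endstream", b"endobj",
        b"6 0 obj << /Type /ObjStm /N 1 /First 4 /Length " + str(len(hidden)).encode()
        + b" /Filter /FlateDecode >>",
        b"stream", hidden, b"endstream", b"endobj",
        b"%%EOF",
    ]
    return b"\n".join(parts)
```

A document that scores on /OpenAction together with /JavaScript or /JS deserves a closer look before it is opened with any viewer that has not been patched for the vulnerability above.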

(2) Countermeasures

Since the “Spear type of attack” targets a limited organization, individual, etc. and the technique is sophisticated, the attack itself tends to remain unreported.

If you receive a mail that looks like a Spear type of attack, be sure to confirm the authenticity of the mail with the organization concerned before opening the attached file.

Taking the following countermeasures can prevent quite a few of the damages caused by the Spear type of attack.

(i)

For General Computer Users

General computer users have a lower probability of being targeted by the Spear type of attack, but we encourage you to implement the following countermeasures for your further security.

(a) Fundamental Measures

Be sure to keep your computer’s OS, applications and anti-virus software updated to reduce vulnerabilities as much as possible.

(b) You may receive mails spoofed to appear to be from a bank, card company, member-only site, etc.  If you receive a suspicious mail, do not casually click the URLs in the mail body or open the attached files, and be sure to verify the contents by contacting the sender of the mail.


(ii)

For System Administrators in a Corporation/Organization

(a) Fundamental Measures

Be sure to keep the computers’ OS, applications, anti-virus software, etc. updated to reduce vulnerabilities as much as possible.

(b) Checking Error Mails

The Spear type of attack was initially discovered when a spoofed mail was returned to the legitimate owner of the sender address as an error mail.  Among such returned mails, you may be able to find signs of the Spear type of attack.

(c) Reviewing the Corporate Network Environment

The “Study/Research Report on the Current Spear Type of Attacks” (http://www.ipa.go.jp/security/fy19/reports/sequential/ (in Japanese)) compiled by IPA reports instances in which the virus, after infection, communicates over HTTP or HTTPS, and describes how virus activity can be prevented by implementing the following measures in advance.

- Disable all unnecessary TCP ports used for communications/accesses to the outside;

- Block communications/accesses on ports 80/tcp and 443/tcp that are detected to be something other than HTTP or HTTPS respectively.  HTTP on port 80 and HTTPS on port 443 should be allowed to the outside only through a proxy server.
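To make the two port rules above concrete, here is an added example (not from the IPA report) that audits a firewall log against them: only ports 80 and 443 may go out, only the proxy may use them, and the protocol seen on each port must match. The subnet, proxy address and key=value log format are constructed assumptions.

```python
import ipaddress
import re

# Constructed environment for this example (not IPA's): one internal subnet,
# a single outbound proxy, and a firewall log with key=value fields where
# "app" is the protocol the firewall identified on the connection.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")
PROXY_IP = ipaddress.ip_address("192.168.1.10")
WEB_PORTS = {80: "http", 443: "https"}  # the only outbound ports the policy allows

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=tcp app=(?P<app>\S+)"
)

def check_egress(line: str):
    """Return None when a logged connection satisfies the policy, else the reason it does not."""
    m = LINE_RE.search(line)
    if not m:
        return "unparsed line"
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    dport, app = int(m["dport"]), m["app"]
    if src not in INTERNAL_NET or dst in INTERNAL_NET:
        return None  # not an internal-to-outside connection; the egress rules do not apply
    if dport not in WEB_PORTS:
        return f"outbound to non-web port {dport}"  # unnecessary port left open
    if src != PROXY_IP:
        return f"direct {WEB_PORTS[dport]} bypassing the proxy"  # web only via the proxy
    if app != WEB_PORTS[dport]:
        return f"{app} traffic on port {dport}"  # protocol does not match the port
    return None

# Constructed sample log: proxy traffic, a host bypassing the proxy, an IRC
# connection on an open port, IRC tunnelled over 443, and internal-only traffic.
SAMPLE_LOG = """\
2008-04-21 10:15:02 src=192.168.1.10 dst=203.0.113.7 dport=80 proto=tcp app=http
2008-04-21 10:15:09 src=192.168.1.25 dst=203.0.113.7 dport=80 proto=tcp app=http
2008-04-21 10:16:30 src=192.168.1.25 dst=198.51.100.3 dport=6667 proto=tcp app=irc
2008-04-21 10:17:01 src=192.168.1.10 dst=198.51.100.9 dport=443 proto=tcp app=irc
2008-04-21 10:17:45 src=192.168.1.30 dst=192.168.1.10 dport=8080 proto=tcp app=http
2008-04-21 10:18:12 src=192.168.1.10 dst=203.0.113.8 dport=443 proto=tcp app=https
"""

def audit(log: str):
    """List (line number, reason) for every logged connection that violates the policy."""
    findings = []
    for n, line in enumerate(log.splitlines(), 1):
        reason = check_egress(line)
        if reason:
            findings.append((n, reason))
    return findings
```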


The system administrator should ensure that all users in the organization/corporation know the “countermeasures” and should establish a contact point for outside parties, etc. so that the organization/corporation can respond immediately when it is targeted by the Spear type of attack.

<Reference>

“Security updates available for Adobe Reader and Acrobat”

http://www.adobe.com/support/security/advisories/apsa08-01.html

“Procedures How to Use Microsoft Update and Windows Update” (Microsoft)

http://www.microsoft.com/protect/computer/updates/mu.mspx

Office Use in Macintosh Environment [Mactopia Downloads] (Microsoft)

http://www.microsoft.com/mac/downloads.mspx

Mac OS Service and Support (Apple)

http://www.apple.com/support/


II. Reporting Status for Computer Virus (for further details, please refer to Attachment 1)

The virus detection number (*1) was about 0.21M, about the same level as reported in March (0.21M).  The virus reported number (*2) for April was 1,703, an increase of 3.1% from March (1,651).

*1 Detection Number: the cumulative count of viruses found by a filer (reporter).
*2 Reported Number: an aggregated count: viruses of the same type, including variants, reported by the same filer on the same day are counted as one case regardless of how many were actually found.  In April, the reported number was 1,703, aggregated from a detection number of about 0.21M.

The virus with the highest detection number was W32/Netsky with about 0.19M, followed by W32/Mytob with about 0.0053M and W32/Mimail with about 0.0014M.

Chart 2-1

Chart 2-2

Note) Numbers in parentheses are the previous month’s figures.

III. Reporting Status of Unauthorized Computer Access (includes Consultations) (please refer to Attachment 2 for further details)

Chart 3-1: Reports of unauthorized computer access and status of consultations

                              Nov.  Dec.  Jan.'08  Feb.  Mar.  Apr.
Total for Reported (a)          15    14        8     4    19    14
  Damaged (b)                   11     7        7     4    13    10
  Not Damaged (c)                4     7        1     0     6     4
Total for Consultation (d)      31    21       24    29    35    56
  Damaged (e)                   17    16       15    10    15    31
  Not Damaged (f)               14     5        9    19    20    25
Grand Total (a + d)             46    35       32    33    54    70
  Damaged (b + e)               28    23       22    14    28    41
  Not Damaged (c + f)           18    12       10    19    26    29

(1) Reporting Status for Unauthorized Computer Access

The reported number for April was 14, of which 10 involved actual damage.

(2) Accepting Status for Consultations relevant to Unauthorized Computer Access

The number of consultations relevant to unauthorized computer access was 56, of which 31 (6 of which were also counted as reports) involved some sort of actual damage.

(3) Status of Damage

The breakdown of damage reports was: intrusion 3, source address spoofing 3 and others (damaged) 4.

The damage reported for intrusion consisted of leakage of credit card information caused by an SQL injection attack (1) and exploitation of the server as a stepping stone to attack other sites (2).  The major causes of intrusion were a vulnerability in a web application (1) and a password cracking* attack on the port used by SSH* (2).

The damage in others (damaged) included cases where someone logged in to an on-line game spoofed as a legitimate user and took over the items used in the game (2), and cases where a virus was planted by some means so that the computer was exploited as a stepping stone to attack other sites (2).

*SSH (Secure Shell): A protocol for communicating with computers remotely over a network.
*Password Cracking: Searching for/analyzing a legitimate user’s password.  Password cracking includes Brute Force (exhaustive) attacks and Dictionary attacks.  Programs for cracking also exist.

(4) Damage Instances:

[Intrusion]

(i) The port used by SSH was attacked and the server was intruded into

<Instance>

- While checking the firewall logs, suspicious accesses to the outside from a server operated by the organization were found.

- The server was examined, and it was found that the port used by SSH had been subjected to a password cracking attack, which allowed the intrusion.

- On that server, the password for the administrator account had been modified and tools for attacking other sites had been planted; in addition, some system commands had been replaced with malicious ones.  The traces in the firewall logs appear to have been communications by the tools for attacking other sites.

- The organization’s system administrator had carelessly configured an easily guessable temporary password, since this was a new server still being set up.

- However, the damage was kept to a minimum, as the organization had deployed an IDS (intrusion detection system), which allowed the intrusion to be detected quickly.


*Rootkit: A package of software used by an attacker after successfully intruding into a targeted computer.  It generally includes a log alteration tool, a backdoor tool and a set of altered system commands.  It makes running processes, files and system information invisible in order to hide their existence from the legitimate user.
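As an added example (not from the IPA report), the following check applies the lesson of this instance to sshd authentication logs: flag a source that fails password authentication repeatedly within a short window, and escalate when that same source then logs in successfully. The log lines, the threshold and the window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the OpenSSH auth-log lines that matter here. Assumption: standard
# syslog layout ("Apr 20 03:12:01 host sshd[pid]: ..."), which carries no year.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?\S+ "
    r"from (?P<src>\S+) port \d+"
)
THRESHOLD = 5                  # this many failures ...
WINDOW = timedelta(minutes=2)  # ... inside this window = a password cracking attempt

def analyse(log: str, year: int = 2008) -> dict:
    """Return {source: verdict}; verdict is 'cracking' while only failures are seen
    and 'cracking+login' once a flagged source also gets an Accepted password."""
    recent = defaultdict(deque)  # source -> timestamps of failures still inside WINDOW
    verdicts = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # publickey logins, disconnects, etc. are not part of this check
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        src, q = m["src"], recent[m["src"]]
        while q and ts - q[0] > WINDOW:
            q.popleft()  # slide the window forward
        if m["result"] == "Failed":
            q.append(ts)
            if len(q) >= THRESHOLD:
                verdicts.setdefault(src, "cracking")
        elif src in verdicts:
            verdicts[src] = "cracking+login"  # success after a burst of failures
    return verdicts

# Constructed sample: one source hammers root/admin and then gets in; a staff
# member mistypes once and then logs in; a key-based login is ignored.
SAMPLE_LOG = """\
Apr 20 03:12:01 srv sshd[2201]: Failed password for root from 198.51.100.23 port 51234 ssh2
Apr 20 03:12:03 srv sshd[2203]: Failed password for root from 198.51.100.23 port 51236 ssh2
Apr 20 03:12:05 srv sshd[2205]: Failed password for invalid user admin from 198.51.100.23 port 51238 ssh2
Apr 20 03:12:07 srv sshd[2207]: Failed password for root from 198.51.100.23 port 51240 ssh2
Apr 20 03:12:09 srv sshd[2209]: Failed password for root from 198.51.100.23 port 51242 ssh2
Apr 20 03:12:11 srv sshd[2211]: Accepted password for root from 198.51.100.23 port 51244 ssh2
Apr 20 08:30:00 srv sshd[2400]: Failed password for alice from 192.168.1.40 port 40010 ssh2
Apr 20 08:30:20 srv sshd[2402]: Accepted password for alice from 192.168.1.40 port 40012 ssh2
Apr 20 09:00:00 srv sshd[2500]: Accepted publickey for bob from 192.168.1.41 port 40020 ssh2
"""
```

A 'cracking+login' verdict is the signal the IDS in this instance provided: it is the point at which the account password should be treated as compromised and the host examined for planted tools and altered commands.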

[Others (Damaged)]

(ii) Deceived by an individual met on an on-line game site?

<Instance>

- When I chatted with a person I met on an on-line game site, he/she insistently recommended that I download some software, saying it was a very handy tool.  Ultimately, losing patience, I downloaded/installed the software.

- The software (tool) was actually a virus.  As a result, my password for logging in to the on-line game was stolen.

- The password was exploited and the data for the avatars I used in the on-line game was stolen.

IV. Accepting Status of Consultation

The gross number of consultations in April was 938.  Consultations relevant to One-click Billing Fraud numbered 267 (March: 157), a further increase from March.  In addition, consultations relevant to hard selling of phony security software numbered 2 (March: 9), and consultations relevant to Winny numbered 8 (March: 6).

Chart 4-1: All Consultations Accepted by IPA over the Past 6 Months

                            Nov.  Dec.  Jan.'08  Feb.  Mar.  Apr.
Total                        911   389      408   350   645   938
  Automatic Response System  520   222      219   192   373   514
  Telephone                  337   109      151   110   214   335
  e-mail                      52    56       38    47    66    87
  Fax, Others                  2     2        0     1     1     2

*IPA gives consultations/advice on computer viruses/unauthorized computer access as well as on other information concerning overall security issues.

Mail: ?????????? for virus issues, ???????????? for crack issues.

Tel.: +81-3-5978-7509 (24-hour automatic response)

Fax: +81-3-5978-7518 (24-hour automatic response)

*Automatic Response System: numbers accepted by the automatic response system
*Telephone: numbers accepted by Security Center personnel

*The total number includes the numbers in the Consultation (d) column of the chart in “III. Reporting Status for Unauthorized Computer Access” and in “IV. Accepting Status of Consultation”.

<Reference>

Shift in Number of Consultations relevant to One-click Billing Fraud

The major consultation instances are as follows.

(i) Undelivered error mails were returned, but they were mails that we’d never sent out…

Consultation:

Hundreds of undelivered error mails were returned to our company’s mail server.  The sender of the error mails was configured as our company’s mail address, but the account did not actually exist.  Although we checked the logs of the mail server, it was apparent that they were not mails sent out by us.  Why did such a mystery happen?

Response:

The sender of a mail can be spoofed easily.  It can be assumed that someone sent out spam using your company’s mail address as the spoofed sender.  From a technical perspective, the receipt of such mails cannot be stopped, so it is hard to take fundamental measures.

When a business’s address is spoofed, you may receive complaints from outside.  To avoid being regarded as the source of the spam, we encourage you to take the following operational/administrative measures.

- Centralize the inquiry contact point;

- Publicize on your web site, etc. that your company’s mail address was spoofed.

<Reference>

IPA – “Countermeasures to prevent spoofing of IP address, mail address, etc.” (in Japanese)

http://www.ipa.go.jp/security/ciadr/cm01.html#spoofing

(ii) Spam came after I applied to a prize site…

Consultation:

I accessed a prize site to win a prize.  Then I received several tens of spam mails from dating sites.  Is there any way to stop them?

Response:

From a technical aspect, receiving spam cannot be stopped.  Accordingly, using the spam filter functions provided by providers, mail software and security software is a practical, though possibly temporary, solution.  Changing your mail address is the only permanent solution left.

Some malicious sites appear to be prize sites but are actually collecting personal information such as mail addresses to divert to other purposes.  Therefore, the best preventive measure is not to give suspicious providers/site managers your private information, including your mail address, from now on.  If you need to tell them a mail address, it is better to give one that you intend to change/delete shortly.

<Reference>

Spam Consultation Center, Nippon Information Communications Association (in Japanese)

http://www.dekyo.or.jp/soudan/

V. Accessing Status Captured by the Internet Monitoring (TALOT2) in April

According to the Internet Monitoring (TALOT2), the total number of unwanted (one-sided) accesses in April 2008 was 206,970 and the gross number of sources was 77,804 for 10 monitoring points.  That is, there were 690 accesses from 259 source addresses per monitoring point per day.

Since each monitoring environment for TALOT2 is nearly equal to the general connection environment used for the Internet, it can be considered that the same amount of unwanted (one-sided) access is observed in general Internet users’ connection environments.  In other words, your computer is being accessed on average from 259 unknown source addresses per day, or you are being accessed about 3 times from each source address considered unauthorized.

Chart 5-1: Unwanted (One-sided) Number of Accesses and Number of Sources per Monitoring Point per Day

Chart 5-1 shows the number of unwanted (one-sided) accesses and the number of sources on average per monitoring point per day from November 2007 to April 2008.  According to this chart, both figures were at almost the same level as those reported in March, so the overall contents of the accesses were stable.

In the last part of April, accesses to ports 139/tcp and 445/tcp temporarily increased.  Since the longest holiday season of the year, the so-called Golden Week, fell in April and May (from April 29 to May 6), the number of home computer users temporarily increased; if their computers had already been infected by bots, accesses to those ports may have increased accordingly.

These two ports are at somewhat high risk of being targeted if they are used for insufficiently protected file (network) sharing or by Windows installations whose vulnerabilities have not yet been resolved.

Charts 5-2 and 5-3 show the shift in the number of accesses to ports 139/tcp and 445/tcp classified by source area.

Chart 5-2: Number of Access to the Port 139/tcp Classified by Source Area

Chart 5-3: Number of Access to the Port 445/tcp Classified by Source Area

For further details, please refer to the following URLs as well.

Attachment_3 Observation Status Captured by the Internet Monitoring (TALOT2)

http://www.ipa.go.jp/security/english/virus/press/200804/documents/TALOT2-0804.pdf

Summary Reporting Status for Computer Virus/Unauthorized Computer Access for April

http://www.ipa.go.jp/security/english/virus/press/200804/documents/Summary0804.pdf

Attachment_1 Computer Virus Incident Report

http://www.ipa.go.jp/security/english/virus/press/200804/documents/Virus0804.pdf

Attachment_2 Unauthorized Computer Access Incident Report

http://www.ipa.go.jp/security/english/virus/press/200804/documents/Crack0804.pdf

 


Various Statistical Information Provided by Other Organizations/Vendors is Published on the Following Sites


@police:      http://www.cyberpolice.go.jp/english/
Trendmicro: http://us.trendmicro.com/
McAfee:      http://www.mcafee.com/us/

 


Contact
IT Security Center, Information-technology Promotion Agency, Japan (IPA/ISEC)
Tel:+81-3-5978-7527

Fax:+81-3-5978-7518

E-mail:
Copyright(c) Information-technology Promotion Agency, Japan. All rights reserved 2005