Font Size Change

HOMEIT SecurityIPA/ISEC in JAPAN:virus and UCA incident report for May2008


IT Security

IPA/ISEC in JAPAN:virus and UCA incident report for May2008

June 16, 2008

IT Security Center
Information-technology Promotion Agency, Japan (IPA)

This is a summary of computer virus/unauthorized computer access incident reports for May, 2008 compiled by IPA.

I. Reminder for the Month:

-Unauthorized Computer Access Caused by SQL Injection Frequently Occurred!!-

Your Website, too, is Targeted!!  Your Security Measures are Sufficiently Equipped?

On or around of March 2008, there frequently occurred the damages caused by SQL (Structured Query Language) injection, the one of unauthorized accesses, targeting such website that has vulnerability*.  Such tendency had been continued up to May: as the result, number of damage reports and asking consultations relevant to the information leakage and the website being modified caused by SQL injection as well as the reports for the detection of the websites being altered were rushed to IPA continually.

Users may be infected by virus when he/she simply browsed the altered websites so that the damages caused by this unauthorized access are being enlarged.

Herein IPA, we are calling for users to conduct sufficient security measures: however, as of now, there can be seen lack of websites sufficiently addressed to fight against the vulnerability of SQL injection so that number of users is still facing certain risks.  Accordingly, those website developers and managers should conduct sufficient vulnerability measures and to perceive the significance which may be caused by SQL injection.

* Vulnerability generally refers the weakness of security and is called “security hole” as well.

(1) General description of SQL injection

SQL injection is the command consisting of some SQLs (SQL statements) that are used to control information within a database.  Such website which referring certain database(s) applies this mechanism: in such a website, web applications will return the user the results dynamically reflected when the applications request to the database according to a user’s inputs.

What if the web application has vulnerability relevant to SQL injection, an adversary may “inject” malicious SQL statement(s) so that the information within that database may be manipulated fraudulently.  This malicious accessing method is specifically referred as SQL injection attack.

When SQL injection successfully conducted, the adversary will be able to manipulate information within that database freely so that the website may be compromised.  As its result, there will cause serious damages such as information alteration, deletion, deviation, etc. may be occurred.

Since SQL injection attack is still being continued, it is probable that your website is, too, still targeted!  According to the analytical result acquired from the “iLogScanner”, the edgy SQL injection vulnerability detection tool developed by IPA, the SQL injection attack could be observed on the website managed by IPA as well.

According to the current reports, there can be seen number of cases that the traps for which induce users to the website being infected by virus eventually cause information leakage by SQL injection.  Those users browsed the websites being altered are likely to be infected by virus while they do not know which may introduce/enlarge secondary damages.

As described previously, damages by SQL injection will not only be the problems in that website, but also users and their information assets will be affected.  That is, a casualty from SQL injection will be a victimizer simultaneously.

(2) Measures to be conducted by web application developers

Generally, it is troublesome to cease the services on the website once started, and it needs extra cost to modify vulnerability in the application being detected after it is completed.  That is, upon developing web application(s), it is utmost important to solve/consider security relevant matters in the design phase to prevent introduce vulnerability.

When you outsource web application development, you need to conduct equivalent measures as with the development conducted within your organization.

Please refer to the following URLs not to introduce vulnerability for your further web application development.  In addition, we encourage you to conduct vulnerability checkouts by third party/person.


(3) Measures to be conducted by website managers

(i) Preliminary measures to prevent unauthorized computer access

As for the fundamental measures to prevent unauthorized computer access by SQL injection as far as possible, please conduct following measures:

(a)Fundamental software (OS) of web server and application software being installed are to be constantly updated to resolve potential vulnerabilities.

(b)Identify potential vulnerabilities being hided in the website by security audits before newly services will be publicized: it should be modified if necessary.

(ii) Operational measures to develop unauthorized computer access

The most important thing to limit the damages caused by unauthorized access is to detect such fraudulent activities earlier as possible.  To that end, we recommend you to conduct following measures.

(a)Website real-time monitoring - to check up whether or not that web pages, access logs and/or database are altered.  As for the means, implementation of alteration detection tool is effective.

(b)To detect intrusion, IDS* and/or IPS should be implemented.  Nowadays, WAF*, a specialized for communication monitoring via web applications, is also available.  In case, one of these means is not available at your work place, outsourcing should also be considered.

(c)Constantly audit website to check up with or without of the existence of newer vulnerabilities (it may be a chance to find out new type of attacking method, as well)

* IDS (Intrusion Detection System), IPS (Intrusion Prevention System), WAF (Web Application Firewall)


Herein IPA website, we are publicizing “iLogScanner”, an edgy tool to detect the probe of SQL injection.  By utilizing this tool, you can check with or without of problems in the website your organization is running.

(iii) Post-measures after the damages caused by unauthorized access

You need to specify/modify the cause of unauthorized access as well as to realize magnitude of damages, areas may be affected, etc.  In case it takes time to modify the cause of damage, we encourage you to temporarily interrupt the website publication.

Note: Since professional knowledge and engineering are necessary to comprehend/recover from damages, it will be necessary to outsource the checkouts if your organization does not provide sufficient efforts on them immediately.

In case personal information is stored in the database is damaged, it is also possible that they may be leaked.  Accordingly, it is necessary to specify the area that the information may be leaked when you address your clients, business partners, etc.

Moreover, if the website is hacked and altered to link in where virus pages are included, it is likely that the damages by virus infection may be enlarged among those users who browse the website.  It can be assumed that there will be some users who do not realize that they are infected; it is expected to announce the time and date that the website is compromised, availability of checking method, etc. via website and/or using adequate communication tool.

  • “JVN iPedia, the database for vulnerability countermeasures” (in Japanese)

II. Reporting Status for Computer Virus – further details, please refer to the Attachment 1 –

The detection number of virus[*1]was about 200T which was subtly decreased (3.3%) from 206T in April.  In addition, the reported number of virus[*2]was 1,737 which was subtly increased from 1,703 in April.

*1 Detection Number: Reported virus counts (cumulative) found by a filer.

*2 Reported Number: Virus counts are aggregated: viruses of same type and variants reported on the same day are counted as one case number regardless how many viruses or the actual number of viruses is found by the same filer on the same day.  In May, the reported number was 1,737: aggregated virus detection number was about 200T (From the May ‘08 report, we will use “T (thousand)” instead of using “M (Million)” to present numbers reported).

The worst detection number of virus was fallen on W32/Netsky with about 180T; W32/Mywife with about 0.6T and W32/Mytob with about 0.47T were ranked the second and the third, respectively.

Chart 2-1

Chart 2-2

III. Reporting Status of Unauthorized Computer Access (includes Consultations) Please refer to the Attachment 2 for further details

Report for unauthorized computer access and status of consultation
  Des. Jan.'08 Feb. Mar. Apr. May
Total for Reported (a) 14 8 4 19 14 4
  Damaged (b) 7 7 4 13 10 4
Not Damaged (c) 7 1 0 6 4 0
Total for Consultation (d) 21 24 29 35 56 37
  Damaged (e) 16 15 10 15 31 18
Not Damaged (f) 5 9 19 20 25 19
Grand Total (a + d) 35 32 33 54 70 41
  Damaged (b + e) 23 22 14 28 41 22
Not Damaged (c + f) 12 10 19 26 29 19

(1) Reporting Status for Unauthorized Computer Access

Reported number of May was 4: All of them were the number actually damaged.

(2) Accepting Status for Consultation relevant to Unauthorized Access

The consultation number relevant to unauthorized computer access was 37: of 18 was the number that had some damage.

(3) Damage Status

The breakdown of the damage reports were consisted of: intrusion with 2, DoS attack with 1 and others (damaged) with 1.  The damage instance caused by intrusion was that the contents of web pages were altered as the damage caused by an SQL attack conducted with 1, suspicious files were embedded by exploiting the remotely operable software in a server from outside with 1.  The cause of intrusion was the vulnerability in web application with 1 and insufficient router configuration with 1.

As for the damages for others (damaged), someone spoofed to be the legitimate user logged in to a net auction site to list the items that the adversary wished to sell without asking with 1.

(4) Damage Instance:


(i) Database was altered caused by an SQL injection attack…
  • –   The self-managed web page was configured with encrypted communication via https for browsing.  One day, upon accessed to the site, I was altered that there are some contents that are not protected by certain security means.  Do you still wish to display them?  That is, the server allowed unencrypted, normal communication via http as well.
  • –   Study was conducted and it was realized that upon accessing to the self-managed site via https, the server also allowed accessing to the other sites via http.
  • –   According to the further study results, there realized vulnerability relevant to SQL injection in the web application to access to the database run by the web server.  Caused by the SQL injection attack exploiting vulnerability, the database was altered and number of link codes to malicious sites was embedded (more than 4M codes.)
  • –   Since the web page contents would be “structured” dynamically with the use of the data stored in the database, the web pages for users included malicious codes embedded as well when they were altered.  As its result, quite a few users (about 3,000) who’d browsed the web pages were induced to malicious sites by the previously described communication via http.
  • –   For your further information, those users who’d induced to malicious site with the computer for which vulnerability had not yet resolved, users may have been infected by virus in that sites.
(ii) Someone listed items spoofing to be myself (legitimate user) in a net auction…
  • –   An “auction listing confirmation mail” came to my mobile phone for which I do not know.
  • –   Logged in to the auction for checking purpose, there listed some items using my ID while I do not know.
  • –   I could respond it immediately by communicating with the site manager, so that my damage could be restricted at minimum.

IV. Accepting Status of Consultation

The gross number of the consultation in May was 1,080 . Of the consultation relevant to “ One-click Billing Fraud ” was 320 (April: 268), which was the thirdly worse result since IPA started to aggregation.  As for the others, consultation relevant to “Hard selling of phony security measures software” with 1 (April: 2) and the consultation relevant to “ Winny ” with 8 (April: 8), etc. were also realized.

All the Consultation Number Accepted by IPA over the Past 6 Months
  Des. Jan.'08 Feb. Mar. Apr. May
Total 389 408 350 654 938 1080
  Automatic Response System 222 219 192 373 514 649
Telephone 109 151 110 214 335 379
e-mail 56 38 47 66 87 48
Fax, Others 2 0 1 1 2 4

*IPA consults/advises for computer viruses/unauthorized computer accesses as well as the other information concerning overall security issues

Mail: Please feel free to call at +81-3-5978-7517. for virus issues, Please feel free to call at +81-3-5978-7517.for crack issues.
Tel.: +81-3-5978-7509 (24-hour automatic response)
Fax: +81-3-5978-7518 (24-hour automatic response)

*”Automatic Response System”:    Responding numbers by automatic response
*“Telephone”:      Responding numbers by the Security Center personnel
*The Total case number includes the number in Consultation (d) column of the Chart in the “III. Reported Status for Unauthorized Computer Access” and “IV. Accepting Status of Consultation”.

The major consultation instances are as follows.

(i) Virus was detected when inserted my USB memory to the other person’s computer…


Virus is detected (by anti-virus software A) when inserted my USB memory to the other person’s computer.  I immediately checked with or without of virus (by anti-virus software B) using my computer, but nothing is detected.  Is there virus or not in the USB memory?


The criteria whether it is virus or not may depend the anti-virus software you are using.  In this case, you should remove virus as some virus is detected when you checked virus with anti-virus software A.

When you check with or without virus in suspicious files, we recommend you using anti-virus software as many as possible.  “VIRUS TOTAL” is the on-line service which diagnoses suspicious files.  It is free and you can check with more than 30 types of anti-virus software simultaneously.


(ii) Those mails that I’d never sent returned as undeliverable error mails…


More than 2,000 mails were returned as undeliverable error mails.  The sender is my mail address, but the actual sender is differed whom I do not know.  The content of mail is that he/she offers Viagra medication with bargain price.  What shall I do?


This may be the case that an adversary who acquired your mail address via certain mean spoofing to be you as the sender to send number of spams.  In terms of current technology, there is no way to stop sending such mails.  Accordingly, using spam mail filtering function served by providers, similar functions furnished with mailing software and security measures software is the realistic solutions for.  In this case, it is effective to use the partial error message within a mail body returned as the keyword when you filter spams.

Changing your mailing address will be the last resort.


V. Accessing Status Captured by the Internet Monitoring (TALOT2”) in May

According to the Internet Monitoring (TALOT2), the total of unwanted (one-sided) number of access in May 2008 was 186,435 and the gross number for the sources was 74,936 for 10 monitoring points.  That is, the number of access was 612 from 248 source addresses/monitoring point/day.

Since each monitoring environment for the TALOT2 is nearly equal to the general connection environment used for the Internet; it can be considered that the same amount of unwanted (one-sided) access can be monitored for the general Internet users’ connection environment.  In another word, your computer is being accessed from 248 unknown source addresses in average/day or you are being accessed about 2 times from one source address which considered unauthorized.

Chart 5-1: Unwanted (One-sided) Number of Access and Source Number of Access/Monitoring Point/Day in Average

The Chart 5-1 shows the unwanted (one-sided) number of access and the source number of access in average/monitoring point/per day from December 2007 to May 2008 respectively.  According to this chart, both the unwanted (one-sided) accesses in May were subtly decreased from the ones reported in April: as for the entire contents of access, they are gradually decreasing.

(1) The Access Targeting the Port 22/tcp

The access to the port 22/tcp can be considered such activity that it searches SSH* server to analyze vulnerable password authentication.

There realized that some periods in May for which accesses to the port 22/tcp, the one of monitoring points** using SSH for the maintenance purposes for TALOT2, were drastically increased temporarily (See the Chart 5-2).

*SSH (Secure Shell): One of remotely executable command tools for which communication path is encrypted to realize its sturdier security.

**These accesses are for specific monitoring points: Since they are outside of statistical purposes so that they are excluded from the aggregation.

Chart 5-2: Number of Access to the Port 22/tcp Classified by Source Area (1 Monitoring Point in where Uses SSH)

In addition, there detected the vulnerability relevant to SSH in the middle of May.  This vulnerability allows to generate predictable random within OpenSSL[*1], so that it will indirectly affect OpenSSH[*2] as well.  The key generated by that OpenSSL package will expose vulnerability in applications.  It is possible that the system which uses vulnerable applications will be conducted Brute Force attack[*3] by an adversary.  It can be assumed that the key information will be analyzed, accordingly.

Should those server managers who use the system may be affected update their applications and regenerate key(s) immediately.

*1: An open source tool kit which implements SSL v2/v3 and TLS v1 by OpenSSL group.

*2: A client/server program which implements SSH (Secure Shell) by OpenBSD group.

*3: Brute Force attack refers Exhaustive Search attack as well: This is the one of attacking methods using variety of analytical means to break password.

<Referential Information>
  • Vulnerability which allows to generate predictable random within OpenSSL package of JVNVU#925211Debian and Ubuntu (in Japanese)


For further information for the above mentioned information, please refer to the following URLs as well.

Variety of statistical Information provided by the other organizations/vendors is available in the following sites.


IT Security Center, Information-technology Promotion Agency, Japan (IPA/ISEC)
E-mail: Please feel free to call at +81-3-5978-7517.