IPA/ISEC in Japan: Virus and Unauthorized Computer Access Incident Report for August 2008

September 19, 2008

IT Security Center
Information-technology Promotion Agency, Japan (IPA)

This is a summary of the computer virus and unauthorized computer access incident reports for August 2008 compiled by IPA.

I. Reminder for the Month:

Mail you do not recognize should go straight into the trash: never open it just out of curiosity!

- Damage caused by spam mail is increasing -

Among the consultations IPA received in August, a number concerned virus infections via e-mail, for example: "my anti-virus software raised an alert when I clicked a link in a mail from a well-known overseas news site", and "a message saying 'your computer is infected with a virus' kept appearing after I clicked a link to photos of a famous movie star that had been sent by mail".

If you casually click a link to current news or to gossip about a celebrity, even in a mail you know nothing about, you run a high risk of being infected with a virus, spyware or both (see Chart 1-1). The effective countermeasure is simple: if you do not know the sender, or the mail appears to have nothing to do with you, discard it immediately without opening it.

Chart 1-1: Examples of Spam Mail

(1) Recent Damage Instances

Using spam as the vehicle for virus infection is a long-standing method that is still in use today. The two main techniques have been attaching the virus file directly to the mail and embedding a link in the mail body that leads to the virus. Lately, however, these techniques have become more sophisticated, and several of them may be combined in a single scheme.

Chart 1-2: Virus Infection Disguised as an Application Update

In one instance, the adversary impersonates a well-known, real company or organization as the sender and sends mail in HTML format (Hyper Text Markup Language, the format typically used for web pages). Because the company or organization really exists, the user trusts the mail and readily clicks the URL in the body. The user is then led to a bogus site masquerading as that organization and is prompted to download a "player" needed to view a video related to the news story, or to run a program that supposedly updates an application (see Chart 1-2).

These are not legitimate programs at all; they are viruses. Depending on what was downloaded, the program may act as a downloader (a tool whose only job is to fetch further files) that connects to malicious sites and installs additional viruses or spyware. Since the files hosted on those sites can be swapped at will by the adversary, what ends up on the computer is whatever the adversary chooses to distribute at the time. One current trend is financial exploitation: the user is induced to download bogus "security software" and is then pressed to pay for it by credit card.


(2) How to Recognize Spam

Mail that should be treated with caution, spam included, falls into roughly four types. The main characteristics of each type are listed below. When a mail shows any of these characteristics, never open it; discard it immediately.

(a) Indiscriminate advertisements

・Mail sent repeatedly from the same sender

(b) The sender differs, but the body is always the same

・The sender differs, but the subject and body are always the same
・The sender and subject differ, but the body is always the same

(c) Neither the sender nor the content is known

・Advertising mail from an unknown address with which the user has never registered
・Mail announcing that the user has won a prize, an award, etc.

(d) The sender is a friend or acquaintance, but the subject is odd or something feels different

・A sender who always writes in Japanese, but whose latest mail is in a different language
・A sender who has never attached files, but whose latest mail has an attachment

Visual inspection alone, however, can let spam slip through. We therefore recommend that you also use the spam filtering function built into your mail software, which automatically blocks or deletes mail it identifies as spam. On top of that built-in filter, we encourage you to use either off-the-shelf anti-spam software or the spam filtering service offered by your provider (*1).

(*1) Provider: an ISP (Internet Service Provider), a business that provides users with Internet connection services.
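The four patterns above can be checked mechanically over a batch of incoming mail. The following Python script is an added example, not part of the IPA report: it groups messages by sender and by a normalized hash of the body, looks for prize-style wording from unknown senders, and compares mail from known contacts against a per-contact baseline (usual language, whether they send attachments). The mailbox, the KNOWN_CONTACTS baseline and the REPEAT_THRESHOLD value are all constructed assumptions.

```python
"""Mechanical check of a mail batch against the four spam patterns (a)-(d).

Added example, not part of the IPA report. The mailbox is constructed; the
KNOWN_CONTACTS baseline and REPEAT_THRESHOLD are assumptions a reader would
replace with data learnt from their own mail.
"""
import re
from collections import Counter, defaultdict
from email.message import EmailMessage
from hashlib import sha256

REPEAT_THRESHOLD = 3   # (a): this many mails from one unknown sender in a batch (assumed)
PRIZE_RE = re.compile(r"\b(won|winner|prize|award|lottery)\b", re.IGNORECASE)
JAPANESE_RE = re.compile(r"[\u3040-\u30ff\u4e00-\u9fff]")   # hiragana, katakana, kanji

# Assumed per-contact baseline, as would be learnt from that contact's past mail.
KNOWN_CONTACTS = {
    "tanaka@colleague.test": {"script": "ja", "sends_attachments": False},
}


def make_message(sender, subject, body, attachment=None):
    """Build a message; `attachment` is an optional (filename, bytes) pair."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream",
                           filename=name)
    return msg


def body_text(msg):
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def body_fingerprint(text):
    """Hash of the whitespace-normalised, lower-cased body: equal across a spam run."""
    return sha256(re.sub(r"\s+", " ", text).strip().lower().encode("utf-8")).hexdigest()


def script_of(text):
    return "ja" if JAPANESE_RE.search(text) else "other"


def has_attachment(msg):
    return any(True for _ in msg.iter_attachments())


def triage(messages, known_contacts):
    """Return, per message, the sorted list of matching pattern letters."""
    senders = [str(m["From"]) for m in messages]
    bodies = [body_text(m) for m in messages]
    prints = [body_fingerprint(b) for b in bodies]
    per_sender = Counter(senders)
    senders_per_body = defaultdict(set)
    for sender, fp in zip(senders, prints):
        senders_per_body[fp].add(sender)

    flags = []
    for msg, sender, body, fp in zip(messages, senders, bodies, prints):
        hits = set()
        known = sender in known_contacts
        if not known and per_sender[sender] >= REPEAT_THRESHOLD:
            hits.add("a")                      # repeated mail from the same unknown sender
        if len(senders_per_body[fp]) >= 2:
            hits.add("b")                      # identical body arriving from several senders
        if not known and PRIZE_RE.search(body):
            hits.add("c")                      # unknown sender announcing a prize or award
        if known:
            base = known_contacts[sender]
            if (script_of(body) != base["script"]
                    or (has_attachment(msg) and not base["sends_attachments"])):
                hits.add("d")                  # known contact, but language or habits changed
        flags.append(sorted(hits))
    return flags


def build_sample_mailbox():
    """Constructed batch of messages, not real mail."""
    shop = "deals@example-shop.test"
    return [
        make_message(shop, "Big sale!", "Buy now, 90% off."),
        make_message(shop, "Big sale!!", "Buy now, 90% off."),
        make_message(shop, "Last chance", "Buy now, 90% off."),
        make_message("a1@random.test", "Breaking news", "Watch: http://news.example/video"),
        make_message("b2@other.test", "Breaking news", "Watch: http://news.example/video"),
        make_message("c3@third.test", "Celebrity photos", "Watch: http://news.example/video"),
        make_message("lottery@unknown.test", "Congratulations", "You won a prize! Claim your award."),
        make_message("tanaka@colleague.test", "Re: meeting", "明日の会議の件、よろしくお願いします。"),
        make_message("tanaka@colleague.test", "Re: meeting", "Please see the attached file.",
                     attachment=("invoice.exe", b"MZ\x90\x00")),
    ]


if __name__ == "__main__":
    mailbox = build_sample_mailbox()
    for msg, hits in zip(mailbox, triage(mailbox, KNOWN_CONTACTS)):
        print(f"{str(msg['From']):<26} {str(msg['Subject']):<18} {hits or 'clean'}")
```

The body fingerprint is what catches pattern (b): a spam run changes the sender and subject cheaply, but reusing the body is what makes the run economical, so an identical normalized body from two or more unrelated senders is a strong signal. Pattern (d) is the one a filter cannot learn from the mail alone; it needs the per-contact history, which is why the baseline is kept separately.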

(3) Anti-Virus Measures

The fundamental measure against virus infection is to keep the virus signature file of your anti-virus software up to date. The current tendency, however, is that virus variants (*2) appear so frequently, and adding their signatures takes enough time, that anti-virus software may fail to detect them. We therefore provide some additional measures below.

Anti-virus software is not all-powerful: it may miss a virus even when fully updated. It is therefore essential to eliminate the vulnerabilities in your computer. Be sure to check your Flash Player as well, following procedures 4) and 5).

(*2) Variant: a virus derived from an original virus by adding functions and/or subtly altering its original behavior.

 

(a) Fundamental measures

Viruses often spread by exploiting vulnerabilities (*3) in the OS and/or applications. Reduce or eliminate such vulnerabilities as far as possible by keeping the OS and the applications you use up to date.

(b) Changing the mail software configuration

Even if your mail software is set to display HTML mail, we recommend changing the configuration so that the mail body is shown as plain text only, and so that attachments that could be viruses cannot be opened, for example by using the corresponding Outlook Express function (Outlook Express automatically withholds suspicious attachments, judged by their file extension).

 

(*3) Vulnerability: in general, a security weakness in software or similar. Also called a security hole.
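The two configuration changes in (b) above (show text only, withhold attachments that could be viruses) can be expressed as a small policy in code. The following Python is an added example, not from the IPA report or from any mail client: it takes an e-mail message, presents only the plain-text part (falling back to the bare text of an HTML part without rendering it), withholds attachments whose final extension is executable, and additionally checks HTML links for the trick used in the spoofed-sender case in (1): visible link text naming the impersonated site while the real target is elsewhere. BLOCKED_EXTENSIONS is an assumed subset of the unsafe-file list clients such as Outlook Express use, and the sample message is constructed.

```python
"""Show mail the hardened way: plain text only, dangerous attachments held back,
and HTML links checked for a mismatch between the visible text and the real target.

Added example, not from the IPA report. BLOCKED_EXTENSIONS is an assumed subset of
the 'unsafe file' list mail clients such as Outlook Express use; the sample message
is constructed.
"""
import os
import re
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                      ".vbs", ".js", ".lnk", ".hta"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for each anchor and the page's visible text."""

    def __init__(self):
        super().__init__()
        self.links = []        # [href, visible text]
        self.text_parts = []
        self._in_link = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            self._in_link = href is not None
            if self._in_link:
                self.links.append([href, ""])

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_link = False

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._in_link:
            self.links[-1][1] += data


def _host(url):
    return (urlparse(url).hostname or "").lower()


def mismatched_links(html):
    """Anchors whose visible text names a host other than the one the href goes to."""
    parser = _LinkExtractor()
    parser.feed(html)
    parser.close()
    bad = []
    for href, text in parser.links:
        shown = text.strip()
        m = URL_RE.search(shown)
        shown_host = _host(m.group(0)) if m else shown.lower()
        if HOST_RE.match(shown_host) and shown_host != _host(href):
            bad.append((shown, href))
    return bad


def safe_view(msg):
    """What a client with 'text only' and 'block unsafe attachments' would present."""
    plain = msg.get_body(preferencelist=("plain",))
    html_part = msg.get_body(preferencelist=("html",))
    if plain is not None:
        text = plain.get_content()
    elif html_part is not None:
        parser = _LinkExtractor()
        parser.feed(html_part.get_content())
        parser.close()
        text = "".join(parser.text_parts)       # HTML is never rendered, only its text
    else:
        text = ""
    suspicious = mismatched_links(html_part.get_content()) if html_part is not None else []

    blocked, allowed = [], []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()   # final extension decides: x.jpg.exe is .exe
        (blocked if ext in BLOCKED_EXTENSIONS else allowed).append(name)
    return {"text": text, "urls": URL_RE.findall(text), "suspicious_links": suspicious,
            "blocked_attachments": blocked, "attachments": allowed}


def build_sample_message():
    """Constructed mail in the style of the incident: HTML whose link text names the
    impersonated news site while the href fetches an executable, plus a
    double-extension attachment."""
    msg = EmailMessage()
    msg["From"] = "news@example-news.test"
    msg["Subject"] = "Breaking video: player update required"
    msg.set_content("Watch the video at http://www.example-news.test/video\n")
    msg.add_alternative(
        '<p>Watch the video at <a href="http://203.0.113.5/player_update.exe">'
        'http://www.example-news.test/video</a></p>', subtype="html")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="video_player.jpg.exe")
    return msg


if __name__ == "__main__":
    view = safe_view(build_sample_message())
    print(view["text"].strip())
    for shown, real in view["suspicious_links"]:
        print(f"link text {shown!r} actually goes to {real!r}")
    print("blocked attachments:", view["blocked_attachments"])
```

Two design points carry over to real clients: the attachment decision is made on the last extension only, so a name such as video_player.jpg.exe is treated as an executable no matter how it is displayed, and the HTML part is still parsed even when a plain-text part exists, because the link mismatch is only visible in the HTML the user would otherwise have clicked.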

In addition, to avoid virus infection from spam, it is important not to click casually on URLs in attachments or in the mail body. If you do click such a link by accident, a warning screen like the one in Chart 1-3 may appear. This screen means that someone is trying to get you to download a program of some dubious kind; always click "Cancel" immediately when such a warning appears.

Chart 1-3: Warning Screen Shown When Attempting to Download a Suspicious Program (Windows Vista / Windows XP)

(4) Countermeasures against Hard-selling of Security Software

After you click a URL in a spam mail, alerts such as "A virus has been detected on your computer" or "Your computer is in an error state" may appear, urging you to buy the "security software" shown in the window.

In many cases these messages are fake, displayed with malicious intent to pressure you into paying for bogus security software while nothing is actually wrong with your computer (Chart 1-4). Security software sold by such dishonest means cannot be trusted, so never buy it.

Chart 1-4: Hard-selling of Security Software

If you have installed such "security software" by mistake, or the purchase screen will not go away, restore the system as described below. If the symptoms keep coming back, initialize the computer.

(a) Restoring the system to a sound state with System Restore

"System Restore" is the Windows function for returning Windows to a sound state. Windows automatically saves the system state at certain points (restore points) so that, if it becomes unstable or fails to work normally, you can return it to the state saved at one of those points. You can also create a restore point yourself. In addition, when new software is installed, Windows saves its state immediately before the installation. Use System Restore to return to the sound state from before Windows began to behave unstably or malfunction.
Note that any application software installed or updated between the chosen restore point and now will be undone, so you will need to install or update it again after the restoration.
Documents you created, sent and received mail, browsing history and favorites saved since the restore point are, however, kept.

(b) Initializing the computer

"Initialization" means returning the computer to its default state, that is, the state it was in when you bought it. Even if the computer is infected with several viruses, initialization removes all of them.
When initializing, be sure to follow the instructions that came with the computer.
Never fail to back up important data to external media (USB memory, CD-R, external HDD, etc.) before you start the initialization.


II. Reporting Status for Computer Viruses (for details, see Attachment 1)

The virus detection number (*1) in August was about 191 thousand, about the same level as July (about 191 thousand). The virus report number (*2) in August was 1,811, an increase of 25.1% from July (1,448).

*1 Detection number: the (cumulative) count of viruses found by reporters.

*2 Report number: the aggregated count in which viruses of the same type and variant reported by the same reporter on the same day are counted as one report, regardless of how many viruses were actually found. In August, the report number was 1,811 and the aggregated detection number was about 191 thousand. (Since the May 2008 report, detection numbers are presented in thousands (T) rather than millions (M).)

The highest detection numbers were W32/Netsky with about 180 thousand, followed by W32/Mytob with about 3.5 thousand and W32/Mydoom with about 3.4 thousand.

Chart 2-1

Chart 2-2

III. Reporting Status for Unauthorized Computer Access (including Consultations) (for details, see Attachment 2)

Reports of unauthorized computer access and status of consultations

                                Mar.  Apr.  May  Jun.  Jul.  Aug.
Total reported (a)                19    14    4    13    19    15
  Damaged (b)                     13    10    4    11    18    10
  Not damaged (c)                  6     4    0     2     1     5
Total consultations (d)           35    56   37    36    49    25
  Damaged (e)                     15    31   18    15    26    13
  Not damaged (f)                 20    25   19    21    23    12
Grand total (a + d)               54    70   41    49    68    40
  Damaged (b + e)                 28    41   22    26    44    23
  Not damaged (c + f)             26    29   19    23    24    17

(1) Reporting Status for Unauthorized Computer Access

The number of reports in August was 15, of which 10 involved actual damage.

(2) Status of Consultations on Unauthorized Access

The total number of consultations on unauthorized computer access was 25 (4 of which were also counted as reports), of which 13 involved actual damage.

(3) Status of Damage

The breakdown of the damage reports was: intrusion 4, DoS attack 1, source address spoofing 1 and others (with damage) 4.

The damage caused by the intrusions was: the server was used to attack other sites (3 cases) and the web page contents on a leased server were altered (1 case). The cause of intrusion was a password cracking attack* on the port used by SSH* in 3 cases, among others.

As for the others (with damage), someone logged in to an online service with the legitimate user's account and used services available only to that user: an online game in 1 case and web mail in 1 case, among others.

*SSH (Secure Shell): a protocol for communicating with a remote computer over a network.

*Password cracking: the activity of searching for other users' passwords by analysis. It includes brute-force attacks and dictionary attacks, and dedicated cracking programs also exist.

(4) Damage Instances:

[Intrusion]

(i) Intrusion through the port used by SSH
<Instance>
  • A check of the system logs revealed alerts showing that the server was attempting to attack an outside network.
  • On investigation it turned out that the server had been subjected to a password cracking attack that obtained a password, which allowed the intrusion through the port used by SSH.
  • Furthermore, a site-attacking tool had been planted on the server, and it was being used as a stepping stone to attack other sites.
  • The account that was compromised was "postgres", the database account; its password had been set to an easily guessable one.
  • The user normally sets hard-to-guess passwords, but the password on this server happened to be an easily guessable one.

(ii) My account was hacked on an online game site
<Instance>
  • After a week's interval I logged in to the online game site I had signed up with and found that the avatar I use in that game was in a different place from where I had last logged out. I also found that some items the avatar had, and its money, were missing.
  • I asked a fellow player about it; he/she remembered that someone (the fellow must have thought it was me!) had logged in and my avatar had been active while I was at work.
  • I run Windows Update and anti-virus measures, and update virus signature files regularly.
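The intrusion in instance (i) leaves a characteristic trail in the SSH server's authentication log: a burst of "Failed password" lines for one account from one source, followed by an "Accepted password" line from that same source. The following Python is an added example, not from the IPA report: it scans syslog-format sshd lines for that pattern and also checks an sshd_config excerpt for settings that leave password guessing possible. The log lines and the configuration excerpt are constructed, and the threshold and window are assumptions.

```python
"""Spot password guessing against sshd in auth.log and flag a guess that
eventually succeeded, the pattern behind the 'postgres' intrusion in (i).

Added example, not from the IPA report. The log lines and sshd_config excerpt are
constructed (in the format OpenSSH writes via syslog); the thresholds are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

SYSLOG_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
FAILED_RE = re.compile(SYSLOG_PREFIX + r"Failed password for (?:invalid user )?"
                       r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
ACCEPT_RE = re.compile(SYSLOG_PREFIX + r"Accepted password for (?P<user>\S+) "
                       r"from (?P<ip>[\d.]+) port \d+")

THRESHOLD = 5          # failures from one source against one account ... (assumed)
WINDOW_SECONDS = 300   # ... within this many seconds count as cracking (assumed)


def parse_ts(text, year=2008):
    """syslog stamps carry no year; the caller supplies it."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def analyze(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return {(ip, user): {'failures': n, 'cracked': bool}} for sources over the threshold."""
    recent = defaultdict(list)       # (ip, user) -> failure times inside the window
    total = Counter()
    alerts = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            key, t = (m["ip"], m["user"]), parse_ts(m["ts"])
            total[key] += 1
            recent[key] = [x for x in recent[key] if (t - x).total_seconds() <= window] + [t]
            if len(recent[key]) >= threshold or key in alerts:
                alerts.setdefault(key, {"cracked": False})["failures"] = total[key]
            continue
        m = ACCEPT_RE.match(line)
        if m and (m["ip"], m["user"]) in alerts:
            # a success after a burst of failures from the same source: treat as compromised
            alerts[(m["ip"], m["user"])]["cracked"] = True
    return alerts


def weak_sshd_settings(config_text):
    """sshd_config directives that leave password guessing possible (explicit values only;
    note that OpenSSH's default for PasswordAuthentication is 'yes' when it is absent)."""
    weak = {
        ("passwordauthentication", "yes"): "PasswordAuthentication yes",
        ("permitrootlogin", "yes"): "PermitRootLogin yes",
        ("permitemptypasswords", "yes"): "PermitEmptyPasswords yes",
    }
    findings = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            hit = weak.get((key.lower(), value.strip().lower()))
            if hit:
                findings.append(hit)
    return findings


# Constructed auth.log excerpt: a burst against 'postgres' that ends in success,
# one stray guess at 'admin', and a legitimate user mistyping once.
SAMPLE_AUTH_LOG = """\
Aug 12 03:15:01 db1 sshd[2201]: Failed password for postgres from 198.51.100.7 port 40211 ssh2
Aug 12 03:15:03 db1 sshd[2203]: Failed password for postgres from 198.51.100.7 port 40214 ssh2
Aug 12 03:15:04 db1 sshd[2205]: Failed password for invalid user admin from 198.51.100.7 port 40217 ssh2
Aug 12 03:15:06 db1 sshd[2207]: Failed password for postgres from 198.51.100.7 port 40220 ssh2
Aug 12 03:15:08 db1 sshd[2209]: Failed password for postgres from 198.51.100.7 port 40223 ssh2
Aug 12 03:15:10 db1 sshd[2211]: Failed password for postgres from 198.51.100.7 port 40226 ssh2
Aug 12 03:15:13 db1 sshd[2213]: Accepted password for postgres from 198.51.100.7 port 40229 ssh2
Aug 12 09:02:44 db1 sshd[3001]: Failed password for alice from 192.0.2.10 port 51000 ssh2
Aug 12 09:02:50 db1 sshd[3003]: Accepted password for alice from 192.0.2.10 port 51002 ssh2
""".splitlines()

SAMPLE_SSHD_CONFIG = """\
# constructed excerpt
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for (ip, user), info in analyze(SAMPLE_AUTH_LOG).items():
        print(f"{ip} -> {user}: {info['failures']} failures, cracked={info['cracked']}")
    print("weak sshd settings:", weak_sshd_settings(SAMPLE_SSHD_CONFIG))
```

The "cracked" flag is the part worth alerting on: a single success is normal, a burst of failures is noise that any Internet-facing SSH server sees all day, but the two together from one source against one account are the signature of a guess that worked. On the server in instance (i), the corrective settings would be PasswordAuthentication no (with key-based login), or at least AllowUsers limited to the administrators' accounts, so that a service account such as postgres cannot be used for SSH login at all; a service account should normally have no login shell either.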

IV. Status of Consultations

The total number of consultations in August was 1,616. Of these, consultations on "one-click billing fraud" numbered 545 (July: 457), a sharp increase and the highest figure since IPA began compiling these statistics. Consultations on "hard-selling of bogus security software" numbered 18 (July: 14) and consultations on "Winny" numbered 5 (July: 4), among others.

Chart 4-1: Number of Consultations Received by IPA over the Past 6 Months

                             Mar.  Apr.   May   Jun.   Jul.   Aug.
Total                         654   938  1080  1211  1387  1616
  Automatic response system   373   514   649   693   817   994
  Telephone                   214   335   379   456   500   548
  E-mail                       66    87    48    60    70    69
  Fax, others                   1     2     4     2     0     5

*IPA provides consultation and advice on computer viruses and unauthorized computer access, as well as on other security issues in general.

E-mail: for virus issues and for unauthorized access (cracking) issues, please call +81-3-5978-7517.
Tel.: +81-3-5978-7509 (24-hour automatic response)
Fax: +81-3-5978-7518 (24-hour automatic response)

*"Automatic response system": number of consultations handled by the automatic response system
*"Telephone": number of consultations handled by Security Center personnel
*The total includes the consultations in column (d) of the table in "III. Reporting Status for Unauthorized Computer Access".

Chart 4-1: Number of Consultations on One-click Billing Fraud

The major consultation instances are as follows.

(i) Infected by a virus from USB memory...?

Consultation:

It is possible that most of the computers in my business are affected by a virus that infects USB memory. The main symptoms are as follows. Are there adequate measures to be taken?

- No abnormal behavior is seen while using the computers on their own.

- Data copied from one of them via USB memory turns into a strange "exe" file.

- Publicly available computers sometimes stop working when a USB memory used in my business is attached.

- Nothing is detected even though I scanned with anti-virus software whose signatures were recently updated.

Response:

Since the anomalies occur whenever data is moved via USB memory, it is likely that all the computers in your business have already been infected with some kind of virus. The publicly available computers on which you used the USB memory are also likely to be infected. To remove the virus, you first need to identify the file(s) that appear to be the virus. Once you have narrowed them down, we encourage you to check those files with as many anti-virus products as possible. "VirusTotal" is a free online service that analyzes a suspicious file with more than 30 different anti-virus engines at once.

If, however, a large number of business computers appear to be infected, consulting a security vendor may be the quicker way to deal with them.
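The symptoms in this consultation (a data file that "turns into" an exe, public computers misbehaving when the drive is inserted) are the classic traces of USB-borne malware: an autorun.inf that launches a hidden executable, and executables named after the folders or documents they replaced. The following Python is an added example, not from the IPA report: it walks a drive, flags those traces plus files that carry a PE (MZ) header under a non-executable extension, and computes a SHA-256 for each finding so the file can be looked up before it is submitted anywhere. The drive layout it scans is constructed in a temporary directory.

```python
"""Triage a removable drive for the signs described in the consultation: an
autorun.inf hook, executables masquerading as folders or data files, and a
SHA-256 per suspicious file for a multi-engine lookup.

Added example, not from the IPA report. The drive layout is constructed in a
temporary directory; file names and contents are made up.
"""
import hashlib
import os
import tempfile

EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".lnk"}
DATA_EXT = {".doc", ".xls", ".pdf", ".jpg", ".txt", ".zip"}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def autorun_target(path):
    """The program an autorun.inf would launch (its open= or shellexecute= line)."""
    with open(path, "r", errors="replace") as f:
        for line in f:
            key, _, value = line.strip().partition("=")
            if key.strip().lower() in ("open", "shellexecute"):
                return value.strip()
    return None


def triage_drive(root):
    """Walk `root` and return (relative path, reason, sha256) for each suspicious file."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        folders = {d.lower() for d in dirnames}
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            stem, ext = os.path.splitext(name.lower())
            with open(path, "rb") as f:
                head = f.read(2)
            reasons = []
            if name.lower() == "autorun.inf":
                reasons.append(f"autorun.inf present, launches {autorun_target(path)!r}")
            if ext in EXEC_EXT:
                if os.path.splitext(stem)[1] in DATA_EXT:
                    reasons.append("double extension: data file name ending in executable")
                if stem in folders:
                    reasons.append("executable named after a sibling folder")
            elif head == b"MZ" and ext != ".dll":
                reasons.append("PE header (MZ) in a file with non-executable extension")
            for reason in reasons:
                findings.append((rel, reason, sha256_of(path)))
    return findings


def build_sample_drive(base):
    """Constructed layout mimicking the reported symptoms."""
    os.makedirs(os.path.join(base, "Reports"))
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60
    files = {
        "autorun.inf": b"[autorun]\r\nopen=RECYCLER\\update.exe\r\n",
        "Reports.exe": pe_stub,                          # same name as the Reports folder
        "budget.xls.exe": pe_stub,                       # spreadsheet name, executable extension
        "photo.jpg": pe_stub,                            # executable content, data extension
        os.path.join("Reports", "q2.txt"): b"plain text, benign\n",
    }
    for name, data in files.items():
        with open(os.path.join(base, name), "wb") as f:
            f.write(data)
    return base


def triage_sample():
    with tempfile.TemporaryDirectory() as tmp:
        return triage_drive(build_sample_drive(tmp))


if __name__ == "__main__":
    for rel, reason, digest in triage_sample():
        print(f"{rel:<16} {reason}\n{'':<16} sha256={digest}")
```

Look the SHA-256 up by hash on VirusTotal first, so that business documents are not uploaded unnecessarily, and upload the file itself only when the hash is unknown. As the response notes, a clean verdict from every engine does not prove that a fresh variant is harmless; the autorun.inf target and the folder-named executable are evidence in their own right, whatever the scanners say.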


(ii) I want to save important data, but my computer has behaved improperly since a virus was detected...?

Consultation:

I am a Windows XP user. One day my anti-virus software detected a virus and my computer froze afterwards. I therefore shut the computer down forcibly by holding the power button. Since then, the computer shuts down automatically just before Windows is ready to use. I need to copy important data to external media before I initialize the computer. Do you have any idea what I should do?

Response:

The following are ways to cope when Windows does not start up properly.

1. Start up in Safe Mode. It may also start properly if you select "Last Known Good Configuration (your most recent settings that worked)" from the Windows startup menu.

2. It may be possible to retrieve the data using the Windows XP Recovery Console.


3. Alternatively, remove the hard disk from the malfunctioning computer, connect it to another computer and retrieve the data from there.

V. Access Status Observed by Internet Monitoring (TALOT2) in August

According to the Internet monitoring system TALOT2, the total number of unwanted (one-sided) accesses in August 2008 was 139,174 across the 10 monitoring points, from a gross number of sources* of 53,451. That is, on average each monitoring point received 449 accesses per day from 172 source addresses.

*Gross number of sources: the total number of sources that accessed TALOT2. Accesses from the same source to the same monitoring point and port on the same day are counted as one source.

Since each TALOT2 monitoring environment is nearly identical to a typical Internet connection environment, the same amount of unwanted (one-sided) access can be expected on a general user's Internet connection. In other words, your computer is being accessed on average by 172 unknown source addresses per day, each of which touches it about 3 times, and such access can be regarded as unauthorized.

Chart 5-1: Average Number of Unwanted (One-sided) Accesses and Number of Sources per Monitoring Point per Day

Chart 5-1 shows the average number of accesses and number of sources per monitoring point per day from March to August 2008. According to the chart, both figures decreased slightly in August compared with July, continuing the downward trend of the past six months.

(1) Access to Port 135/tcp

A temporary increase in access was observed on August 27, caused by increased access to port 135/tcp targeting a Windows vulnerability. On that day about 60% of the sources accessing port 135/tcp were in Japan and the remaining 40% were in China. The number of sources accessing other ports also increased slightly compared with the other days in August; the cause of this temporary increase has not been determined (see Chart 5-2).

Chart 5-2: Access Status by Port in August 2008

 


Contact

IT Security Center, Information-technology Promotion Agency, Japan (IPA/ISEC)
Tel: +81-3-5978-7527
Fax: +81-3-5978-7518
E-mail: please call +81-3-5978-7517.