
IPA/ISEC in JAPAN:virus and UCA incident report for September2008

October 14, 2008

IT Security Center
Information-technology Promotion Agency, Japan (IPA)

This is a summary of computer virus/unauthorized computer access incident reports for September, 2008 compiled by IPA.

I. Reminder for the Month:

“Be sure to check your password(s) one more time!”

-Are you confident that your password(s) cannot be worked out maliciously?-

Among the consultations/reports that reached IPA in September, there were a number of damage reports in which the consulter’s account(*1) had been used fraudulently by someone else: in one instance, “items that the consulter knew nothing about were listed under his/her ID on the auction site he/she had signed up with,” etc.

In other consultations, there were cases in which it can be assumed that the consulter’s account was used fraudulently simply because a malicious party worked out the password: some users had used a combination of numbers only, or a simple English dictionary word, as their password. In Internet services that involve money, such as auction services, users are far more likely to face the risk that their password will be exploited maliciously. To prevent such damage, users must be careful when creating, handling and managing their passwords.

(1) Damage Contents and the Cause

The damage reports filed with IPA were taken up by newspapers several times. According to them, a number of cases were identified in which legitimate users’ accounts on an auction site were used fraudulently. Worse still, in some instances someone listed a number of items for sale on that auction site without the legitimate user’s permission, so that the user was subsequently charged a handling fee by the auction site (see Chart 1-1). It can be assumed that the major cause of the damage was that users had set easily guessable passwords. In our consultations as well, many passwords were “a combination of numbers only” or “a simple word from an English dictionary”. A simple password can be worked out very easily and in a short time by a “dictionary attack”(*2), etc., so it is likely to lead to your account being exploited with ease.

Chart 1-1: How a legitimate user’s account falls into an adversary’s hands

(*1) Account: One of the privileges granted to a specific user to use an information system (service). In the information system, the issued ID (user ID) and password determine which services the user may use and to what extent. The user is authenticated by that password.

(*2) Dictionary Attack: An attack method that tries the words in a dictionary one by one, from the beginning to the end, as candidate passwords.


(2) What is a Strong (Secure) Password?

On web sites that provide auction services, etc., you will frequently see a note saying “be sure to use 8 or more characters combining letters, numbers and symbols when creating your password”. This is the tip for creating a strong (that is, hard to analyze) password.

That is, if it would take several thousand years to analyze a password even with current computing technology, the password can be regarded as “NOT ANALYZABLE”. Accordingly, a strong (hard to analyze) password is achieved by using several types of characters, or by making the password long enough.

Table 1-1 shows the computation results obtained with a password analysis tool. According to this table, it took about 50 years at maximum to analyze an 8-digit password made up of letters and numbers (including capital letters and lower case letters) when attempting to compute all of the potential combinations. Accordingly, the password’s security is sufficient if you create an 8-digit password combining 3 types of characters (62 characters in total: capital letters, lower case letters and numbers). We encourage you to create a hard-to-analyze password by referring to Table 1-1, which shows how the required time differs depending on the types of characters and the number of characters in use.

Table 1-1: Maximum time required to analyze a password, by character types and number of characters in use

Be sure to avoid easily guessable passwords such as a password identical to the ID, a combination of numbers only, or a combination of dictionary words, etc., even if they are longer than 8 digits.
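The arithmetic behind Table 1-1, together with the weak-password rules from (2) above, as an added example that is not part of IPA’s report: the character-set sizes, the guess rate derived from the “about 50 years” figure and the stand-in dictionary are assumptions.

```python
SECONDS_PER_YEAR = 365 * 24 * 60 * 60

# Character-set sizes (assumed here; the report's Table 1-1 is not reproduced).
CHARSETS = {
    "digits only": 10,
    "lower case only": 26,
    "lower + upper case": 52,
    "lower + upper + digits": 62,
    "lower + upper + digits + symbols": 94,
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates an exhaustive (brute-force) search must try."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return keyspace(charset_size, length) / guesses_per_second


def implied_guess_rate(charset_size: int, length: int, years: float) -> float:
    """Guess rate at which the keyspace is exhausted in `years`; with 62 characters,
    8 positions and the report's 'about 50 years' this is roughly 1.4e5 guesses/s."""
    return keyspace(charset_size, length) / (years * SECONDS_PER_YEAR)


def strength_table(guesses_per_second: float, lengths=(6, 8, 10, 12)) -> dict:
    """Years to exhaust each (character set, length) pair, in the spirit of Table 1-1."""
    return {(name, n): seconds_to_exhaust(size, n, guesses_per_second) / SECONDS_PER_YEAR
            for name, size in CHARSETS.items() for n in lengths}


# Constructed stand-in for the word list a dictionary attack would use.
DICTIONARY = {"password", "welcome", "letmein", "baseball", "football"}


def character_types(password: str) -> int:
    """How many of {lower, upper, digit, symbol} the password draws from."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)


def password_problems(password: str, user_id: str) -> list:
    """Rules from section (2) that the password violates (empty list if none)."""
    problems = []
    if len(password) < 8:
        problems.append("fewer than 8 characters")
    if password.lower() == user_id.lower():
        problems.append("identical to ID")
    if password.isdigit():
        problems.append("digits only")
    if password.lower() in DICTIONARY:
        problems.append("word in a dictionary")
    if character_types(password) < 3:
        problems.append("fewer than 3 character types")
    return problems
```

At the guess rate implied by the 62-character, 8-digit, 50-year figure, an 8-digit numeric password is exhausted in minutes, which is why the checks reject digits-only passwords regardless of length.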

(3) What to Do

Be sure to manage your account adequately by referring to the following tips.

(a) Tips for creating your password

Although some service providers (auction services, etc.) may limit the usable types of characters, number of characters, etc., be sure to set a strong password using as many of the usable characters as possible (in principle, it should be 8 or more characters in total), referring to Table 1-1 in (2).

(b) Tips for managing your password

Password storage

Generally, a long and complex password is hard to memorize. In that case you may take notes, but it is better to keep your ID and your password separately. Then, even if your password becomes known to someone, there is no way to tell which ID the password works with.

[Figure: ID and password, stored separately]

Change your password regularly

Even if you believe your password is strong enough (providing adequate security), there is a risk that it will be compromised as time passes; accordingly, we strongly recommend that you change your password regularly (e.g., once a month). Even if you change your password regularly, it is meaningless if you simply alternate between the same 2 passwords.

(c) Tips for using your password

Check your log-in history

Depending on the service, you may be able to check your past log-in history when you log in. If you can recognize fraudulent accesses early, for example log entries you do not remember, you can prevent the damage from growing. Accordingly, we encourage you to check your log-in history regularly, and if you find suspicious entries, be sure to contact the site manager immediately and request the necessary procedures, such as disabling your current account.

Do not enter your ID or password on a computer shared by unspecified users (e.g., at an Internet café)

Even if you have set a complex password, it can easily be stolen if spyware was installed on the computer in advance. You should avoid using services that require your ID and password, such as auction sites, on computers you cannot manage, such as those at an Internet café.

Phishing countermeasures

Phishing refers to fraudulently obtaining private information such as an individual’s (physical) address, name, bank account, credit card number, etc. by sending mail masquerading as a financial organization (a specific bank, credit card company, etc.). Recently, instances have been identified in which someone with malicious intent spoofs an Internet service provider in an attempt to obtain a legitimate user’s ID and password for an auction service. Accordingly, when logging in, be sure to check which site you are actually dealing with.

In addition, if you receive inquiries such as an identity confirmation via e-mail, do not casually click the link included in that mail; be sure to check its authenticity by directly calling the provider you signed up with, etc.


II. Reporting Status for Computer Viruses (for further details, please refer to Attachment 1)

The detection number of viruses (*1) in September was about 220T, an increase of about 15.1% from about 191T in August. In addition, the reported number of viruses (*2) in September was 1,875, a 3.5% increase from 1,811 in August.

*1 Detection Number: Cumulative count of viruses found by a filer, as reported.

*2 Reported Number: Aggregated virus count: viruses of the same type and its variants reported on the same day by the same filer are counted as one case, regardless of how many viruses were actually found. In September, the reported number was 1,875 and the aggregated virus detection number was about 220T. (From the May ’08 report, we use “T (thousand)” instead of “M (million)” to present the detection number of viruses.)

The highest detection number was for W32/Netsky with about 190T, followed by W32/Autorun with about 10.2T and W32/Virut with about 9T.

Chart 2-1

Chart 2-2

III. Reporting Status of Unauthorized Computer Access (includes Consultations) (please refer to Attachment 2 for further details)

Reports of unauthorized computer access and status of consultations

                              Apr.  May  Jun.  Jul.  Aug.  Sep.
Total reported (a)              14    4   13   19   15   14
  Damaged (b)                   10    4   11   18   10   12
  Not damaged (c)                4    0    2    1    5    2
Total consultations (d)         56   37   36   49   25   38
  Damaged (e)                   31   18   15   26   13   20
  Not damaged (f)               25   19   21   23   12   18
Grand total (a + d)             70   41   49   68   40   52
  Damaged (b + e)               41   22   26   44   23   32
  Not damaged (c + f)           29   19   23   24   17   20

(1) Reporting Status for Unauthorized Computer Access

The reported number in September was 14, of which 12 involved actual damage.

(2) Acceptance Status for Consultations relevant to Unauthorized Access

The total number of consultations relevant to unauthorized computer access was 38 (5 of which were also counted as reports), of which 20 involved actual damage.

(3) Status of Damage

The breakdown of the damage reports was: intrusion 6, DoS attack 1, source address spoofing 1, and others (damaged) 4.

Damage relevant to the intrusion reports included: the server was exploited as a steppingstone server to attack other sites (4), data in a database was altered (1), etc. The causes of intrusion included password cracking attacks on the port(s) used by SSH (3), etc.

As for “others (damaged)”, there were 2 cases in which someone logged in to an on-line service site and, without permission, used a service that should be provided only to the legitimate user (net auction 1, on-line game 1), etc.

*SSH (Secure Shell): One of the protocols used to communicate with remote computer(s) via a network.

*Password Cracking: The activity of working out another user’s password. It is carried out by brute force (exhaustive search) attacks and dictionary attacks, and programs dedicated to cracking also exist.
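The password cracking attacks on SSH described above leave a trail in the server’s authentication log. As an added example that is not part of IPA’s report, the following script parses constructed sshd log lines, flags a source that fails password authentication repeatedly within a short window, and records whether that source subsequently logged in, which is the pattern of the intrusion instance in (4) below; the log lines, the threshold and the window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd authentication log lines (not taken from the report).
SAMPLE_LOG = """\
Sep 14 02:11:01 srv sshd[4011]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Sep 14 02:11:03 srv sshd[4012]: Failed password for invalid user oracle from 198.51.100.23 port 51030 ssh2
Sep 14 02:11:04 srv sshd[4013]: Failed password for guest from 198.51.100.23 port 51041 ssh2
Sep 14 02:11:06 srv sshd[4014]: Failed password for guest from 198.51.100.23 port 51055 ssh2
Sep 14 02:11:09 srv sshd[4015]: Accepted password for guest from 198.51.100.23 port 51060 ssh2
Sep 14 02:30:00 srv sshd[4100]: Failed password for alice from 192.0.2.8 port 40012 ssh2
Sep 14 02:30:20 srv sshd[4101]: Accepted password for alice from 192.0.2.8 port 40013 ssh2
"""

# Matches the two sshd messages of interest; "invalid user" marks a name with no account.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse(log_text: str, year: int = 2008) -> list:
    """Turn raw syslog lines into (timestamp, result, user, source) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events


def find_cracking(events: list, threshold: int = 3, window_seconds: int = 600) -> dict:
    """Flag sources with >= threshold failures inside a sliding window, and record
    whether a later password login from a flagged source succeeded."""
    recent = defaultdict(list)  # src -> [(ts, user)] failures still inside the window
    findings = {}
    for ts, result, user, src in sorted(events):
        if result == "Failed":
            recent[src] = [(t, u) for t, u in recent[src]
                           if (ts - t).total_seconds() <= window_seconds]
            recent[src].append((ts, user))
            if len(recent[src]) >= threshold:
                f = findings.setdefault(src, {"failures": 0, "users": set(), "success_after": None})
                f["failures"] = len(recent[src])
                f["users"].update(u for _, u in recent[src])
        elif src in findings:
            findings[src]["success_after"] = user
    return findings


if __name__ == "__main__":
    for src, info in find_cracking(parse(SAMPLE_LOG)).items():
        print(src, info)
```

A flagged source followed by an “Accepted password” is the case to escalate first; a single failure followed by success, as for the second source, is ordinary user behaviour.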

(4) Damage Instances:

[Intrusion]

(i) A server was intruded via an attack on the port(s) used by SSH
<Instance>
  • Upon checking a server in my business, it was realized that a general account had been logged in to fraudulently by a password cracking attack via the port(s) used by SSH.
  • Although administrator privilege was not stolen, 4 different types of malicious code were embedded and the server was exploited as a steppingstone server to attack other site(s).
  • The malicious codes embedded were: 1. a DoS attack tool against other site(s), 2. a backdoor tool (server/client), 3. an attack tool against a vulnerability in SSH, and 4. a tool that escalates privilege by exploiting a kernel vulnerability in the server after intrusion.
  • In principle, the servers in my business are supposed to be managed/operated under strict rule sets; however, the manager of this server did not know about the rule sets and placed server(s) wherever he/she wanted. Worse still, the password that had been set was easily guessable.
(ii) Spoofed mail pretending to be sent from my business is circulating…
<Instance>
  • It was realized that suspicious mail, whose sender was spoofed to be the public relations office of my business, had been distributed to the parties involved. Accordingly, we confirmed that it had not been sent by us.
  • The contents said “Users should be cautious of spoofed mails,” citing actual alerts issued by my business in the past. In addition, a message saying “To strengthen the countermeasures, please open the attached file.” was added. The mail presumably carried some virus.
  • We checked the mail header and realized that the true source was overseas.

IV. Acceptance Status of Consultations

The gross number of consultations in September was 2,154. Of these, consultations relevant to “One-click Billing Fraud” numbered 651 (August: 545), continuing to increase over the past 4 months and reaching a somewhat critical situation. Among others, consultations relevant to “Hard selling of phony security measures software” numbered 50 (August: 18), the highest ever, and consultations relevant to “Winny” numbered 4 (August: 5), etc.

Chart 4-1: All consultations accepted by IPA over the past 6 months

                            Apr.   May   Jun.   Jul.   Aug.   Sep.
Total                        938  1080   1211   1387   1616   2165
  Automatic Response System  514   649    693    817    994   1302
  Telephone                  335   379    456    500    548    755
  E-mail                      87    48     60     70     69     93
  Fax, others                  2     4      2      0      5      4

*IPA provides consultation/advice on computer viruses and unauthorized computer access, as well as on other information concerning overall security issues.

Mail: Please feel free to call at +81-3-5978-7517 for virus issues. Please feel free to call at +81-3-5978-7517 for crack issues.
Tel.: +81-3-5978-7509 (24-hour automatic response)
Fax: +81-3-5978-7518 (24-hour automatic response)

*“Automatic Response System”: number of responses by the automatic response system
*“Telephone”: number of responses by Security Center personnel
*The total case number includes the figures in the Consultation (d) column of the chart in “III. Reporting Status of Unauthorized Computer Access” and “IV. Acceptance Status of Consultations”.

Chart 4-1: One-click Billing Fraud/Consultation Number

The major consultation instances are as follows.

(i) Wanting the provider to take additional measures against unauthorized access on the auction site…?

Consultation:

On the net auction site I signed up with, I can check the log-in history for my account (ID). According to that history, I realized that someone has been attempting to log in to my ID continually from a specific domestic IP address over several months (all the log-in attempts failed, anyway). If I leave this situation as it is, my password will be analyzed shortly; accordingly, I asked the auction site manager to place certain restrictions on my account, but my request was totally denied. To prevent potential damage, I need to take certain measures. Can you tell me what measures are effective? Also, can you tell me what I can do by myself to prevent damage in the future?

Response:

As for the request to the site, we encourage you to ask the site, at a minimum, to prevent exhaustive password attacks. For example, your account should be temporarily locked if a wrong password is entered 3 times in a row.
As for what you can do yourself: set a robust password and be careful about how you store it; in addition, changing your password regularly is also effective in preventing potential damage.
*Please refer to “I. Reminder for the Month” in this report.


(ii) Transferred money trusting a site offering a money-making idea on the Internet…?

Consultation:

I found a site describing a money-making idea on the Internet. To obtain the information about the idea, I transferred money, but in the end I cannot make any money. What should I do?

Response:

This must be a fraud selling a fictitious money-making idea with no justifiable basis. Accordingly, there is little chance of getting your money back.

In the real world, such a convenient idea rarely just lies in front of you, so you need to be careful not to be deceived. On the Internet, a number of adversaries using sophisticated methods are always targeting an unspecified majority of users. Be sure to behave cautiously, remembering that the “virtual world” is part of the “real world”.


V. Access Status Captured by Internet Monitoring (TALOT2) in September

According to the Internet Monitoring (TALOT2), the total number of unwanted (one-sided) accesses in September 2008 was 119,926 across the 10 monitoring points, and the gross number of sources* was 47,248. That is, there were 400 accesses from 157 source addresses per monitoring point per day.

*Gross number of sources: the gross number of sources that accessed TALOT2. Accesses from an identical source to the same point/port on the same day are counted as 1 source.

Since each monitoring environment of TALOT2 is nearly equal to the general connection environment used on the Internet, it can be considered that the same amount of unwanted (one-sided) access reaches general Internet users’ connection environments. In other words, your computer is being accessed from about 157 unknown source addresses per day on average, or about 3 times from each source address considered unauthorized.

Chart 5-1: Unwanted (One-sided) Number of Accesses and Number of Sources per Monitoring Point per Day, on Average

Chart 5-1 shows the average unwanted (one-sided) number of accesses and number of sources per monitoring point per day from April to September 2008. According to this chart, both figures decreased slightly from those in August. They also tended to decrease over the past 6 months.

(1) Accesses seeking proxy servers*1 with insufficient configuration

From September 13 to 17, accesses to ports 8080/tcp and 6588/tcp increased drastically at 7 of the monitoring points used by TALOT2 (see Chart 5-2).

All the sources were specific IP addresses in China. Ports 8080/tcp and 6588/tcp are often used by certain proxy services.

These accesses may have been seeking so-called “open proxy” servers that can be used to send spam from outside. In addition, the same monitoring point was accessed several hundred times within a short period, so it is also possible that a scanning tool was being tested. A proxy server that an attacker determines to be an open proxy through such accesses may be used as a steppingstone server to send spam.

Accordingly, system administrators who run proxy server(s) should recheck their configuration once to prevent the server from being exploited by outsiders with malicious intent.

Chart 5-2: Access Status Classified by Port in August 2008

For further information, please also refer to the following URLs.

A variety of statistical information provided by other organizations/vendors is available on the following sites.

Contact

IT Security Center, Information-technology Promotion Agency, Japan (IPA/ISEC)
Tel: +81-3-5978-7527
Fax: +81-3-5978-7518
E-mail: Please feel free to call at +81-3-5978-7517.