IPA/ISEC in JAPAN: Virus and UCA Incident Report for October 2008

November 14, 2008

IT Security Center
Information-technology Promotion Agency, Japan (IPA)

This is a summary of the computer virus and unauthorized computer access incident reports for October 2008 compiled by IPA.

I. Reminder for the Month:

"Be sure to have the eyes that can spot falsified alerts!"

- Are you confident that your anti-virus software is legitimate? -

In September, the number of consultations about "hard-selling of falsified anti-virus software" jumped to 50; in October another 31 were counted. "Hard-selling of falsified anti-virus software" is a malicious scheme: an attacker suddenly displays messages such as "Warning!" or "Virus is detected" on an ordinary user's computer to pressure the user into purchasing falsified anti-virus software.

Alerts like these are produced by malicious code (which can be regarded as a virus in a broad sense) planted on the computer beforehand. Once such a virus is planted, the computer may behave unstably and, in the worst case, has to be initialized as a last resort, so the damage is becoming more serious. To check whether your computer is sufficiently protected, refer to the following descriptions.

(1) Virus infection mechanism

Consultations about "hard-selling of falsified anti-virus software" are not new; what is changing is the mechanism the virus uses. The traditional route, which produced many victims, was that the user clicked a banner ad (an image ad automatically displayed on a web page) in which a virus was already embedded, and the banner suddenly warned that the computer was infected by a virus, etc.

The current trend is different: the user carelessly opens an attachment to an e-mail and is infected by the virus already contained in the attachment. Chart 1-1 shows the contents of virus mails, with the virus actually attached, as reported to IPA.

The virus reports aggregated by IPA also give reasonable evidence that many such viruses are circulating (see Chart 1-2).

Chart 1-1

A virus related to "hard-selling of falsified anti-virus software" can almost always be prevented if the user keeps legitimate, up-to-date security software from a trustworthy vendor, because such a virus is easily detected when the mail is received. Accordingly, the fundamental preventive measure is, first of all, to use trustworthy security software and always keep its signatures up to date. However, some viruses may bypass these measures, so any negligence must be avoided. It is also necessary to understand the nature such viruses generally have.

(2) Properties of the virus related to "Hard-selling of falsified anti-virus software"

(a) Major symptoms

If you suspect that a virus related to "hard-selling of falsified anti-virus software" has infected the computer you are using, you can determine (diagnose) whether it is infected from the following symptoms shown by your computer.

(i) An icon you do not recognize is created in the task bar, and alerts such as "your computer is infected by a virus" are displayed from it.


(ii) Anti-virus software you do not recognize suddenly starts scanning for viruses.


For other start-up screens related to "hard-selling of falsified anti-virus software", refer to the following URL.
Examples of start-up screens related to "Hard-selling of falsified anti-virus measures software":
http://www.ipa.go.jp/security/english/virus/press/200810/documents/infection_images.html


(iii) The desktop wallpaper is changed automatically, and it may not be possible to restore it.


(iv) Others

- An icon you do not recognize is created on the desktop.

- The start page shown when the web browser is started has been altered, etc.

(b) Names of the software related to "Hard-selling of falsified anti-virus software"

Of the consultations about "hard-selling of falsified anti-virus software" filed with IPA, the major software names IPA has identified are listed in the following chart. However, these are only the "major software currently identified" by IPA. Accordingly, even if no (falsified) anti-virus software with exactly these names is installed on your computer, that does not mean you are completely safe, so please be careful.

Table 1-1: Major names of software related to "Hard-selling of falsified anti-virus measures software"

AdvancedPrivacyGuard Alphawipe AntiSpyware
AntiSpywareExpert AntiVirus2008 AntiVirusXP2008
Doraibuhogo DriveCleaner HadodoraiBugado
NetTurboPro SpyDajaba SpywareRemover
SupaShuri VirusRemover2008 VirusVanguard
WinAntiSpyware WinAntiVirus WinAntivirusPro2006
WinAntivirusPro2007 WinFixer WinXProtector 2.1
XPAntivirus XPSecurityCenter  

(c) Activities of "Hard-selling of falsified anti-virus software" (example)

For further reference, the following chart shows how the virus infects a computer in the course of an attacker pressuring an innocent user into purchasing such falsified anti-virus software.

Chart 1-3


(d) Alerts other than viruses

The reminder for October is about the virus related to "hard-selling of falsified anti-virus software", but there is one more thing to be cautious about besides the virus itself. As you may know, in many cases the final goal of the attackers who spread this virus is to fraudulently take money from innocent users by pressuring them into purchasing "unreliable anti-virus software".

"Reliable anti-virus software" never suddenly displays virus alerts or starts scanning for viruses on its own, unlike the example shown in (c) above. Accordingly, even if your computer suddenly shows a virus alert, ask someone familiar with viruses/security for help, or consult the National Consumer Information Center, etc., before paying any money (by bank transfer, credit card, etc.).

Among the consultations filed with IPA, in one instance a user paid by credit card; in another, the user believed that the (falsified) anti-virus software was legitimate and really worked. Such activities are becoming more sophisticated as IT advances: "an ounce of prevention is worth a pound of cure".

(3) Computer Recovery from Virus Infection

Once your computer is infected, the system configuration altered by the virus may not be restored even if you remove the virus with reliable anti-virus software. In that case, be sure to perform a "system restore" following the procedure below. If the symptoms are not remedied, or the "system restore" fails, be sure to initialize your computer.

(a) Recovery by system restore

Both Windows XP and Vista have a "system restore" function that returns the system configuration to a sound state when the user notices a failure such as the computer behaving unstably. This is one of the default functions of Windows: with it, Windows restores its system configuration to a sound state based on system information from a (time and) date that Windows automatically selected and saved.

To perform a "system restore", refer to the following Microsoft homepage. Note, however, that any application software you installed or updated between the restore date you select and now will be lost, so you will need to install or update it again after the system has been restored successfully.

(b) Computer initialization

To initialize the computer (its system configuration) to the state it was in when purchased, follow the "restoring the computer to its state at purchase" procedure in its instruction manual.

Before initializing, be sure to back up your important data to external media such as USB memory, CD-R, an external HDD, etc.

(4) Precautionary measures to prevent damage

To prevent damage in the future, always keep the following measures in mind.

(a) Handling of spam

To prevent virus infection, it is of the utmost importance not to carelessly open attachments to spam. It is also effective to use a spam filtering function that identifies spam and blocks/deletes it before anything happens. Spam filtering is provided either as a built-in function of the mail software or by the provider (*1) you are signed up with. If neither is available, be sure to delete such mails completely (i.e. they must go to the trash).

(b) Resolving vulnerabilities (*2)

To prevent infection by viruses that exploit vulnerabilities, always keep the applications you use up to date so that vulnerabilities are resolved as far as possible.

(c) Computer initialization

If you are not sure whether the anti-virus software you are using is trustworthy, be sure to check it either by referring to "(2) Properties of the virus related to 'hard-selling of falsified anti-virus software'" above or by consulting someone familiar with viruses/security. If you cannot decide which anti-virus software is most suitable for your computer, also consult computer shop staff: we recommend purchasing a boxed edition.

(*1) Provider: ISP (Internet Service Provider). A business that provides the service necessary to connect to the Internet.

(*2) Vulnerability: generally, a security weakness residing in software, etc. Also referred to as a security hole.


II. Reporting Status for Computer Viruses (for further details, refer to Attachment 1)

(1) Reporting Status of Virus

The virus detection count (*1) for October was about 270T, up about 23.7% from about 220T in September. The number of virus reports (*2) was 1,839, down about 1.9% from 1,875 in September.

*1 Detection count: the cumulative number of viruses found by a reporting party.

*2 Number of reports: an aggregated count. Viruses of the same type and their variants reported on the same day by the same reporting party are counted as one case, however many viruses or copies were actually found. In October, the number of reports was 1,839 and the aggregated detection count was about 270T. (Since the May 2008 report, we have used "T (thousand)" instead of "M (million)" to present the detection count more precisely.)

The highest detection count was W32/Netsky with about 190T, followed by W32/Autorun with about 60T and W32/Mytob with about 4T.

Chart 2-1

Chart 2-2

(2) The Status for the Detection of Malicious Codes

Detections of malicious code such as backdoors and spyware have tended to increase since September 2008 (see Chart 2-3). As mentioned earlier, the virus named "FAKEAV", which is related to "hard-selling of falsified anti-virus software", increased drastically in October. The likely cause is that the infection method has changed significantly: the traditional method led an innocent user to click a banner ad and visit a URL where the virus was planted, whereas the new, more sophisticated method gets the user to open an e-mail attachment that already contains the virus. Almost every computer infected with FAKEAV has to be initialized; we therefore decided to warn users that the variety of malicious code has increased drastically.

As Chart 2-3 shows, much malicious code is circulating as e-mail attachments. Their behaviour looks unnatural, with drastic increases during specific, limited periods. This is a sign that such virus attachments are being distributed by bots, etc., as one means of infection. All users should therefore take care never to install such malicious code. It is also worth checking whether your own computer is infected with a bot.


Chart 2-3

III. Reporting Status of Unauthorized Computer Access (including Consultations) (for further details, refer to Attachment 2)

Reports of unauthorized computer access and status of consultations

                              May   Jun.  Jul.  Aug.  Sep.  Oct.
Total reported (a)              4    13    19    15    14    17
  Damaged (b)                   4    11    18    10    12    12
  Not damaged (c)               0     2     1     5     2     5
Total consultations (d)        37    36    49    25    38    58
  Damaged (e)                  18    15    26    13    20    22
  Not damaged (f)              19    21    23    12    18    36
Grand total (a + d)            41    49    68    40    52    75
  Damaged (b + e)              22    26    44    23    32    34
  Not damaged (c + f)          19    23    24    17    20    41

(1) Reporting Status for Unauthorized Computer Access

The number of reports in October was 17, of which 12 involved actual damage.

(2) Accepting Status for Consultations relevant to Unauthorized Access

The total number of consultations about unauthorized computer access was 58 (7 of which were also counted as reports); 22 of them involved actual damage.

(3) Status of Damage

The breakdown of the damage reports was: intrusion 4, source address spoofing 1, and others (damaged) 7.

Damage in the intrusion reports included a server being used as a stepping stone to attack other sites (3) and data in a database being altered by an SQL injection attack (1), etc. The causes of intrusion were password cracking attacks against the port used by SSH (2) and exploitation of a vulnerability in the server (2), etc.

Under "others (damaged)", in 5 cases someone logged in without permission to online services that should be available only to the legitimate user (net auction 2, online game 1, web mail 1 and other 1), etc.

*SQL (Structured Query Language): a query language for defining and manipulating data in a relational database management system (RDBMS).

*SQL Injection: an attack method that fraudulently reads or alters data in a database by exploiting a vulnerability in the program that accesses the database.

*SSH (Secure Shell): one of the protocols used to communicate with a computer remotely over a network.

*Password Cracking: an attack that tries to work out another person's password. Brute force (exhaustive search) attacks and dictionary attacks are known, and programs built specifically for cracking also exist.

(4) Damage Instance:

[Intrusion]

(i) Database altered by an SQL injection attack
<Instance>
- A visitor to the site (a client) reported that when he/she accessed the business's "Product" page, a string of characters unrelated to the product appeared and he/she was automatically sent to an unknown adult site.
- The server logs were examined, and it turned out that the server had been intruded by means of an SQL injection attack: in the process, the data (product master information) in the database was altered.
- JavaScript code that automatically sends anyone viewing the product information to an adult site had been embedded in that database.
- The cause is assumed to be a vulnerability in the web application running on that server.
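The intrusion above is the classic pair of defects: request values spliced into SQL, and stored data rendered without escaping. The following Python script is an added example, not code from the IPA report or from the affected site; it uses a constructed in-memory product table and a placeholder host, and shows the vulnerable update beside its parameterized replacement and an escaped renderer.

```python
import html
import sqlite3

# Constructed product master (sample data, not taken from the IPA report).
PRODUCTS = [(1, "Widget", "A plain widget"), (2, "Gadget", "A plain gadget")]

# Constructed stand-in for the redirecting script; the host is a placeholder.
INJECTED_TEXT = '<script>window.location="http://attacker.example/"</script>'


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT, description TEXT)")
    conn.executemany("INSERT INTO product VALUES (?, ?, ?)", PRODUCTS)
    conn.commit()
    return conn


def update_description_vulnerable(conn, product_id, text):
    # Defect: request values are spliced into the SQL text, so a crafted id
    # rewrites the WHERE clause and the update reaches every row.
    sql = "UPDATE product SET description = '%s' WHERE id = %s" % (text, product_id)
    conn.execute(sql)
    conn.commit()


def update_description_safe(conn, product_id, text):
    # Fix: check the type of the id and bind both values as parameters,
    # so the input can only ever be data, never SQL.
    if not isinstance(product_id, int):
        raise ValueError("product id must be an integer")
    conn.execute("UPDATE product SET description = ? WHERE id = ?", (text, product_id))
    conn.commit()


def render_product(conn, product_id):
    # Output encoding: stored text is shown as text, so script that did reach
    # the database cannot run in the visitor's browser.
    row = conn.execute(
        "SELECT name, description FROM product WHERE id = ?", (product_id,)
    ).fetchone()
    return "<h1>%s</h1><p>%s</p>" % (html.escape(row[0]), html.escape(row[1]))


def rows_containing(conn, needle):
    return sum(1 for (d,) in conn.execute("SELECT description FROM product") if needle in d)


def demo():
    results = {}
    conn = make_db()
    # A tautology in the id field ("1 OR 1=1") alters the whole product master.
    update_description_vulnerable(conn, "1 OR 1=1", INJECTED_TEXT)
    results["vulnerable_rows_altered"] = rows_containing(conn, "<script>")

    conn = make_db()
    try:
        update_description_safe(conn, "1 OR 1=1", INJECTED_TEXT)
        results["safe_rejected_bad_id"] = False
    except ValueError:
        results["safe_rejected_bad_id"] = True
    # A legitimate update that happens to store script touches one row only,
    # and the rendered page shows it escaped instead of executing it.
    update_description_safe(conn, 1, INJECTED_TEXT)
    results["safe_rows_altered"] = rows_containing(conn, "<script>")
    results["rendered_executes_script"] = "<script>" in render_product(conn, 1)
    return results


if __name__ == "__main__":
    print(demo())
```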
(ii) Someone impersonating a legitimate user listed items for sale on a net auction
<Instance>
- I received a mail saying "Your main mail address has been changed" from the net auction site where I am properly registered.
- Feeling suspicious, I checked the logs and found that a different mail address I do not know had been registered.
- I then checked my login history and found traces of someone browsing my auction page, so I reviewed the sell/buy history under my account. There I found that items I do not know had been listed for sale.
- I immediately cancelled the listings and changed my login password as well. However, several thousand yen was charged as listing fees.

IV. Accepting Status of Consultation

The gross number of consultations in October was 1,174. Of these, 305 concerned "One-click Billing Fraud" (September: 651), 31 concerned "hard-selling of falsified anti-virus software" (September: 50), 5 concerned "Winny" (September: 4), and 3 concerned "suspicious mail sent to specific organizations to collect specific information/data", among others.

Chart 4-1: All Consultations Accepted by IPA over the Past 6 Months

                             May   Jun.  Jul.  Aug.  Sep.  Oct.
Total                       1080  1211  1387  1616  2165  1171
  Automatic Response System  649   693   817   994  1302   677
  Telephone                  379   456   500   548   755   441
  E-mail                      48    60    70    69    93    47
  Fax, others                  4     2     0     5     4     6

*IPA gives consultations and advice on computer viruses and unauthorized computer access as well as on other general security issues.

Mail: for virus issues; for crack issues; for problems relating to suspicious mail.
Tel.: +81-3-5978-7509 (24-hour automatic response)
Fax: +81-3-5978-7518 (24-hour automatic response)

*"Automatic Response System": number of responses given by the automatic response system
*"Telephone": number of responses given by Security Center personnel
*The total includes the numbers in the Consultations (d) row of the table in "III. Reporting Status of Unauthorized Computer Access" and in "IV. Accepting Status of Consultation".

Chart 4-1: One-click Billing Fraud/Consultation Number

The major consultation instances are as follows.

(i) My computer has malfunctioned since I purchased anti-virus software via the Internet...?

Consultation:

I searched around the Internet to purchase newer anti-virus software. I found one that seemed to suit my computer, so I downloaded and installed it and paid by credit card. Since then, a message "Warning! Spyware is detected on your computer..." appears, the computer takes longer to start up, and it sometimes behaves unstably or becomes unusable.

Response:

Judging from your symptoms, you probably purchased unreliable anti-virus software by mistake. Although it presents itself as anti-virus software, it may be malicious code, so please be careful before downloading or installing any software (see "I. Reminder for the Month").
If you are not sure which anti-virus software is suitable for your computer, consult shop staff and buy a boxed edition rather than a download edition; that makes it easier to avoid falsified software.

(ii) My computer malfunctions when I open files downloaded via file sharing software...?

Consultation:

I downloaded several music files using a file sharing program called Cabos. When I clicked one of the files, an unfamiliar window written in English appeared. I tried to close the window over and over, but it would not go away. Moreover, the wallpaper was also changed automatically. So I tried to reboot the computer, but it keeps rebooting over and over before the initial boot process has completed. As a result, my computer has become unusable.

Response:

In this situation it is hard to tell how far the damage extends, so we encourage you to initialize your computer. The file that appeared to be a music file was presumably a virus. In particular, files whose names mimic illegally distributed movies, music or books tend to contain viruses, so please be careful.

Illegal activities themselves must stop, and every user should re-examine the fundamental risk of opening a file whose source is unknown. In addition, casually using file sharing software out of curiosity should definitely be avoided.


V. Access Status Captured by Internet Monitoring (TALOT2) in October

According to the Internet Monitoring (TALOT2), the total number of unwanted (one-sided) accesses in October 2008 was 128,667 across the 10 monitoring points, and the gross number of sources* was 34,926. That is, 415 accesses from 1113 source addresses per monitoring point per day.

*Gross number of sources: the gross number of sources that accessed TALOT2. A source is counted once if it accessed the same point and port from the same address on the same day.

Since each TALOT2 monitoring environment is nearly the same as an ordinary Internet connection environment, it can be assumed that the same amount of unwanted (one-sided) access reaches ordinary Internet users' connections.

Chart 5-1: Unwanted (One-sided) Number of Accesses and Sources per Monitoring Point per Day on Average

Chart 5-1 shows the number of unwanted (one-sided) accesses and the number of sources per day per monitoring point from May to October 2008. According to the chart, both figures increased slightly compared with September. The number of unwanted (one-sided) accesses had tended to decrease over the past five months (May to September), but it increased slightly in October.

(1) Accesses to ports 135/tcp, 139/tcp and 445/tcp

The number of accesses increased overall from October 14 to 22. As for accesses to ports 135/tcp, 139/tcp and 445/tcp, they probably included attacks targeting Windows security holes based on the vulnerability information published by Microsoft on October 15. Chart 5-2 shows the change in the number of accesses to ports 135/tcp, 139/tcp and 445/tcp.

Chart 5-2: Access Status Classified by Port in August 2008
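As an added example (not part of the IPA report or of TALOT2), the following Python script applies the counting rule given above under "Gross number of sources" and the per-point-per-day average to constructed sample log lines, and flags a day on which accesses to 135/139/445 jump, as the report describes for October 14 to 22. The log format, the point names p01/p02 and the addresses are assumptions.

```python
from collections import Counter

# Ports the report singles out (135/tcp, 139/tcp, 445/tcp).
WINDOWS_PORTS = {135, 139, 445}

# Constructed sample log (not TALOT2 data): "date point source_ip dst_port".
# Addresses are from documentation ranges; p01/p02 are hypothetical points.
SAMPLE_LOG = """\
2008-10-13 p01 198.51.100.7 445
2008-10-13 p01 198.51.100.7 445
2008-10-13 p01 198.51.100.7 139
2008-10-13 p02 203.0.113.9 22
2008-10-14 p01 198.51.100.7 445
2008-10-14 p01 192.0.2.44 445
2008-10-14 p01 192.0.2.45 445
2008-10-14 p02 192.0.2.46 135
2008-10-14 p02 192.0.2.46 135
2008-10-15 p02 192.0.2.46 445
"""


def parse_log(text):
    """Return (day, point, source, port) tuples, skipping blanks and comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, point, source, port = line.split()
        records.append((day, point, source, int(port)))
    return records


def gross_sources(records):
    # The report's counting rule: the same source hitting the same point and
    # port on the same day counts once, however many packets it sent.
    return len({(day, point, port, source) for day, point, source, port in records})


def per_point_per_day(total, points, days):
    # Average per monitoring point per day, the way the report presents totals.
    return round(total / (points * days))


def windows_port_daily(records):
    # Daily access counts to 135/139/445 only, the series plotted in Chart 5-2.
    counts = Counter(day for day, _, _, port in records if port in WINDOWS_PORTS)
    return dict(sorted(counts.items()))


def spike_days(daily, factor=2.0):
    # Flag a day whose count exceeds `factor` times the mean of all other days;
    # a jump like this around a patch release is what the report describes.
    flagged = []
    for day, count in daily.items():
        others = [c for d, c in daily.items() if d != day]
        if others and count > factor * (sum(others) / len(others)):
            flagged.append(day)
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("accesses:", len(recs), "gross sources:", gross_sources(recs))
    daily = windows_port_daily(recs)
    print("135/139/445 per day:", daily, "spikes:", spike_days(daily))
    # The report's October figures: 128,667 accesses over 10 points and 31 days.
    print("accesses per point per day:", per_point_per_day(128667, 10, 31))
```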

The principal security measure is to resolve vulnerabilities in OSs and applications and keep them up to date.

Windows provides a function (automatic update) that notifies the user when updates are available. If you use this function, be sure to apply the updates when you are notified. Users whose computers do not notify them of available updates should also apply them as far as possible by referring to the Microsoft homepage as follows.

Even though a server used for business is hard to stop even temporarily, be sure to set aside time for maintenance to fix the vulnerabilities that have been identified.


In addition, for applications that do not notify the user of available updates, check vulnerability information frequently at the vendor's own site, and take care that the information you rely on is not stale.

<Reference>

- "JVN iPedia, the database of vulnerability countermeasure information" (in Japanese)
  http://jvndb.jvn.jp/


Contact

IT Security Center, Information-technology Promotion Agency, Japan (IPA/ISEC)
Tel: +81-3-5978-7527
Fax: +81-3-5978-7518
E-mail: please feel free to call at +81-3-5978-7517.