
IPA/ISEC in JAPAN:virus and UCA incident report for November2008

December 18, 2008

IT Security Center
Information-technology Promotion Agency, Japan (IPA)

This is a summary of the computer virus and unauthorized computer access incident reports for November 2008 compiled by IPA.

I. Reminder for the Month:

“Double-check your security measures for external storage media such as USB memory!”

-Every convenient tool has a catch-

Among the virus reports received by IPA in November, the detection count for viruses that spread via USB memory rose sharply to 101,090, from 11,722 in September and 62,555 in October (see Chart 1-1).  One likely cause of this jump is that the mechanism for infecting external storage media such as USB memory is being built into viruses that already exist.  The way such a virus infects external media and then spreads to other computers closely resembles the boot-sector* viruses that were common when MS-DOS was the mainstream.

USB memory sticks and similar devices are products of mature technology that offers large capacity at low cost, so they are now used by all kinds of users.  Few users, however, give serious thought to anti-virus measures for such external media.  Simply connecting a virus-infected device to a computer infects that computer as well, and the damage spreads.

To protect yourself, review your anti-virus measures for external storage media such as USB memory once more, referring to the descriptions below.

* The boot sector is the area of a hard disk or floppy disk that holds the program executed whenever the OS starts.  If that area is infected, the virus runs every time the computer starts, which makes it a convenient place for a virus to lodge.

(1) Latest Reports and Consultation Instances

Among the reports and consultations IPA received in November: one reporter's SD card was infected after he or she, out of simple curiosity, clicked an unfamiliar file on a USB memory stick and then connected the SD card; another reporter was infected through a careless mistake, by connecting another user's USB memory stick, which was already infected, to his or her computer to transfer data.

Chart 1-1

In another consultation, a reporter detected a virus after connecting to an office computer a USB memory stick holding data that had been copied onto it on a computer at a public computer school or similar facility.

This is a typical case of a virus being carried into the office because private and work use were mixed.

(2) General Description of Viruses that Spread via External Storage Media

USB memory sticks, memory cards, USB external hard drives and the like are the external storage media that such viruses infect.  Below we take USB memory as the example when describing the infection mechanism, and refer to viruses that infect external storage media such as USB memory as “USB-memory-infecting viruses”.

(a)

Infection Mechanism

Windows 2000 and later versions automatically run a program on a USB memory stick when the stick is connected to the computer.  USB-memory-infecting viruses exploit this mechanism to spread.

When it infects a USB memory stick, the virus creates an Autorun.inf file on the stick, hidden so that it is not shown in Windows Explorer, which causes the virus to be run automatically.

As a result, the virus on the stick runs and infects your computer as soon as you connect the stick, or when you double-click the drive icon in “My Computer” (see Chart 1-2(a)).

Furthermore, when another USB memory stick is connected to the infected computer, the virus infects that stick as well, and so the USB-memory-infecting virus spreads (see Chart 1-2(b)).
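The Autorun.inf mechanism described above can be checked for directly. The following is an added example, not code from the IPA report: it reads the Autorun.inf at the root of a removable drive and reports every program that file would cause Windows to launch, whether on insertion (open= and shellexecute=) or when the drive is double-clicked (shell\<verb>\command and a changed default verb). The sample media, including the Autorun.inf contents, is constructed for this example; only the file name sizhu.exe is taken from the consultation in Section IV.

```python
"""Added example, not part of the IPA report: scan the root of a removable
drive for the Autorun.inf that USB-spreading viruses plant, and report every
program it would cause Windows to launch. The sample media below is constructed
for this example; the file name sizhu.exe is taken from the consultation in
Section IV of the report, and the Autorun.inf contents are illustrative."""
import os
import re
import tempfile

# File types Windows runs directly when named in open= or shellexecute=.
EXEC_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".wsf"}
LAUNCH_KEY = re.compile(r"open|shellexecute|shell\\[^\\]+\\command")

# Constructed sample modelled on the pattern described in the report: the same
# executable is wired to AutoPlay (open/shellexecute) and to the Explorer verbs,
# so that both plugging the stick in and double-clicking the drive run it.
SAMPLE_AUTORUN = r"""[AutoRun]
;padding line that a parser has to tolerate
open=sizhu.exe
shellexecute=sizhu.exe
shell\open\Command=sizhu.exe
shell\explore\Command=sizhu.exe
shell=open
icon=%SystemRoot%\system32\SHELL32.dll,4
label=Removable Disk
"""


def parse_autorun(text):
    """Return the key/value pairs of the [autorun] section, keys lower-cased.
    Windows ignores other sections; lines that are not key=value are skipped
    rather than treated as errors, because viruses pad the file with junk."""
    keys = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            keys[key.strip().lower()] = value.strip().strip('"')
    return keys


def launch_targets(keys):
    """(key, program) for every entry that can start a program: open= and
    shellexecute= fire on insertion/AutoPlay, shell\\<verb>\\command replaces
    the drive's Explorer verbs (double-click invokes the default verb)."""
    targets = []
    for key, value in keys.items():
        if LAUNCH_KEY.fullmatch(key):
            program = value.split()[0] if value.split() else ""  # drop arguments
            targets.append((key, program))
    return targets


def scan_media(root):
    """Findings for the media mounted at *root*; an empty list means no launch
    hooks were found. A clean USB memory stick normally carries no Autorun.inf
    at all, so every launch entry is reported."""
    inf = next((n for n in os.listdir(root) if n.lower() == "autorun.inf"), None)
    if inf is None:
        return []
    with open(os.path.join(root, inf), encoding="latin-1", errors="replace") as f:
        keys = parse_autorun(f.read())
    findings = []
    for key, program in launch_targets(keys):
        ext = os.path.splitext(program)[1].lower()
        present = os.path.exists(os.path.join(root, program.replace("\\", os.sep)))
        if ext in EXEC_EXTS or key.startswith("shell\\"):
            state = "present" if present else "missing"
            findings.append(f"{key} launches {program} ({state} on media)")
    if "shell" in keys:
        findings.append(f"default Explorer verb changed to shell\\{keys['shell']}")
    return findings


def build_sample_media(infected=True):
    """Create a temporary directory standing in for a USB memory stick."""
    root = tempfile.mkdtemp(prefix="usbscan_")
    with open(os.path.join(root, "report.txt"), "w") as f:
        f.write("ordinary user data\n")
    if infected:
        with open(os.path.join(root, "AutoRun.inf"), "w") as f:  # mixed case, as on real sticks
            f.write(SAMPLE_AUTORUN)
        with open(os.path.join(root, "sizhu.exe"), "wb") as f:
            f.write(b"MZ placeholder")  # stands in for the virus body
    return root


def demo(infected=True):
    """Scan a constructed infected (or clean) stick and return the findings."""
    return scan_media(build_sample_media(infected))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

To scan a real stick, call scan_media() with the drive's root (for example "E:\\" on Windows). The scanner deliberately does not trust file extensions or icons alone: the report notes that these viruses forge both, so what matters is which file the launch keys point at.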

Chart 1-2
(b)

Concealment and Interference

Depending on the type, recent USB-memory-infecting viruses disguise themselves and interfere with the system in various ways so that users find them harder to detect or remove.  Below we describe the behaviour of several types of USB-memory-infecting virus analysed by IPA, based on the reports received in November.

(i) Depending on the type, the virus forges its icon and/or file attributes so that at a glance it looks like a data file, as shown in Chart 1-3.

(ii) The virus forcibly terminates running anti-virus software and similar programs.

(iii) The virus interferes with normal operation in various ways:

Chart 1-3

-The virus replaces standard Windows programs such as “Command Prompt”, “Task Manager” and “Registry Editor” with different files, obstructing infection checks and virus removal.

-Several viruses run concurrently.  Even if one is terminated, the others restart it, so removal is interrupted.

-The virus alters its file timestamps so that it cannot be found by date, and sets the “hidden” attribute so that the file is not displayed.

-The virus alters the hosts file, which the computer consults for name resolution, so that the computer can no longer reach anti-virus vendor sites and the like.
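The last behaviour, redirecting the hosts file, leaves a trace that is easy to check for. The following is an added example, not code from the IPA report: it parses a hosts file and reports any entry that maps a security vendor or update host to loopback (blackholed) or to some other address (redirected). The vendor watch list and the sample hosts file are constructed for this example; extend WATCHED with the vendors actually used in your environment.

```python
"""Added example, not part of the IPA report: check a Windows hosts file for the
tampering the report describes, where a virus maps anti-virus vendor and update
hosts to a wrong address. The watch list and the sample hosts file are
constructed for this example; extend WATCHED with the vendors you actually use."""
import ipaddress
import os

WATCHED = ("windowsupdate.com", "update.microsoft.com", "symantec.com",
           "trendmicro.com", "mcafee.com", "kaspersky.com", "virustotal.com")
BLACKHOLE = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed sample: the stock localhost lines, four hijacked vendor names and
# one legitimate local override that must not be flagged.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.symantec.com
127.0.0.1       www.trendmicro.com        # added by the virus
0.0.0.0         download.windowsupdate.com
198.51.100.7    www.virustotal.com
127.0.0.1       intranet.example.com
"""


def parse_hosts(text):
    """(address, hostname) pairs; '#' starts a comment and one address may carry
    several names on a line, which is how Windows and Unix resolvers read it."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # first field is not an address: malformed line, skip it
        entries.extend((addr, name.lower()) for name in parts[1:])
    return entries


def is_watched(name):
    """True for a watched domain or any host under it."""
    return any(name == s or name.endswith("." + s) for s in WATCHED)


def find_tampering(text):
    """Entries that hijack a watched name. Vendor names have no business in a
    hosts file: loopback/unspecified means the site is blackholed, any other
    address means traffic is redirected to an attacker-chosen host."""
    findings = []
    for addr, name in parse_hosts(text):
        if is_watched(name):
            kind = "blackholed" if addr in BLACKHOLE else "redirected"
            findings.append((name, addr, kind))
    return findings


def check_system_hosts():
    """Run the check against this machine's own hosts file."""
    path = (r"C:\Windows\System32\drivers\etc\hosts" if os.name == "nt"
            else "/etc/hosts")
    with open(path, encoding="utf-8", errors="replace") as f:
        return find_tampering(f.read())


if __name__ == "__main__":
    for name, addr, kind in find_tampering(SAMPLE_HOSTS):
        print(f"{kind:10} {name} -> {addr}")
```

A hosts file that has been rewritten by a virus typically also carries the hidden or read-only attribute the report mentions, so on a machine where this check fires, inspect the file's attributes and timestamps as well before cleaning it.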

(3) Major Damage

Currently, the following damage has been identified on computers infected by USB-memory-infecting viruses:

(i) The system files Windows needs to run normally are disrupted.

(ii) Account information (IDs and passwords) for on-line games and similar services is stolen.

(iii) Other viruses are downloaded.

Note that no symptoms may appear at all, or symptoms other than these may appear.

In case (i), Windows may display the dialog shown in Chart 1-4 and ask for the system CD to restore its system files.

Chart 1-4

In case (ii), you may lose in-game currency or hard-to-obtain items when someone fraudulently accesses the game with your stolen account information.

In case (iii), your computer is put at further risk because the virus downloads additional malicious programs.

(4) Measures

(a)

Fundamental Measures

The fundamental measure against virus infection is to keep the virus signatures of your anti-virus software up to date so that its detection function works fully.

Scan not only your computer but also your USB memory regularly.  In addition, to prevent infection through exploited vulnerabilities, keep your OS and applications up to date so that known vulnerabilities are resolved as far as possible.

(b)

Measures for USB Memory Use

As described in “(1) Latest Reports and Consultation Instances” above, careless mistakes and misuse of external storage media such as USB memory can cause virus infection or spread it.  When using USB memory, therefore, follow the principles below.

(i) Do not connect USB memory that you do not manage, or whose owner is unknown, to your computer.

(ii) Do not connect your USB memory to computers that you do not manage, or that are used by an unspecified number of people.

(iii) To avoid carrying a virus from your home computer to your office computer, do not connect privately owned USB memory to your office computer, and do not connect USB memory used for office work to your home computer.

(5) How to Prevent Automatic Execution from USB Memory

As described above, USB-memory-infecting viruses exploit the Windows auto-execute feature to spread.  The feature is convenient, but it is very risky once exploited by a virus, so we advise you to disable it so that nothing on a USB memory stick runs automatically.  This is somewhat inconvenient, but it is an effective way to prevent damage from infection.  Below we describe the procedure for Windows Vista and for Windows XP separately.


(a)

If you are a Windows Vista User…

Click the “Start” button and select “Control Panel” from the menu.  Under “Hardware and Sound”, click “Play CDs or other media automatically”; a settings screen like the one in Chart 1-5 appears.

“USB memory” is not listed among the media types on the “AutoPlay” screen; it is covered by the “Software and games” entry.  Set “Software and games” to “Take no action” and click the button to save the setting.

Because viruses can also be carried in files other than executables, such as audio files, video files and DVD movies, we recommend applying the same setting to those media types as well.

Chart 1-5

Note, however, that Windows Vista had the “Vulnerability in Windows Explorer Could Allow Remote Code Execution (MS08-038)”, published by Microsoft in July 2008.  If this vulnerability has not been fixed, an executable is run automatically when you connect a USB memory stick containing Autorun.inf and an executable, and the setting above is ignored.

You must therefore obtain the fix for that vulnerability from Microsoft and apply it in addition to changing the setting.  Run Windows Update so that all the significant vulnerabilities published to date are resolved and executables cannot be run automatically.

(b)

If you are a Windows XP User…

Even if Autorun.inf and an executable are on your USB memory, they are not run immediately when the stick is connected.  However, when you double-click the drive assigned to the USB memory in “My Computer”, the executable runs.  That is, if the USB memory is already infected, your computer will be infected as well.

Chart 1-6

Microsoft published a fix that addresses this behaviour in September 2008.

Once the fix is applied, no program on the USB memory is run automatically.  Even if you double-click the drive assigned to the USB memory, no program auto-plays (see Chart 1-6) and you only see the contents of the drive, as in Chart 1-7.

Chart 1-7

Even after auto-play has been successfully disabled, whenever you connect USB memory to the computer, scan every drive the computer recognizes as “removable” with your anti-virus software, and check in Windows Explorer whether the drive (that is, the USB memory) contains any suspicious or unfamiliar file.  If it does, do not open it; delete it immediately.  If you cannot decide, consult someone familiar with the matter.
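The Control Panel procedures above drive a single Windows policy value, and an administrator who manages many machines will want to audit it rather than click through each one. The following is an added example that goes beyond the report, which describes only the Control Panel steps: it decodes the NoDriveTypeAutoRun registry value (a well-known Windows policy, one bit per drive type) and reports which drive types can still auto-run. The recommended value 0xFF is this example's choice, and the registry path and bit layout are stated here as facts about Windows rather than taken from the report. The report's own caveat still applies: without the fixes it mentions, Windows did not honour this setting in every case, so apply them as well.

```python
"""Added example, not part of the IPA report: decode and audit the Windows
NoDriveTypeAutoRun policy that the AutoPlay settings described in the report
act on. The registry path and bit layout are Windows facts; the recommended
value 0xFF is this example's own choice (assumption)."""
import sys

# One bit per Win32 drive type (bit = 1 << DRIVE_*); a set bit disables AutoRun
# for that drive type. 0xFF disables it for every type, reserved bits included.
DRIVE_BITS = {
    0x01: "unknown (DRIVE_UNKNOWN)",
    0x02: "no root directory (DRIVE_NO_ROOT_DIR)",
    0x04: "removable: USB memory, memory cards (DRIVE_REMOVABLE)",
    0x08: "fixed disks (DRIVE_FIXED)",
    0x10: "network drives (DRIVE_REMOTE)",
    0x20: "CD/DVD (DRIVE_CDROM)",
    0x40: "RAM disks (DRIVE_RAMDISK)",
    0x80: "reserved",
}
POLICY_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAME = "NoDriveTypeAutoRun"
RECOMMENDED = 0xFF  # assumption: disable AutoRun for every drive type


def still_autoruns(value):
    """Drive types a given NoDriveTypeAutoRun value leaves AutoRun-enabled."""
    return [desc for bit, desc in DRIVE_BITS.items() if not value & bit]


def removable_media_protected(value):
    """True when the bit for removable drives (USB memory) is set."""
    return bool(value & 0x04)


def read_policy():
    """Read the effective value on Windows: the machine policy (HKLM) takes
    precedence over the per-user one (HKCU). Returns None when the value is not
    set, or when not running on Windows."""
    if sys.platform != "win32":
        return None
    import winreg
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, POLICY_SUBKEY) as key:
                value, _ = winreg.QueryValueEx(key, VALUE_NAME)
                return int(value)
        except OSError:
            continue
    return None


def audit(value):
    """(ok, message) for a policy value; None means the value is not set."""
    if value is None:
        return False, f"{VALUE_NAME} not set; set it to 0x{RECOMMENDED:02X}"
    leftover = still_autoruns(value)
    if not leftover:
        return True, f"0x{value:02X}: AutoRun disabled for all drive types"
    note = "" if removable_media_protected(value) else " (USB memory NOT covered)"
    return False, f"0x{value:02X}: AutoRun still enabled for {', '.join(leftover)}{note}"


if __name__ == "__main__":
    ok, message = audit(read_policy())
    print(("OK: " if ok else "ACTION NEEDED: ") + message)
```

On a machine with the long-standing default of 0x91 (which disables AutoRun only for unknown, network and reserved drive types) the audit reports that USB memory is not covered, which is exactly the gap the procedure above closes.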


II. Reporting Status for Computer Viruses (for details, see Attachment 1)

(1) Reporting Status of Virus

The virus detection count (*1) in November was about 256T, down about 6% from about 272T in October.  The number of virus reports (*2) was 1,830, almost unchanged from 1,839 in October.

*1 Detection count: the cumulative number of viruses found by reporters.

*2 Reported number: reports are aggregated; viruses of the same type and its variants reported by the same reporter on the same day are counted as one case, regardless of how many viruses were actually found.  In October, the reported number was 1,839 against a detection count of about 270T.  (From the May 2008 report, the detection count is presented in “T (thousand)” rather than “M (million)” to give more precise figures.)

The virus with the highest detection count was W32/Netsky at about 140T, followed by W32/Autorun at about 100T and W32/Mytob at about 4T.

Chart 2-1

Note: Figures in parentheses are the previous month's (October) figures.

Chart 2-2

Note: Figures in parentheses are the previous month's (October) figures.

(2) Detection Status of Malicious Code

The detection count for malicious code such as backdoors and spyware rose sharply in September and stayed at that level in October.  In November, however, detections of FAKEAV, which had been reported in large numbers in October, almost ceased, and detections of other malicious code fell significantly as well (see Chart 2-3).

The main cause of this sharp decrease is probably that the source of the malicious code was blocked at the network level.

Although little malicious code is currently being detected, continue to handle e-mail attachments with care, since we cannot foresee when and how detections will rise again.

Chart 2-3

III. Reporting Status of Unauthorized Computer Access (including Consultations) (for details, see Attachment 2)

Chart 3-1: Reports of unauthorized computer access and status of consultations

                               Jun.  Jul.  Aug.  Sep.  Oct.  Nov.
Total reported (a)               13    19    15    14    17    18
  Damaged (b)                    11    18    10    12    12    12
  Not damaged (c)                 2     1     5     2     5     6
Total consultations (d)          36    49    25    38    58    39
  Damaged (e)                    15    26    13    20    22    19
  Not damaged (f)                21    23    12    18    36    20
Grand total (a + d)              49    68    40    52    75    57
  Damaged (b + e)                26    44    23    32    34    31
  Not damaged (c + f)            23    24    17    20    41    26

(1) Reporting Status for Unauthorized Computer Access

There were 18 reports in November, of which 12 involved actual damage.

(2) Consultations relevant to Unauthorized Access

There were 39 consultations concerning unauthorized computer access (5 of which were also counted as reports), of which 19 involved actual damage.

(3) Status of Damage

The damage reports comprised 5 intrusions, 1 DoS attack and 6 others.  The damage caused by intrusion was: the server was used as a stepping stone to attack other sites (4 cases), and data in a database was altered by an SQL injection attack (1 case).  The causes of intrusion were password-cracking attacks against the port used by SSH (2 cases) and exploitation of a vulnerability in the server (2 cases); in the remaining case the cause has not yet been established.

Among the other damage, there were 4 cases of someone impersonating the legitimate user to log in to an on-line service (all 4 involving on-line games), and so on.

*SQL (Structured Query Language): the query language for data manipulation and definition in relational database management systems (RDBMS).

*SQL injection: an attack that exploits a vulnerability in the program accessing a database in order to read or alter the data in that database without authorization.

*SSH (Secure SHell): one of the protocols for communicating with a remote computer over a network.

*Password cracking: attack methods for discovering other users' passwords.  Brute force (exhaustive search) and dictionary attacks are well known, and dedicated cracking programs exist.
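The SQL injection case above (data in a database altered) comes from a defect that is easiest to understand side by side with its fix. The following is an added example, not code from the IPA report or from the affected site: a vulnerable update that pastes user input into the SQL text, next to the same update written with placeholders. The schema, rows and payload are constructed for this example and use an in-memory sqlite3 database.

```python
"""Added example, not part of the IPA report: the class of defect behind the
'data in a database was altered by SQL injection' case, shown as a vulnerable
query beside its fixed form. Schema, data and payload are constructed for this
example (sqlite3 in-memory database)."""
import sqlite3


def make_db():
    """Two rows belonging to two different users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (owner TEXT, name TEXT, price INTEGER)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)",
                     [("alice", "sword", 100), ("bob", "shield", 80)])
    return conn


def rename_item_vulnerable(conn, owner, old, new):
    """VULNERABLE (kept as the 'before' form): the user-supplied values are
    pasted into the SQL text, so a quote in *old* ends the string literal and
    whatever follows is executed as SQL."""
    sql = (f"UPDATE items SET name = '{new}' "
           f"WHERE owner = '{owner}' AND name = '{old}'")
    return conn.execute(sql).rowcount


def rename_item_safe(conn, owner, old, new):
    """Fixed form: placeholders make the driver pass the values separately from
    the statement, so input can never change the statement's structure."""
    return conn.execute(
        "UPDATE items SET name = ? WHERE owner = ? AND name = ?",
        (new, owner, old)).rowcount


# Turns the WHERE clause into (owner='bob' AND name='x') OR '1'='1', i.e. true
# for every row, so the update rewrites the whole table, not just bob's item.
PAYLOAD = "x' OR '1'='1"


def demo():
    """Rows altered by the same hostile input against each version."""
    vulnerable = rename_item_vulnerable(make_db(), "bob", PAYLOAD, "pwned")
    safe = rename_item_safe(make_db(), "bob", PAYLOAD, "pwned")
    return vulnerable, safe


if __name__ == "__main__":
    print("rows altered (vulnerable, safe):", demo())
```

The same payload alters every row through the vulnerable function and none through the fixed one, because in the fixed version the string "x' OR '1'='1" is only ever compared as a value against the name column.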

(4) Damage Instance:

[Intrusion]

(i) Intrusion after an attack on the port used by SSH…
<Instance>
  • The web server operated by our organization was listed on a blacklist as a source of spam, we were told.
  • On examining the server, we found that its logs had been deleted, it had been reconfigured as a mail server, and it was being used as a source of spam.
  • In addition, some system commands had been deleted and unauthorized processes were running.
  • It seems to have been intruded through the port used by SSH.  A bot-like program appears to have been planted, and the server was used as a stepping stone for sending spam.
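Intrusions of the kind in the instance above, and the scanning of port 22/tcp noted in Section V, usually announce themselves in the SSH daemon's log long before the logs are deleted. The following is an added example, not code from the IPA report or from the affected organization: it parses OpenSSH auth-log lines, flags a source that produces a burst of failed logins, and flags a subsequent successful login from that same source as a probable compromise. The log lines are constructed for this example and use documentation address ranges; the threshold and window are this example's choices.

```python
"""Added example, not part of the IPA report: detect SSH password-cracking
attempts, and a success following them, from OpenSSH log lines. Sample log
lines are constructed; the threshold and window are this example's choices."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog has no year, so one is supplied when parsing (assumption: 2008 here).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<event>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

# Constructed sample: a burst of guesses that ends in a successful root login,
# one ordinary typo from a legitimate user, and an unrelated line to ignore.
SAMPLE_LOG = """\
Nov 20 03:14:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Nov 20 03:14:03 web1 sshd[2103]: Failed password for invalid user oracle from 203.0.113.5 port 51236 ssh2
Nov 20 03:14:05 web1 sshd[2105]: Failed password for root from 203.0.113.5 port 51238 ssh2
Nov 20 03:14:07 web1 sshd[2107]: Failed password for root from 203.0.113.5 port 51240 ssh2
Nov 20 03:14:09 web1 sshd[2109]: Failed password for root from 203.0.113.5 port 51242 ssh2
Nov 20 03:14:11 web1 sshd[2111]: Failed password for root from 203.0.113.5 port 51244 ssh2
Nov 20 03:14:13 web1 sshd[2113]: Accepted password for root from 203.0.113.5 port 51246 ssh2
Nov 20 03:20:40 web1 sshd[2201]: Failed password for taro from 198.51.100.9 port 40110 ssh2
Nov 20 03:21:02 web1 sshd[2203]: Accepted publickey for taro from 198.51.100.9 port 40112 ssh2
Nov 20 03:25:00 web1 sshd[2300]: Connection closed by 203.0.113.77 port 33001 [preauth]
""".splitlines()


def parse_line(line, year=2008):
    """(timestamp, event, user, ip) for a login-attempt line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["event"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Alerts in log order:
    ('brute-force', ip, n)   when ip reaches *threshold* failures inside the
                             sliding window (reported once per ip);
    ('compromise', ip, user) when a login from a flagged ip then succeeds."""
    recent = defaultdict(deque)  # ip -> timestamps of failures in the window
    flagged = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, event, user, ip = parsed
        if event == "Failed":
            q = recent[ip]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute-force", ip, len(q)))
        elif event == "Accepted" and ip in flagged:
            alerts.append(("compromise", ip, user))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Run against a live /var/log/auth.log the same function gives the two signals worth acting on separately: a brute-force alert calls for blocking the source, while a compromise alert means the host must be treated as intruded, as in the instance above. Because the report's intruder deleted the logs, ship them to a remote syslog host so that this check still has data after an intrusion.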
(ii) My account on an on-line game site was hijacked…
<Instance>
  • When I tried to log in to the on-line game site, I was told “Your password is incorrect” and could not log in.
  • When I inquired with the site operator, it turned out that someone impersonating me had logged in and changed my password, so my account was hijacked.
  • It also turned out that the impersonator had bought paid content on that game site without my consent.
  • Looking back, I may have been infected by a virus, since I often clicked suspicious links and opened suspicious files while surfing the net.

IV. Consultation Status

The total number of consultations in November was 713.  These included 144 concerning “one-click billing fraud” (October: 305), 28 concerning “hard selling of fake anti-virus software” (October: 31), 5 concerning “Winny” (October: 5) and 3 concerning “suspicious e-mail sent to specific organizations to collect specific information” (October: 3).

Chart 4-1: All consultations accepted by IPA over the past 6 months

                             Jun.   Jul.   Aug.   Sep.   Oct.   Nov.
Total                        1211   1387   1616   2165   1171    713
  Automatic response system   693    817    994   1302    677    363
  Telephone                   456    500    548    755    441    288
  e-mail                       60     70     69     93     47     62
  Fax, others                   2      0      5      4      6      0

*IPA offers consultation and advice on computer viruses and unauthorized computer access, as well as on other information security issues in general.

Mail: for virus issues, for crack issues, for the problem relevant to suspicious mail.
Tel.: +81-3-5978-7509 (24-hour automatic response)
Fax: +81-3-5978-7518 (24-hour automatic response)

*“Automatic response system”: number of responses handled by the automatic answering system
*“Telephone”: number of responses handled by Security Center personnel
*The total includes the consultations counted in column (d) of the chart in “III. Reporting Status of Unauthorized Computer Access”.

Chart 4-1: One-click Billing Fraud/Consultation Number

The major consultation instances are as follows.

(i) There is an unfamiliar file on my USB memory…?

Consultation:

I found a file named “sizhu.exe” that I do not recognize on the USB memory I use at the office.  Is this a virus?  My anti-virus software does not detect anything.

Response:

When in doubt, look it up with a search engine right away.  Searching on this file name quickly turns up the existence of a virus named “sizhu.exe”.  According to the virus information provided by an anti-virus vendor, the virus spreads via external storage media such as USB memory, so the file you found is probably a virus.  We recommend checking the file with as many anti-virus products as possible.  “VirusTotal” is a free on-line service that analyses a suspicious file with more than 30 anti-virus engines simultaneously.


(ii) Was the file downloaded with file-sharing software a virus…?

Consultation:

When I start my computer, the wallpaper turns blue and an English message starting with “Spyware…” appears.  In addition, once Windows is ready, an alert screen in English urging me to buy anti-virus software appears.  Since I could not think of anything I had done, I asked my child, who uses this computer often.  It turned out that he/she had downloaded a file with the file-sharing software Cabos, and the symptoms appeared after he/she opened the file.  Is the computer infected?

Response:

The file downloaded with Cabos is a virus that carries out “hard selling of fake security software”.  More importantly, you should recognize the risk of file-sharing software being used on a computer shared by several people: if private information is kept on that computer while, unknown to you, file-sharing software is running, the information may leak onto the file-sharing network unintentionally.  As a parent, you need to make your children understand how risky file-sharing software is.  This not only stops such illegal activity and prevents infection; the users (here, the consulter and the children) should also be aware of the fundamental risk in files whose origin is unknown.  Using file-sharing software out of mere curiosity should be strictly avoided.


V. Access Status Captured by Internet Monitoring (TALOT2) in November

According to the Internet monitoring system TALOT2, the total number of unwanted (one-sided) accesses in November 2008 was 113,906 across the 10 monitoring points, from a gross number of sources* of 34,179.  That is, each monitoring point received 380 accesses per day from 114 source addresses.

*Gross number of sources:

the total number of sources that accessed TALOT2.  Accesses from the same source to the same point and port on the same day are counted as one.

Since each TALOT2 monitoring environment is essentially the same as an ordinary Internet connection, ordinary Internet users can be assumed to receive a similar volume of unwanted (one-sided) access.

Chart 5-1: Unwanted (One-sided) Access Count and Source Count per Monitoring Point per Day (Average)

Chart 5-1 shows the average number of unwanted (one-sided) accesses and sources per monitoring point per day from June to November 2008.  Both figures for November were slightly lower than in October, and over the past 6 months they have tended to decrease.

(1) Access to Port 22/tcp

One TALOT2 monitoring point runs SSH (*1) for administrative reasons.  The number of sources (*2) accessing the port used by SSH (port 22/tcp) rose sharply on November 20 and then gradually declined.

TALOT2 does not analyse the content of attacks, but one could assume that these accesses were preliminary reconnaissance for attacks exploiting the SSH vulnerability published on November 15 (Japan time).

Chart 5-2 shows the change in the number of sources accessing port 22/tcp at the TALOT2 monitoring point that runs SSH.

(*1) SSH (Secure SHell): one of the protocols for communicating with a remote computer over a network.

(*2) Data for port 22/tcp from the monitoring point that runs SSH is excluded from the statistics above, because that point responds to accesses, unlike the other monitoring points, which do not respond at all.


Chart 5-2: Change in the Number of Sources Accessing the TALOT2 Monitoring Point that Runs SSH (22/tcp)

When vulnerability information is published, accesses related to that vulnerability may increase within a short time.  Server administrators should therefore check vulnerability information portals such as JVN daily and be ready to take the necessary security measures immediately on the systems they manage.

<Reference>

  • JVN (Japan Vulnerability Notes), portal site for vulnerability countermeasure information (in Japanese)
    http://jvn.jp/
  • JVN iPedia, vulnerability countermeasure information database (in Japanese)
    http://jvndb.jvn.jp/

For more detailed information, please also refer to the following URLs.

A variety of statistical information provided by other organizations and vendors is available at the following sites.

Contact

IT Security Center, Information-technology Promotion Agency, Japan (IPA/ISEC)
Tel:+81-3-5978-7527
Fax:+81-3-5978-7518
E-mail: Please feel free to call at +81-3-5978-7517.