IPA/ISEC in JAPAN: Virus and UCA Incident Report for December 2008

January 21, 2009

IT Security Center
Information-technology Promotion Agency, Japan (IPA)

This is a summary of the computer virus and unauthorized computer access (UCA) incident reports for December 2008, compiled by IPA.

I. Reminder for the Month:

"Be aware that you are always at risk of virus infection!"

- Infection mechanisms have become more sophisticated, and common knowledge about viruses may no longer be enough -

Looking back at virus trends in 2008, infection mechanisms have clearly become more sophisticated.  Data files such as PDF (Portable Document Format) files and Word files, which had been believed to be safe, may now carry a virus; websites of well-known businesses have been altered so that a virus is delivered to the computer simply by browsing the site; and computers have been infected through ordinary USB memory devices.  In short, every user now has a real chance of being infected by a virus.

If your computer is infected, the following damage may result: your account information for on-line games (ID, password, etc.) may be stolen, your game items (coins, avatars, weapons, etc.) may be taken away*, important files on your computer may be deleted without your knowledge, or your system may be destroyed.

Accordingly, to use your computer safely and securely, it is most important to understand the newer infection mechanisms and to review the fundamental anti-virus measures.

* Many users think that such damage is confined to the virtual world.  However, game coins can actually be converted to cash, and rare weapons are traded at high prices in underground markets among enthusiastic players, so coins, weapons and other items correspond to real valuables in the real world.

(1) Further Sophisticated Virus Infection Mechanisms

Looking at virus infection mechanisms over 2008, infection targets that had been considered safe, such as data files, web pages and external storage media, are no longer safe, because the mechanisms have become more sophisticated.  As a result, there are more infection routes to pay attention to, and a single anti-virus measure may no longer cover all of them.  The three major trends of 2008 are described below.

(a) PDF files and Word files, too, can carry a virus!

Originally, "risky files" (files that readily carry a virus) meant executable files with the .exe extension; nowadays PDF files and Word files are referred to as risky files as well.

Past: Data files such as PDF and Word files were relatively safe.  Caution was needed only when an executable file with the .exe extension was attached to mail.
Current: A virus may be hidden in data files such as PDF and Word files.

Most of us believed that files with the .pdf or .doc extension were safe and that only files with the .exe extension were risky.  However, newer techniques can infect a computer through a file with the .pdf or .doc extension: they exploit vulnerabilities in the software used to open the data file.  Viruses of this kind have actually been used in spear-type (targeted) attacks aimed at specific businesses or organizations.
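As an added example (not part of the IPA report), the following Python script shows the kind of static check a practitioner can run on a PDF attachment before anyone opens it.  It counts the PDF name objects that make a document act on its own when opened (/OpenAction, /AA) or that carry active content (/JavaScript, /JS, /Launch), after undoing the #xx name escapes that are used to hide such keywords from plain string matching.  The two sample PDFs are constructed for this example, and the list of names to look for is this example's choice.

```python
import re

# Name objects that make a PDF act on its own or carry active content.
# These are standard PDF names (ISO 32000-1); which ones to count is this example's choice.
RISKY_NAMES = ("/OpenAction", "/AA", "/JavaScript", "/JS", "/Launch",
               "/URI", "/EmbeddedFile", "/RichMedia", "/ObjStm")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Undo #xx escapes inside PDF names, e.g. /Java#53cript -> /JavaScript.
    A reader resolves the escape, so the keyword is still live; a naive
    substring search would miss it."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Static triage of a PDF: count risky name objects and decide whether the
    file deserves a closer look (full parser, sandbox) before it is opened."""
    if not data.startswith(b"%PDF-"):
        return {"is_pdf": False, "counts": {}, "suspicious": False, "has_objstm": False}
    text = normalize_names(data)
    counts = {}
    for name in RISKY_NAMES:
        # Negative lookahead so that /JS does not also match longer names such as /JSX.
        counts[name] = len(re.findall(re.escape(name.encode()) + rb"(?![A-Za-z])", text))
    auto_trigger = counts["/OpenAction"] + counts["/AA"] > 0
    active = counts["/JavaScript"] + counts["/JS"] + counts["/Launch"] > 0
    return {
        "is_pdf": True,
        "counts": counts,
        # Auto-triggered active content is the classic exploit-carrier pattern;
        # /Launch is flagged on its own because it starts external programs.
        "suspicious": (auto_trigger and active) or counts["/Launch"] > 0,
        # Compressed object streams can hide any of the names above from this scan.
        "has_objstm": counts["/ObjStm"] > 0,
    }


# Constructed sample: a one-page PDF whose catalog runs a JavaScript action on
# open, with the action type name hex-escaped to evade keyword matching.
SAMPLE_MALICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"4 0 obj << /S /Java#53cript /JS (app.alert('constructed sample')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample: the same document without any action.
SAMPLE_BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_MALICIOUS_PDF
    result = scan_pdf(data)
    print({k: v for k, v in result["counts"].items() if v}, "suspicious:", result["suspicious"])
```

A zero count is a lower bound rather than a clean result: names inside compressed object streams (/ObjStm) are invisible to this scan, so a file that reports has_objstm should be handed to a full PDF parser or opened only in a sandbox.  Either way the fundamental measure still applies: keep the viewer patched, because the exploit only works against a vulnerable reader.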


(b) Websites of well-known businesses and organizations are altered so that simply browsing them infects your computer!

Nobody expects to be infected by browsing the website of a well-known business or organization, because such sites are believed to be well managed and trustworthy.  However, in 2008 a number of cases were identified in which a trick had been embedded in a website believed to be safe, so that users were infected simply by browsing it.  The infection mechanism relies on vulnerabilities in the browser software (Internet Explorer, etc.) used to view the website; the virus exploits them to spread further.

Past: Websites of well-known businesses and organizations are trustworthy and safe.  Users will not be infected as long as they do not browse suspicious sites.
Current: Even websites of well-known businesses and organizations may have been altered, so that users who browse them may be infected by a virus.

(c) Infection via USB memory!

Thanks to current technology, external storage media such as USB memory and memory cards offer large capacity at reasonable prices, and they are frequently used to carry and back up large amounts of data.  In the second half of 2008, viruses that exploit this convenient tool, USB memory, increased.

We assume that many users still do not know that a virus may be hidden in such a handy USB memory.  If such a user connects an already infected USB memory, the virus infects the computer as well.  In addition, if someone then connects another USB memory to the infected computer, that USB memory is infected too.  In this way the infection spreads from one USB memory to the next, over and over.

Past: In the 1990s, viruses that spread via floppy disks were the mainstream.
Current: Viruses that spread via USB memory have appeared, so there is a risk of infection whenever data is exchanged on USB memory.

(2) Damage Caused by Virus Infection

The following cases illustrate the damage caused by virus infection.  The current behavioral trend is that a virus steals information from the infected computer and/or exploits the computer for secondary purposes*, i.e., for purposes other than the user's.

* A virus may exploit the infected computer as a steppingstone server or as a relay point for distributing virus mail, spam, etc.

[Case 1]: Symptoms observed in a spear-type attack by virus

The virus infecting a computer automatically accesses a server prepared by the attacker on the Internet and sends it specific information such as the user ID, OS version and IP address.  In addition, the server can issue the commands listed below to the infected computer, so information may leak and files on the computer may be deleted.

- Sending out lists of the drives, folders and files on the computer.

- Sending, receiving, altering and deleting arbitrary files.

- Executing commands and sending out the results.

- Executing programs.
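The automatic check-in described in Case 1 is the behaviour a network defender can look for.  As an added example (not IPA's code), the following Python script reads proxy log lines in a constructed format ("<ISO time> <client ip> <destination host> <bytes sent>"; the lines are made up for this example) and flags client/destination pairs whose connections are evenly spaced and uniform in size, which is how an implant polling its server for commands looks in logs.  The field layout and the thresholds are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log (not real data): "<ISO time> <client ip> <destination host> <bytes sent>".
# 10.0.0.15 checks in with the same host every 5 minutes with near-identical small requests.
SAMPLE_PROXY_LOG = """\
2008-12-05T09:00:02 10.0.0.15 update.example-vendor.test 812
2008-12-05T09:00:31 10.0.0.15 c2.example-bad.test 302
2008-12-05T09:03:14 10.0.0.22 www.example-news.test 4410
2008-12-05T09:05:31 10.0.0.15 c2.example-bad.test 298
2008-12-05T09:10:32 10.0.0.15 c2.example-bad.test 301
2008-12-05T09:15:31 10.0.0.15 c2.example-bad.test 305
2008-12-05T09:16:45 10.0.0.22 www.example-news.test 3980
2008-12-05T09:20:30 10.0.0.15 c2.example-bad.test 299
2008-12-05T09:25:31 10.0.0.15 c2.example-bad.test 304
2008-12-05T09:41:07 10.0.0.22 www.example-news.test 5120
2008-12-05T10:02:55 10.0.0.22 mail.example-corp.test 700
"""


def parse_proxy_log(text: str) -> dict:
    """Group (timestamp, bytes sent) per client/destination pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, sent = line.split()
        flows[(src, dst)].append((datetime.fromisoformat(ts), int(sent)))
    return flows


def find_beacons(text: str, min_hits: int = 5, max_interval_cv: float = 0.1,
                 max_size_spread: float = 0.25) -> list:
    """Flag client/destination pairs whose connections are regular in time and
    uniform in size: the signature of an implant polling its server for commands.
    The thresholds are this example's choice; tune them to the environment."""
    beacons = []
    for (src, dst), hits in parse_proxy_log(text).items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        gaps = [(b - a).total_seconds() for (a, _), (b, _) in zip(hits, hits[1:])]
        sizes = [s for _, s in hits]
        if mean(gaps) == 0:
            continue  # several hits with the same timestamp: not a timer, skip
        interval_cv = pstdev(gaps) / mean(gaps)                # 0 = perfectly periodic
        size_spread = (max(sizes) - min(sizes)) / mean(sizes)  # 0 = identical requests
        if interval_cv <= max_interval_cv and size_spread <= max_size_spread:
            beacons.append({"src": src, "dst": dst, "hits": len(hits),
                            "period_s": round(mean(gaps)),
                            "interval_cv": round(interval_cv, 3)})
    return beacons


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_PROXY_LOG):
        print(f"{b['src']} -> {b['dst']}: {b['hits']} hits every ~{b['period_s']}s "
              f"(interval cv={b['interval_cv']})")
```

Legitimate software also polls on a timer (update checks, mail clients), so the output is a list of candidates to triage against an allowlist of known hosts, not a verdict.  An implant that adds random jitter to its interval will need a looser max_interval_cv or a different statistic.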

[Case 2]: Major behaviors of the virus embedded in websites and of the USB-memory infection type of virus

When infected, the following damage may appear on the computer.

- System files necessary for Windows to run properly are destroyed.  Windows may then request the system CD(s) in an attempt to repair the system files.

- Account information (ID and password) for on-line game sites is stolen.  You may lose coins and hard-to-find items when someone fraudulently accesses the on-line game with your stolen ID and password.

- A different virus is downloaded.  Further malicious viruses may be downloaded; what will be downloaded is not known in advance, so a variety of damage can be assumed.

(3) Fundamental Measures

Using anti-virus software and resolving vulnerabilities are effective measures for preventing damage by viruses before it happens.  Be sure to carry out these technical measures as the fundamentals of your security.

(a) Using anti-virus software

When you use a computer, be sure to install anti-virus software, keep the virus signatures updated, and enable real-time detection.  In addition, we encourage you to scan your computer for viruses regularly, for example once a week.

(b) Resolving vulnerabilities

Infection through a virus hidden in a PDF file, or simply by browsing a web page, depends on vulnerabilities in application software.  They can be resolved by updating the application software used to view PDF files, browser software, etc., as promptly as possible.  Windows itself also has vulnerabilities; be sure to resolve them in the same manner by using Windows Update.

(4) Countermeasures against the newer infection mechanisms

The fundamental measures described above are not sufficient by themselves to prevent damage from the newer infection mechanisms described in (1).  In addition to the technical measures, be cautious about the following items daily and take these additional countermeasures against the damage described in (2).

(a) Never open suspicious (untrustworthy) files or files whose source is unknown

A virus may be hidden in untrustworthy files, such as a file attached to mail from a sender you do not usually communicate with, or a file downloaded from a suspicious website.  There is no need to check the contents of such files even if your anti-virus software raises no alert; simply do not open them.

(b) Do not ignore alerts

Windows XP and Vista display a "security alert" when you attempt to run an application.  If you ignore an alert that appears unexpectedly and run the application anyway, you may be infected by a virus.  When a security alert is displayed, check that it is for the application you intended to start; if you cannot determine what the alert is for, cancel.

(c) Do not use USB memory that you do not manage

Virus infection via external storage media such as USB memory has increased.  As the minimum precautions against infection, be careful about the following:

- Do not connect USB memory that you do not manage, or whose owner is unknown, to your computer.

- Do not connect your USB memory to a computer that you do not manage, or that is used by an unspecified number of people.
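The report names the USB infection route in (1)(c) and the precautions above, but not the file that carries the infection.  The W32/Autorun family counted in Section II spreads through an autorun.inf at the root of the medium, which tells Windows what to run when the medium is inserted or opened.  As an added example (not IPA's code), the following Python script inspects such a file and flags the entries that run a program, together with the trick of labelling the malicious entry so that it looks like Explorer's own "Open folder to view files" option.  Both autorun.inf samples are constructed for this example, as is the choice of keys to flag.

```python
import configparser
from pathlib import Path

# [autorun] keys that make Windows run something when the medium is inserted or
# opened from Explorer (standard autorun.inf keys; the selection is this example's).
RUN_KEYS = ("open", "shellexecute", "shell\\open\\command",
            "shell\\explore\\command", "shell\\autoplay\\command")


def parse_autorun(text: str):
    """Read autorun.inf as an INI file.  Returns the [autorun] entries with
    lower-cased keys, {} if there is no such section, None if unparseable."""
    cfg = configparser.ConfigParser(strict=False, interpolation=None,
                                    allow_no_value=True, delimiters=("=",))
    try:
        cfg.read_string(text)
    except configparser.Error:
        return None
    section = next((s for s in cfg.sections() if s.lower() == "autorun"), None)
    if section is None:
        return {}
    return {k.lower(): (v or "") for k, v in cfg.items(section)}


def _target(value: str) -> str:
    """First token of a command line, honouring quotes around a path with spaces."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split()[0] if value else ""


def assess_autorun(text: str) -> dict:
    """Summarize what an autorun.inf would make Windows do."""
    entries = parse_autorun(text)
    if entries is None:
        # A file Windows still acts on but an INI parser cannot read is itself a warning sign.
        return {"parse_error": True, "runs": {}, "mimics_open_folder": False, "suspicious": True}
    runs = {key: _target(entries[key]) for key in RUN_KEYS if entries.get(key, "").strip()}
    # Worms set action= to the text of Explorer's own "Open folder to view files"
    # entry so that the user picks the malware without noticing.
    mimics = "open folder" in entries.get("action", "").lower()
    return {"parse_error": False, "runs": runs, "mimics_open_folder": mimics,
            "suspicious": bool(runs) or mimics}


def inspect_drive(root: str):
    """Check the autorun.inf at the root of a mounted removable drive, if any,
    and list run targets that cannot be found on the medium."""
    inf = Path(root) / "autorun.inf"
    if not inf.is_file():
        return None
    result = assess_autorun(inf.read_text(encoding="latin-1", errors="ignore"))
    result["missing_targets"] = [
        t for t in result["runs"].values()
        if not Path(root).joinpath(*t.replace("\\", "/").split("/")).exists()
    ]
    return result


# Constructed sample in the style of the 2008 USB worms: every way of opening the
# drive runs setup.exe from a folder named to look like the Recycle Bin.
SAMPLE_WORM_AUTORUN = """\
[AutoRun]
open=recycler\\s-1-5-21-0\\setup.exe
shell\\open\\command=recycler\\s-1-5-21-0\\setup.exe
shellexecute=recycler\\s-1-5-21-0\\setup.exe
action=Open folder to view files
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

# Constructed sample of a harmless autorun.inf that only sets a label and an icon.
SAMPLE_BENIGN_AUTORUN = """\
[autorun]
label=Backup stick
icon=stick.ico
"""


if __name__ == "__main__":
    import sys
    print(inspect_drive(sys.argv[1]) if len(sys.argv) > 1 else assess_autorun(SAMPLE_WORM_AUTORUN))
```

Run inspect_drive against the mount point of a stick before trusting its contents, or, better, disable Autorun on the computer so that nothing runs on insertion regardless of what the file says.  The absence of an autorun.inf does not prove the medium is clean: the executable a worm dropped is still there until it is removed, which is what the anti-virus scan in (3)(a) is for.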

The countermeasures in (3) and (4) above are only partially effective when carried out separately; combined and carried out comprehensively, they can respond to the newer infection mechanisms.  Again, be sure to carry out as many countermeasures as you can to prevent infection damage before it happens.


II. Reporting Status for Computer Viruses (for further details, please refer to Attachment 1)

The detection number of viruses (*1) in December was about 173T, a sharp decrease of about 32.5% from about 256T in November.  The reported number of viruses (*2) in December was 1,795, a decrease of about 1.9% from 1,830 in November.

*1 Detection Number: the cumulative number of viruses found by a filer, as reported.

*2 Reported Number: virus counts are aggregated: viruses of the same type and variant reported by the same filer on the same day are counted as one case, regardless of how many viruses were actually found.  In December, the reported number was 1,795 and the aggregated detection count was about 173T.  (From the May 2008 report, "T (thousand)" is used instead of "M (million)" to present the detection number of viruses.)

The most detected virus was W32/Netsky with about 144T, followed by W32/Autorun with about 130T and W32/Mydoom with about 4T.

Chart 2-1 (numbers in parentheses show the previous month, November)

Chart 2-2 (numbers in parentheses show the previous month, November)

(2) Detection Status of Malicious Code

In September 2008, the detection number of malicious code such as backdoors and spyware increased sharply, and it remained high through October; in the latter part of November, however, it returned to the previous level, so that FAKEAV and LINEAGE were rarely detected (see Chart 2-3).

Although only a few malicious codes are currently detected, continue to handle attached files with caution, since it cannot be foreseen when detections will increase sharply again.

Chart 2-3

III. Reporting Status of Unauthorized Computer Access (including Consultations) (please refer to Attachment 2 for further details)

Reports of unauthorized computer access and status of consultations

                               Jun.  Jul.  Aug.  Sep.  Nov.  Dec.
Total reported (a)               13    19    15    14    18    10
  Damaged (b)                    11    18    10    12    12     7
  Not damaged (c)                 2     1     5     2     6     3
Total consultations (d)          36    49    25    38    39    38
  Damaged (e)                    15    26    13    20    19    19
  Not damaged (f)                21    23    12    18    20    19
Grand total (a + d)              49    68    40    52    57    48
  Damaged (b + e)                26    44    23    32    31    26
  Not damaged (c + f)            23    24    17    20    26    22

(1) Reporting Status for Unauthorized Computer Access

The number of reports in December was 10, of which 7 involved actual damage.

(2) Consultations Relevant to Unauthorized Access

The number of consultations relevant to unauthorized computer access was 38 (5 of which were also counted as reports), of which 19 involved actual damage.

(3) Status of Damage

The damage reports included 7 intrusions, among others.

The major damage caused by intrusion was: data in a database altered by an SQL injection attack (3), vulnerabilities exploited and commands executed on the server (2), the server exploited as a steppingstone for attacks on other sites (1), and content embedded to be exploited for phishing* (1).  The causes of intrusion were: an exploited vulnerability (5), and what appears to have been a password cracking attack against the port used by SSH (1).  For the remaining 1, the cause has not yet been clarified.

*SQL (Structured Query Language): the query language used to define and operate on data in a relational database management system (RDBMS).

*SQL Injection: an attack that exploits a vulnerability in a program accessing a database in order to read and/or alter data in that database by means other than the legitimate ones.

*Phishing: a fraud in which users are lured, typically by mail masquerading as a legitimate business such as a bank, to a fake web page that steals the ID and password of the users who access it.

*SSH (Secure Shell): a protocol for communicating with a remote computer over a network.

*Password Cracking: an attack that works out another user's password.  Brute force (exhaustive search) attacks and dictionary attacks are well known, and dedicated cracking programs exist.

(4) Damage Instances:

[Intrusion]

(i) Intruded after an attack on the port used by SSH…
<Instance>
  • The business was informed that the web server it operates could not be accessed from outside.
  • The server was examined: log-in was being denied because the password for the privileged user account had been altered.
  • Further study revealed that a password cracking attack had been conducted against the port used by SSH; a weak password was found and used to intrude.  Worse, an SSH scanner had been installed.
  • Normally the IP addresses allowed to connect to the SSH port were restricted; however, the server had been temporarily opened to every IP address while non-routine operations were carried out.  The password cracking attack was possible because the server had been left accessible from every IP address outside.
(ii) Data altered within an on-line game site…
<Instance>
  • The manager of an on-line game site examined a display problem on the site and confirmed that the content in question had not been placed there by the site operator.
  • Investigation revealed that HTML tags had been embedded in the data within the database referred to by the web application running on the site.
  • As a result, users who simply accessed the game site were automatically redirected to a site where a virus was embedded.  The virus was designed to redirect users to the virus site whenever they accessed other game sites linked to this one.
  • The cause was an SQL injection vulnerability in the web application.
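Instance (ii) combines two weaknesses: the SQL injection that let the attacker change rows in the database, and a page that wrote those rows into HTML unchanged, so that the injected tags were rendered by every visitor's browser.  As an added example (not the site's code, which the report does not show), the following Python script uses an in-memory SQLite table of constructed game items to show an update routine with the injection flaw next to its parameterized replacement, and a rendering routine that writes stored text into the page as-is next to one that escapes it.  The table, item names, request parameters and the iframe payload are all constructed for this example.

```python
import html
import sqlite3

# Constructed attacker payload: an invisible frame that loads the virus site.
PAYLOAD = '<iframe src="http://malware.example.test/" width="0" height="0"></iframe>'


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the game site's item table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, description TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)",
                     [(1, "Sword", "A sharp blade"),
                      (2, "Shield", "Blocks attacks"),
                      (3, "Potion", "Restores 50 HP")])
    conn.commit()
    return conn


def update_description_vulnerable(conn, item_id: str, description: str) -> int:
    """The bug: request parameters are pasted into the SQL text.  An item_id of
    '1 OR 1=1' turns a single-row update into an update of every row."""
    sql = f"UPDATE items SET description = '{description}' WHERE id = {item_id}"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_description_safe(conn, item_id: str, description: str) -> int:
    """Fix: validate the type and bind the values as parameters, so the
    database never interprets user input as SQL."""
    if not item_id.isdigit():
        raise ValueError("item_id must be a positive integer")
    cur = conn.execute("UPDATE items SET description = ? WHERE id = ?",
                       (description, int(item_id)))
    conn.commit()
    return cur.rowcount


def count_poisoned(conn) -> int:
    """How many rows now carry a tag that a browser would render."""
    return conn.execute("SELECT COUNT(*) FROM items WHERE description LIKE '%<%'").fetchone()[0]


def render_vulnerable(description: str) -> str:
    """Second bug: stored text is written into the page as-is, so injected tags run."""
    return f"<p>{description}</p>"


def render_safe(description: str) -> str:
    """Defense in depth: escape on output, so even an altered row cannot redirect users."""
    return f"<p>{html.escape(description, quote=True)}</p>"


if __name__ == "__main__":
    conn = make_db()
    update_description_vulnerable(conn, "1 OR 1=1", PAYLOAD)
    print("rows carrying injected HTML after the attack:", count_poisoned(conn))
    print("same payload rendered safely:", render_safe(PAYLOAD))
```

The parameterized version stops the database from being altered; the escaping version stops an altered row from redirecting users even if some other route into the database exists.  Fixing both is the point: the reported cause was a vulnerability in the web application, but the damage to visitors depended on the page trusting its own database.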

IV. Consultation Status

The gross number of consultations in December was 839.  Of these, consultations relevant to "One-click Billing Fraud" numbered 194 (November: 144), consultations relevant to "Hard selling of falsified anti-virus software" numbered 13 (November: 28), consultations relevant to "Winny" numbered 6, and consultations relevant to "specific organization to collect specific information/data" numbered 0 (November: 3).

Chart 4-1: All Consultations Accepted by IPA over the Past 6 Months

                             Jul.   Aug.   Sep.   Oct.   Nov.   Dec.
Total                       1,387  1,616  2,165  1,171    713    839
  Automatic Response System   817    994  1,302    677    363    458
  Telephone                   500    548    755    441    288    331
  E-mail                       70     69     93     47     62     49
  Fax, Others                   0      5      4      6      0      1

*IPA provides consultation and advice on computer viruses and unauthorized computer access, as well as on other information security issues in general.

Virus issues and unauthorized access (crack) issues: please feel free to call +81-3-5978-7517.
Tel.: +81-3-5978-7509 (24-hour automatic response)
Fax: +81-3-5978-7518 (24-hour automatic response)

*"Automatic Response System": number of responses by the automatic response system
*"Telephone": number of responses by IT Security Center personnel
*The total number of cases includes the number in the Consultation (d) row of the table in "III. Reporting Status of Unauthorized Computer Access" and in "IV. Consultation Status".

Chart 4-1: One-click Billing Fraud / Consultation Number


The major consultation instances are as follows.

(i) A virus was detected on my home computer in data brought home on a USB memory…?

Consultation:

I copied some data to the USB memory managed by my computer school via a computer furnished at the school (anti-virus software from provider A was installed, but had already expired).  I brought it home and connected it to my home computer (anti-virus software from provider B was installed, still valid), and a virus was detected.  Why was the virus not detected by the computer at the school?  When I connected that USB memory to my home computer again, nothing was alerted afterwards.  What's going on here?  I do not feel at ease.

Response:

Anti-virus software whose subscription has expired, i.e., whose virus signatures are no longer updated, cannot detect the new viruses that emerge day by day.  In addition, as in this case, the anti-virus software from provider B may detect a given virus readily while the software from provider A may take some time before it can detect the same virus.  The reason nothing was alerted afterwards is that the virus on the USB memory was removed when it was first detected.  Your home computer is not infected, so please feel at ease.


(ii) Should a computer that was once fraudulently accessed be initialized…?

Consultation:

I feel that my computer malfunctions somewhat and that someone is always monitoring its contents.  A router is in place, I make it a rule to keep the virus signatures up to date, and a personal firewall is in place as well.  However, a person who is familiar with computers told me that my computer has probably been fraudulently accessed and that I had better initialize it.  Why?

Response:

Viruses that anti-virus software misses, such as newly emerged ones, can exist on any computer.  A virus that has slipped past the anti-virus software may halt security-related software, download other unknown viruses from outside, and so on.

For this reason, if your computer clearly behaves differently than before, it has probably been infected by a virus and/or is being manipulated from outside.  At the same time, when such abnormalities cannot be clearly identified, it is difficult to determine the affected area by other means.  Accordingly, the best measure is to initialize your computer and reset it entirely.


V. Access Status Captured by the Internet Monitoring System (TALOT2) in December

According to the Internet monitoring system TALOT2, the total number of unwanted (one-sided) accesses in December 2008 was 108,338 across the 10 monitoring points, and the gross number of sources* was 38,976.  That is, per monitoring point per day, there were 349 accesses from 126 source addresses.

*Gross number of sources:

the gross number of sources that accessed TALOT2.  Accesses from the same source to the same monitoring point and port on the same day are counted as one source.

Since each TALOT2 monitoring environment is nearly equal to a general Internet connection environment, it can be considered that the same amount of unwanted (one-sided) access reaches the connection environment of general Internet users.
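The figures above follow from two definitions: an access is one logged packet or connection, and a source is counted once per day per monitoring point and port.  As an added example (not TALOT2 code, whose log format the report does not give), the following Python script applies those definitions to a constructed sensor log of the form "<date> <monitoring point> <source ip> <proto> <destination port>" and produces the statistics the report quotes: total accesses, gross sources, and the per-monitoring-point-per-day averages, overall and per destination port as in Chart 5-2.  The log lines, point names and addresses are made up, and the script assumes every monitoring point was active on every day that appears in the log.

```python
from collections import Counter

# Constructed sensor log, not TALOT2 data:
# "<date> <monitoring point> <source ip> <proto> <destination port>".
SAMPLE_SENSOR_LOG = """\
2008-12-01 P1 192.0.2.10 tcp 135
2008-12-01 P1 192.0.2.10 tcp 135
2008-12-01 P1 192.0.2.11 tcp 445
2008-12-01 P1 198.51.100.7 udp 1026
2008-12-01 P2 192.0.2.10 tcp 135
2008-12-01 P2 203.0.113.5 tcp 445
2008-12-02 P1 192.0.2.10 tcp 135
2008-12-02 P1 192.0.2.10 tcp 445
2008-12-02 P2 198.51.100.7 udp 1026
2008-12-02 P2 198.51.100.7 udp 1027
"""


def per_point_day(total: int, points: int, days: int) -> int:
    """Average per monitoring point per day, rounded to a whole number as in the report."""
    return round(total / (points * days))


def summarize(log_text: str) -> dict:
    """Accesses, sources (one per day/point/port/source) and per-point-per-day averages."""
    accesses = 0
    sources = set()          # (day, point, source ip, port): counted once, per the definition
    points, days = set(), set()
    by_port = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        day, point, src, proto, port = line.split()
        accesses += 1
        points.add(point)
        days.add(day)
        key = f"{port}/{proto}"
        sources.add((day, point, src, key))
        by_port[key] += 1
    # Assumption: every point observed on every day, so point-days = points x days.
    point_days = len(points) * len(days)
    return {
        "accesses": accesses,
        "sources": len(sources),
        "point_days": point_days,
        "accesses_per_point_day": accesses / point_days,
        "sources_per_point_day": len(sources) / point_days,
        # Per destination port, most targeted first (the breakdown of Chart 5-2).
        "per_port": {k: v / point_days for k, v in by_port.most_common()},
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_SENSOR_LOG)
    print(f"{s['accesses']} accesses from {s['sources']} sources over {s['point_days']} point-days")
    print(f"{s['accesses_per_point_day']:.2f} accesses and {s['sources_per_point_day']:.2f} "
          f"sources per monitoring point per day")
    for port, avg in s["per_port"].items():
        print(f"  {port:>9}: {avg:.2f}/point/day")
    print("report check:", per_point_day(108338, 10, 31), per_point_day(38976, 10, 31))
```

Applying per_point_day to the report's own December totals, 108,338 accesses and 38,976 sources over 10 points and 31 days, gives 349 and 126, the figures quoted above.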

Chart 5-1: Unwanted (One-sided) Number of Accesses and Number of Sources per Monitoring Point per Day (Average)

Chart 5-1 shows the average number of accesses and the average number of sources per monitoring point per day from January to December 2008.  According to this chart, both the unwanted (one-sided) accesses and the sources decreased slightly compared with November.  Accordingly, it can be said that they have been decreasing over the year.

Chart 5-2 shows the average number of accesses per monitoring point per day classified by destination port for each month of 2008.  According to this chart, accesses to ports 135/tcp and 1026/udp, the most frequently accessed ports over the year, seem to have decreased, and this can be said to have driven the decrease in overall accesses.

Port 135/tcp is the port most frequently targeted when attackers attack vulnerabilities in Windows.  Port 1026/udp, like port 1027/udp, is the port most frequently targeted when attackers attempt to send unwanted messages such as virus mail and spam by exploiting the Windows Messenger Service.

Chart 5-2

(1) The increase in accesses to port 445/tcp seems to be attacks by a virus that exploits a vulnerability

Chart 5-3 shows the number of accesses to port 445/tcp over 2008.  Up to July 2008, accesses to port 445/tcp tended to decrease; thereafter they turned to a moderate increase, and that tendency still continued at the end of December 2008.

Chart 5-3: Number of Accesses to Port 445/tcp over 2008

The cause of the increase has not yet been identified; however, the increase around October may have been affected by attacks related to the vulnerability (MS08-067) for which Microsoft published an urgent advisory on October 24 (Japan time).  According to that information, attacks exploiting this vulnerability had been conducted from about 2 weeks before the vulnerability information was published.


After this vulnerability information was published, the increase in accesses to port 445/tcp was also observed by other organizations that carry out fixed-point observation; accordingly, it may have been attempts at infection by a virus exploiting this vulnerability.  Indeed, a virus exploiting this vulnerability and some attack tools have been identified.

Again, all users should pay attention to vulnerability information daily: as a fundamental security measure, be sure to apply patches to your applications immediately when vulnerability information is newly published.


(2) Access status from the start of TALOT2 to December 2008

Chart 5-4 shows the average number of accesses and the average number of sources per monitoring point per day from June 2004, when TALOT2 started, to December 2008.  The average number of accesses in December 2008 was about 12% of that in January 2005.  The major cause of the decrease in accesses from December 2006 seems to be that the anti-bot activities of the Cyber Clean Center (CCC), which started around that time, have been taking effect.

The major activity of the CCC is to alert users whose computers appear to be infected by bots, through the Internet service providers (ISPs) that participate, together with collecting and analyzing bot specimens and preparing and distributing bot removal tools.  In October 2007 the number of participating ISPs increased sharply from 8 to 65.  Because of this, both the average number of accesses and the average number of sources from domestic addresses have decreased since October 2007.

<Reference>

  •  Cyber Clean Center – the collaborative project in between the Ministry of Internal Affairs and Communications (MIC) and the Ministry of Economy, Trade and Industry (METI)
    https://www.ccc.go.jp/en_index.html

Chart 5-4: Number of Accesses (Average) and Number of Sources (Average) per Monitoring Point per Day (June 2004 – December 2008)

Chart 5-5 shows the average number of accesses and the average number of sources, from domestic and from overseas addresses, from December 2006, when the CCC started its activities, to December 2008.  According to this chart, both the accesses and the sources from domestic and from overseas addresses were steadily decreasing, with the decrease in accesses from domestic addresses being the more remarkable.

Because of this, the CCC's activities, i.e., bot removal within Japan, seem to be taking effect.

Chart 5-5: Number of Accesses (Average) and Number of Sources (Average) per Monitoring Point per Day (Domestic/Overseas), December 2006 – December 2008

 


Contact

IT Security Center, Information-technology Promotion Agency, Japan (IPA/ISEC)
Tel:+81-3-5978-7527
Fax:+81-3-5978-7518
Inquiries: please feel free to call +81-3-5978-7517.