IPA/ISEC in JAPAN: Virus and UCA (Unauthorized Computer Access) Incident Report for January 2009

February 13, 2009

IT Security Center
Information-technology Promotion Agency, Japan (IPA)

This is a summary of the computer virus and unauthorized computer access incident reports for January 2009 compiled by IPA.

I. Reminder for the Month:

“Is the Vulnerability in Your Computer Adequately Resolved?”

- Your computer is always a target for viruses! -

The Internet Monitoring System (TALOT2)* observed that access to port 445/tcp, which had been increasing moderately since October 2008, increased drastically in January 2009 (see Chart 1-1; see also (1) below for further details).

This access is likely to have targeted the vulnerability in Windows (MS08-067), for which Microsoft published an emergency advisory on October 24, 2008 (Japan time). According to Microsoft, attacks exploiting the vulnerability had first been identified about two weeks before the advisory was published.

Several viruses that attack by exploiting this vulnerability have been identified. In particular, at the end of December 2008 a new variant called Downadup.B appeared, which additionally infects USB memory and other removable media. The drastic increase in access in January may be due to this variant spreading via removable media: the number of infected computers grew, and with it the gross number of accesses by which those computers attack other computers. To protect your computer from this virus, you must both maintain your anti-virus measures and resolve any vulnerabilities (security holes) in your computer.

* TALOT2 is an Internet monitoring system operated by IPA which monitors inbound and outbound access in an environment equivalent to that of general Internet users: it uses several lines subscribed from a large domestic ISP (Internet Service Provider).

Chart 1-1: Number of Accesses to Port 445/tcp (October 2008 - January 2009)

(1) General Overview of the Vulnerability in Windows (MS08-067)

Microsoft describes MS08-067 as “Vulnerability in Server Service Could Allow Remote Code Execution”: if a specially crafted packet (communication data) is sent unsolicited to a targeted computer, arbitrary code can be executed in the Server service, which Windows uses to share files and printers.

By sending malicious packets to port 445/tcp, which is used by the Server service in Windows, an attacker attempts to infect the targeted computer with a virus and to eavesdrop on, modify, or delete data on it; the attacker may also gain unauthorized access and create a new account with administrator privileges on the targeted computer. Accordingly, if this vulnerability is left unresolved, the attacker can obtain access to the computer, and the computer will eventually be damaged by the virus.
The identified virus that exploits this vulnerability is explained in the following section.

* A port is a logical endpoint that serves as a channel for exchanging information with other computers. Since ports are numbered sequentially from 0 to 65535, they are also referred to as port numbers.

(2) General Overview of the Virus which Exploits the Vulnerability (MS08-067)

Of the viruses that attack by exploiting this vulnerability (MS08-067), the one called Downadup has been identified. It was first detected at the end of November 2008, and Downadup.B, a variant of Downadup, was detected at the end of December 2008. Below, we describe the virus's features based on IPA's analysis of a Downadup.B specimen.
The virus first infects, over the Internet, a computer whose vulnerability has not yet been resolved; it then uses that computer as a hub to attempt infection of other computers. Because of this mechanism, once even a single computer on a LAN is infected, the infection spreads throughout that LAN environment, such as that of a business, organization, or school (see Chart 1-2).

Chart 1-2: Mechanism of the Virus that Exploits the Vulnerability (MS08-067)

Note that Downadup.B, the variant, additionally infects removable media such as USB memory. The increase in access to port 445/tcp in January may have been caused by someone using USB memory already infected by Downadup.B via a home computer and then in a LAN environment such as a business, organization, or school. With the emergence of the variant, the number of computers infected by this virus increased drastically, and consequently the gross number of accesses attacking other computers also increased (see Chart 1-1).
It has also been identified that the virus attempts to download other viruses by connecting to malicious sites. According to IPA's analysis, the following symptoms may appear when a computer is infected by this virus (not all of them necessarily appear, and other symptoms may appear later).

- The virus blocks access to websites related to anti-virus software, so that users cannot update their virus signatures.
- The virus blocks access to Microsoft websites, so that users cannot use Windows Update.
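As an added example (not part of the IPA report), the following Python script shows what the hub-and-spread mechanism described above looks like from the inside of a LAN and how to spot it in connection logs: one source opening 445/tcp connections to many distinct destinations within a short time. The log line format (timestamp, source, destination, destination port), the 60-second window and the 20-target threshold are assumptions for this illustration; the sample log is constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def parse_line(line):
    """Assumed log format: '<ISO timestamp> <src> <dst> <dst_port>'."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_scanners(lines, port=445, window=timedelta(seconds=60), min_targets=20):
    """Return {source: max distinct destinations on `port` inside any
    `window`} for every source that reached `min_targets` or more.

    A client talking to a couple of file servers never gets near the
    threshold; a worm sweeping the subnet exceeds it within seconds."""
    by_src = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, p = parse_line(line)
        if p == port:
            by_src[src].append((ts, dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()   # destination -> hits currently inside the window
        start = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the left edge until every event is within `window` of ts.
            while ts - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(in_window))
    return flagged


def build_sample_log():
    """Constructed sample: 192.168.1.20 sweeps 30 hosts on 445/tcp in 30 s
    (worm-like), 192.168.1.21 talks to two file servers (normal), and
    192.168.1.22 makes unrelated 80/tcp requests."""
    base = datetime(2009, 1, 15, 9, 0, 0)
    lines = []
    for i in range(1, 31):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 192.168.1.20 192.168.1.{100 + i} 445")
    for i in range(10):
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{t.isoformat()} 192.168.1.21 192.168.1.{10 + i % 2} 445")
    for i in range(10):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 192.168.1.22 10.0.0.{i} 80")
    return lines


if __name__ == "__main__":
    for src, n in find_scanners(build_sample_log()).items():
        print(f"{src}: {n} distinct 445/tcp targets within 60 s; check for Downadup")
```

Run it against exported firewall or flow logs rather than the constructed sample; a host that is flagged and also cannot reach anti-virus or Windows Update sites (the two symptoms listed above) should be isolated from the LAN before it is cleaned.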

(3) Preventive Measures against Potential Damage

To prevent damage caused by this vulnerability (MS08-067) before it happens, we recommend the following measures.

(a) Resolving the Vulnerability

The fundamental and mandatory measure against potential damage is to resolve this vulnerability. If you are not sure whether it has already been resolved, run Windows Update to check whether any security patches remain unapplied; if so, apply them immediately. Some anti-virus software vendors also provide free online scans that check whether your computer has this vulnerability, which is helpful for checking your computer's current status.

(b) Using Anti-virus Software

Anti-virus software is effective for preventing damage caused by viruses. However, new viruses and variants emerge continually, so it is paramount to keep your anti-virus software up to date at all times. If it is not up to date, update it now.

(c) Using a Personal Firewall

A personal firewall blocks attacks (unauthorized access) from outside; it can also block unauthorized communication from inside the network (e.g., an infected computer communicating with external networks). This function is included in some integrated security suites that provide other functions in addition to anti-virus. If your anti-virus software includes this blocking function, keep it up to date. If it does not, enable the Windows Firewall when using your computer. Note, however, that the firewall built into Windows XP does not block unauthorized outbound communication, so a product that blocks unauthorized communication sent to the outside is also needed. It is most important to recognize that once even a single computer on a LAN is infected by a virus, the infection can spread through the entire LAN of that business/organization in a short period of time.

(d) Measures against Infection via USB Memory

Be cautious when using USB memory, to prevent virus infection before it happens.

- Do not connect USB memory that you do not manage, or whose owner is unknown, to your computer.
- Do not connect your USB memory to a computer that you do not manage, or to a computer used by unspecified people.

(4) How to Recover Your Computer when Infected by a Virus

Once your computer is infected, the system configuration altered by the virus is not automatically restored even if the virus is completely removed. If the computer still malfunctions, use “System Restore”, a standard Windows function. If the same symptoms remain, or System Restore fails, the last resort is to initialize your computer.

(a) Recovery by the “System Restore” Function

Windows XP and Vista provide “System Restore”, which restores the system configuration to an earlier state in which the computer worked properly, for use when the computer behaves unstably or is otherwise troublesome. It is a standard Windows function that restores the system using system information that Windows automatically saves at selected points in time. For how to run System Restore, refer to Microsoft's documentation.

Note that any application software you installed or updated between the restore point automatically selected by Windows and today must be reinstalled or updated again, because the information relevant to that software will be lost.

(b) Initializing Your Computer

Initialization restores your computer to the state it was in when purchased. Since the procedure differs slightly depending on the computer, check the instruction manual that came with your computer.

Before initializing, be sure to back up important data to virus-free external media such as USB memory, CD-R, or an external HDD. Also scan the backed-up data for viruses before restoring it to the initialized computer.

II. Reporting Status for Computer Viruses (for further details, please refer to Attachment 1)

The detection number(*1) of viruses in January was about 159T (December ’08: about 173T), a decrease of about 8.0%. The reported number(*2) of viruses in January was 1,860 (December ’08: 1,795), an increase of about 3.6%.

*1 Detection Number: cumulative count of viruses found, as reported by filers.

*2 Reported Number: aggregated count of reports: viruses of the same type (including variants) reported by the same filer on the same day are counted as one case, regardless of how many individual viruses were actually found. In January, the reported number was 1,860 and the detection number was about 159T. (Since the May ’08 report, we use “T (thousand)” instead of “M (million)” to present the detection number.)

The virus with the highest detection number was W32/Netsky, with about 137T, followed by W32/Mytob with about 5T and W32/Downad with about 5T.

Chart 2-1

Note: Numbers in parenthesis show the number in previous month (December).

Chart 2-2

Note: Numbers in parenthesis show the number in previous month (December).

III. Reporting Status of Unauthorized Computer Access (including Consultations) (for further details, please refer to Attachment 2)

Reports of unauthorized computer access and status of consultations
                               Jul.   Aug.   Sep.   Nov.   Dec.   Jan.'09
Total Reported (a)               19     15     14     18     10     10
  Damaged (b)                    18     10     12     12      7      7
  Not Damaged (c)                 1      5      2      6      3      3
Total Consultations (d)          49     25     38     39     38     29
  Damaged (e)                    26     13     20     19     19     13
  Not Damaged (f)                23     12     18     20     19     16
Grand Total (a + d)              68     40     52     57     48     39
  Damaged (b + e)                44     23     32     31     26     20
  Not Damaged (c + f)            24     17     20     26     22     19

(Month labels are reproduced as published. The January totals for Damaged (b + e) and Not Damaged (c + f) are given here as 20 and 19, the sums of the component rows (7 + 13 and 3 + 16).)

(1) Reporting Status for Unauthorized Computer Access

The number of reports in January was 10, of which 7 involved actual damage.

(2) Status of Consultations relevant to Unauthorized Access

The number of consultations relevant to unauthorized computer access was 29 (3 of which were also counted as reports), of which 13 involved actual damage.

(3) Status of Damage

The damage reports included 3 intrusions, 1 DoS attack, 1 case of source address spoofing, and 2 other cases with damage.

The major damage caused by intrusions was: data in a database altered by SQL injection attacks in 2 cases, and a system damaged by an OS command injection attack in 1 case. In all 3 cases the cause of intrusion was exploitation of a vulnerability in the server.

*SQL (Structured Query Language): the query language used to define and manipulate data in a relational database management system (RDBMS).

*SQL Injection: an attack method that exploits a vulnerability in a program that accesses a database, in order to read and/or alter data in that database by means other than the legitimate ones.

(4) Damage Instances:

[Intrusion]

(i) Server intruded via an OS command injection attack…
<Instance>
  • While checking the report mail from cron*, I noticed that something other than logs had arrived.
  • I investigated and found that a malicious command added to the cron configuration file was producing an error when executed.
  • Further investigation revealed a vulnerability in the Wiki* system, through which an OS command injection attack had been carried out: as a result, some log files had been deleted and a backdoor had been planted. Worse, major commands had been replaced by a rootkit so that the intruder's presence was concealed.
  • Although a firewall and a file-alteration detection system were in place, they were not effective against this attack.

*cron: a UNIX daemon (program) that automatically executes configured commands on a predefined schedule.

*Wiki: a system that allows content on a web server to be edited via a web browser.
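As an added example (not code from the report or from the Wiki product involved), the following Python snippet shows the shape of the flaw behind instance (i): a hypothetical wiki helper that shells out with a user-supplied page name, first as written vulnerably and then hardened with an allowlist and a shell-free call. It also includes a small check of the kind that caught this intrusion, comparing crontab entries against the administrator's known set. It uses `echo` so it runs anywhere; the page-name rules, the sample crontab and the path `/tmp/.x/update` are assumptions.

```python
import re
import subprocess

# Allowlist for wiki page names: letters, digits, underscore, hyphen only.
PAGE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def is_valid_page_name(page):
    return bool(PAGE_NAME.match(page))


def render_vulnerable(page):
    """Vulnerable: the page name is concatenated into a shell command line,
    so shell metacharacters in it (';', '|', '`', '$(') are interpreted by
    /bin/sh and can start a second, attacker-chosen command."""
    result = subprocess.run("echo rendering " + page, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def render_no_shell(page):
    """Better: argv list, no shell. Metacharacters are passed literally to
    the program, so they cannot start a second command."""
    result = subprocess.run(["echo", "rendering", page],
                            capture_output=True, text=True)
    return result.stdout


def render_hardened(page):
    """Best: reject anything outside the allowlist before it reaches any
    command at all, then call without a shell."""
    if not is_valid_page_name(page):
        raise ValueError("invalid page name: %r" % page)
    return render_no_shell(page)


def unexpected_cron_commands(crontab_text, known_commands):
    """Return commands in a crontab that are not in the administrator's
    known set. Assumes five time fields per entry (no @reboot-style
    shortcuts); VAR=value lines and comments are skipped."""
    suspicious = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        fields = line.split(None, 5)
        if len(fields) == 6 and fields[5] not in known_commands:
            suspicious.append(fields[5])
    return suspicious


# Constructed sample crontab: one legitimate backup job and one planted entry.
SAMPLE_CRONTAB = """\
# constructed sample crontab
MAILTO=admin@example.invalid
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * /tmp/.x/update >/dev/null 2>&1
"""
KNOWN_COMMANDS = {"/usr/local/bin/backup.sh"}


if __name__ == "__main__":
    payload = "Home; echo INJECTED"
    print(render_vulnerable(payload), end="")   # second line 'INJECTED' appears
    print(render_no_shell(payload), end="")     # payload echoed literally
    print(unexpected_cron_commands(SAMPLE_CRONTAB, KNOWN_COMMANDS))
```

The cron check is only useful before a rootkit replaces the tools it relies on; once system binaries are suspect, as in the instance above, the comparison has to be done from a clean boot medium.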

 

(ii) Website became hard to browse because of a mass SQL injection attack…
<Instance>
  • I investigated after noticing a failure on the public web server: according to the logs, the server had received mass unauthorized access attempts (SQL injection attack).
  • Fortunately, the anti-SQL-injection measures in place worked and no damage such as intrusion or data alteration was found; however, the ratio of the attack attempts to all accesses reached about 75% at its peak (usually less than 1%), so the web server was heavily loaded and the website became hard to browse.
  • The situation did not improve even after the attack source IP addresses were filtered by the firewall on the server.
  • Since the server was shut down for the weekend anyway, the attack attempts (SQL injection) had completely ceased by the following Monday morning.
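As an added example (not code from the report or from the site concerned), the following Python snippet shows, with an in-memory SQLite table standing in for the site's database, why the "anti-SQL-injection measures" mattered: the same update written with string formatting rewrites every row when the title carries a quote, while the parameterized form leaves the data alone. It also computes the attack share from web-server log lines, the figure the reporter used. The table, the crude signature list and the Apache-style sample log are constructed assumptions.

```python
import re
import sqlite3
from urllib.parse import unquote


def make_db():
    """Constructed in-memory table standing in for the site's database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE pages (title TEXT PRIMARY KEY, body TEXT)")
    con.executemany("INSERT INTO pages VALUES (?, ?)",
                    [("About", "about us"), ("Home", "welcome")])
    con.commit()
    return con


def update_vulnerable(con, title, body):
    """Vulnerable: values are pasted into the SQL text, so a quote in the
    title rewrites the WHERE clause and the update hits every row."""
    con.execute("UPDATE pages SET body = '%s' WHERE title = '%s'" % (body, title))
    con.commit()


def update_safe(con, title, body):
    """Safe: bound parameters; the driver never lets the title become SQL."""
    con.execute("UPDATE pages SET body = ? WHERE title = ?", (body, title))
    con.commit()


def bodies(con):
    return dict(con.execute("SELECT title, body FROM pages ORDER BY title"))


def compare_updates(title, body):
    """Run the same title/body through both functions on fresh copies of the
    table and return (rows after vulnerable update, rows after safe update)."""
    vuln = make_db()
    update_vulnerable(vuln, title, body)
    safe = make_db()
    update_safe(safe, title, body)
    return bodies(vuln), bodies(safe)


# Crude signatures for quote-based tautologies and for the DECLARE/CAST/EXEC
# strings typical of 2008-era mass injection tools. Assumption: enough for
# triage from logs, not a substitute for parameterized queries.
SQLI = re.compile(
    r"'\s*(or|and)\s*'|union\s+select|declare\s+@|cast\s*\(|exec\s*\(",
    re.IGNORECASE)


def attack_ratio(log_lines):
    """Share of requests whose URL-decoded request target matches SQLI."""
    total = hits = 0
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if not m:
            continue
        total += 1
        if SQLI.search(unquote(m.group(1))):
            hits += 1
    return hits / total if total else 0.0


# Constructed Apache-style access log: one normal request and three
# injection attempts, so the ratio is 0.75, the peak figure in the case above.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [12/Jan/2009:10:00:01 +0900] "GET /news.asp?id=12 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Jan/2009:10:00:02 +0900] "GET /news.asp?id=12;DECLARE%20@S%20VARCHAR(4000);EXEC(@S) HTTP/1.1" 500 0',
    '198.51.100.7 - - [12/Jan/2009:10:00:03 +0900] "GET /news.asp?id=12%27%20OR%20%271%27=%271 HTTP/1.1" 200 5120',
    '198.51.100.8 - - [12/Jan/2009:10:00:04 +0900] "GET /list.asp?cat=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 0',
]


if __name__ == "__main__":
    print(compare_updates("Home' OR '1'='1", "pwned"))
    print("attack share: %.0f%%" % (100 * attack_ratio(SAMPLE_ACCESS_LOG)))
```

Parameterization stops the data alteration but, as the instance shows, not the load: the ratio function is the kind of metric worth alerting on so that rate limiting or upstream filtering can be applied before the server becomes unusable.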

IV. Status of Consultations

The total number of consultations in January was 960. Of these, 249 were about “One-click Billing Fraud” (December: 194), 11 about “hard selling of fake anti-virus software” (December: 13), and 8 about “Winny” (December: 6). (There were 0 consultations about “suspicious mail sent to specific organizations to collect specific information/data”.)

Chart 4-1: All Consultations Accepted by IPA over the Past 6 Months
                              Aug.   Sep.   Oct.   Nov.   Dec.   Jan.'09
Total                         1616   2165   1171    713    839    960
  Automatic Response System    994   1302    677    363    458    529
  Telephone                    548    755    441    288    331    390
  e-mail                        69     93     47     62     49     39
  Fax, Others                    5      4      6      0      1      2

*IPA provides consultation and advice on computer viruses and unauthorized computer access, as well as on other security issues in general.

Tel.: +81-3-5978-7509 (24-hour automatic response)
Fax: +81-3-5978-7518 (24-hour automatic response)

*“Automatic Response System”: number of responses given by the automatic response system
*“Telephone”: number of responses given by Security Center personnel
The total includes the consultation numbers shown in column (d) of the table in “III. Reporting Status of Unauthorized Computer Access”.

Chart 4-1: One-click Billing Fraud/Consultation Number


The major consultation instances are as follows.

(i) The computer showed a virus alert when I returned to my desk…?

Consultation:

This concerns the computer at my workplace. It showed a virus alert when I returned to my desk after being away for a while.
Virus name: Mal_otorun 1
Infected file: Autorun.inf
I do not think I did anything in particular on my computer.

Response:

Mal_otorun 1, the virus detected on your computer, spreads via USB memory. It can be assumed that someone used your computer with a USB memory that was already infected by a USB-memory-infecting virus, and that the anti-virus software installed on your computer caught it.
In this way, any computer can be infected when an infected USB memory is connected to it, even if the person who connects it has no malicious intent. Be sure to enable a password-protected screen saver so that other people cannot use your computer while you are away from your desk.
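As an added example (not code from the report), the following Python snippet does the check a practitioner would want for both the USB precautions in (3)(d) above and this consultation: inspect the Autorun.inf on a piece of removable media before trusting it, and report whether it makes Windows launch a program. The parser is deliberately tolerant, since worm-written files are often padded with junk lines that a strict INI parser rejects. Both sample files are constructed; the file name `hidden\update.exe` is an assumption, not a real indicator.

```python
LAUNCH_KEYS = {"open", "shellexecute"}


def parse_autorun(text):
    """Tolerant parser for the [autorun] section: key=value pairs with keys
    lower-cased; comments, junk lines and other sections are skipped."""
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def assess_autorun(text):
    """Return (verdict, findings). Any directive that makes Windows run a
    program when the media is inserted or opened is reported; an
    icon/label-only file is what a benign vendor drive normally carries."""
    entries = parse_autorun(text)
    findings = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            findings.append("%s launches %s" % (key, value))
    if findings and "action" in entries:
        # Worm-written files often set 'action' to mimic the normal
        # "Open folder to view files" prompt so the user clicks through.
        findings.append("AutoPlay prompt text set to %r" % entries["action"])
    return ("launches-program" if findings else "no-launch", findings)


# Constructed sample: what a vendor-shipped drive typically carries.
BENIGN_AUTORUN = """\
[autorun]
icon=vendor.ico
label=My USB Drive
"""

# Constructed sample (not a real malware file): odd casing, a launch
# directive in two forms, and a prompt text imitating Explorer's own.
SUSPICIOUS_AUTORUN = """\
[AutoRun]
; junk padding a strict parser would choke on
Open=hidden\\update.exe
shell\\open\\command=hidden\\update.exe
UseAutoPlay=1
action=Open folder to view files
"""


if __name__ == "__main__":
    for name, text in (("benign", BENIGN_AUTORUN), ("suspicious", SUSPICIOUS_AUTORUN)):
        verdict, findings = assess_autorun(text)
        print(name, verdict, findings)
```

A launch directive by itself is not proof of malware (some product installers use `open=`), but combined with a hidden directory or a file the owner does not recognise it is enough to keep the media unplugged, which is exactly what the precautions in (3)(d) ask for.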

(ii) Infected by viruses because I let my expired anti-virus software go unrenewed…?

Consultation:

I let my anti-virus software expire without renewing it. I knew the computer was warning me about the expiration, but I was too busy and left it for a while. Eventually, when I had time, I renewed the subscription, immediately updated the virus signatures and ran a manual virus scan: 42 viruses were found…

Response:

With your anti-virus software expired, newer viruses that keep emerging cannot be detected.
New viruses appear every day. To detect them, the latest virus signatures are mandatory, and to update your signatures your anti-virus software must be within its contract period. For your security, make sure your virus signatures are up to date and do not leave your anti-virus software expired!

V. Access Status Captured by Internet Monitoring (TALOT2) in January ’09

According to the Internet Monitoring System (TALOT2), the total number of unwanted (one-sided) accesses in January was 131,296 across the 10 monitoring points, and the gross number of sources* was 41,171. That is, 424 accesses from 132 source addresses per monitoring point per day.

*Gross number of sources:

the number of sources that accessed TALOT2. Accesses from the same source to the same monitoring point and port on the same day are counted as one source.

Since each TALOT2 monitoring environment is nearly identical to a general Internet connection environment, it can be considered that a similar amount of unwanted (one-sided) access arrives at a general Internet user's connection.

Chart 5-1: Unwanted (One-sided) Number of Accesses and Number of Sources per Monitoring Point per Day

Chart 5-1 shows the average unwanted (one-sided) number of accesses and the average number of sources per monitoring point per day from August 2008 to January 2009. Both increased in January compared with the previous month (December ’08).

Chart 5-2 compares the unwanted (one-sided) number of accesses by destination port in December 2008 and January 2009. Accesses to both port 445/tcp and port 135/tcp increased drastically in January. These ports are likely targets of attacks that exploit vulnerabilities in Windows. The increase in access to port 445/tcp is described further in the Internet Monitoring section (Attachment 3).

The cause of the increase in access to port 135/tcp has not yet been clarified; we must remain cautious and continue to watch it.
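As an added example (not IPA's TALOT2 code), the following Python snippet reproduces the aggregation behind Chart 1-1 and Charts 5-1/5-2: counting accesses, counting sources with the "same source, same point, same port, same day counts once" rule defined above, averaging per monitoring point per day, and comparing per-port counts between two months to surface jumps like the ones on 445/tcp and 135/tcp. The record format (day, monitoring point, source address, destination port) and the two tiny sample months are constructed; the only figures taken from the report are the January totals used to check the averaging.

```python
from collections import Counter


def parse_records(lines):
    """Assumed record format: 'YYYY-MM-DD point source_ip dst_port'."""
    for line in lines:
        if line.strip():
            day, point, src, port = line.split()
            yield day, point, src, int(port)


def summarize(lines):
    """Total accesses, gross number of sources (same source to the same
    point and port on the same day counted once), and accesses per port."""
    accesses = 0
    sources = set()
    by_port = Counter()
    for day, point, src, port in parse_records(lines):
        accesses += 1
        sources.add((day, point, port, src))
        by_port[port] += 1
    return {"accesses": accesses, "sources": len(sources), "by_port": dict(by_port)}


def per_point_per_day(total, points, days):
    """Average per monitoring point per day, as quoted in the report."""
    return total / (points * days)


def compare_by_port(prev, cur):
    """Port -> (previous count, current count, percent change or None when
    the port did not appear in the previous month)."""
    out = {}
    for port in sorted(set(prev) | set(cur)):
        p, c = prev.get(port, 0), cur.get(port, 0)
        out[port] = (p, c, (c - p) * 100.0 / p if p else None)
    return out


# Constructed samples: a few records for "December" and "January".
DEC_SAMPLE = [
    "2008-12-10 P01 198.51.100.1 445",
    "2008-12-10 P01 198.51.100.2 135",
    "2008-12-11 P02 198.51.100.1 445",
]
JAN_SAMPLE = [
    "2009-01-10 P01 203.0.113.1 445",
    "2009-01-10 P01 203.0.113.1 445",   # repeat: 2 accesses, 1 source
    "2009-01-10 P01 203.0.113.1 135",   # other port: counted as another source
    "2009-01-10 P02 203.0.113.2 445",
    "2009-01-11 P01 203.0.113.1 445",   # other day: counted as another source
    "2009-01-11 P01 203.0.113.3 80",
]


if __name__ == "__main__":
    dec, jan = summarize(DEC_SAMPLE), summarize(JAN_SAMPLE)
    print(jan)
    for port, (p, c, pct) in compare_by_port(dec["by_port"], jan["by_port"]).items():
        change = "new" if pct is None else "%+.0f%%" % pct
        print("port %d: %d -> %d (%s)" % (port, p, c, change))
    # Report figures: 131,296 accesses, 10 points, 31 days -> 424 per point per day
    print(round(per_point_per_day(131296, 10, 31)))
```

The percent-change table is the practical output: a port whose count doubles month over month while it is also a known Windows attack surface (445/tcp, 135/tcp) is the signal the report is acting on, and the same comparison run week over week gives earlier warning.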

Chart 5-2: Comparison of Number of Accesses by Destination Port (Dec. ’08 vs. Jan. ’09)

Contact

IT Security Center, Information-technology Promotion Agency, Japan (IPA/ISEC)
Tel: +81-3-5978-7527
Fax: +81-3-5978-7518
E-mail: Please feel free to call at +81-3-5978-7517.