Font Size Change

HOMEIT SecurityIPA/ISEC in JAPAN:virus and UCA incident report for February2010

PRINT PAGE

IT Security

IPA/ISEC in JAPAN:virus and UCA incident report for February2010

March 15, 2010

IT Security Center
Information-technology Promotion Agency, Japan (IPA)

This is the summary of computer virus/unauthorized computer access incident reports for February, 2010 compiled by IPA.

I. Reminder for the Month:

”Be Sure to Manage Your ID and Password Adequately”

-As with your wallet-

Nowadays, monetary damages that caused by either ID or password or by both fraudulently used on online services are constantly reported via variety of media: herein IPA, such consultations are also rushed daily.  Relevant instances include that a simple password was assumed or may have been infected by virus by malicious intent: however, there is some instances for which cause has not yet been identified.

As you know, ID and password to be used for identity authentication are the crucial element upon using online services.  Accordingly, it is necessary to harden your password to be hardly analyzable by third person (i.e., malicious intent) and to manage it adequately.

Be sure to recognize that ID and password exclusively for online services are always targeted by someone who attempts to use them fraudulently and you are to manage them adequately.

(1)The Major Causes

As identified by the instances reported and consultation instances filed by IPA, following cases can be assumed as the major causes upon used online services:

  • Analyzed by malicious intent or by exhaustive search attack since simple password was configured
  • ID and password theft by virus infection
  • ID and password was stolen by phishing fraud (*1)
  • ID and password theft by social engineering (*2)

Chart1-1: ID and Password Theft Mechanism (Image)

Though the number of causes can be considered, but the most of them can be prevented with your due care.  Please review following items to manage your ID and password adequately.

(*1)phishing: One of fraudulent activities utilizing sophisticated e-mail technique, a user will be driven to a fake site (s) which masqueraded to be actual company/organization such as financial institution, credit card company, net auction, etc. thereby to steal (user’s) private information (i.e., password, etc.).

(*2)social engineering: The mean to obtain private information (i.e., password, etc.) without utilizing network/computer relevant technologies, but exploiting user’s psychology and/or socially-accepted idea (by sniffing confidential information from CD/DVD disposed, by spoofing to be an employee or an involved party (ies) to eavesdrop important information, etc.).

(2)The Pitfall in Password Authentication

The identity authentication with ID and password is not a comprehensive mechanism and has potential risk to be analyzed.  For example, if ID will be given in sequentially or the part of your e-mail address is used as your ID as it is, your ID may be known by a third person (i.e., malicious intent) easily: in that case, attacker can simply find out the password to be corresponded with by dictionary/exhaustive search attack, etc.  In case the password is configured only by physical numbers or the password is insufficiently managed, it is highly probable that your password will easily be broken (i.e., your password will easily authenticate the third person).

In the next section, we will describe important notes when you create your password and how you can securely operate/manage them.

(3)The Countermeasures

In this section, we will describe the countermeasures against those listed in the above (1) as the causes for fraudulent use.

When you create/configure your password, be sure not to use names (i.e., unique nouns, etc.), the words easily find out in a dictionary and to combine/use more than 8 alphabets (upper case letters, lower case letters), numbers and symbols as possible as you can.  It is possible that your password will be broken by dictionary attack (*3) in case you simply used the word (s) in a dictionary as it is.

(*3)dictionary attack: One of the attacking methods to be used to identify password or to analyze cipher, attempting all the words in a dictionary from the very beginning to its end thereby.

For your further security, be sure to be cautious not only how to create your password, but also how to operate/manage your password securely by referring the rules described below.

Do not use same password for different purposes.  Be sure to change your password routinely.

If you use same password for different online services, the potential risk will be enlarged in case your password is stolen.  To prevent enlarging damages to several online services, be sure to configure different passwords respectively.

Though you use hardly breakable password (s), potential risk will be increased if you leave not to change it for a long time.  Be sure to change your password routinely (i.e., by monthly, etc.).

Do not enter your password in the computer in public places such as an Internet café, etc. which cannot be managed by your own and to be used by unspecified majority of users

Even hardly breakable password is configured, your password will easily be stolen if the virus which steals information (i.e., password, etc.) was trapped in that computer.  Accordingly, be sure to refrain from using online services with the computers publicly available that require your ID and password.

There is the virus which monitors user’s login activities and steals his/her ID and password for the specific services such as online banking and online games, etc.  In the browser such as the Internet Explorer, etc. has such function which stores your ID and password, but the virus which steals information being stored is also identified.

To prevent your information stolen by such virus infected to your computer, be sure to install <legitimate> anti-virus software and to maintain its signature file always up-to-dated.  To lessen such risk that your password will be stolen, be sure not to store your password in a browser.

Phishing fraud and social engineering are the fraudulent methods to fool a user to obtain his/her ID and password.  Password is used for personal identification based on the knowledge that the identical person him/herself only knows his/her password.  Accordingly, you will not be asked your password by online service provider (s) and/or your system administrator (s).  When inquired “Please e-mail me of your password as system requires it to recover from troubles.” by someone, never, ever tell your password to the other person even his/her excuse sounds like reasonable.

  • How to create hardly breakable password:
  • Install anti-virus software to prevent virus infection:
  • Do not be fooled by phishing fraud and/or social engineering:

(4)Leveraging the Services Provided by Online Service Provider (s)

You may be able to use the other measures against ID/password fraudulent use described in the (3) above provided by online service providers.  Leveraging such services will ensure you further secured online services.

Depending on the service (s) you are using, of some may be able to provide you login history upon you are login.  In case you can recognize that there is (are) some logins other than you in earlier, you may be able to block enlarging damage (s).  Be sure to communicate with the consultation window for an online service (s) and to request to stop the use of your account in case you find suspicious logins when you check your login history routinely.

Some online service may provide such function which alert user fraudulent login via e-mail upon he/she logged in.  If alerted when someone other than you is logged in, you are able to recognize fraudulent login earlier and to prevent potential damage (s).

Some online banking may provide “one-time password” service which will issue its user the password only valid for his/her single use.  Since the password is valid for “one-time only”, even the computer is infected by the virus which steals ID and password, the user won’t be necessarily afraid of.  Even stolen, there will be none of subsequent risks/damages.

  • Login history is served, be sure to check that someone other than you is not logged in:
  • Utilizing the service (s) which automatically alerts user fraudulent login:
  • Utilizing one-time password service:

(5)In Case You are Get Damaged…

As described above, countermeasures for ID/password fraudulent use require certain time and efforts; though single countermeasure may be of help; be sure to conduct all of them to prevent from enlarging damages effectively.

For your information, though you thoroughly conduct the countermeasures above mentioned, the potential risks by unanticipated causes cannot be perfectly resolved: there may be some issues in online service provider (s) and information will be leaked thereby.  In some online services, there provides the function which facilitates the procedures required by online settlement by maintaining user’s credit card information; it directly leads monetary damages if ID and password are stolen/used fraudulently.

What if you get damaged; for example, there appeared some online services which you do not know is charged in your credit card statement which you’d signed up for some online services, etc.; we recommend you to claim the facts to your credit card company and online service provider (s) immediately that your card may have been fraudulently used by someone and to require them to take necessary actions against it.  It is also helpful to ask consultation with the National Consumer Affairs Center of Japan near your area.

<Reference>

II. Reporting Status of Computer Virus – further details, please refer to the Attachment 1 –

(1)Reporting Status of Virus

The detection number of virus(*1) in February was about 55T: decreased about 23.8% from about 72T in January.  However, the reported number of virus(*2) in February was 1,436: 24.4% increased from 1,154 in January.

*1 Detection Number: virus counts (cumulative) found by a filer.

*2 Aggregated virus counts.  Viruses of same type and their variants reported on the same day are counted as one case number regardless how many viruses or the actual number of viruses is found by the same filer on the same day.  In February, the reported number was 1,436 and the aggregated virus count was about 55T.

The worst detection number was for W32/Netsky with about 37T; W32/Numu with about 7T and W32/Mydoom with about 5T subsequently followed.

Chart2-1

Chart 2-1: Detection Number of Virus

Note: Numbers in parenthesis are for the previous month

Chart2-2

Chart 2-2: Reported Number of Virus

Note: Numbers in parenthesis are for the previous month

(2)Detection Status for the Falsified Program

According to the detection number for “Falsified Security Measures Software” type of virus (FAKEAV), the number was tending to decrease since middle of November 2009; however it was again rapidly increasing since end of January 2010 (See the Chart 2-3).  Since we cannot foresee when and how the number of such fraudulent program will drastically be increased, you are to pay attention to the attachment file (s) to e-mail continually.

For your information, The Cyber Clean Center (CCC) provides anti-bot measures as well as its removal tools online.  Accordingly, be sure not to be a part of victimizer who distributes fraudulent program while you do not know: to that end, it is important to conduct infection preventive measures thoroughly.  Checking with or without bot in your computer routinely, try not to download/install the program if you feel somewhat suspicious or you do not know (i.e., fraudulent program), etc. are the effective anti-bot measures.

<Reference>

Chart2-3

Chart 2-3: Detection Number of Falsified Program by Week

III. Reporting Status of Unauthorized Computer Access (includes Consultations) –Please refer to the Attachment 2 for further details–

Chart 3-1: Reported Number for unauthorized computer access and the status of consultation
  Sep. Oct. Nov. Dec. Jan.‘10 Feb.
Total for Reported (a) 11 21 11 9 20 27
  Damaged (b) 8 14 6 6 12

17

Not Damaged (c) 3 7 5 3 8

10

Total for Consultation (d) 44 34 34 22 67 47
  Damaged (e) 13 11 14 14 34 28
Not Damaged (f) 31 23 20 8 33 19
Grand Total (a + d) 55 55 45 31 87 74
  Damaged (b + e) 21 25 20 20 46 45
Not Damaged (c + f) 34 30 25 11 41 29

(1)Reporting Status for Unauthorized Computer Access

Reported number in February was 27: Of 17 was the number actually damaged.

(2)Accepting Status for Consultation relevant to Unauthorized Access

The consultation number relevant to unauthorized computer access was 47 (of 11 were also counted as reported number): Of 28 was the number actually damaged.

(3) Status of Damage

The breakdown of the damage reports included: intrusion with 6, DoS attack with 2, masquerading with 7 and embedding of malicious program with 2.

The actual damage relevant to “intrusion” were: insertion of evil codes on web pages with 3, locating fraudulent program within web servers that can attack/probe the other site (s) with 2, stolen of private information such as credit card information, etc. stored within web server by SQL * injection ** attack with 1.  The cause has not yet been specifically identified, but the one can be assumed by “Gumblar” mechanism with 3, the one supposed to be insufficient ID/password management with 2 and the one exploited vulnerability in web application with 1.

The actual damage relevant to “masquerading” included: online services (online game with 3, blog site with 2, etc.) were fraudulently used by someone who masqueraded to be the legitimate user logged in to the site.

* SQL (Structured Query Language): One of query language to operate/define data in relational database management system (RDBMS).

** SQL injection: One of attacking methodologies to browse/alter data within a database with the ways other than legitimate by exploiting failure (i.e., vulnerability) in the program which accesses to database.

(4) Damage Instance:

[Intrusion]

(i)Once recovered from the damage caused by “Gumblar”, but again damaged…
    <Instance>
  • –“When I browsed your website, some virus was detected.” so communicated by one of our clients.
  • –The cause (s) was studied: it was realized that there embedded some evil scripts that can drive the user who browsed the site to malicious site (s).  It seemed to be caused by “Gumblar”.
  • –Accordingly, we changed the password for ftp account and deleted entire data on our website.  Then uploaded/recovered virus-free data on our hand.
  • –However, several days later, we again communicated from one of our clients with exactly the same matter we had in another day so that we had to close our website again.
  • –Even now, we cannot identify the source terminal that directly caused “Gumblar”.
(ii)My credit card information, etc. was stolen by SQL injection attack…
<Instance>
  • –I am running an online shopping site.  One day, I was pointed out about the potentiality of information leakage relevant to card information so that I requested security provider to study the facts.
  • –As its results, it is identified that more than 10 thousands of my clients’ card information stored in my server was seized by SQL injection attack.
  • –I DO conduct the countermeasures against SQL injection attack, but the measures were insufficient.

IV. Accepting Status of Consultation

The gross number of consultation in February was 1,789. Of the consultation relevant to One-click Billing Fraud” was 637 (January: 638).  The consultation relevant to “Hard selling of falsified anti-virus software” with 26 (January: 37), the consultation relevant to “Winny” with 1 (January: 1), the consultation relevant to “the suspicious mail sent to specific organization to collect specific information/data” with 0 (January: 0), etc.

Table 4-1: All the Consultation Number Accepted by IPA over the Past 6 Months
  Sep.‘09 Oct. Nov. Dec. Jan.'10 Feb.
Total 1,653 2,049 2,315 1,794 2,150 1,789
  Automatic Response System 915 1,157 1,340 1,138 1,160 977
Telephone 676 843 918 602 910 736
e-mail 60 45 53 52 78 70
Fax, Others 2 4 4 2 2 6

*IPA consults/advises for computer viruses/unauthorized computer accesses as well as the other information concerning overall security issues

mail_address
Tel.: +81-3-5978-7509 (24-hour automatic response)
Fax: +81-3-5978-7518 (24-hour automatic response)

 

*”Automatic Response System”:    Responding numbers by automatic response
*“Telephone”:      Responding numbers by the Security Center personnel
*The Total case number includes the number in Consultation (d) column of the Chart in the “III. Reported Status for Unauthorized Computer Access” and “IV. Accepting Status of Consultation”.

Chart 4-1

Chart 4-1: One-click Billing Fraud/Consultation


The major consultation instances are as follows.

(i) Inserted an USB memory picked up on my way back home to my computer …?

Consultation:

I picked up an USB memory when I was on my way back home.  I inserted it to my computer, but I could not see any of its contents.  Though my computer still works as usual, I am worry what if it has been infected by virus.  I used anti-virus software, but I didn’t update my signature file in it.  Couple of days later, I filed the USB memory to the police station near my area.

Response:

In case the USB memory was previously infected by “USB memory infection” type of virus, your computer may be infected by virus simply you inserted it.  Though none of symptom can be viewed, the USB memory may have been infected by virus previously, so you’d better to initialize your computer for your further security.

To prevent from virus infection, be sure to comply with the following rules as the fundamental anti-virus measures from now on:
1)Your anti-virus software shall always be up-to-dated, and
2)Never, ever insert such file (USB memory, in this case) for which source is unknown to your computer.
<Reference>

(ii) My computer was infected by virus …?  I am using a file sharing software.

I used to download music data using the file sharing software named Cabos.  One day, when I started up my computer, the software so called “Control Center” was automatically launched.  It seemed that the software warned me something in English.  It could be read “Your computer is infected by virus.  To remove them, you need to download/install paid-for anti-virus software.” Then the software urged me to enter my credit card number one-sidedly.
*We had accepted 3 similar cases reported by Cabos users.

Response:

The “Control Center” is actually a “falsified security measures software” type of virus.  Once infected, it interferes any of recovery activities (by human users and/or by security software) so that the last resort has to initialize your computer.

It is probable that there embedded some virus in the files downloaded by Cabos.  Since Cabos can download most of the files for which source is unknown, you’d better not to use file sharing software such as Cabos as possible as you can – there may be included some virus covertly which may cause you significant damage.

V. Accessing Status Captured by the Internet Monitoring (TALOT2) in February

According to the Internet Monitoring (TALOT2), the total of unwanted (one-sided) number of access in February was 121,167 for the 10 monitoring points and the gross number of source* was 49,130.  That is, the number of access was 505 from 205 source addresses/monitoring point/day.

 

*Gross number of source:Gross number of source refers the total of source number of access summed-up to the respective monitoring points in TALOT2.


Since each monitoring environment for the TALOT2 is nearly equal to the general connection environment used by the Internet; it can be considered that the same amount of unwanted (one-sided) access can be monitored for the general Internet users’ connection environment.

* Since system maintenance periods were fallen on February 5 to 8, the statistic information for monitoring points for February was aggregated by eliminating these 4 days. Generally, the TALOT2 system is fully operated.

Chart 5-1

Chart 5-1: Unwanted (One-sided) Number of Access and Source Number of Access/Monitoring Point/Day in Average

The Chart 5-1 shows the unwanted (one-sided) number of access and source number of access/monitoring point/day in average from September 2009 to February 2010.  Both unwanted (one-sided) number of accesses were significantly decreased from the one in January.

The Chart 5-2 shows the comparison in the number of access classified by destination (by port) in January and February.  According to this chart, the access to the port 445/tcp decreased about 58% of the one in January and decreased entire number of access as its consequence.

Looking back to review the number of access to the port 445/tcp more specific, the accessing tendency in respective monitoring points was turned to be differed upon their IP addresses were newly allocated after the system was recovered from its maintenance period, from February 5 to 8.  Since the number of access to the port 445/tcp in respective monitoring points were tended to decreasing, thus the entire number of access to the port 445/tcp was drastically decreased.  For your further reference, the Chart 5-3 shows the shift in number of access to the port 445/tcp in single monitoring point for which ups and downs were relatively remarkable.

Chart 5-2

Chart 5-2: Comparison in Number of Access Classified by Destination (by Port)January: February

 

Chart 5-3

Chart 5-3: The Shift in Number of Access to the Port 445/tcp (Single Monitoring Point)

For further information, please also refer to the following URLs.

Variety of statistical Information provided by the other organizations/vendors is available in the following sites.

Contact

IT Security Center, Information-technology Promotion Agency, Japan (IPA/ISEC)
Tel:+81-3-5978-7527
Fax:+81-3-5978-7518
E-mail: