IPA/ISEC in JAPAN: virus and UCA incident report for March 2010

April 20, 2010

IT Security Center
Information-technology Promotion Agency, Japan (IPA)

This is the summary of the computer virus and unauthorized computer access incident reports for March 2010, compiled by the Information-technology Promotion Agency, Japan (IPA).

I. Reminder for the Month:

"Review how your Website is managed!"

- Damages caused by Gumblar are still prevalent -

There are still a number of cases of Website defacement caused by Gumblar, and IPA continues to receive related reports and inquiries such as "When I visited a Website, a warning message was displayed indicating that a computer virus had been detected" or "My company's Website was defaced by a third party, which I learned from a client". At the same time, the defacement techniques used by attackers vary widely, making it difficult for enterprises to verify accurately whether their Website has been defaced. For this reason, implementing countermeasures against Website defacement is becoming more and more important.

Website administrators should review how their Websites are managed and implement appropriate site management to prevent them from being defaced.

(1)Mechanism of "Gumblar" and Recent Case Examples of Website Defacement

"Gumblar" does not refer to a specific computer virus but a set of tactics employed by attackers to transmit a variety of computer viruses to a large number of PCs.

For more details on the mechanism of Gumblar, please refer to the February 2010 issue on IPA’s Website.

Case examples of Website defacement reported recently to IPA are as follows:

【Case1】

What was consulted: After correcting the defaced parts pointed out by an external party, I accessed that Website again for confirmation; however, the same warning message was displayed, indicating that a computer virus had been detected.
Commentary: When we checked the Website, we found no problem in the HTML file(*1), but the JavaScript file(*2) called by the HTML file had been compromised.

【Case2】

What was consulted: When I visited a Website using my own PC, a warning message was displayed, indicating that a computer virus had been detected. But when I visited the same Website using another PC with other antivirus software installed, no virus was detected.
Commentary: When we checked the Website, we found that some parts had been defaced. So we checked the HTML file on that page using antivirus products from several companies. At that time, the virus in question was detected by only a few of those products; later, when we went through the same verification process, it was detected by a larger number of them.

【Case3】

What was consulted: I was advised to check the HTML file for alteration, but I don't know how to identify the altered parts.
Commentary: In the past, we recommended a verification method in which suspicious files were checked for specific strings of characters such as "/*GNU GPL*/" or "/*LGPL*/". Nowadays, such distinguishing strings are rarely present in the files, so checking for them alone is impractical as a way of determining whether a file has been altered. In such cases, it is effective to verify the differences between the clean file (as it was before the alteration) and the corresponding file on the Web server.

(*1) HTML (HyperText Markup Language) file: A file written in HyperText Markup Language (HTML). HTML is a markup language used to create Web pages.

(*2) JavaScript file: A file written in JavaScript. JavaScript is a scripting language used to add behavioral and interactive features to Web pages.

In the case of Gumblar, attackers use a variety of tactics to infect Website visitors’ PCs with computer viruses, rendering traditional verification methods impractical. For this reason, Website administrators should manage their Websites in a more appropriate manner to protect against Website defacement by Gumblar.

(2)Recommended Website Management

This Section introduces a concrete managerial approach to protect against Website defacement.

▼Managerial Approach to Prevent Website Defacement

  • FTP(*3) passwords used for Website updates should have sufficient length and complexity. In addition, such passwords should be known only to those who update the Website.【Strengthening Passwords】
  • Review and tailor the network and server configurations so that Website updates can be performed only from within the organization. When updates must be performed via the Internet, use a VPN(*4) or another method to limit the locations from which such updates can be performed.【Access Control】
  • Use a dedicated PC for Website updates. To prevent damage caused by a computer virus: do not use this PC to browse Websites or open e-mail; keep its antivirus software up to date; and eliminate vulnerabilities as far as possible.【Using a dedicated PC for Website update】

(*3) FTP (File Transfer Protocol): A protocol used to transfer files over networks.

(*4) VPN (Virtual Private Network): A service/technology that provides a more secure LAN-to-LAN connection (or similar) over a public line instead of a dedicated line.

Figure 1-1: Image of Managerial Approach to Protect against Website Defacement

▼Managerial Approach to detect Website Defacement

The longer a Website remains defaced, the further the damage might spread. Detecting the defacement at an early stage helps prevent further damage. A managerial approach to detecting Website defacement as early as possible is as follows:

  • As shown in [Case 3] in (1), it has become difficult for administrators to determine the presence of Website defacement only by checking the content of HTML files. As an alternative, you can keep a clean copy of each file in advance and periodically compare it with the corresponding file on the Web server. By checking the differences between those files, you can determine whether the Website has been defaced. It is also effective to use software products that allow users to compare multiple files at once.
  • By checking the access logs of the FTP server used for Website updates, you can identify unauthorized access, including access you were not aware of.

As another alternative, you can use Website defacement detection services, which are subject to fees but enable early detection of such defacement. While Website administrators are responsible for checking their own Websites for defacement, they might also be notified of a defacement by site users. Considering this, it is recommended that they post a contact address (e.g., an e-mail address) on their Website.
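The clean-copy comparison described above, as an added example (not IPA's own tool): it hashes every file under a clean copy and under the copy fetched from the Web server, lists modified, added and removed files, and prints a unified diff of a modified file so the altered lines can be located (the situation of Case 1 and Case 3). The directory layout and file contents in demo() are constructed sample data.

```python
import difflib
import hashlib
import tempfile
from pathlib import Path

def file_digest(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map every file under root (HTML, JS, CSS, images...) to its digest, keyed by relative path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in root.rglob("*") if p.is_file()}

def compare_sites(clean_root, served_root):
    """Compare the clean copy with the copy fetched from the Web server.
    Returns sorted lists: (modified, added, removed)."""
    clean, served = snapshot(clean_root), snapshot(served_root)
    modified = sorted(p for p in clean if p in served and clean[p] != served[p])
    added = sorted(p for p in served if p not in clean)     # files that were never ours
    removed = sorted(p for p in clean if p not in served)
    return modified, added, removed

def altered_lines(clean_file, served_file):
    """Unified diff of one modified file, so the exact altered lines can be located."""
    a = Path(clean_file).read_text(encoding="utf-8", errors="replace").splitlines()
    b = Path(served_file).read_text(encoding="utf-8", errors="replace").splitlines()
    return list(difflib.unified_diff(a, b, "clean", "server", lineterm="", n=0))

def demo():
    """Constructed sample: the HTML is untouched but the JS it loads gained a line (cf. Case 1)."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, served = Path(tmp, "clean"), Path(tmp, "served")
        for root in (clean, served):
            (root / "js").mkdir(parents=True)
            (root / "index.html").write_text('<script src="js/app.js"></script>\n')
            (root / "js" / "app.js").write_text("function init() {}\n")
        # constructed alteration: one appended line in the script file, plus an unexpected file
        with open(served / "js" / "app.js", "a") as f:
            f.write("/* constructed: line that was not in the clean copy */\n")
        (served / "extra.html").write_text("constructed\n")
        modified, added, removed = compare_sites(clean, served)
        diff = altered_lines(clean / "js" / "app.js", served / "js" / "app.js")
        return modified, added, removed, diff

if __name__ == "__main__":
    for item in demo():
        print(item)
```

The clean copy must come from offline storage (or a trusted repository), not from the server itself, since a server-side copy could be altered along with the live files.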

(3)How to Respond to Incidents Involving Website Defacement

If a Website is defaced, its administrator is naturally a victim, but may also become a victimizer with respect to the site's users. Measures required to prevent further damage in such cases are as follows:

▼First Things to Do

The first thing to do is to suspend the Website's operation. At the same time, change the FTP password. This should be done from a PC other than the one used for Website management, as that PC might have been infected with a password-stealing virus.

It is also recommended that an alternative site be set up to provide information to users, including how the investigation is going, where to contact for inquiries etc.

▼Identifying the Parts Defaced

Once the above-mentioned measures have been implemented, compare the clean files with the corresponding files on the Web server; this identifies the parts that were defaced. Where multiple Websites are managed from the same PC, all of them should be subject to file comparison, as they might also have been defaced.

For each defaced part, check the FTP access logs to see how long the defacement lasted; then investigate further to determine the magnitude of the damage.
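The FTP log check described above, as an added example (not IPA's own tool): it parses log lines in the xferlog format used by common FTP servers, flags completed uploads from hosts outside the organization's own update PC (the access control from section (2)), and, for a defaced file, reports when the unauthorized upload occurred and when a known host next uploaded the file, i.e. how long the defacement lasted. The log lines, the host addresses and the allow-list are constructed sample data.

```python
from datetime import datetime

# Constructed xferlog-style lines (wu-ftpd/vsftpd/proftpd layout): the organization's own
# PC at 192.0.2.10 publishes the site; 198.51.100.77 is an address unknown to the administrator.
SAMPLE_XFERLOG = """\
Mon Mar  1 09:12:03 2010 1 192.0.2.10 5120 /var/www/index.html a _ i r webadmin ftp 0 * c
Wed Mar  3 02:41:55 2010 1 198.51.100.77 2210 /var/www/js/app.js a _ i r webadmin ftp 0 * c
Wed Mar  3 02:42:10 2010 1 198.51.100.77 845 /var/www/index.html a _ i r webadmin ftp 0 * c
Sat Mar  6 10:05:40 2010 1 192.0.2.10 5120 /var/www/index.html a _ i r webadmin ftp 0 * c
"""
KNOWN_HOSTS = {"192.0.2.10"}   # constructed: addresses from which updates are legitimately made

def parse_xferlog(text):
    """Split each xferlog line into the fields we need. Assumes file names contain no spaces."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 18:          # malformed or truncated line: skip rather than guess
            continue
        records.append({
            "time": datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y"),
            "host": f[6], "path": f[8],
            "direction": f[11],  # 'i' = incoming (upload to the server), 'o' = download
            "user": f[13], "status": f[17],  # 'c' = transfer completed
        })
    return records

def unknown_uploads(records, known_hosts):
    """Completed uploads from hosts that are not on the allow-list."""
    return [r for r in records
            if r["direction"] == "i" and r["status"] == "c" and r["host"] not in known_hosts]

def defacement_window(records, known_hosts, path):
    """For one file: (time of the first unknown-host upload, time a known host next
    uploaded it, or None if it was not restored in the log). None if never touched."""
    starts = [r["time"] for r in unknown_uploads(records, known_hosts) if r["path"] == path]
    if not starts:
        return None
    start = min(starts)
    restores = [r["time"] for r in records
                if r["path"] == path and r["direction"] == "i" and r["status"] == "c"
                and r["host"] in known_hosts and r["time"] > start]
    return start, (min(restores) if restores else None)

if __name__ == "__main__":
    recs = parse_xferlog(SAMPLE_XFERLOG)
    for r in unknown_uploads(recs, KNOWN_HOSTS):
        print("unknown host upload:", r["time"], r["host"], r["user"], r["path"])
    print(defacement_window(recs, KNOWN_HOSTS, "/var/www/index.html"))
```

An upload from the usual PC's address can still be malicious if that PC is infected, which is why the report says to change the password from a different PC; the host allow-list is a starting point, not proof of legitimacy.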

▼When Reopening the Website

Once the above-mentioned measures have been implemented and all of the defaced parts have been restored, you may choose to reopen the Website. In that case, it is recommended that a notice be posted on the Website describing the unauthorized alteration. Recommended items (where identified) to include in this notice are as follows:

  • Description of the alteration
  • Parts altered
  • How long the alteration lasted
  • Potential damages to those accessing the altered parts (e.g., be infected with a computer virus)
  • How to check for the computer virus (including the references to online scan sites, as necessary)
  • Where to contact

Free online virus-check sites provided by security organizations and enterprises are as follows:

Should you suffer from Website defacement, please contact IPA. The submitted information, excluding all personal and organizational identifiers, becomes subject to our analysis and statistics, the results of which are presented along with countermeasures.

II. Reporting Status of Computer Virus – for further details, please refer to Attachment 1 –

(1)Reporting Status of Virus

While the virus detection count(*1) in March was about 58,000, up 5.9 percent from about 55,000 in February, the virus report count(*2) in March was 1,484, up 3.3 percent from 1,436 in February.

*1 Detection count: the number of viruses (cumulative) found by a filer.

*2 Report count: aggregated virus counts. Viruses of the same type, including their variants, reported by the same filer on the same day are counted as one case, regardless of how many viruses were actually found.

*In March, the virus report count, which was obtained by consolidating about 58,000 virus detection reports, was 1,484.

W32/Netsky marked the highest detection count at about 39,000, followed by W32/Mumu at about 8,000 and W32/Mydoom at about 5,000.

Figure 2-1: Virus Detection Count

Figure 2-2: Virus Report Count

(2)Malicious Programs Detected

In February 2010, we saw an increase in the detection count for FAKEAV – a type of computer virus called "counterfeit security software" – but the number dropped in March (see Figure 2-3). This sort of malicious program can be distributed as an attachment to an e-mail sent from a Bot-infected PC, and it is not known when or how it might increase rapidly again. For this reason, continuous attention should be paid to the handling of e-mail attachments.

Cyber Clean Center (CCC) provides anti-Bot measures as well as online Bot-removal tools. To avoid taking part in the e-mail distribution of malicious programs, check your PC for Bot infection, and then implement infection-prevention measures, including blocking the entry of malicious programs.

Figure 2-3: Changes in Virus Detection Count for Malicious Programs

III. Reporting Status of Unauthorized Computer Access (includes Consultations) – please refer to Attachment 2 for further details –

Chart 3-1: Reported Number for unauthorized computer access and the status of consultation
                              Oct.  Nov.  Dec.  Jan.'10  Feb.  Mar.
Total for Reported (a)          21    11     9       20    27    19
  Damaged (b)                   14     6     6       12    17    13
  Not Damaged (c)                7     5     3        8    10     6
Total for Consultation (d)      34    34    22       67    47    60
  Damaged (e)                   11    14    14       34    28    23
  Not Damaged (f)               23    20     8       33    19    37
Grand Total (a + d)             55    45    31       87    74    79
  Damaged (b + e)               25    20    20       46    45    36
  Not Damaged (c + f)           30    25    11       41    29    43

(1)Unauthorized Computer Access Reported

The report count for unauthorized computer access in March was 19, 13 of which reportedly had certain damages.

(2)Unauthorized Computer Access and Other Related Problems Consulted

The consultation count for unauthorized computer access and other related problems was 60 (7 of which were also included in the report count); 23 of them reportedly involved actual damage.

(3)Damages Caused

The breakdown of the damage reports was: intrusion (8); spoofed address (1); spoofing (3); others (1).

Damage caused by "intrusion" was: malicious code being inserted into Web pages (2); malicious programs being embedded into a Web server, which in turn served as a stepping stone for attacking other sites (3); unintended contents being placed on a Web server (2) (one of which was content used for a phishing scam); and an e-mail account being used by an external party to send unsolicited e-mails (1). The causes of the intrusions have not been fully identified, but two cases were suspected to have been caused by "Gumblar"; one was due to poor ID/password management; one to a vulnerability in a Web application (phpMyAdmin); and one to configuration errors.

Damage caused by "spoofing" included: online services (online games (2), free web-based e-mail (1)) being used by someone who successfully impersonated a legitimate user and logged on.

* Phishing: A fraudulent activity in which attackers use a forged, authentic-looking Website (e.g., of an authoritative financial institution or an existing enterprise) to obtain site visitors' IDs and passwords.

(4) Damage Instance

[Intrusion]

(i) Damage Caused Apparently by "Gumblar"
<Instance>
  • When I accessed the Web page I had set up, a warning message was displayed, saying "The site you are accessing is reportedly an attacker’s site!"
  • I contacted the rental server company where the contents of my home pages are located. I was told, "Apparently, malicious code is embedded."
  • Upon checking the access logs of the FTP server dedicated to contents maintenance, I found that someone had logged on to the system from an IP address unknown to me.
  • I want to delete the "malicious code" but I can’t locate such code in the HTML file in question.

[Other Damages]

(ii) My wireless LAN suffered from free-riding
<Instance>
  • I’m using a wireless LAN in my home. Although I knew that the encryption scheme called WEP has a problem with its security level, I used it because my portable game player supports only WEP.
  • One day, when I was playing an online game, the connection to the server was lost all of a sudden and the device became unstable.
  • Upon checking the router’s logs, I found that four terminals unknown to me were connected to the router, occupying most of the communication bandwidth.
  • As I sensed danger, I switched to another encryption scheme called WPA2-PSK (AES).

IV. Unauthorized Computer Access Consulted

The total number of consultations in March was 2,000, of which 725 were related to "One-Click Billing Fraud" (compared to 637 in February); 12 to "Hard Selling of Security Software" (compared to 26 in February); 8 to "Winny" (compared to 1 in February); and 1 to "A Suspicious E-Mail Sent to a Specific Organization to Collect Specific Information/Data" (compared to 0 in February).

Table 4-1: Total Number of Consultations Handled by IPA over the Past Six Months
  Oct. Nov. Dec. Jan.'10 Feb. Mar.
Total 2,049 2,315 1,794 2,150 1,789 2,000
  Automatic Response System 1,157 1,340 1,138 1,160 977 1,057
Telephone 843 918 602 910 736 846
e-mail 45 53 52 78 70 92
Fax, Others 4 4 2 2 6 5

* IPA provides consultation/advice on computer viruses, unauthorized computer access, problems related to Winny, and information security in general.

Tel.: +81-3-5978-7509 (24-hour automatic response)
Fax: +81-3-5978-7518 (24-hour automatic response)

*"Automatic Response System": number of consultations answered by the automatic response system
*"Telephone": number of consultations answered by Security Center personnel
*The total number includes the figures in the Consultation (d) row of Chart 3-1, "III. Reporting Status of Unauthorized Computer Access (includes Consultations)".

Figure 4-1: Changes in the Number of Consultations Regarding One-Click Billing Fraud

Major consultation instances are as follows:

(i) I’ve Fallen for "One-Click Billing Fraud" Twice

What was consulted:

After accessing a sexually explicit site once, a billing message began to appear constantly on the screen, so I consulted IPA and my PC was fixed. Recently, I visited another sexually explicit site, which caused my PC to constantly display a different kind of billing message. Could you teach me how to fix it?

Response:

The reason you see a billing message is that your PC is infected with a computer virus. That virus did not enter your PC by itself: it was downloaded when you visited the sexually explicit site, and the virus file was then opened by you. Unless you understand the tactics employed by the adversary, you might fall for it again and again. To avoid being fooled by the same trick, refer to the site below and take appropriate measures.

To prevent virus infection, be sure to follow these fundamental anti-virus rules from now on:
1) Always keep your anti-virus software up to date, and
2) Never insert into your computer a file or medium (USB memory, in this case) whose source is unknown.

(ii) About Using Privately-Owned PCs at a Public Facility

What was consulted:

Our facility has an Internet browsing corner available to the public, which is provided as a part of public service. Recently, some people are reportedly bringing their own PCs and enjoying Internet surfing by connecting to our facility’s LAN without permission. This sort of behavior was beyond the scope of our assumptions and I have no idea how to deal with this problem.

Response:

Generally, PCs brought in by users are outside the facility's control, and whether or not they have already been infected with a computer virus is unknown to the facility. If an infected brought-in PC is connected to the facility’s LAN, the other PCs might also become infected, or be compromised through a computer virus placed on the LAN by an external party. If the facility allows Internet connection from brought-in PCs, it should provide an isolated network for such connections to protect against these threats.

V. Access Status Captured by the Internet Fixed-Point Monitoring System (TALOT2) in March

According to the Internet Fixed-Point Monitoring System (TALOT2), 144,590 unwanted (one-sided) accesses were observed at ten monitoring points in March 2010, and the total number of sources* was 57,950. This means that, on average, 466 accesses from 187 sources were observed per monitoring point per day (see Figure 5-1).

*Total number of sources: indicates how many accesses in total were observed by TALOT2. If multiple accesses from the same source were observed at the same monitoring point/port on the same day, they are counted as one access from that source on that day.

Since the environment of each TALOT2 monitoring point is equivalent to that of a general Internet connection, an equal number of such accesses are thought to occur in ordinary Internet users’ system environments.


Figure 5-1: Daily, Averaged Number of Unwanted (One-Sided) Accesses and Sources at the Same Monitoring Point/Port per Month

Figure 5-1 shows the daily averaged number of unwanted (one-sided) accesses and sources at the same monitoring point/port per month (from October 2009 to March 2010). As shown in this Figure, the number of unwanted (one-sided) accesses decreased in March compared to February.

Figure 5-2 shows the March-over-February comparison of the number of unwanted (one-sided) accesses, classified by destination (port type). As shown in this Figure, access to 17500/udp, 64862/tcp, and 27518/tcp, which had not previously been observed much, ranked high in March. Why these ports were accessed has yet to be identified, as they are not ports used by a specific application. Moreover, those accesses were observed only at one monitoring point and came from multiple sources: for example, according to the observations, access to 27518/tcp was made from more than 350 sources in March alone.


Figure 5-2: March-over-February Comparison for the Number of Access, Classified by Destination (Port Type)

For more detailed information, please also refer to the following URLs.

A variety of statistical information provided by other organizations/vendors is available at the following sites:

Contact

IT Security Center, Information-technology Promotion Agency, Japan (IPA/ISEC)
Tel: +81-3-5978-7527
Fax: +81-3-5978-7518