Font Size Change

HOMEIT SecurityIPA/ISEC in JAPAN:virus and UCA incident report for April2010

PRINT PAGE

IT Security

IPA/ISEC in JAPAN:virus and UCA incident report for April2010

May 14, 2010

IT Security Center
Information-technology Promotion Agency, Japan (IPA)

This is the summary of computer virus/unauthorized computer access incident report for April 2010, compiled by Information-technology Promotion Agency, Japan (IPA).

I. Reminder for the Month:

"Watch out for an attack that focuses on a popular service!”

Among the Internet services that are popular in recent years are: miniblog service such as "Twitter" and "Ameba Now" and social networking service such as "mixi" and "Facebook." These services allow users to transmit what they think and their activities across the Internet, or to use a Website as a place for communicating with others having the same hobby/way of thinking. These services are used by a variety of people including entertainers and those in the political and business worlds. On the other hand, popular services like these often become the target of an attack. IPA has been consulted on cases where these services were exploited to trick users or to infect their PCs with a computer virus. When using a new service, users should understand the elements of the service that could be exploited and take appropriate security measures so they don't fall victim to an attack that exploits the nature of that service.

(1)Characteristics of Miniblog Service and Example of Attack Methods

In this section, we present the characteristics of Twitter, which is one of the miniblog services, and how an attack could be carried out by exploiting it.

▼Characteristics of Twitter

Twitter allows users to "tweet (mumble, post on a Website)" what has come to their mind. Twitter has a mechanism called "Follow" that allows users to see other users' "tweet." (See Figure 1-1) For example, once you have "followed" your favorite entertainer, you can view the entertainer's "tweet" from your "Timeline," which is a feature to display the list of "tweets."

Figure 1-1: Mechanism of Twitter

An attacker with malicious intent could exploit this mechanism to infect users' PCs with a computer virus. An example of an attack exploiting Twitter is as follows:

▼Example of How an Attack Could be Carried Out

【1】The attacker Mr. X "follows" Mr. A who is the target of his attack. When following Mr. A, no permission is required. Mr. A comes to know that he has been followed by Mr. X.

【2】Mr. A follows Mr. X by return, which is called "Follow Back", and it can be done without precaution.

【3】As a result, Mr. X's "Tweet" begins to appear in Mr. A's "Timeline." Mr. X tweets an interesting message along with a link to a malicious Website. If Mr. A clicks on the link, he is guided to the Website designed to transmit a computer virus.

Figure 1-2: An Attack Method that Exploits Twitter

▼Actions Requiring Precaution

In the example above, actions requiring precaution are as follows:

- "Following" someone without careful consideration

Without "following" or "followed", you might find it less attractive to use Twitter. However, as in the example above, if you are not careful about following someone, you might include an attacker in your "Timeline". You should also watch out for fraud by "spoofing". "Spoofing" as a celebrity or a best-known company has been prevalent, posing a risk for Website visitors to be guided to a phishing scam Website without knowing it is a fake. A fake politician or entertainer has become a serious problem for Twitter users and if users fall victim, they might be tricked in buying a phony concert ticket.

- Clicking on a URL contained in other persons' Tweet without careful consideration

Clicking on a URL in other persons' Tweet without careful consideration is as risky as "carelessly opening an e-mail attachment unknown to you" or "clicking on a suspicious link posted on a Blog or a BBS." You should be careful not to contract a computer virus by clicking on an "abbreviated URL."

"Abbreviated URL" is a function in which a lengthy URL is displayed in abbreviated form. For example, abbreviate URL for "http://www.ipa.go.jp/security/personal/yobikake/index.html" might be http://XYZ/5G5G3g; (XYZ is the name of the Website providing the abbreviated URL service and the following characters excluding the slash are an identifier defined by the service site operator.) In the case of Twitter, the number of characters that can be entered at one time is limited and some URLs are too long to fit in. For this reason, URLs in abbreviated form are often used when included in a message. Users clicking on an abbreviated URL might easily be guided to a malicious Website designed to transmit a computer virus as they do not know where they would be guided until they arrive in a certain Website.

▼Countermeasures

- It is not easy to detect "spoofing" but if you would like to follow an entertainer or an enterprise in Twitter, you may fist contact the corporation the entertainer belongs to or the enterprise, or visit their official Websites for confirmation. You should be aware that whenever communicating with a person unknown to you, you might possibly be communicating with a person with malicious intent.

- Before clicking on an abbreviated URL, check for its reliability by using a tool or a service that displays the original URL for the abbreviated one.

(2)Basic Countermeasures

Apart from the above-mentioned measures, it is essential to implement the following basic countermeasures:

- Keep your OS installed in your PC up- to-date;

- Keep up-to-date all the application software products installed in your PC (e.g., Internet browser, mail software, moving-image browser, document file browser) by applying updates;

<Reference>

* As of April 2010, Windows XP and Vista supported

- Keep up-to-date the pattern files of your anti-virus software. It is recommended to use an integrated antivirus software product with a function to filter unsolicited e-mails and hazardous sites;

- Back up important data in case your PC is infected with a computer virus.

This time, we took Twitter as an example and presented how an attack could be carried out as well as countermeasures against such attacks. In the past, this type of attack was also carried out against Blog, BBS or e-mail service. Being a new service does not mean that it is safe to use. Remember that a popular, user-friendly service could be targeted by an attacker and therefore, when using such services, you need to take appropriate countermeasures.

II. Reporting Status of Computer Virus – further details, please refer to the Attachment 1 –

(1)Reporting Status of Virus

While the virus detection count (*1) in April was about 40,000, down 31.9 percent from about 58,000 in March, the virus report count (*2) in April was 1,077, down 27.4 percent from 1,484 in March.

*1 Detection Number: virus counts (cumulative) found by a filer

*2 Virus report count: indicates how many reports on a specific virus were submitted. If the same type of viruses were reported by the same person with the same detection day, they are counted as one report regarding the virus of that sort.

* In April, the virus report count, which was obtained by consolidating about 40,000 virus detection reports, was 1,077.

W32/Netsky marked the highest detection count at about 32,000, followed by W32/Mydoom at about 5,000 and W32/Autorun at about 1,000.

Figure 2-1: Virus Detection Count

Figure 2-2: Virus Report Count

(2)Malicious Programs Detected

For the number of malicious programs detected, we have not seen a significant difference between March and April 2010. However, as we saw in January and February 2010, the figure might increase rapidly at any time. Because most of malicious programs are contained in an e-mail attachment and distributed, you should be careful in handling an e-mail attachment. In some cases, attackers use Bots to distribute malicious programs.

Cyber Clean Center (CCC) provides anti-Bot measures as well as online Bot-removal tools.  To avoid taking part in the e-mail distribution of malicious programs, check your PC for Bot infection, and then implement infection-prevention measures, including blocking the entry of malicious programs.

<Reference>

Figure 2-3: Malicious Program Detection Count

III. Reporting Status of Unauthorized Computer Access (includes Consultations) –Please refer to the Attachment 2 for further details–

Chart 3-1: Reported Number for unauthorized computer access and the status of consultation
  Nov. Dec. Jan.'10 Feb. Mar. Apr.
Total for Reported (a) 11 9 20 27 19 11
  Damaged (b) 6 6 12

17

13

10

Not Damaged (c) 5 3 8

10

6

1

Total for Consultation (d) 34 22 67 47 60 39
  Damaged (e) 14 14 34 28 23 16
Not Damaged (f) 20 8 33 19 37 23
Grand Total (a + d) 45 31 87 74 79 50
  Damaged (b + e) 20 20 46 45 36 26
Not Damaged (c + f) 25 11 41 29 43 24

(1)Unauthorized Computer Access Reported

The report count for unauthorized computer access in April was 11, 10 of which reportedly had certain damages.

(2)Unauthorized Computer Access and Other Related Problems Consulted

The consultation count for unauthorized computer access and other related problems was 39 (3 of which were also included in the report count). 16 of them reportedly had certain damages.

(3)Damages Caused

The breakdown of the damage reports were: intrusion (5); spoofing (3); malicious program embedded (1); others (1).

Damages caused by "intrusion" were: a Web page being defaced (2), with one case involving malicious code embedded; malicious programs being embedded into a Web server, which in turn served as a stepping stone for attacking other sites (2), authentication of a BBS bypassed, allowing an unauthorized person to post arbitral messages (1). The cause of the intrusion has not been fully identified, but one case was suspected to have been caused by "Gumblar"; one due to a poor ID/password management (password cracking attack* was thought to have been carried out against a port used by SSH*); one due to vulnerability in the Web application (FCKeditor); and one due to inappropriate configuration.

Damages caused by "spoofing" included: online service (online game (2), others (1)) being used by someone who successfully impersonated a legitimate user and logged on.

 

* SSH (Secure Shell): a protocol that allows someone using one computer to communicate with a remote computer via the network.

Password cracking: a process of finding out other person's password, e.g., through a password analysis. This includes Brute Force attack and Dictionary attack. There are also password-cracking programs.

(4) Damage Instance

[Intrusion]

(i)Unauthorized Access Using the Port for SSH
    <Instance>
  • –The Internet connection from within the company became abruptly unavailable.
  • –As the investigation proceeded, I found that there was an unauthorized access using the port for SSH and that log files etc. had been deleted.
  • –Furthermore, there were signs of login attempts made against a port used for an external Website's SSH.
  • –This was thought to have been caused by the cracking of a password for an account which had not been logged on for a long period of time.

[Spoofing]

(ii)Online Game Account Hijacked through the Exploitation of the Password-Reissuing Mechanism
<Instance>
  • –One day, when I checked login history for my Yahoo account, I found that a login attempt had been successfully made by a third party using my account.
  • –Feeling suspicious, I checked the status of other services and then found that my account for an online game service had been compromised, leading to the theft of several items. In fact, upon using this service, I had set my contact address to my Yahoo e-mail address.
  • –My Yahoo ID and game ID were identical and the password for my Yahoo account was easy to guess. So apparently, the password had been cracked and the corresponding account stolen by a third party, allowing him to have a new password issued.
  • –I decided to use the Yahoo "login alert" service from then on.

IV. Unauthorized Computer Access Consulted

The total number of consultations in April was 2,110. 747 of which were related to "One-Click Billing Fraud" (compared to 725 in March); 23 to "Hard Selling of Security Software" (compared to 12 in March); 11 to "Winny" (compared to 8 in March); 4 to "A Suspicious E-Mail Sent to a Specific Organization to Collect Specific Information/Data" (compared to 1 in March).

Table 4-1: Total Number of Consultations Handled by IPA over the Past Six Months
  Nov. Dec. Jan.'10 Feb. Mar. Apr.
Total 2,315 1,794 2,150 1,789 2,000 2,110
  Automatic Response System 1,340 1,138 1,160 977 1,057 1,197
Telephone 918 602 910 736 846 835
e-mail 53 52 78 70 92 81
Fax, Others 4 2 2 6 5 0

* IPA provides consultation/advises for computer virus, unauthorized computer access, problems related to Winny as well as overall information security.

mail_address
Tel.: +81-3-5978-7509 (24-hour automatic response)
Fax: +81-3-5978-7518 (24-hour automatic response)

 

*”Automatic Response System”: Numbers responded by automatic response
*”Telephone”: Numbers responded by the Security Center personnel
*Total Number includes the number in the Consultation (d) column in the Table 3-1, “III. Unauthorized Computer Access Reported (including Consultations)”.

Figure 4-1: Changes in the Number of Consultation Regarding One-Click Billing Fraud

 

Major consultation instances are as follows:

(i)I Cannot Recover from Damages Caused by "One-Click Billing Fraud"

What was consulted:

After accessing a sexually explicit site once, a billing message began to appear constantly on the screen, so I consulted IPA and was advised to perform "system recovery." I visited the sexually explicit site in November and the system recovery point could only be set to December or later. So I cannot restore the system up to a point in November or earlier.

Response:

Disk space that can be used for system recovery is limited. So if the space had been taken up, the recovery point information for the oldest data/information would have been deleted. It is recommended to promptly perform system recovery whenever you think "There's something wrong with my PC!" to protect against not only "One-Click Billing Fraud" but other threats.

<Reference>

(ii)About Security Settings for Wireless LAN

What was consulted:

I'm using a Wireless LAN in my house. I heard that inappropriate Wireless LAN settings might lead to the exploitation by a third party. I want to take countermeasures to prevent access from a third party, but I do not have sufficient knowledge and skill. What should I do?

Response:

One of the basic wireless LAN settings is: "to encrypt connection." It is important to select appropriate encryption method (e.g., WPA2 and AES) and to use more than twenty characters for your password. If a simplified-setting feature (e.g., Wi-Fi Protected Setup) is available for main and sub units, you can easily make settings.
If you still find it difficult, you can use a fare-paying, home-visit setting service. Contact the shop where you purchased your PC or the Wireless LAN manufacture.

<Reference>

V. Access Status Captured by the Internet Fixed-Point Monitoring System (TALOT2) in April

According to the Internet Fixed-Point Monitoring System (TALOT2), 149,345 unwanted (one-sided) accesses were observed at ten monitoring points in April 2010 and the total number of sources* was 50,563.  This means on average, 498 accesses form 169 sources were observed at one monitoring point per day. (See Figure 5-1)

 

*Total number of sources:indicates how many accesses in total were observed by TALOT2.  If multiple accesses from the same source were observed at the same monitoring point/port on the same day, they are considered one access from the specific source on that day.


Since the environment of each monitoring point for TALOT2 is equivalent to that of general Internet connection, an equal number of such accesses are thought to be made in the Internet users’ system environment.

Figure 5-1: Daily, Averaged Number of Unwanted (One-Sided) Accesses and Sources at the Same Monitoring Point/Port per Month

The Figure 5-1 shows daily, averaged number of unwanted (one-sided) accesses and sources at the same monitoring point/port per month (from November 2009 to April 2010). As shown in this Figure, the number of unwanted (one-sided) accesses increased in April compared to March.

The Figure 5-2 shows the April-over-March comparison results for the number of unwanted (one-sided) accesses, classified by destination (port type). As shown in this Figure, the number of access to 17500/udp, which increased in March, have increased further in April. (See Figure 5-3) The nature of this access is, for a specific monitoring point for TALOT2, access was made from multiple IP addresses within the same segment at a regular interval. After the investigation, we found that there was an application program sending broadcast towards 17500/udp, which may be one of the causes. What was thought to be from multiple IP addresses has turned out to be from one PC sending a variable broadcast to the monitoring point for TALOT2 at each start up process. Because the rest of the monitoring points were configured to prevent broadcast from reaching the terminal, such access was not detected.

Furthermore, access to 6779/tcp and 6779/udp, which was not observed in March, has been frequently observed in this month. It has yet to be identified why these ports were accessed as they are not the ones used by a specific application. For both ports, access was observed only at one monitoring point.

Figure 5-2: April-over-March Comparison for the Number of Access, Classified by Destination (Port Type)

Figure 5-3: Number of Access for 17500/udp

For more detailed information, please also refer to the following URLs.

Variety of statistical Information provided by the other organizations/vendors is available at the following sites:

Contact

IT Security Center, Information-technology Promotion Agency, Japan (IPA/ISEC)
Tel:+81-3-5978-7527
Fax:+81-3-5978-7518
E-mail: