IPA/ISEC in JAPAN:virus and UCA incident report for June2010

July 16, 2010

IT Security Center
Information-technology Promotion Agency, Japan (IPA)

This is a summary of the computer virus and unauthorized computer access incident reports for June 2010, compiled by the Information-technology Promotion Agency, Japan (IPA).

I. Reminder for the Month:

"Operating systems whose support has terminated are put at risk"

In the "Reminder for this Month" column (*1) of the May 2007 issue, IPA addressed the risk of using an OS (operating system) whose support has terminated (hereafter called "off-the-support OS"). However, there are still users who seek consultations with IPA about off-the-support OSes such as Windows 98/Me. IPA has also been asked for advice by persons in charge of information systems who were not aware of the risk of using an off-the-support OS.

On July 13, 2010 (U.S. time zone), Microsoft terminates its support for Windows 2000 and Windows XP Service Pack 2 (SP2) (*2), both of which are estimated to still be in use by a large number of users. For this reason, we restate the risk of using an off-the-support OS as well as the countermeasures to be taken.

(*1) "Be aware of the risk of using a PC equipped with operating systems whose support has terminated!!" (The reminder of the May 2007 issue)
http://www.ipa.go.jp/security/english/virus/press/200704/E_PR200704.html

(*2) "About the Termination of Support for Windows Vista RTM / Windows XP Service Pack 2 (SP2) / Windows 2000 (Server / Professional)" (Microsoft)
http://www.microsoft.com/japan/windows/lifecycle/default.mspx (in Japanese)

(1) Support ending time period and associated risks for operating systems

(i) Usage status and support ending time period for each operating system

Table 1-1 shows the distribution of operating systems used by those who asked for advice (hereafter called "consultants"), compiled from the consultations made to IPA over the past year (from July 1, 2009 to June 30, 2010). For Windows 98/Me, whose support had been terminated by Microsoft about four years earlier (in July 2006), the number of users was 94, accounting for 1.3%. Because no security patches are provided and no antivirus software that runs on Windows 98/Me is still supported, these users are vulnerable to attack from an external party and are thus at high risk.

Table 1-1: Operating systems used by consultants

OS                       Windows 7  Windows Vista  Windows XP  Windows 2000  Windows 98/Me  Mac OS  Other
Number of consultations        313          2,207       4,249           100             94      26     45
Percentage                    4.4%          31.4%       60.4%          1.4%           1.3%    0.4%   0.6%

Note: among all the consulted cases, only those whose OS type was identifiable were counted.

(ii) Risk of using an off-the-support OS

The biggest problem in using an off-the-support OS is that no security patch is provided by its manufacturer. This means that even if a vulnerability is found in the OS, it cannot be remedied.

A PC equipped with an OS that has an unremedied vulnerability carries the following risks:

  • If the PC receives an attack exploiting the vulnerability via the Internet, it could allow unauthorized access (i.e., penetration into the PC).
  • The PC might be infected with a virus merely by visiting a malicious website.

PCs that have suffered damage from the above-mentioned unauthorized access or virus infection might be used as a stepping stone to attack third parties. In such a situation you might unintentionally attack other Internet users, so you should be aware of this risk.

Figure 1-1: Image of a house used as an analogy for an off-the-support OS

Moreover, support for application software running on an off-the-support OS might also be terminated. In particular, if support for antivirus software is terminated, pattern files for new types of viruses will no longer be provided by its manufacturer, which weakens the defense against newly emerging viruses.

(2) How to Cope with an Off-the-Support OS

For Windows, users should check the version of their OS by taking the following steps and then refer to the coping process for each operating system in the sections that follow. For other OSes such as Mac OS, users should refer to the support information from their manufacturers and upgrade to the latest version.

[Windows Version Confirmation Procedure]

(i) Click the [Start] button and then [Run].

(ii) Enter "winver" in the entry field displayed and click the [OK] button.

(iii) The "Windows Version Information" screen is displayed.

Note: in step (i), if you cannot find the [Run] menu item, enter "winver" in the entry field next to [Search programs and files] or [Start Search] and then press the Enter key.

(a) In the case of Windows XP or Vista

For some versions of Windows XP and Vista, Microsoft has terminated its support, but if you upgrade them to the latest version, you can continue to receive support. Referring to Table 1-2 below, check whether the OS you are using is the latest version and, if not, update it by applying Microsoft Update or Windows Update.

Table 1-2: The latest version for each operating system

Product Name    The latest version (as of July 2010)
Windows XP      Service Pack 3
Windows Vista   Service Pack 2

(b) In the case of Windows 98/Me

For Windows 98/Me, Microsoft terminated its support in July 2006, so if you continue to use them, you will be exposed to the risks described in (1).

In particular, if a PC running one of these OSes is connected to the Internet, the probability of virus infection and similar damage increases. Users of Windows 98/Me are recommended to refrain from connecting to the Internet and to replace their PCs with ones running the latest OS as early as possible.

(c) In the case of Windows 2000 Server/Professional

For Windows 2000 (Server/Professional), Microsoft terminates its support on July 13, 2010 (U.S. time zone), so if you continue to use it, you will be exposed to the risks described in (1). An early migration to an OS for which support is available is recommended.

In particular, if you are providing a service on the Internet using Windows 2000, you cannot remedy any vulnerability that is found and are thus exposed to attack from an external party. Should your systems suffer a virus infection, the damage might extend to the users of your service, so migrating to the latest OS or taking alternative measures is an urgent task.

However, organizations might have difficulty responding to the termination of support for various reasons (e.g., migrating to other systems takes time, economic constraints, etc.). In such cases, as a temporary workaround, you can use a tool that defends against attacks exploiting a vulnerability. While so defending, plan and implement the system migration.


Lastly, if you must continue to use a PC equipped with an off-the-support OS despite being aware of the risks, then to prevent damage from virus infection and unauthorized access you should refrain from connecting it to the Internet and from exchanging data with other PCs via USB memory or similar media.

II. Reporting Status of Computer Virus – for further details, please refer to Attachment 1 –

(1) Reporting Status of Virus

While the virus detection count (*1) in June was about 41,000, down 18.8 percent from about 50,000 in May, the virus report count (*2) in June was 1,245, up 14.9 percent from 1,084 in May.

*1 Detection count: the cumulative number of viruses found by a filer.

*2 Report count: aggregated virus counts. Viruses of the same type and their variants reported by the same filer on the same day are counted as one case, regardless of how many individual viruses were actually found.

* In June, the virus report count, obtained by consolidating about 41,000 virus detection reports, was 1,245.

W32/Netsky marked the highest detection count at about 33,000, followed by W32/Mydoom at about 4,000 and W32/Autorun at about 1,000.

Figure 2-1: Virus Detection Count

Figure 2-2: Virus Report Count

(2) Malicious Programs Detected

Among the malicious programs detected, we saw a rapid increase in ADCLICKER in June 2010 (see Figure 2-3).

ADCLICKER is designed to automatically click on advertisements on a web page. While this activity is performed, the web page is not displayed on the screen, so PC users do not notice it. Note, however, that there are a number of variants, some of which may display such advertisements on the screen.

Because this sort of malicious program is distributed as an e-mail attachment, you should be careful in handling e-mail attachments. In some cases, attackers use Bot (*1)-infected PCs to distribute malicious programs.

Cyber Clean Center (CCC) (*2) provides anti-Bot measures as well as online Bot-removal tools. To avoid unwittingly taking part in the e-mail distribution of malicious programs, check your PC for Bot infection and then implement infection-prevention measures, including blocking the entry of malicious programs.


*1 A Bot is designed to penetrate a computer in the same manner as a computer virus and to let an attacker remotely operate the victim's computer via the network.

*2 Cyber Clean Center is a Bot countermeasure project launched by the Ministry of Internal Affairs and Communications and the Ministry of Economy, Trade and Industry.
(Reference) About Cyber Clean Center
https://www.ccc.go.jp/ccc/ (in Japanese)

Figure 2-3: Changes in Virus Detection Count for Malicious Programs

III. Reporting Status of Unauthorized Computer Access (includes Consultations) – please refer to Attachment 2 for further details –

Table 3-1: Reported number of unauthorized computer access cases and the status of consultations

                            Jan.'10  Feb.  Mar.  Apr.  May  Jun.
Total for Reported (a)           20    27    19    11    8    15
  Damaged (b)                    12    17    13    10    5    13
  Not Damaged (c)                 8    10     6     1    3     2
Total for Consultation (d)       67    47    60    39   52    77
  Damaged (e)                    34    28    23    16   22    50
  Not Damaged (f)                33    19    37    23   30    27
Grand Total (a + d)              87    74    79    50   60    92
  Damaged (b + e)                46    45    36    26   27    63
  Not Damaged (c + f)            41    29    43    24   33    29

(1) Unauthorized Computer Access Reported

The report count for unauthorized computer access in June was 15, of which 13 reportedly involved actual damage.

(2) Unauthorized Computer Access and Other Related Problems Consulted

The consultation count for unauthorized computer access and other related problems was 77 (8 of which were also included in the report count); 50 of them reportedly involved actual damage.

(3) Damages Caused

The breakdown of the damage reports was: intrusion (3); spoofing (9); other cases involving actual damage (1).

Damage caused by "intrusion" consisted of web pages being defaced (3), all of which involved malicious code being embedded. The cause of the intrusion has not been fully identified, but the three cases were suspected to have been caused by "Gumblar".

Damage caused by "spoofing" consisted of online services (online games (9)) being used by someone who successfully impersonated a legitimate user and logged on.

(4) Damage Instance

[Intrusion]

(i) Website Defacement by Means of "Gumblar"
<Instance>
  • I'm running a website on a rental server. One day, a site visitor notified me that, "When I visit your site, a virus is detected."
  • When I inspected the website contents, I found that a script leading site visitors to a malicious site had been embedded in the HTML source code.
  • I conducted further inspections and found that a PC used for updating the web pages had been infected with a virus and that its FTP account information had been stolen.
  • The attacker accessed my web server using the stolen FTP account and defaced the web pages.
  • The virus-infected PC was an employee's personal belonging kept at his home.

[Spoofing]

(ii) Online Game Account Hijacked by Exploiting the Password Reissuance Mechanism
<Instance>
  • Because I became unable to log on to an online game site, I applied for the reissuance of my password, and the site operator sent a new password to the e-mail address I had registered in advance. This e-mail address belongs to a free mail service.
  • When I logged on to the online game site again, I found that some items and all of the in-game currency were gone.
  • I looked into the free mail service's login history and learned that a login I do not remember had been made successfully; I assume that somebody gained unauthorized access to the free mail account to have a new password reissued.
  • As I was using completely different character strings for the passwords of the online game and the free mail service, I have no idea how the password for the online game was cracked.

IV. Unauthorized Computer Access Consulted

The total number of consultations in June was 1,983. Of these, 755 were related to "One-Click Billing Fraud" (compared to 637 in May); 7 to "Hard Selling of Security Software" (compared to 27 in May); 2 to "Winny" (compared to 5 in May); and 0 to "A Suspicious E-Mail Sent to a Specific Organization to Collect Specific Information/Data" (compared to 4 in May).

Table 4-1: Total Number of Consultations Handled by IPA over the Past Six Months

                            Jan.'10   Feb.   Mar.   Apr.    May   Jun.
Total                         2,150  1,789  2,000  2,110  1,881  1,983
  Automatic Response System   1,160    977  1,057  1,197  1,091  1,022
  Telephone                     910    736    846    835    714    829
  e-mail                         78     70     92     81     76    129
  Fax, Others                     2      6      5      0      0      3

* IPA provides consultation and advice on computer viruses, unauthorized computer access, problems related to Winny, and information security in general.

Tel.: +81-3-5978-7509 (24-hour automatic response)
Fax: +81-3-5978-7518 (24-hour automatic response)

* "Automatic Response System": number of consultations answered by the automatic response system
* "Telephone": number of consultations answered by Security Center personnel
* The total includes the numbers in the Consultation (d) row of Table 3-1, "III. Unauthorized Computer Access Reported (including Consultations)".

Figure 4-1: Changes in the Number of Consultation Regarding One-Click Billing Fraud


Major consultation instances are as follows:

(i) When I connected my cell phone to a PC, the PC was infected with a virus

What was consulted:

To recharge my cell phone, I connected it to a PC with a USB cable. Because the memory card in the cell phone had been infected with a virus, the PC was also infected. Is there a possibility of a virus infection being transmitted through digital audio equipment or a game machine?

Response:

It seems that the memory card in the cell phone was infected with a USB-infecting virus; how the virus got onto it is unknown. Any device that is connected to a PC by USB cable and recognized as an external storage medium can become either the source or the victim of a USB-infecting virus. When reusing a memory card that has been infected, erase all the data stored on it by formatting it. For a PC that holds important data, avoid casually connecting uncontrolled USB memory or other external media. For a PC to which such devices are connected, take appropriate countermeasures, such as using antivirus software and disabling the "automatic execution" (AutoRun) feature of Windows so that a virus is not activated at the moment the device is connected.


(ii) While inspecting hazardous sites for the sake of my family, I was trapped by One-Click Billing Fraud

What was consulted:

[Example 1] I have a grandchild who is a student, and I don't want him to access hazardous sites. But as I did not know exactly what a hazardous site is, I inspected some and was tricked into signing up to a sexually explicit site. Since then, a billing screen has been displayed which I am unable to remove.

[Example 2] While checking the Internet access history to see whether or not my son was accessing suspicious sites, I mistakenly signed up to a sexually explicit site and a billing screen began to be displayed.

Response:

In both cases the action was taken for the sake of the family, but the consultants were led to a sexually explicit site and, without reading the text shown on the web page, clicked "Yes" on the One-Click Billing Fraud site and so fell victim to the fraud. When inspecting such sites, you should restrain your curiosity, read the confirmation messages and other text that appear on the screen carefully, and decide whether or not to proceed. For a family with a minor, it is effective to block sexually explicit sites, for example by using web filtering/URL filtering software or integrated antivirus software with a feature to block hazardous sites, or by using the hazardous-site-blocking service offered by Internet service providers.


V. Access Status Captured by the Internet Fixed-Point Monitoring System (TALOT2) in June

According to the Internet Fixed-Point Monitoring System (TALOT2), 117,157 unwanted (one-sided) accesses were observed at ten monitoring points in June 2010, and the total number of sources* was 46,800. This means that, on average, 434 accesses from 173 sources were observed per monitoring point per day (see Figure 5-1).

* Total number of sources: indicates how many sources in total were observed by TALOT2. If multiple accesses from the same source were observed at the same monitoring point/port on the same day, they are counted as one access from that source on that day.

Since the environment of each TALOT2 monitoring point is equivalent to that of a general Internet connection, a similar number of such accesses is thought to occur in ordinary Internet users' environments.

* For maintenance work, we shut down the systems from June 18 to June 20. The statistics therefore exclude the data for these three days. Normally, the systems are in operation at all times.

Figure 5-1: Daily, Averaged Number of Unwanted (One-Sided) Accesses and Sources at the Same Monitoring Point/Port per Month

Figure 5-1 shows the daily average number of unwanted (one-sided) accesses and sources at the same monitoring point/port per month (from January 2010 to June 2010). As shown in this figure, the number of unwanted (one-sided) accesses increased in June compared to May.

Figure 5-2 shows the June-over-May comparison of the number of unwanted (one-sided) accesses, classified by destination (port type). As shown in this figure, the number of accesses to 23/tcp increased significantly in June compared to May.

Access to this port has been increasing since the end of May and has been observed at multiple TALOT2 monitoring points; the sources of such access included Peru, the U.S. and many other countries (see Figure 5-3). 23/tcp is generally used for telnet, but the reason for the increased access is still unknown. Similar increasing trends have also been observed by other organizations undertaking fixed-point observation, indicating that such access is occurring from widely scattered areas.
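As an added example (not part of the IPA report), the following Python implements the two counting rules the report defines: Section II's virus report count (one case per filer, virus type and day) and this section's total number of sources (one per source, monitoring point, port and day), together with the per-point daily average that excludes the June 18 to 20 maintenance shutdown. The records, filer names and monitoring-point names are constructed; only the totals passed to per_point_per_day are the report's own figures.

```python
"""Added example, not part of the IPA report: the counting rules the report
defines, applied to constructed sample records.

Section II: the virus report count folds all detections of one virus type
(variants included) from the same filer on the same day into one case.
Section V: TALOT2's total number of sources folds repeated accesses from one
source to the same monitoring point/port on the same day into one source.
"""
from collections import Counter, namedtuple
from datetime import date

Detection = namedtuple("Detection", "day filer family")
Access = namedtuple("Access", "day point port src")

# Constructed detections; 'family' already drops the variant suffix.
DETECTIONS = [
    Detection(date(2010, 6, 1), "filer-A", "W32/Netsky"),
    Detection(date(2010, 6, 1), "filer-A", "W32/Netsky"),  # same filer/type/day: one case
    Detection(date(2010, 6, 1), "filer-B", "W32/Netsky"),  # another filer: second case
    Detection(date(2010, 6, 2), "filer-A", "W32/Netsky"),  # next day: third case
    Detection(date(2010, 6, 2), "filer-A", "W32/Mydoom"),  # another type: fourth case
]

# Constructed TALOT2-style accesses using RFC 5737 documentation addresses.
ACCESSES = [
    Access(date(2010, 6, 1), "mp01", "23/tcp", "198.51.100.7"),
    Access(date(2010, 6, 1), "mp01", "23/tcp", "198.51.100.7"),  # repeat: same source
    Access(date(2010, 6, 1), "mp02", "23/tcp", "198.51.100.7"),  # other point: new source
    Access(date(2010, 6, 2), "mp01", "23/tcp", "198.51.100.7"),  # other day: new source
    Access(date(2010, 6, 2), "mp01", "445/tcp", "203.0.113.9"),
    Access(date(2010, 6, 19), "mp01", "23/tcp", "192.0.2.5"),  # inside maintenance window
]
MAINTENANCE = {date(2010, 6, 18), date(2010, 6, 19), date(2010, 6, 20)}

def report_count(detections):
    """Report's (*2): one case per (filer, day, virus type); len(detections) is (*1)."""
    return len({(d.filer, d.day, d.family) for d in detections})

def observed(accesses, excluded_days=MAINTENANCE):
    """Drop records from days the sensors were shut down."""
    return [a for a in accesses if a.day not in excluded_days]

def source_count(accesses, excluded_days=MAINTENANCE):
    """TALOT2 footnote: one source per (source, monitoring point, port, day)."""
    kept = observed(accesses, excluded_days)
    return len({(a.src, a.point, a.port, a.day) for a in kept})

def accesses_by_port(accesses, excluded_days=MAINTENANCE):
    """Breakdown by destination port, the view used for Figure 5-2."""
    return Counter(a.port for a in observed(accesses, excluded_days))

def per_point_per_day(total, points, days_in_month, excluded_days=MAINTENANCE):
    """Daily average per monitoring point over the days actually observed."""
    return round(total / (points * (days_in_month - len(excluded_days))))
```

Feeding the report's June totals (117,157 accesses and 46,800 sources, ten points, 30 days minus the three maintenance days) into per_point_per_day reproduces the 434 and 173 quoted above; forgetting the exclusion would give 391 instead.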

Figure 5-2: June-over-May Comparison of the Number of Accesses, Classified by Destination (Port Type)

Figure 5-3: Number of Accesses to 23/tcp

Contact

IT Security Center, Information-technology Promotion Agency, Japan (IPA/ISEC)
Tel: +81-3-5978-7527
Fax: +81-3-5978-7518