
IPA/ISEC in JAPAN: Virus and UCA Incident Report for October 2010

November 15, 2010

IT Security Center
Information-technology Promotion Agency, Japan (IPA)

This is the summary of the computer virus and unauthorized computer access incident reports for October 2010, compiled by the Information-technology Promotion Agency, Japan (IPA).

I. Reminder for the Month:

"Watch out for a new virus hiding in PDF files!"

In September 2010, a vulnerability in Adobe Reader (hereinafter called Vulnerability X) was reported, and in October a security patch to remedy Vulnerability X was released. In early September, IT-related Web news reported that there had been an attack exploiting Vulnerability X. IPA also received a malicious PDF file*1 that infects PCs with a virus by exploiting Vulnerability X. This file was sent as an attachment to an e-mail.

In this way, a virus may be hiding even in a document file such as a PDF. The fact that an attachment is a PDF file does not mean it is safe, so caution should be exercised in handling e-mail attachments.

This section outlines the attack that exploits Vulnerability X and the countermeasures against it.

*1 A PDF (Portable Document Format) file is a document file that can be viewed with software such as "Adobe Reader".

(1) About Vulnerability X, reported in September

Vulnerability X*2, reported in September, allows an attacker to doctor a PDF file so that Adobe Reader's window suddenly disappears when the user opens the file, or so that the attacker takes control of the user's PC. IPA's analysis of the PDF file mentioned above confirmed that the file also exploits Vulnerability X.

Adobe Reader is widely used to view document files in PDF format and is nowadays pre-installed on many PCs for general users.

*2 About the Adobe Reader and Acrobat vulnerability (APSB10-21) (IPA)
http://www.ipa.go.jp/security/ciadr/vul/20101006-adobe.html (in Japanese)

(2) Outline of the virus analyzed by IPA

This section explains the behavior of a sample of the virus exploiting Vulnerability X, as analyzed by IPA. (See Figure 1-1)

Figure 1-1: Behavior of the Virus that Exploits Vulnerability X

This virus exploits the vulnerability in Adobe Reader: when the user opens the doctored PDF file, malicious code (commands) is executed. As a result, a malicious program with a backdoor*3 feature is installed on that PC.

Meanwhile, a document that looks free of problems is displayed on the PC's screen as normal, effectively leading the user to believe that this is not a virus. In this case, the file's content was information about an actual international conference being held.

A backdoor installed on a PC in an unauthorized manner has a function to download and execute a file specified by the attacker. This may allow the attacker to infect the victim's PC with other viruses, such as spyware designed to steal information from that PC.

*3 A backdoor is a mechanism for gaining unauthorized access to the victim's PC; it is a "back door" infection route.

This virus uses Adobe Reader's JavaScript function to exploit Vulnerability X, so users can prevent this kind of attack by disabling that function*4.

*4 To disable this function, start Adobe Reader, select "Edit" > "Preferences" from the menu bar, select "JavaScript" in the dialog box displayed, and then uncheck "Enable Acrobat JavaScript".
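As an added example (not from the IPA report, and not the file IPA received), a static triage script of the kind a mail gateway or an analyst could run on PDF attachments to flag the features the attack above depends on, namely JavaScript wired to run when the file is opened, so that such files are held for analysis before a user opens them. The sample PDF and the verdict wording are constructed for this example.

```python
import re

# PDF name objects whose presence in an attachment deserves attention.
RISKY_NAMES = {
    b"/JavaScript": "embedded JavaScript",
    b"/JS": "JavaScript action",
    b"/OpenAction": "action executed automatically when the file is opened",
    b"/AA": "additional (automatic) actions",
    b"/Launch": "launch action (runs an external program)",
    b"/ObjStm": "object streams (compressed content may hide keywords)",
}

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_NAME = re.compile(rb"/[^\s/<>\[\]()\{\}%]*")

def normalize_names(data: bytes) -> bytes:
    """Undo /#xx escapes inside PDF names, e.g. /J#61vaScript -> /JavaScript.
    Malicious PDFs use this escaping to hide keywords from naive scanners."""
    def unescape(m):
        return _HEX_ESCAPE.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(0))
    return _NAME.sub(unescape, data)

def triage_pdf(data: bytes) -> dict:
    """Count risky name objects in raw PDF bytes and return a verdict.
    This is a byte-level scan, not a full parse of the PDF object graph."""
    if not data.startswith(b"%PDF"):
        return {"is_pdf": False, "findings": {}, "verdict": "not a PDF header"}
    norm = normalize_names(data)
    findings = {}
    for name, why in RISKY_NAMES.items():
        # Match the name as a whole token (followed by a delimiter or end of data).
        hits = len(re.findall(re.escape(name) + rb"(?=[\s/<>\[\]()]|$)", norm))
        if hits:
            findings[name.decode()] = (hits, why)
    has_js = "/JavaScript" in findings or "/JS" in findings
    runs_on_open = "/OpenAction" in findings or "/AA" in findings
    if has_js and runs_on_open:
        verdict = "quarantine: JavaScript wired to run on open"
    elif has_js or "/Launch" in findings:
        verdict = "suspicious: active content present"
    elif "/ObjStm" in findings:
        verdict = "inconclusive: compressed object streams, inspect further"
    else:
        verdict = "no active content found"
    return {"is_pdf": True, "findings": findings, "verdict": verdict}

# Constructed sample (not a real malware file): a minimal PDF whose OpenAction
# points at a JavaScript action, with /JavaScript hex-escaped to evade matching.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj<</Type/Catalog/Pages 2 0 R/OpenAction 3 0 R>>endobj\n"
    b"2 0 obj<</Type/Pages/Kids[]/Count 0>>endobj\n"
    b"3 0 obj<</S/J#61vaScript/JS(app.alert('x'))>>endobj\n"
    b"trailer<</Root 1 0 R>>\n%%EOF\n"
)

if __name__ == "__main__":
    print(triage_pdf(SAMPLE_PDF))
```

A hit on /ObjStm means the keywords may sit inside compressed streams, so a clean byte-level result on such a file is not conclusive and the file still needs a full parse.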

(3) Countermeasures

The countermeasures against the attack described here are to exercise caution in handling e-mail attachments, even document files such as PDFs, and to keep your application software up to date so that known vulnerabilities are remedied. Details of these countermeasures are as follows:

(I) Exercise caution in handling document files such as PDF files

As in the attack described here, a virus may be hiding even in PDF files, which are generally thought of as safe document files. As a fundamental measure for e-mail attachments, do not open any attachment if there is anything doubtful about the e-mail (e.g., it comes from an unknown sender, or the body text differs from the messages you usually receive).

Apart from PDF files, Microsoft Word and Ichitaro files have also been exploited for virus infection. Caution should be exercised in handling any e-mail attachment.

(II) Check whether your application software is the latest version

For any application software, older versions may have vulnerabilities that can easily be exploited for virus infection. For this reason, it is important to keep your application software up to date so that it has no such vulnerabilities.

IPA provides "MyJVN Version Checker", which allows PC users to check whether application software products often exploited by viruses are installed on their PC (Adobe Reader and Microsoft software products excluded), and if so, whether they are the latest versions. Application software that this tool determines not to be the latest version must be updated manually. For Microsoft products, you can apply updates automatically by using "Microsoft Update", described below.

This countermeasure is also effective in preventing the so-called "Gumblar" attack, and a case example of how to use this tool was presented in the lecture "Never-ending 'Gumblar attack': What countermeasures can be taken?" at the IPA Forum 2010.

For more information on MyJVN, refer to IPA's Web page "MyJVN Version Checker". For information on how to use "MyJVN Version Checker" and the procedure for updating your application software to the latest version, refer to the Web page "To prevent infection via Web pages" listed below.

<Reference>

MyJVN Version Checker now supports Windows 7

In addition to Windows XP and Windows Vista, Windows 7 was added to the supported OSs on November 4, 2010. The monthly average number of accesses to MyJVN Version Checker is over one million. As an increasing number of enterprises and personal users install Windows 7, this tool is expected to be used by many more PC users from now on.

Figure 1-2: Example of Output by "MyJVN Version Checker"

(III) Apply security patches by using Microsoft Update

Vulnerabilities have also been found in Microsoft OSs (such as Windows) and application software, and security patches have been provided for them; so keep your OS and application software up to date by using "Microsoft Update".

(IV) Use antivirus software to prevent virus entry

By installing antivirus software and keeping its virus definition files up to date, you can prevent viruses from entering your PC and clean viruses that have already penetrated it. Most recent viruses are designed so that they can hardly be recognized just by looking at the PC's screen, so it is essential for PC users to have antivirus software to detect and clean viruses.

(4) Countermeasures Against "Zero-Day Attack"

The attack exploiting Vulnerability X this time was a "Zero-Day Attack". A "Zero-Day Attack" is carried out in the window between the time a new vulnerability is discovered and the time a security patch remedying it is released; in short, it attacks a PC whose vulnerability cannot be remedied because no security patch exists yet. Against a "zero-day attack", even a PC running the latest application software is very difficult to defend. If such attacks became prevalent, merely using the Internet might expose your PC to risk.

To avoid falling victim to a "Zero-Day Attack", collecting information is critical. Check the vulnerability information provided by IT-related news sites and vendors, and take appropriate action.

For example, a confirmed "Zero-Day Attack" is in many cases reported by IT-related Web news, so it is recommended to visit such Websites daily to collect information. If you find information on a specific "Zero-Day Attack", also check the information provided by the vendor of the product exploited in that attack. Apart from remedying the vulnerability itself, you can apply a workaround such as disabling the problematic function by changing settings (for a specific example, see *4). In some cases, the vendor posts the planned release time of the security patch on its Website.

IPA's Web page "Security Alert" provides information on vulnerabilities exploited by "Zero-Day Attacks" as well as the actions that should be taken urgently; please check it daily to obtain this information.

Note:

Worry-Free Information Security Consultation Service started

IPA has integrated multiple existing consultation services into one service called "Worry-Free Information Security Consultation Service", which centrally handles inquiries related to information security. The service started on October 19, 2010 and aims to provide adequate information in a timely manner in response to inquirers' questions. IPA is also striving to enrich the FAQ (Frequently Asked Questions) on its Website so that visitors can solve many of their problems by themselves, even outside office hours.

II. Reporting Status of Computer Virus (for further details, please refer to Attachment 1)

(1) Reporting Status of Virus

The virus detection count*1 in October was about 34,000, the same level as September's roughly 34,000, while the virus report count*2 in October was 996, down 7.9 percent from 1,082 in September.

*1 Virus detection count: the number of times a specific virus appeared in the reports submitted, or the aggregate virus detection count for a specific period.

*2 Virus report count: the number of reports submitted on a specific virus. If the same type of virus is reported by the same person with the same detection date, they are counted as one report regarding that virus.

* In October, the virus report count, obtained by consolidating about 34,000 virus detection reports, was 996.

W32/Netsky marked the highest detection count at about 24,000, followed by W32/Mydoom at about 5,000 and W32/Waledac at about 2,000.

Figure 2-1: Virus Detection Count

Figure 2-2: Virus Report Count

(2) Malicious Programs Detected

As for the number of malicious programs detected, October did not see a rapid increase like the ones seen for MALSCRIPT and FAKEAV in September. (See Figure 2-3)

This sort of malicious program is often distributed as an e-mail attachment, and in some cases Bot*3-infected PCs are used for the mail distribution.

Cyber Clean Center (CCC)*4 provides anti-Bot measures as well as online Bot-removal tools. To avoid taking part in the e-mail distribution of malicious programs, check your PC for Bot infection and then implement infection-prevention measures, including blocking the entry of malicious programs.

*3 A Bot penetrates a computer in the same manner as a computer virus and allows the victim's computer to be remotely operated via the network.

*4 Cyber Clean Center is a Bot countermeasure project launched by the Ministry of Internal Affairs and Communications and the Ministry of Economy, Trade and Industry.
What is Cyber Clean Center?
https://www.ccc.go.jp/en_ccc/index.html

Figure 2-3: Changes in Virus Detection Count for Malicious Programs

III. Reporting Status of Unauthorized Computer Access (including Consultations). Please refer to Attachment 2 for further details.

Table 3-1: Number of Reports on Unauthorized Computer Access and the Status of Consultations

                              May'10   Jun.   Jul.   Aug.   Sep.   Oct.
Total for Reported (a)             8     15     14     18     15     14
  Damaged (b)                      5     13      9     12     10      8
  Not Damaged (c)                  3      2      5      6      5      6
Total for Consultation (d)        52     77     44     56     47     40
  Damaged (e)                     22     50     23     16      8     15
  Not Damaged (f)                 30     27     21     40     39     25
Grand Total (a + d)               60     92     58     74     62     54
  Damaged (b + e)                 27     63     32     28     18     23
  Not Damaged (c + f)             33     29     26     46     44     31

(1) Unauthorized Computer Access Reported

The report count for unauthorized computer access in October was 14, 8 of which reportedly involved some damage.

(2) Unauthorized Computer Access and Other Related Problems Consulted

The consultation count for unauthorized computer access and other related problems was 40 (3 of which were also included in the report count). 15 of them reportedly involved some damage.

(3) Damages Caused

The breakdown of the damage reports was: intrusion (5); spoofed address (1); spoofing (2).

Damages caused by "intrusion" were: a Web page being defaced (3); a tool for attacking external sites being embedded in a Web server, which then served as a stepping stone for attacks on other sites (1). The causes of intrusion were: weak password settings (2), a Web application vulnerability being exploited (1), an OS application vulnerability being exploited (1) (the causes of the other cases were unknown).

(4) Damage Instances

[Intrusion]

(i) The initial page of our Website was defaced
<Instance>
  • I was informed by an external party that the "Note List" on the initial page of our Website had been altered in an unauthorized manner by somebody other than its administrator.
  • The altered part can only be changed by using the administrator's ID and password.
  • One of the possible causes is an SQL injection attack.

[Spoofing]

(ii) My account for a free Web-based e-mail service was abused to send a large volume of e-mails
<Instance>
  • My free Web-based e-mail account was accessed in an unauthorized manner and a suspicious e-mail was sent to a large number of people.
  • The messages were written in English and the content was a sort of advertisement.
  • I wonder whether my personal information was leaked somewhere through that unauthorized access. I have no idea what damage has been caused.
  • For the time being, I now disconnect from the Internet except when I am actually using it.

IV. Unauthorized Computer Access Consulted

The total number of consultations in October was 1,813, of which 603 were related to "One-Click Billing" (compared to 820 in September); 13 to "Hard Selling of Security Software" (compared to 13 in September); 7 to "Winny" (compared to 3 in September); and 1 to "A Suspicious E-Mail Sent to a Specific Organization to Collect Specific Information/Data" (compared to 2 in September).

Table 4-1: Total Number of Consultations Handled by IPA over the Past Six Months

                               May'10    Jun.    Jul.    Aug.    Sep.    Oct.
Total                           1,881   1,983   2,133   2,432   2,102   1,813
  Automatic Response System     1,091   1,022   1,142   1,298   1,142   1,065
  Telephone                       714     829     924   1,053     873     675
  e-mail                           76     129      66      75      85      69
  Fax, Others                       0       3       1       6       3       4

* IPA set up the "Worry-Free Information Security Consultation Service", which provides consultation and advice on computer viruses, unauthorized computer access, problems related to Winny, and information security in general.

Tel.: +81-3-5978-7509 (24-hour automatic response; consultations by IPA Security Center personnel are available Mon. to Fri., 10:00-12:00 and 13:30-17:00)
Fax: +81-3-5978-7518 (24-hour automatic response)

* "Automatic Response System": number of consultations handled by the automatic response system
* "Telephone": number of consultations handled by Security Center personnel
* The total includes the figures in the Consultation (d) column of Table 3-1, "III. Unauthorized Computer Access Reported (including Consultations)".

Figure 4-1: Changes in the Number of Consultation Regarding One-Click Billing


Major consultation instances are as follows:

(i) Is my personal information exposed on the Internet?

What was consulted:

When I search for my name on the Internet, my address and name are displayed. They are not something I posted. How can I delete them?

Response:

Because your personal information was posted without your consent, it could be treated as a human rights violation. It is recommended to consult the Human Rights Bureau of the Ministry of Justice. You can also consult the "Internet Hotline Center", which receives reports on illegal and harmful material on the Internet.

(ii) There is an authentic-looking Website with a different address.

What was consulted:

When I searched for a legitimate Website on the Internet, another Website with the same name but a different address also appeared in the search results. I found that the character string ".proxy.******.com" had been added to the address of the legitimate Website. However, the displayed content looked exactly the same as that of the legitimate Website. Isn't this a fake site?

Response:

When we added the character string ".proxy.******.com" to the address of another legitimate Website, we saw the same phenomenon, so it is assumed that the Web page was loaded via a proxy server. It is not a fake site.

We do not know what that proxy server is for, but when access goes through a proxy server whose operator is unknown to you, it is no exaggeration to say that the information passed during that access could be captured by a malicious entity. It is wise not to use proxy-based access carelessly.

V. Access Status Captured by the Internet Fixed-Point Monitoring System (TALOT2) in October

According to the Internet Fixed-Point Monitoring System (TALOT2), 93,749 unwanted (one-sided) accesses were observed at ten monitoring points in October 2010, and the total number of sources* was 38,826. This means that, on average, 302 accesses from 125 sources were observed at one monitoring point per day. (See Figure 5-1)

*Total number of sources: the total number of sources observed by TALOT2. If multiple accesses from the same source were observed at the same monitoring point/port on the same day, they are counted as one access from that source on that day.

Since the environment of each TALOT2 monitoring point is equivalent to that of a general Internet connection, a comparable number of such accesses is thought to occur in ordinary Internet users' system environments.

Figure 5-1: Daily Averaged Number of Unwanted (One-Sided) Accesses and Sources at the Same Monitoring Point/Port per Month

Figure 5-1 shows the daily averaged number of unwanted (one-sided) accesses and sources at the same monitoring point/port per month (from May 2010 to October 2010). As shown in this figure, the number of unwanted (one-sided) accesses decreased significantly in October compared to September.

Figure 5-2 shows the October-over-September comparison of the number of unwanted (one-sided) accesses, classified by destination (port type). As shown in this figure, the number of accesses to 445/tcp decreased to about 71 percent of the September level, which is thought to have contributed to the decrease in the overall figure.

Figure 5-2: October-over-September Comparison for the Number of Access, Classified by Destination (Port Type)

For more detailed information, please also refer to the following URLs.

A variety of statistical information provided by other organizations/vendors is available at the following sites:

Contact

IT Security Center, Information-technology Promotion Agency, Japan (IPA/ISEC)
Tel:+81-3-5978-7527
Fax:+81-3-5978-7518
E-mail: