Font Size Change

HOMEIT SecurityIPA/ISEC in JAPAN:virus and UCA incident report for November2010


IT Security

IPA/ISEC in JAPAN:virus and UCA incident report for November2010

December 14, 2010

IT Security Center
Information-technology Promotion Agency, Japan (IPA)

This is the summary of computer virus/unauthorized computer access incident report for November 2010, compiled by Information-technology Promotion Agency, Japan (IPA).

I. Reminder for the Month:

"Watch out for 'Drive-by Download' attack in which PCs are infected with a virus only by browsing a Website"

Gumblar*1 that spread like wildfire from 2009 through 2010 uses so called "Drive-by Download" attack method, in which the victims' PCs were infected with a virus only by browsing certain Websites, through the mechanism of. In September and October 2010, a new attack that uses this attack method was carried out, affecting a number of domestic Websites. In the future, "Drive-by Download" attacks in various forms are expected to be carried out, so we need to remain alert.

In this Section, we sort out information on "Drive-by Download" attack and present countermeasures that can be taken by Website operators and PC users.

*1 “Let's Learn the Mechanism of Gumblar and Take Appropriate Countermeasures” (IPA, Reminder of the February 2010 issue)

(1)About "Drive-by Download" Attack

"Drive-by Download" attack is an attack that causes a virus or other malicious programs to be downloaded into the victims' PCs upon their visit to certain Websites. For "Drive-by Download" attack, mainly, vulnerabilities in OSs and/or application software running on the user's PC are exploited. Figure 1-1 shows how this attack is carried out.

Figure 1-1:Image of "Drive-by Download" Attack

●The PC's user visits a malicious Website ([a] in the Figure 1-1);

●A virus is downloaded through the exploitation of vulnerability in the user's PC ([b] in Figure 1-1);

●The user's PC is infected with the virus ([c] in Figure 1-1).

(2)Case Example of Recent "Drive-by Download" Attack

One of the popular attacks employing the mechanism of "Drive-by Download" attack is Gumblar that spread like wildfire from 2009 through 2010. Apart from it, a new attack was carried out in September 2010 that alters Websites of advertisement distribution service providers, affecting a number of domestic Websites. In both cases, the attacker alters a legitimate Website so that site visitors are guided to a malicious Website, effectively applying "Drive-by Download" attack described in (1).

The difference between the case of Gumblar and that of advertisement distribution site alteration lies in the part(s) altered by the attacker.

(i)In the case of Gumblar

In the case of Gumblar, the attacker directly alters a legitimate Website so that the site visitors are guided to a malicious Website that leads to a virus-downloading (See Figure 1-2).

Figure 1-2:Example of a Legitimate Website Directly Being Altered

(ii)In the case of Advertisement Distribution Site Alteration

Unlike Gumblar attack, the attacker does not alter the Website itself but its components (e.g., banner ads). The attacker breaks into the server of an enterprise supplying a Website component and alters that component, so that visitors to the Website of an enterprise receiving that component are guided to a malicious Website that leads to a virus-downloading (See Figure 1-3). In this case, it is very difficult to identify where the problem lies as no alteration is found on the part of the developer of that legitimate Website.

Figure 1-3:Example of a Website Component Supplier's Server Being Altered

In this new case introduced this time (hereinafter called this time's case), it is difficult to identify where the problem lies and therefore, developing countermeasures is challenging. However, there are some measures to alleviate damages, including those described in (3), so it is recommended to apply them.

(3)Countermeasures That Can Be Taken by Website Operators

Damage alleviation measures that can be applied to this time's case by Website operators are as follows:

(i)Use a service provided by a company specializing in information security

One of the measures to alleviate damages in this time's case is to use a service provided by a company specializing in information security. It is effective to use a monitoring service that monitors your Website for unauthorized alterations and a sign of exploitation for "Drive-by Download" attack.

(ii)Scan your Website with multiple antivirus software products

Prepare many different antivirus software products (the more the better), install each of them on different PCs, and regularly check your Website using those PCs. By using multiple antivirus software products for the checking, you can increases the probability of identifying problematic part(s).

As in this time's case, if you found no alteration in the Website you crated but you were notified of a virus-infection by a site visitor, saying "When I was browsing your company's Website, a virus was detected by antivirus software," consult with IPA.


(4)Countermeasures That Can Be Taken By PC Users

This time's case is extremely bothersome for Website operators; however, countermeasures taken by PC users are the same as traditional ones. "How to avoid falling victim" to this attack and "How to restore your PC" from damages caused by this attack are follows:

(i)How to avoid falling victim

In order to avoid falling victim to this attack, it is important to eliminate vulnerabilities in OSs (e.g., Windows) and application software running on your PC. Generally, application software used by many people is more likely to become the target of attackers, so keep such application software up-to-date with existing vulnerabilities eliminated. IPA provides "MyJVN Version Checker" – an easy-to operate tool that allows users to check if the software products installed on their PC are of the latest version.


Nowadays, as in Gumblar and this time's case, a legitimate Websites might be altered by an attacker, posing greater risks to site visitors. In order to prevent virus-infection via such Websites, It is essential to use antivirus software. Install antivirus software and keep its virus definition files updated.

(ii)How to restore your PC

If your PC starts to malfunction following a visit to a Website and a virus-infection is suspected, and if no virus is detected or cleaned by the antivirus software installed, IPA recommends that you perform initialization (i.e., restoring default settings) on your PC to ensure that the suspected virus is cleaned.

II. Reporting Status of Computer Virus – further details, please refer to the Attachment 1 –

(1)Reporting Status of Virus

While the virus detection count*1 in November was about 32,000, down 7.2 percent from about 34,000 in October, the virus report count*2 in November was 1,094, up 9.8 percent from 996 in October.

*1 Virus detection count: indicates how many times a specific virus appeared in the reports submitted, or the aggregate virus detection counts for a specific period.

*2 Virus report count: indicates how many reports on a specific virus were submitted. If the same type of viruses were reported by the same person with the same detection day, they are counted as one report regarding the virus of that sort.

*  In October, the virus report count, which was obtained by consolidating about 34,000 virus detection reports, was 996.

W32/Netsky marked the highest detection count at about 23,000, followed by W32/ Mydoom at about 4,000 and W32/Autorun at about 1,000.

Figure 2-1: Virus Detection Count

Figure 2-2: Virus Report Count

(2)Malicious Programs Detected

For the number of malicious programs detected, we have not seen a rapid increase in November. This was the same trend as in October (See Figure 2-3)

This sort of malicious program is often contained in an e-mail attachment and distributed, and in some cases, Bot*3-infected PCs are used for the mail distribution.

Cyber Clean Center (CCC)*4 provides anti-Bot measures as well as online Bot-removal tools.  To avoid taking part in the e-mail distribution of malicious programs, check your PC for Bot infection, and then implement infection-prevention measures, including blocking the entry of malicious programs.


*3 Bot is designed to penetrate into a computer in the same manner as that of a computer virus and to remotely operate the victim's computer via the network.

*4 Cyber Clean Center is a Bot countermeasure project launched by the Ministry of Internal Affairs and Communications and the Ministry of Economy, Trade and Industry.
What is Cyber Clean Center?

Figure 2-3: Changes in Virus Detection Count for Malicious Programs

III. Reporting Status of Unauthorized Computer Access (includes Consultations) Please refer to the Attachment 2 for further details

Table 3-1: Reported Number for unauthorized computer access and the status of consultation
  Jun.'10 Jul. Aug. Sep. Oct. Nov.
Total for Reported (a) 15 14 18 15 14 14
  Damaged (b) 13 9 12 10 8 7
Not Damaged (c) 2 5 6 5 6 7
Total for Consultation (d) 77 44 56 47 40 45
  Damaged (e) 50 23 16 8 15 12
Not Damaged (f) 27 21 40 39 25 33
Grand Total (a + d) 92 58 74 62 54 59
  Damaged (b + e) 63 32 28 18 23 19
Not Damaged (c + f) 29 26 46 44 31 40

(1)Unauthorized Computer Access Reported

The report count for unauthorized computer access in October was 14, 7 of which reportedly had certain damages.

(2)Unauthorized Computer Access and Other Related Problems Consulted

The consultation count for unauthorized computer access and other related problems was 45 (2 of which were also included in the report count). 12 of them reportedly had certain damages.

(3)Damages Caused

The breakdown of the damage reports were: intrusion (4); DoS Attack (1); spoofing (2).

Damages caused by "intrusion" were: a Web page being defaced (2); a tool to attack external sites being embedded into a Web server, which in turn served as a stepping stone for attacking other sites (2). The causes of the intrusion were: week password setting (2), OS and Web application vulnerability being exploited (1) (cause of other cases was unknown).

(4) Damage Instance


(i)An incorrect page was added to our Website
  • –Thanks to the notification from an external party, I learned that an unacquainted incorrect page had been added to our official Website.
  • –I found that somebody had logged into our Website management system in an unauthorized manner and performed alteration.
  • –Through the analysis of access logs, I found the trace of an unauthorized access made via a specific server.
  • –ID and password for the site management was relatively easy to guess, which it thought to be the cause of this incident.


(ii)A large number of access requests were made from a specific IP address
  • –A large number of access requests were made from a specific IP address against an online shopping site, causing degradation in the overall response time of that Website.
  • –Those requests were directed at multiple retail premises in a short period of time, asking for merchandise information.
  • –As a result, response time for an access request from general users significantly slowed, rendering the Website's services unavailable.
  • –As I set the Firewall to block access from that IP address, equivalent number of access attempts was made from another IP address.

IV. Unauthorized Computer Access Consulted

The total number of consultations in November was1692. 483 of which were related to "One-Click Billing" (compared to 603 in October); 18 to "Hard Selling of Security Software" (compared to 13 in October); 8 to "Winny" (compared to 7 in October); 10 to "A Suspicious E-Mail Sent to a Specific Organization to Collect Specific Information/Data" (compared to 1 in October)

Table 4-1: Total Number of Consultations Handled by IPA over the Past Six Months
  Jun.'10 Jul. Aug. Sep. Oct. Nov.
Total 1,983 2,133 2,432 2,102 1,813 1,692
  Automatic Response System 1,022 1,142 1,298 1,142 1,065 1,036
Telephone 829 924 1,053 873 675 580
e-mail 129 66 75 85 69 72
Fax, Others 3 1 6 3 4 4

* IPA set up "Worry-Free Information Security Consultation Service" that provides consultation/advises for computer virus, unauthorized computer access, problems related to Winny as well as overall information security.

Tel.: +81-3-5978-7509 (24-Hour Automatic Response; Consultations are provided by IPA Security Center personnel and available from Mon. � Fri., 10:00 � 12:00, 13:30 � 17:00)
Fax: +81-3-5978-7518 (24-hour automatic response)

*”Automatic Response System”: Numbers responded by automatic response
*”Telephone”: Numbers responded by the Security Center personnel
*Total Number includes the number in the Consultation (d) column in the Table 3-1, “III. Unauthorized Computer Access Reported (including Consultations)”.

Figure 4-1: Changes in the Number of Consultation Regarding One-Click Billing

Major consultation instances are as follows:

(i)An unacquainted device is connected to the wireless LAN router in my house?

What was consulted:

When I checked the connection status of the wireless LAN access point in my house, I found an unacquainted device name "XX-XX-iPhone" in the list of registered devices. None of my family uses iPhone, so I don't know why such device was in the list.


Because encryption setting for the wireless LAN communication was not enabled, it is assumed that an unacquainted iPhone user hanging around your house was "piggybacking" on your wireless LAN access point. If you leave your Wireless LAN unprotected, your Wireless LAN environment might be used in an unauthorized manner and/or communications intercepted.

For secure use of Wireless LAN, it is important to select an appropriate encryption scheme (e.g., WPA2 and AES) and to use a password with twenty or more characters.


(ii)When I inserted a USB thumb drive into the company's PC, a virus was detected.

What was consulted:

On a routine basis, I was exchanging business documents between the company's PC (having antivirus software installed) and my home PC (having no antivirus software) using a USB thumb drive. On one occasion, when I inserted the USB thumb drive into the company's PC, antivirus software issued an alert: "A virus has been detected." What should I do?


Because the virus entry was detected and blocked by antivirus software, we don't think that the company's PC is infected with that virus. On the other hand, it is highly possible that the home PC having no antivirus software has already been infected with that virus.

Because the antivirus software installed on the company's PC was able to detect that virus, it is recommended to purchase the same antivirus software and to scan your home PC for viruses.

One wrong move and the company's PC could also have been infected with that virus. The company should review the rule concerning the use of USB thumb drives.

V. Access Status Captured by the Internet Fixed-Point Monitoring System (TALOT2) in November

According to the Internet Fixed-Point Monitoring System (TALOT2), 83,479 unwanted (one-sided) accesses were observed at ten monitoring points in November 2010 and the total number of sources* was 38,329.  This means on average, 278 accesses form 128 sources were observed at one monitoring point per day. (See Figure 5-1)

*Total number of sources:indicates how many accesses in total were observed by TALOT2.  If multiple accesses from the same source were observed at the same monitoring point/port on the same day, they are considered one access from the specific source on that day.

Since the environment of each monitoring point for TALOT2 is equivalent to that of general Internet connection, an equal number of such accesses are thought to be made in the Internet users’ system environment.

Figure 5-1: Daily, Averaged Number of Unwanted (One-Sided) Accesses and Sources at the Same Monitoring Point/Port per Month

The Figure 5-1 shows daily, averaged number of unwanted (one-sided) accesses and sources at the same monitoring point/port per month (from June 2010 to November 2010). As shown in this Figure, the number of unwanted (one-sided) accesses decreased significantly in November compared to October.

The Figure 5-2 shows the November-over-October comparison results for the number of unwanted (one-sided) accesses, classified by destination (port type). As shown in this Figure, compared to the October level, there has been a particular increase in the number of access to 445/tcp. Access to this port has been made from multiple sources overseas and from late October, an increasing number of such accesses were observed at multiple monitoring points for TALOT2.

As for access to 9415/udp that was addressed in the June, August and September issues, such access began to decrease after peaking in mid-October (See Figure 5-3). Software program with the proxy feature that is posted on a Website in China was found to be waiting for this post to open. It is assumed that the decline in the access from China to explore this port has attributed to the decrease in overall figure.

Figure 5-2: November-over-October Comparison for the Number of Access, Classified by Destination (Port Type)

Figure 5-3: Access to 9415/tcp

For more detailed information, please also refer to the following URLs.

Variety of statistical Information provided by the other organizations/vendors is available at the following sites:


IT Security Center, Information-technology Promotion Agency, Japan (IPA/ISEC)