
IPA/ISEC in JAPAN: Virus and UCA Incident Report for December 2010

January 18, 2011

IT Security Center
Information-technology Promotion Agency, Japan (IPA)

This is the summary of the computer virus and unauthorized computer access (UCA) incident reports for December 2010, compiled by the Information-technology Promotion Agency, Japan (IPA).

I. Reminder for the Month:

"Remember that even now computer viruses are evolving and apply updates consistently*1"

*1 The 6th IPA Information Security Poster & Slogan Competition for Students (Conducted in fiscal 2010), Bronze Prize in the Slogan Category for High School Students: Mr. Shogo Hayashi (2nd grade student of Rikkyo Niiza High School, in Saitama, Japan)

In 2010, various information-security-related events occurred, including a large number of PCs being infected with a virus merely by browsing legitimate Websites, computer-virus creators being arrested, and a succession of information leaks. Typical examples of such cases are:

●A number of legitimate Websites were defaced, ranging from those of leading companies to personal blogs. As a result, PC users visiting those sites contracted computer viruses (January to December).

●Information leakage by means of unauthorized access (March, September, November, December), and human-caused leakage of sensitive information (October, November)

●The re-arrest of a virus creator (August), and the first arrest of a person for fraud committed through the use of a computer virus (May)

●A number of Website defacements, of both public- and private-sector sites, associated with political disputes with neighboring countries (September)

Furthermore, the techniques used to attack PC users have become more multifaceted.

In this report, we look back at what happened in 2010 and provide commentary on, and countermeasures against, the following three immediate information security threats:

(1)Transition of attack methods involving "Drive-by Download"*2

(2)Transition of fraudulent techniques

(3)Information security threats concerning Smart Phones

We also consider the direction that information security threats (i.e., attack methods) will take in 2011.

*2 "Watch out for 'Drive-by Download' attack in which PCs are infected with a virus only by browsing a Website" (the December 2010 issue by IPA)

Figure 1-1:Various Forms of Virus-Infection and Threats

(1)Transition of Attack Method Involving "Drive-By Download"

Looking at the information security incidents (i.e., incidents and accidents related to information security) that occurred in 2010, the growing sophistication of "Drive-by Download" attacks stood out. This attack method, also used by the so-called "Gumblar" attacks*3, has become the mainstream method of infecting PCs with a virus in recent years.

To prevent damage caused by "Drive-by Download" attacks, you need to understand (i) how PC users are guided to a malicious Website, (ii) how a legitimate Website is altered, and (iii) how PCs are infected with a virus, because these three elements make up a "Drive-by Download" attack and each of them has been evolving. The remainder of this section explains each in turn.

*3 "Let’s learn the mechanism of Gumblar and take appropriate countermeasures" (the February 2010 issue by IPA)

(i)How it guides PC users to a malicious Website

In the past, it was thought that one could avoid the risk of contracting a virus as long as one did not browse suspicious Websites. Recently, however, even a legitimate Website may be altered by an attacker to carry out a "Drive-by Download" attack.

To guide PC users to such a Website, the attacker may, for example, manipulate Search Engine Optimization (SEO), a technique for improving a Website's ranking in keyword search results, so that a Website carrying out a "Drive-by Download" attack appears at the top of the search result list (see Figure 1-2). PC users, not noticing that the link is a trap, may click on it and be led to the malicious Website. Such Websites are removed from the search results if they are detected by the search engine's monitoring process, but if removal takes a long time, heavy damage can result.

Figure 1-2:Image of Exploitation of SEO

(ii)How it alters a legitimate Website

In September 2010, a case was confirmed in which not a Website itself but its components had been altered by an attacker. The targeted components were advertising banners and other parts supplied by external providers to enterprises and others for their Websites; the attackers had apparently embedded operation code, which guides site visitors to a malicious Website, into the data area of those components. In this new method*4, the attackers broke into the servers of the Website component providers and altered the data stored there. Until 2009, the typical Website alteration technique was SQL injection; since 2009, unauthorized access using a stolen FTP account has frequently been observed (as in the case of Gumblar*5). In every case, "operation code" for guiding site visitors to a malicious Website was embedded into Web pages.

*4 "Watch out for 'Drive-by Download' attack in which PCs are infected with a virus only by browsing a Website" (the December 2010 issue by IPA)

*5 "Review how your Website is managed!" (the April 2010 issue by IPA)
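The following Python script is an added example (not part of the IPA report) of the kind of self-check a Website administrator can run against their own pages for the injected "operation code" described above. It flags hidden or zero-size iframes, script or frame sources on hosts outside an allowlist, and inline scripts with eval/unescape-style obfuscation. The sample page, the allowlist hosts and the 203.0.113.5 address are constructed for the example; the patterns are heuristics, and a clean result does not prove a site is untouched, so this complements rather than replaces comparing the served files against a known-good copy.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (example data, not a real defaced site): a normal page into which
# a hidden iframe and an obfuscated inline script of the kind described above were injected.
SAMPLE_HTML = """<html><head><title>Example Corp</title>
<script src="/js/site.js"></script>
<script src="http://ads.partner.example/banner.js"></script>
</head><body>
<h1>Welcome</h1>
<iframe src="http://203.0.113.5/in.php" width="0" height="0" style="visibility:hidden"></iframe>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%27%29'));</script>
</body></html>"""

# Hosts this site is known to load scripts and frames from (assumed allowlist for the example).
TRUSTED_HOSTS = {"www.example.com", "ads.partner.example"}

# Patterns typical of injected loader code: eval/unescape chains, long %xx runs, fromCharCode.
_OBFUSCATION = re.compile(
    r"eval\s*\(\s*unescape|unescape\s*\(|(?:%[0-9a-fA-F]{2}){8,}|String\.fromCharCode", re.I
)


class InjectScanner(HTMLParser):
    """Collects (kind, detail) findings for elements that look like injected redirectors."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted = trusted_hosts
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            hidden = "display:none" in style or "visibility:hidden" in style
            if tiny or hidden:
                self.findings.append(("hidden-iframe", a.get("src", "")))
        if tag in ("script", "iframe") and a.get("src"):
            host = urlparse(a["src"]).hostname
            if host and host not in self.trusted:
                self.findings.append(("untrusted-src", a["src"]))
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers the raw content of <script> elements here.
        if self._in_script and _OBFUSCATION.search(data):
            self.findings.append(("obfuscated-script", data.strip()[:60]))


def scan_html(html, trusted_hosts=TRUSTED_HOSTS):
    """Return the list of suspicious findings for one page (empty list = nothing flagged)."""
    scanner = InjectScanner(trusted_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_HTML):
        print(f"{kind:18} {detail}")
```

Run it over every HTML file the server serves, not only the top page: in the 2009-2010 cases the injected code was typically appended to many files at once with the stolen FTP credentials, so any file with a modification time you cannot account for deserves the same check.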

(iii)A Virus-infection from a malicious Website

In 2010, the following methods were used to infect PCs with a virus in "Drive-by Download" attacks:

・Exploitation of vulnerabilities in application software such as Adobe Reader, Flash Player and JRE (Java Runtime Environment)

・Exploitation of a vulnerability in Windows: a vulnerability in the Windows Shell (MS10-046) was exploited. In this new attack*6, PCs are infected with a virus merely by opening a folder containing a doctored shortcut (.lnk) file.

*6 "A virus has emerged that spreads via USB thumb drive with a new attack method!" (the September 2010 issue by IPA)

How to prevent it

Nowadays, even specialists cannot tell which Websites will infect visitors' PCs with a virus, so virus infection cannot be prevented merely by being careful about which Websites you browse. As shown in (iii), attackers exploit a variety of vulnerabilities to cause infection, so it is essential to eliminate vulnerabilities in the OS and application software running on your PC. It is also effective to install "integrated antivirus software" that can block access to harmful Websites, and to keep it up to date. Collecting information on vulnerabilities in OSs and application software on a daily basis should help you respond appropriately in the event of an incident.

IPA provides, free of charge, "MyJVN Version Checker", an easy-to-use tool that lets PC users check whether the software products installed on their PC are the latest versions.

The Web page hosting this tool receives about one million accesses per month on average (with a record high of about four million in January 2010), indicating that it is used regularly by PC users. Windows 7 has also been supported since November 2010.


(2)Transition of Fraudulent Technique

The recent trend is for attackers to deceive PC users by means of spoofing. Various fraudulent techniques have been observed so far, including spam e-mails disguised as seasonal greeting cards, and the exploitation of popular Web services such as social networking services (e.g., mixi, Facebook), micro-blogging services (e.g., Twitter) and user-generated video sites (e.g., YouTube). This section explains the mechanism of these fraudulent techniques.

(i)An Attack that Exploits Popular Services

Attackers use the services and functions within SNSs and deceive PC users with the following techniques:

・Posting an article that appeals to the reader's desires and induces PC users to click on the trapping link it contains

For example, on Twitter, an attacker may tweet "xxx is now available free of charge!" or "Chance to get a gift card worth 1,000 dollars!" to induce PC users to click on the trapping link contained in the tweet. Those who click on it are led to a phishing Website or to a Website that infects visitors' PCs with a virus.

・Exploiting a URL-shortening ("abbreviated URL") service*7

Such a service converts a long URL beginning with "http://" into a shorter one. Shortened URLs are often used on micro-blogs, which only allow a limited number of characters per post. They are convenient, but attackers also use them to guide PC users to a malicious Website, since the original URL is hidden from the user.

*7 "Watch out for an attack that focuses on a popular service!" (the May 2010 issue by IPA)

(ii)An Attack that Exploits E-mails (A Virus Attached to an E-mail)

In this attack, the attacker sends an e-mail spoofed to look as if it came from a friend or acquaintance of the recipient, or as if it contained useful information on a commercial product of interest to the recipient. These e-mails typically carry either a URL that leads the recipient to a Website that causes a virus infection, or an attachment containing a virus. If the recipient clicks on the link or opens the file, the PC is infected. The recipient may do so without careful consideration because the e-mail appears to come from an acquaintance or to contain useful, relevant information.

The contents of such e-mails are chosen to be attractive to the recipient (e.g., information on international sports events, popular games or products made by well-known enterprises, or text containing currently fashionable keywords).

How to prevent it

In most of the attacks described above, a technique for putting PC users off their guard was applied. Even if a message seems to be a "tempting offer", if it is unrelated to you, leave it alone or delete it immediately. And even if a tweet, message or e-mail comes from an acquaintance, if anything about it looks suspicious, treat it with doubt and refrain from opening any attached file or clicking any URL it contains. As for shortened URLs, you can find out the original URL by using a tool or service that expands shortened URLs and displays the destination.

Collecting information from news sites and other sources on a daily basis should help you understand the mechanism of new fraud techniques and establish preventive measures.
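As an added example (not from the IPA report), the following Python code expands a shortened URL the way such a tool does: it follows the redirect chain with HEAD requests only, never fetching a page body, and stops on loops or over-long chains. The redirect table and the short.example / r.example hosts are constructed so that the code runs offline; `live_head` shows how to obtain the same (status, Location) pair from a real server with urllib, and is the only part that touches the network.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin

REDIRECT_CODES = (301, 302, 303, 307, 308)

# Constructed redirect table standing in for the responses a shortener and an intermediate
# redirector would give (example data, not captured from any real service).
FAKE_RESPONSES = {
    "http://short.example/abc": (301, "http://r.example/go?x=1"),
    "http://r.example/go?x=1": (302, "/landing"),
    "http://r.example/landing": (200, None),
    "http://short.example/loop1": (302, "http://short.example/loop2"),
    "http://short.example/loop2": (302, "http://short.example/loop1"),
}


def fake_head(url):
    """Offline stand-in for live_head(): returns (status, Location header or None)."""
    return FAKE_RESPONSES.get(url, (404, None))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError for a 3xx instead of following it,
    # so each hop is observed individually and no final page is ever loaded.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_head(url, timeout=5):
    """Send one HEAD request and return (status, Location) without following redirects."""
    req = urllib.request.Request(url, method="HEAD")
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def expand_short_url(url, head=fake_head, max_hops=5):
    """Follow the redirect chain hop by hop using HEAD only.

    Returns (final_url, chain). Raises ValueError on a loop or an over-long chain; both
    are themselves reasons to treat the link as suspicious.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = head(url)
        if status not in REDIRECT_CODES or not location:
            return url, chain
        nxt = urljoin(url, location)          # Location may be relative
        if nxt in seen:
            raise ValueError("redirect loop: " + " -> ".join(chain + [nxt]))
        seen.add(nxt)
        chain.append(nxt)
        url = nxt
    raise ValueError("more than %d redirects: %s" % (max_hops, " -> ".join(chain)))


if __name__ == "__main__":
    final, chain = expand_short_url("http://short.example/abc")
    print(" -> ".join(chain))
```

Pass `head=live_head` to expand a real link. Note that a HEAD to the shortener still tells the shortener (and any intermediate redirector) that the link was looked up, and that some attack pages serve different content per User-Agent or referrer, so the final URL should be judged, not visited.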

(3)Information security threats concerning Smart Phone

Smart Phones are a type of mobile phone that has recently become popular. Several vulnerabilities have been found in their OSs, along with some viruses that infect them. The number of Smart Phone users is expected to rise in the future, and so is the number of attacks targeting Smart Phones.

(i)Case examples of attacks

Several viruses that infect Smart Phones have been detected. Attackers embed such viruses in system update files or in applications that pretend to be useful, to induce Smart Phone users to download them. Major vulnerability information and case examples of virus infection are as follows:

iPhone(Apple iOS)

・A vulnerability in PDF-file processing was found, along with a vulnerability that allows elevation of privilege.

・A virus was found that changes the wallpaper. It infects iPhones whose protection feature has been disabled (so-called "jailbreaking").

Android(Google Android)

・A vulnerability was found in Android's standard Web browser that allows attackers to steal user information. Files stored in the phone's internal storage or on memory cards could also be stolen.

・A virus was found in Russia that abuses the billing function of SMS (Short Message Service, a service for exchanging short text messages between mobile phones). Posing as video-playback software, it induces phone users to install it. Once installed, it sends SMS messages on its own. Overseas there are SMS services that charge the sender per message (premium-rate SMS), so by having infected phones send messages to such services, attackers can fraudulently collect the charges paid by the phone's owner.

・A virus was found that sends the phone user's location information to external parties without authorization. It is disguised as an ordinary application and distributed from Android Market, the Website that sells and distributes applications for Android terminals.

How to prevent it

As with PCs, mobile phone users should eliminate vulnerabilities to avoid contracting a virus: keep the OS and application software running on your phone up to date. It is also important to acquire applications only from reliable sites.

・Apple iOS

Applications for Apple iOS are available only from Apple's official "App Store". Applications acquired from the App Store let their users check whether updates are available and apply them through a centrally managed update mechanism; users are advised to check regularly. Users should not disable iOS's protection feature (i.e., should not jailbreak the device).

・Google Android

Applications for Google Android should be acquired only from Android Market or other sites that let you check for updates and apply them through a centrally managed mechanism; avoid acquiring them from personal or unreliable sites. When acquiring applications from a source other than Android Market, it is recommended to first check for any negative reputation concerning them by searching for their names on the Internet. To avoid installing a low-reliability application, make sure that the check box "Allow applications from an unknown source to be installed" is unchecked.

(4)Foresight for the Year 2011

The three threats discussed above are expected to grow in the future. Our outlook for each is as follows:

●Attack method involving "Drive-by Download"

As a way of guiding site visitors directly to a malicious Website, SEO poisoning*8 is expected to be used frequently in the future, because Internet users tend to start with a keyword search. If an attacker manipulates SEO so that a link to a malicious Website appears in the search results, PC users may click on it and become infected. More efficient and sophisticated techniques for spreading viruses will likely emerge, so it is important to keep an eye out for new information. Whenever a vulnerability comes to light, attackers exploit it, and this trend will remain unchanged. Depending on the vulnerability, a new attack method may be developed and a new virus with a new form of infection may emerge.

*8 SEO poisoning: A technique that causes a link to a malicious Website to be displayed in keyword search results by exploiting the mechanism of SEO.

●Fraudulent technique

Due to the rise in PC users' security awareness and the advanced anti-spam measures taken by ISPs, attackers have come to use not only spam e-mails but also social networking services. This trend is expected to continue for some time.

●Information security threats concerning Smart Phone

As with PCs, "Drive-by Download" attacks that exploit vulnerabilities in Smart Phones are expected to be carried out frequently.

Depending on the virus with which a Smart Phone is infected, personal information stored in the address book might be leaked, or the user might be defrauded of money or suffer other serious damage.

II. Reporting Status of Computer Virus (for further details, please refer to Attachment 1)

(1)Reporting Status of Virus

While the virus detection count*1 in December was about 23,000, down 28.2 percent from about 32,000 in November, the virus report count*2 in December was 874, down 20.1 percent from 1,094 in November.

*1 Virus detection count: indicates how many times a specific virus appeared in the reports submitted, or the aggregate virus detection counts for a specific period.

*2 Virus report count: indicates how many reports on a specific virus were submitted. If the same type of viruses were reported by the same person with the same detection day, they are counted as one report regarding the virus of that sort.

* In December, the virus report count, obtained by consolidating about 23,000 virus detections, was 874.

W32/Netsky marked the highest detection count at about 17,000, followed by W32/Mydoom at about 3,000 and W32/Autorun at about 1,000.

Figure 2-1: Virus Detection Count

Figure 2-2: Virus Report Count

(2)Malicious Programs Detected

For the number of malicious programs detected, we have not seen a rapid increase like the one marked in September; the trend is the same as in October and November (see Figure 2-3).

This sort of malicious program is often distributed as an e-mail attachment, and in some cases Bot*3-infected PCs are used to send the mail.

Cyber Clean Center (CCC)*4 provides anti-Bot measures as well as online Bot-removal tools. To avoid taking part in the e-mail distribution of malicious programs, check your PC for Bot infection and then implement infection-prevention measures, including blocking the entry of malicious programs.


*3 A Bot penetrates a computer in the same manner as a computer virus and allows an attacker to remotely operate the victim's computer via the network.

*4 Cyber Clean Center is a Bot countermeasure project launched by the Ministry of Internal Affairs and Communications and the Ministry of Economy, Trade and Industry.

Figure 2-3: Changes in Virus Detection Count for Malicious Programs

III. Reporting Status of Unauthorized Computer Access (includes Consultations) (please refer to Attachment 2 for further details)

Table 3-1: Reported Number of Unauthorized Computer Access and the Status of Consultation
                               Jul.'10  Aug.  Sep.  Oct.  Nov.  Dec.
Total for Reported (a)             14    18    15    14    14    22
  Damaged (b)                       9    12    10     8     7     7
  Not Damaged (c)                   5     6     5     6     7    15
Total for Consultation (d)         44    56    47    40    45    27
  Damaged (e)                      23    16     8    15    12     7
  Not Damaged (f)                  21    40    39    25    33    20
Grand Total (a + d)                58    74    62    54    59    49
  Damaged (b + e)                  32    28    18    23    19    14
  Not Damaged (c + f)              26    46    44    31    40    35

(1)Unauthorized Computer Access Reported

The report count for unauthorized computer access in December was 22, of which 7 reportedly involved actual damage.

(2)Unauthorized Computer Access and Other Related Problems Consulted

The consultation count for unauthorized computer access and related problems was 27 (3 of which were also included in the report count), of which 7 reportedly involved actual damage.

(3)Damages Caused

The breakdown of the damage reports was: intrusion (5); DoS attack (1); malicious code embedded (1).

Damage caused by "intrusion" was: data stolen (1); a tool for attacking external sites embedded into a Web server, which then served as a stepping stone for attacks on other sites (1); an account created without authorization (1); and others (2). The causes of the intrusions were: inappropriate server settings (2); OS and Web application vulnerabilities exploited (3).

(4)Damage Instances


(i)Our Website was accessed in an unauthorized manner through the exploitation of a vulnerability in a Web application
・I found a trace of unauthorized access to our Website. A Website access log analysis tool detected an abnormal figure, indicating that such unauthorized access had been made.
・Through in-depth analysis of the access log, the cause of the unauthorized access was found to be an SQL injection attack.
・A Web application in use had an SQL injection vulnerability, which the attacker exploited to attack our Website.
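As an added illustration (not part of the reporter's account or of the IPA report), the following Python code shows both halves of case (i): a scan of Web server access-log lines for SQL injection indicators, which is the kind of "abnormal figure" a log analysis tool surfaces, and the vulnerable string-concatenated query beside its parameterized fix. The log lines, IP addresses, table names and the item.php path are all constructed for the example.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed Web server access-log lines in Apache "combined" format (example data, not
# a real log). The last three requests carry SQL injection probes in the query string.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Dec/2010:10:01:02 +0900] "GET /item.php?id=42 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Dec/2010:10:01:04 +0900] "GET /index.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Dec/2010:10:01:05 +0900] "GET /item.php?id=42%27 HTTP/1.1" 500 311 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Dec/2010:10:01:09 +0900] "GET /item.php?id=42%27%20UNION%20SELECT%20user,pass%20FROM%20members-- HTTP/1.1" 200 8790 "-" "Mozilla/5.0"
198.51.100.3 - - [12/Dec/2010:10:02:00 +0900] "GET /item.php?id=7%20OR%201=1 HTTP/1.1" 200 9901 "-" "Mozilla/5.0"
"""

_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Indicators checked against the URL-decoded request path: a quote, UNION ... SELECT,
# tautologies such as OR 1=1, SQL comment openers, and time-based probes.
_SQLI = re.compile(
    r"'|\bunion\b.*\bselect\b|\bor\b\s+\d+\s*=\s*\d+|--|/\*|\bsleep\s*\(|\bwaitfor\b", re.I
)


def find_sqli_requests(log_text):
    """Return (ip, status, decoded_path) for each request that looks like an injection probe."""
    hits = []
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        decoded = unquote_plus(m["path"])   # attackers URL-encode the payload
        if _SQLI.search(decoded):
            hits.append((m["ip"], int(m["status"]), decoded))
    return hits


def suspicious_sources(log_text):
    """Probe count per source IP; a burst of probes with 5xx errors is the 'abnormal figure'."""
    counts = {}
    for ip, _status, _path in find_sqli_requests(log_text):
        counts[ip] = counts.get(ip, 0) + 1
    return counts


# --- the defect behind case (i), and its fix ------------------------------------------
def setup_db():
    """In-memory stand-in for the Web application's database (constructed example data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    db.execute("CREATE TABLE members (user TEXT, pass TEXT)")
    db.executemany("INSERT INTO items VALUES (?, ?)", [(42, "widget"), (7, "gadget")])
    db.execute("INSERT INTO members VALUES ('admin', 's3cret')")
    return db


def lookup_vulnerable(db, item_id):
    # The request parameter is pasted into the SQL text, so "42 UNION SELECT ..." executes.
    return db.execute("SELECT name FROM items WHERE id = " + item_id).fetchall()


def lookup_fixed(db, item_id):
    # Bound parameter: the value is data only and cannot alter the statement. A non-numeric
    # value simply matches no row (validate the type as well in real code).
    return db.execute("SELECT name FROM items WHERE id = ?", (item_id,)).fetchall()


if __name__ == "__main__":
    for ip, status, path in find_sqli_requests(SAMPLE_LOG):
        print(ip, status, path)
    db = setup_db()
    print(lookup_vulnerable(db, "42 UNION SELECT pass FROM members"))
    print(lookup_fixed(db, "42 UNION SELECT pass FROM members"))
```

The indicator list is deliberately broad; on a real log it will also match legitimate requests containing apostrophes, so rank sources by probe count and by the share of 5xx responses rather than alerting on a single line.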
(ii)An attack tool was embedded from outside into our server, whose settings were incorrect. As a result, our server was used as a stepping stone for attacking others
・I confirmed that our server had been attacked from outside and that a tool for attacking others had been embedded.
・I found that our server had also been used as a stepping stone for connecting to an IRC server.
・Upon inspecting our server, I found incorrect settings made by the company in charge of configuring it.
・The configuration files "/etc/hosts.allow" and "/etc/hosts.deny", which control access from other computers, contained setting errors, making it easy for an attacker to break into the server from outside.
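To make the setting error in case (ii) concrete, here is an added example (not from the report) in Python that models how TCP Wrappers evaluates /etc/hosts.allow and /etc/hosts.deny and audits two constructed configurations: a weak one with "ALL: ALL" in hosts.allow and nothing in hosts.deny, and the corrected default-deny layout. The addresses and service names are assumed for the example, and the matcher is simplified (no EXCEPT lists, hostnames or option fields). TCP Wrappers only governs services linked with libwrap or started through tcpd, so a host firewall is still needed for everything else.

```python
import ipaddress

# Two constructed TCP Wrappers configurations (example data). WEAK reproduces the kind of
# setting error described in case (ii): hosts.allow opens every service to every host and
# hosts.deny denies nothing. FIXED is the corrected default-deny layout.
WEAK = {
    "hosts.allow": "ALL: ALL\n",
    "hosts.deny": "# nothing listed\n",
}
FIXED = {
    "hosts.allow": (
        "sshd: 192.0.2.0/255.255.255.0, 10.0.0.10   # admin subnet and jump host\n"
        "httpd: ALL\n"
    ),
    "hosts.deny": "ALL: ALL\n",
}


def parse_rules(text):
    """Parse 'daemon_list : client_list [: option]' lines into (daemons, clients) tuples."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():   # join backslash continuations
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue  # malformed line; tcpd would log and ignore it
        daemons = [d.strip() for d in fields[0].split(",") if d.strip()]
        clients = [c.strip() for c in fields[1].split(",") if c.strip()]
        rules.append((daemons, clients))
    return rules


def _client_matches(pattern, ip):
    # Simplified: ALL, exact address, a.b.c.d/mask, or a trailing-dot prefix such as "192.0.2.".
    if pattern == "ALL":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return pattern == ip


def _matches(rule, daemon, ip):
    daemons, clients = rule
    return ("ALL" in daemons or daemon in daemons) and any(_client_matches(c, ip) for c in clients)


def is_allowed(files, daemon, ip):
    """tcpd order: first match in hosts.allow grants; otherwise first match in hosts.deny
    denies; otherwise access is GRANTED. That last default is why a missing 'ALL: ALL'
    in hosts.deny leaves every unlisted service open."""
    if any(_matches(r, daemon, ip) for r in parse_rules(files.get("hosts.allow", ""))):
        return True
    if any(_matches(r, daemon, ip) for r in parse_rules(files.get("hosts.deny", ""))):
        return False
    return True


def audit(files):
    """Return a list of configuration problems (an empty list means the basic layout is sound)."""
    problems = []
    allow = parse_rules(files.get("hosts.allow", ""))
    deny = parse_rules(files.get("hosts.deny", ""))
    if not any(d == ["ALL"] and c == ["ALL"] for d, c in deny):
        problems.append("hosts.deny lacks 'ALL: ALL'; services not explicitly denied are open to all hosts")
    for d, c in allow:
        if "ALL" in d and "ALL" in c:
            problems.append("hosts.allow contains 'ALL: ALL', granting every service to every host")
    return problems


if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(name, audit(cfg) or "ok",
              "sshd from 203.0.113.5:", is_allowed(cfg, "sshd", "203.0.113.5"))
```

On a real host, read the two files from /etc and pass them in the same dictionary shape; services that are not wrapped at all will of course answer regardless of what either file says, which is the other check worth running.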

IV. Unauthorized Computer Access Consulted

The total number of consultations in December was 1,536, of which 474 were related to "One-Click Billing" (483 in November); 10 to "Hard Selling of Security Software" (18 in November); 4 to "Winny" (8 in November); and 0 to "A Suspicious E-mail Sent to a Specific Organization to Collect Specific Information/Data" (10 in November).

Table 4-1: Total Number of Consultations Handled by IPA over the Past Six Months
                            Jul.'10   Aug.   Sep.   Oct.   Nov.   Dec.
Total                         2,133  2,432  2,102  1,813  1,692  1,536
  Automatic Response System   1,142  1,298  1,142  1,065  1,036    954
  Telephone                     924  1,053    873    675    580    531
  e-mail                         66     75     85     69     72     49
  Fax, Others                     1      6      3      4      4      2

* IPA has set up the "Worry-Free Information Security Consultation Service", which provides consultation and advice on computer viruses, unauthorized computer access, problems related to Winny, and information security in general.

Tel.: +81-3-5978-7509 (24-hour automatic response; consultations are provided by IPA Security Center personnel and available Mon.-Fri., 10:00-12:00 and 13:30-17:00)
Fax: +81-3-5978-7518 (24-hour automatic response)

*"Automatic Response System": number of calls answered by the automatic response system
*"Telephone": number of calls answered by Security Center personnel
*The total number includes the number in the Consultation (d) row of Table 3-1, "III. Reporting Status of Unauthorized Computer Access (includes Consultations)".

Figure 4-1: Changes in the Number of Consultation Regarding One-Click Billing

Major consultation instances are as follows:

(i)I received an e-mail from my ISP, saying "Your PC is carrying out an activity that violates a copyright"

What was consulted:

I received an e-mail from my ISP, saying "An activity that violates a copyright is being carried out by a terminal that can only be logged on with your login ID."

I don't know what is going on. What should I do?


Judging from the contents of the e-mail from your provider, are you using file-sharing software such as Winny? If you are sure you have not installed it, it is possible that someone else in your family has.

As far as the copyright violation itself is concerned, there is nothing we can advise, but if you are using file-sharing software such as Winny, your PC might be infected with a virus, which might result in information leakage.

Since January 1, 2010, the Police Agency has been monitoring file-sharing networks, and there has been a report of a person being arrested for copyright violation. So if you have any concerns, you should promptly take appropriate steps.


(ii)Infected with a USB-thumb-drive-based virus

What was consulted:

After I inserted a USB thumb drive into my notebook, which was running antivirus software whose renewal deadline had passed, I became unable to access the Websites of Microsoft, Symantec, etc.

When I inserted that USB thumb drive into a PC running valid antivirus software, a virus called "W32.Downadup" was detected.

When I asked the manufacturer of my notebook to check it, I was advised to perform initialization, but I want to avoid that as far as practicable.


W32.Downadup is a virus that exploits vulnerabilities in Windows, and it has been confirmed to use USB thumb drives as an infection route. If you had renewed the antivirus software running on your notebook, you would likely have been able to avoid the infection. Access to the Websites of Microsoft, Symantec, etc. is apparently being blocked by this virus.

By updating your antivirus software you may be able to remove the virus, but if that does not work, initializing the PC is recommended.


V. Access Status Captured by the Internet Fixed-Point Monitoring System (TALOT2) in December

According to the Internet Fixed-Point Monitoring System (TALOT2), 81,226 unwanted (one-sided) accesses were observed at ten monitoring points in December 2010, and the total number of sources* was 37,550. This means that, on average, 290 accesses from 134 sources were observed at one monitoring point per day (see Figure 5-1).

*Total number of sources: indicates how many distinct sources were observed by TALOT2. If multiple accesses from the same source were observed at the same monitoring point and port on the same day, they are counted as one access from that source on that day.

Since the environment of each TALOT2 monitoring point is equivalent to that of a general Internet connection, a similar number of such accesses is thought to reach ordinary Internet users' systems.

*For maintenance work, the systems were shut down from December 22 to December 24, so the statistics were derived from data excluding those three days. Normally the systems are in operation at all times.
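As an added example (not part of the report), the following Python code implements the "source" definition above over constructed access records, and reproduces the report's per-point, per-day averages from its monthly totals, assuming the stated ten monitoring points and 31 minus 3 maintenance days (28 observed days); 81,226/280 and 37,550/280 do come out at 290 and 134. The records and the port_deltas inputs are constructed data.

```python
from collections import Counter

# Constructed one-sided access records as (monitoring_point, day, source_ip, dst_port/proto).
# Example data only; the real TALOT2 feed is not reproduced here.
RECORDS = [
    ("P1", "2010-12-01", "198.51.100.1", "445/tcp"),
    ("P1", "2010-12-01", "198.51.100.1", "445/tcp"),   # repeat: 2 accesses but 1 source
    ("P1", "2010-12-01", "198.51.100.1", "135/tcp"),   # same host, other port: separate source
    ("P1", "2010-12-02", "198.51.100.1", "445/tcp"),   # same host, next day: separate source
    ("P2", "2010-12-01", "203.0.113.9", "17500/udp"),
    ("P2", "2010-12-01", "203.0.113.10", "17500/udp"),
]

POINTS = 10                # TALOT2 monitoring points in December 2010 (from the report)
OBSERVED_DAYS = 31 - 3     # December minus the three maintenance days (22-24)


def count_sources(records):
    """TALOT2's 'source' metric: one entry per distinct (point, day, source, port) tuple."""
    return len({(p, d, s, port) for p, d, s, port in records})


def per_point_per_day(total, points=POINTS, days=OBSERVED_DAYS):
    """Average of a monthly total over one monitoring point and one observed day."""
    return round(total / (points * days))


def summarize(records, points, days):
    """Totals, deduplicated source count, per-point/day averages and a per-port breakdown."""
    accesses = len(records)
    sources = count_sources(records)
    return {
        "accesses": accesses,
        "sources": sources,
        "avg_accesses": accesses / (points * days),
        "avg_sources": sources / (points * days),
        "by_port": dict(Counter(port for _, _, _, port in records)),
    }


def port_deltas(this_month, last_month):
    """Month-over-month change per destination port (the comparison drawn in Figure 5-2)."""
    ports = set(this_month) | set(last_month)
    return {p: this_month.get(p, 0) - last_month.get(p, 0) for p in sorted(ports)}


if __name__ == "__main__":
    # Reproduce the report's averages from its monthly totals.
    print(per_point_per_day(81226), per_point_per_day(37550))
    print(summarize(RECORDS, points=2, days=2))
```

The dedup key matters when reading the figures: one scanner sweeping all ports of one sensor on one day counts as many sources, while the same host hitting 445/tcp a thousand times counts as one, so a jump in "sources" without a matching jump in "accesses" points to wider scanning rather than more of it.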

Figure 5-1: Daily, Averaged Number of Unwanted (One-Sided) Accesses and Sources at the Same Monitoring Point/Port per Month (From July 2010 to December 2010)

Figure 5-1 shows the daily averaged number of unwanted (one-sided) accesses and sources at the same monitoring point/port per month (from July 2010 to December 2010). As shown in this figure, the number of unwanted (one-sided) accesses increased in December compared with November.

Figure 5-2 shows the December-over-November comparison of the number of unwanted (one-sided) accesses, classified by destination (port type). As shown in this figure, compared with the November level there was a particular increase in the number of accesses to 445/tcp.

Access to 445/tcp has continued to increase, as in the previous month, and an increase in the number of accesses from the U.S. and Japan contributed to the rise in the overall figure (see Figure 5-3).

Figure 5-2: December-over-November Comparison for the Number of Access, Classified by Destination (Port Type)

Figure 5-3: Access to 445/tcp

(1)Access Reports for the Year 2010

Figure 5-4 shows the daily averaged number of unwanted (one-sided) accesses and sources at the same monitoring point/port per month (from January 2010 to December 2010). The number of unwanted (one-sided) accesses has decreased since the end of January, except for increases in April, June and September, and by the end of the year the number had fallen to about half the January level.

Figure 5-4: Daily, Averaged Number of Unwanted (One-Sided) Accesses and Sources at the Same Monitoring Point/Port per Month (From January 2010 to December 2010)

Figure 5-5 shows the breakdown of the number of accesses by destination (port type) (from January 2010 to December 2010). As shown in this figure, access to 445/tcp, which accounted for a large portion at the beginning of the year, decreased significantly over the year, ending up in December at about half.

Figure 5-5: Breakdown of the Number of Accesses by Destination (Port Type) (From January 2010 to December 2010)

Figure 5-6 shows the year-2009-over-year-2010 comparison of the number of unwanted (one-sided) accesses, classified by destination (port type). As shown in this figure, access to 445/tcp, 17500/udp and 9415/tcp increased from the 2009 level, with 445/tcp up by about 30,000, 17500/udp by about 40,000 and 9415/tcp by about 20,000. On the other hand, access to 135/tcp, Ping (ICMP) and 2967/tcp decreased, with 135/tcp down by about 210,000, Ping (ICMP) by about 60,000 and 2967/tcp by about 30,000.

Figure 5-6: Year-2009-over-Year-2010 Comparison for the Number of Accesses for each Destination (Port Type)

One characteristic of the accesses observed by TALOT2 in 2010 was a significant increase in the number of accesses to 17500/udp and 9415/tcp. For 17500/udp, accesses were made at regular intervals from multiple IP addresses within the same segment against a single TALOT2 monitoring point. On inspection, we confirmed the existence of an application that sends broadcasts to 17500/udp, which is considered one cause of these accesses. What appeared to be accesses from multiple IP addresses turned out to be one PC, under varying IP addresses, sending a broadcast to the monitoring point at each start-up. Because the other monitoring points were configured to prevent broadcasts from reaching the terminal, no such accesses were detected there.

As for 9415/tcp, a software program with a proxy feature, posted on a Website in China, was found to listen on this port. It is possible that a person with malicious intent was searching for PCs on which this program is installed, in order to use them as a stepping stone for attacks against Web servers and the like.

Figure 5-7 shows the monthly variation in the number of unwanted (one-sided) accesses to 17500/udp (from January 2010 to December 2010).

Figure 5-8 shows the monthly variation in the number of unwanted (one-sided) accesses to 9415/tcp.

Figure 5-7: Access to 17500/udp

Figure 5-8: Access to 9415/tcp

For more detailed information, please also refer to the following URLs.

A variety of statistical information provided by other organizations/vendors is available at the following sites:


IT Security Center, Information-technology Promotion Agency, Japan (IPA/ISEC)