IPA/ISEC in JAPAN: Virus and UCA Incident Report for January 2011

February 15, 2011

IT Security Center
Information-technology Promotion Agency, Japan (IPA)

This is the summary of computer virus/unauthorized computer access incident report for January 2011, compiled by Information-technology Promotion Agency, Japan (IPA).

I. Reminder for the Month:

"Watch out for smart-phone-targeting viruses"

Smart phones, a type of cell-phone that lets users freely install applications and use them for various purposes, have become popular. Although a smart phone looks like an ordinary cell-phone, its functions are closer to those of a PC. Smart phone users can therefore suffer damage from computer viruses, just as PC users can.

On January 21, 2011, IPA released a security alert for a smart-phone-targeting virus*1. The reason was that, for some smart phones and tablet terminals that are equipped with an OS*2 called "Android", a high-risk virus had been detected that might also affect users in Japan.

In this report, we explain the threats posed by smart-phone-targeting viruses, the characteristics of those viruses, and how to prevent infection.

*1  "Security alert for a virus targeted at Android OS" (IPA) (in Japanese)

*2 OS stands for Operating System and is also called "basic software". It is the basic control program for computers and other devices (hardware), including smart phones, and serves as the basis for running many different applications.

(1)Threats of Smart-Phone-Targeting Viruses

As far as traditional, domestic cell-phones are concerned, no virus-infection case has been confirmed. Smart phones, on the other hand, are exposed to virus threats similar to those for PCs (see Figure 1-1). The remainder of this section describes this situation briefly.

Figure 1-1:Threats of Viruses That Infect Many Different Electronic Devices

First of all, in the case of traditional, domestic cell-phones, specifications vary depending on the model, and users' latitude/flexibility is restricted so that security is enhanced. This makes it difficult for malicious entities to create a virus and thus reduces the risk of virus-infection. For example, abroad there have been several cases since around 2004 in which cell-phones were infected with a computer virus, but in Japan such cases have rarely been confirmed.

Smart phones and PCs have much in common in terms of their functions and mechanisms, including the following characteristics that might be exploited by malicious entities to cause virus-infections:

●Shares common specifications with many other devices, including those manufactured abroad

・For PCs, many different models are being sold, but most of them are loaded with a common OS such as Windows or Mac OS. Attackers, in an attempt to infect as many devices as possible, tend to create viruses that work on popular OSs. Smart phones are loaded with OSs such as Windows Phone (formerly Windows Mobile), iOS (formerly iPhone OS), Android, or Symbian OS. Most recent smart phone models are loaded with the same OS, which might motivate malicious entities to create a virus targeted at that OS. Furthermore, due to the shared specifications, a virus created abroad might also work on domestic smart phones without modification.

●The greater latitude/flexibility, the greater the security impact

・The general characteristics of smart phones are that users can freely add applications and that the information needed to develop those applications is publicly released. Unlike PCs, smart phones have the capability to restrict the operation of malicious software (e.g., viruses), and are less susceptible to virus entry than other phones. However, because they provide greater latitude/flexibility than traditional cell-phones, they might suffer greater security impacts.

As the number of users of highly functional smart phones increases and important data is stored on them, malicious entities might be motivated to create viruses with which they can steal that information or take control of the phones for their own purposes.

As noted above, smart phones differ in nature from traditional, domestic cell-phones, and they are exposed to virus threats similar to those for PCs. These threats are expected to increase in the future.

(2)How to Prevent Damages Caused by Android-Targeting Viruses

As mentioned at the beginning of this report, IPA released the "Security alert for a virus targeted at Android OS". The virus detected at that time (hereafter referred to as "this virus") was found to have been embedded in an existing, legitimate application; if installed, it could take control of the smart phone in the worst case (for more details, refer to the security alert in *1). This virus and the other viruses detected so far do not spread from one smart phone to another, nor do they penetrate a user's smart phone without an operation by the user.

The remainder of this section describes, for general users, how to prevent damages caused by this type of virus.

(i)Obtain a legitimate application from a reliable site

Android has an application-distribution mechanism called "Android Market", which is run by Google. There are also third-party-provided markets, including those run by cell-phone carriers (i.e., the company with which you have a contract for your cell-phone) or by game manufacturers.

On the other hand, some Websites illicitly distribute remodeled/pirated versions of legitimate applications, and we have confirmed that viruses are embedded into such applications and distributed there. To prevent virus-infections, it is important to make sure that the site from which you are going to obtain an application is reliable, and that the application is the legitimate one.

●A reliable site, a legitimate application

・Android Market, run by Google, does not conduct prior vetting of individual applications submitted for registration in the market. However, it does remove malicious applications that violate its policy, providing a level of trust to its users.

・For markets run by third parties such as cell-phone carriers, policies vary depending on the market. Some markets screen applications over a certain period of time. It is therefore recommended to check the reliability of the market's operator and its policies first and, if they are deemed acceptable, to use the market.

・Remodeled/pirated applications may contain a virus and therefore, it is recommended not to visit Websites distributing them. It may be difficult to determine whether they are safe to use just by looking at their appearance, so if you are uncertain about their reliability, you should refrain from using them.

Figure 1-2:Many Different Markets

Other points for obtaining applications in a secure manner are:

●Check for remarks, comments and the number of downloads associated with that application

・Some markets (including Android Market) and Websites that introduce applications may post remarks and/or comments from other users as well as the number of downloads for each application. This information is only a reference, but it should provide a clue as to whether the application is safe to use.

●Exercise caution with e-mail attachments

・As in the case of PCs, some Android models allow their users to install applications attached to e-mail with simple operations. Even if an e-mail looks as if it came from an acquaintance, it might be a virus-attached e-mail from a malicious entity impersonating that acquaintance, so you should exercise caution with e-mail attachments.

(ii)Uncheck the check box for "Application of Unknown Provider" except when absolutely necessary

In one of the setting screens for Android, there is an item termed "Application of Unknown Provider". If you uncheck this item, you can prevent any applications obtained from non-Android Markets from being installed (NB: this item is unchecked by default). For the procedure for checking or changing the setting for "Application of Unknown Provider", see Figure 1-3.

To avoid accidental installation of a malicious application, it is recommended to uncheck this item except when absolutely necessary.

Note, however, that in order to install an application obtained from a non-Android Market (even if it was obtained from a reliable, third-party-provided market), you need to temporarily check this item. In such cases, uncheck it after the installation.

Figure 1-3:How to Check or Change the Setting for "Application of Unknown Provider"

(iii)Exercise Caution with "Access Permissions" Displayed at the Time of Installation

The security concept for Android applications is as follows:

●Android applications declare which information/function(s) of the smart phone they are going to access by requesting "access permissions".

●The application user checks the requested "access permissions" displayed at the time of installation and, if they are deemed acceptable, grants those permissions on his own responsibility.

●An application that was given the "access permissions" and installed on the smart phone can freely access that information/those function(s) without notifying the phone user.

The detected Android-targeting viruses include one that disguises itself as a harmless application, such as a game, and requests "access permissions" for "Your Personal Data" or "Charged Services"; a phone user who installs it without adequate confirmation could suffer serious damage.

Figure 1-4 shows an example of a screen requesting "access permissions".

Figure 1-4:Display Screen Image for "Access Permissions"

Regardless of where the application was obtained from, be sure to read through the "Access Permissions" list displayed at the time of installation. If you find any mismatch or anything suspicious between the functions of that application and requested "access permissions", it is recommended to cancel the installation.

Furthermore, some applications may request "access permissions" that seem irrelevant to their inherent functions, for such purposes as displaying advertisements. Table 1-1 shows typical examples of "access permissions", some of which are hard to make out.

Table 1-1: Description of "Access Permissions" (For some parts)

No. 1
Displayed Message: Outgoing call / Read the phone's status
Description: This is thought to be used for stopping a played music depending on the phone's incoming-call status. The application which was given this permission is able to read the smart phone's telephone number as well as terminal identification number assigned to each phone.

No. 2
Displayed Message: Your site / Approximate Location (Network-Based)
Description: "Approximate Location" refers to the location of a base station for that cell-phone, or to the phone's location that is estimated from the distance from wireless LAN facilities in the surrounding areas. The estimated location may have a margin of error of plus or minus dozens of meters to several kilometers. This positional information can also be used by an advertiser to determine the contents of advertisements to be displayed on the application's screen.

No. 3
Displayed Message: Network communication / Full Internet access
Description: Literally, this is a function that enables users to transmit/receive information over the Internet. This is also used for exchanging ad-related data.

Note: Displayed messages (expressions) may differ slightly depending on the model.

Most smart phone applications become serviceable when an Internet connection is available. The problem is that if the access permissions described in item 1 or 2 above, or item 3 together with access to "Your Personal Data", were requested by and granted to a malicious entity, that entity might send the smart phone's telephone number and positional information somewhere over the Internet for exploitation.

If you just look at the "Access Permissions" list, it may be difficult to determine whether the application is to be used for a legitimate purpose or malicious one. So, based on the reliability of the application's source and developers as well as other users' remarks, grant access permissions within a scope such that you are not affected should they be exploited by a malicious entity.
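The check described in this section, sketched as an added example (it is not part of IPA's report): it reads the permission list from a decoded AndroidManifest.xml and compares it with what the application's stated function needs. The mapping of the report's displayed messages to Android permission names, the per-category baselines in EXPECTED, and the sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
INTERNET = P + "INTERNET"  # Table 1-1 item 3, "Full Internet access"

# Mapping the report's screen labels to these Android permission names is an
# assumption of this example, as are the EXPECTED baselines below.
AD_TYPICAL = {  # Table 1-1 items 1 and 2
    P + "READ_PHONE_STATE": "phone number and terminal ID",
    P + "ACCESS_COARSE_LOCATION": "approximate location",
}
PERSONAL = {  # "Your Personal Data"
    P + "READ_CONTACTS": "contacts",
    P + "READ_CALENDAR": "calendar entries",
}
CHARGED = {P + "SEND_SMS", P + "CALL_PHONE"}  # "Charged Services"
READABLE = {**AD_TYPICAL, **PERSONAL}

# Hypothetical baseline: permissions each kind of app needs for its function.
EXPECTED = {
    "game": {INTERNET, P + "VIBRATE", P + "WAKE_LOCK"},
    "music_player": {INTERNET, P + "READ_PHONE_STATE", P + "WAKE_LOCK"},
}


def requested_permissions(manifest_xml):
    """Return the <uses-permission> names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}


def sample_manifest(*names):
    """Build a constructed manifest for the demo; not from any real app."""
    tags = "".join('<uses-permission android:name="%s%s"/>' % (P, n) for n in names)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
            + tags + "</manifest>")


def review(manifest_xml, category):
    """Return (verdict, findings) for permissions the app's function does not need.

    'cancel': can incur charges or send personal data out; 'review': a mismatch
    that may be advertising-related, so judge by the source; 'ok': no mismatch.
    """
    perms = requested_permissions(manifest_xml)
    online = INTERNET in perms
    findings, verdict = [], "ok"
    for perm in sorted(perms - EXPECTED[category]):
        if perm in CHARGED:
            reason, serious = "can incur charges", True
        elif perm in READABLE:
            reason = ("can send " if online else "can read ") + READABLE[perm]
            serious = online and perm in PERSONAL
        else:
            reason, serious = "unrelated to the app's stated function", False
        findings.append((perm, reason))
        verdict = "cancel" if serious or verdict == "cancel" else "review"
    return verdict, findings


PLAIN_GAME = sample_manifest("INTERNET", "VIBRATE")
REPACKAGED_GAME = sample_manifest("INTERNET", "VIBRATE", "READ_PHONE_STATE",
                                  "READ_CONTACTS", "SEND_SMS")
MUSIC_PLAYER = sample_manifest("INTERNET", "READ_PHONE_STATE", "ACCESS_COARSE_LOCATION")

if __name__ == "__main__":
    for xml, kind in [(PLAIN_GAME, "game"), (REPACKAGED_GAME, "game"),
                      (MUSIC_PLAYER, "music_player")]:
        print(kind, *review(xml, kind))
```

The manifest inside an APK is stored in a binary form, so it has to be decoded to text XML before a check like this can read it.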

(iv)Install security software

In recent years, security for smart phones has received a lot of attention, and many "security software for Android" products have been released or are scheduled to be released. Consider using such security software, which may also provide an antivirus feature.

For your reference, we compiled information on "security software for Android" currently being provided by major security software vendors that also sell "security software for PCs" in Japan. Although some of these products are currently available only in overseas versions, Japanese versions may also be released in the near future.



The sophistication and deviousness of widely prevalent Windows-targeting viruses have been advancing over the years. Many of the techniques that have emerged in that field are likely to be applied to smart phones as well, putting smart phone users at risk.

For secure use, smart phone users should be aware of what OS is running on their phones, implement the required antivirus measures accordingly, and keep up with the latest security-related news.

II. Reporting Status of Computer Virus – for further details, please refer to Attachment 1 –

Reporting Status of Virus

While the virus detection count *1 in January 2011 was about 23,000, equivalent to the December 2010 level (about 23,000), the virus report count *2 in January was 1,106, up 26.5 percent from 874 in December 2010.

*1 Virus detection count: indicates how many times a specific virus appeared in the reports submitted, or the aggregate virus detection counts for a specific period.

*2 Virus report count: indicates how many reports on a specific virus were submitted. If the same type of virus was reported by the same person with the same detection day, the reports are counted as one report for that virus.

* In January, the virus report count, which was obtained by consolidating about 23,000 virus detection reports, was 1,106.

W32/Netsky marked the highest detection count at about 16,000, followed by W32/Mydoom at about 3,000 and W32/Autorun at about 1,000.

Figure 2-1: Virus Detection Count

Figure 2-2: Virus Report Count

III. Reporting Status of Unauthorized Computer Access (includes Consultations) – for further details, please refer to Attachment 2 –

Table 3-1: Reported Number for unauthorized computer access and the status of consultation

                              Aug.'10  Sep.  Oct.  Nov.  Dec.  Jan.'11
Total for Reported (a)             18    15    14    14    22       12
  Damaged (b)                      12    10     8     7     7        6
  Not Damaged (c)                   6     5     6     7    15        6
Total for Consultation (d)         56    47    40    45    27       41
  Damaged (e)                      16     8    15    12     7       11
  Not Damaged (f)                  40    39    25    33    20       30
Grand Total (a + d)                74    62    54    59    49       53
  Damaged (b + e)                  28    18    23    19    14       17
  Not Damaged (c + f)              46    44    31    40    35       36

(1)Unauthorized Computer Access Reported

The report count for unauthorized computer access in January was 12, 6 of which reportedly involved some damage.

(2)Unauthorized Computer Access and Other Related Problems Consulted

The consultation count for unauthorized computer access and other related problems was 41 (5 of which were also included in the report count). 11 of them reportedly involved some damage.

(3)Damages Caused

The breakdown of the damage reports was: Spoofing (6).

The damage caused by "Spoofing" consisted of online services (online games (5), free IP phone (1)) being used by someone who successfully impersonated a legitimate user and logged on.

(4) Damage Instance


(i)I found that my online game currency has reduced to zero
  • I found that the currency for an online game that I had purchased in advance had reduced to zero.
  • Upon checking the usage records, I found a purchase record that I do not remember.
  • I was using the same password so as not to forget it.
  • I had no particular security countermeasure in place.
(ii)All of a sudden, I became unable to log into a membership online-game
  • One day, I became unable to log into a membership online-game.
  • The items owned by my character were found to have been trafficked.
  • The cause of this incident remains unknown but I assume that somebody had gained an unauthorized access and changed my password.
  • Would the police accept a damage-report concerning impersonation like this?

IV. Unauthorized Computer Access Consulted

The total number of consultations in January 2011 was 1,463, of which 442 were related to "One-Click Billing" (compared to 474 in December 2010); 17 to "Fake Security Software" (compared to 10 in December 2010); 3 to "Winny" (compared to 4 in December 2010); and 1 to "A Suspicious E-Mail Sent to a Specific Organization to Collect Specific Information/Data" (compared to 0 in December 2010).

Table 4-1: Total Number of Consultations Handled by IPA over the Past Six Months

                              Aug.'10   Sep.   Oct.   Nov.   Dec.  Jan.'11
Total                           2,432  2,102  1,813  1,692  1,536    1,463
  Automatic Response System     1,298  1,142  1,065  1,036    954      892
  Telephone                     1,053    873    675    580    531      499
  e-mail                           75     85     69     72     49       64
  Fax, Others                       6      3      4      4      2        8

* IPA set up the "Worry-Free Information Security Consultation Service", which provides consultation/advice on computer viruses, unauthorized computer access, problems related to Winny, and overall information security.

Tel.: +81-3-5978-7509 (24-Hour Automatic Response; Consultations are provided by IPA Security Center personnel and available from Mon.-Fri., 10:00-12:00, 13:30-17:00)
Fax: +81-3-5978-7518 (24-hour automatic response)

* "Automatic Response System": Numbers responded by automatic response
* "Telephone": Numbers responded by the Security Center personnel
* Total Number includes the number in the Consultation (d) column in Table 3-1, "III. Unauthorized Computer Access Reported (including Consultations)".

Figure 4-1: Changes in the Number of Consultation Regarding One-Click Billing

Major consultation instances are as follows:

(i)A software program termed SystemTool is automatically activated

What was consulted:

When I was surfing the Internet, all of a sudden, a warning message was displayed and subsequently, a screen for "SystemTool" – unknown software which looks like antivirus software – appeared. Although I restarted my PC, it did not disappear. What should I do? (Apart from this, 13 similar cases have been reported so far)


The consulter is suffering from what is called "Fake Security Software" virus. In January, we received a number of inquiries regarding SystemTool, so it is thought that many people have suffered from it.

Among the symptoms suffered by PCs are: being unable to connect to the Internet, being unable to activate certain applications, their wallpaper being changed, etc.

The recommended solution for a PC infected with this sort of virus is to use the "System Restore" function to restore the PC's settings to their state one day before the virus-infection or, if this cannot be done, to perform initialization on that PC.


(ii)Infected with a virus via Winny

What was consulted:

I copied a file (ISO image*) downloaded via Winny to a DVD and opened it on my PC. Then a number of suspicious screens began to appear. I assume that I've contracted a computer virus via the downloaded file.

To resolve this symptom, do I have to perform initialization? I knew that it's better not to use Winny, but I wasn't concerned about using it.

* ISO image: A disk image obtained from a CD or DVD, which is in a file format.


To restore your PC from this state, we recommend that you perform initialization. And if you use file-sharing software such as Winny, not only might you suffer from the virus-infection like this, you might also involuntarily violate copyrights. You should recognize the risks of using file-sharing software and refrain from using such software.


V. Access Status Captured by the Internet Fixed-Point Monitoring System (TALOT2) in January

According to the Internet Fixed-Point Monitoring System (TALOT2), 95,509 unwanted (one-sided) accesses were observed at ten monitoring points in January 2011 and the total number of sources* was 42,791. This means that, on average, 308 accesses from 138 sources were observed at one monitoring point per day. (See Figure 5-1)

*Total number of sources: indicates how many accesses in total were observed by TALOT2. If multiple accesses from the same source were observed at the same monitoring point/port on the same day, they are considered one access from the specific source on that day.

Since the environment of each monitoring point for TALOT2 is equivalent to that of general Internet connection, an equal number of such accesses are thought to be made in the Internet users’ system environment.

Figure 5-1: Daily, Averaged Number of Unwanted (One-Sided) Accesses and Sources at the Same Monitoring Point/Port per Month (From August 2010 to January 2011)

Figure 5-1 shows the daily, averaged number of unwanted (one-sided) accesses and sources at the same monitoring point/port per month (from August 2010 to January 2011). As shown in this figure, the number of unwanted (one-sided) accesses in January 2011 remained at almost the same level as that of December 2010.

Figure 5-2 shows the January 2011-over-December 2010 comparison results for the number of unwanted (one-sided) accesses, classified by destination (port type). As shown in this figure, compared to the December level, there has been a particular increase in the number of accesses to 445/tcp.

Comparing the unwanted (one-sided) accesses to 445/tcp by source shows that accesses from the top ten countries, including the U.S. and Japan, have been on the increase, which contributed to the increase in the overall figure (see Figure 5-3).

Figure 5-2: January-over-December Comparison for the Number of Access, Classified by Destination (Port Type)

Figure 5-3: Access to 445/tcp

A variety of statistical information provided by other organizations/vendors is available at the following sites:


IT Security Center, Information-technology Promotion Agency, Japan (IPA/ISEC)