Font Size Change

HOMEIT SecurityIPA/ISEC in JAPAN:virus and UCA incident report for February2011

PRINT PAGE

IT Security

IPA/ISEC in JAPAN:virus and UCA incident report for February2011

March 11, 2011

IT Security Center
Information-technology Promotion Agency, Japan (IPA)

This is the summary of computer virus/unauthorized computer access incident report for January 2011, compiled by Information-technology Promotion Agency, Japan (IPA).

I. Reminder for the Month:

"Let's deactivate the "Autorun" function on Your PC!"

-You can do it by applying Windows Update!-

There have been a number of cases involving a virus infection through external storage media such as USB thumb drives (hereafter referred to as external media). According to a survey conducted by IPA in 2010*1 , among the entry routs of the viruses detected, "external media, carried-in PCs" accounted for 48 percent. A virus said to have targeted a nuclear power plant's control system*2 was also intended to cause infection through USB thumb drives.

One of the reasons why a virus infection through external media is employed would be the presence of the "Autorun" function*3 of Windows-based PCs. This function enables the automatic execution of files stored on external media when they are connected to a PC. By disabling this function, you can reduce the risk of allowing a virus infection through external media.

IPA has once issued an alert, calling for the deactivation of "Autorun", and from February 2011, simplified deactivation steps became available. So in this report, we explain anew about "Autorun", a virus exploiting it, and how to prevent the virus infection.

*1 The 2009 Survey on Damages Caused by Information Security-Related Events in Japan
http://www.ipa.go.jp/security/fy21/reports/isec-survey/ (in Japanese)

*2 This was caused by a virus called "Stuxnet". For more information, refer to an IPA technical watch report on the New Types of Attacks http://www.ipa.go.jp/about/technicalwatch/20101217.html (in Japanese)

*3 This function is activated by default for Windows XP, Vista, and Windows Server 2003/2008. In the case of Windows 7, this is deactivated by default.

(1)What is "Autorun"

"Autorun" is a function of Windows. If this function is enabled, programs/moving images stored on external media (such as CDs, DVDs, USB thumb drives and external hard disk drives) are automatically executed/played when they are connected to a PC.

A virus exploiting this function carries out infection activities as follows: (See Figure 1-1):

<1>There is a PC that has been infected with a virus due to the following reasons: a USB thumb drive containing the virus was connected to it; or its user opened a suspicious e-mail attachment containing the virus.

<2>If a virus-free USB thumb drive is connected to the above-mentioned PC, the virus in that PC creates a copy of itself and places it in the thumb drive. At the same time, it embeds operation code to exploit "Autorun".

<3>If the USB thumb drive containing the copied virus is connected to another PC not having sufficient antivirus measures in place (including not deactivating "Autorun"), the virus is executed automatically. As a result, this PC is also infected with the virus.

<4>Repetition of these steps might lead to chained infections.

Figure 1-1:Infection by a Virus Exploiting "Autorun"

(2)Examples of A Virus That Exploits "Autorun"

A virus that exploits "Autorun" is not an unusual type of virus but common one. Let's take the W32/Virut virus for example. When it first appeared, it did not have a feature of exploiting "Autorun", but such feature was added to its subspecies that emerged later.

According to the reports submitted to IPA, in February 2011, W32/Autorun, W32/Downad, W32/Sality and W32/Virut, all of which exploit "Autorun" to spread their infections, were ranked in the top 10. For W32/Autorun, in particular, around 170 reports were submitted every month on average for the past year.

If infected with these viruses, that PC might allow further spread of infection through external media; security software on it might go off; or information on it (e.g., online-game account) might be leaked to external parties.

Furthermore, IPA's "Worry-Free Information Security Consultation Service":4 received inquiries as to the following problems:

●After copying a household PC's data to a USB thumb drive and connecting it to a company PC, a virus was detected. Through the investigation, I found that the household PC had been infected with a virus that exploits "Autorun".

●After inserting a USB thumb drive into my PC and working on it, I became unable to brows a security vendor's Website. Through the investigation, I found that a virus had been embedded in the USB thumb.

Inquiries as to problems like these are made to IPA every month, showing no sign of an end to damages caused by Autorun-exploiting viruses.

*4 A general consultation service for malware (malicious program) and unauthorized computer access that is provided by IPA for Japanese citizens.
http://www.ipa.go.jp/security/anshin/ (in Japanese)

(3)How to Disable "Autorun"

There are several ways to disable*5 "Autorun", but the simplest one would be to install a patch*6 provided by Microsoft Japan Co., Ltd. Traditionally, PC users needed to access a dedicated download site and select and install an adequate patch (to disable "Autorun") for their OS. But since February 9, 2011 (in Japan time), such patch has been included in Windows Update. Because appropriate patches for the user's PC are automatically selected and displayed, the user can easily install them. These tasks are not required for the users of Windows 7 as "Autorun" is deactivated by default. And if you have already installed the above-mentioned patch, it is not displayed on the list of available updates, so you can skip it.

To install this patch, access Windows Update first, and if you see either of the screens shown in Figure 1-2, go through the respective steps below. By doing so, you can disable "Autorun".

*5 "Disabling" in this context is: configuring a PC so that "Autorun" is activated for CD/DVD Drives only and not for USB thumb drives.

*6 Patch is a program to fix security vulnerabilities and other bugs. This is also called "program to correct the problem" or "program for updates".

●For Windows Vista

Click on the "Critical" tab and select and install a path with the number "KB971029".

●For Windows XP

Click on the "High Priority updates" tab and select and install a path with the number "KB971029".

Figure 1-2:Windows Update Screen(Left : Vista , Right : XP)

If you are an information system administrator belonging to an enterprise or other organizations, you can configure a group policy so that "Autorun" is disabled on the PCs belonging to that group (For details, refer to the site below).

<Reference>

IPA provides "MyJVN Security Configuration Checker", with which you can check if "Autorun" is deactivated on your PC. So, feel free to use it to check the "Autorun" setting on your PC.

<Reference>

(4)How to Prevent Virus Infections

(i)Implement technological countermeasure

By disabling "Autorun" and implementing the following technological countermeasures, you can reduce the risk of contracting a virus. These countermeasures are effective against not only Autorun-exploiting viruses but also other viruses in general, so it is recommended to implement them so you can protect your PC against those viruses.

Use antivirus software

Install antivirus software and keep its virus definition files up-to-date. By doing so, you can prevent a virus infection through external media as a virus-scan is performed with the latest definition.

Eliminate vulnerabilities (e.g., by applying Windows Update)

Vulnerabilities in OSs and application software are detected one right after the other. And a virus might emerge that exploits a new vulnerability, for which your PC might be infected only by connecting a USB thumb drive to it, even though you disabled "Autorun". So, eliminate vulnerabilities as much as you can by keeping your OS and application software updated. IPA provides charge-free "MyJVN Version Checker", with which you can easily check if the major applications installed on your PC are the latest versions. This tool is intended for software products that have ever been exploited for attacks such as viruses. Hope you will make use of it!

(ii)Precautions in using USB thumb drives

"Autorun" can be activated/deactivated for USB thumb drives, external hard disk drives, digital cameras, music players, SD memory cards and other external storage media that can exchange data with a PC with which they are connected. When handling them, take the following precautions:

●Do not connect your USB thumb drive to a PC that is not under your control or that is used by unspecified number of people;

●Do not connect to your PC any USB thumb drive that is not under your control or whose owner is unknown.

<Reference>

II. Reporting Status of Computer Virus – further details, please refer to the Attachment 1 –

Reporting Status of Virus

While the virus detection count*1 in February was about 22,000, down 2.7 percent from 23,000 in January, the virus report count*2 in February was 974, down 11.9 percent from 1,106 in January.

*1 Virus detection count: indicates how many times a specific virus appeared in the reports submitted, or the aggregate virus detection counts for a specific period.

*2 Virus report count: indicates how many reports on a specific virus were submitted. If the same type of viruses were reported by the same person with the same detection day, they are counted as one report regarding the virus of that sort.

* In February, the virus report count, which was obtained by consolidating about 22,000 virus detection reports, was 974.

W32/Netsky marked the highest detection count at about 16,000, followed by W32/ Mydoom at about 3,000 and W32/Autorun at about 1,000.

Figure 2-1: Virus Detection Count

Figure 2-2: Virus Report Count

III. Reporting Status of Unauthorized Computer Access (includes Consultations) –Please refer to the Attachment 2 for further details–

Table 3-1: Reported Number for unauthorized computer access and the status of consultation
  Sep.'10 Oct. Nov. Dec. Jan.'11 Feb.
Total for Reported (a) 15 14 14 22 12 10
  Damaged (b) 10 8 7 7 6 5
Not Damaged (c) 5 6 7 15 6 5
Total for Consultation (d) 47 40 45 27 41 23
  Damaged (e) 8 15 12 7 11 6
Not Damaged (f) 39 25 33 20 30 17
Grand Total (a + d) 62 54 59 49 53 33
  Damaged (b + e) 18 23 19 14 17 11
Not Damaged (c + f) 44 31 40 35 36 22

(1)Unauthorized Computer Access Reported

The report count for unauthorized computer access in February was 10, 5 of which reportedly had certain damages.

(2)Unauthorized Computer Access and Other Related Problems Consulted

The consultation count for unauthorized computer access and other related problems was 23 (2 of which were also included in the report count). 6 of them reportedly had certain damages.

(3)Damages Caused

The breakdown of the damage reports were: intrusion (2); spoofing (1); Malicious code embedded (1); Dos attack (1).

Damages caused by "intrusion" were: a tool to attack external sites being embedded into a Web server, which in turn served as a stepping stone for attacking other sites (2). Damages caused by "spoofing" were: online service being used by someone who successfully impersonated a legitimate user and logged on (1).

The causes of "intrusion" were: "Poor ID & password management" (1); "inappropriate settings" (1).

(4) Damage Instance

[Intrution]

(i)A malicious program was executed on the company's server, which in turn attacked external computers

* SSH(Secure SHell) a protocol that allows someone using one computer to communicate with a remote computer over a network.

    <Instance>
  • –I was notified by a person outside the company that, "Received an attack from your company's server".
  • –Upon checking the server, I found that a SSH* port thought to have been unused was open, for which a remote connection could be established.
  • –I found an account with login ID and password being identical (i.e., the same spelling) and that this account had been used to hack into the server.
  • –Apparently, a malicious program to attack external computers was run by the hacker.

[Spoofing]

(ii)In a Web service's login history, I found the trace of a unfamiliar login from abroad
<Instance>
  • –Recently, I received a large number of unwanted e-mails. Feeling suspicious, I checked the login history for a Web service in use and found the trace of an unfamiliar, successful login from abroad.
  • –My Web-based e-mail was accessed by someone else, but I have no idea what was done with it.
  • –It happened as I had been robbed of my password, but I don't know how it was stolen.

IV. Unauthorized Computer Access Consulted

The total number of consultations in February was 1,521. 473 of which were related to "One-Click Billing" (compared to 442 in January); 9 to "Fake Security Software" (compared to 17 in January); 6 to "Winny" (compared to 3 in January); 0 to "A Suspicious E-Mail Sent to a Specific Organization to Collect Specific Information/Data" (compared to 1 in January)

Table 4-1: Total Number of Consultations Handled by IPA over the Past Six Months
  Sep.'10 Oct. Nov. Dec. Jan.'11 Feb.
Total 2,102 1,813 1,692 1,536 1,463 1,521
  Automatic Response System 1,142 1,065 1,036 954 892 892
Telephone 873 675 580 531 499 570
e-mail 85 69 72 49 64 53
Fax, Others 3 4 4 2 8 6

* IPA set up "Worry-Free Information Security Consultation Service" that provides consultation/advises for computer virus, unauthorized computer access, problems related to Winny as well as overall information security.

mail_address
Tel.: +81-3-5978-7509 (24-Hour Automatic Response; Consultations are provided by IPA Security Center personnel and available from Mon.-Fri., 10:00-12:00, 13:30-17:00)
Fax: +81-3-5978-7518 (24-hour automatic response)

 

*”Automatic Response System”: Numbers responded by automatic response
*”Telephone”: Numbers responded by the Security Center personnel
*Total Number includes the number in the Consultation (d) column in the Table 3-1, “III. Unauthorized Computer Access Reported (including Consultations)”.

Figure 4-1: Changes in the Number of Consultation Regarding One-Click Billing


Major consultation instances are as follows:

(i)Is trustworthy an alert issued by fake security software?

I installed and am using a security software product on my PC. One day, when one of my family members was browsing a Website, an unfamiliar security software screen appeared along with a warning message "Your PC's infected with Spyware!!"

I'm going to ask the manufacture of that security software to see to it, but I'm still worrying about the possible infection of Spyware.

Response:

Apparently, your family browsed a malicious Website, for which the PC was infected with the "fake security software" virus. It is wise to ask the manufacture of that security software to see to it.

And a warning message "Your PC's infected with Spyware!!" is a kind of trick to prompt fears and the screen itself is actually displayed by an insidious virus.

Even if you were using a legitimate security software product, as demonstrated this time, a virus might still enter into your PC by bypassing security checks. So, you should be careful with the Website you are going to visit. Meanwhile, pay attention to anti-vulnerability measures available for Windows and applications in use.

<Reference>

(ii)A message "Hacked by Godzilla" appears in Internet Explorer's title bar

What was consulted:

From a few days ago, I began to see a message "Hacked by Godzilla" in Internet Explorer's title bar whenever I opened Yahoo's front page. What's the cause of this phenomenon? How can I get it back?

* This image was created by IPA, based on description of the consulter.

Response:

This sort of phenomenon occurs if a PC is infected with the W32.VBS.Godzilla virus. This is a virus that spreads its infection through USB thumb drives, etc., so before you saw such phenomenon, didn't you use a USB thumb on your PC?

Firstly, update your antivirus software's virus definition files and try to clean the virus. If you failed to get rid of it, we recommended that you perform initialization on Your PC.

<Reference>

V. Access Status Captured by the Internet Fixed-Point Monitoring System (TALOT2) in February

According to the Internet Fixed-Point Monitoring System (TALOT2), 143,494 unwanted (one-sided) accesses were observed at ten monitoring points in February and the total number of sources* was 41,803.  This means on average, 624 accesses form 182 sources were observed at one monitoring point per day. (See Figure 5-1)

*Total number of sources:indicates how many accesses in total were observed by TALOT2.  If multiple accesses from the same source were observed at the same monitoring point/port on the same day, they are considered one access from the specific source on that day.

Since the environment of each monitoring point for TALOT2 is equivalent to that of general Internet connection, an equal number of such accesses are thought to be made in the Internet users’ system environment.

*For maintenance work, we shut down the systems from February 4 to February 8. Therefore, the statistical information was derived from the data excluding that of these five days. Normally, the systems are in operation all times.

Figure 5-1: Daily, Averaged Number of Unwanted (One-Sided) Accesses and Sources at the Same Monitoring Point/Port per Month (From September 2010 to February 2011)

The Figure 5-1 shows daily, averaged number of unwanted (one-sided) accesses and sources at the same monitoring point/port per month (from September 2010 to February 2011). As shown in this figure, the number of unwanted (one-sided) accesses in February has significantly increased, compared to the January level.

The Figure 5-2 shows the February-over-January comparison results for the number of unwanted (one-sided) accesses, classified by destination (port type). As shown in this figure, compared to the January level, there has been a particular increase in the number of access to 80/tcp, 17500/udp, 443/tcp and 25/tcp.

As for 17500/udp, we saw one-time increase around September 2010 and as in the past, access was made from multiple IP addresses within the same segment at a regular interval against a single monitoring point for TALOT 2 (See Figure 5-3). Because the existence of software for general users that sends broadcast has been confirmed, this access might have been made by a user of a PC running that software. What was thought to be from multiple IP addresses has turned out to be from one PC which used different IP addresses each time it was connected to the network. Because the rest of the monitoring points were configured to prevent broadcast from reaching the terminal, such access was not detected.

In February, we saw an increase in the number of accesses to 80/tcp, 443/tcp and 25/tcp. This is because, after February 21st, an increasing number of accesses were made to these ports from multiple IP addresses in Myanmar, which were observed at multiple monitoring points for TALOT 2. Apart from these ports, we also saw an increasing number of accesses to 21/tcp and 22/tcp from the same IP addresses (See Figure 5-4). Similar increasing trends have also been observed by other organizations undertaking fixed point observations. The cause is currently under investigation, but this is thought to be some sort of attack, so we'll continue to watch out for accesses to these five ports.

Figure 5-2: February-over-January Comparison for the Number of Access, Classified by Destination (Port Type)

Figure 5-3: Access to 17500/udp

Figure 5-4: Access to 21/tcp, 22/tcp, 25/tcp, 80/tcp and 443/tcp from an IP address in Myanmar

Variety of statistical Information provided by the other organizations/vendors is available at the following sites:

Contact

IT Security Center, Information-technology Promotion Agency, Japan (IPA/ISEC)
Tel:+81-3-5978-7591
Fax:+81-3-5978-7518
E-mail: