IPA/ISEC in Japan: Virus and UCA Incident Report for March 2011, and the 1st Quarter of 2011

April 14, 2011

IT Security Center
Information-technology Promotion Agency, Japan (IPA)

This is a summary of the computer virus and unauthorized computer access (UCA) incident reports for March 2011 and the 1st Quarter of 2011, compiled by the Information-technology Promotion Agency, Japan (IPA).

I. Reminder for the Month:

"Let's protect your wireless LAN from being used by others!"

In recent years, a number of cases have been reported in which an unsecured home-use wireless LAN was exploited. A wireless LAN with inadequate security settings may be exploited by a malicious party. In fact, crime infrastructure*, which includes unsecured home-use wireless LANs, is being built up and expanding across every field of crime, including organized crime, fraud, theft and cybercrime. On March 10, 2011, the Tokyo Metropolitan Police Department announced that it would tighten control over crime infrastructure, including the development of an "Anti-Crime-Infrastructure Program", a guideline for tackling it.

To protect your home-use wireless LAN from being exploited as crime infrastructure, make appropriate security settings.

* Crime infrastructure is infrastructure that abets or facilitates crime. Even infrastructure that is itself legal becomes crime infrastructure when it is used for a crime.


(1)Outline of Problems Surrounding Wireless LAN

A wireless LAN is a network environment in which a wireless LAN access point (hereafter called the "base unit") and PCs, smartphones, game machines and other devices with wireless LAN capability (hereafter called "cordless handsets") communicate using radio waves. Once communication settings have been made on both the base unit and the cordless handset(s), they can communicate with each other anywhere within range of the radio signal, which passes through obstacles such as walls.

While a wireless LAN is convenient, it may also be exploited by an attacker to get into a home network or to commit wrongdoing over the Internet (i.e., it is used as a so-called "stepping stone"). Because the communication path is invisible radio waves, you may not even notice an intrusion, so you need to be careful (See Figure 1-1).

Figure 1-1: Threats to Wireless LAN

(2)Actual Incidents Involving Wireless LAN

Table 1-1 shows actual cases involving wireless LANs.

Table 1-1: Actual Cases Involving Wireless LAN

Occurrence Time   Description
Jun. 2008         A man was arrested for illicitly connecting his Internet-capable handheld gaming device to a family's wireless LAN and posting a message on a message board that foretold an indiscriminate killing.
Oct. 2008         A man was arrested for selling child pornography DVDs at an Internet auction. He was found to have gained access to the Internet via a family's wireless LAN and obtained the child pornography files that way.
Feb. 2010         Two members of a fraud group were arrested for shopping on the Internet using somebody else's credit-card information, which they had obtained through illicit means. They were found to have gained access to the Internet via a family's wireless LAN.
Jun. 2010         A man was arrested for obtaining money by fraud, offering to sell his bank account in a message posted on a message board. He was found to have gained access to the Internet via a family's wireless LAN in an attempt to hide his identity.

In each of the above cases, a home-use wireless LAN with inadequate security settings was used as a "stepping stone". Other possible cases include:

・An attacker breaks into the wireless LAN and steals important information

・An attacker sniffs communication data

(3)Countermeasures

To prevent the above incidents, it is important to make appropriate security settings on your wireless LAN. There are two important points: "selecting an appropriate encryption scheme" and "setting an appropriate password".

(i)Selecting an appropriate encryption scheme

There are three main types of encryption scheme: "WEP", "WPA" and "WPA2". The safest is "WPA2", the newest of the three. WEP in particular can be broken in minutes with freely available tools and should be treated as equivalent to no encryption.

There are a few options under "WPA2", so when you select an encryption scheme, choose the one that provides the most robust security among those that use the authentication method called WPA2-PSK (Pre-Shared Key), that is, "WPA2-PSK (AES)".

If this is not available, as the next best policy, use "WPA-PSK (AES)", which provides the most robust security among the "WPA" family options that use the authentication method called WPA-PSK (Pre-Shared Key).

The remaining encryption schemes do not provide sufficiently strong security, so do not select them. For more details on encryption schemes, please refer to the separate reference page.


For reference, screenshots of a setting screen for a base unit and a setting confirmation screen are shown in Figure 1-2 and Figure 1-3, respectively. Users of home-use wireless LANs are encouraged to check their settings. Note that the appearance of the screens and how to make or confirm settings vary depending on the model in use. For more information on operation, please refer to the instruction manual for your base unit.

Figure 1-2: Screenshot of a Setting Screen for a Base Unit

Figure 1-3: Screenshot of a Setting Confirmation Screen for a Base Unit

Note that not only the base unit but also all of its cordless handsets need to support the encryption scheme you want to select. That means, if you configured your base unit to use "WPA2-PSK (AES)", all the cordless handsets connected to it should also be configured to use "WPA2-PSK (AES)".

(ii)Setting an Appropriate Password

The encryption key used by the above schemes is generated from a password (the pre-shared key) that you set. When setting the password, observe the following points so that it cannot be easily guessed:

・Do not use a single word from an English dictionary

・Use a combination of lowercase and uppercase letters, numerals and symbols

・Use twenty or more characters (a WPA/WPA2 pre-shared key of single-byte alphanumeric characters and symbols can be up to sixty-three characters long)
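As an added example (not part of the IPA report), the following Python script turns the two countermeasures above into a check that can be run against an access point configuration. It reads a hostapd.conf-style file (the key names wpa, wpa_pairwise, rsn_pairwise, wpa_passphrase and wep_key0 follow hostapd; the two sample configurations, the SSID and the small word list are constructed for illustration), flags WEP, WPA-only and TKIP, applies the three passphrase rules above plus the 8-63 printable-ASCII limit that WPA-PSK imposes, and derives the pairwise master key the way WPA/WPA2-PSK does (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt). The derivation is included to show why the passphrase is the only secret an attacker who has captured a handshake needs to guess.

```python
import hashlib
import re

# Constructed stand-in for a real word list (assumption: a real check would load
# a full dictionary file).
DICTIONARY = {"password", "internet", "wireless", "network", "welcome", "sunshine"}


def wpa_psk_pmk(ssid: str, passphrase: str) -> bytes:
    """Derive the 256-bit pairwise master key the way WPA-PSK/WPA2-PSK does:
    PBKDF2-HMAC-SHA1, 4096 iterations, the SSID as salt. One guess costs only
    4096 HMACs, so an attacker holding a captured handshake can try passphrases
    offline at high speed; the passphrase itself has to resist guessing."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def passphrase_problems(passphrase: str) -> list:
    """Apply the report's three passphrase rules plus the 8-63 printable-ASCII
    limit that WPA-PSK imposes. Returns an empty list when all pass."""
    problems = []
    printable = all(32 <= ord(c) <= 126 for c in passphrase)
    if not (8 <= len(passphrase) <= 63 and printable):
        problems.append("not 8-63 printable ASCII characters (rejected by WPA-PSK)")
    if len(passphrase) < 20:
        problems.append("shorter than 20 characters")
    if passphrase.lower() in DICTIONARY:
        problems.append("single dictionary word")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if not all(re.search(p, passphrase) for p in classes):
        problems.append("missing mix of lowercase, uppercase, digits and symbols")
    return problems


def parse_hostapd(text: str) -> dict:
    """Minimal key=value parser for a hostapd.conf-style file."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit_ap(text: str) -> list:
    """Return findings for an access point configuration; an empty list means
    WPA2-PSK with CCMP (AES) and a passphrase that satisfies the rules above."""
    cfg = parse_hostapd(text)
    findings = []
    has_wep = any(k.startswith("wep_key") for k in cfg)
    wpa = cfg.get("wpa", "0")  # hostapd: 0 = none, 1 = WPA, 2 = WPA2, 3 = both
    if has_wep:
        findings.append("WEP key configured: WEP is broken, treat it as no encryption")
    if wpa == "0" and not has_wep:
        findings.append("open network: no encryption at all")
    if wpa == "1":
        findings.append("WPA selected instead of WPA2; use WPA2-PSK (AES)")
    if wpa == "3":
        findings.append("mixed WPA/WPA2 mode still accepts legacy WPA clients; set wpa=2")
    ciphers = " ".join(v for k, v in cfg.items() if k in ("wpa_pairwise", "rsn_pairwise"))
    if wpa != "0" and "TKIP" in ciphers:
        findings.append("TKIP allowed; restrict the pairwise cipher to CCMP (AES)")
    if wpa != "0":
        findings.extend("passphrase: " + p
                        for p in passphrase_problems(cfg.get("wpa_passphrase", "")))
    return findings


# Constructed configurations (not from the report): a weak one and a corrected one.
WEAK_CONF = """\
ssid=HomeNet
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=password
"""

GOOD_CONF = """\
ssid=HomeNet
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=Kite-over-3-blue-Rooftops!
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("good", GOOD_CONF)):
        print(name, audit_ap(conf) or ["OK"])
    print("PMK:", wpa_psk_pmk("HomeNet", "Kite-over-3-blue-Rooftops!").hex())
```

Running the script reports five findings for the weak configuration (WPA instead of WPA2, TKIP, and three passphrase rule violations) and none for the corrected one. Note that the PMK changes with the SSID, so two networks with the same passphrase but different names still need separate guessing work; that does not make a weak passphrase acceptable, it only rules out shared precomputation across networks with different names.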

II. Reporting Status of Computer Viruses (for further details, please refer to Attachment 1)

(1)Reporting Status of Virus

While the virus detection count*1 in March was about 24,000, up 10.6 percent from about 22,000 in February, the virus report count*2 in March was 985, equivalent to the February level (974).

*1 Virus detection count: indicates how many times a specific virus appeared in the reports submitted, or the aggregate virus detection counts for a specific period.

*2 Virus report count: indicates how many reports on a specific virus were submitted. If the same type of virus is reported by the same person for the same detection day, the reports are counted as one report for that virus.

* In March, the virus report count, which was obtained by consolidating about 24,000 virus detection reports, was 985.

W32/Netsky marked the highest detection count at about 16,000, followed by W32/Mydoom at about 5,800 and W32/Autorun at about 1,400.

Figure 2-1: Virus Detection Count

Figure 2-2: Virus Report Count

(2)Malicious Programs Detected

In the second half of March 2011, we saw an increase in FAKEAV (fake security software) and BACKDOOR (malicious programs that install a backdoor on a PC).

These malicious programs are often distributed as e-mail attachments, so e-mail attachments should be handled with care.

Figure 2-3: Malicious Program Detection Count

III. Reporting Status of Unauthorized Computer Access (including Consultations; for further details, please refer to Attachment 2)

Table 3-1: Reported Number for Unauthorized Computer Access and the Status of Consultation

                              Oct.'10  Nov.  Dec.  Jan.'11  Feb.  Mar.
Total for Reported (a)             14    14    22       12    10     6
  Damaged (b)                       8     7     7        6     5     6
  Not Damaged (c)                   6     7    15        6     5     0
Total for Consultation (d)         40    45    27       41    23    45
  Damaged (e)                      15    12     7       11     6    10
  Not Damaged (f)                  25    33    20       30    17    35
Grand Total (a + d)                54    59    49       53    33    51
  Damaged (b + e)                  23    19    14       17    11    16
  Not Damaged (c + f)              31    40    35       36    22    35

(1)Unauthorized Computer Access Reported

The report count for unauthorized computer access in March was 6, all of which reportedly involved damage.

(2)Unauthorized Computer Access and Other Related Problems Consulted

The consultation count for unauthorized computer access and other related problems was 45 (2 of which were also included in the report count). 10 of them reportedly had certain damages.

(3)Damages Caused

The breakdown of the damage reports was: intrusion (1); spoofing (5).

The damage caused by "intrusion" was: a tool for attacking external sites embedded in a teleconference system, which then served as a stepping stone for attacks on other sites (1). The damage caused by "spoofing" was: an online service used by someone who impersonated a legitimate user and logged in (mail server (2); online game (1); shopping service (1); IP phone service (1)).

The identified causes were: "poor ID and password management" (1) and "a vulnerability in the OS being exploited" (1); for the rest, the cause remains unknown.

(4) Damage Instances

[Intrusion]

(i) A teleconference system was taken over and used as a stepping stone for attacking external computers

<Instance>

・I detected an access attempting to break into an external server from the company's network.
・Through an investigation, I found that a Cisco teleconference system located in the company had been exploited as a stepping stone for breaking into an external server.
・A vulnerability in the teleconference system's firmware (OS) was exploited by the attacker to obtain administrative privileges; the attacker then broke into the system via SSH* and took control of it.

* SSH (Secure Shell): a protocol that allows a user of one computer to operate a remote computer over a network.

[Spoofing]

(ii) An e-mail account was logged into without authorization and used as a stepping stone for sending unsolicited e-mails

<Instance>

・I found that the log for the company's mail server was growing at a rapid pace. Then I was notified by an external organization: "We have received a large volume of unsolicited e-mails that we think came from your mail server."
・Through an investigation, I found that one of the e-mail accounts had been logged into by an outsider without authorization and then used as a stepping stone for sending unsolicited e-mails.
・Because a large number of e-mails were sent in a short time, most of them were rejected by the destination servers, which in turn sent back a flood of error mails to our company's mail server, using up its hard disk space and causing it to break down.
・As I was unable to identify the exact cause, I deleted all the accounts and re-created them.
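Catching the situation described in instance (ii) before the disk fills up is mostly a matter of watching authentication logs for an account that suddenly submits far more mail than it ever has, from hosts it has never used. The following Python script is an added example (not part of the IPA report or of any mail server's own tooling): it reads constructed syslog lines in the shape of Postfix smtpd SASL authentication records, counts logins per account inside a sliding ten-minute window, and flags accounts that exceed a threshold together with the client addresses involved. The log format, hostnames, account names, addresses, year and thresholds are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Pattern for a Postfix smtpd SASL authentication line: syslog timestamp, host,
# queue id, client host[ip], mechanism and the authenticated username.
AUTH_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: \w+: "
    r"client=\S*\[([\d.]+)\], sasl_method=\w+, sasl_username=(\S+)$"
)


def parse_auth_events(lines, year=2011):
    """Map account -> [(timestamp, client ip)] for every authenticated submission.
    Syslog lines carry no year, so one is assumed."""
    events = defaultdict(list)
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue  # deliveries, bounces and anything else are ignored here
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events[m.group(3)].append((ts, m.group(2)))
    return events


def max_in_window(times, window_s):
    """Largest number of events falling inside any window of window_s seconds
    (two-pointer sweep over the sorted timestamps)."""
    times = sorted(times)
    best, j = 0, 0
    for i, t in enumerate(times):
        while (t - times[j]).total_seconds() > window_s:
            j += 1
        best = max(best, i - j + 1)
    return best


def find_abused_accounts(lines, window_s=600, threshold=20):
    """Accounts that authenticated at least `threshold` times inside any
    `window_s`-second window, with the client addresses they were used from."""
    flagged = {}
    for account, evs in parse_auth_events(lines).items():
        peak = max_in_window([t for t, _ in evs], window_s)
        if peak >= threshold:
            flagged[account] = {
                "max_logins_in_window": peak,
                "client_ips": sorted({ip for _, ip in evs}),
            }
    return flagged


def _constructed_log():
    """Constructed sample: one normal user, one bounce record, and one account
    used for a burst of submissions from two unfamiliar hosts."""
    lines = [
        "Mar 20 09:00:01 mail postfix/smtpd[2001]: A1: client=pc1.example.jp[192.0.2.10], "
        "sasl_method=LOGIN, sasl_username=tanaka",
        "Mar 20 09:07:30 mail postfix/smtpd[2001]: A2: client=pc1.example.jp[192.0.2.10], "
        "sasl_method=LOGIN, sasl_username=tanaka",
        "Mar 20 23:10:05 mail postfix/smtp[2300]: B0: to=<x@example.net>, relay=none, "
        "status=bounced (unknown user)",
    ]
    for i in range(60):  # 60 logins within one minute
        ip = "203.0.113.7" if i % 2 == 0 else "198.51.100.23"
        lines.append(
            f"Mar 20 23:10:{i:02d} mail postfix/smtpd[{2100 + i}]: B{i}: "
            f"client=unknown[{ip}], sasl_method=LOGIN, sasl_username=suzuki"
        )
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for account, info in find_abused_accounts(SAMPLE_LOG).items():
        print(account, info)
```

The threshold and window are deliberately crude; in practice they would be tuned per account against its own history, and the list of client addresses is what tells the operator whether to suspect a stolen password (logins from unfamiliar networks) rather than a runaway mailing script on a known host.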

IV. Unauthorized Computer Access Consulted

The total number of consultations in March was 1,723, of which 466 were related to "One-Click Billing" (compared to 473 in February); 7 to "Fake Security Software" (compared to 9 in February); 22 to "Winny" (compared to 6 in February); and 2 to "A Suspicious E-Mail Sent to a Specific Organization to Collect Specific Information/Data" (compared to zero in February).

Table 4-1: Total Number of Consultations Handled by IPA over the Past Six Months

                             Oct.'10   Nov.   Dec.  Jan.'11   Feb.   Mar.
Total                          1,813  1,692  1,536    1,463  1,521  1,723
  Automatic Response System    1,065  1,036    954      892    892  1,106
  Telephone                      675    580    531      499    570    551
  e-mail                          69     72     49       64     53     58
  Fax, Others                      4      4      2        8      6      8

* IPA operates the "Worry-Free Information Security Consultation Service", which provides consultation and advice on computer viruses, unauthorized computer access, problems related to Winny, and information security in general.

Tel.: +81-3-5978-7509 (24-Hour Automatic Response; Consultations are provided by IPA Security Center personnel and available from Mon.-Fri., 10:00-12:00, 13:30-17:00)
Fax: +81-3-5978-7518 (24-hour automatic response)

* "Automatic Response System": number of consultations handled by the automatic response system
* "Telephone": number of consultations handled by IT Security Center personnel
* The total includes the figures in the Consultation (d) row of Table 3-1 in "III. Reporting Status of Unauthorized Computer Access (including Consultations)".

Figure 4-1: Changes in the Number of Consultation Regarding One-Click Billing

Major consultation instances are as follows:

(i) Having suffered from one-click billing, I sent personal information to the site operator

What was consulted:

When my underage son was browsing a sexually explicit site, a billing screen appeared, so in a hurry I contacted the site operator. They told me that they would make the billing screen disappear if I showed them something to certify his name and date of birth. So I took a photo of his insurance card and sent it by e-mail, and they made the screen disappear. Do you think this was an appropriate response?

Response:

It is dangerous to send important information (such as a copy of an insurance card) to anyone you do not know well. In a case like this, you should first consult the consumer affairs bureau or a similar body and ask whether such a contract is actually valid, regardless of whether it was a minor or an adult who clicked and opened the page.


(ii)I received a suspicious e-mail whose sender's address was identical to a friend of mine's address

What was consulted:

I received a suspicious e-mail whose sender's address was identical to a friend of mine's address. The e-mail has no subject and contains only a suspicious URL in its message. What do you think will happen if I click it? Can I trust this as an e-mail from the friend?

Response:

Upon investigating this URL, we found that the website had been rigged so that a PC browsing it is infected with a virus.

Possible reasons for receiving such an e-mail from your friend's address are that the sender address was spoofed, or that the friend's PC was infected with a virus which sent the e-mail.

If you feel suspicious, do not open the URL contained in the e-mail message and treat the message with skepticism.


V. Access Status Captured by the Internet Fixed-Point Monitoring System (TALOT2) in March

According to the Internet Fixed-Point Monitoring System (TALOT2), 143,494 unwanted (one-sided) accesses were observed at ten monitoring points in March, and the total number of sources* was 41,803. This means that, on average, 624 accesses from 182 sources were observed at one monitoring point per day (See Figure 5-1).

* Total number of sources: the number of distinct sources observed by TALOT2. If multiple accesses from the same source are observed at the same monitoring point/port on the same day, they are counted as one source for that day.

Since the environment of each TALOT2 monitoring point is equivalent to that of a general Internet connection, a comparable number of such accesses can be assumed to reach ordinary Internet users' systems.
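To make the counting rule above concrete, the following Python script is an added example (it is not TALOT2 code and the records are not TALOT2 data). Over a handful of constructed observation records it computes the access and source totals exactly as defined above, the per-point daily averages, a month-over-month per-port comparison of the kind Figure 5-2 presents, and a grouping of sources by /24 prefix that makes the "multiple addresses in the same segment" pattern described for 17500/udp visible. The record layout, monitoring-point names and addresses are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed records in the shape (day, monitoring point, destination port,
# source address). Not TALOT2 data; the record layout is an assumption.
RECORDS = [
    ("2011-03-01", "mp1", "445/tcp", "203.0.113.5"),
    ("2011-03-01", "mp1", "445/tcp", "203.0.113.5"),   # same source, same day
    ("2011-03-01", "mp1", "445/tcp", "198.51.100.9"),
    ("2011-03-02", "mp1", "445/tcp", "203.0.113.5"),   # next day: counted again
    ("2011-03-01", "mp2", "17500/udp", "192.0.2.7"),
    ("2011-03-01", "mp2", "17500/udp", "192.0.2.7"),
    ("2011-03-01", "mp2", "17500/udp", "192.0.2.8"),
]


def count_accesses_and_sources(records):
    """Total accesses, and sources counted the TALOT2 way: repeated hits from
    one source on the same point/port/day collapse to a single source."""
    accesses = len(records)
    sources = len({(day, point, port, src) for day, point, port, src in records})
    return accesses, sources


def daily_average_per_point(records, points, days):
    """Average accesses and sources per monitoring point per day."""
    accesses, sources = count_accesses_and_sources(records)
    return accesses / (points * days), sources / (points * days)


def accesses_by_port(records):
    """Access count per destination port."""
    return Counter(port for _, _, port, _ in records)


def month_over_month(prev, cur):
    """{port: (previous, current, change)} ordered by largest increase first."""
    ports = set(prev) | set(cur)
    rows = {p: (prev.get(p, 0), cur.get(p, 0), cur.get(p, 0) - prev.get(p, 0))
            for p in ports}
    return dict(sorted(rows.items(), key=lambda kv: kv[1][2], reverse=True))


def source_networks(records, port, prefixlen=24):
    """Group the sources hitting `port` by network prefix, to see whether
    'many addresses' are really one segment (as with 17500/udp in the text)."""
    nets = Counter()
    for _, _, p, src in records:
        if p == port:
            net = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
            nets[str(net)] += 1
    return nets


if __name__ == "__main__":
    print("accesses, sources:", count_accesses_and_sources(RECORDS))
    print("per point per day:", daily_average_per_point(RECORDS, points=2, days=2))
    print(month_over_month({"445/tcp": 2, "80/tcp": 1}, accesses_by_port(RECORDS)))
    print(source_networks(RECORDS, "17500/udp"))
```

With the constructed records, seven accesses collapse to five sources, because the repeated hits from 203.0.113.5 and 192.0.2.7 on the same point, port and day count once each; the same source on the next day counts again, which is why the source figure tracks persistence rather than volume.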

Figure 5-1: Daily, Averaged Number of Unwanted (One-Sided) Accesses and Sources at the Same Monitoring Point/Port per Month (From October 2010 to March 2011)

Figure 5-1 shows the daily averaged number of unwanted (one-sided) accesses and sources at the same monitoring point/port per month (from October 2010 to March 2011). As the figure shows, the number of unwanted (one-sided) accesses in March increased significantly compared to the February level.

Figure 5-2 shows the March-over-February comparison of the number of unwanted (one-sided) accesses, classified by destination (port type). As the figure shows, compared to the February level, there was a particular increase in the number of accesses to 445/tcp, 17500/udp and 16753/udp.

Figure 5-2: March-over-February Comparison for the Number of Access, Classified by Destination (Port Type)

445/tcp is a port likely to be used for attacks that exploit a Windows vulnerability. As in the previous month, we saw an increase in the number of accesses to this port, attributable to increased access from countries other than the U.S. and the rest of the top 10 countries.

Figure 5-3: Access to 445/tcp (Total Number of Accesses Observed at Ten Monitoring Points)

As for 17500/udp, as in the previous month, accesses were made at a regular interval from multiple IP addresses within the same segment against a single TALOT2 monitoring point (See Figure 5-3). Since consumer software that sends broadcasts to this port is known to exist, this access may have been generated by a PC running that software. What appeared to be multiple IP addresses turned out to be one PC that was assigned a different IP address each time it connected to the network. The other monitoring points are configured so that broadcasts do not reach the terminal, so this access was not detected there.

As for 16753/udp, in the second half of March, accesses were made from multiple IP addresses against a single TALOT2 monitoring point (See Figure 5-4). Why this port was accessed has yet to be identified, as it is not a port assigned to any specific application.

Figure 5-4: Access to 16753/udp (Total Number of Accesses at a Single Monitoring Point)

In the previous issue, we reported that since February 21, an increasing number of accesses from multiple IP addresses in Myanmar had been observed at multiple TALOT2 monitoring points; in March, such accesses to 80/tcp, 443/tcp, 25/tcp, 21/tcp, 22/tcp and 1/tcp have been observed (See Figure 5-5). Similar increasing trends have also been observed by other organizations undertaking fixed-point observation, and because this could be some sort of attack, we will continue to watch accesses to these ports.

Figure 5-5: Access to 21/tcp, 22/tcp, 25/tcp, 80/tcp, 443/tcp and 1/tcp from IP Addresses in Myanmar

A variety of statistical information is also provided by other organizations and vendors.

Contact

IT Security Center, Information-technology Promotion Agency, Japan (IPA/ISEC)
Tel:+81-3-5978-7591
Fax:+81-3-5978-7518
E-mail: