IPA/ISEC in JAPAN:virus and UCA incident report for May2011

Jun 10, 2011

IT Security Center
Information-technology Promotion Agency, Japan (IPA)

This is the summary of the computer virus/unauthorized computer access incident report for May 2011, compiled by the Information-technology Promotion Agency, Japan (IPA).

I. Reminder for the Month:

"My password is a treasure unknown to anybody other than myself"*1

From April to May, information leakage incidents occurred one after another, one of which caused one hundred million users' account information (including ID and password) to be leaked. Those using the service in question are required to change their password as their leaked account information might be used fraudulently to gain unauthorized access (i.e., spoofing).

Although there have been a number of cases involving "spoofing", this is the first time such a large amount of information was leaked, possibly including information of users who were using the same ID and password for other services as well (hereinafter referred to as "cross-service" ID and password). If this is the case, "spoofing" might also be carried out against those other services, inflicting further damages.

Phishing*2 attacks that steal account information for a leading company's Web-based e-mail service have also become prevalent. If you use a cross-service ID and password, a single stolen credential can spread the damage to your other services as well.

If "spoofing" occurs on an online service you use, you might sustain monetary damage. To prevent this, exercise adequate caution in creating and managing your password. Remember that IDs and passwords used for online services are constantly targeted by malicious entities attempting to use them fraudulently, and manage them appropriately.

*2 Phishing: an attempt to illicitly obtain the victim's ID and password on a bogus Web page to which the victim is guided through a doctored e-mail that looks as if it came from a legitimate Web service or an existing company (e.g., a financial institution).

(1)Risks of Using Cross-Service ID and Password

Nowadays, there are many different online services, each of which requires users to register and manage an ID and password. In such situations, users tend to register a cross-service ID and password because they think they cannot remember many different passwords. Should a cross-service ID and password be leaked from one of those services, spoofing might also be carried out against the other services, incurring further damages (See Figure 1-1).

Figure 1-1:Risks of Using Cross-Service ID and Password

【1】Cross-service ID and passwords registered in multiple online services

To simplify password management, the user registers cross-service ID and passwords in multiple services (Company A, B and C in Figure 1-1).

【2】Company B's Website is logged into by a malicious entity by using account information for Company A's Website

An information leakage incident occurs at Company A in which clients' passwords are leaked to a malicious entity; he then tries to log into Company B's Website by using the leaked information and succeeds.

【3】A malicious entity cracks a password to log into Company C's Website and then logs into Company B's Website by using the account information

A malicious entity obtains a user's ID and password at Company C's Website, which has no sufficient countermeasures in place against Brute Force attack*3 and Dictionary attack*4, both of which are designed to crack a password; he then tries to log into Company B's Website by using that information and succeeds.

*3 An attack by force that tries every possible combination of characters until it cracks a password. Character sets are created based on certain rules.

*4 An attack that tries every possible combination of words in a dictionary until it cracks a password.

A key point in preventing "spoofing"-induced damages from spreading is not to use a cross-service ID and password.

Basically, to avoid falling victim to "spoofing", you need to implement basic ID & password handling measures.

(2)Basic Countermeasures against Spoofing

Basic countermeasures against "spoofing" are divided into three categories: strengthening, keeping, and using a password (See Figure 1-2).

You should not be negligent of any one of these three items.

Figure 1-2:Countermeasures against Spoofing

By referring to the following points, implement appropriate ID and password management.

(a)Strengthen your password

If an easy-to-crack password is used, an attacker can easily crack it by using Brute Force attack or Dictionary attack. So, use a hard-to-crack password that meets the following conditions:

Use a combination of all kinds of characters (e.g., alphabetical characters (upper- and lower-case), numeric characters, symbols)

Use eight or more letters

Do not use a simple word that can be found in a dictionary or the name of a person or a place
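The following is an added example (not IPA's code) that checks a password against the three conditions above. It goes slightly beyond them by also rejecting a dictionary word disguised with trailing digits or common character substitutions, since Dictionary attacks try such variants routinely; the word list and substitution table are constructed for this example.

```python
import string

# Constructed mini word list standing in for a real dictionary and name list
# (a real check would load full lists of words, personal names and place names).
DICTIONARY = {"password", "dragon", "baseball", "welcome", "tokyo", "tanaka", "london"}

# Character substitutions a Dictionary attack tries as a matter of routine,
# so "P@ssw0rd" is treated as the dictionary word "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "7": "t"})


def normalise(pw):
    """Reduce a password to the word an attacker's dictionary would list it under:
    lower-case it, strip leading/trailing digits and symbols, undo substitutions."""
    core = pw.lower().strip(string.digits + string.punctuation)
    return core.translate(LEET)


def check_password(pw):
    """Return the list of the report's conditions that pw fails (empty list = passes)."""
    failures = []
    if len(pw) < 8:
        failures.append("shorter than eight characters")
    kinds = {
        "upper-case letter": string.ascii_uppercase,
        "lower-case letter": string.ascii_lowercase,
        "numeric character": string.digits,
        "symbol": string.punctuation,
    }
    missing = [name for name, chars in kinds.items() if not any(c in chars for c in pw)]
    if missing:
        failures.append("missing character kinds: " + ", ".join(missing))
    core = normalise(pw)
    if core in DICTIONARY:
        failures.append(f"based on the dictionary word or name '{core}'")
    return failures


if __name__ == "__main__":
    for candidate in ["password", "P@ssw0rd", "Tokyo2011!", "Gx7#qLm2v"]:
        print(candidate, "->", check_password(candidate) or "passes all conditions")
```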

(b)Keep your password safe

Once you have created a hard-to-crack password, observe the following points concerning password preservation:

When you take a note of your password, do it separately from your ID

If you created a long, complex password, it would be difficult to remember. In such cases, you may write it down on paper, but do it separately from your ID and keep the two apart. By doing so, even if your password were stolen by a malicious entity, it would be difficult for him to identify the associated ID and thus to carry out spoofing.

Check for unused IDs on a regular basis

If you leave an old ID unused, its associated password might be cracked over time. It is recommended to regularly check for unused services and deregister your IDs for those services.

(c)Use your password in an appropriate manner

Cautions should be exercised in entering your password for using a service.

Do not enter your ID and password on a PC that can be used by an unspecified number of people, such as a PC in a Net cafe

Even if you set a hard-to-crack password for a service, if the PC in a Net cafe contains a virus that steals passwords, the password might easily be stolen. On a PC that is not under your control, do not use any online service requiring your ID and password.

Use the one-time password service (e.g., two-factor authentication, two-step authentication)

Online banking and online games may offer a service called "one-time password", in which a password valid only once is issued to the user. Even if your PC were infected with a virus that steals IDs and passwords and they were stolen, you need not worry about their fraudulent use, as they are valid only one time. And even if you were taken in by phishing and your ID and password were stolen, no exploitation would occur. Note, however, that it is essential: not to pass your one-time password token*5 to others; not to reveal the password shown by the token to others; and to enter your password only on reliable Websites.

Some online services have a feature that sends the user an e-mail message each time he or she logs into the service (i.e., a log-in alert feature). If you receive a log-in alert e-mail for a log-in you do not recognize, lock your account immediately, which would minimize the damage incurred.

*5 Token: hardware or software that is used for user authentication. If the token is hardware-based, it can be small enough to fit comfortably in one's pocket and have a feature such as displaying one-time password created based on the local time or storing an encryption key or information for biometric authentication.

Even if you are implementing the above-mentioned countermeasures against spoofing, it is essential to install antivirus software, which is a basic security countermeasure. We've confirmed a virus that captures the ID and password entered in the login screen of an online service (i.e., a key logger). To prevent your PC from being infected with such a virus, which in turn steals stored information, install antivirus software and keep its virus definition files up-to-date.

In addition, it is essential to implement anti-vulnerability measures for your OS and application software.

Also note that Internet Explorer and other browsers have a feature for storing users' IDs and passwords, but we've confirmed a virus that steals information stored in browsers. To reduce the risk of them being stolen, do not save your ID and password in your browser.

II. Reporting Status of Computer Virus (for further details, please refer to Attachment 1)

(1)Reporting Status of Virus

While the virus detection count*1 in May was about 23,000, down 11.4 percent from about 26,000 in April, the virus report count*2 in May was 1,049, down 7.8 percent from the April level (1,138).

*1 Virus detection count: indicates how many times a specific virus appeared in the reports submitted, or the aggregate virus detection counts for a specific period.

*2 Virus report count: indicates how many reports on a specific virus were submitted. If the same type of viruses were reported by the same person with the same detection day, they are counted as one report regarding the virus of that sort.

* In May, the virus report count, which was obtained by consolidating about 23,000 virus detection reports, was 1,049.

W32/Netsky marked the highest detection count at about 15,000, followed by W32/Mydoom at about 5,600 and W32/Autorun at about 700.

Figure 2-1: Virus Detection Count

Figure 2-2: Virus Report Count

(2)Malicious Programs Detected

In May, we saw an increase of BACKDOOR, which refers to a malicious program that installs backdoors on a PC, and DOWNLOADER, which refers to a malicious program that infects a PC with another virus (See Figure 2-3).

Figure 2-3: Malicious Program Detection Count

III. Reporting Status of Unauthorized Computer Access (including Consultations) (for further details, please refer to Attachment 2)

Table 3-1: Reported Number for Unauthorized Computer Access and the Status of Consultation

                               Dec.'10  Jan.'11  Feb.  Mar.  Apr.  May
Total for Reported (a)              22       12    10     6     5    7
  Damaged (b)                        7        6     5     6     5    6
  Not Damaged (c)                   15        6     5     0     0    1
Total for Consultation (d)          27       41    23    45    38   55
  Damaged (e)                        7       11     6    10    10   14
  Not Damaged (f)                   20       30    17    35    28   41
Grand Total (a + d)                 49       53    33    51    43   62
  Damaged (b + e)                   14       17    11    16    15   20
  Not Damaged (c + f)               35       36    22    35    28   42

(1)Unauthorized Computer Access Reported

The report count for unauthorized computer access in May was 7, of which 6 reportedly involved actual damage.

(2)Unauthorized Computer Access and Other Related Problems Consulted

The consultation count for unauthorized computer access and other related problems was 55, of which 14 reportedly involved actual damage.

(3)Damages Caused

The breakdown of the damage reports was: intrusion (4); spoofing (2).

Damages caused by "intrusion" were: a server's vulnerability being exploited to place a suspicious file on it and information in the database being stolen (1); Web pages being defaced (3; in one case, contents to be used for phishing* were embedded). Causes of "intrusion" were: an older version being used (1); a weak password being set (1); incorrect access-control settings (1) (the others remain unknown).

Damages caused by "spoofing" were: a free Web-based e-mail service being logged in an unauthorized manner and an e-mail being sent (1); an online service being logged in an unauthorized manner and the victim's account being deleted (1).

* phishing: an attempt to illicitly obtain the victim's ID and password on a bogus Web page to which the victim is guided through a doctored e-mail that looks as if it came from a legitimate Web service or an existing company (e.g., a financial institution).

(4) Damage Instance

[Spoofing]

(i)My Web-based e-mail service was logged into in an unauthorized manner and my account deleted
<Instance>
– All of a sudden, I became unable to log into the Web-based e-mail service which I had been using regularly.
– When I contacted the service provider, I was told that a third party had logged into it and performed "ID deletion".
– I think my password had been stolen, but I wonder how?

[Intrusion]

(ii)Damages thought to have been caused by "Gumblar"
<Instance>
– When I accessed my company's homepage, a virus alert was issued by the antivirus software.
– Upon investigating the Website's contents, I found in the HTML source code a script that guides a site visitor to a malicious site.
– Immediately I changed my ftp password. As a future measure, I restricted the IP addresses from which an ftp connection can be established.

IV. Unauthorized Computer Access Consulted

The total number of consultations in May was 1,640. Of these, 519 were related to "One-Click Billing" (compared to 455 in April); 3 to "Fake Security Software" (compared to 6 in April); 5 to "Winny" (compared to 13 in April); and 8 to "A Suspicious E-Mail Sent to a Specific Organization to Collect Specific Information/Data" (compared to 1 in April).

Table 4-1: Total Number of Consultations Handled by IPA over the Past Six Months

                            Dec.'10  Jan.'11   Feb.   Mar.   Apr.    May
Total                         1,536    1,463  1,521  1,723  1,608  1,640
  Automatic Response System     954      892    892  1,106    997    950
  Telephone                     531      499    570    551    555    620
  e-mail                         49       64     53     58     50     62
  Fax, Others                     2        8      6      8      6      8

* IPA has set up the "Worry-Free Information Security Consultation Service", which provides consultation/advice on computer viruses, unauthorized computer access, problems related to Winny, and information security in general.

Tel.: +81-3-5978-7509 (24-Hour Automatic Response; Consultations are provided by IPA Security Center personnel and available from Mon.-Fri., 10:00-12:00, 13:30-17:00)
Fax: +81-3-5978-7518 (24-hour automatic response)

*”Automatic Response System”: number of consultations handled by the automatic response system
*”Telephone”: number of consultations handled by Security Center personnel
*The Total Number includes the figures in the Consultation (d) column of Table 3-1, “III. Unauthorized Computer Access Reported (including Consultations)”.

Figure 4-1: Changes in the Number of Consultation Regarding One-Click Billing


Major consultation instances are as follows:

(i)I received a suspicious e-mail from the FBI

I received an e-mail from the would-be FBI. The subject was "You visit illegal websites" and a file was attached to the e-mail. The body text was written in English and contained the message "We've detected your IP address in many illegal Websites' logs. So, we want you to answer the questions in the attached file." I have nothing in mind. Why did I receive an e-mail like this?

Response:

This is likely a trap e-mail with a spoofed sender, targeted at an unspecified number of people. In early May 2011, a security company abroad issued a security alert about a similar e-mail being circulated. Apparently, opening the attached file results in a virus infection.

A malicious entity attempts to trick the target into opening the virus by using persuasive wording. So if you receive any e-mail you do not recognize, do not carelessly open it or its attachment.

(ii)My online game was accessed in an unauthorized manner

What was consulted:

When I logged into the online game site which I'd been using regularly, I could not locate my items and in-game currency that had certainly been there the previous day.

In fact, a few days before this happened, while I was logged in to the online game, it was also logged into by somebody else (i.e., a double log-in) and I lost the connection. Just in case, I changed my password, but even after that, unauthorized access was successfully made by the third party.

I wonder how he made it?

Response:

With a password-cracking method such as a Brute Force attack*, which may take a long time to crack a password, a password that has just been changed would normally not be cracked for a while.

But in your case, although you had changed your password, it was cracked in a relatively short period of time. So, it is likely that the new password was simple enough to be cracked easily, or that your PC had been infected with a virus that steals password information.

If this incident was caused by a virus, you would need to clean it by using antivirus software, but even if no virus is detected by the antivirus software, you should not let down your guard. Just in case, it is recommended to initialize your PC (restore it to its initial state).

V. Access Status Captured by the Internet Fixed-Point Monitoring System (TALOT2) in May

According to the Internet Fixed-Point Monitoring System (TALOT2), 189,497 unwanted (one-sided) accesses were observed at ten monitoring points in May, and the total number of sources* was 78,227. This means that, on average, 611 accesses from 252 sources were observed at one monitoring point per day (See Figure 5-1).

*Total number of sources: indicates how many sources of access in total were observed by TALOT2. If multiple accesses from the same source were observed at the same monitoring point/port on the same day, they are counted as one access from that source on that day.

Since the environment of each monitoring point for TALOT2 is equivalent to that of general Internet connection, an equal number of such accesses are thought to be made in the Internet users’ system environment.

Figure 5-1: Daily, Averaged Number of Unwanted (One-Sided) Accesses and Sources at the Same Monitoring Point/Port per Month (From December to May)

Figure 5-1 shows the daily averaged number of unwanted (one-sided) accesses and sources at the same monitoring point/port per month (from December 2010 to May 2011). As shown in this figure, the number of unwanted (one-sided) accesses in May decreased compared to the April level.

Figure 5-2 shows the May-over-April comparison of the number of unwanted (one-sided) accesses, classified by destination (port type). As shown in this figure, compared to the April level, there was a particular increase in the number of accesses to 10394/udp, 10394/tcp and "others".

Figure 5-2: May-over-April Comparison for the Number of Access, Classified by Destination (Port Type)

As for 10394/udp and 10394/tcp, we saw an increase around May 22 (See Figure 5-3). It has yet to be identified why this port was accessed, as it is not a port used by a specific application. These accesses were observed at a single monitoring point but were made from multiple sources.

Figure 5-3: Access to 10394/tcp and 10394/udp (Total Number of Accesses Observed at One Monitoring Point)

Through analysis of the increased access to "others", we found that a series of accesses from an IP address in the U.S. (80/tcp) was made from May 20 to 23 and observed at a single TALOT2 monitoring point (See Figure 5-4). All of these accesses turned out to be SYN/ACK packets sent from elsewhere (i.e., bounced packets (*3)) to a spoofed address identical to one used by TALOT2, so it is possible that a DoS attack (SYN Flood attack) (*1) was carried out against certain organizations using a TALOT2 address as the spoofed source.

Figure 5-4: Changes in the Number of Bounced Packets for Each Monitoring Point (In the Case of the SYN Flood Attack from an IP Address in the U.S.)

On May 26, accesses from an IP address in China (7001/tcp) were observed (See Figure 5-5). Because all of these accesses turned out to be SYN/ACK packets and an address used by TALOT2 had been used for address spoofing, as in the case above, it is possible that a SYN Flood attack was carried out against certain organizations.

Figure 5-5: Changes in the Number of Bounced Packets for Each Monitoring Point (In the Case of the SYN Flood Attack from an IP Address in China)

(*1) DoS attack (SYN Flood attack)
DoS stands for Denial of Service. A DoS attack causes stoppage or degradation of a service provided by the target machine. One type of DoS attack is the SYN Flood attack, which overloads the target machine: it sends a large number of SYN packets (the first packet in the three-way handshake (*2) connection establishment process) with a spoofed source address, leaving a large number of pending (half-open) connections on the target.

(*2) Three-way handshake
This is the connection establishment process for TCP communication. Through this process, both ends become able to communicate with each other.
The process flow is as follows:
1. A sends a SYN packet to B
2. B sends back a SYN plus ACK packet to A
3. A sends an ACK packet to B

(*3) Bounced packet
In a DoS attack (SYN Flood attack), a large number of SYN plus ACK packets may be sent from the targeted machine(s) to the attacker-specified spoofed address. These packets are called "bounced packets".
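To make the bounced-packet reasoning of this section concrete, here is an added example (not IPA's or TALOT2's code) that scans constructed sensor log lines for unsolicited SYN/ACK packets, the signature of a sensor address being used as the spoofed source of a SYN flood against the sender, and also counts distinct sources per port, as for the 10394/tcp and 10394/udp increase. The log line layout and the sample addresses are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# Assumed line layout for this example (the real TALOT2 log format is not on the page):
#   <YYYY-MM-DD> <HH:MM:SS> <monitoring point> <src ip> <dst port>/<proto> <tcp flags>
# Flags use tcpdump-style letters (S = SYN, A = ACK); UDP lines carry "-".
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<mp>\S+) (?P<src>\S+) "
    r"(?P<port>\d+)/(?P<proto>tcp|udp) (?P<flags>\S+)$"
)

# Constructed sample log using TEST-NET addresses; these are not real observed sources.
SAMPLE_LOG = """\
2011-05-20 09:00:01 MP3 203.0.113.10 80/tcp SA
2011-05-20 09:00:01 MP3 203.0.113.10 80/tcp SA
2011-05-20 09:00:02 MP3 203.0.113.10 80/tcp SA
2011-05-20 09:00:02 MP3 203.0.113.10 80/tcp SA
2011-05-22 14:10:00 MP7 198.51.100.4 10394/tcp S
2011-05-22 14:10:03 MP7 198.51.100.9 10394/tcp S
2011-05-22 14:10:05 MP7 198.51.100.21 10394/udp -
2011-05-22 14:11:00 MP7 198.51.100.33 10394/udp -
2011-05-26 11:30:00 MP3 203.0.113.55 7001/tcp SA
2011-05-26 11:30:00 MP3 203.0.113.55 7001/tcp SA
2011-05-26 11:30:01 MP3 203.0.113.55 7001/tcp SA
2011-05-26 11:30:09 MP3 192.0.2.8 25/tcp SA
"""

def parse_log(text):
    """Parse the log text into dicts; lines not matching the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            records.append(rec)
    return records

def is_syn_ack(rec):
    """True for a TCP packet carrying exactly the SYN and ACK flags (handshake step 2)."""
    return rec["proto"] == "tcp" and set(rec["flags"]) == {"S", "A"}

def find_backscatter(records, min_packets=3):
    """Return {(src, port): count} for sources that sent >= min_packets SYN/ACKs.
    A passive sensor never initiates connections, so an inbound SYN/ACK is step 2 of a
    handshake someone else started with the sensor's address as spoofed source: a 'bounced packet'."""
    counts = Counter((r["src"], r["port"]) for r in records if is_syn_ack(r))
    return {key: n for key, n in counts.items() if n >= min_packets}

def sources_per_port(records):
    """Return {'port/proto': distinct source count} for probes (SYN/ACKs excluded)."""
    sources = defaultdict(set)
    for r in records:
        if not is_syn_ack(r):
            sources[f"{r['port']}/{r['proto']}"].add(r["src"])
    return {k: len(v) for k, v in sources.items()}

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("suspected bounced packets:", find_backscatter(recs))
    print("distinct sources per port:", sources_per_port(recs))
```

A single SYN/ACK (192.0.2.8 above) stays below the threshold, since one stray packet is not evidence of a flood.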


Contact

IT Security Center, Information-technology Promotion Agency, Japan (IPA/ISEC)
Tel:+81-3-5978-7591
Fax:+81-3-5978-7518