IPA/ISEC in JAPAN: Virus and UCA Incident Report for June 2011, and the 1st Half of 2011

July 15, 2011

IT Security Center
Information-technology Promotion Agency, Japan (IPA)

This is a summary of the computer virus/unauthorized computer access incident report for June 2011 and the 1st half of 2011, compiled by the Information-technology Promotion Agency, Japan (IPA).

I. Reminder for the Month:

"Let's check for your countermeasure situation regarding cyber attacks"

In April 2011, there was a news report on a large-scale personal information leak involving Sony's "PlayStation Network". Following this, cyber attacks against many different organizations have been reported in rapid succession, including ones for which groups such as "Anonymous" and "LulzSec" claimed responsibility afterwards or announced their plans in advance. These have gained public attention and raised concerns about the threat of, and countermeasures against, cyber attacks. Regardless of their size and line of business, all kinds of organizations and enterprises in our country may also become the target of such attacks. In response to this situation, the Ministry of Economy, Trade and Industry (METI) released a guideline to "Bring Information Security Measures Home to the Public".


"Announcement and implementation of information security measures based on recent trends" (METI)
http://www.meti.go.jp/english/press/2011/0527_02.html

Each organization is required to check the status of its countermeasures against cyber attacks and to review its systems and countermeasures if necessary, with those in management positions, the system management department, and rank-and-file employees acting in unison.

(1) Characteristics of the Recent Cyber Attacks

In recent years, various organizations have suffered cyber attacks, including large corporations such as Sony, Nintendo and Google, public institutions such as the IMF, and government-related organizations of different countries such as the CIA. According to a questionnaire survey*1 conducted by METI, enterprises that had received a "targeted attack", one type of cyber attack, accounted for 33 percent of all responding enterprises in 2011, an exponential increase from 5.4 percent in 2007. Moreover, this figure does not include enterprises whose damage has not yet come to light, so we consider that a large number of organizations using the Internet are being targeted by cyber attacks.

*1 From the above-mentioned "Presenting the Information Security Measures That are Based on the Current Trend and Bring Them Home to the Public" (METI).

From the recent cyber attacks targeting enterprises/organizations, we can see changes in attackers' motives as well as the increasing sophistication of attack avenues (see Figure 1-1).

Figure 1-1: Characteristics of the Recent Cyber Attacks

Changes in Attackers' Motive

The motives of those carrying out cyber attacks have shifted from "mischief", "showing off their ability", etc. to "pecuniary motive" and "obstructing organizational activities".

In the case of a pecuniary motive, the attacker knows about valuable information held by the organization (e.g., classified information or personally identifiable information (PII)) and tries to obtain it and ultimately make money out of it. If such information is leaked, it might be used for illicit purposes, causing extensive damage to the organization's activities.

This time, Sony suffered the leakage of the PII of more than one hundred million customers, and the cost of responding to unauthorized computer access of this kind was estimated at about 1.4 billion yen*2. Apart from Sony, many other organizations have reportedly been targeted by attackers trying to obtain the PII they hold, which could affect their business continuity.

On the other hand, an increasing number of politically or ideologically motivated cyber attacks have been reported, whose purpose is to obstruct a specific organization's activities or to cause social turmoil. The US Secretary of Defense announced that "We consider cyber attacks an act of war"*3, so we are concerned about an escalation of such attacks and a worsening of the damage they cause.

*2 "Consolidated Earnings Forecast for Fiscal 2010 Revised" (Sony)
http://www.sony.co.jp/SonyInfo/IR/financial/fr/10revision_sonypre.pdf (in Japanese)

*3 "The U.S. Expressed Serious Concerns about Cyber Attacks, Ready to Tackle Them as an Act of War" (Reuters)
http://jp.reuters.com/article/topNews/idJPJAPAN-21538820110606 (in Japanese)

(2) Avenues of Cyber Attacks

This section explains recently-used, prominent avenues of cyber attacks that are depicted in Figure 1-1.

(i) An Attack/Penetration that Exploits a Vulnerability

If a vulnerability exists in the operating system or an application running on a public server connected to the Internet, an attacker may exploit it to steal information from internal systems through the public server, which is extremely dangerous. While this kind of attack avenue is long-standing, new vulnerabilities are discovered every day, so countermeasures must be taken on an ongoing basis.

According to the vulnerability-related information submitted to the "Information Security Early Warning Partnership"*4, of the 6,651 reports submitted in total (as of June 2011), 5,444 were related to websites, accounting for more than 80 percent. Because a website consists of operating systems, various types of middleware, web applications, databases, etc., vulnerabilities in all of those components should be eliminated.

*4 "Vulnerability-Related Information Submitted" (IPA)
http://www.ipa.go.jp/security/vuln/report/index.html (in Japanese)

(ii) Pinpoint E-mailing

Pinpoint e-mailing is a type of "targeted attack" in which a virus-containing e-mail crafted to entrap a specific organization or individual is sent to the target. Unlike other virus-containing e-mails distributed at random, it uses an authentic-looking sender name or message body, or a virus that is hard for antivirus software to detect. If the user is taken in and opens the e-mail attachment or clicks a link in the message body, his/her PC is infected with the virus. The PC might then be used by the attacker as a "stepping stone" for breaking into the inner systems.

(3) Countermeasures

Countermeasures against cyber attacks need to be addressed by the whole organization. Table 1-1 shows role-based countermeasure guidelines for organization members.

Table 1-1: Role-Based Countermeasure Guidelines (In the Case of Cyber Attacks)

Role: Those in a management position
Guidelines for action: As part of managing the business risks that could affect the entire organization, check and review organization-wide security countermeasures from the standpoint of the business continuity plan (BCP) and corporate social responsibility (CSR).

Role: System management department, system administrators
Guidelines for action: For the systems and services currently in operation, check the countermeasures against cyber attacks and, if they need to be bolstered, do so as early as possible.

Role: Rank-and-file employees, general users
Guidelines for action: If a PC used within the organization is infected with a computer virus, it might be used by an attacker as a "stepping stone" for breaking into the inner systems. Remember that the threat of cyber attacks extends to rank-and-file employees and other individuals, and be sure to take the necessary security countermeasures.

The remainder of this section explains countermeasures against avenues of cyber attacks described in (2).

(a) Countermeasures against an "attack/penetration that exploits a vulnerability"

(a-1) For those in a management position, those in the system management department and system administrators

As described in "(i) An attack/penetration that exploits a vulnerability", one of the main targets of cyber attacks is the website operated by an organization. Attackers try to steal classified information through such websites, or to take covert control of them in order to break into the inner systems. In response to the series of information leakage incidents, IPA issued the following security alert in May 2011.

<Reference>

This security alert contains a "checklist" with which you can check the security countermeasures your organization has taken for its systems and networks (see Figure 1-2). To get a picture of not only your website but also the other systems operated by your organization, it is recommended to check the countermeasures taken once again.

Figure 1-2: Image of the "Checklist" (For the Latest Version, See the Security Alert Listed Above)

This checklist is intended to serve as a comprehensive list of the security countermeasures that should be taken, including somewhat advanced ones. Go through this check process and, if you find any deficiency in a security countermeasure, fill it. Note, however, that it is important to have well-balanced countermeasures in place, taking into account the assets to be protected and their level of importance.

Organizations should also pay attention to up-to-the-minute information on cyber attacks and periodically check the prevalent attack avenues and whether their security countermeasures have become obsolete.

(b) Countermeasures against "Pinpoint E-mailing"

(b-1) For all the members of the organization

Pinpoint e-mailing may involve a crafted PDF file. Basically, it is intended to infect the victim's PC with a computer virus by exploiting a vulnerability in software running on the PC. General users are recommended to use the "MyJVN Version Checker" provided by IPA so that they can keep their operating systems and applications up to date and eliminate existing vulnerabilities.

<Reference>

Recommended countermeasures against pinpoint e-mailing are the elimination of vulnerabilities and the use of antivirus software, both of which are mentioned above, as well as human countermeasures such as "recognizing a trap e-mail and not opening it" and "informing all organization members about any suspicious e-mail received".

IPA posts on its website a report on, and countermeasures against, pinpoint e-mailing (available in Japanese only). Because such e-mails might arrive in the mailbox of any member of the organization, all PC users should understand the threats they are exposed to and exercise caution accordingly. Furthermore, organizations should establish rules on how to respond to a suspicious e-mail received (including informing all other members).

<Reference>

(b-2) For those in a management position, those in the system management department and system administrators

JPCERT/CC released the results of its "IT Security Vaccination" and the findings of its research on effective implementation, which would help organizations train and prepare their members for a "trap e-mail".

<Reference>

II. Reporting Status of Computer Viruses (for further details, please refer to Attachment 1)

(1) Reporting Status of Viruses

While the virus detection count*1 in June was about 38,000, up 64.9 percent from about 23,000 in May, the virus report count*2 in June was 1,209, up 15.3 percent from the May level (1,049).

*1 Virus detection count: indicates how many times a specific virus appeared in the reports submitted, or the aggregate virus detection count for a specific period.

*2 Virus report count: indicates how many reports on a specific virus were submitted. If the same type of virus is reported by the same person on the same detection day, these are counted as one report for that virus.

* In June, the virus report count, obtained by consolidating about 38,000 virus detection reports, was 1,209.

W32/Netsky marked the highest detection count at about 16,000, followed by W32/Gammima at about 9,400 and W32/Mydoom at about 9,000.

Figure 2-1: Virus Detection Count

Figure 2-2: Virus Report Count

(2) Malicious Programs Detected

In June, we saw an increase of BACKDOOR, which refers to a malicious program that installs backdoors on a PC (See Figure 2-3).

Figure 2-3: Malicious Program Detection Count

III. Reporting Status of Unauthorized Computer Access (includes Consultations) (please refer to Attachment 2 for further details)

Table 3-1: Reported Number of Unauthorized Computer Access Incidents and the Status of Consultations

                              Jan.'11  Feb.  Mar.  Apr.  May  Jun.
Total Reported (a)                 12    10     6     5    7    9
  Damaged (b)                       6     5     6     5    6    9
  Not Damaged (c)                   6     5     0     0    1    0
Total Consultations (d)            41    23    45    38   55   32
  Damaged (e)                      11     6    10    10   14    7
  Not Damaged (f)                  30    17    35    28   41   25
Grand Total (a + d)                53    33    51    43   62   41
  Damaged (b + e)                  17    11    16    15   20   16
  Not Damaged (c + f)              36    22    35    28   42   25

(1) Unauthorized Computer Access Reported

The report count for unauthorized computer access in June was 9, all of which reportedly had certain damages.

(2) Unauthorized Computer Access and Other Related Problems Consulted

The consultation count for unauthorized computer access and other related problems was 32, of which 7 reportedly involved actual damage.

(3) Damages Caused

The breakdown of the damage reports was: intrusion (8); DoS attack (1).

Damages caused by "intrusion" were: credit card information, etc. being stolen from a database (3); web pages being defaced (2); the server being used as a stepping stone (4). Causes of "intrusion" were: a weak password being set (3); a vulnerability in a web application being exploited (3); improper settings (1) (the others remain unknown).

(4) Damage Instance

[Intrusion]

(i) A malicious program running on our server, which in turn carried out an attack against an external computer
<Instance>
  - I received a phone call from an external party, saying "We received an attack from your server".
  - The server in question was an experimental server which was not configured to block remote access via SSH.
  - I found that an account whose password was "password" had been used by the intruder to break into the server.
  - A malicious program to attack an external computer was running on the server.
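Added example for the instance above (not IPA's code and not part of the original report): a small Python audit that reads an sshd_config text for the settings that leave a server open to remote password guessing, and screens a candidate password against a blocklist of trivial values such as the one found on the compromised server. The sample configuration, the expected values and the blocklist are constructed for this example; the parser follows sshd's first-occurrence rule but does not handle Match blocks.

```python
"""sshd_config audit and trivial-password screen (added example, not IPA's code)."""
import re

# Constructed sample resembling the experimental server in the instance:
# password logins accepted, root login allowed, empty passwords allowed.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample, not a real host)
Port 22
#PasswordAuthentication no      <- commented out, so it has no effect
PasswordAuthentication yes
PermitRootLogin yes
PermitEmptyPasswords yes
"""

# Values a hardened host is expected to carry. Keywords are matched
# case-insensitively, as sshd itself does.
EXPECTED = {
    "PasswordAuthentication": "no",   # key-based authentication only
    "PermitRootLogin": "no",
    "PermitEmptyPasswords": "no",
}

# Constructed blocklist; a real deployment would use a far larger list.
TRIVIAL_PASSWORDS = {"password", "123456", "admin", "root", "test", "qwerty"}


def parse_sshd_config(text):
    """Return {keyword_lowercase: value} from sshd_config text.

    Comments and blank lines are ignored. sshd uses the first occurrence of
    a keyword, so a later duplicate does not override an earlier one.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # sshd accepts both "Keyword value" and "Keyword=value"
        m = re.match(r"([A-Za-z][A-Za-z0-9]*)\s*=?\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    settings = parse_sshd_config(text)
    findings = []
    for key, want in EXPECTED.items():
        have = settings.get(key.lower())
        if have is None:
            findings.append(f"{key} not set explicitly; the daemon default applies")
        elif have.lower() != want:
            findings.append(f"{key} is '{have}', expected '{want}'")
    return findings


def password_is_trivial(password, min_length=8):
    """True if the password is on the blocklist or shorter than min_length
    (min_length is an example policy value, an assumption of this script)."""
    return password.lower() in TRIVIAL_PASSWORDS or len(password) < min_length


if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print("FINDING:", finding)
    print("'password' is trivial:", password_is_trivial("password"))
```

Run against the constructed sample, the audit reports all three keywords; against a configuration that sets them to "no" it reports nothing. The commented-out line is ignored, which is exactly the kind of detail an administrator glancing at the file can miss.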

[Malicious Program Embedded]

(ii) A backdoor*1 was embedded into our server that provides an online shopping service
<Instance>
  - When I was performing maintenance on our server that provides an online shopping service, I found a suspicious access log.
  - Upon investigating the server, I found that a connect-back*2 type backdoor had been embedded into the server through the exploitation of a vulnerability. Arbitrary commands could be executed on the server and I'm not sure what command was actually executed.
  - Even the network intrusion detection system installed was unable to detect it.

*1 Backdoor: a mechanism that enables an intruder who has successfully broken into a computer to break into it again at a later time.

*2 Connect-back: a communication method used by an intruder to break into a computer in which the communication originates from the compromised computer rather than from the intruder. The intruder then establishes a connection with the computer over that channel and breaks into it. This technique is mainly used by an intruder to bypass a firewall.
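Added example, not from the report and not IPA's tooling: because a connect-back backdoor has the compromised server open the connection itself, an inbound-only firewall rule set or an IDS watching for inbound intrusions (as in instance (ii) above) sees nothing forbidden. What a defender can still look for is a service process holding an outbound connection to a destination it has no reason to contact. The Python script below does that over a constructed connection listing; the addresses, ports, process names and allowlist are all assumptions made for the example.

```python
"""Connect-back detection from a connection table (added example, not IPA's code)."""
import ipaddress
from collections import namedtuple

Conn = namedtuple("Conn", "local_ip local_port remote_ip remote_port state process")

# Constructed sample in the form "local remote state process", loosely modelled
# on what a socket listing tool prints. 203.0.113.10 is the shop server itself.
SAMPLE_CONNECTIONS = """\
# local                remote               state        process
203.0.113.10:443       198.51.100.7:51322   ESTABLISHED  httpd
203.0.113.10:443       198.51.100.8:40100   ESTABLISHED  httpd
203.0.113.10:33010     10.0.0.5:3306        ESTABLISHED  httpd
203.0.113.10:42811     192.0.2.55:4444      ESTABLISHED  httpd
203.0.113.10:22        10.0.0.20:55231      ESTABLISHED  sshd
"""

# Ports on which this host is meant to accept connections (assumed).
LISTENING_PORTS = {22, 443}
# Outbound destinations the web application legitimately needs (assumed: its database).
ALLOWED_OUTBOUND = {("10.0.0.5", 3306)}
# Address space considered internal (assumed).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_connections(text):
    """Parse the constructed listing into Conn records, skipping comments."""
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        local, remote, state, process = line.split()
        lip, lport = local.rsplit(":", 1)
        rip, rport = remote.rsplit(":", 1)
        conns.append(Conn(lip, int(lport), rip, int(rport), state, process))
    return conns


def is_outbound(conn):
    """A connection whose local port is not one of our service ports was
    opened from this host, not accepted by it."""
    return conn.local_port not in LISTENING_PORTS


def is_external(ip):
    return not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def find_connect_back(conns):
    """Return (conn, 'external'|'internal') for outbound connections that are
    not on the allowlist. An external destination is the classic connect-back
    pattern; an internal one is still reported, as it may be lateral movement.
    SYN_SENT is included so that beaconing to an unreachable host shows up too."""
    findings = []
    for c in conns:
        if c.state not in ("ESTABLISHED", "SYN_SENT") or not is_outbound(c):
            continue
        if (c.remote_ip, c.remote_port) in ALLOWED_OUTBOUND:
            continue
        findings.append((c, "external" if is_external(c.remote_ip) else "internal"))
    return findings


if __name__ == "__main__":
    for conn, scope in find_connect_back(parse_connections(SAMPLE_CONNECTIONS)):
        print(f"{conn.process} -> {conn.remote_ip}:{conn.remote_port} ({scope})")
```

On the sample, the two accepted HTTPS sessions and the database connection pass, and the single outbound session from httpd to an external host on port 4444 is reported. The same check can be applied to a real socket listing after adapting parse_connections to its column layout; the wider mitigation implied by the footnote is egress filtering and logging on server segments, so that a connect-back attempt is both blocked and recorded.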

IV. Unauthorized Computer Access Consulted

The total number of consultations in June was 1,692, of which 511 were related to "One-Click Billing" (compared to 519 in May); 11 to "Fake Security Software" (compared to 3 in May); 7 to "Winny" (compared to 5 in May); and 6 to "A Suspicious E-Mail Sent to a Specific Organization to Collect Specific Information/Data" (compared to 8 in May).

Table 4-1: Total Number of Consultations Handled by IPA over the Past Six Months

                            Jan.'11   Feb.   Mar.   Apr.   May    Jun.
Total                         1,463  1,521  1,723  1,608  1,640  1,692
  Automatic Response System     892    892  1,106    997    950    999
  Telephone                     499    570    551    555    620    639
  e-mail                         64     53     58     50     62     50
  Fax, Others                     8      6      8      6      8      4

* IPA set up the "Worry-Free Information Security Consultation Service", which provides consultation/advice on computer viruses, unauthorized computer access, problems related to Winny, and information security in general.

Tel.: +81-3-5978-7509 (24-Hour Automatic Response; Consultations are provided by IPA Security Center personnel and available from Mon.-Fri., 10:00-12:00, 13:30-17:00)
Fax: +81-3-5978-7518 (24-hour automatic response)

* "Automatic Response System": number of consultations handled by the automatic response system
* "Telephone": number of consultations handled by Security Center personnel
* The total number includes the number in the Consultation (d) column of Table 3-1, "III. Reporting Status of Unauthorized Computer Access (includes Consultations)".

Figure 4-1: Changes in the Number of Consultations Regarding One-Click Billing

Major consultation instances are as follows:

(i) A fake system diagnostic tool does not disappear

When I was using the Internet, all of a sudden a screen titled "Windows Restore" appeared that looked like a system diagnostic tool. It warned that my PC had many fatal errors, urging me to purchase the paid-for version to solve the problems.
This is the same trick as that of fake security software and I have no intention of purchasing it, but I don't know how to remove the screen.

Response:

So far, we have received numerous inquiries about fake security software. These days, we also receive inquiries about "fake system diagnostic tools" that make a false report about system abnormalities instead of virus detection.
As a countermeasure, as with fake security software, you can use the "System Restore" feature of Windows to return your PC to a previous state, or else reinitialize your PC.

<Reference>

(ii) About the interpretation of the "Crime of the Creation of a Computer Virus"

I learned that an amendment to the Penal Code was passed in the Diet in June 2011 that included the new law on the "Crime of the Creation of a Computer Virus". According to the new law, not only creating or providing a computer virus, but also acquiring or preserving one becomes subject to criminal punishment.
Does that mean that, if I receive a virus-containing e-mail from a third party, I will be charged with the acquisition and preservation of a computer virus?

Response:

According to the "Q6" in the Q & A section posted on the Ministry of Justice's Website, just receiving a virus-containing e-mail (or receiving a virus-containing e-mail and allowing the virus to infect your PC) does not constitute a crime.

<Reference>

V. Access Status Captured by the Internet Fixed-Point Monitoring System (TALOT2) in June

According to the Internet Fixed-Point Monitoring System (TALOT2), 157,476 unwanted (one-sided) accesses were observed at ten monitoring points in June, and the total number of sources* was 69,532. This means that, on average, 525 accesses from 232 sources were observed at one monitoring point per day (see Figure 5-1).

* Total number of sources: indicates how many accesses in total were observed by TALOT2. If multiple accesses from the same source were observed at the same monitoring point/port on the same day, they are considered one access from that source on that day.

Since the environment of each TALOT2 monitoring point is equivalent to that of a general Internet connection, a comparable number of such accesses are thought to be made against Internet users' own system environments.

Figure 5-1: Daily, Averaged Number of Unwanted (One-Sided) Accesses and Sources at the Same Monitoring Point/Port per Month (From January to June)

Figure 5-1 shows the daily averaged number of unwanted (one-sided) accesses and sources at the same monitoring point/port per month (from January 2011 to June 2011). As shown in this figure, the number of unwanted (one-sided) accesses in June decreased compared to the May level.

Figure 5-2 shows the June-over-May comparison of the number of unwanted (one-sided) accesses, classified by destination (port type). As shown in this figure, compared to the May level, there was a particular increase in the number of accesses to 80/tcp.

Figure 5-2: June-over-May Comparison for the Number of Access, Classified by Destination (Port Type)

As for 80/tcp, we saw increased access in the second half of June from multiple IP addresses in the U.S. and China (see Figure 5-3). It is possible that a DoS attack (SYN flood attack)(*1) was carried out against certain organizations using a spoofed source address belonging to TALOT2, because all of these accesses turned out to be SYN/ACK packets (i.e., bounced packets(*3)) sent from elsewhere in reply to SYN packets whose spoofed source address was identical to one used by TALOT2.

(*1) DoS attack (SYN flood attack)
DoS stands for Denial of Service. Such an attack causes the stoppage or degradation of a service provided by the target machine. One type of DoS attack is the SYN flood attack, which overloads the target machine: it sends a large number of SYN packets (the packet sent first in the three-way handshake (*2) that establishes a connection) with spoofed source addresses, leaving the target with a large number of pending connections.

(*2) Three-way handshake
This is the connection establishment process for TCP communication. Through this process, both ends become able to communicate with each other.
The process flow is as follows:
1. A sends a SYN packet to B
2. B sends back a SYN plus ACK (SYN/ACK) packet to A
3. A sends an ACK packet to B

(*3) Bounced packet
In a DoS attack (SYN flood attack), a large number of SYN/ACK packets might be sent from the targeted machine(s) to the attacker-specified spoofed address. These packets are called "bounced packets".
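Added example (not IPA's TALOT2 code) serving two passages: the counting rule for "sources" defined under Figure 5-1 above, and the bounced-packet explanation in notes (*1) to (*3). The Python script applies the rule to a constructed packet list, reproduces the per-point daily averages the report states for June from its monthly totals (assuming 30 days in June and the ten monitoring points named above), and separates SYN/ACK packets that no monitoring point requested, which is how backscatter from a SYN flood spoofing a TALOT2 address shows up in the data. Monitoring point names, addresses and flag strings are constructed.

```python
"""TALOT2-style access counting and bounced-packet detection (added example, not IPA's code)."""
from collections import Counter

# (day, monitoring point, src_ip, src_port, dst_port, TCP flags) - constructed.
# Flags use one letter per bit: "S" = SYN only, "SA" = SYN and ACK (SYN/ACK).
SAMPLE_PACKETS = [
    ("2011-06-20", "mp1", "192.0.2.10",   53120, 445,   "S"),
    ("2011-06-20", "mp1", "192.0.2.10",   53121, 445,   "S"),
    ("2011-06-20", "mp1", "192.0.2.10",   53122, 445,   "S"),
    ("2011-06-20", "mp1", "198.51.100.5", 80,    61001, "SA"),   # bounced
    ("2011-06-20", "mp1", "198.51.100.5", 80,    61002, "SA"),   # bounced
    ("2011-06-20", "mp1", "198.51.100.5", 80,    61003, "SA"),   # bounced
    ("2011-06-20", "mp2", "203.0.113.77", 44001, 22,    "S"),
    ("2011-06-21", "mp1", "192.0.2.10",   53200, 445,   "S"),
]


def count_accesses(packets):
    """Every observed packet is one unwanted (one-sided) access."""
    return len(packets)


def count_sources(packets):
    """The report's rule: repeated accesses from one source to the same
    monitoring point/port on the same day count as one source."""
    return len({(day, point, src, dport) for day, point, src, _, dport, _ in packets})


def daily_average(total, monitoring_points, days):
    """Average per monitoring point per day, rounded as the report presents it."""
    return round(total / (monitoring_points * days))


def find_bounced_packets(packets, handshakes_initiated=()):
    """Count SYN/ACK packets that answer no SYN we sent, keyed by the
    responding host and port (the probable SYN-flood victim and its service).

    handshakes_initiated holds (ip, port) pairs a monitoring point really
    connected to. A passive sensor such as TALOT2 initiates nothing, so with
    the default empty set every SYN/ACK it receives is backscatter."""
    bounced = Counter()
    for _, _, src, sport, _, flags in packets:
        is_syn_ack = "S" in flags and "A" in flags
        if is_syn_ack and (src, sport) not in handshakes_initiated:
            bounced[(src, sport)] += 1
    return bounced


if __name__ == "__main__":
    print("accesses:", count_accesses(SAMPLE_PACKETS))
    print("sources:", count_sources(SAMPLE_PACKETS))
    print("June averages per point/day:",
          daily_average(157476, 10, 30), "accesses,",
          daily_average(69532, 10, 30), "sources")
    for (ip, port), n in find_bounced_packets(SAMPLE_PACKETS).items():
        print(f"bounced SYN/ACK from {ip}:{port} x{n} (likely flood victim)")
```

On the sample, eight accesses collapse to six sources, and the three SYN/ACK packets from one web server are grouped as backscatter pointing at a single probable victim. The monthly totals the report gives for June (157,476 accesses, 69,532 sources) divided over ten points and 30 days round to the 525 and 232 per point per day stated in the text, which is a quick sanity check on the figures.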

For more detailed information, please also refer to the following URLs:

Variety of statistical Information provided by the other organizations/vendors is available at the following sites:

Contact

IT Security Center, Information-technology Promotion Agency, Japan (IPA/ISEC)
Tel:+81-3-5978-7591
Fax:+81-3-5978-7518
E-mail: