
IPA/ISEC in JAPAN:virus and UCA incident report for August2011

September 9, 2011

IT Security Center
Information-technology Promotion Agency, Japan (IPA)

This is the summary of computer virus/unauthorized computer access incident report for August 2011, compiled by Information-technology Promotion Agency, Japan (IPA).

I. Reminder for the Month:

"Your bank account is also being targeted!?"
-Watch out for the SpyEye virus-

From June to July 2011, there were incidents involving unauthorized use of Internet banking. The police have reportedly received inquiries and reports on such incidents from about ten financial institutions. Given the seriousness of the matter, IPA issued a security alert in August as emergency countermeasure information*1.

There is a possibility that these unauthorized use incidents were caused by a virus called "SpyEye", as it contains a feature for using Japanese banks' services in an unauthorized manner.

IPA has acquired a type of SpyEye (v1.3.45) and is conducting an analysis. Not every detail has been analyzed yet, but based on the analysis results currently available, we explain what kind of virus SpyEye is, how this virus works after the infection and measures to avoid suffering from it.

*1  IPA – "About unauthorized access to domestic Internet banking that is occurring one after another" (in Japanese)

(1)What is SpyEye?

"SpyEye" was originally the name of a tool to create viruses (hereinafter referred to as virus creation tool), but viruses created with this tool are also called "SpyEye". So we use this term to refer to created viruses themselves throughout this document.

Because SpyEye can easily be created with such a tool and can easily be customized, there are many subspecies, each having slightly different functions.

Figure 1-1:Image of a Virus Creator Creating a Virus by Using a Virus Creation Tool

<i>Emergence of SpyEye

SpyEye is a virus intended to steal IDs and passwords used for Internet banking. It is said to have first appeared between late 2009 and early 2010, on an underground site*2 in Russia.

Until then, Zeus and Zbot, which are created with a virus creation tool called "Zeus", had been the mainstream of this kind of virus (i.e., one that steals IDs and passwords used for Internet banking). SpyEye is thought to have been created based on this Zeus.

*2 Underground site: a website that, via the Internet, invites people to join illegal or criminal acts or that receives requests for such acts.

<ii>How it works after the infection

Through this analysis, we confirmed the following two activities performed by SpyEye after infection.

  • Steals ID and password entered by a user on a website
  • Transfers, via the Internet, the obtained information to a server administered by the virus creator

If a PC is infected with SpyEye, the ID and password entered by the PC user on a web page for Internet banking, etc. might be stolen and transferred to a specific server that controls bot*3-infected PCs. This means that SpyEye has the features of a botnet*4.

By using the bot feature, the virus creator can replace the SpyEye on the infected PC with a new virus. By continuously replacing it with a new virus undetectable by antivirus software, the virus creator can make the infection hard to detect and thus obtain the desired information over a long period of infection. So SpyEye could become a serious threat to PC users.

*3 Bot: A bot is a type of virus; PCs that are infected with a bot are controlled by an outside attacker via the Internet.

*4 Botnet: A network consisting of bot-infected PCs and a server that controls them.


(2)How SpyEye infects PCs

SpyEye infection can take the following two forms:

<i>Downloaded from a website

When a PC user visits a website, malicious programs such as viruses may be downloaded to the PC regardless of his/her intention. This type of attack is called a "Drive by Download" attack. A "Drive by Download" attack mainly exploits vulnerabilities in the operating system or applications running on the victim's PC.

Figure 1-2:Image of "Drive by Download" Attack

The "Drive by Download" attack is a common maneuver for causing virus infection, and it is also used for infecting PCs with SpyEye.


<ii>Attached to an email and sent

An attacker sends an email with a virus-infected file attached, and the recipient who opens that file contracts the virus: this is also a common route of virus infection. In this technique, the attacker spoofs the email's subject, message, sender address and/or the name of the attached file in order to get the recipient to open that file.

In recent years, "targeted attack" emails have become prevalent, in which an email carrying a virus-infected file is sent to a specific organization or individual, posing as one from a related organization or individual.



<i>Eliminate vulnerabilities in operating systems and application software

It is important to eliminate vulnerabilities in your operating system (e.g., Windows) and applications. In general, applications that have many users tend to be targeted, so they need to have their vulnerabilities eliminated and be kept up to date. IPA provides "MyJVN Version Checker", a tool with which PC users can, with simple operations, check whether the software products installed on their PC are the latest versions. As of August 18, it also began to support Windows 7 (64 bit) and version checks for software installed on servers.


<ii>Block the invasion of viruses by using antivirus software

By installing antivirus software and keeping its virus list up to date, you can prevent the invasion of viruses and remove any viruses that have already entered. Most recent viruses are so subtle that PC users do not notice the infection just by looking at their PC's screen, so it is imperative for PC users to install antivirus software to detect and remove viruses.

<iii>Do not easily open email attachments

If you receive an email from someone you do not know, do not carelessly open it or casually click a link in the message. If possible, contact the email sender and confirm whether he/she actually sent it. In doing so, it is recommended to find the contact number yourself and then confirm, rather than simply calling the phone number in the message.

If any files are attached to the email, you need to exercise caution even if the email is from someone you know. If you feel suspicious about the email, the best course is to contact the email sender for confirmation or to delete the email without opening it.

<iv>Do not use the same ID and password for various purposes

The purpose of SpyEye is to steal IDs and passwords that are used for Internet banking. If you are using the same ID and password for other websites, then in case your PC is infected with SpyEye and your ID and password are stolen, the services provided by those websites may also be used by an unauthorized person.

You should be aware that your passwords are always being targeted by malicious entities. By referring to the web page below, perform proper password management.

Some Internet banking systems provide a service called "one-time password", in which a password valid for a single use is issued. Since this password is used only once, even if your PC is infected with a virus that steals IDs and passwords, there is no risk of the stolen password being abused afterward.


<v>Measures that can be taken in case your PC is infected with a virus

If infection by SpyEye or another virus is suspected (e.g., the PC works slowly or in unusual ways, or a file of unknown origin was opened), scan your PC for viruses using antivirus software with the latest virus list.

SpyEye allows the virus creator to replace the SpyEye on the infected PC with a new SpyEye at any time, making it undetectable by antivirus software. If your PC does not work normally even though no virus is detected or the detected viruses have been removed, you need to perform an initialization that restores your PC to its state at the time of purchase.

For details on the procedure, refer to the instruction manual that comes with your PC and follow the instructions in sections such as "Restoring your PC to the state at the point of purchase". When you perform initialization, be sure to make backup copies of important data. And before you restore the backup copies onto your PC, be sure to scan them for viruses using your antivirus software.

Should you suffer from unauthorized use of your Internet banking service, contact the bank concerned. Most banks provide a means for their users to send inquiries from the front page of their website. In addition, using a non-infected, safe PC that is under your control, change your password for the Internet banking service.

II. Reporting Status of Computer Viruses (for further details, please refer to Attachment 1)

(1)Reporting Status of Virus

While the virus detection count*1 in August was about 25,000, up 9.6 percent from about 23,000 in July, the virus report count*2 in August was 931, down 12.5 percent from the July level (1,064).

*1 Virus detection count: indicates how many times a specific virus appeared in the reports submitted, or the aggregate virus detection counts for a specific period.

*2 Virus report count: indicates how many reports on a specific virus were submitted. If the same type of virus was reported by the same person with the same detection day, they are counted as one report regarding that virus.

* In August, the virus report count, which was obtained by consolidating about 25,000 virus detection reports, was 931.

W32/Netsky marked the highest detection count at about 14,000, followed by W32/Mydoom at about 9,000 and W32/Autorun at about 600.

Figure 2-1: Virus Detection Count

Figure 2-2: Virus Report Count

(2)Malicious Programs Detected

In August, DOWNLOADER, which refers to a malicious program that attempts to infect the victim's PC with another virus, was on the increase (See Figure 2-3).

Figure 2-3: Malicious Program Detection Count

September through December is the period in which updated versions of legitimate antivirus software are released; taking this opportunity, a growing number of "Fake Security Software" type viruses and other malicious programs might emerge.

By referring to the web page below, implement measures to avoid virus infections.


III. Reporting Status of Unauthorized Computer Access (includes Consultations) (please refer to Attachment 2 for further details)

Table 3-1: Reported number of unauthorized computer access incidents and the status of consultations

                              Mar.'11  Apr.  May  Jun.  Jul.  Aug.
Total for Reported (a)              6     5    7     9     8    10
  Damaged (b)                       6     5    6     9     5     8
  Not Damaged (c)                   0     0    1     0     3     2
Total for Consultation (d)         45    38   55    32    47    37
  Damaged (e)                      10    10   14     7    15    13
  Not Damaged (f)                  35    28   41    25    32    24
Grand Total (a + d)                51    43   62    41    55    47
  Damaged (b + e)                  16    15   20    16    20    21
  Not Damaged (c + f)              35    28   42    25    35    26

(1)Unauthorized Computer Access Reported

The report count for unauthorized computer access in August was 10, 8 of which reportedly involved actual damage.

(2)Unauthorized Computer Access and Other Related Problems Consulted

The consultation count for unauthorized computer access and other related problems was 37, 13 of which reportedly involved actual damage.

(3)Damages Caused

The breakdown of the damage reports was: intrusion (7); DoS attack (1).

Damages caused by "intrusion" were: an email account being used by an outsider in an unauthorized manner to send unsolicited emails (1); a web page being defaced (1); credit card information being stolen from a database (1); a tool for attacking an external site being embedded in a server, which was in turn used as a stepping stone (3); the others are unspecified. Causes of "intrusion" were: improper firewall settings (1); poor ID and password management (1); a vulnerability in a web application being exploited (1); the other cases remain unknown.

(4) Damage Instance


(i) Our server was logged into by an unauthorized person and a file was placed on it
  • While I was performing maintenance on our server, I found an unknown program running.
  • Although the root privilege was not taken over, an existing general user's account was used to illicitly log into the server and two types of malicious programs were embedded. As a result, the server served as a stepping stone for attacking an external site.
  • One of the embedded malicious programs was an IRC bot and the other was a DoS attack tool for attacking external sites. Immediately, I aborted those two programs and deleted them. Then I removed the directory and account of that user.
  • As a post-incident response, I removed no-longer-required accounts and changed all the users' passwords.
(ii) Received an SQL injection attack, and credit card information was stolen and used by an unauthorized person
  • I'm running an online shopping site. I was informed by a credit card company of unauthorized card use.
  • An investigation revealed that an SQL injection attack had successfully been carried out by an outside attacker. It was also found that a piece of credit card information that should have been removed from our database had remained by accident and had been retrieved by the attacker through the attack.
  • As a post-incident response, I'm planning to shift from performing credit-card transactions on my company's website to performing such transactions on our settlement agency's website. I'm also planning to review the source code to counter SQL injection.
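The two weaknesses in instance (ii) above, shown side by side as an added example (this is not code from the reporting site or from IPA): an order lookup built by string concatenation next to the same lookup with a bound parameter, plus a retention check for card numbers that should no longer be stored. The table, column names, rows and the crafted input are all constructed for this demonstration.

```python
import sqlite3


# Constructed schema and rows (not from the incident): an orders table in which
# one card number that should have been purged was left behind.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (order_no TEXT, customer TEXT, card_no TEXT)")
    db.execute("INSERT INTO orders VALUES ('A-100', 'alice', '4111-xxxx-xxxx-1111')")
    db.execute("INSERT INTO orders VALUES ('A-101', 'bob', NULL)")
    return db


def lookup_vulnerable(db, order_no):
    """Order lookup built by string concatenation: the input becomes SQL text,
    so a crafted value rewrites the WHERE clause instead of matching a value."""
    sql = "SELECT order_no, card_no FROM orders WHERE order_no = '" + order_no + "'"
    return db.execute(sql).fetchall()


def lookup_safe(db, order_no):
    """Same lookup with a bound parameter: the input is only ever data."""
    sql = "SELECT order_no, card_no FROM orders WHERE order_no = ?"
    return db.execute(sql, (order_no,)).fetchall()


def residual_card_numbers(db):
    """Retention check: orders that still carry a card number at all."""
    rows = db.execute("SELECT order_no FROM orders WHERE card_no IS NOT NULL")
    return [r[0] for r in rows.fetchall()]


def purge_card_numbers(db):
    """Second layer of defence: data that is not stored cannot be stolen.
    Returns the (expected empty) list of orders still holding a card number."""
    db.execute("UPDATE orders SET card_no = NULL")
    db.commit()
    return residual_card_numbers(db)


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # constructed input that alters the concatenated query
    print("vulnerable:", lookup_vulnerable(db, crafted))  # returns every row
    print("safe:", lookup_safe(db, crafted))  # matches nothing
    print("leftover card data:", residual_card_numbers(db))
    print("after purge:", purge_card_numbers(db))
```

Even after the query is fixed, the retention check matters: with the leftover card number purged, the vulnerable lookup still returns rows but no longer exposes card data.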

IV. Unauthorized Computer Access Consulted

The total number of consultations in August was 1,650, 535 of which were related to "One-Click Billing" (compared to 461 in July); 7 to "Fake Security Software" (compared to 8 in July); 7 to "Winny" (compared to 7 in July); and 0 to "A Suspicious E-Mail Sent to a Specific Organization to Collect Specific Information/Data" (compared to 2 in July).

Table 4-1: Total Number of Consultations Handled by IPA over the Past Six Months

                             Mar.'11   Apr.    May   Jun.   Jul.   Aug.
Total                          1,723  1,608  1,640  1,692  1,490  1,651
  Automatic Response System    1,106    997    950    999    889    958
  Telephone                      551    555    620    639    540    639
  e-mail                          58     50     62     50     54     50
  Fax, Others                      8      6      8      4      7      4

* IPA has set up the "Worry-Free Information Security Consultation Service", which provides consultation/advice on computer viruses, unauthorized computer access, problems related to Winny, and information security in general.

Tel.: +81-3-5978-7509 (24-Hour Automatic Response; Consultations are provided by IPA Security Center personnel and available from Mon.-Fri., 10:00-12:00, 13:30-17:00)
Fax: +81-3-5978-7518 (24-hour automatic response)

* "Automatic Response System": number of consultations handled by the automatic response system
* "Telephone": number of consultations handled by Security Center personnel
* The total number includes the number in the Consultation (d) column of Table 3-1, "III. Unauthorized Computer Access Reported (including Consultations)".

Figure 4-1: Changes in the Number of Consultation Regarding One-Click Billing

Major consultation instances are as follows:

(i) Thinking that it was free of charge, I installed software that claims to accelerate PCs' processing speed

When I was casually looking at a website, I found a message "Big chance to accelerate your PC's processing speed! Check first for errors by using our free software!" Off guard, I clicked on the message and proceeded, and then installed and ran that software. Immediately, a large number of errors were detected and I was warned to buy the paid version so that I could fix the problems.
As I thought it was free of charge, I just tried it, so I have no intention of buying it. But I don't know how I can remove the installed software. Could you help me?


In the case of ordinary application programs, you can delete them as follows: if you are using Windows Vista or Windows 7, open the "Control Panel" window and double-click "Uninstall Programs". If you are using Windows XP, open the "Control Panel" window and double-click "Add or Remove Programs". Then, in either case, click the program you want to delete and press the "Uninstall" or "Delete" button. When browsing a website, you may encounter this type of advertising message designed to draw PC users' attention; in any case, you should avoid using software of unknown origin. If you are not confident about choosing software, it is recommended to go to a computer shop, ask for the staff's advice and then buy an appropriate product, rather than purchasing one from a download site.

(ii) An account for Twitter was spoofed

An account that I registered for Twitter was taken over by a third party who successfully cracked my password. Posing as me, the third party is tweeting what could damage my own reputation.
I want to stop this vicious act, but I don't know how.


If an account for Twitter is taken over by a third party, he could pose as the owner of the account and tweet whatever he wants, so this is very troubling.
In this case, the top priority is to report the impersonation to Twitter and ask them to delete that account. If needed, consider reporting it to the police as well.
Anticipating that this type of incident could happen, Twitter has set up a help center web page, so it is recommended to report the impersonation to them by referring to the "About reports on the violation of agreements" section of the web page below.
In order not to suffer the same damage again, it is also recommended to review the security measures for your password.


V. Access Status Captured by the Internet Fixed-Point Monitoring System (TALOT2) in August

According to the Internet Fixed-Point Monitoring System (TALOT2), 106,910 unwanted (one-sided) accesses were observed at ten monitoring points in August, and the total number of sources* was 46,101. This means that, on average, 345 accesses from 149 sources were observed at one monitoring point per day. (See Figure 5-1)

* Total number of sources: indicates how many accesses in total were observed by TALOT2. If multiple accesses from the same source were observed at the same monitoring point/port on the same day, they are counted as one access from that source on that day.

Since the environment of each TALOT2 monitoring point is equivalent to that of a general Internet connection, an equal number of such accesses are thought to be made against Internet users' own system environments.

Figure 5-1: Daily, Averaged Number of Unwanted (One-Sided) Accesses and Sources at the Same Monitoring Point/Port per Month (March 2011 to August 2011)

Figure 5-1 shows the daily averaged number of unwanted (one-sided) accesses and sources at the same monitoring point/port per month (from February 2011 to July 2011). As shown in this figure, the number of unwanted (one-sided) accesses in July decreased significantly compared to the June level.

Figure 5-2 shows the July-over-June comparison results for the number of unwanted (one-sided) accesses, classified by destination (port type). As shown in this figure, compared to the June level, access to 445/tcp decreased significantly while access to 11083/tcp increased.

As for 22936/udp and 10394/udp, it has yet to be identified why these ports were accessed, as they are not ports used by a specific application; note that accesses to both ports were observed only at a single monitoring point.

As for 3389/tcp, we saw an increase in late August (See Figure 5-3), and similar increasing trends have also been observed by other organizations undertaking fixed-point observations in Japan. This port is mainly used by RDP*1, and because a virus called Morto*2 that exploits this port to spread its infection to Windows computers was confirmed, accesses to this port may have been made as part of the virus's infection activities.

For Windows users who use features like remote desktop, it is recommended to review their virus countermeasures and to take steps to prevent virus infection, including strengthening their log-in passwords.

*1 RDP (Remote Desktop Protocol): A protocol that is used for remote desktop feature which allows Windows computers to be controlled remotely.

*2 Morto: A virus that infects Windows computers by exploiting RDP. After infection, it performs a port scan on 3389/tcp to search for computers whose remote desktop feature is enabled, and then attempts password cracking against them.

Figure 5-2: August-over-July Comparison for the Number of Access, Classified by Destination (Port Type)

Figure 5-3: Access to 3389/tcp (Total Number of Accesses Observed at Ten Monitoring Points)

* For maintenance work, this system was halted on July 2.
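The counting rules this section describes (every logged line is one access; repeated accesses from one source to the same monitoring point/port on the same day count as a single source; per-port breakdowns and month-over-month comparison; a port hit at only one monitoring point), applied to constructed sensor lines as an added example. This is not TALOT2's own code or data; the log line format `<day> <monitoring_point> <source_ip> <port>/<proto>` and the sample addresses are assumptions.

```python
from collections import Counter

# Constructed sample (not TALOT2 data): one line per unwanted access, as
#   <day> <monitoring_point> <source_ip> <dest_port>/<proto>
SAMPLE_LOG = """\
2011-08-20 mp01 198.51.100.7 445/tcp
2011-08-20 mp01 198.51.100.7 445/tcp
2011-08-20 mp01 203.0.113.9 3389/tcp
2011-08-20 mp02 203.0.113.9 3389/tcp
2011-08-21 mp01 203.0.113.9 3389/tcp
2011-08-21 mp01 203.0.113.9 3389/tcp
2011-08-21 mp01 192.0.2.55 3389/tcp
2011-08-21 mp02 198.51.100.7 445/tcp
2011-08-21 mp02 203.0.113.9 22936/udp
"""


def parse_log(text):
    """Split the constructed log into (day, point, source, port) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            day, point, src, port = line.split()
            records.append((day, point, src, port))
    return records


def count_accesses(records):
    """Every logged line is one unwanted (one-sided) access."""
    return len(records)


def count_sources(records):
    """The report's rule: repeated accesses from one source to the same
    monitoring point/port on the same day count as a single source."""
    return len(set(records))


def per_port(records):
    """Access count per destination port (the breakdown behind Figure 5-2)."""
    return Counter(port for _, _, _, port in records)


def daily_average(records, n_points, n_days):
    """Accesses and sources per monitoring point per day (Figure 5-1 style)."""
    denom = n_points * n_days
    return count_accesses(records) / denom, count_sources(records) / denom


def port_trend(prev_ports, curr_ports):
    """Month-over-month change per port; positive means an increase."""
    ports = set(prev_ports) | set(curr_ports)
    return {p: curr_ports.get(p, 0) - prev_ports.get(p, 0) for p in ports}


def points_seen(records, port):
    """Monitoring points at which a port was hit. A port seen at only one
    point (as with 22936/udp in the report) is not an Internet-wide trend."""
    return {point for _, point, _, p in records if p == port}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(count_accesses(recs), "accesses from", count_sources(recs), "sources")
    print(per_port(recs), points_seen(recs, "22936/udp"))
```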

For more detailed information, please also refer to the following URLs:

A variety of statistical information provided by other organizations/vendors is available at the following sites:


IT Security Center, Information-technology Promotion Agency, Japan (IPA/ISEC)