
IPA/ISEC in JAPAN: Virus and UCA Incident Report for November 2011

December 12, 2011

IT Security Center
Information-technology Promotion Agency, Japan (IPA)

This is the summary of the computer virus/unauthorized computer access (UCA) incident reports for November 2011, compiled by the Information-technology Promotion Agency, Japan (IPA).

I. Reminder for the Month:

"My password is my own secret key"*1
~ Check your Internet services for unauthorized use ~


In November 2011, there was a news report on a large-scale unauthorized use of a major Internet shopping service.

In outline, victims were charged for product purchases they never made, and about 4,000 damage reports have been filed since July 2011. Similar incidents had also happened on the same shopping site from late 2009 through early 2010.

The causes of both the current and the earlier incidents remain unknown, but it is highly likely that the victims' IDs and passwords for the service were stolen and used.

Whether you use the service reported in the news or any other Internet service, perform the checks and implement the measures available to PC users, and manage your IDs/passwords appropriately.

(1)Recent Unauthorized Use Cases

Major cases that occurred in 2011 are as follows:

  • The website of a major Internet service provider was accessed by a third party impersonating legitimate users, and points redeemable for goods were stolen (May 2011);
  • Internet banking systems of major banks and regional banks in Japan were used in an unauthorized manner (June through July 2011);
  • A science journal publisher's website was accessed in an unauthorized manner, and personally identifiable information and credit card information were leaked and used fraudulently.

As these show, a number of unauthorized use cases occurred in 2011, including the major shopping service case described at the beginning of this section. If we also count unauthorized access cases in which it is unclear whether information was leaked, the total is larger still. What stood out was the scale: the amount of information leaked and the number of customers affected in a single incident were both very large.

(2)Why Such Unauthorized Use Was Possible

One likely reason Internet services are used fraudulently is that users' IDs and passwords are stolen by means of [I] and [II] below. In addition, [III] may contribute to the spread of damage.

[I]Virus infection

(a)Via an e-mail to which a virus-containing file is attached

The attacker sends an e-mail with an attached virus that steals IDs/passwords, aiming to get the recipient to open the attachment and infect their PC with the virus.
A "targeted attack", in which an attacker impersonating a related organization or individual sends a virus-containing attachment to a specific organization or individual, is of this sort.


(b)Through a "Drive-by Download" attack, in which a PC is infected with a virus merely by browsing a website

A "Drive-by Download" attack causes a virus or other malicious program to be downloaded onto the victim's PC simply by visiting a certain website. Over the past few years this has become a mainstream avenue for infecting PCs. Such attacks mainly exploit vulnerabilities in the OS and/or application software running on the user's PC. To lure PC users to a website that carries out a "Drive-by Download" attack, attackers use e-mail, social networking services such as mixi and Facebook, or micro-blogging services such as Twitter, posting tempting messages or comments with a trap link and aiming to get recipients to click it.


(c)Via external storage media such as USB sticks

External storage media such as USB sticks are often used as an avenue for virus infection. One reason this route is used would be the "Autorun" function*2 of Windows-based PCs.


[II]Phishing

Phishing is the act of sending an e-mail spoofed to look as if it came from an existing organization (mainly a bank or credit card company), getting the recipient to access a fake website and enter important information (such as personal information, ID/password, bank account and credit card numbers, or PIN), and then defrauding them of money or goods using that information.
If we apply this to the case at the beginning of this section, we can see that the victims were guided to a fake website by an e-mail spoofed as coming from the major Internet shopping service and entered their ID/password there, which the attacker then obtained. We also assume that social engineering*3 was used in such enticing e-mail messages. Furthermore, a new attack method combining existing phishing techniques with virus infection has emerged, so we need to watch out for it.


[III]Using the same ID/password

Users of an Internet service are typically required to register and manage an ID/password. Some people register and use the same ID/password for multiple services because they think they cannot remember many different ones. Should such a shared ID/password leak from one of those services, unauthorized access could be carried out against the others, causing further damage.


Figure 1-1: Image of How the Internet Service Was Used Illegally

(3)Countermeasures

To avoid becoming a victim of unauthorized use, it is important to take the countermeasures below and to check periodically whether you can still log into the Internet services you do not use regularly. It is also recommended to deregister your account for services you think you will not use in the future.

[I]Basic countermeasures

Two basic countermeasures that must be implemented without fail are as follows:

  • Install antivirus software and keep its pattern files updated.
  • Eliminate vulnerabilities in the operating system and applications on your PC.

Nowadays, as with "Drive-by Download" attacks, even browsing a legitimate website may result in a virus infection, so merely being cautious while on a website does not prevent infection. "Drive-by Download" attacks exploit many different vulnerabilities, so it is essential for PC users to eliminate vulnerabilities in their operating system and applications. It is also effective to use integrated antivirus software that can block access to hazardous websites, but be sure to keep it up to date.

IPA provides "MyJVN Version Checker", with which PC users can check with simple operations whether the software products installed on their PC are the latest versions.


[II]Do not carelessly open e-mails or click links

If you receive an e-mail from someone you do not know, do not carelessly open it or click a link in the message. Even if the e-mail is from someone you know, if anything about it seems suspicious, do not open its attached file(s) or click any links in its body.

You may contact the sender to confirm whether he/she actually sent it. In doing so, look up the contact number yourself rather than using a phone number given in the message.

[III]Anti-Phishing measures

As anti-phishing measures, implement countermeasures [I] and [II] above, and check the content of an e-mail carefully even if it appears to come from a financial institution.

Even if you receive an e-mail or phone call with a plausible-sounding inquiry (e.g., "There is a problem with your system. Please send us your password"), do not disclose your password to anyone. A password is meant to be known only by its owner and is used for identity verification, so neither the operator of an online game nor a system administrator would ever ask you for it.

[IV]Properly manage ID/password and check for the websites in use

Using the same ID/password for multiple services might allow damage to spread through "spoofing" (impersonation).

To avoid suffering from "spoofing", implement basic ID/password-handling measures with the following three points in mind:

  • Strengthen your password: use a combination of all usable character types (upper- and lower-case letters, digits, symbols). Do not use a simple dictionary word or a person's name.
  • Keep your password safe: if you created a password that is hard to memorize, you may write it down on paper, but do so separately from the ID and keep the two apart.
  • Use your password appropriately: do not log into Internet services from a PC that is not under your control (e.g., a PC shared by an unspecified number of people, such as in an Internet café). Use services that employ one-time passwords (two-factor or two-step authentication, etc.).

For Internet services you do not use regularly, the associated password might be cracked over time, so check regularly whether you can still log in.

[V]Should you suffer from unauthorized use

Should you suffer unauthorized use of an Internet service (e.g., your credit card statement contains a purchase you did not make), contact your credit card company and the Internet service provider, inform them of the wrong charge, and ask them to take prompt action. It is also helpful to consult a consumer affairs bureau. You may be advised to report the damage to the police; if so, go to a nearby police station and ask how to proceed.


II. Reporting Status of Computer Viruses (for further details, please refer to Attachment 1)

(1)Reporting Status of Virus

The virus detection count*1 in November was 20,585, up 0.9 percent from 20,409 in October, and the virus report count*2 in November was 1,115, up 40.3 percent from the October level (795).

*1 Virus detection count: the number of times a specific virus appeared in the reports submitted, or the aggregate detection count for a specific period.

*2 Virus report count: the number of reports submitted on a specific virus. Detections of the same type of virus reported by the same person with the same detection day are counted as one report on that virus.

* In November, consolidating 20,585 virus detection reports in this way gave a virus report count of 1,115.

W32/Netsky marked the highest detection count at 10,425, followed by W32/Mydoom at 6,996 and W32/Downad at about 738.

Figure 2-1: Virus Detection Count

Figure 2-2: Virus Report Count

(2)Malicious Programs Detected

In November, we saw an increase in BACKDOOR, a malicious program that installs backdoors on a PC. RLTRAP, which showed a significant increase in September, was detected in large numbers on two days in the first half of November (see Figure 2-3).

* "Malicious Program Detection Count" here refers to the total count of malicious programs reported to IPA in that month that do not fall into the category of computer viruses defined by the "Computer Virus Countermeasures Standard".

* Computer Virus Countermeasures Standard (Announcement No.952 by the Ministry of International Trade and Industry): final decision was made on Dec. 28, 2000 by the Ministry of International Trade and Industry (MITI), which was renamed the Ministry of Economy, Trade and Industry (METI) on Jan. 6, 2001.
"Computer Virus Countermeasures Standard" (METI)
http://www.meti.go.jp/policy/netsecurity/CvirusCMG.htm (in Japanese)

Figure 2-3: Malicious Program Detection Count

III. Reporting Status of Unauthorized Computer Access (includes Consultations) (please refer to Attachment 2 for further details)

Table 3-1: Reported Number of Unauthorized Computer Access Cases and Status of Consultations

                            Jun.'11  Jul.  Aug.  Sep.  Oct.  Nov.
Total for Reported (a)           9     8    10     7    15     7
  Damaged (b)                    9     5     8     5     8     5
  Not Damaged (c)                0     3     2     2     7     2
Total for Consultation (d)      32    47    37    31    46    69
  Damaged (e)                    7    15    13     8     7    14
  Not Damaged (f)               25    32    24    23    39    55
Grand Total (a + d)             41    55    47    38    61    76
  Damaged (b + e)               16    20    21    13    15    19
  Not Damaged (c + f)           25    35    26    25    46    57

(1)Unauthorized Computer Access Reported

The report count for unauthorized computer access in November was 7, of which 5 reportedly involved actual damage.

(2)Unauthorized Computer Access and Other Related Problems Consulted

The consultation count for unauthorized computer access and other related problems was 69, of which 14 reportedly involved actual damage.

(3)Damages Caused

The breakdown of the damage reports was: intrusion (2), spoofing (2), DoS (1).

Damage caused by "intrusion": a tool for attacking external sites was embedded in a web server, which then served as a stepping stone for attacks on other sites (1); a server's improper settings were exploited to tamper with configuration files on the server (1).

Damage caused by "spoofing": a free web-based e-mail account was logged into by someone impersonating the legitimate user (1); an online shopping service was used by someone who impersonated a legitimate user and logged on (1).

[Intrusion]

(i)Improper server settings allowed an attacker to break in and tamper with a file
<Instance>
  • I received a phone call from the rental server company, saying "In a directory on your company's website, there is a strange file that could have been created through tampering".
  • From my PC's browser, I accessed that directory on my company's website, but I landed on another website.
  • I immediately write-protected the directory and, after confirming that the directory was no longer needed, I deleted it.
  • Due to some mistakes in the last update of the website, such an unnecessary file was left undeleted. As a result, the directory was not included in the directories being managed, and adequate settings were not applied to it.

[Spoofing]

(ii)Someone logged into my online shop account and I was charged for a product purchase I never made
<Instance>
  • I use an online shop specializing in ticket sales. One day, I received an e-mail saying that my application for a ticket had been accepted, which I knew nothing about.
  • According to the e-mail, the payment method was not credit card but payment at a convenience store, so nothing was withdrawn from my bank account. However, the e-mail said that no cancellation was available and that if I did not pay, I would be treated as a late payer.
  • I contacted the shop, told them that I had nothing to do with it, and then changed my login password for the shop.
  • I don't know how such spoofing was possible.

IV. Unauthorized Computer Access Consulted

The total number of consultations in November was 1,420, of which 418 related to "One-Click Billing" (compared to 419 in October); 11 to "Fake Security Software" (compared to 7 in October); 35 to "Winny" (compared to 12 in October); and 1 to "A Suspicious E-Mail Sent to a Specific Organization to Collect Specific Information/Data" (compared to 9 in October).

Table 4-1: Total Number of Consultations Handled by IPA over the Past Six Months

                            Jun.'11    Jul.    Aug.    Sep.    Oct.    Nov.
Total                         1,692   1,490   1,651   1,551   1,496   1,420
  Automatic Response System     999     889     958     936     865     746
  Telephone                     639     540     639     554     564     561
  e-mail                         50      54      50      52      55     102
  Fax, Others                     4       7       4       9      12      11

* IPA has set up the "Worry-Free Information Security Consultation Service", which provides consultation/advice on computer viruses, unauthorized computer access, problems related to Winny, and information security in general.

Tel.: +81-3-5978-7509 (24-Hour Automatic Response; Consultations are provided by IPA Security Center personnel and available from Mon.-Fri., 10:00-12:00, 13:30-17:00)
Fax: +81-3-5978-7518 (24-hour automatic response)

* "Automatic Response System": number of calls handled by the automatic response system
* "Telephone": number of calls handled by Security Center personnel
* The total number includes the figures in the Consultation (d) column of Table 3-1 in "III. Reporting Status of Unauthorized Computer Access (includes Consultations)".

Figure 4-1: Changes in the Number of Consultations Regarding One-Click Billing


Major consultation instances are as follows:

(i)I want to implement antivirus measures on my PC for the least money

Recently I began using a PC at home, but since I'm on a tight budget, I don't want to spend much money on antivirus measures.
How can I implement antivirus measures for the least money?

Response:

Antivirus software can be paid or free.
Free products cost nothing, but they can be difficult to use and no support is available, so they are not suitable for beginners. Furthermore, some "free antivirus software" offered on the Internet is actually fake antivirus software, which is very dangerous.
Paid products incur an initial purchase cost, and most require a renewal fee when the contract is renewed. However, technical support from the manufacturer is available, and most provide comprehensive security measures rather than antivirus measures alone. If you have trouble selecting software, consult the staff at a computer shop.

(ii)My PC was infected with a virus while I was browsing a company's website

When I accessed a company's website, my PC's browser suddenly terminated. Although I rebooted my PC several times, it froze immediately.
As I had not installed antivirus software, was my PC infected with a virus?

Response:

It is highly likely that the company's website had been defaced so that PCs accessing it become infected with a virus.
If you had installed antivirus software, you could have prevented the infection, so we recommend installing antivirus software and keeping it up to date. Eliminating vulnerabilities in your operating system and applications is also an important measure against virus infections like the one you experienced this time.


V. Access Status Captured by the Internet Fixed-Point Monitoring System (TALOT2) in November

According to the Internet Fixed-Point Monitoring System (TALOT2), 86,568 unwanted (one-sided) accesses were observed at ten monitoring points in November 2011, and the total number of sources* was 36,259. This means that, on average, 288 accesses from 120 sources were observed at one monitoring point per day (see Figure 5-1).

* Total number of sources: indicates how many access sources in total were observed by TALOT2. If multiple accesses from the same source were observed at the same monitoring point/port on the same day, they are counted as one access from that source on that day.

Since the environment of each TALOT2 monitoring point is equivalent to that of a general Internet connection, a similar number of such accesses can be assumed to reach ordinary Internet users' system environments.
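The TALOT2 source rule above and the virus report count rule in Section II (*2) are both consolidations of raw records on a key tuple. The following Python is an added example, not IPA's own code; the reporter names, sensor labels and addresses in it are constructed sample data.

```python
from collections import Counter

# Constructed sample of raw virus detection reports: (reporter, virus, day).
# Reporter names are made up; the counting rule is the one the report defines.
VIRUS_DETECTIONS = [
    ("alice", "W32/Netsky", "2011-11-01"),
    ("alice", "W32/Netsky", "2011-11-01"),  # same reporter, virus and day,
    ("alice", "W32/Netsky", "2011-11-01"),  # so these three are one report
    ("bob",   "W32/Netsky", "2011-11-01"),
    ("alice", "W32/Netsky", "2011-11-02"),  # new day, so a new report
    ("carol", "W32/Mydoom", "2011-11-03"),
    ("carol", "W32/Mydoom", "2011-11-03"),
]


def virus_counts(detections):
    """Return (detection_count, report_count) per virus: *1 counts every
    row, *2 counts rows consolidated on the (reporter, virus, day) key."""
    detection = Counter(virus for _, virus, _ in detections)
    report = Counter(virus for _, virus, _ in set(detections))
    return dict(detection), dict(report)


# Constructed TALOT2-style access records: "day point source dst_port".
# Sources are documentation addresses; sensor labels p1/p2 are invented.
ACCESS_LOG = """\
2011-11-01 p1 203.0.113.5 8909/tcp
2011-11-01 p1 203.0.113.5 8909/tcp
2011-11-01 p1 203.0.113.5 445/tcp
2011-11-01 p2 203.0.113.5 8909/tcp
2011-11-01 p1 198.51.100.9 445/tcp
2011-11-02 p1 203.0.113.5 8909/tcp
2011-11-02 p2 198.51.100.9 1433/tcp
2011-11-02 p2 198.51.100.9 1433/tcp
"""


def parse_access_log(text):
    """One (day, point, source, port) tuple per non-empty line."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]


def daily_average(total, monitoring_points, days_in_month):
    """Average per monitoring point per day, as quoted in the report."""
    return total / (monitoring_points * days_in_month)


def talot2_summary(records, points, days):
    """Total accesses, total sources (one per source/point/port/day),
    per-point daily averages, and ports ranked by access count."""
    total_accesses = len(records)
    total_sources = len(set(records))  # same source+point+port+day -> one
    ports = Counter(port for *_, port in records).most_common()
    return {
        "accesses": total_accesses,
        "sources": total_sources,
        "accesses_per_point_per_day": daily_average(total_accesses, points, days),
        "sources_per_point_per_day": daily_average(total_sources, points, days),
        "ports_by_access": ports,
    }


if __name__ == "__main__":
    print(virus_counts(VIRUS_DETECTIONS))
    print(talot2_summary(parse_access_log(ACCESS_LOG), 2, 2))
    # The report's November totals (86,568 accesses, 36,259 sources, 10 points,
    # 30 days) give 288.6 and 120.9 per point per day, consistent with 288 and 120.
    print(daily_average(86568, 10, 30), daily_average(36259, 10, 30))
```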

Figure 5-1: Daily, Averaged Number of Unwanted (One-Sided) Accesses and Sources at the Same Monitoring Point/Port per Month (June 2011 to November 2011)

Figure 5-1 shows the daily averaged number of unwanted (one-sided) accesses and sources at the same monitoring point/port per month (June 2011 to November 2011). As shown in this figure, the number of unwanted (one-sided) accesses in November decreased compared with the October level.

Figure 5-2 shows the November-over-October comparison of the number of unwanted (one-sided) accesses, classified by destination (port type). As shown in this figure, accesses to ports outside the top ten decreased significantly, while the number of accesses to the other ports showed no significant change.

However, access to 8909/tcp, which had never been ranked in the top ten until last month, has been gradually increasing since August, originating mainly from the U.S. and China (see Figure 5-3). This port is used as the communication port by video-download software for a video-sharing site in China, and if this software is installed on a PC and used under specific conditions, that PC becomes a public proxy server. Access to this port may therefore have been made by a malicious entity searching for PCs running this software in order to use them for attacks on web servers, etc.


Figure 5-2: October-over-September Comparison for the Number of Access, Classified by Destination (Port Type)

Figure 5-3: Access to 8909/tcp (Total Number of Accesses Observed at Ten Monitoring Points)

Contact

IT Security Center, Information-technology Promotion Agency, Japan (IPA/ISEC)
Tel:+81-3-5978-7591
Fax:+81-3-5978-7518
E-mail: