IPA/ISEC in JAPAN: virus and UCA incident report for December 2011, and year-round of 2011

January 16, 2012

IT Security Center
Information-technology Promotion Agency, Japan (IPA)

This is the summary of the computer virus/unauthorized computer access incident report for December 2011, compiled by Information-technology Promotion Agency, Japan (IPA).

I. Reminder for the Month:

"Security that delivers safety to the future※1"


In 2011, serious information security incidents occurred one after another, including the leakage of information from a heavy industries company in September and the cyber attacks on the House of Representatives and the House of Councillors in October, both of which are still fresh in our minds.
Other instances include:

  • Increases in viruses that target smartphones (in particular Android devices), accelerated by the popularity of smartphones;
  • Emergence of virus-containing e-mails spoofed as disaster information (March to April);
  • Large-scale information leakage from a network service run by a game company (April);
  • A spate of website defacements.

Nowadays, for anyone who uses information technology, incidents on the Internet are not someone else's problem, and security measures are indispensable.

In the reminder for this month, we look back on "Targeted Attack*2" and "Unauthorized use of Internet services", which stood out in 2011, and describe them together with their countermeasures.

*2 Targeted Attack: a cyber attack that targets a specific organization or individual with the intention of fraudulently obtaining important information, intellectual property, etc.

(1)Targeted Attack

[I]Characteristics of recent cyber attacks and shift in attackers' motivation

As far as recent cyber attacks on enterprises and organizations are concerned, we can see that attackers' motivation has changed and that the techniques employed in such attacks have become increasingly sophisticated (see Figure 1-1).

The motivation of those who carry out cyber attacks has shifted in recent years from "getting into mischief" or "showing off their ability" to "obtaining money" or "interfering with organizational activities". In the case of a pecuniary motive, attackers mark down from the beginning the valuable information (i.e., classified information, personally identifiable information, etc.) that is stored within the organization, and then attempt to steal it and cash it in. So, if such information leaks, it is likely that the leaked information is abused in some form, causing considerable damage to organizational activities.

Figure 1-1:Characteristics of Recent Cyber Attacks

Among the cyber attacks carried out in 2011, what stood out in terms of numbers was "Targeted Attack", an attack that zeroes in on a specific organization or individual. According to a questionnaire survey*3 conducted by the Ministry of Economy, Trade and Industry (METI), the enterprises surveyed that had ever received a "Targeted Attack" accounted for 33 percent in 2011, a significant increase from 5.4 percent in 2007.

Various techniques can be employed for Targeted Attack, but the major one is to send a virus-containing e-mail designed for a specific organization or individual (i.e., "Targeted Attack Mail"). Unlike a virus-containing e-mail that is distributed at random, Targeted Attack Mail uses an authentic-looking sender and message body as well as a virus that is less likely to be detected by antivirus software.

*3 "Presenting information security measures that are based on the recent trend and bring them home to computer users" (METI)
http://www.meti.go.jp/press/2011/05/20110527004/20110527004.html (in Japanese)


[II]Instances of damages caused by Targeted Attack Mail

By opening a file attached to a "Targeted Attack Mail" or clicking a URL in its message body, the user's PC is infected with the virus. As a result, files stored on that PC might be sent to an external party, leading to information leakage, or the PC might be taken over by an external party, allowing that party to gain access to a server within the organization.

Instances of techniques used to infect PCs with a virus are as follows:

  • Vulnerabilities in the applications used to open data files or browse websites (word-processing software, Adobe Reader, Flash Player, JRE, web browsers, etc.) are exploited, and the PC that opens the file attachment is infected with the virus.
  • The extension of a file attachment is spoofed by means of RLO (Right-to-Left Override)*4, so that the PC of a user who takes the file for a document file and clicks it is infected with the virus.

*4 RLO (Right-to-Left Override): a function that reverses the display order of a file name's characters from "left-to-right" to "right-to-left" by using a special control character.
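The RLO trick above works because the control character U+202E changes only how the name is displayed, not which extension the operating system actually uses. The following checker is an added example, not part of the IPA report: it flags attachment names that contain Unicode bidirectional controls and shows the extension the user would see next to the extension that would really be executed. The rendering is a simplification of the Unicode bidi algorithm (everything after a single RLO is shown reversed), which is enough for the spoofing pattern described; the sample file names are constructed.

```python
# Detect file names whose displayed extension differs from the real one
# because of Unicode bidirectional control characters (RLO and relatives).

# U+202E (RIGHT-TO-LEFT OVERRIDE) is the control the report describes; the
# other embedding/override/isolate controls are flagged for the same reason.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
    "\u2066", "\u2067", "\u2068", "\u2069",
}


def displayed_name(name: str) -> str:
    """Approximate rendering: the part after a single RLO appears reversed.
    (Simplified bidi handling, sufficient for the extension-spoofing case.)"""
    if "\u202e" not in name:
        return name
    head, _, tail = name.partition("\u202e")
    return head + tail[::-1]


def _extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def real_extension(name: str) -> str:
    """Extension the OS uses: control characters removed, last dot wins."""
    cleaned = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return _extension(cleaned)


def check_attachment(name: str) -> dict:
    """Return what a user sees versus what would actually run for one file name."""
    controls = sorted({f"U+{ord(c):04X}" for c in name if c in BIDI_CONTROLS})
    shown = displayed_name(name)
    shown_ext = _extension(shown)
    actual_ext = real_extension(name)
    return {
        "name": name,
        "bidi_controls": controls,
        "displayed_as": shown,
        "displayed_extension": shown_ext,
        "actual_extension": actual_ext,
        # Suspicious when a control character is present AND it changes the
        # extension the user perceives.
        "suspicious": bool(controls) and shown_ext != actual_ext,
    }


if __name__ == "__main__":
    # Constructed sample names: one spoofed with RLO, one benign.
    for sample in ("report_ann\u202efdp.exe", "report.pdf"):
        result = check_attachment(sample)
        print(f"{result['displayed_as']!r}: shown as .{result['displayed_extension']}, "
              f"really .{result['actual_extension']}, suspicious={result['suspicious']}")
```

A mail gateway or endpoint agent can apply the same check to attachment names before they reach the user; the presence of any bidi control in a file name is itself unusual enough to quarantine or at least log.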


[III]Countermeasures against Targeted Attack Mail

(a) Countermeasures that can be taken by individual users

●In "Targeted Attack Mail", vulnerabilities in software installed on a PC are exploited (e.g., using a crafted PDF file) to infect that PC with a virus. Use antivirus software. In addition, check the versions of your operating system and applications using, e.g., "MyJVN Version Checker" provided by IPA, and keep them up to date so that known vulnerabilities are eliminated.


Countermeasures by people (e.g., "See through Targeted Attack Mail and do not open it", "If you have received a suspicious e-mail, communicate it throughout the organization") are also important.

Since every member of an organization may receive "Targeted Attack Mail", all PC users need to understand its threats and exercise caution. It is also advisable to establish rules on how to respond, as an organization, to suspicious e-mails received (including procedures for calling all members' attention to such incidents).


(b) For the management layer, system administration division and system administrators

The results of "IT Security Vaccination"*5 and a survey on effective implementation methods by JPCERT/Coordination Center (CC), both of which serve as a means for PC users to learn to see through a trapping e-mail, are available to the public, so refer to them as well.

*5 "IT Security Vaccination": the act of carrying out a simulated Targeted Attack on a specific organization for the purpose of raising its personnel's security awareness. In general, after a Targeted Attack Mail is distributed, the exercise is revealed to the personnel at the end so that their uneasiness is dispelled, and the survey results are fed back to them for educational purposes.


(c) Contact point for Targeted Attack Mail

Alarmed by the frequent occurrence of Targeted Attack, IPA has set up a special help line as part of its efforts to promptly collect, analyze and share attack information and to provide preventive measures and coping strategies.
Should you receive an e-mail that you think is Targeted Attack Mail, please contact the following:
●Special help line for targeted cyber attack
TEL: 03-5978-7509  FAX: 03-5978-7518

(2)Unauthorized Use of Internet Services

[I]Current state of unauthorized use

Instances of unauthorized use in 2011 are as follows:

  • The website of a major Internet service provider was accessed by a third party spoofing legitimate users, and points redeemable for commodities were stolen (occurred in May; more than one hundred cases, causing 100,000 yen worth of damage in total);
  • Customers' credit card information was leaked from the system management company of an online Kamaboko store (occurred in May; about two hundred cases, causing about two million yen worth of damage);
  • Internet banking systems of major banks and regional banks in Japan were used in an unauthorized manner (causing about 300 million yen worth of damage in total);
  • A science journal publisher's website was accessed in an unauthorized manner, and personally identifiable information and card information were leaked and used fraudulently (occurred in August; more than a dozen credit cards used fraudulently);
  • A large-scale unauthorized use of a major Internet shopping service (occurred in November; about 4,000 cases).

In this way, a number of unauthorized use cases occurred in 2011. If we include the other unauthorized access cases for which it is unclear whether information leakage occurred, the total number increases further. What stood out was how large the amount of information leaked and the number of clients affected at a time were.

[II]Reason Why Such Unauthorized Use was Possible

One reason Internet services are used fraudulently is that their users' IDs and passwords are stolen by the means (a), (b) and (c) listed below.

(a)Virus infection via an e-mail attachment or USB thumb drive

The attacker sends an e-mail with an attached virus that steals IDs/passwords, aiming to get the recipients to open the attachment and their PCs to be infected with the virus. External storage media such as USB thumb drives are also used as an avenue of virus infection.

(b)Virus infection through a Website-browsing

One of the mainstream techniques for virus infection through website browsing is "Drive-by Download". This is an attack that causes a virus or other malicious program to be downloaded onto the victim's PC upon a visit to a certain website, mainly by exploiting vulnerabilities in the operating system or applications running on that PC. If a PC is infected in this manner with a virus that steals IDs and passwords, the user's ID and password are stolen without him/her knowing.
To guide PC users to a website that carries out a "Drive-by Download" attack, attackers use e-mail, social networking services such as mixi and Facebook, or micro-blog services such as Twitter, with tempting messages/comments and a trapping link, aiming to get the recipients to click the link.

(c)Phishing

Phishing is the act of sending an e-mail spoofed as one from an Internet shopping service or a bank, getting the e-mail recipient to access a fake website and enter his/her important information (such as ID/password), and defrauding money and goods by using that information. Nowadays, social engineering*6 is used in such tempting e-mail messages. Furthermore, a new attack method combining existing phishing techniques with virus infection techniques has emerged, so we need to look out for it.


*6 Social engineering: a technique to obtain confidential information (such as a password) from the victim by taking advantage of a psychological lapse or by exploiting loopholes in social procedures.

[III]Reason Why the Damage by Unauthorized Use Spreads

Users of an Internet service are typically required to register and manage an ID/password. But some people register and use the same ID/password for multiple services because they think they cannot remember many different IDs/passwords. Should such a cross-service ID/password be leaked from one of those Internet services, unauthorized access could be carried out against the rest of the services, incurring further damage (see Figure 1-2).

Figure 1-2:Risk of Using the Same ID/Password

[IV]Countermeasures

(a)Properly manage ID/password

Using the same ID/password for multiple services might allow damage from "spoofing" to spread. To avoid suffering from "spoofing", implement basic ID/password-handling measures with the following three points in mind:

●Strengthen your password … Use a combination of all kinds of usable characters (e.g., alphabetical characters (upper- and lower-case), numeric characters, symbols) and be sure to set a password of eight or more characters. Do not use a simple word that can be found in a dictionary or the name of a person.

●Keep your password safe … You may write down your password on paper, but do so separately from the ID and keep them apart.

●Use your password in an appropriate manner … Do not log into any Internet service from a PC that is not under your control (e.g., a PC that can be used by an unspecified number of people in places such as an Internet café).
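The two password points that can be checked mechanically are the strength rule above (eight or more characters, all character classes, no dictionary word or person's name) and the reuse problem from [III] (the same password across several services). The following is an added example, not part of the IPA report: a small checker that applies those rules to a password and looks for reuse across a set of stored credentials. The word list, the name list and the credential set are constructed stand-ins; a real deployment would use a proper dictionary and read credentials from the password manager or directory being audited, never from a plain dictionary in code.

```python
import string

# Constructed stand-ins for a real dictionary word list and a list of person names.
DICTIONARY_WORDS = {"password", "welcome", "letmein", "dragon", "monkey"}
PERSON_NAMES = {"taro", "hanako", "suzuki", "tanaka"}


def password_issues(pw: str, dictionary=DICTIONARY_WORDS, names=PERSON_NAMES) -> list:
    """Return a list of rule violations for one password; empty list means it passes."""
    issues = []
    if len(pw) < 8:
        issues.append("shorter than 8 characters")
    classes = {
        "upper": any(c.isupper() for c in pw),
        "lower": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        issues.append("missing character classes: " + ", ".join(missing))
    # Strip leading/trailing digits and symbols so "Password1!" still counts as a dictionary word.
    core = pw.lower().strip(string.punctuation + string.digits)
    if core in dictionary:
        issues.append("dictionary word")
    if core in names:
        issues.append("person's name")
    return issues


def find_reused_passwords(credentials: dict) -> list:
    """credentials maps service name -> password.
    Returns groups of services (sorted) that share the same password."""
    by_password = {}
    for service, pw in credentials.items():
        by_password.setdefault(pw, []).append(service)
    return sorted(sorted(group) for group in by_password.values() if len(group) > 1)


if __name__ == "__main__":
    for candidate in ("password1", "Taro1234!", "Tr0ub4dor&3"):
        print(candidate, "->", password_issues(candidate) or "ok")
    # Constructed credential set: bank and shop share one password.
    sample = {"bank": "Xy7!pqRs", "shop": "Xy7!pqRs", "sns": "Qw3#rtYu"}
    print("reused across:", find_reused_passwords(sample))
```

Length and character-class rules are a floor, not a guarantee; the reuse check is the one that addresses the chained-access scenario in Figure 1-2, because a leak at one service then exposes nothing elsewhere.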


(b)Keep your operating system and programs up-to-date and use antivirus software

Even if you implement the above-mentioned countermeasures against "spoofing", it is essential to install antivirus software, which is a fundamental security measure. A virus that steals the ID/password entered by users to log into an online service (i.e., a keylogger) has been confirmed. To avoid being infected with this kind of virus and having information stolen, install antivirus software and use it with its pattern files kept updated.

(c)Use login alert feature

Some online services provide a login alert feature (i.e., sending an e-mail to a user who has just logged into the service to notify them of the successful login). Should you receive a login alert e-mail for a login you do not recognize, lock your account immediately to minimize the damage caused.

(3)Outlook of the Year 2012

The tendency for attackers to target enterprises' information and individuals' money is expected to strengthen. It is no exaggeration to say that every service involving money would be put at risk.

[I]Target of attacks might become borderless

In 2011, specific industries and government-affiliated agencies were the main targets of Targeted Attack. This trend is expected to continue, but in 2012 Targeted Attack might become a major threat to enterprises in all kinds of industries.
As an example, in an attempt to obtain an enterprise's confidential information, a malicious entity may first identify a friend of an official from the official's SNS page, carry out an attack on the friend's PC so that it is infected with a virus, and finally obtain the enterprise's confidential information through it. This kind of scenario was possible in the past as well, but the increased use of SNS in recent years has made it easier for a third party to figure out other people's friendships, so any enterprise or individual might be targeted by attackers for use as a so-called "stepping stone".


[II]Free services that have not been targeted until now might also be targeted

In the future, even services that do not involve money might become targets of such attacks, focusing on people who use the same password for multiple services.
In the case of fee-based services, using the same ID/password for multiple services increases the chance of suffering monetary damage. Regardless of whether a service is fee-based or free, you should avoid using an easy password and using the same password for multiple services.

II. Reporting Status of Computer Virus (for further details, please refer to Attachment 1)

(1)Reporting Status of Virus

The virus detection count*1 in December was 13,259, down 35.6 percent from 20,585 in November, and the virus report count*2 in December was 764, down 31.5 percent from the November level (1,115).

*1 Virus detection count: indicates how many times a specific virus appeared in the reports submitted, or the aggregate virus detection counts for a specific period.

*2 Virus report count: indicates how many reports on a specific virus were submitted. If the same type of virus was reported by the same person with the same detection day, the reports are counted as one report regarding the virus of that sort.

*  In December, the virus report count, which was obtained by consolidating 13,259 virus detection reports, was 764.

W32/Netsky marked the highest detection count at 6,425, followed by W32/Mydoom at 4,666 and W32/Downad at about 674.

Figure 2-1: Virus Detection Count

Figure 2-2: Virus Report Count

(2)Malicious Programs Detected

In December, there was no noticeable change. RLTRAP, which showed a significant increase in September, was detected in great numbers for only one day in the first half of December (see Figure 2-3).

* "Malicious Program Detection Count" here refers to the summary count of malicious programs that were reported to IPA in that month and that do not fall in the category of computer viruses defined by the "Computer Virus Countermeasures Standard".

* Computer Virus Countermeasures Standard (Announcement No.952 by the Ministry of International Trade and Industry): final decision was made on Dec. 28, 2000 by the Ministry of International Trade and Industry (MITI), which was renamed the Ministry of Economy, Trade and Industry (METI) on Jan. 6, 2001.
"Computer Virus Countermeasures Standard" (METI)
http://www.meti.go.jp/policy/netsecurity/CvirusCMG.htm (in Japanese)

Figure 2-3: Malicious Program Detection Count

III. Reporting Status of Unauthorized Computer Access (includes Consultations) (please refer to Attachment 2 for further details)

Table 3-1: Reported number of unauthorized computer access cases and the status of consultations

                               Jul.'11   Aug.   Sep.   Oct.   Nov.   Dec.
Total for Reported (a)              8     10      7     15      7      7
  Damaged (b)                       5      8      5      8      5      7
  Not Damaged (c)                   3      2      2      7      2      0
Total for Consultation (d)         47     37     31     46     69     42
  Damaged (e)                      15     13      8      7     14     13
  Not Damaged (f)                  32     24     23     39     55     29
Grand Total (a + d)                55     47     38     61     76     49
  Damaged (b + e)                  20     21     13     15     19     20
  Not Damaged (c + f)              35     26     25     46     57     29

(1)Unauthorized Computer Access Reported

The report count for unauthorized computer access in December was 7, all of which reportedly involved damage.

(2)Unauthorized Computer Access and Other Related Problems Consulted

The consultation count for unauthorized computer access and other related problems was 42, of which 13 reportedly involved damage.

(3)Damages Caused

The breakdown of the damage reports was: intrusion (4); malicious code embedded (3).
Damage caused by "intrusion" was: a web page being defaced (1); data being deleted after an SQL injection attack (1); being used as a stepping stone for attacking other sites (2).

The causes of "intrusion" were: a weak password being set (2); a vulnerability in the OS or a web application being exploited (3).

(4)Damage Instance

[Intrusion]

(i)A vulnerability in our server was exploited and our web page was defaced
<Instance>
  • I was alerted by the rental server company about the defacement of our website. Just in case, I checked all the contents and found traces of defacement. The web page was altered so that visitors are automatically redirected to an external site.
  • The CMS (Content Management System) that we were using on our website for server management had a vulnerability, and that vulnerability was exploited to deface the web contents.
  • We are planning to update the CMS to the latest version.

[Intrusion]

(ii)Suspicious packets were intermittently sent overseas from our public web server
<Instance>
  • I found that suspicious packets were intermittently being sent overseas from the public web server located within our school.
  • Upon investigating the server, I found that a service which we usually do not activate was in an active state and that an executable file for the service had been replaced with another file. Concretely speaking, the content of "Odserv.exe", which is an executable file for "Microsoft Office Diagnostics Service", was replaced with that of "Tlntsvr.exe", which is an executable file for the Telnet service.
  • This may have allowed the Telnet service to be activated on the server and thus connections from external parties. Furthermore, from its properties, the replaced file is assumed to be the "Tlntsvr.exe" that comes with the Chinese version of Windows. How the replacement took place is unclear.
  • I re-initialized the server in question. As a future measure, I am considering installing a network monitoring service.
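The replacement in instance (ii) was found by hand; the same condition can be caught by comparing the hashes of service executables against a baseline taken when the server was known to be clean. The following is an added example and not code from the IPA report or the reporting school: it records a SHA-256 manifest of executables under a directory, then re-verifies it and reports files whose content changed, and specifically files whose new content is identical to another baselined binary (the Odserv.exe/Tlntsvr.exe pattern). The directory, file names and file contents in the demo are constructed in a temporary folder; the file names are borrowed from the instance above, the bytes are not real Windows binaries.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root) -> dict:
    """Map relative path -> SHA-256 for every .exe under root (the known-good state)."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_of(p) for p in sorted(root.rglob("*.exe"))}


def verify_against_baseline(root, baseline: dict) -> list:
    """Re-hash the tree and return (relative_path, finding) tuples for anything that differs."""
    current = build_baseline(root)
    # Reverse index so a changed file can be matched to another baselined binary.
    by_hash = {}
    for rel, digest in baseline.items():
        by_hash.setdefault(digest, []).append(rel)

    findings = []
    for rel, digest in current.items():
        if rel not in baseline:
            findings.append((rel, "new executable not in baseline"))
        elif digest != baseline[rel]:
            twins = [other for other in by_hash.get(digest, []) if other != rel]
            if twins:
                findings.append((rel, "content replaced; now identical to baseline copy of "
                                 + ", ".join(twins)))
            else:
                findings.append((rel, "content changed"))
    for rel in baseline:
        if rel not in current:
            findings.append((rel, "missing"))
    return sorted(findings)


def demo() -> list:
    """Constructed scenario mirroring instance (ii): Odserv.exe overwritten with Tlntsvr.exe."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed placeholder bytes, not real Windows binaries.
        (root / "Odserv.exe").write_bytes(b"OFFICE DIAGNOSTICS SERVICE (constructed bytes)")
        (root / "Tlntsvr.exe").write_bytes(b"TELNET SERVICE (constructed bytes)")
        baseline = build_baseline(root)

        # Simulated tampering: the diagnostics service binary now carries the Telnet binary.
        (root / "Odserv.exe").write_bytes((root / "Tlntsvr.exe").read_bytes())
        return verify_against_baseline(root, baseline)


if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{rel}: {finding}")
```

The baseline must be stored off the monitored host (an attacker who can replace a service binary can also rewrite a manifest sitting beside it), and a scheduled run of the verification step gives the kind of early warning the reporter was looking for before adding network monitoring. A foreign-language build dropped in place of the original, as suspected in the instance, would surface as "content changed" rather than as a twin of another baselined file.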

IV. Unauthorized Computer Access Consulted

The total number of consultations in December was 1,312, of which 333 were related to "One-Click Billing" (compared to 418 in November); 8 to "Fake Security Software" (compared to 11 in November); 7 to "Winny" (compared to 35 in November); and 6 to "A Suspicious E-Mail Sent to a Specific Organization to Collect Specific Information/Data" (compared to 1 in November).

Table 4-1: Total Number of Consultations Handled by IPA over the Past Six Months

                             Jul.'11    Aug.    Sep.    Oct.    Nov.    Dec.
Total                          1,490   1,651   1,551   1,496   1,420   1,312
  Automatic Response System      889     958     936     865     746     790
  Telephone                      540     639     554     564     561     451
  e-mail                          54      50      52      55     102      65
  Fax, Others                      7       4       9      12      11       6

* IPA has set up the "Worry-Free Information Security Consultation Service", which provides consultation/advice on computer viruses, unauthorized computer access, problems related to Winny, and information security in general.

Tel.: +81-3-5978-7509 (24-hour automatic response; consultations are provided by IPA Security Center personnel and available Mon.-Fri., 10:00-12:00, 13:30-17:00)
Fax: +81-3-5978-7518 (24-hour automatic response)

* "Automatic Response System": number of consultations handled by the automatic response system
* "Telephone": number of consultations handled by Security Center personnel
* The total number includes the number in the Consultation (d) column of Table 3-1, "III. Reporting Status of Unauthorized Computer Access (includes Consultations)".

Figure 4-1: Changes in the Number of Consultation Regarding One-Click Billing


Major consultation instances are as follows:

(i)On Facebook, I found an account which I think had been created by someone impersonating me

When I entered my name on an Internet search site and ran the search, a Facebook account page which I don't remember signing up for was displayed. I assume that someone impersonating me created this fake account.
I want to request its deletion, but I don't know how.

Response:

Facebook is one of the SNSs (social networking services) used worldwide. Many famous personages have signed up for this service, but it is also known for the existence of impersonators. On Facebook, creating an account by impersonating another person is considered a violation of its rules. If you find an account that you think was created by someone impersonating you (e.g., by using your photo), follow the steps of "How to report a fake account" on the Facebook help center's web page and report it promptly.


(ii)From an online shopping site which I regularly use, I received an e-mail notification about the purchase of a commodity I know nothing about

From an online shopping site which I regularly use, I received an e-mail notification about the purchase of a commodity I know nothing about. Upon contacting the site operator, I was told that unauthorized access may have been carried out, and I was exempted from paying by credit card for that commodity. I also changed my credit card number.
I think it was wrong of me to set a simple password. I was also using the same password for other services. Is that dangerous?

Response:

As you were using a simple password, it was easily cracked by a third party, who then gained access to the account in question and purchased that commodity. Promptly make your password for that website as complex as possible. In addition, to avoid damage from chained unauthorized access, use a complex, distinct password for each service.


V. Access Status Captured by the Internet Fixed-Point Monitoring System (TALOT2) in December

According to the Internet Fixed-Point Monitoring System (TALOT2), 81,017 unwanted (one-sided) accesses were observed at ten monitoring points in December 2011, and the total number of sources* was 30,870. This means that, on average, 324 accesses from 144 sources were observed at one monitoring point per day (see Figure 5-1).

*Total number of sources: indicates how many accesses in total were observed by TALOT2. If multiple accesses from the same source were observed at the same monitoring point/port on the same day, they are counted as one access from that source on that day.

Since the environment of each TALOT2 monitoring point is equivalent to that of a general Internet connection, an equal number of such accesses are thought to be made against Internet users' own system environments.

* For maintenance work, the systems were shut down from December 26th to 31st. Therefore, the statistical information was derived from the data excluding those six days.

Figure 5-1: Daily, Averaged Number of Unwanted (One-Sided) Accesses and Sources at the Same Monitoring Point/Port per Month (July 2011 to December 2011)

Figure 5-1 shows the daily averaged number of unwanted (one-sided) accesses and sources at the same monitoring point/port per month (from July 2011 to December 2011). As shown in this figure, the number of unwanted (one-sided) accesses in December increased compared to the November level.

Figure 5-2 shows the December-over-November comparison for the number of unwanted (one-sided) accesses, classified by destination (port type). As shown in this figure, access to 24529/tcp and 8612/tcp, which was not observed much in November, increased in December.

As for 24529/tcp and 8612/tcp, it has yet to be identified why these ports were accessed, as they are not ports used by a specific application; access to both ports was observed only at a single monitoring point.

Figure 5-2: December-over-November Comparison for the Number of Accesses by Destination (Port Type)


Contact

IT Security Center, Information-technology Promotion Agency, Japan (IPA/ISEC)
Tel: +81-3-5978-7591
Fax: +81-3-5978-7518