Computer Virus/Unauthorized Computer Access Incident Report

Aug 3, 2012
Information-technology Promotion Agency, Japan
Computer Virus/Unauthorized Computer Access Incident Report - July 2012

This is the summary of computer virus/unauthorized computer access incident report for July 2012,
compiled by Information-technology Promotion Agency, Japan (IPA).
I. Reminder for this Month
"We would appreciate your notification of computer viruses and unauthorized
computer access!"
- We also provide consultation for information security

IPA is designated as an organization that receives notification on computer virus/unauthorized computer
access. Inquiries and notification from many people are used as a basis for "Reminder", "Security Alert"
and "Emergency Countermeasures", which we release to prevent the spread of damages detected, at
an early date, and the recurrence of such incidents. As a recent example, the distribution of a malicious
Android application was effectively prevented owing to an inquiry from a single person, which triggered
an investigation and cooperation among the organizations concerned. As demonstrated by this actual
example, even an inquiry from a single person can lead to the prevention of damages to all
people.
In this month's reminder, we explain the objective of Computer Virus/Unauthorized Computer Access
Notification System and how to make use of it, and introduce the notification method and tips for making
inquiries.
We would appreciate your provision of information.
(1) About Computer Virus/Unauthorized Computer Access Notification System
1. Computer Virus/Unauthorized Computer Access Notification System
Computer Virus Notification System started in April 1990, based on Computer Virus
Countermeasures Standard*1 established by the Ministry of International Trade and Industry
(currently, the Ministry of Economy, Trade and Industry). After that, Unauthorized Computer
Access Notification System started in August 1996, based on Unauthorized Computer Access
Countermeasures Standard*2 established by the ministry. For both of the systems, IPA was
designated as a receiving organization.
In addition to receiving notifications, IPA provides comprehensive consultations on viruses
and unauthorized computer access on the Internet, computers, smartphones, etc., as part of
"Worry-Free Information Security Consultation Service". For the inquiries and notifications
received, due privacy consideration is given, and based on them, IPA analyzes the situation
including the damages incurred and releases its examination results on a regular basis. The main
purpose of these activities is to safeguard against, detect, and prevent the spread or recurrence
of, damages.
Figure 1-1: Image of Computer Virus/Unauthorized Computer Access Notification System
*1 Computer Virus Countermeasures Standard
http://www.meti.go.jp/policy/netsecurity/CvirusCMG.htm (in Japanese)
*2 Unauthorized Computer Access Countermeasures Standard
http://www.meti.go.jp/policy/netsecurity/UAaccessCMG.htm (in Japanese)
2. Release of "Monthly Report" on Computer Virus/Unauthorized Computer Access Reports
IPA analyzes notifications from individuals and enterprises, education/research/public
institutions etc. and releases results each month. For matters of special importance, IPA
includes them in "Reminder for this Month" to call people's attention and if necessary, it issues
"Security Alert" as well. Monthly reports on notification have three types: "Computer Virus
Incident Report", "Unauthorized Computer Access Report" and "Inquiries Received". These are
released respectively. "Computer Virus Incident Report" shows the types and the detection
count of computer viruses, report count, and the trend of new types of viruses. "Unauthorized
Computer Access Report" shows the number of notifications received and the number of
inquiries made for that month (including presence or absence of damages), their monthly trend,
and actual damages caused that month (e.g., spoofing on an online game, a malicious program
being embedded). "Inquiries Received" shows the total number of inquiries made about
computer virus/unauthorized computer access, breakdown of the inquiries (such as "One-Click
Billing Fraud", "Fake Security Software", "Winny" and "Suspicious E-mails"), and their monthly
trends.
(2) Recent Instances in which IPA Issued "Reminder" and "Security Alert", Triggered
by the Inquiries/Notifications Received
1. An Instance of a Virus-Based Phishing (Reminder for October 2011*3)
From a notification received in September 2011, IPA learned of the presence of a new type of
phishing technique that uses a virus, and included it in the "Reminder" for October that year. In
this incident, a bogus e-mail carrying a virus and posing as a bank was sent to a PC user. Its
mechanism was that, if the virus was executed, a screen would appear, prompting the user to
enter his login information or to fill in a random number table; and if the recipient entered
information as instructed by the e-mail, the information would be transferred to the malicious
entity. IPA obtained this bogus e-mail and analyzed the virus attached. Based on its analysis
results, IPA explained the outline of this virus and how it would work if executed, and presented
measures to avoid falling victim.
*3 Watch out for new type of phishing scam that uses a virus! (IPA - Reminder for October 2011)
http://www.ipa.go.jp/security/txt/2011/10outline.html (in Japanese)
2. An Instance of One-Click Billing Fraud on an Android Device (Reminder for February 2012*4)
From a notification received in January 2012, IPA confirmed a case in which a billing screen
continued to appear on the screen of an Android-based smartphone. In fact, this phenomenon
was caused by a malicious application installed, in the same manner as one-click billing fraud
on PCs.
Figure 1-2: Image of a Smartphone being Targeted by a Virus
In this incident, if the user installed that malicious application, his smartphone's telephone
number, e-mail address and other information would automatically be transferred to the entity
carrying out one-click billing fraud. A mechanism like this is more malignant than that of
one-click billing fraud on PCs and may cause a wider range of damages. So, in the "Reminder" for
February that year, IPA explained this mechanism and presented measures to avoid falling
victim as well as a coping strategy should the user install such a malicious application.
*4 Watch out for One-Click Billing Fraud for Smartphone (IPA - Reminder for February 2012)
http://www.ipa.go.jp/security/txt/2012/02outline.html (in Japanese)
3. An Instance of a Suspicious Android Application (Reminder for May 2012*5)
From an inquiry made by a man in April 2012, IPA learned that an Android application that
behaves strangely was introduced on a commonly-used point-exchange site and that many
people had already downloaded it. That suspicious application uses a name which smartphone
users would be keenly interested in. Through its analysis, IPA found that, if executed, the
application transfers to an external party the victim's smartphone's device information, address
book contents and other personal information. As there was a high risk of it being used for
malicious activities, in May that year, IPA released the name of this suspicious application, and
then issued an emergency security alert containing the description of its mechanism as well as
measures to avoid falling victim. IPA also provided relevant information to domestic security
vendors and communicated to the organizations concerned. As a result, this suspicious
application became un-downloadable immediately.
Figure 1-3: Image of How the Suspicious Application Causes Information Leakage
*5 Security Alert on a Suspicious Application Targeting at Android OS (IPA - Reminder for May 2012)
http://www.ipa.go.jp/security/topics/alert20120523.html (in Japanese)
(3) How to Make Inquiries/Notification
Notifications that IPA receives are: computer virus notification, unauthorized computer access
notification, and vulnerability-related information notification*6. The last one deals mainly with
technical issues concerning computer virus/unauthorized computer access. The remainder of this
section explains how to make use of Computer Virus/Unauthorized Computer Access Notification
and Inquiries Systems.
*6 Vulnerability-related information notification (IPA)
http://www.ipa.go.jp/security/topics/alert20120523.html (in Japanese)
1. How to Send Your Notification
For "Computer Virus Notification" and "Unauthorized Computer Access Notification", dedicated
notification forms are provided respectively on IPA's website*7. When you send a notification,
include at least your contact information and description of the specific phenomenon, and then
submit it by e-mail or other means. Depending on the contents, IPA may send a reply mail to ask
for more details. Above all, it is important that you submit such notification. If you have sorted
out the necessary information or if you have an experience of sending a notification, go ahead
and fill in the notification form and submit it. If you have any questions, please feel free to
contact "Worry-Free Information Security Consultation Service".
*7 About Information Security Notification (IPA)
http://www.ipa.go.jp/security/todoke/ (in Japanese)
Main contents to be submitted
・The submitter's contact information etc.
  e.g., his/her name or company name, phone number, e-mail address
・Concrete situation (name of the virus or description of that unauthorized access)
・Process leading to this time's notification

Do us a favor! First of all, contact us!

Where to contact
E-mail:
  Computer Virus Notification: [email protected]
  Unauthorized Computer Access Notification: [email protected]
  Note: Do not send any specific e-mail to these addresses!
FAX: 03-5978-7518
Posting:
  To "Worry-Free Information Security Consultation Service",
  IT Security Center, IPA
  Bunkyo Green Court Center Office 16th Floor
  2-28-8 Hon-Komagome, Bunkyo-ku, Tokyo, Japan 113-6591
2. About making inquiries
As part of "Worry-Free Information Security Consultation Service", IPA provides consultation on
technical issues concerning computer virus/unauthorized computer access, by telephone call or
e-mail, during the time slots below. When you make inquiries, sort out your
situation in advance so that you can convey to us as much information as possible
smoothly, which would facilitate a quick response from our side. Based on the contents of
the inquiry, we explain the current status of your system, how to recover it, and future
prevention measures. Refer also to Frequently-Asked Questions (FAQ)*8 in the "Worry-Free
Information Security Consultation Service" page on IPA's website.
*8 FAQ (IPA)
http://www.ipa.go.jp/security/anshin/
What we ask when contacted
・Type of your operating system and update situation
  e.g., Windows 7, Mac OS10.xx, Android2.3.3, iOS5.1.1, etc.
  e.g., kept up-to-date by applying the automatic update feature?; application situation of
  security patches, etc.
・Name of the security software in use, update situation of its pattern files
・Version of key applications installed on that PC
  e.g., Adobe Flash Player, Adobe Reader, Java
・Type of the web browser in use, browsing software for PDF files, etc.
  e.g., Internet Explorer 9, using Adobe Reader to view PDF files?
・Concrete situation (messages, virus name, the e-mail's subject)
・Possible cause of, date and time of, and trigger for the event
・Measures taken prior to the consultation

Do us a favor! First of all, consult us!

Contact information for "Worry-Free Information Security Consultation Service"
Tel: 03-5978-7509
  (Support by operators is available on weekdays, 10:00 – 12:00 and 13:30 – 17:00)
E-mail: [email protected]
  Note: Do not send any specific e-mail to this address!
FAX: 03-5978-7518
Posting:
  To "Worry-Free Information Security Consultation Service",
  IT Security Center, IPA
  Bunkyo Green Court Center Office 16th Floor
  2-28-8 Hon-Komagome, Bunkyo-ku, Tokyo, Japan 113-6591
II. Computer Virus Reported – for more details, please refer to Attachment 1 –
(1) Computer Virus Reported
While the virus detection count *1 in July 2012 was 25,487, up 15.9 percent from 21,990 in June
2012, the virus report count *2 in July 2012 was 877, down 8.5 percent from the June 2012 level
(958).
*1 Virus detection count: indicates how many times a specific virus appeared in the reports submitted, or the
aggregate virus detection counts for a specific period.
*2 Virus report count: indicates how many reports on a specific virus were submitted. If the same type of viruses
were reported by the same person with the same detection day, they are counted as one
report regarding the virus of that sort.
W32/Mydoom marked the highest detection count at 12,115, followed by W32/Netsky at 4,372
and W32/Mytob at about 2,750.
Figure 2-1: Virus Detection Count
Figure 2-2: Virus Report Count
(2) Malicious Programs Detected
The detection count *1 of malicious programs in July 2012 was 100,367, up 295.2 percent from
25,399 in June 2012.
Adware, which refers to a program that displays advertisements, was detected most at 16,042,
followed by Bancos at 13,326, which steals IDs and passwords for online banking, and
Malscript at 5,039, which refers to a program containing malicious scripts.
What followed them are: Downloader, which attempts to download another virus on the
already-infected PCs, Trojan/Horse, which attempts to infect PCs by posing as legitimate
software etc., and Backdoor, which sets a backdoor on PCs.
*1 Detection count: indicates how many times a specific virus appeared in the reports submitted.
* "Malicious Program Detection Count" here refers to the summary count of malicious programs that were
reported to IPA in that month and that do not fall in the category of computer viruses defined by the "Computer
Virus Countermeasures Standard".
* Computer Virus Countermeasures Standard (Announcement No.952 by the Ministry of International Trade and
Industry): final decision was made on Dec. 28, 2000 by the Ministry of International Trade and Industry (MITI),
which was renamed the Ministry of Economy, Trade and Industry (METI) on Jan. 6, 2001.
"Computer Virus Countermeasures Standard" (METI)
http://www.meti.go.jp/policy/netsecurity/CvirusCMG.htm (in Japanese)
Figure 2-3: Malicious Program Detection Count
In July, the number of infection reports on Fakeav increased significantly. If infected with such
"Fake Security Software"-type virus, your PC might not be restored to normal, so by referring to
the website below, implement measures to prevent infection on your PC.
<Reference>
"Incidents involving a virus that issues a fake warning continue" (IPA)
http://www.ipa.go.jp/security/txt/2012/03outline.html (in Japanese)
Figure 2-4: The Number of Infection Reports for "Fake Security Software"-Type Virus
III. Unauthorized Computer Access Reported (including Consultations) – for more
detail, please refer to Attachment 2 –
Table 3-1: Unauthorized Computer Access Reported (including Consultations)

                              Feb. '12   Mar.   Apr.    May   Jun.   Jul.
(a) Total for Reported              13      5      9     10      2     19
    (b) Damaged                      9      4      7      6      2     18
    (c) Not Damaged                  4      1      2      4      0      1
(d) Total for Consultation          37     54     46     50     38     54
    (e) Damaged                     14     10      9     17     12     26
    (f) Not Damaged                 23     44     37     33     26     28
(a + d) Grand Total                 50     59     55     60     40     73
    (b + e) Damaged                 23     14     16     23     14     44
    (c + f) Not Damaged             27     45     39     37     26     29

(1) Unauthorized Computer Access Reported
The report count for unauthorized computer access in July was 19, 18 of which reportedly
had certain damages.
(2) Unauthorized Computer Access and Other Related Problems Consulted
The consultation count for unauthorized computer access and other related problems was 54. 26
of them reportedly had certain damages.
(3) Damages Caused
The breakdown of the damage reports was: Intrusion (8); Spoofing (4); Malicious code
embedded (3); DoS (2); and Other factors (1).
Damages caused by "Intrusion" were: a web page being defaced (7); an account being created
in an unauthorized manner (1). Causes of "Intrusion" were: vulnerabilities in a server
management tool or a contents management system being exploited (4); and others remain
unknown.
Damages caused by "Spoofing" were: an e-mail account being abused to send spam e-mails (2);
a point-exchange website being logged in by someone who successfully impersonated a
legitimate user and used in an unauthorized manner (1); a free web-based e-mail service being
logged in by someone who successfully impersonated a legitimate user (1).
(4) Damage Instance
[Spoofing]
(i) A vulnerability in our server management tool was exploited and our website was
tampered with
Instance
- Our company's website was tampered with so that visitors are redirected
  to another site. The forwarding destination was a malicious site
  which, if accessed, downloads a malicious program.
- Cause of the defacement was that we were using an older version of
  server management tool for remotely controlling the server, and a
  vulnerability in that older version was exploited.
[Others]
(ii) A file that was not supposed to be publicly-accessible was referenced
Instance
- There was an access attempt to reference the configuration file and
  the password file on our school's web server. We learned about it
  after receiving notification from our network intrusion detection and
  monitoring service provider.
- Just in case, we checked our server's settings and found that, upon
  receiving a reference request, the server could allow for access to
  even the files not in the directory for storing web contents.
- We had the web contents builder fix this problem immediately and
  directed them to take security measures from now on.
IV. Virus and Unauthorized Computer Access related Consultations
The total number of consultations in July 2012 was 921, 216 of which were related to "One-click
Billing Fraud" (compared to 319 in June 2012); 23 to "Fake Security Software" (compared to 10
in June 2012); 4 to "Winny" (compared to 3 in June 2012); 3 to "A Suspicious E-Mail Sent to a
Specific Organization to Collect Specific Information/Data" (compared to 1 in June 2012).
Table 4-1: Total Number of Consultations Handled by IPA over the Past Six Months

                              Feb. '12   Mar.   Apr.    May   Jun.   Jul.
Total                            1,073    772    750    934  1,097    921
  Automatic Response System        645    427    428    490    578    530
  Telephone                        362    287    270    363    439    342
  e-mail                            62     49     50     78     79     46
  Fax, Others                        4      9      2      3      1      3

* IPA set up "Worry-Free Information Security Consultation Service" that provides consultation/advice for
computer virus, unauthorized computer access, problems related to Winny as well as overall information
security.
E-mail address: [email protected]
Tel.: +81-3-5978-7509 (24-Hour Automatic Response; Consultations are provided by IPA Security
Center personnel and available from Mon. – Fri., 10:00 – 12:00, 13:30 – 17:00)
Fax: +81-3-5978-7518 (around-the-clock acceptance)
* "Automatic Response System": Numbers responded by automatic response
  "Telephone": Numbers responded by the Security Center personnel
* Total Number includes the number in the Consultation (d) column in the Table 3-1,
  "III. Unauthorized Computer Access Reported (including Consultations)".
Figure 4-1: Number of the "One-click Billing Fraud" Cases Consulted
Major consultation instances are as follows:
(i) My PC has slowed down, what should I do?

What was consulted
Recently, my PC has slowed down and before I knew, various things began to
appear on the tool bar. What should I do?

Response
If your PC has slowed down, one way you can do is to activate Task
Manager and check for any application whose CPU utilization is high. If
various things began to appear on the tool bar without your knowing, it is
possible that you have unintentionally installed Adware or other software of
the sort. So, activate "Add or Remove Programs" or "Browser's Add-on
Management" and check for any unknown application or application not in
use.
If you are not sure which application is responsible for that problem, to bring
your PC back to the state of when you felt comfortable with it, it is also
effective to perform system restoration. After the restoration, be sure to apply
updates on your operating system and applications in use. And also, keep
up-to-date your security software's virus definition files.
<Reference>
IPA – MyJVN Version Checker
http://jvndb.jvn.jp/apis/myjvn/ (in Japanese)

(ii) About an e-mail which says "I'll give you 16.8 million yen in cash"

What was consulted
Since yesterday, all of a sudden, an e-mail which says "I'll give you cash" has
frequently arrived into my e-mail box. The first e-mail I received said, "16.8
million yen in cash is ready for you. Please reply to this e-mail." Contents of
those e-mails were all the same: "I want you to receive our money" and at the
bottommost was a kind of company name. I'm so curious that I want to send a
reply, but could this be a true offering?

Response
This is just another example of junk e-mails. In many cases, such e-mails
are sent to people to attract their interest first, and then to redirect them to a
dating service website, encourage them to exchange e-mails, and ultimately
charge them a hefty usage fee.
In general, there is no such a tempting offer in this world. Once you think
about it calmly, you will understand.
If such e-mail continues to arrive into your e-mail box and you feel annoyed,
consider using the filtering feature of your e-mail software or provider, or
changing your e-mail address if needed. If you are overwhelmed with a pile of
such e-mails, consult the "Junk E-mail Counseling Center".
<Reference>
"Junk E-mail Counseling Center" run by Japan Data Communications
Association
http://www.dekyo.or.jp/soudan/ihan/ (in Japanese)

For more detailed information, please also refer to the following URLs:
Attachment_1 Computer Virus Incident Report
http://www.ipa.go.jp/security/english/virus/press/201207/documents/virus1207.pdf
Attachment_2 Unauthorized Computer Access Incident Report
http://www.ipa.go.jp/security/english/virus/press/201207/documents/crack1207.pdf
A variety of statistical information provided by other organizations/vendors is available at
the following sites:
JPCERT/Coordination Center (CC): http://www.jpcert.or.jp/english/
@police: http://www.cyberpolice.go.jp/english/
Council of Anti-Phishing Japan: http://www.antiphishing.jp/ (in Japanese)
Symantec: http://www.symantec.com/
Trendmicro: http://us.trendmicro.com/us/home/
McAfee: http://www.mcafee.com/us/
Kaspersky: http://www.viruslistjp.com/analysis/ (in Japanese)
Inquiries to:
IT Security Center, Information-technology Promotion
Agency, Japan (IPA/ISEC)
Kagaya/Aoki
Tel: +81-3-5978-7591; Fax: +81-3-5978-7518;
E-mail: