Computer Virus/Unauthorized Computer Access Incident Report September 2008

Transcription

1 Computer Virus/Unauthorized Computer Access Incident Report September 2008 This is the summary of computer virus/unauthorized computer access incident report for September 2008 compiled by IPA. I. Reminder for the Month In the consultations/reports rushed to IPA in September, there included number of damage reports that the consulter s account *1 was used by someone fraudulently: one instance was that there listed some items with this consulter s ID while he/she does not know in the auction site he/she signed up with, etc. In the other consultation, there were some cases that it can be assumed that the consulter s account *1 was fraudulently used simply analyzed by malicious intent(s) as some users used combination only by numbers or a simple English word in a dictionary as their passwords. In the Internet services involving money such as auction service, etc., it is much more likely that the users will face such risk that their passwords may be exploited maliciously. To prevent having such damage, it is necessary that users have to be cautious when creating, handling and managing their passwords. The damage reports filed by IPA were taken up by newspapers several times. According to them, there identified number of damages that the legitimate users accounts in an auction site were fraudulently used. Bad to worse, there were such instance that someone listed number of items for buy/sell in that auction site without having legitimate user s permission so that the user was subsequently charged handling fee from the auction site (See the Chart 1-1). It can be assumed that the major cause of the damage was that users set easily analyzable password. It can be viewed that there was many combination only by numbers and a simple word in an English dictionary password in our consultations as well. Simple password is very much easily analyzable by dictionary attack *2, etc. with short period of time so that it is likely to lead that your account will be exploited by someone with ease. *1: Account: One of privileges allowed for a specific user to use information system (services). In the information system, issuing ID (user ID) and password will determine the user s extent how far and what services are allowed. The user is authenticated by that password. *2: Dictionary Attack: One of attacking methods which attempts to search specific words in a dictionary from the very beginning to the end. 1

2 2 Press Release You can frequently be viewed the note saying be sure to use more than 8 letters combined inclusive of alphabets, numbers and symbols upon creating your password in the web site which provides auction service, etc. This is the tip how you can create strong (that is, hardly analyzable) password. That is, if it takes several thousands of years to analyze password even with current computing technology, it can be meant that the password is NOT ANALYZABLE. Accordingly, it can be said that the strong (hardly analyzable) password can be achieved using several types of characters or the password should be enough long in its digits. The Table 1-1 shows the computation results using a password analysis tool. According to this table, it took about 50 years at maximum to analyze 8-digit password combined by alphabets and numbers (inclusive of capital letters and lower case letters) when attempt to compute all of the potential combination. Accordingly, the password s security is enough if you create 8-digit password combined by 3 types of characters (62 characters in total: capital letters, lower case letters and numbers). We encourage you to create your hardly analyzable password by referring the following table 1-1 to review how differ depending on characters type or the number of characters in use. The maximum time required for analysis Number of Type of characters used Number of characters characters usable Alphabets only (without About 37 About 17 About 32 differentiating Caps and 26 About 3 sec. min. days years Lower cases) Alphabets (Caps, Lower About 2 About 5 About 50 About 62 cases) and Numbers min. days years 200,000 yrs. Alphabets (Caps, Lower About a About 9 About 54 About cases), Numbers and 93 thousand min. days 10,000,000 yrs Symbols years * Required time was computed to attempt all combinations respectively. * Assumed that the symbols can be used up to 31kinds. * OS: Windows Vista Business 32 bit ver.(processor: Intel Core 2 Duo T GHz, Memory: 3GB) is used. Be sure to prevent using easily assumable password such as the password which is identical with ID, the combination only by numbers, or the combination by the words in the dictionary, etc. even they have longer than 8 digits. Be sure to implement your account management adequately by referring following tips. (a) The tips how to create your password Though some service provider where provides auction service, etc., may limit usable type of characters, number of characters, etc.: Be sure to set strong password with usable characters as many as possible (in principal, it should be more than 8 characters in total) by referring the Table 1-1 in (2). (b) The tips how to manage your password Password storage Generally, it is hard to memorize the password when you create long and complex one. In that case, you may take notes, but better to keep your ID and your password separately. Even your password is known by someone, there is no mean that which ID the password will work with.

3 Change your password constantly Even you believe that your password is strong enough (providing adequate security), there may be some risks that it will be compromised as the time passing by; accordingly, we strongly recommend you to change your password constantly (i.e., once a month, etc.). Even you are changing your password constantly in practice, there s no mean if you use 2 of your passwords one after the other. (c) The tips relevant to the use of your password Checking of log-in history Depending on the service(s) being provided, you may be able to check the log-in history from the past upon you are logging-in. If you can recognize fraudulent accesses in earlier chance such as there may be some logs that you do not remember, etc., you can prevent that the damage would be enlarged. Accordingly, we encourage you to check your log-in history constantly and in where you can find suspicious logs, be sure to communicate with the site manager immediately to require necessary procedures such as disabling your current account, etc. Do not enter your ID or password to the computer used by unspecified majority (i.e., Internet café, etc.) Even you d set complex password, it can be easily stolen in case some spyware software was embedded to the computer in advance. You should avoid using such service(s) which requires your ID and password in advance such as auction site, etc. in the computers located in an Internet cafe, etc. that you cannot manage. Phishing measures Phishing refers to obtaining private information such as individual s (physical) address, name, banking account, credit card #, etc. fraudulently by sending mail(s) masquerading to be financial organizations (specific bank, credit card company, etc.). Nowadays, there identified such instance that someone (malicious intent) attempts to take up legitimate user s ID and password for auction service spoofing to be an Internet service provider. Accordingly, upon logging-in, be sure to check the site(s) you are now associating with. In addition, if you received inquiries such as identification confirmation, etc. via , do not click the link included in that mail easily and be sure to check the authenticity by directly calling the provider you are signing up with, etc. <Reference> IPA Phishing Measures (in Japanese) Council of Anti-Phishing Japan (in Japanese) 3

4 II. Reporting Status of Computer Virus - further details, please refer to the Attachment 1 - The detection number of virus (*1) in September was about 220T: increased about 15.1% (about 191T) in August. In addition, the reported number of virus (*2) in September was 1,875: 3.5% increased (1,811) from the one in August. *1 Detection Number: Reported virus counts (cumulative) found by a filer. *2 Reported Number: Virus counts are aggregated: viruses of same type and variants reported on the same day are counted as one case number regardless how many viruses or the actual number of viruses is found by the same filer on the same day. In September, the reported number was 1,875: aggregated virus detection number was about 220T (From the May 08 report, we will use T (thousand) instead of using M (Million) to present the detection number of virus). The worst detection number was for W32/Netsky with about 190T. W32/Autorun with about 10.2T and W32/Virut with about 9T were subsequently followed. * Numbers in parentheses present the numbers for previous month. * Numbers in parentheses present the numbers for previous month. 4

5 III. Reporting Status of Unauthorized Computer Access (includes Consultations) Please refer to the Attachment 2 for further details April May June July August Sep. Total for Reported (a) Damaged (b) Not Damaged (c) Total for Consultation (d) Damaged (e) Not Damaged (f) Grand Total (a + d) Damaged (b + e) Not Damaged (c + f) Reported number in September was 14: Of the number actually damaged was 12. The total number of consultation relevant to unauthorized computer access was 38 (of 5 were counted as reported number as well): Of 20 was the number actually damaged. The breakdown of the damage report included intrusion with 6, DoS attack with 1, source address spoofing with 1 and the others (damaged) with 4. Damages relevant to the intrusion report included: server was exploited as a steppingstone server to attack to the other site with 4, data in database(s) was altered with 1, etc. The cause of intrusion was password cracking (*) attack to the port(s) used by SSH (*) with 3, etc. As for the others (damaged), someone logged-in to the on-line service site(s) to use the service that should be provided only for legitimate user without asking with 2 (net auction with 1, on-line game with 1), etc. *SSH (Secure SHel): The one of protocol to communicate with the remote computer(s) via a network. *Password Cracking: The one of activity to parse the other user s password. Brute Force (Exhaustive Search attack) and Dictionary attack are realized. The program exclusively for crack is also existed. 5

6 [Intrusion] (i) Server was intruded by attacking to the port (s) used by SSH Instance - Upon checking the server in my business, it was realized that the general account was fraudulently logged-in by password cracking attack via the port(s) used by SSH. - Though the privilege was not stolen, there embedded 4 different types of malicious codes and the server was exploited as the steppingstone server to attack to the other site(s). - The malicious codes being embedded were: 1. DoS attacking tool to the other site(s), 2. backdoor tool (server/client), 3. attacking tool to the vulnerability in SSH and 4. the tool which deprives privilege by exploiting kernel vulnerability in the server after intruded. - In principal, the server in my business used be managed/operated based on the strict rule sets; however, the manager for the server did not know about the rule sets so that he/she placed server(s) wherever he/she wanted. Bad to worse, the password being set was easily assumable. (ii) Spoofed mail as if it is sent from my business is walking around Instance - It is realized that suspicious mail as if its sender is spoofed to be the public relations office in my business was distributed to the parties involved. Accordingly, we checked that they were not sent from us. - The contents included that the Users should be cautious with the mails being spoofed. by citing actual alerts used in the past by my business. In addition, such message that To harden the countermeasures, please open the file attached. Was added. The mail supposed to be some virus. - We d checked the mail header and realized that the true source was from overseas. 6

7 IV. Accepting Status of Consultation Press Release The gross number of the consultation in September was 2,154. Of the consultation relevant to One-click Billing Fraud was 651 (August: 545), continually increased over the continuum of 4 past months and was in somewhat crisis situation. As for others, consultation relevant to Hard selling of phony security measures software was 50 (August: 18), the worst case ever up to current (August: 18) and the consultation relevant to Winny with 4 (August: 5) etc. were also realized. April May June July August Sep. Total 938 1,080 1,211 1, Automatic Response System Telephone Fax, Others *IPA consults/advises about computer viruses/unauthorized computer accesses as well as the other information concerning overall security issues Mail: virus@ipa.go.jp for virus issues, crack@ipa.go.jp for crack issues. Tel.: (24-hour automatic response; in person consultation by an IPA Security Center is available from Mon. Fri., 10:00 12:00, 13:30 17:00.) Fax: (24-hour automatic response) * Automatic Response System : Responding numbers by automatic response * Telephone : Responding numbers by the Security Center personnel *The Total case number includes the number in Consultation (d) column of the Chart in the III. Reported Status for Unauthorized Computer Access and IV. Accepting Status of Consultation. 7

8 The major consultations (instances) are as follows. (i) Press Release Wishing the provider(s) to conduct additional unauthorized computer measures to the auction site(s)? In the net auction site I d signed up with, I can check log-in history for my account (ID). According to that history, it was realized that someone was attempting to logging-in to my ID continually from some specific IP address within domestic over the several months (All logging-in attempts were failed, anyway.) If I leave this situation as it is, my password would Consultation be analyzed shortly; accordingly, I d asked the auction site manager to provide certain restriction on my account, but my request was totally denied. To prevent potential damage, I need to conduct certain measures. Can you tell me what measures are effective? Also can you tell me what I can do by my self to prevent damages in the future? As for the request to the site, we encourage you to require the site to prevent password exhaustive attack as minimum. For example, your account shall be temporarily locked if your password is entered differently in 3 times continually. As for the things you can do is to set robust password as well as you need to be cautious when you store it: in addition, changing your Response password constantly will also be effective to prevent potential damages. *Please refer to the 1. Reminder for the Month in this report. <Reference> Metropolitan Police Department Consultation Window for Safe/Secured Internet (in Japanese) (ii) Transferred money believing the site for money-making idea on the Internet? I d found such site in where describing about money-making idea on the Consultation Internet. To obtain the information about the idea, I d transferred money, but eventually, I cannot make money. What should I do? It must be one of fraudulent activity selling fictitious money-making idea without justifiable reason. Accordingly, you have lack of chance to take your money back. In this real world, such convenient idea is rarely lying down in front of you. Therefore, you need to be cautious not to be deceived. On the Internet, number of adversaries with sophisticated methods are always targeting to unspecified majority of users. Be sure to behave cautiously reminding that the virtual world is the part of real Response world. <Reference> Reminder for the Month: Do not easily be tempted. There are many traps hiding on the Internet!! Metropolitan Police Department Consultation Window for Safe/Secured Internet (in Japanese) 8

9 V. Accessing Status Captured by the Internet Monitoring (TALOT2) in September According to the Internet Monitoring (TALOT2), the total of unwanted (one-sided) number of access in September 2008 was 119,926 for the 10 monitoring points and the gross number of source * was 47,248. That is, the number of access was 400 from 157 source addresses/monitoring point/day. *Gross number of source: the gross number of the source accessed the TALOT2. In addition, the source will be counted as 1 if accessed from identical source in the same day to the same point/port. Since each monitoring environment for the TALOT2 is nearly equal to the general connection environment used for the Internet; it can be considered that the same amount of unwanted (one-sided) access can be monitored for the general Internet users connection environment. In another word, your computer is being accessed from 157 unknown source addresses in average/day or you are being accessed about 3 times respectively from one source address which considered unauthorized. The Chart 5-1 shows the unwanted (one-sided) number of access and the source number of access/monitoring point/day in average from April to September According to this chart, the both unwanted (one-sided) number of accesses were subtly decreased from the ones in August. They also tended to decrease over the past 6 months. From September 13 to 17, there monitored such accesses to the port 8080/tcp and 6588/tcp were drastically increased of the 7 monitoring points used by TALOT2 (See the Chart 5-2). All the sources were the specific IP addresses in China. The ports 8080/tcp and 6588/tcp were the ports often used by certain proxy services. These accesses may seek such proxy server so called open proxy that can be used to send spams from outside. In addition, they attempted to access to the same monitoring point several hundreds of times within short period of time: accordingly, it is also possible that they were testing the tool for seeking. Such proxy server that it is an open proxy determined by an attacker via the access(s) may be used as the steppingstone server to send spams. 9

10 Accordingly, system administrator who runs some proxy server(s) should reconfirm the configuration one time to prevent the server to be exploited by outsides (malicious intents). *1: Proxy server: The server that communicates in lieu of the internal network (intra network) that cannot directly connect to the Internet. This mechanism is mainly used in organs/businesses to ensure adequate security and realize rapid access for the connection point in between the internal network and the Internet. For further details, please also refer to the following URL. Attachment_3: Accessing Status Captured by the Internet Monitoring (TALOT2) Summary Reporting Status for Computer Virus/Unauthorized Computer Access for September Attachment_1 Computer Virus Incident Report Attachment_2 Unauthorized Computer Access Incident Report Attachment_4 Computer virus Incident Report for the 3 Quarter (July to September) Attachment_5 Unauthorized Computer Access Incident Report for the 3 Quarter (July to September) Variety of statistical Information provided by the other organizations/vendors is available in the following Trendmicro: McAfee: Symantec: 10

11 Inquiries to: Information-Technology Promotion Agency, Security Center Hanamura/Kagaya/Ooura Tel.: Fax: