
Press Release
May 14, 2010
Information-technology Promotion Agency, Japan

Computer Virus/Unauthorized Computer Access Incident Report - April 2010 -

This is the summary of the computer virus/unauthorized computer access incident report for April 2010, compiled by Information-technology Promotion Agency, Japan (IPA).

I. Reminder for this Month

"Watch out for an attack that focuses on a popular service!"

Among the Internet services that have become popular in recent years are miniblog services such as "Twitter" and "Ameba Now" and social networking services such as "mixi" and "Facebook." These services allow users to transmit what they think and their activities across the Internet, or to use a Website as a place for communicating with others having the same hobby/way of thinking. These services are used by a variety of people including entertainers and those in the political and business worlds.

On the other hand, popular services like these often become the target of an attack. IPA has been consulted on cases where these services were exploited to trick users or to infect their PCs with a computer virus. When using a new service, users should understand the elements of the service that could be exploited and take appropriate security measures so they don't fall victim to an attack that exploits the nature of that service.

(1) Characteristics of Miniblog Service and Example of Attack Methods

In this section, we present the characteristics of Twitter, which is one of the miniblog services, and how an attack could be carried out by exploiting it.

Characteristics of Twitter

Twitter allows users to "tweet (mumble, post on a Website)" what has come to their mind. Twitter has a mechanism called "Follow" that allows users to see other users' "tweets." (See Figure 1-1) For example, once you have "followed" your favorite entertainer, you can view the entertainer's "tweets" from your "Timeline," which is a feature to display the list of "tweets."
Figure 1-1: Mechanism of Twitter

An attacker with malicious intent could exploit this mechanism to infect users' PCs with a computer virus. An example of an attack exploiting Twitter is as follows:

Example of How an Attack Could be Carried Out

(1) The attacker Mr. X "follows" Mr. A, who is the target of his attack. No permission is required to follow Mr. A. Mr. A comes to know that he has been followed by Mr. X.
(2) Mr. A follows Mr. X in return, which is called "Follow Back", and it can be done without precaution.
(3) As a result, Mr. X's "Tweets" begin to appear in Mr. A's "Timeline." Mr. X tweets an interesting message along with a link to a malicious Website. If Mr. A clicks on the link, he is guided to the Website designed to transmit a computer virus.

Figure 1-2: An Attack Method that Exploits Twitter

Actions Requiring Precaution

In the example above, actions requiring precaution are as follows:

- "Following" someone without careful consideration
  Without "following" or being "followed", you might find it less attractive to use Twitter. However, as in the example above, if you are not careful about following someone, you might include an attacker in your "Timeline". You should also watch out for fraud by "spoofing". "Spoofing" of a celebrity or a well-known company has been prevalent, posing a risk that Website visitors are guided to a phishing scam Website without knowing it is a fake. Fake politicians and entertainers have become a serious problem for Twitter users, and if users fall victim, they might be tricked into buying a phony concert ticket.

- Clicking on a URL contained in other persons' Tweets without careful consideration
  Clicking on a URL in other persons' Tweets without careful consideration is as risky as "carelessly opening an e-mail attachment unknown to you" or "clicking on a suspicious link posted on a Blog or a BBS."
  You should be careful not to contract a computer virus by clicking on an "abbreviated URL." "Abbreviated URL" is a function in which a lengthy URL is displayed in abbreviated form. For example, the abbreviated URL for "http://www.ipa.go.jp/security/personal/yobikake/index.html" might be http://XYZ/5G5G3g (XYZ is the name of the Website providing the abbreviated URL service, and the following characters excluding the slash are an identifier defined by the service site operator). In the case of Twitter, the number of characters that can be entered at one time is limited and some URLs are too long to fit in. For this reason, URLs in abbreviated form are often used when included in a message. Users clicking on an abbreviated URL might easily be guided to a malicious Website designed to transmit a computer virus, as they do not know where they will be guided until they arrive at the destination Website.

Countermeasures

- It is not easy to detect "spoofing", but if you would like to follow an entertainer or an enterprise on Twitter, you may first contact the corporation the entertainer belongs to or the enterprise, or visit their official Websites for confirmation. You should be aware that whenever communicating with a person unknown to you, you might be communicating with a person with malicious intent.
- Before clicking on an abbreviated URL, check for its reliability by using a tool or a service that displays the original URL for the abbreviated one.

(2) Basic Countermeasures

Apart from the above-mentioned measures, it is essential to implement the following basic countermeasures:

- Keep the OS installed on your PC up-to-date;
- Keep all the application software products installed on your PC (e.g., Internet browser, mail software, moving-image browser, document file browser) up-to-date by applying updates;
  (Reference) MyJVN version checker (IPA) (in Japanese)
  http://jvndb.jvn.jp/apis/myjvn/#VCCHECK
  * As of April 2010, Windows XP and Vista are supported
- Keep the pattern files of your anti-virus software up-to-date. It is recommended to use an integrated antivirus software product with a function to filter unsolicited e-mails and hazardous sites;
- Back up important data in case your PC is infected with a computer virus.

This time, we took Twitter as an example and presented how an attack could be carried out as well as countermeasures against such attacks. In the past, this type of attack was also carried out against Blog, BBS or e-mail services. Being a new service does not mean that it is safe to use. Remember that a popular, user-friendly service could be targeted by an attacker and therefore, when using such services, you need to take appropriate countermeasures.

II. Computer Virus Reported – for more details, please refer to Attachment 1 –

(1) Computer Virus Reported

While the virus detection count (*1) in April was about 40,000, down 31.9 percent from about 58,000 in March, the virus report count (*2) in April was 1,077, down 27.4 percent from 1,484 in March.

(*1) Virus detection count: indicates how many times a specific virus appeared in the reports submitted, or the aggregate virus detection counts for a specific period.
(*2) Virus report count: indicates how many reports on a specific virus were submitted.
If the same type of virus was reported by the same person with the same detection day, the reports are counted as one report for that virus.

* In April, the virus report count, which was obtained by consolidating about 40,000 virus detection reports, was 1,077.

W32/Netsky marked the highest detection count at about 32,000, followed by W32/Mydoom at about 5,000 and W32/Autorun at about 1,000.

Figure 2-1: Virus Detection Count

Figure 2-2: Virus Report Count

(2) Malicious Programs Detected

For the number of malicious programs detected, we have not seen a significant difference between March and April 2010. However, as we saw in January and February 2010, the figure might increase rapidly at any time.

Because most malicious programs are distributed as e-mail attachments, you should be careful in handling an e-mail attachment.

In some cases, attackers use Bots to distribute malicious programs. Cyber Clean Center (CCC) provides anti-Bot measures as well as online Bot-removal tools. To avoid taking part in the e-mail distribution of malicious programs, check your PC for Bot infection, and then implement infection-prevention measures, including blocking the entry of malicious programs.

<Reference>
"Knowledge of How to Prevent Infection" (Cyber Clean Center) (in Japanese)
https://www.ccc.go.jp/knowledge/

Figure 2-3: Malicious Program Detection Count

III. Unauthorized Computer Access Reported (including Consultations) – for more detail, please refer to Attachment 2 –

Table 3-1: Unauthorized Computer Access Reported (including Consultations)

|                            | Nov. | Dec. | Jan. '10 | Feb. | Mar. | Apr. |
|----------------------------|------|------|----------|------|------|------|
| Total for Reported (a)     | 11   | 9    | 20       | 27   | 19   | 11   |
| Damaged (b)                | 6    | 6    | 12       | 17   | 13   | 10   |
| Not Damaged (c)            | 5    | 3    | 8        | 10   | 6    | 1    |
| Total for Consultation (d) | 34   | 22   | 67       | 47   | 60   | 39   |
| Damaged (e)                | 14   | 14   | 34       | 28   | 23   | 16   |
| Not Damaged (f)            | 20   | 8    | 33       | 19   | 37   | 23   |
| Grand Total (a + d)        | 45   | 31   | 87       | 74   | 79   | 50   |
| Damaged (b + e)            | 20   | 20   | 46       | 45   | 36   | 26   |
| Not Damaged (c + f)        | 25   | 11   | 41       | 29   | 43   | 24   |

(1) Unauthorized Computer Access Reported

The report count for unauthorized computer access in April was 11, 10 of which reportedly involved damage.