Distributed via
http://www.cyberpolice.go.jp/
Technological Countermeasures
against High-tech Crime
Annual Report 2003
June 2004
High-Tech Crime Technology Division
National Police Agency of Japan
[ Content ]
1 Combating the Menace against the Internet -Review of 2003- ・・・ P.2
2 Malicious and Criminal Activities on the Internet ・・・ P.7
3 Cyber Force Activities ・・・ P.16
4 Trainings ・・・ P.17
5 Vulnerability Report ・・・ P.18
6 Analysis of computer virus ・・・ P.21
7 Incident Report ・・・ P.24
8 International Cooperation ・・・ P.26
9 National Police Agency Security Portal Site, @Police ・・・ P.28
1 Combating the Menace against the Internet -Review of 2003-
1.1 Viruses and Worms Threatening the Safety of the Internet
Computer viruses affect the whole of the Internet as well as the compromised PCs. 2003 was a year in which a variety of viruses spread over networks and showed their power. Many of the viruses that emerged in 2003 spread so fast, and their infection methods were so complicated, that computer users could not protect themselves from their attacks. A variety of worms, each with its own objective, emerged. Some attacked a specific computer on the Internet from the infected computers. Some aimed at leaking information from the victim computers. Some created backdoors in the infected computers in order to intrude into other computers. Today a virus is one of the biggest menaces to the Internet, which is an indispensable infrastructure for people's lives.
[Figure: worm propagation across the Internet, showing web servers, mail servers, an intranet and common users (ADSL users, dial-up users, etc.)]
It is difficult to stop worm activities because they can spread all over the world in a short time. The National Police Agency (NPA), using its technology and mobility, is making efforts to promptly provide the public with detailed analysis of worms and with countermeasures.
As for the Slammer worm and the Welchia worm, which emerged in January and August respectively, we found signs that their infections might spread widely and successfully called public attention to them. Many people highly applauded these warnings, which made it possible to take countermeasures at an early stage of infection.
To confront new menaces caused by viruses, we are enhancing our abilities to gather and analyze data and strengthening our efforts by using a variety of instruments for the provision of information.
1.2 Bridge between Police and the Public -@police-
The security portal site of the NPA, @police, established in 2003, is operated as a prompt and accurate means of providing information in an emergency, using its real-time feature. In normal times, @police is operated as an information source necessary for using the Internet securely.
The security portal site has a broad range of contents. While some contents are for children and beginners who have just started using the Internet, others are for system administrators. Because this kind of information needs to be current, we review and update the contents appropriately.
By analyzing data from our fixed-point monitoring network, we detect signs of turbulence on the Internet at an early date and call public attention to them. Comprehensive and statistical analysis of the situation on the Internet contributes to broad countermeasures against trouble.
Furthermore, collaborating with a web site that provides security information in foreign countries, we choose some news from the web site, translate it and publicize it in "The Security Trends in the World" (URL: http://www.cyberpolice.go.jp/international/index.html) almost every day.
1.3 Combating Cyber Terrorism
The Cyber Force Unit, a mobile technological unit established within the police, gathers data on the Internet around the clock and makes efforts to detect signs that become clues to cybercrime. When the unit detects an unusual phenomenon, it promptly responds together with local police forces. For instance, the unit provides critical infrastructures with security information for the prevention of cyber terrorism and conducts vulnerability tests. Additionally, the unit gives critical infrastructures advice on how to limit the damage from such an incident, how to recover their services safely, and how to find the cause of the incident.
[Figure: Cyber Force operational model. The NPA (Cyber Force Center) performs real-time detection with IDS of attacks and intrusions by hackers/crackers using hacker tools, computer viruses, etc.; intelligence collection and analysis; and quick response. Police-related facilities and critical protected facilities, and critical infrastructures such as information communications, finances, railroads, air carriers, power/gas companies and government institutions, send requests/reports and receive analysis results. Regional Police Bureau (RPB) Cyber Force units conduct monitoring and quick response.]
1.4 Technology to Support Police Activity
In 1999 the NPA established the High-Tech Crime Technology Division (HTCTD) to technically assist cybercrime investigation nationwide, and the Technology Center as the technical core facility within the HTCTD. The center provides guidance on technology at search and seizure sites, retrieves information from physically damaged digital recording media, restores and analyzes deleted information, and so on. Additionally, the center analyzes and examines a variety of computer viruses, unauthorized access methods and vulnerabilities that may cause serious damage to the Internet society. We publicize the results as security information through @police. Our overall technical capability to respond swiftly to these complicated and varied phenomena is applauded internationally as well as domestically.
1.5 Total Enhancement of Technological Countermeasures
The number of crimes using information and communication technology, such as fraud on Internet auction sites and copyright infringement through file sharing software, is getting larger every year. Also, the modus operandi of these crimes has become remarkably sophisticated.
The NPA gathered information regarding the analysis of information technology necessary for cybercrime investigation, including a variety of phenomena on the Internet and trends in information and communications. We assist the technical support sections for cybercrime investigation nationwide by providing them with this information.
In addition to the HTCTD in the NPA and the Regional Police Bureaus, we built up a nationwide technical support framework by establishing HTCTDs in all the Prefectural Police Info-Communications Departments in April 2004. This framework can appropriately deal with cybercrime, which is getting more sophisticated, complicated and extensive.
1.6 Japan in the World -Japan Police Leading Asia-
Cybercrime using the Internet and other information and communications lines is committed much more internationally than any other kind of crime, because cybercrime is free from temporal and physical restrictions. The High-Tech Crime Subgroup is attached to the G8 Senior Experts Group on Transnational Organized Crime, known as "the G8 Lyon Group". The subgroup discusses the cybercrime situation and appropriate and effective responses to international cybercrime. The HTCTD in the NPA also sends an official to the subgroup and makes an international contribution from the technological side. In particular, Japan, the only G8 member state in Asia, has a role in technically supporting countries in Asia. One of our efforts aims to build up a framework to share information among officials in charge of technical measures in cybercrime investigation. Examples of our efforts are that we established and operate a network system to share information in real time, and that we hold the "CTINS Annual Conference" to share an internationally common technological basis.
Cooperation with foreign law enforcement organizations is indispensable to carry out countermeasures against cybercrime and cyber terrorism.
2. Malicious and Criminal Activities on the Internet
2.1 Introduction
The HTCTD in the NPA researches and analyzes a variety of phenomena occurring on the Internet by installing intrusion detection systems and firewalls at 57 Internet connection points used by police organizations nationwide. We publicize the analysis as appropriate, to widely alert people, through the NPA's security portal site, @police.
On the basis of alerts detected by our intrusion detection systems and logs at specific Internet connection points, we researched and analyzed phenomena which occurred on the Internet in 2003.
[Fig 2-1 Accumulated numbers of attacks sorted by countries or territories (world map; legend: United States and Canada; other countries or territories)]
2.2 Attack Type
In 2003, we detected about 398,000 accesses from external networks and some 94,000 hosts as attack sources. The attacks we detected came from computers in 176 countries or territories. Accumulated numbers of attacks sorted by country or territory are shown in Fig 2-1. As shown in Fig 2-1, attacks were detected from computers in almost all countries and territories. In particular, attacks from East Asia including Japan, from Europe and from North America are prominent.
2.2.1 Analysis of Attack Sources on the Basis of IP Addresses
(1) Number of Attacks Sorted by the Country
The top 10 countries by number of attacks, determined by the IP address, are shown in Fig 2-2. The US is the top attack source, accounting for about 34%, followed by China (about 15%) and South Korea (about 7%). Attacks from computers in Japan accounted for only about 4%.
Fig 2-2 Top 10 Countries regarding the number of attacks
The fact that TCP packets with window size 55808 from the Czech Republic accounted for 95% of all the packets from that country is considered an effect of "Stumbler", a distributed port scanner, the "Randex.C" worm and so on. Most of the IP addresses of the attacking computers appear to be spoofed.
(2) Number of Attacking Hosts
The top 10 countries by number of attacking hosts, determined by the IP address, are shown in Fig 2-3. As with the ranking by number of attacks, the US is the top source of attacking hosts, accounting for about 41%, followed by China (about 5%).
Fig 2-3 Top 10 Countries regarding the number of attacking hosts
Japan was ranked fifth in the number of attacks and third in the number of attacking hosts. While the Netherlands and the Czech Republic were ranked eighteenth and twentieth respectively in the number of attacks, they were ranked lower in the number of attacking hosts. It seems that a small number of hosts were the sources of many attacks.
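The report ranks source countries twice, once by attack count and once by distinct attacking hosts, and reads the gap between the two rankings as "a few hosts generating many attacks". As an added illustration of that analysis (example code written for this edition, not the NPA's own tooling), the following Python aggregates IDS alert records that already carry a source-country tag into attacks, distinct hosts and attacks per host, and ranks them both ways. The record layout, the threshold in concentrated_sources and the sample alerts are constructed assumptions.

```python
"""Rank attack sources by country: total attacks vs. distinct attacking hosts."""
from collections import defaultdict

# Constructed sample alerts (not data from the report): (source_ip, country, signature).
SAMPLE_ALERTS = [
    ("198.51.100.7", "US", "MS-SQL Worm propagation attempt"),
    ("198.51.100.9", "US", "SCAN Proxy 1080"),
    ("198.51.100.23", "US", "MS-SQL Worm propagation attempt"),
    ("203.0.113.5", "CN", "MS-SQL Worm propagation attempt"),
    ("203.0.113.5", "CN", "MS-SQL Worm propagation attempt"),
    ("203.0.113.5", "CN", "MS-SQL Worm propagation attempt"),
    ("203.0.113.77", "CN", "SCAN Proxy 8080"),
    ("192.0.2.10", "JP", "SCAN Proxy 3128"),
    ("192.0.2.11", "JP", "BACKDOOR SubSeven 27374"),
    ("192.0.2.44", "NL", "SCAN Proxy 1080"),
    ("192.0.2.44", "NL", "SCAN Proxy 3128"),
    ("192.0.2.44", "NL", "SCAN Proxy 8080"),
    ("192.0.2.44", "NL", "SCAN Proxy 6588"),
    ("192.0.2.44", "NL", "SCAN Proxy 80"),
]


def country_stats(alerts):
    """Return {country: (attacks, distinct_hosts, attacks_per_host)}."""
    attacks = defaultdict(int)
    hosts = defaultdict(set)
    for src_ip, country, _signature in alerts:
        attacks[country] += 1
        hosts[country].add(src_ip)
    return {c: (attacks[c], len(hosts[c]), attacks[c] / len(hosts[c])) for c in attacks}


def rank_by(stats, column, top=10):
    """Rank countries by one column: 0 = attacks, 1 = distinct hosts, 2 = attacks per host."""
    return sorted(stats, key=lambda c: stats[c][column], reverse=True)[:top]


def share(stats, country):
    """Percentage of all attacks attributed to `country`, rounded to one decimal."""
    total = sum(v[0] for v in stats.values())
    return round(100 * stats[country][0] / total, 1)


def concentrated_sources(stats, min_attacks_per_host=3.0):
    """Countries whose attack volume came from relatively few hosts (the report's
    Netherlands/Czech observation); threshold is an assumed tuning value."""
    return sorted(c for c, (_, _, per_host) in stats.items() if per_host >= min_attacks_per_host)


if __name__ == "__main__":
    stats = country_stats(SAMPLE_ALERTS)
    print("by attacks:", rank_by(stats, 0))
    print("by hosts:  ", rank_by(stats, 1))
    print("few hosts, many attacks:", concentrated_sources(stats))
```

Running the two rankings side by side is what surfaces the report's point: in the constructed data the Netherlands tops the attack ranking with a single host, while the US leads on hosts with one attack each.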
2.2.2 Alert Type
(1) Alert Type
The numbers of attacks sorted by method in 2003 are shown in Fig 2-4.
Fig 2-4 Number of attacks sorted by the method in 2003
One of the worms that seriously influenced our society through the Internet in 2003 is the Slammer worm, which emerged in January. Although the worm's activity calmed down after it had spread all over the world, the worm became active again in late February. Around 700 alerts were detected daily even in December, and the activity does not seem to be fading.
In March, defacements of web sites in the US and the UK in opposition to the war in Iraq were identified. In the same month, several defacements of web sites for the same purpose were identified in Japan.
Port scan-related alerts had been increasing since April, mainly caused by scanning of 1080/TCP from a specific domain in the Netherlands. Port scans from this domain across the Internet targeted ports such as 80/TCP, 3128/TCP, 6588/TCP and 8080/TCP, all of which are used by proxy servers. Spam mails were distributed from this domain by exploiting a vulnerability (CERT/CC Vulnerability Note VU#150227) in multiple vendors' HTTP proxy software. After a British reporter found the relation between this domain and the spamming company, the upstream ISP stopped its service for the company on July 1. Port scans from the domain were not detected afterward.
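The proxy-port scanning described above has a simple signature in a connection log: one source touching several of the proxy ports (80, 1080, 3128, 6588, 8080) on several monitored hosts within a short window. The Python below is an added example of that detection logic, written for this edition and not the NPA's own monitoring code; the log line format, the window and thresholds, and the sample log are constructed.

```python
"""Flag sources sweeping open-proxy ports (80, 1080, 3128, 6588, 8080) across monitored hosts."""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the report names as proxy-server ports.
PROXY_PORTS = {80, 1080, 3128, 6588, 8080}

# Constructed sample connection log (not data from the report):
# "<ISO timestamp> <src_ip> <dst_ip> <dst_port>/<proto>"
SAMPLE_LOG = """\
2003-05-02T10:00:01 192.0.2.44 203.0.113.10 1080/tcp
2003-05-02T10:00:02 192.0.2.44 203.0.113.10 8080/tcp
2003-05-02T10:00:02 192.0.2.44 203.0.113.11 3128/tcp
2003-05-02T10:00:03 192.0.2.44 203.0.113.12 6588/tcp
2003-05-02T10:00:03 192.0.2.44 203.0.113.13 80/tcp
2003-05-02T10:00:05 198.51.100.7 203.0.113.10 80/tcp
2003-05-02T10:00:09 198.51.100.7 203.0.113.10 80/tcp
2003-05-02T10:00:20 198.51.100.9 203.0.113.10 1434/udp
2003-05-02T11:30:00 192.0.2.77 203.0.113.10 1080/tcp
2003-05-02T13:30:00 192.0.2.77 203.0.113.11 8080/tcp
"""


def parse_log(text):
    """Parse log lines into (time, src, dst, port, proto) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, dst, port_proto = line.split()
        port, proto = port_proto.split("/")
        events.append((datetime.fromisoformat(ts), src, dst, int(port), proto))
    return events


def detect_proxy_scans(events, window=timedelta(minutes=10), min_ports=3, min_hosts=2):
    """Return {src: (ports_hit, hosts_hit)} for sources that, within any `window`,
    touched at least `min_ports` distinct proxy ports on at least `min_hosts`
    distinct destinations. Ordinary web clients hit one port (80) on one host
    at a time and stay below both thresholds."""
    by_src = defaultdict(list)
    for ev in events:
        if ev[3] in PROXY_PORTS and ev[4] == "tcp":
            by_src[ev[1]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        evs.sort()                      # chronological; tuples compare by time first
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window's left edge
                start += 1
            win = evs[start:end + 1]
            ports = {e[3] for e in win}
            hosts = {e[2] for e in win}
            if len(ports) >= min_ports and len(hosts) >= min_hosts:
                findings[src] = (sorted(ports), sorted(hosts))   # keep the widest window seen
    return findings


if __name__ == "__main__":
    for src, (ports, hosts) in detect_proxy_scans(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: proxy ports {ports} on {len(hosts)} hosts")
```

The 1434/udp line is deliberately present and ignored: the detector keys only on TCP to the proxy ports, so Slammer-style traffic is left to the worm signatures rather than being miscounted as a proxy sweep.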
"The Defacers Challenge (TDC)", a competition in web site defacement, was held in July. We enhanced vigilance because there was a possibility that a lot of unauthorized accesses would be committed in Japan. However, only a few cases of unauthorized access were confirmed in our domestic territory. Just before the competition, we detected port scans from China that accessed all the ports on one of the hosts where we conduct fixed-point monitoring.
The Blaster worms and the Welchia worm spread in August. These worms exploited vulnerability 823980 (MS03-026), the buffer overrun in the RPC interface that may allow an attacker to execute arbitrary code.
Although we did not detect these worms with our IDSs, we found their activity by detecting the increase in traffic on the specific port or protocol. Regarding the Welchia worm, we detected the surge of ICMP-related packets and alerted the public.
After these worms spread, the number of attacks against 135/TCP by the Blaster worm and of ICMP Echo Requests by the Welchia worm remained large.
(2) Attack Methods
The ratio of each attack method detected in 2003 is shown in Fig 2-5. As shown in Fig 2-5, worm-related attacks and scan-related attacks accounted for some 53% and some 36% respectively, which means that these two major methods accounted for about 90% of the total attacks.
[Fig 2-5 Ratio of respective attack methods in 2003 (pie chart): Worm 53.32%, Scan 36.29%; the remaining categories BackDoor, ICMP, DNS, IIS and Others have shares of 5.10%, 4.04%, 0.97%, 0.14% and 0.14%]
The result shows that most attacks were conducted in the preparatory stage, and direct attacks against servers exploiting a vulnerability accounted for just about 10%. The reason the ratio of direct attacks was small seems to be the enhanced security at the connection points we monitored. The high level of security made attackers give up direct attacks at the planning stage, in which packets are unilaterally sent by the Slammer worm, port scans and the like.
(3) Targeted Port Numbers and IP Addresses of Attack Sources
The accumulated numbers of attacks by targeted port number and source IP address detected in 2003 are shown in Fig 2-6. The X-axis, Y-axis and Z-axis are the IP address of the attack source, the targeted port number (TCP/UDP) and the accumulated number of attacks, respectively.
Fig 2-6 Accumulating numbers of targeted port numbers and IP addresses detected in 2003
The prominent values of the first octet of the source IP addresses were around 60 and 80 in Class A and around 210 in Class C. The prominent targeted port numbers were 21, 1080, 1434 and 27374.
Compared with attacks against other ports, there were more attacks against 52076/TCP. The IP addresses of the attack sources were in the Czech Republic and the window size was 55808.
2.2.3 Hour of the Day Trend
Fig 2-7 shows the hour-of-day deviation from the average hourly number of alerts [(Data - Average) / Standard Deviation]. The time in the figure represents local hours (Oceania: AEST, East Asia: JST, Asia: UTC+7, Western Europe: GMT, Africa: GMT, North America: CST, Middle America: UTC-3, South America: AST).
While the number of alerts between midnight and early morning was below the average, the number in the afternoon was above it.
[Fig 2-7 Hour of the day difference from average hourly alert numbers [(Data - Average) / Standard Deviation]; y-axis -3 to 3, x-axis local hour 0 to 23; series: Oceania, East Asia, Asia, Europe, Africa, North America, Central America, South America]
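The profile in Fig 2-7 is a per-hour z-score: alerts are bucketed by the source region's local hour, and each bucket's count is expressed as (Data - Average) / Standard Deviation over the 24 buckets. The Python below is an added worked example of that computation, not the NPA's own code; the fixed UTC offsets stand in for the report's regional local times (no daylight-saving handling), and the alert timestamps are constructed to make the afternoon peak and early-morning trough visible.

```python
"""Hour-of-day alert profile: (count - mean) / stddev per local hour, per region."""
from collections import Counter
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Fixed UTC offsets standing in for the report's local times (assumption: no DST).
REGION_OFFSET_HOURS = {
    "East Asia": 9,        # JST
    "Western Europe": 0,   # GMT
    "North America": -6,   # CST
}


def hourly_zscores(utc_timestamps, offset_hours):
    """Bucket UTC timestamps into local hours and return 24 z-scores.
    Population standard deviation is used, matching the report's formula
    [(Data - Average) / Standard Deviation]; a flat profile yields all zeros."""
    tz = timezone(timedelta(hours=offset_hours))
    counts = Counter(ts.astimezone(tz).hour for ts in utc_timestamps)
    data = [counts.get(h, 0) for h in range(24)]
    avg, sd = mean(data), pstdev(data)
    if sd == 0:
        return [0.0] * 24
    return [round((x - avg) / sd, 2) for x in data]


def peak_hour(zscores):
    """Local hour with the largest positive deviation."""
    return max(range(24), key=lambda h: zscores[h])


def make_sample(utc_hours_and_counts):
    """Constructed alert timestamps (not report data): [(utc_hour, count), ...]."""
    base = datetime(2003, 6, 1, tzinfo=timezone.utc)
    out = []
    for hour, n in utc_hours_and_counts:
        out.extend([base + timedelta(hours=hour)] * n)
    return out


# Constructed sample: 05-07 UTC (14-16 JST) is busy, 17-19 UTC (02-04 JST) is quiet,
# every other hour carries a flat 10 alerts.
SAMPLE_ALERTS = make_sample(
    [(5, 30), (6, 40), (7, 30), (17, 2), (18, 1), (19, 2)]
    + [(h, 10) for h in range(24) if h not in (5, 6, 7, 17, 18, 19)]
)


if __name__ == "__main__":
    for region, offset in REGION_OFFSET_HOURS.items():
        z = hourly_zscores(SAMPLE_ALERTS, offset)
        print(f"{region:15s} peak local hour {peak_hour(z):2d}  z={z[peak_hour(z)]}")
```

The same UTC alerts peak at 15:00 in JST but at 00:00 in CST, which is why the report converts to each region's local time before comparing profiles: without the conversion, every region's curve is just a shifted copy of the same UTC histogram.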
2.3 Blaster worm and SQL Slammer worm
2.3.1 Summary
(1) Blaster worm
The Blaster worm emerged on the Internet on August 12. The worm exploited a vulnerability of the Distributed Component Object Model (DCOM) interface, the buffer overrun in the RPC interface that may allow an attacker to execute code (MS03-026). Additionally, the Welchia worm, which exploited the same vulnerability, emerged on August 18 and affected our society seriously.
While the number of accesses to 135/TCP was around 30 a day before the vulnerability was reported, the Blaster worm caused 9220 accesses to 135/TCP on August 12. Afterwards, although the number of accesses gradually decreased until August 17, the Welchia worm, emerging on August 18, made the number of accesses surge again. We detected the increase caused by the Welchia worm at some of our fixed monitoring points. Because those points were set up to accept ICMP-related packets, host computers compromised by the worm increased the number of accesses to 135/TCP in the fixed-point monitoring network.
Fig 2-8 and Fig 2-9 show the number of detected accesses by destination port and by source country after the emergence of the worm, respectively.
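The report makes the point that Blaster and Welchia were caught not by a signature but by volume: 135/TCP went from about 30 accesses a day to 9220, and ICMP echo traffic surged a week later. The Python below is an added example of that baseline comparison (written for this edition, not the NPA's monitoring code): it takes daily hit counts per port or protocol, computes a mean over the days before a cutoff, and flags the first day on or after the cutoff that exceeds the baseline by a large factor. The daily counts, the cutoff date, the factor and the minimum-count floor are constructed assumptions, not the report's figures.

```python
"""Flag a surge in daily hits on a port/protocol relative to a pre-disclosure baseline."""
from statistics import mean

# Constructed daily counts (not the report's figures) keyed by "port/proto", then ISO date.
SAMPLE_DAILY = {
    "135/tcp": {"2003-07-10": 28, "2003-07-11": 31, "2003-07-12": 33, "2003-07-13": 27,
                "2003-07-14": 30, "2003-08-11": 45, "2003-08-12": 9200},
    "icmp":    {"2003-07-10": 400, "2003-07-11": 420, "2003-07-12": 390, "2003-07-13": 410,
                "2003-07-14": 405, "2003-08-17": 430, "2003-08-18": 6100},
    "80/tcp":  {"2003-07-10": 120, "2003-07-11": 118, "2003-07-12": 125, "2003-07-13": 121,
                "2003-07-14": 119, "2003-08-11": 122, "2003-08-12": 130},
}


def baseline(counts_by_day, before):
    """Mean daily count over days strictly before `before` (ISO date string);
    None when there is no history to compare against."""
    vals = [n for d, n in counts_by_day.items() if d < before]
    return mean(vals) if vals else None


def surges(daily, cutoff, factor=5.0, min_count=100):
    """Return {key: (day, count, ratio)} for each key whose count on some day on or
    after `cutoff` is at least `factor` times its baseline and at least `min_count`.
    The absolute floor keeps a port that normally sees two hits a day from
    alerting when it sees ten; the ratio keeps a busy port from alerting on a
    small absolute rise. Only the first surge day per key is reported."""
    out = {}
    for key, by_day in daily.items():
        base = baseline(by_day, cutoff)
        if not base:
            continue
        for day in sorted(d for d in by_day if d >= cutoff):
            n = by_day[day]
            ratio = n / base
            if ratio >= factor and n >= min_count:
                out[key] = (day, n, round(ratio, 1))
                break
    return out


if __name__ == "__main__":
    for key, (day, n, ratio) in surges(SAMPLE_DAILY, "2003-08-01").items():
        print(f"{key}: {n} hits on {day}, {ratio}x the July baseline")
```

With the constructed data the detector reports 135/tcp on 2003-08-12 and icmp on 2003-08-18 while leaving 80/tcp alone, which is the sequence the report describes: a port-volume alarm first, then a protocol-volume alarm for the second worm.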
[Fig 2-8 Attacked ports after the emergence of the Blaster and Welchia worms (hourly counts, 8/12 0:00 to 8/18 12:00, two scales 0 to 6000 and 0 to 600; series: icmp, 135/tcp, 445/tcp, 137/udp, 21/tcp, 80/tcp, 17300/tcp, others)]
[Fig 2-9 Number of attacks by the Blaster worm by source country (8/12 0:00 to 8/18 0:00, 0 to 600; series: US, GB, JP, HK, CN, KR, CA, others)]
Through the security portal site @police, we widely publicized warnings of the surge in the number of accesses to 135/TCP on August 5, of the spread of the worm exploiting the Windows vulnerability on August 12, and of the worm that suddenly increased the traffic of ICMP-related packets.
(2) Slammer worm
The Slammer worm, which emerged in January 2003, infected computers by exploiting a vulnerability of Microsoft SQL Server (323875, MS02-039), the buffer overrun in the Resolution Service, which may allow an attacker to execute code. A computer compromised by the worm randomly chose host computers, and the worm spread to infect the computers with the same vulnerability. You may remember that the many host computers compromised simultaneously by the worm triggered a rapid increase in traffic and caused trouble in communication networks.
The number of Slammer worm detections after its emergence is shown in Fig 2-10. Although the worm's activity gradually calmed down after the emergence, the worm became active again in late February. Around 700 Slammer worms were detected daily even in December. The numbers of alerts and detected host computers have remained at about 40 and around 14 a day, respectively, and do not seem to be fading.
[Fig 2-10 Detected number of attacks and attacking hosts by the Slammer worm (daily Alerts and Hosts, 2003/1/1 to 2003/12/31; y-axis Alerts/Hosts 0 to 1,400)]
The source countries by number of Slammer worm attacks and by number of Slammer worm attacking hosts, determined by their IP addresses, are shown in Fig 2-11 and Fig 2-12, respectively. The US is the top attack source, accounting for about 34%, followed by China (about 21%) and Japan (about 6%). As in the ranking by attacks, the US is also the top source of attacking hosts, accounting for about 43%. While the number of Slammer worm attacks from China was large, the number of attacking hosts in China was not. This result seems to show that many compromised host computers in China were left infected for a long time.
[Fig 2-11 Ratio of the alerts by country (pie chart): United States 33.92%, P.R. China 20.55%, Japan 6.49%; other listed countries: United Kingdom, Canada, Australia, France, Spain, Brazil, Germany, others]
[Fig 2-12 Ratio of the attacking hosts by country (pie chart): United States 42.61%; other listed countries: P. R. China, United Kingdom, Hong Kong, Japan, Australia, Sweden, Brazil, Canada, France, others]
3. Cyber Force Activities
Cyber Force activities in 2003 are shown below.
3.1 Collaboration with Critical Infrastructures
3.1.1 Providing Security Information
We have periodically visited critical infrastructures and given security advice and guidance since 2002. In 2003, we made efforts to raise their security levels by providing them with a variety of information, including cases relating to the whole Internet, countermeasures against those cases, "the Criminal and Malicious Activities on the Internet" that we publish quarterly, the methods used in actual cases, and so on.
3.1.2 Penetration Test
We also conducted penetration tests at the request of critical infrastructures and gave advice regarding information security based on the results.
3.1.3 Responding to Cases
When critical infrastructures were involved in information security cases, we searched for the causes of the cases at their request and gave them advice regarding countermeasures for information security.
3.2 Public Relation Activities
3.2.1 Sending Our Staff to Conferences as Speakers
(1) Internet Week 2003
(2) Shirahama Computer Crime Symposium 2003
(3) Security Seminar held by JPNIC, JPCERT/CC
3.2.2 Sending our Staff to the Counter Cyber Terrorism Councils and the ISP Councils
(1) Tokyo Prefecture Counter High-Tech Crime Council
(2) Mie Prefecture ISP Crime Prevention Network
3.3 Research & Development
3.3.1 Collaborative Research and Development on Vulnerabilities of Systems and Attacks against Systems among Private, Academic and Public Parties
We sent our officer to a laboratory in the Institute of Industrial Science, University of Tokyo, to research the detection of cyber attacks.
3.3.2 Analysis of a variety of attacking packets on the Internet
4 Trainings
4.1 IDS Training
Twelve-week training was provided to staff appointed to the Cyber Force on computer hardware, operating systems and various applications, in order to meet their responsibilities for cyber terrorism prevention and for limiting the damage caused by such incidents.
4.2 Cyber Force Training
Three-week training was provided to staff appointed to the Cyber Force on source code and detailed specifications of computer hardware and software provided by their vendors, in order to meet their responsibilities relating to examination and analysis at crime scenes, etc. This training was provided only to staff with prominent technical knowledge and skill.
4.3 Internal training
Two-week training held by the HTCTD in the NPA was provided to police officials to acquire technical knowledge relating to high-tech crime investigation.
4.4 Specialized Course of Technical Support to High-tech Crime Investigation
Six-week training was provided to police officials involved in technical support for high-tech crime investigations, to acquire technical knowledge such as methods of analyzing digital records and legal knowledge such as the criminal procedure act, which are required to fulfill their duties at crime scenes.
4.5 Specialized Course of Counter Cyber Terrorism Technology
Two-week training was provided to police officials involved in counter cyber terrorism activities, to acquire knowledge of trends in information security, technical countermeasures against a variety of cyber attacks, and organizational responses to information security cases.
4.6 Specialized Course of Basic Investigation Support
Two-week training was provided to police officials who are required to support criminal investigations in general at local police forces, to acquire the basic knowledge, including technical matters, required to conduct their work.
4.7 Others
The Cyber Force sent its staff 45 times to various trainings and conferences held at national police branches and local police forces.
5. Vulnerability Reports
The National Police Agency verified various vulnerabilities found and reported on the Internet and widely publicized the verification results on the security portal site, @police. In 2003, it chose 200 vulnerabilities in total, including 136 unauthorized computer access methods and 64 malicious tools for unauthorized computer access, as shown in Fig 5-1, and verified their influence, the affected operating systems and services, and the countermeasures.
Figure 5-1 Number of unauthorized access method analyses conducted by the NPA in 2003
Month of 2003   Subtotal   Unauthorized access method   Unauthorized access tool
January         16         10                           6
February        20         11                           9
March           15         12                           3
April           14         8                            6
May             16         12                           4
June            18         13                           5
July            20         14                           6
August          15         9                            6
September       15         12                           3
October         19         12                           7
November        15         9                            6
December        17         14                           3
Total           200        136                          64
The detailed 2003 reports on unauthorized computer access exploits are available in Japanese on the security portal site, @police (http://www.cyberpolice.go.jp); the following are excerpts from among the reports.
5.1 Windows DCOM RPC Interface Buffer Overrun Vulnerability
5.1.1 Overview and Influence
Both RPC and DCOM as adopted in the Windows operating system have a problem that causes a buffer overrun. The vulnerability may allow attackers to execute arbitrary code with System privilege. This vulnerability is publicized as Microsoft Security Bulletin MS03-026.
5.1.2 Affected Operation Systems and Services
O: affected X: not affected (As of August 12, 2002)
OS                          Service     Version   Effect   Note
Windows NT series           RPC, DCOM   -         O
Windows 2000 series
Windows XP series
Windows Server 2003 series
5.1.3 Countermeasures
Download the program that fixes the problem from the URL shown below and execute it. Otherwise, apply the patch by updating the Windows operating system.
URL for downloading the program to solve the problem: http://support.microsoft.com/default.aspx?scid=kb;ja;823980
Windows Update URL: http://windowupdate.microsoft.com/
5.2 Analysis of the ATD OpenSSL Mass Exploiter
5.2.1 Overview
This attacking tool exploits vulnerabilities in OpenSSL 0.9.6d or earlier versions. There are four kinds of files in the archive: mass, vuln, openssl-too and osslmass2. These four files are detected as the Linux.RST.B virus.
5.2.2 Influence
This attacking tool has programs to obtain the user privilege of Apache, which is usually "apache" or "nobody", by exploiting vulnerabilities in OpenSSL. The Apache user privilege on a server computer running vulnerable OpenSSL may be taken by using one of the four tools. Additionally, this tool can alter ELF files, the Linux executable format.
5.2.3 Affected OS and Services
O: affected X: not affected (As of April 9, 2002)
OS                  Service            Version          Effect   Note
MS Windows series   Internet Explorer  6.0 or earlier   O
                    Outlook            2002 or earlier  O
                    Outlook Express    6.0 or earlier   O
5.2.4 Countermeasures
Update OpenSSL 0.9.6d or earlier versions running on host computers to OpenSSL 0.9.6e or a later version, which does not have this problem. Additionally, it is possible to detect this attacking tool by installing antivirus software and updating the virus definition files to the latest version.
The latest version OpenSSL URL: http://www.openssl.org/source/
5.3 IE Remote URLMON.DLL Buffer Overflow Vulnerability
5.3.1 Overview and Influence
URLMON.DLL, which Internet Explorer uses for HTTP communication, may trigger a buffer overrun on receiving an HTTP reply containing a very long character string. This vulnerability may enable a logged-in user to execute arbitrary code with that user's privileges. This vulnerability is publicized as Microsoft Security Bulletin MS03-015.
5.3.2 OS and Services affected
O: affected X: not affected (As of July 2, 2003)
OS                  Service            Version    Effect   Note
MS Windows series   Internet Explorer  5.0        O
                                       5.01 SP1   X
                                       5.01 SP2   O
                                       5.01 SP3   O
                                       5.5        O
                                       5.5 SP1    O
                                       5.5 SP2    O
                                       6.0        O
                                       6.0 SP1    O
5.3.3 Countermeasures
Download the program that fixes the problem from the URL shown below and execute it.
URL: http://www.microsoft.com/windows/ie/downloads/critical/813489/default.asp
6 Analysis of computer viruses
The NPA analyzes and verifies computer viruses that are considered to have a serious influence on society. We publicize the results as security information through @police and also provide critical infrastructures with the results.
6.1 Analyzed Computer Viruses
The NPA conducted analysis on the computer viruses shown in Fig 6-1.
Figure 6-1 Computer virus analyses by the NPA in 2003
No.  Month  Name of virus
1    Jan.   W32/Yaha.K-mm
2    Jan.   W32/Sobig.A-mm
3    Jan.   Trojan.Linux.JBellz
4    Jan.   SQL-Slammer
5    Jan.   MircPack..597504
6    Feb.   W32/Lovgate.C-mm
7    Mar.   W32/Deloder.A
8    Mar.   W32/CodeRed.F
9    Mar.   W32/Bibrog.C-mm
10   May    W32.HLLW.Kullan
11   May    W32.Yaha.S@mm
12   May    W32.HLLW.Fizzer
13   May    W32.Sobig.B@mm
14   Jun.   W32.Sobig.C@mm
15   Jun.   W32.Bugbear.B@mm
16   Jun.   VBS/Redlof
17   Jun.   W32.Sobig.E@mm
18   Jul.   Backdoor Fluxay
19   Aug.   W32.Mimail.A@mm
20   Aug.   W32.Blaster.Worm
21   Aug.   W32.Dumaru@mm
22   Aug.   W32.Welchia.Worm
23   Aug.   W32.Sobig.F@mm
24   Sep.   W32.Swen.A@mm
25   Nov.   W32.Mimail.C@mm
26   Nov.   W32.Mimail.J@mm
6.2 Result of Analysis
The following are excerpts from the analyses of computer viruses.
6.2.1 SQL-Slammer
Type: Worm (Win32 program)
File Name and Size (attachment name, if it exists): No file. The size of the executable is 376 bytes.
Program Language: Assembler
System Affected: Servers that use Microsoft SQL Server 2000 but have not applied the patch for security hole "MS02-039", or servers with the SQL Server 2000 Desktop Engine of Microsoft Office 2000 (Access 2000) installed.
Discovery Date: Before dawn on January 25, 2003
Origin: The US, the UK, South Korea and so on (the origin is not clear)
Risk Assessment: High (Score 4 or 4.5 out of 5). The worm's activity may make network traffic extraordinarily heavy, and communications difficult or impossible.
Trigger Conditions:
- Microsoft SQL Server 2000 is operated, and neither the patch for security hole "MS02-039" nor Service Pack 3 is applied, or the SQL Server 2000 Desktop Engine of Microsoft Office 2000 (Access 2000) is installed
- The program to solve the problem has not been applied to the server
- The server is attacked by this worm
Outline of its operation:
1. This worm infects either a server using Microsoft SQL Server 2000 with the vulnerability shown above or one that runs Microsoft Desktop Engine 2000.
2. The affected server randomly chooses a computer, attacks 1434/TCP and infects it. Repetition of this infection process leads to widespread infection.
3. Once this worm infects a server, that server conducts many attacks against other servers, which may block the network or make its access speed remarkably low.
4. Since this worm exists only in the server's memory, it does not exist as a file.
5. This worm does not have any routine triggered for explosive activation.
Damage: The speed of the Internet became remarkably slow all over the world before dawn on January 25 (GMT), and the condition continued for a day. Accurate data regarding the number of victims was unknown as of January 27, 2003.
6.2.2 W32.Blaster.Worm
Type: Worm
Program name and size: msblast.exe 6,176 bytes
Program Language: Unknown (compressed by UPX)
System Affected: Windows 2000, Windows XP
Discovery Date: August 12, 2003
Place of Origin: Germany (first reported)
Risk Assessment: Because this worm's attack exploits the DCOM RPC vulnerability, MS03-026, a server that has not applied the program to solve this problem is at very high risk (Score 4 out of 5).
Trigger Conditions: When this worm attacks a PC with this security hole.
Outline of its operation:
1. This worm targets 135/TCP and exploits the vulnerability of DCOM RPC (MS03-026).
2. The affected computer downloads msblast.exe and executes it.
3. This worm conducts DoS attacks against windowupdate.com so that the victim computers cannot apply the program that fixes the DCOM RPC vulnerability.
Damage: Widespread all over the world
6.2.3 W32.Welchia.Worm
Type: Worm
Program name and size: Dllhost.exe, 10,240 bytes
Program Language: Unknown
System Affected: Microsoft IIS, Windows 2000, Windows XP
Discovery Date: August 18, 2003
Place of Origin: China (first reported)
Risk Assessment:
Once a PC with the security hole is connected to the Internet, it may be infected within a short time. Very high risk (Score 4 out of 5).
Trigger Condition:
A PC with the security hole is attacked by this worm.
Outline of its operation:
This worm downloads the fix for the DCOM RPC vulnerability from the Microsoft Windows Update web site, installs it on the PC and restarts the PC. (Microsoft IIS appears among the affected systems because the worm also uses the WebDAV vulnerability in IIS 5.0 on Windows 2000, MS03-007, as a second way in.) To find PCs that are up, it sends ICMP echo requests to large address ranges, which sharply increases ICMP traffic, and then compromises the PCs that answer. It also attempts to delete W32.Blaster.Worm. Despite its apparently helpful payload it is still an unauthorized intrusion: the ping sweeps alone were enough to congest networks, and the unannounced restarts interrupted work on the affected PCs.
Damage:
Widespread all over the world
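The three entries above describe propagation patterns that show up in firewall logs without any virus signature: a host spraying 1434/UDP at random addresses, the 135/TCP, 4444/TCP, TFTP sequence of a Blaster infection, and Welchia's ICMP echo sweep. The following Python script, an added example and not code from the NPA report, checks constructed firewall log lines for these three patterns. The log format, the host addresses, the thresholds and the time windows are assumptions chosen for the example.

```python
"""Traffic-pattern checks for the three network worms described above.

Added example, not code from the NPA report. It runs over constructed
firewall log lines in an assumed format:
    <ISO-8601 timestamp> <ACTION> <proto> <src_ip>:<src_port> <dst_ip>:<dst_port>
For icmp the "port" field carries the ICMP type (8 = echo request).
Thresholds (20 targets per minute, 5-minute chain window) are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple


class Event(NamedTuple):
    ts: datetime
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_line(line: str) -> Event:
    ts, _action, proto, src, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Event(datetime.fromisoformat(ts), proto.lower(),
                 src_ip, int(src_port), dst_ip, int(dst_port))


def fanout(events: List[Event], proto: str, dport: int,
           window: timedelta = timedelta(seconds=60), threshold: int = 20) -> Dict[str, int]:
    """Sources that reach >= threshold distinct destinations on proto/dport inside one window.

    udp/1434 fan-out is the SQL worm's random spraying; icmp type 8 fan-out is
    Welchia's ping sweep; tcp/135 fan-out is Blaster/Welchia hunting for DCOM RPC.
    Returns {source: largest distinct-destination count seen in any window}.
    """
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        if e.proto == proto and e.dport == dport:
            by_src[e.src].append(e)
    hits: Dict[str, int] = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end, e in enumerate(evs):
            while e.ts - evs[start].ts > window:   # slide the window forward
                start += 1
            distinct = len({x.dst for x in evs[start:end + 1]})
            if distinct >= threshold:
                hits[src] = max(hits.get(src, 0), distinct)
    return hits


def blaster_chains(events: List[Event],
                   window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, str]]:
    """(attacker, victim) pairs showing Blaster's full infection sequence:
    tcp/135 exploit, tcp/4444 command shell, then udp/69 TFTP *from the victim
    back to the attacker* to fetch msblast.exe, all inside `window`."""
    stages: Dict[Tuple[str, str], Dict[str, datetime]] = defaultdict(dict)
    for e in sorted(events, key=lambda e: e.ts):
        if e.proto == "tcp" and e.dport == 135:
            stages[(e.src, e.dst)].setdefault("rpc", e.ts)
        elif e.proto == "tcp" and e.dport == 4444:
            stages[(e.src, e.dst)].setdefault("shell", e.ts)
        elif e.proto == "udp" and e.dport == 69:
            stages[(e.dst, e.src)].setdefault("tftp", e.ts)  # reversed: the victim is the TFTP client
    chains = []
    for (attacker, victim), st in stages.items():
        if all(k in st for k in ("rpc", "shell", "tftp")) \
                and st["rpc"] <= st["shell"] <= st["tftp"] <= st["rpc"] + window:
            chains.append((attacker, victim))
    return sorted(chains)


def sample_log() -> List[str]:
    """Constructed log: an SQL-worm sprayer, one Blaster chain, a Welchia sweep, benign noise."""
    base = datetime(2003, 8, 12, 3, 15, 0)

    def at(seconds: int) -> str:
        return (base + timedelta(seconds=seconds)).isoformat()

    lines = [f"{at(i)} DROP udp 10.0.0.5:1071 203.0.113.{i + 1}:1434" for i in range(25)]
    lines += [f"{at(30)} ACCEPT tcp 198.51.100.7:3121 10.0.0.9:135",
              f"{at(31)} ACCEPT tcp 198.51.100.7:3122 10.0.0.9:4444",
              f"{at(33)} ACCEPT udp 10.0.0.9:1044 198.51.100.7:69"]
    lines += [f"{at(40 + i // 4)} DROP icmp 10.0.0.9:0 10.0.1.{i + 1}:8" for i in range(30)]
    lines.append(f"{at(50)} ACCEPT tcp 10.0.0.2:51000 192.0.2.10:80")
    return lines


def analyze(lines: List[str]) -> dict:
    events = [parse_line(line) for line in lines]
    return {"sql_worm_udp1434_fanout": fanout(events, "udp", 1434),
            "icmp_sweep_fanout": fanout(events, "icmp", 8),
            "blaster_chains": blaster_chains(events)}


if __name__ == "__main__":
    for name, result in analyze(sample_log()).items():
        print(name, result)
```

The chain check keys on the direction of the TFTP request: it is the newly exploited host that connects back to the attacker on 69/UDP, so an outbound TFTP request from a workstation shortly after an inbound 135/TCP connection identifies the victim, not the attacker. In the constructed log the host 10.0.0.9 is first infected by Blaster and then starts the ICMP sweep, which is the order of events many sites saw in August 2003.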
6.2.4 W32.Mimail.J@mm
Type: Worm
Program name and size: Svchost32.exe, ee98af.tmp (13,856 bytes); attached file: InfoUpdate.exe or www.paypal.com.pif
Program Language: Unknown
System Affected: Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP
Discovery Date: November 17, 2003
Place of Origin: The US (first reported)
Risk Assessment:
Because this worm mails itself to every e-mail address found in the Internet Explorer cache, it may spread widely. User information may also be stolen from anyone who types in credit card details. Intermediate risk (Score 3 out of 5).
Trigger Condition:
The user executes www.paypal.com.pif or InfoUpdate.exe, which this worm sends as an e-mail attachment. Note that a .pif file is executable and that Windows Explorer never displays the .pif extension, so the attachment appears to the user as "www.paypal.com".
Outline of its operation:
This is a mass-mailing worm that attempts to steal personal information. It displays a web page asking the user to type in credit card information, stores the typed information and sends it to pre-designated e-mail addresses.
Damage:
Although only a few affected computers were reported, credit card information typed by a user may have been stolen.
Mutants and Variants:
W32.Mimail.A@mm (discovered on Aug. 2, 2003),
W32.Mimail.C@mm (discovered on Oct. 31, 2003),
W32.Mimail.D@mm (discovered on Nov. 1, 2003),
W32.Mimail.E@mm (discovered on Nov. 2, 2003),
W32.Mimail.F@mm (discovered on Nov. 4, 2003),
W32.Mimail.G@mm (discovered on Nov. 4, 2003),
W32.Mimail.H@mm (discovered on Nov. 13, 2003) and
W32.Mimail.I@mm (discovered on Nov. 13, 2003).
Many variants with differing e-mail subjects and attachment names were confirmed.
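The Mimail.J lure relies on two properties of the attachment name: .pif is executable, and the real extension is hidden so the file looks like a web address. The Python script below, an added example and not code from the NPA report, parses a constructed message carrying such an attachment and returns a verdict for each MIME part. The extension lists, the sample sender and the attachment contents are assumptions.

```python
"""Attachment screening for Mimail-style mass mailers.

Added example, not code from the NPA report. The message below is constructed;
the sender address, recipient and attachment bytes are placeholders.
"""
import os
from email import message_from_string
from email.message import EmailMessage
from typing import List

# Suffixes Windows runs on double-click (assumed list; extend it for your environment).
EXECUTABLE_EXT = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
# Suffixes registered with NeverShowExt: Explorer hides them even when
# "hide extensions for known file types" is off, so www.paypal.com.pif is shown as www.paypal.com.
NEVER_SHOW_EXT = {".pif", ".lnk", ".url", ".shs"}


def classify_attachment(filename: str) -> dict:
    """Verdict for one attachment name: block executables and explain why."""
    stem, ext = os.path.splitext(filename)
    ext = ext.lower()
    reasons = []
    if ext in EXECUTABLE_EXT:
        reasons.append(f"executable extension {ext}")
    if ext in NEVER_SHOW_EXT:
        reasons.append("extension hidden by Explorer (NeverShowExt)")
    if "." in stem:
        # a second dot hides the real type behind a fake one (www.paypal.com.pif, invoice.pdf.exe)
        reasons.append(f"double extension: the user sees '{stem}'")
    return {"filename": filename, "block": ext in EXECUTABLE_EXT, "reasons": reasons}


def screen_message(raw: str) -> List[dict]:
    """Walk every MIME part of a raw RFC 822 message and classify each named attachment."""
    msg = message_from_string(raw)
    return [classify_attachment(part.get_filename())
            for part in msg.walk() if part.get_filename()]


def sample_message() -> str:
    """Constructed lure in the style of the Mimail.J attachment names."""
    m = EmailMessage()
    m["From"] = "service@paypal.com"        # constructed; the worm forges the sender
    m["To"] = "user@example.org"
    m["Subject"] = "IMPORTANT"
    m.set_content("Your account information must be updated. Run the attached file.")
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                     filename="www.paypal.com.pif")
    m.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf",
                     filename="statement.pdf")
    return m.as_string()


if __name__ == "__main__":
    for verdict in screen_message(sample_message()):
        print(verdict)
```

The verdict is driven by the extension, not by the Content-Type header, because the worm chooses both; the reasons list exists so that a gateway can log why a message was held and a user can be told that "www.paypal.com" was in fact a program.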
7. Incident Report
The following are major examples of technical support provided to criminal investigations in 2003.
7.1 Violation of the Law on Investment Deposits and Interest Rates and the Money Lending Control Law
Many computers and related devices were seized from an office that ran a loan-sharking business under the cover of a rental furniture shop and gained illegal profits. By analyzing them, we confirmed the structure of the business, the details of the illegal profits and so on, and contributed to solving the case.
7.2 Case of Publicly Displaying Child Pornography through the Internet
The computers and CDs at the home of the suspect, who uploaded child pornography images to an electronic BBS, and those of the other people involved in the case were seized. By analyzing them, we found child pornography images that could serve as evidence, established the modus operandi and contributed to solving the case.
7.3 Fraud Case Using Auction Web Sites on the Internet
The PC at the home of the suspect, who fraudulently obtained a large amount of money through Internet auctions, was seized. By analyzing the PC, we clearly established the sophisticated modus operandi of the fraud and contributed to solving the case.
7.4 Defamation Case Using an Electronic BBS
The PC at the home of the suspect, who defamed another person by posting details such as physical features and rumors, was seized. By analyzing the PC in detail, we found data proving the motive for the crime as well as evidence, and contributed to solving the case.
7.5 Violation of the Stimulant Drugs Control Act Using an Electronic BBS and E-mail
The PCs of several suspects, who were arrested for using an electronic BBS and e-mail to traffic in stimulant drugs, were seized. By analyzing the PCs, we found e-mail describing the detailed transactions among the suspects and contributed to solving the case.
7.6 Violation of the Unauthorized Computer Access Law
In a case where the suspect stole the system administrator's password and gained unauthorized access to a company's web site, we analyzed the access logs in detail and identified the suspect.
7.7 Uttering of a Forged Official Document, Forgery and Uttering of a Private Document, and Attempted Fraud
The suspect forged another person's driver's license, filled in his own information, including his name, on an application form placed in an ATM of a consumer finance company and tried to obtain money fraudulently. We seized the computer the suspect had used to forge the driver's license, analyzed it, established how the license had been forged and contributed to solving the case.
7.8 Deceptive Labeling of the Origin of Chickens
Many computers and devices used by companies belonging to a large food group to misrepresent the origin of chickens were seized. By analyzing the large amount of data in them, we found evidence proving the involvement of the companies and contributed to solving the case.
8. International Cooperation
Because information and communications technology and computer networks are international and universal in nature, the activities of the HTCTD in the NPA must be conducted on an international level. The Hi-Tech Crime Subgroup, a forum under the G8, has been discussing various issues ranging from policy harmonization to actual investigation techniques, and the HTCTD has participated in these discussions since 1999. We also operate a computer network, the Cybercrime Technology Information Network System (CTINS), to share and exchange information among Asian countries on a daily basis. Furthermore, to develop capabilities for cybercrime investigation, we organize an international conference in Tokyo, the CTINS Annual Meeting, every year to exchange the technical information required for combating cybercrime.
8.1. G8 Lyon Group Hi-tech Crime Subgroup
At the G8 Lyon Group Hi-Tech Crime Subgroup, various issues ranging from policy harmonization to actual investigation techniques are discussed. In 2003, measures to protect critical infrastructure were discussed in the subgroup and at "The G8 Conference on Critical Infrastructure" held in Paris in March. The G8 developed principles to guide the policy planning of individual member countries. These principles, adopted at the G8 Justice and Interior Ministers' Meeting in Paris on May 5, 2003, were the first international agreement of this kind.
8.2. Asian Conference on Cybercrime Investigation Technology and Forensics
An international conference on cybercrime investigation technology and forensics was held in Tokyo in February 2003, with police officials from China, Hong Kong, India, Indonesia, South Korea, Malaysia, the Philippines, Singapore, Thailand and Japan participating. Two police officials from the UK also attended as observers. At the conference, participants exchanged information on the cybercrime situation in each country and region and on technical practices for dealing with cybercrime, discussed future challenges, and agreed to strengthen international police cooperation in this area.
8.3. Other International Conferences
International conferences in which HTCTD officials participated in 2003 were as follows.
- Jun. 22 – Jun. 27 FIRST Annual Conference (Ottawa, Canada)
- Jul. 21 – Jul. 25 APEC Cybercrime Conference (Bangkok, Thailand)
- Oct. 5 – Oct. 9 ICPO Technology Crime Investigation and Training Seminar (Hong Kong)
- Oct. 29 – Oct. 31 ICPO Asia-South Pacific Working Party on Information Technology Crime (Shanghai, China)
8.4. Cybercrime Technology Information Network System (CTINS)
The HTCTD operates and maintains an international computer network connecting the police officials in charge of technical countermeasures against cybercrime in nine countries and one region in Asia. The network is intended to share and exchange information, including techniques for dealing with security incidents on the Internet and computer forensic practices, within the short time frames that dealing with cybercrime often requires.
9. National Police Agency Security Portal Site, @police
The security portal site @police (http://www.cyberpolice.go.jp) was established in March 2003. Its aims are to prevent hi-tech crime and cyber terrorism, to limit the damage caused by security incidents, and to raise security awareness in general by providing domestic Internet users with the network security information collected by the NPA.
On this portal site, users can learn about information security at a level matching their knowledge and can look for the content that suits their own purposes. The top page also publishes the current status of computer virus outbreaks, vulnerabilities in a variety of software, and so on, which raises security awareness among Internet users.
Top page of @police
In addition to the content created when the site opened, the following content was added in 2003.
9.1 Fixed-Point Internet Monitoring
Every hour we gather the data detected by the intrusion detection systems and firewalls at 57 Internet connection points used by police organizations nationwide, and publish the data together with a real-time quantitative picture of it.
Referring to this data makes it possible to understand quantitatively and in real time the situation on the Internet during worldwide phenomena such as the Blaster worm incident of August 2003. In addition, when we detect an unusual situation, we raise awareness through a "topics" item on the top page.
Attack methods monitored by the NPA’s intrusion detection network system
Attacked ports monitored by the NPA’s firewalls
Countries of origin of attacks monitored by the NPA’s firewalls
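The fixed-point monitoring described in 9.1 rests on two operations: bucketing sensor hits per hour and per port, and noticing when one port's count breaks away from its recent baseline, as 135/TCP did during the Blaster outbreak. The Python script below, an added example and not the NPA's own system, performs both over constructed records; the record format, the 24-hour history window, the ratio and the floor are assumptions.

```python
"""Hourly port aggregation with a baseline check, in the spirit of the
fixed-point monitoring described in 9.1.

Added example, not the NPA's own system. Input is constructed: each record is
(timestamp, "proto/port") as a sensor would report a blocked or detected packet.
The history window, ratio and floor are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, Iterable, List, Tuple

SAMPLE_START = datetime(2003, 8, 11, 0, 0)   # constructed start of the two-day sample


def hour_of(h: int) -> datetime:
    return SAMPLE_START + timedelta(hours=h)


def hourly_counts(records: Iterable[Tuple[datetime, str]]) -> Dict[datetime, Counter]:
    """{hour: Counter({'tcp/135': n, ...})}: the table behind an 'attacked ports' chart."""
    table: Dict[datetime, Counter] = defaultdict(Counter)
    for ts, service in records:
        table[ts.replace(minute=0, second=0, microsecond=0)][service] += 1
    return table


def top_ports(table, hour: datetime, n: int = 5) -> List[Tuple[str, int]]:
    return table[hour].most_common(n)


def anomalies(table, history: int = 24, ratio: float = 10.0, floor: int = 50):
    """(hour, service, count, baseline) rows where count >= ratio * median of the
    previous `history` hours and count >= floor. A median baseline is not pulled
    up by a single noisy hour; once an outbreak fills the whole window it becomes
    the new normal and alerts stop, which is the expected behaviour of a local baseline."""
    hours = sorted(table)
    flagged = []
    for i, h in enumerate(hours):
        past = hours[max(0, i - history):i]
        if not past:
            continue
        for service, n in table[h].items():
            base = median(table[p].get(service, 0) for p in past)
            if n >= floor and n >= ratio * max(base, 1):
                flagged.append((h, service, n, base))
    return flagged


def sample_records() -> List[Tuple[datetime, str]]:
    """Two constructed days: steady web and SQL noise, then tcp/135 jumps from
    5 to 600 hits per hour at hour 30, the shape the August 2003 outbreak produced."""
    recs = []
    for h in range(48):
        hour = hour_of(h)
        n135 = 600 if h >= 30 else 5
        for service, n in (("tcp/80", 40), ("tcp/135", n135), ("udp/1434", 2)):
            recs += [(hour + timedelta(seconds=k * 3600 // n), service) for k in range(n)]
    return recs


if __name__ == "__main__":
    table = hourly_counts(sample_records())
    print(top_ports(table, hour_of(30)))
    for row in anomalies(table):
        print(row)
```

With these settings the 135/TCP jump is flagged from hour 30 until the 600-per-hour level has filled more than half of the 24-hour history, after which the median baseline has moved and the rule goes quiet; a long-running outbreak therefore needs a second, slower baseline (a week or more) if it is to keep appearing on a "topics" list.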
9.2 Animation Version for Kids
This content explains the structure of the Internet, its dangers and other issues to children through easy-to-follow stories. For use in school education and other explanatory meetings, we also provide web content that can be downloaded from our web site.
9.3 Security Lectures for Beginners
With the plummeting price of personal computers and the popularization of high-speed Internet access, the number of Internet users is increasing.
This content aims to help people using the Internet for the first time and to ease their anxieties. It clearly explains seven themes, including how to use the Internet and the dangers Internet users may encounter. For use in school education and other explanatory meetings, we also provide web content that can be downloaded from our web site.
9.4 Mail Magazine
Every month we send an e-mail covering a variety of information, such as the month's popular and noteworthy content. We also send ad hoc e-mails to notify readers of important information promptly.
(END)