Distributed via http://www.cyberpolice.go.jp/

Technological Countermeasures against High-tech Crime
Annual Report 2003

June 2004
High-Tech Crime Technology Division
National Police Agency of Japan

[ Content ]
1 Combating the Menace against the Internet -Review of 2003- ........ P.2
2 Malicious and Criminal Activities on the Internet .................. P.7
3 Cyber Force Activities ............................................. P.16
4 Training ........................................................... P.17
5 Vulnerability Report ............................................... P.18
6 Analysis of Computer Viruses ....................................... P.21
7 Incident Report .................................................... P.24
8 International Cooperation .......................................... P.26
9 National Police Agency Security Portal Site, @police ............... P.28

1 Combating the Menace against the Internet -Review of 2003-

1.1 Viruses and Worms Threatening the Safety of the Internet

Computer viruses affect the whole of the Internet, not only the compromised PCs. In 2003 a variety of viruses spread over networks and showed their power. Many of the viruses that emerged in 2003 spread so fast, and by such complicated routes, that computer users could not protect themselves against them. Worms with a variety of objectives appeared: some used the infected computers to attack a specific computer on the Internet, some aimed at leaking information from the victim computers, and some created backdoors in the infected computers from which to intrude into other computers. A virus is now one of the biggest menaces to the Internet, which is an indispensable infrastructure for people's daily lives.

[Figure: worm propagation across the Internet between web servers, mail servers, common users (ADSL users, dial-up users, etc.) and intranets]

It is difficult to stop worm activity because a worm can spread all over the world in a short time. Using its technology and mobility, the National Police Agency (NPA) makes efforts to promptly provide the public with detailed analysis of worms and with countermeasures.
As for the Slammer worm and the Welchia worm, which emerged in January and August respectively, we found signs that their infections might spread widely and successfully called public attention to them. Our warnings were widely applauded, because they made it possible to take countermeasures at an early stage of infection. To confront new menaces caused by viruses, we are enhancing our ability to gather and analyze data and strengthening our efforts by using a variety of means to provide information.

1.2 Bridge between Police and the Public -@police-

The security portal site of the NPA, @police, established in 2003, is operated as a prompt and accurate means of providing information in real time in an emergency situation. At other times, @police is operated as a source of the information needed to use the Internet securely. The portal has a broad range of contents: some are for children and beginners who have just started using the Internet, others are for system administrators. Because this kind of information must be timely, we review and update the contents regularly. By analyzing data from our fixed-point monitoring network, we detect signs of turbulence on the Internet at an early stage and call public attention to them. Comprehensive statistical analysis of the situation on the Internet contributes to broad countermeasures against trouble. Furthermore, in collaboration with a foreign web site that provides security information, we select news items from that site, translate them and publish them in "The Security Trends in the World" (URL: http://www.cyberpolice.go.jp/international/index.html) almost every day.

1.3 Combating Cyber Terrorism

The Cyber Force Unit, a mobile technological unit established within the police, gathers data on the Internet around the clock and makes efforts to detect signs that may become clues to cybercrime.
When the unit detects an unusual phenomenon, it promptly responds together with the local police forces. For instance, the unit provides critical infrastructures with security information for the prevention of cyber terrorism and conducts vulnerability tests. Additionally, the unit advises critical infrastructures on how to limit the damage from such an incident, how to recover their services safely, and how to find the cause of the incident.

[Diagram: the NPA Cyber Force Center performs real-time detection of attacks (hacker tools, computer viruses, etc.) with intrusion detection systems (IDS), intelligence collection and analysis, and quick response; critical infrastructures such as information communications, finance, railroads and air carriers, power and gas companies, and government institutions send requests and reports and receive analysis results; Regional Police Bureau (RPB) Cyber Forces carry out monitoring and quick response]

1.4 Technology to Support Police Activity

In 1999 the NPA established the High-Tech Crime Technology Division (HTCTD) to technically assist cybercrime investigation nationwide, and the Technology Center within the HTCTD as the core technical facility. The center provides guidance on technology at search and seizure sites, retrieves information from physically destroyed digital recording media, restores and analyzes deleted information, and so on. Additionally, the center analyzes and examines a variety of computer viruses, unauthorized access methods and vulnerabilities that may cause serious damage to Internet society. We publicize the results as security information through @police.
Our comprehensive technology, which makes it possible to respond swiftly to these complicated and varied phenomena, is applauded internationally as well as domestically.

1.5 Total Enhancement of Technological Countermeasures

The number of crimes using information and communication technology, such as fraud on Internet auction sites and copyright infringement through file sharing software, is getting larger every year, and the modus operandi of these crimes has become remarkably sophisticated. The NPA gathered information on the analysis of information technology necessary for cybercrime investigation, including a variety of phenomena on the Internet and trends in information and communications, and assists the technical support sections for cybercrime investigation nationwide by providing them with this information. In addition to the HTCTD in the NPA and the Regional Police Bureaus, we built a nationwide technical support framework by establishing HTCTDs in all the Prefectural Police Info-Communications Departments in April 2004. This framework can deal appropriately with cybercrime, which is becoming more sophisticated, complicated and extensive.

1.6 Japan in the World -Japan Police Leading Asia-

Cybercrime using the Internet and other information and communications lines is committed far more internationally than any other kind of crime, because it is free from temporal and physical restriction. The High-Tech Crime Subgroup is attached to the G8 Senior Experts Group on Transnational Organized Crime, known as "the G8 Lyon Group". The subgroup discusses the cybercrime situation and appropriate and effective responses to international cybercrime. The HTCTD in the NPA sends an official to the subgroup and contributes internationally from the technical aspect. In particular, Japan, the only G8 member state in Asia, has a role in technically supporting countries in Asia.
One of our efforts aims to build a framework for sharing information among officials in charge of technical measures in cybercrime investigation. Examples of these efforts are that we established and operate a network system to share information in real time, and that we hold the "CTINS Annual Conference" to share an internationally common technological basis. Cooperation with foreign law enforcement organizations is indispensable for countermeasures against cybercrime and cyber terrorism.

2 Malicious and Criminal Activities on the Internet

2.1 Introduction

The HTCTD in the NPA researches and analyzes a variety of phenomena occurring on the Internet by installing intrusion detection systems and firewalls at 57 Internet connection points used by police organizations nationwide. We publicize the analysis as appropriate to alert the public widely through the NPA security portal site, @police. On the basis of the alerts detected by our intrusion detection systems and the logs at specific Internet connection points, we researched and analyzed the phenomena that occurred on the Internet in 2003.

[Figure 2-1: Accumulated numbers of attacks sorted by countries or territories (world map; legend: United States and Canada / other countries or territories)]

2.2 Attack Type

In 2003 we detected about 398,000 accesses from external networks and some 94,000 hosts as attack sources. The attacks we detected came from computers in 176 countries or territories. The accumulated numbers of attacks sorted by country or territory are shown in Fig 2-1. As Fig 2-1 shows, attacks were detected from computers in almost all countries and territories; attacks from East Asia including Japan, from Europe and from North America are especially prominent.

2.2.1 Analysis of Attack Sources on the Basis of IP Addresses

(1) Number of Attacks Sorted by Country

The top 10 countries by number of attacks, determined by IP address, are shown in Fig 2-2.
The US was the top attack source, accounting for about 34%, followed by China (about 15%) and South Korea (about 7%). Attacks from computers in Japan accounted for only about 4%. The fact that TCP packets with window size 55808 from the Czech Republic accounted for 95% of all the packets from the Czech Republic is considered to be the effect of "Stumbler", a distributed port scanner, the "Randex.C" worm and so on. Most of the IP addresses of the attacking computers seem to be spoofed.

[Figure 2-2: Top 10 countries by number of attacks]

(2) Number of Attacking Hosts

The top 10 countries by number of attacking hosts, determined by IP address, are shown in Fig 2-3. As with the number of attacks, the US was the top source of attacking hosts, accounting for about 41%, followed by China (about 5%). Japan ranked fifth in the number of attacks and third in the number of attacking hosts. While the numbers of attacks from the Netherlands and the Czech Republic ranked eighteenth and twentieth respectively, the numbers of attacking hosts in these countries ranked lower. It seems that a small number of hosts were the sources of many attacks.

[Figure 2-3: Top 10 countries by number of attacking hosts]

2.2.2 Alert Type

(1) Alert Type

The numbers of attacks sorted by method in 2003 are shown in Fig 2-4.

[Figure 2-4: Number of attacks sorted by method in 2003]

One of the worms that seriously affected our society through the Internet in 2003 was the Slammer worm, which emerged in January. Although its activity calmed down after it had spread all over the world, the worm became active again in late February. Around 700 alerts were detected daily even in December, and its activity does not seem to be fading away. In March, defacements of web sites in the US and the UK in opposition to the war in Iraq were identified.
In the same month, several defacements of web sites for the same purpose were identified in Japan. Port scan-related alerts had been increasing since April, mainly caused by scanning of 1080/TCP from a specific domain in the Netherlands. Port scans from this domain targeted ports such as 80/TCP, 3128/TCP, 6588/TCP and 8080/TCP, all of which are used by proxy servers. Spam mails were distributed from this domain by exploiting a vulnerability (CERT/CC Vulnerability Note VU#150227) in multiple vendors' HTTP proxy software. After a British reporter found the relation between this domain and the spamming company, the upstream ISP stopped its service for the company on July 1, and port scans from the domain were not detected afterwards. "The Defacers Challenge (TDC)", a competition in defacing web sites, was held in July. We enhanced our vigilance because of the possibility that many unauthorized accesses would be committed in Japan; however, only a few cases of unauthorized access were confirmed in our domestic territory. Just before the competition, we detected port scans from China that accessed all the ports of one of the hosts where we conduct fixed-point monitoring. The Blaster worms and the Welchia worm spread in August. These worms exploited vulnerability 823980 (MS03-026), the buffer overrun in the RPC interface that may allow an attacker to execute arbitrary code. Although our IDSs did not detect these worms themselves, we found their activity by detecting an increase in the traffic on the specific port or protocol. In the case of the Welchia worm, we detected a surge of ICMP-related packets and alerted the public. After these worms spread, the number of infection attempts against 135/TCP by the Blaster worm and of ICMP Echo Requests by the Welchia worm remained large.
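The fixed-point monitoring described in 2.2.1 and 2.2.2 comes down to two computations over the IDS alert stream: counting attacks and distinct attacking hosts per source country (the comparison that exposes a country whose many attacks come from a handful of hosts), and flagging a port whose daily count jumps far above its recent baseline, which is how the Blaster activity on 135/TCP was noticed. The following Python is an added example, not code from the NPA report; the alert line format and all the sample alerts are constructed for this example.

```python
"""Attacks vs. attacking hosts per country, and per-port daily surge detection.

Added example, not code from the NPA report. The alert line format is a
hypothetical one chosen for this example:
    <YYYY-MM-DD>T<HH:MM:SS>Z <source-ip> <country-code> <dst-port>/<proto>
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\d{2}:\d{2}:\d{2}Z\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<cc>[A-Z]{2})\s+"
    r"(?P<port>\d{1,5}/(?:tcp|udp))\s*$"
)


def parse_alerts(text):
    """Parse alert lines into dicts; blank or malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts


def rank_by_country(alerts):
    """[(country, attacks, distinct hosts)] sorted by attack count, descending.

    Reading the two columns together reveals a country whose high attack
    count comes from only a few hosts (section 2.2.1 (2))."""
    attacks = Counter(a["cc"] for a in alerts)
    hosts = defaultdict(set)
    for a in alerts:
        hosts[a["cc"]].add(a["src"])
    return sorted(((cc, n, len(hosts[cc])) for cc, n in attacks.items()),
                  key=lambda row: (-row[1], row[0]))


def port_surges(alerts, day, baseline_days, factor=10):
    """Ports whose count on `day` is at least `factor` times the mean daily
    count over `baseline_days`. Returns {port: (baseline_mean, count_on_day)}.
    A port never seen in the baseline gets a mean of 1.0 so that a brand-new
    flood is still reported instead of dividing by zero."""
    per_day = defaultdict(Counter)
    for a in alerts:
        per_day[a["day"]][a["port"]] += 1
    surges = {}
    for port, today in per_day[day].items():
        base = sum(per_day[d][port] for d in baseline_days) / len(baseline_days)
        if today >= factor * max(base, 1.0):
            surges[port] = (base, today)
    return surges


def build_sample_log():
    """Constructed sample alerts (not real NPA data): three quiet days with a
    trickle on 135/tcp, one NL host scanning 1080/tcp repeatedly, and then a
    135/tcp flood on 2003-08-12 from twenty US hosts."""
    lines = []
    for d in ("2003-08-09", "2003-08-10", "2003-08-11"):
        for i in range(3):       # background: about 3 hits a day on 135/tcp
            lines.append(f"{d}T0{i}:00:00Z 198.51.100.{10 + i} US 135/tcp")
        for i in range(5):       # background: web probes from five KR hosts
            lines.append(f"{d}T1{i}:30:00Z 203.0.113.{20 + i} KR 80/tcp")
        for i in range(20):      # one NL host, twenty 1080/tcp scans a day
            lines.append(f"{d}T12:{i:02d}:00Z 192.0.2.5 NL 1080/tcp")
    for i in range(60):          # surge day: 60 hits from 20 distinct hosts
        lines.append(f"2003-08-12T{i % 24:02d}:{i:02d}:00Z "
                     f"198.51.100.{100 + i % 20} US 135/tcp")
    for i in range(5):
        lines.append(f"2003-08-12T1{i}:30:00Z 203.0.113.{20 + i} KR 80/tcp")
    lines.append("malformed line that the parser must ignore")
    return "\n".join(lines)


BASELINE = ["2003-08-09", "2003-08-10", "2003-08-11"]


def main():
    alerts = parse_alerts(build_sample_log())
    print("country  attacks  hosts")
    for cc, n, h in rank_by_country(alerts):
        print(f"{cc:7}  {n:7}  {h:5}")
    for port, (base, today) in port_surges(alerts, "2003-08-12", BASELINE).items():
        print(f"surge on {port}: baseline {base:.1f}/day, today {today}")


if __name__ == "__main__":
    main()
```

On the constructed log, NL ranks second by attacks with a single host, and 135/tcp is the only port reported as a surge on 2003-08-12.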
(2) Attack Methods

The ratio of each attack method detected in 2003 is shown in Fig 2-5. As Fig 2-5 shows, worm-related attacks and scan-related attacks accounted for some 53% and some 36% respectively, which means that these two methods accounted for about 90% of all attacks. The result shows that most attacks were conducted at the preparatory stage, and direct attacks against servers exploiting vulnerabilities accounted for only about 10%. The small ratio of direct attacks seems to be due to the enhanced security at the connection points we monitor: the high level of security made attackers give up direct attacks at the planning stage, in which packets are sent one-sidedly by the Slammer worm, port scans and the like.

[Figure 2-5: Ratio of respective attack methods in 2003 (pie chart; categories: Worm 53.32%, Scan 36.29%, BackDoor, ICMP, DNS, IIS, Others)]

(3) Targeted Port Numbers and IP Addresses of Attack Sources

The accumulated numbers of attacks by targeted port number and source IP address detected in 2003 are shown in Fig 2-6. The X-axis, Y-axis and Z-axis are the IP address of the attack source, the targeted port number (TCP/UDP) and the accumulated number of attacks, respectively.

[Figure 2-6: Accumulated numbers of attacks by targeted port number and source IP address detected in 2003]

The prominent values of the first octet of the attack-source IP addresses were around 60 and 80 in Class A and around 210 in Class C. The prominent targeted port numbers were 21, 1080, 1434 and 27374. Compared with attacks against other ports, there were more attacks against 52076/TCP; the IP addresses of those attack sources were in the Czech Republic and the window size was 55808.

2.2.3 Hour of the Day Trend

Fig 2-7 shows the hour-of-the-day difference from the average hourly number of alerts [(Data - Average) / Standard Deviation].
The times in the figure are local hours (Oceania: AEST, East Asia: JST, Asia: UTC+7, Western Europe: GMT, Africa: GMT, North America: CST, Middle America: UTC-3, South America: AST). The number of alerts was lower than average between midnight and early morning and higher than average in the afternoon.

[Figure 2-7: Hour-of-the-day difference from average hourly alert numbers [(Data - Average) / Standard Deviation], by region (Oceania, East Asia, Asia, Europe, Africa, North America, Central America, South America); local hours 0 to 23 on the horizontal axis, -3 to 3 on the vertical axis]

2.3 Blaster Worm and SQL Slammer Worm

2.3.1 Summary

(1) Blaster Worm

The Blaster worm emerged on the Internet on August 12. The worm exploited a vulnerability in the Distributed Component Object Model (DCOM) interface, the buffer overrun in the RPC interface that may allow an attacker to execute code (MS03-026). Additionally, the Welchia worm, which exploited the same vulnerability, emerged on August 18 and affected our society seriously. While the number of accesses to 135/TCP had been around 30 a day before the vulnerability was reported, the Blaster worm caused 9,220 accesses to 135/TCP on August 12. Afterwards the number of accesses decreased gradually until August 17, but the Welchia worm, which emerged on August 18, made it surge again. We detected the increase caused by the Welchia worm at some of our fixed monitoring points: because those points were set up to accept ICMP-related packets, hosts compromised by the worm, which pings a host before attacking it, went on to increase the number of accesses to 135/TCP at the fixed-point monitoring network. Fig 2-8 and Fig 2-9 show the number of detected accesses by destination port and by source country, respectively, after the emergence of the worms.
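The per-hour deviation plotted in Fig 2-7 is a z-score of hourly alert counts, computed after each region's series has been shifted from UTC into the local time the figure uses. The following Python is an added example, not code from the NPA report: the UTC offsets assigned to the report's zone labels and the use of the population standard deviation are assumptions, and the hourly counts are constructed.

```python
"""Hour-of-the-day deviation [(Data - Average) / Standard Deviation] per region.

Added example, not code from the NPA report. Offsets for the report's zone
labels are assumptions (AST read as Atlantic Standard Time), and the
standard deviation is the population one; the report does not say which.
"""
import statistics

# Assumed UTC offsets, in hours, for the zone labels used in section 2.2.3.
REGION_OFFSET_H = {
    "Oceania (AEST)": 10,
    "East Asia (JST)": 9,
    "Asia (UTC+7)": 7,
    "Western Europe (GMT)": 0,
    "Africa (GMT)": 0,
    "North America (CST)": -6,
    "Middle America (UTC-3)": -3,
    "South America (AST)": -4,
}


def to_local_hours(counts_utc, offset_h):
    """Rotate a 24-entry list indexed by UTC hour so it is indexed by local hour."""
    if len(counts_utc) != 24:
        raise ValueError("need exactly 24 hourly counts")
    return [counts_utc[(h - offset_h) % 24] for h in range(24)]


def hourly_z(counts):
    """z-score of each hour's count against the 24-hour mean (all zeros if flat)."""
    mean = statistics.fmean(counts)
    sd = statistics.pstdev(counts)
    return [0.0] * 24 if sd == 0 else [(c - mean) / sd for c in counts]


def peak_and_trough_hours(counts_utc, offset_h, threshold=1.0):
    """Local hours at least `threshold` above / below average, as two sorted lists."""
    z = hourly_z(to_local_hours(counts_utc, offset_h))
    above = [h for h, v in enumerate(z) if v >= threshold]
    below = [h for h, v in enumerate(z) if v <= -threshold]
    return above, below


def summarize(hourly_utc_by_region):
    """{region: (hours above, hours below)} from each region's UTC hourly counts."""
    return {region: peak_and_trough_hours(counts, REGION_OFFSET_H[region])
            for region, counts in hourly_utc_by_region.items()}


# Constructed sample data: one local-time profile (quiet 00-05, busy 13-18)
# expressed as UTC counts for two regions, so the shift has to be undone first.
LOCAL_PROFILE = [10] * 6 + [20] * 7 + [40] * 6 + [20] * 5


def as_utc(local_counts, offset_h):
    """Inverse of to_local_hours; used only to build the sample input."""
    return [local_counts[(u + offset_h) % 24] for u in range(24)]


SAMPLE_UTC = {
    "East Asia (JST)": as_utc(LOCAL_PROFILE, 9),
    "North America (CST)": as_utc(LOCAL_PROFILE, -6),
}

if __name__ == "__main__":
    for region, (above, below) in summarize(SAMPLE_UTC).items():
        print(f"{region}: above average at local hours {above}, below at {below}")
```

Both regions report local hours 13 to 18 above and 0 to 5 below the average, even though their UTC series are shifted by 15 hours relative to each other.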
[Figure 2-8: Attacked ports after the emergence of the Blaster and Welchia worms, 8/12 0:00 to 8/18 12:00 (series: icmp, 135/tcp, 445/tcp, 137/udp, 21/tcp, 80/tcp, 17300/tcp, others)]

[Figure 2-9: Number of attacks by the Blaster worm by source country, 8/12 0:00 to 8/18 0:00 (series: US, GB, JP, HK, CN, KR, CA, others)]

Through the security portal site @police, we widely publicized warnings of the surge in the number of accesses to 135/TCP on August 5, of the spread of the worm exploiting the Windows vulnerability on August 12, and of the worm that suddenly increased the traffic of ICMP-related packets.

(2) Slammer Worm

The Slammer worm, which emerged in January 2003, infected computers by exploiting a vulnerability in Microsoft SQL Server (323875, MS02-039), the buffer overrun in the Resolution Service that may allow an attacker to execute code. A computer compromised by the worm randomly chose hosts, and the worm spread to infect those with the same vulnerability. As many will remember, the many hosts simultaneously compromised by the worm triggered a rapid increase in traffic and caused trouble in communication networks. The number of Slammer worm detections after its emergence is shown in Fig 2-10. Although the worm's activity gradually calmed down after its emergence, it became active again in late February. Around 700 Slammer worm detections a day were recorded even in December. The daily numbers of alerts and of detected hosts had remained at about 40 and around 14 respectively, and do not seem to be fading away.
[Figure 2-10: Detected number of attacks (alerts) and attacking hosts by the Slammer worm, 2003/1/1 to 2003/12/31; vertical axis 0 to 1,400]

The source countries by number of Slammer worm attacks and by number of Slammer worm attacking hosts, determined by IP address, are shown in Fig 2-11 and Fig 2-12, respectively. The US was the top attack source, accounting for about 34%, followed by China (about 21%) and Japan (about 6%). As with the number of attacks, the US was the top source of attacking hosts, accounting for about 43%. While the number of Slammer worm attacks from China was large, the number of attacking hosts in China was not. This result seems to show that many compromised hosts in China were left infected for a long time.

[Figure 2-11: Ratio of the alerts by country (pie chart; countries: United States, P.R. China, Japan, United Kingdom, Canada, Australia, France, Spain, Brazil, Germany, others)]

[Figure 2-12: Ratio of the attacking hosts by country (pie chart; countries: United States, P.R. China, Japan, United Kingdom, Canada, Brazil, France, Hong Kong, Australia, Sweden, others)]

3 Cyber Force Activities

Cyber Force activities in 2003 are shown below.

3.1 Collaboration with Critical Infrastructures

3.1.1 Providing Security Information

Since 2002 we have periodically visited critical infrastructures and given them security advice and guidance.
In 2003 we made efforts to raise their security levels by providing them with a variety of information, including cases affecting the whole Internet and the countermeasures against them, "The Criminal and Malicious Activities on the Internet", a quarterly we publish, the methods used in actual cases, and so on.

3.1.2 Penetration Tests

We also conducted penetration tests at the request of critical infrastructures and gave advice on information security in light of the results.

3.1.3 Responding to Cases

When critical infrastructures were involved in information security cases, we investigated the causes at their request and advised them on countermeasures for information security.

3.2 Public Relations Activities

3.2.1 Sending Our Staff to Conferences as Speakers

(1) Internet Week 2003
(2) Shirahama Computer Crime Symposium 2003
(3) Security Seminar held by JPNIC and JPCERT/CC

3.2.2 Sending Our Staff to the Counter Cyber Terrorism Councils and the ISP Councils

(1) Tokyo Prefecture Counter High-Tech Crime Council
(2) Mie Prefecture ISP Crime Prevention Network

3.3 Research and Development

3.3.1 Collaborative Research and Development on System Vulnerabilities and Attacks against Systems among Private, Academic and Public Parties

We sent an officer to a laboratory at the Institute of Industrial Science, University of Tokyo, to research the detection of cyber attacks.

3.3.2 Analysis of a Variety of Attacking Packets on the Internet

4 Training

4.1 IDS Training

Twelve weeks of training on computer hardware, operating systems and various applications was provided to staff appointed to the Cyber Force, so that they can meet their responsibilities for preventing cyber terrorism and limiting the damage caused by such incidents.
4.2 Cyber Force Training

Three weeks of training on source code and the detailed specifications of computer hardware and software, provided by their vendors, was given to staff appointed to the Cyber Force, so that they can meet their responsibilities for examination and analysis at crime scenes and elsewhere. This training was provided only to staff with outstanding technical knowledge and skill.

4.3 Internal Training

Two weeks of training held by the HTCTD in the NPA was provided to police officials to acquire technical knowledge relating to high-tech crime investigation.

4.4 Specialized Course of Technical Support to High-tech Crime Investigation

Six weeks of training was provided to police officials involved in technical support for high-tech crime investigations, to acquire technical knowledge such as methods of analyzing digital records and legal knowledge such as the Criminal Procedure Act, which are required to fulfill their duties at crime scenes.

4.5 Specialized Course of Counter Cyber Terrorism Technology

Two weeks of training was provided to police officials involved in counter cyber terrorism activities, to acquire knowledge of trends in information security, technical countermeasures against a variety of cyber attacks, and organizational responses to information security incidents.

4.6 Specialized Course of Basic Investigation Support

Two weeks of training was provided to police officials required to support criminal investigations in general at local police forces, to acquire the basic knowledge, including technical matters, required for their work.

4.7 Others

The Cyber Force sent its staff 45 times to various training courses and conferences held at national police branches and local police forces.

5 Vulnerability Reports

The National Police Agency verified various vulnerabilities found and reported on the Internet and widely publicized the verification results on the security portal site, @police.
In 2003 it selected 200 vulnerabilities in total, comprising 136 unauthorized computer access methods and 64 malicious tools for unauthorized computer access, as shown in Fig 5-1, and verified their effects, the affected operating systems and services, and the countermeasures.

Figure 5-1: Number of unauthorized access method analyses conducted by the NPA in 2003

  Month of 2003   Subtotal   Unauthorized access method   Unauthorized access tool
  January            16              10                          6
  February           20              11                          9
  March              15              12                          3
  April              14               8                          6
  May                16              12                          4
  June               18              13                          5
  July               20              14                          6
  August             15               9                          6
  September          15              12                          3
  October            19              12                          7
  November           15               9                          6
  December           17              14                          3
  Total             200             136                         64

The detailed 2003 reports on unauthorized computer access exploits are available in Japanese on the security portal site, @police (http://www.cyberpolice.go.jp); the following are excerpts from those reports.

5.1 Windows DCOM RPC Interface Buffer Overrun Vulnerability

5.1.1 Overview and Influence

Both RPC and DCOM in the Windows operating system have a problem that causes a buffer overrun. The vulnerability may allow attackers to execute arbitrary code with System privilege. This vulnerability is publicized as Microsoft Security Bulletin MS03-026.

5.1.2 Affected Operating Systems and Services (As of August 12, 2002)

O: affected  X: not affected

  OS                                               Service     Version   Effect   Note
  Windows NT series, Windows 2000 series,          RPC, DCOM   -         O
  Windows XP series, Windows Server 2003 series

5.1.3 Countermeasures

Download the program that fixes the problem from the URL below and execute it, or apply the patch by updating the Windows operating system.
URL for downloading the fix: http://support.microsoft.com/default.aspx?scid=kb;ja;823980
Windows Update URL: http://windowupdate.microsoft.com/

5.2 Analysis of the ATD OpenSSL Mass Exploiter

5.2.1 Overview

This attack tool exploits vulnerabilities in OpenSSL 0.9.6d or earlier versions.
The archive contains four kinds of files: mass, vuln, openssl-too and osslmass2. These four files are detected as the Linux.RST.B virus.

5.2.2 Influence

This attack tool has programs that obtain the user privilege of Apache, usually "apache" or "nobody", by exploiting vulnerabilities in OpenSSL. On a server running a vulnerable OpenSSL, the Apache user privilege may be taken by using one of the four tools. Additionally, this tool can alter ELF files, the Linux executable format.

5.2.3 Affected OS and Services (As of April 9, 2002)

O: affected  X: not affected

  OS                   Service             Version           Effect   Note
  MS Windows series    Internet Explorer   6.0 or earlier    O
                       Outlook             2002 or earlier   O
                       Outlook Express     6.0 or earlier    O

5.2.4 Countermeasures

Update OpenSSL 0.9.6d or earlier versions running on the host to OpenSSL 0.9.6e or later, which do not have this problem. Additionally, this attack tool can be detected by installing antivirus software and updating the virus definition files to the latest version.
Latest version of OpenSSL: http://www.openssl.org/source/

5.3 IE Remote URLMON.DLL Buffer Overflow Vulnerability

5.3.1 Overview and Influence

URLMON.DLL, which Internet Explorer uses for HTTP communication, may suffer a buffer overrun on receiving an HTTP reply containing very long character strings. This vulnerability may enable a logged-in user to execute arbitrary code with that user's privileges. This vulnerability is publicized as Microsoft Security Bulletin MS03-015.

5.3.2 Affected OS and Services (As of July 2, 2003)

O: affected  X: not affected

  OS                   Service             Version    Effect   Note
  MS Windows series    Internet Explorer   5.0        O
                                           5.01 SP1   X
                                           5.01 SP2   O
                                           5.01 SP3   O
                                           5.5        O
                                           5.5 SP1    O
                                           5.5 SP2    O
                                           6.0        O
                                           6.0 SP1    O

5.3.3 Countermeasures

Download the program that fixes the problem from the URL below and execute it.
URL: http://www.microsoft.com/windows/ie/downloads/critical/813489/default.asp

6 Analysis of Computer Viruses

The NPA analyzes and verifies computer viruses that are considered likely to have a serious influence on society. We publicize the results as security information through @police and also provide the results to critical infrastructures.

6.1 Analyzed Computer Viruses

The NPA analyzed the computer viruses shown in Fig 6-1.

Figure 6-1: Computer virus analyses by the NPA in 2003

  No.  Month  Name of virus           No.  Month  Name of virus
  1    Jan.   W32/Yaha.K-mm           14   Jun.   W32.Sobig.C@mm
  2    Jan.   W32/Sobig.A-mm          15   Jun.   W32.Bugbear.B@mm
  3    Jan.   Trojan.Linux.JBellz     16   Jun.   VBS/Redlof
  4    Jan.   SQL-Slammer             17   Jun.   W32.Sobig.E@mm
  5    Jan.   MircPack..597504        18   Jul.   Backdoor Fluxay
  6    Feb.   W32/Lovgate.C-mm        19   Aug.   W32.Mimail.A@mm
  7    Mar.   W32/Deloder.A           20   Aug.   W32.Blaster.Worm
  8    Mar.   W32/CodeRed.F           21   Aug.   W32.Dumaru@mm
  9    Mar.   W32/Bibrog.C-mm         22   Aug.   W32.Welchia.Worm
  10   May    W32.HLLW.Kullan         23   Aug.   W32.Sobig.F@mm
  11   May    W32.Yaha.S@mm           24   Sep.   W32.Swen.A@mm
  12   May    W32.HLLW.Fizzer         25   Nov.   W32.Mimail.C@mm
  13   May    W32.Sobig.B@mm          26   Nov.   W32.Mimail.J@mm

6.2 Results of Analysis

The following are excerpts from the analyses of computer viruses.

6.2.1 SQL-Slammer

Type: Worm (Win32 program)
File name and size (attachment name, if it exists): No file. The size of the executable is 376 bytes.
Program language: Assembler
System affected: Servers that use Microsoft SQL Server 2000 but have not applied the patch for security hole "MS02-039", or servers on which the SQL Server 2000 Desktop Engine of Microsoft Office 2000 (Access 2000) is installed.
Discovery date: Before dawn on January 25, 2003
Origin: The US, the UK, South Korea and so on (the origin is not clear)
Risk assessment: High (score 4 or 4.5 out of 5). The worm's activity may make network traffic extraordinarily heavy and make communication difficult or impossible.
Trigger conditions: Microsoft SQL Server 2000 is running and neither the patch for security hole "MS02-039" nor Service Pack 3 has been applied, or the SQL Server 2000 Desktop Engine of Microsoft Office 2000 (Access 2000) is installed; the fix has not been applied to the server; and the server is attacked by this worm.
Outline of its operation:
1. This worm infects either a server using Microsoft SQL Server 2000 with the vulnerability shown above or one that runs Microsoft Desktop Engine 2000.
2. The affected server randomly chooses a computer, attacks 1434/TCP and infects it. Repetition of this infection process leads to widespread infection.
3. Once this worm infects a server, the server launches many attacks against other servers, which may block the network or make its access speed remarkably low.
4. Since this worm exists only in the memory of the server, it does not exist as a file.
5. This worm has no routine triggered for explosive activation.
Damage: Internet speed became remarkably slow all over the world before dawn on January 25 (GMT), and the condition continued for a day. Accurate data on the number of victims was unknown as of January 27, 2003.

6.2.2 W32.Blaster.Worm

Type: Worm
Program name and size: msblast.exe, 6,176 bytes
Program language: Unknown (compressed by UPX)
System affected: Windows 2000, Windows XP
Discovery date: August 12, 2003
Place of origin: Germany (first reported)
Risk assessment: Because this worm's attack exploits the DCOM RPC vulnerability MS03-026, a server to which the fix has not been applied is at very high risk (score 4 out of 5).
Trigger conditions: When this worm attacks a PC with this security hole.
Outline of its operation:
1. This worm targets 135/TCP and exploits the DCOM RPC vulnerability (MS03-026).
2. The affected computer downloads msblast.exe and executes it.
This worm conducts DoS Attacks against windowupdate.com so that the victim computers cannot apply the program for fixing the vulnerability of DCOM RPC. Widespread all over the world 6.2.3 W32.Welchia.Worm Type: Program name and size: Program Language System Affected Discovery Date Place of Origin Risk Assessment Trigger Condition Outline of its operation Damage: Worm Dllhost.exe 10,240 bytes Unknown Microsoft IIS, Windows 2000, Windows XP August 18, 2003 China (first reported) Once the PC with the security hole is connected to the Internet, it may be infected soon. It has very high risk (Score 4 out of 5). When the PC with the security hole is attacked by this worm This worm downloads the program to solve the problem regarding DCOM RPC from the Microsoft Windows update website, installs it in the PC and restarts the PC. This worm, which sends ICMP echo, looks for PCs in operation, compromises them and increases the traffic of ICMP. This worm attempts to delete the W32.Blaster.Worm. Widespread all over the world 22 6.2.4 W32.Mimail.J@mm Type: Program name and size Program Language System Affected Discovery Date Place of Origin Risk Assessment Trigger Condition Outline of its operation Damage Mutant and Variety Worm Svchost32.exe, ee98af.tmp (13,856 bytes) Attached file: InfoUpdate.exe or www.paypal.com.pif Unknown Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me November 17, 2003 The US (first reported) Because this worm sends itself to all the e-mail addresses found in cache of IE, it may widely infect. Also, user information may be stolen from the person who types credit card information. It has intermediate risk (Score 3 out of 5). When executing www.paypal.com.pif or InfoUpdate.exe sent from this worm as attached files. This worm is a mass-mailing worm attempting to steal personal information. 
It displays a web site that asks a user to type his/her credit card information, stores the information in the web site and sends the information to some pre-designated e-mail addresses. Although only a few computers were reported as affected, the credit card information that a user typed may be stolen. W32.Mimail.A@mn (discovered on Aug. 2, 2003), W32.Mimail.C@mm (discovered on Oct. 31, 2003), W32.Mimail.D@mm (discovered on Nov. 1, 2003), W32.Mimail.E@mm (discovered on Nov. 2, 2003), W32.Mimail.F@mn (discovered on Nov. 4, 2003), W32.Mimail.G@mm (discovered on Nov. 4, 2003), W32.Mimail.H@mm (discovered on Nov. 13, 2003) and W32.Mimail.I@mm (discovered on Nov. 13, 2003). The existence of many variants whose e-mail titles and attached files differed were confirmed. 23 7. Incident Report The following are major success stories of technical support activities to criminal investigations in 2003. 7.1 Violation of the law on Investment Deposits and Interest Rate and the Money Lending Control Law Many computers and related devices in the office, which ran loan sharking under cover of rental furniture shop and gained illegal profit, were seized. Through analyzing them, the formation of the business, the detailed information regarding the illegal profit and so on were confirmed. We contributed to solve the case. 7.2 Case of Publicly Displaying Child Porno through the Internet The computers and CDs in the home of the suspect, who uploaded child porno pictures on an electric BBS, and those of the people who involved in the case were seized. Through analyzing them, we found child porno pictures that could become the evidence for the case, found the modus operandi and contributed to solve the case. 7.3 Fraud Case of using the auction web sites on the Internet The PC in the home of the suspect who fraudlently obtained much money through Internet auctions was seized. 
In analyzing the PC, we clearly identified the sophisticated modus operandi of the fraud and contributed to solving the case.

7.4 Defamation Case Using an Electronic BBS

The PC in the home of the suspect, who posted messages disparaging another person by describing that person's physical features and spreading rumors, was seized. Through detailed analysis of the PC, we found data proving the motive for the crime as well as evidence, and contributed to solving the case.

7.5 Violation of the Stimulant Drugs Control Act Using an Electronic BBS and E-mail

The PCs of several suspects, who were arrested for using an electronic BBS and e-mail to traffic in stimulant drugs, were seized. Through analyzing the PCs, we found e-mails describing the detailed transactions among the suspects and contributed to solving the case.

7.6 Violation of the Unauthorized Computer Access Law

In a case where the suspect stole the system administrator's password and gained unauthorized access to a company's web site, we analyzed the access logs in detail and identified the suspect.

7.7 Uttering of a False Official Document, Forgery and Uttering of a Private Document, and Attempted Fraud

The suspect forged another person's driver's license, filled in his own information, including his name, on an application form placed in an ATM of a consumer finance company and tried to fraudulently obtain money. We seized the computer the suspect had used to forge the driver's license, analyzed it, found how the license had been forged and contributed to solving the case.

7.8 Deceptive Labeling of the Origin of Chickens

Many computers and devices used by a large food group to misrepresent the origin of chickens were seized. Through analyzing the large amount of data on them, we found evidence proving the companies' involvement and contributed to solving the case.
8. International Cooperation

Activities at the HTCTD of the NPA must be conducted on an international dimension, given the international and universal nature of information and communications technology and computer networks. The Hi-Tech Crime Subgroup, a forum under the G8, has been discussing various issues ranging from policy approximation to actual investigation techniques, and the HTCTD has participated in these discussions since 1999. We also operate a computer network, the Cybercrime Technology Information Network System (CTINS), to share and exchange information among Asian countries on a daily basis. Furthermore, to develop capabilities for cybercrime investigation, we organize an international conference in Tokyo every year, the CTINS Annual Meeting, to exchange the technical information required for combating cybercrime.

8.1 G8 Lyon Group Hi-Tech Crime Subgroup

At the G8 Lyon Group Hi-Tech Crime Subgroup, various issues ranging from policy approximation to actual investigation techniques are discussed. In 2003, measures to protect critical infrastructures were discussed in the subgroup and at "The G8 Conference on the Critical Infrastructure" held in Paris in March. The G8 developed principles to serve as guidance for planning the policies of individual member countries. The principles adopted at the G8 Justice and Interior Ministers' Meeting in Paris on May 5, 2003 were the first international agreement of this kind.

8.2 Asian Conference on Cybercrime Investigation Technology and Forensics

An international conference on cybercrime investigation technology and forensics was held in Tokyo in February 2003; police officials from China, Hong Kong, India, Indonesia, South Korea, Malaysia, the Philippines, Singapore, Thailand and Japan participated. Two police officials from the UK also participated as observers. At the conference, information on the cybercrime situation in each country and region and on technical practices for dealing with cybercrime was exchanged, future challenges were discussed, and the participating countries agreed to strengthen international police cooperation in this area.

8.3 Other International Conferences

International conferences in which HTCTD officials participated in 2003 are as follows.
- Jun. 22 – Jun. 27: FIRST Annual Conference (Ottawa, Canada)
- Jul. 21 – Jul. 25: APEC Cybercrime Conference (Bangkok, Thailand)
- Oct. 5 – Oct. 9: ICPO Technology Crime Investigation and Training Seminar (Hong Kong)
- Oct. 29 – Oct. 31: ICPO Asia-South Pacific Working Party on Information Technology Crime (Shanghai, China)

8.4 Cybercrime Technology Information Network System (CTINS)

The HTCTD operates and maintains an international computer network connecting police officials in charge of technical countermeasures against cybercrime in 9 countries and one region in Asia. The network aims to share and exchange information, including techniques for dealing with security incidents on the Internet and computer forensic practices, within the short time frame that dealing with cybercrime often requires.

9. National Police Agency Security Portal Site, @police

A security portal site, @police (http://www.cyberpolice.go.jp), was established in March 2003. It aims to prevent hi-tech crimes and cyber terrorism, to limit damage caused by security incidents, and to raise security awareness in general by providing domestic Internet users with the network security information collected by the NPA. Besides learning about information security at a level matching their own knowledge, users can look for content suited to their own purposes. The current status of computer viruses, vulnerabilities in a variety of software and so on are also publicized on the top page, which raises security awareness among Internet users.

Figure: Top page of @police

Apart from the content created when the web site opened, the following content was added in 2003.

9.1 Fixed-Point Internet Monitoring

Every hour we gather the data detected by the intrusion detection systems and firewalls at 57 Internet connection points used by police organizations nationwide, and publish the data together with a real-time quantitative picture. Referring to this data makes it possible to understand, quantitatively and in real time, the situation on the Internet during worldwide phenomena such as the incident caused by the Blaster worm in August 2003. Additionally, when we detect an unusual situation, we raise awareness through "topics" on the top page.

Figure: Attack methods monitored by the NPA's intrusion detection network system
Figure: Attacked ports monitored by the NPA's firewalls
Figure: Countries of origin of attacks monitored by the NPA's firewalls

9.2 Animation Version for Kids

This content explains the structure of the Internet, its dangers and other issues to children through easy-to-follow stories. For use in school education and other explanatory meetings, we also provide web content that can be downloaded from our web site.

9.3 Security Lectures for Beginners

With the plummeting prices of personal computers and the popularization of high-speed Internet access, the number of Internet users is increasing. The aim of this content is to help people who are using the Internet for the first time and to eliminate their anxieties. The content clearly explains seven themes, including how to use the Internet and the dangers that Internet users may encounter. For use in school education and other explanatory meetings, we also provide web content that can be downloaded from our web site.

9.4 Mail Magazine

Every month we send an e-mail containing a variety of information, such as the popular and attractive content of the month. We also send ad hoc e-mails to promptly notify readers of important information.
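The fixed-point monitoring described in section 9.1 aggregates firewall detections by hour, attacked port and origin country and watches for surges such as the Blaster traffic on 135/TCP in August 2003. The following is an added example, not NPA code, that performs that aggregation over constructed log lines; the log format, the surge rule (the latest hour exceeding three times the median of earlier hours, with at least five hits) and all function names are assumptions.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed sample firewall log lines (format is an assumption): "<YYYY-MM-DD> <HH> <src_ip> <country> <proto>/<dst_port>"
SAMPLE_LOG = """\
2003-08-11 10 10.0.0.5 US tcp/135
2003-08-11 10 10.0.0.6 KR tcp/80
2003-08-11 11 10.0.0.7 CN tcp/135
2003-08-11 12 10.0.0.8 JP tcp/135
2003-08-11 13 10.0.0.11 US tcp/135
2003-08-11 13 10.0.0.12 DE tcp/135
2003-08-11 13 10.0.0.13 CN tcp/135
2003-08-11 13 10.0.0.14 US tcp/135
2003-08-11 13 10.0.0.15 KR tcp/135
2003-08-11 13 10.0.0.16 US tcp/135
"""

def parse_log(text):
    """Yield (hour, src_ip, country, service) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        day, hour, src, country, service = parts
        yield f"{day} {hour}", src, country, service

def hourly_port_counts(records):
    """Map each attacked service to a Counter of hour -> number of detections."""
    counts = defaultdict(Counter)
    for hour, _src, _country, service in records:
        counts[service][hour] += 1
    return counts

def flag_surges(counts, factor=3.0, min_hits=5):
    """Return {service: hour} where a service's latest hour exceeds factor x the median of its earlier hours."""
    surges = {}
    for service, per_hour in counts.items():
        hours = sorted(per_hour)          # zero-padded "YYYY-MM-DD HH" keys sort chronologically
        if len(hours) < 2:
            continue                      # no baseline to compare against yet
        baseline = median(per_hour[h] for h in hours[:-1])
        latest = per_hour[hours[-1]]
        if latest >= min_hits and latest > factor * baseline:
            surges[service] = hours[-1]
    return surges

def top_countries(records, service, n=3):
    """Origin countries of detections on one service, most frequent first."""
    hits = Counter(country for _h, _s, country, svc in records if svc == service)
    return hits.most_common(n)
```

In the sample data the 13:00 hour carries six hits on tcp/135 against a baseline of one per hour, so only that service is flagged.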