[ISN] Japanese virus shares private info

From: InfoSec News (isn@private)
Date: Tue Jun 13 2006 - 05:08:27 PDT


http://www.smh.com.au/news/security/japanese-virus-shares-private-info/2006/06/13/1149964511797.html

The Sydney Morning Herald
June 13, 2006 

A computer virus that targets the popular file-sharing program Winny
isn't the most destructive bug or even the most widespread. But it's
the most talked about in Japan as it generates headline after
headline, month after month.

The malware, called Antinny, finds random files on Winny users' PCs
and makes them available on the file-sharing network. So far, the data
leaked have been varied and plentiful: passwords for restricted areas
at airports, police investigations, customer information, sales
reports, staff lists.

The constantly updated virus seems to have spared no one airlines,
local police forces, mobile phone companies, the National Defence
Agency. Even an antivirus software manufacturer has suffered.

"The virus has been quite effective in getting information off a
user's computer and onto the Internet. The data is supposed to be
secret, so people are quite sensitive about it," said Tsukuba
University computer scientist Kazuhiko Kato.

Compared to attacks on Microsoft Corp's Windows software, the scope of
the Antinny outbreak is narrow. But the Winny mess has caused an
enormous brouhaha in Japan.

Antinny also may have the dubious distinction of being the first virus
to exploit the nature of file-sharing itself in Japan, if not in the
world, said Mamoru Saito of Telecom Information Sharing and Analysis
Centre Japan.

Other viruses and spyware are often found on such networks, though
none appears to take advantage of the underlying technology to spread
personal data.

And while Antinny's writers seem to be limiting themselves to Japanese
file-sharing software for now, he said, the code theoretically could
be modified to attack other file-sharing networks such as


Gnutella and BitTorrent.

The outbreak has triggered a broad damage-control effort by government
and businesses. They have banned Winny from in-house computers and
fired employees who use it on them. They've also demanded that staff
not take work home and delete Winny from any home PCs used for work.

"The most secure way to prevent the leakage of information is not to
use Winny on your computer," Chief Cabinet Secretary Shinzo Abe, the
government's top spokesman, told reporters.

But the outbreak shows little sign of abating.

"The problem has shown that many people just don't know how to use the
internet safely," said Takeshi Sato of the government's National
Information Security Centre.

File-sharing programs like Winny are used to find and get files from
music to video to documents from the computers of other people also
using the software. The PC owner typically has control over what is
made available by limiting sharing to a specific folder.

The virus takes advantage of this culture to propagate itself by
playing a "social" trick on users, said Telecom ISAC Japan's Saito.

When the virus is activated on a computer, it first chooses a new name
for itself by taking the names of other files users are likely to be
searching for usually photos or music. The resulting new name becomes
so long that, under normal Windows' settings, the three-letter file
extension that indicates the type of file disappears from view, he
said.

Careless users who download the file will see only the name and think
it is something they wanted say, a photo of a favorite movie star.  
They don't see that they are actually trying to open an application,
not a picture.

When they do, the virus then looks on the computer for the Winny
application, grabs random files off the hard drive and uses Winny to
make those files and itself available for download on the network.

And so the cycle repeats.

New strains of Antinny appear all the time. Software maker Trend Micro
listed 46 variations of the virus in its database as of mid-May. Trend
itself lost sales data due to a Winny leak in 2005.

"Just keeping your antivirus software up to date isn't enough, because
the updates can't keep up with all the new strains of the virus," the
government's Sato said.

The government's concerns about Winny go beyond viruses. It's often
used to share files and that often means illegally exchanging
copyrighted materials.

Winny was already on the government's radar screen in November 2004,
when its creator then an instructor at the prestigious University of
Tokyo was handed a three-year suspended sentence on charges of
violating copyright laws.

But now it is confidential data rather than hit songs that have Winny
back in the spotlight.

Japan Airlines, for example, discovered last December that an
Antinny-infected computer owned by one of its co-pilots leaked
passwords for restricted areas at 16 airports around Japan as well as
Guam's international airport. The airline was forced to alert the
airports to have passwords changed as a precaution.

In early March, Japan's National Defence Agency said it lost
"confidential information" due to a Winny leak, again from an
employee's home computer. While defence officials refused to say what
data had been lost, a news report said it included reports on training
exercises conducted in Okinawa with U.S. troops in 2005.

In the aftermath of the leaks, the agency ordered employees not to use
Winny on any computers used for work. It also announced plans to
purchase 56,000 computers so employees would no longer have to use
their own equipment for work.

Schools, internet providers and electric companies are among the
others who can tell of similar losses. Making matters worse, reports
began surfacing in May that the virus was now attacking another
Japanese file-sharing application called Share (pronounced
"shah-ray"), opening the door to yet more embarrassing leaks.

The excitement being generated is all the more remarkable when one
considers the outbreak's scale.

Because Antinny needs Winny to spread, both the virus and the files it
picks up are limited to a small section of internet users anywhere
from 300,000 to 600,000 people, based on government and industry
estimates.

Government statistics show Antinny was responsible for a minuscule
fraction of the 24,155 virus outbreaks reported between November 2005
and April 2006.

"Reports of the leaks make for good drama," Tsukuba's Kato said.  
"Still, they show that people need to be careful if they connect their
computers to the Internet."

The government and businesses are trying to help, with everything from
educational pamphlets and Web sites to free software that can remove
Antinny, Winny or both. But there are limits to what they can do.

"The industry is providing information about how to deal with the
problem," said Telecom ISAC-Japan's Saito. "The question is whether or
not the users do anything about it."

Copyright © 2006. The Sydney Morning Herald.



_________________________________
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.
www.blackhat.com



This archive was generated by hypermail 2.1.3 : Tue Jun 13 2006 - 05:26:44 PDT